Internal control
Internal control is a process performed by the management and board of directors of the
company. This process assures that all the rules, laws, policies, and procedures are complied
with. It helps to minimize risk and protect the organization.
Internal control refers to the whole system of internal checks, internal audits, and other forms of
control, financial and otherwise, established by management in order to carry on the business of
the company in an orderly manner that safeguards its records.
According to the Committee of Sponsoring Organizations (COSO), internal control is the process
effected by an entity’s board of directors, management, and other personnel, designed to provide
reasonable assurance regarding the achievement of objectives in the following categories:
⮚ Reliability of the financial reporting
⮚ Compliance with applicable laws and regulations
⮚ Effectiveness and efficiency of operations
According to the American Institute of Certified Public Accountants (AICPA), internal control
comprises the plan of an organization and all of the co-ordinate methods and measures adopted
within a business to safeguard its assets, check the accuracy and reliability of its accounting
data, promote operational efficiency and encourage adherence to prescribed managerial policies.
There are four steps in the auditor's process of understanding internal control and
assessing control risk.
The first step is to obtain and document an understanding of internal control (design and
operation): It is a document used to automatically classify the files and information as per the
requirements.
The second step is to assess control risk. It is a function of management for internal control,
which helps increase effectiveness by assessing control over risks that may affect the business's
goals and achievements.
The third step is to design the tests of controls. Once the design is done, the tests are
implemented, performed, and evaluated.
The fourth step is to decide and plan the detection of risks and substantive tests, which will help
the auditor achieve an understanding of internal control and control of the risks associated with
public companies.
Reasons for internal control
Reinforcing internal controls is generally seen as one of the most important steps in avoiding
negative surprises. Even a company that is considered “in control” will face risks. Effective
internal controls will ensure that they are identified at an early stage. Company risk management
procedures will identify ways to deal with these risks, to the extent possible. The reasons for
internal control can be complex. They include:
a. Minimizing the company's business risks
b. Ensuring the continued effective functioning of the company
c. Ensuring the company’s compliance with relevant laws and regulations.
Most of these reasons funnel back to the ultimate objective that the company continues to
operate. For example, if the company failed to comply with the relevant laws and regulations it
might be forced to stop operations.
Components of internal control structure
The most widely accepted internal control framework in the United States (Committee of
Sponsoring Organizations (COSO)) describes five components of internal control that management
designs and implements to provide reasonable assurance that its control objectives will be met.
Each component contains many controls, but auditors concentrate on those designed to prevent
or detect material misstatements in the financial statements.
The COSO internal control components include the following:
⮚ Control environment
⮚ Risk assessment
⮚ Information and communication
⮚ Control activities
⮚ Monitoring
Control environment
The control environment sets the tone of an organization, influencing the control consciousness
of its people. It is the foundation for all other components of internal control, providing
discipline and structure. Numerous factors comprise the control environment in an entity, among
which are the following:
⮚ integrity and ethical values
⮚ commitment to competence
⮚ board of directors and audit committee
⮚ management philosophy and operating style
⮚ organizational structure
⮚ assignment of authority and responsibility
⮚ human resource policies and practices
Risk assessment
Risk assessment for financial reporting purposes is an entity’s identification, analysis, and
management of risks relevant to preparing financial statements that are fairly presented in
conformity with Generally Accepted Accounting Principles. Management’s risk assessment
should include special consideration of the risks that can arise from changed circumstances, such
as new areas of business or transactions, changes in accounting standards, new laws or
regulations, the rapid growth of the entity, and changes in personnel involved in the
information processing and reporting functions.
Information and Communication
The information system relevant to financial reporting objectives, which includes the accounting
system, consists of the methods and records established to identify, assemble, analyze, classify,
record, and report entity transactions and to maintain accountability for the related assets and
liabilities.
Communication involves providing a clear understanding of individual roles and responsibilities
pertaining to the internal control structure over financial reporting.
Control activities
Control activities are those policies and procedures that help ensure that management directives
are carried out. They help ensure that necessary actions are taken to address risks to the
achievement of the entity's objectives. Control activities have various objectives and are applied
at various organizational and functional levels.
Control activities related to the financial statement audit may be categorized in many different
ways. One way is as follows:
⮚ information processing control
● general control
● application controls
✔ proper authorization
✔ documentation and records
✔ independent checks
⮚ Segregation of duties
⮚ physical controls
⮚ performance reviews
Monitoring
Monitoring is the process that assesses the quality of the internal control structure's performance
over time. It involves assessment by appropriate personnel of the design and operation of controls
on a suitably timely basis to determine that the internal control structure (ICS) is operating as
intended and that it is modified as appropriate for changes in conditions.
The COSO Report defines an internal control structure along with the above five elements and
three components/objectives (financial reporting, operation, and compliance), with the
identification of the areas/activities audited (e.g. geographic unit, business unit, process unit).
A defined evaluation structure such as COSO is especially useful to understand the scope of the
audit work. For example, an opinion using the COSO framework can define whether the
opinion extends to all three components of control and whether the audit work addressed
controls along all five elements.
Limitation of internal controls
The implementation of internal control, no matter how well conceived and operated, cannot
provide absolute assurance to the management about the achievement of an organization’s
objectives or its survival. This is mainly due to different risk factors surrounding the
environment of the organization and its activities. The limitations on internal control include at
least the following risk factors:
⮚ Judgment
The effectiveness of control will be limited by decisions made with human judgment
under pressure to conduct the business based on the information at hand.
⮚ Breakdowns
Even well-designed internal controls can break down. Employees sometimes
misunderstand instructions or simply make mistakes. Errors may also result from new
technology and the complexity of computerized information systems.
⮚ Management override
High-level personnel may be able to override prescribed policies and procedures for
personal gain or advantage. This should not be confused with management intervention,
which represents management actions to depart from prescribed policies and procedures for
legitimate purposes.
⮚ Collusion
Control systems can be bypassed by employee collusion. Individuals acting collectively
can alter financial data or other management information in a manner that cannot be
identified by the control system.
⮚ Cost versus benefit
The costs of an entity’s internal control structure may exceed the benefit that is expected to
ensue.
⮚ Unusual transactions
Finally, a limitation of internal controls is that they are generally designed to deal with what
normally or routinely happens in a business. However, it may be the case that an unusual
transaction may occur which does not fit into the normal routines, in which case standard
control may not be relevant to the unusual transaction, and hence mistakes may be made in
relation to the unusual transaction.
Obtain and document an understanding of internal control
Auditing standards require auditors to obtain and document their understanding of internal
control for every audit. This understanding is necessary for both the audit of internal
controls over financial reporting and the audit of financial statements. Management’s
documentation is a major source of information in gaining understanding. Documentation
in the working papers may take the form of completed questionnaires, flowcharts, decision
tables, and narrative memoranda.
Questionnaires
A questionnaire consists of a series of questions about ICS policies and procedures that the
auditor considers necessary to prevent material misstatement in the financial statement. The
questions are usually phrased so that either a Yes, No, or N/A answer results, with a Yes
answer indicating a favorable condition. Standardized questionnaires are used in a majority
of audits. By using a questionnaire, auditors cover each audit area reasonably quickly. The
two main disadvantages of questionnaires are their inability to provide an overview of the
system and their inapplicability for some audits, especially smaller ones.
Flowcharts
A flowchart is a schematic diagram using standardized symbols, interconnecting flow
lines, and annotations that portray the steps involved in processing information through the
accounting system. Flowcharts vary in the extent of detail.
An internal control flowchart is a diagram of the client’s documents and their sequential
flow in the organization. An adequate flowchart includes the same characteristics identified for
narratives.
Well-prepared flowcharts are advantageous primarily because they provide a concise
overview of the client’s system, which helps auditors identify controls and deficiencies in
the client system.
Decision tables
Decision tables are a precise yet compact way to model complicated logic. Decision tables
associate conditions with actions to perform, and in many cases do so in a way that presents
the data more elegantly.
Narrative memoranda
A narrative memorandum is a written description of a client’s internal control. A proper
narrative of an accounting system and related controls describes four things:
1. The origin of every document required in the system; for example, the description
should state where customer orders come from and how sales invoices are generated.
2. All processing that takes place; for example, if sales amounts are determined by a
computer program that multiplies quantities shipped by standard prices contained in
price master files, that process should be described.
3. The disposition of every document and record in the system; the filing of documents,
sending them to customers, or destroying them should be described.
4. An indication of the controls relevant to the assessment of control risk. These typically
include separation of duties (such as separating the recording of cash from the handling of
cash), authorization and approvals (such as credit approvals), and internal verification (such
as comparison of unit selling prices to sales contracts).
In an audit of a large entity involving a combination of auditor strategies, all four types of
documentation may be used for different parts of understanding. In an audit of a small entity
where the primary substantive approach predominates, a single memorandum may suffice to
document the understanding of all components.
Control Risks
In simple words, control risk is the probability that a material misstatement exists in an assertion
because that misstatement was either not prevented from entering the entity’s financial
information or not detected and corrected by the internal control system of the entity.
It has been defined under the International Standard on Auditing (ISA) as follows:
The risk that a misstatement that could occur in an assertion about a class of transaction, account
balance, or disclosure and that could be material, either individually or when aggregated with
other misstatements, will not be prevented, or detected and corrected, on a timely basis by the
entity’s internal control.
Assessing control risk
Assessment of control risk is the process of evaluating the effectiveness of the design and
operation of an entity's internal control structure policies and procedures in preventing or
detecting material misstatements in the financial statement. Control risk assessments are made
for individual financial statement assertions, not for the internal control structure as a whole.
Steps for assessing control risk
Following are the steps taken by the auditor for assessing the control risk:
Step 1: Consider knowledge acquired from procedures to obtain an understanding
The auditor performs procedures to obtain an understanding of relevant internal control structure
policies and procedures for significant financial statement assertions. She or he documents the
understanding in the form of completed internal control questionnaires, flowcharts, and narrative
memoranda. For policies and procedures relevant to particular assertions, the auditor carefully
considers the Yes, No, and N/A responses and written comments in the questionnaires and the
strengths and weaknesses noted in the flowchart and narrative memoranda. Analysis of this
documentation is the starting point for assessing control risk.
Step 2: Identify potential misstatements
Most audit firms have developed checklists that enumerate the types of potential misstatements
that could occur in specific assertions, and some audit firms use computer software for this
purpose. Using either the checklist or the computer software aid and his or her understanding of
the entity's internal control structure, the auditor identifies the potential misstatements
applicable to specific assertions given the entity's circumstances. Potential misstatements may be
identified for assertions pertaining to each major class of transactions and for assertions
pertaining to each significant account balance.
Step 3: Identify necessary controls
Whether by using computer software that processes internal control questionnaire responses or
manually by using the checklist, auditors can identify necessary controls that could likely prevent
or detect specific potential misstatements. In some cases, several controls may pertain to a given
potential misstatement. In other cases, a single control may apply. In addition, a single control
may pertain to more than one type of potential misstatement. Specifying necessary controls also
requires consideration of circumstances and judgment. Thus the auditor must assimilate
information about a wide variety of possible control policies and procedures related to any of the
ICS components in considering the risk of potential misstatements in a particular assertion.
Step 4: Perform tests of controls
In determining the tests to be performed, the auditor considers the types of evidence that will be
provided and the cost of performing the test. The tests include selecting a sample and inspecting
related documents, inquiring of client personnel, observing client personnel performing control
procedures, and the auditor's reperformance of certain controls. The result of each test of
controls should provide evidence about the effectiveness of the design or operation of the related
necessary control. Once the tests to be performed have been selected, it is customary for the
auditor to prepare a formal written audit program for the planned tests of controls.
Step 5: Evaluate evidence and make the assessment
The final assessment of control risk for a financial statement assertion is based on evaluating the
evidence gained from (i) procedures to obtain an understanding of relevant internal control
structure policies and procedures and (ii) related tests of controls. Based on the nature of the
procedures performed, the information obtained might be in the form of any combination of
documentary, electronic, mathematical, oral, or physical evidence. When different types of
evidence support the same conclusion about the effectiveness of control, the degree of assurance
increases. Conversely, when they support different conclusions, the degree of assurance decreases.