CH04 INTERNAL CONTROL

CHAPTER 4
INTERNAL CONTROL

4.1. The Meaning of Internal Control

• INTERNAL CONTROL is a process, effected by an entity’s board of directors,
management, and other personnel, designed to provide reasonable assurance regarding
the achievement of objectives relating to:

 Effectiveness and Efficiency of Operations

 Reliability of Financial Reporting
 Compliance with Laws and Regulations

Primary Objectives of Internal Controls:

 Accurate Financial Information
 Compliance with Policies and Procedures
 Safeguarding Assets
 Efficient Use of Resources
 Accomplishment of Objectives and Goals

Why are Internal Controls Important?

1. Effectiveness and Efficiency of Operations
 Addresses an entity's basic business objectives, including performance and profitability
goals and safeguarding of resources.
2. Reliability of Financial Reporting
 Preparation of reliable financial statements and publicly reported financial data.
3. Compliance with Laws and Regulations
 Compliance with those laws and regulations to which the entity is subject.

According to Committee of Sponsoring Organization (COSO) report, there are five

interrelated components of the internal control. These are: control environment, control
procedures, risk assessment, information and communication, and monitoring.

4.2. Internal Control and Internal Audit

 Internal Control is the set of various processes laid down to keep a check on the
controls of the organizations. It is done to ensure that the functions of the organization are
being carried out in a proper manner.
 It is a system designed to ensure that there are clearly slept out policies and procedures
that guide operations and/or activities.

 Internal Audit is the proper checking of internal controls of the organization and
preparing the internal report pointing out the qualities and deficiencies in the controls of
the organization.
 It is a function involving an independent appraisal of an entity’s governance and internal
control system. It looks at the existence, adequacy and application of internal controls.

Page 1
 CH04 INTERNAL CONTROL

4.3. Control Environment

Control environment is the framework within which controls operate. The control environment is
very much determined by the management of a business and is the foundation for other internal
controls.

Control environment is the overall attitude, awareness and actions of directors and managers
regarding internal controls and their importance in the entity. The control environment
encompasses the management style and corporate culture and values shared by all employees. It
provides the background against which the various other controls are operated.

The following factors will be reflected in the control environment.

- The philosophy and operating style of management
- The entity's organizational structure
- The directors' methods of imposing controls.

4.4. Risk Assessment

One of the components of internal control is risk assessment. Management should carefully
consider the factors that affect the risk that the organization's objectives will not be achieved.
When considering the financial reporting objective, these risks include the threats to preparing
financial statements in accordance with generally accepted accounting principles.
For example, the following factors might be indicative of increased financial reporting risk:
- Changes in the organization's regulatory or operating environment
- Changes in personnel
- Implementation of a new or modified information system
- Rapid growth of the organization
- Changes in technology affecting production processes or information systems
- Introduction of new lines of business, products, or processes

Management's process of risk assessment is similar to the auditor's assessment of audit risk, as
described in previous chapters. However, the scope of management's risk assessment is more
comprehensive in that it involves consideration of factors that affect all of the organization's
objectives. The auditors are concerned only with the level of inherent risk and control risk that
affect the organization's ability to produce financial statements that are in accordance with
generally accepted accounting principles.

4.5. Control activities

Are the policies and procedures, in addition to those included in the other four control
components that help ensure that necessary actions are taken to address risks to the achievement
of the entity’s objectives? There are potentially many such control activities in any entity,
including both manual and automated controls.

Page 2
 CH04 INTERNAL CONTROL

The control activities generally fall into the following five types:-
1. Adequate separation of duties
 There are four general guidelines for adequate separation of duties to prevent both
fraud and errors which are especially significant for auditors.
a. Separation of the Custody of Assets from Accounting: To protect a company
from embezzlement, a person who has temporary or permanent custody of an
asset should not account for that asset.

b. Separation of the Authorization of Transactions from the Custody of Related

Assets: It is desirable to prevent persons who authorize transactions from having
control over the related asset, to reduce the likelihood of embezzlement. For
example, the same person should not authorize the payment of a vendor’s invoice
and also approve the disbursement of funds to pay the bill.

c. Separation of Operational Responsibility from Record-Keeping

Responsibility: To ensure unbiased information, record keeping is typically the
responsibility of a separate department reporting to the controller. For example, if
a department or division oversees the creation of its own records and reports, it
might change the results to improve its reported performance.
d. Separation of IT Duties from User Departments: Responsibility for designing
and controlling accounting software programs that contain the sales authorization
and posting controls should be under the authority of IT, whereas the ability to
update information in the master file of customer credit limits should reside in the
company’s credit department outside the IT function.
2. Proper Authorization of Transactions and Activities
 Every transaction must be properly authorized if controls are to be satisfactory. If any
person in an organization could acquire or expend assets at will, complete chaos
would result.

3. Adequate Documents and Records

 Documents and records are the records upon which transactions are entered and
summarized. They include such diverse items as sales invoices, purchase orders,
subsidiary records, sales journals, and employee time cards. Many of these documents
and records are maintained in electronic rather than paper formats.
 Adequate documents are essential for correct recording of transactions and control
of assets.
4. Physical Control Over Assets and Records
 To maintain adequate internal control, assets and records must be protected. If assets are
left unprotected, they can be stolen. If records are not adequately protected, they can be
stolen, damaged, altered, or lost, which can seriously disrupt the accounting process and
business operations.
 The most important type of protective measure for safeguarding assets and records is the
use of physical precautions. i.e., the use of storerooms for inventory to guard against
theft, safety deposit Vaults for the protection of assets such as currency and securities etc.

Page 3
 CH04 INTERNAL CONTROL

5. Independent Checks on Performance

 The last category of control activities is the careful and continuous review of the other
four, often called independent checks or internal verification. The need for independent
checks arises because internal controls tend to change over time, unless there is frequent
review. Personnel are likely to forget or intentionally fail to follow procedures, or they
may become careless unless someone observes and evaluates their performance.
 Personnel responsible for performing internal verification procedures must be
independent of those originally responsible for preparing the data. For example, bank
reconciliation is done by a person independent of the accounting records and handling of
cash.

4.6. Limitations of Internal control

An internal control system should be designed and operated to provide reasonable assurance.
That is an entity’s cost of internal control system should not exceed the benefits that are expected
to be derived. The necessity of balancing the cost of internal controls with the related benefits
requires considerable estimation and judgment on the part of management.

Therefore, the idea of reasonable assurance arises from two concepts: cost – benefit, and the
inherent weakness: The cost – includes paying employees for implementing the system,
constructing and acquiring facilities (safes, stoves) printing of vouchers, forms, etc. The benefits
include prevention of potential losses.

The inherent limitations include management override of internal control, personnel errors, or
mistakes, and collusion.

(i) Management override of internal control: an entity’s controls may be overridden

by management. For example, a senior – Level manager can require a low – level
employee to record entries into the accounting records (because) that is not consistent
with the substance of the transactions and are in violation of the organization’s
control. The lower – level employee may record the transaction, even though he or
she knows that it is a violation of control, because of fear of losing he’s or her job.
(ii) Personnel errors or mistakes – The internal control system is only as effective as
the personnel who implement and perform the controls. For example, employees may
misunderstand instructions or make errors of judgment. They may make mistakes
because of personnel carelessness, distraction, or fatigued.
(iii) Collusion – the effectiveness of segregation of duties lies in the individuals
performing only their assigned tasks or in the performance of one person being
checked by another. Collusion may occur, for example, an individual who receives
cash receipts from customers collide (agree) with the one who records those receipts
in the customers’ records order to steal cash from the entity.

Page 4
 CH04 INTERNAL CONTROL

4.7. The Auditor’s Consideration of Internal Control

The generally accepted auditing standard field work standard, number two states that a
satisfactory understanding of internal control is to be obtained to plan the audit and determine the
nature, timing and extent of tests to be performed. Thus, the primary purpose of studying and
evaluating of internal control system by external auditors is to determine the amount of audit
work. It is assumed that good internal control provides more reliable financial data and
statements.

NOTE:
 According to COSO report, there are five interrelated components of the internal
control. These are:
1. Control environment
2. Control procedures/activities,
3. Risk assessment
4. Information and communication,
5. Monitoring.
LET US DISCUSS THE BOLDED COMPONENTS OF INTERNAL CONTROL

Control Procedures: Control procedures are those policies and procedures in addition to
the control environment, which are established to achieve the entity's specific objectives.
 It includes those designed to prevent or to detect and correct errors. Some of the
specific control procedures are:
- Segregation of duties
- Approval and control of documents
- Control over computerized applications
- Checking the arithmetical accuracy of records
- Maintaining and reviewing control accounts and trial balances
- Reconciliation
- Comparing the results of cash, securities and stock counts with accounting
records
- Comparing internal data with external sources of information
- Limiting direct physical access to assets and records.

Information and Communication: One of the components of internal control is

information and communication is about the access of management to feedback
information and report.
 Effective accounting systems accomplish the following objectives.
- Identify all relevant financial events (transaction) of the organization
- Capture the important date of these transaction
- Record and process data through classification and summarization
- Report this summarized and aggregated information to manager
Monitoring:- is concerned with:
- The ongoing review and evaluation of the system
- Control whether the activities of the organization are on the right track or not

Page 5