CHAPTER 6: INTERNAL CONTROL EVALUATION

3.0. Aims and Objective

After studying this chapter, you should be able to:

 Define internal control

 Describe the purpose and objective of internal control, and management responsibility.

 Describe the components of Internal control system

 Explain the characteristics of effective Internal Control.

 Explain the limitation of internal control.

 Describe the auditor's consideration of internal control

 Discuss the phases of control evaluation.

3.1. Introduction

Dear learner you must have heard about the term internal control before studying this course.
Can you write in your own words the meaning of internal control
____________________________________________________________________________
____________________________________________________________________________
__________________________________________________________________________ .

Internal control is not only essential to maintaining the accounting and financial records of an
organization, it is essential to managing the entity. For that reason everyone, including external
auditors, management, board of directors, stockholders, government and other stake holders, is
interested in the internal control.

The important consideration of internal control in this chapter has three major objectives first,
to explain the meaning of internal control, second, the significance of purpose and objective of
internal control, third, the characteristics of good internal control. In addition, the chapter
would let you to know the broad classification of internal control and the major weakness of
internal control.
 3.2. Definition and Objective of Internal Control System

3.2.1. Definition Internal Control

Dear learner Internal Control is a process, effected by an entity’s board of directors,

management and other personnel, designed to provide reasonable assurance regarding the
achievement of objectives in the following categories.

(1) effectiveness and efficiency of operations

(2) Reliability of financial reporting, and

(3) Compliance with applicable laws and regulations.

Alternative definition, internal control system means all the policies and procedures adopted by
the directors and management of an entity to assist in achieving their objective of ensuring, as
far as practicable, the orderly and efficient conduct of its business, including adherence of
internal policies, the safeguarding of assets, the prevention and detection of fraud and error, the
accuracy and completeness of the accounting records, and the timely preparation of reliable
financial information.

Overall internal controls are also defined as operational checks and balances that prevent loss
due to fraud, waste, abuse, and mismanagement of resources. The core resources include:
personnel, information, and capital.

3.2.2. Objectives of Internal Control System

The objectives of setting an internal control system can be discussed from the perspectives of the
different parties who have interest over the internal control systems of an organization.

 Management : the management typically has the following objectives in setting up a

good system of internal control.

a) The orderly and efficient conduct of its business

An organization which is efficient and conducts its affairs in an orderly manner is much more
likely to be able to supply the auditors with sufficient appropriate audit evidence on which to
base their audit opinion. More importantly, the level of inherent and control risk will be lower,
giving extra assurance that the financial statements do not contain material errors.
 b) Adherence to Internal Policies

Management is responsible for setting up an effective system of internal control and

management policy provides the broad framework within which internal controls have to
operate. Unless management does have a pre-determined set of policies, then it is very difficult
to imagine how the company could be expected to operate efficiently. Management policy will
cover all aspects of the company's activities and will range from broad corporate objectives to
specific areas such as determining selling prices and wage rates.

Given that the auditors must have a sound understanding of the company's affairs generally,
and of specific areas of control in particular, then the fact that management policies are
followed will make the task of the auditors easier in that they will be able to rely more readily
on the information produced by the systems established by the management.

c) Safeguarding of Assets

This objective may relate to the physical protection of assets (for example by locking monies in
a safe at night) or to less direct safeguarding (for example ensuring that there is adequate
insurance, cover for all assets). It can also be seen as relating to the maintenance of proper
records in respect of all assets.

The auditors will be concerned to ensure that the company has properly safeguarded its assets
so that they can form an opinion on existence of specific assets and, more generally, on
whether the company's records can be taken as a reliable basis for the preparation of financial
statements. Reliance on the underlying records will be particularly significant where the figures
in the financial statements are derived from such records rather than as the result of physical
inspection.

d) Prevention and Detection of Fraud and Error

The directors are responsible for taking reasonable stops to prevent and detect fraud. They are
also responsible for preparing financial statements, which give a true and fair view of the
entity's affairs. However, the auditors must plan and perform their audit procedures and
evaluate and report the results thereof, recognizing that fraud or error may materially affect the
financial statements. A strong system of internal control will give the auditors some assurance
that frauds and errors are not occurring. Unless management are colluding to overcome that
system.
 e) Accuracy and completeness of the accounting records/timely preparation of
reliable financial information

This objective is most clearly related to statutory requirements relating to both management
and auditors. The auditors must form an opinion on whether the company has fulfilling this
obligation and also conclude whether the financial statements are in agreement with underlying
records.

3.2.3. Detailed internal control objectives- for reliability of financial reporting:

There are seven detailed objectives that an internal control system must meet to prevent errors
in the accounting records. A basic assumption that underlines the assessment of whether the
objectives were met is that the system of internal control was in operation as described for the
period of reliance. The auditor must be careful to ensure that the objectives were met
continuously and not just periodically.

The client's system of internal control must be sufficient to provide reasonable assurance that:

a. recorded transactions are valid (validity). The system should not permit the inclusion of
fictitious or non-existent transactions in journal or other accounting records.

b. transactions are properly authorized (authorization). If a transaction that is not authorized

takes place, it could result in a fraudulent transaction and it could also have the effect of
wasting or destroying company assets.

c. the existing transactions are recorded (completeness). The client's procedures must provide
controls to prevent the omission of transactions from the records.

d. transactions are properly valued (valuation). An adequate system includes procedures to

avoid errors in calculating and recording transactions at various stages in the recording
transactions at various stages in the recording process.

e. transactions are properly classified (classification). The proper account classification

according to the client's chart of accounts must be made in the journals if the financial
statements are to be properly stated. Classification also includes such categories as division
and product.

f. transactions are recorded at the proper time (timing). The recording of transactions either
before or after the time they took place increases the likelihood of failing to record
transactions or of recording them at the improper amount. If late recording occurs at the end
of the period, the financial statements will be misstated.
g. transactions are properly included in subsidiary records and correctly summarized (posting
and summarization). In many instances individual transactions are summarized and totaled
before they are recorded in the journals. The journals are then posted to the general ledger,
and the general ledger is summarized and used to prepare the financial statements.
Regardless of the method used to enter transactions in the subsidiary records and to
summarize transactions, adequate controls are needed to make sure summarization is
correct.
The seven detailed internal control objectives must be applied to each material type of
transaction in the audit, such transactions typically include sales, purchases, cash receipts and
payments, acquisition and issuance provision of goods and services, payroll, and so on.
3.3. The Auditor's Consideration of Internal Control

The importance of internal control to the auditor is rooted in the second standard of field work,
which states:
A sufficient understanding of internal control is to be obtained to plan the audit and to
determine the nature, timing, and extent of tests to be performed.
The controls that are relevant to the entity's ability to record, process, summarize, and report
financial data consistent with management's assertions (existence or occurrence, completeness,
rights and obligations, valuation or allocation, and Presentation and disclosure) are the auditor's
main concern. More specifically, the auditor needs assurances about the reliability of the data
generated within the internal control system in terms of how it affects the fairness of the
financial statements and how well the assets and records of the entity are safeguarded.
As we have seen in the previous chapter, the auditor's understanding of internal controls is a
major factor in determining the overall audit plan and strategy.Thus, the primary purpose of
studying and evaluating of internal control system by external auditors is to determine the
amount of audit work. It is assumed that good internal control provides more reliable financial
data and statements.
Check your progress 3-1:
Dear leaner please read each of the following questions and answer them.

1. Define internal control system.

___________________________________________________________________________
_________________________________________________________________________ .
2. What are the objectives of internal control?

___________________________________________________________________________
_____________________________________ .
3.4. Elements of Internal Control

3.4.1. Components of Internal Control

Internal controls can be characterized as two types: administrative controls and accounting
controls. Administrative controls are primarily concerned with the promotion of operational
efficiency and the adherence to prescribed managerial policies. Administrative controls are
related to operational audits and compliance audits.

Accounting controls are principally concerned with safeguarding of assets and providing
assurance that the financial statements and the underlying accounting records are reliable.
Internal accounting controls relate to external and internal financial audit. The independent
auditor is primarily concerned with the accounting controls which generally bear directly and
importantly on the reliability of financial records.

Auditing standards state that the directors of an entity will set up internal controls in the
accounting system to assess the following:

a) Transactions are executed with proper authorization

b) All transactions and other events are promptly recorded at the correct amount, in the
appropriate accounts and in the proper accounting period.

c) Access to assets is permitted only in accordance with proper authorization.

d) Recorded assets are compared with the existing assets at reasonable intervals and
appropriate action is taken with regard to any differences.

The internal control consists of five interrelated components. These are:

 control environment
 risk assessment
 control activities/procedures
 information and communication
 monitoring
3.4.1.1. Control Environment

The control environment consist of the actions, policies and procedures that reflect the overall
attitudes of the top management, directors and owners of an entity about internal control and its
importance to the entity. If management believes that control is important others in the
organization will sense that and respond by carefully observing the controls established on the
other hand, if it is clear to members of the organization that control is not an important concern
to top management it will not be important to them.

For the purpose of understanding and assessing the control environment, the following are the
most important sub-components that the auditor should consider:

 Integrity and ethical values

 Commitment to competence
 Board of directors or audit committee participation
 Management’s philosophy and operating style
 Organizational structure
 Human resource policies and practices

3.4.1.2. Risk Assessment

One of the components of internal control is risk assessment. Management should carefully
consider the factors that affect the risk that the organization's objectives will not be achieved.
When considering the financial reporting objective, these risks include the threats to preparing
financial statements in accordance with accepted accounting principles and standards. For
example, the following factors might be indicative of increased financial reporting risk:

 changes in the organization's regulatory or operating environment

 changes in personnel
 changes in the accounting standards
 implementation of a new or modified information system
 rapid growth of the organization
 changes in technology affecting production processes or information systems
 introduction of new lines of business, products, or processes
Management's process of risk assessment is similar to the auditor's assessment of audit risk, as
described in chapter 3. However, the scope of management's risk assessment is more
comprehensive in that it involves consideration of factors that affect all of the organization's
objectives. The auditor's are concerned only with the level of inherent risk and control risk that
affect the organization's ability to produce financial statements that are in accordance with
generally accepted accounting principles.

3.4.1.3. Control activities/procedures

The control activities are policies and procedures in addition to those included in other four
components that help ensure that necessary actions are taken to address risks in the
achievement of the entity’s objectives. The control activities are commonly identified as
essential elements of internal control systems and discussed below.

Essential Elements of Sound (effective) Internal Control

It is necessary that a system has certain elements or characteristics that increase the likelihood
of reliable accounting records and safeguarding of assets. Elements are directly related to
internal control objectives and the way in which a company satisfies them. The following six
are discussed in this section. In evaluating the strength and weakness of a system of internal
control it is imperative to look into the following elements.

 Competent, trustworthy personnel with clear lines of authority and responsibility

 Adequate segregation of duties
 Proper procedures for authorization
 Adequate documents and records
 Physical control over assets and records
 Independent checks on performance

a) Competent and Trustworthy Personnel

The most important element of any system of internal control is its personnel. If employees are
competent and trustworthy, even if some of the other elements are absent, reliable financial
statements will results. Honest, efficient people are able to perform at a high level even when
there are few other controls to support them. Conversely, even if the other five elements of
control are strong, incompetent or dishonest people can reduce the system to a shambles.

b) Adequate Segregation of Duties

Four general guidelines for segregation of duties to prevent both intentional and unintentional
errors are of special significance to auditors. A discussion of each follows.

 Separation of the Custody of Assets from Accounting

The reason for not permitting a person who has temporary or permanent custody of an asset to
account for that asset is to protect the firm from fraud. When one person performs both
functions, there is an excessive risk of his disposing of the asset for personal gain and adjusting
the records to reliance himself of responsibility. For example, if the casher receives cash and
maintains both the cash and account receivable records, it is possible for has to take the cash
received from a customer and adjust the customer's account by failing to record a sale or by
recording a fictitious credit to the account.

 Separation of the Authorization of Transactions from the Custody of Related Assets

It is desirable, if possible, to prevent persons who authorized transactions from having control
over the related asset. For example, the same person should not authorize the payment of a
vendors invoice and also sing the cheque in payment of the bill. Similarly, the authority for
adding new employees to or eliminating terminated employees from the payroll should not be
given to the person responsible for distributing payroll cheques. As illustrated, the
authorization of the transaction and the handling of the related asset by the same person
increase the possibility of fraud within the organization.

 Separation of Duties within the Accounting Function

The least accounting system is one in which one employee is responsible for recording a
transaction from its origin to its ultimate posting in the general ledger. This enhances the
likelihood that unintentional or intentional errors will remain undetected and it may encourage
sloppy performance of duties. It is possible, however, that a single bookkeeper may be cost
effective.

There are many opportunities for automatic cross checking of different employees' work in a
manual system by simply segregating the recording in journals from the recording in related
subsidiary ledgers. It is also possible to segregate the responsibility for recording in related
journals, such as the sales and cash receipts journals.

 Separation of Operational Responsibility from Record Keeping Responsibility

If each department or division in an organization were responsible for preparing its won
records and reports, there would be a tendency to bias the results to improve its reported
performance. In order to ensure unbiased information, record keeping is typically included in a
separate department under the controller.

 Separation of IT duties from the duties of the key users outside IT

The computer operator (who inputs data) should not be able to modify the program and a
programmer should get access to input data. Such functions if performed by the same person it
creates temptation for manipulation.
The overall organizational structure of a business must provide proper segregation of duties,
yet still promote operational efficiency and effective communication.

c) Proper Procedures for Authorization

Every transaction must be properly authorized if controls are to be satisfactory. If any person in
an organization could acquire or expand assets at will, complete chaos would result.
Authorization can be either general or specific. General authorization means that management
establishes policies for the organization to follow. Subordinates are instructed to implement
these general authorizations by approving all transactions within the limits set by the policy.
Examples of general authorization are issuance of fixed price lists for the sale of products,
credit limits for customers, and fixed automatic recorder points for making purchases.

Specific authorization has to do with individual transactions. Management is often unwilling to

establish a general policy of authorization for some transactions. Instead, they prefer to make
authorizations on a case-by-case basis. An example is the authorization of a sales transaction
by the sales manager for a used car.

The individual or group who can grant either specific or general authorization for transactions
should hold a position commensurate with the nature and significance of the transactions. The
policy for such authorizations should be established by top management. For example, a
common policy is to have all acquisitions of capital assets over a set amount authorized by the
board of directors.

There is also a distinction between authorization and approval. Authorization is a policy

decision for either a general class transactions or specific transactions. Approval is the
implementation of management's general authorization decisions. For example, assume
management sets a policy authorizing the ordering of inventory when less than a three-week
supply on hand. That is a general authorization. When a department orders inventory, the desk
responsible for maintaining the perpetual record approves the order to indicate the
authorization policy has been met.

d) Adequate Documents and Records

Documents and records are the physical objects upon which transactions are entered and
summarized. They include such diverse items as sales invoices, purchase orders, subsidiary
ledgers, sales journals, time cards and bank reconciliation. Both documents of original entry
and records upon which transactions are entered are important elements of a system, but the
inadequacy of documents normally causes greater control problems.
Documents perform the function of transmitting information throughout the client's
organization and between different organizations. The documents must be adequate to provide
reasonable assurance that all assets are properly controlled and all transactions correctly
recorded. For example, if the receiving department fills out a receiving report when material is
obtained, the accounts payable department can verify the quantity and description on the
vendor's invoice by comparing it with the information on the receiving report.

Certain relevant principles dictate the proper design and use of documents and records.

Documents and records should be:

- Pre-numbered consecutively to facilitate control over missing documents, and as an aid in

locating documents when they are needed at a later date.

- Prepared at the time transaction takes place, or as soon thereafter as possible. When there is
a longer time interval, records are less credible and the chance for error is increased.

- Sufficiently simple to ensure that they are clearly understood.

- Designed for multiple uses whenever possible, to minimize the number of different forms.
For example, a properly designed and used sales invoice can be the basis for recording sales
in the journals, the authority for shipment, the basis for developing sales statistics, and the
support for salesmen's commission.

- Constructed in a manner that encourages correct preparation. This can be done by providing
a degree of internal check within the form or record. For example, a document might
include instruction for proper routing, blank spaces for authorization and approvals,
designated column spaces for numerical data.

e) Physical Control over Assets and Records

The most important type of protective measure for safeguarding assets and records is the use of
physical precautions. An example is the use of storerooms for inventory to guard against
pilferage. When the storeroom is under the control of a competent employee, there is also
further assurance that obsolescence is minimized. Fireproof safes and safety deposit vaults for
the protection of assets such as currency and securities are other important physical safeguards.

Physical safeguards are also necessary for records and documents. The redevelopment of lost
or destroyed records is costly and time consuming. Imagine what would happen if an accounts
receivable master file were destroyed. The considerable cost of backup records and other
controls can be justified to prevent this loss. Similarly, such documents as insurance polices
and promissory notes should be physically protected.

Mechanical protective devices can also be used to obtain additional assurance that accounting
information is correctly and accurately recorded. Cash registers and certain types of automatic
data processing equipment are all potentially useful additions to the system of internal control
for this purpose.

f)Internal Verification

The last specific element of control is the careful and continuous review of the other five, often
referred to as independent checks or internal verification. The need for a system of independent
checks arises because a system tends to deteriorate over time unless there is a mechanism for
frequent review. Personnel are likely to forget or intentionally fail to follow procedures or
become careless unless someone observes and evaluates their performance. In addition, both
fraudulent and unintentional errors are always possible, regardless of the quality of the
controls.

An essential characteristic of persons performing internal verification procedures is

independence from the individual originally responsible for preparing the data. A considerable
portion of the value of checks on performance is lost when the individual doing the verification
is a subordinate of the person originally responsible for preparing the data or lacks
independence in some other way.

Independent internal verification generally involves the review, comparison, and reconciliation
of data prepared by employees.

a. Verification should be made periodically or on a surprise basis.

b. Verification should be done by an employee independent of the personnel responsible for
the information.
c. Discrepancies and exceptions should be reported to a management level that can take
appropriate corrective action.
d. In large companies, independent internal verification is often assigned to internal auditors.
e. Internal auditors are employees of the company who evaluate on a continuous basis the
effectiveness of the company’s system of internal control.
f. They periodically review the activities of departments and individuals to determine
whether prescribed internal controls are being followed.
3.5. Limitations of Internal control

An internal control system should be designed and operated to provide reasonable assurance.
That is an entity’s cost of internal control system should not exceed the benefits that are
expected to be derived. The necessity of balancing the lost of Internal controls with the related
benefits requires considerable estimation and judgment on the part of management.

Therefore the idea of reasonable assurance arises from two concepts: cost – benefit, and the
inherent weakness: The cost – includes paying employees for implementing the system,
constructing and acquiring facilities (safes, stoves) printing of vouchers, forms, etc. the
benefits includes prevention of potential losses.

The inherent limitations include:

(i) Management override of internal control: an entity’s controls may be overridden by

management. For example, a senior – Level manager can require a low – level
employee to record entries into the accounting records (because) that are not
consistent with the substance of the transactions and are in violation of the
organization’s control. The lower – level employee may record the transaction,
even though he or she knows that it is a violation of control, because of fear of
losing he’s or her job.

(ii) Personnel errors or mistakes – The internal control system is only as effective as the
personnel who implement and perform the controls. For example, employees may
misunderstand instructions or make errors of judgment. They may make mistakes
because of carelessness, distraction, or fatigue.

(iii) Collusion – the effectiveness of segregation of duties lies in the Individuals per
forming only their assigned tasks or in the performance of one person being
checked by another. Collusion may occur, for example, an individual who receives
cash receipts from customers collide (agree) with the one who records those
receipts in the customers’ records order to steal cash from the entity.

(iv)Change in conditions -the possibility that procedures may become inadequate due to
changes in conditions or that compliance with procedures may deteriorate overtime.
This may particularly apply if a business is expanding internal controls designed to
cope with a smaller business may well have problems coping
 (v) Focus on routine tasks -Most systematic internal controls tend to be directed at routine
transactions than non-routine transactions. Hence it is important for auditors to
ascertain what may go on outside the accounting system.

Check your progress 3-2

Dear leaner please read each of the following questions and answer them.

1. What are the limitations of internal control?

______________________________________________________________
______________________________________________________________
________________________ .
2. Distinguish between administrative control and accounting .
______________________________________________________________
__________________________________________________ .

3.6. Summary

Internal control is a process affected by the clients’ board of directors, management, and other
personnel, designed to provide reasonable assurance regarding the achievement of objectives in
the categories of (1) effectiveness, and efficiency of operations, (2) reliability of financial
reporting (3) compliance with applicable laws and regulations.

The purpose of considering internal control in the auditors concern is to assess the audit risk
for each major financial statement assertions to determine the nature, timing and extent of the
substantive tests of that assertion. Whereas, in the managements concern, the purpose of
internal control is to increase profitability, safeguarding of assets and accounting records, to
produce reliable and accurate financial information, to adhere with applicable rules and
regulations. Thus, management of an organization should apply the six elements of good
internal control to achieve the above mentioned purposes and objectives.
3.7. Review Questions

Dear learner, the following review questions are prepared to enable you recap the basic
concepts discussed in the chapter and as well to help you assess your level of understanding as
per the objectives set at the beginning is the chapter.

1. What is the principle that states that the internal controls of an entity should not be greater
than the benefits those controls can be expected to deliver?
A. Reasonable assurance
B. Quality control
C. Cost and benefits analysis
D. Risk assessment
E. None of the above
2. Management often establishes a general policy of authorization on case by case basis to
facilitate smooth flow of operation and effective control.
A. True B. False
3. Internal verification refers to a careful and continuous review of the documents by
individuals originally responsible for preparing the data.
A. True B. False
4. What is the independent auditor’s principal purpose in conducting a study and evaluation of
the internal control structure?
A. To comply with generally accepted accounting principle
B. To obtain a measure of assurance of management’s efficiency
C. To plan and to determine the nature, timing, and extent of subsequent audit work
D. To maintain a state of independence in mental attitude in all matters relating to the audit
5. Proper segregation of functional responsibilities calls for separation of the
A. Authorization, recording and custodial function
B. Authorization, approval and execution functions
C. Authorization, execution and operation functions
D. Receiving, shipping and custodial functions

6. Regardless of the care followed in their design and implementation, internal control system
can never be regarded as completely effective.
A. True B. False

7. Which of the following is considered a major reason for establishing an internal audit
function?
A. To ensure the accuracy, reliability and timeliness of financial and operating data
used in management’s decision making.
B. To safeguard resources entrusted to the organization.
C. To assist members of the organization in the measurement and evaluation of the
effectiveness of the established internal control structure.
 D. To relieve overburdened management of the responsibility for establishing an
effective control structure.
E. None of the above
8. To provide the greatest degree of independence in performing internal auditing functions, an
internal auditor should probably report to the
A. Financial vice-president.
B. Corporate controller.
C. The general manager
D. Corporate stockholder

3.8. Glossary

 Accounting controls: are principally concerned with safeguarding of assets and providing
assurance that the financial statements and the underlying accounting records are reliable.

 Administrative controls: are primarily concerned with the promotion of operational

efficiency and the adherence to prescribed managerial policies.

 Authorization: is a policy decision for either a general class transactions or specific

transactions.

 Approval: is the implementation of management's general authorization decisions.

 Internal Control: is a process, effected by an entity’s board of directors, management and

other personnel, designed to provide reasonable assurance regarding the achievement of
certain objectives.