5.

Internal controls & deficiencies

Table of Contents
5.1. Introduction ....................................................................................................... 45
5.2 Definition of internal control ............................................................................. 45
5.3 Components of Internal control ......................................................................... 45
5.4 Elements of internal control activities ............................................................... 50
5.5 Limitation of internal control ............................................................................. 53
5.6 Communicating deficiencies in internal control ISA 265............................... 54
5.6.1 Introduction ................................................................................................. 54
5.6.2 Objective ..................................................................................................... 54
5.6.3 Deficiency definition .................................................................................. 54
5.6.4 Importance and advantages of internal controls ......................................... 54
5.6.5 Examples of matters leading to significant deficiencies ............................. 55
5.6.6 Reporting procedures .................................................................................. 56
5.6.7 Illustrative example 1 .................................................................................. 56
5.6.8 Illustrative example 2 .................................................................................. 60

44

By Busara

5.Internal controls & deficiencies

5. INTERNAL CONTROLS
5.1. Introduction
As mentioned in previous chapter, it is the statutory responsibility of the
directors of a company for ensuring that proper accounting records are
kept and annual accounts presented to the members. The directors can
usually best discharge this responsibility by instituting a system of
internal control to ensure that the work is properly carried out by the
employees of the company.
The strength of internal control (or the presence of control weaknesses)
determines the reliance that the auditor may place on controls, established
by management, in determining the correctness of recorded amounts.
The great4er the reliance that can be placed on controls, the less the
reliance needed from substantive testing.
5.2 Definition of internal control
Internal control may be defined as the whole system of controls, financial
and otherwise, established by the management in order to carry on the
business of the company in an orderly manner, safeguard its assets and
secure, as far as possible, the accuracy and reliability of its records, and
improvement in operational efficiency and adherence to company
policies.
Internal control can be defined as the process designed and effected by
those charged with governance, management and other personnel to
provide reasonable assurance about the achievement of the entitys
objectives with regard to reliability of financial reporting, effectiveness,
and efficiency of operations and compliance with applicable laws and
regulation.
5.3 Components of Internal control
Internal control consists of the following five components: control
environment, entitys risk assessment process, control activities,
monitoring of controls, and information system, including the related
business processes, relevant to financial reporting and communication.
These components are discussed as hereunder:
(1) The control environment
Control environment includes the governance and management functions
and the attitudes, awareness and actions of these charged with governance
and management concerning the entitys internal control and its

45

By Busara

5.Internal controls & deficiencies

importance in the entity. It is the foundation for effective internal control,

providing discipline and structure. Control environment is a component
of internal control.
The control environment encompasses the following elements
(a) Communication and enforcement of integrity and ethical values.
The effectiveness of controls cannot rise above the integrity and ethical
values of the people who create, administer, and monitor them. Integrity
and ethical values are essential elements of the control environment
which influence the effectiveness of the design, administration, and
monitoring of the design, administration, monitoring of other components
of internal control. Integrity and ethical behavior is the product of the
entitys ethical and behavioral standards, how they are communicated,
and how they are reinforced in practice. They include managements
actions to remove or reduce incentives and temptations that might prompt
personnel to engage in dishonest, illegal, or unethical acts. They also
include the communication of entity values and behavioral standards to
personnel through policy statements and codes of conduct and by
example.
(b) Commitment to competence.
Competence is the function of knowledge, skills and experience
necessary to accomplish tasks that define the individuals job.
Commitment to competence includes managements consideration of the
competence levels for particular jobs and how those levels translate into
requisite skill and knowledge.
(c) Participation by those charged with governance.
An entitys control consciousness is influenced significantly by those
charged with governance. Attributes of those charged with governance
include independence from management, their experience, and stature,
the extent of their involvement and scrutiny of activities, the information
they receive, the degree to which difficult questions are raised and
pursued with management and their interaction with internal and external
auditors. The importance of responsibilities of those charged with
governance is recognised in codes of practice and other regulations or
guidance produced for the benefit of those charged with governance
including oversight of the design and effective operation of whistle
blower procedures and the process for reviewing the effectiveness of the
entitys internal control.

46

By Busara

5.Internal controls & deficiencies

(d) Managements philosophy and operating style

Managements approach to taking and managing business risks, and
managements attitudes and actions towards financial reporting,
information processing and accounting functions and personnel.
(e) Organization structure
An entitys organisation structure provides the framework within which
its activities for achieving entity wide objectives are planned, exectu43ed,
controlled, and reviewed.
Establishing a relevant organisational
structure includes considering key areas of authority and responsibilit8iy
and appropriate lines of reporting.
(f) Assignment of authority and responsibility.
This factor includes how authority and responsibility for operating
activities are assigned and how reporting relationship and authorization
hierarchies are established. It also includes policies relating to appropriate
business practices, knowledge and experience of key personnel, and
resources provided for carrying out duties. In additional it includes
policies and communications directed at ensuring that all personnel
understand the entitys objectives, know how their individual actions
interrelate and contribute to those objectives, and recognise how and for
what they will be held accountable.
(g) Human resource policies and practices
Human resources policies and practices relate to recruitment, orientation,
training, evaluating, counseling, promoting, compensation and remedial
actions. For example, standards for recruiting the most qualified
individuals with emphasis on educational background, prior work
experience, past accomplishments, and evidence of integrity and ethical
behaviour demonstrate an entitys commitment to competent and
trustworthy people.
(2) The entity risk assessment process
Entitys risk assessment process is its process for identifying and
responding to business risks and the results thereof.
The auditor should obtain an understanding of the entitys process for
identifying business risks relevant to financial reporting objectives and
deciding about actions to address those risks, and the results thereof.
Risks can arise or change due to circumstances such as the following:
(a) Changes in operating environment.

47

By Busara

5.Internal controls & deficiencies

Changes in the regulatory or operating environment can result in

changes in competitive pressures and significantly different risks.
(b) New personnel.
New personnel may have a different focus on or understanding of
internal control.
(c) New or revamped information systems.
Significant and rapid changes in controls and increase the risk of a
breakdown in controls.
(d) New technology.
Incorporating new technologies into production processes or
information systems may change the risk associated with internal
control.
(e) New business models, products, or activities.
Entering into business areas or transactions with which an entity has
little experience may introduce new risks associated with internal
control.
(f) Corporate restructuring.
Restructurings may be accompanied by staff reductions and changes
in supervision and segregation of duties that may charge the risk
associated with internal control.
(g) Expanded foreign operations.
The expansion or acquisition of foreign operations carries new and
often unique risks that may affect internal control, for example,
additional or changed risks from foreign currency transactions.
(h) New accounting pronouncements.
Adoption of new accounting principles or changing accounting
principles may affect risks in preparing financial statements.
In evaluating the design and implementation of the entitys risk
assessment process, the auditor determines:
How management identifies business risks relevant to financial
reporting,
Estimates the significance of the risks,
Assesses the likelihood of their occurrence, and
Decides upon actions to manage them.
(3) The information system, including the related business processes,
related financial reporting and communication

48

By Busara

5.Internal controls & deficiencies

The information system relevant to financial reporting objectives, which

includes the accounting system, consists of the procedures and records
established to initiate, record, process, and report entity transactions (as
well as events and conditions) and to maintain accountability for the
related assets, liabilities, and equity.
The auditor should obtain an understanding of the information system,
including the related business processes, relevant to financial reporting,
including the following areas:
(a) The classes of transactions in the entitys operations that is significant
to the financial statements.
(b) The procedures, within both IT and manual systems, by which those
transactions are initiated, recorded, processed and reported in the
financial statements.
(c) The related accounting records, whether electronic or manual,
supporting information, and specific accounts in the financial
statements, in respect of initiating, recording, processing and reporting
transactions.
(d) The financial reporting process used to prepare the entitys financial
statements, including significant accounting estimates and disclosures.
(4) Control activities
Control activities are policies and procedures that help ensure that
management directives are carried out.
The auditor should obtain a sufficient understanding of control activities
to assess the risks of the material misstatement at the assertion level and
to design further audit procedures responsive to assessed risks. For
example, that necessary actions are taken to address risks that threaten the
achievement of the entitys objectives.
Examples of specific control activities include those relating to the
following:
(a) Authorization
(b) Performance reviews
(c) Information processing
(d) Physical controls
(e) Segregation of duties
See below, elements of internal controls activities for additional notes
(5) Monitoring controls

49

By Busara

5.Internal controls & deficiencies

Monitoring in relation to quality control is a process comprising an

ongoing consideration and evaluation of the firms system of quality
control, including a periodic assessment of effectiveness of internal
control performance over time. It includes assessing the design and
operations of the controls on a timely basis and taking necessary
corrective actions modified for changes in conditions.
Monitoring controls can also be defined as a process to assess the
effectiveness of internal control performance over time. It involves
assessing the design and operation of controls on a timely basis and
taking necessary corrective actions modified for changes in conditions.
5.4 Elements of internal control activities
Control activities are the policies and procedures that help ensure that
management directives are carried out, for example, that necessary
actions are taken to address risks that threaten the achievement of the
entitys objectives. The following is a description of some of the types of
internal controls which the auditor may find in many enterprises and on
some or a combination of which he may seek to place some degree of
reliance:
1. Review and Authorization
Adequate authority levels should be established and set out for the
initiation or approval of transactions. All transactions, records and
document must be properly authorized. Authorization should be proper
from the responsible authority and should be based on the authorized
authorization limits. Authorization should be evidence by persons
signature.
Examples:
Purchase requisition review and authorization
Purchase order and contracts review and authorization
Payroll review and approval
Authorized price list and discounts
Purchase invoices approval before posting to purchase register and
creditors ledger.
2. Segregation of duties
There should be a well defined division of responsibilities between
departments, sections, and individuals, so that no one person handles a
transaction from the beginning to end. The purpose of the segregation

50

By Busara

5.Internal controls & deficiencies

of duties is first to detect innocent error and secondly to reduce the

opportunities for any person to be in a position to both perpetrate and
conceal errors or irregularities in the normal course of his/her duties.
This is generally achieved by segregating the functions of:
(a) Authorizing or initiation of transaction,
(b) Recording transaction in the accounting records
(c) Execution
(d) Maintaining custody of assets.
Rotation of duties.
Where practical, arrangements should be made for the duties of staff to be
rotated so that no one person deals with one aspect of the companys
accounting procedures on a continuously basis.
Annual leave
Every employee should be encouraged to take annual leave. The auditor
should put into inquiry if an employee is reluctant to do so.
3. Record and record keeping/Arithmetic and accounting.
Design and use of adequate documents and records. All transactions and
events must be properly recorded and the records such as register for
cash, purchases, sales, and payroll should be properly maintained.
Records must be in a permanent form (e.g. in ink, typed or computer
printed). Also documents such as sales invoice, tax invoice, cash receipts,
goods receiving notes, etc. should be sequentially pre-numbered
documents to ensure the completeness of recording.
Operational manuals should be prepared in all business operations and
documented. Records must be updated on a timely basis to portray a true
and fair picture of financial position and operation of a business.
Maintaining total control accounts to provide an independent overall
control over the ledgers to which they relate. Value totals of items to be
processed are recorded in a control account and the balances on which
control account is agreed periodically with the total of the balances on the
appropriate ledger. Sales and purchase invoices are posted to the posted
in total to the control account as well as being posted in detail to the
appropriate ledger accounts. The total of the balances on the individual
ledger accounts should then be reconciled with the control account
balance at regular intervals and any differences investigated. This

51

By Busara

5.Internal controls & deficiencies

technique ensures completeness and arithmetical accuracy of posting s to

the detailed ledgers, e.g. debtors or creditors.
4. Limited access to and use of assets and records/Physical controls
There should be a limited access to access organisational assets (safe,
strong room,) and records (payroll, vehicle registration card, cheques,
contracts, investment certificates, general ledgers, purchase & sales
orders, receipt books, assets, etc.), computer program and data files to
limited and authorized personnel. This could be exercised by using
password, use of locked cabinet, restricted access signs, etc.
5. Independent checks
These include surprise checks on financial records and assets by a person
who is independent of the operations. For example, petty cash count,
stocktaking, fixed asset counting, internal audit assignment, etc.
Usually large and medium size organisation will establish internal audit
department responsible for reviewing, and reporting to management on,
the design and operation of the controls in force and the accuracy of
information provided to management.
6. Reconciliation
Proper and regular reconciliation will enable the organisation to improve
on the quality of the information and data and hence make proper
decisions. Errors, omission, irregularities can be detected by performing
reconciliation. Records must be balanced on a regular basis and
variances, if any, must be investigation.
Examples of reconciliation include:
Cash book Vs. Bank Bank reconciliation
Creditors ledger Vs. Suppliers statement
Salary Vs. Net pay + deductions - payroll reconciliation
Physical and book stock reconciliation
This will ensure validity of transactions and the accuracy of the records.
7. Management Information System (MIS)
Establishing management information system on production, finance,
marketing, human resources etc. will ensure that proper, accurate and
timely decisions are made based on organisation MIS.
Scrutinizes or overall reviews to identify large or unusual items which
may not have been picked up by means of one of the other control
techniques.

52

By Busara

5.Internal controls & deficiencies

Review of monthly financial report especially trial balance, will ensure

the arithmetical accuracy of the bookkeeping.
8. Performance reviews.
These control activities include reviews and analyses of actual
performance versus budgets, forecasts, and prior period performance;
relating different sets of data operating or financial to one another;
together with analyses of the relationships and investigative and
corrective actions; comparing internal data with external sources of
information; and review of financial or activity performance, such as
banks consumers loan managers review of reports by ranch, region, and
loan type for loan approvals and collections. Budget and expenditure
comparison is part of the management control
5.5 Limitation of internal control
Internal control, no matter how well designed and operated, can provide
an entity with only reasonable assurance about achieving the entitys
financial reporting objectives. The likelihood of achievement is affected
by limitations inherent to internal control.
1. These include the realities that human judgment in decision-making
can be faulty and that breakdowns in internal control can occur
because of human failures, such as simple errors or mistakes.
2. The possibility of circumvention of Internal controls through collusion
by two or more people, managers and or employees, with other parties
inside or outside the entity.
3. Internal controls can be circumvented by inappropriate management
override of internal control. For example, management may enter into
side agreements with customers that alter the terms and conditions of
the entitys standards sales contracts, which may result in improper
revenue recognition. Also, edit checks in a software program that are
designed to identify and report transactions that exceed specified
credit limits may be overridden or disabled.
4. Smaller entities often have fewer employees, which may limit the
extent to which segregation of duties is practicable. However for key
area, even in a very small entity, it can be practicable to implement
some degree of segregation of duties or other form of unsophisticated
but effective controls. The potential for override of controls by the
owner manager depends to a great extent on the control environment
and in particular, the owner managers attitudes about the importance
of internal control.
53

By Busara

5.Internal controls & deficiencies

5. The need to balance the costs of the control with its benefits.
6. Obsolescence of controls.
5.6 Communicating deficiencies in internal control ISA 265
5.6.1 Introduction
International Standard on Auditing (ISA) 265 provides guideline on how
auditor should discover and communicate findings on the deficiencies on
the client internal control systems. This topic should also be read with
ISA 200 regarding objectives of the independent external auditor.
In
USA, Sarbanes Oxley Act 2002 requires independent external auditor to
report on significant weaknesses on the independent external auditors
report so that readers could be well informed about strengths and
weaknesses prevailing at the organization.
5.6.2 Objective
The standard (ISA 265) imposes reporting responsibility to the auditor to
those charged with governance and management deficiencies observed by
the auditor in the course of auditing financial statements of the client at
any stage of the audit whether familiarization stage, planning stage,
implementation stage, reporting stage, etc.
5.6.3 Deficiency definition
Deficiency in internal control as the missing or inability of the designed,
implemented and operated internal control to prevent, detect or correct
misstatements in the financial statements of the client/auditee in a timely
manner. Two main reasons either controls are not in place i.e. they are
missing or they are unable to detect weaknesses. If the matter is so
serious, then it is termed as significant deficiency in internal control
warranting the attention of those charged with governance. Significant
deficiency should be communicated in a timely manner to those charged
with governance in writing and if not very serious, the matter may be
communicated to the management only. Also, if the matter is not very
serious, the auditor may discuss the matter orally with the management.
5.6.4 Importance and advantages of internal controls
The internal controls of any entity are essential due to the following
benefits and advantages:

54

By Busara

5.Internal controls & deficiencies

1. Monitoring: Internal controls facilitate easy oversight of the

organization by those charged with governance and management.
2. Fraud: Internal controls prevent and detect fraud easily whenever
happens
3. Accounting policies: Internal controls will facilitate easy selection
and consistent application of the accounting policies yearly for
comparability reasons
4. Related party monitoring: Internal controls help organizations to
control on significant transactions with related parties with proper
accounting and accountability.
5. Financial year end processes: Year-end closure processes are
sometimes complex and tedious but with effective internal control
systems, the processes can be done well with high accuracy.
5.6.5 Examples of matters leading to significant deficiencies
The following are some examples of significant deficiencies which the
external auditors should seriously consider in determining whether a
deficiency in internal controls is significant:
1. The possibility of the deficiencies leading to material misstatements in
the financial statements
2. The possibility of loss on the financial statements
3. The possibility to fraud of the related assets or liabilities
4. The subjectivity involved in accounting for estimate amount
5. The amount in the financial statements involved or exposed to the
deficiencies
6. The volume of activity occurred or could occur in the account balance
or class of transactions exposed to the deficiencies.
7. Financial interest by management and governance members on some
transactions bringing conflict of interest
8. Management fraud which was not detected or prevented by the
internal control systems
9. Failure to implement previous audit recommendations on how to
strengthen internal controls
10.Lack of risk management process within the organization hence
leading to error, fraud and irregularities.
11.Lack of corrective action plan to address actual and potential risks
facing the organization

55

By Busara

5.Internal controls & deficiencies

12.Restatement of previously issued financial statements to correct

material misstatements due to error, irregularities and fraud.
13.Failure to close financial year timely for audit purpose.
5.6.6 Reporting procedures
ISA 265 titled Communicating Deficiencies in Internal Control to those
Charged with Governance and Management states that a significant
deficiency in internal control is a deficiency or combination of
deficiencies in internal control that, in the auditors professional
judgment, is of sufficient importance to merit the attention of those
charged with governance. Therefore, significant deficiency should be
reported to the Board of Directors. Upon discovering of significant
deficiency in internal control, the auditor should consider the following
1. Report in writing the detected deficiency in internal control
2. Examples and detailed explanations of the noted weaknesses
3. Cause, possible or actual, of the deficiency in internal control
4. Effects, actual or potential, of the reported deficiency
5. Likelihood of occurrence in future
6. If the deficiency is based on questionable management integrity, then,
auditor should consider sharing the matter with those charged with
governance
7. The nature of the organization: Public and listed company may require
a different method of communicating the deficiencies compared to the
privately owned company due to wider interest on public and listed
companies
8. Legal framework: The laws and regulations should be considered in
delivering deficiencies messages on entity internal control. In some
countries, laws and regulations may require the auditor or board
members or management to provide a copy of the auditors written
communication on significant deficiencies to respective regulatory
authorities. Auditor should comply
5.6.7 Illustrative example 1
Mrembo company Ltd is dealing with the provision of clothes for Miss
East Africa and Miss World contest and the company is spread all over
Africa and to the rest of the world from its base in Africa. The market has
been there for over 20 years targeting average and low income earners.

56

By Busara

5.Internal controls & deficiencies

Mrembo company closes its financial year on December each year and
the most recent financial year just ended in December 2011.
Purchase order - It presses order twice annually but the fashion for the
beauty (Warembo) moved so fast that the speed of the Mrembo company
hence a lot of obsolete stocks and out of fashion goods were piled up in
the warehouse and selling outlet without being sold out. Mrembo
Company changed its ordering strategy to Just in Time from stock pile for
sale system. The company has neither been audited by the external
auditor nor internal auditor for the last 2 years.
Orders are done by one person, the highly trusted procurement manager
without involving stores department or sales & marketing department.
Procurement clerk compiles all order from Africa and the rest of the
world and present to the highly trusted person to authorize, the
procurement manager.
It takes too long to get ordered goods to the
store despite of having an automated inventory system. The internal sales
and delivery system is not connected with other branches hence a
customer missing a beauty product in one branch may not get it from
another branch of the same company, Mrembo Company.
Purchase invoice and receipt of beauty goods for sale -Goods ordered
are directly delivered to the branches not headquarters of Mrembo
company limited. They are received by clerk and checked against
delivery order and GRN is prepared. The GRN will eventually be
forwarded to the headquarter of Mrembo company for reconciliation and
payment. Procurement Manager, is also responsible to review and
authorize all purchase invoices and this takes more time since he has
many responsibilities in Mrembo Company. Other processes of recording
the invoice to the purchase day book and respective creditors ledger will
follow.
Discussion questions
Write a letter discussing deficiencies, possible implication of each
deficiency and recommendation to eliminate deficiencies.
Proposed solution
March 15, 2015
Board Chair
Mrembo Company Limited Co.
P.O.Box 7140
Dar es Salaam

57

By Busara

5.Internal controls & deficiencies

Tanzania
Dear Sir/Madam Mrembo,
Re: Audit of Mrembo Company Ltd. December 2011
Thank you for appointing us to be the independent external auditors.
Attached, please find management letter on significant internal control
deficiencies which were observed in the most recent audit on
procurement with implication and recommendation to eliminate them.
Deficiency
1.Procurement
decisions are made
by
one
person
without
involving
sales and marketing
department
hence
may not have market
insight

Implication/consequences
Warehouse could have a
lot of unsold goods for
failing to match the
demanded beauty goods
with company supply side
hence failing to sell and
inadequate cash flow and
damage of products

2.The procurement
manager is the only
person who reviews
and
authorize
purchase orders all
over the world

Risk of errors due to one

man show hence poor
purchasing decision. High
possibility of buying what
is not needed in the market
High possibility of failing
to fulfill customers orders

3.Goods are only There is a high risk of

ordered by store running out of stock in the
clerk
absence of stores clerk.
4. Clients/customers
are instructed to
consult the nearest
branch
for
the
missing
products

Customer dissatisfaction
and
missing
sales
opportunities. Reflection
of inefficiency and lack of
clear vision to realize

58

Recommendation
Procurement
manager
should
involve
other
departmental
members on what
products to buy for
resale to avoid slow
moving goods and
cashflow problems
There should be a
proper segregation of
duties by allowing
other
procurement
members
to
participate
in
decision than one
person
Ordering can be done
from
different
branches based on
needs
Electronic
system
should be introduced
linking all branches
and headquarters to
track all orders. Staff

By Busara

5.Internal controls & deficiencies

instead of the office

consulting on behalf
of the client
5.Goods are received
without
being
verified

6.Sales clerks are

receiving
goods
instead
of
procurement clerks
7.Manual accounting
systems is used
when
receiving
goods from different
branches

targets hence slow moving,

low sales & market share,
cashflow challenges
Risk of receiving defective
products, poor quality
products and disputes

(not
customer)
should check stocks
with other branches
Goods
must
be
inspected at delivery
point before they are
accepted
and
recorded
Incorrect goods may be Procurement
and
received by the sales clerk Stores professionals
who is not professionally a should receive goods
procurement person.
Manual system may lead Procurement
and
to errors, irregularities, stores system should
fraud and takes long time be computerized to
to reconcile
improve efficiency.
Regular
reconciliation to be
performed

Please note that only significant deficiencies in internal control system on

procurement, invoicing and ordering were highlighted but other matter
which were significant were orally discussed with the management of the
Mrembo Company and the CEO promised to take corrective actions on
all matters.
Yours faithfully
CPA candidate
CPAPP auditing and accounting firm

59

By Busara

5.Internal controls & deficiencies

5.6.8 Illustrative example 2

Mshiko Company runs a printing factory. Part of the processes are
manually performed and part are done by machines in the process of
printing. Each employee is required to work for 8 hours daily as per labor
law and any work performed before will fall under overtime.
Clock in electronic register was established in Mshiko Company whereby
all employee are required to sign electronically at 7:00 am during the
working days. Employee salaries, wages and benefits are based on the
record from the clock in electronic register.
Casual laborers are working on shifts and required to sign in
electronically and their pay are based on the electronic records. Each shift
group comprises 100 staff with one supervisor. There are two major
groups. Each staff is assigned to a printing work daily and the target is to
produce 4,000 outputs of printing work. However, the system is not well
monitored and controlled by the organization officials. The payment
beyond ordinary working hours is made without proper supervision and
reconciliation with printing output. The electronic sign in/out machine is
signed out by staff daily by their thumb.
Attended man-hours are submitted to the finance and human resource
departments weekly for payroll processing and casual wage payment
based on electronic register and accountants performs reconciliation by
using a password to enter into system and make computation of net pay,
pension, tax and other deductions and income. The password used in
processing payroll is the surname of the accountant, which is also the log
in name into his computer. The accountant surname is very famous and
he keeps sharing his password with junior accountants whenever he is
busy to allow work continuing without his presence.
Net pay is paid directly to employee bank accounts once computed. The
same accountant authorizes all payrolls which he had prepared and post
them straight to employee bank accounts. The senior accountant reviews
once in a while where appropriate on payroll accuracy with related
returns. Mshiko Company pays well its staff and very rare staff leaves
their job. However, once in a while, some staff leaves the company for
greener pasture, further studies and when they differ with their
supervisors. Terminal benefits are made without checking resignation or

60

By Busara

5.Internal controls & deficiencies

termination notice and letter but based on other correspondences and

discussion between outgoing staff and management. Human resource
department and finance department are not in very good terms so each
department is working without sharing information for the best interest of
the organization.
Discussion questions
Write a management letter discussing deficiencies, implication and
recommendations to alleviate deficiencies. List auditors control
objectives and substantive procedures to audit payroll and compensation
system.
Suggested solution
May 30, 2015
Board of Directors
Mshiko Company
P.O.Box 7777
James Bond Street
Bukoba
Tanzania
Dear Madam/Sir,
Re: Deficiencies and recommendation
We have completed the audit of your good company and wishes to share
with you the finding on the internal controls with recommendation on
how to address them to improve the company effectiveness, efficiency
and economy.
Deficiency
1.There is no proper
monitoring system
of electronic signing
in when employees
are
entering
premises.

Implication/consequences
Risk of using fake
identities and paying for
work
not
performed,
leading to loss.

61

Recommendation
Design proper control
system in monitoring
electronic attendance
register. Supervisor
can reconcile physical
presence with records

By Busara

5.Internal controls & deficiencies

2.Senior
officials Risk of paying for nonare not authorizing performed job. Risk of
overtime payments overrunning the budget.
Losses to the organization

3.The
password
used to process
payroll
is
commonly known
and shared among
staff
4.Net pay is not
reconciled
with
payroll summary
5.Human
and
department
reconciling
monthly

resource
finance
are not
records

Risk
of
unauthorized
transactions on the payroll
and wage system. Risk of
double payment. Risk of
errors and ghost payment
Risk of over or underpay.
Risk of penalties and fines
from revenue authority and
pension funds
Risk of errors in payroll.
Risk of ghost staff. Risk of
fines and penalties on
incorrect terminal benefits.

Senior staff in the

production
department
who
attended shift should
authorize
overtime
and reconcile with
records
Password should not
be shared and should
have a combination of
words and numbers.
Password
updated
regularly.
Senior
accountant
should
reconcile
payroll and returns
monthly.
Finance and HR
department
to
reconcile payrolls and
returns before and
after
pay
day.
Employee
signed
termination letters to
be used as evidence
to support terminal
dues

Above is a summary of only significant deficiencies noted on the internal

control system. Other minor weaknesses were discussed with
management. We are looking forward to check the implementation of
recommendations on the next year audit.
Audit control objectives for salary and wage systems are discussed
below:

62

By Busara

5.Internal controls & deficiencies

1. Completeness: All payroll input transactions have been properly

recorded for payment purpose before due date of pay
2. Accuracy: employees are only paid their entitlement for which they
had worked on and the gross and net pay were properly computed
3. Cut off: Payroll and wage transactions were properly recorded in the
respective accounting period to match revenue and effort side
4. Authorization: Wages and salaries have been properly authorized by
the respective senior official of the organization
5. Reconciliation: Proper reconciliation is performed between detailed
payroll, HR records, and financial records before and after pay.
6. Existence: Staff who are paid did exist and worked hence verification
by physical inspection and record inspection should be done.
7. Payroll returns such as pension and tax (PAYE) are properly
computed and remitted to the revenue and pension authority within
prescribed deadlines
Kind regards
Wifi
CPA intermediate candidate
Mkaguzi CPAPP firm.

63

By Busara