INTERNAL CONTROL

SYSTEM
• Nature and Scope of Internal Control System
• Specific Internal Control Procedures
• Tests of Control
•  Internal Control Report to Management
•  Internal Audit as a Control Factor
 
NATURE AND SCOPE OF INTERNAL
CONTROL
• Introduction
• Definition
• Components of ICS
• Importance of ICQ
• Inherent Limitation of ICS
• Ascertaining ICS
• Recording/Documenting ICS
• Testing ICS
INTRODUCTION
• For systems based auditing to work effectively, the
auditor will like to rely on internal controls to reduce
the volume of substantive testing.
• It is therefore important for the auditor to examine the
internal control practice and procedures that are in
place in the client’s business.
• Where weaknesses are revealed, the auditor
recommends ways of improving the systems
• 
DEFINITION
• Policies and procedures adopted by the management
of entity to assist in the objective of achieving as far as
practicable, the orderly and efficient conduct of the
business, including
• adherence to internal policies,
• the safeguarding of assets,
• the prevention and detection of fraud and error,
• the accuracy and completeness of the accounting records,
and
• the timely preparation of reliable financial information.
COMPONENTS OF INTERNAL
CONTROL
• Control environment
• Risk assessment process
• Information system
• Control procedures/activities
• Monitoring of controls
Control environment
•The control environment includes:
– the governance and management functions
and the attitudes,
– awareness, and actions of those charged with
governance ,and
– management concerning the entity’s internal
control and its importance in the entity.
•The control environment sets the tone of an
organisation, influencing the control consciousness
of its people.
Control Environment
•The control environment has many elements such as
– communication and enforcement of integrity and
ethical values,
– commitment to competence,
– participation of those charged with governance,
management’s philosophy and operating style,
– organisational structure,
– assignment of authority and responsibility and
– human resource policies and practices
Entity’s risk assessment process
•For financial reporting purposes, the entity’s risk
assessment process includes how management
identifies business risks relevant to the preparation
of financial statements in accordance with the
entity’s applicable financial reporting framework.
•It estimates their significance, assesses the
likelihood of their occurrence, and decides upon
actions to respond to and manage them and the
results thereof.
,

The Information system

•The information system relevant to financial
reporting objectives consists of the procedures
and records designed and established to.
• Initiate , record, process and report
transactions
• Maintain accountability for access for
assets, liabilities and equity
• Resolve incorrect processing of transaction
The Information system
•Process and account for system overrides
•Transfer information to the general/nominal
ledger
•Capture information relevant to financial
reporting for other events and conditions, and
•Ensure information required to be disclosed in
appropriately reported
Control activities/procedures
•Control activities are the policies and procedures that help
ensure that management directives are carried out.
• Control activities, whether within information technology or
manual systems, have various objectives and are applied
at various organisational and functional levels.
Control activities/procedures
•Examples of specific control activities include those
relating to:
• Authorisation
• Maintaining controls accounts
• Checking the arithmetical accuracy of records
• Comparing internal data with external data source of information
• Performance review
• Reconciliations
• Information processing [General controls and appl controls]
• Limiting direct physical access to assets and records
• Segregation of duties
• Preventive controls
• Setting authorisation limits
• Physical control [limiting access to assets]
• Segregation of duties
• Budgeting systems
• Detective controls
• Reconciliation
• Exception reports
• Variance analysis
• Corrective controls
• Sanctions
• Punishments
• Correcting variances to avoid recurrence
Monitoring of controls
•Monitoring of controls is a process to assess the
effectiveness of internal control performance over time.
•It involves assessing the effectiveness of controls on a
timely basis and taking necessary remedial actions.
•Management accomplishes the monitoring of controls
through ongoing activities, separate evaluations, or a
combination of the two.
•Ongoing monitoring activities are often built into the normal
recurring activities of an entity and include regular
management and supervisory activities.
 
IMPORTANCE OF ICS
• Directors of corporate bodies set up internal controls in the
accounting system to ensure that:
• Transactions are executed in accordance with proper
authorization,
• All transactions are promptly recorded at the correct values in
the appropriate accounts and in accordance with relevant
regulatory frameworks,
• Access to assets is permitted in accordance with authorized
procedures, and
• recorded assets are compared with physically existing assets at
reasonable intervals and differences reconciled
• The Need for Internal Controls:
• Mgt ‘s perspective
• Internal Auditor’s perspective
• External auditor’s perspective
INHERRENT LIMITATION OF ICSs
• Any instituted internal control system only provides management
with reasonable assurance but not absolute assurance because of
inherent limitations such as the following:

•  The requirement that the cost of an internal control does

not outweigh the potential loss which may result from its
absence.
•  Most systematic internal controls tend to be directed at
routine transactions rather than non-routine transactions.
•The potential for human error in the operation of
internal controls due to carelessness, distraction,
mistakes of judgment and the understanding of
instructions.
•The possibility that a person responsible for
exercising an internal control could abuse that
responsibility by overriding an internal control.
• The possibility of controls being by-passed because
two or more people colluded. Collusion maybe
between people inside the organization, but may
involve outsiders as well.
• The possibility that procedures may become
inadequate due to changes in conditions or that
compliance with procedures may deteriorate over
time. This may particularly apply if a business is
expanding.
ASCERTAINING THE SYSTEM
• Procedures used to obtain evidence regarding the design
and implementation of controls include:
• Examining previous audit work
• Client’s own documentation of the system
• Interviews with client’s staff.
• Tracing transactions
• Examining client’s documents
• Observation of procedures
DOCUMENTING CLIENT SYSTEM
•Methods of recording the system may include
• Narrative Notes
• Organization Chart
• Internal Control Questionnaire[ICQs]
• Flow Charts and other Diagrammatic Presentation
• Risks and Control Forms
ICQs
• ICQ remains the longest used internal control assessment
and recording technique.
• Its function is to highlight precisely the areas of strength
and weakness in internal control.
• The questionnaire is a standardize pre-printed document
designed by the audit firm using it, and comprises a series
of questions designed to determine whether desirable
controls are present.
• They are formulated so that there is one to cover each of
the major transaction cycles.
• The following points are worth-noting about the use of
ICQ:.
•  An ICQ will normally be used if the size and complexity of
the client organization justifies it.
• A complete ICQ should have an effective life of
approximately three years during which only updating
would be necessary.
 • The completion of new ICQ would be necessary if a
major change in the system had taken place (e.g. a
change over from manual]
• The ICQ should be completed by a senior member of the
audit staff after putting the questions to the responsible
officers of the client company

 
• Observation and selected tests will ensure that the ICQ
accurately reflects the strengths and weaknesses within
the procedures that operate from day to day
• The auditor should not place reliance on controls on the
basis of this preliminary evaluation.
• He should conduct further compliance tests designated to
give a reasonable assurance that the controls are
functioning properly
• The questions should be formulated in such a way that the
relevant internal control criteria are implicit, so that no more than
a yes/no answer is required to indicate compliance or non-
compliance.
• This degree of simplicity is not possible for every question, for
example cases where it is necessary to know the names of
executive officer authorized to sign cheques, or the limit on the
authority of a particular officer to authorise expenditure.
ICQs
PURCHASES &TRADE PAYABLES YES NO N/A DATE

Are official orders issued showing names of

suppliers, quantities ordered and prices?

Are copies of orders retained on files?

Who authorizes orders and

what are their authority limits
Is a record kept of orders placed but not
TESTING THE SYSTEM
• Having documented the system, the auditor needs to
assess whether :
• They are actually being implemented, and
• They are effective
• In order to assess the operating effectiveness of
controls in preventing and detecting material
misstatement, the auditor performs tests of control.
• Tests of controls are designed to gather evidence
concerning:
• How controls were applied during the period;
• The consistency of application; and
• Who (or what they were applied by
• Typical methods of control testing include:
• Walkthrough tests [Where a transaction is
followed through the system]
• Observation of control activities [eg the
inventory count]
• Computer assisted audit technique [CAAT]