UNIT 10: INTERNAL CONTROL SYSTEM
Key unit competence: To be able to evaluate internal control system
Introductory activity
A case study
IHAHIRORYACU Ltd Company is located in Kigali city. Due to the lack of sufficient
staff at both managerial and operational levels, the management of the
company requested its staff to perform any tasks assigned to them. This implies
that there were no specific duties and responsibilities assigned to each staff member.
Procurement of goods and services is planned and executed by the Head of Finance
(HoF). The Head of Finance is the one who receives the goods and services
and later makes payments for them. Suppliers are paid with the use of cheques. As
part of practice, the cheques issued must bear the signatures of the HoF and the accountant.
The accountant is the brother-in-law of the HoF.
In accordance with the company’s human resources policy, the recruitment of staff is
done by a team of staff appointed by the Head of the Human Resources (HRM).
It is the responsibility of the Human Resources unit to conduct the recruitment
process and recommend to the Managing Director (MD) the competent candidates for
appointment. This is not done as per the policy; recruitment of staff is conducted
by the Head of Finance, who recommends the competent candidates to the MD for
appointment. The Human Resources unit only prepares monthly payrolls and
ensures that the employees are paid on time.
The management of petty cash is done by the accountant. No one follows up
on money spent through petty cash. No records are kept regarding petty cash management.
IHAHIRORYACU Ltd Company maintains three bank accounts. The signatories to
the bank accounts are the accountant and the HoF. Bank reconciliations for the bank
accounts are prepared at the end of the financial year.
Question
What are the weaknesses that exist in the management of IHAHIRORYACU Ltd Company?
10.1. Features of internal control system
Learning activity 10.1
A manager of a company would like to build an overall system, which will
allow the management of the organisation to govern and control organisational
activities, examine financial information and review operating activities.
1. What do you think this manager can do in order to provide the
company with an effective internal control system?
2. What are the main elements of an internal control system?
10.1.1. Meaning and features of internal control system
a) Meaning of internal control system
Internal control is the process designed and effected by those charged with
governance, management, and other personnel to provide reasonable assurance
about the achievement of the entity’s objectives with regard to reliability of
financial reporting, effectiveness and efficiency of operations and compliance
with applicable laws and regulations.
b) Features of internal control system
Effective internal control depends on good organization. Reducing the level of
errors and irregularities helps to ensure that the objectives of the control system
are effectively achieved.
• Organization plan
The first feature of an internal control system is the organization plan. In order for
it to be effective, it must be simple and flexible. This plan should clearly outline
the functions of each unit and its staff members.
• Segregation of functions
Structural independence of an organization means separating the functions of
each area of the company. This is essential for an effective internal control system,
as it ensures that one person is not responsible for all stages of an operation.
In this sense, all processes must go through different phases, and each of them
must be under the responsibility of different persons. Thus, the execution,
authorization or registration of a transaction is performed independently by
different employees.
• Control of access to assets
Effective internal control depends to a large extent on the security of the
processes. An organization achieves an adequate degree of security when
access to assets or accounting records is limited. This involves restricting
physical or remote access to assets or the preparation of documents for
authorizing access to them.
• Authorization system and procedure
Effective internal control includes methods to monitor the records of operations
and transactions. The procedures involved in an activity must include periodic
audits and reviews, as well as obtaining control information and authorisation.
10.1.2. Elements of internal control system
Internal control has five elements:
a) The control environment
The control environment is the framework within which controls operate. The
control environment is determined by the management of the business. The
control environment includes the governance and management functions and
the attitudes, awareness and actions of those charged with governance and
management concerning the entity’s internal control and its importance in the
entity.
Communication and enforcement of integrity and ethical values: Essential
elements which influence the effectiveness of the design, administration and
monitoring of controls.
Commitment to competence: Management’s consideration of the competence
levels for particular jobs and how those levels translate into requisite skills and
knowledge.
Organisational structure: The framework within which an entity’s activities for
achieving its objectives are planned, executed, controlled and reviewed.
Assignment of authority and responsibility: How authority and responsibility
for operating activities are assigned and how reporting relationships and
authorisation hierarchies are established.
Human resource policies and practices: Recruitment, orientation, training,
evaluating, counselling, promoting, compensation and remedial actions.
The auditor shall assess whether these elements of the control environment
have been implemented using a combination of inquiries of management and
observation and inspection.
Entity risk assessment process: An auditor must obtain an understanding of
whether the entity has a process for:
– Identifying business risks relevant to financial reporting objectives;
– Estimating the significance of the risks;
– Assessing the likelihood of risks occurrence;
– Deciding upon actions to address those risks.
b) Information system relevant to financial reporting
The information system relevant to financial reporting is a component of
internal control that includes the financial reporting system, and consists of
the procedures and records established to initiate, record, process and report
entity’s transactions and to maintain accountability for the related assets,
liabilities and equity.
The auditor shall obtain an understanding of the information system relevant to
financial reporting objectives, including the following areas:
– The classes of transactions in the entity’s operations that are
significant to the financial statements;
– The procedures, within both IT and manual systems, by which those
transactions are initiated, recorded, processed, corrected, transferred
to the general ledger and reported in the financial statements;
– The related accounting records, supporting information, and specific
accounts in the financial statements, in respect of initiating, recording,
processing and reporting transactions;
– How the information system captures events and conditions, other
than transactions, that are significant to the financial statements;
– The financial reporting process used to prepare the entity’s
financial statements, including significant accounting estimates and
disclosures;
– Controls surrounding journal entries, including non-standard journal
entries used to record non-recurring, unusual transactions or
adjustments.
c) Control activities
Control activities are those policies and procedures that help ensure that
management directives are carried out. This means that the auditor shall obtain
an understanding of control activities relevant to the audit and how the entity
has responded to risks arising from IT. Control activities include those activities
designed to prevent or to detect and correct errors.
Those include activities relating to authorisation, performance reviews,
information processing, physical controls and segregation of duties. Examples
of control activities include:
– Activities relating to authorisation;
– Performance reviews;
– Information processing;
– Physical controls and segregation of duties.
Components of control activities
– Approval and control of documents
– Controls over computerised applications
– Checking the arithmetical accuracy of records
– Maintaining and reviewing control accounts and trial balance
– Reconciliations of accounts balances such as bank account.
– Comparing the results of cash, security and inventory accounts with
accounting records
– Comparing internal data with external sources of information
– Limiting physical access to assets and records
– Segregation of duties
In brief, control activities are those policies and procedures that ensure
management’s directives are carried out. This means that the auditor shall
obtain an understanding of control activities relevant to the audit and how the
entity has responded to risks arising from IT.
Table illustrating control objectives and control activities
d) Entity risk assessment process
An auditor must obtain an understanding of whether the entity has a process
for:
• Identifying business risks relevant to financial reporting objectives;
• Estimating the significance of the risks;
• Assessing the likelihood of risks occurrence;
• Deciding upon actions to address those risks.
As part of managing business risk generally, the directors should have a system
for identifying and dealing with risks affecting the financial statements. If they
have such a system, and it works effectively, the chance of having an error in
the financial statements (control risk) is lower and so audit risk is lower. The
entity’s risk assessment process is an element of the control environment which
encompasses the entity’s process for identifying business risks relevant to
financial reporting objectives and deciding about actions to take to address
those risks.
If the entity has established such a process, the auditor would obtain an
understanding of it. If there is not a process, the auditor shall discuss with
management whether relevant business risks have been identified and how they
have been addressed.
e) Monitoring of controls
Monitoring of controls is a process to assess the effectiveness of internal
control performance over time. It includes assessing the design and operation
of controls on a timely basis and taking necessary corrective actions/measures.
Small companies - the problem of control
Many of the controls which would be relevant to a large entity are neither practical
nor appropriate for a small company. For a small company, the most important
form of internal control is generally the close involvement of the directors or
proprietors. However, that very involvement will enable them to override controls
and, if they wish, to exclude transactions from the records.
Auditors can have difficulties not because there is a general lack of controls but
because the evidence available as to their operation and the completeness of
the records is insufficient.
Segregation of duties will often appear inadequate in enterprises having a small
number of staff.
Similarly, because of the scale of the operation, organisation and management
controls are likely to be rudimentary at best.
The onus is on the proprietor, by virtue of their day-to-day involvement, to
compensate for this lack. This involvement should encompass physical,
authorisation, arithmetical and accounting controls as well as supervision.
However, it is important to stress that in a well-run small company, there will be
a system of internal control. In any case, all companies must comply with any
relevant legislation concerning the maintenance of a proper accounting system.
Where the manager of a small business is not himself/herself the owner, he/
she may not possess the same degree of commitment to the running of it as
an owner-manager would. In such cases, the auditors will have to consider
the adequacy of controls exercised by the shareholders over the manager in
assessing internal control.
Controls in a computer environment
Auditors must be able to cope with the special problems that arise when auditing
in a computer environment and keep abreast of technical innovation. There are
two types of controls: application controls and general IT controls.
Application controls are manual or automated procedures that typically operate
at a business process level. Application controls can be preventative or detective
in nature and are designed to ensure the integrity of the accounting records.
Accordingly, application controls relate to procedures used to initiate, record,
process and report transactions or other financial data.
General IT controls are policies and procedures that relate to many applications
and support the effective functioning of application controls by helping to
ensure the proper continuity of operations of information systems. General IT
controls commonly include controls over data centre and network operations;
system software acquisition, change and maintenance; access security; and
application system acquisition, development and maintenance.
Application controls and general IT controls are inter-related. Strong general
IT controls contribute to the assurance which may be obtained by an auditor in
relation to application controls.
On the other hand, unsatisfactory general IT controls may undermine strong
application controls or exacerbate unsatisfactory application controls.
The following points will particularly influence the auditors’ approach:
– Before auditors place reliance on application controls which involve
computer programs, they need to obtain reasonable assurance that
the programs have operated properly, by evaluating and testing the
effect of relevant general IT controls or by other tests on specific parts
of the programs;
– Sometimes, a programmed accounting procedure may not be subject
to effective application controls. In such circumstances, in order to put
themselves in a position to limit the extent of substantive procedures,
the auditors may choose to perform tests of controls by testing the
relevant general IT controls either manually or by using CAATs, to gain
assurance of the continuity and proper operation of the programmed
accounting procedure;
– In a computer environment, there is the possibility of systematic
errors. This may take place because of program faults or hardware
malfunction in computer operations. However, many such potential
recurrent errors should be prevented or detected by general controls
over the development and implementation of applications, the integrity
of the program and data files, and of computer operations;
– The extent to which the auditors can rely on general IT controls may
be limited because many of these controls might not be evidenced, or
because they could have been performed inconsistently.
Table illustrating application controls
Table illustrating general IT controls, controls and where they are needed
Application activity 10.1
1. Find out the requirements to achieve the overall objectives of
application controls.
2. Explain the various ways through which the segregation of duties
should be carried out.
10.2. Assessment and recording of information systems
Learning activity 10.2
BUGIRIMANA is an entrant or beginner in the auditing profession. The
association of accountants where he is a member has offered him an
opportunity to audit TUZAMURANE Ltd Company, a company in the medium
business category in the country. He was required to assess its recording
of information system and the entire internal control system.
1. What should the auditor do to assess the accounting system?
2. Explain how an auditor can test controls of the internal control system
of a business organisation.
3. What are several techniques for the assessment of control risk?
10.2.1. Assessment of information systems and internal control
Auditors should assume control risk is high, unless it is assessed as low, and
the assessment confirmed by tests of controls.
In order to assess the information system and internal control, the auditor may
do the following:
• Assess the adequacy of the accounting system as a basis for preparing
the financial statements;
• Identify the types of potential misstatements that could occur in the
financial statements;
• Consider factors that affect the risk of misstatements;
• Design appropriate audit procedures.
a) Accounting systems and the control environment
Auditors perform procedures to give them an understanding of the accounting
systems at a client. What procedures are carried out, how many
and when depend on the size and complexity of the entity (more procedures are
likely to be required if the system is big and complicated) and on whether its systems
are documented or not (if so, reading this will give some understanding of the
system).
It will also depend on the auditors’ assessment of the risk of material misstatement
in the financial statements. If the risk is low, fewer procedures will be carried out.
A client is unlikely to change its system substantially on a regular basis, so
normally, auditors simply have to update their understanding of the system from
the previous year (that is, for changes that have occurred during the year). They
do this by:
• Asking staff (inquiry)
• Watching staff operate the system (observation)
• Looking at documents produced by the system (inspection)
The auditor shall design and perform tests of controls to obtain sufficient
appropriate evidence as to the operating effectiveness of relevant controls if:
– The auditor’s assessment of risks of material misstatement at the
assertion level includes an expectation that the controls are operating
effectively (that is, the auditor intends to rely on the operating
effectiveness of controls in determining the nature, timing and extent
of substantive procedures); or
– Substantive procedures alone cannot provide sufficient appropriate
audit evidence at the assertion level.
b) Tests of controls
Tests of controls are audit procedures designed to evaluate the operating
effectiveness of controls in preventing, detecting and correcting material
misstatements at the assertion level and must cover the whole accounting
period.
• They are performed to obtain audit evidence about the effectiveness of
the:
– Design of the accounting and internal control systems, ie whether
they are suitably designed to prevent or detect and correct
material misstatements.
– Operation of the internal controls throughout the period.
The auditor will use inquiry in combination with other procedures (in particular
reperformance and inspection) to obtain evidence about the operating
effectiveness of controls and should consider:
– How controls were applied
– The consistency with which they were applied during the period
– By whom they were applied
Deviations in the operation of controls (caused by change of staff etc) may
increase control risk and tests of controls may need to be modified to confirm
effective operation during and after any change.
c) Questionnaires
Internal Control Questionnaires (ICQs) are used to ask whether controls
exist which meet specific control objectives.
Internal Control Evaluation Questionnaires (ICEQs) are used to determine
whether there are controls which prevent or detect specified errors or omissions.
The specific controls for major transaction systems (sales, purchases, inventory,
payroll etc) are examined in detail in later Units. Here we will look at the overall
objectives of the questionnaires, although we have included examples from
specific transaction systems to illustrate how ICQs and ICEQs are used.
Internal Control Questionnaires (ICQs)
The major question which internal control questionnaires are designed to answer
is ‘How good is the system of controls?’
Where strengths are identified, the auditors will perform work in the relevant
areas. If, however, deficiencies are discovered they should then ask:
a) What errors or irregularities could be made possible by these deficiencies?
b) Could such errors or irregularities be material to the financial statements?
c) What substantive procedures will enable such errors or irregularities to
be discovered and quantified?
Although there are many different forms of ICQ in practice, they all conform to
the following basic principles:
– They comprise a list of questions designed to determine whether
desirable controls are present.
– They are formulated so that there is one to cover each of the major
transaction cycles.
Since it is the primary purpose of an ICQ to evaluate the system rather than
describe it, one of the most effective ways of designing the questionnaire is to
phrase the questions so that all the answers can be given as ‘yes’ or ‘no’ and a
‘no’ answer indicates a deficiency in the system. An example would be:
Are purchase invoices matched to goods received notes before being passed
for payment?
A ‘no’ answer to that question clearly indicates a deficiency in the company’s
payment procedures. The ICQ questions below dealing with goods inward
provide additional illustrations of the ICQ approach.
Goods inward
• Are supplies examined on arrival as to quantity and quality?
• Is such an examination evidenced in some way?
• Is the receipt of supplies recorded, perhaps by means of goods inwards
notes?
• Are receipt records prepared by a person independent of those
responsible for:
– Ordering functions?
– The processing and recording of invoices?
• Are goods inwards records controlled to ensure that invoices are
goods to be determined (by pre-numbering the records and accounting
for all serial numbers)?
• Are goods inward records regularly reviewed for items for which no
invoices have been received?
– Are any such items investigated?
• Are these records reviewed by a person independent of those responsible
for the receipt and control of goods?
However, note that while ICQs are used primarily for evaluating a system, they
can still be used to record a system. If they are used to record a system, then
the questions will be constructed in such a way that they require answers in theform of descriptive notes on the system.
Internal Control Evaluation Questionnaires (ICEQs)
In recent years, many auditing firms have developed and implemented an
evaluation technique more concerned with assessing whether specific errors
(or frauds) are possible rather than establishing whether certain desirable
controls are present. This is achieved by reducing the control criteria for each
transaction stream down to a handful of key questions (or control questions).
The characteristic of these questions is that they concentrate on the significant
errors or omissions that could occur at each phase of the appropriate cycle if
controls are weak.
Internal control evaluation questionnaire: control questions
The sales (revenue) cycle
Is there reasonable assurance that:
• Sales are properly authorised?
• Sales are made to reliable payers?
• All goods despatched are invoiced?
• All invoices are properly prepared?
• All invoices are recorded?
• Invoices are properly supported?
• All credits to customers’ accounts are valid?
• Cash and cheques received are properly recorded and deposited?
• Slow payers will be chased and that bad and doubtful debts will be
provided against?
• All transactions are properly accounted for?
• Cash sales are properly dealt with?
• Sundry sales are controlled?
• At the period end the system will neither overstate nor understate
receivables?
The purchases (expenditure) cycle
Is there reasonable assurance that:
• Goods or services could not be received without a liability being
recorded?
• Receipt of goods or services is required in order to establish a liability?
• A liability will be recorded:
– Only for authorised items?
– At the proper amount?
• All payments are properly authorised?
• All credits due from suppliers are received?
• All transactions are properly accounted for?
• At the period end liabilities are neither overstated nor understated by
the system?
• The balance at the bank is properly recorded at all times?
• Unauthorized cash payments could not be made and that the balance
of petty cash is correctly stated at all times?
Wages and salaries
Is there reasonable assurance that:
• Employees are only paid for work done?
• Employees are paid the correct amount (gross and net)?
• The right employees actually receive the right amount?
• Accounting for payroll costs and deductions is accurate?
Inventories
Is there reasonable assurance that:
• Inventory is safeguarded from physical loss (eg fire, theft, deterioration)?
• Inventory records are accurate and up to date?
• The recorded inventory exists?
• The recorded inventory is owned by the company?
• The cut-off is reliable?
• The costing system is reliable?
• The inventory sheets are accurately compiled?
• The inventory valuation is fair?
Non-current assets
Is there reasonable assurance that:
• Recorded assets actually exist and belong to the company?
• Capital expenditure is authorised and reported?
• Disposals of non-current assets are authorised and reported?
• Depreciation is realistic?
• Non-current assets are correctly accounted for?
• Income derived from non-current assets is accounted for?
Management information and general controls
• Is the nominal ledger satisfactorily controlled?
• Are journal entries adequately controlled?
• Does the organisation structure provide a clear definition of the extent
and limitation of authority?
• Are the systems operated by competent employees, who are adequately
supported?
• If there is an internal audit function, is it adequate?
• Are financial planning procedures adequate?
• Are periodic internal reporting procedures adequate?
Each key control question is supported by detailed control points to be
considered.
For example, the detailed control points to be considered in relation to key
control question (b) for the expenditure cycle (Is there reasonable assurance
that receipt of goods or services is required to establish a liability?) are as
follows:
– Is segregation of duties satisfactory?
– Are controls over relevant master files satisfactory?
– Is there a record showing that all goods received have been reviewed for:
• Weight or number?
• Quality and damage?
• Are all goods received taken on charge in the detailed inventory ledgers?
– By means of the goods received note?
– Or by means of purchase invoices?
– Are there, in a computerised system, sensible control totals (hash
totals, money values and so on) to reconcile the inventory system
input with the payables system?
• Are all invoices initialled to show that,
– Receipt of goods has been matched to the goods received record?
– Receipt of services has been verified by the person using it?
– Quality of goods has been reviewed against the inspection?
In a computerised invoice approval system, are there printouts (examined by a
responsible person) of:
– Cases where order, GRN and invoice are present but they are not equal (‘equal’
meaning within predetermined tolerances for minor discrepancies)?
– Cases where invoices have been input but there is no corresponding
GRN?
• Is there adequate control over direct purchases?
• Are receiving documents effectively cancelled (for example cross-referenced) to prevent their supporting two invoices?
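The exception printouts described above for a computerised invoice approval system, sketched as an added example that is not part of the original unit. The record layouts, exception codes, tolerance values and sample data are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Assumed "predetermined tolerances"; an entity would set its own values.
QTY_TOLERANCE = Decimal("0")        # units invoiced vs units received
PRICE_TOLERANCE = Decimal("0.01")   # fraction of the ordered unit price (1%)


@dataclass(frozen=True)
class Order:
    order_no: str
    qty: Decimal
    unit_price: Decimal


@dataclass(frozen=True)
class GRN:
    grn_no: str
    order_no: str
    qty_received: Decimal


@dataclass(frozen=True)
class Invoice:
    invoice_no: str
    order_no: str
    grn_no: Optional[str]   # None when no goods received note was quoted
    qty: Decimal
    unit_price: Decimal


def exception_report(orders, grns, invoices):
    """Return (invoice_no, code, detail) rows for a reviewer to follow up."""
    orders_by_no = {o.order_no: o for o in orders}
    grns_by_no = {g.grn_no: g for g in grns}
    # A GRN that supports more than one invoice was not effectively cancelled.
    grn_use = Counter(i.grn_no for i in invoices if i.grn_no)
    rows = []
    for inv in invoices:
        grn = grns_by_no.get(inv.grn_no) if inv.grn_no else None
        if grn is None:
            rows.append((inv.invoice_no, "NO_GRN",
                         "invoice input with no corresponding GRN"))
            continue
        if grn_use[inv.grn_no] > 1:
            rows.append((inv.invoice_no, "GRN_REUSED",
                         f"{inv.grn_no} supports {grn_use[inv.grn_no]} invoices"))
        order = orders_by_no.get(inv.order_no)
        if order is None or grn.order_no != inv.order_no:
            rows.append((inv.invoice_no, "NO_ORDER",
                         "invoice and GRN do not trace to one order on file"))
            continue
        # Invoice vs GRN on quantity (part deliveries make GRN < order valid).
        if abs(inv.qty - grn.qty_received) > QTY_TOLERANCE:
            rows.append((inv.invoice_no, "QTY_MISMATCH",
                         f"invoiced {inv.qty}, received {grn.qty_received}"))
        # Invoice vs order on price, within the relative tolerance.
        if abs(inv.unit_price - order.unit_price) > order.unit_price * PRICE_TOLERANCE:
            rows.append((inv.invoice_no, "PRICE_MISMATCH",
                         f"invoiced {inv.unit_price}, ordered {order.unit_price}"))
    return rows


D = Decimal
# Constructed sample records, not taken from any real system.
ORDERS = [Order("PO-1", D("100"), D("10.00")),
          Order("PO-2", D("50"), D("4.00")),
          Order("PO-3", D("20"), D("7.50"))]
GRNS = [GRN("GRN-1", "PO-1", D("100")),
        GRN("GRN-2", "PO-2", D("45")),
        GRN("GRN-3", "PO-3", D("20"))]
INVOICES = [
    Invoice("INV-1", "PO-1", "GRN-1", D("100"), D("10.05")),  # within tolerance
    Invoice("INV-2", "PO-2", "GRN-2", D("50"), D("4.00")),    # 50 billed, 45 received
    Invoice("INV-3", "PO-3", None, D("20"), D("7.50")),       # no GRN at all
    Invoice("INV-4", "PO-3", "GRN-3", D("20"), D("9.00")),    # price above order
    Invoice("INV-5", "PO-3", "GRN-3", D("20"), D("7.50")),    # second use of GRN-3
]

if __name__ == "__main__":
    for invoice_no, code, detail in exception_report(ORDERS, GRNS, INVOICES):
        print(f"{invoice_no:6} {code:15} {detail}")
```

The report is only a control if a responsible person who did not input the invoices examines it and clears each row.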
10.2.2. Recording the information system and internal control
The auditor must keep a record of client’s systems, which must be updated
each year. This can be done with narrative notes, flowcharts, questionnaires or
checklists.
There are several techniques for recording the assessment of control risk
and one or more of the following techniques may be used depending on the
complexity of the system:
• Narrative notes
• Questionnaires
• Flowcharts
• Checklists
Whatever method of recording is used, the record will usually be retained on the
permanent file and updated each year. We will look at the use of questionnaires
in a little more detail here. There are two types, each with a different purpose.
• Internal Control Questionnaires (ICQs) are used to ask whether controls
exist which meet specific control objectives.
• Internal Control Evaluation Questionnaires (ICEQs) are used to
determine whether there are controls which prevent or detect specified
errors or omissions.
In most cases, specific controls are applied on major transactions relating to
sales, purchases, inventory, cash, payroll, revenue and capital expenditure.
Confirming understanding
In order to confirm their understanding of the control systems, auditors will often
carry out walk-through tests. This is where they pick up a transaction and follow
it through the system to see whether all the controls they anticipate should be
in existence were in operation with regard to that transaction.
Application activity 10.2
1. What are the major questions which internal control questionnaires are
designed to answer?
2. What should the auditor do in order to obtain audit evidence about
the effectiveness of the internal control system?
10.3. Communication and control activities
Learning activity 10.3
MUTUNZI is an auditor who has finished examining the internal control of
TURWUBAKE Ltd Company and wants to communicate for the first time the
findings of the audit examination to the management.
1. How does the auditor communicate the findings on the internal
control system to the organisation?
2. Give five statements reflecting the deficiencies in the internal control
system of an organisation.
10.3.1. Communication with the management
a) Communication with management
The auditor’s communication with the management concerns significant
deficiencies in internal control, which shall be communicated in writing
to those charged with governance in a report to management.
b) The deficiency in the internal control of the organisation
A deficiency in internal control exists when a control is designed, implemented or
operated in a way that is unable to prevent, or detect and correct misstatements
in the financial statements on a timely basis, or if a control necessary to prevent,
or detect and correct, misstatements in the financial statements on a timely basis is
missing.
Whether a deficiency is significant depends on the likelihood of a misstatement
occurring and its potential magnitude. Examples
of matters to consider when determining whether a deficiency in internal control
is a significant deficiency:
• The likelihood of the deficiencies resulting in material misstatements in
the financial statements in the future
• The susceptibility to loss or fraud of the related asset or liability
• The subjectivity and complexity of determining estimated amounts
• The amounts exposed to the deficiencies
• The volume of activity that has occurred or could occur
• The importance of the controls to the financial reporting process
• The cause and frequency of the exceptions identified as a result of the
deficiencies
• The interaction of the deficiency with other deficiencies in internal
control
• Evidence of ineffective aspects of the control environment
• Absence of a risk assessment process
• Evidence of an ineffective entity risk assessment process
• Evidence of an ineffective response to identified significant risks
• Misstatements detected by the auditor’s procedures that were not
prevented, or detected and corrected, by the entity’s internal control
• Restatement of previously issued financial statements that were
corrected for a material misstatement due to fraud or error
c) Necessary information the auditor should communicate to the
management
• Evidence of management’s inability to oversee the preparation of the
financial statements.
• The auditor shall communicate any significant deficiencies in internal
control to those charged with governance on a timely basis.
• The auditor shall also communicate in writing to management on a
timely basis significant deficiencies in internal control that the auditor
has communicated or intends to communicate to those charged with
governance.
• Deficiencies in internal control that have not been communicated to
management by other parties and that the auditor considers are of
sufficient importance to warrant management’s attention.
The auditor shall include the following in the written communication:
• A description of the deficiencies and an explanation of their potential effects
• Sufficient information to enable those charged with governance and management
to understand the context of the communication, in particular that:
• The purpose of the audit was for the auditor to express an opinion on
the financial statements.
• The audit included consideration of internal control relevant to the
preparation of the financial statements in order to design audit
procedures appropriate in the circumstances, but not to express an
opinion on the effectiveness of internal control.
• The matters being reported are limited to those deficiencies identified
during the audit and which the auditor has concluded are sufficiently
important to merit being reported to those charged with governance.
• The auditor may also include suggestions for remedial actions on the deficiencies.
Note: The communication to management of less important deficiencies in
internal control can be done orally.
10.3.2. Control activities of internal control system
a) Meaning of control activities
Control activities are those policies and procedures that help ensure that
management directives are carried out.
• The auditor should obtain an understanding of control activities relevant
to the audit and how the entity has responded to risks arising from IT.
• Control activities include those activities designed to prevent or to
detect and correct errors. Examples include activities relating to
authorisation, performance reviews, information processing, physical
controls and segregation of duties.
b) Examples of control activities
Approval and control of documents: Transactions should be approved by an
appropriate person. For example, overtime should be approved by departmental
managers.
Controls over computerised applications: These are controls that assess the
overall system of the computerised operations.
Checking the arithmetical accuracy of records: For example, checking to see
if individual invoices have been added up correctly.
Maintaining and reviewing control accounts and trial balances: Control
accounts bring together transactions in individual ledgers. Trial balances bring
together unusual transactions for the organisation as a whole. Preparing these
can highlight unusual transactions or accounts.
Reconciliations: Reconciliations involve comparison of a specific balance in
the accounting records with what another source says the balance should be,
for example, a bank reconciliation. Differences between the two figures should
only be reconciling items.
Comparing the results of cash, security and inventory counts with
accounting records: For example, in a physical count of petty cash, the balance
shown in the cashbook should be the same as the amount held.
Comparing internal data with external sources of information: For example,
comparing records of goods despatched to customers with customers’
acknowledgement of goods that have been received.
Limiting physical access to assets and records: Only authorised personnel
should have access to certain assets (particularly valuable or portable ones). For
example, ensuring that the inventory store is only open when store personnel
are there and is otherwise locked.
Segregation of duties
Segregation implies a number of people being involved in the accounting
process. This makes it more difficult for fraudulent transactions to be processed
(since a number of people would have to collude in the fraud), and it is also
more difficult for accidental errors to be processed (since the more people are
involved, the more checking there can be). Segregation should take place in
various ways:
• Segregation of function. The key functions that should be segregated
are the carrying out of a transaction, recording that transaction in the
accounting record and maintaining custody of assets that arise from
the transaction;
• The various steps in carrying out the transaction should also be
segregated;
• The carrying out of various accounting operations should be segregated.
For example: the same staff should not record transactions and carry
out the reconciliations at the period-end.
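The segregation rules listed above can be checked mechanically against a log of who performed each function for each transaction. The following is an added example, not part of the original unit; the record layout, function labels, transaction ids and staff names are constructed assumptions.

```python
from collections import defaultdict

# Pairs of functions the unit says should not be performed by the same person.
# The labels are assumptions chosen for this example.
CONFLICTS = [
    ("execute", "record"),     # carrying out vs recording the transaction
    ("execute", "custody"),    # carrying out vs custody of the resulting asset
    ("record", "custody"),     # recording vs custody of the resulting asset
    ("record", "reconcile"),   # recording vs period-end reconciliation
]

# Constructed sample log: (transaction id, function performed, staff member).
SAMPLE_LOG = [
    ("PO-001", "execute", "alice"), ("PO-001", "record", "bob"),
    ("PO-001", "custody", "carol"), ("PO-001", "reconcile", "dave"),
    ("PO-002", "execute", "erin"), ("PO-002", "record", "erin"),
    ("PO-002", "custody", "erin"), ("PO-002", "reconcile", "bob"),
    ("PO-003", "execute", "alice"), ("PO-003", "record", "bob"),
    ("PO-003", "custody", "carol"), ("PO-003", "reconcile", "bob"),
    ("PO-004", "execute", "alice"), ("PO-004", "record", "bob"),
]

def find_sod_violations(log):
    """Return sorted (txn, staff, function_a, function_b) tuples where one
    person performed two functions that should be segregated."""
    performed = defaultdict(lambda: defaultdict(set))  # txn -> function -> staff
    for txn, function, staff in log:
        performed[txn][function].add(staff)
    violations = []
    for txn, by_function in performed.items():
        for a, b in CONFLICTS:
            for staff in by_function.get(a, set()) & by_function.get(b, set()):
                violations.append((txn, staff, a, b))
    return sorted(violations)

def find_missing_functions(log, required=("execute", "record", "custody", "reconcile")):
    """Return {txn: [functions with nobody recorded]}; a missing step means
    segregation cannot be evidenced for that transaction."""
    seen = defaultdict(set)
    for txn, function, _staff in log:
        seen[txn].add(function)
    return {t: [f for f in required if f not in fs]
            for t, fs in seen.items() if not set(required) <= fs}

if __name__ == "__main__":
    for violation in find_sod_violations(SAMPLE_LOG):
        print("conflict:", violation)
    print("incomplete:", find_missing_functions(SAMPLE_LOG))
```

A transaction with no recorded performer for a function is reported separately, because the absence of a conflict there shows only that the log is incomplete, not that duties were segregated.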
10.3.3. Benefits and limitations of internal control system
a) Benefits
The auditors shall assess the adequacy of the systems as a basis for the financial
statements and shall identify risks of material misstatements to provide a basis
for designing and performing further audit procedures.
Auditors are only concerned with assessing policies and procedures which are
relevant to the financial statements. Auditors shall:
• Assess the adequacy of the accounting system as a basis for preparing
the accounts
• Identify the types of potential misstatements that could occur in the
accounts
• Consider factors that affect the risk of misstatements
• Design appropriate audit procedures
The assessment of the controls of an entity will have an impact on that risk
assessment.
Risks arising from poor control environments are unlikely to be confined to
particular assertions in the financial statements, and, if severe, may even raise
questions about whether the financial statements are capable of being audited,
that is, if control risk is so high that audit risk cannot be reduced to an acceptable
level.
On the other hand, some control procedures may be closely connected to an
assertion in financial statements, for example, controls over the inventory counts
are closely connected with the existence and completeness of inventory in the
financial statements.
There may be occasions where substantive procedures alone are not sufficient
to address the risks arising. Where such risks exist, auditors shall evaluate the
design and determine the implementation of the controls, which is by controls
testing. This is most likely to be the case in a system which is highly computerised
and which does not require much manual intervention.
b) Limitations
There are always inherent limitations to internal controls, including cost-benefit
requirements and the possibility of controls being by-passed and over-ridden.
Management of an entity will set up internal controls in the accounting system
to assess the following:
• Transactions are executed in accordance with proper authorisation.
• All transactions and other events are promptly recorded at the correct
amounts, in the appropriate accounts and in the proper accounting
period.
• Access to assets is permitted only in accordance with proper
authorisation.
• Recorded assets are compared with the existing assets at reasonable
intervals and appropriate action is taken with regard to any differences.
However, any internal control system can only provide the directors with
reasonable assurance that their objectives are reached, because of inherent
limitations, such as the following:
The potential for human error
These include the fact that human judgement in decision-making can be faulty
or produce simple errors and mistakes. For example: if an entity’s information
system personnel do not completely understand how the company’s order entry
system operates, they may incorrectly design changes to this system.
On the other hand, they may design the changes correctly but these may be
misunderstood by the personnel responsible for translating them into program
code. Errors may also occur in the use of information produced by IT. For example:
automated controls may be designed to report transactions over a specified
amount for management review, but individuals responsible for conducting the
review may not understand the purpose of these reports, and fail to review them
or investigate unusual items.
The possibility of controls being by-passed or over-ridden
Controls can be circumvented by the collusion of two or more people, or
management may inappropriately override controls. For example: management
could enter into a side agreement with customers that alters the terms and
conditions of sales contracts, which could result in improper revenue recognition.
Also, edit checks in a software program that are designed to identify and report
transactions that exceed specified credit limits may be overridden or disabled.
Collusion among employees
In any organisation, collusion exists among employees due to different conflicting
circumstances.
The costs of controls outweighing their benefits
This is a particular problem faced by smaller entities. For example: smaller entities
often have fewer employees which may limit the extent to which segregation of
duties is practicable. It would not make commercial sense to employ additional
staff purely for the purposes of achieving greater segregation of duties.
However, this lack of formal control might be compensated for by a responsible
and ethical owner-manager, who closely monitors his/her company’s business
and accounting processes.
Controls tending to be designed to cope with routine and not non-routine transactions
Non-routine transactions are by their very nature unusual. As a result, it will be
difficult to predict what these might be, and it is therefore less likely that a system
will have been devised to deal with these effectively. Take a shipping company
that leases cargo ships to transport goods as an example. It may have effective
controls over leasing transactions, but if and when the company acquires a
vessel of its own, the controls around authorising and recording the acquisition
may be much less effective.
These factors show why auditors cannot obtain all their evidence from tests of
the systems of internal control.
The key factors in the limitations of a control system are human error and the potential
for fraud. The safeguard of segregation of duties can help deter fraud. However,
if employees decide to perpetrate frauds by collusion, or management commits
fraud by overriding systems, the accounting system will not be able to prevent
such frauds.
Application activity 10.3
1. How do auditors assess policies and procedures which are relevant
to the financial statements?
2. What does the management of an entity assess when it sets up
internal controls in the accounting system?
Skills lab activity 10
Under the supervision of the teacher, students in their learning teams role-play
the communications with management, where one group plays the
management and another plays the auditor.
End unit 10 assessment
1. Define the term internal control system
2. What are the features of the internal control system?
3. Explain briefly the elements of internal control system.
4. What are different ways in which segregation of duties should be
carried out to ensure that there is an effective internal control system
within the organisation?
5. After defining control activities, give some examples which explain
the application of control activities within an organisation.
6. In order to reflect a clear distinction between control objectives
and control activities, draw a table which illustrates the difference
between the two parts using examples.
7. Describe problems relating to internal control system and application
of controls in small companies.
8. After defining tests of controls, draw a table which demonstrates
how tests of controls are applied in the internal control system of an
organisation.
9. Find examples of matters to consider when determining whether a
deficiency in internal control is a significant deficiency.
10. What are the limitations of internal control system?
11. What are the benefits of internal control?
- Are goods inwards record controlled to ensure that invoices are