Auditing 1 L13 & 14 Internal Controls

Lecture 13
Internal Controls
 The auditors must understand the accounting
system and control environment in order to
determine their audit approach.
 An understanding of internal control assists the
auditor in identifying types of potential misstatements
and factors that affect the risks of material
misstatement, and in designing the nature, timing and
extent of further audit procedures.
 Internal control is defined as ‘the whole system of
control, financial and otherwise, established by the
management in other to carry on the business of the
enterprise in an orderly and manner efficient, ensure
adherence to management policies, safeguard the
assets and secure as far as possible the completeness
and accuracy of records’. APC of UK
 The individual components of an internal control
system are known as controls or internal controls.
 ‘Internal control is the process designed and effected
by those charged with governance, management, and
other personnel to provide reasonable assurance about
the achievement of the entity’s objectives with regard
to reliability of financial reporting, effectiveness and
efficiency of operations and compliance with
applicable laws and regulations’. ISA 315
 Internal controls includes all policies and procedures
adopted by the directors and management of an entity
to assist in their objective of achieving as far as
possible the orderly and efficient conduct of the
business including adherence to internal policies,
safeguard of assets, the prevention and detection of
fraud and error, the accuracy and completeness of
accounting record and timely preparation of reliable
financial statement.
Objectives of Internal Controls
 Internal Controls are instituted in an organization in
order to ensure:
 The reliability and integrity of information
 Compliance with policies
 The safeguarding of assets
 The economical and efficient use of resources
 The accomplishment of established objectives and goals
for operations and programmes
Elements of internal controls
 Internal control has five elements;
 The control environment
 The entity’s risk assessment process
 The information system relevant to financial reporting
 Control activities
 Monitoring of controls
Control environment
 The control environment is the framework within which
controls operate. It is very much determined by the
management of a business.
 It includes the governance and management functions and
the attitudes, awareness and actions of those charged with
governance and management concerning the entity’s
internal control and its importance in the entity.
 A strong control environment does not by itself, ensure the
effectiveness of the overall internal control system, but can
be a positive factor when assessing the risks of material
misstatement. A weak control environment can undermine
the effectiveness of controls
Elements of control environment
 Communication and enforcement of integrity and
ethical values.
 Commitment to competence
 Participation by those charged with governance
 Management’s philosophy and operating style
 Organizational structure.
 Assignment of authority and responsibility
 Human resource policies and practices
Entity’s risk assessment process
 ISA 315 says the auditor shall obtain an understanding
of whether the entity has a process for;
 Identifying business risks relevant to financial reporting
 Estimating the significance of the risks
 Assessing the likelihood of their occurrence
 Deciding upon actions to address those risks
Information system relevant to
financial reporting
 This is a component of internal control that includes
the financial reporting system, and consists of the
procedures and records established to initiate, record,
process and report entity transactions and to maintain
accountability for the related assets, liabilities and
equity. The areas include;
 Classes of transactions in the entity’s transactions
 Procedures within both IT and manual systems are
 Related accounting records
 Controls surrounding journal entrries
Control activities
 These are those policies and procedures that help
ensure that management directives are carried out.
 Control activities include those activities designed to
prevent or detect and correct errors. They include
activities relating to authorisation, performance
reviews, information processing, physical controls and
segregation of duties.
 Examples are approval and control of documents,
controls over computerised application, checking
arithmetical accuracy of records, etc
Monitoring of controls
 This is a process to assess the effectiveness of internal
control performance over time. It includes assessing
the design and operation of controls on a timely basis
and taking necessary corrective actions modified for
changes in conditions.
Limitations of accounting and
control systems
 Any internal control system can only provide the
directors with reasonable assurance that their
objectives are reached, because of inherent
limitations. These include;
 The costs of control not outweighing their benefits
 The potential for human error (key)
 Collusion between employees
 The possibility of controls being by-passed or
overridden by management
 Controls being designed to cope with routine and not
non-routine transactions
Recording accounting and control
 The auditor must keep a record of the client’s systems
which must be updated each year. This can be done
through the use of narrative notes, flowcharts,
questionnaires or checklists.
Narrative notes
 The purpose of narrative notes is to describe and explain
the system, at the same time as making any comments or
criticism which will help to demonstrate an intelligent
understanding of the system.
Simple to record and understand
Flexible method and can be used for any system
Editing is easy when computerised
Time consuming compared to flowcharts
Awkward to update if kept manually
Difficult to identify missing controls
 This can take many forms but generally are graphic illustrations of the
physical flow of information through the accounting system. Flowlines
represent the sequence of processes, and other symbols represent the
inputs and outputs to a process.
Visit http//
Can be prepared easily after a little experience
Fairly easy to follow and review
System is recorded in its entirety from start to end
Eliminate the need for extensive narrative
Suitable for standard systems
Amendment is difficult without withdrawing
Time consuming to areas that are of no audit significance
 The major question which internal control questionnaires
are designed to answer is ‘How good is the system of
 Although many different forms of ICQs exist in practice,
they all conform to the following basic principles.
 They comprise a list of questions designed to determine
whether desirable controls are present.
 Formulated to cover each of the major transaction cycle.
 ICQ is to evaluate the system as well as record it.
 Example; Are purchase invoices checked with GRN before
being passed for payment?
ICQ example on Goods inward
 Are suppliers examined on arrival as to quantity and
 Is such an examination evidenced in some way?
 Is receipt of suppliers recorded, perhaps by means of
goods inwards notes?
 Are receipt records prepared by a person independent
of those responsible for;
 Ordering function?
 The processing and recording of invoices
 ICEQs are concerned with assessing whether specific errors
(or frauds) are possible.
 They concentrate on significant errors or omissions that
could occur at each phase of the appropriate cycle if
controls are weak. Examples on purchases include;
 Is there reasonable assurance that;
 Goods or services could not be received without a liability
being recorded?
 Receipt of goods or services is required in order to establish a
 A liability will be recorded:
Only for authorised items
At the proper amount?
Advantages and disadvantages of
 Advantages
 Can ensure all controls are considered
 Quick to prepare
 Easy to use and control
 Easier to apply to a variety of systems than ICQs
 Identify key controls
 Highlight deficiencies
 Disadvantages
 Can be drafted vaguely, hence misunderstood
 May contain irrelevant controls
 May not include unusual controls
 May overstate controls
 Checklists may be used instead of questionnaires to
document and evaluate the internal control system.
The difference is that instead of asking questions,
statements are made to ‘mark off’ and tick boxes are
used to indicate where the statement holds true.
‘Suppliers are examined on arrival as to quantity and
Cross out
Checklists share many advantages and disadvantages
of ICQs and ICEQs
 Preventive Controls: that is, to deter undesirable
event from occurring.
 Detective Controls: This is aimed at detecting
undesirable event which have occurred.
 Corrective Controls: To remedy any undesirable
event that has occurred.
 S – Segregation of Duties
 O – Organisation
 A – Authorisation
 P – Physical
 S – Supervisory
 P – Personal
 A – Arithmetical and accounting
 M – Management
 These should be a division of responsibilities for
authorizing or initiating transactions physical custody
and control of assets recording the transaction.
Segregation of duties reduces the risk of intentional
manipulations or error and increase the element of
 Enterprises should have a plan of their organization,
defining and allocating responsibilities and
identifying lines of reporting for all aspects of the
enterprises operations, including the controls. The
delegation of authority and responsibility should be
clearly specified
 All transactions should require authorization or
approval by an appropriate responsible person. The
limits for these authorizations should be specified
 These are concerned mainly with the custody of assets
and involve procedures and security measures
designed to ensure that access to assets is limited to
authorized personnel. For example, the custody of the
keys to the safe should be limited to only the cashier
and possibly a highly placed responsible official.
 Any system of internal control should include the
supervision of responsible officials of day to day
transactions and recording thereof.
 There should be procedures to ensure be procedures to
ensure that personnel have capabilities commensurate
with their responsibilities. Inevitably, the proper
functioning of any system depends on the competence
and integrity of those operating it. The qualification,
selection and trainings well as the innate personal
characteristics of the personnel involved are important
features to be considered in setting up any control
 These are the controls within the recording functions
which check that the transactions to be recorded and
processed have been authorized, that they are all
included and that they are correctly recorded and
accurately processed. Such controls include checking
the arithmetical accuracy of the records, the
maintenance and checking of totals, reconciliations,
control accounts and trial balance and accounting for
 These are the controls exercised by management
outside the day to day routine of the system. They
include the overall supervisory controls exercised by
management, the review of management accounts,
and comparisons thereof with budget, the internal
audit function and any other special review
Limitations on the effectiveness of
internal controls
 No internal control system however elaborate, can by
itself guarantee efficient administration and the
completeness and accuracy of the records, nor can it
be proof against fraudulent collusions, especially on
the part of those holding positions of authority or
trust. Internal controls depending on separation of
duties can be avoided (side stepped) by collusion.
Limitations on the effectiveness of
internal controls
 Authorization controls can be abused by the persons
in whom the authority is vested, whilst the
competence and integrity of the personnel operating
the controls may be ensured by selection and training,
these qualities may alter due to pressure exerted both
within and outside the enterprise.
 Human error due to errors of judgment or
interpretation, or misunderstanding, carelessness,
fatigue or distraction may undermine the effective
operation of internal controls.
Why internal controls should
interest the auditor
 If the auditor wishes to place reliance on any internal
controls, he should ascertain and evaluate these controls
and perform compliance tests on their operation.
 The Auditors objective in evaluating and testing internal
controls is to determine the degree of reliance which he
may place on the information contained in the accounting
records. If he obtains reasonable assurance by means of
compliance test that the internal controls are effective in
ensuring the completeness and accuracy of the accounting
records and the validity of entries therein, he may limit the
extent of his substantive testing
In specific areas of business
Financial statement assertions
 Audit tests are designed to obtain evidence about the
financial statement assertions.
 Assertions relate to classes of transactions and
events, account balances at the period-end, and
presentation and disclosure.
 Financial statement assertions are the
representations by management, explicit or otherwise,
that are embodied in the financial statements as used
by the auditor to consider the different types of
potential misstatements that may occur.
Financial statement assertions
 ISA 315 states that the auditor must use assertions for
classes of transactions (ie income statement),
account balances (ie SOFP), and presentation and
disclosures in sufficient detail to form the basis for
the assessment of risks of material misstatement and
the design and performance of further audit
Assertions about classes of
transactions and events
 Occurrence; transactions and events that have been
recorded have occurred and pertain to the entity.
Completeness; all transactions have been recorded.
Accuracy; amounts and other data have been recorded
Cut-off; transactions have been recorded in the
correct accounting period
Classification; recorded in the proper accounts
Assertions about account balances
 Existence; assets, liabilities and equity interests exist.
 Rights and obligations; entity holds or controls the
rights to assets and liabilities are the obligations of the
 Completeness; all assets, liabilities and equity (ALE)
that should have been recorded have been recorded.
 Valuation and allocation; all ALE are included in the
financial statements at appropriate amounts and any
resulting valuation or allocation adjustments are
appropriately recorded.
Assertions about presentation and
 Occurrence and rights and obligation; disclosed
events, transactions and other matters have occurred
and pertain to the entity.
 Completeness; all disclosures that should have been
included in the financial statements have been
 Classification and understandability; financial
information is appropriately presented and described,
and disclosures are clearly expressed.
 Accuracy and valuation; information are disclosed
fairly and at appropriate amounts.
Cash sales and collections
 To ensure that all cash to which the enterprise is
entitled is received
 To ensure that all such cash is properly accounted for
and entered in the records
 To ensure that all cash is deposited promptly and
Cash sales and collections
 Clearly defining and limiting the number of persons who
are authorized to receive cash. Sales assistants, cashiers etc.
must be clearly identified.
 Establishing a means of evidencing cash receipts. E.g.
receipt books should be numbered serially and should be
in triplicates, a responsible official other than the cashiers
should keep control of the cash receipt books and the
issues as well.
 Ensure that whoever pays cash, must receive a receipt. And
if a cash register is used, the amount rung up should be
visible to the customer.
Cash sales and collections
 Appointment of officials with responsibility for employing
cash register at prescribed intervals, and agreeing the
amount present with till roll totals. Such collections should
be evidenced in writing and be initialed by the assistant
and the supervisor.
All cash and cheque must be banked intact and promptly.
All cash shortages and excesses should be promptly
The cashier should not have access to other cash funds or
sales ledgers or even the purchases ledger.
There should be occasional rotation of jobs.
Test of controls (compliance
 As part of his overall plan the auditor must ascertain the
adequacy of the accounting system and the internal
controls system. He will decide which controls if any he
wishes to rely on and plan compliance tests to determine
whether such reliance can be warranted. The auditor will
almost certainly use the Internal Control Evaluation
Questionnaire (ICEQ) completed for each component part
of the system to draw up the compliance controls to be
tested and provide information as to their strength and
 Test of Controls are designed to check that the control
procedures are being applied and that control objectives
are being achieved.
Sales System
 The three separate elements into which accounting
controls may be divided clearly appear in the
consideration of sales procedures. They are selling
(authorisation), goods outwards (custody) and
accounting (recording).
Sales System- Control objectives
 The control objectives include the following:
Sales are made in accordance with the company objectives, with
agreement in place with all customers.
Customer’s orders are authorised, controlled and recorded in
order to execute them promptly and determine any provision
required for losses arising from unfulfilled commitments.
Goods shipped and work completed is controlled to ensure that
invoices are issued and revenue recorded for all sales
Goods returned and claims by customers is controlled in order to
determine the liability for goods ordered and claims received but
not entered or recorded in the debtors’ records.
Invoices and credit notes are appropriately checked as being
accurate and authorised before being entered in the debtors’
Sales System-Control
 Selling: Considerations include the following:
 What arrangements are to be made to ensure that goods
are sold at their correct price and to deal with cheque
receipts, discounts and special reduction including
those in connection with cash sales?
 Who is responsible for and how control is to be
maintained over the granting of credit terms to
 Who is responsible for accepting customer’s orders and
what procedures are to be adopted for issuing
production orders and dispatch notes?
Sales System-Control
 Selling:
 Who is to be responsible for the preparation of invoice
and credit notes and what controls are to be instituted
to prevent errors and irregularities. For example, how
selling prices are to be ascertained and authorised, how
the issue of credit note is to be controlled and checked,
what checks should be on prices, quantities, extensions
and totals shown on invoices and credit notes and how
such documents in blank or completed form are to be
protected against loss or misuse.
 What special controls are to be exercised over the
dispatch of goods free of charge or on special terms?
Sales System-Control
 Goods Outwards: Factors to be considered
include the following:
 Who may authorize the dispatch of goods and how such
authority is evidenced.
 What arrangements are to be made to examine and
record goods outwards (preferably this should be done
by a person who has no access to stocks and has no
accounting or invoicing duties)
 The procedures to be instituted for agreeing goods
outwards records with customers’ orders, dispatch notes
and invoices.
Sales System-Control
 Accounting: As far as possible sales ledger staff
should have no access to cash, cash books or stocks
and should not be responsible for invoicing and other
duties normally assigned to sales staff. The following
are amongst matters which should be considered:
 The appointment of persons as far as possible separately
responsible for:
 Recording sales and sales returns
 Maintaining customers’ accounts
 Preparing debtors’ statements
Sales System-Control
 Arrangements to ensure that goods dispatched but not
invoiced (or vice versa) during an accounting period are
properly dealt with in the accounts of the periods concerned.
What procedures are to be adopted for the preparation,
checking and dispatch of debtors’ statements and for
ensuring that they are not subject to interference before
How discounts granted and special terms are to be authorised
and evidenced.
What procedures is to be adopted for reviewing and following
up overdue accounts.
Who is to authorize the writing off of bad debts and how such
authority is to be evidenced.
 Accounting Records:
Check additions and cross-casts of the sales daybook
and sales returns day book.
Check the posting of individual invoices to the
nominal ledger and the control accounts
Check entries in the sales day book and sales returns
day book back to original invoices, credit notes and
dispatch notes and vice versa.
 Invoices and Credit Notes:
 Check the numerical sequence of invoices, enquiring into
missing numbers and inspecting all copies of cancelled
Check copy sales invoices and credit notes with sales day
books and debtors’ ledger accounts, checking analysis of sales
day books where appropriate and authorisation of credit
Compare invoice prices with authorised, up to date price lists,
quotations and correspondence.
Check calculations and additions of invoices and credit notes
Scrutinize credit notes for large or unusual items.
 Stock Records:
 Check goods dispatched notes or goods outwards
records to copy sales invoices.
 Trace good outwards from invoice or dispatch note to
stock record
 Trace goods returned from return documentation to
stock records and credit notes.
 General: Where returns or allowances affect the
calculation of commissions, ensure that adjustments
have been made properly.
 Control Accounts: Test the year-end control account
reconciliation, checking back to source
documentation such as sales invoices, cash and returns
records. Ensure that any reconciling items are dealt
with properly.
 Analytical Procedures:
 Fluctuations in sales levels. Compare levels of sales
throughout the year on a month-by-month basis and
also sales in the last month of the year to sales in the
first month of the next year.
 Investigate any large fluctuations. Consider vouching
larger individual sales.
 Compare current gross profit percentage to previous
 Compare stock turnover rate to previous year.
 Cut Off Tests:
 Select items on both sides of the end date and ensure
that they have been properly treated in the correct
accounting period.
 Examine the file of unprocessed invoices and dispatch
notes and ensure that none belongs to the period under
review but has not been treated.
 Check that dispatch notes issued before the end of the
year but not matched by any invoices are accrued and
reported in the accounts under review.
 Disclosure
 Check the classification, description and presented of
sales and sales return in the financial statements.
 Check that amounts stated are in agreement with the
accounting records.
 You may have noticed that the tests of controls and
substantive procedures noted above sometimes appear
very similar. One test can serve both as a test of control
and as substantive procedure. Where for example, an
invoice is checked for authorisation (test of control) it
can also be checked for accuracy and pricing
(substantive procedure). This does not mean that tests
of controls and substantive procedures are
interchangeable. It is vital that you understand the
conceptual difference between the two types of test.

similar documents