CHAPTER FOUR

AUDIT OF INTERNAL CONTROL

4.1. Definition

Internal Control is process affected by an entity’s board of directors, management, and other
personnel that is designed to provide reasonable assurance regarding the achievement of
objectives in the following categories.
a. Effectiveness and efficiency of operations
b. Reliability of financial reporting, and
c. Compliance with applicable laws and regulations. Alternative definition defined by
AICPA (American Institutes for Certifications of Public Accountants) as: Internal
Control referees to all coordinate methods and measures within an organization or within
a system adopted to safeguard assets, cheek accuracy and reliability of accounting data,
promote operational efficiency and encourage adherence to prescribed managerial policy.

Overall internal controls are also defined as operational checks and balances that prevent loss
due to fraud, waste, abuse, and management of resources. The resources include: personnel,
information, and capital.
4.2. Purposes and Objectives of Internal Control

The purpose of internal control can be explained in to two aspects:

a) The management (client) concern and
b) The Auditors concern
4.2.1. The client concern
The reason an organization establishes a system of internal control is to attain objectives (goals).
Generally, management has the following purposes in setting good system of internal control.
These are to:
 Achieve reliability of accounting records.
 safeguard assets

Handout for Auditing I ch 4Page 1 prepared by Asfaw D.(Msc)

  increase profitability
 prevent and defeat frauds and errors
 prepare financial statements timely
 discharge laws, rules & regulations
Management is responsible for establishing and maintaining the entity’s internal controls
Mgt establishes and maintains control system
Reasonable assurance - Internal controls need only provide reasonable, not absolute
Assurance
Inherent limitations- No internal control system is perfect – only as good as the
employees using the system
Design of Internal Control – mgt must evaluate internal control whether the controls are
designed and put in place to prevent or detect material misstatements
Operating Effectiveness of Controls - management must test to determine whether the
controls are operating as designed
4.2.2. Auditors concern
They generally accepted auditing standard, field work standard, number three states that a
sufficient understanding of internal control is to be obtained to plan the audit and determine the
nature, timing and extent of testes to be performed. Thus, the primary purpose of studying and
evaluating of internal control system by external auditors is to determine the amount of audit
work. It is assumed that good internal control provides more reliable financial data and
statements.
The objectives of internal control includes to:
i) control operations – to ensure efficiency and effectiveness
ii) control financial reports – to ensure the preparation of reliable financial
statements
iii) control compliance – to ensure compliance of laws, regulations.
4.3. COMPONENTS OF INTERNAL CONTROL
1) CONTROL ENVIRONMENT
2) RISK ASSESSMENT
3) CONTROL ACTIVITIES
4) INFORMATION AND COMMUNICATION

Handout for Auditing I ch 4Page 2 prepared by Asfaw D.(Msc)

 5) MONITORING
4.3.1. CONTROL ENVIRONMENT
The control environment serves as the umbrella for the other four components. Without an
effective control environment, the other four are unlikely to result in effective internal control,
regardless of their quality.
Control environment consists, actions, policies and procedures that reflect the overall attitudes
of top management, board directors and owners of an entity about internal control and its
importance to the entity.
For the purpose of understanding and assessing these control environments, the following are the
most important subcomponents that the auditor should consider.
a) Integrity and ethical values: are the products of entity’s ethical & behavioral standards
& how they are communicated & reinforced in practice. They include management’s
action to remove or reduce incentives & temptations that might prompt personnel to
engage in dishonest, illegal, or unethical acts. They also include the communication of
integrity values & behavioral standards to personnel through policy statements and codes
of conduct.
b) Commitment to competence: competence is the knowledge skills necessary to
accomplish tasks that define the individual’s job. Commitment to competence includes
management’s consideration of the competence levels for specific jobs & how those
levels translate in to requisite skills & knowledge.
c) Board of directors or audit committee participation: an effective board of directors is
independent of management, & its members are involved in & scrutinize management’s
activities. The board delegates responsibility for internal control to management & is
charged with providing regular independent assessments of management- established
internal control. In addition, an active & objective board can often effectively reduce the
likelihood that management overrides existing controls. To assist the board in its
oversight, the board creates an audit committee that is charge with oversight
responsibility for the financial reporting process. The audit committee is also responsible
for maintaining ongoing communication with both external & internal auditors. This
allows the auditors & directors to discuss matters that might relate to such things as the
integrity or action of management. The audit committee’s independence from

Handout for Auditing I ch 4Page 3 prepared by Asfaw D.(Msc)

 management & knowledge of financial reporting issue are important determinants of their
ability to effectively evaluate internal controls & financial statements prepared by
management.
d) Management’s philosophy and operating style: management, through its activities,
provide clear signals to employees about the importance of internal control.
Eg. -Does management take significant risks, or is it risk averse?
- Are sales & earnings targets unrealistic, & are employees encouraged to take
aggressive actions to meet those targets?
- Can managements be described as fat & bureaucratic,” lean & mean,” dominated
by one or a few individuals, or is it “just right”?
Understanding these & similar aspects of management’s philosophy & operating style gives the
auditor a sense of management’s attitude about internal control.
e) Organizational structure: the entity’s organizational structure defines the existing line
of responsibility & authority. By understanding the client’s organizational structure, the
auditor can learn the management &functional elements of the business & perceive how
controls are implemented.
f) Assignment of authority and responsibility: in addition to the informal aspects of
communications already mentioned, formal methods of communication about authority &
responsibility & similar control-related matters are equally important. These might
include such methods memoranda from top management about the importance of control
& control related matters formal organizational & operating plans, & employee job
description & related policies.
g) Human resources policies and practices: the most important aspects of internal control
are personnel. If the employees are competent (well trained) and trustworthy (TRUST),
some of other elements can be absent and reliable financial information’s will still result.
Honest, efficient people are able to perform at a high level even when there are few other
control to support them. Even if there are numerous other controls incompetent &
dishonest people can reduce the system to a shambles. Even though personnel may be
competent and trust worthy, people have certain innate shortcomings.
Eg. They can become bored or dissatisfied, personal problems can disrupt their performance, or
their goals may change.

Handout for Auditing I ch 4Page 4 prepared by Asfaw D.(Msc)

Because of the importance of competent, trustworthy personnel in proving effective controls, the
methods by which persons are hired, evaluated, trained, promoted, & compensated are the
important part of internal control.
The auditor obtains information about of the subcomponents of the control environment. The
auditors then use this understanding as a basis for assessing management’s & the director’s
attitude & awareness about the importance of control.
Eg. The auditor might determine the nature of the client’s budgeting system as a part of
understanding the design of the control environment. The operation of the budgeting system
might then be evaluated in part by inquiry of budgeting personnel to determine budgeting
procedures & follow-up of difference b/n budget & actual.
4.3.2. RISK ASSESSMENT
Management’s identification and analysis of risks relevant to the preparation of financial
statements in conformity with appropriate accounting standards (GAAP)
Eg. If a company frequently sells product at a price blow inventory cost b/c of rapid
technological changes, it is essential for the company to incorporate adequate controls to
overcome the risk overstating inventory.
All entities, regardless of size, structure, nature, or industry, face a variety of risks from external
& internal sources that must be managed. Because economic, industry, regulatory, & operating
conditions constantly changed, management is challenged with developing mechanisms to
identify & deal with risks associated with change. Internal control under one set of conditions
will not necessarily be effective under another.
To do this first step is identifying factors that may increase risk: Failure to meet prior objectives,
Quality of personnel, Geographic Dispersion of company operations, Introduction of new
information technologies, Economic downturns ( decline) & Entrance of new competitors. Of
course, there is no cost –beneficial way to eliminate risk. However, management must assess
how much risk is prudently acceptable & strive to maintain risk within this level. Once
management identifies a risk, it estimates the significance of the risks and likelihood of
occurrence. Develop specific actions that need to reduce the risk to the an acceptable level.
Questionnaires and discussions with management are the most common ways Auditors to obtain
knowledge about management’s risk assessment process.

Handout for Auditing I ch 4Page 5 prepared by Asfaw D.(Msc)

 4.3.3. CONTROL ACTIVITIES
Are the Policies and procedures that help ensure that necessary actions are taken to address risks
to the achievement of the entity’s objectives. There are five types of control activities
Adequate separation of duties, Proper authorization of transactions and activities, Adequate
documents and records, Physical control over assets and records & Independent checks on
performance.

4.3.3.1. Segregation of Duties

It is important for an organization to segregate (separate) the authorization of transactions,
recording of transactions, and custody of the related assets. Independent performance of each of
these functions reduces the opportunity for any one person to be in apposition both to perpetrate
and to conceal errors or Irregular in the normal course of his or her duties.
For example,
- First if an employee can authorize the sale of marketable securities and has access to the stock
certificates, the assets can be misappropriated.
-Second, if an employee receives payment from customers on account and has access to the
accounts receivable subsidiary ledger, it is possible for that employee to misappropriate the cash
and cover the shortage in the accounting records.

There are four guidelines for segregations of duties to prevent both intentional and unintentional
errors and frauds.
a) Separation of the custody of assets from accounting. For example, if one person is
responsible for store keeping (custody of inventory) and maintains inventory records,
it is possible to ship (dispatch) some items for his /herself and adjust the inventory
balance by recording a factious transaction.
b) Separation of the authorization of transaction from the custody of related assets – for
example, if one person is assigned for authorization of payment transaction and
handling of cash it increases the possibility of frauds.
c) Separation of duties within the accounting section function: for example, includes the
recording in journals and related subsidiary ledgers and then keeping of control

Handout for Auditing I ch 4Page 6 prepared by Asfaw D.(Msc)

 ledgers in principle should be separated. Recording in sales journals and recording in
cash receipts journal and Accounts Receivable Control Ledger keeping should be
separated. Accounts payable control clerk should not record cash payments journal.
d) Separations of operational responsibilities from record keeping. For example,
accounting functions should be separated from management department activities.

4.3.3.2. Documentation Procedures

Documents provide evidence that transactions and events have occurred. Several procedures
should be established for documents. First, whenever possible document should be renumbered,
and all documents should be accounted for renumbering accounting documents should be
promptly forwarded to accounting to help timely recording documents should be produced in
copies. They should be simple to understand, sufficient, and designed for multiple uses.

4.3.3.3. Authorization Procedures

Every transaction must be properly authorized. Properly authorization implies that concerned
personnel should authorize (approve) each transaction at each step where transactions occurs.
For example, the authorized person for paying cash is the cashier, for receiving; it is the store
clerk, for permitting the transaction it is the manager etc.

4.3.3.4. Physical Control over Assets and Records

Physical control relates primarily to safeguard asset from theft, deterioration, spoilage, etc.
Accounting records and securities, (Bonds, Debentures, Treasury Stocks, Cheeks, Notes,) should
be in well locked custody. Inventories should be protected by constructing from fire proof
materials, well ventilated room and locked doors. Generally,
 Safes and vaults are necessary to store cash before the cash is deposited in bank.
 Locked ware houses for inventories.
 Fencing of the organization.
 Locked storage cabinets for accounting records. etc; are necessary elements, of
physical control.

4.3.3.5. Internal verification (Independent Internal Verification or Checking)

Handout for Auditing I ch 4Page 7 prepared by Asfaw D.(Msc)

This element of internal control refers to the need of independent checking process which
involves, reviewing, comparison, reconciliation of data, which are prepared by the other
personnel, and the findings (discrepancies) should be corrected.
4.3.4. MONITORING
Activities deal with ongoing or periodic assessment of the quality of internal control
performance by management to determine that controls are operating as intended & that they are
modified as appropriate for change in conditions. Information for assessment or modification
comes from a variety of sources, including studies of existing internal controls, internal audit
reports, exception reporting on control activities, reports by regulators such as bank regulatory
agencies, feedback from operating personnel, & complaints from customers about billing
charges.
TABLE : COMPONENT OF INTERNAL CONTROL
INTERNAL CONTRO
Components Description of components Further subdivision
Control environment Actions, policies and procedures that Subcomponents of the control
reflect the overall attitudes of top environment:
management, board directors and -integrity and ethical values
owners of an entity about internal -Commitment to competence
control and its importance -Board of directors or audit
committee participation
-Management’s philosophy
and operating style
-Organizational structure
-Assignment of authority and
responsibility
-Human resources policies and
practices
Risk assessment Management’s identification and Risk assessment process:
analysis of risks relevant to the - identify factors affecting risk
preparation of financial statements in -assess significance of risks &
accordance with GAAP likelihood of occurrence

Handout for Auditing I ch 4Page 8 prepared by Asfaw D.(Msc)

 -determine actions necessary
to manage risks

Control activities Policies and procedures that Types of control activities:

management has established to meet its -adequate separation of Duties
objectives for financial reporting. -proper Authorization of
transactions & activities
-physical control over assets &
records
-independent checks on
performance
Information & Method used to initiate, record, process Transaction related audit
communication & report an entity’s transactions & to objectives that must be
maintain accountability to related assets satisfied:
-existence
-completeness
-accuracy
-classification
-timing
-posting
MONTORING Management’s ongoing & periodic NOT APPLICABLE
assessment of the quality of internal
control performance to determine
whether controls are operating as
intended & modified when needed

4.4. LIMITATIONS OF INTERNAL CONTROL

An internal control system should be designed and operated to provide reasonable assurance.
That is an entity’s cost of internal control system should not exceed the benefits that are expected
to be derived. The necessity of balancing the loss of internal controls with the related benefits
requires considerable estimation and judgment on the part of management.

Handout for Auditing I ch 4Page 9 prepared by Asfaw D.(Msc)

Therefore, the idea of reasonable assurance arises from two concepts: cost – benefit, and the
inherent weakness: The cost – includes paying employees for implementing the system,
constructing and acquiring facilities (safes, stoves) printing of vouchers, forms, etc. The benefits
include prevention of potential losses.

The inherent limitations include management override of internal control, personnel errors, or
mistakes, and collusion.

4.4.1. Management override of internal control

An entity’s controls may be overridden by management. For example, a senior – level manager
can require a low – level employee to record entries into the accounting records (because) that is
not consistent with the substance of the transactions and are in violation of the organization’s
control. The lower – level employee may record the transaction even though he or she knows
that it is a violation of control because of fear of losing his or her job.
4.4.2. Personnel errors or mistakes
The internal control system is only as effective as the personnel who implement and perform the
controls. For example, employees may misunderstand instructions or make errors of judgment.
They may make mistakes because of personnel carelessness, distraction, or fatigued.

END OF
CHAPT
ER
Handout for Auditing I ch 4Page 10 prepared by Asfaw D.(Msc)