F8 – Chapter 3 – Internal control
Key Highlights on Chapter 3
Purpose of Internal Control Systems
- Primary goal: Safeguard assets and enhance reliability of financial reporting
- Functions: Mitigate risks of fraud, errors, and inefficiencies
- Complement external audits by providing assurance to stakeholders
Auditor’s Utilization of Internal Control Systems
- Approach: Design and perform audit procedures based on controls
- Evaluate design and implementation effectiveness
- Tailor audit approach to specific risks
Evaluation of Internal Control Components
- Focus: Assess effectiveness of internal control system
- Components: Control environment, risk assessment, control activities, information and communication, monitoring
Considerations in Computerized Environment
- Additional consideration: Speed of data processing
- Challenges: Maintaining effective controls over rapid data flows
- Assess design and operation of automated controls
Components of Internal Control Systems
- Control environment: Ethical tone and commitment to integrity
- Sets tone at the top, influences control consciousness
- Includes leadership, management philosophy, organizational structure
Assessment of Internal Control Utilization
- Method: Testing and evaluating design and effectiveness
- Gain assurance on reliability of control activities and information systems
Benefits for Auditors
- Increased efficiency in audit planning and execution
- Focus audit efforts on higher-risk areas
- Streamline audit procedures, allocate resources effectively
Evaluation Component: Monitoring
- Refers to ongoing assessment of effectiveness
- Oversight by management, regular reviews, audits
- Detect control failures, take corrective actions
Adapting Approach in Computerized Environment
- Consider speed and complexity of automated processes
- Assess design and operating effectiveness of controls
Primary Goal in Computerized Environment
- Manage and control risks associated with automated processes
- Ensure data integrity, safeguard assets
Purpose of Internal Control
- Provide reasonable assurance regarding achievement of objectives
- Safeguard assets, ensure reliability of financial reporting
COSO Framework Components
- Control environment, risk assessment, control activities, information and communication, monitoring
- Excludes financial forecasting as a component
Examples of Control Types
- Preventive control: Segregation of duties
- Detective control: Internal audit reviews
Purpose of Control Activities
- Implement policies and procedures to achieve objectives
- Authorization, segregation of duties, performance reviews
Entity-Level Control Example
- Tone at the top: Ethical climate and culture established by management
Limitation of Internal Control
- Reliance on human judgment and supervision
- Cannot eliminate all risks entirely
Detective Control Example
- Internal audit reviews: Identify errors or irregularities after occurrence
Key Characteristic of Effective Internal Control
- Adaptability: Flexible to changes in operations, environment
Role of Monitoring Activities
- Assess effectiveness of internal controls over time
- Identify weaknesses, take corrective actions
Factors Influencing Design of Internal Controls
- Management’s risk appetite: Determines approach to risk management
- Align controls with identified risks and management’s tolerance levels
Topic 1: Internal Control Systems
To formulate their audit strategy effectively, auditors must possess a deep understanding of the accounting system and the control environment.
Internal control is the mechanism orchestrated and executed by individuals entrusted with governance, management, and other personnel. It aims to offer a reasonable level of assurance concerning the achievement of an organization’s objectives, specifically focusing on the reliability of financial reporting, the efficiency of operations, and compliance with relevant laws and regulations.
Comprehending the intricacies of internal control greatly aids auditors in identifying potential forms of misstatements and elements influencing the risks associated with material misstatements. It also plays a pivotal role in shaping the nature, timing, and scope of subsequent audit procedures.
Initially, gaining insight into internal control helps auditors pinpoint the controls relevant to the audit process. As per ISA 315 (Revised), which deals with the identification and assessment of material misstatement risks by understanding the entity and its environment, there exists a direct correlation between an organization’s objectives and the controls it employs to provide reasonable assurance about their accomplishment. While many of these controls pertain to financial reporting, operations, and compliance, not all objectives and controls within an entity are pertinent to the auditor’s risk assessment.
Once the auditor identifies the controls that are relevant and effectively designed to prevent material misstatements in the financial statements, they must then decide whether it is more efficient to place reliance on these controls and conduct tests of controls in that particular area or to opt for substantive testing over the same area. In cases where controls are not adequately designed, the auditor is compelled to perform thorough substantive testing due to the apparent lack of control, which indicates increased risk. Any deficiencies discovered should be noted and, when appropriate, conveyed to management (as discussed in Section 3.4).
ISA 315 (Revised) addresses the comprehensive domain of controls.
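Internal control comprises five integral components:
– The control environment
– The entity’s risk assessment process
– The information system relevant to financial reporting
– Control activities
– Monitoring of controls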
The Student Accountant has published an article focusing on the components of internal control under ISA 315 (Revised), which can be accessed via the technical articles link on the ACCA’s website.
Obtaining an understanding of internal control mandates that the auditor comprehends both the design and implementation of these controls. In the ensuing sub-sections, we will delve into each element of internal control individually.
Control Environment
The control environment establishes the context within which controls operate. It is significantly influenced by an organization’s management.
The control environment encompasses governance and management functions, along with the attitudes, awareness, and actions of individuals entrusted with governance and management concerning an organization’s internal control and its importance. While a robust control environment, by itself, does not guarantee the effectiveness of the entire internal control system, it can be a positive factor when assessing the risks associated with material misstatements. Conversely, a weak control environment can undermine control effectiveness.
Aspects of the control environment, such as management’s outlook on control, remain a pivotal determinant of how controls function. Controls are more likely to function effectively in an environment where they are perceived as critical. Additionally, the examination of the control environment helps determine the existence of specific controls, such as internal auditors and budgets.
ISA 315 mandates that auditors gain a comprehensive understanding of the control environment. This understanding includes an assessment of whether:
– Management has fostered a culture of honesty and ethical behavior.
– The strengths of the control environment provide a suitable foundation for the other components of internal control, without being compromised by deficiencies in the control environment.
The ACCA’s audit examining team has authored an article titled “The Control Environment of a Company” in the Student Accountant, focusing on aspects auditors should consider when evaluating the effectiveness of the control environment of a large limited liability company (UK – limited company). This article is accessible through the Technical articles link on the ACCA’s website.
Entity’s Risk Assessment Process
ISA 315 stipulates that the auditor shall gain an understanding of whether the entity has instituted a process for:
– Identifying business risks that are pertinent to financial reporting objectives.
– Assessing the significance of these risks.
– Evaluating the likelihood of their occurrence.
– Determining actions to address these risks.
Should the entity have established such a process, the auditor must comprehend it thoroughly. In cases where such a process is not in place, the auditor must engage in discussions with management to ascertain whether relevant business risks have been identified and the methods employed to address them.
Information System Relevant to Financial Reporting
The information system pertinent to financial reporting constitutes an integral aspect of internal control, encompassing the financial reporting system. It comprises the procedures and records established to initiate, record, process, and report an organization’s transactions and maintain accountability for the associated assets, liabilities, and equity.
The auditor is mandated to acquire an understanding of the information system pertinent to financial reporting objectives, including the following key areas:
– The categories of transactions within the organization’s operations that hold significance for the financial statements.
– The procedures, encompassing both IT and manual systems, employed to initiate, record, process, rectify, transfer to the general ledger, and report these transactions in the financial statements.
– The accounting records, supporting documentation, and specific accounts in the financial statements relevant to the initiation, recording, processing, and reporting of transactions.
– The mechanism through which the information system captures events and conditions, other than transactions, that hold significance for the financial statements.
– The financial reporting process utilized for preparing the organization’s financial statements, including substantial accounting estimates and disclosures.
– Controls surrounding journal entries, including non-standard journal entries used for recording non-recurring, unusual transactions, or adjustments.
Furthermore, the auditor must gain an understanding of how the entity communicates roles and responsibilities related to financial reporting and significant matters pertaining to financial reporting.
Control Activities
Control activities encompass the policies and procedures put in place to guarantee the execution of management’s directives.
ISA 315 mandates the auditor to acquire a comprehension of the control activities that hold significance for the audit and understand how the organization has addressed risks stemming from information technology.
Control activities encompass measures designed either to avert or to identify and rectify errors. Illustrations include actions associated with authorization, performance evaluations, data processing, physical security measures, and the division of responsibilities.
Segregation of Responsibilities
Segregation means involving several individuals in the accounting process. This makes fraud harder to commit (since it requires collusion among multiple individuals) and improves error detection (because each transaction is scrutinized by more than one party). Segregation should occur in several ways:
(a) Segregation of Function: The key functions that should be separated include executing a transaction, recording that transaction in the accounting records, and safeguarding assets resulting from the transaction.
(b) Segregation of Various Transaction Steps: This concept will be explored further when examining major transaction cycles in Chapter 10.
(c) Segregation of Accounting Operations: For instance, the same personnel should not be responsible for recording transactions and conducting reconciliations at the end of a reporting period.
Monitoring Internal Controls
Monitoring internal controls is a process for evaluating the ongoing effectiveness of the internal control system. It involves assessing the design and operation of controls in a timely manner and taking corrective actions as needed, adapting to changing circumstances.
The auditor is required to comprehend the primary activities the entity employs to oversee internal control over financial reporting, including those related to relevant control activities for the audit. Additionally, the auditor should understand how the entity initiates corrective actions to address control deficiencies.
If the entity maintains an internal audit function, the auditor should gain an understanding of its responsibilities, organizational status, and past or planned activities.
The auditor should also acquire insight into the sources of information used in monitoring activities and the reliability of these sources as considered by management.
Control Challenges for Small Companies
Many controls that are applicable to larger entities may not be suitable or feasible for smaller companies, which often operate with straightforward internal control systems. For small companies, the most crucial form of internal control typically involves close oversight by directors or proprietors. However, it’s important to note that while close management involvement can prevent control issues, it can also enable management to override controls and omit transactions from records.
Auditors may encounter challenges not because controls are absent but because the evidence supporting their operation and the completeness of records is insufficient. For example, an owner-manager may perform an informal review of payroll records without documenting this review. This makes it difficult for auditors to verify the effectiveness of controls, even if they are functioning properly.
In smaller entities, segregation of duties may often be inadequate due to limited staff. Additionally, the organization and management controls are likely to be basic at best.
Evidence for Internal Control in Small Companies
Audit evidence related to elements of the control environment in smaller entities may not be documented, especially where communication between management and other personnel is informal yet effective. Nevertheless, small companies may establish a culture that prioritizes integrity and ethical conduct through verbal communication and by setting a good example. Therefore, the attitudes, awareness, and actions of management remain essential for the auditor’s assessment of the control environment in smaller entities.
While the scale and financial constraints in smaller entities may limit the opportunity for formal control activities, some evidence related to internal controls is likely to exist. Basic control activities are expected to be in place for major transaction cycles, such as revenue, purchasing, and payroll costs. In small companies, the approval authority for transactions like purchases and payments, often held by management, can offer substantial control over important account balances, reducing the need for more detailed control measures. If auditors can gather sufficient evidence that these critical controls are functioning effectively, the reliance on substantive testing can be minimized.
Nonetheless, due to the factors mentioned earlier, auditors may often resort to substantive procedures to collect adequate and relevant audit evidence in smaller entities. These procedures may include confirmations, sampling related to various financial statement areas, and analytical procedures, as appropriate.
Constraints of Accounting and Control Systems
Any internal control system can only provide the directors with reasonable assurance that their objectives are achieved, given inherent limitations. These limitations encompass:
– Control costs potentially outweigh their benefits.
– The potential for human error.
– Collusion among employees.
– The possibility of controls being bypassed or overridden by management.
– Controls designed for routine transactions but not suitable for non-routine transactions.
These limitations underscore why auditors cannot rely solely on tests of internal control systems for evidence. The primary factors contributing to control system limitations are human error and the potential for fraud. The principle of segregation of duties can help deter fraud. However, if employees collaborate in fraudulent activities or if management commits fraud by overriding systems, the accounting system cannot prevent such misconduct.
Topic 2: The Utilization of Internal Control Systems by Auditors
The auditors are tasked with evaluating the effectiveness of the systems as a foundation for the financial statements and pinpointing potential risks of significant misstatements to establish a basis for devising and executing subsequent audit procedures.
Auditors solely focus on appraising policies and procedures that pertain to the financial statements. Auditors are required to:
– Evaluate the effectiveness of the accounting system as the underpinning for financial statement preparation.
– Identify the types of conceivable misstatements that might occur within the financial statements.
– Deliberate on factors influencing the risk of misstatements.
– Formulate pertinent audit procedures.
We have previously covered the procedure of assessing the risks associated with significant misstatements in Chapter 6. The assessment of an entity’s controls will have a direct impact on this risk assessment.
Risks stemming from subpar control environments are unlikely to be limited to specific assertions in the financial statements and, if severe, may even raise questions about the auditability of the financial statements. In other words, if the level of control risk is exceedingly high, audit risk may not be reducible to an acceptable level.
Conversely, certain control measures might be closely linked to specific assertions within the financial statements. For instance, controls overseeing the inventory count are intricately tied to the existence and completeness of inventory in the financial statements.
There may be instances where substantive procedures alone are insufficient to address the associated risks. In cases where such risks exist, auditors must evaluate the design and implementation of controls, typically through control testing. This is most commonly encountered in highly automated systems that require minimal manual intervention.
Documenting Accounting and Control Systems
The auditors are obliged to maintain a record of the client’s systems, which should be updated annually. This can be accomplished using various methods, such as narrative notes, flowcharts, questionnaires, or checklists.
Several techniques are available for documenting the assessment of control risk, depending on the complexity of the system. These include:
– Narrative notes
– Flowcharts
– Questionnaires
– Checklists
We will delve into each of these approaches in the subsequent sections of Section 2, outlining their advantages and limitations.
Concerning questionnaires, it is worth noting that there are two distinct types, each serving a different purpose:
– Internal Control Questionnaires (ICQs) inquire about the existence of controls that align with specific control objectives.
– Internal Control Evaluation Questionnaires (ICEQs) are employed to ascertain whether there are controls designed to prevent or detect specific errors or omissions.
The primary aim of internal control questionnaires is to address the fundamental question: “How effective is the control system?” While there are numerous variations of ICQs in practical use, they all adhere to these essential principles:
(a) They consist of a series of questions designed to ascertain the presence of desirable controls (various desirable controls are contemplated for each major transaction cycle in Chapter 10).
(b) These questions are structured in a manner that necessitates “YES” or “NO” responses, with a “NO” response signifying a deficiency in the system. For instance:
Is there a verification of purchase invoices against goods received notes before authorizing payment?
YES/NO/Comments
The provided ICQ questions, specifically addressing goods inward, offer further examples of the ICQ approach:
Goods Inward:
(a) Are incoming supplies examined for both quantity and quality upon arrival?
(b) Is there tangible evidence of such inspections?
(c) Is the receipt of supplies recorded, possibly via goods inwards notes?
(d) Are the individuals responsible for:
(i) Ordering functions?
(ii) The processing and recording of invoices?
kept separate from those who create the receipt records?
(e) Are the goods inward records subject to controls that ensure receipt of invoices for all incoming goods and allow for the determination of the liability for unbilled goods (by pre-numbering records and tracking all serial numbers)?
(f) (i) Is there regular review of goods inward records for items lacking corresponding invoices?
(ii) Are anomalies investigated when discovered?
(g) Is the review of these records conducted by an individual independent of those handling the receipt and control of goods?
Internal Control Evaluation Questionnaires (ICEQs)
In recent years, numerous auditing firms have developed an evaluation method that is more focused on ascertaining the potential for specific errors (or frauds) rather than confirming the presence of specific desirable controls. This is achieved by distilling the criteria for control in each transaction cycle into a set of essential questions (control questions) that focus on significant errors or omissions that may arise within each phase of the respective cycle when controls are lacking.
For a clearer understanding of the key questions’ nature, consider the example below pertaining to the purchases (expenditure) cycle:
Internal Control Evaluation Questionnaire: Control Questions
The Purchases (Expenditure) Cycle
Is there reasonable assurance that:
(a) Receipt of goods or services cannot occur without the recording of a liability?
(b) Receipt of goods or services is a prerequisite for establishing a liability?
(c) A liability is recorded:
(i) Solely for authorized items?
(ii) At the correct amount?
(d) All payments are appropriately authorized?
(e) All due credits from suppliers are received?
(f) All transactions are accurately accounted for?
(g) The system neither overstates nor understates liabilities at period end?
(h) The bank balance is continuously recorded accurately?
(i) Unauthorized cash payments are prevented, and the petty cash balance is always correctly stated?
Each of these key control questions is supported by specific control points for consideration. For example, the detailed control points for key control question (b) concerning the expenditure cycle (Is there reasonable assurance that receipt of goods or services is necessary to establish a liability?) include the following:
(1) Is the segregation of duties adequate?
(2) Are controls over relevant master files sufficient?
(3) Is there documentation verifying that all incoming goods have been checked for:
– Quantity and quality?
(4) Are all received goods properly recorded in detailed inventory ledgers through goods received notes or purchase invoices?
– Does the system include control totals (such as hash totals, monetary values, etc.) to reconcile inventory system inputs with the payables system?
(5) Are all invoices endorsed to indicate that:
– Goods received have been cross-checked against goods received records?
– The use of services has been verified by the user?
– Goods’ quality has been examined against inspection records?
(6) In a computerized invoice approval system, are printouts (reviewed by a responsible individual) available for:
– Cases where orders, goods received notes, and invoices are present but are not equivalent (within predefined tolerances for minor discrepancies)?
– Instances where invoices have been entered, but no corresponding goods received notes exist?
(7) Are controls over direct purchases sufficient?
(8) Are receiving documents properly canceled (e.g., cross-referenced) to prevent them from supporting two invoices?
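Control points (6) and (8) above describe checks that a computerized invoice approval system can run automatically. The following sketch is an added illustration, not part of the original notes: it produces the exception report a responsible individual would review. The record layouts, reason codes, tolerance parameters and sample data are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class Order:
    po_no: str
    qty: int
    unit_price: Decimal


@dataclass(frozen=True)
class GoodsReceived:
    grn_no: str
    po_no: str
    qty: int


@dataclass(frozen=True)
class Invoice:
    inv_no: str
    po_no: str
    grn_no: Optional[str]  # None when the invoice cites no goods received note
    qty: int
    amount: Decimal


def exception_report(orders, grns, invoices,
                     qty_tol=0, amount_tol_pct=Decimal("1")):
    """Return (invoice number, reason) pairs for invoices needing review.

    qty_tol is an absolute unit tolerance; amount_tol_pct is a percentage of
    the expected value (received quantity x ordered unit price).
    """
    po_index = {o.po_no: o for o in orders}
    grn_index = {g.grn_no: g for g in grns}
    cancelled = set()  # GRNs already used to support an invoice
    exceptions = []

    for inv in invoices:
        order = po_index.get(inv.po_no)
        if order is None:
            exceptions.append((inv.inv_no, "NO_ORDER"))
            continue
        # Control point (6), second case: invoice entered with no matching GRN.
        receipt = grn_index.get(inv.grn_no) if inv.grn_no else None
        if receipt is None or receipt.po_no != inv.po_no:
            exceptions.append((inv.inv_no, "NO_GRN"))
            continue
        # Control point (8): a receiving document may support one invoice only.
        if receipt.grn_no in cancelled:
            exceptions.append((inv.inv_no, "GRN_REUSED"))
            continue
        cancelled.add(receipt.grn_no)
        # Control point (6), first case: documents exist but do not agree.
        if abs(inv.qty - receipt.qty) > qty_tol:
            exceptions.append((inv.inv_no, "QTY_MISMATCH"))
            continue
        expected = receipt.qty * order.unit_price
        allowed = expected * amount_tol_pct / 100
        if abs(inv.amount - expected) > allowed:
            exceptions.append((inv.inv_no, "AMOUNT_MISMATCH"))
    return exceptions


# Constructed sample data (not taken from any real system).
ORDERS = [
    Order("PO1", 100, Decimal("5.00")),
    Order("PO2", 10, Decimal("20.00")),
    Order("PO3", 50, Decimal("2.00")),
    Order("PO4", 10, Decimal("30.00")),
]
GRNS = [
    GoodsReceived("G1", "PO1", 100),
    GoodsReceived("G2", "PO2", 8),   # short delivery
    GoodsReceived("G3", "PO3", 50),
    GoodsReceived("G4", "PO4", 10),
]
INVOICES = [
    Invoice("I1", "PO1", "G1", 100, Decimal("500.40")),  # within 1% tolerance
    Invoice("I2", "PO2", "G2", 10, Decimal("200.00")),   # billed 10, received 8
    Invoice("I3", "PO3", None, 50, Decimal("100.00")),   # no GRN cited
    Invoice("I4", "PO3", "G3", 50, Decimal("100.00")),   # clean match
    Invoice("I5", "PO3", "G3", 50, Decimal("100.00")),   # second use of G3
    Invoice("I6", "PO4", "G4", 10, Decimal("330.00")),   # 10% over order price
]

if __name__ == "__main__":
    for inv_no, reason in exception_report(ORDERS, GRNS, INVOICES):
        print(inv_no, reason)
```

An auditor testing this control would check both that the report is produced and that someone independent of invoice processing reviews and clears each listed exception.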
Topic 3: The Evaluation of Internal Control Components
If the auditors have confidence in the robustness of the control systems, they may opt to conduct tests on controls to verify their effective operation.
Confirming Understanding
To validate their comprehension of the control systems, auditors often perform walk-through tests. During these tests, they select a transaction and follow it through the system to determine if all expected controls were indeed operational for that transaction.
Control Testing
Control tests are examinations conducted to gather audit evidence regarding:
– The design of accounting and internal control systems, ensuring they are appropriately structured to either prevent or detect and correct significant misstatements at the assertion level.
– The operational effectiveness of internal controls throughout the reporting period.
Tests of control may encompass the following:
(a) Reviewing documents that support controls or events to confirm that internal controls have been executed correctly, such as validating that a transaction has received proper authorization.
(b) Making inquiries about internal controls that do not leave an audit trail, for instance, identifying the actual individuals performing specific functions, not just those assigned to them.
(c) Reperforming control procedures, like reconciling bank accounts, to verify that the entity correctly executed them.
(d) Examining evidence reflecting management’s perspective, such as minutes from management meetings.
(e) Testing internal controls operating within computerized systems or the overall IT function, including access controls.
(f) Observing controls to assess how they are being operated, taking into account factors like the manner in which the control is administered.
Auditors should consider:
Deviations in control operation, perhaps due to staff changes, can elevate control risk, necessitating potential adjustments to control testing to affirm effective operation during and after any such changes. The use of computer-assisted audit techniques (CAATs) may be appropriate, and these are thoroughly discussed in Chapter 11.
In an ongoing engagement, auditors will have some familiarity with the accounting and internal control systems from prior work, but they must update their knowledge and consider the need for additional audit evidence to account for any control changes.
Revision of Risk Assessment, Audit Strategy, and Audit Plan
Evidence from control testing may indicate that controls did not perform as anticipated. If the evidence contradicts the initial risk assessment, auditors must adjust their planned audit procedures accordingly. Notably, when control testing reveals that controls did not operate effectively throughout the year, auditors may need to expand their substantive testing.
Revising the risk assessment and audit procedures necessitates an update of the audit strategy, which outlines the audit’s scope, timing, and direction. For example, if tests of controls reveal issues with control effectiveness, this may lead to a strategy emphasizing substantive procedures.
The updated or new procedures should be reflected in the audit plan, which was discussed in Chapter 7 and specifies the nature, timing, and extent of audit procedures to be conducted.
Communication of Internal Control Deficiencies
Significant internal control deficiencies must be conveyed in writing to those responsible for governance through a report to management, in accordance with ISA 265 – Communicating Deficiencies in Internal Control to Those Charged with Governance and Management. ISA 265 underscores that the auditor’s objective is to appropriately communicate to those responsible for governance and management any internal control deficiencies identified during the audit that are deemed significant enough to warrant attention.
A deficiency in internal control exists when a control is designed, implemented, or operated in a manner that fails to prevent, or detect and correct, misstatements in the financial statements on a timely basis, or when a control necessary to prevent, or detect and correct, misstatements in the financial statements on a timely basis is missing.
A significant deficiency in internal control is a deficiency or a combination of deficiencies in internal control that, according to the auditor’s professional judgment, is significant enough to merit the attention of those responsible for governance.
ISA 265 mandates that the auditor establish whether one or more internal control deficiencies have been identified and, if so, whether they represent significant deficiencies in internal control. The significance of a deficiency depends on whether it has resulted in a misstatement, as well as the likelihood and potential magnitude of such a misstatement. ISA 265 provides examples of factors to consider when assessing whether an internal control deficiency is significant, including:
– The likelihood of the deficiencies leading to material misstatements in future financial statements.
– The susceptibility to loss or fraud of the related assets or liabilities.
– The subjectivity and complexity in determining estimated amounts.
– The extent of exposure to the deficiencies.
– The volume of activity that has occurred or could occur.
– The importance of the controls in the financial reporting process.
– The cause and frequency of exceptions related to the deficiencies.
– The interaction of the deficiency with other internal control deficiencies.
ISA 265 also lists indicators of significant deficiencies in internal control, including:
– Evidence of ineffective aspects of the control environment.
– Absence of a risk assessment process.
– Evidence of an ineffective entity risk assessment process.
– Evidence of an inadequate response to identified significant risks.
– Misstatements discovered by the auditor’s procedures that were not prevented, detected, and corrected by the entity’s internal control.
– Restatement of previously issued financial statements corrected for a material misstatement due to fraud or error.
– Evidence of management’s inability to oversee the preparation of the financial statements.
The auditor must promptly communicate any significant deficiencies in internal control to those responsible for governance. The auditor must also provide written communication to management regarding significant internal control deficiencies that have been conveyed to or will be communicated to those responsible for governance, as well as any other internal control deficiencies that the auditor deems important enough to warrant management’s attention. Communication of other internal control deficiencies to management can be done verbally.
The written communication should include:
– A description of the deficiencies and an explanation of their potential effects (quantifying the effects is unnecessary).
– Sufficient information to enable those responsible for governance and management to understand the context of the communication, specifying:
– That the auditor’s primary purpose is to provide an opinion on the financial statements.
– That internal control was considered in order to design appropriate audit procedures, rather than to evaluate internal control effectiveness.
– That the report is limited to deficiencies identified during the audit and considered significant enough for communication to those responsible for governance.
The auditor may also offer suggestions for addressing the deficiencies, document management’s actual or proposed responses, and state whether the auditor has taken steps to verify the implementation of management’s responses. Additionally, the auditor may include the following information:
– A statement that a more comprehensive assessment of internal control may have uncovered additional deficiencies or possibly rendered some reported deficiencies unnecessary for communication.
– A declaration that the written communication is intended for those responsible for governance and may not be suitable for other purposes.
Topic 4: Internal Controls in a Computerized Environment
When dealing with a computerized system, auditors must consider unique factors. These include IT controls, which comprise both general and application controls.
The internal controls within a computerized environment consist of a combination of manual processes and controls integrated into computer programs. These control procedures fall into two categories: general controls and application controls.
General IT controls are sets of policies and procedures that apply across numerous applications. They play a crucial role in facilitating the effective operation of application controls and ensuring the ongoing proper functionality of information systems. General IT controls often cover aspects such as overseeing data center and network operations, acquiring, changing, and maintaining system software, managing access security, and obtaining, developing, and maintaining application systems.
Application controls, on the other hand, are procedures, either manual or automated, that generally operate at the level of specific business processes. They serve both preventative and detective functions and are designed to guarantee the accuracy and reliability of accounting records. As a result, they pertain to the processes used to initiate, document, process, and report transactions or other financial data.