F8 – Chapter 3: Internal Control
Key Highlights on Chapter 3
Purpose of Internal Control Systems
- Primary goal: Safeguard assets and enhance reliability of financial reporting
- Functions: Mitigate risks of fraud, errors, and inefficiencies
- Complement external audits by providing assurance to stakeholders
Auditor’s Utilization of Internal Control Systems
- Approach: Design and perform audit procedures based on controls
- Evaluate design and implementation effectiveness
- Tailor audit approach to specific risks
Evaluation of Internal Control Components
- Focus: Assess effectiveness of internal control system
- Components: Control environment, risk assessment, control activities, information and communication, monitoring
Considerations in Computerized Environment
- Additional consideration: Speed of data processing
- Challenges: Maintaining effective controls over rapid data flows
- Assess design and operation of automated controls
Components of Internal Control Systems
- Control environment: Ethical tone and commitment to integrity
- Sets tone at the top, influences control consciousness
- Includes leadership, management philosophy, organizational structure
Assessment of Internal Control Utilization
- Method: Testing and evaluating design and effectiveness
- Gain assurance on reliability of control activities and information systems
Benefits for Auditors
- Increased efficiency in audit planning and execution
- Focus audit efforts on higher-risk areas
- Streamline audit procedures, allocate resources effectively
Evaluation Component: Monitoring
- Refers to ongoing assessment of effectiveness
- Oversight by management, regular reviews, audits
- Detect control failures, take corrective actions
Adapting Approach in Computerized Environment
- Consider speed and complexity of automated processes
- Assess design and operating effectiveness of controls
Primary Goal in Computerized Environment
- Manage and control risks associated with automated processes
- Ensure data integrity, safeguard assets
Purpose of Internal Control
- Provide reasonable assurance regarding achievement of objectives
- Safeguard assets, ensure reliability of financial reporting
COSO Framework Components
- Control environment, risk assessment, control activities, information and communication, monitoring
- Excludes financial forecasting as a component
Examples of Control Types
- Preventive control: Segregation of duties
- Detective control: Internal audit reviews
Purpose of Control Activities
- Implement policies and procedures to achieve objectives
- Authorization, segregation of duties, performance reviews
Entity-Level Control Example
- Tone at the top: Ethical climate and culture established by management
Limitation of Internal Control
- Reliance on human judgment and supervision
- Cannot eliminate all risks entirely
Detective Control Example
- Internal audit reviews: Identify errors or irregularities after occurrence
Key Characteristic of Effective Internal Control
- Adaptability: Flexible to changes in operations, environment
Role of Monitoring Activities
- Assess effectiveness of internal controls over time
- Identify weaknesses, take corrective actions
Factors Influencing Design of Internal Controls
- Management’s risk appetite: Determines approach to risk management
- Align controls with identified risks and management’s tolerance levels
Audit and Assurance (AA) – Chapter: Internal Control
Topic 1. Systems of Internal Control
1.a Explain why an auditor needs to obtain an understanding of internal control components
An auditor’s understanding of internal control components is crucial to identify and assess risks of material misstatement, determine the nature, timing, and extent of audit procedures, and evaluate the potential to rely on controls rather than substantive testing.
1.b Describe and explain the five components of a system of internal control
According to COSO’s Integrated Framework:
- Control Environment: The foundation of internal control. Encompasses ethical values, management’s philosophy and operating style, organisational structure, assignment of authority and responsibility, and human resource policies.
  - Theory: Agency theory indicates that a strong tone at the top mitigates agency costs by aligning management and shareholder interests.
  - Illustration: Case study of Company X, where lax executive oversight enabled revenue recognition fraud.
- Risk Assessment Process: Entity’s process for identifying, analysing, and responding to risks that may prevent the achievement of objectives.
  - Theory: COSO ERM model—integrating risk appetite and strategy enhances proactive risk management.
  - Illustration: Risk heat map plotting probability vs impact for a retailer’s cyber threats.
- Control Activities: Policies and procedures that help ensure risk responses are carried out. Activities include approvals, authorisations, verifications, reconciliations, reviews of operating performance, and segregation of duties.
  - Theory: Segregation of duties (a form of internal control) reduces collusion risk, rooted in principal–agent theory.
  - Illustration: Process diagram splitting purchase order initiation, receipt of goods, and invoice payment among different roles.
- Information System and Communication: Mechanisms for capturing and exchanging information needed to conduct, manage, and control operations, and for reporting financial results.
  - Theory: Information asymmetry theory underscores the need for timely, relevant information to reduce gaps between management and stakeholders.
  - Illustration: Data flow diagram from sales order entry through revenue recognition in the general ledger.
- Monitoring Activities: Processes that assess the quality of internal control performance over time, including ongoing management activities and separate evaluations such as internal audit.
  - Theory: Continuous auditing concepts enable near real-time assessment of controls using technology.
  - Illustration: Internal audit dashboard showing control test results across business units over time.
Topic 2. The Use and Evaluation of Systems of Internal Control by Auditors
2.a Explain how auditors record systems of internal control
- Narrative Notes: Detailed written descriptions of transaction cycles and controls.
- Flowcharts: Standardised symbols mapping processes, decision points, and control activities.
- Control Questionnaires: Structured checklists to confirm the presence and operation of key controls.
2.b Evaluate internal control components, including deficiencies
Auditors assess both the design (whether controls, if operating as intended, can mitigate risks) and implementation (whether controls are operating effectively).
- Deficiency: A control is missing or poorly designed.
- Significant Deficiency: A deficiency, or combination thereof, that increases the risk of material misstatement.
- Illustration: Evaluation matrix rating each component (environment, risk assessment, control activities, etc.) on design and operation effectiveness.
2.c Discuss limitations of internal control components
Internal controls cannot eliminate all risks due to:
- Human error and judgment failures.
- Collusion among employees.
- Management override of controls.
- Changes in operating environment rendering controls outdated.
- Cost–benefit considerations limiting control scope.
Topic 3. Tests of Controls
3.a Describe computer systems controls
- General IT Controls (GITC): Oversee IT environment—access controls, program change management, backup and recovery, and separation of IT duties.
- Application Controls: Specific to individual systems—input validation checks, processing controls (e.g., sequence checks), and output reconciliation.
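The three application controls named above (input validation, a sequence check, and output reconciliation), as an added Python example that is not part of the ACCA notes. The invoice number format, the batch of records and the batch header control totals are constructed for the illustration; the point it shows is that each control catches a different class of defect, and that the reconciliation still flags a difference after the bad records have been rejected.

```python
# Added example (not from the ACCA notes): three application controls run over
# a constructed batch of sales invoices. Names, formats and the batch are assumptions.
import re
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

INVOICE_NUMBER = re.compile(r"^INV-(\d{4})$")  # assumed numbering format


@dataclass(frozen=True)
class Invoice:
    number: str
    customer: str
    amount: Decimal


# Constructed batch. Deliberate defects: a missing customer, a duplicated
# invoice number, a gap at 1003, a negative amount, and a malformed record.
RAW_BATCH = [
    {"number": "INV-1001", "customer": "Acme Ltd", "amount": "120.00"},
    {"number": "INV-1002", "customer": "Acme Ltd", "amount": "80.50"},
    {"number": "INV-1004", "customer": "", "amount": "45.00"},
    {"number": "INV-1004", "customer": "Beta plc", "amount": "45.00"},
    {"number": "INV-1005", "customer": "Gamma SA", "amount": "-10"},
    {"number": "1006", "customer": "Delta GmbH", "amount": "abc"},
]


def validate_input(raw: dict) -> list[str]:
    """Input validation control: every exception found in one record."""
    errors = []
    if not INVOICE_NUMBER.match(raw.get("number", "")):
        errors.append("invoice number not in INV-nnnn format")
    if not raw.get("customer"):
        errors.append("customer missing")
    try:
        if Decimal(raw.get("amount", "")) <= 0:
            errors.append("amount must be positive")
    except InvalidOperation:
        errors.append("amount not numeric")
    return errors


def sequence_check(numbers: list[str]) -> dict:
    """Sequence check (processing control): gaps and duplicates in the
    numeric part of the well-formed invoice numbers in the batch."""
    seqs = sorted(int(m.group(1)) for n in numbers if (m := INVOICE_NUMBER.match(n)))
    gaps = [n for n in range(seqs[0], seqs[-1]) if n not in seqs] if seqs else []
    duplicates = sorted({n for n in seqs if seqs.count(n) > 1})
    return {"gaps": gaps, "duplicates": duplicates}


def reconcile_output(posted: list[Invoice], declared_count: int, declared_total) -> dict:
    """Output reconciliation: posted count and value against the control
    totals keyed in on the batch header when the batch was submitted."""
    posted_total = sum((inv.amount for inv in posted), Decimal("0"))
    declared_total = Decimal(str(declared_total))
    return {
        "posted_count": len(posted),
        "posted_total": posted_total,
        "count_difference": declared_count - len(posted),
        "total_difference": declared_total - posted_total,
        "balanced": declared_count == len(posted) and declared_total == posted_total,
    }


def process_batch(raw_batch: list[dict], declared_count: int, declared_total) -> dict:
    """Run the three controls over a batch and return the exception report."""
    accepted, rejected = [], []
    for raw in raw_batch:
        errors = validate_input(raw)
        if errors:
            rejected.append({"number": raw.get("number"), "errors": errors})
        else:
            accepted.append(Invoice(raw["number"], raw["customer"], Decimal(raw["amount"])))
    return {
        "accepted": accepted,
        "rejected": rejected,
        # The sequence check runs over every submitted number, not only the
        # accepted ones, so a rejected duplicate is still reported.
        "sequence": sequence_check([r.get("number", "") for r in raw_batch]),
        "reconciliation": reconcile_output(accepted, declared_count, declared_total),
    }


if __name__ == "__main__":
    report = process_batch(RAW_BATCH, declared_count=6, declared_total="280.50")
    for key in ("rejected", "sequence", "reconciliation"):
        print(key, report[key])
```

The batch header declares six records totalling 280.50; after three records are rejected, the reconciliation reports a count difference of 3 and a value difference of 35.00, which is exactly the exception an auditor would expect the control to surface rather than silently absorb.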
3.b Describe control objectives, procedures and tests of controls by cycle
For each business cycle, auditors consider: control objectives (e.g., completeness, accuracy), control procedures, control activities, and direct/indirect controls before designing tests:
- Sales System:
  - Control Objectives: Existence, accuracy, cut-off, authorisation.
  - Control Procedures: Credit approvals, automated invoicing, reconciliation of shipping logs to sales journals.
  - Tests of Controls: Reperformance of match between sales invoices and shipping documents; inquiry of system parameter changes.
- Purchases System:
  - Control Objectives: Completeness, authorisation.
  - Control Procedures: Three-way matching of purchase orders, goods receipts, and supplier invoices.
  - Tests of Controls: Inspect mismatch reports; test authorisation controls on purchase orders.
- Payroll System:
  - Control Objectives: Occurrence, accuracy.
  - Control Procedures: HR approval of new hires, automated payroll runs, segregation of payroll setup and processing.
  - Tests of Controls: Verify selections from HR system; recompute a sample of pay calculations.
- Inventory System:
  - Control Objectives: Existence, valuation.
  - Control Procedures: Physical counts, cycle counts, standard costing reviews, obsolescence analyses.
  - Tests of Controls: Observe counts; reconcile count sheets to inventory records.
- Bank and Cash System:
  - Control Objectives: Completeness, accuracy.
  - Control Procedures: Bank reconciliations, dual signatures on cash disbursements, automated cash receipts posting.
  - Tests of Controls: Reperform bank reconciliation; inspect signature controls.
- Non-Current Assets:
  - Control Objectives: Existence, valuation.
  - Control Procedures: Asset register reconciliations, depreciation calculations, fixed asset physical verification.
  - Tests of Controls: Trace additions to board minutes; recompute depreciation expense.
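The segregation-of-duties split described under Control Activities in Topic 1 (purchase order initiation, goods receipt and invoice payment in different hands) and the three-way match in the purchases system above, as one added Python example that is not part of the ACCA notes. The role names, the user directory, the price tolerance and the purchase cases are assumptions. It shows two things the notes state but do not demonstrate: a user who legitimately holds two roles is still prevented from performing two steps on the same purchase, and payment is refused while the three-way match has open exceptions.

```python
# Added example (not from the ACCA notes): a purchase-to-pay workflow that
# enforces segregation of duties per purchase and runs the three-way match
# before payment. Roles, users, tolerance and cases are assumptions.
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Optional

# Which role may perform each step of the cycle.
ROLE_FOR_STEP = {"order": "purchasing", "receive": "warehouse", "pay": "accounts_payable"}

# Constructed user directory. dave holds two roles, so role membership alone
# would let him both order and pay; the per-case check below is what stops him.
USER_ROLES = {
    "alice": {"purchasing"},
    "bob": {"warehouse"},
    "carol": {"accounts_payable"},
    "dave": {"purchasing", "accounts_payable"},
}


class ControlViolation(Exception):
    """Raised when a step would breach a control; the step is not recorded."""


@dataclass
class PurchaseCase:
    po_number: str
    ordered_qty: int
    unit_price: Decimal
    received_qty: Optional[int] = None
    invoice_qty: Optional[int] = None
    invoice_price: Optional[Decimal] = None
    performed_by: dict = field(default_factory=dict)  # step -> user who did it
    paid: bool = False


def new_case(po_number: str, qty: int, unit_price: str) -> PurchaseCase:
    return PurchaseCase(po_number, qty, Decimal(unit_price))


def record_step(case: PurchaseCase, step: str, user: str) -> None:
    """Preventive control: the right role, one step per user per purchase."""
    role = ROLE_FOR_STEP[step]
    if role not in USER_ROLES.get(user, set()):
        raise ControlViolation(f"{user} lacks role {role} for step {step}")
    earlier = [s for s, u in case.performed_by.items() if u == user]
    if earlier:
        raise ControlViolation(f"segregation of duties: {user} already performed {earlier} on {case.po_number}")
    if step in case.performed_by:
        raise ControlViolation(f"{step} already recorded for {case.po_number}")
    case.performed_by[step] = user


def place_order(case: PurchaseCase, user: str) -> None:
    record_step(case, "order", user)


def receive_goods(case: PurchaseCase, user: str, qty: int) -> None:
    record_step(case, "receive", user)
    case.received_qty = qty


def register_invoice(case: PurchaseCase, qty: int, price: str) -> None:
    case.invoice_qty, case.invoice_price = qty, Decimal(price)


def three_way_match(case: PurchaseCase, price_tolerance: Decimal = Decimal("0.01")) -> list[str]:
    """Detective control: compare PO, goods receipt and invoice; return exceptions."""
    exceptions = []
    if case.received_qty is None:
        exceptions.append("no goods receipt recorded")
    if case.invoice_qty is None or case.invoice_price is None:
        exceptions.append("no supplier invoice registered")
        return exceptions
    if case.received_qty is not None and case.invoice_qty != case.received_qty:
        exceptions.append(f"invoice quantity {case.invoice_qty} differs from goods receipt {case.received_qty}")
    if case.invoice_qty > case.ordered_qty:
        exceptions.append(f"invoice quantity {case.invoice_qty} exceeds ordered {case.ordered_qty}")
    if abs(case.invoice_price - case.unit_price) > price_tolerance:
        exceptions.append(f"invoice price {case.invoice_price} differs from PO price {case.unit_price}")
    return exceptions


def approve_payment(case: PurchaseCase, user: str) -> bool:
    """Payment is released only by a third person and only on a clean match."""
    exceptions = three_way_match(case)
    if exceptions:
        raise ControlViolation("three-way match failed: " + "; ".join(exceptions))
    record_step(case, "pay", user)
    case.paid = True
    return True


def run_scenarios() -> dict:
    """Three constructed cases: clean, SoD breach attempt, invoice mismatch."""
    results = {}
    c1 = new_case("PO-1001", 10, "25.00")
    place_order(c1, "alice"); receive_goods(c1, "bob", 10); register_invoice(c1, 10, "25.00")
    results["clean_paid"] = approve_payment(c1, "carol")

    c2 = new_case("PO-1002", 5, "40.00")  # dave orders, then tries to pay
    place_order(c2, "dave"); receive_goods(c2, "bob", 5); register_invoice(c2, 5, "40.00")
    try:
        approve_payment(c2, "dave"); results["sod_blocked"] = False
    except ControlViolation:
        results["sod_blocked"] = True
    results["sod_case_paid"] = c2.paid

    c3 = new_case("PO-1003", 10, "25.00")  # invoice bills 12 units at a higher price
    place_order(c3, "alice"); receive_goods(c3, "bob", 10); register_invoice(c3, 12, "26.50")
    results["mismatch_exceptions"] = three_way_match(c3)
    try:
        approve_payment(c3, "carol"); results["mismatch_blocked"] = False
    except ControlViolation:
        results["mismatch_blocked"] = True
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

The test of controls described for this cycle (inspect mismatch reports, test authorisation on purchase orders) maps directly onto the two places where this code raises: the exception list from `three_way_match` is the mismatch report, and the `ControlViolation` from `record_step` is the evidence that an unauthorised or conflicting step was refused rather than merely logged.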
Topic 4. Communication on Internal Control
4.a Reporting significant deficiencies
Under ISA 265, auditors must report significant deficiencies and material weaknesses in writing to management and those charged with governance, promptly after identification.
4.b Sample format for management report
Finding | Implication | Recommendation |
--- | --- | --- |
Lack of review over manual journal entries | Risk of fraudulent or erroneous postings | Introduce supervisory review of manual journals |
4.c Discuss need for communication with governance
Regular communication ensures that those charged with governance are aware of control issues, understand risks, and can oversee management’s remediation efforts, reinforcing accountability and oversight.
Topic 5. Internal Audit and Governance vs External Audit
5.a Factors in assessing need for internal audit
Considerations include entity size, complexity, risk profile, volume of transactions, regulatory requirements, and effectiveness of existing controls.
5.b Elements of best practice in internal audit
- Organisational independence, typically reporting to the audit committee.
- Skilled and diverse staffing.
- Risk-based internal audit plan aligned to organisational objectives.
- Quality assurance and improvement programs, including external assessments.
5.c Compare external and internal audit roles
Aspect | External Audit | Internal Audit |
--- | --- | --- |
Purpose | Provide opinion on financial statements | Advise on governance, risk management and controls |
Scope | Historical FS and control environment | Operational, compliance, financial, IT, strategic |
Reporting Line | Shareholders, regulators | Management, audit committee |
Authority | Statutory rights and professional standards | Mandate defined by internal audit charter |
Topic 6. Scope of Internal Audit, Outsourcing, and Assignments
6.a Scope and limitations of internal audit function
Internal audit scope covers financial, operational, compliance and IT auditing, but is limited by resource constraints, potential familiarity threats, and absence of enforcement power.
6.b Explain outsourcing internal audit
Outsourcing involves engaging a third party for internal audit services.
- Advantages: Access to specialised skills, cost savings, objective perspective.
- Disadvantages: Confidentiality concerns, loss of organisational knowledge, oversight complexity.
6.c Nature and purpose of internal audit assignments
- Value for Money: Evaluate economy, efficiency and effectiveness of operations.
- IT Audits: Assess cybersecurity, system implementations, data integrity.
- Financial Audits: Supplement external audit through deeper control testing.
- Regulatory Compliance: Verify adherence to laws and regulations.
- Fraud Investigations: Identify and investigate fraud schemes, recommend controls.
- Customer Experience Audits: Analyse service delivery processes and customer satisfaction.
6.d Nature and purpose of operational audit assignments
Examine business processes to identify inefficiencies, waste, or opportunities for improvement in resource utilisation and performance metrics.
6.e Format and content of internal audit review reports
Effective reports include:
- Executive Summary: High-level findings and recommendations.
- Scope and Objectives: Audit focus areas and criteria.
- Methodology: Procedures and evidence gathered.
- Findings: Detailed issues with impact assessment.
- Recommendations: Actionable steps, responsibility, and timelines.
- Management Response: Acknowledgement and planned actions.