CHAPTER 4
INTERNAL CONTROL
Contents
• Meaning and objectives of internal controls
• Accounting and administrative controls.
• Categories of internal control system
• The control process
• Importance of internal control
• Basic Internal control structure
activities/components
• Limitations of internal control
• Evaluating internal control
Meaning of Internal Control
Any organization wishing to conduct its
business in an organized and efficient
manner and to produce reliable financial
accounting information, both for its own and
for others’ use, needs some controls to
minimize the effects of the endemic human
failings (with the best intentions or intentional
falsification).
When such controls are implemented within
the organization’s systems they are described
as internal controls.
Internal controls are mechanisms designed to
control all of an entity’s functions, not just
its accounting function.
An internal control system encompasses the
policies, processes, tasks, behaviors and
other aspects of a company that, taken
together:
Facilitate its effective and efficient
operation by enabling it to respond
appropriately to significant business,
operational, financial, compliance and other
risks to achieving the company’s objectives
Help ensure the quality of internal and
external reporting
Help ensure compliance with applicable
laws and regulations
Definition of Internal Control * COSO
Internal control is ‘a process, effected by an
entity’s board of directors, management, and
other personnel, designed to provide reasonable
assurance regarding the achievement of
objectives in the following categories:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and
regulations’. (COSO)
* Committee of Sponsoring Organizations
of the Treadway Commission
Definition of Internal Control
cont…
Internal control is an activity that we perform to see
that the things we want to happen will happen …
and the things we don’t want to happen won’t
happen.
Internal Controls Are Common Sense
What do you worry
about going wrong?
What steps have been taken
to assure it doesn’t?
How do you know
things are under control?
Internal control is a process; it is a means
to an end, not an end itself.
Internal control is effected by people; it’s
not merely policy manuals and forms but
people at every level of an organization.
Internal control can be expected to only
provide reasonable assurance, not
absolute assurance.
Objectives of Internal Control
Internal control is geared to the achievement of
objectives in one or more separate but overlapping
categories. Objectives fall into four categories:
1. Operations – relating to effective and efficient
use of the entity’s resources
2. Financial reporting – relating to preparation of
reliable published financial statements
3. Compliance – relating to the entity’s
compliance with applicable laws and
regulations; and
4. Safeguarding of assets
Components of Internal Control
ICs contain accounting and administrative
controls.
The internal accounting controls are designed, in
particular, to ensure that transactions which give
rise to the accounting data are:
1. properly recorded, that is, all relevant details
of transactions are recorded at the time the
transactions take place;
2. properly authorized, that is, all transactions
are authorized by a person with the requisite
authority;
3. valid, that is, transactions recorded in the
accounting system represent genuine exchanges
with legitimate parties;
4. complete, that is, all genuine transactions are
input to the accounting system; none are
omitted;
5. properly valued, that is, transactions are
recorded in their correct amounts;
6. properly classified, that is, transactions are
recorded in the correct accounts;
7. recorded in the correct accounting period.
Categories of Internal Control System
• Preventive controls: Prevent something
bad from happening.
• Detective Controls: Detect problems that
passed through preventive control.
• Corrective controls: Aimed at correcting
problems detected by detective control.
The Control Process
Management designs systems of internal
control to accomplish all three objectives
(Reliability of Financial Reporting,
Efficiency and Effectiveness of
Operations, and
Compliance with Laws and
Regulations).
The auditor’s focus in both the audit of
financial statements and the audit of
internal controls is on those operations and
compliance with laws and regulations
objectives that could materially affect
financial reporting.
Common Internal Controls in our personal life
Lock up valuable belongings.
Keep copies of your tax returns, registration
slip, academic credentials, etc.
Balance your checkbook.
Keep your ATM/debit card PIN number
separate from your card.
Lock your computer with a password.
Compare your book and bank balance.
Why are Internal Controls
Important?
Compliance with applicable laws
and regulations.
Accomplishment of the entity’s
mission.
Relevant and reliable financial
reporting.
Effective and efficient operations.
Safeguarding of assets.
Risks of Weak Internal Controls
Weak Internal Controls Increase Risk
Through…
Business Interruption
system breakdowns or catastrophes,
excessive re-work to correct for errors.
Erroneous Management Decisions
based on erroneous, inadequate or
misleading information.
Fraud, Embezzlement and Theft
by management, employees, customers,
vendors, or the public-at-large.
Statutory Sanctions
penalties arising from failure to
comply with regulatory
requirements, as well as overt
violations.
Excessive Costs/Deficient Revenues
expenses which could have been
avoided, as well as loss of
revenues to which the organization
is entitled.
Loss, Misuse or Destruction of Assets
unintentional loss of physical
assets such as cash, inventory,
Benefits of Strong Internal
Controls
Reducing and preventing errors in
a cost- effective manner.
Ensuring priority issues are
identified and addressed.
Protecting employees & resources.
Providing appropriate checks and
balances.
Having more efficient audits,
resulting in shorter timelines, less
testing, and fewer demands on staff.
Contributing to the effectiveness of
the control system.
Effective Internal Controls
Make sense within each organization’s
unique operating environment.
Benefit rather than encumber (hinder)
management.
Are not stand-alone practices; they are
woven into day-to-day responsibilities.
Are cost-effective.
Basic Internal Control Structure
The most widely accepted internal
control framework in the United
States describes internal control
as consisting of five components
that management designs and
implements to provide reasonable
assurance that its control
objectives will be met.
Each component contains many
controls, but auditors concentrate on
those designed to prevent or detect
material misstatements in the
Internal control
components
The internal control components
include the following
1. Control environment
2. Risk assessment
3. Control activities
4. Information and
communication systems
support
5. Monitoring
Internal Control Framework…
COSO’s Five Inter-Related Standards:
Control Environment
Risk Assessment
Control Activities
Information & Communication
Monitoring
1. Control Environment
Foundation for all other standards of
internal control.
Pervasive influence on all the decisions
and activities of an organization.
Effective organizations set a positive
“tone at the top”.
Factors include the integrity, ethical
values and competence of employees,
and, management’s philosophy &
operating style
The control environment serves as the
umbrella for the other four
The Control Environment
The control environment consists of
the actions, policies, and
procedures that reflect the overall
attitudes of top management,
directors, and owners of an entity
about internal control and its
importance to the entity.
To understand and assess the control
environment, auditors should consider
the most important control
subcomponents, which are:
1. Integrity and ethical values
2. Commitment to competence
3. Board of directors’ audit committee
participation
4. The audit committee’s independence
5. Organizational structure
6. Human resource policies and practices
2. Risk Assessment
Risks are internal & external events
(economic conditions, staffing changes, new
systems, regulatory changes, natural
disasters, etc.) that threaten the
accomplishment of objectives.
Risk assessment is the process of identifying,
evaluating, and deciding how to manage
these events…
What is the likelihood of the event occurring?
What would be the impact if it were to occur?
What can we do to prevent or reduce the
risk?
3. Control Activities
Tools—policies, procedures, processes—
designed and implemented to help
ensure that management directives are
carried out.
Help prevent or reduce the risks that
can impede the accomplishment of
objectives.
Occur throughout the organization, at all
levels, and in all functions.
Includes approvals, authorizations,
verifications, reconciliations, security of
assets, reviews of operating
performance, and segregation of duties.
4. Communication & Information
Pertinent information must be
captured, identified and
communicated on a timely basis.
Effective information and
communication systems enable the
organization’s people to exchange
the information needed to conduct,
manage, and control its operations.
5. Monitoring
Internal control systems must be monitored
to assess their effectiveness… Are they
operating as intended?
Ongoing monitoring is necessary to react
dynamically to changing conditions…Have
controls become outdated, redundant, or
obsolete?
Monitoring occurs in the course of everyday
operations; it includes regular management
& supervisory activities and other actions
personnel take in performing their duties.
Key Internal Control
Activities/Components
1. Separation of Duties
Divide responsibilities between
different employees so one
individual doesn’t control all
aspects of a transaction.
Reduce the opportunity for an
employee to commit and conceal
errors (intentional or unintentional)
or perpetrate fraud.
Adequate Separation of Duties
Custody of assets               Accounting
Authorization of transactions   The custody of related assets
Operational responsibility      Record-keeping responsibility
IT duties                       User departments
2. Documentation
Document & preserve evidence to
substantiate:
Critical decisions and significant
events...typically involving the use,
commitment, or transfer of resources.
Transactions…enables a transaction to be
traced from its inception to completion.
Policies & Procedures…documents which
set forth the fundamental principles and
methods that employees rely on to do
their jobs.
Adequate Documents and Records
Pre-numbered consecutively
Prepared at the time of transaction
Simple enough to ensure understanding
Designed for multiple use
Constructed to encourage correct preparation
3. Authorization & Approvals
Management documents and
communicates which activities
require approval, and by whom,
based on the level of risk to the
organization.
Ensure that transactions are
approved and executed only by
employees acting within the scope
of their authority granted by
management.
Proper Authorization of Transactions and
Activities
General authorization
Specific authorization
4. Security of Assets
Secure and restrict access to
equipment, cash, inventory,
confidential information, etc. to reduce
the risk of loss or unauthorized
use.
Perform periodic physical inventories to
verify existence, quantities, location,
condition, and utilization.
Base the level of security on the
vulnerability of items being secured,
the likelihood of loss, and the potential
impact should a loss occur.
Physical Control over Assets
and Records
The most important type of protective
measure for safeguarding assets and
records is the use of physical precautions.
5. Reconciliation & Review
Examine transactions, information, and
events to verify accuracy,
completeness, appropriateness, and
compliance.
Base level of review on materiality, risk,
and overall importance to
organization’s objectives.
Ensure frequency is adequate enough
to detect and act upon questionable
activities in a timely manner.
Independent Checks on Performance
The need for independent checks arises
because internal control tends to change
over time unless there is a mechanism
for frequent review.
6. Information and Communication
The purpose of an accounting information
and communication system is to…
initiate, record, process, and report
the entity’s transactions and to maintain
accountability for the related assets.
Limitations of Internal Control
Internal control, no matter how well designed,
implemented and conducted, can provide only
reasonable assurance to management and the
board of directors of the achievement of an
entity’s objectives.
In considering limitations of internal control, two
distinct concepts must be recognized.
The first set of limitations acknowledges that
certain events or conditions are simply beyond
management’s control.
The second acknowledges that no system of
internal control will always do what it is
designed to do.
The best that can be expected in any
system of internal control is that reasonable
assurance be obtained.
The effectiveness of internal control is
limited by the realities of human frailty in
the making of business decisions.
Internal control may not result in the
intended objectives due to:
Human judgment;
External events;
Management override; and
Collusion.
Human judgment:
Some decisions based on human
judgment may later, with the clarity of
hindsight (perception after the fact), be
found to produce less than desirable
results, and may need to be changed.
External events
For objectives relating to the effectiveness
and efficiency of an entity’s operations—
achieving its mission, value propositions
(e.g., productivity, quality, and customer
service), profitability goals, and the like—
internal control cannot provide reasonable
assurance of the achievement when
external events may have a significant
impact on the achievement of objectives
and the impact cannot be mitigated to an
acceptable level.
Management override:
The term “management override” is used
here to mean overruling prescribed
policies or procedures for illegitimate
purposes with the intent of personal gain
or an enhanced presentation of an entity’s
performance or compliance. Examples
include:
Increase reported revenue to cover an
unanticipated decrease in market share,
Enhance reported earnings to meet
unrealistic budgets,
Boost the market value of the entity prior
to a public offering or sale,
Meet sales or earnings projections to
bolster bonus payouts tied to performance,
Appear to cover violations of debt
covenant agreements,
Hide lack of compliance with legal
requirements.
Collusion:
Collusion can result in internal control deficiencies.
Individuals acting collectively to perpetrate
and conceal an action from detection often
can alter financial or other management
information so that it cannot be detected or
prevented by the system of internal control.
Collusion can occur, for example, between
an employee who performs controls and a
customer, supplier, or another employee.
Additionally,
Staff size limitations may obstruct efforts to
properly segregate duties, which requires the
implementation of compensating controls to ensure
that objectives are achieved.
A limitation inherent in any system is the element of
human error, misunderstandings, fatigue and
stress.
Employees are to be encouraged to take earned
vacation time in order to improve operations by
enabling employees to overcome or avoid stress
and fatigue.
Evaluating Internal Control
Evaluating and improving internal control
are among the core competencies of many
professional accountants.
Professional accountants can play a leading
role in ensuring that internal control forms
an integral part of an organization’s
governance system and risk management.
IFAC provides the following key principles
for evaluating and improving internal
control.
The organization should make internal control
part of risk management and integrate both in its
overall governance system.
The organization should determine the various
roles and responsibilities with respect to internal
control, including the governing body,
management at all levels, employees, and
internal and external assurance providers, as well
as coordinate the collaboration among
participants.
The governing body and management should foster
an organizational culture that motivates members of
the organization to act in line with risk management
strategy and policies on internal control.
The governing body and management should link
achievement of the organization’s internal control
objectives to individual performance objectives.
The governing body, management, and other
participants in the organization’s governance system
should be sufficiently competent to fulfill the
internal control responsibilities associated with their
roles.
3. Control and Accounting Information Systems
Internal Controls
• Processes implemented to provide assurance that the
following objectives are achieved:
Safeguard assets
Maintain sufficient records
Provide accurate and reliable information
Prepare financial reports according to established criteria
Promote and improve operational efficiency
Encourage adherence with management policies
Comply with laws and regulations
Wednesday, February 26, 2025 54
Functions of Internal Controls
• Preventive controls
Deter problems from occurring
• Detective controls
Discover problems that are not prevented
• Corrective controls
Identify and correct problems; correct and
recover from the problems.
• Control Frameworks
• COBIT (Control Objectives for Information and
Related Technologies)
– Framework for IT control
• COSO
– Framework for enterprise internal controls (control-
based approach)
• COSO-ERM
– Expands COSO framework taking a risk-based
approach
• COBIT Framework
• Current framework version is COBIT5
• Based on the following principles:
– Meeting stakeholder needs
– Covering the enterprise end-to-end
– Applying a single, integrated framework
– Enabling a holistic approach
– Separating governance from management
• COBIT5 Separates Governance from
Management
• Components of COSO Frameworks
COSO                              COSO-ERM
Control (internal) environment    Internal environment
Risk assessment                   Objective setting
Control activities                Event identification
Information and communication     Risk assessment
Monitoring                        Risk response
                                  Control activities
                                  Information and communication
Internal Environment
• Management’s philosophy, operating style, and risk
appetite.
• Commitment to integrity, ethical values, and competence
• Internal control oversight by Board of Directors
• Organizational structure
• Methods of assigning authority and responsibility
• Human resource standards
Objective Setting
• Strategic objectives
High-level goals
• Operational objectives
Effectiveness and efficiency of operations
• Reporting objectives
Improve decision making and monitor performance
• Compliance objectives
Compliance with applicable laws and regulations
Event Identification
Identifying incidents both external and internal to the
organization that could affect the achievement of the
organization’s objectives.
Key Management Questions:
• What could go wrong?
• How can it go wrong?
• What is the potential harm?
• What can be done about it?
Risk Assessment
Risk is assessed from two perspectives:
• Likelihood
▫ Probability that the event will occur
• Impact
▫ Estimate of potential loss if event occurs
Types of risk
• Inherent
▫ Risk that exists before plans are made to control it
• Residual
▫ Risk that is left over after you control it
Risk Response
• Reduce
Implement effective internal control
• Accept
Do nothing, accept likelihood and impact of risk
• Share
Buy insurance, outsource, or hedge
• Avoid
Do not engage in the activity
Control Activities
• Proper authorization of transactions and activities
• Segregation of duties
• Project development and acquisition controls
• Change management controls
• Design and use of documents and records
• Safeguarding assets, records, and data
• Independent checks on performance
Segregation of Duties
Monitoring
• Perform internal control evaluations (e.g., internal audit)
• Implement effective supervision
• Use responsibility accounting systems (e.g., budgets)
• Monitor system activities
• Track purchased software and mobile devices
• Conduct periodic audits (e.g., external, internal, network security)
• Employ computer security officer
• Engage forensic specialists
• Install fraud detection software
• Implement a fraud hotline (a direct telephone line set up for this
purpose).