INTERNAL CONTROLS
We define internal control as a process—effected by an entity’s board of directors, management, and other personnel—designed to
provide reasonable assurance regarding the achievement of objectives in the following categories:
(1) Reliability of financial reporting,
(2) Effectiveness and efficiency of operations, and
(3) Compliance with applicable laws and regulations.
Generally, controls that are relevant to an audit pertain to the entity’s objective of preparing financial statements for external purposes that
are presented fairly in conformity with generally accepted accounting principles. The controls relating to operations and compliance
objectives may be relevant to an audit if they pertain to data we evaluate or use in our audit procedures.
The terms internal control, controls, internal control system, and components of internal control may be used to refer to the same process.
The following are the five components of a typical business’s internal controls:
1. Control environment
This is the overall attitude, awareness, and actions of management, the board of directors, and owners concerning the importance
of controls and the emphasis given to controls in determining the client’s policies, procedures, methods, and organizational
structure. The control environment is the foundation for all other components of internal control, providing discipline and structure.
2. Risk assessment
In the context of the client, this is the identification and analysis of the risks relevant to the achievement of its objectives.
3. Information and communication
The process of identifying, capturing, and exchanging information in a form and time frame needed to conduct, manage, and
control a client’s operations. It encompasses the related classes of transactions of the client, including the information technology
aspects of them.
4. Control activities
Policies and procedures to help ensure that management’s directives are carried out. They help ensure that the necessary actions
are taken to address risks to the achievement of the client’s objectives. Control activities, whether automated or manual, have various
objectives and are applied at various organizational and functional levels.
5. Monitoring
This is the process that assesses the quality of internal control performance over time. Monitoring is accomplished through ongoing
activities, separate evaluations, or a combination of the two.
Internal Control Factors considered in detail
1. Control environment
The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all
other components of internal control, providing discipline and structure. We obtain sufficient knowledge of the control environment,
including IT aspects of the control environment, to understand management’s and the board of directors’ attitudes, awareness, and
actions concerning the control environment, considering both the substance of controls and their collective effects.
The control environment consists of the following:
1.1 Integrity and ethical values, and behavior of key executives.
1.2 Management’s control consciousness and operating style.
1.3 Management’s commitment to competence.
1.4 Board of directors’ and/or audit committee participation in governance and oversight.
1.5 Organizational structure and assignment of authority and responsibility.
1.6 Human resource policies and practices.
When gaining an understanding of the control environment, we consider each of these and their interrelationships. In particular, we
recognize that deficiencies in any one of the factors may undermine the effectiveness of the others.
1.1 Integrity and Ethical Values, and the Behavior of Key Executives
The effectiveness of controls cannot rise above the integrity and ethical values of the people who create, administer, and monitor them.
Integrity and ethical values are essential elements of the control environment, affecting the design, administration, and monitoring of key
processes. Integrity and ethical behavior are the product of the entity’s ethical and behavioral standards, how they are communicated,
and how they are monitored and enforced in its business activities. They include management’s actions to remove or reduce incentives
and temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts. They also include the communication of
the entity’s values and behavioral standards to personnel through policy statements and codes of conduct, as well as the examples set
by the executives.
Factors to Consider:
• Does the entity have a written code of conduct that is communicated to all employees?
• Does the entity’s corporate culture emphasize the importance of integrity and ethical behavior? For example, are violators
immediately sanctioned?
• Does management lead by example?
• Does senior management hold itself to the highest standards?
• Does management take appropriate action in response to departures from approved policies and procedures or the code of
conduct?
1.2 Management's Control Consciousness and Operating Style
Management’s control consciousness and operating style have a pervasive effect on internal control. This encompasses a broad range
of characteristics that might include: management’s attitudes about the importance of internal control, including how it responds to
comments from internal and external auditors about improvements in internal control; management’s attitudes and actions toward financial
reporting (a conservative or aggressive approach to the selection and implementation of available alternative accounting principles, and
the conscientiousness and conservatism with which accounting estimates are developed); and management’s attitudes toward
information processing and accounting functions and personnel.
Factors to Consider:
• Does management give appropriate attention to internal control, including information technology controls?
• Do one or a few individuals dominate management without effective oversight by the board of directors or audit committee?
• What is management’s tendency with respect to selecting accounting principles and determining accounting estimates —
aggressive or conservative?
• Does management consult with the auditors on significant matters relating to internal control and accounting issues, or are there
frequent disputes (or, for initial engagements, disputes with the predecessor auditors)?
1.3 Management’s Commitment to Competence
Management’s commitment to competence includes management’s consideration of the competence levels for particular jobs and how
those levels translate into requisite skills and knowledge. Among the many factors that should be considered by management are the
nature and degree of judgment to be applied to a specific job and the extent of supervision that will be provided.
Factors to Consider:
• Do the accounting, finance, and IT personnel have the competence and training needed to deal with the nature and complexity of
the entity’s business? Are repeated errors addressed appropriately by changes in personnel or systems?
• Is management committed to provide sufficient accounting, financial, and IT personnel to keep pace with the growth and/or
complexity of the business and the demands of the stakeholders?
• Do accounting, finance, and IT personnel have the required technical skills to address new or pending accounting, statutory, or IT
systems requirements?
1.4 Board of Directors and/or Audit Committee Participation in Governance and Oversight
The board of directors and/or audit committee has a significant influence on the entity’s control consciousness. The board of directors,
through its own activities and supported by an audit committee or an equivalent function, is responsible for overseeing the entity’s
accounting and financial reporting policies and procedures.
Factors to Consider:
• Does the board of directors have a charter (or other written objectives) for the audit committee?
• Is there an open line of communication among the board of directors, audit committee, and external and internal auditors, and is
the nature and frequency of communication appropriate given the size and complexity of the entity?
• Are the members of the audit committee appropriately experienced and qualified?
• Are the members of the board of directors (and audit committee) independent of management?
• Is the number and length of board and audit committee meetings sufficient given the size and complexity of the entity?
• Is the audit committee (and/or board of directors) adequately involved in the financial reporting process?
• Does the audit committee (and/or board of directors) give adequate consideration to monitoring business risks affecting the entity
and management’s risk assessment processes (including the risks of fraud)?
• Are significant IT activities, challenges, and risks periodically communicated with the board of directors or audit committee?
• Is there high turnover of board members?
1.5 Organizational Structure and Assignment of Authority and Responsibility
The entity’s organizational structure provides the framework within which its activities for achieving entity-wide objectives are planned,
executed, controlled, and monitored. Considerations for establishing a relevant organizational structure include the identification of key
areas of authority and responsibility and appropriate lines of reporting. The entity should have an organizational structure that is suited
to its needs. The appropriateness of the entity’s organizational structure depends, in part, on its size and the nature of its activities. The
assignment of authority and responsibility pertains to how operating activities are assigned and how reporting relationships and
authorization hierarchies are established. It also includes policies relating to appropriate business practices, knowledge and experience
of key personnel, and resources provided for carrying out duties. In addition, it includes policies and communications directed at
ensuring that all personnel understand the entity’s objectives, know how their individual actions interrelate and contribute to those
objectives, and recognize how and for what they will be held accountable.
Factors to Consider:
• Is the assignment of responsibilities clear within the entity (including responsibilities specific to information systems processing
and program development)?
• Is there an adequate structure for assigning ownership of data, including who is authorized to initiate and/or change transactions?
• Are policies and procedures for the authorization of transactions established at the appropriate level?
1.6 Human Resource Policies and Practices
Human resource policies and practices relate to hiring, orienting, training, evaluating, counseling, promoting, and compensating
personnel. These policies and practices also relate to remedial actions, such as disciplining and terminating personnel.
Factors to Consider:
• Does the entity have adequate standards and procedures for hiring, training, motivating, evaluating, promoting, compensating,
transferring, or terminating personnel (particularly those in accounting, finance, and information systems)?
• Does the entity have written job descriptions or reference manuals that inform personnel of their duties (or, in the absence of
written documentation, adequate communication of job responsibilities and expectations)?
• Are policies and procedures clear, and are they issued, updated, or revised timely?
• Does the entity have adequate procedures for establishing and communicating policies and procedures to personnel at
decentralized locations (including foreign operations)?
• Does the entity have protection (e.g. insurance, bonding) for employees with access to cash, securities, and other valuable
assets?
• Are contract personnel subject to the policies and procedures established by the IT function to control their activities and to protect the
entity’s information assets?
2. Risk Assessment
Risk assessment is the entity’s process for identifying and analyzing the risks (both internal and external) that are relevant to the
achievement of its objectives. In addition, a risk assessment process provides the entity with a basis for determining how to manage its
risks (e.g., the actions to address specific risks or a decision to accept a risk because of cost or other considerations).
An entity’s risk assessment process for financial reporting purposes is its identification, analysis, and management of risks relevant to
the preparation of financial statements that give a true and fair view (or are presented fairly, in all material respects) in accordance with
IFRS, generally accepted accounting principles, or another appropriate financial reporting framework. When obtaining an understanding
of the entity’s risk assessment process, we should evaluate whether management has identified the risks of material misstatement in the
significant accounts and disclosures and related assertions of the financial statements and has implemented controls to prevent or
detect errors or fraud that could result in material misstatements. For example, risk assessment may address how the entity considers
the possibility of unrecorded transactions or identifies and analyzes significant estimates recorded in the financial statements. Risks
relevant to reliable financial reporting also relate to specific events or transactions.
We gain an understanding of the entity’s risk assessment process, specifically as it relates to the financial reporting objective of internal
control. We then determine, generally through inquiry, observation, and inspection of relevant documents, whether the entity’s risk
assessment process has identified and analyzed each of the risks we have identified.
Factors to Consider:
• Has a risk assessment process been established that includes estimating the significance of risks, assessing the likelihood of
their occurrence, and determining needed actions?
• Does the entity’s risk assessment process specifically include identifying and assessing the risks of fraud?
• Does the entity’s risk assessment process specifically include identifying and assessing the risks related to IT (e.g., has a
business impact assessment been performed that considers the effect of system failures on the financial reporting process)?
• Are there mechanisms in place to anticipate, identify, and react to changes that may have a dramatic and pervasive effect on
the entity (e.g., asset/liability management committee in a financial institution, commodities trading risk management group in
a manufacturing entity)?
• Are there mechanisms in place to anticipate, identify, and react to routine events or activities that affect achievement of entity
or process/application-level objectives?
• Does the IT department have a process to notify end-users (e.g., accounting) when significant changes are made that could
affect the method or the process of recording transactions?
• Does the accounting department have in place processes to identify significant changes in the financial reporting framework
promulgated by relevant authoritative bodies?
• Do communication channels in place notify the accounting and IT departments of changes in the entity’s business practices
that may affect the method or the process of recording transactions?
• Does the accounting department have processes in place to identify significant changes in the operating environment, including
regulatory changes?
• Are entity-level objectives established and communicated, including how they are supported by strategic plans and
complemented on a process/application level?
• Does IT management periodically communicate its activities, challenges, and risks with the CEO and CFO?
3. Information and Communication
Information and communication is the process of capturing and exchanging the information needed to conduct, manage, and
control a client’s operations. The quality of the client’s information and communication affects management’s ability to make
appropriate decisions in controlling the client’s activities and to prepare reliable financial reports. Information and communication
involves capturing and providing information to appropriate personnel so that they can carry out their responsibilities, including
providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting.
The information systems that are relevant to the financial reporting objective encompass methods and records that:
• Identify and record all valid transactions
• Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial
reporting
• Measure the value of transactions in a manner that permits recording their proper monetary value in the financial
statements
• Determine the time period in which transactions occurred to permit recording of transactions in the proper accounting
period
• Present properly the transactions and related disclosures in the financial statements
Communication is inherent in information systems, which have to provide information to appropriate personnel so that they can
carry out their financial reporting, operating, and compliance responsibilities. However, communication also has to take place in a
broader sense, dealing with expectations, the responsibilities of individuals and groups, and other important matters.
An effective communication system often encompasses each individual knowing:
• Their specific duties (each individual needs to understand the relevant aspects of the internal control system and their
role in it)
• How to handle the ‘unexpected’ (personnel have to know that when unexpected events occur, attention is to be given not
only to the event itself, but also to its cause)
• How their activities relate to others (this is necessary to recognize a problem or to determine its cause and corrective
action)
• What behavior is expected, and what is acceptable or unacceptable
• How to communicate significant information upstream in the client’s organization
In understanding the client’s information and communication at the entity level, we consider such factors as:
Information
• Whether the information system provides management with necessary reports on the client’s performance relative to
established objectives, including relevant external and internal information.
• Whether information is provided to the right people in sufficient detail and on time to enable them to carry out their
responsibilities efficiently and effectively.
• To what extent information systems are developed or revised based on a strategic plan that is interrelated with the
client’s overall information systems, and is responsive to achieving the entity-level and process/application level
objectives.
• Whether management commits the appropriate human and financial resources to develop the necessary information
systems.
• How management ensures and monitors user involvement in the development (including revisions) and testing of
programs.
• Whether procedures are in place to back up and recover information.
Communication
• Whether management communicates employees’ duties and control responsibilities in an effective manner.
• Whether communication channels have been established for people to report suspected improprieties.
• The adequacy of communication across the organization to enable people to discharge their responsibilities effectively.
• Whether management takes timely and appropriate follow-up action on communications received from customers,
vendors, regulators, or other external parties.
• Whether the client is subject to monitoring and compliance requirements imposed by legislative and regulatory bodies.
• The extent to which other parties outside the client (e.g., customers, suppliers) have been made aware of the client’s
ethical standards and policies.
4. Control Activities
Control activities are policies and procedures that help ensure that management’s directives are carried out. They help
ensure that the necessary actions are taken to address risks to the achievement of the client’s objectives. Control activities,
whether automated or manual, have various objectives and are applied at various organizational and functional levels.
Examples of controls
i) Organizational plans or charts
An organizational plan shows clearly the various departments within the company, their functions, and the persons charged with
ensuring that those functions are fulfilled. Delegation of authority and limits of authority should be clearly defined.
Such a plan boosts accountability within the organization and reduces duplication of effort.
ii) Segregation of duties
This is the separation of duties and responsibilities such that no one person can process and record a complete
transaction from beginning to end without being checked by another person, in order to minimize the risk of error and/or
intentional manipulation of information. The functions that should be segregated include the following:
• Initiation of transactions.
• Authorization of transactions, which depends on the position, integrity, qualification and competence of the officer.
• Execution of transactions, which should be done by persons independent of those who authorize the transactions.
• Custody of the asset. The official authorizing or executing a transaction should not have custody of the assets arising out
of that transaction.
• Recording of the transactions in the books of account.
iii) Physical controls
These are security measures concerned with the custody of assets by limiting access to authorized people only e.g. keeping
assets under lock and key, employment of security guards, fences, perimeter walls, alarm systems etc. Indirect measures
include documentation of the movement of assets such as the use of registers to record utilization of company vehicles etc.
iv) Authorization and approval
Transactions that commit organizational resources should be subject to authorization and approval by a responsible official.
There should be a committee to approve the capital budget of the company, with the budget process initiated at a board meeting.
v) Arithmetical and accounting controls
These are controls within the accounting function which check that transactions are authorized and are correctly and
accurately recorded, to ensure the completeness and accuracy of the accounting records. The key features of this control
include the following:
• Use of pre-numbered documents in processing transactions, e.g. pre-numbered local purchase orders to raise
purchases with suppliers.
• The documents should be issued in sequence when processing transactions, so that a gap or a duplicate in the
sequence stands out and can be investigated.
• Monitoring of the movement of documents by use of registers.
• Reconciliation between different accounts and the related control accounts and other independent records, e.g. the bank
statement with the cash book, creditors’ balances with suppliers’ statements, etc.
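The sequence and reconciliation checks described above are routinely automated. The following is an added worked example, not part of the original notes: it flags missing, duplicated and out-of-range numbers in a run of pre-numbered local purchase orders, and reconciles a cash book to a bank statement, separating timing differences (items recorded but not yet on the statement, and vice versa) from genuine mismatches that must be investigated. All document numbers and amounts are constructed for illustration.

```python
"""Added example (not from the original notes): automated arithmetical and
accounting controls over pre-numbered documents and a bank reconciliation.
All sample data below is constructed for illustration."""
from collections import Counter
from decimal import Decimal

# Constructed sample: local purchase order numbers actually issued in a period
# whose authorised range is 1001..1008. Note the gaps and the repeated number.
ISSUED_LPO_NUMBERS = [1001, 1002, 1003, 1005, 1006, 1006, 1008]


def sequence_exceptions(numbers, first, last):
    """Return (missing, duplicated, out_of_range) for the expected run first..last.

    A missing number may be a cancelled, lost or unrecorded document; a duplicate
    may be a reused number hiding an unauthorised transaction; a number outside the
    authorised range may be a forged document. Each exception needs explaining."""
    seen = Counter(numbers)
    missing = [n for n in range(first, last + 1) if n not in seen]
    duplicated = sorted(n for n, count in seen.items() if count > 1)
    out_of_range = sorted(n for n in seen if n < first or n > last)
    return missing, duplicated, out_of_range


# Constructed sample ledgers: (reference, amount), receipts positive, payments negative.
# References are assumed to be unique within each record.
CASH_BOOK = [
    ("CHQ101", Decimal("-250.00")),
    ("DEP7", Decimal("1000.00")),
    ("CHQ102", Decimal("-75.50")),   # cheque issued, not yet presented at the bank
    ("DEP8", Decimal("400.00")),     # deposit banked after the statement date
]
BANK_STATEMENT = [
    ("CHQ101", Decimal("-250.00")),
    ("DEP7", Decimal("1000.00")),
    ("BANKCHG", Decimal("-12.00")),  # bank charge not yet entered in the cash book
]
# Same statement, but CHQ101 cleared for a different amount than was recorded.
BANK_STATEMENT_ALTERED = [("CHQ101", Decimal("-260.00"))] + BANK_STATEMENT[1:]


def reconcile(cash_book, bank_statement):
    """Reconcile the cash book to the bank statement.

    Timing differences (unpresented and unrecorded items) are legitimate and are
    adjusted for; a matched reference with differing amounts is an error or a
    manipulation and blocks the reconciliation until investigated."""
    cb = dict(cash_book)
    bs = dict(bank_statement)
    zero = Decimal("0")
    unpresented = {r: a for r, a in cb.items() if r not in bs}   # in books, not on statement
    unrecorded = {r: a for r, a in bs.items() if r not in cb}    # on statement, not in books
    mismatched = {r: (cb[r], bs[r]) for r in cb.keys() & bs.keys() if cb[r] != bs[r]}
    cash_book_balance = sum(cb.values(), zero)
    bank_balance = sum(bs.values(), zero)
    adjusted_bank = bank_balance + sum(unpresented.values(), zero)
    adjusted_books = cash_book_balance + sum(unrecorded.values(), zero)
    return {
        "cash_book_balance": cash_book_balance,
        "bank_balance": bank_balance,
        "unpresented": unpresented,
        "unrecorded": unrecorded,
        "mismatched": mismatched,
        "reconciles": adjusted_bank == adjusted_books and not mismatched,
    }


if __name__ == "__main__":
    print(sequence_exceptions(ISSUED_LPO_NUMBERS, 1001, 1008))
    print(reconcile(CASH_BOOK, BANK_STATEMENT)["reconciles"])
    print(reconcile(CASH_BOOK, BANK_STATEMENT_ALTERED)["mismatched"])
```

The unrecorded bank charge is the usual way a reconciliation surfaces an omission in the books, while the altered cheque amount is the kind of item a reconciliation performed by someone independent of the cashier is meant to catch.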
vi) Personnel
This means hiring competent staff who have integrity and are ready to work for the company, using clearly defined procedures,
i.e. advertising, receiving applications, short-listing, interviewing, and selecting those who will be employed. The entity should
also encourage self-development through training, workshops, sessions, etc. Lastly, staff should be assigned responsibilities that
match their qualifications.
vii) Supervision
Day-to-day transactions and their recording should be subject to supervision by competent, responsible officials. Action
should be taken promptly to correct mistakes, and appropriate disciplinary action taken against those responsible for misstatements in the financial records.
viii) Management controls
These include:
• The review of management accounts, i.e. budgets and targets.
• Comparison of actual performance with budgets, and taking the necessary steps for any deviation or variance.
• Audit committees, to encourage comprehensive audit reports.
• Internal audit functions.
ix) Rotation of duties
Staff should be encouraged to take on responsibility in different areas within the same department, to encourage career growth
and motivate them to work harder. Staff should also be required to take annual leave, which provides an opportunity
for their work to be checked by an independent person while they are away.
x) Internal audit
An internal audit function promotes corporate governance and risk management by independently evaluating the design and operation of the other controls.
In understanding the client’s control activities at the entity level, we consider such factors as:
• The extent to which performance of control activities relies on IT.
• Whether the necessary policies and procedures exist with respect to each of the client’s activities, including IT security and system
development.
• The extent to which controls called for by policy are being applied.
• Whether management has clear objectives in terms of budget, profit, and other financial and operating goals, and whether these
objectives are clearly written, communicated throughout the entity, and are actively monitored.
• Whether planning and reporting systems are in place to identify variances from planned performance and communicate such
variances to the appropriate level of management.
• Whether the appropriate level of management investigates variances and takes appropriate and timely corrective actions.
• To what extent duties are divided or segregated among different people to reduce the fraud risks or inappropriate actions.
• Whether logical access security software is used to control access to data and programs and, if so, the extent to which segregation
of incompatible duties is achieved by implementing logical access controls.
• Whether periodic comparisons are made of amounts recorded in the accounting system with physical assets.
• Whether adequate safeguards are in place to prevent unauthorized access to or destruction of documents, records, and assets.
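Segregation of duties (control activity ii above) is commonly enforced with logical access controls, as the bullet on logical access security software describes. The following is an added worked example and is not code from the original notes. It assumes a role model in which roles grant duties and users are granted roles, and a table of incompatible duty pairs (initiate/authorize, authorize/execute, authorize/custody, execute/custody, custody/record) derived from the functions the notes list; those pairs, the duty names and the sample users are constructed assumptions. It shows two checks a practitioner would actually implement: a static review of the access matrix for users holding incompatible duties, and a run-time check at each workflow step that the actor holds the duty and did not perform an incompatible earlier step on the same transaction.

```python
"""Added example (not from the original notes): enforcing segregation of duties
through logical access controls. The duty names, the incompatible-pair table and
the sample users below are constructed assumptions for illustration."""
from dataclasses import dataclass, field
from enum import Enum
from itertools import combinations


class Duty(Enum):
    INITIATE = "initiate"
    AUTHORIZE = "authorize"
    EXECUTE = "execute"
    CUSTODY = "custody"
    RECORD = "record"


# Assumed incompatible pairs: no one person may hold both duties on a transaction.
INCOMPATIBLE = {
    frozenset({Duty.INITIATE, Duty.AUTHORIZE}),
    frozenset({Duty.AUTHORIZE, Duty.EXECUTE}),
    frozenset({Duty.AUTHORIZE, Duty.CUSTODY}),
    frozenset({Duty.EXECUTE, Duty.CUSTODY}),
    frozenset({Duty.CUSTODY, Duty.RECORD}),
}

# Constructed role model: each role grants one or more duties.
ROLE_DUTIES = {
    "requisitioner": {Duty.INITIATE},
    "purchasing_manager": {Duty.AUTHORIZE},
    "treasury_clerk": {Duty.EXECUTE},
    "storekeeper": {Duty.CUSTODY},
    "ledger_clerk": {Duty.RECORD},
}

# Constructed access matrix: dave and eve have been granted incompatible roles.
USER_ROLES = {
    "alice": ["requisitioner"],
    "bob": ["purchasing_manager"],
    "carol": ["treasury_clerk"],
    "dave": ["storekeeper", "ledger_clerk"],
    "eve": ["requisitioner", "purchasing_manager"],
}


def user_duties(roles):
    """All duties a user holds through the roles granted to them."""
    return set().union(*(ROLE_DUTIES[r] for r in roles)) if roles else set()


def sod_conflicts(user_roles):
    """Static review: map each user to the incompatible duty pairs they hold.
    This is the check an auditor runs over the access matrix itself."""
    findings = {}
    for user, roles in user_roles.items():
        duties = sorted(user_duties(roles), key=lambda d: d.value)
        bad = [(a.value, b.value) for a, b in combinations(duties, 2)
               if frozenset({a, b}) in INCOMPATIBLE]
        if bad:
            findings[user] = bad
    return findings


class SodViolation(Exception):
    """Raised when a workflow step would breach segregation of duties."""


@dataclass
class Transaction:
    ref: str
    amount: int
    history: list = field(default_factory=list)  # (Duty, user) steps so far


def perform(tx, user, duty, user_roles=USER_ROLES):
    """Run-time check: the actor must hold the duty, and must not have performed
    an incompatible step earlier on this same transaction. Returns tx on success."""
    if duty not in user_duties(user_roles.get(user, [])):
        raise SodViolation(f"{user} does not hold the {duty.value} duty")
    for earlier_duty, earlier_user in tx.history:
        if earlier_user == user and frozenset({earlier_duty, duty}) in INCOMPATIBLE:
            raise SodViolation(
                f"{user} already performed {earlier_duty.value} on {tx.ref}; "
                f"cannot also {duty.value}")
    tx.history.append((duty, user))
    return tx


def run_purchase(ref, amount, initiator, authorizer, executor, user_roles=USER_ROLES):
    """Drive one purchase through initiate -> authorize -> execute, returning the
    step history, or the SodViolation message if a step is refused."""
    tx = Transaction(ref, amount)
    try:
        for user, duty in ((initiator, Duty.INITIATE), (authorizer, Duty.AUTHORIZE),
                           (executor, Duty.EXECUTE)):
            perform(tx, user, duty, user_roles)
    except SodViolation as exc:
        return str(exc)
    return [(d.value, u) for d, u in tx.history]
```

The static check catches a badly granted role before any transaction is processed; the run-time check is still needed, because a person who legitimately holds a duty through one role must not be the same person who performed the preceding, incompatible step on that particular transaction (eve holding both roles is exactly the case the static review should have removed).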
5. Monitoring
Monitoring is the process that assesses the quality of the performance of internal control over time. An important management
responsibility is to establish and maintain internal control. Management monitors controls to consider whether they are operating as
intended and whether they are modified as appropriate for changes in conditions.
Factors to Consider:
• Does management respond timely and appropriately to recommendations on internal control from the internal auditors and external
auditors?
• Are monitoring procedures performed timely?
• Is there a low level of customer complaints, and does management respond timely and appropriately to the cause of such complaints?
• For smaller entities, is the owner/manager actively involved in the business?
• Does the parent company adequately scrutinize the activities of the various operating units (e.g., subsidiaries, divisions, plant
locations)?
• If applicable, is the oversight by legislative or regulatory bodies effective?
Additional factors for entities with internal audit departments (if the entity does not have an internal audit function, consider whether its
absence constitutes a significant deficiency in internal control or exacerbates identified risks of fraud):
• Is internal audit adequately staffed and trained, with appropriate specialized skills, including IT, given the nature, size, and complexity
of the entity and its operating environment?
• Is the internal audit department independent (authority and reporting relationships) and does it have adequate access to the audit
committee (or equivalent)?
• Is the scope of internal audit’s activities appropriate given the nature, size, and complexity of the entity and its operating
environment?
• Does internal audit devote sufficient time and attention to evaluating the design and operation of internal control?
• Does internal audit have the authority to examine all aspects of the entity’s operations, including those overseen or controlled by
senior management?
• Does internal audit adhere to professional standards?
IMPORTANCE OF INTERNAL CONTROL SYSTEM
a) Enables management to carry out the business in an orderly and efficient manner, e.g. there will be systems laying out the
procedures to be followed in procuring raw materials, to ensure that only necessary materials are procured and that they meet the quality
standards of the company.
b) Ensures adherence to management policies, especially on quotations and tendering when procuring materials, hiring and firing
employees, etc.
c) Safeguards the company’s assets, i.e. protects them from theft and destruction and sees that they are used in the best interests of the
company, e.g. taking out insurance cover, employing security guards, having fire extinguishers, etc.
d) Helps ensure the completeness and accuracy of the records maintained. This ensures timely reports that add value to the users
of the financial statements.
e) Strong internal controls help in preventing and detecting errors and fraud.
f) Ensures compliance with applicable laws and auditing standards, and meets the requirements of the Companies Act.
Limitations of internal control system
These are set out in ISA 400 paragraph 14 (ISA 400 has since been superseded by ISA 315 and ISA 330, which carry the same inherent limitations).
i) The cost-benefit constraint. Management has to ensure that the benefit expected from the internal control system outweighs
its cost, e.g. full segregation of duties may not be affordable in a small entity.
ii) Most internal controls tend to be directed toward routine transactions rather than non-routine transactions, leaving room for
errors and fraud, e.g. special orders from large customers, natural calamities such as fire or floods, PR float.
iii) Abuse of responsibility, e.g. a member of management may enter into a side agreement in ways that would affect
revenue recognition (refer to IAS 18), or management may improperly modify the accounting records (refer to ISA 240).
iv) The possibility that procedures become inadequate because of changes in conditions, e.g. changes in technology such as
electronic deposits and withdrawals in modern banking, changes in both auditing and accounting standards, etc.
v) Mistakes or errors may be made in the performance of controls as a result of misunderstanding of instructions, mistakes of
judgment in estimates, carelessness, distraction, fatigue, etc.
vi) A member of management or an employee may circumvent controls through collusion with persons outside or inside the
entity.
Circumstances when it is not appropriate for auditors to rely on the internal control system (ICS)
i. Small business entities where key controls such as segregation of duties are absent.
ii. Small business entities where there are few transactions and the auditor can vouch every transaction.
iii. High-risk areas, mostly where the auditor is put upon enquiry, e.g. an in-depth audit by the tax authority.
iv. When a high level of assurance was obtained in the previous year and the system has not changed.
v. When a high level of assurance can be gained from inherent factors and analytical review.
vi. When the preliminary review indicates that the controls are not strong and a high level of assurance will have to come from
substantive testing.