Internal control as “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives” in
1. Effectiveness and efficiency of operations
2. Reliability of financial reporting, and
3. Compliance with applicable laws and regulations
1.Internal control our EDP System
Internal controls are a vigorous part of accounting and data processing systems. It is important that the auditor be aware with the functions and uses of internal controls with respect to both manual and automatic systems. The controls of an electronic data processing system (EDP) and their identification, evaluation, and importance to the external auditor
1.1.1. Importance of Internal Control
Internal controls are a important part of accounting and data processing systems. It is important that the auditor be familiar with the functions and uses of internal controls with respect to both manual and automatic systems.
1.1.2. What are Internal Controls?
In a broad sense, internal control comprises controls which embrace the organizational plan and the methods used to protection the assets, create the dependability of financial data and records, endorse working efficacy and loyalty to managerial policies.
Internal control is categorized by independence between departments and lines of vicarious duty and authority. It is important that these internal controls verify the dependability and correctness of the data supportive all transactions using control total techniques, sanctions and approvals, contrasts, and other tests of data accuracy.
Committee on Auditing Procedure. “Auditing Standards and Procedures,” Statements on Auditing Procedure No. 33. New York: American Institute of Certified Public Accountants, 2008, p. 27.
1.1.3. Why Internal Controls are Important?
Before management can make judgments to maximize the long run profit of a firm, it must first have dependable accounting data on which to base these decisions. This info should be timely, accurate, complete, and reliable.
The protection of the assets of the firm against losses from misappropriation, robbery, failure to take discounts, inadequacy, and unjustified delays of credit are some functions of internal control that should be sufficiently interweaved in any good accounting system. These controls are necessary to assure management that the agreed procedures and orders are obeyed to since the management of large companies are not usually involved in personal supervision of their employees. Therefore, controls add reliability to accounting and financial data.
Internal controls are important to deliver appropriate segregation of functional responsibilities and to create a system of authorization and sanction to provide reasonable safety over these assets, liabilities, revenues, and expenses. Sound practices shadowed in the performance of duties with in the organization and the allocations of persons of a quality appropriate with responsibilities are two additional necessary and correct functions of internal controls in any system.
1.1.4. Why the Auditor is Concerned with Internal Controls?
Management identifies the needs and importance of internal controls as valuable tools to assure that events and transactions are properly carried out. The use and attendance of sufficient internal controls loans reliance and credibility to accounting records and consequently, reduces the length and detail of the audit. These internal controls reduce monotonous, routine, mechanical checks and verifications of bookkeeping accuracy, authorizing replacement of less time consuming approaches that involve judgment, reasoning, and common sense.
1.2. Internal Control Over Financial Reporting
The internal control system of an entity is severely interconnected to the structure used by management to supervise the activities of the organization, or to what is defined as the entity’s corporate governance. “Good corporate governance should deliver proper inducements for the board and management to follow purposes that are in the interest of the company and shareholders and should ease effective monitoring, thereby encouraged firms to use resources more proficiently” (OECD Principles of Corporate Governance). The Board of Directors is thus accountable for providing governance, supervision and oversight for senior management and guaranteeing that a suitable internal control system is in place and effective, meaning it ensure that foreseeable objectives are attained.
Financial reporting is the connection between the company and its external environment. One of the main features which contributed to these failures relate to the internal control system established around the disclosure of information to stakeholders. It seemed that not attaining the objective of effective internal control system over financial reporting demoralizes the status of a company, even at the attendance of many other control components, making it problematic or impossible for a company to be dependable on the market, to be able to collect financing resources, to be believable to shareholders and stakeholders in general.
1.2.1. Role of the Internal Auditor in Evaluating Internal Controls
The Internal auditor should scrutinize and contribute to the continuing effectiveness of the internal control system through evaluation and commendations.
Though, the internal auditor is not lodged with management’s primary obligation for designing, applying, maintaining and documenting internal control. Internal audit functions add value to an organization’s internal control system by transporting an orderly, disciplined approach to the evaluation of risk and by making commendations to strengthen the effectiveness of risk management struggles. The internal auditor should emphasis towards improving the internal control structure and promoting better corporate governance.
The role of the internal auditor consists of:
Evaluation of the efficiency and effectiveness of internal control
â€¢ Commending new controls where essential or stopping unnecessary controls
â€¢ Using control framework
â€¢ Developing Control self-valuation
The internal auditor’s assessment of internal control includes:
ƒ˜€ Determining the significance and the compassion of the risk for which controls are
ƒ˜€ Measuring the vulnerability to misuse of resources, failure to reach objectives concerning moralities, economy, efficiency and effectiveness, or failure to accomplish accountability obligations, and non-obedience with laws and regulations.
ƒ˜€ Identifying and understanding the design and operation of related controls.
ƒ˜€ Determining the grade of control effectiveness through testing of controls.
ƒ˜€ Measuring the sufficiency of the control design.
ƒ˜€ Reporting on the internal control evaluation and debating the essential corrective actions.
The comprehensive areas of review by the internal auditor in assessing the internal control System are:
ƒ˜€ Mission, vision, ethical and organizational worth system of the entity.
ƒ˜€ Personnel allocation, evaluation system, and growth policies
ƒ˜€ Accounting and financial reporting policies and obedience with applicable legal and regulatory standards
ƒ˜€ Objective of dimension and key performance pointers
ƒ˜€ Documentation standards
ƒ˜€ Risk management structure
ƒ˜€ Operational framework
ƒ˜€ Processes and procedures followed
ƒ˜€ Degree of management administration
ƒ˜€ Information systems, communication channels
ƒ˜€ Business Continuousness and Disaster Recovery Procedures
The internal auditor should get an understanding of the important processes and internal control systems adequate to plan the internal audit engagement and develop an effective audit tactic. The internal auditor should use professional finding to assess and evaluate the adulthood of the entity’s internal control. The auditor should obtain an understanding of the control environment sufficient to evaluate management’s attitudes, consciousness and actions regarding internal controls and their importance in the entity.
Such an understanding would also help the internal auditor to make an initial assessment of the sufficiency of the accounting and internal control systems as a basis for the preparation of the financial statements, and of the likely nature, timing and magnitude of internal audit procedures. The internal auditors measures the ‘as is’ internal control system within the organization.
The internal auditor should become an understanding of the internal control.
Procedures adequate to develop the audit plan. In obtaining that understanding, the internal auditor would consider knowledge about the attendance or absence of control procedures obtained from the understanding of the control environment, business processes and accounting system in determining whether any additional understanding of control procedures is essential. The internal auditor should document and understand the design and operations of internal controls to assess the effectiveness of the control environment.
When attaining an understanding of the business processes, accounting and internal control systems to plan the audit, the internal auditor obtains information of the design of the internal control systems and their operation. For example, an internal auditor may perform a “walk-through” test that is; present a few transactions through the accounting system. When the transactions selected are typical of those transactions that pass through the system, this procedure may be treated as part of the tests of control.
The internal auditor should deliberate the following aspects in the evaluation of internal control system in an entity:
ƒ˜€ Discovering the entity has a mission statement and written goals and objectives.
ƒ˜€ Evaluating risks at the activity (or process) level.
ƒ˜€ Completing a Business Controls worksheet for each important activity (or process) in each function or department with documentation of the attendant controls and their degree of effectiveness (partial or full); arranging those activities (or processes) which are most critical to the success of the function or department
ƒ˜€ Ensuring that all risks identified at the entity and function or department level are addressed in the Business Controls worksheet along with the combined documentation of the operating controls.
ƒ˜€ Discovering from the Business Controls worksheet, those risks for which no controls exist or existing controls are insufficient.
1.2.2. The assessment of internal control over financial reporting
The total assessment gives a complete opinion of the effectiveness of entity’s internal control system across internal control components. To facilitate the comparability with other entities and give complete assessment of the effectiveness of an entity’s internal control system as such, universal system for evaluations is needed.
Assessments and audits of internal control system should be tailor-made to the size, business, operations, risks, and procedures of each company, not directed by standardized lists (Heuberger 2009). This should more exactly identify possible problems, promote more efficient allocation of resources to higher-risk areas, and encourages a focus on outcomes rather than on processes.
Internal control over financial reporting can be judged effective when reasonable assurance subsists that financial statements are being prepared reliably.
Quantitative assessments are intended to measure the level of confidence that can be placed on the internal control system’s ability to perform effectively (Perry 2010).
Perry and Warner (Ibid: 52-55) have suggested a five-step model for quantitative assessment of internal control system, which is described on figure 1.1. The most important feature to note in this framework is scoring individual control objectives against the selected model. Using a suitable framework as a basis of the evaluation helps to attain a complete and structured assessment without missing important features of internal control.
Figure 1.1. Quantitative assessment of internal controls. Perry 2010: 52-55.
A framework can be deemed suitable as the fundamental for evaluation, when it is free from bias; it permits reasonably consistent qualitative and quantitative measurements; it is adequately complete so that those related factors that would modify a conclusion about the effectiveness of a company’s internal control over financial reporting are not mislaid; and it is related to the evaluation (PCAOB 2009: 11).
There are two key components of quantitative scoring: establishing how the maximum score will be assigned within the model and determining what percentage of the total allotted score to award to each control components. The initial COSO cube provides insight into the importance of the five internal control components in relative to each other, emphasizing the great importance of control environment and observing. However, Perry. (2010:54) note that those performing the assessment should apply their own experience with and information of internal controls and use this in combining with COSO guidance.
COB IT model describes numerous different levels of dependability or maturity of an internal control system. Levels may range from “initial”, the lowest level of dependability, to “optimized”, the highest.
COBIT Internal control reliability model is drawing the evaluator’s consideration to different features of the effectiveness of internal control, which would otherwise go unobserved, e.g. documentation and perceived value of controls. At the same time, this model is incomplete with respect to COSO internal control framework, because control environment and risk assessment are not comprised. Also, difficulties may arise greatly in small and medium-sized enterprises, where documentation regarding internal control system is limited and control procedures informal, but consciousness, communication and observing functioning might still be at high level.
The Internal Control Institute in the US features six categories in rating internal control components. Groups range from “reactive controls” to “world class system” pronounced in table 1.3. Each category is worth a percentage that is proportionate with the attained level of control (Perry 2005: 54). Specifically, category 1 is worth 162/3 percent (1/6) and category 6 is the highest level of maturity and is worth100 percent. The points for each control principle should be assigned according to the evaluated percentage of proposed maximum score, then concise and an assessment report prepared. In this system, the evaluators score the internal control over financial reporting according to the fulfillment of the principles of internal control through numerous criteria. The total evaluation of internal control is attained through summarizing the scores across objectives and components.
Perry’s model allows giving an total numerical opinion of the effectiveness of the internal control system, taking into account the distinct features of every organization by assigning different percentages for different control principles and components according to the entity’s size, ownership and business activities.
The assessment of the efficiency of internal control over financial reporting in an entity is closely associated to the concept of fraud. The Chartered Institute of Public Finance and Accountancy (CIPFA) defines fraud as those intentional misrepresentations of financial statements and other records which are carried out to conceal the misappropriation of assets or otherwise for gain (Pickett 2000: 550). For a person to commit fraud, three factors need to be in place: incentive or burden, chance and rationalization (Rittenberg 2005: 301; Pickett 2000: 550).