Internal control is designed to provide accountability and mitigate risk. It exists across all activities of an organization and includes processes to ensure reliable financial reporting, compliance with laws, and efficient operations. The key components of internal control are control environment, risk assessment, control activities, information and communication, and monitoring. General computer controls and application controls help ensure appropriate technology functioning.

1. Internal control is designed to provide accountability of those entrusted to run the
enterprise by the stakeholders, who have provided the resources to the entity.
Controls exists as a way to mitigate and manage risk and are necessary for good
long-term decision-making.
Internal controls are needed because every organization faces significant risks
ranging from:
a. corporate failure
b. misuse of corporate assets
c. incorrect or incomplete preparation of financial statements
internal control assist the organization in the following category
a. reliability of financial reporting
b. compliance with applicable laws and regulation
c. effectiveness and efficiency of operations
Important aspects of internal control
a. it is a continuous process
b. starts at the top of the organization
c. it includes all the people
d. broader than internal control over financial reporting
e. applied across all activities of the organization
Components of internal control
1. risk assessment
a. the manner in which a misstatement might occur varies with both
the organization’s control environment and the nature of
processing.
2. control environment: refers to the overall governance of the organization
a. starts with the audit committee, BOD and management
b. 7 effective control environment
i. Integrity and ethical values particularly top management
ii. Importance of BOD in financial reporting and related
controls
iii. Management philosophy an operating style achieving
effective internal control (sets the tone-> articulate ->
select accounting principles and oversees estimates)
iv. Organizational structure supporting effective internal
control
v. Commitment to financial reporting competencies
vi. Authority and responsibility(jobs of BOD define
responsibility and limit authority)
vii. Human resources: policies and practices including
compensation program.
3. control activities: errors that can occur

2. a. policies and procedures that are established to assist
organizations in accomplishing objectives and mitigating risks.
b. Organization implement control activities to mitigate the risks that
are specific to their organization.
c. Involves two components
i. The design and implementation of the controls including a
description of how the control activities operate.
ii. The operation of the controls
d. 3 process that affect the quality of data entering into the general
ledger
i. transactions processing
ii. accounting estumates
iii. adjusting and closing journal entries
e. control activities
i. segregation of duties ( custodial and process transaction)
ii. authorization procedures
iii. adequately document transaction trail(provide evidence to
authorization)
iv. physical controls to safeguard assets
v. reconciliation of control accounts with subsidiary ledgers,
transactions recorded with submitted for processing and
physical counts of assets
4. information and communication: communication of the management
a. indentifying, capturing and exchanging information in a timely
fashion to enable accomplishment of the organization’s objectives.
5. monitoring: monitor to assure that everything operates effectively
a. monitoring is a process that provides feedback n the effectiveness
of the other four components of internal control.
b. Can be done through ongoing activities or separate evaluations.
entity level control: exists on a higher level than transaction-level controls and affct
multiple processes, transactions, accounts and assertions.
Most BOD as three subcommittes:
1. the audit committee
2. the compensation committee
3. a nominating and governance committee
preventive VS detective control
Preventive control: designed to prevent the occurrence of a misstatement, usually
more cost efficient but my not provide documentary evidence that controls are
working.
Edit control:prevent some inappropriate transactions from being recorded.

3. Detective control:provides evidence on whether processing has been effective in
preventing errors.
General computer controls: computer controls that are pervasive and affect every
computerized system
Application controls: controls that are built into specific processes.
authentication: verifying to the system that the person is who she or he claims to be.
(something they know, they possess or from them)
General computer controls
a. planning and controlling data processing function
b. controlling applications development and changes to programs and or data
files and records (failure of programs)
c. controlling access to equipment,data and programs
a. The auditor should determine the extent to which the client has
instituted a data access program based on the following principles
i. access to any data item is limited to those with a need to know
ii. the ability to change, modify or delete a data item is restricted
to thse with the authorization to make such changes
iii. the access control system has the ability to identify and verify
any potential users as authorized or unauthorized for the data
item and function requests
iv. a security department should actively monitor attempts to
compromise the system
d. assuring business continuity such that control failures do not affect data or
programs (back ups)
e. controlling data transmission (encryption)
Application control
a. input control- assure that it fully captures and records all the
transactions.
i. Unique transaction identifier established by the computer
ii. Procedures to limit access
iii. Formation of an audit trail- allow auditor to trace a transaction
from its origination through to its final disposition.
b. Processing control
i. Designed to assure tha the correct program is used for
processing, all are processed and the correct transaction
update multiple files
c. Output control
i. Designed to assure that all date are completely processed and
that output is distributed only to authorized recipients.

4. Management evaluation of internal controls
“better internal controls lead to better data for decisions and increase the likelihood
of organizational success and sustainability.”
Material weakness- deficiency in internal control over financial reporting and may
not be detected in a timely basis.
Significant deficiency in internal control- deficiency in internal converol that is less
sever than a material weakness
Auditor’s evaluation of internal controls
Auditor’s purpose a. determine control risk that could affect financial statements
b. in an integrated audit internal controls,provide opoion of the
effectiveness of control.
Auditors are required to assess control risk for each relevant assertion.
a. controls are adequate to achieve a particular objective
b. determining how to test the controls and the accuracy of the processing
walkthrough: tracing the processing of transaction from its beginning to its reording
to general ledger and identifying the important controls over the process.
Note: walkthrough iis not same as testing controls
There is no need to test every control related to a relevant assertion, only thos that
are more important in reducing the risk.
Guidance on sample size for testing controls
a. manual transaction ortiented (30-100)
b. transaction controls built into computer applications
c. monthly control procedures
d. year-end controls
e. adjusting entry controls
a. other controls are not being overridden by management
b. there is support for the adjusting entries
f. entries receive proper approval by the appropriate management level.