INTERNAL CONTROL
We are going to use the Internal Control - Integrated Framework published by COSO (the Committee of Sponsoring Organizations of the Treadway Commission) to describe the system of internal controls of the company.
What is internal control?
The COSO Internal Control - Integrated Framework defines internal control as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
Fundamental concepts are inherent in this definition:
• Internal control is an ongoing process, and it is effected by people at all organizational levels
• Management and the board receive reasonable assurance, not absolute assurance
• Internal control transcends policy manuals and forms and is geared toward the achievement
of organizational objectives.
As these multiple definitions point out, internal controls enable an entity’s management to achieve
the organization’s mission, goals and objectives.
Five components of effective internal control
Refer to the five parts of the COSO Internal Control - Integrated Framework. The framework gives auditors a way to evaluate an entity's controls.
The five components are:
1. Control Environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring
The COSO internal control framework defines the entity's internal controls as those implemented across multiple transaction cycles (Entity - Division - Operating unit - Function) for the entire organization.
1. CONTROL ENVIRONMENT
The attitude and actions of the board and management regarding the importance of control within the organization and the focus they give to IT controls; in short, the way management and the board feel about controls.
Why should the board and management care about the control environment?
Management – it is their responsibility to prepare accurate financial information.
Board of directors – ultimately responsible for the financial statements.
A good control environment will include:
• Communicating ethics
• Employing good staff
• Positive influence, participation and professionalism
• Management’s philosophy and operating style
• Organizational structure (reporting lines, segregation of duties, etc.)
Generally, a good control environment includes the following elements:
• Integrity and ethical values of the organization
• Management's philosophy and operating style
• Organizational structure
• Assignment of authority and responsibility
• Human resource policies and practices
• Competence of personnel
Why should auditors care about the control environment?
It is their responsibility to express an opinion on the fair presentation of the financial statements.
The 'top down approach' to controls means that management and the board set the tone for the focus on, and adherence to, controls.
If management doesn't care about controls, then the staff won't either. Controls at any level will become unreliable.
Thus the financial information may not be created in a reliable way, so we can't rely on control testing.
If reporting structures are not laid down properly, there can be no segregation of duties; i.e. if the people who record information (e.g. an accountant) can also change the system, then they can change anything without any control or anyone knowing.
If management hires people who don't have the skills, the financial information they create may be wrong.
If the staff all record transactions differently, they may not be using effective controls.
Note that we can only test controls if they are reliable, effective and consistently used, since this is what creates accurate financial information.
As an auditor I want to use control testing as evidence that the financial statements are fairly presented; if the control environment is sound, I have more confidence that the information created in that environment will be reliable.
Therefore there is a lot to evaluate before you can assess whether the company has an effective control environment or not: ethical values and integrity, commitment to competence, an active board and audit committee, management's philosophy and operating style, human resource policies, business structures and authority, IT systems, the internal audit function, etc.
2. Risk assessment
Requires management to identify all risks at multiple transaction cycles (Entity - Division - Operating unit - Function) for the entire entity; put another way, what could go wrong in a transaction cycle? Risk assessment is the identification and analysis of relevant risks to the achievement of objectives. Risks are measured in terms of likelihood and severity of impact. Critical risks are identified by prioritizing them.
3. Control Activities
The company develops a course of action to reduce risks to an acceptable level by performing control activities: the policies and procedures that help ensure that management directives are carried out. They help ensure that the necessary actions are taken to address risks to the achievement of the entity's objectives.
Control activities can be manual, automated or computer-assisted controls. For example, a computer-assisted control would be having a manager review an exception report generated by the system; this may be a control to address completeness in accounts payable.
Automated controls are those built into the IT system. For example, if we accept reservations from a guest reservation website, how can we be sure the information is accurate? The reservation system will have various controls to ensure that the customer completes all the necessary fields on the screen, ensuring accuracy before the reservation is accepted. These are application controls.
IT Controls
Similar to the concept of entity-level versus process- and transaction-level controls, information technology also has levels of control to address risks associated with IT systems.
IT General Controls / General Computer Controls (IGC or GCC)
These are entity-level controls that apply to general IT processes and ensure overall system integrity. The key areas of IGC can be summarized in three categories:
1. Access and operations (segregation of duties: people who have access to the code should not have access to the transactional data)
2. Acquisition, development and maintenance (ensure that adequate system acquisition, development and maintenance controls are in place. Any time the IT system changes, for whatever reason, controls must be in place to ensure the accurate transition of data to the new system and that the new system has the necessary controls the old system had)
3. Changes (ensure that there are adequate operational controls and support; these controls cover things like backup and recovery procedures and physical and logical access; we don't want unauthorized users to have access to our systems).
If IT general controls are not effective, we are unlikely to be able to rely on the application controls (computer-assisted and automated controls). All we have left is manual controls.
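The segregation-of-duties rule under category 1 (code access and transactional data access must not sit with the same person) is the kind of IT general control an auditor can test mechanically against an entitlement export. The following is an added example, not code from the original notes or from any identity product: the user names, roles, permission strings and conflict rules are constructed for illustration, and a real check would read the entitlement report from the identity system.

```python
"""Added example (not from the original notes): detecting segregation-of-duties
conflicts in an access-rights export.

All names, roles, permission strings and rules below are constructed."""
from collections import defaultdict

# Constructed entitlement export: (user, role, permission)
ENTITLEMENTS = [
    ("alice", "developer",  "source_repo:write"),
    ("alice", "developer",  "ledger_db:write"),      # developer who can edit live data
    ("bob",   "accountant", "ledger_db:write"),
    ("carol", "dba",        "ledger_db:admin"),
    ("carol", "dba",        "prod_deploy:execute"),  # can also push code to production
    ("dave",  "ap_clerk",   "ap_module:post"),
    ("dave",  "ap_clerk",   "ap_module:approve"),    # records and approves invoices
    ("erin",  "release",    "source_repo:write"),
    ("erin",  "release",    "prod_deploy:execute"),  # code-side only: no conflict
]

# Each rule names two sets of permissions that one person must not hold together.
CONFLICT_RULES = {
    "code access vs transactional data": (
        {"source_repo:write", "prod_deploy:execute"},
        {"ledger_db:write", "ledger_db:admin", "ap_module:post"},
    ),
    "record vs approve": (
        {"ap_module:post"},
        {"ap_module:approve"},
    ),
}


def permissions_by_user(entitlements):
    """Collapse the export into user -> set of permissions. Roles are ignored:
    the conflict is about what a person can actually do, not their job title."""
    perms = defaultdict(set)
    for user, _role, permission in entitlements:
        perms[user].add(permission)
    return perms


def find_sod_conflicts(entitlements, rules):
    """Return a sorted list of (user, rule, offending permissions) for every user
    holding at least one permission from each side of a rule."""
    findings = []
    for user, perms in permissions_by_user(entitlements).items():
        for rule, (left, right) in rules.items():
            hit_left, hit_right = perms & left, perms & right
            if hit_left and hit_right:
                findings.append((user, rule, tuple(sorted(hit_left | hit_right))))
    return sorted(findings)


def users_with_conflicts(entitlements, rules):
    """Just the user names that need follow-up (compensating control or removal)."""
    return sorted({user for user, _rule, _perms in find_sod_conflicts(entitlements, rules)})


if __name__ == "__main__":
    for user, rule, perms in find_sod_conflicts(ENTITLEMENTS, CONFLICT_RULES):
        print(f"{user}: {rule} -> {', '.join(perms)}")
```

Running it reports alice and carol under the code-versus-data rule and dave under record-versus-approve; bob and erin are clean because each holds permissions from only one side of a rule. The check works on effective permissions rather than role names because roles accumulate entitlements over time, which is exactly what an IGC review is looking for.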
Application Controls
IT application controls are designed to achieve three key objectives:
Application or technical controls are process- or transaction-level controls that are usually specific to a given application but may also control larger technical processes such as system access rights.
Application controls are sometimes grouped by common function:
Input controls – verify the integrity of data as it is manually or automatically entered into a system, i.e. that the information input into the system is correct. For example, a control total might verify that the proper number of records has been entered.
Processing controls – check that data processing tasks are accurate, complete and valid. Processing controls ensure that the information is accurately processed by the system. For example, a control total might be compared at various processing points.
Output controls – verify that data outputs are accurate, complete and valid. Output controls ensure that the output information from the system is correct. An example is a control to ensure that output is sent to and received by the intended recipient and no other person or system.
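To make the three groups concrete, here is an added example (not code from the original notes or from any real accounts-payable system) that runs a small batch through an input control, a processing control and an output control, using the control totals the text describes: a record count, a financial total and a hash total. The batch layout, field names and the recipient list are constructed for illustration.

```python
"""Added example (not from the original notes): input, processing and output
controls around a small accounts-payable batch, using control totals.

Batch layout, field names and recipients are constructed assumptions."""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

REQUIRED_FIELDS = ("invoice_no", "vendor_id", "amount")


@dataclass(frozen=True)
class ControlTotals:
    record_count: int      # how many records are in the batch
    amount_total: Decimal  # financial total of the batch
    hash_total: int        # sum of invoice numbers: meaningless as a figure,
                           # but it changes if a record is dropped or swapped


def compute_totals(records):
    return ControlTotals(
        record_count=len(records),
        amount_total=sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        hash_total=sum(int(r["invoice_no"]) for r in records),
    )


def input_control(raw_records, declared):
    """Input control: every record must be complete and well-formed, and the
    totals of what was entered must equal the totals declared on the batch
    header (the control total that verifies the proper number of records)."""
    errors = []
    for i, rec in enumerate(raw_records):
        missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
        if missing:
            errors.append(f"record {i}: missing {missing}")
            continue
        try:
            if Decimal(rec["amount"]) <= 0:
                errors.append(f"record {i}: amount must be positive")
            int(rec["invoice_no"])
        except (InvalidOperation, ValueError):
            errors.append(f"record {i}: malformed amount or invoice number")
    if errors:
        return None, errors
    entered = compute_totals(raw_records)
    if entered != declared:
        return None, [f"control totals mismatch: entered {entered}, declared {declared}"]
    return list(raw_records), []


def processing_control(records, expected):
    """Processing control: after posting, recompute the control totals and
    compare with those established at input, so a record lost or duplicated
    during processing is detected before anything is released."""
    posted = [dict(rec, status="posted") for rec in records]
    after = compute_totals(posted)
    if after != expected:
        raise RuntimeError(f"processing altered the batch: {after} != {expected}")
    return posted


def output_control(posted, recipient, authorised_recipients):
    """Output control: the payment report is released only to an authorised,
    intended recipient, and carries its totals so the receiver can re-check."""
    if recipient not in authorised_recipients:
        return None
    return {"to": recipient, "totals": compute_totals(posted), "records": posted}


def run_batch(raw_records, declared, recipient, authorised_recipients=("ap_supervisor",)):
    """Run the batch through all three control stages; returns (report, errors)."""
    records, errors = input_control(raw_records, declared)
    if errors:
        return None, errors
    posted = processing_control(records, declared)
    report = output_control(posted, recipient, authorised_recipients)
    if report is None:
        return None, [f"output blocked: {recipient!r} is not an authorised recipient"]
    return report, []


# Constructed sample batch and the totals a clerk would declare on its header.
SAMPLE_BATCH = [
    {"invoice_no": "1001", "vendor_id": "V-17", "amount": "250.00"},
    {"invoice_no": "1002", "vendor_id": "V-03", "amount": "99.50"},
    {"invoice_no": "1003", "vendor_id": "V-17", "amount": "1200.00"},
]
SAMPLE_HEADER = ControlTotals(record_count=3, amount_total=Decimal("1549.50"), hash_total=3006)

if __name__ == "__main__":
    report, errs = run_batch(SAMPLE_BATCH, SAMPLE_HEADER, "ap_supervisor")
    print(report["totals"] if report else errs)
```

The clean batch passes all three stages; keying the same invoice twice fails the input control because both the record count and the hash total disagree with the header, a record with no vendor is rejected before totals are even compared, and a report addressed to someone outside the authorised list is blocked by the output control. The hash total is the cheap detail worth copying: it catches a swapped record that leaves the count and the money total unchanged.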
Recap: financial statement assertions or objectives: existence/occurrence, completeness, rights and obligations, measurement (valuation, cut-off, accuracy), presentation and disclosure, fraud control and safeguarding of assets.
[Diagram: Input → Processing → Output]
MANUAL CONTROLS
AUDIT TEST RESULTS
Date: 23/06/2015
To: Funds chief accountants
From: Internal auditor
Prepared by: P. Sebastian
Audit objective: To determine whether payments made to seedling producers complied with the CIDTF's requirements.
Audit approach: selected 100% of the producers; reviewed and compared the payment vouchers and attached documents to determine whether the payment was made to a group account and the group is registered, or otherwise whether group meeting minutes authorizing payment to the personal account of a member of that particular group were attached and that resolution was approved by the DED.
Test results:
Group name     | A/c | Seedlings (A) | Seedlings produced (B) | First payment | Second payment | A-B   | Minutes | Confirmation letter from H/W | Cheque No
Msombe         | H   | 40000         | 41456                  | paid          | paid           | -1456 | H       | H                            | N
mitema group   | H   | 5000          | 5000                   | paid          | paid           | 0     | N       | N                            | N
lingana group  | H   | 15000         | 15000                  | paid          | paid           | 0     | N       | N                            | N
mtopwa         | H   | 5000          | 5000                   | paid          | paid           | 0     | N       | N                            | N
malatu         | H   | 5000          | 5000                   | paid          | paid           | 0     | N       | N                            | N
kasyunguti     | H   | 10000         | 10000                  | paid          | paid           | 0     | H       | H                            | N
masukila       | H   | 10000         | 10000                  | paid          | paid           | 0     | H       | H                            | N
umoja luagala  | H   | 6000          | 3523                   | paid          | paid           | 2477  | N       | N                            | N
Key: H = Hapana (No), N = Ndiyo (Yes)
As shown in the table above, the results of the examination show that, of the 25 groups verified, three groups (Nsombe, Kayunguti and Masukila) did not comply with the requirements for payment of production funds. The money was paid to an individual, and the attachments (the minutes of the members' meeting authorizing payment of the money into a personal account, and the confirmation from the H/W (DALCO) of those minutes) were not attached to the payment. This situation has resulted in payments of Tshs 46,456,000/= being made outside the procedures set by the fund.
Explanation from the responsible parties:
a) Do you agree with the deficiencies noted above? ..................................
b) If the answer is yes, you are requested to explain why this situation has arisen.