The document discusses internal controls and their components. It explains that tests of controls affect the audit strategy and level of substantive testing. Effective internal controls result in lower control risk and less substantive testing, while ineffective controls mean higher control risk and more substantive testing. The five key components of an internal control system are the control environment, risk assessment, information and communication, control activities, and monitoring. The document also provides examples of sales, purchase, and inventory control cycles and procedures.

1. INTERNAL CONTROLS

2. INTERNAL CONTROLS
Impact of tests of controls on the audit strategy and plan
• The extent of substantive testing to be carried out will depend on the results of the
tests of controls which will affect the auditor's assessment of control risk.
• If as a result of tests of controls auditor concludes that internal controls are effective
it means control risk is low and therefore less detailed substantive procedures are
performed.
• If as a result of tests of controls auditor concludes that internal controls are
ineffective it means control risk is high and therefore more substantive procedures
are performed.

3. LIMITATIONS OF INTERNAL CONTROLS
• The auditor can never eliminate the need for substantive procedures entirely because there are
inherent limitations to the reliance that can be placed on internal controls due to:
1. Human error.
2. Ineffective design or implementation of controls.
3. Collusion of staff to by pass controls.
4. The abuse of power by management (i.e. management override).
5. Controls can’t eliminate the risk of fraud and error
As a result, the auditor must always perform substantive testing on material balances in the
financial statements.

4. COMPONENTS OF AN INTERNAL CONTROL SYSTEM
1. E- The control environment: it is the attitude of the top management towards the
internal controls.
• It focuses largely on the attitude, awareness and actions of those responsible for
designing, implementing and monitoring internal controls and therefore includes the
following:
1. Management’s philosophy and operating style
2. Organisational structure
3. Assignment of authority and responsibility
4. Human resource policies and practices

5. COMPONENTS OF AN INTERNAL CONTROL SYSTEM
2. R- The risk assessment process: forms the basis for how management
determines the business risks to be managed, i.e. threats to the achievement of
ongoing business objectives. Because effectiveness of internal controls depends
upon the effective risk assessment as controls are designed and implemented
to reduce business risk.
3. I- The information system: it refers to all of the business processes relevant to
gathering information and its communication.
4. C- Control activities: includes all policies and procedures designed to ensure
that management directives are carried out throughout the organisation.

6. COMPONENTS OF AN INTERNAL CONTROL SYSTEM
Examples of specific control activities include those relating to:
• Authorisation control
• Performance review (i.e comparison of budgets with actual performance)
• Computer controls (passwords, anti viruses, off site backup)
• Physical controls
• Segregation of duties. Authorizing a transaction, receiving & handling asset,
recording.

7. COMPONENTS OF AN INTERNAL CONTROL SYSTEM
5. M- Monitoring of controls: this is the client's process of assessing the
effectiveness of controls over time and taking necessary remedial action. If a control
is not implemented properly, or is simply considered ineffective, misstatements may
pass undetected into the financial statements.
• Monitoring of internal controls is often the key role of internal auditors.
Note: mnemonic to memorize components of internal controls is CRIME.

8. ASCERTAINING THE SYSTEMS
Audit procedures used to obtain evidence regarding the design and implementation of
controls include:
1. Enquiries of relevant personnel. (management, lower employee, internal auditor)
2. Observing the application of controls.
3. Tracing a transaction through the system to understand what happens (a
walkthrough test).
4. Inspecting documents, such as internal procedure manuals/Standard operating
procedures (SOP).
5. Reperformance.

9. ASCERTAINING THE SYSTEMS
Documenting client systems: The auditor must document the client’s control systems
before evaluating whether the system is adequate and working effectively.
Possible ways of documenting systems include:
1. Narrative notes – a written description of a system.
Advantage: 1. Simple to record
2. Facilitate understanding by all audit staff
Disadvantage: May be difficult and cumbersome if system is complex

10. ASCERTAINING THE SYSTEMS
• Flowcharts – diagrammatical representation of the system.
Advantage: Easy to view whole system in one diagram
Disadvantage: Difficult to amend as whole diagram will be redrawn.
• Organisation chart – diagram showing reporting lines, roles and responsibilities.
Advantage & Disadvantage are same flowchart.
Questionnaires – a prepared list of questions in relation to the clients control
system. There are two types of questionnaire that can be used:

11. ASCERTAINING THE SYSTEMS
• Internal Control Questionnaire (ICQ) – a list of controls is given to the client and
they are asked whether or not those controls are in place.
Advantage: Quick to prepare.
Disadvantage: 1. Management might overstate controls.
2. Some irrelevant controls might be included inn the checklist not relevant to the
client.
• Internal Control Evaluation Questionnaire (ICEQ) – the client is asked to describe
the controls they have in place for a given control objective. A control objective
identifies the risk that the entity needs to manage.

12. ASCERTAINING THE SYSTEMS
Advantage: Client will have to respond with which control they have on place rather
than yes or no which will reduce the chances of controls being overstated.
Disadvantage: 1. Management might still overstate controls.
2. Some irrelevant control objectives might be included in the checklist not relevant
to the client.

13. ASCERTAINING THE SYSTEMS
ICQ wording ICEQ wording
Does a supervisor authorise all How does the company ensure that
weekly timesheets? only hours worked are recorded on
timesheets?
Does the company perform a How does the company try to
regular credit check on all minimise the risk of irrecoverable
customers? debts?
Does a manager or director How does the company ensure
authorise purchase orders goods are only purchased for a valid
before an order is place? business use?

14. COMMUNICATING CONTROL DEFICIENCIES
ISA 265 Communicating Deficiencies in Internal Control to Those Charged with
Governance and Management requires the auditor to:
• Communicate any deficiencies that are of sufficient importance to merit
management’s attention
• Communicate significant deficiencies to those charged with governance.
• A control is designed, implemented or operated in such a way that it is unable to
prevent, or detect and correct misstatements in the financial statements on a
timely basis it is a deficient control.

15. COMMUNICATING CONTROL DEFICIENCIES
Examples of matters the external auditor should consider in determining whether a
deficiency in internal controls is significant includes:
1. The likelihood of the deficiencies leading to material misstatements in the
financial statements in the future.
2. The financial statement amounts exposed to the deficiencies.
3. The volume of activity that has occurred or could occur in the account balance or
class of transactions exposed to the deficiency or deficiencies.

16. COMMUNICATING CONTROL DEFICIENCIES
4. The importance of the controls to the financial reporting process.
5. The cause and frequency of the exceptions detected as a result of the deficiencies in the
controls.
6. The interaction of the deficiency with other deficiencies in internal control.
The auditor communicates the deficiencies in a management letter to management. It is usually
sent at the end of the audit process.
Deficiency:
Impact:
Recommendation:

17. SALES SYSTEM
Objectives: The objectives of controls in the sales system are to ensure that:
1. Sales are made to the customers who can pay.
2. All orders are completed.
3. Correct goods are dispatched to correct customers.
4. All goods dispatched are invoiced.
5. Correct invoices are raised.
6. Sales are completely are accurately recorded.

18. SALES SYSTEM
7. Long outstanding debts are followed up timely.
8. Irrecoverable debts are identified and written off.
Stages of sales system related risk & control procedures.
1. Order is received:
Risk: Order form unworthy customer is accepted.
Control Objective: Order form only worthy customer are accepted.
Internal Control: 1. Creditworthiness of new customers should be verified from the credit
rating agency. Determine the credit limit for that customer

19. SALES SYSTEM
2. Sales to old customers should not be made above their credit limit.
Risk: Order confirmed, but goods unavailable in stock.
Control Objective: Order should only be confirmed if goods are available in
inventory.
Internal control: Oder should be confirmed after checking availability in inventory, if
goods are not available in inventory waiting time should be communicated to the
customer.
Risk: Order might be wrongly recorded.
Control Objective: Order should be correctly recorded.

20. SALES SYSTEM
Internal control: Once recorded order should be reconfirmed from the customer to
identify any mistakes in recording.
2. Goods are dispatched:
Risk: Wrong Goods might be dispatched.
Control Objective: Correct goods should be dispatched.
Internal control: 1. Copy of customer order should be sent to the warehouse where
goods are packed for sending to the customer.
2. Once Goods are picked before sending to the customer they should be reconfirmed
from the customer order.

21. SALES SYSTEM
Risk: Goods might not be dispatched.
Control Objective: Goods must be dispatched against every order.
Internal control: 1. Those customer orders against which goods have been
dispatched should be marked, it would help to identify the customer orders against
which goods are yet be dispatched.
2. Customer orders should be sequentially numbered and regular sequence check
should be performed to identify any missing customer order.
3. With every customer order copy of GDN should be attached.

22. SALES SYSTEM
Risk: Goods might be sent to wrong customer.
Control Objective: Goods should be sent to correct customer.
Internal control: Person responsible for delivering goods to the customer should
get acknowledgement from the customer on goods dispatch note(GDN) that they
have received correct goods.
3. Invoice is raised
Risk: Wrong invoice might be raised.

23. SALES SYSTEM
Control Objective: Correct invoice should be raised.
Internal control: 1. Quantity of goods dispatched should be confirmed from the
GDN and price should be confirmed for the master file of the customer or approved
price list.
2. Once invoice is prepared amounts should recalculated to identify any arithmetical
error.

24. SALES SYSTEM
4. Sale is recorded.
Risk: Wrong amount of sale might be recorded.
Control Objective: Sale should be recorded at correct amount.
Internal control: After recording, amount should be reconfirmed from the invoice.
Risk: Amount might be recorded in wrong customer account.
Control Objective: Receivable should be recorded in correct customer account.
Internal control: 1. Monthly customer statement should be sent to the customers.

25. SALES SYSTEM
Internal control: 2. Receivable ledger control account should be prepared and it’s
reconciliation should be performed.
Risk: Sale might not be recorded.
Control Objective: All the sale should be completely recorded.
Internal control: Recorded invoices should be marked or stamped it will help to
identify those invoices which are not recorded and will prevent double recording.

26. SALES SYSTEM
5. Cash is received
Risk: Some receivables might pay late.
Control Objective: Late payments should be reduced.
Internal control: 1. Reminders should be sent to the customers when they get due.
2. Aged debt analysis should be performed to identify long outstanding debts.
Risk: cash is not received
Internal control: from aged debt analysis debts which should be written off are
identified.

27. PURCHASE SYSTEM
• Objectives: The objectives of controls in the purchase system are to ensure that:
1. Purchases are made only for valid business purpose.
2. Purchases are made from suppliers whose price and quality has been checked.
3. Goods accepted should be the ones which were ordered.
4. As soon as goods are received they should be recorded.
5. Invoices should be paid for goods actually received.
6. Payment should be made on time.

28. PURCHASE SYSTEM
7. All purchase and related payables should be completely and accurately
recorded.
8. Purchase should be recorded in the correct period.
1. Requisition is received:
Risk: Requisition of goods received which are not required for business purpose.
Control Objective: Only those requisition should be processed which are for goods
required for business purpose.
Internal Control: Requisition should be processed if approved by an authorized
person.

29. PURCHASE SYSTEM
Risk: Requisition of goods available in inventory is raised.
Control Objective: Requisition of goods available in inventory should not be processed.
Internal Control: Requisitions should be processed after checking the goods from
inventory.
2. Order is placed
Risk: Order placed to an expensive supplier giving poor quality.
Control Objective: Order should be placed to a reliable supplier.
Internal Control: Orders should be placed to only those suppliers who are there in the
approved supplier list.

30. PURCHASE SYSTEM
Risk: Order might not be placed.
Control Objective: Order should be placed against every requisition.
Internal Control: 1. Copy of purchase order (PO) should be attached to every
requisition. Those requisition which don’t have attached copy of PO indicates that
against them order has not been placed.
2. Purchase requisitions should be sequentially numbered and sequence check
should be performed on them to identify any missing requisition.

31. PURCHASE SYSTEM
3. Goods are received
Risk: Damaged goods or wrong goods might be received.
Control Objective: Damaged goods or wrong goods should not be accepted.
Internal Control: 1. Before receiving, goods should be physically verified to make
sure they are not damaged.
2. Goods should be compared with the copy of the purchase order to make sure
that the goods delivered are those which were ordered.

32. PURCHASE SYSTEM
Risk: Goods might get stolen after they are received.
Control Objective: Goods should be kept safe after they are received.
Internal Control: 1. Only a 1 or 2 people should be authorized to receive goods and
this should be communicated to the supplier as well.
2. As soon as goods are received, records should be updated.

33. PURCHASE SYSTEM
4. Invoice is received
Risk: Invoice received for goods which were never ordered.
Control Objective: Only those invoices should be recorded which are for the goods
which were actually received.
Internal Control: Only those invoices should be recorded and paid for which there is
a related goods received note (GRN).

34. PURCHASE SYSTEM
Risk: Invoice received with errors.
Control Objective: Correct invoices should be recorded.
Internal Control: 1. Invoices should be compared with the GRN to verify the
number of items that have been charged.
2. Prices should be confirmed from the quotation or agreement with supplier.
3. Amounts of invoice should be recalculated to identify any arithmetical error.

35. PURCHASE SYSTEM
5. Purchase is recorded.
Risk: Purchase might be recorded at incorrect amount
Control Objective: Purchase should be accurately recorded.
Internal Control: After recording amount should be reconfirmed with the related
invoice.
Risk: Invoice might remain unrecorded.
Control Objective: All the purchases should be completely recorded.
Internal Control: Recorded invoices should be marked or stamped it will help to identify
those invoices which are not recorded and will prevent double recording.

36. PURCHASE SYSTEM
Risk: Payable might be recorded in wrong supplier account.
Control Objective: Payable should be recorded in correct supplier account.
Internal Control: 1. Monthly supplier statement should be sent to the suppliers.
2. Payable ledger control account should be prepared and it’s reconciliation should
be performed.

37. PURCHASE SYSTEM
6. Cash is paid
Risk: Cash might not be paid or paid twice.
Control Objective: Cash should be paid against every invoice and no payment
should be done twice.
Internal Control: Once invoice is paid it should be stamped to avoid double
payment or nonpayment.

38. INVENTORY SYSTEM
• Objectives: The objectives of controls in the inventory system are to ensure that:
1. Inventory levels meet the needs of production (raw materials and components)
and customer demand (finished goods).
2. Inventory levels are not excessive, preventing obsolescence and unnecessary
storage costs.
3. Inventory is safeguarded from theft, loss or damage.
4. Inventory received and despatched is recorded on a timely basis.

39. INVENTORY SYSTEM
5. All inventory is recorded.
6. Inventory should be recorded at the appropriate value.
7. Only inventory owned by the company is recorded.
Stages of inventory cycle.
1. Goods are received.
It is discussed in detail in purchase cycle.

40. INVENTORY SYSTEM
2. Inventory items are stored.
Risk: Inventory can get damaged.
Control objective: Inventory should be kept safe.
Internal control: 1. Inventory should be stored in reasonable conditions i.e
temperature, moisture level etc.
2. Only trained staff should handle inventory if items are fragile.
3. Inventory should be insured.

41. INVENTORY SYSTEM
Risk: Inventory can get stolen
Control objective: Inventory should be kept safe.
Internal control: 1. There should be limited access to warehouse, only authorized
personnel should be able to access inventory.
2. CCTV recording of warehouse should be done.
3. Door locks or biometric locks should be used for warehouse.
4. Inventory should be insured.

42. INVENTORY SYSTEM
3. Goods are dispatched.
This stage is already discussed in detail in sales system.
4. Goods (raw material) are issued to production.
Risk: Excessive goods might be issued to production.
Control objective: Quantities required in production should be issued.
Internal control: There should be standard quantity requisition form of raw
material over and above standard quantity should only be issued if approved by a
senior person.

43. INVENTORY SYSTEM
5. Inventory count.
Risk: Wrong count might be performed.
Control objective: Correct count should be performed.
Internal control: 1. Count should be performed by pair of two, one should count
the inventory and the other should record it.
2. Count should be done clockwise or anti clockwise and sections of warehouse
should be clearly divided amongst the teams doing the count.

44. INVENTORY SYSTEM
3. Counted inventory should be marked to prevent double counting and to identify
uncounted inventory.
4. There should be no in or out movement of inventory during the count.
5. Once count is done the persons responsible to count inventory should sign of
the count sheet.
6. Count sheets should be sequentially numbered.
7. Count sheets should be filled with ink.
8. Inventory count sheets should have blank column of quantity.

45. PAYROLL SYSTEM
Objectives: The objectives of controls in the payroll system are to ensure that:
1. Only valid employees are paid for actual hours worked.
2. Standing data is up to date and access to it is limited.
3. Payroll expense should be correctly recorded in the correct period.
4. Deductions are calculated and recorded correctly.

46. PAYROLL SYSTEM
1. Standing data
Risk: Standing data might not be updated.
Control objective: Standing data should be updated.
Internal control: Payroll department should compare their data with the data of HR
dept to identify any differences and to update the record of joiners and leaves.

47. PAYROLL SYSTEM
Risk: Unauthorized changes in standing data might be done.
Control objective: Standing data should be protected from unauthorized changes.
Internal control: 1. Standing data should be password protected only senior personnel should have
its access.
2. Passwords should be regular changed.
2. Hours are recorded
Risk: Overtime recorded, work actually not performed.
Control objective: Overtime should be paid only if work is actually performed.
Internal control: Overtime should be paid only if approved by a responsible person.

48. PAYROLL SYSTEM
Risk: Hours recorded for the day employee was absent.
Control objective: Only actual hours worked should be paid.
Internal control: If swipe cards are used for recording of time at the start and the
end of the shift the process of time recording should b supervised.

49. PAYROLL SYSTEM
3. Payroll calculation
Risk: Wrong calculation of payroll.
Control objective: Correct calculation of payroll should be done.
Internal control: If system calculates payroll few amounts should be calculated
manually to identify any errors.

50. PAYROLL SYSTEM
4. Payroll recording
Risk: Wrong amount of payroll might be recorded.
Control objective: Correct amount of payroll should be recorded.
Internal control: After the recording the amount of payroll should be compared with
the payroll working to identify any error.

51. PAYROLL SYSTEM
5. Wages are paid
Risk: Wage is paid to a wrong employee.
Control objective: Wage should be paid to a correct employee.
Internal control: Before payment identity proof of the employee should be checked.
Risk: Double claims of wage.
Control objective: Wage should be paid once.
Internal control: Receiving should be obtained from the employee/labor who receives
wage.

52. PAYROLL SYSTEM
Risk: Unclaimed wages might get stolen.
Control objective: Unclaimed wages should be kept safe.
Internal control: Unclaimed wages should be kept in some locked safe. Cashier
should not be allowed to keep the unclaimed wages.