College of Economics and Business Administration

Course : Principles of Auditing

Course Code : BSAC2104
Specialization: Accounting and Finance
Learning Outcomes
1. Identify the internal control system, its components
and limitations, and the principles of internal control

2. Evaluate the internal control systems, techniques and

audit tests and how to improve it
Contents

1.Definition and objectives of internal control system,

2.Components of internal control system

3.Procedure and limitations of internal control system

4.Evaluation of the internal control system

5.Recommendations to improve internal control

 Internal Control

Definition by Committee of Sponsoring Organizations (COSO):

Internal Control is a ‘process effected by an entity’s board of directors,
management and other personnel designed to provide reasonable assurance
regarding the achievement of objectives in the following categories:
 Operational Effectiveness and Efficiency
 Reliability of Financial Reporting and
 Compliance of Applicable Laws and Regulations’.
 Features of Internal Control

According to the COSO framework, Internal Control is:

1. A process consisting of ongoing tasks and activities – a means to an end,

not an end in itself
2. Effected by people – not merely about policies or procedures, systems
and forms but about people and actions taken
3. Able to provide reasonable assurance – not absolute assurance
4. Adaptable to the entity structure – flexible in application
 Objectives of Internal Control
The Committee of Sponsoring Organizations (COSO) framework divides internal control objectives into three
categories: 1. Operations, 2. Reporting and 3. Compliance.

1. Operations objectives, such as performance goals and securing the organization’s assets against fraud, focus on
the effectiveness and efficiency of your business operations.

2. Reporting objectives, including both internal and external financial reporting as well as non-financial reporting,
related to transparency, timeliness and reliability of the organization’s reporting habits.

3. Compliance objectives are internal control goals based on adhering to laws and regulations that the organization
must comply with.
 Components of Internal Control System

In an effective internal control • Control Environment

system, the following five • Risk Assessment
components work to support •
the achievement of an entity’s
Control Activities
mission, strategies and related • Information and Communication
business objectives: • Monitoring
 Components of Internal Control
1. Control Environment—is a set of standards, structures, and processes that provide the foundation for

performing internal control within the entity.

2. Risk Assessment—is a process used to identify, assess, and manage risks to the achievement of the entity’s

objectives.

3. Control Activities—are actions performed under the direction of management, as directed by an entity’s policies

and procedures, to mitigate the risks to the achievement of the entity’s objectives.

4. Information and Communication—is the distribution of information needed to perform control activities and

to understand internal control responsibilities to personnel internal and external to the entity.

5. Monitoring Activities—are on going evaluations of the implementation and operation of the five components of

internal control.
 Components of Internal Control
1. Control Environment
Refers to the actions, policies, and procedures that reflect the overall attitude of the client’s top management, directors, and
owners of an entity about internal control and its importance, such as:

 Exercising integrity and ethical values.

 Making a commitment to competence.
 Using the board of directors and audit committee.
 Facilitating management’s philosophy and operating style.
 Creating organizational structure.
 Issuing assignment of authority and responsibility.
 Utilizing human resources policies and procedures.
 Components of Internal Control

2. Risk Assessment

 Creating companywide objectives.

 Incorporating process-level objectives.
 Performing risk identification and analysis.
 Managing change.

3. Control Activities
 Following policies and procedures.
 Improving security of applications and networks.
 Conducting application change management.
 Planning business continuity and backups.
 Performing outsourcing.
 Components of Internal Control

4. Information and Communication

 Measuring quality of information.
 Assessing effectiveness of information
 Communicating to parties inside and outside the corporation.

5. Monitoring
 Performing the continuous monitoring of internal control activities.
 Conducting separate evaluations.
 Reporting deficiencies.
 Limitations of Internal Controls
 No matter how well the internal controls are designed, they can only provide reasonable assurance that objectives

have been achieved.

 Absolute assurance for the perfect working of the internal control system cannot be obtained due to the existence of the

following limitations:

1. Judgment Errors: The effectiveness of controls will be limited by decisions made with human judgment under

pressures to conduct business based on the information at hand.

2. Breakdowns: Even well designed internal controls can break down. Employees sometimes misunderstand

instructions or simply make mistakes. Errors may also result from new technology and the complexity of

computerized information systems.

Limitations of Internal Controls

3. Management Override: High level employees may be able to override the company’s internal
control policies and procedures for personal gain or advantage.

4. Collusion: Two or more employees acting collectively can alter the financial data or other
management information in a manner that cannot be identified by control systems.

5. Limited Resources: A company that has limited resources may decide that certain controls are
too costly to implement. Controls that cost more than the benefit they are expected to give are not
worth having if the company has limited resources.
 Evaluation of Internal Control System
To evaluate the internal control system, the company auditor should follow the below given steps:

1. Interview Management
 Interview questions should include:
 Why the owner created certain internal controls,
 What the controls are for,
 Do managers understand the purpose of the controls and
 What corrective measures are taken when a control violation is found.
 Managers who are consistently absent from creating or reviewing internal controls can signal a careless
environment where employees may abuse company operations.
 Evaluation of Internal Control System
2. Interview Employees

 Auditors use employee interviews to determine how well individuals are trained for their jobs.
 The interviews can also shed more light on how well business owners and managers educate
employees on the importance of safeguarding business operations.
 Auditors may ask employees:
 what is their job responsibility,
 how do they protect the company’s business and financial information,
 have they been given a manual outlining the company’s standard operating procedures and
 who is responsible for reviewing the employee’s completed work.
Evaluation of Internal Control System

3. Observe the Process

 Auditors and business owners or managers generally select a few critical operations to observe
 Selecting a sample is a common process in internal and external audits.
 Auditors focus attention on processes that are responsible for the majority of the company’s
business production.
 Observing internal controls in the actual environment help auditors determine the effectiveness
of each control in the company
Evaluation of Internal Control System

4. Test of Controls
 Auditors often test a company’s internal controls by reviewing operational information.
 Testing internal controls generally relates to the company’s financial and accounting
operations
 Auditors select a sample of information and test it against the company’s standard
operating procedures or national accounting standards.
 This process ensures employees are not abusing a company’s financial information by
committing fraud or embezzlement. (theft/misappropriation).
 Recommendations To Improve Internal Control

Develop adequate Develop written

Ensure duties are Identify risks in Correct errors
physical control of policies and
segregated your business promptly
assets procedures
 Recommendations To Improve Internal Control
In order to strengthen the internal control system, the management
should ensure that the following activities are undertaken periodically:

• Perform reconciliations regularly

• Review and Approve processes/transactions
• Maintain adequate supporting documentation
• Provide adequate training to staff
• Perform a self-evaluation of internal control
 Practice Test 1

Which of the following statements correctly describes “Internal Control”?

A.It is a process effected by the company’s external auditor.
B.It provides absolute assurance not reasonable assurance.
C.One of the objectives of Internal Control is Operational effectiveness and efficiency
D.Internal Control is not flexible in its application

ANSWER: C
Practice Test 2

Which of the following category of internal control objectives ensure that a company abides by the
rules and regulations of the Ministry of Labor?
A. Operations objectives
B. Reporting objectives
C. Compliance objectives
D. None of these

ANSWER: C
Practice Test 3

Which component of internal control sets the “tone at the top” that highlights the management
philosophy and operating style?
A. Risk Assessment
B. Control Activities
C. Monitoring
D. Control Environment

ANSWER: D
Practice Test 4

Operational deficiencies are identified and reported under which component of Internal Control?
A. Control Environment
B. Control Activities
C. Information and Communication
D. Monitoring

ANSWER: D
Practice Test 5
JBM Company’s CEO Mr. Khalid instructed the Head Accountant to record its PPEs (Property, Plant
and Equipment's) at fair value in order to overstate the total assets, which is a clear violation of the
accounting standards. Which limitation in Internal Control is best described in this case?
A. Breakdowns
B. Management Override
C. Judgment
D. Limited Resources

ANSWER: B
Practice Test 6

Ali, a cashier of GB Trading needed money for his holidays. So he connived with the
accountant that the cash collection for the day will not be recorded in the books.
Which inherent limitation of internal control is best described in this case?
A. Management Override
B. Collusion
C. Breakdowns
D. All of these

ANSWER: B
 Glossary
Assignment of authority and responsibility- the entity’s personnel should have a clear understanding of the entity’s objectives,
how their individual actions interrelate and contribute to those objectives and how and for what they will be held
accountable.
Board of directors and audit committee participation- the BOD and audit committee guide and oversee the entity. They
monitor the entity’s operation and progress for authorizing certain activities, for providing advice to management and for
overseeing internal control and financial reporting.
Collusion - Two or more employees acting collectively can alter the financial data or other management information in a manner
that cannot be identified by control systems.
Commitment to competence- is the knowledge and skills necessary to accomplish tasks that define an individual job.
Management considers the competence levels necessary for particular jobs and to use employees with appropriate skills and
knowledge for each job.
Control activities- are the policies and procedures management establish to address risks that might prevent the entity from
achieving its objectives.
 Glossary
Control Environment - sets an organization’s tone by influencing the control consciousness of its people. It reflects the
overall attitude, awareness and actions of the board of directors, management, employees and other concerning the
importance of control and the emphasis it is given in the entity.
Human resource policies and practices- an entity’s ability to employ sufficient, competent personnel to accomplish its
objectives. Policies and practices concerning hiring, training, evaluating, promoting and compensating employees.
Information and Communication- the financial reporting information system, which includes the accounting information
system, consists of the methods and records establish to identify, assemble, analyze, classify, record, and report entity
transactions and to maintain accountability for the related assets and liabilities.
Information processing- these control activities are used to check the authorization, accuracy, and completeness of
transactions.
Integrity and ethical values- are management’s value judgments, preferences, and management style. They form the set of
moral and behavioral standards that management adheres to.
 Glossary
Internal Control - is the process designed and effected by those charged with governance, management, and other personnel to

provide reasonable assurance about the achievement of the entity’s objectives concerning the reliability of financial

reporting, effectiveness, and efficiency of operations and compliance with applicable laws and regulations.

Management Override - is the intervention by managers in handling financial information and making decisions contrary to

internal control policy.

Management philosophy and operating style- auditor considers management’s method for taking and monitoring business risk.

Monitoring- the process of assessing the quality of internal control over time. Monitoring can be done through ongoing activities

or separate evaluations. Ongoing monitoring procedures are built into the normal recurring activities. Separate evaluations

are periodic assessment of all or portion of internal control.

Organizational structure- is the form and nature of its subunits and the management functions and reporting relationships. It

affects how authority and responsibility are assigned within the entity (centralized or decentralized)
 Glossary
Physical controls- these activities encompass the physical security of assets, including adequate safeguards over

access to assets and records, such as facilities; authorization for access to computer programs and data files

and periodic counting of assets and comparison with amounts shown on control records.

Reasonable Assurance - a high level of assurance regarding material misstatements, but not an absolute one.

Reasonable assurance includes the understanding that there is a remote likelihood that material

misstatements will not be prevented or detected on a timely basis.

Risk Assessment- is an entity’s identification, analysis, and management of risk relevant to the preparation of

financial statements that are fairly presented in conformity with generally accepted accounting principles.

Segregation of duties- duties should be divided to reduce the possibility of any person both perpetrating and

concealing errors and irregularities in the normal course of his or her duties. Management can segregate

duties by assigning different people the responsibilities of authorizing transaction, recording transaction, and

maintaining custody of assets

 References
1. The Internal Auditing Handbook by K. H. Spencer Pickett, Wiley Publications (3 rd Edition)
https://book.akij.net/eBooks/2018/March/5a9e7b2d97ef6/The%20Internal%20Auditing%20Handbook.pdf .

2. PRINCIPLES OF AUDITING An Introduction to International Standards on Auditing by Rick Hayes Roger Dassen Arnold Schilder Philip
Wallage, Printice Hall FT Publications (2nd Edition) http://library.wbi.ac.id/repository/211.pdf

3. Limitations of Internal Control System https://ofm.wa.gov/sites/default/files/public/legacy/policy/20.15.htm#20.15.50

4. The Committee of Sponsoring Organizations (COSO) of the Tread way Commission (www.coso.org).

5. Evaluation of internal control system https://smallbusiness.chron.com/checklist-evaluate-internal-controls-3799.html.

6. https://www.coso.org/Documents/COSO-CROWE-COSO-Internal-Control-Integrated-Framework.pdf

7. Recommendations to improve internal control

https://www.sai.ok.gov/Search%20FormsPubs/database/TopTenThingsICanDoToStrengthenInternalControlsInMyOfficeDocBW.pdf .

8. https://ebookpbt.files.wordpress.com/2011/11/acca-f8-audit-and-assurance-int-study-text-bpp.pdf , Exercise.
CONTACT INFORMATION:

Name of the Staff : Ms. Wijdan Saleem

Office:BS050
Email: wijdan.Salim@utas.edu.om

VERSION HISTORY

Version No Date Approved Changes incorporated

05 Sem. (I) 2023/2024 Updated

31