Lecture 8 Q and A On Internal Control and Managing Risks


Q&A on Internal Control
Source: Lie Dharma Putra
 

A client’s internal control is a process designed to provide reasonable, but not absolute, assurance that the following entity objectives will be achieved: reliable financial reporting, effective and efficient operations, and compliance with laws and regulations. A client’s internal control consists of five interrelated components: control environment, risk assessment, control activities, information and communication systems support, and monitoring.

1. Question: What Is the Control Environment?

Answer: The control environment, which is the foundation for the other components of internal control, provides discipline and structure by setting the tone of an organization and influencing control consciousness.

Factors to consider in assessing the client’s control environment include:

• Integrity and ethical values, including (1) management’s actions to eliminate or mitigate incentives and temptations on the part of personnel to commit dishonest, illegal, or unethical acts, (2) policy statements, and (3) codes of conduct
• Commitment to competence, including management’s consideration of competence levels for specific tasks and how those levels translate into necessary skills and knowledge
• Board of directors or audit committee participation, including interaction with internal and external (independent) auditors
• Management’s philosophy and operating style, such as management’s attitude and actions regarding financial reporting, as well as management’s approach to taking and monitoring risks
• The entity’s organizational structure
• Assignment of authority and responsibility, including fulfilling job responsibilities
• Human resource policies and practices, including those relating to hiring, orientation, training, evaluating, counseling, promoting, and compensating employees

2. Question: What Is Meant By Risk Assessment?

Answer: An entity’s risk assessment for financial reporting purposes is its identification, analysis, and management of risks pertaining to financial statement preparation. For example, risk assessment may consider the possibility of executed transactions that remain unrecorded.

The following internal and external events and circumstances may be relevant to the risk of preparing financial statements that are not in conformity with generally accepted accounting principles [or another comprehensive basis of accounting]:

• Changes in operating environment, including competitive pressures
• New personnel that have a different perspective on internal control
• Rapid growth that can result in a breakdown in controls
• New technology in information systems and production processes
• New lines, products, or activities
• Corporate restructuring that might result in changes in supervision and segregation of job functions
• Foreign operations
• Accounting pronouncements requiring adoption of new accounting principles

3. Question: What Control Activities Are Applicable to a Financial Statement Audit?

Answer: Control activities are the policies and procedures management has implemented in order to ensure that directives are carried out.

Control activities that may be relevant to a financial statement audit may be classified into the following categories:

• Performance reviews, including comparisons of actual performance with budgets, forecasts, and prior period results.
• Information processing. Controls relating to information processing are generally designed to verify accuracy, completeness, and authorization of transactions. Specifically, controls may be classified as general controls or application controls. General controls might include controls over data center operations, systems software acquisition and maintenance, and access security; application controls apply to the processing of individual applications and are designed to ensure that transactions that are recorded are valid, authorized, and complete.
• Physical controls, which involve adequate safeguards over the access to assets and records, include authorization for access to computer programs and files and periodic counting and comparison with amounts shown on control records.
• Segregation of duties, which is designed to reduce opportunities that allow any person to be in a position to both perpetrate and conceal errors or fraud in the normal course of his or her duties, involves assigning different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets.
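The application controls and segregation of duties described above can be enforced in code rather than left to manual review. The following is an added example, not part of the lecture notes or of any named product: a small batch checker that tests each recorded transaction for completeness, validity and authorization, and rejects any entry where the same person authorized, recorded and held custody. It also illustrates the point made later (question 10) that IT can enforce segregation of duties inside an application. The role table, chart of accounts and transaction records are constructed sample data.

```python
"""Application-control checks over a constructed batch of journal transactions.

Added example, not from the lecture notes. It implements the information
processing and segregation-of-duties control activities described above.
All names, roles, accounts and transaction records below are constructed.
"""
from typing import Dict, List

# Hypothetical role assignments; a real system would read these from its
# identity or HR system. Authorizing, recording and custody must be separated.
ROLES: Dict[str, str] = {
    "alice": "authorizer",
    "bob": "recorder",
    "carol": "custodian",
    "dave": "authorizer",
}

# Constructed chart of accounts used for the validity check.
VALID_ACCOUNTS = {"1000-CASH", "2000-AP", "5000-EXPENSE"}

REQUIRED_FIELDS = ("id", "account", "amount",
                   "authorized_by", "recorded_by", "custodian")


def check_transaction(tx: dict) -> List[str]:
    """Return the list of control exceptions for one transaction (empty = passes)."""
    findings: List[str] = []

    # Completeness: every required field must be present and non-empty.
    missing = [f for f in REQUIRED_FIELDS if not tx.get(f)]
    if missing:
        findings.append("incomplete: missing " + ", ".join(missing))
        return findings  # the remaining checks need these fields

    # Validity: the account must exist and the amount must be a positive number.
    if tx["account"] not in VALID_ACCOUNTS:
        findings.append(f"invalid account {tx['account']}")
    if not isinstance(tx["amount"], (int, float)) or tx["amount"] <= 0:
        findings.append("invalid amount")

    # Authorization: the approver must actually hold the authorizer role.
    if ROLES.get(tx["authorized_by"]) != "authorizer":
        findings.append(f"{tx['authorized_by']} is not an authorizer")

    # Segregation of duties: three distinct people for the three duties.
    people = (tx["authorized_by"], tx["recorded_by"], tx["custodian"])
    if len(set(people)) < 3:
        findings.append("segregation of duties violated: " + ", ".join(people))

    return findings


def review_batch(batch: List[dict]) -> Dict[str, List[str]]:
    """Run the checks over a whole batch, keyed by transaction id."""
    return {tx.get("id", "<no id>"): check_transaction(tx) for tx in batch}


# Constructed sample batch: one clean entry and three with control exceptions.
SAMPLE_BATCH = [
    {"id": "T1", "account": "5000-EXPENSE", "amount": 120.0,
     "authorized_by": "alice", "recorded_by": "bob", "custodian": "carol"},
    {"id": "T2", "account": "5000-EXPENSE", "amount": 80.0,
     "authorized_by": "bob", "recorded_by": "bob", "custodian": "carol"},
    {"id": "T3", "account": "9999-UNKNOWN", "amount": -5,
     "authorized_by": "dave", "recorded_by": "bob", "custodian": "carol"},
    {"id": "T4", "account": "1000-CASH", "amount": 50.0,
     "authorized_by": "", "recorded_by": "bob", "custodian": "carol"},
]

if __name__ == "__main__":
    for tx_id, findings in review_batch(SAMPLE_BATCH).items():
        print(tx_id, "OK" if not findings else "; ".join(findings))
```

Run as a script it reports T1 as clean, T2 for a recorder approving his own entry, T3 for an unknown account and negative amount, and T4 for a missing approver. The completeness check deliberately short-circuits: an entry with missing fields is rejected before the other checks run, so an incomplete record can never be accepted on the strength of partial information.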

4. Question: What knowledge about the “information and communication systems support” component should an auditor obtain?

Answer: The auditor should obtain sufficient knowledge about the information system relevant to financial reporting. The information system generally consists of the methods and records established to record, process, summarize, and report entity transactions and to maintain accountability of related assets, liabilities, and equity. Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting.

5. Question: What is Meant by Monitoring?

Answer: Monitoring is management’s process of assessing the quality of internal control performance over time. Accordingly, management must assess the design and operation of controls on a timely basis and take necessary corrective actions.

Monitoring may involve:

(1) separate evaluations,
(2) the use of internal auditors, and
(3) the use of communications from outside parties (e.g., complaints from customers and regulator comments).

6. Question: Is There a Relationship Between Internal Control Objectives and Components?

Answer: There is a direct relationship between objectives and components. This results from the fact that objectives are what an entity strives to achieve, while components are what an entity needs to achieve the objectives. It is also important to remember that internal control is relevant not only to the entire entity, but also to an entity’s operating units and business functions.

7. Question: What Objectives and Controls are Relevant to a Financial Statement Audit?

Answer: In general, the auditor should consider the controls that pertain to the entity’s objective of preparing financial statements for external use that are presented fairly in conformity with generally accepted accounting principles (GAAP) or some other comprehensive basis of accounting (OCBOA).

The controls relating to operations and compliance objectives may be relevant to a financial statement audit if they pertain to data the auditor evaluates or uses. For example, the auditor may consider the controls relevant to nonfinancial data (such as production statistics) used in analytical procedures.

Caution: Not all of the objectives and related controls are relevant to a financial
statement audit. Furthermore, an understanding of internal control relevant to
each operating unit and business function may not be essential.

8. Question: What is the auditor’s primary consideration with respect to the components of internal control?

Answer: The auditor’s primary consideration is whether a specific control affects the financial statement assertions rather than its classification into any particular component. Although the five components are applicable to every audit, they should be considered in the context of the following:

• Entity size
• Organization and ownership characteristics
• Nature of the entity’s business
• Diversity and complexity of operations
• Methods of transmitting, processing, maintaining, and accessing information
• Applicable legal and regulatory requirements

9. Question: How does information technology (IT) affect internal control?

Answer:

• An entity’s use of IT may affect any of the five interrelated components of internal control.
• Controls in systems that use IT consist of a combination of automated controls (e.g., controls embedded in computer programs) and manual controls.

10. Question: What are the potential benefits of IT to internal control?

Answer: IT provides potential benefits of effectiveness and efficiency for internal control because it enables the entity to:

• Consistently apply predefined rules and perform complex calculations in processing large volumes of transactions or data.
• Enhance the timeliness, availability, and accuracy of information.
• Facilitate the additional analysis of information.
• Enhance the ability to monitor the performance of the entity’s activities and its policies and procedures.
• Reduce the risk that controls will be circumvented.
• Enhance the ability to achieve effective segregation of duties by implementing security controls in applications, databases, and operating systems.

11. Question: What risks does IT pose to internal control?

Answer: IT poses specific risks to internal control, including:

• Reliance on inaccurate systems or programs
• Unauthorized access to data that may result in destruction of data or improper alterations to data
• Unauthorized changes to master files
• Unauthorized changes to systems or programs
• Failure to make necessary changes to systems or programs
• Inappropriate manual intervention
• Potential loss of data

Note: The extent and nature of these risks to internal control depend on the
nature and characteristics of the entity’s information system.
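Several of the risks listed above (unauthorized access that alters data, unauthorized changes to master files) share one detection pattern: keep an approved baseline of the master file and require every difference between it and the current file to be explained by an approved change record. The following is an added example, not taken from the lecture notes or from any audit tool: it snapshots a vendor master file as per-record SHA-256 digests, diffs the current file against that baseline, and reports the changes that no approved change record covers. The vendor records, the baseline and the change records (with their `approved_by` field) are constructed assumptions for the example.

```python
"""Detecting unauthorized master-file changes by reconciling a hashed
baseline against approved change records.

Added example, not from the lecture notes. The vendor master records, the
baseline and the change log are constructed sample data; the shape of a
"change record" (vendor_id, change_type, approved_by) is an assumption.
"""
import hashlib
import json
from typing import Dict, List, Tuple

Change = Tuple[str, str]  # (vendor_id, change_type)


def record_digest(record: dict) -> str:
    """Stable SHA-256 of one record; keys are sorted so field order is irrelevant."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def snapshot(master: List[dict]) -> Dict[str, str]:
    """Map each vendor_id to the digest of its record; this is the baseline."""
    return {r["vendor_id"]: record_digest(r) for r in master}


def diff(baseline: Dict[str, str], current: Dict[str, str]) -> List[Change]:
    """List every record that was added, removed or modified since the baseline."""
    changes: List[Change] = []
    for vid in sorted(set(baseline) | set(current)):
        if vid not in baseline:
            changes.append((vid, "added"))
        elif vid not in current:
            changes.append((vid, "removed"))
        elif baseline[vid] != current[vid]:
            changes.append((vid, "modified"))
    return changes


def unauthorized_changes(baseline: Dict[str, str], current_master: List[dict],
                         change_log: List[dict]) -> List[Change]:
    """Return the changes that no approved change record accounts for.

    A change record only counts if it carries a non-empty approved_by field;
    a ticket that was raised but never approved does not authorize anything.
    """
    covered = {(c["vendor_id"], c["change_type"])
               for c in change_log if c.get("approved_by")}
    return [c for c in diff(baseline, snapshot(current_master)) if c not in covered]


# Constructed baseline: the vendor master as last approved.
BASELINE_MASTER = [
    {"vendor_id": "V001", "name": "Acme Supplies", "bank_account": "11-111"},
    {"vendor_id": "V002", "name": "Bolt Ltd", "bank_account": "22-222"},
    {"vendor_id": "V003", "name": "Crate Co", "bank_account": "33-333"},
]
BASELINE = snapshot(BASELINE_MASTER)

# Constructed current file: V002's bank account changed, V003 removed, V004 added.
CURRENT_MASTER = [
    {"vendor_id": "V001", "name": "Acme Supplies", "bank_account": "11-111"},
    {"vendor_id": "V002", "name": "Bolt Ltd", "bank_account": "99-999"},
    {"vendor_id": "V004", "name": "Delta GmbH", "bank_account": "44-444"},
]

# Constructed change log: only the V002 change was actually approved.
CHANGE_LOG = [
    {"vendor_id": "V002", "change_type": "modified", "approved_by": "alice"},
    {"vendor_id": "V004", "change_type": "added", "approved_by": ""},
]

if __name__ == "__main__":
    for vid, kind in unauthorized_changes(BASELINE, CURRENT_MASTER, CHANGE_LOG):
        print(f"UNAUTHORIZED: vendor {vid} {kind}")
```

Run as a script it flags the deletion of V003 and the addition of V004, while the approved bank-account change on V002 passes. Hashing whole records rather than individual fields keeps the baseline small and makes any field-level tampering visible; the price is that the check says a record changed, not which field, so the reviewer still compares the two versions before concluding.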

12. Question: To what extent must I consider the client’s internal control?

Answer: The practitioner must obtain a sufficient understanding of internal control to enable the proper planning of the audit. Whether controls have been placed in operation is of prime importance. Operating effectiveness is not to be judged by the practitioner.

The understanding of the internal control should:

(1) provide a basis for identifying types of potential misstatements,
(2) enable the assessment of the risk that such misstatements will occur, and
(3) enable the auditor to design substantive tests.

13. Question: What are the procedures used to obtain an understanding of internal control?

Answer: Ordinarily, a combination of the following procedures is used in obtaining a sufficient understanding of internal control:

• Previous experience with the client
• Inquiry of appropriate client personnel
• Observation of client activities
• Reference to prior year working papers
• Inspection of client-prepared descriptions, such as organization charts and accounting manuals

14. Question: How should I document my understanding of internal control?

Answer: The auditor must exercise professional judgment in determining the methods and extent of documentation. The most frequently used methods of documentation are:

• Flowcharts
• Questionnaires
• Narrative memos (written descriptions)

15. Question: What is meant by assessing control risk?

Answer: The assessment of control risk is a process of evaluating the effectiveness of a client’s internal controls in preventing or detecting material misstatements in the financial statements.

16. Question: How do I assess control risk?

Answer: If the auditor concludes, based on his or her understanding of internal control, that controls are likely to be ineffective or that evaluation of their effectiveness would be inefficient, then the auditor may assess control risk at the maximum level for some or all financial statement assertions.

If specific controls are likely to prevent or detect material misstatements and the auditor performs tests of controls in order to evaluate the effectiveness of the controls identified, then assessment of control risk below the maximum level is permissible.

17. Question: What are tests of controls?

Answer: SAS 55 defines tests of controls as tests directed toward the design or operation of an internal control to assess its effectiveness in preventing or detecting material misstatements in a financial statement assertion. Inquiry of company personnel, inspection of client documents and records, observation of client activities, and re-performance of controls represent some of the procedures used in performing tests of controls.

In performing tests of controls, the auditor seeks answers to the following questions:

• Who performed the control?
• When was the control performed?
• How was the control performed?
• Was the control consistently applied?

18. Question: What is the relationship between the assessed level of control risk and substantive testing?

Answer: Since the auditor’s determination of the nature, extent, and timing of substantive tests is dependent on detection risk, the assessed level of control risk must be considered in conjunction with inherent risk (see SAS 47). There is an inverse relationship between detection risk and the assurances to be.

********************************************

MANAGING RISK

Risk management occurs as part of a number of different activities in an organisation. It is part of the management of projects, information security, health and safety and fraud. Whilst many of the principles are the same, this guidance focuses on risk management in the context of governance and managing the totality of risks across the organisation. An international standard from the International Standards Organisation is due to be released shortly. In addition, we have also outlined the key processes for managing risks.

Contents:

• Choosing between the standards
• Role of internal audit
• Factors to consider
• Working with professional risk managers
• Common standards for risk management

Choosing between the standards

Not every standard will work for every organisation. Managers must select a standard
that suits their size, nature, culture and the demands of stakeholders such as regulators
or shareholders. To assess this, managers can look at the framework and processes that
the standards propose and decide which standard is the best fit to their organisation.

Role of internal audit

The management of risk is the responsibility of the managers of an organisation and of those responsible for governance. The role of internal audit is to evaluate how effectively the organisation's people manage risks and to help them to improve where necessary. The International Standards for the Professional Practice of Internal Auditing set out the role of internal audit, which is explained in more detail in the Position Paper, The role of internal audit in enterprise risk management.

Factors to consider

The purpose of risk management is to maximise the likelihood that an organisation will
achieve its objectives. Risk management helps managers to grasp new opportunities and
provides a safety mechanism that prevents damage from things going wrong.

Effective risk management needs a framework, processes and the right culture and
behaviours. By framework, we mean the architecture and structures such as
committees, people, roles, responsibilities and policies. When reviewing the standards,
assess whether they require the sort of framework that suits your organisation.

Substance over form - culture and behaviour

Even if managers select the most appropriate standard, they can still implement it in a
way that minimises its effects. This happens when people in the organisation worry
more about having the right paperwork than about managing the risks. One message is
very important: the aim is to create and build a culture that focuses on identifying and
managing risks. The framework and processes must support real substantive actions
and awareness if they are to be useful and effective. They must be simple and proactive,
stimulating action where it is needed rather than creating a complicated bureaucracy.

In short, risk management should be PACED:

• Proportionate to the size of organisation and nature of risks,
• Aligned to the objectives of the organisation and the needs of the stakeholders,
• Comprehensive - covering all types of risk,
• Embedded in the ongoing processes for strategic and operational decision making, and
• Dynamic - able to change as the organisation and its environment changes

Embedding risk management

To embed risk management successfully, you need to encourage five areas of activity, summarised by the acronym LILAC. These are:

• Leadership
• Involvement by all employees and indeed other workers
• Learning culture
• Attitude towards blame or accountability
• Communication up and down and across the organisation

Leadership through risk policies

The primary responsibility for ensuring that risks are managed rests with the board. It is
the board that must demonstrate leadership to embed risk management effectively. In
practice, the board is likely to set out its expectations within a risk policy and to delegate
the design and implementation of the risk management framework, processes and
culture to the senior management team. The way the board and senior management
express their beliefs about risk management has a direct impact on its effectiveness.
Most standards therefore emphasise the risk policy as a way of expressing the
organisation's commitment to risk management and for embedding a risk culture into
everyday business practices and procedures across the organisation. This provides a
foundation for the implementation of a methodology.

The following are examples of what might be included in a risk policy:

• The organisation's attitude towards taking risks
• Aims and expectations of risk management at different levels: strategy, operations,
projects, although all should link to the strategic direction of the organisation
• Sponsorship at board level
• Ownership and positive support by senior people
• Roles and responsibilities at senior and operational levels
• Risk appetites setting tolerance levels, limits and decision-making
• Performance measures and reporting requirements
• Terminology to define a common risk language

Supporting people and partnerships

Effective risk management relies upon the dedication and the ability of employees and
other workers to apply the recognised procedures within the framework. Managers
must work to involve everyone in the management of risk. Many organisations start at
the induction stage and continue with training and development. The extent of training
and development is a reflection of the organisation's commitment to risk management
and the culture that empowers staff to identify and be accountable for the management
of risks. As an extension of this, some organisations base their selection of business
partners on a willingness to embrace risk management and the sharing of business
risks.

Working with professional risk managers

As noted above, the role of internal auditors is to provide assurance to the board and to senior management that the management of risk is effective and to assist the organisation to improve where necessary. If the organisation enjoys the services of professional risk managers, then internal auditors should strive to coordinate with them and to work together to provide the most effective and efficient assurance and consulting service to management and the board. The best way to do this is to build an open relationship based on mutual respect. Ask the risk managers what they see their role as. Understand what their objectives are. Find out if there is anything you can do to help them. Take care with terminology. You may find that you use the same words as the risk managers but that you and they mean different things. In contrast, different words sometimes mean the same. One way to tackle this is to share professional publications with them - you are free to give them this guidance if it helps you to build understanding.

During the drafting of this guidance, we discovered one small example of the difference in the approach between the two professions, which may be of interest. When we internal auditors explain how to respond to risks, we normally talk about our response to inherent risks and our first thought is to terminate the underlying activity or not to undertake it. After that, we consider 'transfer' then 'tolerate' and finally 'treat'. Risk managers often look at residual not inherent risks. Their logical order for the responses to risk is: tolerate the residual risk, or transfer it, or terminate the activity and, finally, add extra treatments.
