Internal control in auditing
Internal control is a process designed and implemented by those charged with governance and management to provide reasonable assurance that the entity will:
- achieve operational objectives (effectiveness and efficiency),
- produce reliable financial reporting, and
- comply with laws and regulations.
In an audit, internal control matters because it directly affects the auditor’s assessment of the risk of material misstatement (RMM) and therefore the nature, timing, and extent of audit procedures.
1) Why auditors consider internal control
Auditors evaluate internal control not to guarantee it is perfect, but to:
- Understand how relevant controls are designed and implemented.
- Assess RMM at the financial statement level and assertion level.
- Design audit responses:
  - If controls are reliable and tested as effective → auditors may rely more on controls and reduce some substantive testing.
  - If controls are weak or not reliable → auditors increase substantive procedures (more detailed testing, larger samples, closer to year-end).
2) The 5 components of internal control (COSO framework)
Auditors commonly frame internal control using COSO:
- Control Environment: “Tone at the top,” integrity and ethics, governance oversight, organizational structure, competence, HR policies.
- Risk Assessment: How management identifies and responds to business and reporting risks (including fraud risks, changes in systems, new products).
- Information and Communication: The accounting system and related business processes; how information flows and responsibilities are communicated.
- Control Activities: Policies/procedures that prevent or detect misstatements: approvals, reconciliations, segregation of duties, physical safeguards, IT controls.
- Monitoring: Ongoing or periodic evaluation of controls, internal audit activities, follow-up on identified deficiencies.
3) Types of controls auditors look at
By purpose
- Preventive controls: stop errors/fraud from occurring (e.g., segregation of duties).
- Detective controls: identify issues after they occur (e.g., bank reconciliations).
- Corrective controls: fix problems and reduce future recurrence (e.g., root-cause action plans).
By form
- Manual controls (human review/approval)
- Automated controls (system-enforced checks)
- IT General Controls (ITGCs): access security, program change management, IT operations—these support the reliability of automated controls.
- Application controls: input–processing–output checks (validations, edit checks, sequence checks).
4) How internal control affects the audit approach
Auditors generally use a mix of:
- Tests of controls (TOC): to determine whether controls operate effectively.
- Substantive procedures: analytical procedures and tests of details to detect material misstatements directly.
Practical implications:
- High RMM / weak controls → more tests of details, larger samples, year-end testing.
- Strong controls verified by TOC → reduced extent of certain substantive tests (where appropriate), but some substantive work remains necessary for material balances.
5) How auditors obtain evidence about controls
Common techniques:
- Inquiry (ask personnel)
- Observation (watch the control being performed)
- Inspection (review documents/records)
- Reperformance (independently execute the control again—often the most persuasive)
Note: Inquiry alone is rarely sufficient to conclude a control is effective.
6) Inherent limitations of internal control
Internal control cannot provide absolute assurance due to:
- Human error
- Management override
- Collusion
- Cost–benefit constraints
- Changing conditions (new systems, staff turnover, process changes)
7) Control deficiencies and auditor communication
If issues are identified, auditors classify and communicate them (depending on standards and jurisdiction), such as:
- Deficiency in internal control
- Significant deficiency
- Material weakness (term more common in some regulatory environments)
These are often reported in a management letter (also called a letter of internal control weaknesses), with recommendations for improvement.
Examples (area → typical key controls)
- Cash/Bank → timely bank reconciliations, dual authorization for payments, restricted e-banking access.
- Revenue → approved pricing/discounts, system blocks invoicing without delivery evidence, sales-to-AR reconciliations.
- Purchases → three-way match (PO–GRN–invoice), vendor master file controls.
- Inventory → cycle counts/stocktakes, controlled warehouse access, reconciliation between stock records and GL.