Understanding the entity and environment - Internal control ...

Learning Outcomes

After reading this article, you will be able to explain why auditors require a clear understanding of the entity’s internal control and IT environment, describe the five components of internal control, distinguish between general IT controls and information processing controls, and outline the impact of IT on the audit approach. You will also be able to identify and evaluate deficiencies, and define key internal control terminology for the ACCA Audit and Assurance exam.

ACCA Audit and Assurance (AA) Syllabus

For ACCA Audit and Assurance (AA), you are required to understand how internal control systems operate, how to evaluate control components including IT, and the implications for the audit plan. Focus your revision on:

  • Explaining why auditors obtain an understanding of internal control relevant to financial statements.
  • Describing the five components of internal control: control environment, entity risk assessment, information system and communication, control activities, and monitoring.
  • Distinguishing between general IT controls and information processing controls within audit contexts.
  • Evaluating internal controls, identifying significant deficiencies, and recommending improvements.
  • Recognizing limitations of internal controls and the impact of IT on audit evidence and risk.
  • Recording and documenting internal control systems using narratives, flowcharts, and questionnaires.
  • Testing controls and communicating control weaknesses to management and those charged with governance.

Test Your Knowledge

Attempt these questions before reading this article. If you find some difficult or cannot remember the answers, remember to look more closely at that area during your revision.

  1. List the five components of an internal control system.
  2. Define ‘general IT controls’ and ‘information processing controls’ and give one example of each.
  3. Which control component assesses the culture and tone set by management?
  4. True or false? Effective internal control eliminates the need for all substantive procedures in the audit.
  5. State two typical risks introduced by extensive use of IT in organisations’ accounting systems.

Introduction

Internal control is essential to achieving reliable financial reporting. Auditors must obtain sufficient understanding of an entity’s internal controls—including IT systems—to assess the risk of material misstatement and design audit procedures accordingly. Effective control systems help prevent, detect, and correct errors or fraud, but they also have inherent limitations.

Key Term: internal control
Processes designed, implemented, and maintained by those charged with governance, management, and other personnel to provide reasonable assurance regarding achievement of objectives in financial reporting, operations, and compliance.

The Purpose of Understanding Internal Controls

Auditors need to understand the design and implementation of relevant controls to:

  • Identify risk factors that could result in material misstatements.
  • Assess the strength or weakness of the control environment and plan the audit accordingly.
  • Determine which controls require testing and which areas will rely solely on substantive procedures.

The Five Components of Internal Control

An effective control system includes five interrelated components:

  1. Control Environment: The organisational culture, attitude, and ethical values demonstrated by management and those charged with governance.
  2. Entity’s Risk Assessment Process: Methods by which the entity identifies and manages business risks relevant to financial reporting.
  3. Information System and Communication: Systems for recording, processing, and communicating transactions and financial information.
  4. Control Activities: Policies and actions, manual or automated, that help ensure directives are carried out (e.g. authorisation, segregation of duties, physical controls, reconciliations).
  5. Monitoring of Controls: Ongoing or separate analyses to assess the effectiveness of controls over time, including responses to deficiencies.

Key Term: control environment
The set of standards, processes, and structures that provide the basis for carrying out internal control in the organisation, including the tone at the top, integrity, ethical values, and governance.

Key Term: control activities
Actions and policies established through manual or automated procedures that help ensure management directives are carried out, such as authorisations, verifications, reconciliations, and segregation of duties.

Worked Example 1.1

Scenario:
Epic Furnishings Ltd has a centralised purchasing department. All purchase orders must be approved by the purchasing manager before being sent to suppliers. The warehouse manager signs for received goods and passes delivery notes to accounts staff who match them against invoices and authorise payment. Inventory records are updated daily, and the finance director reviews monthly reconciliations.

Question: Identify three internal control components present in this system and give a specific example for each.

Answer:

  • Control activities: Requiring manager approval for purchase orders (authorisation control).
  • Information system: Daily updating of inventory records.
  • Monitoring: Monthly reconciliation review by the finance director.

Control Deficiencies and Evaluations

Auditors should be alert to missing or weak controls, such as:

  • Lack of review of key reconciliations.
  • Inadequate segregation of duties.
  • Failure to restrict access to cash or sensitive system settings.

When deficiencies are identified, auditors must assess their significance and, if necessary, communicate them to management or those charged with governance.

Limitations of Internal Control

Internal control systems, no matter how well designed, cannot guarantee the prevention or detection of material misstatements. Limitations arise from possibilities such as:

  • Human error (e.g., miscalculating or failing to act).
  • Collusion between employees to bypass controls.
  • Management override, where senior staff bypass controls for personal gain.
  • Cost-benefit trade-offs leading to omitted controls judged to provide little value.

Key Term: management override
The ability of senior management to circumvent prescribed policies or procedures for illegitimate purposes, thereby undermining the effectiveness of internal controls.

The IT Environment in Internal Control

Most organisations rely on IT to process financial information. This brings advantages (speed, accuracy, consistency) but also introduces risks such as unauthorised access, data loss, or reliance on flawed automation.

Types of IT Controls

IT controls fall into two categories:

  1. General IT Controls: These provide the overall basis for secure and reliable IT systems. They include:
    • Physical and logical access controls (passwords, firewalls)
    • Change management procedures (authorising software updates)
    • Backup and recovery procedures
  2. Information Processing Controls: These are embedded within specific applications and focus on accuracy and completeness of transaction processing. Examples:
    • Batch total checks during invoice entry
    • Sequence checks to detect missing documents
    • Authorisation controls for online payment runs
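
As an added illustration (not part of the original article), two of the information processing controls listed above, the sequence check and the batch total check, can be sketched as follows. The invoice data, header slip values and function names are constructed for the example.

```python
from decimal import Decimal

# Constructed sample batch: (invoice_number, amount) as keyed in by a clerk.
SAMPLE_BATCH = [
    (1001, Decimal("250.00")),
    (1002, Decimal("1310.50")),
    (1004, Decimal("89.99")),   # invoice 1003 was never keyed
    (1005, Decimal("400.00")),
    (1005, Decimal("400.00")),  # invoice 1005 keyed twice
]
# Constructed control totals from the batch header slip, prepared before keying.
HEADER_COUNT = 5
HEADER_TOTAL = Decimal("2125.49")


def sequence_check(numbers):
    """Return (missing, duplicates) for a run of pre-numbered documents."""
    seen, duplicates = set(), set()
    for n in numbers:
        if n in seen:
            duplicates.add(n)
        seen.add(n)
    if not seen:
        return [], []
    expected = set(range(min(seen), max(seen) + 1))
    return sorted(expected - seen), sorted(duplicates)


def batch_total_check(batch, header_count, header_total):
    """Compare keyed record count and value total against the header slip."""
    keyed_total = sum((amt for _, amt in batch), Decimal("0"))
    return {
        "count_ok": len(batch) == header_count,
        "total_ok": keyed_total == header_total,
        "difference": keyed_total - header_total,
    }


def review_batch(batch, header_count, header_total):
    """Run both controls and list exceptions; an empty list means accept."""
    missing, dupes = sequence_check([n for n, _ in batch])
    totals = batch_total_check(batch, header_count, header_total)
    exceptions = [f"missing document {n}" for n in missing]
    exceptions += [f"duplicate document {n}" for n in dupes]
    if not totals["count_ok"]:
        exceptions.append("record count differs from header")
    if not totals["total_ok"]:
        exceptions.append(f"value differs from header by {totals['difference']}")
    return exceptions
```

In the sample batch the record count still agrees with the header because one omission and one duplicate cancel out; the sequence check and the value total are what expose the error.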

Key Term: general IT controls
Core policies and procedures that support the continued effective operation of IT systems, including access, change management, and backup controls.

Key Term: information processing controls
Automated or manual checks embedded in IT applications which ensure completeness, accuracy, and validity of processing and recording transactions.

Worked Example 1.2

Scenario:
Melody Co processes payroll using an IT system. Employees enter hours worked; the system calculates pay automatically. Only payroll managers can update employee pay rates after entering a security password. Weekly reports are reviewed and signed by HR.

Question:
Identify one general IT control and one information processing control in this payroll system.

Answer:

  • General IT control: Restricting access to payroll rate changes by password protection.
  • Information processing control: Automated calculation of payroll from entered hours.

Impact of IT on the Audit

IT influences audit planning and execution due to:

  • The need for specialised skills to assess systems and generated evidence.
  • The potential for greater error concentration if system flaws exist.
  • Difficulties in tracing transaction trails since many documents may exist only electronically.
  • The possibility of using automated tools or test data to test system controls.

Auditors should:

  • Assess the reliability of IT controls and the appropriateness of data.
  • Consider using computer-assisted audit techniques (CAATs) like audit software or test data.
  • Document the effect on audit evidence and risk accordingly.

Recording and Documenting Internal Controls

Auditors use several methods to record and evaluate systems, including:

  • Narrative notes: Written descriptions of processes.
  • Flowcharts: Visual maps illustrating control steps and sequences.
  • Internal control questionnaires: Standardised questions to assess whether specific controls exist.

Each method has strengths and weaknesses in terms of clarity and completeness.

Key Term: internal control questionnaire (ICQ)
A pre-prepared set of questions used by auditors to confirm the existence and adequacy of controls in an entity, usually with yes/no responses.

Evaluating and Testing Controls

To assess whether controls are designed and operating effectively, auditors perform:

  • Enquiries and interviews with relevant staff.
  • Observation of control procedures in action.
  • Inspection of documentary evidence (signatures, approvals, logs).
  • Walkthrough tests, tracing transactions through the system.

Testing is focused on controls that address identified risks of material misstatement.

Worked Example 1.3

Scenario:
Finch Ltd’s bank reconciliations are prepared weekly but are not reviewed by anyone other than the preparer.

Question: Identify the control deficiency and make a specific recommendation.

Answer:
Deficiency: Lack of review increases the risk of misstatement or fraud remaining undetected.
Recommendation: Bank reconciliations should be independently reviewed and signed by a finance manager each week.

Exam Warning

In exams, clearly distinguish between general IT controls (system-wide) and information processing controls (application-specific). Mixing these examples is a common error.

Summary

An auditor’s understanding of internal control—especially the IT environment—is key to risk assessment and audit strategy. Internal controls consist of five components, with both manual and IT elements. General IT controls support reliable operation of information systems, while information processing controls ensure transactional integrity. All systems have limitations, so auditors remain alert to deficiencies and document controls using well-structured methods.

Key Point Checklist

This article has covered the following key knowledge points:

  • List and explain the five components of internal control.
  • Distinguish between general IT controls and information processing controls, with examples.
  • State the main purposes and limitations of internal control systems.
  • Outline common control deficiencies and how to evaluate them.
  • Describe the impact of IT environments on audit risk and procedures.
  • Identify and define key terminology used in internal control and IT contexts.

Key Terms and Concepts

  • internal control
  • control environment
  • control activities
  • management override
  • general IT controls
  • information processing controls
  • internal control questionnaire (ICQ)
