
Unit-05 Internal Control & Auditing

Internal control encompasses processes and policies that ensure effective operations, reliable financial reporting, compliance with laws, and asset protection. The COSO Framework outlines key components such as control environment, risk assessment, control activities, information and communication, and monitoring. Internal auditing serves as a control mechanism to evaluate the effectiveness of these internal controls, with auditors providing independent assessments and reports to management and stakeholders.

Uploaded by guptajaithra

Copyright © All Rights Reserved

Internal Control {Unit-05}

Internal control refers to the processes, procedures, and policies put in place by an organization to
ensure:

1. Effective and efficient operations – making sure the organization runs smoothly and achieves its
goals.
2. Reliable financial reporting – ensuring the accuracy and integrity of financial records.
3. Compliance with laws and regulations – adhering to all relevant rules and legal requirements.
4. Safeguarding of assets – protecting the organization’s resources from loss, theft, or misuse.

Key Components of Internal Control (as per COSO Framework):

1. Control Environment – the tone at the top; ethical values, management style, and organizational
structure.
2. Risk Assessment – identifying and analyzing risks that could prevent objectives from being
achieved.
3. Control Activities – specific actions like approvals, authorizations, verifications, reconciliations.
4. Information and Communication – systems for capturing and communicating information
effectively.
5. Monitoring – ongoing or periodic evaluations of the internal control system to ensure it works
properly.

Example:

An example of internal control is requiring two signatures on checks over a certain amount—this helps
prevent fraud or unauthorized payments.

Basic components of internal control


The basic components of internal control are commonly outlined in the COSO Framework, which
identifies five interrelated components that form the foundation for an effective internal control
system:

1. Control Environment

This is the overall attitude, awareness, and actions of management and the board regarding the internal
control system. It sets the tone for the organization.

Key elements include:

• Integrity and ethical values
• Commitment to competence
• Organizational structure
• Management philosophy and operating style
• Assignment of authority and responsibility
• Human resource policies and practices

2. Risk Assessment

Organizations must identify and analyze risks that could prevent them from achieving their objectives.

This includes:

• Identifying internal and external risks
• Assessing the likelihood and impact of risks
• Developing strategies to manage those risks

3. Control Activities

These are the actual policies and procedures that help ensure management's directives are carried out.

Examples:

• Approvals and authorizations
• Verifications
• Reconciliations
• Segregation of duties
• Safeguarding assets

4. Information and Communication

Effective internal control requires timely and relevant information to be identified, captured, and
communicated.

Includes:

• Internal communication (e.g., reporting lines, policies)
• External communication (e.g., with regulators, stakeholders)

5. Monitoring

Ongoing or periodic assessments to ensure the internal control system is functioning as intended and is
updated when necessary.

Methods:

• Internal audits
• Management reviews
• Follow-up on control deficiencies

Requirements for Effective Internal Control:
1. Strong Control Environment
o Leadership sets a clear tone emphasizing integrity, ethics, and accountability.
o Roles and responsibilities are clearly defined.
o Competent personnel are hired and trained.
2. Risk Assessment
o The organization identifies, analyzes, and responds to risks that could affect goal
achievement.
o Risk assessments are performed regularly and updated as needed.
3. Well-Designed Control Activities
o Controls such as approvals, authorizations, verifications, and segregation of duties are in
place.
o Controls are appropriate to the size and complexity of the organization.
4. Reliable Information and Communication
o Accurate and timely information is captured and shared.
o Employees are informed of their control responsibilities.
o There is open communication across all levels of the organization.
5. Ongoing Monitoring
o Controls are regularly reviewed and tested (e.g., through internal audits).
o Deficiencies are identified and corrected promptly.
6. Segregation of Duties
o Responsibilities are divided so that no single individual controls all aspects of a transaction,
helping prevent errors or fraud.
7. Proper Documentation
o Policies, procedures, and control activities are documented and accessible.
o Documentation supports accountability and transparency.
8. Compliance with Laws and Regulations
o Internal controls ensure adherence to applicable legal and regulatory requirements.
9. Adaptability and Continuous Improvement
o The internal control system evolves with changes in business processes, risks, and
regulations.

Tools for Effective Internal Control


Strong Supervision
Confirm Authorization
Detailed Documentation
Physical Security
Independent Checks
Rotation of Duties
Principles / Characteristics of Internal Control:
1. Goal-Oriented
o Designed to help achieve specific objectives: operational efficiency, accurate reporting, and
legal compliance.
2. Integrated System
o Not just a set of procedures, but a system involving people, processes, and technology
working together.
3. Preventive and Detective
o Includes controls to prevent errors or fraud (e.g. approval requirements) and to detect
them if they occur (e.g. audits, reconciliations).
4. Reasonable Assurance
o Provides reasonable, not absolute, assurance that goals will be met—due to inherent
limitations like human error or collusion.
5. Continuous Process
o Internal control is ongoing, not a one-time setup. It must be regularly monitored and
adjusted as needed.
6. Responsibility-Based
o Everyone in the organization has a role in internal control—from the board of directors to
front-line employees.
7. Documentation
o Policies and procedures are properly documented to provide clarity and accountability.
8. Segregation of Duties
o Duties are divided among different people to reduce risk and ensure checks and balances.
9. Flexibility
o Effective internal control systems are adaptable to changes in the business environment,
technology, or regulations.
10. Monitoring and Feedback
o Regular review and evaluation of control performance ensures improvement and
correction of weaknesses.

Internal Auditing
“Where Accountancy ends, Auditing begins”.
“It is often called the CONTROL ON CONTROLS”.

Meaning and Definition:

Auditing means the scrutiny of account books and related documentary evidence by an independent
qualified person in order to ascertain the accuracy of the figures appearing therein.
Finally, we can say:

Internal Audit means the independent appraisal of activity within an organization for the review of
accounting, financial and other business practices as a protective and constructive arm of
management. It is a type of control which functions by measuring and evaluating the effectiveness of
other types of control.

Auditor: The person who conducts an audit is known as an auditor. He makes a report to his appointing
authority after careful examination of the accounting records and accounting statements. In this report,
he expresses his opinion about the statement of accounts.
Common Tools of Internal Audit:
1. Audit Checklists
o Predefined lists of items or procedures to review.
o Ensure consistency and completeness in audits.
2. Risk Assessment Tools
o Help identify and prioritize risks in processes or departments.
o Examples: Risk matrices, heat maps, and scoring models.
3. Flowcharts and Process Mapping
o Visual tools to understand and document business processes.
o Identify control points, redundancies, and weaknesses.
4. Sampling Techniques
o Select a representative set of data or transactions to audit.
o Methods: Random sampling, stratified sampling, judgmental sampling.
5. Audit Management Software
o Digital platforms to plan, track, and document audits.
o Examples: TeamMate+, AuditBoard, SAP GRC, IDEA, CaseWare.
6. Data Analytics Tools
o Used to analyze large volumes of data for patterns, trends, anomalies.
o Examples: Excel, ACL (Galvanize), Tableau, Power BI.
7. Interviews and Questionnaires
o Collect qualitative information from staff or management.
o Assess awareness, control effectiveness, or ethical practices.
8. Observation
o Watching actual processes to verify that procedures are followed as described.
o Useful for assessing physical controls or compliance in operations.
9. Document Review
o Examine records such as invoices, contracts, policies, or reports.
o Verify compliance, accuracy, and completeness.
10. Control Self-Assessments (CSA)
o Departments evaluate their own controls using internal audit-provided frameworks.
o Encourages ownership and awareness of risks and controls.

Main Role and Objectives of Internal Audit

• To verify the correctness and authenticity of the financial accounting.
• To confirm that liabilities have been incurred by the organization in respect of its valid and
legitimate activities.
• To comment on the effectiveness of the internal control system and proceeds of internal check
system.
• To examine the protection afforded to the company's assets.
• To ensure that the organization follows the standard accounting practices required of it.
• To assist the management in achieving the most efficient administration.
Duties of Company Auditor
Duty under Section 227: It is otherwise known as the duty to give a report. After completion of the audit work, the auditor
should give a report expressing his opinion. The report may be lengthy or summarized. It may be in the form of a
letter or a statement. Whatever the form may be, it must be addressed to the shareholders.
The audit report should include the following:
• Whether the company is maintaining proper books and records or not.
• Whether financial explanations from company staff are received or not.
• Whether financial statements are prepared in accordance with the requirements of the Companies Act or not.
• Whether the balance sheet is giving a true and fair view or not.
• Whether the profit and loss account is giving a true and fair view or not.
• If there are branches, whether statements from branch auditors under Sec. 228 are properly received or not.

Rights of Company Auditor under the Companies Act, 1956

• Right to access the books and records.
• Right to get explanations from company staff.
• Right to receive notice of general meetings and to attend them.
• Right to visit branches.
• Right to seek legal and technical advice.
• Right to claim remuneration.
• Right to refuse to commence the audit.
• Right to question the board.
• Right to qualify his report.
These undertakings are mentioned below, under the different laws that govern them
(external auditing is mandatory):

• Joint stock companies incorporated under the Companies Act, 1956.
• Banking companies governed by the Banking Companies Regulation Act.
• Insurance companies governed by the Insurance Act.
• Co-operative societies registered under the Co-operative Societies Acts.
• Public and charitable trusts under various religious Acts.
• Local authorities and Govt. undertakings established under a special law (Act), if any.
Difference between the Internal and External Auditor.
There are multiple differences between the internal audit and external audit functions, which are
as follows:

1. Internal auditors are hired by the company, while external auditors are appointed by a
shareholder and govt agencies.

2. Internal auditors do not have to be CPAs (Certified Public Accountants), while a CPA must
direct the activities of the external auditors.

3. Internal auditors are responsible to management, while external auditors are responsible
to the shareholders or govt agencies.

4. Internal auditors can issue their findings in any type of report format, while external
auditors must use specific formats for their audit opinions and management letters.

5. Internal audit reports are used by management, while external audit reports are used by
stakeholders, such as investors, creditors, and lenders.

6. Internal auditors can be used to provide advice and other consulting assistance to
employees, while external auditors are constrained from supporting an audit client too
closely.

7. Internal auditors will examine issues related to company business practices and risks,
while external auditors examine the financial records and issue an opinion regarding the
financial statements of the company.

8. Internal audits are conducted throughout the year, while external auditors conduct a single
annual audit. If a client is publicly-held, external auditors will also provide review services
three times per year.

9. In short, the two functions share one word in their names, but are otherwise quite
different. Larger organizations typically have both functions, thereby ensuring that their
records, processes, and financial statements are closely examined at regular intervals.
Auditor’s Report – Meaning and Structure
An auditor’s report is a formal opinion, or disclaimer of opinion, issued by an external or internal
auditor as a result of an audit of a company’s financial statements or internal controls. It provides
assurance to stakeholders (like investors, regulators, and management) about the accuracy, reliability,
and fairness of the financial information presented.

📄 Types of Auditor's Reports (Based on Opinion):

1. Unqualified Opinion (Clean Report)


o Financial statements are presented fairly, in all material respects.
o No significant issues were found.
o This is the best type of report a company can receive.
2. Qualified Opinion
o Financial statements are mostly fair, except for certain areas.
o Used when there’s a material issue, but not pervasive.
3. Adverse Opinion
o Financial statements are materially misstated and misleading.
o Indicates significant problems in accounting or reporting.
4. Disclaimer of Opinion
o Auditor cannot form an opinion due to lack of evidence or independence.
o Often a result of scope limitations or uncertainties.

🧾 Basic Structure of an Auditor’s Report:

1. Title
o “Independent Auditor’s Report”
2. Addressee
o Usually to the shareholders or board of directors.
3. Opinion Paragraph
o Clearly states the auditor’s opinion on the financial statements.
4. Basis for Opinion
o Describes the audit standards followed and what procedures were performed.
o Includes a statement of auditor independence.
5. Key Audit Matters (KAMs) (for listed companies)
o Discloses significant matters encountered during the audit.
6. Management's Responsibility
o Outlines the responsibilities of management for preparing the financial statements.
7. Auditor’s Responsibility
o Describes what the auditor does and the scope of the audit.
8. Other Reporting Responsibilities
o Includes legal or regulatory requirements (if applicable).
9. Signature and Details
o Auditor’s name, firm, registration number, location, and date.
