
Assurance (Knowledge Level) 05th Chapter

Introduction to internal control

01. What is Internal Control? [P- 88]


Internal controls are the processes, including rules & procedures, used to administer a unit effectively. They are
designed to provide reasonable, but not absolute, assurance regarding the achievement of objectives with
regard to the following:
Effectiveness & efficiency of operations,
Reliability with applicable laws & regulations,
Compliance with applicable laws & regulations,

02. What are the reasons/ objectives of internal control? [P- 89]
The reasons for internal controls can be seen in the example. They include:
Minimising the business risks
Effective functioning of the company
Complies with relevant laws and regulations
Develop and maintain reliable financial and management data
Safeguard resources against loss
Ensure the confidentiality, integrity and availability of data
Control overall management of the company

03. What are the limitations of Internal Control? [P- 89]


The limitations of Internal Control are:
Expensive
Human element
Unusual transactions
Resource Constraints
Inadequate Skill, Knowledge or ability
Faulty judgment
Unintentional errors
Degree of motivations by management & employees.

05) What are the components/standards of Internal Control? [P- 90]


BSA 315 sets out that there are five components of internal control, each of which may impact on the audit
process differently:
a) Control Environment
b) Control Activities
c) Risk Assessment
d) Information & Communication
e) Monitoring & Review
a) Control Environment:
Control environment includes the integrity, ethical values & competence of a company.
b) Control Activities:
Control Activities include approvals, authorizations, verifications and reviews of operating performance,
security of assets & segregation of duties.
c) Risk Assessment:
Risk Assessment identifies & analyzes risks & determines how the risks should be managed.
d) Information & Communication:
Information & Communication are systems that enable employees to carry out their responsibilities.
e) Monitoring & Review:
Monitoring is a process that assesses internal control performance over time by monitoring activities.

Anamul Huq (M.Z. Islam & Co.) Page 1 of 5



06. What are the auditor's categories of controls? [P- 90]
Discuss the auditor's categorization of controls.
Auditors categorize controls into the following four groups:
a) Preventive Controls:
Preventive controls are designed to prevent an error, omission or malicious act occurring.
b) Detective Controls:
Detective Controls are designed to detect errors, omissions or malicious acts that occur & report the
occurrence.

04. What is the control environment? [P- 91]


The control environment is the context of the internal control system, influenced by management. The control
environment includes the governance and management functions and the attitudes, awareness and actions of
those charged with governance and management concerning the entity's internal control and its importance in
the entity.

07. What is Audit committee? [P- 91]


A subsection of the board of directors which has a particular interest in the finance and accounting activities
of the company.

08. What are the terms of reference of audit committee? [P- 91]
What are the activities of audit committee?
The Code requires the committee to have written terms of reference which are likely to include the following:
To review the integrity of the financial statements and announcements of performance
To review internal financial controls and risk management systems
To monitor and review the effectiveness of internal audit function
To recommend the external auditor to the board
To monitor the independence of the external auditor
To implement policy on the provision of non-audit services by the external auditor

09. What is Entity's risk assessment process and Business risk? [P- 92]
Entity's risk assessment process: The process by which management in a business identifies business
risks relevant to financial reporting objectives and decides what actions to take to address those risks (for
example, implementing internal controls).
Business risk: The risk inherent to the company in its operations. It is risks at all levels of the business.

10. What are the elements of entity's risk assessment process? [P- 92]
The risk assessment process will involve the following elements:
Identify relevant business risks
Estimate the impact of risks
Assess the likelihood of occurrence
Decide upon actions (internal controls, insurances, changes in operations) to manage them
Figure: Entity's risk assessment process

11. What is information system relevant to financial reporting objectives? [P- 93]
Information system relevant to financial reporting objectives includes the procedures and records
designed to initiate, record, process and report entity transactions and to maintain accountability for the related
assets, liabilities and equity.


12. [P- 93]


The auditors will be interested in:
The classes of transactions that are significant to the entity
The procedures by which these transactions are recorded and reported
The related accounting records and supporting information
How the information system captures events other than transactions that are relevant to the financial
statements
The process of preparing the financial statements
This will typically involve the financial controller and/or director and the use of journals, which the auditors
will be interested in.

13. What are control activities? [P- 94]


The policies and procedures that help ensure that management directives are carried out.

13. What are the components of Control Activity? [P- 94]


The following are the components of control activity:
i. Personnel
ii. Segregation of duties
iii. Authorization Procedures
iv. Documentation & Record Retention
v. Physical Restrictions
vi. Monitoring & Review
i. Personnel:
Personnel need to be competent & trustworthy.
ii. Segregation of duties:
Segregation of duties reduces errors & irregularities.
iii. Authorization Procedures:
Authorization procedures need to verify the propriety & validity of transactions.
iv. Documentation & Record Retention:
Documentation & record retention is to provide that all information & transactions are accurately recorded
& retained.
v. Physical Restrictions:
Physical restrictions are most important for safeguarding organization assets, procedures & data.
vi. Monitoring & Review:
Monitoring operation is essential to verify that controls are operating properly.

15. What is IT Control? Classify it. [P- 95]


In business and accounting, IT controls are specific activities performed by persons or systems designed to
ensure that business objectives are met. They are a subset of an enterprise's internal control.
Classification of IT Control:
a) IT General Control (ITGC):
ITGC represents the foundation of the IT control structure. It helps to ensure the reliability of generated
data by IT systems.
b) IT Application Control:
IT application or program controls are fully automated controls designed to ensure the complete & accurate
processing of data from input through output. These controls may also help ensure the privacy and
security of data transmitted between applications.


16. Give some examples of general controls. [P- 95]


Examples of general controls:
i. Development of Computer applications:
Standards over systems design, programming and documentation
Full testing procedures using test data
Approval by computer users and management
Segregation of duties
Installation procedures
Training of staff
ii. Prevention or detection of unauthorised changes to programs:
Segregation of duties
Full records
Password protection
Restricted access to central computer
Maintenance of program logs
Use of anti-virus software
Back-up copies
Control copies to be compared with actual programs
Stricter controls by use of read only memory
iii. Testing and documentation of program changes:
Complete testing procedures
Documentation standards
Approval of changes by computer users and management
Training of staff using programs
iv. Controls to prevent wrong programs or files being used:
Operation controls over programs
Libraries of programs
Proper job scheduling
v. Controls to prevent unauthorised amendments to data files:
Such as passwords to prevent unauthorised entry, built in controls to permit changes
vi. Controls to ensure continuity of operations:
Storing extra copies of programs and data files off-site
Protection of equipment against fire and other hazards
Back-up power sources
Emergency procedures
Disaster recovery procedures, e.g. availability of back-up computer facilities
Maintenance agreements and insurance

17. Give some examples of application controls. [P- 96]


Examples of application controls:
i. Controls over input: completeness
Manual or programmed agreement of control totals
Document counts
One-for-one checking of processed output to source documents
Programmed matching of input to an expected input control file
Procedures over resubmission of rejected data
ii. Controls over input: accuracy
Digit verification
Reasonableness test
Existence checks
Character checks
Necessary information
Permitted range
iii. Controls over input: authorisation
Information was authorised
Input by authorised personnel


iv. Controls over processing


Control completeness
Screen warnings
v. Controls over master files and standing data
One to one checking of master files to source documents
Cyclical reviews of all master files and standing data
Record counts
Controls over the deletion

18. Which application controls the auditors may test? [P- 97]
The auditors may wish to test the following application controls.
Manual controls exercised by the user
Controls over system output
Programmed control procedures

19. What are the processes of recording of internal controls? [P- 98]
There are broadly three types of document which are used for recording the understanding of the business:
i. Narrative notes:
These are good for things like:
Short notes on simple systems
Background information
They are less good when things get more complex, when diagrams tend to take over.
ii. Questionnaires and checklists:
These are:
Good as aide memoires to ensure you have all the bases covered but
Can lead to a mechanical approach so that an important extra question is never asked
Tick boxes often get ticked whether the brain is engaged or not
iii. Diagrams:
Things like:
Flowcharts
Organisation charts
Family trees
Records of related parties

***Others:
14. [P- 94]
Segregation should take place in various ways:
Segregation of function. The key functions that should be segregated are the carrying out of a
transaction, recording that transaction in the accounting records and maintaining custody of assets that
arise from the transaction.
The various steps in carrying out the transaction should also be segregated. We shall see how this works
in practice when we look at the major control cycles in the following chapters.
The carrying out of various accounting operations should be segregated. For example, the same staff
should not record transactions and carry out the related reconciliations at the period-end.

01. How does the auditor collect information about internal controls?


Auditors will obtain information about internal controls from a variety of sources:
Studying manuals of internal controls and copies of internal controls policies or minutes of meeting of
the risk assessment group
Talking to the people involved with internal control at all stages and asking them what the controls are
and why they have been implemented
Observing controls in operation
