Internal control procedures (more accurately: internal accounting control procedures; more simply: internal controls) comprise the procedures that management has adopted or devised to provide management with some degree of assurance that the objectives of the accounting information system will be achieved. (See COSO for a broader definition of internal controls). Auditors are concerned with the effectiveness of internal controls for two main reasons. Firstly, weaknesses in internal control procedures can lead to material misstatements in the financial information which may not be detected by the auditor [fn]. Secondly, effective internal control procedures provide assurance that misstatements will be detected by the client and may be relied upon by the auditor [fn]. This reliance may help to facilitate a more efficient audit. However, note that owing to their limitations [fn], internal control procedures can never provide more than reasonable assurance.
Note that auditors, irrespective of their audit approach, obtain an understanding of internal control sufficient to identify and assess the risk of material misstatement of the financial report.
The objectives of an accounting information system may differ from entity to entity, but most information systems have as an objective the provision of reliable information on a timely basis. Thus, internal controls will normally include control procedures that are designed to provide management with some degree of assurance that the information provided by the accounting information system is reliable and provided on a timely basis. Internal controls that are of particular interest to auditors are controls that provide assurance as to the reliability of the information output of an accounting information system, as auditors may wish to place reliance on these controls in order to reduce the time required to perform substantive procedures. Controls that provide assurance as to the reliability of accounting information are controls over the completeness, validity and accuracy of financial statements items and underlying account balances and classes of transactions.
When auditors become aware of weaknesses in internal control procedures, then as well as planning less (or no) reliance on the procedures, auditors also inform management of the weaknesses. Refer to the Journal of Accountancy publication Management Reports on Internal Controls.
There are two categories of internal control procedures: specific control procedures and general control procedures. Specific controls are those controls that provide management with assurance over a specific aspect of the accounting information system, such as the completeness of cash receipt transactions, or the accuracy of cash disbursement transactions. General controls (sometimes referred to as environmental controls) are those controls that provide support for the specific controls and therefore provide management with assurance relating to more than one aspect of the accounting information system. A procedure that provides assurance that staff employed by the entity are honest and sufficiently competent to perform specific internal control procedures is an example of a general control procedure.
Note that when auditors plan reliance on either a general control or a specific control, they firstly gathers evidence as to the operational effectiveness of the control procedure. If the procedure is not operationally effective, then auditors do not place any reliance on the control.
A more complete analysis of the differing frameworks of internal control can be found in the ISACA articles concerning Control Objectives for Information and related Technology (COBIT).
Copyright, Australian Educational Research Pty Ltd. Any person accessing this site agrees to the Terms of Use.