Internal Control [Questions and Answers]



A client’s internal control is a process designed to provide reasonable, but not absolute, assurance that the following entity objectives will be achieved: reliable financial reporting, effective and efficient operations, and compliance with laws and regulations. A client’s internal control consists of five interrelated components: control environment, risk assessment, control activities, information and communication systems support, and monitoring. This post provides a brief overview of internal control, its interrelated core components, and its relationship to auditors and IT people, in “questions and answers” form. Enjoy!



Question: What Is the Control Environment?

Answer: The control environment, which is the foundation for the other components of internal control, provides discipline and structure by setting the tone of an organization and influencing control consciousness. Factors to consider in assessing the client’s control environment include:

  • Integrity and ethical values, including (1) management’s actions to eliminate or mitigate incentives and temptations on the part of personnel to commit dishonest, illegal, or unethical acts, (2) policy statements, and (3) codes of conduct
  • Commitment to competence, including management’s consideration of competence levels for specific tasks and how those levels translate into necessary skills and knowledge.
  • Board of directors or audit committee participation, including interaction with internal and external (independent) auditors
  • Management’s philosophy and operating style, such as management’s attitude and actions regarding financial reporting, as well as management’s approach to taking and monitoring risks
  • The entity’s organizational structure
  • Assignment of authority and responsibility, including fulfilling job responsibilities
  • Human resource policies and practices, including those relating to hiring, orientation, training, evaluating, counseling, promoting, and compensating employees



Question: What Is Meant By Risk Assessment?

Answer: An entity’s risk assessment for financial reporting purposes is its identification, analysis, and management of risks pertaining to financial statement preparation. Accordingly, risk assessment may consider the possibility of executed transactions that remain unrecorded.

The following internal and external events and circumstances may be relevant to the risk of preparing financial statements that are not in conformity with generally accepted accounting principles [or another comprehensive basis of accounting]:

  • Changes in operating environment, including competitive pressures
  • New personnel that have a different perspective on internal control
  • Rapid growth that can result in a breakdown in controls
  • New technology in information systems and production processes
  • New lines, products, or activities
  • Corporate restructuring that might result in changes in supervision and segregation of job functions
  • Foreign operations
  • Accounting pronouncements requiring adoption of new accounting principles



Question: What Control Activities Are Applicable to a Financial Statement Audit?

Answer: Control activities are the policies and procedures management has implemented in order to ensure that directives are carried out. Control activities that may be relevant to a financial statement audit may be classified into the following categories:

  • Performance reviews, including comparisons of actual performance with budgets, forecasts, and prior period results.
  • Information processing. Controls relating to information processing are generally designed to verify accuracy, completeness, and authorization of transactions. Specifically, controls may be classified as general controls or application controls. General controls might include controls over data center operations, systems software acquisition and maintenance, and access security; application controls apply to the processing of individual applications and are designed to ensure that transactions that are recorded are valid, authorized, and complete.
  • Physical controls, which involve adequate safeguards over the access to assets and records, include authorization for access to computer programs and files and periodic counting and comparison with amounts shown on control records.
  • Segregation of duties, which is designed to reduce opportunities that allow any person to be in a position to both perpetrate and conceal errors or fraud in the normal course of his or her duties, involves assigning different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets.



Question: What knowledge about the “information and communication systems support” component should an auditor obtain?

Answer: The auditor should obtain sufficient knowledge about the information system relevant to financial reporting. The information system generally consists of the methods and records established to record, process, summarize, and report entity transactions and to maintain accountability of related assets, liabilities, and equity. Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting.



Question: What is Meant by Monitoring?

Answer: Monitoring is management’s process of assessing the quality of internal control performance over time. Accordingly, management must assess the design and operation of controls on a timely basis and take necessary corrective actions.

Monitoring may involve: (1) separate evaluations, (2) the use of internal auditors, and (3) the use of communications from outside parties (e.g., complaints from customers and regulator comments).



Question: Is There a Relationship Between Internal Control Objectives and Components?

Answer: There is a direct relationship between objectives and components. This results from the fact that objectives are what an entity strives to achieve, while components are what an entity needs to achieve the objectives. It is also important to remember that internal control is relevant not only to the entire entity, but also to an entity’s operating units and business functions.


Question: What Objectives and Controls are Relevant to a Financial Statement Audit?

Answer: In general, the auditor should consider the controls that pertain to the entity’s objective of preparing financial statements for external use that are presented fairly in conformity with generally accepted accounting principles (GAAP) or some other comprehensive basis of accounting other than GAAP (OCBOA).

The controls relating to operations and compliance objectives may be relevant to a financial statement audit if they pertain to data the auditor evaluates or uses. For example, the auditor may consider the controls relevant to nonfinancial data (such as production statistics) used in analytical procedures.

Caution: Not all of the objectives and related controls are relevant to a financial statement audit. Furthermore, an understanding of internal control relevant to each operating unit and business function may not be essential.


Question: What is the auditor’s primary consideration with respect to the components of internal control?

Answer: The auditor’s primary consideration is whether a specific control affects the financial statement assertions rather than its classification into any particular component. Although the five components are applicable to every audit, they should be considered in the context of the following:

  • Entity size
  • Organization and ownership characteristics
  • Nature of the entity’s business
  • Diversity and complexity of operations
  • Methods of transmitting, processing, maintaining, and accessing information
  • Applicable legal and regulatory requirements



Question: How does information technology (IT) affect internal control?


  • An entity’s use of IT may affect any of the five interrelated components of internal control.
  • Controls in systems that use IT consist of a combination of automated controls (e.g., controls embedded in computer programs) and manual controls.


Question: What are the potential benefits of IT to internal control?

Answer: IT provides potential benefits of effectiveness and efficiency for internal control because it enables the entity to:

  • Consistently apply predefined rules and perform complex calculations in processing large volumes of transactions or data.
  • Enhance the timeliness, availability, and accuracy of information.
  • Facilitate the additional analysis of information.
  • Enhance the ability to monitor the performance of the entity’s activities and its policies and procedures.
  • Reduce the risk that controls will be circumvented.
  • Enhance the ability to achieve effective segregation of duties by implementing security controls in applications, databases, and operating systems.



Question: What risks does IT pose to internal control?

Answer: IT poses specific risks to internal control, including:

  • Reliance on inaccurate systems or programs
  • Unauthorized access to data that may result in destruction of data or improper alterations to data.
  • Unauthorized changes to master files
  • Unauthorized changes to systems or programs
  • Failure to make necessary changes to systems or programs
  • Inappropriate manual intervention
  • Potential loss of data


Note: The extent and nature of these risks to internal control depend on the nature and characteristics of the entity’s information system.


Question: To what extent must I consider the client’s internal control?

Answer: The practitioner must obtain a sufficient understanding of internal control to enable the proper planning of the audit. Whether controls have been placed in operation is of prime importance. Operating effectiveness is not to be judged by the practitioner. The understanding of internal control should: (1) provide a basis for identifying types of potential misstatements, (2) enable the assessment of the risk that such misstatements will occur, and (3) enable the auditor to design substantive tests.



Question: What are the procedures used to obtain an understanding of internal control?

Answer: Ordinarily, a combination of the following procedures is used in obtaining a sufficient understanding of internal control:

  • Previous experience with the client
  • Inquiry of appropriate client personnel
  • Observation of client activities
  • Reference to prior year working papers
  • Inspection of client-prepared descriptions, such as organization charts and accounting manuals.

Question: How should I document my understanding of internal control?

Answer: The auditor must exercise professional judgment in determining the methods and extent of documentation. The most frequently used methods of documentation are:

  • Flowcharts
  • Questionnaires
  • Narrative memos (written descriptions)


Question: What is meant by assessing control risk?

Answer: The assessment of control risk is a process of evaluating the effectiveness of a client’s internal controls in preventing or detecting material misstatements in the financial statements.


Question: How do I assess control risk?

Answer: If the auditor concludes, based on his or her understanding of internal control, that controls are likely to be ineffective or that evaluation of their effectiveness would be inefficient, then the auditor may assess control risk at the maximum level for some or all financial statement assertions.

If specific controls are likely to prevent or detect material misstatements and the auditor performs tests of controls in order to evaluate the effectiveness of the controls identified, then assessment of control risk below the maximum level is permissible.


Question: What are tests of controls?

Answer: SAS 55 defines tests of controls as tests directed toward the design or operation of an internal control to assess its effectiveness in preventing or detecting material misstatements in a financial statement assertion. Inquiry of company personnel, inspection of client documents and records, observation of client activities, and re-performance of controls represent some of the procedures used in performing tests of controls.

In performing tests of controls, the auditor seeks answers to the following questions:

  • Who performed the control?
  • When was the control performed?
  • How was the control performed?
  • Was the control consistently applied?


Question: What is the relationship between the assessed level of control risk and substantive testing?

Answer: Since the auditor’s determination of the nature, extent, and timing of substantive tests is dependent on detection risk, the assessed level of control risk must be considered in conjunction with inherent risk (see SAS 47). There is an inverse relationship between detection risk and the assurances to be.



  1. Melisa

    May 25, 2009 at 6:03 am


    I would like to ask for an explanation of the three monitoring processes in internal control.

    Thanks for quick reply.


  2. Sunny

    Oct 17, 2009 at 5:33 pm

    Dear Sir:

    Can you answer the statement below about internal control?

    No matter how sophisticated a system of internal control might be, its success ultimately requires that you place your trust in certain key personnel.

    For the above statement: Do you agree with the statement? Discuss fully

  3. Oct 18, 2009 at 1:37 am


    “No matter how sophisticated a system of internal control might be, its success ultimately requires that you place your trust in certain key personnel”.

    I would modify the above statement to become [see the additional wording in capital letters]:

    “No matter how sophisticated a system of internal control might be, its success ultimately requires that you place your trust in certain key personnel FOR CERTAIN LEVEL OF ACCESS AND AUTHORIZATION TO MAKE THEM FULLY FUNCTIONED ACCORDING TO THE CONTROL SYSTEM SET BY THE WHOLE ORGANIZATION”.

    What does this mean?

    We [as a real business] never trust persons; we only put our trust in “a system”. Everyone should “think and act” based on the system. Anything that runs outside of the system is a “problem” that needs to be fixed [if not shut down] right on the spot, whenever and wherever it occurs.

    As a controller, the one behind [designer of] the control system, who controls anything/everybody/every bit of activity in my organization, I do not live without control either. Someone controls me [the CFO] 🙂


  4. Gaikwad D K

    Jan 12, 2010 at 9:33 am

    I want competitive exam questions and answers.

  5. Mar 30, 2010 at 9:26 am

    Dear Sir,
    Can you critically discuss the following statement?
    “Reliable accounting is dependent upon an effective system of internal control”
    Thank you

  6. Sep 25, 2010 at 9:36 am


  7. Sue

    Apr 11, 2012 at 4:42 pm

    I work in a small govt contracting co. in the accounting department. The department is one person (me) and my supervisor who is Director of Admin & Finance. My duties are AP system entries & AR billings.

    My question is would picking up the daily mail and distributing sealed mail to employees put our company at risk in the event of an audit?

    Thank you for your time.

  8. Poochie

    Apr 19, 2012 at 1:11 am

    Need help with this topic “Evaluating the internal control of JMMB
