
Chapter 5

Theory and concepts of control

Objectives for this chapter:

• Define control and its accompanying elements in terms of the achievement of
organisational strategic objectives
• Describe the process of reporting on controls and control environments in order to
indicate the impact on the strategic objectives of the organisation
• Describe the process of assessing controls and give practical examples of how
these assessments are applied

5.1 Introduction
According to the definition of internal auditing, one of the main areas that internal auditors
should focus their efforts on is internal control. Before internal control and what it entails
within an organisation can be discussed, it is important to understand that control is part
of everyday life. When a person buys something, pays cash for it and
receives change, the checking of whether it is the correct amount is referred to as control.
When a house has burglar bars and a security system, the protection of assets is referred
to as control. When a refrigerator has a thermostat, the regulation of the temperature is
referred to as control.
Control within an organisation has similar functions and objectives to the controls that
are part of everyday life. In this chapter, the principles of internal control, the parties
responsible for its implementation and monitoring, its advantages and limitations, as
well as internal control in an information technology (IT) environment are introduced.
Specifically, the role and responsibility of internal auditing with regard to internal control
will be explained.

5.1.1 What is internal control?


Numerous definitions for the term internal control exist. Some of these include:
Internal control is a process, effected by an entity’s governing body, management, and
other personnel, designed to provide reasonable assurance regarding the achievement of
objectives relating to operations, reporting, and compliance.
Source: Committee of Sponsoring Organisations (COSO) of the Treadway
Commission
Control is any action taken by management, the governing body and other parties to
manage risk and increase the likelihood that established objectives and goals will be
achieved. Management plans, organises and directs the performance of sufficient actions
to provide reasonable assurance that objectives and goals will be achieved.
Source: Institute of Internal Auditors (IIA) International Professional
Practices Framework (IPPF)
Internal control measures are those methods and procedures which have been
accepted by the management of an entity to help in the achievement of management’s
goal to ensure that the business of the entity is properly conducted in an
orderly and efficient manner.
Source: South African Institute of Chartered Accountants (SAICA)
These definitions enable the assumption of a few common factors related to internal
control, namely:
• Control is either a process or an action taken.
• Management is responsible for implementing internal control, but other parties may
also be involved.
• Controls are implemented to minimise risks, thus ensuring that an organisation’s
objectives are met. However, effective internal controls can provide only reasonable
assurance that risks are minimised and objectives achieved.

5.1.2 The objectives of internal control


According to the COSO framework and IIA Standard 2130.A1, the primary objectives of
internal controls are to ensure that the organisation’s objectives are met. These include:
• Strategic objectives
  – achievement of strategic objectives.
• Operational objectives
  – reliability and integrity of financial and operational information;
  – effectiveness and efficiency of operations; and
  – safeguarding of assets.
• Reporting objectives
  – reliability, timeliness and transparency of internal and external reporting, both
financial and non-financial.
• Compliance objectives
  – compliance with laws, regulations, policies and procedures.
Internal control forms the backbone of any organisation, as weaknesses and the total
absence of internal control activities may result in chaos and the eventual demise of the
organisation. Although various definitions and frameworks exist that relate to internal
control and internal control structure, this chapter will focus on the COSO framework as
published in 2013. Note that the first COSO framework: Internal Control – Integrated
Framework (1992) has been replaced with this new version. Also note that the COSO
committee issued a report in 2004 on enterprise risk management. This is a separate
report and whilst similar in nature, it should not be confused with the framework on
internal control.
5.2 The COSO framework and the internal control process
The various policies, procedures and activities that are implemented by management to
mitigate risks are collectively referred to as “control processes”. In 1992, the Treadway
Commission identified that a sound internal control structure is one of the major focus
areas for the survival of any organisation. A subcommittee was asked to investigate
internal control and the Committee of Sponsoring Organisations (COSO) issued a report
entitled Internal Control – Integrated Framework. This framework was updated in 2013
and incorporates all the essential aspects that need to be present in order to implement
an effective and efficient internal control structure. Figure 5.1 shows the control
components according to the COSO control framework.

Figure 5.1: COSO control components (layered from the foundation upwards: control
environment, risk assessment, control activities, information and communication,
monitoring)

5.2.1 The control environment


The control environment forms the foundation of the COSO control framework and
provides the atmosphere in which people conduct their activities and carry out their control
responsibilities in the organisation. It serves as the basis for the other four components.
The control environment has a direct influence on the way activities are structured,
objectives are established, and risk is addressed, and therefore affects the
control-consciousness of people performing their day-to-day activities. The control
environment represents the collective effect of various factors on establishing, enhancing,
or mitigating the effectiveness of specific policies and procedures. If senior management
regards the proper functioning of an internal control structure as important, other
personnel will take note of this attitude and will also, perhaps unknowingly, adhere to the
prescribed policies and procedures that form the foundation for any internal control
structure. Therefore, the control environment is sometimes referred to as the “tone at the
top”.
The control environment can be divided into various elements which, together, contribute
to compliance with certain policies and procedures. Take note that the COSO list is not
a complete list of aspects affecting the control environment, and various sources of
literature include other aspects, such as the internal audit activity, as part of the control
environment. If internal auditing is expected to provide assurance on the control
environment, a preliminary investigation should be performed to identify the most
prominent aspects for the specific organisation. Some of these aspects of the control
environment are briefly discussed.

5.2.1.1 The philosophy and style of senior management


The fundamental management skills (as covered in chapter 2) consist of four elements,
namely:
• Planning – All the activities of the organisation must be properly planned to
ensure that every individual understands his or her specific role in achieving the
objectives of the organisation. Planning includes establishing objectives, developing
strategies, and determining policies and procedures, to name but a few.
• Organising – This implies the co-ordination of people and plans in order to execute
the planning. Organising includes responsibility, authority, delegation,
decentralisation, committees, and structures.
• Directing – This is the process of allocating resources to ensure objectives are met,
and includes elements of leadership, motivation and communication.
• Controlling – This is the process of ensuring that the directed actions have been
executed as planned to ensure that objectives are achieved. It thus consists of
establishing criteria (“what should be”), comparing them with the actual results
(“what is”), and if needed, correcting the actual to conform to the criteria.

Management can execute the above principles by using different approaches, which
reflect the philosophy it supports and the style in which it operates. Management’s
philosophy and operating style are covered in more detail in chapter 2, which deals
specifically with management and leadership.

5.2.1.2 The organisational structure (hierarchy)


An organisation’s hierarchical structure provides the overall framework for planning,
organising, directing and controlling operations. An organisational structure includes
consideration of the form and nature of an organisation’s business units, related
management functions and reporting relationships. The following factors should be taken
into consideration when evaluating the organisational structure:

• The organisational structure should be suitable for the type of organisation
Some organisations’ functions are centralised, and others are decentralised. Some have
direct reporting relationships and others are more of a matrix organisation. The
organisational structure should be able to provide the necessary information to the
managers to enable them to manage the organisation.

• Grouping of activities
Perhaps the most important decision that must be made in developing organisational
arrangements is the way in which, and to what extent, the activities should be grouped.
The major approaches normally used in practice are a division into functional, product or
geographical segments. In the functional approach (the most commonly used), the
organisation is structured along the lines of the major functions such as production,
marketing, personnel, and finance. The benefit lies in the specialised concentration of
authority that flows down through the various organisational levels. The disadvantage
is that key decisions must be co-ordinated and made at the top, restricting the possibility
of a more urgently needed response at field level.
The internal auditor should evaluate the organisational structure in order to ensure that
the necessary information does, in fact, reach the personnel concerned, as this
information flow will directly affect the decision-making process.

5.2.1.3 Methods used to communicate tasks and responsibilities to personnel


In order to understand the methods used by management to assign authority and
responsibility to personnel, the following factors should be considered:
• organisational policy regarding such matters as acceptable business practices,
conflicts of interest, and other codes of conduct;
• assignment of responsibility and delegation of authority to deal with such matters as
organisational goals and objectives, operating functions and regulatory requirements;
• job descriptions delineating specific duties, reporting relationships, and constraints;
and
• computer system documentation indicating the procedures for authorising
transactions and approving systems changes.
For the internal auditor, it is important to realise that personnel can only execute their
duties if they know what is expected of them. Methods to communicate these authorities
and responsibilities can include the following:
• an organisational code of conduct;
• memorandums from senior management, setting out the importance of control-related
activities;
• formal organisational and operational plans;
• a manual on accounting policies and procedures;
• an organisational chart;
• job descriptions; and
• clear boundaries of authority.

5.2.1.4 Human resources management


Human resources management affects the organisation’s ability to appoint adequate,
competent personnel in order for the organisation to achieve its objectives. Human
resources management includes the rules of the organisation regarding the appointment,
training, evaluation, promotion and remuneration of personnel, and the supply of the
resources that personnel may need in order to carry out their responsibilities. The
personnel of an organisation are the most important element in any system of control.
Even competent and reliable personnel can at some stage experience dissatisfaction,
personal problems and boredom, which can have a direct influence on the performance
of their work. Because of the importance of personnel, the methods by which personnel
are appointed, evaluated and remunerated form an important part of the internal control
structure.
Personnel practices can be categorised as follows:

• The appointment and evaluation of personnel
When appointing personnel, a formal evaluation process should be followed. Aptitude
tests, following up references and the conducting of interviews should form part of such
a process. Personnel should also be evaluated periodically to determine their progress
and to identify opportunities for further training.

• Personnel scheduling
Regular scheduling of personnel in respect of tasks should take place. In the same way,
the assignment of personnel’s tasks and duties should take the annual leave of personnel
into consideration.

• Regular rotation of duties, within limits
In order to give personnel exposure and to promote an alternation of tasks, rotation of
duties should be implemented. This should also combat fraud. Rotation of duties should
be applied with great caution, as personnel must have the necessary level of training in
order to perform the various tasks, and rotation must not create any further opportunity
for fraud to take place. For example, under normal circumstances computer programmers
would not be expected to perform the tasks of an operator.

• Career path possibilities
Clear career path possibilities must be made known to the personnel in order to create
promotion possibilities.

• The formalisation of personnel practices
Personnel practices should be contained in a formal document so that personnel are
made aware of intolerable practices.

• Exercise psychological control by striving to maintain high morale amongst personnel
Although management cannot be responsible for the psychological well-being of every
individual, aspects such as the overall atmosphere at the workplace, the example that
management sets, and the way personnel are treated, can all play an important role in
the morale amongst personnel.

5.2.2 Risk assessment


The second component of the COSO framework is risk assessment, as every
organisation faces a variety of risks that threaten the achievement of its objectives. These
risks must be identified, measured, analysed and controlled. Risk assessment is
management’s responsibility. Management should initiate plans, programmes and actions
to address the risks identified, or decide to accept risks because of cost or other
considerations.
Management therefore assesses risks as part of designing and maintaining internal
controls to minimise the risks. It should be noted that although the assessment of risk
may guide management in designing the internal control structure, other mitigating
activities can also be implemented. The management of risks was discussed in chapter 4.

5.2.3 Control activities


Internal control activities (or control activities for short) are the policies (what is expected)
and procedures (policies in action) that management has put in place, to ensure that the
necessary actions are taken to address risks and achieve management’s objectives for the
organisation. Control activities are applied at various levels of the organisation and
extend beyond the accounting system to all operational, reporting and compliance
activities. Key control activities or primary control activities represent control activities
designed to manage significant organisational objectives. Secondary control activities
are those activities that are less critical and serve a supplementary purpose.

5.2.3.1 Classification of internal control activities


Internal controls are designed to achieve various outcomes. Some provide direction so
that personnel know what to do (directive controls). Some are installed to prevent
undesirable outcomes before they happen (preventive controls). Others are designed to
identify undesirable outcomes when they do happen (detective controls). Still others
are designed to make sure that corrective action is taken to reverse the undesirable
outcomes that occurred or to see that they do not recur (corrective controls). All these
main categories have the same main function, namely to provide reasonable assurance
that management’s objective or goal will be met. They will now be discussed in more
detail.
• Directive controls
These controls provide direction (the rules that apply) and create a common ground
from which the organisation operates across, for example, different departments, divisions
and/or branches. The consequences of non-adherence are clearly stipulated. These
controls are embedded in internal policies.
• Preventive controls
Controls in this category are more cost-effective than the controls in the other categories.
When built into a system, preventive controls forestall errors and thereby avoid the cost
of correction. Preventive controls would include, for example:
  – trustworthy, competent people;
  – segregation of duties to prevent intentional wrongdoing;
  – proper authorisation to prevent improper use of organisational resources;
  – adequate documentation and records as well as proper record-keeping procedures
to deter improper transactions; and
  – physical control over assets to prevent their improper conversion or use.
• Detective controls
These are usually more expensive than preventive controls, but they too are essential.
First, they measure the effectiveness of the preventive controls. Second, some errors
cannot be effectively controlled through a system of prevention; they must be detected
when they occur. Detective controls include reviews and comparisons, such as records
of performance and independent checks on performance.

• Corrective controls
These controls take over when improper outcomes occur and are detected. All the
detective controls are worthless if the identified deficiency remains uncorrected or is
permitted to recur. Management must develop structures that keep the spotlight on an
undesirable condition until it is corrected and, where appropriate, must set up procedures
to prevent recurrence. Documentation and reporting structures keep problems under
management surveillance until they have been solved or the defect corrected. Corrective
controls thus close the loop that starts with prevention and passes through detection to
correction.

• Deterrent controls
These controls aim to deter people from doing wrong. Examples are a warning that a
person found shoplifting or trespassing will be prosecuted, CCTV cameras that monitor
movement and actions, or a security guard who checks a till slip against purchases when
a customer leaves the store. These controls tend to be simple and cost-effective and play
an important role in protecting information assets.

5.2.3.2 Types of internal control activities


The outcome for which a control is designed is achieved by implementing control
activities.
The types of control activities include, amongst others:

• Segregation of duties
The principal purpose of segregation of duties is to reduce the opportunities for an
individual to make and then conceal errors or irregularities while performing a task. To
achieve this, no individual should be responsible for more than one of the following:
  – authorising the transaction;
  – recording the transaction; and
  – executing the transaction or having custody of assets.
In an IT environment, there are other major functions that need to be segregated, but this
is dealt with in more detail later.
When duties are properly segregated, at least two personnel members would have to
work together to circumvent an established control. This is termed “collusion”.
An individual is less likely to attempt to commit an irregularity if he or she must first obtain
another personnel member’s consent. This is also why a good control environment is
important.
Personnel responsible for recording transactions should not also have the responsibility
for authorising the transactions. The organisation wants to ensure that only valid
authorised transactions take place. If the personnel member responsible for recording
may authorise a transaction, he or she could create and authorise fake transactions, in
order to balance the accounts.

Personnel who have access to or control physical assets should not be able to authorise
transactions. The same person should not be able to authorise a payment to a supplier
and sign the cheque, as the money in the bank is a form of asset.
Segregation of custody of assets from the recording function is needed to prevent the
personnel member from disposing of the asset for personal gain and then adjusting the
records to cover the fraudulent action. For example, if the cashier receives cash and is
responsible for recording the receipt and sales in the cash receipts journal, it becomes
possible for the cashier to take the cash received, adjust the debtor’s account by recording
a fictitious credit for discount or write-off, pocket the money, and neither the debtor
nor the organisation will be any the wiser.
Separation of the execution of the transaction, or of the operational responsibility, from
the record-keeping responsibility, is important to safeguard physical assets. If the
warehouse personnel are also responsible for recording the transaction, there would not
be independent reconciliation between the physical assets and the recorded assets, as
records could be adjusted. If each department was responsible for preparing its own
records and reports, there could be a tendency to bias the results to improve reported
performance. To ensure unbiased information, record-keeping is typically a separate
function.
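The three incompatible functions named above (authorising, recording, and executing or holding custody) can be checked mechanically. The following Python script is an added example written for this edition, not code from the textbook: it takes a constructed role matrix and a constructed transaction log (the person names, field names and transaction ids are assumptions) and reports, at design level, any person granted more than one of the three functions and, at transaction level, any transaction in which one person performed two or more of them. Either finding is the kind of segregation-of-duties exception an internal auditor would report to management.

```python
"""Segregation-of-duties (SoD) check over a constructed transaction log.

Added example; not from the textbook. It models the three functions the
text says must not rest with one person: authorising, recording, and
executing/custody. The role matrix and transaction records are constructed
sample data; person names, field names and ids are assumptions.
"""
from collections import defaultdict

# The three functions the text says must be held by different people.
INCOMPATIBLE_ROLES = ("authorise", "record", "execute")

# Constructed role assignments: person -> set of functions granted.
# Holding two or more of the three is a design-level conflict, before any
# transaction is processed (a preventive check on access/role design).
ROLE_MATRIX = {
    "alice": {"authorise"},
    "bob": {"record"},
    "carol": {"execute"},
    "dave": {"authorise", "record"},      # conflicting assignment
}

# Constructed transaction log: who actually performed each function.
TRANSACTIONS = [
    {"id": "T001", "authorise": "alice", "record": "bob", "execute": "carol"},
    {"id": "T002", "authorise": "dave", "record": "dave", "execute": "carol"},
    {"id": "T003", "authorise": "alice", "record": "bob", "execute": "bob"},
]


def role_conflicts(role_matrix):
    """Preventive check: persons granted more than one incompatible function.

    Returns {person: sorted list of conflicting functions}.
    """
    incompatible = set(INCOMPATIBLE_ROLES)
    return {
        person: sorted(roles & incompatible)
        for person, roles in role_matrix.items()
        if len(roles & incompatible) > 1
    }


def transaction_conflicts(transactions):
    """Detective check: transactions where one person performed 2+ functions.

    Returns a list of (transaction id, person, sorted functions performed).
    """
    findings = []
    for txn in transactions:
        by_person = defaultdict(list)
        for role in INCOMPATIBLE_ROLES:
            by_person[txn[role]].append(role)
        for person, roles in by_person.items():
            if len(roles) > 1:
                findings.append((txn["id"], person, sorted(roles)))
    return findings


def is_segregated(txn):
    """True when authorise, record and execute were three distinct people."""
    return len({txn[r] for r in INCOMPATIBLE_ROLES}) == len(INCOMPATIBLE_ROLES)


if __name__ == "__main__":
    print("Role-matrix conflicts:", role_conflicts(ROLE_MATRIX))
    for finding in transaction_conflicts(TRANSACTIONS):
        print("SoD violation:", finding)
```

The two checks map onto the classification in section 5.2.3.1: the role-matrix check is preventive (conflicting grants are caught before a transaction can be processed), while the transaction-level check is detective (it finds cases where segregation failed in practice, including collusion-free single-person violations). A real review would also confirm that the log itself is maintained independently of the people it records, for the reasons given under record-keeping above.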

• Authorisation of transactions and activities
Initiating a transaction is the first step in information processing. It is vitally important that
the transaction be authorised by the appropriate level of personnel. Every transaction
must be properly authorised and only valid authorised transactions should be executed
and recorded if controls are to be satisfactory.
Authorisation can be either general or specific. There is also a distinction between
authorisation and approval:
  – General authorisation means that management establishes policies for the
organisation to follow. The policies and procedures required for authorising
transactions are often documented in a manual; for example, management sets the
policy authorising the re-ordering of inventory when the inventory reaches a certain
level.
  – Staff or lower-level management are then instructed how and when to implement
these general authorisations by approving all transactions within the limits set by the
policy; for example, when the warehouse orders the inventory, the employee
responsible for inventory approves the order to indicate that the authorised policy has
been met.
  – Specific authorisation has to do with individual transactions. These are normally more
significant transactions and require authorisation from a higher level of management;
for example, when inventory becomes obsolete, the warehouse manager may give
specific authorisation that the inventory must be removed.

• Documentation and record keeping
Documents perform the function of transmitting information throughout the organisation
and between different organisations. These documents take on different forms and
provide for different information to be transmitted. Source documents are any written
documents that could explain or give proof of a transaction, system, decision or other
action; for example, an invoice received from the supplier will be proof of, inter alia, the
payment made, goods received, and date recorded.
Source documents should be:
  – sequentially pre-numbered to facilitate control over completeness of recording and
over unused or missing documents;
  – prepared at the time the transaction takes place to increase the likelihood of
accurately recording details of the transaction;
  – designed to obtain sufficient details, in a certain order, to fulfil business and
accounting needs;
  – sufficiently simple to complete to ensure that they are understood and accurately
completed;
  – provided with space for signature(s) to identify responsibility for the preparation
and/or authorisation of the document; and
  – designed for multiple use, whenever possible, to minimise the number of forms
and the times the information must be copied. Here multiple coloured copies work
well.

• Safeguarding of assets and information
Assets, accounting records and other information and documentation must be physically
protected and access to them should be limited. The use of physical precautions,
such as keeping inventory behind locked doors, limiting access to the warehouse and
hiring guards, has proved to be an effective safeguard for assets. Providing for sufficient
insurance is another form of safeguarding the assets.

• Independent checks / reviews
This control activity is the careful and continuous review of the above four control
activities by independent senior management and internal auditors. Personnel are likely
to forget or intentionally fail to follow procedures, or become careless, unless someone
observes and evaluates their performance. An essential characteristic of the person(s)
performing internal verification activities is independence from the individuals originally
responsible for preparing the data.

• Reconciliations
This control activity involves the comparison of information from different sources to
establish that the information in both sources is the same. The activity is primarily
aimed at achieving completeness and accuracy. Examples are a reconciliation between
the sub-ledger and the general ledger or between a bank statement and the general
ledger.
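As an added example (not the textbook’s own code), the following Python script performs the sub-ledger to general ledger reconciliation described above on constructed data: it totals the sub-ledger detail per account, compares each total with the general-ledger control balance, and reports both accuracy differences (the two balances disagree) and completeness gaps (an account present in one source but absent from the other). The account codes, amounts and data layout are assumptions.

```python
"""Sub-ledger to general-ledger reconciliation over constructed data.

Added example; not from the textbook. A reconciliation compares two
independent sources (here: detail entries in a debtors sub-ledger and the
control-account balances in the general ledger) and reports differences.
All figures are constructed sample data; the account codes are assumptions.
"""
from collections import defaultdict
from decimal import Decimal

# Constructed sub-ledger entries: (account, amount). Decimal is used so
# that float rounding cannot itself manufacture a spurious difference.
SUBLEDGER = [
    ("1100", Decimal("1500.00")),
    ("1100", Decimal("-250.00")),
    ("1200", Decimal("800.00")),
    ("1300", Decimal("120.50")),   # no GL balance exists for this account
]

# Constructed general-ledger control balances: account -> balance.
GENERAL_LEDGER = {
    "1100": Decimal("1250.00"),    # agrees with the sub-ledger total
    "1200": Decimal("850.00"),     # differs from the sub-ledger total
    "1400": Decimal("300.00"),     # no sub-ledger detail for this account
}


def subledger_totals(entries):
    """Sum the detail entries per account."""
    totals = defaultdict(Decimal)
    for account, amount in entries:
        totals[account] += amount
    return dict(totals)


def reconcile(entries, gl_balances):
    """Compare sub-ledger totals with GL balances, account by account.

    Returns {account: (sub-ledger total, GL balance, difference)}. An account
    present in only one source is reported with None on the missing side, so
    the check covers completeness as well as accuracy.
    """
    totals = subledger_totals(entries)
    result = {}
    for account in sorted(set(totals) | set(gl_balances)):
        sub = totals.get(account)
        gl = gl_balances.get(account)
        diff = (sub if sub is not None else Decimal(0)) - (gl if gl is not None else Decimal(0))
        result[account] = (sub, gl, diff)
    return result


def reconciling_items(entries, gl_balances):
    """Only the accounts that do not agree: the items needing follow-up."""
    return {
        account: row
        for account, row in reconcile(entries, gl_balances).items()
        if row[2] != 0 or row[0] is None or row[1] is None
    }


if __name__ == "__main__":
    for account, (sub, gl, diff) in reconciling_items(SUBLEDGER, GENERAL_LEDGER).items():
        print(f"{account}: sub-ledger={sub} GL={gl} difference={diff}")
```

Note that a zero net difference on its own is not proof of accuracy: offsetting errors within one account cancel out at total level, which is why the reconciliation is classified as a detective control and is followed up with review of the individual reconciling items rather than treated as final.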

• Supervision
Supervision is the act of watching a person or activity and making sure that things are
done correctly and according to the rules.

• Application controls
Application control activities, which consist of both manual and ICT control activities, are
those control activities that specifically relate to an application or transaction cycle.
Application controls are covered in detail in section 5.5.2.

5.2.3.3 Nature of internal control activities


As is evident from the control activities discussed, the control activities can be
performed by a person, referred to as manual controls, or the activities can be
performed by a computer, referred to as automated controls. An example of a manual
control is the review of a reconciliation performed by someone. An example of an
automated control is the checking of the length of an ID number when information is
captured on the human resources application. There are control activities that require
both a human and a computerised element, for example capturing a password. The
application prompts for a password and the user needs to capture it. These controls
are referred to as IT dependent manual controls.

Control activities are covered further in section 5.5.2 on application controls in this
chapter and in chapters 15 to 19 of the textbook.

A summary of controls is included in Annexure 1.

5.2.4 Information and communication


The fourth element, namely information and communication, identifies the need for
pertinent information to be identified, captured and communicated in a form and
time-frame that enables people to carry out their responsibilities. It also assumes that
effective communication must occur in a broader sense, as all personnel must receive a
clear message from senior management that control responsibilities must be taken
seriously, and that people must understand their role in the internal control structure, as
well as how individual activities relate to the work of others.

5.2.5 Monitoring
The last component, that is, monitoring, addresses the fact that most organisations
function in a changing environment. Internal control structures need to be monitored; a
process that assesses the quality of the structure’s performance over time to make sure
that current risks are identified, and the necessary controls are in place to address them.

5.3 Responsibility for internal control


5.3.1 The responsibility of management
The overall responsibility for internal control resides with the governing body of an
organisation. The governing body delegates this responsibility to management in the
organisation. In turn, management designs and implements control activities and is
accountable to the governing body in this regard. Management has to keep in mind the
objectives of internal control (refer to section 5.1.2) when designing an internal control
structure. The COSO framework is an example of an internal control structure that can
be used by management to develop the internal control activities. The function of
management is explained schematically in figure 5.2.

Figure 5.2: Management responsibility (organisational objectives; risk(s) threatening the
achievement of objectives; management implementation of control(s) to mitigate the
risk(s); outcome either control activities adequate, or control activities inadequate: a
control weakness from a lack of control activities, or controls that are poorly designed,
insufficient or inappropriate)

Management must ensure that control activities are adequate. Adequacy entails that
management has planned and designed controls in such a manner that reasonable
assurance is provided that risks are managed effectively, and organisational objectives
will be achieved.

5.3.2 The function of the external auditor


The objective of an external auditor is to express an opinion on the reasonableness of
financial statements. When performing a financial audit, the external auditor only
examines those controls that relate to the financial statements; therefore, the focus is on
an evaluation of financial controls, accounting systems and related internal controls.
5.3.3 The function of the internal auditor
According to the definition of internal auditing, control represents one of the three major
elements that an internal audit activity should focus on. The Standards address the
relationship between the internal auditor and internal control in Standard 2130, by stating
that the internal audit activity should assist the organisation in maintaining effective
controls by evaluating their effectiveness and efficiency and by promoting continuous
improvement.
It also points out that the evaluation of controls should be based on a risk assessment
and the adequacy of the current controls in place to prevent the risk from occurring. In
other words, internal auditing must first identify what may go wrong, preventing the
organisation from achieving its objectives, and whether the controls in place will prevent
these from occurring, before it can assess the effectiveness of the controls implemented
by management. The function of the internal auditor is explained schematically in
figure 5.3.

Figure 5.3: Internal control


The internal auditor assesses the effectiveness of control activities that are present
(Detailed activities performed by the internal auditor in assessing controls are covered in
chapter 13). Effectiveness entails the achievement of the control objective. If control
activities are not in place (lack of adequate control) or the control activities are insufficient
in managing risks (inadequate), this is reported as a finding to senior management and
the governing body.
The purpose of the examination of the internal control activities by the internal auditor
can be further explained as follows:
• The purpose of the review of the adequacy of the structure of internal control is to
determine whether the existing structure gives reasonable assurance that the
organisation’s objectives and goals are being achieved in an economical and
efficient manner. Reviews should be performed per programme or operation in the
organisation and linked to the goals and objectives of the organisation as a whole.
• Adequate criteria are needed to assess controls. Internal auditors should ascertain
the extent to which management has established adequate criteria to determine
whether objectives and goals have been accomplished. If adequate, internal
auditors should use such criteria in their evaluation. If inadequate, internal auditors
should work with management to develop appropriate evaluation criteria.
• Senior management and the audit committee expect the chief audit executive and
the internal audit team to perform their work in such a manner that a reasonable
assessment of the state of the internal controls within the organisation can be made,
based on their work. It is recommended that the chief audit executive delivers an
annual report on the state of the organisation’s internal controls, which could form
the basis for reporting on governance issues in the annual financial report.
• Internal auditors should continuously be alert to any control weaknesses in their
organisation, irrespective of the type of engagement they are executing. The internal
auditor is an expert on control issues and should ensure that this knowledge and
skills are applied for the organisation as a whole. When identifying control
weaknesses, recommendations that are both effective and efficient to address the
weakness should be made.
Sound governance principles also highlight the role of internal auditing and its
relationship with the internal control structure of an organisation. These principles state
that the internal audit activity should assist the governing body and management in
maintaining effective controls by evaluating them to determine their effectiveness and
efficiency, and by developing recommendations for enhancement or improvement. A
written assessment on the effectiveness of the organisation’s internal control structure
must be submitted to the governing body.
A summary of the relationships between the different role-players and their
responsibilities for internal control is provided in table 5.1.

Table 5.1: Responsibilities for internal control

Management should → design the internal control structure and implement internal
control activities → to achieve management’s internal control objectives → to meet
organisational objectives.

External auditor should → evaluate and test accounting structures, related internal
control structures and financial control activities → to achieve audit-related
objectives → to express an opinion on financial statements.

Internal auditor should → assess the adequacy and test the effectiveness of internal
control activities → to achieve engagement objectives → to express an opinion on
the adequacy and effectiveness of controls in mitigating risks.

It should also be noted that, according to the IIA Standards, if management does not
implement adequate controls, the likelihood of a risk occurring and/or the impact of the
loss resulting from the risk will increase, and management must accept this residual risk
(the risk that still remains after management has implemented internal control activities).
If the chief audit executive believes that senior management has accepted a level of
residual risk that is unacceptable to the organisation, he or she should discuss the matter
with senior management. If the issue is not resolved, the matter should be reported to
the governing body for resolution.

5.4 Advantages and limitations of internal control


5.4.1 Advantages of internal control
Internal control can assist an organisation to:
• achieve its goals for profitability and outputs;
• prevent resource losses;
• promote reliable financial reporting;
• support compliance with legislation and regulations; and
• prevent the organisation’s reputation from being tarnished, with the consequences
that would follow.
In summary, internal control can assist the organisation to attain its goals – to get where
it wants to be – and at the same time avoid surprises and threats along the way.

5.4.2 Limitations of internal control

Internal control CANNOT do either of the following:

• Ensure an organisation’s success


Internal control can assist an organisation to be successful but cannot ensure success.
Internal control can, for example, identify weaknesses, but cannot change management
from bad to good. Furthermore, factors such as government policy and economic factors
are beyond the scope of internal control activities.

• Ensure the reliability of financial reporting and compliance with legislation and
regulations
A system of internal control, no matter how well it has been designed, can only give
reasonable, but not absolute, assurance concerning the attainment of goals.
Certain limitations are inherent to all structures of internal control, such as:
• faulty judgement being applied in the decision-making process;
• ordinary errors being made;
• collusion between two or more persons invalidating the structure of internal control;
• management having the ability to override the structure; and
• the design of a system of internal control being limited by available resources, so
that the advantages arising from the control have to be compared to the cost.
The internal auditor should also consider the possibility of over-controlling. In some
instances, the controls recommended are too voluminous, too complex, too generalised,
stereotyped and misleading.

5.5 Control in an information technology environment


Most organisations use IT in the processing of financial, operational and other
information. Internal control objectives and principles do not change from a manual
environment to an IT environment; they merely take on different forms. The internal
auditor must also assess the adequacy and test the effectiveness of IT controls. IT
controls are divided into general and application controls.

5.5.1 IT General controls


IT general controls relate to the IT environment as a whole. These controls are not
software (application) specific and control the environment in which system and
application software operates. IT general controls are defined as having pervasive
effects, which means that if they are weak or absent, they may negate the effects of the
application controls. In an IT environment, the presence of effective general controls as
part of the internal control structure is vital. The evaluation thereof by the modern internal
auditor should be seen as very important, in order to ensure that the correct control
climate will be in place. Examples of IT general controls include:
• organisational controls related to IT personnel;
• standard operating procedures for systems;
• system documentation controls;
• system development and program change controls;
• hardware and software controls; and
• security controls related to IT.
5.5.2 Application controls
Application control activities, which consist of both manual and ICT control activities, are
those control activities that specifically relate to an application or transaction cycle. The
effective functioning of application control activities depends on the functioning of the
general control activities in the ICT environment.
The characteristics of application control activities are that:
• they include both user and technical procedures; and
• they are present during data input, processing and output.
The specific control activities will depend on the type of transactions, method of input and
processing, as well as the stage in the processing cycle.
The role of control activities in ICT systems can be set out as follows:
• Systems objectives are achieved by using application and general control activities
which prevent, detect and correct errors during each phase in the transaction cycle.
• Application control activities are specifically created for each accounting system.
• General control activities create the environment in which the application control
activities can function.
• Application control activities can be divided into preventive, detective and corrective
control activities during each phase of the transaction cycle.
The audit trail consists of the input, processing and output documentation and file data
that allows for the review of the processing of a transaction. Audit trails will differ
depending on the method of input, processing and output that is used. The auditor must
follow the logical steps of the transaction. The data, transaction and steps must then be
interconnected.
Application control activities will be discussed for each phase of transaction processing.
Two main types of systems can be distinguished, namely the so-called “batch system”
and the “on-line system”. Variations on these two systems can be found: for example,
organisation A operates an on-line system which is preceded by a number of manual
actions and the issuing of documentation, while organisation B operates an on-line
system in which no source documents are present. The control activities that are
implemented in these two systems will obviously be different.
In order to simplify the study of control activities, they are discussed per phase in
transaction processing, as figure 2.4 below indicates, with a distinction being made
between preventive, detective and corrective control activities for each phase.

Figure 2.5 (diagram): Batch system: Data capture → Data preparation → Batch data
input → Processing → Output. OR On-line system: Data capture → Online data input →
Processing → Output.

Figure 2.5: Phases in the processing of a transaction

5.5.2.1 Data capturing
5.5.2.1.1 Definition
Data capturing normally entails a manual action (exceptions do however exist), which
includes the initiation, recommendation, authorisation, review and preparation of
documentation which constitutes the transaction. Data capturing is mainly of importance
in batch systems to ensure reliability and accuracy of data prior to the data being entered
into the computer system. Examples include customers completing an application form,
for example, when opening a new bank account. Normally this is done by completing a
document in pen (filling in the fields on the form for date of birth, identity number,
addresses). All the application forms will have to be entered into a system and converted
into electronic format at a later stage.
However, as mentioned, data capturing does not always have to be the manual
completion of a document. Consider the numerous examples where application forms
can be completed electronically, on-line. Even though there is no paper document, this
still represents data capturing, as the data is captured for the first time and constitutes
the beginning of a process or transaction where data will make its way through the ICT
system.

5.5.2.1.2 Risks
Risks present during data capturing include:
• Omission of valid transactions – A document is not completed and entered at all,
or is not fully completed.
• Inaccurate source data – The document, whether manual or electronic, is
completed but the date on the document is incorrect; for example, a person enters
his or her date of birth as 07/08/82 where the actual date is 8 July 1982. If no control
is present, the wrong date will end up in the database of the organisation.
• Transaction captured in the wrong accounting period – Because there is a time
delay between capturing data, especially where manual forms are used, and the
subsequent entry and processing of the data on the document by the system,
transactions might be processed and posted in the wrong accounting period,
even though they occurred in an earlier period.
• Incorrect valuation and/or classification – When data is captured for the first
time, the risk of incorrectly valuing or classifying a transaction is very high. Think
of an example where a retailer writes out a manual invoice to a customer and
calculates the total and tax by hand. In addition, the retailer should take into
account discounts (whether bulk or cash) and indicate those on the written invoice.
Any error in calculations or wrong classification of the discount will end up on the
system when the manual invoices are entered and electronically processed at a
later stage.
• Invalid transactions captured – Source documents that should not be used for
capturing information are completed, or customers complete the wrong forms on-
line and submit them.
• Valid transactions are captured twice – This is a high risk where physical source
documents are used. Sometimes a person will complete a form, make a mistake
and start completing a new form; the risk here is that both forms, essentially relating
to a single transaction, are allowed to flow through the process.
• Valid transactions may get lost – A completed manual form may not end up in the
right place or be included in the right batch to follow its intended process. In today’s
on-line environment, it often happens that customers complete forms or
documents on-line and press the submit button, but breaks in the connection or other
interference cause the transaction to be lost, so that it never reaches the destination
where it would have been the source for the next step in the process.

5.5.2.1.3 Preventative control activities

• User procedure manuals – Assist in consistent data capturing by indicating
information required on documents, the flow of documents, time schedules, control
over documents, and the extent of review and authorisation required, to name a few.
• Design of documentation – Documents should be printed in special formats
(copies in various colours and certain copies perforated). As much data as possible
should be pre-printed on the document (organisation name, tax number) and all
documents should be pre-numbered. Fields that should be completed should be
clearly indicated, and where possible should give an indication of the format required.
For example, for the date, most forms will indicate DD/MM/YYYY to lead the person
completing the form to use the correct sequence and format.
• Security over forms – Unused document books are controlled by a stationery
register, while partially used books are controlled and kept in safe custody. This
addresses the risk of invalid transactions being captured.
• Other control activities – Include the identification of the preparer, proper
segregation of duties relating to authorisation and proper evidence of
authorisation (for example, the use of stamps as proof of authorisation should be
used in conjunction with signatures).

5.5.2.1.4 Detective control activities

• Proper review and authorisation of documents.

5.5.2.1.5 Corrective control activities

• Written error correction procedures should be included in the user manual. It is
important to remember that source documents which are being corrected and
resubmitted must first be checked, and corrections should be initialled.

5.5.2.1.6 Audit trail

The internal auditor has access to evidence of what occurred during this stage as follows:
• The source document itself – Where manual documents were completed.
• A transaction list – This can be prepared where documents were electronically
completed, to indicate all the transactions/documents completed. In most cases
flagged items on the list can be printed out to give the internal auditor the original
electronically completed data.

5.5.3 Batch data preparation and input

5.5.3.1 Definition
Batch data preparation entails the collection of data in batches and the preparation of
data by converting and coding it into computer-readable form. These actions take place
prior to the actual processing of the data by the ICT system. Batch data input refers to
the on-line input of batch data from machine-readable media into the primary storage
medium from where it will be processed. It is important to mention that most people
incorrectly refer to the entry of a document or form as data capturing. Remember, the
data was captured when the document was completed; that was the first step. The
manual document is converted to electronic format by entry.

5.5.3.2 Risks
• Source data may be incorrect – Incorrect data was not prevented, detected or
corrected during the capturing stage and reached this stage. Unless it is identified
here, it will be submitted for processing.
• Transactions may be omitted during data preparation – As documents are
batched and prepared to be sent to the next stage, some transactions and
documents might be excluded, either intentionally or unintentionally.
• Incorrect valuation and/or classification of data may take place during
conversion and coding – The source data is correct but during entry the wrong
data is keyed in, either intentionally or unintentionally.
• Transactions are converted more than once – This is a common risk both for
manual documents and where the source data was initially captured electronically.
Examples include the same application form at the bank being entered twice or a
form completed by a person on-line being submitted twice.
• Unauthorised transactions are added – A document or transaction that was not
created in the data capturing stage is either entered into the batch for capturing (a
fake document) or a transaction is entered into the system (data entry) that does
not exist in the source data.

5.5.3.3 Preventative control activities


• Batch control activities – Calculating control totals, allocating a batch number,
limiting the number of documents per batch and maintaining control totals in a log
book. This is done prior to the documents being sent for capturing. The following
batch totals should be calculated:
  • Document/record count: The number of documents in the batch.
  • Financial total (or other comprehensible total): Rand value of all the
  transactions in the batch (or total hours worked on all clock cards).
  • Hash total: The total of the fields that would not normally be added. This
  total usually ensures the correct allocation of transactions.

The following credit sales transactions are included in a batch of invoices:


Account number: Transaction value:
26354 234,00
26467 635,95
36585 564,65
86954 968,32
53244 546,38
Calculated batch control totals for this batch:
Document count = 5
Financial total = 2 949,30
Hash total = 229 604 (Account numbers added).

• Transmission documents – A cover document accompanies the batch and indicates
control totals, recipient and sender, as well as content.
• Written instructions – Standard procedures in respect of the entering of data, the
operation of devices and the actions taken on the basis of error messages result
in uniformity.
• Low error environment – Includes well-trained personnel, proper seating, lighting,
equipment and minimal noise.
• Drop-down menus – These, where applicable, limit the options available where
information is entered into the computer.
• Review of input data for accuracy and completeness – Review of the batch on
receipt thereof and comparing it with the transmission ticket and batch totals.
• Avoiding transactions or documents being entered into the system twice –
All manual documents should be stamped “CAPTURED” once the information has
been converted to electronic format, to avoid the same document being entered
again. In an on-line system, especially with Internet transactions, a warning is
usually displayed at the submit button, explicitly stating that the button should only
be pressed once.
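The batch totals above worked through in code, as an added example that is not from the textbook: the preventive calculation of the three totals for the constructed batch of five invoices, followed by the detective comparison (described under the detective control activities that follow) of the totals recomputed after entry against those on the transmission document. Rand values are kept in cents; the duplicated invoice and the mis-keyed account number are constructed inputs.

```python
"""Batch control totals for a batch of credit sales invoices (added example).

Computes the document count, financial total and hash total recorded before a
batch is sent for entry, and then reconciles the totals recomputed from the
entered records against the transmission document.  Amounts are in cents.
"""

# Constructed batch: the five invoices from the text, as (account number, value).
BATCH = [
    ("26354", "234,00"),
    ("26467", "635,95"),
    ("36585", "564,65"),
    ("86954", "968,32"),
    ("53244", "546,38"),
]


def rand_to_cents(amount: str) -> int:
    """Parse an amount written as on the documents ("2 949,30") into cents."""
    rands, _, cents = amount.replace(" ", "").partition(",")
    return int(rands) * 100 + int((cents or "0").ljust(2, "0")[:2])


def format_rand(cents: int) -> str:
    """Format cents the way the documents show amounts: 294930 -> "2 949,30"."""
    rands = f"{cents // 100:,}".replace(",", " ")
    return f"{rands},{cents % 100:02d}"


def batch_control_totals(records):
    """Preventive control: the three totals recorded before the batch leaves.
    Returns (document count, financial total in cents, hash total)."""
    document_count = len(records)
    financial_total = sum(rand_to_cents(value) for _, value in records)
    # Hash total: account numbers are not a meaningful sum, but adding them
    # exposes a transaction posted to the wrong account or entered twice.
    hash_total = sum(int(account) for account, _ in records)
    return document_count, financial_total, hash_total


def reconcile_batch(transmission_totals, entered_records):
    """Detective control: recompute the totals from the records as entered and
    compare them with the totals on the transmission document.  Returns one
    message per total that disagrees; an empty list means the batch balances."""
    names = ("document count", "financial total", "hash total")
    recomputed = batch_control_totals(entered_records)
    return [
        f"{name} on transmission document {expected} differs from entered total {actual}"
        for name, expected, actual in zip(names, transmission_totals, recomputed)
        if expected != actual
    ]


if __name__ == "__main__":
    totals = batch_control_totals(BATCH)
    print("Document count:", totals[0])                 # 5
    print("Financial total:", format_rand(totals[1]))   # 2 949,30
    print("Hash total:", totals[2])                     # 229604
    # Invoice 36585 entered twice (document never stamped CAPTURED):
    # all three totals disagree.
    print(reconcile_batch(totals, BATCH + [BATCH[2]]))
    # Account number keyed as 63585 instead of 36585: count and financial
    # total still agree, only the hash total exposes the error.
    swapped = [("63585", v) if a == "36585" else (a, v) for a, v in BATCH]
    print(reconcile_batch(totals, swapped))
```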

5.5.3.4 Detective control activities


• Reviewing batch control activities – Prior to capturing the batched documents, a
comparison should be done between the totals and information on the transmission
document and the received source documents.
• Transmittal and route slips – Signed by recipients of the batch and returned to
sender as proof of receipt.
• Input validation during the capturing of the documents – When documents are
converted to computer-readable format, validation tests (programmed control
activities) are applied. These include:
  • Data classification and transaction codes – Code indicates transaction type,
  for example, 01 = sale and 02 = payment.
  • Sign test – Certain fields can only contain either a positive or a negative value,
  for example, quantity received can only be positive.
  • Value test – Certain fields always have the same value, for example, cash
  discount will always be R0 in a credit sale.
  • Alpha test – Certain fields only consist of alphabetical letters, for example,
  client name.
  • Numeric test – Certain fields always consist of numeric characters, for example,
  quantity, hours worked, identity number.
  • Alphanumeric test – Field should consist of both numbers and letters, for
  example, address.
  • Field size test – A field may only consist of a fixed number of characters, for
  example, a field for an identity number will only allow 13 characters to be
  entered.
  • Limit test – The value of a field may not exceed a predetermined value, for
  example, a field for normal hours worked in a payroll system is limited to 40.
  • Field presence test – From a preventative approach the cursor automatically
  jumps to the next field and will not continue unless data is entered. From a
  detective point of view, the record is checked for any compulsory field
  left blank after the data is captured but before processing, and an error
  message appears.
  • Invalid data combination test – With reference to other fields, the validity of
  data is tested, for example, no data can be entered in the overtime field of
  a payroll programme unless the normal hours worked field is 40. This test is
  also widely used in credit sales programmes to compare the value of a sale to
  the field “credit available”.
  • Control or check digit – Last digit of a code that verifies the correctness of the
  preceding digits. This test is widely used for credit card numbers, account
  numbers and identity numbers. Various methods for calculating check digits
  exist. An example of one such method follows below.
  • Sequence test – Certain documents are pre-numbered and a sequence test
  performed by the system will identify missing documents. This can also be
  applied to employee numbers, etc. Note that when a check digit control is
  applied, sequence testing can, in limited circumstances, only be applied to the
  characters excluding the check digit.
  • Key verification – Duplicate input of data and the comparison of the two sets
  of data.
  • Recalculation of batch totals – The computer recalculates the control totals for
  the batch, based on the documents entered. This total is compared to the manual
  total reviewed (or entered) prior to the start of capturing to ensure the accuracy
  of data entered.

Calculating a check digit

1. Take an account number, for example, 25635.
2. Multiply each character in the customer number by a digit weight (indicating the
character’s position in the sequence) plus 1 (in this example we have five characters, so
the highest digit weight will be 6, being 5 + 1).
2 5 6 3 5
× 6 5 4 3 2
12 25 24 9 10
3. Add the products: 12 + 25 + 24 + 9 + 10 = 80.
4. Divide by a modulus of 11 and subtract the total from the next higher multiple of 11 to
get the self-checking digit (80/11 = 7 – ignore anything after the decimal, so the next higher
multiple is 8 × 11 = 88). To calculate the check digit, we subtract 80 from 88. The check
digit = 8.
5. New account number = 256358.

Test
Account number entered as 253658 (transposition of the 6 and 3):
2 5 3 6 5 8
× 6 5 4 3 2 1
12 + 25 + 12 + 18 + 10 + 8 = 85
85/11 = 7 (ignore anything after the decimal) and the remainder is 8 (7 × 11 = 77 and the
difference between 77 and 85 is 8). The remainder should be zero, so this indicates an
invalid account number.
Entered correctly as 256358:
2 5 6 3 5 8
× 6 5 4 3 2 1
12 + 25 + 24 + 9 + 10 + 8 = 88
88/11 = 8 and the remainder is 0 (8 × 11 = 88 and 88 – 88 = 0).
If the remainder is 0, it indicates a valid account number.
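The check digit method above, together with the other validation tests listed for data input, as an added example that is not from the textbook. The payroll record layout, the field names, the sample identity numbers and the treatment of a check digit that would come to 10 (the number is simply not issued) are assumptions of this example.

```python
"""Input validation tests applied to a record as it is keyed in, including the
modulus 11 check digit worked through in the text (added example).  The
payroll record layout, field names, sample identity numbers and the handling
of a check digit of 10 are assumptions, not the textbook's."""

ID_NUMBER_LENGTH = 13     # the identity number field accepts 13 characters
NORMAL_HOURS_LIMIT = 40   # normal hours worked in a payroll system are limited to 40


def check_digit_mod11(number: str):
    """Check digit by the method in the text: weight each digit by its position
    counted from the right plus 1 (the leftmost of five digits gets weight 6),
    add the products and subtract the sum from the next higher multiple of 11.
    A sum that is already a multiple of 11 gets check digit 0.  Returns None
    when the difference would be 10, which no single digit can represent
    (assumption: such numbers are simply not issued)."""
    weights = range(len(number) + 1, 1, -1)
    total = sum(int(d) * w for d, w in zip(number, weights))
    remainder = total % 11
    if remainder == 0:
        return 0
    digit = 11 - remainder
    return None if digit == 10 else digit


def has_valid_check_digit(code: str) -> bool:
    """Control digit test: the weighted sum of all digits, with the check digit
    carrying weight 1, must be an exact multiple of 11."""
    if not code.isdigit() or len(code) < 2:
        return False
    weights = range(len(code), 0, -1)
    return sum(int(d) * w for d, w in zip(code, weights)) % 11 == 0


def _as_int(text):
    """Numeric test helper: the integer value of a field, or None if the
    field does not hold a (signed) whole number."""
    try:
        return int(text)
    except (TypeError, ValueError):
        return None


def validate_payroll_record(record: dict) -> list:
    """Run the input validation tests over one payroll record and return the
    names of the tests it failed; an empty list means the record is accepted."""
    errors = []
    # Field presence test: compulsory fields may not be left blank.
    for field in ("employee_no", "id_number", "normal_hours"):
        if not record.get(field):
            errors.append(f"{field}: field presence")
    if errors:
        return errors
    # Control digit test on the employee number.
    if not has_valid_check_digit(record["employee_no"]):
        errors.append("employee_no: check digit")
    # Numeric test and field size test on the identity number.
    id_number = record["id_number"]
    if not id_number.isdigit():
        errors.append("id_number: numeric")
    if len(id_number) != ID_NUMBER_LENGTH:
        errors.append("id_number: field size")
    # Numeric, sign and limit tests on normal hours worked.
    hours = _as_int(record["normal_hours"])
    if hours is None:
        errors.append("normal_hours: numeric")
    elif hours < 0:
        errors.append("normal_hours: sign")
    elif hours > NORMAL_HOURS_LIMIT:
        errors.append("normal_hours: limit")
    # Invalid data combination test: overtime may only be entered when the
    # normal hours field holds the full 40.
    overtime = _as_int(record.get("overtime_hours") or "0")
    if overtime and hours != NORMAL_HOURS_LIMIT:
        errors.append("overtime_hours: invalid data combination")
    return errors


# Constructed records.  The second transposes two digits of the employee
# number (253658 for 256358), has an 11-digit identity number and claims
# overtime on a 45-hour week.
GOOD_RECORD = {"employee_no": "256358", "id_number": "8207085012089",
               "normal_hours": "40", "overtime_hours": "5"}
BAD_RECORD = {"employee_no": "253658", "id_number": "82070850120",
              "normal_hours": "45", "overtime_hours": "3"}

if __name__ == "__main__":
    print("Check digit for 25635:", check_digit_mod11("25635"))   # 8
    print("Good record:", validate_payroll_record(GOOD_RECORD))    # []
    print("Bad record:", validate_payroll_record(BAD_RECORD))
```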

5.5.3.5 Corrective control activities


• Accept the batch only if all transactions are correct – Rejected transactions are
first referred back and corrected before the batch will be accepted. This will be
applied where delayed processing can occur.
• Accept valid and rejected transactions – But attach an error message to incorrect
transactions. The transactions are accepted temporarily and an error message will
appear on the error log to be corrected at a later stage. Applicable in cases where
processing needs to continue, for example, where the debtors’ master file is to be
updated.
• Accept only valid transactions – Only valid transactions are accepted and
erroneous transactions are excluded from processing. Applied where errors in a
batch can be identified and related to specific documents.
• Upstream resubmission – The rejected transactions must pass through the
whole system again and are subjected to all the control activities discussed above.

5.5.3.6 Audit trail


The internal auditor can use the following sources to review evidence created during this
process:
• Printout of validated transactions for each batch with corresponding batch totals
– To ensure that all source documents in a batch were completely and accurately
entered into the system.
• Printout of rejected transactions and batches – This will provide the internal
auditor with a list of all entries that failed any of the control activities discussed
above, and gives the internal auditor a reference to investigate these further by
referring back to the source of the document or transaction. Most systems will also
provide an error code that indicates the reason for rejection. A good example would
be an error code indicating that a transaction already exists based on the transaction
number, indicating the possibility that the original document was never stamped
“CAPTURED” and was therefore presented for a second round of entry.
• Transaction files, on magnetic disk or system memory, of both valid and
rejected transactions – The computer system keeps excellent records of all
activities and entries made, and this provides a valuable source of evidence for the
internal auditor to do comparisons and reviews of information entered on the
system.

5.5.4 Processing
5.5.4.1 Definition
Processing is the internal computer function where calculations are effected on data in
accordance with the instructions of the program.

5.5.4.2 Risks
• Errors occur as a result of incorrect calculations – Where the calculation formulas
or reference tables in a computer program are incorrect, mathematically processing
transactions using this incorrect logic leads to mistakes. An example would be
where the payroll is processed and the system applies the incorrect tax rate for the
tax deduction or adds certain deductions to the gross amount instead of
subtracting them. The error will be consistent, as the computer system will
apply this programming error to all the payroll transactions processed.
• Errors may result from incorrect processing logic – The flow of processing
might be incorrect. For example, in a payroll system the system is programmed to
first calculate tax and then all other deductions. This will lead to the incorrect tax
amount being deducted, as the tax-deductible items such as retirement contributions
and medical aid need to be processed before the tax rate is applied.
• The wrong file may be used in processing – The master file with new unit prices
must be used from 1 January, but the previous file is still used and all sales
transactions are processed at the incorrect price.
• The wrong record may be updated – Debtor number 73211 is used instead of
debtor 732111 and the transaction is incorrectly posted.
• Incorrect table values or factors may be used – The previous year’s tax tables are
applied to a payroll program.
• Wrong default values may be used – Interest is calculated on all outstanding
accounts, instead of only on accounts in arrears for more than one month.
• Wrong version of a program may be used – An updated program with new
functionalities to meet changing business demands is not used when it should have
been implemented and used.
• A transaction may be automatically generated that does not conform to
normal policies – This generally applies to enterprise resource planning
(ERP) systems, which will be discussed later in this chapter. The program may
automatically generate orders for certain products, even though inventory is not at
re-order level.

5.5.4.3 Preventative control activities


Reliance is placed on general control activities and input control activities for the
prevention of errors during processing to ensure that only valid and accurate data is
processed. Systems development and program change control activities, library control
activities and standard operating procedures are general control activities that are of
importance to ensure correct processing.

5.5.4.4 Detective control activities


• Processing activity report – Provides a record of programs and data used during
processing and is indirect evidence of what happened during processing.
• Validation tests to detect data errors:
  • File label check: Internal file label checked to ensure correct version.
  • Record identification check: With a sequentially organised master file, the
  primary key of each record is checked to ensure that the next record is in fact
  the logically correct record (numerical sequence).
  • Transaction code test: Determines the relevant subroutine for the transaction.
  • Anticipation control: The program expects further input.
• Validation tests to detect processing errors:
  • Arithmetic accuracy tests: These include double arithmetic (calculations are
  done twice), reverse multiplication (the result of a multiplication is divided
  by the multiplier and compared with the other factor) and overflow checks
  (computations whose results contain too many digits for the assigned storage
  location are stored separately with a corresponding error message).
  • Dual field input: Data is entered in two separate but related fields (inventory
  sold is credited on the sales account and the stock records are adjusted
  accordingly – at the end of the day the two accounts are compared).
  • Data reasonableness test: Detects results of processing that fall outside the
  set of expected results (only certain inventory numbers may be used at a
  certain plant).
  • Data limit test: Results must be equal to or less than a certain value.
  • Cross-footing: Cross casting and balancing by the system after processing
  (gross payroll less deductions equals net pay).
  • Other validation tests (discussed as part of input) can also be applied. It is
  important to remember that these tests (for example, limit test, numeric test)
  are now applied to the field that contains the results of processing.
• Systems balancing control activities:
  • Subsystems totals: The totals of different subsystems are compared with each
  other (total hours paid in the wage system must equal total hours allocated
  to a project plus idle time as indicated by the job costing system).
  • Run-to-run totals: Normal balancing of opening balance, plus additions,
  minus subtractions should, for example, equal the closing balance of the
  master file for debtors.

5.5.4.5 Corrective control activities


l Error detected by validation tests during processing and corrected within the current
batch (a unique number is allocated to the error, which is written to a suspense file;
final processing and updating takes place when the error is resubmitted).
l Error detected by validation tests during processing and removed from the current
batch.
l Error detected after processing (noted manually in an error log and corrected at a
later stage).
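The processing-stage validation tests and the suspense-file handling described in the two sections above can be demonstrated on a small payroll batch. The Python below is an added example, not code from the textbook; the payroll records, the allowed plant codes and the net pay limit are constructed assumptions chosen so that one record fails each of the cross-footing, reasonableness and limit tests. Records that pass every test are processed, and each rejected record is written to a suspense file under a unique error number so that it can be resubmitted later (the first corrective activity listed above). The run-to-run and subsystem balancing checks from the systems balancing list are included as separate functions.

```python
from decimal import Decimal

# Constructed payroll batch for the example (hypothetical data, not from the chapter).
# Amounts are Decimal so that the arithmetic accuracy tests are exact.
PAYROLL_BATCH = [
    {"emp": "E001", "plant": "P1", "hours": Decimal("40"), "rate": Decimal("150.00"),
     "gross": Decimal("6000.00"), "deductions": Decimal("1200.00"), "net": Decimal("4800.00")},
    {"emp": "E002", "plant": "P1", "hours": Decimal("38"), "rate": Decimal("150.00"),
     "gross": Decimal("5700.00"), "deductions": Decimal("1140.00"), "net": Decimal("4560.00")},
    # cross-footing error: gross less deductions is 6400.00, not 6300.00
    {"emp": "E003", "plant": "P2", "hours": Decimal("40"), "rate": Decimal("200.00"),
     "gross": Decimal("8000.00"), "deductions": Decimal("1600.00"), "net": Decimal("6300.00")},
    # reasonableness error: plant P9 is not expected in this payroll run
    {"emp": "E004", "plant": "P9", "hours": Decimal("40"), "rate": Decimal("150.00"),
     "gross": Decimal("6000.00"), "deductions": Decimal("1200.00"), "net": Decimal("4800.00")},
    # limit error: net pay above the programmed ceiling
    {"emp": "E005", "plant": "P2", "hours": Decimal("40"), "rate": Decimal("3000.00"),
     "gross": Decimal("120000.00"), "deductions": Decimal("0.00"), "net": Decimal("120000.00")},
]

ALLOWED_PLANTS = {"P1", "P2"}           # assumed set for the data reasonableness test
NET_PAY_LIMIT = Decimal("100000.00")    # assumed ceiling for the data limit test


def validate_record(rec):
    """Apply the processing validation tests to one record; return the list of failures."""
    failures = []
    # Arithmetic accuracy (reverse multiplication): gross / rate must give the hours again
    if rec["rate"] != 0 and rec["gross"] / rec["rate"] != rec["hours"]:
        failures.append("reverse multiplication: gross / rate != hours")
    # Cross-footing: gross less deductions must equal net
    if rec["gross"] - rec["deductions"] != rec["net"]:
        failures.append("cross-footing: gross - deductions != net")
    # Data reasonableness: only certain plant codes may appear in this run
    if rec["plant"] not in ALLOWED_PLANTS:
        failures.append(f"reasonableness: plant {rec['plant']} not expected")
    # Data limit: net pay must be equal to or less than the limit
    if rec["net"] > NET_PAY_LIMIT:
        failures.append(f"limit: net {rec['net']} exceeds {NET_PAY_LIMIT}")
    return failures


def process_batch(batch, first_error_no=1):
    """Corrective handling: valid records are processed; each rejected record goes to
    the suspense file under a unique error number, with the reasons, for resubmission."""
    processed, suspense = [], []
    next_error_no = first_error_no
    for rec in batch:
        failures = validate_record(rec)
        if failures:
            suspense.append({"error_no": next_error_no, "record": rec, "reasons": failures})
            next_error_no += 1
        else:
            processed.append(rec)
    return processed, suspense


def run_to_run_check(opening, additions, subtractions, closing):
    """Run-to-run total: opening + additions - subtractions must equal the closing balance."""
    return opening + additions - subtractions == closing


def subsystem_totals_agree(wage_hours_paid, job_costing_hours, idle_hours):
    """Subsystem totals: hours paid by the wage system must equal allocated plus idle hours."""
    return wage_hours_paid == job_costing_hours + idle_hours


if __name__ == "__main__":
    ok, held = process_batch(PAYROLL_BATCH)
    print("processed:", [r["emp"] for r in ok])
    for item in held:
        print(f"suspense #{item['error_no']} {item['record']['emp']}: {item['reasons']}")
```

Running the block processes E001 and E002 and places E003, E004 and E005 on the suspense file as errors 1, 2 and 3, each with the reason the validation test recorded.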

5.5.4.6 Audit trail


It is impossible for the internal auditor to observe the step of actual processing in the
system; however, the system can produce evidence of what occurred during this step. In
most cases, the auditor can review the following to gain an understanding of what
happened during processing:
l Processing activity report – Gives a summary of all activities and steps that
were executed during processing.
l Program documentation – By reviewing the original program documentation, the
internal auditor can gain an understanding of the flow and actions that occur during
processing.
l File activity data – By reviewing which files were updated after processing, the
internal auditor finds evidence that the transactions that were processed reached their
final and correct destination.
l Break points – These are control totals which are calculated throughout
processing, so that when a disruption occurs, processing only has to restart at the
break point.

5.5.5 Output
5.5.5.1 Definition
Output refers to the storing of data after processing took place on one or more storage
media, such as a database, computer readable format (disks), printouts or microfilm.
Nature of Internal Audit Work 5
5.5.5.2 Risks
l Output received by users may be inaccurate or incomplete – Although
everything might have been correct up to this point, a user might ask for a printout of
certain information that is now on the data files, and this printout might be incomplete
or might be of a previous version of the file.
l Output may be distributed or displayed to unauthorised individuals – The
results of processing may end up in the wrong hands; for example, an unauthorised
person receives a printed copy of the final payroll processed for this month and sees
the earnings of all the employees in the organisation. In the case of electronic access,
an unauthorised person obtains access to the classified pricing information in the
supplier file on the database.

5.5.5.3 Preventative control activities


l Procedures for the handling of output
• Distribution checklists (identify the printout to be sent to the authorised
recipient and when it is to be done).
• Transmittal sheets (attached to each printout to identify the report and its
destination).
• Distribution logs (serve as evidence of distribution).
• Report release forms (the user must sign the report release form in
acknowledgement of receipt).
l Workstation display control activities – General control activities regarding
workstation security must ensure only authorised access is granted.

5.5.5.4 Detective control activities


l Control group
• Review output for completeness.

• Comparing transaction logs (processing) with input and workstation logs.

• Reconcile control totals after processing.

• Reconcile distribution log with the distribution checklist.


l User procedures
• Compare the transmittal sheets with the description of the output/printout.
• Review the distribution checklist for the timely receipt of printouts and/or
electronic files.
• Review the transaction list and compare it with source documentation.
• Review the list of computer-generated transactions (be aware of transactions
such as three payments of R90 000 each to the same supplier, although the
limit test of R100 000 per payment has been passed).
• Review the list of changes to the master file.
• Reconcile the batch totals per computer with the totals originally calculated.
• Balance the totals of individual accounts with the control account.
• Reconcile computer balances to physical quantities, for example, inventory.
• Reasonableness tests (unexplained deviations from expected balances).
• End-of-report sentences or page numbering (“page 1 of 4”) to ensure the
completeness of printouts received.
• On a test basis, completeness can also be checked by comparing entries in an
account to supporting documentation.
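The split-payment pattern mentioned in the list above (three payments of R90 000 to one supplier while each passes a R100 000 per-payment limit test) is exactly the kind of item a user review of the computer-generated transactions list should surface, and it can be checked mechanically rather than by eye. The Python below is an added example and not code from the textbook; the payment records, supplier codes and the seven-day grouping window are constructed assumptions. It first applies the per-payment limit test, then groups the payments that passed by supplier and date window and reports any group whose total exceeds the limit.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed list of computer-generated payments (hypothetical data for the example).
PAYMENTS = [
    {"ref": "P1001", "supplier": "S-ACME", "date": date(2024, 3, 1), "amount": 90000},
    {"ref": "P1002", "supplier": "S-ACME", "date": date(2024, 3, 1), "amount": 90000},
    {"ref": "P1003", "supplier": "S-ACME", "date": date(2024, 3, 2), "amount": 90000},
    {"ref": "P1004", "supplier": "S-BETA", "date": date(2024, 3, 1), "amount": 45000},
    {"ref": "P1005", "supplier": "S-BETA", "date": date(2024, 3, 20), "amount": 45000},
    {"ref": "P1006", "supplier": "S-GAMMA", "date": date(2024, 3, 3), "amount": 120000},
]

PAYMENT_LIMIT = 100000  # the R100 000 per-payment limit from the text


def limit_test(payment, limit=PAYMENT_LIMIT):
    """Programmed limit test as applied by the system to each single payment."""
    return payment["amount"] <= limit


def failed_limit_test(payments, limit=PAYMENT_LIMIT):
    """Payments the system itself would already have rejected or reported."""
    return [p["ref"] for p in payments if not limit_test(p, limit)]


def find_split_payments(payments, limit=PAYMENT_LIMIT, window_days=7):
    """User review control: among payments that each pass the limit test, flag groups to
    the same supplier within window_days whose combined amount exceeds the limit."""
    by_supplier = defaultdict(list)
    for p in payments:
        if limit_test(p, limit):
            by_supplier[p["supplier"]].append(p)
    findings = []
    for supplier, plist in by_supplier.items():
        plist.sort(key=lambda p: p["date"])  # stable sort keeps reference order within a day
        for i, first in enumerate(plist):
            group = [q for q in plist[i:]
                     if q["date"] - first["date"] <= timedelta(days=window_days)]
            total = sum(q["amount"] for q in group)
            if len(group) > 1 and total > limit:
                findings.append({"supplier": supplier,
                                 "refs": [q["ref"] for q in group],
                                 "total": total})
                break  # one finding per supplier is enough for the review list
    return findings


if __name__ == "__main__":
    print("failed limit test:", failed_limit_test(PAYMENTS))
    for f in find_split_payments(PAYMENTS):
        print(f"review {f['supplier']}: {f['refs']} total {f['total']} exceeds {PAYMENT_LIMIT}")
```

On the constructed data the system's own limit test only catches P1006; the review function additionally reports the three S-ACME payments, whose combined R270 000 exceeds the limit, while the two S-BETA payments fall outside the window and are not flagged.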

5.5.5.5 Corrective control activities


l Source errors should be returned to the user responsible for creating the source
documents.
l Processing errors are to be handled by technical staff.
l Error logs should be kept by the control group in order to control resubmission.

5.5.5.6 Audit trail


After data has been processed by the computer program, it is written to files. This is
the final stage in the road a transaction follows, and once on the file, the internal auditor
can use computer-generated printouts (where these printouts are requested by the
internal auditor, as in most cases the auditor will not have direct access rights to the
system) to review where and how the original transaction ended up:
l Master file data – If a transaction related to a debtor changing his or her address,
for example, the transaction started with the debtor completing a change of address
form. This form went through the whole process of data capturing (completing the
form manually), data entry (when the details on the form were converted to electronic
format), processing (when the entered information was applied to the debtors
master file during a processing run) and now, finally, the new address should appear
on the debtors master file. The auditor can print out the data to see if it reflects
the new address, or choose to access the debtors master file (only if the internal
auditor has such access rights) and verify the change without printing out the file.
l File balances – These can be reviewed for proof of the correct processing of
transactions related to transaction files.
l Accounting reports – These are summaries of accounting transactions that were
processed and posted on the system for a specified period, or for specific types of
accounting transactions, depending on the engagement objective.
l Management reports and reference reports – These are reports that provide
summarised information on events and transactions for certain periods. Examples
might include the quantity of a specific product sold in the last month, the revenue
from those sales, and a breakdown of the locations where the sales occurred.
l Error reports – These are reports of definite errors, in other words, transactions
that were not processed. A payroll transaction that was presented for processing,
but for which no such employee was found on the employee master file, would end up
on the error report as unprocessed, with a code for the reason why the system rejected
the transaction.
l Exception reports – These are reports on abnormal or unexpected results after
processing. The internal auditor should review the exception report as this is usually
a very convenient summary of high-risk transactions. Exception and error reports
were discussed earlier in this chapter.

5.5.6 On-line input


5.5.6.1 Definition
On-line input refers to the input of individual transactions directly into the system through
a workstation, resulting in a high dependence on programmed control activities to detect
errors in input. An example is when you key in your withdrawal transaction at an ATM.

5.5.6.2 Risks
To explain the risk in on-line entry, let us use the example of a customer placing an order
telephonically with a call centre agent, who enters and submits the order details
immediately for processing:
l Transactions are not entered – The detail of the order transaction is not entered
into the system as the order is placed.
l Data entered into the workstation is inaccurate – The customer provides his or
her account number to the agent, but the agent enters the account number
incorrectly by transposing two numbers in the account or enters the quantity of the
order as 03 when it should be 30.
l Transaction entered in the wrong accounting period – The customer would like
to place an order for delivery next month, but the agent processes the transaction
immediately.
l Data entered at a workstation may be incorrectly valued or classified – The
wrong inventory codes are entered for products ordered or the wrong price is
entered.
l Invalid transactions are entered – The customer never places the order, but the
agent enters an order to meet sales targets for the month.
l Transactions are entered twice – After the data provided by the customer is
entered, the sales agent unintentionally hits the submit button twice and the order
is immediately processed twice by the system.
l Data entered at a workstation may be changed or lost during transfer – The
order never reaches the processing stage as a result of a disruption in the transfer
process, or the data is intercepted and changed – this risk is especially high in
today’s Internet environment.

5.5.6.3 Preventative control activities


l Written instructions.
l Computer-assisted procedures:
• Screen layouts should be user friendly and have drop-down menus; and
• Computer dialogue, where the system asks you to confirm and gives
messages as to what is expected of you.

5.5.6.4 Detective control activities


The following data input validation can be carried out where access to existing file data
is not possible (one-way transmission from workstation to processing computer and
finally the database):
l Classification and transaction code validity.
l Input validation tests (similar to batch input).
l Data echo test (data entered into the workstation is transmitted to the database and
then back to the workstation, after which the operator confirms the data was entered
correctly).
The following data input validation can be carried out where existing file data can be
referred to (information can be extracted from the database by the workstation):
l Record confirmation check (descriptive echoes) – Input is reduced drastically as
the debtors’ code is entered, for example, and his or her details appear on the
screen as extracted from the master file.
l Verifying data – Match data entered with existing data on file (inventory code
entered is compared to inventory codes on the inventory master file and the quantity
on hand is checked).
l Data approval test – Programmed approval by the system of a credit sales
transaction after comparing the value of the transaction to the available credit
balance.
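The second group of detective controls above, where the workstation can refer to existing file data, and the on-line input risks listed in 5.5.6.2 (wrong account keyed, wrong inventory code, order submitted twice) can be shown together in one order-entry check. The Python below is an added example, not code from the textbook or any particular order system; the debtors master file, inventory master file, transaction codes and the use of a submission id to detect a double submit are constructed assumptions. The function returns the descriptive echo for the debtor, the computed order value and the list of validation errors, which is what an on-line screen would display as its error message.

```python
from decimal import Decimal

# Constructed master files for the example (hypothetical data, not from the chapter).
DEBTORS_MASTER = {
    "D1001": {"name": "Khumalo Traders", "credit_limit": Decimal("50000"), "balance": Decimal("42000")},
    "D1002": {"name": "Nkosi Hardware", "credit_limit": Decimal("20000"), "balance": Decimal("0")},
}
INVENTORY_MASTER = {
    "INV-100": {"description": "Cement 50 kg", "price": Decimal("120"), "on_hand": 500},
    "INV-200": {"description": "Brick pallet", "price": Decimal("2500"), "on_hand": 3},
}
VALID_TRANSACTION_CODES = {"ORD", "RET"}  # assumed: order and return


def descriptive_echo(debtor_code):
    """Record confirmation check: echo the debtor's master file details back to the
    screen so the agent can see whether the account keyed in is the right one."""
    rec = DEBTORS_MASTER.get(debtor_code)
    return None if rec is None else f"{debtor_code}: {rec['name']}"


def validate_online_order(order, seen_submissions):
    """Programmed detective controls for one on-line order entry.
    seen_submissions is the set of submission ids already accepted; it catches the
    'submit pressed twice' risk. Returns echo, order value and the error list."""
    errors = []
    # Transaction code validity
    if order["code"] not in VALID_TRANSACTION_CODES:
        errors.append(f"invalid transaction code {order['code']}")
    # Verifying data: the debtor must exist on the debtors master file
    debtor = DEBTORS_MASTER.get(order["debtor"])
    if debtor is None:
        errors.append(f"debtor {order['debtor']} not on master file")
    # Verifying data: each inventory code must exist and the quantity must be on hand
    total = Decimal("0")
    for line in order["lines"]:
        item = INVENTORY_MASTER.get(line["item"])
        if item is None:
            errors.append(f"inventory code {line['item']} not on master file")
            continue
        if line["qty"] <= 0 or line["qty"] > item["on_hand"]:
            errors.append(f"quantity {line['qty']} of {line['item']} not available "
                          f"(on hand {item['on_hand']})")
        total += item["price"] * line["qty"]
    # Data approval test: credit sale approved only within the available credit balance
    if debtor is not None and order["code"] == "ORD":
        available = debtor["credit_limit"] - debtor["balance"]
        if total > available:
            errors.append(f"credit not approved: value {total} exceeds available {available}")
    # Duplicate submission: the same accepted order must not be processed twice
    if order["submission_id"] in seen_submissions:
        errors.append("duplicate submission")
    elif not errors:
        seen_submissions.add(order["submission_id"])
    return {"echo": descriptive_echo(order["debtor"]), "value": total, "errors": errors}


if __name__ == "__main__":
    accepted = set()
    order = {"submission_id": "S1", "code": "ORD", "debtor": "D1001",
             "lines": [{"item": "INV-100", "qty": 30}]}
    print(validate_online_order(order, accepted))   # accepted
    print(validate_online_order(order, accepted))   # same submit again: duplicate
```

The echo does not prove the agent keyed the right account; it only gives the agent the information needed to notice a transposition, which is why the chapter pairs it with confirmation by the operator. The credit approval and quantity checks, by contrast, are enforced by the program regardless of what the agent sees.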

5.5.6.5 Corrective control activities


l An error message is shown on screen.
l Error handling procedures are displayed – In certain circumstances the system may
make recommendations to the user as to how the error may be corrected.

5.5.6.6 Audit trail


Because entry, processing and output happens almost immediately, the auditor needs to
rely on individual transactions to obtain evidence, rather than on stages or processes. To
trace a transaction, the internal auditor has the following available:
l A unique identification number is allocated to each transaction (tracing and
identifying of a transaction through processing to the final reports and associated
files is possible).
l A transaction list can be generated indicating all transactions
entered by the operator at a workstation for a certain period. It is important that each
list also contains totals for the transactions.

5.5.7 Master files


As mentioned earlier in the chapter, master file information represents information that is
mostly static and not subjected to frequent changes. It will also include balances,
where applicable, and these are updated from the transaction files.
Using a bank account as example, master file information for a customer will include, for
example, the customer’s name, identification number, addresses (postal and residential,
if different), contact numbers and the account’s current balance, available credit limit and
daily transfer and payment limits. Apart from the balances that will frequently change as
the customer uses his or her bank account, the other information will not be subjected to
frequent changes. As such, control over master file information and associated changes
should be maintained more strictly than for transactional information. It is evident that
the integrity of personal information, credit limits and other important information should
be strictly controlled.
Controlling master file information is achieved through the following control activities:
l Limited read access to master file information granted to authorised persons only.
l Strict write access to a specific person, or persons, who can make changes to
master file information.
l Except for changes in balances that occur automatically through changes in the
transaction files, all other information should be subjected to the completion of a
request document for changes. This is sometimes referred to as a master file
amendment form. Thus all changes should be recorded on a document first.
l Amendment forms should be authorised and signed before changes are effected to
the master file.
l Once these changes have been made to the master file, an independent person
should compare the document with the new information on the master file to ensure
the changes were made correctly.
l Logs of changes to master file information should frequently be reviewed to ensure
only valid changes were made to the master file.

Revisiting our bank account example, think of the process that needs to be followed to
change your address with the bank. As this is a master file change you will not be able
to change your address at an ATM or via Internet banking (which is used for
transactional purposes and only affects transaction files). You will have to physically visit a
branch and provide proof of identity and proof of the new address in document format; you
will also be requested to complete a form and duly sign it. The form will also be
signed and stamped by a bank employee before being submitted to an authorised
person who will make the change on your master file. All these documents will also be
kept on file by the bank as evidence of the validity of the change made.
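The master file control activities listed above (strict write access, an authorised amendment form before any change, an independent comparison afterwards, and review of the change log) can be modelled as a small workflow. The Python below is an added example and not code from the textbook or any bank's system; the customer master file, the authorised operator, the form and log structures and the reviewer's exception categories are constructed assumptions. The change log review is the detective control: it reports any logged change with no amendment form on file (a direct write that bypassed the form), a form that was never authorised, or a master file value that does not agree with the form.

```python
import copy
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class AmendmentForm:
    """Master file amendment form, completed before any change is made."""
    form_no: str
    account: str
    field_name: str
    new_value: str
    requested_by: str
    authorised_by: Optional[str] = None   # signature of the authorising official, if any


@dataclass
class ChangeLogEntry:
    """One entry in the log of changes made to the master file."""
    account: str
    field_name: str
    old_value: str
    new_value: str
    changed_by: str
    form_no: Optional[str]                # None means the write was not backed by a form


# Constructed customer master file (hypothetical data for the example).
MASTER_FILE: Dict[str, Dict[str, str]] = {
    "ACC-1": {"name": "T. Dlamini", "address": "12 Main Rd", "credit_limit": "10000"},
    "ACC-2": {"name": "S. Pillay", "address": "8 Oak St", "credit_limit": "5000"},
}
AUTHORISED_WRITERS = {"branch_officer"}   # assumed: the only role with write access


def fresh_master():
    """Return a working copy of the master file so runs do not interfere."""
    return copy.deepcopy(MASTER_FILE)


def apply_amendment(master, form: AmendmentForm, operator: str, log: List[ChangeLogEntry]):
    """Strict write access: only an authorised operator, acting on a form that an
    independent person has authorised, may change the master file. Every change is logged."""
    if operator not in AUTHORISED_WRITERS:
        raise PermissionError(f"{operator} has no write access to the master file")
    if not form.authorised_by or form.authorised_by == form.requested_by:
        raise ValueError(f"form {form.form_no} not authorised by an independent person")
    record = master[form.account]
    old_value = record[form.field_name]
    record[form.field_name] = form.new_value
    log.append(ChangeLogEntry(form.account, form.field_name, old_value,
                              form.new_value, operator, form.form_no))


def independent_check(master, form: AmendmentForm):
    """After the change, an independent person compares the form with the master file."""
    return master[form.account][form.field_name] == form.new_value


def review_change_log(log: List[ChangeLogEntry], forms: List[AmendmentForm]):
    """Log review: every logged change must trace to an authorised form whose value
    matches what is now on the master file. Returns the exceptions found."""
    forms_by_no = {f.form_no: f for f in forms}
    exceptions = []
    for entry in log:
        form = forms_by_no.get(entry.form_no) if entry.form_no else None
        if form is None:
            exceptions.append((entry.account, entry.field_name, "no amendment form on file"))
        elif not form.authorised_by:
            exceptions.append((entry.account, entry.field_name, "form not authorised"))
        elif form.new_value != entry.new_value:
            exceptions.append((entry.account, entry.field_name, "master file value differs from form"))
    return exceptions


if __name__ == "__main__":
    master, log = fresh_master(), []
    form = AmendmentForm("F-1", "ACC-1", "address", "99 New Rd", "t.dlamini", "branch_manager")
    apply_amendment(master, form, "branch_officer", log)
    print("independent check:", independent_check(master, form))
    # a direct write to the master file that bypassed the form shows up on review
    log.append(ChangeLogEntry("ACC-2", "credit_limit", "5000", "50000", "dba", None))
    print("review exceptions:", review_change_log(log, [form]))
```

In a real system the change log would be written by the database or application rather than appended by the same code that performs the change, so that the reviewer's evidence is independent of the operator making the amendment.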

5.6 Assessing governance, risk and control


The primary responsibility for assessing governance, risk management and control lies
with internal and external audit. The responsibility of internal audit to assess governance,
risk management and control is covered in the definition of internal audit. As discussed
earlier in the chapter, external audit focuses on the risks and controls associated with the
financial statements and financial operations, whereas internal audit focuses on controls
beyond financial controls, based on a risk assessment.

5.7 Reporting
The internal audit activity performs assurance reviews on the governance, risk
management and control processes within the organisation and issues a report of the
result of its assurance reviews. The Chief Audit Executive is responsible for issuing the
report to the stakeholders. Stakeholders that have an interest in the internal audit report
are:

 The governing body


The internal audit report is used to discuss the state of the organisation’s
governance, risk management and control processes. It is the responsibility of the
governing body to provide oversight as needed to direct management in addressing
areas of concern and ensure continuous improvement.

 The audit committee


Their primary interest lies in the results of assurance services regarding risk
management and the effectiveness of control measures to address the risk. Internal
audit adds considerable value in reporting its findings, observations and
recommendations which in turn assists the audit committee with their oversight
responsibilities and decision making.

 Senior management
The recommendations made by internal audit assist senior management in
improving the control environment within the organisation to meet the objectives
related to governance, risk management and control.

 Operational management
The recommendations made by internal audit assist operational management in
improving the effectiveness and efficiency of operational processes and systems
(including control activities) within the organisation.

 External audit
Results of internal audit reports assist external audit with their risk assessment and
planning of the financial audit. To ensure proper audit coverage and to minimise a
duplication of efforts, external audit is encouraged to consider the work of internal
audit.

5.8 Summary
It is management’s responsibility to design and implement an appropriate internal control
structure by using an internal control framework, such as COSO, to provide reasonable
assurance that the organisation’s risks are mitigated, and objectives are met. Control
weaknesses and/or non-adherence to current internal controls must be brought to
management’s attention and internal auditors should make appropriate
recommendations for improvement.

Annexure 1 – The ABC of controls
Type | Description | Example
a F Accounting | Integrity and accuracy of the accounting system and all financial reports being generated. | Bank reconciliation
b F Administrative | Operations without any direct link to accounting controls. | Review of production report
c F Operational | Dictate the manner in which various activities are performed and affairs are conducted. | Organisational chart
d F Compliance | Ensuring that policies, procedures, laws, rules and regulations are followed. | Segregation of duties
e F Legal | Ensuring the organisation is operating within the boundaries of legislation and other government regulations. | Document disciplinary action
f T Input | Provide reasonable assurance that data received by the computer has been authorised, etc. | Print out of access denied
g T Process | Provide reasonable assurance that data processed by the computer has been classified correctly. | File labels
h T Output | Final check on accuracy of results of computer process. | Reconciliation of input and output
i O Directive | Designed to produce positive results. | Training of personnel
j O Preventive | Prevent errors from occurring. | Fire drill
k O Detective | Detect errors after occurring. | Fire alarm
l O Adaptive | Can be adapted to various situations. | Thermostat
m O Corrective | Corrects problems identified by detective controls. | Fire extinguisher
n C Documentary | Recording in writing the various activities of the organisation. | Procedure manual
o C Physical | Things that can be seen and touched to prevent unfavourable activities from occurring. | Fence
p C Manual | Performed by people. | Count of inventory
q C IT | Security of data through a computer system. | Encryption of message
r OT Dysfunctional | Control working properly as planned, but does not accomplish what it was designed to accomplish. | Sensitive data in safe with key on desk
s OT Redundant | Two or more controls accomplishing the same objective. | Show ID and use password
t OT Non-functional | Control not operating properly. | Door with broken lock
u OT Post-activity | Eliminating the deviation in future cycles of the process. | Quality check
v OT Pre-activity | Preventing the deviation in the cycle of the process. | Using seat belt
w OT Absent | Lack of control in an area where error/irregularity could be prevented, corrected or detected. | One person performs all accounting functions
x OT Safety | Promoting safety of individuals and property. | First-aid kit
y OT Environment | Promoting the preservation of the environment in which the organisation operates. | Disposal of waste
z OT Limit | Prohibits a significant deviation from occurring in a process or system. | Number of people allowed in elevator limited to 12
F = Functional, T = Time-frame, O = Objective, C = Classification and OT = Other
