ISA 400: “Internal control system” means all the policies and procedures (internal controls) adopted by the management of an entity to assist in achieving management’s objective of ensuring, as far as practicable, the orderly and efficient conduct of its business, including adherence to management policies, the safeguarding of assets, the prevention and detection of fraud and error, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information. The internal control system extends beyond those matters which relate directly to the functions of the accounting system and comprises:

 (a) “The control environment”

Which means the overall attitude, awareness and actions of directors and management regarding the internal control system and its importance in the entity. The control environment has an effect on the effectiveness of the specific control procedures. A strong control environment, for example, one with tight budgetary controls and an effective internal audit function, can significantly complement specific control procedures. However, a strong environment does not, by itself, ensure the effectiveness of the internal control system. Factors reflected in the control environment include:

  • The function of the board of directors and its committees.
  • Management’s philosophy and operating style.
  • The entity’s organizational structure and methods of assigning authority and responsibility.
  • Management’s control system including the internal audit function, personnel policies and procedures and segregation of duties.

(b) “Control procedures” which means those policies and procedures in addition to the control environment which management has established to achieve the entity’s specific objectives. Specific control procedures include:

Reporting, reviewing and approving reconciliations.

Checking the arithmetical accuracy of the records.

Controlling applications and environment of computer information systems, for example, by establishing controls overchanges to computer programs

Access to data files.

Maintaining and reviewing control accounts and trial balances.

Approving and controlling of documents.

Comparing internal data with external sources of information.

Comparing the results of cash, security and inventory counts with accounting records.

Limiting direct physical access to assets and records.

Comparing and analyzing the financial results with budgeted amounts.


This is a fertile area for examiners. Invariably in every examination paper set on auditing there

will always be a question on internal controls.

We will consider the definition, the theory, the practice and its impact on the accountant being

audited and the accountant who is doing the auditing.

 The management is concerned that errors and irregularities should not occur because if they did occur they would result either in the loss of assets or the production of accounting records that are unreliable in that they will fail to disclose a true and fair view of the financial position and the results from operations of the entity concerned.

 Meaning of the definition

 a) Orderly and efficient manner: An organization that is run in an orderly and efficient manner is able to satisfy the needs of its managers, shareholders, auditors, customers, suppliers and anybody else interested in the operations of the entity. It will be able to satisfy the needs of its production facilities. The results of orderliness include the timely production of information that is reliable, they also include the cooperation of all parties concerned. An organization that is run in a disorderly and inefficient manner will soon degenerate into chaos and would probably have to close down sooner or later. This is important to the auditor in that where the organization is well run he will expect reliable information timely received or provided and he will receive the cooperation of the management, the staff and other third parties from whom he may seek representations. This reduces the amount of detailed work the auditor has to do.

 b) Ensure adherence to management policy: Every organization must have aims or objectives. For a company these are usually to be found in its Memorandum and Articles of Association. The management is charged with the responsibility of designing policies that will enable the organization's objectives to be achieved. So the management must set policies that have to be followed or adhered to, to achieve the objectives of the organization. To do this, management identifies broad policies such as: the industry in which to operate, the products to produce, where the factory is to be located and which market its products are aimed at. Management also sets detailed policies such as the number of accounts clerks to be employed and their remuneration. For the auditor adherence to management policy places the whole organization in perspective. Only if the auditor understands the organization's objectives and the policies adopted by the management to achieve those objectives will he be able to determine whether measured against those objectives, the accounts give a true and fair view. The policies adopted particularly in determining the values attached to assets and liabilities and the amounts to be charged as revenue or expenditure in the profit and loss account must be in accordance with generally accepted accounting principles.

 c) Safeguard the assets: The assets are the resources of the organizations. They must therefore be protected from loss. This protection can be done directly i.e. physically locking the assets under lock and key and trying to prevent their deterioration or safeguarding can be done indirectly through records and documentation. Safeguarding the assets means restricting access to the assets. Indirect restriction means that access to the assets should be through authorised documentation. For the auditor, the accounts cannot give a true and fair view if he cannot confirm that the assets concerned actually exist and have the value attributed to them.

 d) Secure as far as possible the completeness and accuracy of the records. It is difficult to control any business unless you have got reliable and accurate records. Business decisions cannot be made unless all the transactions have been completely and accurately processed and recorded. The Companies Act requires proper records being kept for all the company's transactions and activities. It further requires that these records should be such that accounts that give a true and fair view can be extracted from them. Therefore, the organization must keep reliable records and therefore the management must take the appropriate steps to ensure that it secures as far as possible the completeness and accuracy of the records. For an auditor, his interests in this element of internal control arises out of his statutory responsibility to investigate and report whether proper books of accounts have been kept, whether the accounts he is examining are in agreement with those books, and whether the Companies Act requirements have been complied with in all material respects. He therefore has a direct interest in complete and accurate records.