Chapter 2

Control
1. The Importance of Control to the Internal Auditor
2. Standard 2120 Control
3. Access and Reporting on Control
4. Control Defined
5. Internal Control Models
6. The Systems Auditability and Control Study
7. Preventive, Detective, and Corrective Controls
8. Eliminating Probability Not Possibility of Controls
9. Benefits of Control
10. Systems of Control
11. Importance of Control
12. Internal Control Standards
13. Characteristics of Controls

Tambun Hutabarat 1
 Chapter 2
Control
13. Means of Achieving Control
14. The Impact of regulation on Control
15. The Internal Auditors Role
16. Internal Auditor Reports on Internal Controls
17. The Cycle Approach to Internal Accounting Controls
18. The Impact of Reengineering on Internal Controls
19. Reduction of Controls The Virtual Organization
20. The Audit of Controls
21. Auditing COSO
22. Control Risk Audit Aspects
23. Management Functions and Control
24. Over Controling

Tambun Hutabarat 2
 Chapter 2 Control
1. The Importance of Control to the Internal Auditor

Managers to make sure that their operating objectives will be met.

Every activity within an organization works on two levels, within two system:
- operating sytem
- control system

2. Standard 2120 Control

Original standards had been completed 1978 :

- expand the concept of auditing for control
- to treat control adequacy (properly designed)
- Effectiveness (working as intended)
- quality (the achievement of the organizations goals and objectives)
- utility (being used)
- the new standards 2120 by Standards for The Professional Practice of Internal Auditing
(Altamonte Springs, FL: The Institute of Internal Auditors, 2001)
Standard 2120 Control
The internal audit activity should assist the organization in maintaining effective controls by
evaluating their effectiveness and efficiency and by promoting continuous inprovement.
Tambun Hutabarat 3
 Chapter 2 Control
2. Standard 2120 Control

Standard 2120 .A1 Based on the result s of the risk assessment, the internal
audit activity should evaluate the adequacy and effectiveness of controls
encompassing the organizations governance, operations, and information
systems. This should include:

1. Realibility and integrity of finincial and operational information.

2. Effectiveness and efficiency of operations.
3. Safequarding of assets.
4. Complience with laws, regulations, and contracts.
Standard 2120 .A2 Internal auditors should ascertain the extent to which
operating and programs goals and objectives have been established and
conform to those of the organization.
Standard 2120 .A3 Internal auditors should review operations and program
to acertaint the extent of which results are consistent with established goals
and objectives to determine wether operations and programs are being
implemented or performed as intended.
Tambun Hutabarat 4
 Chapter 2 Control
2. Standard 2120 Control
2120 .A4 Adequate criteria are needed to evaluate controls. Internal
auditors should ascertaint the extent of which management has established
adequate criteria to determine wether objectives and goals have been
accomplished. If adequate, internal auditors should use criteria in their
evaluation. If inadequate, internal auditors should work with management to
develop appropriate evaluation criteria.
2120 .A4-1. The Practice Advisory augmenting this standard on Control Criteria
expresses this well and provides more specific provisions.
3. Access and Reporting on Control
The Practice Advisory 2120.A1-1, Accessing and Reporting on Control
Process, provide more detail relative to the determination of the adequacy and
effectiveness of the control process and the responsibility of the chief audit
executive to convey this assessment information to senior management and the
audit committee. The Practice Advisory outlines the work of the chief audit
executive to:

Tambun Hutabarat 5
 Chapter 2 Control
1. Develpo an audit plan to provide adequate and sufficient evidence.
2. Consider relevant work that can be provided by the others.

3. Evaluate the proposed plan from two view points:

- Adequacy across organizational entities.
- Inclusion of variety of transaction and business process types.
The plan should provide for an audit that evaluates the effectiveness of the system of controls.
The considerations in making this evaluation are:
1. Were significant discrepancies or weakness found?
2. If so, were corrections or improvements made?

3. Do the discoveries and their consequences lead to a conclusion that there is an unacceptable
level of business risks?
The report on the evaluation should identify the role played by the control process in
achievement of the organizations objectives and should state that:
1. There were no weaknesses found
2. There were weaknesses and thier impact on the level of risk and the achievement of the
organizations objectives.

Tambun Hutabarat 6
 Chapter 2 Control
4. Control Defined
Early Definitons

Control first appeared in the English lexicon around 1600 and was defined as the copy of a roll
[of account], a parallel [sic] of the same quality and content with the original.Samuel Johnson
sums up this original meaning as a register or account kept by the another officer, that each may
be examine by the other.

The importance of control to auditors (or internal check as it was first called) was recognized by
L.R. Dicksee as early as 1905. He pointed out that a suitable system of internal check should
eliminate the need for a detail audit. He viewed control as a composite of three elements:
division of work, the use of accounting records, and the rotation of personnel.
In 1930 George E. Bennet more narrowly defined internal control this way:
A system of internal check may defined as the coordination of a system of accounts and related
office procedures in such a manner that the work of one employee independently performimg his
own prescribed duties continually checks that work of another as to certaint elements involving
the possibility of fraud.

Tambun Hutabarat 7
 Chapter 2 Control
4. Control Defined
Early Definitons

IN 1949 a special report titled Internal control Elements of a Coordinated System and Its
Importance to Management and the Independent Account,by the American Institute of Certified
Public Accountants (AICPA) Committee on Auditing Procedure, broadened the definition of
internal auditor.
Internal control comprises the plan of organization and all of the coordinate methods and
measures adopted within a business to safequard its assets, check the accuracy and reliability of
its accounting data, promote operational efficiency, and encourage adherence to prescribed
managerial policies. This definition [continued the committee] possibly is broader than the
meaning sometimes attributed to the term. It recognizes that a system of internal control extends
beyond those matters which relate directly to the functions of the accounting and financial
deprtement.

Internal control comprises the plan of organization and all of the coordinate methods and
measures adopted within a business to safequard its assets, check the accuracy and
reliability of its accounting data, promote operational efficiency, and encourage adherence
to prescribed managerial policies. This definition [continued the committee] possibly is
broader than the meaning sometimes attributed to the term. It recognizes that a system of
internal control extends beyond those matters which relate directly to the functions of the
accounting and financial deprtement.
Tambun Hutabarat 8
 Chapter 2 Control
4. Control Defined
Definitons for Public Accountants

Independent auditors in the United States, however, saw the definition as too broad for their
purposes. After all, they were primarily concerned with internal control as its relates to the
reliability of financial statements or to the aims of authorization, accounting, and asset
safequarding. So internal control was subdivided into administrative control and accounting
control. These were defined in Section 320.27-.28 (1973) of the AICPAS Professional Standards,
taken from Statement of Auditing Standrads (SAS) No. 1:

Administrative control includes, but is not limited to, the plan of organization and the
procedures and records that are concerned with the decision processes leading to
managements authorization of transactions. Such authorization is a mangament function
directly associated with the responsibility for achieving the objectives of the organization and
is the starting point for eatblishing accounting control of transactions.
Accounting control comprises the plan of organization and the procedures and records that
are concerned with the safequarding of assets and the realibility of financial records and
consequently are designed to give reasonable assurance that:

a. Transactions are executed in accordance with managements general or specific

authorization.

Tambun Hutabarat 9
 Chapter 2 Control
4. Control Defined
b. Transactions are recorded as necessary (1) to permit preparation of financial statment s
in conformity with generally accepted accounting principles or any other criteria
applicable to such statements and (2) to maintain accountability for assets.
c. Access to assets in permitted only in accordance with managements authorization.
b. The recorded accountability for assets is compared with the existing assets at reasonable
intervals and appropriate actions is taken with respect to any differences.
SAS 78 Expands AICPA Definition of Internal Control
Effective for audits of financial statements for period beginning on or after January 1, 1977 the
American Institute of Certified Public Accountants has revised its statement of internal control as:
Internal control is a process affected by an activitys board of directors, management or
other personnel designed to provide reasonable assurance regarding the achievement of
objectives in the following categories:

a. reliability of financial reporting

b. effectivesness and efficiency of operations; and
c. complience with applicable laws and relations.

Tambun Hutabarat 10
 Chapter 2 Control
4. Control Defined
This three areas are subject to specific types of audit in the same order:

a. Annual auditing of financial statements

b. Auditing of operations in relation to objectives and desired outcomes.
c. Auditing of complience (presumably as a seperate audit or in conjunction with audits in
a and b above).
The SAS also defines internal control as consisting of the five interrelated component parts of the
COSO statement:
1. Control environment
2. Risk assessment
3. Control activities
4. Information and communications
5. Monitoring

Tambun Hutabarat 11