Chapter 2: Internal Controls and Information Flows
Certificate Level
Purpose and Learning Goals

Internal controls are the systems and processes organisations use to protect their assets, ensure accurate financial reporting, and operate effectively. This chapter introduces the concept of internal controls, explains why they matter, and shows how to evaluate them.

By the end of this chapter, you will be able to:

  • Explain what internal control is and why it is essential.
  • Describe the key components of an internal control system.
  • Understand the flow of information through revenue, purchases, and payroll cycles.
  • Identify common deficiencies in controls and their implications.
  • Recognise the role of IT systems and cybersecurity in internal control.
  • Appreciate how internal controls link to assurance engagements.

2.1 What Are Internal Controls?

Internal controls are policies and procedures designed to help an organisation achieve three main objectives:

  1. Reliable financial reporting – ensuring financial information is accurate and complete.
  2. Effective operations – making sure resources are used efficiently and risks are managed.
  3. Compliance – following laws, regulations, and internal policies.

Example: A retail store requires two signatures on payments over £10,000. This authorisation control is preventive: it reduces the risk of fraud and error before the payment leaves the business, and it only works if the two signatories are genuinely different people.

2.2 Types of Controls

Controls can be grouped in several ways:

By Timing:

  • Preventive controls – stop errors or fraud before they occur.
    e.g. Password protection for accounting systems.
  • Detective controls – find errors or fraud after they occur.
    e.g. Monthly bank reconciliations.
  • Corrective controls – fix problems once identified.
    e.g. Adjusting financial records after an error is found.
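The monthly bank reconciliation listed above as a detective control is worth seeing as logic rather than as a label. The block below is an added example, not part of the chapter; the cash book and bank statement lines are constructed, and the reference format, memo text and the rule that entries match on reference plus amount are this example's own assumptions. It matches the two records, sorts the leftovers into the explanations an auditor expects (a recording error, an unrecorded payment to investigate, a timing difference) and checks that those exceptions fully explain the difference between the two totals.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Entry:
    ref: str          # payment or receipt reference
    amount: Decimal   # positive = money in, negative = money out
    memo: str


# Constructed sample data (not from the chapter). The cash book is the
# company's own record; the bank statement is the bank's independent record.
CASH_BOOK = [
    Entry("PAY-1001", Decimal("-2500.00"), "Supplier A"),
    Entry("PAY-1002", Decimal("-980.50"), "Supplier B"),
    Entry("RCT-2001", Decimal("4200.00"), "Customer X"),
    Entry("PAY-1003", Decimal("-150.00"), "Stationery"),      # cheque not yet presented
]
BANK_STATEMENT = [
    Entry("PAY-1001", Decimal("-2500.00"), "Supplier A"),
    Entry("PAY-1002", Decimal("-890.50"), "Supplier B"),      # digits transposed in the books
    Entry("RCT-2001", Decimal("4200.00"), "Customer X"),
    Entry("PAY-1004", Decimal("-3000.00"), "Unknown payee"),  # never recorded: investigate
]


def reconcile(cash_book, bank_statement):
    """Bank reconciliation as a detective control.

    Entries match on (reference, amount). Leftovers are classified as:
    mismatches  - same reference, different amount (recording error)
    unrecorded  - in the bank statement but not the cash book (possible
                  unauthorised payment or unrecorded receipt)
    outstanding - in the cash book but not yet cleared by the bank (timing)
    """
    book = {(e.ref, e.amount): e for e in cash_book}
    bank = {(e.ref, e.amount): e for e in bank_statement}
    only_book = [book[k] for k in sorted(book.keys() - bank.keys())]
    only_bank = [bank[k] for k in sorted(bank.keys() - book.keys())]

    book_by_ref = {e.ref: e for e in only_book}
    mismatches = [(book_by_ref[e.ref], e) for e in only_bank if e.ref in book_by_ref]
    mismatched = {b.ref for b, _ in mismatches}
    unrecorded = [e for e in only_bank if e.ref not in mismatched]
    outstanding = [e for e in only_book if e.ref not in mismatched]

    book_total = sum((e.amount for e in cash_book), Decimal("0"))
    bank_total = sum((e.amount for e in bank_statement), Decimal("0"))
    # Each exception's contribution to (bank_total - book_total); if the
    # exceptions do not add up to the difference, something is still hidden.
    explained = (sum((bk.amount - bo.amount for bo, bk in mismatches), Decimal("0"))
                 + sum((e.amount for e in unrecorded), Decimal("0"))
                 - sum((e.amount for e in outstanding), Decimal("0")))
    return {
        "difference": bank_total - book_total,
        "explained": explained,
        "mismatches": mismatches,
        "unrecorded": unrecorded,
        "outstanding": outstanding,
        "fully_explained": explained == bank_total - book_total,
    }


if __name__ == "__main__":
    result = reconcile(CASH_BOOK, BANK_STATEMENT)
    print(f"Bank minus book: {result['difference']} (fully explained: {result['fully_explained']})")
    for bo, bk in result["mismatches"]:
        print(f"  amount mismatch {bo.ref}: book {bo.amount} vs bank {bk.amount}")
    for e in result["unrecorded"]:
        print(f"  in bank, not in cash book: {e.ref} {e.amount} ({e.memo}) -> investigate")
    for e in result["outstanding"]:
        print(f"  in cash book, not yet cleared: {e.ref} {e.amount}")
```

The point of the final check is that a reconciliation which lists exceptions but does not tie the totals is not finished: an unexplained residual is exactly where a manipulated figure hides. Run monthly, this control finds the PAY-1004 payment only after it has left the bank, which is why the chapter pairs detective controls with preventive ones such as dual authorisation.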

By Nature:

  • Physical controls – locks, security cameras, asset counts.
  • Logical/IT controls – passwords, access rights, encryption.
  • Authorisation controls – approval required before transactions.
  • Segregation of duties – no single person controls all stages of a transaction.

2.3 Information Flows and Business Cycles

Internal controls are most visible in the flow of information through business processes. Common cycles include:

  • Revenue cycle – from sales order → despatch → invoicing → cash collection.
  • Purchases cycle – from purchase order → goods received → invoice processing → payment.
  • Payroll cycle – from timesheets → authorisation → calculation → payment.

Each stage needs controls to prevent, or at least detect, fraud and error, and the hand-over between stages is where segregation of duties is applied.

Example: In the revenue cycle, segregation of duties means the person recording a sale should not also handle cash collection.
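Segregation of duties and the dual-signature rule from section 2.1 are both rules about who may perform which step of a transaction, so they can be enforced in the system that records the cycle rather than relying on people remembering them. The block below is an added example, not part of the chapter or of any real accounting package; the duty names, the transaction identifiers, the purchases-cycle pair (the person raising an order must not approve its payment) and the use of the chapter's £10,000 figure as the threshold for every payment are this example's own assumptions. It walks a revenue-cycle transaction and a purchases-cycle payment through their stages and refuses any step that would breach either rule.

```python
from decimal import Decimal

# Assumed policy values: the threshold is the chapter's retail example,
# applied here to every payment; the duty names are this example's own.
DUAL_AUTH_THRESHOLD = Decimal("10000")

# Pairs of duties that must not be performed by the same person on one
# transaction. The revenue-cycle pair is the chapter's example.
INCOMPATIBLE_DUTIES = {
    frozenset({"record_sale", "collect_cash"}),
    frozenset({"raise_purchase_order", "approve_payment"}),   # assumed pair
}


class ControlViolation(Exception):
    """Raised when a step would breach a segregation or authorisation rule."""


class Transaction:
    def __init__(self, tx_id, amount):
        self.tx_id = tx_id
        self.amount = Decimal(amount)
        self.steps = []   # (duty, user) in the order performed

    def perform(self, duty, user):
        """Segregation of duties: refuse a duty for a user who already performed
        its incompatible counterpart on this same transaction."""
        for done_duty, done_user in self.steps:
            if done_user == user and frozenset({done_duty, duty}) in INCOMPATIBLE_DUTIES:
                raise ControlViolation(
                    f"{self.tx_id}: {user} already did '{done_duty}', cannot also do '{duty}'")
        self.steps.append((duty, user))

    def approve_payment(self, user):
        """Authorisation: approvals must come from distinct people, so a second
        signature from the same person is rejected rather than counted twice."""
        if ("approve_payment", user) in self.steps:
            raise ControlViolation(f"{self.tx_id}: {user} has already approved")
        self.perform("approve_payment", user)

    def release_payment(self):
        approvers = {u for d, u in self.steps if d == "approve_payment"}
        required = 2 if self.amount > DUAL_AUTH_THRESHOLD else 1
        if len(approvers) < required:
            raise ControlViolation(
                f"{self.tx_id}: {self.amount} needs {required} approver(s), has {len(approvers)}")
        self.steps.append(("release_payment", "system"))


def run_revenue_cycle(sales_clerk, cashier, amount="1500"):
    """Sales order -> despatch -> invoicing -> cash collection. Returns (ok, message)."""
    tx = Transaction("SO-0001", amount)
    try:
        tx.perform("record_sale", sales_clerk)     # order taken and invoiced
        tx.perform("despatch_goods", "warehouse")
        tx.perform("collect_cash", cashier)        # must be a different person
    except ControlViolation as exc:
        return False, str(exc)
    return True, "revenue cycle complete"


def run_purchase_payment(amount, approvers, buyer="bob"):
    """Purchase order -> invoice -> approval(s) -> payment. Returns (ok, message)."""
    tx = Transaction("PO-0042", amount)
    try:
        tx.perform("raise_purchase_order", buyer)
        for user in approvers:
            tx.approve_payment(user)
        tx.release_payment()
    except ControlViolation as exc:
        return False, str(exc)
    return True, f"payment of {tx.amount} released"


if __name__ == "__main__":
    print(run_revenue_cycle("alice", "carol"))
    print(run_revenue_cycle("alice", "alice"))               # records sale and takes the cash
    print(run_purchase_payment("8000", ["dave"]))
    print(run_purchase_payment("12000", ["dave"]))           # over threshold, one signature
    print(run_purchase_payment("12000", ["dave", "dave"]))   # same signer twice
    print(run_purchase_payment("12000", ["dave", "erin"]))
    print(run_purchase_payment("12000", ["bob", "erin"]))    # buyer approving own order
```

Two checks matter in practice and both appear here: the second signature must be a different identity, not the same account clicking approve twice, and the person who raised the order cannot be one of the approvers. A system that counts signatures without checking identities implements the letter of the £10,000 rule while leaving the fraud it was meant to stop fully available.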

2.4 Identifying Control Deficiencies

No system is perfect. Weaknesses in internal controls can create risks such as:

  • Unauthorised transactions.
  • Inaccurate financial reporting.
  • Misappropriation of assets (fraud).
  • Breach of laws or regulations.

Auditors and assurance providers often document flows of information (using flowcharts, narratives, or internal control questionnaires) to identify gaps.

2.5 Role of IT and Cybersecurity

Modern businesses rely heavily on IT systems. IT introduces both opportunities and risks for controls:

  • Opportunities: automation reduces human error and speeds up reporting.
  • Risks: cyberattacks, manipulation of data or of the systems that record it, unauthorised access.

Common IT Controls:

  • Access rights (who can view/change data).
  • System change logs.
  • Backups and recovery systems.
  • Encryption of sensitive data.

Auditors must assess both general IT controls (the overall system environment: access management, change management and IT operations such as backups) and application controls (checks built into a specific transaction cycle, such as input validation or matching an invoice to a purchase order). Weak general controls undermine every application control that depends on them.
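Two of the IT controls listed above, access rights and system change logs, only deliver what the chapter promises if the log itself cannot be quietly edited; otherwise the "data manipulation" risk applies to the control as well as to the data. The block below is an added example, not part of the chapter or of any real product; the role-to-field permission matrix, the supplier record and the field names are this example's own assumptions. It enforces a preventive access-rights check on changes to supplier master data, records every attempt (allowed or refused) in a log where each entry commits to the hash of the previous one, and shows that editing or deleting an entry afterwards is detected.

```python
import hashlib
import json

# Assumed access matrix (this example's own): which role may change which
# supplier master-data field. Bank details are the high-risk field, because
# changing them redirects every later payment to that supplier.
PERMISSIONS = {
    "finance_admin": {"supplier.name", "supplier.bank_account"},
    "purchasing_clerk": {"supplier.name"},
}

GENESIS = "0" * 64   # hash value the first entry chains from


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ChangeLog:
    """Hash-chained change log: each entry's hash covers its own content and
    the previous entry's hash, so editing, deleting or reordering an entry
    after the fact makes verify() fail. Timestamps are omitted to keep the
    example deterministic; a real log would include them."""

    def __init__(self):
        self.entries = []

    def record(self, user, role, field, old, new, allowed):
        body = {
            "seq": len(self.entries),
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
            "user": user, "role": role, "field": field,
            "old": old, "new": new, "allowed": allowed,
        }
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry

    def verify(self):
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["seq"] != i or body["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def denied(self):
        """Detective view for periodic review: attempts the access check refused."""
        return [e for e in self.entries if not e["allowed"]]


class SupplierMaster:
    def __init__(self, log):
        self.log = log
        self.data = {"supplier.name": "Supplier A",              # constructed record
                     "supplier.bank_account": "12-34-56 00012345"}

    def change(self, user, role, field, new):
        """Preventive access-rights check; every attempt is logged, not just successes."""
        allowed = field in PERMISSIONS.get(role, set())
        self.log.record(user, role, field, self.data.get(field), new, allowed)
        if allowed:
            self.data[field] = new
        return allowed


if __name__ == "__main__":
    log = ChangeLog()
    master = SupplierMaster(log)
    print(master.change("carol", "purchasing_clerk", "supplier.bank_account", "99-99-99 00099999"))
    print(master.change("dave", "finance_admin", "supplier.bank_account", "99-99-99 00099999"))
    print("denied attempts:", [(e["user"], e["field"]) for e in log.denied()])
    print("log intact:", log.verify())
    log.entries[0]["allowed"] = True      # attacker rewrites history to hide the refusal
    print("log intact after tampering:", log.verify())
```

The refused attempt is the interesting line in a review: a purchasing clerk trying to change bank details is either a training issue or an early sign of a payment-diversion fraud, and it is only visible because failures are logged too. The chain only proves integrity relative to its last hash, so that value must be stored somewhere the application's own administrators cannot rewrite, which is a general IT control rather than an application control.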

2.6 Internal Controls and Assurance

In an assurance engagement, the strength of internal controls affects:

  • The risk of misstatement.
  • The level of testing required.
  • The reliance auditors can place on system-generated information.

Strong internal controls, once tests of controls confirm they operate as designed throughout the period, allow reduced substantive testing (see section 5.5).

Weak internal controls, or strong controls that cannot be shown to have operated, mean increased substantive testing (see section 5.5).

Test Your Understanding – Quick Check
  1. What are the three objectives of internal control?
  2. Give one example of a preventive control and one example of a detective control.
  3. Why is segregation of duties important?
  4. How do strong IT controls benefit the assurance process?