Exploratory Study on the Importance of Internal Control in Auditing

The main goal of internal controls is to protect, achieve, and support an organization's objectives. Internal control plays a crucial role in ensuring effective and efficient operations, reliable financial reporting, and compliance with laws and regulations. The COSO framework provides a comprehensive guide for implementing effective internal control measures. Weak internal control can lead to poor company performance and low-quality accounting. Internal control is closely linked to the audit process, and auditors rely on internal control systems to ensure the accuracy and reliability of financial statements. There are three types of control - preventive, detective, and corrective - that help mitigate risks and address issues. Several determinants contribute to the effectiveness of internal control systems, but there are limitations to these systems, such as the difficulty of preventing or detecting errors and fraud. This research is intended to address the challenges and improve the effectiveness of internal control systems.


Introduction
The research in the domain of Internal Control (IC) is growing and has examined various aspects of the study area, including the creation and execution of internal controls.Nevertheless, ongoing scandals and failures in numerous companies worldwide (such as Enron and WorldCom) demonstrate that the problem of risk and how to minimize it through internal control efforts is still unresolved (Cachay et al., 2022).The concepts of internal control and management control are closely linked.Management control is focused on guiding organizations toward achieving their short-term and long-term objectives within their organizational environment (Abernethy et al., 2022).Internal control plays a role in this by ensuring that operations are effective and efficient, financial reporting is reliable, and compliance with laws, regulations, and policies is maintained (Alaraji, 2020).Internal control is the mechanism by which organizations create an environment that promotes honesty and discourages fraudulent behavior by both management and employees.The various aspects of an organization's internal control are assessed during the planning stage of an independent financial statement audit (Fadzil et al., 2005).In the fields Vol 14, Issue 6, (2024) E-ISSN: 2222-6990 To Link this Article: http://dx.doi.org/10.6007/IJARBSS/v14-i6/21376DOI:10.6007/IJARBSS/v14-i6/21376 Published Date: 12 June 2024 of accounting and auditing, internal control is a process that ensures an organization achieves its goals in terms of operational effectiveness, efficiency, accurate financial reporting, and compliance with laws, regulations, and policies.Internal control is a broad concept that encompasses all measures taken to manage risks within an organization.It involves integrating the activities, plans, attitudes, policies, and efforts of department employees to provide reasonable assurance that the department will successfully fulfill its mission (Piskunov & Tarasova, 2021).The internal control system can be broadly defined as a system that aims to protect a company's assets, ensure the accuracy and reliability of accounting information and reports, and improve operational effectiveness.It includes various methods and assessments to determine if operations align with management policies, establishes a chart of accounts and reporting system, and defines duties, authority, and responsibilities within the organization.Essentially, it is a process created and implemented by management and employees to provide reasonable assurance in achieving specific objectives (Kamil & Ahmed, 2020).
According to COSO, it is a set of methods controlled by senior management and the board of directors to provide limited assurance in financial reporting reliability, operational effectiveness and efficiency, and compliance with laws and regulations.Researchers describes internal control as a comprehensive system of controls, both financial and nonfinancial, established for conducting business, including internal checks, internal audits, and other control measures (Kabuye et al., 2019).Internal control, which is one of the primary responsibilities of management, involves overseeing operations to ensure they are carried out as intended.If any deviations occur, the control process identifies the reasons behind them and takes appropriate actions to rectify the situation (Younas & Kassim, 2019).This is a review paper that focuses on the importance of internal control in auditing.The paper highlights the background of internal control and its development, followed by a discussion on the weak internal control and possible reasons, internal control and auditing, types of control, Effective internal control determinants, limitations of internal control, and finally conclusion.

Background
The concept of internal control has its roots in the early 20th century in the US, when financial statement audits were first introduced.However, the interpretation of internal control has evolved over time due to changes in the business environment.The concept originated during the Spanish-American war, which brought significant changes to the US business environment (Vandervelde et al., 2012).This led to the introduction of "sample testing" and the establishment of system checks, marking the birth of internal control.In the 1930s and 1940s, financial statement audits became mandatory, with auditors inspecting financial statements for compliance with laws and principles (Younas, 2022).As businesses grew larger and more complex, the importance of business management in the auditing process became evident (Younas & Kassim, 2019).
In 1949, the American Institute of Certified Public Accountants (AICPA) published a special report on internal control, highlighting the importance of safeguarding assets and ensuring the accuracy of financial data (Piskunov & Tarasova, 2021).This report expanded the scope of management function and auditor responsibility.In 1977, following the Watergate and Lockheed scandals, internal control became mandatory for the first time through the Foreign Corrupt Practices Act (FCPA).At this point, internal control had become an essential tool in the audit process.In 1980, the AICPA Treadway Commission issued a report on fraudulent financial reporting, further emphasizing the importance and necessity of internal control (Koo & Ki, 2020).Finally, in 1992 COSO framework (Committee of Sponsoring Organizations of the Treadway Commission) was developed with the aim of creating effective control systems (Younas & Kassim, 2019).The purpose of this framework was to improve the internal control systems of companies of all sizes.It was believed that implementing this framework would help organizations reduce deviations and adopt best practices, ultimately leading to the achievement of their objectives (Alaraji, 2020).COSO consists of five interconnected components: control activities, control environment, information and communication, risk assessment, and monitoring.In 2013, COSO's Board of Directors added 17 internal control principles to the existing five components, recognizing their significance in assessing the overall effectiveness of the framework (Henk, 2020).

a. Control Environment
The control environment is crucial for internal control as it sets the overall tone of the organization and influences how employees perceive and prioritize control measures.It serves as the foundation and structure for planning, organizing, leading, and controlling within the organization (Kupec et al., 2021).The responsibility for carrying out these functions lies with top managers, who ensure that the system operates effectively and that policies are implemented throughout the organization.According to COSO (2013), there are five key principles that are relevant to the control environment of a company: 1) Demonstrating a commitment to integrity and ethical values, and 2) Ensuring that the board of directors is independent of management and exercises oversight responsibility for internal control.3) Implementation of a well-functioning framework, which includes clear lines of communication and appropriate roles and duties.4) Dedication to attracting, nurturing, and retaining skilled staff members.5) Ensuring that employees are held accountable for their internal control obligations (Chang et al., 2020).

b. Risk Assessment
Risk assessment is the process of recognizing, examining, and responding to risks that come from both internal and external sources and pose a threat to the accomplishment of organizational goals.In order for businesses to thrive, they must all evaluate and address risks that arise from both within and outside the company (Vu et al., 2020).Regardless of the size of a business, it is exposed to risks such as competition, changes in customer behavior, regulatory changes, and shifts in the economic and political landscape.Therefore, managers should identify, analyze, and evaluate the potential impact these risks may have on their companies and take proactive measures to minimize their effects (Fadzil et al., 2005).According to COSO (2013), there are five fundamental principles that companies should follow when conducting effective risk assessments.These principles include clearly defining objectives to facilitate the identification and evaluation of risks related to organizational goals, identifying and analyzing risks to determine how they can be managed, considering the potential for fraud in relation to goal achievement, and identifying and evaluating changes that could impact internal control (Chang et al., 2020).

c. Control Activities
Control activities refer to the policies and procedures implemented by an organization to reduce the risk of not achieving its objectives.These measures ensure that management directives are followed and include various procedures such as approval processes, transaction verification, accounting record reconciliations, activity reviews, asset protection, and segregation of duties (Liu & Li, 2021).According to COSO, there are three fundamental principles of control activities: selecting and developing general control measures to mitigate risks, implementing control measures for technology to support objectives, and deploying control activities through policies and procedures (Chalmers et al., 2019).

d. Information and Communication
According to COSO (2013), managers need information at all levels of organizations to help them achieve organizational goals.For this information to be successful, it must be of high quality and be distributed throughout the entire organizational structure in a timely and effective manner.Information systems are tools that are used to improve compliance, financial reporting, and operational efficiency processes (Park et al., 2021).Information systems deal with both internal and external data.Information from both within and outside of companies enhances the decision-making processes in business (COSO, 1992).Effective communication should flow down, up, and across the different levels of hierarchy within companies (Janvrin et al., 2012).When top management communicates information, it should be clear, and authentic, and promote inclusiveness and responsibility.This should also involve empowering and delegating when appropriate.Communication should not only be one-way, but employees should also have effective means to communicate information to top management.Successful communication should also involve external stakeholders (Nguyen, 2020;Vu et al., 2020).According to COSO (2013), there are three basic principles of effective communication; 1) Using relevant information to support the functioning of other internal control components.2) Internally communicating the necessary information to support the functioning of other internal control components.3) Communicating with external parties about matters that affect the functioning of other internal control components (Park et al., 2021).

e. Monitoring
Monitoring is the process of checking if all aspects of internal control, including the principles within each aspect, are in place and working as intended.It assesses how well the internal control system is meeting organizational objectives by consistently evaluating and monitoring the company's performance (Babel & Heda, 2017).This can be achieved by having a proactive management team that collaborates with subordinates to address deficiencies and identify potential issues.The scope and frequency of evaluation and monitoring procedures should be determined based on risk assessment.The last two principles of COSO involve conducting ongoing evaluations to ensure internal control components are present and functioning correctly and promptly communicating any deficiencies to those responsible for corrective action, such as senior management and audit committees (Christensen, 2022).

Weak Internal Control and Possible Reasons
The definition of a high-quality internal control system remains unclear, despite its importance.Regulators around the world have targeted different aspects, such as board oversight and audit committee expertise, but the design of internal controls varies greatly among organizations (Koo & Ki, 2020;Younas & Kassim, 2022).Previous research has primarily focused on identifying when internal controls are ineffective, meaning they cannot ensure error-free financial statements or prevent management influence.These ineffective controls are commonly referred to as "material weaknesses" and can be categorized as either account-specific or company-wide (Park et al., 2021).Although weaknesses in individual accounts can be examined and verified, weaknesses at the company level are more challenging to assess.These weaknesses not only raise doubts about management's capability to produce accurate financial reports but also question their ability to effectively manage the business.The causes of these weaknesses also vary, with accountspecific weaknesses stemming from specific attributes, while company-wide issues arise from a lack of resources or experience to maintain comprehensive control systems (Kupec et al., 2021).While it is possible to analyze and confirm weaknesses in individual accounts, it is more difficult to evaluate weaknesses at the company level.These weaknesses not only cast doubt on the management's competence in generating accurate financial reports but also raise concerns about their ability to efficiently run the business (Caplan, 1999).The reasons behind these weaknesses differ as well, with weaknesses in specific accounts being a result of particular characteristics, while broader issues at the company level stem from a lack of resources or expertise in maintaining comprehensive control systems (Leng & Zhang, 2014).Research indicates that the reporting of existing material weaknesses is influenced by both the motivation to detect and disclose them, as well as the governance environment of the company.Studies suggested that inadequate commitment of resources for accounting controls is often associated with poor internal control (Vandervelde et al., 2012).Based on the COSO framework, it is expected that weaknesses in internal controls will lead to poor company performance and low-quality accounting.As a result, there has been a significant amount of research examining the impact of weak internal controls (Janvrin et al., 2012;Park et al., 2021).One area of research specifically looks at the quality of financial reporting and consistently finds that defective internal controls have a negative relationship with the accuracy and reliability of financial statements.

Internal Control and Auditing
Executives who are primarily responsible for internal controls, the audit committee, and the board of directors also have a role in monitoring internal controls.According to SEC regulations, external auditors are also interested in internal controls and have been required to consider them in audits since 1941.The audit risk model states that auditors lower audit risk by evaluating the inherent and control risks and deciding on the appropriate number of substantive tests and reliance on the client's internal control system (Christensen, 2022).Internal control in auditing is a crucial part of the overall audit process.The internal control system helps auditors provide the highest level of assurance to stakeholders regarding the accuracy and reliability of financial statements.The audit of internal control over financial reporting is closely linked to the audit of financial statements (Liu & Li, 2021).There are several steps involved in the external auditor's audit process for an organization, and internal control plays a significant role in these steps.Auditors gain an understanding of the client and its operating environment, including the internal control system, and perform various audit procedures.They use risk assessment procedures and gather evidence to assess the risk of significant errors or misstatements (Christensen, 2022).It is the auditor's responsibility to comprehend the business environment and management structure, as well as gather sufficient information about management's approach and actions regarding the control environment (Park et al., 2021).Auditors should also understand how the client identifies and addresses business risks, which helps them identify the risk of significant errors or misstatements.Additionally, auditors need to actively monitor the organization's structure for any changes that could potentially lead to information manipulation (Chalmers et al., 2019).The purpose of internal control is to assist the organization in attaining its desired goals or objectives.The COSO Framework plays a crucial role in implementing internal controls and facilitating the achievement of these goals through enhanced organizational performance and governance.It is essential for all structures within the organization to adhere to the principles of internal control.These principles should also be applicable and suitable for the specific organization.By following these principles, the organization can establish valuable and effective internal control measures (Janvrin et al., 2012).

Types of Control
There are three types of control: preventive, detective, and corrective.Preventive measures are mechanisms that forecast potential issues in advance and proactively make adjustments.They serve to thwart the occurrence of errors, omissions, or malicious actions.Illustrative instances of preventive measures encompass employing well-structured documents to forestall errors, establishing appropriate procedures for transaction authorization, and exclusively deploying qualified personnel, such as the segregation of duties (Koo & Ki, 2020).As per the 2012 Office of Internal Audit and Institutional Risk Management definition, these are intended to uncover errors or irregularities after they have already taken place.Examples of detective measures include; Performance Reviews refer to management conducting comparisons of current performance against budgets, forecasts, prior periods, or other benchmarks (Chang et al., 2020).This assessment helps gauge the degree to which goals and objectives are being met and identifies unexpected results or unusual conditions that warrant further examination.Whereas reconciliation refers to an employee correlating various sets of data with one another, detecting disparities, and initiating an investigation followed by corrective action when deemed necessary (Caplan, 1999).These measures are aimed at reducing the consequences of a threat, pinpointing the root cause of an issue, rectifying errors stemming from the problem, and addressing issues uncovered by detective measures.They also involve adjustments to the processing system(s) to reduce the likelihood of future problems.Corrective measures aim to return the system or process to its state before a harmful event occurs (Hamshari et al., 2021).For instance, in a scenario where evidence indicates that payment data has been tampered with, a business might carry out a complete system restoration from backup tapes.

Effective Internal Control Determinants
Several researchers pointed out the various determinants of effective control systems.These determinants are documentation, verification, supervision, safeguarding assets, personal controls, and reporting (Koo & Ki, 2020).Documentation is an essential tool for an effective internal control system.The documentation required to be complete, accurate, and recorded in time which assists managers in controlling operations (Kabuye et al., 2019).Verification is another important determinant of an internal control system which refers to competencies, accuracy, validity, and authenticity of information.Verification enables management to ensure that activities are being done in accordance with directives (Park et al., 2021).Another important element is supervision which allows professionals to plan and manage governance activities and ensure the minimum errors.Duties are clearly communicated, and responsibilities are visibly assigned to all members (Wang et al., 2021).Safeguarding assets is another important factor of an internal control environment where restricted access to resources and information assists in reducing unauthorized use or loss of assets (Zhang, 2022).Another important determinant of internal control is personal control which highlights the importance of perceptions of personal control and the people around the control system of the organization.The last important determinant of effective control is reporting, which is a means of communication (Christensen, 2022).Reporting helps in monitoring when providing information about achievements of goals, end results, and specific issues.

Limitations of Internal Control
Internal controls provide reasonable assurance that the management's objectives in establishing the system are achieved.However, there are limitations to internal control systems.These limitations include the difficulty of preventing or detecting errors and fraud when there is collusion between multiple individuals.Control can also be bypassed through fraudulent collusion with external parties or employees of the organization.Additionally, there is a risk that the person responsible for exercising control may abuse their authority, such as in the case of authorization controls being misused (Fadzil et al., 2005).The financial accountability handbook also highlights limitations such as controls being primarily focused on usual transactions, potentially allowing unusual transactions to escape rigorous control.Collusion by staff for personal gain or other motives, as well as the potential for human error, are also factors that can undermine control systems.These errors can be caused by the stress of the working environment, staff taking shortcuts instead of following procedures, carelessness, poor judgment, or lack of knowledge (Chang et al., 2020).Lastly, controls must be cost-effective, as the cost of implementing control procedures should not outweigh the potential loss due to fraud or error.

Conclusion
The research in the domain of internal control is growing and has examined various aspects of the study area.However, ongoing scandals and failures in numerous companies worldwide demonstrate that the problem of risk and how to minimize it through internal control efforts is still unresolved.Internal control plays a crucial role in ensuring that operations are effective and efficient, financial reporting is reliable, and compliance with laws, regulations, and policies is maintained.The COSO framework provides a comprehensive guide for implementing effective internal control measures.The control environment, risk assessment, control activities, information and communication, and monitoring are key components of internal control.Weak internal control can lead to poor company performance and lowquality accounting.Internal control is closely linked to the audit process, and auditors rely on internal control systems to provide assurance regarding the accuracy and reliability of financial statements.There are three types of control -preventive, detective, and corrective -that help mitigate risks and address issues.Several determinants contribute to the effectiveness of internal control systems, including documentation, verification, supervision, safeguarding assets, personal controls, and reporting.However, there are limitations to internal control systems, such as the difficulty of preventing or detecting errors and fraud, the potential for collusion, the risk of abuse of authority, and the potential for human error.Overall, internal control is a critical aspect of organizational management and governance, but ongoing research and efforts are needed to address the challenges and improve the effectiveness of internal control systems.