Chapter 5 Audit
1. The importance of Internal Control
The responses at the assertion level involve the auditor selecting appropriate audit procedures
according to the assessment of:
a. Inherent risk
b. Control risk
Internal control is a process. It is a means to an end, not an end in itself. Internal control is
affected by people. It’s not merely policy manuals and forms, but people at every level of an
organization. It is also dynamic, operating every day within an entity’s operating structure, which
evolves as the entity and its environment constantly change. Internal control can be expected to
provide only reasonable assurance, not absolute assurance. Internal control is geared to the
achievement of objectives in one or more separate but overlapping categories. Internal Audit’s
responsibilities include internal controls over strategy and operating effectiveness and regulatory
compliance, as well as reliability of financial reporting.
Internal controls form part of the internal control system. Internal control is designed to achieve
management objectives in three categories. In the financial reporting category, the management
objectives are related to producing reliable financial reports and safeguarding assets. In the
operations category, some examples of management objectives are maintaining a good business
reputation, ensuring a positive return on investment, increasing market share, promoting new
product innovation, and using assets effectively and efficiently. In the compliance category, the
broad management objective is to comply with laws and regulations that affect the entity.
External auditors are primarily concerned with the financial reporting category.
Some controls related to operations and compliance can also be relevant to the external audit. For
example, controls over the completeness and accuracy of key nonfinancial information such as
scrap reports can be relevant if the audit team uses such information in completing their
analytical procedures or to provide evidence about the valuation assertion for inventory.
Compliance controls related to laws and regulations directly affecting the financial statements
(e.g., income taxes) are also relevant to the external audit.
The internal control audit is conducted along with the financial statement audit as part of
an overall integrated audit process. In essence, the public accounting firm employs one
integrated audit process that culminates in the issuance of two opinions: one on the
entity’s financial statements and one on the effectiveness of the entity’s internal control
over financial reporting. Under the ‘system based approach’ the auditor relies on the
accounting systems and the related controls to ensure that transactions are properly
recorded: if the systems and internal controls are adequate, the transactions should be
processed correctly.
Internal auditors' responsibilities typically include ensuring the adequacy of the system of
internal control, the reliability of data, and the efficient use of the organization's
resources. Internal auditors identify control problems and develop solutions for
improving and strengthening internal controls. Internal auditors are concerned with the
entire range of an organization's internal controls, including operational, financial, and
compliance controls.
The audit team should evaluate whether the client has implemented control activities that are
specifically designed to address each fraud risk identified during the planning stage.
These might include control activities that are designed to address risks of fraud to
specific financial statement accounts or more generally, control activities that are
designed to promote a culture of honest and ethical behavior. For example, the audit team
should evaluate the controls related to the use of period-end journal entries, which have
been used in the past to commit frauds at companies. Internal control will also be
evaluated by the external auditors. External auditors assess the effectiveness of internal
control within an organization to plan the financial statement audit. In contrast to internal
auditors, external auditors focus primarily on controls that affect financial reporting.
External auditors have a responsibility to report internal control weaknesses (as well as
reportable conditions about internal control) to the audit committee of the board of
directors.
The auditors evaluate the effectiveness of the internal control structure of a business
organization and determine whether business policies and activities are followed
properly. An effective internal control structure relies on the organization’s communication
network for its execution, and all officers and employees are part of that network.
The degree of reliance on the system depends upon the effectiveness of the internal control
system; therefore, the auditor should review and evaluate the internal control system of
an organization in order to prepare the audit program. The auditor should try to reach a judgment
about how strong (or weak) the internal controls are, in order to decide the amount of
testing that should be carried out in the audit.
The degree of effectiveness of an internal control system will depend on the following
two factors:
The final reason for evaluating an entity’s internal control is to assess the
risk of material misstatement (RMM) for each relevant assertion. The
assessment of RMM at the assertion level is completed for all financial
statement audits in order to give the audit team a basis for planning the
audit and determining the nature, timing, and extent of further audit
procedures to be conducted for the financial statement audit.
RMM is composed of inherent risk and control risk. Inherent risk is the
susceptibility of an account to misstatement. The control risk is the probability
that an entity’s controls will fail to prevent or detect material misstatements due to
errors or frauds that would otherwise have entered the system. The audit team
assesses control risk to determine RMM for each relevant assertion identified in
the audit plan; the higher the assessment of control risk, the higher the assessment
of RMM. Most audit teams express their control risk assessment decision with
descriptive terminology (e.g., high, moderate, low), which recognizes the
imprecise nature of evaluating risk. An audit team’s assessment of control risk as
high implies that the controls are not effective at preventing or detecting material
misstatements and could not be relied upon by the audit team.
The auditor may therefore:
a) Test the underlying internal control systems themselves, using tests of controls
b) Perform some tests on the transactions and balances in the financial statements.
Where the system of control is weak, the auditor will have to carry out extensive substantive
procedures; this approach is called the transaction-based approach.
The audit team assesses control risk to determine RMM for each relevant assertion
identified in the audit plan. The higher the assessment of control risk, the higher the
assessment of RMM. In this situation, the audit team would more likely use substantive
tests of details designed to obtain the highest quality of external evidence (nature) at or
near the entity’s fiscal year-end (timing) with large sample sizes (extent).
When the internal controls are strong, the auditor will carry out tests of controls and needs a
smaller amount of substantive procedures; this approach is called the system based
approach.
An audit team’s assessment of control risk as low implies that the controls are effective at
preventing or detecting material misstatement and could possibly be relied upon by the
audit team. In this situation, the audit team might be able to use tests of detail or a less
time-consuming substantive analytical review to obtain external evidence (nature) at an
interim date before the entity’s fiscal year-end (timing) with much smaller sample sizes
(extent).
2. The elements of Internal Control
Internal Audit also pursues these objectives as part of the internal monitoring system. An
internal control system is shaped by the characteristics of different internal control components,
which are necessary to achieve the above key objectives.
1. Control environment
2. Risk assessment
3. Information system and communication
4. Control activities
5. Monitoring of Controls
The five components should not operate independently of each other. Instead, they should be
considered as working in an interrelated manner to support the internal control system’s overall
effectiveness.
The auditor should confirm that his understanding is correct by performing ‘walk-through’
tests on each major transaction type.
Walk-through testing involves the auditor selecting a small sample of transactions and
applying the procedures to them in order to test whether his understanding of the process
is correct.
The ‘control environment’ is often regarded as the general ‘attitude’ to internal control of
management and employees in the organization. The control environment sets the tone of
the organization. It is the foundation for all other components of internal control. It
provides discipline and structure to all participants and stakeholders. Control
environment factors include the integrity, ethical values, and competence of the entity’s
people.
Sound integrity and ethical values, particularly of top management, are developed
and understood and set the standard of conduct for financial reporting. These
include essential elements which influence the effectiveness of the design,
administration and monitoring of controls.
The proper functioning of any system depends on the honesty of those operating
it. The personal characteristics of the personnel involved are important features in
establishing and maintaining a system of internal control.
Commitment to competence
The company retains individuals who are competent in financial reporting and
related oversight roles. Management's consideration of the competence levels for
particular jobs and how those levels translate into requisite skills and knowledge
are considered. The proper functioning of any system depends on the competence
of those operating it. The qualifications, selection and training of the personnel
involved are important features in establishing and maintaining a system of
internal control.
Participation of management
Organizational structure
The auditor shall assess whether these elements of the control environment have been
implemented using a combination of enquiries of management and observation and inspection.
Without a strong control environment, the control system as a whole is likely to be weak.
The control environment has a “pervasive” effect on the reliability of financial reporting
because control environment impacts all other components of an organization’s internal
control system. Because the control environment sets the overall foundation for internal
control, professional auditing standards require an auditor to obtain an understanding of
the control environment on all engagements. The results emphasize the importance of
both the tone at the top and the functioning of its board of directors and the audit
committee of that board to the control environment.
Significant business risks are any events or omissions that may prevent the entity
from achieving its objectives.
The entity faces business risk. Business risks are factors, events, and conditions that can
prevent the organization from achieving its business objectives, including effective
financial reporting. Management must first clearly articulate its objectives in order to identify
and assess the risk of the company failing to meet them. These range from overall
strategy to specific entity- and activity-level objectives.
Management should take steps to identify risks, estimate their significance and
likelihood, and consider how to manage the risks. By setting management objectives,
management can identify critical success factors and institute policies and procedures to
ensure that they are met.
In completing their work, the audit team members seek to understand whether
management is specifying financial reporting objectives with sufficient clarity and
criteria to enable the identification of risks of material misstatement in financial
reporting, in particular due to fraud.
The department in which a risk arises needs to be identified. A risk can arise in any
department: for example, poor advertising from the marketing department, cash flow
volatility from purchasing, poor logistics from supply chain management, or the HR
department hiring unqualified employees and so reducing the efficiency of the business;
the finance and operations departments carry risks of their own. Potential problems can be
identified by reviewing goals and objectives, and potential problem areas can be
determined by:
Assessing risks
Assessing risk means deciding whether the risks are significant. An audit client’s
risk assessment process should relate to all its objectives. The professional
standards require the auditor to specifically gain an understanding of the process
as it relates to financial reporting risks, including fraud risk. When gaining such
an understanding, the auditor should determine whether management is actually
assessing the likelihood of fraud risks and how they are managing such risks.
Risks are assessed in terms of likelihood, that is, the chance of the risk occurring.
Likelihood is multiplied by significance to identify the risks that would cause the most
damage or expense for the company.
Managing risks:
Once risk is identified, the audit team also would like to see that management has
a basis for determining how to manage the identified risks. Managing risk means
developing and implementing controls and other measures to deal with those
risks.
The information system is used to reduce risk. A written narrative or flow chart can be
used to explain how a problem is supposed to be handled, by describing each activity or
transaction within the cycle.
Review the information available in policy and procedure manuals to find out how risk is
reduced. Written materials such as organizational charts, job descriptions, reviews,
checklists, department records, and reports can also be used to review the methods used
to reduce a problem. Supplementing written sources with conversations with, and
observations of, appropriate staff can help in suggesting ways to reduce risk. Once the
problem is identified and reduced, communicate the process to be sure every action to
reduce risk is understood.
If the entity has established such a process, the auditor shall obtain an understanding of it. If
there is not a process, the auditor shall discuss with management whether relevant business risks
have been identified and how they have been addressed.
Industry developments may pose a risk. For example, a potential related business
risk might be that the company does not have the personnel or expertise to deal
with the changes in the industry. Changes in the nature of the entity's business may
also pose risks, for example in its products and services, the complexity of its capital
structure, the significance of related parties, and the number of locations and
geographical spread of its production facilities.
New personnel
Risk increases during a time of change, for example turnover in personnel. The
quality of personnel should be commensurate with their responsibilities and duties.
If it is not, a risk is imposed on the business. New personnel may need to be
considered while answering the following questions:
Rapid growth
A business may have a problem coping with the changing and developing world.
For example, the company may have a rigid top management that does not want to
develop with the changing world. This may cause problems in attracting business and
expanding.
New technology
The world is a developing and changing place, and new technologies are constantly
being introduced. Businesses that do not adopt new technologies may have difficulty
competing. They may face losses, and their customers may move to a competitor
because of the competitor’s ability to adapt to the changing world.
New business models, products or activities
New products and services, for example, a potential related business risk might be
that the new product or service will not be successful.
Corporate restructurings
The effects of implementing a strategy, particularly any effects that will lead to
new accounting requirements may pose a risk. Financing requirements may pose a
risk. For example, a potential related business risk might be the loss of financing
due to the company’s inability to meet financing requirements.
This aspect of the auditor’s work will involve identifying and understanding the
following:
The classes of transactions in the entity's operations that are significant to the
financial statements are considered.
How these transactions and other events relevant to the financial reporting
process are ‘captured’ by the entity;
Communication also involves expectations, responsibilities of individuals and
groups, and other important matters. Specific duties must be made clear, and
people need to know how their activities relate to the work of others. People also
need to know what behavior is expected. The auditor shall obtain an
understanding of how the entity communicates financial reporting roles and
responsibilities and significant matters relating to financial reporting. Controls
surrounding journal entries, including non-standard journal entries used to record
nonrecurring, unusual transactions or adjustments are considered.
The procedures, within both IT and manual systems, by which those transactions
are initiated, recorded, processed, corrected, transferred to the general ledger and
reported in the financial statements are considered.
The accounting records used, both manual and computerized, to support the
figures appearing in the financial statements;
The financial reporting process used to prepare the entity's financial statements,
including significant accounting estimates and disclosures, is considered. The
external reports are the financial information for outside investors, creditors, and
others. Auditors often follow the audit trail from source documents forward and
backward, identifying and testing relevant control activities along the way. They
follow it backward from the financial reports to the source documents to
determine whether everything in the financial reports is supported by appropriate
source documents (the occurrence assertion). They follow it forward from source
documents to reports to determine whether everything that happened (i.e.,
transactions) was recorded in the accounts and reported in the financial statements
(the completeness assertion).
Once risks to management’s objectives have been identified, internal control activities need to be
established to eliminate, mitigate, or compensate for the risks. Control activities are specific
actions a client’s management and employees take to help ensure that management’s directives
are carried out.
The professional standards require the audit team members to document their understanding of
the internal control system, which includes their understanding of whether management has
implemented control activities that are sufficient to address the risks of material misstatement for
each relevant assertion.
The audit team members begin the process by considering what they learned about the internal
control activities as they were gaining an understanding of the other components of the internal
control system in particular, the control environment and risk assessment. The next step in the
process requires the audit team members to document their understanding of the extent to which
each of the client’s control activities has been designed to support a relevant financial statement
assertion by mitigating a risk of material misstatement. If their assessment is positive, the audit
team might want to consider testing the control activity in the hopes of relying on it to reduce
substantive testing for the relevant assertion that was supported.
Policies and other procedures included in the control environment are used to ensure
that the entity’s objectives are achieved. Have the policies related to reliable financial
reporting been documented and communicated throughout the company?
Control procedures may be divided into two elements: a policy establishing what should
be done and procedures to effect that policy. A policy, for example, might be that a
securities dealer retail branch manager must monitor customer trades. The control
procedure is a review of a computer printout of daily trade activities by the customer,
performed in a timely manner and with attention given to the nature and volume of
securities traded. Control procedures implement the control policies through specific routine
tasks, performed at particular times by designated people, who are held accountable by adequate
supervision and evidence of performance.
Financial reporting control activities are imposed on the accounting system for the purpose of
preventing, detecting, and correcting errors and frauds that could enter and flow through to the
financial statements.
Preventive controls are designed to stop errors or anomalies from occurring. Preventive
controls are procedures that prevent misstatements before they occur; they include hiring
competent people, limiting access, requiring approval, separating duties, etc.
Preventive controls are preferable to detective controls.
Detective controls are designed to find errors or irregularities after they have occurred.
Detective controls are procedures that detect misstatements after they occur.
In some sense, all control activities can be thought of as preventive controls because the
possibility of being caught by a detective control might prevent someone from committing an
error or a fraud.
Exception reports are computerized reports to identify unexpected results or unusual
conditions that require follow-up.
Reconciliation occurs when an employee relates different sets of data to one another,
identifies and investigates differences, and takes corrective action when necessary.
Periodic audits: Both internal audit and independent external audit are done to detect
error, irregularities and non-compliance with laws and regulations.
Corrective Controls are designed to prevent errors and irregularities from recurring once
they are discovered. For example:
Policies and procedures for reporting errors and irregularities so they can be
corrected
Performance reviews: These include reviews and analyses of actual performance against
budgets, forecasts and prior period performance, most done by management as
Management Control.
Performance reviews are independent checks on performance by a third party not directly
involved in the activity. Sometimes called internal verification, these reviews
include reviews of actual performance versus budgets; surprise checks of procedures;
periodic comparisons of accounting records and physical assets; and a review of
functional or activity performance.
Management has primary responsibility for ensuring that the organization’s objectives are
being met. Performance reviews require management’s active participation in the
supervision of operations. Management’s study of budget variances with follow-up action
is an example of a performance review. Management that performs frequent performance
reviews has more opportunities to detect errors in the records than management that does
not. The frequency, of course, is governed by the costs and benefits.
Application controls
General IT controls
General controls are policies and procedures that relate to many
applications and support the effective functioning of application controls by
helping to ensure the continued proper operation of information systems.
Some examples of general controls are controls over data center and
network operations, controls over system software acquisition, controls
over access to the computer software (password controls), change and
maintenance controls, access security, and application system acquisition
and development controls. A good example of a general control in
accounting software is an error message if there is a problem in using the
operating system (e.g. “Please insert a CD-ROM in Drive D”). In manual
systems, general controls are controls over proper authorization of
transactions and activities.
Physical Controls: These include controls over the physical security of assets and records
to prevent unauthorized use, theft or damage.
Physical controls are procedures to ensure the physical security of assets. Assets and
records that are not adequately protected can be stolen, damaged, or lost. In highly
computerized companies damaged data files could be costly or even impossible to replace.
For these reasons only individuals who are properly authorized should be allowed access
to the company’s assets.
Direct physical access to assets may be controlled through physical precautions, for
example: storerooms guard inventory against pilferage; locks, fences and guards protect
other assets such as equipment; and fireproof safes and safety deposit vaults protect assets
such as currency and securities.
Physical access to assets and important records, documents, and blank forms should be
limited to authorized personnel. Assets such as inventory and securities should not be
available to persons who have no need to handle them. Likewise, access to records should
be denied to people who do not have a record-keeping responsibility for them. Some blank
forms are very important for accounting and control, and their availability should be
restricted. For example, someone not involved in accounting for payroll should not be able
to pick up blank time cards. Only authorized persons should be able to obtain blank
checks after signing for them. Sometimes access to blank forms is the equivalent of access
to an important asset. For example, someone who has access to blank checks has a
measure of actual custody and access to cash.
One part of the sales system at Dolally operates as set out below:
Orders are received by telephone. On receipt of an order a clerk enters the details into the
system.
The system checks that the goods are available and, if so, a despatch note is produced
and e-mailed to the distribution centre.
Distribution centre staff pack the goods and despatch them with two copies of the
despatch note.
On receipt of the goods the customer signs the despatch notes and one copy is returned
to the accounts department at Dolally.
The accounts department flag up the despatch note on the system to indicate that the
goods have been delivered and the system automatically produces an invoice and e-mails
it to the customer.
An exception report of un-invoiced despatch notes is produced weekly.
Required
Set out an example of each of the above five types of control activities set out in ISA 315 as
they might operate in Dolally’s system.
Performance reviews: Management should compare budgeted sales to actual sales on a
monthly basis (provided that the budgets are reliable, this would detect where significant
sales had not been recorded).
Information processing – application: Manual follow up of the exception report of un-
invoiced despatch notes.
Information processing – general IT: Controls over the development and testing of the
sales system to ensure it will lead to accurate processing (such as documentation and
testing of any changes to programs).
Physical controls: access controls over the sales price master files, such as access only
being possible via a high-level password known only to senior employees (such as the
sales director). As invoices are produced automatically by the system, it is important that
the integrity of this file is maintained.
Segregation of duties: Different employees should be responsible for taking and inputting
orders, despatching goods and flagging up the despatch note.
Tutorial note: There are a number of other possible examples other than those set out
above.
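As an added illustration (not part of the Dolally scenario or its model answer), the following Python implements the weekly exception report of un-invoiced despatch notes described above, and extends it with the backward trace from invoices to despatch notes that the audit-trail discussion earlier in this chapter describes (occurrence versus completeness). The despatch notes, invoices, customer names, dates and the seven-day chase threshold are constructed sample data, not taken from the scenario.

```python
"""Detective controls over a Dolally-style despatch-to-invoice cycle.

Constructed example: the despatch notes, invoices and dates below are made up
for illustration and are not taken from the Dolally scenario itself.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class DespatchNote:
    number: str
    customer: str
    despatched: date
    delivered: bool  # True once accounts has flagged the signed copy as returned


@dataclass(frozen=True)
class Invoice:
    number: str
    despatch_note: str  # the despatch note the system invoiced against
    customer: str


# Constructed sample data (hypothetical names and numbers).
DESPATCH_NOTES = [
    DespatchNote("DN-1001", "Acme Ltd", date(2024, 3, 1), delivered=True),
    DespatchNote("DN-1002", "Bolt plc", date(2024, 3, 3), delivered=True),    # flagged, never invoiced
    DespatchNote("DN-1003", "Cog & Co", date(2024, 3, 10), delivered=False),  # signed copy not yet back
    DespatchNote("DN-1004", "Acme Ltd", date(2024, 3, 2), delivered=True),
]
INVOICES = [
    Invoice("INV-501", "DN-1001", "Acme Ltd"),
    Invoice("INV-502", "DN-1004", "Acme Ltd"),
    Invoice("INV-503", "DN-9999", "Dune SA"),  # no despatch note supports this invoice
]
AS_OF = date(2024, 3, 14)  # the date the weekly report is run


def uninvoiced_despatch_notes(notes, invoices, as_of, chase_after_days=7):
    """Weekly exception report (completeness): despatch notes with no invoice.

    Each row carries the age of the note and a follow_up flag: a note already
    flagged as delivered should have been invoiced automatically, so it needs
    immediate follow-up; an undelivered note is chased once it is older than
    chase_after_days.
    """
    invoiced = {inv.despatch_note for inv in invoices}
    rows = []
    for note in notes:
        if note.number in invoiced:
            continue
        age = (as_of - note.despatched).days
        rows.append({
            "despatch_note": note.number,
            "customer": note.customer,
            "age_days": age,
            "delivered": note.delivered,
            "follow_up": note.delivered or age > chase_after_days,
        })
    rows.sort(key=lambda r: r["age_days"], reverse=True)  # oldest first
    return rows


def unsupported_invoices(notes, invoices):
    """Backward trace (occurrence): invoices that no despatch note supports,
    or whose customer differs from the despatch note they cite."""
    by_number = {n.number: n for n in notes}
    problems = []
    for inv in invoices:
        note = by_number.get(inv.despatch_note)
        if note is None:
            problems.append((inv.number, "no despatch note"))
        elif note.customer != inv.customer:
            problems.append((inv.number, "customer mismatch"))
    return problems


def run_report():
    """Both directions of the trace over the constructed data."""
    return {
        "uninvoiced": uninvoiced_despatch_notes(DESPATCH_NOTES, INVOICES, AS_OF),
        "unsupported": unsupported_invoices(DESPATCH_NOTES, INVOICES),
    }


if __name__ == "__main__":
    report = run_report()
    for row in report["uninvoiced"]:
        print("un-invoiced despatch note:", row)
    for inv, reason in report["unsupported"]:
        print("unsupported invoice:", inv, reason)
```

The forward direction is the control Dolally actually runs; the backward direction is what the auditor adds when testing the occurrence assertion, and it catches the invoice that no despatch note explains.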
Whether the audit client has taken full advantage of significant advances in information
technology, by using entirely automated control activities wherever this is efficient and
effective, is also considered when reviewing its use of IT.
General IT controls
The boards have developed an IT tool for analyzing and evaluating the internal controls,
which is intended to support compliance with the requirements of the applicable financial
framework reporting system. General IT controls are policies and procedures that relate
to many different applications.
General IT controls assure that access to the computer system is limited to people who
have a right to the information. Appropriate delegation of authority sets limits on what
levels of risk are acceptable and these limits determine the discretion of the employees
delegated to authorize the main types of business transactions. Authorization may be
general or specific. An example of general limits set by policy is product price lists,
inventory reorder points, and customer credit limits. Specific authorization may be made
on a case-by-case basis such as authorization of reduction in the price of a dress with
buttons missing in a retail-clothing store.
If General IT controls are weak, it is unlikely that the processing undertaken by the
system will be complete and accurate.
The auditor will therefore firstly review and test the general IT controls, in order to reach
a conclusion on their effectiveness.
If control risk is assessed as low, he will then move on and test application controls,
to decide if he can rely on specific systems and reduce his substantive testing.
Application Controls
Application controls apply to the processing of individual transactions. There are several
standard application controls. The chart of accounts is an important application control
because it provides the framework for determining the information presented in the
financial statements and budgets. The most widely applicable control device is the use of
serial numbers on documents and input transactions. Serial numbers provide control over
the number of documents issued. Checks, tickets, sales invoices, purchase orders, stock
certificates, and many other business papers use this control. Documents should be
recorded immediately because long periods between transaction and recording increase
the chance of misstatement. Systems manuals for computer accounting software should
provide sufficient information to make the accounting functions clear.
Example where authorization control is applied: Any customer of a bank can create and
use an identity (e.g., a user name) to log into that bank's online service but the bank's
authorization control must ensure that only you are authorized to access your individual
account online once your identity is verified.
Arithmetic controls check the arithmetic accuracy of records, for example checking
invoices from suppliers to make sure that the amount payable has been calculated
properly.
Accounting controls involve maintaining and reviewing accounts and trial balances. They
are built into accounting procedures to ensure the accuracy and completeness of
records.
Accounting controls ensure that all authorized transactions are entered in the
accounting records, that they are properly entered, and that they are not deleted or
amended without proper authorization.
Examples include entries in journals then ledgers, posting reference in journals, rotation
of accounting personnel, listing of mail receipts, cash register tapes, reconciliation of
bank statements, etc. Example of accounting control includes using control account
reconciliations to check the accuracy of trade receivables or trade payables.
Existence checks only allow data to be input for valid account codes. This is useful in a
sales or purchases system.
Sequence checks highlight gaps in data both within and between batches.
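The existence, sequence and arithmetic checks described above, run over a constructed batch of purchase invoices. This is an added example, not code from the course text; the supplier account codes, invoice numbers and amounts are constructed sample data.

```python
"""Application controls over a batch of purchase invoices: existence, sequence
and arithmetic checks. Added example; the supplier codes, invoice numbers and
amounts below are constructed sample data, not taken from the course text."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class Line:
    quantity: int
    unit_price: Decimal
    keyed_total: Decimal  # line total as entered by the operator


@dataclass
class Invoice:
    number: int
    account_code: str
    lines: list
    keyed_total: Decimal  # invoice total as entered by the operator


# Constructed supplier master file: the set of valid account codes.
VALID_ACCOUNT_CODES = {"S001", "S002", "S003"}


def existence_check(batch, valid_codes):
    """Existence check: report invoices whose account code is not on the master file."""
    return sorted(inv.number for inv in batch if inv.account_code not in valid_codes)


def sequence_check(batch, last_number_of_prior_batch):
    """Sequence check: report gaps within the batch and between it and the prior batch."""
    if not batch:
        return []
    present = {inv.number for inv in batch}
    highest = max(present)
    return [n for n in range(last_number_of_prior_batch + 1, highest + 1) if n not in present]


def arithmetic_check(batch):
    """Arithmetic check: recompute every line total and the invoice total."""
    failures = []
    for inv in batch:
        recomputed_total = Decimal("0")
        ok = True
        for line in inv.lines:
            expected = line.quantity * line.unit_price
            recomputed_total += expected
            if expected != line.keyed_total:
                ok = False
        if recomputed_total != inv.keyed_total:
            ok = False
        if not ok:
            failures.append(inv.number)
    return sorted(failures)


def run_batch_controls(batch, valid_codes, last_number_of_prior_batch):
    """Run all three controls and return the exceptions for review."""
    return {
        "invalid_account": existence_check(batch, valid_codes),
        "sequence_gaps": sequence_check(batch, last_number_of_prior_batch),
        "arithmetic_errors": arithmetic_check(batch),
    }


# Constructed batch; the prior batch ended at invoice number 999.
SAMPLE_BATCH = [
    Invoice(1001, "S001",
            [Line(10, Decimal("2.50"), Decimal("25.00"))], Decimal("25.00")),
    Invoice(1002, "S009",  # account code not on the master file
            [Line(1, Decimal("99.00"), Decimal("99.00"))], Decimal("99.00")),
    Invoice(1004, "S002",  # 1003 is missing; second line total mis-keyed
            [Line(3, Decimal("4.00"), Decimal("12.00")),
             Line(2, Decimal("7.25"), Decimal("14.00"))], Decimal("26.00")),
]

if __name__ == "__main__":
    results = run_batch_controls(SAMPLE_BATCH, VALID_ACCOUNT_CODES, 999)
    for control, exceptions in results.items():
        print(f"{control}: {exceptions}")
```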
For example, specific inventory controls are different from internal controls over payroll.
Segregation of duties
Segregation of duties seeks to prevent persons with access to readily realizable assets from being
able to adjust the records that record and thereby control those assets. This means dividing the
work to be done between two or more individuals. Segregation implies a number of people being
involved in the accounting process.
Purpose: work done by one individual acts as a check on the work of another, reducing the risk of
error or fraud. Duties are divided, or segregated, among different people to reduce the risks of
error or inappropriate actions. For instance, responsibilities for authorizing transactions,
recording them, and handling the related assets (called custody of assets) are divided.
It is more difficult for a person to commit fraud, because a colleague may identify the suspicious
transactions. This makes it more difficult for fraudulent transactions to be processed, since a
number of people would have to collude in the fraud. It is also more difficult for accidental
errors to be processed, since the more people are involved, the more checking there can be.
Segregation of duties is an essential element of control. Let us use the example of wages.
Authorization is required for hiring of staff and is a function of the personnel department. The
receipt of paychecks and issuance of them to the employees is handled by work supervisors. The
accounting department handles the recording of the time records and the payroll in the payroll
journals.
The purchasing of inventory involves several different tasks. Someone has to initiate a purchase
requisition for a new supply of inventory. Someone has to place a purchase order with a supplier.
Someone has to check that the items are delivered by the supplier. Someone has to record the
amount payable in the accounting system, and someone has to make the payment at the
appropriate time.
Control risks include the risks that inventory will be ordered when it is not needed, that the
supplier will not deliver any inventory or will deliver the incorrect quantity, or that the supplier
will be paid too much or will be paid for items that he has not delivered.
Additional controls will also be applied. Segregation of duties entails three fundamental
functions that must be separated and adequately supervised:
1. Authorization is the delegation of initiation of transactions and obligations on the company’s
behalf. For example, there should be authorization controls, and both the placing of a purchase
order with the supplier and the payment to the supplier should be authorized at an appropriate
level of management.
3. Recording is the creation of documentary evidence of a transaction and its entry into the
accounting records.
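The three functions above, applied to the purchasing cycle described earlier (requisition, purchase order, goods receipt, recording the payable, payment), as an added example that is not part of the course text. Which function each step belongs to is an assumption stated in the code (goods receipt and payment are treated as custody); a transaction is reported when one person has performed steps in more than one function.

```python
"""Segregation-of-duties check over a constructed purchasing-cycle log.
Added example, not from the course text; names and step labels are constructed."""
from collections import defaultdict

# Assumption: which of the three functions each step of the purchasing cycle
# belongs to. Receiving goods and making the payment are treated as custody.
STEP_FUNCTION = {
    "requisition": "authorization",
    "purchase_order": "authorization",
    "payment_approval": "authorization",
    "goods_receipt": "custody",
    "payment": "custody",
    "record_payable": "recording",
}


def sod_exceptions(transaction):
    """Return (person, functions) pairs where one person spans more than one function."""
    functions_by_person = defaultdict(set)
    for step, person in transaction["steps"].items():
        functions_by_person[person].add(STEP_FUNCTION[step])
    return sorted((person, sorted(funcs))
                  for person, funcs in functions_by_person.items() if len(funcs) > 1)


def review_log(log):
    """Map transaction id -> exceptions, omitting transactions with no exception."""
    result = {}
    for txn in log:
        exceptions = sod_exceptions(txn)
        if exceptions:
            result[txn["id"]] = exceptions
    return result


# Constructed log: who performed each step of each purchase transaction.
SAMPLE_LOG = [
    # Clean: ben authorizes twice, but never records or takes custody.
    {"id": "PO-101", "steps": {"requisition": "asha", "purchase_order": "ben",
                               "goods_receipt": "carl", "record_payable": "dee",
                               "payment_approval": "ben", "payment": "eve"}},
    # Exception: ben places the order and also checks the goods in.
    {"id": "PO-102", "steps": {"requisition": "asha", "purchase_order": "ben",
                               "goods_receipt": "ben", "record_payable": "dee",
                               "payment_approval": "asha", "payment": "eve"}},
    # Exception: asha authorizes, records and pays.
    {"id": "PO-103", "steps": {"requisition": "asha", "purchase_order": "asha",
                               "goods_receipt": "carl", "record_payable": "asha",
                               "payment_approval": "asha", "payment": "asha"}},
]

if __name__ == "__main__":
    for txn_id, exceptions in review_log(SAMPLE_LOG).items():
        print(txn_id, exceptions)
```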
Physical security of computer equipment and restricting access to the organization’s data and
computer application files are also important in achieving effective internal control. Logical
access controls are tools and procedures used for identification, authentication, authorization and
accountability in computer information systems. Access controls help prevent the improper use
or manipulation of data files, unauthorized use of computer programs, and improper use of the
computer equipment.
Logical access control can be embedded in operating systems, applications, add-on
security packages, or database or telecommunication management systems. Locked
doors, security passes, passwords, and check-in logs can be used to limit access to the
computer system hardware. A very important general control is back-up and recovery
procedures, as anyone who has had a system go down without current records being
adequately backed up will tell you.
Logical access controls depend on the in-built security facilities. Physical controls
such as locks on the doors to the computer room and locked cabinets for software and
back-up tapes protect the tangible components of a computer system.
Additional access control can be gained through the appropriate use of proprietary
security programs. Access controls are general or application controls, such as
passwords, that allow only authorized people admittance to the computer software online.
Unique login identifiers and authenticated passwords can be used.
One way to detect inappropriate computer usage is by specifying a planned schedule for
running large-scale computerized applications. A schedule can help detect unauthorized
access because most software can produce usage reports that can be compared to the
planned schedule. Applications that are being run at unauthorized times can then be
investigated for inappropriate use of computer resources.
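The schedule comparison described above, written as detection logic over a usage report; this is an added example, not from the course text. The planned schedule, job names and report lines are constructed, and a window whose end is earlier than its start is taken to cross midnight.

```python
"""Compare a usage report against the planned run schedule for large-scale
applications and flag runs outside the plan. Added example; the schedule,
job names and usage report lines are constructed, not from the course text."""
from datetime import datetime, time

# Constructed planned schedule: job -> (allowed weekdays, window start, window end).
# Weekdays: Monday=0 .. Sunday=6. A window whose end is before its start crosses midnight.
PLANNED_SCHEDULE = {
    "PAYROLL_RUN": ({4}, time(18, 0), time(23, 0)),                 # Friday evening
    "GL_MONTH_END": ({0, 1, 2, 3, 4}, time(22, 0), time(2, 0)),     # weeknights, past midnight
}

# Constructed usage report, one run per line: "<date> <time> <job> user=<id>".
USAGE_REPORT = """\
2024-03-08 18:30 PAYROLL_RUN user=batch
2024-03-09 03:10 PAYROLL_RUN user=jdoe
2024-03-07 23:45 GL_MONTH_END user=batch
2024-03-08 01:15 GL_MONTH_END user=batch
2024-03-10 01:00 GL_MONTH_END user=batch
2024-03-08 12:00 SALES_EXTRACT user=jdoe
"""


def in_window(run_at, weekdays, start, end):
    """True if run_at falls inside the planned window; windows may cross midnight."""
    t = run_at.time()
    if start <= end:
        return run_at.weekday() in weekdays and start <= t <= end
    # Crosses midnight: the evening part belongs to the scheduled weekday, the
    # early-morning part to the calendar day after a scheduled weekday.
    if t >= start:
        return run_at.weekday() in weekdays
    if t <= end:
        return (run_at.weekday() - 1) % 7 in weekdays
    return False


def flag_unscheduled_runs(report, schedule):
    """Return (timestamp, job, user, reason) for every run outside the plan."""
    flagged = []
    for line in report.splitlines():
        date_s, time_s, job, user_field = line.split()
        run_at = datetime.strptime(f"{date_s} {time_s}", "%Y-%m-%d %H:%M")
        user = user_field.split("=", 1)[1]
        if job not in schedule:
            flagged.append((run_at, job, user, "job not on planned schedule"))
        elif not in_window(run_at, *schedule[job]):
            flagged.append((run_at, job, user, "run outside planned window"))
    return flagged


if __name__ == "__main__":
    for run_at, job, user, reason in flag_unscheduled_runs(USAGE_REPORT, PLANNED_SCHEDULE):
        print(f"{run_at:%Y-%m-%d %H:%M} {job:<13} {user:<6} {reason}")
```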
Transmission controls help to ensure that data is transmitted both intact and securely, without
breach of confidentiality. They include:
Data encryption
A log file is a file that records events taking place in the execution of a system. It is used to
generate an audit trail, to understand the activity and to diagnose problems.
Control environment: if management shows little concern for risks and controls, it is
probable that the entire system of internal controls will be weak and ineffective.
Computational work and risk of computational error: weaknesses in procedures for
making and checking calculations, e.g. service charges to customers.
Categorization of Controls
For exam purposes there is often a focus on controls that can be tested directly. Most, but not all
of these fall under the heading of control activities and a useful categorisation for exam purposes
might be as follows:
• Segregation of duties: segregating those with access to records from those with
access to assets, to prevent fraudulent collusion;
• Physical controls: limiting access to assets and records to prevent
misappropriation;
• Arithmetical and accounting controls: including computerised and manual
controls over the completeness and accuracy of records (input to systems,
processing and output) and maintaining reconciliations, control accounts and trial
balances;
• Authorisation and approval: of documents, credit limits and changes to software,
for example;
• Monitoring controls: use of budgets, forecasts and variance analysis, and the use
of internal audit to establish whether controls are being applied and are effective and
to make recommendations for improvement.
The first step involves determination of the controls and procedures laid down by
management. The auditor may ascertain the character, scope and efficacy of the control system
by reading company manuals, studying organization charts and flow charts, and by making
suitable enquiries of the officers and employees. Considerable skill and knowledge may be
needed to acquaint the auditor with how all the accounting information is collected and processed,
and to learn the nature of the controls that make the information reliable and protect the company’s
assets. In many cases, very little of this information is available in writing; the auditor must ask
the right people the right questions if he is to get the information he wants. It is better if
he makes written notes of the relevant information and procedures contained in the manuals or
ascertained on enquiry.
The auditor shall obtain an understanding of the major activities that the entity uses to
monitor internal control over financial reporting, including those related to control
activities relevant to the audit, and how the entity initiates corrective actions to
deficiencies in its controls.
If the entity has an internal audit function, the auditor shall obtain an understanding of the
nature of its responsibilities, its organizational status and the activities performed / to be
performed. The auditor shall also obtain an understanding of the sources of the
information used in the monitoring activities and the basis on which management
considers it reliable.
The auditor should evaluate the systems and conduct an audit risk assessment. This helps
in identifying the audit approach. There are two approaches:
To facilitate the accumulation of the information necessary for the proper review and evaluation
of internal controls, the auditor can use one of the following to help him know and assimilate
the system and evaluate it:
• Narrative notes;
• Questionnaire; and
• Flow chart.
2.13 Narrative Notes
Narrative notes are a written description of the control system and the controls that are in place.
A narrative note is a complete and exhaustive description of the system as found in
operation by the auditor. Actual testing and observation are necessary before such a
record can be developed.
It is simple to prepare.
It is time consuming.
Flowcharts show the flow of work by showing how documents are transferred within a
system.
It is also necessary for the auditor to study the significant features of the business carried
on by the concern; the nature of its activities and various channels of goods and materials
as well as cash, both inward and outward; and also a comprehensive study of the entire
process of manufacturing, trading and administration. This will help him to understand
and evaluate the internal controls in the correct perspective.
Advantages are:
Limitations are:
It is only suitable for describing standard systems, rather than recording
systems with unusual transactions.
It is a time-consuming process, since the auditor must learn about the operating
personnel involved in the system and gather samples of relevant documents.
2.14 Questionnaires
A standard questionnaire is a list of questions about controls in a particular aspect of
operations or accounting.
A ‘yes’ answer to a question indicates a control strength, i.e. a satisfactory position, while a
‘no’ answer indicates a control weakness. Provision is made for an explanation or further
details of ‘No’ answers. For questions not relevant to the business, a ‘Not Applicable’ reply
is given.
ICQs provide a means of recording systems, assist in the evaluation process, and give an
overall picture of the reliability of the system under review.
Disadvantages of a Questionnaire
It is time-consuming.
Advantages of a Questionnaire
Example
For example, for the creditworthiness of potential new customers, a questionnaire including
the following questions could be made:
Example
As part of his evaluation of internal controls, the auditor wishes to establish each of the
following: (a) That the correct product prices are charged on sales invoices to customers.
(b) That raw materials delivered are of the correct specification and in the correct quantity.
Required: Draft ICQ questions that could be used to establish the existence of appropriate
controls.
Answer
a) Is a check carried out to match the price on a sales invoice to the official price list? Yes/No
b) Are raw materials counted and checked against the purchase order when the materials are
delivered? Yes/No
Internal control provides reasonable assurance, not absolute assurance, that management’s
objectives will be achieved. Because people operate the controls, breakdowns can occur. Internal
control can help prevent and detect many errors, but it cannot guarantee that they will never
happen. Several limitations to internal control systems prevent management from obtaining
complete assurance that controls are absolutely effective:
Human error due to mistakes in judgment, fatigue, and carelessness can still occur.
Although controls are implemented to prevent and detect errors, deliberate circumvention
by people in the system can still occur.
Existence of collusion: the safeguard of segregation of duties can help deter fraud. However,
if employees decide to perpetrate frauds by collusion, or management commits fraud by
overriding systems, the accounting system will not be able to prevent such fraud.
Many of the controls which would be relevant to a large entity are neither practical nor
appropriate for a small company, which often has a simple internal control system. For a small
company, the most important form of internal control is generally the close involvement of the
directors or proprietors.
However, it is also important to note that close involvement by management will enable them to
override controls and, if they wish, to exclude transactions from the records. Auditors can also
have difficulties, not because there is a general lack of controls but because the evidence
available as to their operation and the completeness of the records is insufficient. For example,
an owner-manager may well perform an independent review of payroll records, but will not sign
and date to indicate the review has taken place, and may not document the investigation of
anomalies or how problems were resolved. Therefore it is very difficult for the auditor to obtain
evidence that a control is operating effectively, even if it is.
Segregation of duties will often appear inadequate in enterprises having a small number of staff.
Similarly, because of the scale of the operation, organisation and management controls are likely
to be rudimentary at best.
As discussed above, the onus is on the proprietor, by virtue of their day to day involvement, to
compensate for this lack. This involvement should encompass physical, authorisation,
arithmetical and accounting controls as well as supervision.
Where the manager of a small business is not the owner, the manager may not possess the same
degree of commitment to the running of it as an owner-manager would. In such cases, the
auditors will have to consider the adequacy of controls exercised by the shareholders over the
manager in assessing internal control.
Audit evidence for elements of the control environment in smaller entities may not be available
in documentary form, in particular where communication between management and other
personnel may be informal but effective. However, although not documented, small companies
may develop a culture that emphasises the importance of integrity and ethical behaviour through
verbal communication and where management sets a good example. As a result, the attitudes,
awareness and actions of management are very important to the auditor's understanding of a
smaller entity's control environment.
Although size and economic considerations in smaller entities often reduce the opportunity for
formal control activities, there is still likely to be some evidence available in relation to internal
controls. Some basic control activities are likely to exist for the main transaction cycles, such as
revenues, purchases and payroll costs.
In a small company, often management's sole authority for approval of, for example, purchases
and payments can provide strong control over important account balances and the auditor can
seek to test and rely on these controls. These key controls lessen or remove the need for more
detailed control activities and if the auditor can gain enough evidence that these key controls are
operating effectively substantive testing can be reduced.
However, because of the factors discussed in the preceding section, the auditor will often choose
or be forced to turn to substantive procedures to gain sufficient appropriate audit evidence when
auditing a smaller entity. This can often mean use of:
Confirmations
Agreeing samples related to different financial statement areas to source
documents
Analytical procedures where these are considered suitable
From the above, it can be observed that control is entirely centralised with the owner and
there is no significant delegation of duties.
Small and midsize entities may implement the control environment factors differently
than larger entities. For example, smaller entities might not have a written code of
conduct but instead develop a culture that emphasizes the importance of integrity and
ethical behavior through oral communication and by management example. Similarly, a
smaller entity may not have an independent or outside member on its board of directors.
For smaller entities, the risk assessment process is likely to be less formal
and less structured. Although all entities should have established financial
reporting management objectives, they may be recognized implicitly rather
than explicitly in smaller entities.
Auditors will often see management involvement as only a partial substitute for a ‘normal’
control system.
The following problems may arise when a control system relies excessively on the
involvement of senior management:
Management may lack the expertise necessary to control the entity effectively.
The auditor needs to obtain the same degree of assurance in order to give an unqualified opinion
on the financial statements of both small and large entities. However, many controls which
would be relevant to large entities are not practical in the small business. For example, in small
business accounting work may be performed by only a few persons. These persons may have
both operating and custodial responsibilities, and segregation of functions may be missing or
severely limited. Inadequate segregation of duties may, in some cases, be offset by
owner/manager supervisory controls which may exist because of direct personal knowledge of
the business and involvement in the business transactions. In circumstances where segregation of
duties is limited or evidence of supervisory controls is lacking, the evidence necessary to support
the auditor’s opinion on the financial information may have to be obtained largely through the
performance of substantive procedures.
4. EVALUATION OF CONTROLS AND AUDIT RISK ASSESSMENT
A 2-stage process:
Whether the controls are applied properly, and so whether they are actually working and
operating effectively.
If the ‘paper’ review shows major weaknesses, the audit approach will have to focus on tests
of transactions (substantive tests) rather than on tests of control (a systems-based
approach).
If the controls appear to be acceptable on paper, the auditor has to perform tests of
control.
If the tests indicate that the controls are operating effectively, the audit can be systems-based
with lower substantive testing.
ISA 330 requires that the substantive procedures are carried out for each material class of
transactions, account balances and disclosures.
4.3 Management Letter
The American Institute of Certified Public Accountants (AICPA) says: the plan of organization and
all of the coordinate methods and measures adopted within a business to safeguard its assets, check
the accuracy and reliability of its accounting data, promote operational efficiency and encourage
adherence to prescribed managerial policies.
For example:
In small business organizations, generally, the owner-manager controls the total activities of his
business by his personal supervision and direct participation. The owner generally purchases the
required business materials and other property. He himself appoints employees, agrees
contracts with them through discussion, and also keeps constant watch over their
activities. He himself signs cheques for payments under different heads. Since he signs all the
cheques, he can easily have an idea of what commodities, assets and services he is paying for.
But with the expansion of the business, the appointment of additional employees and officers is
needed and the scope of the business also widens. Under such conditions, it becomes almost
impossible for the manager to perform all the activities of the business alone, so he has to
delegate authority and his overall control tends to decrease. The owner needs an
internal control system to ensure that his overall control remains the same.
1. Control Environment
This step ensures that an environment is built up in which whatever operation is done by the
organization is automatically monitored and controlled by the environment.
The control environment is arguably the most important component because it sets the tone
for the organization. Factors of the control environment include employees' integrity, the
organization's commitment to competence, management's philosophy and operating style,
and the attention and direction of the board of directors and its audit committee. The control
environment provides discipline and structure for the other components.
The core of any organization is its people – their individual attributes, including integrity,
ethical values and competence – and the environment in which they operate. They are the
engine that drives the organization and the foundation on which everything rests. Effectively
controlled organizations set a positive "tone at the top" and strive to:
Train staff to understand and use appropriate management controls in all areas.
Provide structure and process for implementing these controls.
Internal controls are likely to function well if management believes that those controls are
important and communicates that view to employees at all levels. If management views controls
as unrelated to achieving its objectives, or even worse, as an obstacle, this attitude will also be
communicated. Despite policies to the contrary, employees will then view internal controls as
"red tape" to be "cut through" to get the job done. An effective internal control environment:
Sets the tone of an organization influencing the control consciousness of its people
Is an intangible factor that is the foundation for all other components of internal control,
providing discipline and structure
Describes "organizational culture"
Includes a commitment to hire, train, and retain qualified staff
Encompasses both technical competence and ethical commitment
2. Entity’s Risk Assessment Process.
After setting up the objective of business, external and internal risks are to be assessed. The
management determines risk controlling means after examining the risks related to every
objective.
Risk assessment refers to the identification, analysis, and management of uncertainty facing
the organization. Risk assessment focuses on the uncertainties in meeting the organization's
financial, compliance, and operational objectives. Changes in personnel, new product lines,
or rapid expansion could affect an organization's risks.
A risk is anything that endangers the achievement of an objective. Always ask: What can go
wrong? What assets do we need to protect?
• Risk assessment is the process used to identify, analyze, and manage the potential risks
that could hinder or prevent an agency from achieving its objectives.
• Risk increases during a time of change, for example, turnover in personnel, rapid growth,
or establishment of new services.
• Other potential high risk factors include complex programs or activities, cash receipts,
direct third party beneficiaries, and prior problems.
Management must be aware of and deal with the risks the organization faces. It must set
objectives, integrated with other activities so that the organization is operating in concert.
Management must also establish mechanisms to identify, analyze and manage the related risks.
It has four steps, which include:
Prepare a written narrative or flow chart explaining how the problem is supposed to be handled
by describing each activity or transaction within the cycle. Describe in the narrative: Who is
performing each step? What is involved in the step? Any resulting documentation, for example,
reports. Review the information available in policy and procedure manuals. Also, use written
materials such as organizational charts, job descriptions, reviews, checklists, department records,
and reports. Supplement written sources through conversations with and observations of
appropriate staff. Finally, "walk through" the process to be sure every item is understood.
3. Information System
Relevant information for decision-making is to be collected and reported in good time. The
events that yield data may originate from internal or external sources. Communication is very
important for achieving management goals. Employees must realize what is expected of
them and how their responsibilities relate to the activities of others. Communication between
the owners and outside parties, such as suppliers, is also very important.
Information and communication encompasses the identification, capture, and exchange of
financial, operational, and compliance information in a timely manner. People within an
organization who have timely, reliable information are better able to conduct, manage, and
control the organization's operations.
Control activities are surrounded by information and communication systems. These systems
enable the organization’s people to capture and exchange the information needed to conduct,
manage and control its operations.
Obtain external and internal information, and provide management with necessary
reports on the organization’s performance relative to established objectives.
Provide information to the right people in sufficient detail and on time to enable them
to carry out their responsibilities efficiently and effectively.
Develop or revise information systems based on a strategic plan, linked to the
organization’s overall strategy, and responsive to achieving the entity-wide and
activity-level objectives.
Demonstrate support for developing necessary information systems by committing
adequate human and financial resources.
4. Control activities
Management establishes a system of control activities to prevent the risks associated with
every objective. These control activities include all those measures that are to be
followed by the employees.
Control activities include the policies and procedures maintained by an organization to
address risk-prone areas. An example of a control activity is a policy requiring approval by
the board of directors for all purchases exceeding a predetermined amount. Control activities
were once thought to be the most important element of internal control, but COSO suggests
that the control environment is more critical since the control environment fosters the best
actions, while control activities provide safeguards to prevent wrong actions from occurring.
Control policies and procedures must be established and executed to help ensure that
management directives are carried out. They help ensure that necessary actions are taken to
address risks to achievement of the organization’s objectives. Control activities occur
throughout the organization, at all levels and in all functions. They include a range of
activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of
operating performance, security of assets and segregation of duties.
Review each cycle to determine whether existing controls are sufficient to avoid
potential problems.
Identify any outside policies or procedures in place to offset potential risks.
If controls do not exist or appear ineffective, establish new controls.
Identify any controls that are excessive or unnecessary and modify or eliminate them.
Remember that a good control environment is the first step toward establishing
effective controls.
Organizations establish policies and procedures so that identified risks do not prevent the
organization from reaching its objectives.
5. Monitoring Of Controls
When the internal control system is in practice, the organization monitors its effectiveness so
that necessary changes can be brought if any serious problem arises.
Monitoring refers to the assessment of the quality of internal control. Monitoring activities
provide information about potential and actual breakdowns in a control system that could
make it difficult for an organization to accomplish its goals. Informal monitoring activities
might include management's checking with subordinates to see if objectives are being met. A
more formal monitoring activity would be an assessment of the internal control system by the
organization's internal auditors.
The entire process must be monitored, and modifications made as necessary. This way, the
system can react dynamically, changing as conditions warrant. Ongoing monitoring occurs in the
course of operations. It includes regular management and supervisory activities, and other
actions personnel take in performing their duties. The scope and frequency of separate
evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing
monitoring procedures.
After implementing internal controls, organizations must monitor their effectiveness periodically
to ensure that controls continue to be adequate and continue to function properly. Management
must also revisit previously identified problems to ensure that they are corrected.
The COSO model is just one representation that can be used, and at its heart it
guides management through the implementation of a control framework that’s
measurable and targeted at reducing risk.
For example, to safeguard assets, does the client tag all computers with
identifying stickers and periodically take a count to make sure all
computers are present? Regarding the accounting system, is it
computerized or manual? If it’s computerized, are authorization levels set
for employees so they can access only their piece of the accounting
puzzle? For data, are backups done frequently and kept offsite in case of
fire or theft?
Internal control must be evaluated in order to provide management with some assurance
regarding its effectiveness. Internal control evaluation involves everything management does to
control the organization in the effort to achieve its objectives. Internal control would be judged
as effective if its components are present and function effectively for operations, financial
reporting, and compliance. The board of directors and its audit committee have responsibility for
making sure the internal control system within the organization is adequate. This responsibility
includes determining the extent to which internal controls are evaluated. Two parties involved in
the evaluation of internal control are the organization's internal auditors and their external
auditors. The auditors evaluate the effectiveness of the internal control structure of a business
organization and determine whether the business policies and activities are followed properly.
The communication network helps an effective internal control structure to operate, and all
officers and employees are part of this communication network.
An auditor should ensure that certain rules and procedures are followed by the business unit he
is working on, despite the fact that a sound system of internal control is the sole responsibility
of management. The auditor can simply guide or help management if he is asked to do
so, because he has no authority to prescribe such rules and procedures. He should consider:
ISA 315 emphasizes that establishing communications with the appropriate individuals within an
entity’s internal audit function early in the engagement, and maintaining such communications
throughout the engagement, can facilitate effective sharing of information. Internal control
system tells how the organization should work and ensure standardization in the company.
To be useful, information must be reliable and it must be communicated to those who need it.
For example, supervisors must communicate duties and responsibilities to the employees that
report to them and employees must be able to alert management to potential problems.
• Information must be communicated both within the organization and to those outside, for
example, vendors, recipients, and other constituents
• Communication must be ongoing both within and between various levels and activities of
the organization.
Conclusion of Ch. 3 and 5