AA - Internal control

The Auditors Approach to Internal Controls

UNDERSTANDING OF CONTROL:

A control is a procedure put in place to achieve company’s objectives. For any organisation to run well it
needs sound control systems in place.

OBJECTIVES OF CONTROL SYSTEMS:

- To ensure accurate accounting records;

- To safeguard assets held by the organisation;
- To prevent and detect fraud;
- To ensure an efficient working environment.

LIMITATIONS OF CONTROL SYSTEM:

- Human error;
- Fraudulent collusion;
- Abuse of authority.

AUDITOR’S EXPECTATION OF INTERNAL CONTROL SYSTEM:

ISA 315: Auditors must understand the client’s internal controls. In particular:

- To assess whether control system is strong or weak;

- Develop an understanding of what is expected from control system;

To give a benchmark of what is a good control system, ISA 315 provides 5 components of an internal control
system:
 - Control activities - all individual procedures and policies of the system (authorisation, performance review,
accounting reconciliations, segregation of duties, IT controls, physical controls);
- Risk assessment procedures - procedures to identify and manage business risks;
- Information systems - organised system for collection, organisation, storage and communication of
financial information;
- Monitoring of controls - role of internal auditor;
- Environment - overall control environment of the entity.

AUDITOR’S WORK AND APPROACH:

The aim of the auditor is to assess whether internal control would ensure material misstatements are identified
and corrected. Poor control system increases the risk of material misstatements.

Step by step approach of control systems review:

1) Identify and understand the control system. Methods used: enquiry, inspection, observation.
2) Document the system. Methods used: detailed notes, flowcharts.
3) Assess the system. Identify whether it is strong or weak through enquiry, inspection, observation sending
questionnaires (ICQ’s or ICEQ’s).
4) Report any issues identified and provide recommendations.
5) Gather evidence for a strong control system in a form of control tests or control procedures.
6) Decide how much further audit work is needed to form the audit opinion.
7) Perform substantive procedures.
 AA - Internal control
Identifying and Reporting Internal Control Deficiencies

HOW THE AUDITOR IDENTIFIES DEFICIENCIES:

1) Each system must be reviewed and understood by the auditor;

2) Then the system is documented for evidence;
3) It is decided whether the system can cause material misstatements;
4) Auditor identifies if there are any issues with the way the system operates;
5) Using their skills auditors may notice control activities that are missing.

All this gives the auditor opportunity to find deficiencies within the system.
Note: For every control deficiency found the auditor has an obligation to provide recommendation about how the
entity could improve that control.

THE MANAGEMENT REPORT:

Report to those charged with governance = Management letter = Management report.

ISA 265: Significant deficiencies should be communicated in writing to the entity’s management.

The management report is addressed to the directors and:

- Contains all deficiencies found during the audit;

- Explains the impact of deficiencies;
- Provides recommendations.

Specific information in management report:

- Report is not a comprehensive list of all deficiencies, it contains only those found by the auditor;
- Information is solely for the use of the company;
- Nothing within the report should be disclosed to a third party without written auditor’s permission;
- No responsibility is assumed to any other parties.
TIMING OF COMMUNICATING DEFICIENCIES:

Management report is usually communicated at the end of the audit.

 AA - Audit and Assurance
Control Cycles

KEY CONTROL CYCLES

Control cycles are systems linked to financial statements that have an impact on whether the financial
statements are true and fair. They are:

● Sales; ● Inventory;

● Purchases; ● Payroll; and

● Assets; ● Cash;

SALES CYCLE

Stage # Control objective Example of risk Controls put in place

1. Order is All orders are processed.
received
Orders are accepted for
customers who can pay.
An order is taken for a
customer who has exceeded
their credit limit.
The order is not recorded
properly.
Access to customer
accounts where credit limits
can be reviewed.

2. Goods are Goods dispatched are on The goods sent out are for Original order must be
dispatched time to the right customer. the wrong quantity. agreed to the dispatch note
and goods. This check must
All goods are sent out. be signed.
3. Invoice is All goods have been A customer was not invoiced Sequentially numbered copy
prepared and invoiced for. for the right product. of dispatch note is sent to
sent accountants and reviewed
The amounts are correct. by them.

4. Transaction Include all invoices on the Sales are not recorded Invoices are sequentially
is recorded system. accurately or recorded in the numbered.
wrong period.
The amounts are correct. Regular check of the system
for missing invoices.

5. Cash is Cash is received on a timely The cash is not paid on time. Perform credit control
received basis. procedures: analyse overdue
debts, chase customers for
Cash is recorded correctly in payments.
the correct account.

PURCHASE CYCLE

Stage # Control objective Example of risk Controls put in place

1. Requisition Ensure goods are requested The requisition note may not Requisitions must be sent by
and are for business be received by the email to the purchasing
purposes. purchasing department. department who must
respond when they make the
order.

2. Order is Ensure suppliers are A supplier is not reliable and Select a supplier from an
placed checked for reliability, quality delivers late, leading to a authorised supplier list.
and price. delay in production.

Ensure orders are made

considering disruptions to
production.

3. Goods are Ensure only goods ordered
received are received and accepted.
Ensure goods are received
on time.
Goods received have not Goods should be inspected
been ordered by the and agreed to the delivery
company. note and purchase order.

4. Invoice is Ensure invoices received are The invoice is not for goods Invoice is matched with the
received for goods received. ordered. corresponding purchase
order and requisition note.
Goods received are for
 business purposes.

Amounts and products are

correct.

5. Invoice is Ensure all invoices are
recorded recorded accurately and in
the correct period.
Invoice may be missed, thus,
purchases and payables
may be understated.
Allocate sequential number
to each invoice.
Check the system regularly
for missing invoices.

6. Payment is Ensure payments are made The payment is not made Review the aged payables
sent on time for the correct and the supplier may no list regularly for older debts
amounts, for goods ordered longer grant credit. and ensure they are paid on
and received. time.

ASSETS CYCLE
The control system for assets would work in the same way as the purchase system. However, there would be
some additional controls required:

● Authorisation of costs by a senior level of management; and

● Use of the asset register. This spreadsheet will record date, cost, depreciation, carrying value, location
and disposal date, and proceeds in relation to the assets. It must be updated, reviewed regularly and
compared to the accounting system to ensure there are no errors.

INVENTORY CYCLE

Key objective: To keep inventory safe and maintain its value.

The risks are:

 ● Goods could be stolen;

● Goods could be damaged;

● Goods may become obsolete.

Storage controls are:

● Increased security measures such as CCTV, alarm systems, and security guards;

● Restricted access to the warehouse;

● Swipe card access or fingerprint recognition at entry points;

● Practical packaging of inventory items;

● Shelving for organised storage;

● Training for handling of items;

● First in first out system for items being dispatched;

● Not to hold excessive amounts of inventory;

● Regular monitoring of aged inventory list for old, slow-moving items;

● Special offers potentially to shift items that are not selling faster.

Controls over monitoring of inventory count should also be implemented. Important elements of the inventory
count are:

● The people counting - they should be objective (i.e., no warehouse staff);

● The admin or paperwork;

● The count itself; and

● The end process of the count.

There are 2 key pieces of paperwork to be made:

1. The count instructions: They should be clear and easy to follow. They should be given out before the
count and the staff should be briefed so they fully understand what they are to do.

2. The count sheets: They should be sequentially numbered. Spare sheets for inventory found not on
them, should also be pre-numbered so sheets cannot go missing. The count sheets should be signed
out and divided between the teams.

Additional controls over inventory count:

● Count staff should inspect inventory for evidence of damage which could affect the valuation and flag
this on the count sheets or inform the count supervisor;

● Areas can be marked once counted to also reduce the risk of mistakes; and

● At the end of the count, the sheets should all be signed back in and the sequence checked to ensure no
inventory sheets are missing.
PAYROLL CYCLE

Stage # Control objective Example of risk Controls put in place

1. Fixed and Ensure that data is kept Including fraudulent working CCTV over the clock card
variable data is secure and only authorised hours, as information is area as a deterrent.
recorded access is allowed. opened to manipulation.
Authorisation of overtime
Risk of unauthorised access. from a senior official.

Supervision of employees.

2. Calculations The software is up-to-date System is not updated. Regular checks on

are made by and checked for updates. calculations, taking samples
the system and making recalculations.

3. Outputs Ensure that data is kept Risk of unauthorised access. Secure password access.
from system secure and only authorised
are created access is allowed. Access only by those
authorised.

Sending payslips straight to

employees' homes.

Payroll report is reviewed by

manager.

4. Payments Payments are correct, made Payment is missing or not Payment sheets are
are made on time and to valid made on time reviewed by manager.
employees.
Deadlines for submissions
are identified.
CASH CYCLE

Stage # Control objective Example of risk Controls put in place

1. Payment is Cash is kept to a minimum. Cash is stolen. Use imprest system for petty
requested cash.
Payments can only be made Unauthorised payments are
with proper authorisation. made. All payments must be
2. Payment is authorised.
authorised Payments are for business Payments are made for
purposes only. personal purposes. Cash book and petty cash
book are reviewed regularly.
3. Payment is Cash is protected from theft.
made Cash is kept in safe.
Cash is banked regularly.
Implement procedures to
4. Transaction
avoid theft.
is recorded