
Chap 5: Introduction to internal control

Internal control

- Process designed, implemented and maintained to mitigate risks to the business and ensure that the business operates effectively and efficiently

Reasons for internal controls:

- Minimising business risks
- Ensure the business runs effectively and efficiently
- Compliance with law and regulations

Limitations of internal controls

- Human element
- Collusion
- Unusual transactions

Components of internal controls

- Control environment
- Control activities
- Information system
- Risk assessment
- Monitoring of controls

Control environment:

- Definition: the governance and management functions, and the awareness, attitude and actions of those charged with governance and of management towards internal controls and their importance.

Audit committees are an important aspect of the control environment:

- Comprised of non-executive directors
- Responsibility of audit committees:
+ Review integrity of FSs and formal announcements relating to company’s performance
+ Review internal financial controls and company’s risk management system
+ Monitor and review effectiveness of company’s internal audit
+ Make recommendations to the board in relation to the external auditor
+ Monitor the independence of the external auditor
+ Implement policy on provision of non-audit services by the external auditor
- Key issue for audit committees:
+ Financial statements, information system
+ Supervising the identification of risks and monitoring of controls

Risk assessment process

- Identify relevant business risks. Business risks are risks that could affect an entity's ability to achieve its objectives and strategies, or that arise from setting the wrong objectives and strategies (remember the primary objective of a profit-oriented organization is maximizing profit and shareholders' wealth)
- Estimate significance (impact)
- Assess the likelihood
- Decide actions

Information system

- Process to initiate, record, process and report entity transactions and to maintain accountability for assets, liabilities and equity
- Auditor will be interested in
+ Classes of transactions that are significant to financial statements
+ Procedures by which transactions are initiated, recorded, processed, corrected and reported
+ Related accounting records and supporting information
+ How information system captures events other than transactions, but significant to the FSs
+ Process of preparing FSs

Types of control activities

- Authorisation
+ Approval of transactions/documents
- Performance review
+ Actual vs budget
+ Relating different sets of data
+ Internal data vs external data
+ Review of functional and activity performance
- Information processing
+ Controls to check accuracy, completeness and authorization of transactions. These include general controls and application controls
- Physical controls
+ Physical security
+ Authorisation for access
+ Periodic counting
- Segregation of duties
+ Assigning different individuals the responsibilities of:
  * Authorising transactions
  * Recording transactions
  * Custody of assets

Application controls: controls that relate to the business process level

- Control over input: completeness
+ Manual or programmed agreement of control totals
+ Document counts
+ One-for-one checking of processed output to source documents
+ Matching input to an expected input control file
+ Procedures over resubmission of rejected data
- Control over input: accuracy
+ Check data field
+ Scrutiny of output and reconciliation to source
+ Agreement of control totals
- Control over input: authorization
+ Ensure information input was authorized and input by authorized personnel
- Control over processing
+ Similar controls to input must be completed when input is completed
+ Screen warning
- Controls over master files and standing data
+ Checking master files to source documents
+ Cyclical review of all master files and standing data
+ Record counts
+ Controls over the deletion of accounts that have no current balance (closed items)
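
The input controls listed above (agreement of control totals, document counts, data field checks, authorised input, and holding rejected data for resubmission) can be sketched as one programmed check. This is an added example, not part of the original notes; the batch header layout, field names and sample values are constructed assumptions.

```python
from decimal import Decimal

# Constructed batch: header values are taken from the source documents,
# RECORDS is what the application actually received.
HEADER = {"batch": "B-001", "doc_count": 5, "control_total": Decimal("1500.00"),
          "first_no": 1001, "last_no": 1005}
RECORDS = [
    {"doc_no": 1001, "amount": "250.00", "entered_by": "clerk_a"},
    {"doc_no": 1002, "amount": "400.00", "entered_by": "clerk_a"},
    {"doc_no": 1004, "amount": "300.00", "entered_by": "clerk_b"},
    {"doc_no": 1004, "amount": "300.00", "entered_by": "clerk_b"},  # keyed twice
    {"doc_no": 1005, "amount": "-50.00", "entered_by": "temp_x"},   # fails field check
]
AUTHORISED = {"clerk_a", "clerk_b"}


def check_batch(header, records, authorised):
    """Return (accepted, rejected, exceptions) for one input batch."""
    accepted, rejected, seen = [], [], set()
    for rec in records:
        amount = Decimal(rec["amount"])
        reasons = []
        if amount <= 0:
            reasons.append("amount not positive")        # accuracy: data field check
        if rec["entered_by"] not in authorised:
            reasons.append("unauthorised user")          # authorisation of input
        if rec["doc_no"] in seen:
            reasons.append("duplicate document number")
        seen.add(rec["doc_no"])
        (rejected if reasons else accepted).append((rec["doc_no"], amount, reasons))

    exceptions = []
    if len(records) != header["doc_count"]:              # completeness: document count
        exceptions.append("document count mismatch")
    total = sum(a for _, a, _ in accepted)
    if total != header["control_total"]:                 # completeness: control total
        exceptions.append(f"control total {total} != {header['control_total']}")
    expected = set(range(header["first_no"], header["last_no"] + 1))
    missing = sorted(expected - seen)                    # sequence of document numbers
    if missing:
        exceptions.append(f"missing document numbers {missing}")
    return accepted, rejected, exceptions


if __name__ == "__main__":
    ok, held, problems = check_batch(HEADER, RECORDS, AUTHORISED)
    print("held for correction and resubmission:", held)
    print("batch exceptions:", problems)
```

In this sample the document count agrees with the header even though one document is missing and another was keyed twice, which is why the count is combined with the control total and the sequence check.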

General controls: controls that relate to many applications

- Development of computer applications:
+ Standards over system design, programming and documentation
+ Full testing procedures
+ Approval by computer users and management
+ Segregation of duties for design and testing
+ Installation procedures
+ Training staff
- Prevention or detection of unauthorized changes to programs
+ Segregation of duties: people who authorize access and who make changes to program
+ Full records of changes
+ Password protection
+ Restricted access to central computer
+ Maintenance of program logs
+ Virus checks
+ Back-up copies
+ Control copies of program
+ Stricter controls by use of read only memory
- Testing and documentation of program changes
+ Complete testing procedures
+ Documentation standards
+ Approval of changes
+ Training staff
- Controls to prevent wrong programs or files being used
+ Operation controls
+ Libraries of programs
+ Proper job scheduling
- Controls to prevent unauthorized amendments to data files
+ Set password
- Controls to ensure continuity of operation
+ Storing extra copies of programs and data files
+ Protection of equipment
+ Back-up power sources
+ Emergency procedures
+ Disaster recovery procedures
+ Maintenance agreements, insurance

Cyber security risks:

- Human threats
- Fraud
- Deliberate sabotage
- Viruses and other corruptions
- Malware
- DoS attack

ICAEW’s suggestions for organisations to combat cyber risk

- Communication is a key barrier to common understanding and discussion
- Organisational structures need to define responsibility and accountability for cyber security.
- Board-level accountability for cyber risks needs to be determined
- Non-executive directors and audit committees also need to play a part

Monitoring of controls

- Often undertaken by internal audit
- For smaller entities that do not have internal audit, the company may make use of external audit

Source of information about controls:

- Manual or SOP (standard operating procedures) of control activities
- Copies of internal control policies
- Enquiry of the company's staff
- Last year's audit working papers (do note that the client's control system may change this year)

Recording of controls

- Narrative notes: good for simple things and background information
- Questionnaires and checklists: good as a memory aid and to cover all bases
- Diagrams: good when things are more complex.
+ Flowcharts: recording systems
+ Organisational chart, family tree: recording relationships, reporting lines

Walk through procedures

- Tracing a few transactions through the financial reporting system
- Confirm that the auditor has correctly understood how the controls are supposed to operate.
- Not a test of controls

Chap 6: Revenue system

Ordering

| Risk | Control objectives |
|---|---|
| Orders may be taken from customers who are not able to pay | Goods and services are only supplied to customers with good credit ratings |
| Orders may be taken from customers who are unlikely to pay for a long time | Customers are encouraged to pay promptly |
| Orders may not be recorded properly and therefore not fulfilled and customers might be lost | Orders are recorded correctly. Orders are fulfilled |

- Controls
+ Segregation of duties: credit control, invoicing, inventory despatch
+ Authorisation of credit terms
+ Authorisation for changes in other customer data
+ Orders only accepted from customers with no credit problems
+ Sequential numbering of order documents
+ Correct prices quoted to customers
+ Matching customer orders with production orders and dispatch records. Investigate if orders not matched
+ Dealing with customer queries
- Test of controls
+ Check that references are being obtained from all new customers
+ Check that all new accounts on the receivable ledger have been authorized
+ Check that orders are only accepted from customers who are within their credit terms and credit limits
+ Check that customer orders are being matched with production orders and dispatch records.

Despatch and invoicing

| Risk | Control objectives |
|---|---|
| Goods may be despatched but not recorded so they are lost to the business. | All despatches of goods are recorded |
| Goods may be despatched but not invoiced for. | All invoices raised relate to goods and services supplied by the business |
| Invoices may be raised in error with resulting customer dissatisfaction | All goods and services sold are correctly invoiced |
| Invoices may be wrongly cancelled by credit notes resulting in loss to the business | Credit notes are only given for valid reasons |

- Controls
+ Authorisation of dispatch of goods
+ Examination of goods outwards: quantity, quality, condition
+ Recording all goods despatched
+ Agree dispatch records to customer orders and invoices
+ Pre-numbering of dispatch records and regular checks on sequence
+ Condition of returns checked
+ Recording of goods returned and goods returned notes (GRNs)
+ Signature of dispatch records by customers
+ Preparation of invoices and credit notes
+ Inventory records updated
+ Matching of sales invoices with dispatch records and sales orders
+ Regular review for dispatch records not matched by invoices
- Test of controls
+ Verify details of trade sales or goods dispatch records with sales invoices
+ Verify details of trade sales with entries in inventory records
+ Verify non-routine sales
+ Verify credit notes
+ Test numerical sequence of dispatch records. Investigate any missing numbers
+ Test numerical sequence of invoices and credit notes, enquire into missing numbers and inspect copies of those cancelled
+ Test numerical sequence of order forms and enquire into missing numbers
+ Check that despatches of goods free of charge or on special terms have been authorised by management

Recording

| Risk | Control objectives |
|---|---|
| Invoiced sales may not be properly recorded | All sales that have been invoiced are recorded in the nominal ledger. Cut-off is applied correctly |
| Credit notes might not be properly recorded | All credit notes that have been issued are recorded in the nominal ledger |
| Sales might be recorded in the wrong customer accounts | All entries in the receivable ledger are made to the correct receivable ledger accounts |
| Debts might be included in receivables that are not collectable | Potentially irrecoverable receivables are identified |

- Controls
+ Segregation of duties: recording sales, maintaining customer accounts, preparing statements
+ Recording of sales invoices sequence and control over spoilt invoices
+ Matching cash receipts with invoices
+ Retention of customer remittance advices
+ Separate recording of sales returns, price adjustment, …
+ Cut-off procedures
+ Regular preparation of trade receivables statements
+ Checking of trade receivables statements
+ Safeguarding of trade receivables statements
+ Review and follow-up overdue accounts
+ Authorisation of writing off irrecoverable receivables
+ Analytical review of receivables account and profit margin
- Test of controls
+ Check entries with invoices and credit notes respectively
+ Check additions and cross casts
+ Check additions and balances carried down
+ Note and enquire into contra entries
+ Check accounts to see if credit limits have been observed
+ Check that trade receivables statements are prepared and sent out regularly
+ Check that overdue accounts have been followed up
+ Check that all irrecoverable receivables written off have been authorized by management.

Cash collection

- Risk: money received but not recorded or banked
- Objectives:
+ All monies received are recorded
+ All monies received are banked
- For controls and tests of controls related to cash: there are many of them because cash is a sensitive item, so refer to the tables on pages 125-127. It is not necessary to remember everything, but remember as many keywords as possible. Through practising the QB, you will remember them more easily, even automatically.

Chap 7: Purchases system

Ordering

| Risk | Control objectives |
|---|---|
| Unauthorised purchases may be made for personal use | All orders for goods and services are properly authorized and duly processed. All orders are for goods and services actually required by the company |
| Goods and services might not be obtained on the most advantageous terms | Orders are only made with authorized suppliers. Orders are made at competitive price |

- Controls
+ Segregation of duties: requisition and ordering
+ Central policy for choice of suppliers
+ Evidence required of requirement for purchase
+ Order forms prepared only when a pre-numbered purchase requisition has been received
+ Authorisation of order forms
+ Pre-numbered order forms
+ Safeguarding of blank order forms
+ Review of outstanding orders
+ Monitoring of supplier terms
- Test of controls
+ Review list of suppliers and check a sample of orders made
+ Check sequence of pre-numbered order forms
+ Check orders are supported by a purchase requisition
+ Review security arrangements over blank orders

Goods inward and recording of invoices

| Risk | Control objectives |
|---|---|
| Goods may be misappropriated for private use | All goods and services received are used for the company's purposes, and not private purposes |
| Goods may be accepted that have not been ordered | Goods and services are only accepted if they have been ordered, and the order has been authorized |
| Invoices may not be recorded resulting in non-payment | All goods and services are accurately recorded. Liabilities are recognized for all goods and services that have been received. Receipt of goods and services is necessary in order for a liability to be recorded. Cut-off is applied correctly to the payables account |
| The company may not take advantage of the full period of credit that is available | All credits to which the company is entitled are claimed and received. |
| The company may not record credit notes resulting in paying invoices unnecessarily | All credit notes that are received are recorded in the nominal ledger. |

- Controls
+ Examination of goods inwards: quantity, quality, condition
+ Recording arrival and acceptance of goods
+ Comparison of goods received records with purchase orders
+ Referencing of supplier invoices: numerical sequence and supplier reference
+ Checking suppliers’ invoices
+ Recording return of goods
+ Procedures for obtaining credit notes from suppliers
+ Segregation of duties: accounting and checking functions
+ Prompt recording of purchases and purchase returns ledger
+ Regular maintenance of payables ledger
+ Comparison of monthly statements of account balance from suppliers with payables balances
+ Review of classification of expenditure
+ Matching of goods received records and invoices and accrual for any goods received but not invoiced.
- Test of controls:
+ Check invoices for goods are:
  * Supported by goods received records
  * Entered in inventory records
  * Priced correctly
  * Referenced properly with number, supplier code
  * Correctly coded by type of expenses
  * Trace entry in record of goods returned and see credit note duly received from supplier, for invoices not passed due to defects or discrepancy
+ Check calculations and additions
+ Check entries in payables
+ Credit note: verify the correctness, check entries in inventory records, record of returns, payables ledgers and verify that they are correctly analysed
+ Check for returns that credit notes are duly received from the suppliers
+ Test numerical sequence and enquire into missing numbers of: purchase requisition, goods received records, suppliers' invoices, purchase orders, goods returned notes
+ Obtain explanation for items which have been outstanding for a long time: unmatched purchase requisition, unmatched purchase orders, unmatched goods received records, unrecorded invoices
+ Verify that invoices and credit note recorded in the purchases account are: initialed for prices, calculations and extensions, cross-ref to purchase orders, goods received records, authorized for payment
+ Check additions
+ Check postings to nominal ledger accounts
+ Examine nominal ledger account for unusual entries
+ For a sample of supplier accounts: test check additions and carried forward balances, note and enquire into all contra entries
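
The matching controls in this section (goods received records against purchase orders, invoices against goods received records, and accrual for goods received but not invoiced) amount to a three-way match. The sketch below is an added example, not part of the original notes; the document numbers, field names and quantities are constructed assumptions.

```python
# Constructed sample data; document numbers and field names are illustrative.
PURCHASE_ORDERS = {"PO-101": {"qty": 10, "authorised": True},
                   "PO-102": {"qty": 5, "authorised": True},
                   "PO-103": {"qty": 8, "authorised": False}}
GOODS_RECEIVED = [{"grn": "GRN-1", "po": "PO-101", "qty": 10},
                  {"grn": "GRN-2", "po": "PO-102", "qty": 5},
                  {"grn": "GRN-3", "po": "PO-999", "qty": 2}]   # no such order
INVOICES = [{"inv": "INV-7", "po": "PO-101", "qty": 10},
            {"inv": "INV-8", "po": "PO-103", "qty": 8},         # nothing received
            {"inv": "INV-9", "po": "PO-101", "qty": 10}]        # second invoice, same order


def three_way_match(orders, receipts, invoices):
    """Classify documents: pay, hold for enquiry, accrue, or received without order."""
    findings = {"pay": [], "hold": [], "accrue": [], "not_ordered": []}
    received = {}
    for r in receipts:
        po = orders.get(r["po"])
        # Goods are only accepted against an existing, authorised order.
        if po is None or not po["authorised"]:
            findings["not_ordered"].append(r["grn"])
            continue
        received[r["po"]] = received.get(r["po"], 0) + r["qty"]

    invoiced = {}
    for i in invoices:
        already = invoiced.get(i["po"], 0)
        # An invoice is passed for payment only up to the quantity received,
        # so a repeat invoice for the same receipt is held.
        if already + i["qty"] <= received.get(i["po"], 0):
            findings["pay"].append(i["inv"])
            invoiced[i["po"]] = already + i["qty"]
        else:
            findings["hold"].append(i["inv"])

    # Goods received but not yet (fully) invoiced need an accrual.
    for po, qty in received.items():
        if invoiced.get(po, 0) < qty:
            findings["accrue"].append(po)
    return findings


if __name__ == "__main__":
    print(three_way_match(PURCHASE_ORDERS, GOODS_RECEIVED, INVOICES))
```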

Payment

- Risk
+ False invoices are paid in error
+ Invoices are paid too soon
+ Payments are not correctly recorded
+ Credits are not correctly recorded
+ Payments are not recorded in the correct period
- Objectives
+ All expenditure is for goods that are received
+ All expenditure is authorized
+ All expenditure that is made is recorded correctly in the nominal ledger
+ Payments are not made twice for the same liability
- For controls and tests of controls related to cash: there are many of them because cash is a sensitive item, so refer to the tables on pages 141-143. It is not necessary to remember everything, but remember as many keywords as possible. Through practising the QB, you will remember them more easily, even automatically.
