AUE2602 Lesson 2 2023
INTERNAL CONTROL
Topic overview
In topic 1 you learnt about corporate governance and statutory matters. The
aim of this topic is to explain and apply the theory of internal control as an
important aspect of corporate governance. We will explain this according to the
objectives and the components of internal control in chapter 5 of Auditing notes.
We will also explain and apply general and application controls in a
computerised environment as part of control activities in chapter 8 of Auditing
notes.
We will cover the need for the external auditor to understand a client's internal
control in order to identify significant risks.
Learning outcomes
LESSON 2.1
INTERNAL CONTROL
INTRODUCTION
STUDY
● Richard et al (2021:5/2–5/3), section 1
The way in which the system of internal control is designed and maintained
varies with the size and complexity of the entity concerned, as well as with
the risks faced by the particular entity.
ACTIVITY 1
Identify and explain six key characteristics of internal control that you have
learnt.
From the above aspects of internal control it is clear that although the board of
directors is responsible overall for the governance of risk, everyone in the
business carries responsibility for the implementation and execution of internal
controls.
STUDY
• Richard et al (2021:5/4), section 3
STUDY
• Richard et al (2021:5/3–5/4), section 2
ACTIVITY 2
Management designs an internal control system, which theoretically
addresses risk. List four inherent limitations of internal control and two
circumventions of internal controls, and provide an example of each.
Now that you are familiar with how you should study, remember to always
compare your answers with those provided in the feedback after you have
attempted them on your own first.
SUMMARY
In this lesson we explained the definition and limitations of internal control. We
also explained that internal control is a response to risk and that the entity’s
objectives are achieved by implementing internal controls.
After you have worked through the lessons and study material, you
should be able to
• explain and apply the theory of internal control and internal control
objectives with reference to management assertions
• explain the limitations of internal control
LESSON 2.2
INTRODUCTION
1. control environment
2. risk assessment process
3. information system and communication
4. control activities
5. monitoring of controls
STUDY
• Richard et al (2021:5/5), section 4
• Richard et al (2021:8/4–8/10), section 2
https://web.microsoftstream.com/video/7a82e27a-7771-48cf-9f2a-c910510c3a71
Let’s look at the five components of internal control now in more detail.
2.2.1 CONTROL ENVIRONMENT
STUDY
• Richard et al (2021:5/5–5/6), section 5.1.4.1
For financial reporting purposes, the entity’s risk assessment process includes
how management identifies business risks relevant to the preparation of
financial statements in accordance with the entity’s applicable financial
reporting framework, estimates their significance, assesses the likelihood of
their occurrence and decides on actions to manage them and their results
(IFAC 2019:88). For example, the entity’s risk assessment process may
address how the entity considers the possibility of unrecorded transactions or
identifies and analyses significant estimates recorded in the financial
statements (IFAC 2019:88).
STUDY
• Richard et al (2021:5/7–5/8), section 5.1.4.2
STUDY
• Richard et al (2021:5/8–5/9), section 5.1.4.3
Each day numerous transactions with financial implications occur and are
processed, for example transactions when the entity sells food, buys materials
or even pays salaries. The accounting system documents the path that each
transaction follows in the entity from where the transaction is initiated to the
inclusion of an amount or disclosure in the financial statements.
Initiate → Record → Process → Report
Figure 2.2.1: Typical four stages of every transaction
From the initiation to the reporting of transactions and the inclusion in the
financial statements, transactions flow through various business processes,
also referred to as transaction cycles. The following transaction cycles are
identified. We will discuss the processes in more detail in topics 3-8.
Transaction cycles:
• Revenue and receipts cycle
• Acquisitions and payments cycle
• Inventory and production cycle
• Payroll and personnel cycle
• Finance and investment cycle
STUDY
• Richard et al (2021:5/9–5/11), section 5.1.4.4
General principles
Control activities are the actions which are carried out to manage or reduce
risks (Richard et al 2021:5/11) and to achieve the entity’s objectives of
providing reliable financial reporting, having effective and efficient operations
and complying with laws and regulations.
STUDY
• Richard et al (2021:5/11–5/16), section 5.1.4.5
• approval, authorisation
• segregation (division) of duties
• isolation of responsibility
• physical or logical controls
• reconciliation
• verification
Also note that the control activities can be preventive, detective or corrective
in nature.
ACTIVITY 3
Twinkles Groceries (Pty) Ltd is a large local grocery store. At the start of a
cashier’s shift, the cashier must use a username and password to log onto
his/her till. If the cashier accidentally makes a mistake, for example scans an
item twice, he/she has to call the manager to authorise a correction. The
manager will first ask what happened and determine if the information provided
is true, before entering a password. When all the items have been scanned,
the total amount due is automatically calculated and shown on the screen. At
the door to the store, a security guard will check the customer’s bag of
groceries against the customer's till slip.
REQUIRED
Identify the internal controls implemented by Twinkles and link each of them to
a type of control activity.
ACTIVITY 4
1. For each of the six types of control activities, give an example of what
could go wrong (risks) in the absence of the effective working of the
control activity.
ACTIVITY 5
Internal control
You have been assigned to the task of completing SoftWorld (Pty) Ltd’s internal
control questionnaire. The following policies and procedures implemented
have been noted regarding the internal control of the firm:
a) Regular meetings are held at divisional and departmental levels to consider
the risks at specific levels within the organisation.
b) Weekly reports on invoicing and debt collection are produced by the online
system and are reviewed by management.
c) When goods are delivered by a supplier, the receiving clerk counts the
goods and then signs the delivery note as proof that he was responsible
for receiving the delivery.
f) The entity operates within specific operating guidelines and time is taken
by management to create and implement systems and procedures.
REQUIRED
Based on the information given regarding the entity's internal control, do the
following:
• Identify the risks associated with a particular transaction or
class of transactions (things that could go wrong).
1. Identify risk
Determine the risks associated with each class of transactions flowing through
the accounting system.
Step 2: Formulate the control objectives
Note: It is vital that you understand the generic meaning of the three
control objectives, as they are the foundation on which entities, business
cycles and the accompanying accounting systems are built.
Once the risks have been identified and the control objectives for every class
of transaction have been formulated, the next step is to design a system of
internal control. The control objective indicates what management wants to
achieve to address the risk, and the internal control is how management
intends to achieve the control objective.
Some of the internal controls that an entity implements will be more important
from a financial reporting perspective than others. As discussed in lesson 2.1,
the objectives of internal control include
• reliability of the entity’s financial reporting (financial objectives)
• effectiveness and efficiency of its operations (operational objectives)
• compliance with applicable laws and regulations (compliance
objectives)
Remember to do the activities dealing with the content of this topic before
continuing with the rest of your studies. Keep your answers and notes in a
notebook that you know won't get lost so that you are able to refer to
them again when you do your revision.
SUMMARY
In this lesson we explained the five components of internal control.
After you have worked through the lessons and study material, you
should be able to
• explain the theory of internal control and internal control objectives with
reference to management assertions
• describe the five components of internal control
• describe the process that should be followed to ensure that proper risk
management takes place
• list and briefly explain the various risk responses available to
management to address risk
• identify and describe the various control activities (internal control
measures) that can be implemented to ensure that risk is mitigated
appropriately
• explain why a system of internal control can only provide reasonable
assurance about the achievement of the entity’s control objectives
• list, explain and identify the generic control objectives
• describe the relationship between control objectives and assertions
• explain and illustrate the process that should be followed to design a
proper system of internal control
• match risks to control objectives
• describe the relationship between control objectives and internal control
LESSON 2.3
INTRODUCTION
General and application controls in a computerised environment are an integral
part of the total system of internal control of an entity and touch on all
components of internal control.
Although the information system component is not evident under general and
application controls, the information system underlies internal controls in a
computerised environment, as this is where the controls are implemented.
STUDY
• Richard et al (2021:8/3–8/10)
• Access controls
• Physical access controls
• Logical access controls
• Social media
• Disaster recovery
• Backup strategy
• System development and implementation controls
• In-house development
• Packaged software
• System software and operating controls
• Retiring application
Before you turn to your textbook, watch the following video by clicking
on the link below.
https://web.microsoftstream.com/video/7237c3ba-0b3a-4bd1-a813-57bb91f8a54e
This video is part 1 of 3 that discusses the application and general controls.
The following topics are discussed in this video:
• difference between application and general controls
• summarised overview of general controls
• introduction to application controls
STUDY
• Richard et al (2021:8/10–8/40)
Do you use the same password for all your accounts? Have you
changed your passwords recently and what password controls were present?
ACTIVITY 6
Access controls in a computerised environment are important as the
consequences of unauthorised access to a system can be disastrous for a
company.
REQUIRED
1. Describe the physical access controls that should be present to ensure
proper internal control in a computerised environment.
2. Give examples of preventive logical access controls in a computerised
environment.
3. Explain what control over passwords entails as part of logical access
controls.
The stages through which a transaction flows in the system can be
described as input, processing and output, and application controls can be
described in terms of these activities, e.g. an application control relating to
input.
store only standing information and balances, e.g. the debtors masterfile will
contain the debtor’s name, address, contact details, credit limit, etc. The
masterfile is a very important part of producing reliable information and must
be strictly controlled.
Completeness is concerned with ensuring that data and transactions are not
omitted or incomplete.
Before you turn to your textbook, watch the following video by clicking
on the link below.
https://web.microsoftstream.com/video/d66be3f6-b2fe-43bb-b99d-ca586cfd80c1
This video is part 2 of 3 that discusses the application and general controls.
The following topics are discussed with examples in this video:
• different types of application controls
• access controls
• screen aids
• program controls
Part 3 of 3
https://web.microsoftstream.com/video/4709cb02-1f0a-490a-8c33-fad8806cf006
The following topics are discussed in this video:
• batch controls
• process controls
• output controls
• objectives of application controls, being accuracy, completeness,
occurrence and authorisation
• examples of exam-type questions
STUDY
• Richard et al (2021:8/40–8/54), sections 8.3.1–8.3.5
ACTIVITY 7
The following control techniques and application controls, applicable to the
input stage of a transaction's flow through the system, are
mentioned in your textbook by Richard et al (2021:8/40–8/53):
• access control
• authorisation
• batching
• screen aids and related features
• program controls relating to input
• existence/validity checks
o validation checks
o matching checks
o data approval/authorisation checks
o reasonableness and limit checks
o dependency checks
o format checks
o check digits
o sequence checks
o logs and reports
o override reports
o activity reports
o access/access violation reports
o audit trails
REQUIRED
Link the control techniques and application controls mentioned to the objective
of the control, being either occurrence and authorisation, completeness or
accuracy.
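A few of the program controls relating to input listed in Activity 7 (format check, check digit, limit check and sequence check) are shown below as an added example that is not taken from this study guide or from the textbook. The field names, the 8-digit account format, the Luhn check-digit scheme and the credit limit ceiling are assumptions, and the batch is constructed sample data.

```python
import re

CREDIT_LIMIT_MAX = 50_000  # assumed policy ceiling for a debtor's credit limit

def luhn_ok(number: str) -> bool:
    """Check digit test (Luhn, an assumed scheme): last digit must fit the rest."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * (2 if i % 2 else 1)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def validate_amendment(rec: dict) -> list:
    """Return the input checks that a single amendment record fails."""
    errors = []
    acct = rec.get("account", "")
    if not re.fullmatch(r"\d{8}", acct):
        errors.append("format check: account must be 8 digits")
    elif not luhn_ok(acct):
        errors.append("check digit: account number is mistyped")
    limit = rec.get("credit_limit")
    if not isinstance(limit, int) or not 0 <= limit <= CREDIT_LIMIT_MAX:
        errors.append("limit check: credit limit outside 0..50000")
    return errors

def sequence_check(form_numbers: list) -> dict:
    """Report missing and duplicated amendment form numbers in a batch."""
    if not form_numbers:
        return {"missing": [], "duplicates": []}
    seen = sorted(form_numbers)
    expected = set(range(seen[0], seen[-1] + 1))
    dupes = sorted({n for n in seen if seen.count(n) > 1})
    return {"missing": sorted(expected - set(seen)), "duplicates": dupes}

# Constructed sample batch of masterfile amendment forms (not real data).
BATCH = [
    {"form": 101, "account": "12345674", "credit_limit": 20_000},
    {"form": 102, "account": "12345678", "credit_limit": 20_000},  # bad check digit
    {"form": 104, "account": "1234A674", "credit_limit": 90_000},  # bad format, over limit
    {"form": 104, "account": "12345674", "credit_limit": 5_000},   # duplicate form no.
]

def exception_report(batch: list) -> dict:
    """Collect rejected records (by batch position) and sequence exceptions."""
    rejects = {i: errs for i, r in enumerate(batch) if (errs := validate_amendment(r))}
    return {"rejected": rejects, "sequence": sequence_check([r["form"] for r in batch])}

if __name__ == "__main__":
    print(exception_report(BATCH))
```

The returned dictionary plays the role of the logs and reports in the same list: rejected records and sequence exceptions are held for review instead of updating the masterfile.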
ACTIVITY 8
Describe the application controls that the management of company X should
implement to ensure the completeness of amendments to a masterfile in the
computerised accounting system.
SUMMARY
In this lesson we explained general and application controls in a computerised
environment as part of a system of internal control.
After you have worked through the lessons and study material, you should be
able to explain, describe, discuss and apply
LESSON 2.4
INTRODUCTION
The external auditor obtains an understanding of a client's system of internal
control as part of his/her external audit.
STUDY
• Richard et al (2021:7/13–7/18)
STUDY
• Richard et al (2021:7/18–7/19)
ACTIVITY 9
Name the six factors that the auditor should consider when assessing whether
a risk is a significant risk.
SUMMARY
In this lesson we explained the need for the external auditor to understand
internal control in order to identify significant risks.
After you have worked through the lessons and study material, you
should be able to discuss the need for the external auditor to obtain an
understanding of a client’s internal control in order to identify significant risks.
CONCLUSION
In this topic, Internal control, we explained and applied the theory of internal
control according to its five components. We explained that internal control is
designed to address and limit potential risks. We also discussed internal control
from the perspective of the external auditor.