Professional Documents
Culture Documents
Internal Controls Introduction
Internal Controls Introduction
Internal Controls Introduction
TO DISCUSS:
• Chapter 9 and 12 of Dynamic Auditing
• ISA 265, 315, 330
KNOWLEDGE QUIZ
• What is the definition of internal controls?
• Changes in the
regulatory/operating environments
can lead to added competitive
pressures and an added RMM
• New personnel may lack an
understanding of the internal
controls
• Significant and rapid changes in
information systems could lead to
personnel being unfamiliar with the
system and therefore making
mistakes
SEGREGATION OF DUTIES
PHYSICAL SAFEGUARDING
DOCUMENT DESIGN
STATIONERY CONTROL
INSURANCE
SUPERVISION OF DAY-TO-DAY
TRANSACTIONS BY SENIOR RESPONSIBLE
PERSONS
STEP ONE: Identify the risks associated with a particular system – WHAT COULD
GO WRONG?
STEP TWO: Formulate the control objectives for the particular system. – WHAT
DOES MANAGEMENT WANT THE SYSTEM TO ACHIEVE?
STEP THREE: Use the five component of a system of internal control to design a
proper system of internal control to address the risks and control objectives. After
the design the control should be implemented, maintained and monitored. – HOW
WILL MANAGEMENT ACHIEVE THIS?
VALIDITY
All recorded transaction are valid and COMPLETE NESS
supported by sufficient documentation All valid transactions are recorded and no
and evidence, including the necessary transactions are left out
authorisation.
ACCURACY
All transactions and transactions
documentation are recorded at the correct
quantity and price and are arithmetically
correct
EXAMPLE – HOW TO DESIGN A SYSTEM OF CONTROLS
New customers who are To ensure that new Customers completes a credit
application form and submits
not creditworthy are customers are trade references.
accepted and provided creditworthy and would
credit. therefore be able to Credit controller performs
settle the debts they background checks on
customers trade references
incur – Validity and confirms credit status with
credit bureaus.
In what phase of the audit does the auditor focus on internal controls?
REMEMBER DURING THE PLANNING YOU FIRST DETERMINE WHETHER ANY RISKS
IDENTIFED DURING THE RISK ASSESSMENT ARE SIGNIFICANT. YOU DO THIS BEFORE
ANY CONTROLS ARE TAKEN INTO ACCOUNT
STAGES OF THE AUDIT
1 PRE-ENGAGEMENT ACTIVITIES
Client investigation
Skills and competence
Establish terms of engagement
2
OVER ALL PLANNING
Understand the entity’s
Understand the entity internal controls,
and its environment including the information
systems
Set planning materiality
And overall audit
strategy
Risk of material
Evaluate inherent risks Evaluate Control risks
misstatement
STAGES OF AN AUDIT
2 DETAILED PLANNING
Risk of material
Evaluate inherent risks Evaluate Control risks misstatement per
significant
account/process
Non significant
accounts =
Analytical review Determine nature, timing and
extent of test of controls and
procedures substantive procedures
Stages of the audit process
Substantive
procedures ISA
500,501,505,510,5
Perform AND evaluate test of controls and substantive procedures 20,530,540,550,58
0,600,610,620,
IAPSs
1005,1010,1012,1
013,SSAAPS 4,
1100
• System description – Description of the system and the controls in the system
• System flow charts – Diagrammatical presentation of the functions and controls
procedures in a system.
RISK ASSESSMENT PROCEDURES AND TEST OF
CONTROLS
What is the difference between risk assessment procedures and test of controls?
TEST OF CONTROLS
EXTENT
Determined by:
NATURE = Assessment of
materiality
TIMING
= Inspection = Assessed risk
= Depend on the
= Observation = Degree of assurance
auditor’s objective
= Enquiry the auditor plans to
= Should cover the
= Re-performance obtain
whole period
= Combination of above
Items can be selected
using professional
judgement or statistical
methods
TEST OF CONTROLS EXAMPLE (NATURE)
The goods are received by two persons who Enquire of the goods receipt
Enquire and observe whether a separate department existEnquire and observe
count and inspect them for quality personnel how the control
whether a separate department exist
function. Observe on a
secretive basis whether the
controls are complied with.
One receipt of the goods the goods received Observe the receipt of goods
personnel prepare a GRN and sign it as proof of and determine whether the
the fact that the goods were counted and controls are complied with.
inspected Inspect the signatures on the
GRN as proof
TEST OF CONTROL EXAMPLE (DIRECTION OF
TESTING)
DEFICIENCY
= Control is designed, implemented SIGNIFICANT DEFICIENCY
or operated in such a way that it is = deficiency or a combination of
unable to prevent or detect and deficiencies in internal control that
correct misstatements in the AFS on in the auditor’s professional
a timely basis judgement is of sufficient
= Control necessary to prevent or importance to merit the attention
detect and correct misstatements in of those charged with governance
the AFS on a timely basis is missing
COMMUNICATING DEFICIENCIES IN INTERNAL ISA
265
CONTROL TO THOSE CHARGED WITH GOVERNANCE
AND MANAGEMENT
Communication if SIGNIFICANT DEFICIENCIES should be:
• In writing
• Could be preceded by some form of oral communication to assist
management or those charged with governance to take remedial action
• Should take place on a timely basis
• Include a description of the deficiencies and explanation of their potential
effects
• Include sufficient information to enable those charged with governance and
management to understand the context of the communication
• Should be to the CEO/CFO in the case of reporting to management
ISA
COMMUNICATING DEFICIENCIES IN INTERNAL 265
CONTROL TO THOSE CHARGED WITH GOVERNANCE 230
AND MANAGEMENT
What if the deficiency still exist because management has chosen not to remedy
them?