4 - internal controls and tests of controls Flashcards

1
Q

what purpose do internal processes and procedures serve?

A

they are in place to reduce uncertainty throughout the business.

2
Q

why is supporting documentation needed throughout internal processes in a business?

A

to mitigate the risks of failing to meet business objective of profit maximisation.

3
Q

what is the definition of internal control as in ISA 315?

A

process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations and compliance with applicable laws and regulations.

4
Q

what are ‘controls’ and what are they for?

A

‘controls’ refers to any aspects of one or more components of internal control. essentially, controls designed to prevent, detect or correct events the company doesn’t wish to happen.

5
Q

how is the effectiveness of accounting/control systems related to control risk?

A

lack of controls or inadequately implemented controls increase control risk and thus risk of material misstatement.

control risk = risk controls don’t work as planned. internal controls mitigate internal risk.

6
Q

what is the relationship between the level of control risk and the extent of substantive testing?

A

level of control risk influences the extent of substantive procedures

lower risk means less need for substantive testing

even in a well controlled entity some substantive testing still required - ISA 330.

7
Q

how should principal risks be determined?

A

board should focus on those risks that, given company’s current position, could threaten company’s business model/future performance/solvency or liquidity, irrespective of how they are classified or from where they arise.

board should treat these risks as principal risks and establish clearly extent to which they are to be managed/mitigated.

8
Q

what are the board’s responsibilities for risk management and internal control?

A

ensure design and implementation of appropriate risk mgment and internal control systems that identify the risks facing the company and enable the board to make a robust assessment of the principal risks.

determine nature and extent of principal risks faced and those risks which org is willing to take in achieving strategic objectives (risk appetite).

ensuring appropriate culture and reward systems have been embedded throughout org

agreeing how principal risks should be mged or mitigated to reduce likelihood of their incidence or their impact

monitoring and reviewing the risk mgement and internal control systems, and the mgment’s process of monitoring and reviewing, and satisfying itself that they are functioning effectively and that corrective action is being taken where necessary

ensuring sound internal and external information and communication processes and taking responsibility for external communication on risk management and internal control

9
Q

what are the 5 components of an internal control system as in ISA 315?

A

control environment

risk management process

entity’s process to monitor system of internal control

information system and communication

control activities

10
Q

what is the control environment in an internal control system?

A

governance and management functions. attitudes, awareness and actions of management, sets tone by creating culture of honest and ethical behaviour, provides appropriate foundation for other components of internal control.

11
Q

what is the risk assessment process in an internal control system?

A

how management identifies risks and decides upon actions to manage them

12
Q

what should be in an entity’s process to monitor its system of internal control?

A

assess design and operation of controls over time, ongoing monitoring as part of regular management activity, separate monitoring may be performed by internal audit function.

13
Q

what does the information system in an internal control system consist of?

A

infrastructure, software, people, procedures, data; related accounting records, supporting info and specific accounts in the financial statements that are used to record, process and report transactions.

14
Q

what are control activities?

A

policies and procedures that help ensure that management directives are carried out. categories most relevant to audit are: performance reviews, info processing, physical controls, segregation of duties.

15
Q

what are the key issues with internal control in smaller entities?

A

less segregation of duties due to fewer staff, mgment override of control
auditor will often choose or be forced to turn to substantive procedures to gain sufficient appropriate audit evidence.

16
Q

what is the audit committee responsible for?

A

reviewing internal financial controls, monitoring effectiveness of internal audit function.

17
Q

how can the audit committee help in respect to internal controls?

A

therefore critical role in ensuring internal controls appropriate and operating effectively. but also, given business risks ultimately reflected in financial outcomes, committee should be concerned with risk assessment generally. in practice often titled as audit and risk committee.

therefore, committee effectively has oversight responsibility for all aspects of control.

18
Q

what are the two organisational controls?

A

segregation of duties

physical controls

19
Q

what is segregation of duties?

A

personnel having separate duties and responsibilities, inherent in many aspects of control.

ensures ‘two pairs of eyes’ involved so increasing error detection and reducing risk of fraud.

temporal segregation - rotation of roles so one person not indefinitely responsible for particular activities. ensuring personnel take vacation allowance.

manifested in computer area, through separation of ability to enter data from ability to programme system.

20
Q

what are physical organisational controls?

A

often refers to security or safe custody of assets, e.g. stock/NCAs/financial assets.

not just in the sense of protecting from theft, physical controls include protection against loss of value from natural or deliberate damage like floods or fires.

21
Q

what things can limit the effectiveness of internal control?

A

even with best system of internal control, no guarantee that an entity will be able to fulfil all its objectives and be fully protected from fraud and error.

  1. entity changes faster than control environment
    e.g. growth means senior staff no longer have time for approvals - has process been replaced? new products not subject to same level of control.
  2. human error
    multiple errors should be necessary for control failure
  3. deliberate non compliance (collusion/mgment override)
  4. cost v benefit
    e.g. monthly vs yearly inventory counts - controls are costly
  5. small businesses
    segregation may not be possible due to lack of staff, then owner/mgr should be more closely involved.
22
Q

what should an auditor be able to identify and understand in an accounting system?

A

major classes of transactions

how recording of transactions is initiated

significant accounting records, supporting docs and accounts

the accounting and financial reporting process

but also understand the entity’s controls in these areas - so they can assess risk through testing controls.

23
Q

what are the three tests of controls?

A

walk-through tests

to understand how system works and what kind of controls are in place by tracing a few transactions through accounting and reporting system

tests of controls

evaluate effectiveness of controls (in preventing, detecting, correcting misstatements) and thus control risk, through variety of tests on a greater number of transactions/balances

substantive procedures

to detect material misstatement through analytical procedures and/or a sample of transactions and balances (extent determined by level of control risk)

24
Q

when should tests of controls and substantive procedures be performed?

A

effective audit approach involves combination of tests of controls and substantive procedures, per ISA 330:
irrespective of assessed risks of material misstatement, auditor should design and perform substantive procedures for each material class of transactions, account balance and disclosure.

reasons substantive tests should always be performed:
reliability of auditor’s assessment of all risks of material misstatement
limitations of internal control, including mgment override

25
Q

how should an auditor decide what type of audit tests to do?

A

start with walkthrough test.

if no/poor controls, do substantive procedures, including tests of detail.

if there are controls in place, move to tests of controls. if low control risk, move to substantive procedures. if high, move to substantive procedures and include tests of detail.

26
Q

what are some tests of controls?

A

tests of information/audit trail

testing of outputs

block testing

interviews with company staff (inquiry)

observation

re-performance of control procedures

examination of management reviews

testing reliability of budgets prepared by management

27
Q

how does a test of information/audit trail work?

A

selected transactions from various stages. test through inquiry and inspection of records and documents. if complex computer system with little hard copy documentation can use re-performance with computer to establish completeness of the audit trail

28
Q

what is testing of output?

A

check sample of outputs against source determination, potentially re-performing supervisory checks

29
Q

what is block testing?

A

test one aspect of the system: quick visual inspection of sizeable block of transactions. e.g. if both sales person and customer should sign off sales order, can relatively quickly check if x amount all signed

30
Q

how can interviews with company staff help an auditor?

A

enables access to a range of relevant information depending on interviewee.
mgment - overview of control environment and activities
staff - asking about understanding of what control procedures they should be performing, what they actually do and asking for evidence

don’t underestimate potential for honest revelation of inappropriate practice

while need to exercise professional scepticism, vital to use interviewing style conducive to openness and honesty.

interviewee may have negative preconceptions about auditor and their role

31
Q

how does re-performance of control procedures reduce risk?

A

e.g. auditors prepare bank reconciliations to test that client reconciliations are properly prepared

if agree, greater confidence that control procedures are adequate

32
Q

what is examination of management reviews?

A

manifested at different levels of mgment

lower levels - evidence of day to day supervision and approval/authorisation

higher levels - evidence of review meetings e.g. with internal audit

33
Q

why is testing reliability of budgets prepared by management helpful?

A

budgets are important tool for planning and control. periodic analysis of variance can identify deviations from plan for which mgment seek explanations to inform corrective action.

assessing budget prep and use provides evidence of mgment control

furthermore, budget info about future can be used to test present assertions - e.g. going concern, likely sales of stock or collection of receivables

therefore, need to assess reliability of budgets. were predictions about saleability of stock/collectability of receivables borne out by actual events?

34
Q

what is the approach to audit when the client is computer-based?

A

approaches generally same in principle whether manual or computer-based except where indicated. worth noting some terminology associated with historical development of audit:

auditing around the computer = treat as black box, focus on inputs and outputs

auditing through computer = examine integrity of processing, part of holistic system with inputs and outputs, use own programmes to interrogate routines and data (computer-assisted audit)

auditing with computer = auditor exploits computing power to manage audit process, e.g. admin processes and to perform audit tasks.

35
Q

what is ISA 260 - responsibility of auditor to communicate with those charged with governance?

A

part of this responsibility is

to provide those charged with governance with timely observations arising from the audit that are significant and relevant to their responsibility to oversee the financial reporting process

36
Q

when should auditor be communicating with those charged with governance?

A

end of interim audit an important stage for such reporting

dealing with results in terms of controls

so-called ‘management letter’ from auditor

covered by ISA 265

37
Q

what is the management letter?

A

title and intended recipients clearly stated with introduction explaining why letter is being written

state responsible officials with whom content has been discussed; to ensure no misunderstanding and proposed remedial actions are appropriate, highlighting any disagreements and stating no reason to doubt integrity of officials.

principal issues outstanding (not matters cleared already): main conclusions, detailed comments: brief description, possible consequences and recommendations.

indication of willingness to discuss and request for a response

38
Q

what is the scope of the management letter?

A

scope: key internal control matters to be reported are those that have or could result in significant misstatements.

if issues reported in previous mgment letters but not rectified - highlight and seek reasons

consider excluding matters where there are questions over integrity or competence of management. these may need to be taken directly to audit committee.