5: Internal Control Flashcards
What is internal control?
A system designed, implemented and maintained to provide reasonable assurance about the achievement of the entity’s objectives, with regard to reliability and compliance
Help an organisation to achieve its objectives and mitigate the business risks
5 examples of controls
Quality control - prevent poor quality goods
Credit control - limit the level of bad debts
Controls over inventory ordering - prevent stock-outs
Compliance with laws and regulations - normally by implementing policies
Controls over payroll - people paid right amount
Limitations of internal controls?
Human error
Unusual transactions tend to be outside the scope of control systems
Collusion
Management override
Special considerations in small companies (informal nature of docs/ limited numbers of staff make segregation difficult)
What are the requirements of directors with internal controls reporting?
Directors subject to the UK Corporate Governance Code are required to report on risk management and systems of internal control in the Annual Report
What are the 5 components of internal control?
- Control Environment
- Entity’s Risk Assessment Process
- Information System and Communication
- Control Activities (the actual controls)
- Monitoring
CRIME!
What is a control environment?
Includes the governance and management functions
And the attitudes, awareness and actions of those charged with governance and management
Concerning the entity’s internal control and its importance in the entity
What indicates a strong control environment?
Existence of an Audit Committee
Internal Audit Function
Effective documentation of control systems
Importance of controls communicated to all staff members
No management override of controls
Recruitment of employees with integrity
What is an Audit Committee and what are the key features?
A subsection of the board of directors which has a particular interest in the accounting and finance activities of the company
- comprised of non-executive directors (cannot play a role in day-to-day activity)
- oversees the financial statements, internal audit and external audit
- A requirement under UK Corporate Governance Code
- Required to have written terms of reference
Reports to the company’s shareholders in Annual Report
What is business risk?
A risk resulting from significant conditions, events, circumstances etc. that could adversely affect an entity’s ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies
What 7 circumstances could cause business risk?
Changes in operating environment
New personnel
New or revamped information system
Rapid growth or restructuring
New technology
New business models, products or activities
Expanded foreign operations
What is information system and communication?
Includes the financial reporting system,
Consists of the procedures and records established to initiate, record, process and report entity transactions
And maintain accountability for the related assets, liabilities and equity
What are the 6 things auditors are interested in, in relation to Information System and Communication?
Identifying significant classes of transactions
Systems for preparing financial statements
Accounting software used
Related accounting records and supporting info
Roles and responsibilities allocated to personnel
Danger of internal controls being overridden
What are the two broad categories of controls?
And then, the 5 different types of controls?
Preventative controls - prevent errors occurring
Detective controls - identify that an error has occurred and prevent it
5 types:
- Authorisation and approval
- Reconciliation
- Verifications
- Physical or logical controls
- Segregation of duties
What is an ‘authorisation and approval’ control?
Affirms a transaction is valid, and typically takes the form of an approval by a higher level of management, or of verification and a determination of whether the transaction is valid
- supervisor approving an expense
- finance director reviewing and signing bank reconciliations
What is ‘reconciliations’ control?
Compare two or more data elements. DATA WITH DATA.
If differences identified, action taken to bring this INTO AGREEMENT.
Address the completeness or accuracy of transactions.
- comparing sales report against total revenue
- doing bank reconciliations
What is ‘verifications’ control?
Compares two or more ITEMS with each other, or compares an item with a policy
Involves a follow-up action when the items do not match or are not consistent
Address completeness, accuracy or validity of transactions
- comparing monthly expenditure with budgeted expenditure
- comparing hotel rates
- agreeing a dispatch note
A check on reasonableness, items do not have to match!!
What is ‘physical or logical’ control?
Encompass the physical security of assets
Such as secured facilities over access to assets and records
Authorisation for access to computer programs and data files
- physical counting of petty cash
- numerical sequence check
- electronic tagging of inventory
- banking cash immediately
What is ‘segregation of duties’ control?
Assigning different people the different responsibilities of authorising transactions, recording transactions and maintaining custody of assets
Reduces the opportunities for any person to be in a position to both perpetrate and conceal errors or fraud
- inventory count being carried out by two teams
- person who requisitions the purchase of goods is different to the person who approves the purchase
Computer controls: what are ‘general IT’ controls?
Controls over the entity’s IT processes that support the continued proper operation of the IT environment, including the continued effective functioning of IT processing controls and the integrity of information
Computer controls: ‘information processing’ controls?
Controls related to the processing of information in IT applications or manual information processes
That directly address the integrity of the information (i.e. accuracy)
- input completeness
- input accuracy
- input authorisation
- standing data
5 cyber security risks, and 4 mitigation methods?
Hacking
Fraudulent theft of funds
Deliberate sabotage
Viruses, malware and other corruption
Denial of service attack
- improve communications about cyber risks
- define who is responsible and accountable for cyber security
- assign board level accountability
- monitor the actions of the executive
How should internal controls be monitored?
Directors should decide whether controls are still adequate
Controls should be monitored at all levels
Internal audit may recommend new systems
External audit may highlight deficiencies
What three kinds of notes could be chosen for documenting internal controls?
Auditor MUST document their understanding of the client’s internal controls
Narrative notes
- good for juniors, bad for complex controls
Questionnaires or checklists
- easy to complete
- may overstate controls; not tailored to clients
Diagrams or flowcharts
- best for complex systems
- complex and time consuming
What is a walkthrough test?
A test done by the auditor to confirm their understanding of the client’s internal control systems