5: Internal Control

Question 1

What is internal control?

Answer 1

A system designed, implemented and maintained to provide reasonable assurance about the achievement of the entity’s objectives, with regards to reliability and compliance

Help an organisation to achieve its objectives and mitigate the business risks

Question 2

5 examples of controls

Answer 2

Quality control - prevent poor quality goods

Credit control - limit the level of bad debts

Controls over inventory ordering - prevent stock-outs

Compliance with laws and regulations - normally by implementing policies

Controls over payroll - people paid right amount

Question 3

Limitations of internal controls?

Answer 3

Human error

Unusual transactions tend to be outside the scope of controls systems

Collusion

Management override

Special considerations in small companies (informal nature of docs/ limited numbers of staff make segregation difficult)

Question 4

What are the requirements of directors with internal controls reporting?

Answer 4

Directors applying to the UK Corporate Governance Code are required to report on risk management and systems of internal control in Annual Report

Question 5

What are the 5 components of internal control?

Answer 5

1. Control Environment
2. Entity’s Risk Assessment Process
3. Information System and Communication
4. Control Activities (the actual controls)
5. Monitoring

CRIME!

Question 6

What is a control environment?

Answer 6

Includes the governance and management functions

And the attitudes, awareness and actions of those charged with governance and management

Concerning the entity’s internal control and its importance in the entity

Question 7

What indicates a strong control environment?

Answer 7

Existence of an Audit Committee

Internal Audit Function

Effective documentation of control systems

Importance of controls communicated to all staff members

No management override of controls

Recruitment of employees with integrity

Question 8

What is an Audit Committee and what are the key features?

Answer 8

A subsection of the board of directors which has a particular interest in the accounting and finance activities of the company

• compromised of non-exec directors (cannot play role in day to day activity)
• oversees the financial statements, internal audit and external audit
• A requirement under UK Corporate Governance Code
• Required to have written terms of reference

Reports to the company’s shareholders in Annual Report

Question 9

What is business risk?

Answer 9

A risk resulting from significant conditions, events, circumstances etc, that could adversely effect an entity’s ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies

Question 10

What 7 circumstances could cause business risk?

Answer 10

Changes in operating enviro

New personnel

New or revamped info system

Rapid growth or restucturing

New technology

New business models, products or activities

Expanded foreign operations

Question 11

What is information system and communication?

Answer 11

Includes the financial reporting system,

Consists of the procedures and records established to initiate, record, process and report entity transactions

And maintain accountability for the related assets, liabilities and equity

Question 12

What are the 6 things auditors are interested in in relation to Information System and Communication?

Answer 12

Identifying significant classes of transactions

Systems for preparing financial statements

Accounting software used

Related accounting records and supporting info

Roles and responsibilities allocated to personnel

Danger of internal controls being overriden

Question 13

What are the two broad categories of controls?

And then, the 5 different types of controls?

Answer 13

Preventative controls - prevents errors occuring

Detective controls - identify that an error has occurred and prevent it

5 types:
- Authorisation and approval
- Reconciliation
- Verifications
- Physical or logical controls
- Segregation of duties

Question 14

What is an ‘authorisation and approval’ control?

Answer 14

Affirms a transaction is valid, and typically takes the form of an approval by a higher level of management, or of verification and a determination if the transaction is valid

• supervisor approving an expense
• finance director reviewing the signing bank reconciliations

Question 15

What is ‘reconciliations’ control?

Answer 15

Compare two or more data elements. DATA WITH DATA.

If differences identified, action taken to bring this INTO AGREEMENT.

Address the completeness or accuracy of transactions.

• comparing sales report against total revenue
• doing bank reconciliations

Question 16

What is ‘verifications’ control?

Answer 16

Controls two or more ITEMS with each other, or compare an item with a policy

Involves a follow up action when the items do not match or not consistent

Address completeness, accuracy or validity of transactions

• comparing monthly expenditure with budgeted expenditure
• comparing hotel rates
• agreeing a dispatch note

A check on reasonableness, items do not have to match!!

Question 17

What is ‘physical or logical’ control?

Answer 17

Encompass the physical security of assets

Such as secured facilities over access to assets and records

Authorisation for access to computer programs and data files

• physical counting of petty cash
• numerical sequence check
• electronic tagging of inventory
• banking cash immediately

Question 18

What is ‘segregation of duties’ control?

Answer 18

Assigning different people the different responsibilities of authorising transactions, recording transactions and maintaining custody of assets

Reduces the opportunities for any person to be in a position to both perpetrate and conceal errors or fraud

• inventory count being carried out by two teams
• person who requisitions the purchase of goods is different to the person who approves the purchase

Question 19

Computer controls: what are ‘general IT’ controls?

Answer 19

Controls over the entity’s IT processes that support the continued proper operation of the IT environment, including continued effective functioning of IT processing controls integrity of info

Question 20

Computer controls: ‘information processing’ controls?

Answer 20

Controls related to the processing of information in IT applications or manual information process

That directly address the integrity of the information (ie. accuracy)

• input completeness
• input accuracy
• input authorisaoon
• standing data

Question 21

5 cyber security risks, and 4 mitigation methods?

Answer 21

Hacking
Fraudulent theft of funds
Deliberate sabotage
Viruses, malware and other corruption
Denial of service attack

• improve coms about cyber risks
• define who is responsible and accountable for cyber security
• assign board level accountability
• monitor the actions of the executive

Question 22

How should internal controls be monitored?

Answer 22

Directors should decide is controls are still adequate

Controls should be monitored at all levels

Internal audit may recommend new systems

External audit may highlight deficiencies

Question 23

What three kinds of notes could be chosen for documenting internal controls?

Answer 23

Auditor MUST document their understanding of the client’s internal controls

Narrative notes
- good for juniors, bad for complex controls

Questionnaires or checklists
- easy to complete
- may overstate, not tailored to clients

Diagrams or flowcharts
- best for complex systems
- complex and time consuming

Question 24

What is a walkthrough test?

Answer 24

A test done by the auditor to confirm their understanding of the client’s internal control systems