5 - Intro to internal control and information flows Flashcards
What is an internal control?
The process designed by those charged with governance and management to provide reasonable assurance about the achievement of a company's objectives. For example, credit checking a credit customer before you do business with them, or making sure overtime is authorised by the manager, etc.
Effectiveness and efficiency of operations - Quality control and credit controls
Reliability of financial reporting - Reconciliations
Compliance with applicable laws and regulations
What are the reasons for ICs?
Minimise the company's risk
Ensure the continuing effective functioning of the company
Ensuring the company complies with relevant laws and regulations
Ensure reliable financial reporting
What are the limitations of ICs?
Expensive - no cost benefit of having IC.
Human element - only as good as the people operating them.
Collusion - segregation of duties means fraud can be spotted but these 2 people can work together to bypass the control
Unusual transactions - IC great for dealing with routine. Something unusual means a control for that may not exist
What are the 5 components of IC?
Control environments
Entity’s risk assessment process
Info system and communication
Control activities
Entity’s system to monitor the system of internal controls
What is the control environment?
It’s how those charged with governance implement a positive attitude towards ICs. Seniors influence the rest of the company by following and respecting the ICs. This may lead to lower risk and higher materiality, so less testing and smaller samples.
What role does the audit committee play? Control environments
A board of directors and NEDs (non-executive directors). There should be a balance between the 2.
The audit committee always has only NEDs, no one else. They keep EDs in check.
An AC is a must-have for a listed company. It must be made up of NEDs only. The 2 key roles are:
Ensure the FS have integrity - straightforward and honest. They provide oversight of the external auditors. They could do this by reviewing their objectivity, making sure there is no bias through remuneration, and there should be a review of all the non-audit services offered. They can also recommend the appointment and removal of external auditors.
The other role is to ensure the IC of a company is effective. They oversee internal audit and oversee everything, and make sure everything is effective by monitoring and reviewing skills, resources and independence.
What is the entity’s risk assessment process?
Involves identification of the business risks the organisation faces.
Business risk: A risk resulting from significant conditions or actions that could badly affect an entity’s ability to reach its objectives.
People charged with governance should:
Identify business risks
Estimate their impact
Assess the likelihood
Decide what actions to take to manage the risk
What is the info system and communication?
It is the process in place for creating the FS.
Management accounting is done through the year and then this process converts it into FS which follow the Companies Act rules and IFRS rules?
A good process consists of:
Journals being signed off before they are posted, whether there is a qualified FD, and what software is used when drafting the FS.
What are control activities?
Those charged with governance use these to safeguard the company's assets by detecting and preventing fraud and error.
What are types of control activity? PARISV
Physical or logical controls - Physical counting, locking and security of assets. Ensuring the company safe is locked at all times. Physically counting petty cash.
Authorisation and approvals - Approval of transactions or documents etc. Overtime should be approved by the purchasing manager etc.
Reconciliations - Comparing 2 or more data elements to find anomalies. For example, comparing transactions in the bank statement with those recognised in the accounting system
Info processing and general IT controls
Segregation of duties - Use different individuals for authorising, processing and maintaining assets etc. Staff who record transactions should not carry out reconciliations.
Verifications - Comparing an item with a policy (budget), with a follow-up action where there is a problem. Compare monthly expenditure to budget and investigate any differences.
What are some examples of info processing controls?
Control over input completeness
Controls over input accuracy/integrity -
Digit verification (reference numbers are as expected)
Reasonableness tests (Compare VAT to total value)
Existence checks (customer name)
Character checks (no unexpected characters used in reference)
Permitted range (no transaction processed over a certain value)
Controls over input authorisation - Manual and auto checks to ensure input was by authorised people (passwords or signature)
Controls over processing of inputs - Screen warnings can prevent people logging out before processing is complete
Controls over master files and standing data - only some people can review payroll info or personnel files
What are examples of general controls?
Development of computer applications - Standards over system design, programming and documentation. For example, full testing procedures prior to use. Approval by computer users and management. Training of staff in new procedures
Testing and documentation of program changes - Complete testing procedures, Documentation of new systems and approval of changes by computer users and management
Prevention or detection of unauthorised changes to programs - Password protection of programs so that access is limited. Restricted access to the central computer by locked doors and keypads. Virus checks on software / prohibiting use of non-authorised content or files.
Controls to prevent unauthorised amendment to data files - such as passwords to prevent entry and built in controls to prevent changes.
Controls to ensure continuity of company operations - Storing extra copies, protection of equipment against fires or other hazards, backup power sources, backup copies of programs being taken and stored in locations. Emergency procedures. Disaster recovery procedures. Maintenance agreements and insurance.
Info about controls
Auditors will obtain info about IC from a variety of sources
Auditors should have a record of what the controls were in previous years and any prior problems.
Auditors also gain info by talking to people involved with IC at all stages and seeing what they know.
Observation - auditor will watch operations at a company to identify the control activities being put in place
Recording of internal controls
Auditors shall record the ICs they see. There are broadly 3 types of documents which are used:
Narrative notes - Short notes on simple systems. Background info. They are less effective when things get more complex, when diagrams tend to take over.
Questionnaires and checklists - Good as they make sure you have all bases covered. But it's a mechanical approach, meaning extra questions are never asked. Also, tick boxes often get ticked whether the brain is engaged or not.
ICQ - Y N N/A.
ICEQ - Written response.
Diagrams
What are walk-through tests?
Tracing a transaction back from payment to delivery