5: Introduction to internal control Flashcards

1
Q

Define internal control

A

The process implemented by those charged with governance and management to provide reasonable assurance about the achievement of an entity’s objectives with regard to:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations

2
Q

Give reasons for internal controls

A
  • Minimising the company’s business risks
  • Ensuring the continuing effective functioning of the company (going concern)
  • Ensuring the company complies with relevant laws and regulations
3
Q

What are the limitations of internal controls

A

CHUE

Collusion - two or more people working together to bypass a control
Human element - Some controls are only as good as the people operating them.
Unusual transactions - controls are generally designed to deal with what routinely happens. For an unusual transaction, the control may not be relevant or exist.
Expense - the cost of running a control may outweigh the risk

4
Q

What are the components of internal control?

A

CRIME

Control activities
Risk
Information systems
Monitoring
Environment control (Control environment)

5
Q

Explain Control environment

A

Includes the governance and management functions and the attitudes and actions of those charged with governance and management concerning the entity’s internal control. Sets the tone of an organisation, e.g. culture / example set from the top.

If the control environment is strong then auditors will be more inclined to rely on the control system in the entity than if it is weak.

Audit committee is an important aspect

6
Q

Explain audit committee as an aspect of control environment

A

Made up of non-executive directors, responsible for ensuring integrity of F/S and that I/C and risk management systems are robust. Specifically they:
- Monitor and review effectiveness of the internal audit
- Recommend appointment and removal of external auditors
- Review objectivity/independence of external auditor

7
Q

Explain the entity’s risk assessment process

A

Business risk is a risk resulting from significant conditions, events, circumstances or actions that could adversely affect an entity’s ability to achieve its objectives. Those charged with governance should establish the following process:
- Identify business risk -> estimate impact on business -> assess likelihood -> actions to manage e.g. avoid, accept, manage.

8
Q

Why are auditors interested in business risks?

A

Issues which pose threats to the business may give rise to a risk of the F/S being misstated

9
Q

Explain the information system and communication

A
  • Includes financial reporting system, procedures by which transactions are recorded, processed, corrected and reported. Also the process of preparing the financial statements. The auditor will be concerned with the reliability of these systems.

In short: reporting of transactions and preparation of F/S with regards to reliability of these

10
Q

Explain control activities

A

Activities initiated by those charged with governance to safeguard company assets by detecting/preventing fraud and error.

PARIS - V
Physical or logical controls
Authorisation/approvals
Reconciliation
Information processing and general
Segregation of duties

11
Q

Explain and give examples of physical controls

A

Involves physical counting, locking and security of assets
e.g. ensuring company safe is locked at all times

12
Q

Explain and give examples of authorisation

A

Approval of transactions/documents e.g. overtime should be approved by department manager, purchase orders by purchasing manager etc.

13
Q

Explain and give examples of Reconciliations

A

Comparing two or more data elements e.g. comparing transactions in the bank statement with those in the accounting system (bank rec)

14
Q

Explain and give examples of Information processing and general IT controls

A

Internal controls in a computerised environment including both manual and automatic procedures designed into programs.
e.g. controls to check accuracy, completeness and authorisation of transactions

15
Q

Explain information processing controls (crIme)
Give 3 examples

A

Manual or automated procedures that typically operate at a business process level. Can be preventative or detective in nature and designed to ensure integrity of information.

  • Controls over input completeness e.g. one-for-one checking of processed output to source documents
  • Controls over input accuracy/integrity e.g. programs to check data fields, digit verification, character tests
  • Controls over input authorisation - manual and automatic checks to ensure information input was input by authorised personnel (i.e. digital signature/password)
  • Controls over processing of input - screen warnings preventing people logging out before processing is complete
  • Controls over master files and standing data - reviewing payroll records against individual employee personnel files.
16
Q

What are general controls

A

Policies and procedures that relate to many applications ensuring the proper operation of information systems.
- Development of computer applications - systems design, programming and documentation
- Prevention or detection of unauthorised changes to programs - Password protection, restricted access, virus checks
- Testing and documentation of program changes - complete testing procedures, documentation of new systems, approval of changes.
- Controls to prevent unauthorised amendments to data files - passwords
- Controls to ensure continuity of company operations - Storing extra copies of programs and data files off site, back up copies, protection of equipment.

17
Q

Explain the entity’s system to MONITOR the system of internal controls

A

An entity should review its overall control system to ensure that it still meets its objectives and operates effectively/efficiently. Usually carried out by internal audit, which will often produce a management report outlining deficiencies.

18
Q

Where do auditors obtain information about I/C from?

A

A variety of sources:
- Company may have manuals of I/C and copies of policies or minutes of meetings of the risk assessment group.
- PY audit file for record of previous controls and their deficiencies.
- Auditors will talk to people involved with I/C to gain info
- Observation - auditor watches operations at a company to identify the control activities being put into action.

19
Q

Give the 3 ways internal controls are recorded and give adv/disadv of these

A

Narrative notes
+ Good for short notes on simple systems and background info
- Less good when things are complex and diagrams are used

Questionnaires and checklists
+ Good as aide-memoires to ensure all bases are covered
- Mechanical approach, meaning an important extra question is never asked
- Tick boxes often get ticked whether the brain is engaged or not

Diagrams
+ Flowcharts make complex systems easier to understand
+ Organisational charts
- Not easy to draw

20
Q

What is walk through testing

A

Involves tracing a few transactions through the financial reporting system from order to payment.

21
Q

Give comparisons of internal v external auditors

A

Role
- Internal - To improve efficiency / effectiveness of operations – part of overall internal control / risk management system (corporate governance)
- External - To give opinion on truth / fairness of financial statements (reasonable assurance)

Relationship with company
- IN: May be internal (employee) or external (consultant / accountancy firm). Should be objective / independent regarding actual work performed
- EX: Must be external (accountancy firm authorised to sign audit reports). Must be independent – undermines value of assurance if not.

Reporting line(s)
- IN: Depends on nature of work: may report to Board / Audit Committee / Departmental Head / CEO
- EX: Reports to company’s shareholders

Authority
- IN: No legal obligation. Listed companies – Corp Gov guidelines: have internal audit or review annually. Unlisted companies – may have internal audit if sufficient resources, but many don’t
- EX: Required to have audit by law. Company Law requires companies to give external auditor access to information / explanations / books and records

Responsibilities
- IN: Can be wide / varied:
  * Monitoring / testing internal controls
  * 3E reviews (explain)
  * Specific project (e.g…)
  * Compliance assignment (e.g…)
- EX: Statutory audit: give reasonable assurance to shareholders re: financial statements. Some items specifically reported on, others reported by exception

Scope of work does NOT include:
- IN:
  * Designing / implementing internal controls / internal control system – too involved / not objective
  * Management decision making
- EX:
  * Giving opinion on internal controls
  * Management decision making
  * Improving efficiency / effectiveness of operations