5: Introduction to internal control Flashcards
Define internal control
The process implemented by those charged with governance and management to provide reasonable assurance about the achievement of an entity's objectives with regard to:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
Give reasons for internal controls
- Minimising the company’s business risks
- Ensuring the continued effective functioning of the company (going concern)
- Ensuring the company complies with relevant laws and regulations
What are the limitations of internal controls?
CHUE
Collusion - two or more people working together to bypass a control
Human element - Some controls are only as good as the people operating them.
Unusual transactions - controls are generally designed to deal with what routinely happens. For an unusual transaction, the control may not be relevant or exist.
Expense - controls can be expensive to run, and the cost may outweigh the risk
What are the components of internal control?
CRIME
Control activities
Risk
Information systems
Monitoring
Environment control (Control environment)
Explain Control environment
Includes the governance and management functions and the attitudes and actions of those charged with governance and management concerning the entity’s internal control. Sets the tone of an organisation, e.g. culture / example set from the top.
If the control environment is strong, auditors will be more inclined to rely on the entity's control system than if it is weak.
The audit committee is an important aspect.
Explain audit committee as an aspect of control environment
Made up of non-executive directors, responsible for ensuring integrity of F/S and that I/C and risk management systems are robust. Specifically they:
- Monitor and review effectiveness of the internal audit
- Recommend appointment and removal of external auditors
- Review objectivity/independence of external auditor
Explain the entity’s risk assessment process
Business risk is a risk resulting from significant conditions, events, circumstances or actions that could adversely affect an entity’s ability to achieve its objectives. Those charged with governance should establish the following process:
- Identify business risk -> estimate impact on business -> assess likelihood -> actions to manage e.g. avoid, accept, manage.
Why are auditors interested in business risks?
Issues which pose threats to the business may give rise to a risk of the F/S being misstated
Explain the information system and communication
- Includes financial reporting system, procedures by which transactions are recorded, processed, corrected and reported. Also the process of preparing the financial statements. The auditor will be concerned with the reliability of these systems.
In short: reporting of transactions and preparation of F/S with regards to reliability of these
Explain control activities
Activities initiated by those charged with governance to safeguard company assets by detecting/preventing fraud and error.
PARIS - V
Physical or logical controls
Authorisation/approvals
Reconciliation
Information processing and general IT controls
Segregation of duties
Explain and give examples of physical controls
Involves physical counting, locking and security of assets
e.g. ensuring company safe is locked at all times
Explain and give examples of authorisation
Approval of transactions/documents e.g. overtime should be approved by department manager, purchase orders by purchasing manager etc.
Explain and give examples of Reconciliations
Comparing two or more data elements e.g. comparing transactions in the bank statement with those in the accounting system (bank rec)
Explain and give examples of Information processing and general IT controls
Internal controls in a computerised environment including both manual and automatic procedures designed into programs.
e.g. controls to check accuracy, completeness and authorisation of transactions
Explain information processing controls (crIme)
Give 3 examples
Manual or automated procedures that typically operate at a business process level. Can be preventative or detective in nature and are designed to ensure integrity of information.
- Controls over input completeness e.g. one-for-one checking of processed output to source documents
- Controls over input accuracy/integrity e.g. programs to check data fields, digit verification, character tests
- Controls over input authorisation - manual and automatic checks to ensure information was input by authorised personnel (i.e. digital signature/password)
- Controls over processing of input - screen warnings preventing people logging out before processing is complete
- Controls over master files and standing data - reviewing payroll records against individual employee personnel files.
What are general controls?
Policies and procedures that relate to many applications ensuring the proper operation of information systems.
- Development of computer applications - systems design, programming and documentation
- Prevention or detection of unauthorised changes to programs - Password protection, restricted access, virus checks
- Testing and documentation of program changes - complete testing procedures, documentation of new systems, approval of changes.
- Controls to prevent unauthorised amendments to data files - passwords
- Controls to ensure continuity of company operations - Storing extra copies of programs and data files off site, back up copies, protection of equipment.
Explain the entity’s system to MONITOR the system of internal controls
An entity should review its overall control system to ensure that it still meets its objectives and operates effectively/efficiently. Usually carried out by internal audit, which will often produce a management report outlining deficiencies.
Where do auditors obtain information about I/C from?
A variety of sources:
- Company may have manuals of I/C and copies of policies or minutes of meetings of the risk assessment group.
- PY audit file for record of previous controls and their deficiencies.
- Auditors will talk to people involved with I/C to gain info
- Observation - auditor watches operations at a company to identify the control activities being put into action.
Give the 3 ways internal controls are recorded and give adv/disadv of these
Narrative notes
+ Good for short notes on simple systems and background info
- Less good when things are complex and diagrams are used
Questionnaires and checklists
+ Good as aide-memoires to ensure all bases are covered
- Mechanical approach, meaning the important extra question is never asked
- Tick boxes often get ticked whether the brain is engaged or not
Diagrams
+ Flowcharts for complex systems make them easier to understand
+ Organisational charts
- Not easy to draw
What is walk-through testing?
Involves tracing a few transactions through the financial reporting system from order to payment.
Give comparisons of internal v external auditors
Role
- Internal - To improve efficiency / effectiveness of operations – part of overall internal control / risk management system (corporate governance)
- External - To give opinion on truth / fairness of financial statements (reasonable assurance)
Relationship with company
- IN: May be internal (employee) or external (consultant / accountancy firm). Should be objective / independent regarding actual work performed
- EX: Must be external (accountancy firm authorised to sign audit reports). Must be independent – undermines value of assurance if not.
Reporting line(s)
- IN: Depends on nature of work: may report to Board / Audit Committee / Departmental Head / CEO
- EX: Reports to company’s shareholders
Authority
- IN: No legal obligation. Listed companies – Corp Gov guidelines: have internal audit or review annually. Unlisted companies – may have internal audit if sufficient resources, but many don’t
- EX: Required to have audit by law. Company Law requires companies to give external auditor access to information / explanations / books and records
Responsibilities
- IN: Can be wide / varied:
* Monitoring / testing internal controls
* 3E reviews (explain)
* Specific project (e.g…)
* Compliance assignment (e.g…)
- EX: Statutory audit: give reasonable assurance to shareholders re: financial statements. Some items specifically reported on, others reported by exception
Scope of work does NOT include:
- IN:
* Designing / implementing internal controls / internal control system – too involved / not objective
* Management decision making
- EX:
* Giving opinion on internal controls
* Management decision making
* Improving efficiency / effectiveness of operations