9 Internal control Flashcards

1
Q

What is internal control?

A

Internal control is the process designed, implemented and maintained by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of the entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.

2
Q

What are the 5 components of internal control?

A

• The control environment
• The entity’s risk assessment process
• The information system relevant to financial reporting
• Control activities
• Monitoring of controls

3
Q

Give an example of a control environment

A

Control environment includes the governance and management functions and the attitudes, awareness and actions of those charged with governance and management concerning the entity’s internal control and its importance in the entity.

4
Q

ISA 315 states that auditors shall have an understanding of the control environment. As part of this understanding, the auditor shall evaluate whether:

A

(a) Management has created and maintained a culture of honesty and ethical behaviour.
(b) The strengths in the control environment provide an appropriate foundation for the other components of internal control and whether those components are not undermined by deficiencies in the control environment.

5
Q

The following table illustrates the elements of the control environment that may be relevant when obtaining an understanding of the control environment. Give an example of Communication and enforcement of integrity and ethical values

A

Essential elements which influence the effectiveness of the design, administration and monitoring of controls

6
Q

The following table illustrates the elements of the control environment that may be relevant when obtaining an understanding of the control environment. Give an example of Commitment to competences

A

Management’s consideration of the competence levels for particular jobs and how those levels translate into requisite skills and knowledge

7
Q

The following table illustrates the elements of the control environment that may be relevant when obtaining an understanding of the control environment. Give an example of Participation by those charged with governance

A

• Independence from management
• Experience and stature
• Extent of involvement and scrutiny of activities
• Appropriateness of actions and interaction with internal and external auditors

8
Q

The following table illustrates the elements of the control environment that may be relevant when obtaining an understanding of the control environment. Give an example of Management’s philosophy and operating style

A

• Approach to taking and managing business risks
• Attitudes and actions towards financial reporting
• Attitudes towards information processing and accounting functions and personnel

9
Q

The following table illustrates the elements of the control environment that may be relevant when obtaining an understanding of the control environment. Give an example of Organisational structure

A

The framework within which an entity’s activities for achieving its objectives are planned, executed, controlled and reviewed

10
Q

The following table illustrates the elements of the control environment that may be relevant when obtaining an understanding of the control environment. Give an example of Assignment of authority and responsibility

A

How authority and responsibility for operating activities are assigned and how reporting relationships and authorisation hierarchies are established

11
Q

The following table illustrates the elements of the control environment that may be relevant when obtaining an understanding of the control environment. Give an example of Human resource policies and practices

A

Recruitment, orientation, training, evaluating, counselling, promoting, compensation and remedial actions

12
Q

Entity’s risk assessment process. ISA 315 says the auditor shall obtain an understanding of whether the entity has a process for:

A

• Identifying business risks relevant to financial reporting objectives
• Estimating the significance of the risks
• Assessing the likelihood of their occurrence
• Deciding on actions to address those risks

13
Q

Define the information system relevant to financial reporting component of internal control

A

The information system relevant to financial reporting is a component of internal control that includes the financial reporting system, and consists of the procedures and records established to initiate, record, process and report entity transactions (as well as events and conditions) and to maintain accountability for the related assets, liabilities and equity

14
Q

The auditor shall obtain an understanding of the information system relevant to financial reporting objectives, including the following areas:

A

• The classes of transactions in the entity’s operations that are significant to the financial statements
• The procedures, within both IT and manual systems, by which those transactions are initiated, recorded, processed, corrected, transferred to the general ledger and reported in the financial statements
• The related accounting records, supporting information and specific accounts in the financial statements, in respect of initiating, recording, processing and reporting transactions
• How the information system captures events and conditions, other than transactions, that are significant to the financial statements
• The financial reporting process used to prepare the entity’s financial statements, including significant accounting estimates and disclosures
• Controls surrounding journal entries, including non-standard journal entries used to record nonrecurring, unusual transactions or adjustments

15
Q

Conforming amendments to ISA 315 published in 2015 point out that as well as understanding how information is obtained from within the general and subsidiary ledgers, auditors must gain an understanding of the system relating to information obtained outside of the ledgers. Such information may include information disclosed in the financial statements, which has been derived from:

A

• Lease agreements disclosed in the financial statements
• The entity’s risk management system
• Fair value reports produced by management’s experts
• Calculations and models developed about accounting estimates, including internal assumptions about assets’ useful lives and external interest rates
• Sensitivity analyses performed by management to consider alternative assumptions
• The entity’s tax records
• Analyses to support management’s assessment of the going concern assumption

16
Q

What are control activities?

A

Control activities are those policies and procedures that help ensure that management directives are carried out. Control activities include those activities designed to prevent or to detect and correct errors.

17
Q

Give examples of control activities and provide explanations and categorise them: Approval and control of documents

A

Authorisation: Transactions should be approved by an appropriate person. For example, overtime should be approved by departmental managers.

18
Q

Give examples of control activities and provide explanations and categorise them: Controls over computerised applications

A

Information processing

19
Q

Give examples of control activities and provide explanations and categorise them: Checking the arithmetical accuracy of records

A

Information processing: For example, checking to see if individual invoices have been added up correctly.

20
Q

Give examples of control activities and provide explanations and categorise them: Maintaining and reviewing control accounts and trial balances

A

Performance review: Control accounts bring together transactions in individual ledgers. Trial balances bring together transactions for the organisation as a whole. Preparing these can highlight unusual transactions or accounts.

21
Q

Give examples of control activities and provide explanations and categorise them: Reconciliations

A

Information processing:
Reconciliations involve comparison of a specific balance in the accounting records with what another source says the balance should be; for example, a bank reconciliation. Differences between the two figures should only be reconciling items (resulting from eg timing differences).

22
Q

Give examples of control activities and provide explanations and categorise them: Comparing the results of cash, security and inventory counts with accounting records

A

Performance Review: For example, in a physical count of petty cash, the balance shown in the cash book should be the same as the amount held.

23
Q

Give examples of control activities and provide explanations and categorise them: Limiting physical access to assets and records

A

Physical control: Only authorised personnel should have access to certain assets (particularly valuable or portable ones), eg ensuring that the inventory stores are locked unless store personnel are there.

24
Q

Give examples of control activities and provide explanations and categorise them: Segregation of duties

A

Segregation of duties: Assigning different people the responsibility of authorising transactions, recording transactions and maintaining custody of assets

25
Q

Define segregation. What has it got to do with fraud?

A

Segregation implies a number of people being involved in the accounting process. This makes it more difficult for fraudulent transactions to be processed (since a number of people would have to collude in the fraud), and it is also more difficult for accidental errors to be processed

26
Q

Segregation should take place in various ways:

A

(a) Segregation of function. The key functions that should be segregated are the carrying out of a transaction, recording that transaction in the accounting records and maintaining custody of assets that arise from the transaction.
(b) The various steps in carrying out the transaction should also be segregated. We shall see how this works in practice when we look at the major transaction cycles in Chapter 10.
(c) The carrying out of various accounting operations should be segregated. For example, the same staff should not record transactions and carry out the reconciliations at the period end.

27
Q

What is the monitoring of controls?

A

Monitoring of controls is a process to assess the effectiveness of internal control performance over time. It includes assessing the design and operation of controls on a timely basis and taking necessary corrective actions modified for changes in conditions

28
Q

The auditor will often choose or be forced to turn to substantive procedures to gain sufficient appropriate audit evidence when auditing a smaller entity. This can often mean use of:

A

• Confirmations
• Agreeing samples related to different financial statement areas to source documents
• Analytical procedures where these are considered suitable

29
Q

Any internal control system can only provide the directors with reasonable assurance that their objectives are reached, because of inherent limitations. These include:

A

• The costs of control not outweighing their benefits
• The potential for human error
• Collusion between employees
• The possibility of controls being bypassed or overridden by management
• Controls being designed to cope with routine and not non-routine transactions

30
Q

What are the key factors in the limitations of control systems in smaller companies?

A

These factors demonstrate why auditors cannot obtain all their evidence from tests of the systems of internal control. The key factors in the limitations of control systems are human error and potential for fraud.

31
Q

Auditors are only concerned with assessing policies and procedures which are relevant to the financial statements. Auditors shall:

A

• Assess the adequacy of the accounting system as a basis for preparing the accounts
• Identify the types of potential misstatements that could occur in the accounts
• Consider factors that affect the risk of misstatements
• Design appropriate audit procedures

32
Q

Recording accounting and control systems. There are several techniques for recording the assessment of control risk; that is, the system. One or more of the following may be used depending on the complexity of the system.

A

• Narrative notes
• Questionnaires
• Flowcharts
• Checklists

33
Q

In respect of questionnaires, you should note that there are two types, each with a different purpose. What are the two types of questionnaires?

A

(a) Internal Control Questionnaires (ICQs) are used to ask whether controls exist which meet specific control objectives.
(b) Internal Control Evaluation Questionnaires (ICEQs) are used to determine whether there are controls which prevent or detect specified errors or omissions.

34
Q

What is the purpose of narrative notes?

A

The purpose of narrative notes is to describe and explain the system, at the same time as making any comments or criticisms which will help to demonstrate an intelligent understanding of the system.

35
Q

What are the advantages of Narrative notes?

A

They are relatively simple to record and can facilitate understanding by all audit team members.
They can be used for any system due to the method’s flexibility.
Editing in future years can be relatively easy if they are computerised.

36
Q

What are the disadvantages of Narrative notes?

A

Describing something in narrative notes can be a lot more time consuming than, say, representing it as a simple flowchart, particularly where the system follows a logical flow.
They are awkward to update if written manually.
It can be difficult to identify missing internal controls because notes record the detail of systems but may not identify control exceptions clearly.

37
Q

Define flowcharts

A

Graphic illustrations of the physical flow of information through the accounting system.

38
Q

Advantages of flowcharts

A

After a little experience they can be prepared quickly. They eliminate the need for extensive narrative and can be of considerable help in highlighting the salient points of control and any deficiencies in the system. They generally ensure that the system is recorded in its entirety, as all document flows have to be traced from beginning to end. Any ‘loose ends’ will be apparent from a cursory examination. As the information is presented in a standard form, they are fairly easy to follow and review.

39
Q

Disadvantages of flowcharts

A

They are most suitable for describing standard systems. Procedures for dealing with unusual transactions will normally have to be recorded using narrative notes. Major amendment is difficult without redrawing. Time can sometimes be wasted by charting areas that are of no audit significance.

40
Q

Internal Control Questionnaires (ICQs): The major question which ICQs are designed to answer is ‘How good is the system of controls?’ Although there are many different forms of ICQ in practice, they all conform to the following basic principles.

A

(a) They comprise a list of questions designed to determine whether desirable controls are present (possible desirable controls are considered for each major transaction cycle in Chapter 10).
(b) They are formulated so that there is one list of questions to cover each of the major transaction cycles.

41
Q

Examples of Internal Control Questionnaires (ICQs):

A

(a) Are supplies examined on arrival as to quantity and quality?
(b) Is such an examination evidenced in some way?
(c) Is the receipt of supplies recorded, perhaps by means of goods inward notes?
(d) Are receipt records prepared by a person independent of those responsible for:
    (i) Ordering functions?
    (ii) The processing and recording of invoices?

42
Q

Explain Internal Control Evaluation Questionnaires (ICEQs)

A

This is achieved by reducing the control criteria for each transaction stream down to a handful of key questions (or control questions). The characteristic of these questions is that they concentrate on the significant errors or omissions that could occur at each phase of the appropriate cycle if controls are weak. The

43
Q

Examples of ICEQs

A

(a) Goods or services could not be received without a liability being recorded?
(b) Receipt of goods or services is required in order to establish a liability?
(c) A liability will be recorded:
    (i) Only for authorised items?
    (ii) At the proper amount?
(d) All payments are properly authorised?
(e) All credits due from suppliers are received?

44
Q

Advantages of ICQs and ICEQs

A

If drafted thoroughly, they can ensure all controls are considered. They are quick to prepare. They are easy to use and control. Because they are drafted in terms of objectives rather than specific controls, ICEQs are easier to apply to a variety of systems than ICQs. Answering ICEQs should enable auditors to identify the key controls which they are most likely to test during control testing. ICEQs can highlight deficiencies where extensive substantive testing will be required.

45
Q

Disadvantages of ICQs and ICEQs

A

The principal disadvantage is that they can be drafted vaguely, hence misunderstood and important controls not identified. They may contain a large number of irrelevant controls. They may not include unusual controls, which are nevertheless effective in particular circumstances.
They can give the impression that all controls are of equal weight. In many systems one NO answer (for example lack of segregation of duties) will cancel out a string of YES answers.
The client may be able to overstate controls.

46
Q

What shares the same benefits as ICQs and ICEQs?

A

Checklist

47
Q

Tests of control are tests performed to obtain audit evidence about the effectiveness of the:

A

• Design of the accounting and internal control systems, ie whether they are suitably designed to prevent, or detect and correct, material misstatement at the assertion level; and
• Operation of the internal controls throughout the period.

48
Q

Tests of control are distinguished from substantive tests which are designed to detect material misstatements in the financial statements. Tests of control may include the following.

What should an auditor consider:

A

(a) Inspection of documents supporting controls or events to gain audit evidence that internal controls have operated properly, eg verifying that a transaction has been authorised
(b) Enquiries about internal controls which leave no audit trail, eg determining who actually performs each function, not merely who is supposed to perform it
(c) Reperformance of control procedures, eg reconciliation of bank accounts, to ensure they were correctly performed by the entity
(d) Examination of evidence of management views, eg minutes of management meetings
(e) Testing of internal controls operating on computerised systems or over the overall IT function, eg access controls
(f) Observation of controls to consider the manner in which the control is being operated.

• How controls were applied
• The consistency with which they were applied during the period
• By whom they were applied

49
Q

A deficiency in internal control exists when:

A

(a) A control is designed, implemented or operated in such a way that it is unable to prevent, or detect and correct, misstatements in the financial statements on a timely basis; or
(b) A control necessary to prevent, or detect and correct, misstatements in the financial statements on a timely basis is missing.

A significant deficiency in internal control is a deficiency or combination of deficiencies in internal control that, in the auditor’s professional judgment, is of sufficient importance to merit the attention of those charged with governance.

50
Q

ISA 265 includes examples of matters to consider when determining whether a deficiency in internal control is a significant deficiency.

A

• The likelihood of the deficiencies resulting in material misstatements in the financial statements in the future
• The susceptibility to loss or fraud of the related asset or liability
• The subjectivity and complexity of determining estimated amounts
• The amounts exposed to the deficiencies
• The volume of activity that has occurred or could occur
• The importance of the controls to the financial reporting process
• The cause and frequency of the exceptions identified as a result of the deficiencies
• The interaction of the deficiency with other deficiencies in internal control

51
Q

The ISA also lists examples of indicators of significant deficiencies in internal control, which include the following:

A

• Evidence of ineffective aspects of the control environment
• Absence of a risk assessment process
• Evidence of an ineffective entity risk assessment process
• Evidence of an ineffective response to identified significant risks
• Misstatements detected by the auditor’s procedures that were not prevented, or detected and corrected, by the entity’s internal control
• Restatement of previously issued financial statements that were corrected for a material misstatement due to fraud or error
• Evidence of management’s inability to oversee the preparation of the financial statements.

52
Q

The auditor shall include the following in the written communication:

A

(a) A description of the deficiencies and an explanation of their potential effects (but there is no need to quantify the effects)
(b) Sufficient information to enable those charged with governance and management to understand the context of the communication, in particular that:
    (i) The purpose of the audit was for the auditor to express an opinion on the financial statements.
    (ii) The audit included consideration of internal control relevant to the preparation of the financial statements in order to design audit procedures appropriate in the circumstances, but not to express an opinion on the effectiveness of internal control.
    (iii) The matters being reported are limited to those deficiencies identified during the audit and which the auditor has concluded are sufficiently important to merit being reported to those charged with governance.

53
Q

In addition, the auditor may include the following information:

A

(a) A statement that if the auditor had undertaken more extensive procedures on internal control, more deficiencies might have been identified or some of the reported deficiencies need not have been reported.
(b) The written communication is for the purpose of those charged with governance and may not be suitable for other purposes.

54
Q

Define General IT controls

A

General IT controls are policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems. General IT controls commonly include controls over data centre and network operations; system software acquisition, change and maintenance; access security; and application system acquisition, development and maintenance.

55
Q

Define Application controls

A

Application controls are manual or automated procedures that typically operate at a business process level. Application controls can be preventative or detective in nature and are designed to ensure the integrity of the accounting records. Accordingly, application controls relate to procedures used to initiate, record, process and report transactions or other financial data.

56
Q

Give examples of Development of computer applications

A

• Standards over systems design, programming and documentation
• Full testing procedures using test data
• Approval by computer users and management
• Segregation of duties so that those responsible for design are not responsible for testing
• Installation procedures so that data is not corrupted in transition
• Training of staff in new procedures and availability of adequate documentation

57
Q

Give examples of Prevention or detection of unauthorised changes to programs

A

• Segregation of duties
• Full records of program changes
• Password protection of programs so that access is limited to computer operations staff
• Restricted access to central computer by locked doors, keypads
• Maintenance of programs logs
• Virus checks on software: use of anti-virus software and policy prohibiting use of non-authorised programs or files
• Back-up copies of programs being taken and stored in other locations
• Control copies of programs being preserved and regularly compared with actual programs
• Stricter controls over certain programs (utility programs) by use of read-only memory

58
Q

Give examples of Testing and documentation of program changes

A

• Complete testing procedures
• Documentation standards
• Approval of changes by computer users and management
• Training of staff using programs

59
Q

Give examples of Controls to prevent wrong programs or files being used

A

• Operation controls over programs
• Libraries of programs
• Proper job scheduling

60
Q

Give examples of Controls to prevent unauthorised amendments to data files

A

• Password protection
• Restricted access to authorised users only

61
Q

Give examples of Controls to ensure continuity of operation

A

• Storing extra copies of programs and data files off-site
• Protection of equipment against fire and other hazards
• Back-up power sources
• Disaster recovery procedures eg availability of back-up computer facilities
• Maintenance agreements and insurance

62
Q

Give examples of Controls over input: completeness

A

• Manual or programmed agreement of control totals
• Document counts
• One-for-one checking of processed output to source documents
• Programmed matching of input to an expected input control file
• Procedures over resubmission of rejected controls

63
Q

Give examples of Controls over input: accuracy

A

• Programmes to check data fields (for example value, reference number, date) on input transactions for plausibility:
    • Digit verification (eg reference numbers are as expected)
    • Reasonableness test (eg sales tax to total value)
    • Existence checks (eg customer name)
    • Character checks (no unexpected characters used in reference)
    • Necessary information (no transaction passed with gaps)
    • Permitted range (no transaction processed over a certain value)
• Manual scrutiny of output and reconciliation to source
• Agreement of control totals (manual/programmed)

64
Q

Give examples of Controls over input: authorisation

A

Manual checks to ensure information input was:
• Authorised
• Input by authorised personnel

65
Q

Give examples of Controls over processing

A

• Similar controls to input must be in place when input is completed; for example, batch reconciliations
• Screen warnings can prevent people logging out before processing is complete

66
Q

Give examples of Controls over master files and standing data

A

• One-for-one checking
• Cyclical reviews of all master files and standing data
• Record counts (number of documents processed) and hash totals (for example, the total of all the payroll numbers) used when master files are used to ensure no deletions
• Controls over the deletion of accounts that have no current balance

67
Q

TESTING OF APPLICATION CONTROLS: Manual controls exercised by the user

A

If manual controls exercised by the user of the application system are capable of providing reasonable assurance that the system’s output is complete, accurate and authorised, the auditors may decide to limit tests of control to these manual controls

68
Q

TESTING OF APPLICATION CONTROLS: Controls over system output

A

If, in addition to manual controls exercised by the user, the controls to be tested use information produced by the computer or are contained within computer programs, such controls may be tested by examining the system’s output using either manual procedures or computers. Such output may be in the form of magnetic media, microfilm or printouts. Alternatively, the auditor may test the control by performing it with the use of computers

69
Q

TESTING OF APPLICATION CONTROLS: Programmed control procedures

A

In the case of certain computer systems, the auditor may find that it is not possible or, in some cases, not practical to test controls by examining only user controls or the system’s output. The auditor may consider performing tests of control by using computers, reprocessing transaction data or, in unusual situations, examining the coding of the application program.