C. Internal controls Flashcards
what is the definition of internal controls?
whole system of controls, financial and otherwise, established by the management in order to carry out the business of the enterprise in an orderly and efficient manner, ensure adherence to management policies, safeguard the assets, prevent and detect fraud and error, and secure as far as possible the completeness and accuracy of the records
a system for management to control certain risks and therefore help businesses achieve their objectives
who is responsible for internal control?
the board of directors
employees have some responsibility
what are the elements of a sound system of internal control according to the Turnbull Report?
an internal control system encompasses the policies, processes, tasks, behaviours and other aspects of a company that, taken together:
- facilitate its effective and efficient operation by enabling it to respond appropriately to significant risks
- help ensure the quality of internal and external reporting
- help ensure compliance with applicable laws and regulations
the system of internal control will include:
- control activities
- information and communications processes
- processes for monitoring the continuing effectiveness of the system
the system of internal control should:
- be embedded within operations
- be able to respond to changing risks
- include procedures for reporting failings or weaknesses
according to the Turnbull report, does a sound system of internal control eliminate human error?
no, reduces but cannot eliminate the possibility of poor judgement in decision making, human error
can be deliberately circumvented and occurrence of unforeseeable circumstances
reasonable but not absolute assurance
what is COSO?
Committee of Sponsoring Organisations
what are the 5 elements of COSO?
CONTROL ENVIRONMENT
- management’s attitude, actions and awareness of the need for internal controls
- tone from the top
RISK ASSESSMENT
- need to identify and assess risks in respect of established objectives
- assessment should consider internal and external factors and distinguish between controllable and uncontrollable risks
CONTROL ACTIVITIES = internal control
- after identification, actual specific control activities can be undertaken to reduce those risks
INFORMATION AND COMMUNICATION
-to operate the internal controls, they need quality information
MONITORING
- if system not monitored it will be very difficult to assess whether it is out of control and needs amendment
- this element of an internal control system is associated with internal audit, as well as general supervision
how can management try to summarise their commitment to controls?
- behave with integrity and ethics
- maintain an appropriate culture in the organisation
- set up a good structure
- set proper authorisation limits
- employ appropriately qualified staff and conduct staff training
what are typical control activity processes?
- having a defined organisation structure
- having contracts of employment
- establishing policies
- setting up a suitable discipline and reward system
- ensuring a system of performance appraisal and feedback
what does the Institute of Internal Auditors define the control environment as?
the attitude and actions of the board and management regarding the significance of control within the organisation
provides discipline and structure for the achievement of the primary objectives of the system of internal control
MOST IMPORTANT
what are the principles that underpin the control environment component?
- the organisation shows a commitment to ethical values
- the board has appropriate expertise and oversees the five competencies
- management must establish an appropriate organisational structure to help achievement of the objectives
- human resource policies and practices to help attract, develop and retain suitable talent
- accountability of employees for their areas of responsibility
what are the internal factors to consider during COSO risk assessment?
e.g. complexity of the organisation, organisational changes, staff turnover levels and the quality of staff
what are the external factors to consider during COSO risk assessment?
changes in the industry and economic conditions, tech changes
what are the principles that underpin the risk assessment component of COSO?
- clear objectives to allow risk assessment and identification
- that risk identification and analysis does take place across the entity
- the potential for fraud arising in pursuit of the stated objectives must be considered
- the internal controls system must be reviewed for changes in the external environment
what are control activities?
policies and procedures that ensure that the decisions and instructions of management are carried out
e.g. authorisations, verifications, reconciliations, approvals
what are the principles that underpin the control activities component?
- select appropriate controls to mitigate the risks to the achievement of objectives
- specifically controls over technology are included
- policies and procedures establish how the controls are implemented
what are the 4 COSO categories of objective setting?
strategic, operational, reporting and compliance
what are the 3 operational features of a sound internal control system from the Turnbull guidance?
embedded within operations and not treated as a separate exercise
able to respond to changing risks within and outside the company
includes procedures for reporting control failings or weaknesses
what are some examples of details of controls?
SOAPSPAM
SEGREGATION OF DUTIES:authorisation, handling asset and recording transaction for purchase cycles
PHYSICAL CONTROLS:e.g. safe, inventory checks
AUTHORISATION AND APPROVAL
MANAGEMENT CONTROL:top level reviews and activity controls
SUPERVISION
ORGANISATIONAL STRUCTURE
ARITHMETIC AND ACCOUNTING:double checking
PERSONNEL CONTROLS: training, induction, selection
what 3 broad categories could controls be classified as?
- financial controls
- non-financial quantitative controls
- non-financial qualitative controls
what are financial controls?
controls express financial targets and spending limits
e.g. budgetary control, control over sales, purchases, payroll and inventory cycles
what are the objectives of controls in the sales cycle?
- sales are made to valid customers
- sales are recorded accurately
- all sales are recorded
- cash is collected within a reasonable period
what are the objectives of controls for bank and cash?
- cash balances are safeguarded
- cash balances are kept to a minimum
- money can only be extracted from bank accounts for authorised purposes
what might controls over human resources include?
- recruitment policies including the completion of an application form and the checking of relevant qualifications
- references being taken up prior to appointment
- continuous training
- eligibility to work in the country
- contract of employment
what are some examples of controls over the distribution department?
- HR controls
- signed goods received and goods despatched notes
- regular inventory counts
- monitored CCTV cameras around the distribution depot
- security guards at exits
- bag searches when staff leave their shift
what are non-financial quantitative controls?
controls focus on targets against which performance can be measured and monitored
e.g. balanced scorecard targets and TQM quality measures
feedback loop essential
what is the feedback loop in non-quantitative controls?
- performance target
- actual result recorded
- compared with target
- control action taken
what are non-financial qualitative controls?
these form day-to-day controls over most employees in organisations
e.g. employee training, management control methods, physical controls, project management
what is the Bribery Act?
non financial control
1st July 2011 in the UK
bring UK in line with international norms on anti-corruption legislation
offences:
- give or receive a bribe
- failing to prevent a bribe
prosecuted by the Serious Fraud Office
can prosecute both domestic and foreign companies with UK presence
could face 10 years in prison and unlimited fine
What are the steps to developing an adequate control system?
- ascertain the objectives
- research regarding the current systems
- research new controls
- implement new controls
what are the costs of an internal control system?
time of management involved in the design of the system
implementation:
- costs of IT consultants to implement new software
- training all staff in new procedures
maintenance of system:
- software upgrades
- monitoring and review
what are the benefits of an internal control system?
reduction of the risks and achievement of business objectives
what are the limitations of internal control systems?
- over-reliance on any system
- can’t turn a poor manager into a good one
- at risk from mistakes and errors
- can be by-passed by collusion and management override
- controls are only designed to cope with routine transactions and events
- resource constraints in provision of internal control systems, limiting their effectiveness
what is fraud?
dishonestly obtaining an advantage, avoiding an obligation or causing a loss to another party
intentional act
what are some examples of fraud?
- theft of cash
- employee fraud against employers
- crimes against investors, consumers and employees:expense claims
- crimes against financial institutions:fraudulent insurance claims
- crimes against government:benefits fraud, tax evasion
- crimes by professional criminals : money laundering
- e-crime by people using computers e.g. spamming, copyright crimes
what are the prerequisites for fraud?
- dishonesty on the part of the perpetrator
- opportunity for fraud to occur
- motive for fraud
what 2 categories do fraud indicators fall into?
warning signs
fraud alerts
what are warning signs of fraud?
organisational indicators of fraud risk
- absence of anti-fraud policy and culture
- inadequate recruitment processes and absence of screening
- dissatisfied employees who have access to desirable assets
- poor physical security of assets
- rapid changes in information technology
what are fraud alerts?
specific events or red flags, which may be indicative of fraud
- anonymous emails
- emails sent at odd times
- discrepancy between earnings and lifestyle
- unusual behaviour
- alteration of docs
- subsidiary ledgers which don’t reconcile
- inappropriate use of journals
what are the 3 key elements of a fraud management strategy?
prevention
detection
response
together they result in fraud deterrence
what are some methods of fraud prevention?
anti-fraud culture
risk awareness
whistleblowing
sound internal control systems
WARS
how can you apply the COSO model to fraud prevention?
control environment: management show active interest in prevention and detection
risk recognition and assessment:identify risk areas, activities where risk might be high e.g. cash handling, assess risk
control activities and procedures:
information:monitoring and reporting:info to the top so they can manage and investigate, revise controls
iterative process
what are some examples of fraud detection?
performing regular checks
warning signals/fraud risk indicators:
- failures in internal control procedures
- lack of information provided to auditors
- unusual behaviour by individual staff members
- accounting difficulties
whistleblowers
how are most frauds discovered?
accidentally
as a result of information received (whistleblowing)
what are some examples of fraud response?
response plan:
- internal disciplinary action
- civil litigation
- criminal prosecution
- responsibilities
what is the purpose of internal auditors investigating fraud?
- establish the facts
- establish how the fraud occurred and initially went undetected
- consider whether anyone else might have been involved in the fraud
- establish or estimate the size of the loss
what recommendations might an auditor give in light of fraud findings?
- existing internal controls are not sufficient to limit risk so introduce stronger controls
- existing internal controls are sufficient to limit risk but applied inadequately or were ignored in the past
what is the definition of an internal audit?
independent appraisal activity established within an organisation as a service to it. It is a control which functions by examining and evaluating the adequacy and effectiveness of other controls
what is the context of an internal audit in the Turnbull report as a management review of controls?
- integral part of management’s role
- identification, evaluation and management of all key risks facing the organisation
- effectiveness of internal control- financial, operational, compliance and risk management controls
- communication of risk objectives
- action to be taken if weakness found
Risk management vs internal audit: what is being tested?
internal audit: testing and evaluating controls
RM: own entire risk management process
Risk management vs internal audit: what is the key activity?
IA: special investigations as directed by mgmt
RM: maintain risk register
Risk management vs internal audit: what support would the team provide?
IA: support and assist senior mgmt in projects, some outside risk mgmt arena
RM: lead in developing risk response strategy
Risk management vs internal audit: what is the end result?
IA: contribute to risk identification
RM: provide training and development in risk management matters
who are the 3 different parties involved in the process review of internal audit?
risk management
managers
auditors
what factors affect the need for an internal audit department?
- the scale, diversity and complexity of the company’s activities
- the number of employees
- cost/benefit considerations
- changes in the organisational structures, reporting processes or underlying information systems
- changes in key risks could be internal or external in nature
- problems with existing internal control systems
- an increased number of unexplained or unacceptable events
how does the scale, diversity and complexity of the company’s activities affect the need for internal audit?
larger, more diverse and the more complex a range of activities is, the more there is to monitor
how does the number of employees affect the need for internal audit?
as a proxy for size, the number of employees signifies that larger organisations are more likely to need internal audit to underpin investor confidence than smaller concerns
how do cost/benefit considerations affect the need for internal audit?
must be sure benefits outweigh costs
how do changes in the organisational structures, reporting processes or underlying information systems affect the need for internal audit?
any internal (or external) modification is capable of changing the complexity of operations and, accordingly, the risk
how do changes in key risks (which could be internal or external in nature) affect the need for internal audit?
the introduction of a new product, entering a new market, a change in any of the PEST/PESTEL factors or changes in the industry might trigger the need for internal audit
how do problems with existing internal control systems affect the need for internal audit?
any problems with existing systems clearly signify the need for a tightening of systems and increased monitoring
how does an increased number of unexplained or unacceptable events affect the need for internal audit?
system failures or similar events are a clear demonstration of internal control weakness
what are the expectations of an internal audit?
- formal plan of all audit work that is reviewed by the head of audit and the board/audit committee
- the audit plans should be reviewed at least annually
- each engagement should be conducted appropriately
- progress of the audit should be monitored by head of internal audit
What are the IASB standards for internal audit work?
attribute standards:characteristics of org and the parties performing internal auditing activities
performance standards:nature of auditing activities and quality criteria
what are the attribute standards of internal audit?
INDEPENDENCE:free from interference
OBJECTIVITY: no bias, conflict of interest
PROFESSIONAL CARE:knowledge of the key IT risks and controls
what are the performance standards of internal audit?
MANAGING INTERNAL AUDIT
- head should manage the internal audit
- establish risk-based plans to decide the priorities
- plans reviewed at least annually and submitted for board approval
RISK MANAGEMENT
-identify and evaluate significant risk exposures and contribute to the improvement of risk management and control systems
CONTROL
-help maintain control system by evaluating the effectiveness and efficiency of controls, and by promoting continuous improvement
GOVERNANCE
-assess the corporate governance process and make recommendations
INTERNAL AUDIT WORK
- identify, analyse, evaluate and record sufficient information to achieve the objectives of the engagement
- conclusions should be based on suitable analysis and evaluation
COMMUNICATING RESULTS
-communicate the results of their engagement, including conclusions, recommendations and action plans
what are some structural measures in place to protect the independence of external audits?
- internal auditors should be independent of exec management
- head of internal audit should report directly to a senior director
- head of IA should have direct access to the chairman and the audit committee
- accountable to the A committee
- could outsource internal audit function
what are the advantages of outsourcing internal audit?
- greater focus on COST and EFFICIENCY of the internal audit function
- staff may be drawn from a broader range of expertise
- RISK of staff turnover is passed to the outsourcing firm
- SPECIALIST skills may be more readily available
- COSTS of employing permanent staff are avoided
- may improve INDEPENDENCE
- access to new market place TECHNOLOGIES
- REDUCED MANAGEMENT TIME in administering an in-house department
what are the disadvantages of outsourcing internal audit?
- possible CONFLICT OF INTEREST if provided by the external auditors
- pressure on the INDEPENDENCE of the outsourced function
- risk of LACK OF KNOWLEDGE and understanding of the organisation
- the decision may be based on cost with the EFFECTIVENESS of the function being reduced
- FLEXIBILITY and AVAILABILITY may not be as high as with an in-house function
- LACK OF CONTROL over standard of service
- risk of BLURRING OF ROLES between internal and external audit
how can we minimise risks when outsourcing internal audit?
- controls over acceptance of internal audit contracts to ensure no impact on independence or ethical issues
- regular reviews of the quality of audit work performed
- separate departments covering internal and external audit
- clearly agreed scope, responsibilities and reporting lines
- performance measures, management information and risk reporting
- procedure manuals for internal audit
how can the efficiency of internal audit be assessed?
by comparing actual costs and output against a target, such as:
- the cost per internal audit day
- the cost per audit report
- the number of audit reports produced
how can the effectiveness of internal audit be measured?
identifying evidence of improvements in internal control
what might the contents of an internal audit report be?
EXEC SUMMARY
- main objectives
- scope of audit
- work performed in brief
- results
SCOPE
-detail methodology
OBSERVATIONS and RECOMMENDATIONS
- testing observations
- what to put in place
RECS GRADED BY IMPORTANCE
- different levels
STATEMENT OF RESPONSIBILITY
- detail Auditing Standards
- sign off from auditor
internal vs external audit, role required by who?
EA: statute, for limited companies
IA: directors and shareholders, usually in larger organisations
internal vs external audit, appointed by who?
EA:shareholders or directors
IA:directors, via the Chief Internal Auditor
internal vs external audit, reports to who?
EA:shareholder (primary duty) and management (professional responsibility)
IA:directors, via the CIA
internal vs external audit, reports on?
EA:financial statements
IA:internal controls mainly
internal vs external audit, forms opinions on?
EA:true and fair view and proper presentation
IA: adequacy of ICS and a contribution to the EEE use of resources
internal vs external audit, scope of assignment?
EA:unlimited, to fulfil statutory obligation
IA:prescribed by directors
what is the relationship between the internal and external audit?
external auditors should take into account the following when planning their audit:
- STATUS of internal audit within organisation
- SCOPE of internal audit function
- whether management ACT on recs of internal audit
- technical COMPETENCE of internal auditors
- OBJECTIVES of internal audit
- due PROFESSIONAL CARE demonstrated in internal audit work
what is the management letter?
auditor produces letter that usually includes a list of ‘issues’ that the auditor came across during the course of his audit work
table of:
- issues concerning the auditor i.e control that can be improved
- recommendations to implement or improve the controls
what actions must be taken from the management letter?
- implement control
- improve control
within a time frame then revisited
management must respond to auditor’s queries
who is responsible for detecting material fraud?
the external auditor
-purpose is to identify material misstatements in the financial statements in order to ensure that they give a true and fair view
- have no responsibility for immaterial frauds
- if identified, will be reported to internal audit/directors
is fraud investigation an auditor’s primary objective?
no, company is responsible
it is their duty to report a fraud if during the course of their work they identify fraudulent activities
what are the steps that should be taken during a fraud investigation?
1) ascertaining the facts of the fraudulent activity
2) gathering evidence of the crime-documentary, interviews with witnesses, observational
3) corroborating the evidence
4) consider whether you have the right of access to the evidence you require. Many cases have been thrown out of court because evidence has been inappropriately obtained
5) maintaining confidentiality so that the perpetrator doesn’t realise that they are being investigated
6) consider the cost of the investigation versus the value of the fraud, although ethically all frauds should be stopped
7) consider the loss of reputation if the fraud becomes public
what is a compliance audit?
- check the implementation of written rules, regulations and procedures
- used originally for financial transactions, because the government (tax authorities) needed assurance that the financial figures were correct
- concept of compliance has been extended to other areas, such as regulatory inspections and quality audits, where there is a requirement to verify that activities are being performed in strict compliance with approved standards and procedures
what is a transactions audit?
- involves checking of a sample of transactions against documentary evidence
- can be used where controls are weak or where transactions are high risk
what is a risk-based audit?
- a systems audit in which the auditors use their judgement to decide on the level of risk that exists in different areas of the system, and to plan their audit tests so that more effort is directed towards the most risky areas
- less time and effort is spent on elements of the system that are relatively ‘safe’
what is a quality audit?
- systematic investigation to establish whether quality objectives are being met
- quality audit might look into the system for setting quality standards, the relevance of those standards, the system for comparing actual performance against the quality standards and whether the quality controls work effectively
what is a post-completion audit?
- independent appraisal of the measure of success of a project
- cover the project throughout its lifecycle from the planning and implementation stages through to performance after commissioning
- review should take place at some time after the project or process has been completed or is being used
- provide feedback on success of a project
- acts as a learning tool
who usually performs a post-completion audit?
internal audit, as long as they weren’t involved in the original design of the project itself
judge based on quality, time and cost
what is a VFM audit?
whether proper arrangements have been made for securing economy, efficiency and effectiveness in the use of resources
- achieving VFM is manager’s responsibility
- commonly associated with public sector jobs
what are the 3 Es of a VFM audit?
ECONOMY:obtaining the required resources at the lowest cost
EFFICIENCY:using the minimum quantity of resources to achieve a given quantity and quality of output
EFFECTIVENESS: when the output from a system achieves its intended aims and objectives
what are the problems with VFM audits?
- difficult to measure outputs, esp for govt e.g. education
- objectives of the activity might be difficult to establish
- focus must be either on economy and efficiency OR on effectiveness as cost and quality interlinked
- quality might be ignored when economy and efficiency are measured
what is an environmental audit?
evaluation of how well the company is safeguarding the environment and meeting regulatory requirements
- ‘accounting’ trained auditor could be asked to perform one of these audits but unlikely to have skillset
what is a social audit?
looks at the company’s contribution to society and the community
-could confirm statements made by the directors or make recommendations for social policies that the company should perform
contributions could be made through:
- donations
- sponsorship
- employment practices
- education
- health and safety
- ethical investments
what does an environmental report usually contain information about?
- sustainability
- targets achieved
- compliance with regulations
- emissions
- industrial legacies
- obtaining ISO 14001 (environmental management systems)
-included in the annual report
who conducts an environmental audit?
internal audit then verified by external auditors/assessors
what is a management (operational) audit?
an objective and independent appraisal of the effectiveness of managers and the corporate structure in the achievement of the entities’ objectives and policies
aim: identify existing and potential management weakness and recommend ways to rectify them
- this type of audit would require the use of very experienced staff who understand the nature of the business
what are the possible objectives of a management audit?
- re-focusing resources towards ‘mission-critical’ objectives
- improving efficiency
- improving the effectiveness of management support tools
- assessing the appropriate levels of service for an activity or operation
- identifying cost savings
- identifying opportunities to enhance revenue
- improvements in governance
what are some of the elements of a management audit?
- review of policies and procedures
- general review of workloads, work methods and work flows
- evaluation of systems and processes
- review of management practices
- review of resource utilisation
- detailed cost analysis
what could the findings of a management audit focus on?
- lack of technical competence or knowledge of the business amongst managers, and insufficient management training
- an unwillingness to delegate
- regular failure to achieve standards or targets
- inadequate management ISs
- poor communications within or between departments
- poor management/staff relationships
- an absence of clear leadership
- a failure by management to make good decisions
what is a systems based audit?
audit of internal controls within an organisation
- associated with the audit of accounting systems
- identify weaknesses in the system
what are the steps of a system-based audit?
- Identify the objective of each system
- identify the procedures
- identify why the system might not meet its objectives
- identify ways to manage the above
- identify if current controls are adequate
- report on the above
what are the planning stages of the audit process?
- agree the objectives of the audit
- plan the audit
- find out about systems and controls
- confirm the operation of the system
- assess if controls are adequate
what are the testing stages of the audit process?
test compliance with controls
test application of controls
what is the reporting stage of the audit process?
review, report and recommend
how often should there be an audit programme?
one for each financial year, in which the internal auditors set out which activities or operations they will audit and the purpose of the audit
what are the elements of an audit plan?
OBJECTIVES of the audit
-e.g. check internal controls are adequate
CONDUCT OF THE AUDIT
- need to decide what information to collect
- decisions have to be made about
- -how to collect and record evidence
- -how much evidence to collect
RESOURCES and TIMING
-auditors should assess how much time and effort will be required to carry out the audit and schedule the work accordingly
what is the risk-based approach of audit?
- most audits carried out using this approach
- auditor assesses the whereabouts of the key risks and then concentrates audit efforts on these key risks
- more efficient and effective at achieving its objectives
what is a key way for an auditor to identify risk?
benchmarking:comparing one’s business processes to best practice from other industries
what is process benchmarking?
focuses on observation and investigation on business processes with a goal of identifying and observing the best practices from one or more benchmarked firms
-common in back-office processes where outsourcing is a consideration
what is product benchmarking?
designing new products or upgrades to current ones
can involve reverse engineering which involves taking apart competitors’ products to assess weaknesses/strengths
what is functional benchmarking?
focus its benchmarking on a single function e.g. production
unlikely to be complex function as hard to compare in cost and efficiency terms
what is competitor benchmarking?
involves studying the leading competitor or the company that best carried out a specific function
what is environmental benchmarking?
process of collecting, analysing and relating environmental performance data of the comparable activities with the purpose of evaluating and comparing performance between or within the entities
entities can include processes, buildings or companies
could be internal within organisation departments or external between competing entities
how can financial statements be used as a benchmark?
- performing ratio analysis:profit, liquidity, return, efficiency
- spot anomalies
- spot risks
- investigate these
what are the different types of audit risk?
inherent risk
control risk
detection risk
what is inherent risk?
risk of the activity or operation, ignoring the controls in the system
related to both severity and the incidence of the risk
what does the size of an inherent risk depend on?
- size of the operations unit
- size of the expenditure budget
- the nature of the assets used or handled
- the extent to which procedures are computerised
what is the quality of control?
perceived quality of the existing controls for the activity
what is the confidence in the quality of control affected by?
- the apparent effectiveness of management and supervision
- pressures on management to achieve targets
- changes in the system activities and procedures
- changes in key personnel
- a high staff turnover
- rapid expansion in operations and the volume of transactions handled
- length of time since last audit: confidence diminishes over time
how should auditors give priority in an audit plan?
priority for audit are those where the inherent risk is high and the quality of control is low
what is control risk?
risk that the existing controls are not sufficient to prevent or detect a material misstatement
what is a detection risk?
risk that the auditors’ substantive tests will not reveal a materially incorrect amount in the financial statements, if such an error exists
what is materiality?
commission or misstatement of its value would be likely to influence a user of the financial statement
- has a quantitative and qualitative component
- considered in relative terms
what sources can the auditor use to ascertain how the systems operate?
flowcharts
- examined or created
interviews/questionnaires
- describe how they use it
- can see inefficiencies
systems documentation
- find documentation of the system
- best for computerised systems
- least well understood by users
observation
- the operation of the system can be observed
how can auditors ascertain controls?
could use standard control questionnaires
- structured so that they identify all key internal controls
- enable the auditor to assess the quality of the controls
what might a flowchart be used to record?
- sequence of activities and checks within an operation or procedure
- which individuals carry out each procedure or check
what are the advantages of using a flowchart?
- more often effective at presenting information in an understandable form than a narrative description
- if there are weaknesses in the controls within an operation, these might be easier to identify by studying a flowchart
what is a questionnaire?
list of questions used to gather info
- ideally yes or no
- leave room to expand
help the auditor both to:
- establish the facts
- identify potential control weaknesses
what are the types of audit testing?
compliance testing
substantive testing
analytical review
what is compliance testing?
test of controls
- ensure they operate correctly
- spot any material weaknesses
what should the results of a compliance test indicate?
whether:
- controls are effective
- controls are ineffective in practice
what is substantive testing?
test of balances or transactions
- concentrate on output coming out as expected
- associated with finance systems
what is the purpose of the substantive tests?
- confirm that the controls are effective
- where the controls are ineffective, to establish the apparent consequences
what words should be used and avoided in an audit option?
use:
- analyse
- reconcile
- observe
- monitor
- sample
avoid:
- check
what is an analytical review?
examination of ratios, trends and changes in balances
investigate causes of abnormalities
what is sampling?
testing a proportion to gain assurance about the population as a whole
what is audit sampling?
application of audit procedures to less than 100% of the items within an account balance or class of transactions to obtain and evaluate evidence about some characteristic of the items selected in order to form a conclusion on the population
what risks occur with sampling?
sampling risk: the result may differ from the result if the whole population were tested
non-sampling risk: may use inappropriate methods or misinterpret the evidence that the test results give and so fail to recognise an error (avoidable)
why is the analytical review the most important type of test?
can be used at planning, substantive testing and overall review stages of an audit
what are some examples of the following types of ratios: profitability, efficiency, liquidity, return?
profitability: GPM, net profit
efficiency: receivables, inventory, payable days
liquidity: current ratio, quick ratio, gearing
return: ROCE, ROE
how can analytical reviews be used at the planning stage of an audit?
- identify risks
- help decide the level of testing
- decide nature and timing
how can analytical reviews be used at the overall review stage of an audit?
procedures are used to conclude whether the area being tested is consistent with the auditors’ knowledge of the business entity and the expected results
when is it difficult to use analytical review method?
when there have been lots of one-off events in the year as there is nothing to compare them with
how is analytical review useful?
can help create an expectation if operations are significantly different from before and more so if the changes haven’t been planned for
what features are common in the audit report?
objectives of the audit work
summary of the process undertaken by the auditor
results of tests carried out
audit opinion (should be cost effective and practical)
recommendations for action
what happens if the residual risk will not be reduced with the auditor recommendation?
the recommendation is not worthwhile
how is the recommendation commented on?
head of internal audit meets head of department
head will discuss points raised
can make their own arguments
how is the internal audit report circulated?
after discussing with manager of department, submit report for review within internal audit and then send to audit committee
remains confidential within organisation
what audits are carried out on computer systems?
- check whether the system is achieving its intended objectives
- in the case of accounting systems, to check that the information produced by the system is reliable
what are the problems of auditing computer systems?
- lack of primary records
- encoded data
- loss of audit trail
- overwriting of data
- program controls
- concentration of controls in the IT department
why could concentration of controls in the IT department be an issue?
in large computer systems, many of the controls over data are concentrated in the central IT department
can be a potential weakness in the control system, if users are not aware of an accidental or deliberate corruption of data or programs
how could a lack of primary records be an issue when auditing computer systems?
document originating a transaction might not be created
e.g. telephone order keyed in, call can't be traced
how could encoded data pose a problem to auditing computer systems?
risk of error in input details so effectiveness of program controls, such as data validation checks, to prevent the acceptance of incorrect data by the system, especially changes to standing data on a master file
how could loss of audit trail pose a problem to auditing computer systems?
should be evidence during processing of transaction in accounting system
in manual system, evidence provided by hard copy
computer systems minimise paper so no hard copy originals
how can overwriting of data be an issue for auditing computer systems?
when data are stored on a magnetic file, the file will eventually be overwritten with new data
if auditor needs some of the data to carry out tests, it will be necessary to take steps to make the data available
the auditor might therefore need to take copies of data files during the course of the year, and retain them for audit purposes
how can program controls be an issue for audit of computer systems?
the auditor has to test the controls in the computer system on which they intend to rely.
This means testing the controls written into the computer programs
to do this, it will be necessary to use computer-assisted audit techniques
what are the characteristics of errors?
- no one-off errors unless deliberate amendment of individual items
- systematic errors which repeat across all transactions
- higher danger that input errors will not be detected
what are the 2 audit approach options for computer auditing?
- through the computer
- round the computer
what is the round the computer approach?
the auditor does not attempt to understand the operation of the computer system, but rather treats it as a ‘black box’
to audit the system, the auditor matches up inputs to predicted outputs to ensure that the outputs are being processed correctly
what are the advantages of the round the computer approach?
does not require high level of expertise of IT in the audit teams
what criteria have to be met for the round the computer approach to be suitable?
- computer processing is relatively simple
- audit trail is clearly visible
- substantial amount of up-to-date documentation exists about how the system works
what are the problems with auditing around the computer?
- computer files and programs are not tested, hence there is no direct evidence that program is working as documented
- if errors are found, it may be impossible to determine why they have happened
- all discrepancies between predicted and actual results must be fully resolved and documented no matter how small
what is the through the computer approach?
interrogates the computer files and computer controls and relies much more on the processes that the computer uses
auditor follows the audit trail through the internal computer operations and attempts to verify that the processing controls are functioning correctly
controls are directly tested and the accuracy of computer based processing of input data is verified
utilises different CAATs
what are the pros and cons of the computer approach?
requires more expertise and a longer set up time but of a very good quality
what is a CAAT?
computer-assisted audit techniques are methods of using a computer to carry out an audit of a computer system
what are the 2 main categories of CAAT?
audit software, such as audit interrogation software
test data
what is audit software?
consists of computer programs used by auditors to interrogate the files of a client
normally the client’s data files are input into the audit software program on the auditors’ computer and the auditor can then test those files
what are some examples of what audit software can do?
- extract a sample according to specified criteria
- calculate ratios and select those outside the criteria
- check calculations
- prepare reports
- produce letters to send out to customers/suppliers
- follow items through a computerised system
- search for underlying relationships and check for fraud
what are audit packages generally designed to do?
- read computer files
- select information
- perform calculations
- create data files
- print reports in a format specified by the auditor
what are the pros and cons of audit software?
enables large volumes of data to be processed very quickly and accurately
can take a long time to set up the systems with the client data and it will require expertise
how can CAAT help with fraud detection?
- comparing the home addresses of employees with the addresses of suppliers, to identify employees who are also suppliers
- searching for duplicate cheque numbers
- analysing the sequence of transactions to identify missing invoices or cheques
- identifying suppliers with more than one supplier code or more than one mailing address
- finding several suppliers all with the same address
- listing payments for transactions that fall just within the spending authorisation limit of the individual who has authorised the payment
what are the benefits of CAATs?
- force auditor to rely on programmed controls during the audit, only way to test controls
- large number of items can be tested quickly and accurately
- test original documentation instead of print outs, therefore the authenticity of the document is more valid this way
- after initial set-up costs, using CAATs is likely to be cost-effective, as the same audit software can be used each year as long as the system doesn’t change
- allow the results from using CAATs to be compared with ‘traditional’ testing
what are the weaknesses of CAATs?
- will be limited depending on how well the computer system is integrated. More integration, the better use of CAAT [ensure understanding of system to assess whether audit software is relevant]
- takes time to design CAATs tests therefore may not be cost-effective if the auditor is dealing with a bespoke system, as there may be a lot of set-up costs [CBA analysis of audit software]
- if the company you are auditing cannot confirm all system documentation is available, then the auditors will be unable to perform the tests effectively due to lack of understanding [do not use audit software until these have been identified]
- if there is a change in the accounting year, or from the previous year, then the audit software will have to be reset and designed, therefore may be costly [CBA from audit point of view should be carried out prior to deciding to use the audit software]
what is an embedded audit facility?
written into a program, particularly in on-line/real-time systems.
carry out automatic checks or provide information for subsequent audit
what type of audit checks/ information might an embedded audit facility provide?
- extracting and storing information for subsequent audit review, with sufficient details to give the auditor a proper audit trail
- identifying and recording items that are of some particular audit interest, as specified by the auditor
what is test data?
can be used by inputting the data into the system and checking whether it is processed correctly
expected results can be calculated in advance, and checked against the actual output from the system
auditors might include some invalid data in the tests, which the system should reject
when should test data be used?
only if the auditor is intending to do a ‘test of controls’ audit, and it must be considered cost effective
what is live data?
test data are processed during a normal production run
what is dead data?
test data are processed outside the normal cycle
what are the stages involved in using test data?
1) gain a thorough understanding of how the system being tested is supposed to work and controls that are included in it
2) devise the test data set. This should be a set of data containing both valid and invalid items. The controls in the system should identify the invalid items
3) Run the test data. This can be ‘live’ or ‘dead’
4) evaluate the results. It is important that the auditor fully evaluates the results of the test data and does further work if unexpected results occur
Between live and dead data, which gives more reliable results but is more risky to operate?
live data is more reliable but more risky
what are the risks with test data? what controls can be used to avoid this?
- damage to the system as the system is tested to its limits [ensure auditors understand the system and have software support]
- corruption of the systems data if test data are not properly removed [ensure process for data removal]
- system down time if ‘dead’ data used [establish when system can be used with minimum disruption to the business]
what are some examples of test data for revenue?
- input order that would exceed client limit: should pop up query asking if you wish to proceed
- input negative number of items on an order: should flag up negative number
- input incomplete customer details: system should not process order unless all information is completed
- input an excessive amount: there are reasonable checks in the system to identify possible input errors
what are some examples of test data for purchases?
- raise an order from a supplier not on list: query should be raised about whether to proceed
- process an order with an unauthorised staff ID: system should reject the process altogether or send the request through to an appropriate person for authorisation
- try and make changes to the supplier standing data using the ID of someone who is not authorised to do so: system should reject the process altogether or send the request through to an appropriate person for authorisation
what are some examples of test data for payroll?
- try and set up a new employee on the payroll system using an unauthorised ID: system should reject the process altogether or send the request through to the appropriate person for authorisation
- try and make employee change of details using an unauthorised ID: system should reject the process altogether or send the request through to an appropriate person for authorisation
- make an excess change e.g. salary change: system should have parameters in place to question this amount, and maybe reject it due to it being outside the normal range