CH 5 AND 6 :Internal controls

Question 1

Define internal controls

Answer 1

-These are procedures adopted and implemented by the company to prevent, detect and correct misstatements caused by fraud, error or irregularity.

Question 2

error

Answer 2

-An unintentional mistake made genuinly

Question 3

Irregularity

Answer 3

-An action that is contrary to the accounting principle.

Question 4

Why do auditors need to know about I.C ?

Answer 4

• They need to know about I.C because I.C affect the F.S and auditors rely upon the I.C system to understand whether the F.S is materially misstated or not.
• If internal controls of the company are weak then it leads to high ROMM, hence more audit work and procedures have to be performed and vice versa.

Question 5

Components of an Internal control system

Answer 5

-Internal control system is made up of CRIME
-CRIME stands for:-
# control activities
# risk assessment
# information system and communication
# monitoring of internal controls
# control environment

Question 6

CRIME : Control activities

Answer 6

• These are procedures implemented to carry out mgmt. directives and reduce business risk
• Control activities are ACCA PAS

Question 7

What is ACCA PAS ?

Answer 7

-ACCA PAS stands for:-

1. Authorisation: All events and transactions that place should be authorised by the senior mgmt. personnel to avoid unnecessary expenses and fraud.
2. Computer controls: Such as passwords and usernames should be used to log into computers to avoid unauthorised access to sensitive info and do regular backups of info to avoid loss of info.
3. Comparison: Comparing actual info with forecasted/budgeted info or industry avg. and estimates to identify inconsistencies and investigate them
4. Accounting reconcilation: To ensure 2 sets of records from different sources agree to ensure completeness and accuracy of transactions.
5. Physical controls: Such as CCTVs, and security guards. clock in and out process/biometric access.
6. Arithmetic controls: to check the accuracy of the figures reported in F.S.
7. Segregation of duties : To divide and distribute responsibilities evenly amongst staff to avoid one person from carrying out every activity in the company.

Question 8

CRIME: Risk assessment

Answer 8

-How mgmt. assesses business risk and reduces it to an acceptable level.

Question 9

Business risk

Answer 9

• The risk of the company not achieving its objectives and goals such as maximising shareholder wealth or profit.
• It is made up of 3 risks: compliance risk, operational risk and financial risk.

Question 10

Compliance risk

Answer 10

-the risk of the company not complying with industry laws and regulations and laws of the jurisdiction in which it is based.Thus, leading in the company paying fines and penalties and at the worst case the company losing its license to operate.

Question 11

Operational risk

Answer 11

-The risk associated with the operations of the business such as the business losing its key customer to its competitor or its major supplier refusing to supply materials as they are upset with the company’s style of delayed payments or key mgmt. personnel leaving the company.

Question 12

Financial risk

Answer 12

-The risk associated with cashflows issues faced by the company, liquidity status and going concern issues.

Question 13

CRIME: Information system and communications

Answer 13

• This consists of infrastructure, people, data, accounting records, systems and software used to record, process and report items in the F.S.
• How reliable and strong are the components of information system and communication to report items in the F.S

Question 14

CRIME: Monitoring of internal controls

Answer 14

• It is an ongoing activity carried out by either the internal audit dept. or by external experts.
• It is carried out to assess the operating effectiveness of I.C and mgmt.’s responses to deficiencies found in the system.

Question 15

CRIME: Control environment

Answer 15

• It’s about the mgmt.’s attitude towards designing, implementing and monitoring I.C
• Does mgmt. override internal controls by abusing their authority.
• The control environment sets out the tone and culture of the organisation.

Question 16

What are direct controls ?

Answer 16

• These are controls that are sufficient and precise to prevent, detect and correct misstatements.
• These are primarily controlled activities and information systems and communications.

Question 17

What are indirect controls ?

Answer 17

• These are controls that exist to support direct controls.
• These are primarily risk assessment, monitoring of controls and control environment.
• However, both direct controls and indirect controls are interchangeable.

Question 18

Limitations of I.C system

Answer 18

1. Human error
2. It is expensive
3. Controls for unforeseen circumstances may not exist.
4. Employees collusion
5. Mgmt. could override controls

Question 19

1.limitation of I.C : Human error

Answer 19

• Company may have adequate controls however, an error could be made in applying the controls manually.This is an inherent limitation and does not have anything to do with the effectiveness of I.C.
• Such as employee is given the task of checking the accuracy of figures in the F.S and they do not check properly.

Question 20

limitation of I.C : it is expensive

Answer 20

-It is expensive for mgmt. such as implementing a control activity like segregation of duties req.s mgmt. to employ more people and a lot of funds are invested initially in systems.However, the company in the long-term has more benefits to gain.

Question 21

limitation of I.C : Controls for unforeseen circumstances may not exist

Answer 21

• Mgmt. might have not designed controls for non-routine transactions to safeguard the company.
• Professional judgement is req. to decide the type of I.C that need to be implemented.As there could be systems only designed to deal with routine transaction and there could be inadequate controls for infrequent events.

Question 22

limitation of I.C : Employees collusion

Answer 22

-Despite the effectiveness of an I.C system there could be issues if the morale of the employees is poor. Thus, leading to employees manipulating the I.Cs for their personal gain by colluding together.

Question 23

limitation of I.C : Mgmt. overriding I.C

Answer 23

-Irrespective of how effective and strong the I.C of an organisation could be if the mgmt. overrides control by abusing their authority for personal gain.Then I.C are not effective

Question 24

How does I.C fit in the planning stage of audit ?

Answer 24

1. Auditors will perform risk assessement (audit risk) and will understand the entity and its environment : understand I.C system of the entity.
2. Document your understanding of I.C system parallelly
3. Verify your documentation by performing walkthrough tests
4. Test internal control to assess whether it is designed appropriately and operates effectively.
5. Report internal control deficiencies to TCWG and mgmt.
6. Decide the impact on audit approach and plan.

Question 25

How to document I.C ?

Answer 25

• 3 ways to document I.Cs are:-
  1. Narrative notes
  2. Flowcharts
  3. Questionnaires: ICQs and ICEQs

Question 26

What are narrative notes ?

Answer 26

-It is a detailed description of how the internal controls operate over various areas of the F.S.

Question 27

PROS and CONS: Narrative notes

Answer 27

PROS:-
#It is quick and simple to record
#It can easily be understood by all members,including juniors in the audit team.

CONS:-
$ It is cumbersome for recording complex and massive systems.
$ It does not help in identifying missing controls as the notes record only details.Hence, it does not help in identifying expectation of controls in the I.C system over certain areas.

Question 28

Flowcharts

Answer 28

• It is a diagrammatic representation of the internal control system.
• It helps auditor in identifying the flow of transactions from where the transaction starts and ends
• It helps in easily identifying problems in the I.C system.

Question 29

PROS and CONS: Flowcharts

Answer 29

PROS:
# The visual aid makes it easier to record complex and massive systems.
#It helps auditor in identifying easily missing controls as everything is  clear and visibly shown.

CONS:
$ It is time-consuming to prepare
$ It req.s additional training to be provided in understanding the entity’s I.C and preparing in the form of flowcharts.

Question 30

Questionnaires

Answer 30

• A list of written questions
• ICQs: to determine whether a particular control exists or not : close-ended questions.
• ICEQs: to determine the operating effectiveness of the I.Cs implemented : open-ended questions

Question 31

PROS and CONS: Questionnaires

Answer 31

PROS:
#It can be easily applied to a variety of systems or cycles because it is drafted in terms of objectives : can be customised: ICEQ
#It can be easily used and can be given to juniors to complete it as it is already pre-configured in the system.

CONS:
$ If drafted vaguely, then it can be misunderstood and important controls might not be identified.
$ Mgmt. could overstate controls: ICQs
$It may contain a large no. of irrelevant controls
$May not cover unusual controls which nevertheless are effective in particular scenarios.

Question 32

Control objective

Answer 32

-What the company wishes to achieve to reduce business risk

Question 33

Control procedure

Answer 33

-How the company plans to achieves its control objective

Question 34

Test of controls

Answer 34

-These are tests performed by the auditor to assess the operating effectiveness of the I.Cs.

Question 35

Standing data

Answer 35

• This is data that is held for long-term use and is changed less frequently.
• Such as employee’s bank A/C details, hourly wage rates /weekly wage rates and employee’s job position

Question 36

Objectives of payroll system

Answer 36

• To ensure salaries and wages are paid on time
• To ensure that salaries and wages are paid to the right people
• To ensure that salaries and wages are paid at the correct rates and terms.

Question 37

Control procedures : Standing data

Answer 37

1. ’ READ’ and ‘AMEND’ access should be restricted and available to only those responsible officials who have the need and authorised cause to access the information.
2. Maintain a log of attempts to know who has logged in and at what time and have it reviewed by a senior responsible official on a regular basis.
3. Match standing data to personal files periodically.

Question 38

Control procedures: Appointment and leavers

Answer 38

1. Appointment of any staff whether it is temporary or permanent should be made by the HR dept. which is seperate from the payroll dept.
2. HR dept. should be separate from the payroll dept and should have separate and different responsibilities.
3. There should be formal process for appointing employees such as interview held by interview manager to provide a formal written notification to the senior official responsible for starters/leavers.
4. Increases in pay should be proposed by the HR dept. and can should only be formally agreed by the board of directors
5. Update starter/leavers details on a timely basis. By having procedures to have starter/leaver details added or deleted from the master file as soon as the employee joins and leaves the company.

Question 39

How to determine significant deficiencies in the I.C system?

Answer 39

• The likelihood of the deficiency leads to material misstatement in the F.S
• The susceptibility to loss or fraud of the related asset or liability.
• The subjectivity and complexity arising in determining the estimated amounts.
• The importance of I.C to the financial reporting process

Question 40

How are significant deficiencies reported to TCWG and mgmt. ?

Answer 40

-It ir reported through a mangement letter.

Question 41

Management letter

Answer 41

• It expresses that the weaknesses found are not necessarily all weaknesses but only those identified as significant in the system.
• It is to be used solely for mgmt. purposes and should not be disclosed to any thrid parties.

Question 42

Why is it importance for auditor to communicate with TCWG ?

Answer 42

• To assist both auditor and TCWG in understanding easily matters related to audit.
• To obtain necessary information from TCWG such as understanding of the entity and their help to gain access to documents which mgmt. is refusing to share with the auditor.
• To help TCWG fulfil their duty of overlooking the financial reporting process to reduce ROMM in the F.S.
• To allow effective 2-way communication between auditor and TCWG.

Question 43

What matters should auditor communicate with TCWG ?

Answer 43

• The planned approach to audit and audit timetable should be explained.
• To discuss risk or non-compliance and fraud
• To report any suspicions of fraudulent activities or serious non-compliance with laws.
• To discuss significant matters
• To report and discuss significant deficiencies found in the I.C system.
• To give confirmation that members complied with code of ethics at all times and placed appropriate safeguards for any ethical threats identified: only for listed clients
• Key audit risks identified during the planning stg.