Chapter 3 - Internal Control Flashcards
What are the 5 elements of internal control systems?
1) Control Environment
2) Risk Assessment process
3) Entity’s process to monitor the system of internal control
4) The information system and communication
5) Control Activities
What are features of the control environment?
Attitudes, awareness, actions of those charged with governance and mgmt concerning internal control - sets the tone of organisation, influencing consciousness of its people
What are features of the risk assessment process?
Auditor needs to determine whether the entity has a process for identifying and controlling the risks in the business
What are the features of an entity’s process to monitor the system of internal control?
Mmgts monitoring of controls includes considering whether they are operating as intended and modified as appropriate for changes
What are the features of an entities information system and communication?
Evaluating whether the information system and communication appropriately support the preparation of the FS and understanding how information flows through the information system
What are features of the control activities?
1) Authorisation and approval
2) Physical (logistical controls)
3) Segregation of duties
4) Verification controls
5) Reconciliations
What is an example of direct control activities?
Controls over inventory count - direct controls will give good evidence about material misstatements in FS
What is an example of indirect controls?
Manager reviewing sales reports, controls completeness in FS but does not directly contribute to ensuring they are. Indirect controls are less effective in preventing, detecting or correcting material misstatements.
What are 5 limitations to internal controls?
1) Costs of controls may outweigh benefits so controls are not implemented
2) Many controls only cover routine transactions so non-routine transactions may not be subject to controls
3) Human error
4) Staff collusion
5) Management override of controls - controls bypassed
What steps would an auditor take if they found internal controls to be ineffective?
1) Report to mgmt
2) Full substantive testing on year end balances
What steps would an auditor take if they found the controls to be effective?
1) Test controls
2) Auditor can reduce substantive testing on year end balances
What are the three ways auditors record internal control systems?
1) Narrative notes
2) Flowcharts
3) Questionnaires
What are the advantages and disadvantages of internal control systems?
Advantage:
Simple and quick to record
Easy to understand for all of the audit team
Disadvantage:
Can be cumbersome, especially if system is complex
Can make it more difficult to identify missing internal controls as notes record details but do not identify control exceptions clearly
What are the advantages and disadvantages of flow charts?
Advantage:
Easier to identify missing internal controls
Visual aid can make it easier to record complex systems
Disadvantage:
Time consuming to prepare
Needs training to understand
What are advantages and disadvantages of questionnaires?
Advantages:
1) Quick to prepare, cost effective
2) All controls in system are considered and recorded (missing controls clearly highlighted)
3) Simple to complete
Disadvantages:
1) Company could easily overstate levels of controls
2) Needs to be tailored for each client otherwise unusual controls may be missed
What does an auditor perform once the clients internal control system has been documented?
Walkthrough test - following one transaction through each stage of the accounting process to ensure systems and controls operate as documented (not a test of control)
What is the ‘objective of control’ and the ‘control procedures’ in response to the sales risk that customer orders are not received or properly recorded - therefore sales are understated (receipt of customer order)
Objective of control - ensure sales are properly accounted for
Control procedures:
1) Orders taken should be recorded on a pre-numbered multipart document generated by computer - one part could form invoice and one could go to despatch department
2) Regular checks performed on completeness of sequence of pre-numbered documents, any documents unaccounted for should be traced and investigated
What is the ‘objective of control’ and the ‘control procedures’ in response to the sales risk that a customer is unable to pay - therefore bad debts (receipt of customer order)
Objective of control - to ensure that goods are sold on credit only to customers who can pay
Control procedures:
1) Credit limits should be checked - any orders that exceed credit limits should be rejected
What is the ‘objective of control’ and the ‘control procedures’ in response to the sales risk that a orders are placed without inventory available for despatch - therefore unfulfilled orders (receipt of customer order)
Objective of control - Ensure that inventory is available for despatch
Control procedure:
1) Availability of inventory should be checked so that orders cannot be taken for good with nil/low inventory
What is the ‘objective of control’ and the ‘control procedures’ in response to the sales risk that a good despatched are not the correct good ordered by customer? (Despatch of customer order)
Objective of control - To ensure that good are despatched are those that are ordered
Control procedure:
1) All good despatched should be accompanied by a Goods Despatch Note
2) the GDN should be matched to the original customer order
What is the ‘objective of control’ and the ‘control procedures’ in response to the sales risk that a good despatched of poor quality? (Despatch of customer order)
Objective of control - Ensure that satisfactory quality is dispatched
Control procedures:
1) Random control check should be performed on randomly selected despatches
2) Customer should sign and return GDN as acceptance of goods
What is the ‘objective of control’ and the ‘control procedures’ in response to the sales risk that customers are not invoiced correctly? (Invoicing of customer)
Objective of control - To ensure that invoices are raised correctly
Control procedure:
1) Sales invoice should be raised rom/matched to the GDN
What is the ‘objective of control’ and the ‘control procedures’ in response to the sales risk that invoices are not recorded in the ledger at all? (Invoicing of customer)
Objective of control - To ensure that are invoices are properly included
Control procedure:
1) All sales invoices should be prenumbered
2) All invoices should be posted to the sales day book, accounts receivable ledger and the accounts receivable control account
3) Regular checks should be performed on completeness of sequence of pre-numbered invoices.
What is the ‘objective of control’ and the ‘control procedures’ in response to the sales risk that some items are not posted, or are posted incorrectly to the ledgers? (Invoicing of customer)
Control objective - Ensure all items are correctly and accurately recorded
Control procedures:
1) Receivabales ledger and receivables control account should be reconciled each month and reviewed.
What is the ‘objective of control’ and the ‘control procedures’ in response to the sales risk that customers do not pay or pay late? (Collection of cash)
Objective of control - customers pay on a timely basis
Control procedures:
1) Credit control department should ensure that all debts are paid promptly by sending out regular statements and chasing overdue debts
What is the ‘objective of control’ and the ‘control procedures’ in response to the sales risk that funds received are incorrectly allocated? (Collection of cash)
Control Objective - Ensure funds are correctly allocated
Control procedure:
1) Banks transfers should be matched with individual transactions
What is the ‘objective of control’ and the ‘control procedures’ in response to the cash/cheques sent through the post go missing? (Collection of cash)
Control objective - cheques and cash do not go missing
Control procedures:
1) Segregation of duties in post room so cheques cannot be stolen
2) Cheques recorded and banked promptly
3) Bank reconciliation should be performed on monthly basis in order to ensure company’s cash records are complete
What is the ‘objective of control’ and the ‘control procedures’ in response to the purchase risk that goods are ordered without proper authorisation? (Purchase order raised)
Control objective - Ensure that good are ordered are properly authorised
Control procedure:
1) Purchase orders (PO’s) should be sequentially numbered and sequence checked regularly
2) All PO’s must be authorised by responsible official
What is the ‘objective of control’ and the ‘control procedures’ in response to the purchase risk that goods are ordered from an unauthorised sauce? (Purchase order raised)
Control objective - Ensure that goods are ordered from authorised suppliers
Control procedure:
1) Only authorised suppliers are used from a preferred supplier list
2) If there is no authorised supplier, a tender should be invited and the best value supplier selected
What is the ‘objective of control’ and the ‘control procedures’ in response to the purchase risk that the supplier sends goods that are incorrect or substandard? (Receipt of goods)
Control objective - Ensure that goods are received are as ordered in terms of quantity and quality
Control procedure:
1) All goods recieved should be checked for quality and quantity
2) A prenumbered Goods Reived Note should be matched and matched to PO.
What is the ‘objective of control’ and the ‘control procedures’ in response to the purchase risk that goods received are not added to inventory? (Receipt of goods)
Control objective - Ensure goods received are added to inventory
Control procedures:
1) Inventory systems should be updated if goods are for resale. If items are for business use, the correct entry should be made to non-current assets etc.
2) GRN should be initialled to show inventory updated
What is the ‘objective of control’ and the ‘control procedures’ in response to the purchase risk that suppliers invoice for the incorrect product quantity or price? (Receipt of purchase invoice)
Control Objective - to ensure that correct product, quantities and prices are invoiced
Control procedure:
1) All invoices received should be checked back to PO and GRN
What is the ‘objective of control’ and the ‘control procedures’ in response to the purchase risk that invoices are not included in the accounts? (Receipt of purchase invoice)
control objective - to ensure that invoices are included in the accounts
control procedure:
1) Invoices should be added to the purchase day book
2) Purchase day book should be posted to the nominal ledger/purchase ledger
3)Supplier statements should be reconciled back to the purchase ledger
What is the ‘objective of control’ and the ‘control procedures’ in response to the purchase risk that payments are made to the incorrect supplier/incorrect amount? (payment of purchase invoice)
Control objective - ensure payments are made to correct suppliers and for correct amounts
Control procedures:
1) Payments whether cheque or bank transfer should be authorised by a responsible official and counter signed over a certain amount
2) All paid invoices should be stamped paid
3) Purchase ledger should be updated promptly/automatically
4) Purchase ledger should be reconciled to nominal ledger monthly
What is the ‘objective of control’ and the ‘control procedures’ in response to the inventory risk that Inventory is stolen?
Objective of control - inventory is stored securely
Control procedure:
1) Should be appropriate physical security
2) Should be regular manual checks to make sure that actual numbers agree to stock records
What is the ‘objective of control’ and the ‘control procedures’ in response to the inventory risk that inventory could be obsolete or slow moving?
Objective of control - ensure that inventory is current and saleable
Control procedure:
1)Regular review of stock listing to monitor slow moving items
2) There should be regular reviews of physical stock to check for damage
What is the ‘objective of control’ and the ‘control procedures’ in response to the inventory risk that inventory may run out?
Objective of control - ensure that inventory does not run out
Control procedure:
Regular review of re-order levels
What is the ‘objective of control’ and the ‘control procedures’ in response to the payroll risk that non bona fide employees are paid?
Objective of control - Ensure that only bona fide employees are paid
Control procedure: new employees entered onto or leavers removed from payroll system should authorised by responsible official - segregation of duties between human resources and payroll function
What is the ‘objective of control’ and the ‘control procedures’ in response to the payroll risk that employees are paid incorrect amounts?
Objective of control - ensure that employees are paid correct amount
Control procedure:
1) Time sheets reviewed for all employees
2) Overtime/bonuses should be properly authorised by appropriate manager
3) Changes in pay rates properly documented
4) Monthly payroll should be reviewed for reasonableness by appropriate manager
5) Exception reports generated and reviewed for pay over certain threshold
What is the ‘objective of control’ and the ‘control procedures’ in response to the payroll risk that Tax and NI are incorrectly calculated?
Objective of control - ensure that Tax and NI are correctly calculated
Control procedure:
1) Tax and NI should be calculated by trained official
2) Software used should be updated regularly to account for changes in legislation
What is the ‘objective of control’ and the ‘control procedures’ in response to the payroll risk that wages paid in cash may be stolen?
Objective of control - cash is properly secured
Control procedures:
1) Adequate security available
2) Staff must sign to confirm receipt of cash wages
3) Only pay staff directly into bank accounts
What is the ‘objective of control’ and the ‘control procedures’ in response to the bank and cash risk that petty cash is spent inappropriately?
Objective of control - Proper control of petty cash
Control procedure:
1) Expenditure should be appropriately authorised
What is the ‘objective of control’ and the ‘control procedures’ in response to the bank and cash risk that cash kept on premises could go missing?
Objective of control - petty cash is kept securely
Control procedure:
1) Appropriate security for petty cash
2) Imprest system that is regularly checked
What is the ‘objective of control’ and the ‘control procedures’ in response to the bank and cash risk that receipts go missing or payments are made to unauthorised persons?
Objective of control - Ensure that receipts are banked and all payments are made to bona fide persons
Control procedures:
1) Bank reconciliation should be performed at least once per month. This reconciliation should be reviewed and authorised
What are the two types of information processing controls that operate within a computer system and what is their nature?
Manual or automated and can be preventative or detective in nature and they aim to ensure transactions are input, processed or output completely, accurately and valid
What is the ‘objective of control’ and the ‘control procedures’ in response to the bank and cash risk that cheques are paid to unauthorised persons?
Objective of control - Payments are only made to authorised persons
Control procedure:
1) At least two persons that sign cheques. Cheques should be kept in a secure location
What are 5 examples of information processing controls?
1) Mandatory input fields for websites
2) Checking arithmetical accuracy of records
3) Range/Limit checks on whether a customer has exceeded their credit limit
4) Edit checks of input data
5) Numerical sequence checks
What are some examples of general IT Controls?
1) Virus protection
2) Regular backups
3) Operating logs
4) Acquisition and maintenance of new hardware and software, as well as password controls
What is a test of control?
1) Evaluation of operating effectiveness of controls in preventing, detecting and correcting material misstatements.
How would an auditor test a control?
If auditor told purchase orders are authorised by responsible official - auditor would select sample and inspect for evidence of appropriate authorisation
What is the impact on the auditor if the internal controls are found to be strong?
The auditor can perform reduced substantive testing and more tests of control (control risk is lower - reduced chance that errors exist in FS)
Can the auditor recommend how a client can improve their controls?
Yes, and this adds value to the audit
What is the aim of a substantive test?
Ensure that there are no material misstatements at the assertion level in the client’s financial statements
When would an internal control system be deemed deficient?
1) If it’s designed, implemented or operated in such a way that is it unable to prevent, detect and correct misstatements in the FS on a timely basis
2) If it is missing
When would an internal control system be deemed significantly deficient?
1) Merits the attention of those charged with governance and is determined by:
1) Likelihood of deficiency leading to material misstatement
2) Susceptibility of loss or fraud
3) Cause and frequency of exceptions detected as result in deficiencies in controls
4) Volume of activity occurring in the account balance exposed to deficiency
How is the communication of significant deficiency communicated to the client?
in writing in a ‘report to management’ - highlighting deficiency in internal control, potential effects and recommendations
What are the four points to cover if drafting a covering letter?
1) Statement report is no comprehensive list of deficiencies, but only significant items that have come to light
2) Clarify report is sole use of company and no disclosures communicated to third party without consent of auditor
3) no responsibility is assumed by auditor to other third parties
What are the four factors to be taken into account when assessing the need for internal audit?
1) Size and complexity of the company
2) Scale and diversity of activities
3) Cost/benefit considerations
4) Desire of mgmt to have assurance and advice on risks and controls
Role of external auditor?
Objectives:
Form an opinion on whether sets of accounts are “true and fair”
Standards:
Must follow internal Standards of Auditing
Report to:
Shareholders via auditors report
Status:
Independent
Qualification:
Qualified accountant and member of recognised supervisory body
Role of internal auditor?
Objectives:
Improve company’s operations in terms of efficiency and effectiveness of internal controls
Standards:
Choose to use guidelines of Institute of Internal Auditors
Report to:
Board of Directors or audit committee
Status:
Objective
Qualification:
No formal qualifications required
What is the scope of the internal audit function?
1) Reviewing the internal controls of the business
2) Reviewing accounting systems of business
3) Reviewing key risk areas of business, including fraud
4) Preparing schedules for the external auditors
What are some advantages of outsourcing the internal audit department?
1) More independent
2) Industry experience and pool of qualified accountants available
3) Experienced auditors increase reliability of findings
4) Cheaper than having a full time presence
5) Quicker set up time
What are some disadvantages of outsourcing internal audit department?
1) Lack of client-specific knowledge
2) Loss of internal audit as training ground for new managers of business
3) Possible loss of control over how and when work is performed
4) Possible self-review threat if the external auditors are not being used
5) Potential confidentiality issues
What are the three E’s of an Value for Money Audit?
Economy - least cost with acceptable level of risk
Efficiency - best use of resources
Effectiveness - organisational objectives will be achieved
What is the formant and content of internal audit review reports?
1) Addressee - normally audit committee or board of directors
2) Terms of reference - who requested the report and what purpose of report is
3) Executive summary
