Chapter 5 Introduction to internal control Flashcards
1.1 What is internal control
Internal control is the process designed and effected by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of objectives regarding the reliability of financial reporting, effectiveness of operations and compliance with law.
Internal control is designed to address identified business risks that threaten the achievement of these objectives.
1.2 Purpose of internal control
Internal controls help an organisation to achieve its objectives and mitigate the business risks it faces.
1.3 Limitations of internal controls
No system of internal controls will mitigate risks entirely, because of limitations of controls such as human error, unusual transactions that tend to fall outside the scope of control systems, collusion, and special considerations in small companies (lack of documentation and limited staff make segregation of duties difficult).
1.4 Internal controls in the annual report
The directors of companies applying the UK corporate governance code are required to report on risk management and internal controls systems in the company’s annual report.
1.5 Overview of an internal control system
ISA 315 sets out the following components of internal control:
- Control environment
- Risk assessment process
- Information system
- Control activities
- Monitoring
2.1 What is the control environment
The control environment is the governance and management functions and the attitudes, awareness, and actions of those charged with governance and management concerning the entity’s internal control and its importance in the entity. The following may indicate a strong control environment:
- The existence of an audit committee
- An internal audit function
- Effective documentation of control systems
- The importance of controls communicated to all staff members
- No management override of controls
- Recruitment of employees with integrity
A strong control environment means auditors are more likely to rely on controls as a source of audit evidence.
2.2 Audit committee
An audit committee is a subsection of the board of directors which has an interest in the accounting and finance activities of the company. Key features of the committee include:
- Comprised of non-executive directors
- Requirement for UK listed companies under the UK corporate governance code
- Required to have written terms of reference
- Oversees the financial statements, internal audit, and external audit
The audit committee reports to the company’s shareholders in the annual report.
3.1 Risk assessment process
The process by which management in a business identifies business risks relevant to financial reporting objectives and decides what actions to take to address those risks. Internal controls should be designed to address identified risks.
Identify risks – estimate the significance of the risks – assess the likelihood of occurrence – decide on the actions to address the risk.
4.1 Information systems
Information systems relevant to financial reporting objectives include the procedures and records designed to initiate, record, process and report entity transactions and maintain accountability for the related assets, liabilities, and equity. Auditors are interested in:
- Identifying significant classes of transactions
- Systems for preparing financial statements
- The accounting software used
- Related accounting records and supporting information
- Roles and responsibilities allocated to personnel
- Danger of internal controls being overridden at the financial statement preparation stage
5.1 Control activities
ISA 315 sets out five types of control activities:
- Authorisation: important to ensure that only valid transactions are recorded
- Performance reviews: identify unexpected items that could indicate errors in accounting information
- Information processing: designed to check the completeness and accuracy of information. Include checks on sales invoices, bank reconciliations and controls on computerised systems.
- Physical controls: involve restriction of access to assets or data. Also include counting assets and comparing with the recorded amount
- Segregation of duties: different staff responsible for authorising and recording transactions.
- Computer controls: two categories of general controls and application controls.
5.2 Computer controls: general
These are policies and procedures that relate to applications and support the function of application controls by ensuring the continued proper operation of information systems. They include:
- Controls over system design, programming, and documentation
- Testing system performance
- Staff training
- Password protection
- Restricting physical access to central computers
- Virus checks
- Backup copies stored off-site
- Disaster recovery procedures
5.3 Computer controls: application controls
Application controls are manual or automated procedures that apply to individual areas in a system. Examples include:
- Controls over input completeness: such as sequence checks and document counts, one-to-one checking of processed output to source documents, and hash totals and batch totals
- Controls over input accuracy: such as hash totals and batch totals, reasonableness tests, character tests and range checks
- Controls over input authorisation: manual checks to ensure information was authorised
- Controls over standing data: one-to-one checking of amendments to source documents and periodic review of all standing data
5.4 Cyber security risk
Key risks to an entity's IT systems include hacking, theft of funds, deliberate sabotage, viruses, and denial of service attacks. The ICAEW cyber security publication makes suggestions to combat cyber risks such as:
- Improve communication about cyber risks and how to manage them
- Define who is responsible and accountable for cyber security in the organisation
- Assign board level accountability
- Non-executive directors/audit committees should monitor the actions of the executive related to cyber security
6.1 Monitoring controls
Internal controls should be continually monitored to ensure effectiveness.
- Directors should decide whether they are adequate for the changing environment and business risks
- They should be monitored at all levels
- Internal audit may recommend new systems as a result of weaknesses
- External audit may highlight weaknesses as part of their audit work
7.1 Consideration of internal controls when planning the audit
Auditors need to gain an understanding of the system and controls; this means the auditor can assess the level of control risk and determine the audit approach to take.