Chapter 5 - Introduction to internal control and information flows Flashcards

1
Q

What is the definition of internal control?

A

Internal control: ‘The process designed, implemented and maintained by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations.’

2
Q

What are the 3 main reasons for implementing internal controls?

A

These are our objectives
Internal controls minimise business risks, ensure the effective functioning of the company, and help the company comply with laws and regulations

3
Q

What are some inherent limitations of internal control? (4)

A

CHEW

COLLUSION
HUMAN ELEMENT
EXPENSE
WEIRD TRANSACTION

Collusion - 2 or more people working together to bypass a control
Human element - Some controls are only as good as the people operating them. If a mistake is made in implementing the control, the control may be ineffective, e.g. mistyping, leaving a door open
Expense - Controls can be expensive; is it worth having the control? Some controls are only as good as the people operating them. If a mistake is made in implementing the control, the control may be ineffective
Weird Transactions - Controls are generally designed to deal with what routinely happens. For an unusual transaction the control may not be relevant or may not exist

4
Q

How is collusion an inherent limitation of internal control?

A

Collusion - 2 or more people working together to bypass a control

5
Q

How is human element an inherent limitation of internal control?

A

Human element - Some controls are only as good as the people operating them. If a mistake is made in implementing the control, the control may be ineffective, e.g. mistyping, leaving a door open

6
Q

How is expense an inherent limitation of internal control?

A

Expense - Controls can be expensive; is it worth having the control? Some controls are only as good as the people operating them. If a mistake is made in implementing the control, the control may be ineffective

7
Q

How is weird transaction an inherent limitation of internal control?

A

Weird Transactions - Controls are generally designed to deal with what routinely happens. For an unusual transaction the control may not be relevant or may not exist

8
Q

CHEW

A

These are the 4 limitations of internal controls

COLLUSION
HUMAN ELEMENT
EXPENSE
WEIRD TRANSACTION

9
Q

What is the control environment, and why is it significant?

A

The control environment includes governance functions and management’s attitudes, setting the tone of an organisation and influencing the control consciousness of its people. It is fundamental in supporting a robust internal control system.

3 A’s = Attitudes, Awareness and Actions

10
Q

What are the 5 components of internal controls?

A

CRIME

CONTROL ACTIVITIES
RISK ASSESSMENT
IT SYSTEM + COMMS
MONITORING
ENVIRONMENT
- control environment on 3A’s
- audit committee

11
Q

CRIME

A

These are the 5 components of internal controls

CONTROL ACTIVITIES
RISK ASSESSMENT
IT SYSTEM + COMMS
MONITORING
ENVIRONMENT

12
Q

crimE - ENVIRONMENT
What importance does the strength of a control environment have on auditors?

A

The control environment is therefore very important to the auditors and they will evaluate it as part of their risk assessment process. If the control environment is strong, then auditors will be more inclined to rely on the controls system in the entity than if it is weak.

WEAK = MORE SUBSTANTIVE TESTING

13
Q

crimE - ENVIRONMENT
Do all companies have an audit committee?

A

It is required for listed companies and is a best practice for large companies to ensure proper oversight.

Rules are generally stricter for limited companies

14
Q

crimE - ENVIRONMENT
What role does an audit committee play in the control environment?

A

An audit committee, a subcommittee of the board, oversees the internal control structure, financial reporting, and compliance with laws, often supporting both internal and external audits

15
Q

crimE - ENVIRONMENT
Who typically comprises the Audit Committee?

A

The Audit Committee is made up of Non-Executive Directors (NEDs).

These are independent people who advise. Usually paid a fixed fee, not employed full time. Do not participate in daily management but provide independent oversight and advice. Their role is to challenge and provide objective perspectives on management’s decisions. Are expected to remain independent and objective, as they provide an external viewpoint to avoid potential conflicts of interest. Represent shareholder interests and focus on governance, risk management, and ensuring accountability. They may chair subcommittees like the Audit, Remuneration, or Nomination Committees.

16
Q

crimE - ENVIRONMENT
What is the difference between an executive vs non-executive director?

A

Executive Director - Employees, standard pay e.g. CEO, CFO, COO, CIO, CTO
Are involved in the day-to-day management of the company and are responsible for executing the company’s strategic goals. May not be as independent due to their direct involvement in the company’s operations. Represent the management’s perspective and bring insights into operational and strategic issues.

Non-Executive Director - These are independent people who advise. Usually paid a fixed fee, not employed full time. Do not participate in daily management but provide independent oversight and advice. Their role is to challenge and provide objective perspectives on management’s decisions. Are expected to remain independent and objective, as they provide an external viewpoint to avoid potential conflicts of interest. Represent shareholder interests and focus on governance, risk management, and ensuring accountability. They may chair subcommittees like the Audit, Remuneration, or Nomination Committees.

17
Q

crimE - ENVIRONMENT
What is one of the key responsibilities of the Audit Committee concerning financial statements?

A

Ensuring the integrity of the financial statements, often with the help of an external auditor.

18
Q

crimE - ENVIRONMENT
What is the Audit Committee’s role in internal controls?

A

They ensure that internal controls and risk management systems are robust, often with the assistance of an internal auditor.

19
Q

crimE - ENVIRONMENT
How does the Audit Committee assess the objectivity of the external auditor?

A

By reviewing the length of service, remuneration, and any non-audit services provided.

20
Q

crimE - ENVIRONMENT
What is one of the Audit Committee’s responsibilities related to external auditors?

A

They recommend the appointment and removal of external auditors.

21
Q

crimE - ENVIRONMENT
What aspects of the internal audit does the Audit Committee monitor and review?

A

The committee reviews the internal audit’s skill and experience, resources, and independence.

22
Q

cRime - RISK ASSESSMENT
What is the purpose of a company’s risk assessment process?

A

Risk assessment involves identifying business risks that could impact the entity’s objectives and determining actions to mitigate those risks.

BUSINESS RISK: A risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity’s ability to achieve its objectives and execute its strategies.

23
Q

cRime - RISK ASSESSMENT
Define “Business Risk.”

A

A risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity’s ability to achieve its objectives and execute its strategies.

24
Q

cRime - RISK ASSESSMENT
What is the process of a risk assessment? (4) Who would establish the process? (1)

A

Those charged with governance (TCWG) should establish the following process:

  1. Identification of business risk
    - Risk register
  2. Estimate Impact
  3. Assess likelihood
  4. Actions to manage
25
Q

cRime - RISK ASSESSMENT
Why are auditors interested in business risks?

A

Because business risks that threaten the business can also pose a risk of financial statement misstatements.

26
Q

crIme - IT SYSTEM + COMMS
What is the purpose of the information system and communication in internal control?

A

It includes the financial reporting system and consists of procedures by which transactions are initiated, recorded, processed, corrected, and reported.

27
Q

crIme - IT SYSTEM + COMMS
Why is the information system important to auditors?

A

Auditors are concerned with the reliability of the information system as it impacts the accuracy and integrity of financial statements.

28
Q

crIme - IT SYSTEM + COMMS
What does ‘Initiated’, ‘Recorded’, ‘Processed’, ‘Corrected’ and ‘Reported’ mean in the context of information systems?

A

INITIATED - It refers to how a transaction is known to have occurred, requiring a source document like an invoice as evidence.
RECORDED - It ensures that debits and credits are posted correctly, and checks if the system verifies correct entries.
PROCESSED - Information flows from the nominal ledger to the trial balance to the financial statements, and the system’s ability to maintain accuracy throughout is assessed.
CORRECTED - It involves ensuring that journal entries are approved, authorised, and any manual postings have restrictions to maintain accuracy.
REPORTED - It is the final stage where the financial statements are generated from the processed information.

29
Q

crIme - IT SYSTEM + COMMS
What are information processing controls, and why are they important?

A

These are automated or manual procedures at the business process level that ensure data integrity, covering completeness, existence, and accuracy. Exist WITHIN your system.
They relate to input, processing, or output data.

30
Q

crIme - IT SYSTEM + COMMS
What do information processing controls relate to?

A

They relate to input, processing, or output data.

31
Q

crIme - IT SYSTEM + COMMS

A
32
Q

crIme - IT SYSTEM + COMMS
What are controls over input completeness?

A

They ensure all data is captured, such as one-for-one checking of processed output to source documents and running exception reports.

33
Q

crIme - IT SYSTEM + COMMS
What are controls over input accuracy/integrity?

A

These include programs to verify data fields with checks like digit verification, reasonableness tests, existence checks, character checks, and permitted ranges.

- Digit verification (e.g. reference numbers are as expected)
- Reasonableness test (e.g. VAT to total value)
- Existence checks (e.g. customer name)
- Character checks (no unexpected characters used in reference)
- Permitted range (no transaction processed over a certain value)

34
Q

crIme - IT SYSTEM + COMMS
What are controls over input authorisation?

A

They ensure information input is authorised, such as requiring digital signatures or passwords from authorised personnel.

35
Q

crIme - IT SYSTEM + COMMS
What are controls over processing of inputs?

A

Controls that ensure processing is completed, like screen warnings to prevent logging out before processing is done.

36
Q

Crime - CONTROL ACTIVITIES
Define control activities in an internal control system

A

Control activities are actions by management to prevent or detect fraud and errors, safeguarding assets and ensuring accurate financial reporting

37
Q

Crime - CONTROL ACTIVITIES
PARIS V

A

Physical or logical controls e.g. security
Authorisation procedures e.g. journals/time sheets
Reconciliations e.g. bank
Information processing and general IT controls e.g. passwords
Segregation of duties
Verifications

See Ch 3 for more FCs

38
Q

Crime - CONTROL ACTIVITIES
What are general controls in information systems?

A

AROUND THE SYSTEM

General controls: Policies and procedures that relate to many applications and support the effective function of the information processing controls by helping to ensure the continued proper operation of information systems.

Policies and procedures that support the function of information processing controls and ensure the continued proper operation of information systems.

39
Q

Crime - CONTROL ACTIVITIES
What are some controls involved in the “Development of computer applications”?

A

Standards for systems design, full testing procedures, approval by users and management, and staff training in new procedures.

- Standards over systems design, programming and documentation
- Full testing procedures prior to use
- Approval by computer users and management
- Training of staff in new procedures

40
Q

Crime - CONTROL ACTIVITIES
What is a key control to prevent or detect unauthorised changes to programs?

A

Password protection, restricted access to the central computer, and use of virus checks.

- Password protection of programs so that access is limited to computer operations staff
- Restricted access to central computer by locked doors, keypads
- Virus checks on software: use of anti-virus software and policy prohibiting use of non-authorised programs or files

41
Q

Crime - CONTROL ACTIVITIES
Why is “Testing and documentation of program changes” important in general controls?

A

To ensure new systems work correctly, with testing, proper documentation, and approval by users and management.

- Complete testing procedures
- Documentation of program changes
- Documentation of new systems
- Approval of changes by computer users and management

42
Q

Crime - CONTROL ACTIVITIES
What is an example of a control to prevent unauthorised amendments to data files?

A

Using passwords and built-in controls to prevent unauthorised data changes.

43
Q

Crime - CONTROL ACTIVITIES
How can a company ensure continuity of operations through general controls?

A

By storing extra copies of programs off-site, protecting equipment, having backup power sources, and maintaining disaster recovery procedures.

44
Q

Crime - CONTROL ACTIVITIES
What are some backup measures included in general controls?

A

Back-up power sources, back-up copies of programs stored off-site, and emergency procedures.

45
Q

Crime - CONTROL ACTIVITIES
What types of maintenance agreements are part of ensuring continuity of company operations?

A

Agreements for regular maintenance and insurance to protect against loss or damage.

46
Q

criMe - MONITORING
Why should an entity review its overall control system?
What happens if an entity’s control system is not reviewed and corrected as needed?

A

To ensure it still meets its objectives, operates effectively and efficiently, and allows timely corrections if needed.
The control system may not operate optimally, potentially leading to inefficiencies and risks.

47
Q

criMe - MONITORING
This is often a role of the internal audit department within the company.

A

This is often a role of the internal audit department within the company.

48
Q

criMe - MONITORING
What is a management report in the context of an audit?
What does this look like?

A

A report produced by auditors at the end of an audit, outlining any deficiencies observed in the internal controls.

Looks like
1. Deficiency - This is the weakness
2. Consequence - What could happen as a result of the deficiency (COULD)
3. Recommend - What would you recommend (SHOULD)

49
Q

criMe - MONITORING
What is the responsibility of auditors regarding control deficiencies according to ISAs?

A

Auditors are required to identify control deficiencies and communicate them to those charged with governance.

50
Q

How do auditors obtain information about internal controls?

A

Through company manuals, records from previous years (e.g. management letter), discussions with internal control personnel, and observation of control activities.

Records from previous years - It helps auditors understand the historical context of controls and identify any recurring issues.

51
Q

What role does observation play in understanding internal controls?

A

Auditors observe operations to see control activities being implemented in practice, which helps validate their effectiveness.

52
Q

What are the three types of documents used for recording internal controls?

A

Narrative notes, questionnaires and checklists, and diagrams.

NN - They are good for simple systems and providing background information but are less effective for complex systems.
Q&C - They ensure all bases are covered as an aide-memoire but can be mechanical, causing important questions to be missed or simply ticked off.
D - They are useful for complex systems, like flowcharts for processes, organizational charts, and family trees for related party transactions.

53
Q

When are “Narrative Notes” useful for recording internal controls?

A

They are good for simple systems and providing background information but are less effective for complex systems.

54
Q

What are the advantages and limitations of using “Questionnaires and Checklists” for recording internal controls?

A

They ensure all bases are covered as an aide-memoire but can be mechanical, causing important questions to be missed or simply ticked off.

55
Q

In what scenarios are “Diagrams” most helpful for recording internal controls?

A

They are useful for complex systems, like flowcharts for processes, organizational charts, and family trees for related party transactions.

56
Q

What is a walk-through test in internal control evaluation?

A

A walk-through test involves tracing a few transactions through the financial reporting system to verify the auditor’s understanding of controls.

57
Q

Which one of the following is a reason that organisations have effective systems of control? To assist the organisation in:
A Maximising profitability
B Maximising operating efficiency
C Reducing time required for the statutory audit
D Minimising audit risk

A

B Maximising operating efficiency

58
Q

The following are examples of internal controls which operate at Searson plc. For each example, select the one type of control activity which it illustrates.
Authorisation
Reconciliation
Information processing
Physical

(1) The financial controller investigates the exception report of unmatched transactions from the electronic banking system

(2) Searson regularly counts its high risk/high value inventory on a monthly basis and compares it with amounts in the accounts

(3) Searson regularly compares its trade payable ledger to supplier statements, discrepancies are resolved to make sure they agree

A

(1) The financial controller investigates the exception report of unmatched transactions from the electronic banking system
INFORMATION PROCESSING

(2) Searson regularly counts its high risk/high value inventory on a monthly basis and compares it with amounts in the accounts
PHYSICAL

(3) Searson regularly compares its trade payable ledger to supplier statements, discrepancies are resolved to make sure they agree
RECONCILIATION

59
Q

Most entities use IT systems for financial reporting and operational purposes. Controls operating in an IT environment can be split into general controls and information processing controls.
Which two of the following are information processing controls?
A Permitted range
B Digit verification
C Passwords
D Virus checks

A

A Permitted range
B Digit verification

60
Q

1 ISA (UK) 315, Identifying and Assessing the Risks of Material Misstatement states that a system of internal control in an organisation consists of five components: the control environment, the entity’s risk assessment process, the entity’s process to monitor the system of internal control, the information system and communication, and control activities.
For each of the following examples, select the component which it illustrates.

The process of preparing the financial statements
A Control environment
B Information system and communication
C Control activities

Locking the inventory storeroom
D Control environment
E Information system and communication
F Control activities

A

B Information system and communication
F Control activities
The process of preparing the financial statements forms part of the information processing system. Locking the inventory storeroom is a specific control activity.
None of the above relate to the control environment, which refers to the management style and philosophy towards controls.

61
Q

5 Which one of the following is not part of an entity’s risk assessment process?
A Identify relevant business risks
B Estimate the impact of risks
C Assess the likelihood of occurrence
D Decide upon actions to manage the risks
E Report the process to the auditors

A

E Report the process to the auditors
Reporting the process to the auditors is part of the external audit process and not part of the internal risk assessment process.

62
Q

7 The following are examples of internal controls which operate at Badweather plc. For each example, select the type of control activity which it illustrates.
The financial controller counts petty cash on a monthly basis.
A Authorisation and approval
B Verification
C Physical or logical control

There are two keys to the locked finance department safe: one held by the finance director and the other by the managing director.
D Authorisation and approval
E Verification
F Physical or logical control

A

7 Correct answer(s):
C Physical or logical control
Correct answer(s):
F Physical or logical control
Both are physical controls which are categorised under the control type of physical or logical controls. SAMPLE EXAM

63
Q

8 The following are examples of internal controls which operate at Castle Ltd.
For each example, select the type of control activity which it illustrates.

The financial controller compares the results of petty cash counts with the accounting records.
A Physical or logical controls
B Reconciliations
C Segregation of duties

The receivables ledger clerk posts invoices to the receivables ledger. The cash clerk posts cash receipts to the receivables ledger.
D Physical or logical controls
E Reconciliations
F Segregation of duties

A

Correct answer(s):
A Physical or logical controls
Comparing balances from petty cash counts with the accounting records is a physical control, because it involves the ‘periodic counting and comparison with amounts shown on control records’ (ISA (UK) 315).

Correct answer(s):
F Segregation of duties
Having separate clerks recording sales invoices and posting cash receipts in the sales ledger reduces the risk of fraud and error (is therefore a segregation of duties control). SAMPLE EXAM

64
Q

9 The following are examples of computer controls which operate at Goody plc. For each example, select the type of computer control which it illustrates.

Storing extra copies of programs and data files off-site
A General IT
B Information processing

Programmes to check data fields on input transactions
C General IT
D Information processing

Manual checks to ensure that input data was authorised
E General IT
F Information processing

A

Correct answer(s): A General IT
Storing extra copies of programs and data files off-site is a general control as it supports the effective functioning of information processing controls.
Correct answer(s):
D Information processing
Checking data fields on input transactions relates specifically to the processing of individual IT applications, and is not part of the IT environment.
Correct answer(s):
F Information processing
Manual checks to ensure that input data was authorised relate specifically to the processing of individual IT applications, not the IT environment as a whole.

65
Q

12 Most entities make use of IT systems for financial reporting and operational purposes. Controls operating in an IT environment can be split into general IT controls and information processing controls.
Which one of the following is an information processing control?
A Training staff in new IT procedures
B Taking back-up copies of programs
C Maintenance agreements over IT equipment
D Cyclical reviews of all master files

A

D Cyclical reviews of all master files
Cyclical reviews of the master files are an information processing control. The remainder of the options available are general controls.

66
Q

16 ISA (UK) 315 (Revised) states that an internal control system in an organisation consists of five components: (i) Control environment; (ii) The entity’s risk assessment process; (iii) The entity’s process to monitor the system of internal control; (iv) The information system and communication; and (v) Control activities.
For each of the following examples, select the component which it illustrates.

Training programme for all staff
A Control environment
B Control activities
C The entity’s process to monitor the system of internal control

Review of actual performance against budget
D Control environment
E Control activities
F The entity’s process to monitor the system of internal control

A

Correct answer(s):
A Control environment
Training programme for all staff is part of the control environment.
Correct answer(s):
E Control activities
Review of actual performance versus budget is a control activity.

67
Q

19 The following are examples of internal controls which operate at Elm plc. For each example, select the type of control activity which it illustrates.
The financial controller signs an expense report after reviewing whether the expenses seem reasonable and within policy.
A Verification
B Authorisation and approval

The payables ledger clerk posts invoices to the payables ledger. The cash clerk posts cash payments to the payables ledger.
C Segregation of duties
D Verification

A

Correct answer(s):
B Authorisation and approval
This is an example of an authorisation and approval control. A verification control would compare two or more items with each other or compare an item with a policy, and will probably involve a follow-up action when the two items do not match or the item is not consistent with policy (although unlike reconciliation activities which aim to bring two different items into agreement, verification activities may not result in items matching, provided the reason for this is considered acceptable).
Correct answer(s):
C Segregation of duties
Having separate clerks recording purchase invoices and posting cash payments in the payables ledger reduces the risk of fraud and error (so this is therefore a segregation of duties control).

68
Q

20 The following are examples of computer controls which operate in the payroll system at Dobson Ltd. For each example, select the type of computer control which it illustrates.

Password protection limiting access to data
A General IT
B Information processing

Range checks on payroll processing
C General IT
D Information processing

Manual checks to ensure that timesheets are authorised before details are processed
E General IT
F Information processing

A

Correct answer(s):
A General IT
Correct answer(s):
D Information processing. Range checks are application controls within information processing, ensuring that data entered falls within a predefined range (e.g., salary limits in payroll).
Correct answer(s):
F Information processing
Password protection constitutes a general IT control. The remaining controls are information processing controls.

69
Q

Which three of the following are general IT controls?
A Disaster recovery procedures
B Back-up copies of programs stored at an alternative safe location
C Procedures for resubmission of rejected data
D Staff training in the use of new/revised programs

A

A Disaster recovery procedures
B Back-up copies of programs stored at an alternative safe location
D Staff training in the use of new/revised programs
Procedures for resubmission of rejected data are an information processing control.

70
Q

24 An effective system of internal control requires segregation of basic functions. Which three of the following functions should ideally be segregated?
A Authorisation of transactions
B Preparation of financial statements
C Custody or handling of assets
D Budgetary control
E Recording of transactions

A

A Authorisation of transactions
C Custody or handling of assets
E Recording of transactions
Authorisation of transactions, custody or handling of assets and recording of transactions are the three functions which should ideally be separated such that no one person can initiate the transaction, record that transaction in the accounting records and have custody of assets which arise from that transaction. For fraud to take place, with such segregation of duties, there would have to be significant collusion. Preparing financial statements is a function which follows from the recording of transactions and effective budgetary control can only take place once there is confidence in the integrity of data coming from effective systems of internal control.

71
Q

25 An audit committee is a committee with responsibility for audit-related matters. Which one of the following could be members of an effective audit committee?
A Executive directors only
B Non-executive directors only
C Non-executive directors and internal auditors
D Non-executive directors and external auditors

A

B Non-executive directors only
An audit committee is made up of non-executive directors only.

72
Q

26 ISA (UK) 315 (Revised), Identifying and Assessing the Risks of Material Misstatement states that a system of internal control in an organisation consists of five components: (i) Control environment; (ii) The entity’s risk assessment process; (iii) The entity’s process to monitor the system of internal control; (iv) The information system and communication; and (v) Control activities.
For each of the following examples, select which component is illustrated.

The entity’s organisational structure
A Control environment
B Control activities
C The entity’s process to monitor the system of internal control

Review by management of monthly bank reconciliations
D Control environment
E Control activities
F The entity’s process to monitor the system of internal control

A

Correct answer(s):
A Control environment

Correct answer(s):
F The entity’s process to monitor the system of internal control
The entity’s organisational structure is part of the entity’s control environment. The entity’s process to monitor the system of internal control involves a review of the effectiveness of controls and whether they need to be improved – hence a review by management of monthly bank reconciliations is part of that monitoring process.

73
Q

Define Control Activities and Monitoring

A

Control Activities:
Definition: Control activities are the specific actions or procedures designed to address risks and ensure objectives are achieved. These are typically operational in nature and are performed at various levels within the organisation.
Examples:
Requiring dual approval for payments.
Performing reconciliations (the act of reconciling itself, not the review).
Automated checks or controls in IT systems.

Monitoring:
Definition: Monitoring focuses on assessing whether the internal control system, including control activities, is effective and functioning as intended over time. It involves evaluating the operation of controls to identify deficiencies or areas for improvement.
Examples:
Reviewing reconciliations to ensure they were performed accurately.
Following up on control deficiencies identified in internal audits.
Reviewing performance metrics to ensure controls are working as intended.

74
Q

Why is Reviewing Bank Reconciliations Considered Monitoring?

A

The review by management of monthly bank reconciliations is not the act of performing the reconciliation itself, but rather evaluating the quality and accuracy of that control (the reconciliation). This is a monitoring activity, because:
It assesses whether the reconciliation process (a control activity) was properly performed.
The purpose of the review is to ensure that the control is functioning and detect deficiencies or errors in the process.

If it Were a Control Activity:
If the example was about performing the reconciliation itself, then it would be classified as a control activity. However, in this case, reviewing the reconciliation shifts the focus to monitoring the effectiveness of the control.

75
Q

30 ISA (UK) 315 (Revised) Identifying and Assessing the Risks of Material Misstatement states that a system of internal control in an organisation consists of five components: (i) Control environment; (ii) The entity’s risk assessment process; (iii) The entity’s process to monitor the system of internal control; (iv) The information system and communication; and (v) Control activities.
For each of the following examples, select which component is illustrated.
The entity’s internal audit function
A Control environment
B Control activities
C The entity’s process to monitor the system of internal control
The audit committee
D Control environment
E Control activities
F The entity’s process to monitor the system of internal control

A

Correct answer(s):
C The entity’s process to monitor the system of internal control
The internal audit function monitors internal controls that are already in operation.
Correct answer(s):
D Control environment
The audit committee is part of the control environment as it contributes to the status of internal controls within an organisation.

76
Q

32 For each of the following statements about audit committees, select whether the statement is true or false.
Audit committees are responsible for recommending the appointment of the external auditor.
A True
B False
One of the roles of the audit committee is to review the integrity of formal announcements relating to the company’s performance.
C True
D False

A

Correct answer(s): A True
The external auditor is appointed by shareholders, but the audit committee makes recommendations in relation to this.
Correct answer(s): C True
The audit committee reviews the integrity of the financial statements of the company and formal announcements relating to the company’s performance.

77
Q

33 Which two of the following are controls over input completeness?
A Document counts
B Manual check to ensure input was by authorised personnel
C Screen warning to prevent logout before processing is complete
D Programmed matching of input to an expected input control file

A

A Document counts
D Programmed matching of input to an expected input control file
All options are examples of information processing controls. Document counts ensure that the expected number of documents is submitted, and hence that the documents are complete.
A manual check to ensure input was by authorised personnel is a control over input authorisation, not completeness.
A screen warning to prevent logout before processing is complete is a control over input processing.
A programmed matching of input to an expected input control file is a control over input completeness (this is similar in principle to a document count).

78
Q

35 The following are examples of computer controls which operate at Mesa plc. For each example, select the type of computer control which it illustrates.
Approval of new applications by a sample of users and by management
A General IT
B Information processing
Virus checks on software on employees’ computers
C General IT
D Information processing
A check that all data entered in a field contains the correct number of digits
E General IT
F Information processing

A

Correct answer(s): A General IT
Approval of applications by a sample of users and by management is a general IT control related to the development of computer applications.
Correct answer(s):
C General IT
Virus checks on software on employees’ computers is a general IT control.
Correct answer(s):
F Information processing
A check that all data entered in a field contains the correct number of digits is an information processing control, since it relates to the processing of data in a particular field in a particular application.

79
Q

36 The auditor of Nile plc enquired about a low sales figure for December when carrying out an analytical review at the planning stage. In previous years December has typically been the month with the highest sales value. Nile sells a range of products, and all sales are made online through its website.
The directors explained that this was due to a cyberattack where a third party had deliberately overloaded the website and underlying servers preventing legitimate customers from purchasing online for a period during December.
Which one of the following best describes the method of cyberattack at Nile?
A A virus
B Denial of service
C Spyware
D Fraud

A

B Denial of service
The attack is a Denial of Service (DoS) attack. Such attacks are characterised by an attempt by attackers to prevent legitimate users (the customers) from using a service.

80
Q

37 It has become increasingly clear in recent years that cybersecurity is a major issue for most organisations.
For each of the following statements, select whether they are true or false in respect of cyberattacks and cybersecurity.
Audit committees are responsible for putting in place adequate provisions to safeguard the organisation against cyberattacks.
A True
B False
Organisational structures should define responsibility and accountability for cybersecurity.
C True
D False
It is generally easier for smaller organisations to introduce controls to mitigate the risks of cyberattacks than it is for larger organisations.
E True
F False

A

Correct answer(s): B False
Executive management are responsible for putting in place adequate provisions to safeguard the organisation against cyberattacks. Audit committees also need to play a part in tackling cybersecurity, by ensuring that the executive management have put in place adequate provisions and fulfilled their responsibilities.
Correct answer(s): C True
Organisational structures need to define responsibility and accountability for cybersecurity. In recent years there has been a growth in the number of entities operating information security functions.
Correct answer(s): F False
Creating new positions such as the chief information security officer role and introducing dedicated information security teams is often unviable for smaller entities. Larger organisations will normally have teams in place to help prevent and react to cyberattacks.

81
Q

Control Environment

Define
Key Features
Examples

A

Control Environment
Definition: The foundation of internal control, reflecting the overall attitude, awareness, and actions of management and governance regarding internal control’s importance.
Purpose: Sets the tone at the top of the organization, establishing discipline and structure for internal controls.
Key Features:
Organizational structure (e.g., roles, responsibilities, reporting lines).
Integrity and ethical values (e.g., codes of conduct).
Commitment to competence (ensuring employees are skilled).
Governance and management oversight (e.g., board of directors, audit committees).
Accountability mechanisms.
Examples:
The company’s organizational structure.
Management’s attitude toward internal controls.
A code of conduct for employees.

82
Q

Control Activities

Define
Key Features
Examples

A

Definition: Specific policies, procedures, and actions designed to mitigate identified risks and ensure objectives are achieved.
Purpose: Ensure that directives issued by management are carried out and reduce the likelihood of material misstatements in financial reporting.
Key Features:
Preventive controls (e.g., segregation of duties, approval processes).
Detective controls (e.g., reconciliations, reviews).
Manual or automated activities.
Focuses on operational effectiveness and efficiency.
Examples:
Requiring dual authorization for payments.
Range checks to ensure data integrity.
Physical controls over assets (e.g., locks, restricted access).

83
Q

The Entity’s Process to Monitor the System of Internal Control

Define
Key Features
Examples

A

Definition: The processes management uses to evaluate the effectiveness of the system of internal control over time and take corrective actions when necessary.
Purpose: Ensure that internal controls remain effective, adapt to changes, and address deficiencies.
Key Features:
Ongoing evaluations (embedded in regular operations).
Separate evaluations (periodic reviews or internal audits).
Reporting and remediation of deficiencies.
Examples:
Review of monthly bank reconciliations by management.
Regular internal audit checks on key controls.
Management’s review of exception reports for anomalies.