Chapter 5 - Introduction to internal control and information flows Flashcards

1
Q

What is the definition of internal control?

A

Internal control: ‘The process designed, implemented and maintained by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations.’

2
Q

What are the 3 main reasons for implementing internal controls?

A

These are our objectives
Internal controls minimise business risks, ensure the effective functioning of the company, and help the company comply with laws and regulations

3
Q

What are some inherent limitations of internal control? (4)

A

CHEW

COLLUSION
HUMAN ELEMENT
EXPENSE
WEIRD TRANSACTION

Collusion - 2 or more people working together to bypass a control
Human element - Some controls are only as good as the people operating them. If a mistake is made in implementing the control, the control may be ineffective, e.g. mistyping, leaving a door open
Expense - Controls can be expensive; is it worth having the control? Some controls are only as good as the people operating them. If a mistake is made in implementing the control, the control may be ineffective
Weird Transactions - Controls are generally designed to deal with what routinely happens. For an unusual transaction the control may not be relevant or may not exist

4
Q

How is collusion an inherent limitation of internal control?

A

Collusion - 2 or more people working together to bypass a control

5
Q

How is human element an inherent limitation of internal control?

A

Human element - Some controls are only as good as the people operating them. If a mistake is made in implementing the control, the control may be ineffective, e.g. mistyping, leaving a door open

6
Q

How is expense an inherent limitation of internal control?

A

Expense - Controls can be expensive; is it worth having the control? Some controls are only as good as the people operating them. If a mistake is made in implementing the control, the control may be ineffective

7
Q

How is weird transaction an inherent limitation of internal control?

A

Weird Transactions - Controls are generally designed to deal with what routinely happens. For an unusual transaction the control may not be relevant or may not exist

8
Q

CHEW

A

These are the 4 limitations of internal controls

COLLUSION
HUMAN ELEMENT
EXPENSE
WEIRD TRANSACTION

9
Q

What is the control environment, and why is it significant?

A

The control environment includes governance functions and management’s attitudes, setting the tone of an organisation and influencing the control consciousness of its people. It is fundamental in supporting a robust internal control system.

3 A’s = Attitudes, Awareness and Actions

10
Q

What are the 5 components of internal controls?

A

CRIME

CONTROL ACTIVITIES
RISK ASSESSMENT
IT SYSTEM + COMMS
MONITORING
ENVIRONMENT
- control environment on 3A’s
- audit committee

11
Q

CRIME

A

These are the 5 components of internal controls

CONTROL ACTIVITIES
RISK ASSESSMENT
IT SYSTEM + COMMS
MONITORING
ENVIRONMENT

12
Q

crimE - ENVIRONMENT
What importance does the strength of a control environment have on auditors?

A

The control environment is therefore very important to the auditors and they will evaluate it as part of their risk assessment process. If the control environment is strong, then auditors will be more inclined to rely on the controls system in the entity than if it is weak.

WEAK = MORE SUBSTANTIVE TESTING

13
Q

crimE - ENVIRONMENT
Do all companies have an audit committee?

A

It is required for listed companies and is a best practice for large companies to ensure proper oversight.

Rules are generally stricter for limited companies

14
Q

crimE - ENVIRONMENT
What role does an audit committee play in the control environment?

A

An audit committee, a subcommittee of the board, oversees the internal control structure, financial reporting, and compliance with laws, often supporting both internal and external audits

15
Q

crimE - ENVIRONMENT
Who typically comprises the Audit Committee?

A

The Audit Committee is made up of Non-Executive Directors (NEDs).

These are independent people who advise. Usually paid a fixed fee, not employed full time. Do not participate in daily management but provide independent oversight and advice. Their role is to challenge and provide objective perspectives on management’s decisions. Are expected to remain independent and objective, as they provide an external viewpoint to avoid potential conflicts of interest. Represent shareholder interests and focus on governance, risk management, and ensuring accountability. They may chair subcommittees like the Audit, Remuneration, or Nomination Committees.

16
Q

crimE - ENVIRONMENT
What is the difference between an executive vs non-executive director?

A

Executive Director - Employees, standard pay e.g. CEO, CFO, COO, CIO, CTO
Are involved in the day-to-day management of the company and are responsible for executing the company’s strategic goals. May not be as independent due to their direct involvement in the company’s operations. Represent the management’s perspective and bring insights into operational and strategic issues.

Non-Executive Director - These are independent people who advise. Usually paid a fixed fee, not employed full time. Do not participate in daily management but provide independent oversight and advice. Their role is to challenge and provide objective perspectives on management’s decisions. Are expected to remain independent and objective, as they provide an external viewpoint to avoid potential conflicts of interest. Represent shareholder interests and focus on governance, risk management, and ensuring accountability. They may chair subcommittees like the Audit, Remuneration, or Nomination Committees.

17
Q

crimE - ENVIRONMENT
What is one of the key responsibilities of the Audit Committee concerning financial statements?

A

Ensuring the integrity of the financial statements, often with the help of an external auditor.

18
Q

crimE - ENVIRONMENT
What is the Audit Committee’s role in internal controls?

A

They ensure that internal controls and risk management systems are robust, often with the assistance of an internal auditor.

19
Q

crimE - ENVIRONMENT
How does the Audit Committee assess the objectivity of the external auditor?

A

By reviewing the length of service, remuneration, and any non-audit services provided.

20
Q

crimE - ENVIRONMENT
What is one of the Audit Committee’s responsibilities related to external auditors?

A

They recommend the appointment and removal of external auditors.

21
Q

crimE - ENVIRONMENT
What aspects of the internal audit does the Audit Committee monitor and review?

A

The committee reviews the internal audit’s skill and experience, resources, and independence.

22
Q

cRime - RISK ASSESSMENT
What is the purpose of a company’s risk assessment process?

A

Risk assessment involves identifying business risks that could impact the entity’s objectives and determining actions to mitigate those risks.

BUSINESS RISK - A risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity’s ability to achieve its objectives and execute its strategies.

23
Q

cRime - RISK ASSESSMENT
Define “Business Risk.”

A

A risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity’s ability to achieve its objectives and execute its strategies.

24
Q

cRime - RISK ASSESSMENT
What is the process of a risk assessment? (4) Who would establish the process? (1)

A

Those charged with governance (TCWG) should establish the following process:
1. Identification of business risk
   - Risk register
2. Estimate Impact
3. Assess likelihood
4. Actions to manage

25
Q

cRime - RISK ASSESSMENT
Why are auditors interested in business risks?

A

Because business risks that threaten the business can also pose a risk of financial statement misstatements.

26
Q

crIme - IT SYSTEM + COMMS
What is the purpose of the information system and communication in internal control?

A

It includes the financial reporting system and consists of procedures by which transactions are initiated, recorded, processed, corrected, and reported.

27
Q

crIme - IT SYSTEM + COMMS
Why is the information system important to auditors?

A

Auditors are concerned with the reliability of the information system as it impacts the accuracy and integrity of financial statements.

28
Q

crIme - IT SYSTEM + COMMS
What does ‘Initiated’, ‘Recorded’, ‘Processed’, ‘Corrected’ and ‘Reported’ mean in the context of information systems?

A

INITIATED - It refers to how a transaction is known to have occurred, requiring a source document like an invoice as evidence.
RECORDED - It ensures that debits and credits are posted correctly, and checks if the system verifies correct entries.
PROCESSED - Information flows from the nominal ledger to the trial balance to the financial statements, and the system’s ability to maintain accuracy throughout is assessed.
CORRECTED - It involves ensuring that journal entries are approved, authorised, and any manual postings have restrictions to maintain accuracy.
REPORTED - It is the final stage where the financial statements are generated from the processed information.

29
Q

crIme - IT SYSTEM + COMMS
What are information processing controls, and why are they important?

A

These are automated or manual procedures at the business process level that ensure data integrity, covering completeness, existence, and accuracy. Exist WITHIN your system.
They relate to input, processing, or output data.

30
Q

crIme - IT SYSTEM + COMMS
What do information processing controls relate to?

A

They relate to input, processing, or output data.

31
Q

crIme - IT SYSTEM + COMMS

A
32
Q

crIme - IT SYSTEM + COMMS
What are controls over input completeness?

A

They ensure all data is captured, such as one-for-one checking of processed output to source documents and running exception reports.

33
Q

crIme - IT SYSTEM + COMMS
What are controls over input accuracy/integrity?

A

These include programs to verify data fields with checks like digit verification, reasonableness tests, existence checks, character checks, and permitted ranges.

- Digit verification (e.g. reference numbers are as expected)
- Reasonableness test (e.g. VAT to total value)
- Existence checks (e.g. customer name)
- Character checks (no unexpected characters used in reference)
- Permitted range (no transaction processed over a certain value)

34
Q

crIme - IT SYSTEM + COMMS
What are controls over input authorisation?

A

They ensure information input is authorised, such as requiring digital signatures or passwords from authorised personnel.

35
Q

crIme - IT SYSTEM + COMMS
What are controls over processing of inputs?

A

Controls that ensure processing is completed, like screen warnings to prevent logging out before processing is done.

36
Q

Crime - CONTROL ACTIVITIES
Define control activities in an internal control system

A

Control activities are actions by management to prevent or detect fraud and errors, safeguarding assets and ensuring accurate financial reporting

37
Q

Crime - CONTROL ACTIVITIES
PARIS V

A

Physical or logical controls e.g. security
Authorisation procedures e.g. journals/time sheets
Reconciliations e.g. bank
Information processing and general IT controls e.g. passwords
Segregation of duties
Verifications

See Ch 3 for more FCs

38
Q

Crime - CONTROL ACTIVITIES
What are general controls in information systems?

A

AROUND THE SYSTEM

General controls: Policies and procedures that relate to many applications and support the effective function of the information processing controls by helping to ensure the continued proper operation of information systems.

Policies and procedures that support the function of information processing controls and ensure the continued proper operation of information systems.

39
Q

Crime - CONTROL ACTIVITIES
What are some controls involved in the “Development of computer applications”?

A

Standards for systems design, full testing procedures, approval by users and management, and staff training in new procedures.

- Standards over systems design, programming and documentation
- Full testing procedures prior to use
- Approval by computer users and management
- Training of staff in new procedures

40
Q

Crime - CONTROL ACTIVITIES
What is a key control to prevent or detect unauthorised changes to programs?

A

Password protection, restricted access to the central computer, and use of virus checks.

- Password protection of programs so that access is limited to computer operations staff
- Restricted access to central computer by locked doors, keypads
- Virus checks on software: use of anti-virus software and policy prohibiting use of non-authorised programs or files

41
Q

Crime - CONTROL ACTIVITIES
Why is “Testing and documentation of program changes” important in general controls?

A

To ensure new systems work correctly, with testing, proper documentation, and approval by users and management.

- Complete testing procedures
- Documentation of program changes
- Documentation of new systems
- Approval of changes by computer users and management

42
Q

Crime - CONTROL ACTIVITIES
What is an example of a control to prevent unauthorised amendments to data files?

A

Using passwords and built-in controls to prevent unauthorised data changes.

43
Q

Crime - CONTROL ACTIVITIES
How can a company ensure continuity of operations through general controls?

A

By storing extra copies of programs off-site, protecting equipment, having backup power sources, and maintaining disaster recovery procedures.

44
Q

Crime - CONTROL ACTIVITIES
What are some backup measures included in general controls?

A

Back-up power sources, back-up copies of programs stored off-site, and emergency procedures.

45
Q

Crime - CONTROL ACTIVITIES
What types of maintenance agreements are part of ensuring continuity of company operations?

A

Agreements for regular maintenance and insurance to protect against loss or damage.

46
Q

criMe - MONITORING
Why should an entity review its overall control system?
What happens if an entity’s control system is not reviewed and corrected as needed?

A

To ensure it still meets its objectives, operates effectively and efficiently, and allows timely corrections if needed.
The control system may not operate optimally, potentially leading to inefficiencies and risks.

47
Q

criMe - MONITORING
This is often a role of the internal audit department within the company.

A

This is often a role of the internal audit department within the company.

48
Q

criMe - MONITORING
What is a management report in the context of an audit?
What does this look like?

A

A report produced by auditors at the end of an audit, outlining any deficiencies observed in the internal controls.

Looks like
1. Deficiency - This is the weakness
2. Consequence - What could happen as a result of the deficiency (COULD)
3. Recommend - What would you recommend (SHOULD)

49
Q

criMe - MONITORING
What is the responsibility of auditors regarding control deficiencies according to ISAs?

A

Auditors are required to identify control deficiencies and communicate them to those charged with governance.

50
Q

How do auditors obtain information about internal controls?

A

Through company manuals, records from previous years (e.g. management letter), discussions with internal control personnel, and observation of control activities.

Records from previous years - It helps auditors understand the historical context of controls and identify any recurring issues.

51
Q

What role does observation play in understanding internal controls?

A

Auditors observe operations to see control activities being implemented in practice, which helps validate their effectiveness.

52
Q

What are the three types of documents used for recording internal controls?

A

Narrative notes, questionnaires and checklists, and diagrams.

NN - They are good for simple systems and providing background information but are less effective for complex systems.
Q&C - They ensure all bases are covered as an aide-memoire but can be mechanical, causing important questions to be missed or simply ticked off.
D - They are useful for complex systems, like flowcharts for processes, organizational charts, and family trees for related party transactions.

53
Q

When are “Narrative Notes” useful for recording internal controls?

A

They are good for simple systems and providing background information but are less effective for complex systems.

54
Q

What are the advantages and limitations of using “Questionnaires and Checklists” for recording internal controls?

A

They ensure all bases are covered as an aide-memoire but can be mechanical, causing important questions to be missed or simply ticked off.

55
Q

In what scenarios are “Diagrams” most helpful for recording internal controls?

A

They are useful for complex systems, like flowcharts for processes, organizational charts, and family trees for related party transactions.

56
Q

What is a walk-through test in internal control evaluation?

A

A walk-through test involves tracing a few transactions through the financial reporting system to verify the auditor’s understanding of controls.

57
Q

Which one of the following is a reason that organisations have effective systems of control? To assist the organisation in:
A Maximising profitability
B Maximising operating efficiency
C Reducing time required for the statutory audit
D Minimising audit risk

A

B Maximising operating efficiency

58
Q

The following are examples of internal controls which operate at Searson plc. For each example, select the one type of control activity which it illustrates.
Authorisation
Reconciliation
Information processing
Physical

(1) The financial controller investigates the exception report of unmatched transactions from the electronic banking system

(2) Searson regularly counts its high risk/high value inventory on a monthly basis and compares it with amounts in the accounts

(3) Searson regularly compares its trade payable ledger to supplier statements; discrepancies are resolved to make sure they agree

A

(1) The financial controller investigates the exception report of unmatched transactions from the electronic banking system
INFORMATION PROCESSING

(2) Searson regularly counts its high risk/high value inventory on a monthly basis and compares it with amounts in the accounts
PHYSICAL

(3) Searson regularly compares its trade payable ledger to supplier statements; discrepancies are resolved to make sure they agree
RECONCILIATION

59
Q

Most entities use IT systems for financial reporting and operational purposes. Controls operating in an IT environment can be split into general controls and information processing controls.
Which two of the following are information processing controls?
A Permitted range
B Digit verification
C Passwords
D Virus checks

A

A Permitted range
B Digit verification