Chapter 5 - Introduction to internal control Flashcards

1
Q

Define internal control.

A

The process designed, implemented and maintained by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations and compliance with applicable laws and regulations.

The term ‘controls’ refers to any aspects of one or more of the components of internal control.

2
Q

What are three reasons for internal controls?

A

minimising the company’s business risks

ensuring the continuing effective functioning of the company

ensuring the company complies with relevant laws and regulations

3
Q

What are three limitations of internal controls?

A

Human element

Collusion

Unusual transactions - Internal controls are generally only designed for routine, normal transactions

Difficult for small companies - Small companies generally have fewer employees than larger companies, meaning that there are fewer people to involve in the internal control system. If a small company does not have enough staff to involve many people in the internal control system, the control system will be weaker.

4
Q

What are the five components of internal control?

A

The control environment

The entity’s risk assessment process

The information system

Control activities

Control systems

5
Q

Define the control environment.

A

The control environment includes the governance and management functions and the attitudes, awareness and actions of those charged with governance and management concerning the entity’s internal control and its importance in the entity. The control environment sets the tone of an organisation, influencing the control consciousness of its people.

6
Q

What is the audit committee?

A

The audit committee is an important aspect of the control environment of the company. It is a sub-committee of the board of directors responsible for overseeing an entity’s internal control structure, financial reporting and compliance with relevant laws and regulations.

7
Q

What is the audit committee comprised of?

A

The audit committee is comprised of non-executive directors. It is a requirement in UK listed companies under the rules of the UK Corporate Governance Code.

8
Q

What does the UK Corporate Governance Code require the audit committee to have in terms of written terms of reference?

A

To review the integrity of the financial statements of the company and formal announcements relating to the company’s performance.

To review the company’s internal financial controls and the company’s risk management systems

To monitor and review the effectiveness of the company’s internal audit function (if relevant)

To make recommendations to the board in relation to the external auditor.

To monitor the independence of the external auditor.

To implement policy on the provision of non-audit services by the external auditor.

9
Q

Define the entity’s risk management process.

A

A component of internal control that is the entity’s process for identifying business risks relevant to financial reporting objectives and deciding about actions to address those risks, and the results thereof.

Identify relevant business risks –> Estimate the significance of the risks –> Assess the likelihood of occurrence –> Decide upon actions

10
Q

Define business risk.

A

Risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity’s ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies.

Internal controls are implemented to minimise business risk.

11
Q

Define information system relevant to financial reporting.

A

A component of internal control that includes the financial reporting system, and consists of the procedures and records established to initiate, record, process and report entity transactions (as well as events and conditions) and to maintain accountability for the related assets, liabilities and equity.

12
Q

What aspects of the information system will auditors be interested in?

A

the classes of transactions that are significant to the entity’s financial statements

the procedures by which transactions are initiated, recorded, processed, corrected and reported

the related accounting records and supporting information

how the information system captures events other than transactions that are significant to the financial statements

the process of preparing the financial statements

13
Q

Define control activities.

A

They are the policies and procedures that help ensure that management directives are carried out.

14
Q

What are five types of control activities?

A

Authorisation - Approval of transactions/documents

Performance reviews - Review and analysis of actual performance versus budgets, relating different sets of data to one another, comparing internal data with external sources of information, review of functional or activity performance.

Information processing - Controls to check the accuracy, completeness and authorisation of transactions.

Physical controls - Physical security of assets, authorisation for access to computer programs and data files, periodic counting and comparison with the amount shown on accounts.

Segregation of duties - Assigning different individuals the responsibilities of authorising transactions, recording transactions and maintaining custody of assets.

15
Q

What are the two types of information processing controls in a computerised environment?

A

Application controls

General controls

16
Q

Define application controls

A

Manual or automated procedures that typically operate at a business process level. Application controls can be preventative or detective in nature and are designed to ensure the integrity of the accounting records. Accordingly, application controls relate to procedures used to initiate, record, process and report transactions or other financial data.

17
Q

Define general controls

A

Policies and procedures that relate to many applications and support the effective function of application controls by helping to ensure the continued proper operation of information systems.

18
Q

What are six examples of general controls?

A

Development of computer applications

Prevention or detection of unauthorised changes to programs

Testing and documentation of program changes

Controls to prevent wrong programs or files being used

Controls to prevent unauthorised amendments to data files

Controls to ensure continuity of operations

19
Q

What are six aspects of the development of computer applications [general controls]?

A

Standards over systems design, programming and documentation

Full testing procedures using test data

Approval by computer users and management

Segregation of duties so that those responsible for design are not responsible for testing

Installation procedures so that data is not corrupted in transition

Training of staff in new procedures and availability of adequate documentation

20
Q

What are nine aspects of prevention or detection of unauthorised changes to programs [general controls]?

A

Segregation of duties

Full records of program changes

Password protection of programs so that access is limited to computer operations staff

Restricted access to central computer by locked doors, keypads

Maintenance of program logs

Virus checks on software: use of anti-virus software and policy prohibiting use of non-authorised programs or files

Back-up copies of programs being taken and stored in other locations

Control copies of programs being preserved and regularly compared with actual programs

Stricter controls over certain programs (utility programs) by use of read only memory

21
Q

What are four aspects of testing and documentation of program changes [general controls]?

A

Complete testing procedures

Documentation standards

Approval of changes by computer users and management

Training of staff using programs

22
Q

What are three aspects of controls to prevent wrong programs or files being used [general controls]?

A

Operation controls over programs

Libraries of programs

Proper job scheduling

23
Q

What is an aspect of controls to prevent unauthorised amendments to data files [general controls]?

A

Passwords to prevent unauthorised entry

Built in controls to permit changes

24
Q

What are six aspects of controls to ensure continuity of operations [general controls]?

A

Storing extra copies of programs and data files off-site

Protection of equipment against fire and other hazards

Back-up power sources

Emergency procedures

Disaster recovery procedures eg, availability of back-up computer facilities

Maintenance agreements and insurance

25
Q

Should general controls be reviewed before application controls?

A

Yes.

As application controls may be useless when general controls are ineffective, it will be more efficient to review the design of general controls first, before reviewing the application controls.

26
Q

What is the purpose of application controls?

A

The purpose of application controls is to establish specific control activities over the accounting applications in order to provide reasonable assurance that all transactions are authorised and recorded, and are processed completely, accurately and on a timely basis

27
Q

What are five examples of application controls?

A

Controls over input completeness

Controls over input accuracy

Controls over input authorisation

Controls over processing

Controls over master files and standing data

28
Q

What are five aspects of Controls over input completeness [Application controls]?

A

Manual or programmed agreement of control totals

Document counts

One-for-one checking of processed output to source documents

Programmed matching of input to an expected input control file

Procedures over resubmission of rejected data

29
Q

What are three aspects of controls over input accuracy [Application controls]?

A

Digit verification (eg, reference numbers are as expected)

Reasonableness test (eg, VAT to total value)

Existence checks (eg, customer name)

Character checks (no unexpected characters used in reference)

Necessary information (no transaction passed with missing information)

Permitted range (no transaction processed over a certain value)

Manual scrutiny of output and reconciliation to source

Agreement of control totals (manual/programmed)

30
Q

What are two aspects of Controls over input authorisation [Application controls]?

A

Manual checks to ensure information input was:

  • authorised
  • input by authorised personnel

31
Q

What are two aspects of Controls over processing [Application controls]?

A

Similar controls to input must be completed when input is completed, for example, batch reconciliations

Screen warnings can prevent people logging out before processing is complete

32
Q

What are four aspects of Controls over master files and standing data [Application controls]?

A

One to one checking of master files to source documents (such as payroll master files to individual employee personal files)

Cyclical reviews of all master files and standing data

Record counts (number of documents processed) and hash totals (for example, the total of all the payroll numbers) used when master files are used to ensure no deletions

Controls over the deletion of accounts that have no current balance

33
Q

What three application controls may an auditor wish to test?

A

Manual controls exercised by the user

Controls over system output

Programmed control procedures

34
Q

What are six cyber security risks that an organisation may face?

A

Human threats such as hacking.

Fraud

Deliberate sabotage

Viruses and other corruptions

Malware

Denial of Service (DoS) attack

35
Q

What are four suggestions for how organisations may combat cyber security risks?

A

Communication is a key barrier to common understanding and discussion.

Organisational structures need to define responsibility and accountability for cyber security.

Board-level accountability for cyber risks needs to be determined

Non-executive directors and audit committees also need to play a part

36
Q

What should an entity do in terms of monitoring of controls?

A

An entity should review its overall control system to ensure that it still meets its objectives, still operates effectively and efficiently, and that necessary corrections to the system are made on a timely basis.

37
Q

What are three types of document which are used for recording the understanding of the business?

A

Narrative notes

Questionnaires/checklists

Diagrams

38
Q

What are narrative notes good for?

A

These are good for things like:

  • short notes on simple systems
  • background information

They are less good when things get more complex, at which point diagrams tend to take over.

39
Q

What are questionnaires and checklists good for?

A

These are good as aide memoires to ensure you have all the bases covered

but

  • can lead to a mechanical approach so that an important extra question is never asked
  • tick boxes often get ticked whether the brain is engaged or not
40
Q

What do diagrams include and what are they good for?

A

These include:

  • flowcharts
  • organisation charts
  • family trees
  • records of related parties

Organisation charts and family trees are without doubt the best way of recording relationships, reporting lines, etc.

Flow charts of systems are an excellent and comprehensive way of recording systems, but they are time-consuming to construct and can be difficult for the reader to assimilate.

41
Q

Define walk-through procedure.

A

A procedure that involves tracing a few transactions through the financial reporting system.

Walk-through procedures would normally be performed near the start of the fieldwork stage of the audit. They involve tracing transactions from the very beginning to the very end, in order to confirm that the auditor has correctly understood how the controls are supposed to operate.

42
Q

Are walk-through procedures tests of controls?

A

No.

Walk-through procedures aim to test the auditor’s understanding and are not tests of controls.