Chapter 7 Flashcards
Explain the seven generally accepted objectives of internal control activities.
Internal controls are designed and implemented to ensure that transactions are real, recorded, correctly valued, classified, summarized, and posted, and timely.
Understand and describe the elements of internal control at the entity level.
Transaction-level controls are controls that impact a particular transaction or group of transactions. Transactions in this sense refer to transactions that are ordinarily recorded in the general ledger for the client and span from initiation of the transaction through to the reporting of the transaction in the financial statements. Transaction-level controls are those controls that respond to things that can go wrong with transactions.
Explain the different techniques used to document internal controls.
The most common forms of documentation are narratives, flowcharts, combinations of narratives and flowcharts, and checklists and preformatted questionnaires.
Explain the importance of identifying strengths and weaknesses in a system of internal controls.
An important outcome of understanding a client’s system of internal controls is the ability to make observations, draw conclusions, and offer recommendations regarding the strengths and weaknesses observed. CAS 260 and CAS 265 require auditors to provide those charged with governance with timely observations arising from the audit. This is generally done through a management letter.
Explain how to communicate internal control strengths and weaknesses to those charged with governance.
A management letter (sometimes also referred to as a letter of recommendations) is a deliverable prepared by the audit team and provided to the client (including those charged with governance). It informs the client of the auditor’s recommendations for improving its internal controls.
Define internal control.
Internal control is the process designed, implemented, and maintained by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of the entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. The term “controls” refers to any aspects of one or more of the components of internal control. Controls include entity-level controls and transaction-level controls.
Why is it important to understand (and assess) internal controls?
Because when controls are effective, the organization is more likely to achieve its strategic and operating objectives. Internal control is a very broad concept and encompasses all of the elements of an organization—its resources, systems, processes, culture, structure, and tasks. When these elements are taken together, they support the organization to achieve its objectives.
Where internal controls put in place by management agree closely with the theoretical framework, the internal controls may be described as _______. However, where internal controls do not agree closely with the theoretical framework, they may be described as _____.
strong, weak
Internal control, no matter how effective, can only provide an entity with reasonable assurance in achieving its financial reporting objectives. There are inherent limitations of internal control. These include:
human error that results in a breakdown in internal control
ineffective understanding of the purpose of a control
collusion by two or more individuals to circumvent a control
a control within a software program being overridden or disabled.
Internal control consists of five components
- the control environment
- the entity’s risk assessment process
- the information system, including the related business processes, relevant to financial reporting, and communication
- control activities
- monitoring of controls.
Gaining an understanding of the entity-level internal control components helps in
establishing the appropriate level of professional scepticism, gaining an understanding of the client’s business and financial statement risks, and making assessments of inherent risk, control risk, and the combined risk of material misstatement, which, in turn, determines the nature, timing, and extent of audit procedures.
The control environment also sets the foundation for effective internal control, providing discipline and structure, and includes the following elements
Communication and enforcement of integrity and ethical values
Commitment to competence (considering the skill levels required for particular positions within the organization and making sure that staff with the required skills are hired and matched to the right jobs)
Participation by those charged with governance
Management’s philosophy and operating style
Organizational structure
Assignment of authority and responsibility.
Human resource policies and practices.
The top five HR issues are:
- talent management and succession planning
- ethics/tone at the top
- regulatory compliance
- pay and performance alignment
- employee training and development.
One aspect of HR risk that is closely related to financial statement auditing is the effect
of HR policies on promoting and communicating ethical values throughout the organization and ensuring that the appropriate “tone at the top” trickles down through the organization
For financial reporting purposes, the entity’s risk assessment process includes
how management identifies risks relevant to the preparation of the financial statements to ensure a fair presentation in accordance with the entity’s applicable financial reporting framework. For identified risks, management estimates their significance, assesses the likelihood of their occurrence, and decides upon actions to manage them.
Risks relevant to financial reporting include
external and internal events and circumstances that may occur and adversely affect an entity’s ability to initiate, record, process, and report financial data consistent with the assertions of management in the financial statements. For example, new accounting pronouncements and significant changes to the financial reporting standards (such as the change from local accounting standards to IFRS) are externally created risks relevant to the entity’s financial reporting.
The role of information systems
is to capture and exchange the information needed to conduct, manage, and control an entity’s operations. The quality of information and communication affects management’s ability to make appropriate decisions in controlling the organization’s activities and to prepare reliable financial statements.
Control activities
are policies and procedures that help ensure that management’s directives are carried out.
Generally, control activities that may be relevant to an audit may be categorized as policies and procedures pertaining to the following:
Performance reviews
Information processing
Authorization controls
Account reconciliations
Physical controls
Segregation of incompatible duties
In understanding the client’s control activities at the entity level, consideration is given to factors such as:
the extent to which performance of control activities relies on IT
whether the necessary policies and procedures exist with respect to each of the entity’s activities, including IT security and system development
the extent to which controls included in the organization’s policies are being applied
whether management has clear objectives in terms of budget, profit, and other financial and operating goals, and whether these objectives are clearly written, communicated throughout the entity, and actively monitored
whether planning and reporting systems are in place to identify variances from planned performance and communicate such variances to the appropriate level of management
whether the appropriate level of management investigates variances and takes appropriate and timely corrective actions
to what extent duties are divided or segregated among different people to reduce the risk of errors, fraud, or manipulation of results
whether software is used to control access to data and programs and, if so, the extent to which segregation of incompatible duties is achieved by implementing these software controls
whether periodic comparisons are made of amounts recorded in the accounting system with physical assets
whether adequate safeguards are in place to prevent unauthorized access to or destruction of documents, records, and assets.
Transaction Level Internal Controls
Processing orders
Risks
- Orders are processed to the wrong customer
- Orders are accepted from customers with no approved credit history or credit limit
Example Control
- Review of orders processed each day by an independent staff member (for example, a salesperson)
Three-way match of order, shipping document, and invoice before dispatch of goods
- Application control that will only allow orders to be processed for existing approved customers with enough unused credit
Transaction Level Internal Controls
Approving credit
Risks
- Credit is approved for customers unable to pay
- Credit limits are set too high or too low
- Credit limits are exceeded
Example Control
- Credit manager review and authorization of credit application
- Credit manager review of credit limits on a quarterly basis
- Application control requires approval for exceeding credit limits (orders are not processed until exception report generated, reviewed, and approved by credit manager)
Transaction Level Internal Controls
Shipping goods
Risks
- Products are shipped without shipping documents being generated
- Unauthorized shipments may be made
- Goods are shipped to the wrong customer
Example Control
- Application control generates shipping and delivery documentation when order is processed
Three-way match of order, shipping document, and invoice before dispatch of goods
- Person dispatching is not the same as person filling the order (segregation of duties)
Three-way match of order, shipping document, and invoice
Access to shipping area is limited to authorized personnel
- Warehouse staff review delivery address against customer master file
Transaction Level Internal Controls Invoicing customers (Risks)
- Invoices are not correct as to the quantities of goods shipped
- Invoices are raised twice (or more) for the same order, or fictitious invoices are created
- Shipments are made but never invoiced
- Wrong unit prices are used on the invoices
- Quantity times price is incorrectly calculated
- Discounts (such as volume rebates) are incorrectly applied
- Invoices do not add correctly
- Shipping documents and invoices do not reflect correct transaction dates
Transaction Level Internal Controls Invoicing customers (Example Controls)
- Quantities per shipping document marked as correct when picked by warehouse staff
Three-way match of order, shipping document, and invoice
Invoices automatically generated from order and dispatch document
- Three-way match of order, shipping document, and invoice
All orders are assigned a sequential number. System prevents duplicate numbers from being used.
- Three-way match of order, shipping document, and invoice.
Review shipping documents that have not been matched with an invoice
- Approved master price list automatically used by application as source for invoice pricing.
Access to update master price list is restricted to only authorized personnel.
- Application is programmed to calculate correctly
- Sales manager approves all discounts
- Application is programmed to calculate correctly
- Application cannot be modified as to date of transaction (set by calendar) without approval.
Transaction Level Internal Controls
Recording sales and trade receivables (Risks)
- Sales are recorded in the wrong period
- Sales tax, GST, HST, discounts, rebates, and other invoice adjustments are coded to the wrong general ledger account
- Invoices are posted to the wrong customer account
- Fictitious sales are posted
- Sales are not recorded in the sales subsidiary ledger
- Total recorded sales in the sales subsidiary ledger is not recorded in the general ledger
- There are duplicate postings
Transaction Level Internal Controls
Recording sales and trade receivables (Example Controls)
- Date recorded is set by date of transaction in software; therefore, invoice dates cannot be changed without approval
- Application control (driven by approved chart of accounts) within the accounting software used
- Accounts receivable statements are sent to customers monthly and issues promptly resolved
- Three-way match of order, shipping document, and invoice.
Review of journal entries and supporting documentation for any journal entries posted to the sales account
- Application control within the accounting software used
- Application control within the accounting software used
Monthly sales and trade receivables reconciliation between the subsidiary ledgers and general ledger
- Monthly sales and trade receivables reconciliation between the subsidiary ledger and general ledger
Transaction Level Internal Controls
Processing cash receipts
Risks
- Missing cash receipts due to loss or theft
- Cash receipts are recorded at incorrect amount
- Cash receipts posted to wrong customer account
Example Controls
- Cheque pre-listing prepared
Cheques endorsed immediately when received
Cheque pre-list is reconciled to the cash receipts
Accounts receivable statements are sent to customers monthly and issues promptly resolved
- Preparation and review of the monthly bank reconciliation
- Accounts receivable statements are sent to customers monthly and issues promptly resolved
A typical sales process for a client that sells goods includes the following activities:
Accepting and processing orders
Authorizing credit
Shipping goods
Invoicing customers
Recording sales and trade receivables
Processing cash receipts
Writing off uncollectable accounts and providing for bad debts
A typical purchasing and payables cycle includes several activities:
Requisition
Purchasing
Receiving
Invoice processing
Recording purchases and payable
Disbursements
Purchasing process example risks and controls
Purchase requisition
Risks
- Unauthorized purchases are made
Example Control
- Purchase requisitions are prepared by authorized person
Spending limits are set based on level of authority
Purchasing process example risks and controls
Purchasing
Risks
- Purchases are made but they are not recorded in the general ledger for inventory, assets, expenses, or payables
- Purchases are recorded in the general ledger but the goods are never received
- Purchases of unwanted goods are made
Example Control
- Three-way match between purchase order, receiving report, and invoice
Supplier statements reconciled monthly
- Three-way match between purchase order, receiving report and invoice
Regular inventory counts
- All purchase orders are approved by purchasing manager
Purchasing process example risks and controls
Receiving
Risks
- Goods are received that were not ordered
- Goods are damaged when they are received into the warehouse
Example Controls
- Three-way match between purchase order, receiving report, and invoice
- Damaged goods are rejected by warehouse manager, and payables clerk and purchasing officer are notified
Purchasing process example risks and controls
Invoicing
Risks
- The wrong price is charged on the purchase invoice by the supplier
- The wrong amount is paid against an invoice
Example Controls
- Invoice prices are checked against approved purchase orders and master price lists
- All relevant documentation (invoice and cheque) is reviewed and approved by two people
Supplier statements reconciled monthly
Purchasing process example risks and controls
Recording purchases and related items
Risks
- Purchases are recorded in the wrong period
- Sales tax, HST, discounts, rebates, and other invoice adjustments are posted to the wrong general ledger account
- Purchases are not recorded in the purchase journal
- Total recorded purchases in the payables subsidiary ledger is not recorded in the general ledger
- There are duplicate postings
Example Controls
- Date recorded is set by date of transaction in software; therefore, invoice dates cannot be changed without approval
- Application control (driven by approved chart of accounts) within the accounting software used
- Application control within the accounting software used
- Application control within the accounting software used
Monthly purchases journal reconciled to the accounts payable sub-ledger
- Monthly purchases and trade payables reconciliation between the subsidiary ledger and general ledger
Purchasing process example risks and controls
Cash disbursements
Risks
- Cash disbursements are made but not recorded
- Cash disbursements are recorded but not made
- Cash disbursements are recorded at incorrect amounts
- Cash disbursements are posted to wrong vendor account
Example Controls
- Use and review of sequential cheques
- Supplier statements reconciled monthly
Preparation and review of the monthly bank reconciliation
- Cash disbursement journal reconciled to total of cheques issued
Vendor statement reconciliations
Preparation and review of the monthly bank reconciliation
- Supplier statements reconciled monthly
A typical payroll process for a client includes the following activities:
Hiring of personnel
Timekeeping
Compilation of the payroll
Payroll processing
Payroll process example risks and controls
Hiring of personnel
Risks
- Fictitious employees are added to the payroll
Example Controls
- Restrict access to payroll master file
Only authorized employees added to payroll master
Payroll process example risks and controls
Timekeeping
Risks
- Employees may be paid for hours not worked
Example Controls
- Hours worked tracked by time clock
Departmental manager approves hours worked
Payroll process example risks and controls
Compilation of the payroll
Risks
- Payroll data may be incorrect due to the use of incorrect wage rates
- Payroll data not calculated correctly
- Payroll benefits and withholding taxes not calculated correctly
Example Controls
- Review payroll expenses to budget
Approved wage rates in payroll master file compared to approved wage rate per employee file
- Application is programmed to calculate correctly
- Application is programmed to calculate correctly
Payroll process example risks and controls
Payroll processing
Risks
- Journal entry is not recorded
- Incorrect journal entry is recorded
Example Control
- Review payroll expenses to budget
Reconcile payroll register to general ledger
Reconcile tax remittances to tax filings
- Review payroll expenses to budget
Journal entry is reviewed before posted
What is the difference between entity-level controls and transaction controls?
As explained previously, entity-level internal controls are at the entity-wide or whole-of-organization level and have the potential to impact all of the processes management puts in place for the entire organization. This includes controls that may not have a direct impact on the financial statements.
Transaction controls have a direct impact on the financial statements.
Examples of significant deficiencies include the following
evidence of an ineffective control environment, such as identification of management fraud
absence of a risk assessment process within the entity
evidence of an ineffective entity risk assessment process
evidence of an ineffective response to identified significant
misstatements that were not prevented or detected by the entity’s internal control
evidence of management’s inability to oversee the preparation of the financial statements.