Chapter 8 - Systems and Controls Flashcards
What is control risk?
the risk of internal controls not being able to prevent or detect material misstatements
What would occur if control risk is low?
- rely on internal controls
- perform less substantive testing
- audit strategy is updated to reflect that fewer substantive procedures may be required
What would occur if control risk is high?
- perform 100% substantive testing
- focus on tests of detail rather than analytical procedures
What are limitations of controls?
- Human error
- Management override
- Collusion
- Non-routine transactions
- Outdated systems
What is collusion?
Many of the internal controls we expect to see in a company revolve around segregation of duties, or having more than one person involved in a transaction. Collusion is when those people work together to commit fraud.
Each system of internal control should contain how many components?
5:
- Control environment
- Entity’s risk assessment process
- Monitoring
- Information system
- Control activities
What is control environment?
how seriously management take internal controls
What is risk assessment?
how management identifies the risks that require controls
What are information systems?
how transactions get processed
What are control activities?
the actual controls in place to mitigate the risks
What is monitoring of controls?
reviewing if the controls are effective or need changing
The risk assessment process will involve what steps?
- Identify relevant business risks
- estimate the significance of the risks
- assess the likelihood of occurrence
- Decide on actions to address the risks
What are internal control procedures?
controls put in place by the client within any system to try to prevent or detect errors arising
What is an example of a control procedure?
all timesheets have to be approved by supervisors, before going to payroll
What are control objectives?
not the controls themselves but what the control is hoping to achieve: trying to ensure something good happens or something bad doesn’t happen
What is an example of control objectives?
to ensure no fake overtime gets paid
What are risks?
control objectives in reverse
What is an example of risks?
that overtime is paid for that was never worked
What is a test of control?
tests performed by the auditor to see if a control is working
What is an example of a test of control?
pick a sample of timesheets to see if they have been signed as approved
What are the 5 types of control activities set out in the auditing standards?
- authorisation (preventative control)
- reconciliations (detective control)
- verifications
- physical or logical controls
- segregation of duties
Computer controls fall into what 2 categories?
- general controls
- information processing controls
What are general IT controls?
support the continued proper operation of the IT environment, including effective functioning of the information processing controls and the integrity of information in the information system
What are examples of general controls?
Password protection
Back-up procedures
Disaster recovery procedures
Virus checks
Firewalls
Staff training
What are examples of information processing controls?
- range checks
- batch controls
- sequence checks
What are information processing controls?
relate to the processing of information in IT applications or manual processes that directly address risks to the integrity of information
Procedures used to obtain evidence regarding the design and implementation of controls include?
- enquiries of relevant personnel
- observing the application of controls
- Tracing a transaction through the system to understand what happens
- inspecting documents, such as internal procedure manuals.
How do we document client systems?
- Narrative notes
- Flow charts
- Internal control questionnaire (ICQ)
- Internal control evaluation (ICEQ)
What are narrative notes?
tell a story about how the system works
Give one advantage and one disadvantage of narrative notes.
ADV - can be completed by a junior member of the team
DIS - Important sections might be missed out
What are flow charts?
a diagrammatical representation of the system
Give one advantage and one disadvantage of flow charts.
ADV - show key elements only
DIS - Staff need training, hard to amend
What are Internal control questionnaires (ICQ)?
a list of common controls and the client is asked whether they have them in place. Closed questions, e.g., Does.
Give one advantage and one disadvantage of ICQs.
ADV - Can assess strength of system, junior staff can complete it quickly
DIS - Client knows expected answer
What are internal control evaluations (ICEQ)?
a list of risks and the client is asked to explain the controls they have in place to mitigate them. Open questions, e.g., How.
Give one advantage and one disadvantage of ICEQs.
ADV - can appraise unusual systems
DIS - need more senior staff to complete
Tests of controls are performed when?
only on those controls that the auditor has determined are suitably designed to prevent, or detect and correct a material misstatement in a relevant assertion
Controls will only be worth testing when?
if they are designed appropriately in the first place and implemented
A test of control involves what?
the auditor obtaining evidence that the client has implemented the controls and that they have worked effectively, during the period.
Typical methods of controls testing include?
- observation of control activities
- inspection of documents recording performance of the control
- using test data
When are deficiencies significant?
if they are likely to lead to material misstatement, result in fraud, relate to a subjective balance or relate to areas where there is a high volume of activity
If the auditor finds deficiencies in the internal controls, they must communicate them to whom?
management
If the auditor finds significant deficiencies in the internal controls, they must communicate them to whom?
those charged with governance (usually the audit committee)
How are deficiencies communicated?
in a report to management or management letter. This is presented in a table format as an appendix to the covering letter
What will the covering letter explain?
what is being communicated and sets out the limitations of the report
What will the report to management look like?
- Deficiencies
- Implications
- Recommendations
- Management response
When answering an exam question on control deficiencies what information should we look out for?
Look for information which indicates:
- controls are missing, e.g., sales orders are not sequentially numbered
- controls are not effective, e.g., bank recs are supposed to be performed but often aren't
How would we tailor our answer when giving recommendations?
Try and recommend which person in the company should perform the control and how frequently. Suggest everything that needs to happen to make the control effective
What are direct controls?
control procedures which are properly designed, in place and working effectively at addressing the risk of material misstatement at the assertion level
How would we tackle a question relating to direct controls?
Read the scenario and look for controls being mentioned, such as reconciliations being performed, authorisation of transactions, segregation of duties, restricted access to valuable items etc.
What is a control?
an activity performed that is in addition to the normal processing of the system, to ensure that the system operates as it should
What is a test of control?
an audit procedure which will provide evidence as to whether the control procedure is in place and working effectively
What is the sales system sequence?
- order received
- goods despatched
- invoice sent
- sale recorded
- cash received
What is the purchase system sequence?
- Order placed
- Goods received
- Invoice received
- Purchase recorded
- Payment