Chapter 8 - Systems and Controls

Question 1

What is control risk?

Answer 1

the risk of internal controls not being able to prevent or detect material misstatements

Question 2

What would occur if control risk is low?

Answer 2

• rely on internal controls
• perform less substantive testing
• audit strategy is updated to reflect that fewer substantive procedures may be required

Question 3

What would occur if control risk is high?

Answer 3

• perform 100% substantive testing
• focus on tests of detail rather than analytical procedures

Question 4

What are limitations of controls?

Answer 4

• Human error
• Management override
• Collusion
• Non-routine transactions
• Outdated systems

Question 5

What is collusion?

Answer 5

Many of the internal controls we expect to see in a company revolve around segregation of duties, or having more than one person involved in a transaction. Work together to commit fraud

Question 6

Each system of internal control should contain how many components?

Answer 6

5 - Control environment
Entity’s risk assessment process
Monitoring
Information system
Control activties

Question 7

What is control environment?

Answer 7

how seriously management take internal controls

Question 8

What is risk assessment?

Answer 8

how management identifies the risks that require controls

Question 9

What are information systems?

Answer 9

how transactions get processed

Question 10

What are control activities?

Answer 10

the actual controls in place to mitigate the risks

Question 11

What are monitory of controls?

Answer 11

reviewing if the controls are effective or need changing

Question 12

The risk assessment process will involve what steps?

Answer 12

1. Identify relevant business risks
2. estimate the significance of the risks
3. assess the likelihood of occurrence
4. Decide on actions to address the risks

Question 13

What are internal control procedures?

Answer 13

controls put in place by the client within any system to try prevent or detect errors arising

Question 14

What is an example of a control procedure?

Answer 14

all timesheets have to be approved by supervisors, before going to payroll

Question 15

What are control objectives?

Answer 15

not the control themselves but what the control will be hoping to achieve. trying to ensure something good happens or something bad doesn’t happen

Question 16

What is an example of control objectives?

Answer 16

to ensure no fake overtime gets paid

Question 17

What are risks?

Answer 17

control objectives in reverse

Question 18

What is an example of risks?

Answer 18

that overtime is paid for that was never worked

Question 19

What is test of control?

Answer 19

tests performed by the auditor to see if a control is working

Question 20

What is an example of test of control?

Answer 20

pick a sample of timesheets to see if they have been signed as approved

Question 21

What are the 5 types of control activities set out in the auditing standards?

Answer 21

• authorisation (preventative control)
• reconciliations (detective control)
• verifications
• physical or logical controls
• segregation of duties

Question 22

Computer controls fall into what 2 categories?

Answer 22

• general controls
• information processing controls

Question 23

What are general IT controls?

Answer 23

support the continued proper operation of the IT environment, including effective functioning of the information processing controls and the integrity of information in the information system

Question 24

What are examples of general controls?

Answer 24

Password protection
Back-up procedures
Disaster recovery procedures
Virus checks
Firewalls
Staff training

Question 25

What are examples of information processing controls?

Answer 25

• range checks
• batch controls
• sequence checks

Question 26

What are information processing controls?

Answer 26

relate to the processing of information in IT applications or manual processes that directly address risks to the integrity of information

Question 27

Procedures used to obtain evidence regarding the design and implementation of controls include?

Answer 27

• enquiries of relevant personnel
• observing the application of controls
• Tracing a transaction through the system to understand what happens
• inspecting documents, such as internal procedure manuals.

Question 28

How do we document client systems?

Answer 28

• Narrative notes
• Flow charts
• Internal control questionnaire (ICQ)
• Internal control evaluation (ICEQ)

Question 29

What are narrative notes?

Answer 29

tell a story about how the system works

Question 30

Give one advantage and one disadvantage of narrative notes.

Answer 30

ADV - can be completed by a junior member of the team
DIS - Important sections might be missed out

Question 31

What are flow charts?

Answer 31

a diagrammatical representation of the system

Question 32

Give one advantage and one disadvantage of flow charts.

Answer 32

ADV - show key elements only
DIS - Staff need training, hard to amend

Question 33

What are Internal control questionnaires (ICQ)?

Answer 33

a list of common controls and the client is asked whether they have them in place. Closed questions e.g., Does.

Question 34

Give one advantage and one disadvantage of ICQs.

Answer 34

ADV - Can assess strength of system, junior staff can complete it quickly
DIS - Client knows expected answer

Question 35

What are internal control evaluations (ICEQ)?

Answer 35

a list of risks and the client is asked to explain the controls they have in place to mitigate them. Open questions, e.g, How.

Question 36

Give one advantage and one disadvantage of ICEQs.

Answer 36

ADV - can appraise unusual systems
DIS - need more senior staff to complete

Question 37

Test of controls are performed when?

Answer 37

only on those controls that the auditor has determined are suitably designed to prevent, or detect and correct a material misstatement in a relevant assertion

Question 38

Controls will only be worth testing when?

Answer 38

if they are designed appropriately in the first place and implemented

Question 39

A test of control involves what?

Answer 39

the auditor obtaining evidence that the client has implemented the controls and that they have worked effectively, during the period.

Question 40

Typical methods of controls testing include?

Answer 40

• observation of control activities
• inspection of documents recording performance of the control
• using test data

Question 41

When are deficiencies significant?

Answer 41

if they are likely to lead to material misstatement, result in fraud, relate to a subjective balance or relate to areas where there is a high volume of activity

Question 42

If the auditor find deficiencies in the internal controls, they must communicate them to who?

Answer 42

mangement

Question 43

If the auditor find significant deficiencies in the internal controls, they must communicate them to who?

Answer 43

those charged with governance (usually the audit committee)

Question 44

How are deficiencies communicated?

Answer 44

in a report to management or management letter. This is presented in a table format as an appendix to the covering letter

Question 45

What will the covering letter explain?

Answer 45

what is being communicated and sets out the limitations of the report

Question 46

What will the report to management look like?

Answer 46

• Deficiencies
• Implications
• Recommendations
• Management response

Question 47

When answering an exam question on control deficiencies what information should we look out for?

Answer 47

Look for information which indicates:
- controls are missing, e.g., sales orders are not sequentially numbered
- controls are not effective, e.g., bank recs are supposed to be performed but often dont

Question 48

How would we tailor our answer when giving recommendations?

Answer 48

Try and recommend which person in the company should perform the control and how frequently. Suggest everything that needs to happen to make the control effective

Question 49

What are direct controls?

Answer 49

control procedures which are properly designed, in place and working effectively at addressing the risk of material misstatement at the assertion level

Question 50

How would we tackle a question relating to direct controls?

Answer 50

Read the scenario and looks for controls being mentioned, such as reconciliations being performed, authorisation of transactions, segregation of duties, restricted access to valuable items etc

Question 51

What is a control?

Answer 51

an activity performed that is in addition to the normal processing of the system, to ensure that the system operates as it should

Question 52

What is a test of control?

Answer 52

an audit procedure which will provide evidence as to whether the control procedure is in place and working effectively

Question 53

What is the sales system sequence?

Answer 53

1. order received
2. goods despatched
3. invoice sent
4. sale recorded
5. cash received

Question 54

What is the purchase system sequence?

Answer 54

1. Order placed
2. Goods received
3. Invoice received
4. Purchase recorded
5. Payment