Internal control Flashcards
Internal control systems (5 elements)
Control environment - the attitudes, awareness and actions of management (tone of organisation)
Risk assessment process - does the entity have a process for identifying and controlling risks
Information systems - how transactions are recorded
Control activities - physical controls, segregation of duties, relevant authorisations, review of BvAs
Monitoring of controls - checking that controls are operating as intended
Limitations of internal controls
Cost of controls
May not work for non-routine transactions
Human error
Collusion of staff
Management override
3 common ways auditors record control systems (plus adv/dis)
Narrative notes - Adv = simple, quick, easy to understand. Dis = If system is complex may be difficult to describe, can miss control exceptions
Flowcharts - Adv = easy to identify missing controls, visual aid can be easy to understand. Dis = can be time consuming to prepare, may need training to prepare
Questionnaire - Adv = very quick as will have template ones, simple to complete. Dis = should be tailored to client, client could overstate level of controls
Walkthrough test
A way for auditors to confirm tests that have been recorded
Follow one transaction through every stage of the accounting process to ensure system and controls operate as documented. This is NOT a test of control, just confirms system matches information told to auditors
Transaction cycles - Risk, Objective of control and Key control procedure
Sales - Receipt of customer order
3 risks
Risk: Orders not received or recorded properly = sales understated
Objective of control: To ensure that sales are properly accounted for
Key control: All orders taken should be recorded on an automatic pre-numbered system (produces order invoices). Regular checks should be performed for completeness of sequence of numbered invoices
Risk: Customers are unable to pay
Objective of control: Goods only sold on credit for customers that can pay
Key control: Credit limit should be checked and no orders over a customer's limit should be approved unless approved by credit control
Risk: Orders are accepted but no inventory
Objective of control: ensure inventory is available
Key control: Inventory should be checked so that orders cannot be taken with nil/low inventory
Transaction cycles - Risk, Objective of control and Key control procedure
Sales - Dispatch of customer order
2 risks
Risk: Goods dispatched are not the correct goods ordered
Objective of control: To ensure goods dispatched are correct
Key control: All goods dispatched are accompanied by a goods dispatched note which should match the original order
Risk: Goods dispatched are poor quality
Objective of control: to ensure goods dispatched are of satisfactory quality
Key control: quality control check performed on a random sample of goods (check quality and quantity). Customers should sign and return a goods dispatched note to confirm acceptance
Transaction cycles - Risk, Objective of control and Key control procedure
Sales - Invoicing of customer order
2 risks
Risk: customers not invoiced or invoiced incorrectly
Objective of control: ensure invoices are raised correctly
Key control: invoice should be raised from/matched to GDN
Risk: sales invoices not recorded in ledgers
Objective of control: all invoices are recorded in ledgers
Key control: all invoices are pre-numbered, regular checks
Transaction cycles - Risk, Objective of control and Key control procedure
Sales - Collection of cash
3 risks
Risk: customers do not pay or pay late
Objective of control: customers pay on a timely basis
Key control: sending regular chasers / statement
Risk: funds received are recorded incorrectly
Objective of control: ensure they are recorded correctly
Key control: bank transfers should be matched to individual transactions
Risk: cash/cheques are lost
Objective of control: ensure they don’t get lost
Key control: should be recorded and cashed immediately, monthly bank recs
Transaction cycles - Risk, Objective of control and Key control procedure
Purchases - purchase order raised
2 risks
Risk: goods ordered without authorisation
Objective of control: all orders should be authorised
Key control: all purchase orders are authorised by an appointed official
Risk: ordered from an unauthorised source
Objective of control: ensure all suppliers are authorised
Key control: authorised supplier list, if none exist then the best value supplier selected
Transaction cycles - Risk, Objective of control and Key control procedure
Purchases - receipt of goods
2 risks
Risk: suppliers send goods that are incorrect or substandard
Objective of control: ensure all orders are received in line with order (quality and quantity)
Key control: all goods are checked for quality and quantity
Risk: goods are not added to inventory
Objective of control: ensure goods are added to inventory
Key control: inventory systems should be updated if goods are for resale or added to non-current assets
Transaction cycles - Risk, Objective of control and Key control procedure
Purchases - receipt of purchase invoice
2 risks
Risk: suppliers invoice for the wrong amount
Objective of control: ensure correct amount and content
Key control: check invoices back to purchase order
Risk: invoices not included in accounts
Objective of control: ensure all invoices are included in accounts
Key control: invoices added to the ledgers
Transaction cycles - Risk, Objective of control and Key control procedure
Purchases - payment of purchase invoice
1 risk
Risk: payments are made to the incorrect supplier/incorrect amount
Objective of control: ensure payments are made of the correct amount and to the correct beneficiary
Key control: all payments should be authorised by responsible official, all paid invoices should be recorded as paid
Transaction cycles - Risk, Objective of control and Key control procedure
Inventory - payment of purchase invoice
3 risks
Risk: inventory could be stolen
Objective of control: ensure inventory is stored securely
Key control: physical security (locks/cameras), regular manual checks
Risk: inventory could be obsolete or slow moving
Objective of control: ensure inventory is current and sellable
Key control: regular review of stock listings to monitor slow moving inventory, regular reviews for damaged stock
Risk: inventory may run out
Objective of control: ensure inventory does not run out
Key control: regular review of re-order levels
Transaction cycles - Risk, Objective of control and Key control procedure
Payroll
4 risks
Risk: non bona fide employees are paid
Objective of control: ensure only bona fide employees are paid
Key control: all new employees are added immediately to payroll system and any leaving employees are removed, authorised official to approve payroll and segregation of duties to ensure controls
Risk: employees are paid incorrect amounts
Objective of control: ensure all employees are paid correct amount
Key control: time sheets reviewed, overtime and bonuses properly authorised, evidence for changes in pay rates, monthly payroll reviewed by responsible official
Risk: Tax and NI calculated incorrectly
Objective of control: ensure they are calculated correctly
Key control: should be calculated by a trained official, software should be updated regularly
Risk: wages paid in cash may be stolen
Objective of control: ensure wages paid in cash are secure
Key control: adequate security, staff sign confirming receipt, pay staff directly to bank accounts
Transaction cycles - Risk, Objective of control and Key control procedure
Bank and cash
4 risks
Risk: cash on premises could go missing
Objective of control: ensure petty cash is secure
Key control: appropriate security (locked drawer/safe), regularly checked
Risk: petty cash spent incorrectly
Objective of control: ensure proper control of petty cash
Key control: expenditure should be appropriately authorised
Risk: cheques paid to unauthorised persons
Objective of control: ensure payments made to authorised persons
Key control: 2 people sign off cheques, kept in secure location
Risk: receipts go missing
Objective of control: ensure all receipts are banked
Key control: monthly bank recs
IT controls
2 types
Application controls (within computer system - checks for complete, accurate and valid information) - mandatory fields, arithmetic accuracy, range limited
General IT controls - virus protection, regular backups and passwords
Deficiencies or significant deficiency
Deficiency exists - when a control is unable to prevent/detect and correct misstatements or a control is missing
Significant deficiency - when, in the auditor's opinion, it is of sufficient importance to merit the attention of those charged with governance (the deficiency is likely to lead to a material misstatement, susceptible to loss of asset or fraud, cause and frequency) - deficiency will be noted in a ‘report to management’
Internal audit
Main focus on the accounting and internal control systems (normally look at costs/efficiency) - normally performed by employees, need qualified, experienced staff and controlled by audit committee
Internal vs external auditors
Objectives, Standards, Report to, Status, Qualification
Objectives
External: opinion on accounts being “true and fair”
Internal: improve company’s operation (efficiency and effectiveness)
Standards
External: must follow International Standards on Auditing
Internal: choose to use guidelines from the Institute of Internal Auditors
Report to
External: shareholders via audit report
Internal: Audit committee / board
Status
External: Independent
Internal: Employee of company but should be as independent as possible
Qualification
External: qualified accountant and member of recognised body
Internal: no qualification required but usually an accountant
Value for money audit - 3 E’s
Best possible combination of services for the least resources - 3 E’s - Economy, Efficiency and Effectiveness
Economy - least cost with an acceptable level of risk
Efficiency - best use of resources
Effectiveness - to achieve organisation objectives
Types of audit
IT audit - controlling the key risks surrounding its hardware, software, internet and the overall IT environment
Regulatory audit - key legal requirements
Fraud investigations - ensure no fraud is taking place
Customer experience - meeting customer needs, also promotes itself as a caring company
Procurement audit - around what the company has purchased
Internal audit report
Will produce a report similar to external auditors.
Including:
Addressee
Terms of reference - summarising who requested and purpose
Executive summary - summary of key findings