Internal Control (Chapter 2) [P2] Flashcards
List the types of control
- preventative
- detective
- corrective
- directive
What are preventive controls?
Used to deter or prevent an undesirable event from occurring
E.g. Burglar bars to prevent burglars from breaking in
What are detective controls?
Used to detect undesirable events that have occurred
E.g. Burglar alarm to detect when someone’s broken into a building
What are corrective controls?
Used to correct the effects of undesirable events
E.g. Burglar alarm is linked to security company that responds in time to stop the burglars
What are directive controls?
Used to discourage an undesirable event from occurring or to encourage a desirable event to occur
E.g. A sign warning that a building is protected by burglar alarm is used to discourage burglars from attempting to break in
What activities do business operations include?
- handling of cash
- buying and selling on credit
- inventory
- debtors
- creditors
- fixed assets
- payroll
List three possible risks
- error
- fraud
- theft
Why do business operations leave businesses vulnerable to risk?
They often entail complex procedures, involving several personnel and numerous transactions
How can businesses guard against the risks of business operations?
By establishing an effective risk management and control system
List the components of a risk management and control system
- risk management function
- system of internal control
- internal audit function
Define risk management
The process of identifying, assessing and managing risk
Define risk
Uncertain future events that may have a negative impact on business operations and a detrimental effect on the business achieving its objectives
What activities should the risk management function be responsible for?
- establishing risk management policy and strategy of the business
- analysing business operations and procedures to identify risks
- evaluating and assessing potential impact of risks identified
- deciding on appropriate action to be taken in response to each of the risks identified
- developing and implementing appropriate internal control processes to combat risks
- continual reviewing of risk management process and strategy
List the four responses of the risk management function
- avoid the risk
- control the risk
- transfer the risk
- tolerate the risk
Explain avoiding the risk
This is likely to be the response if the risk is significant and either cannot be contained or is too costly to control
Explain controlling the risk
This is normally the response if the risk is significant, but can be cost-effectively controlled
Explain transferring the risk
This is likely to be the response if the risk is significant, but unlikely to occur
Explain tolerating the risk
A risk may be tolerated if it’s found that the risk is unlikely to occur and it would have little impact even if it did occur
What is the purpose of internal controls in a business?
To control risks to help ensure that the business objectives are accomplished
What should an effective system of internal controls ensure?
- the financial and operational information of a business is reliable and accurate
- employees comply with policies, procedures and rules of business
- employees adhere to the business code of ethics
- business assets are safeguarded
- business resources are used economically and efficiently
What is the purpose of internal controls in accounting?
The purpose is to control risks to help ensure that the accounting objectives of the business are achieved. They form part of the system of internal controls of a business and are implemented not only to ensure that the transactions of the business are recorded accurately, but also to protect the business against the risk of financial loss due to fraud or error
What does an effective system of internal accounting controls ensure?
- accounting records are accurate and reliable
- income is received and correctly recorded
- expenses are properly authorized and correctly recorded
- assets are safeguarded and properly recorded
- liabilities are paid timeously and are properly recorded
- errors and irregularities in processing information are detected
List the elements of internal control
- division of duties
- proper documentation
- authorisation of transactions
- physical controls
- reconciliations
Explain division of duties
It involves the separation of responsibilities/duties that would, if combined, enable an individual to record and process a complete transaction. This would provide that person with the opportunity to commit fraud by manipulating the transaction irregularly
What is the primary objective of division of duties?
To reduce the risk of fraud and errors by limiting opportunities and increasing the element of checking
List the functions that should be separated in division of duties
- authorisation
- execution
- custody
- record keeping
Explain proper documentation
This requires that proper and accurate documentation is maintained and used to support all transactions. The information relating to each transaction should be recorded accurately and in full detail on the relevant source document. The source documents should be pre-numbered, consecutive and prepared timeously. After the source document has been used to record the transaction in the appropriate subsidiary journal, it should be filed so that it can be used to provide evidence of the transaction
Explain the authorisation of transactions
This requires that transactions should only be approved and carried out by personnel acting within the scope of their authority. Authorization policies and procedures clearly identify which personnel have the authority to approve each type of transaction. The restriction of authority is essential to reduce the risk of fraudulent transactions being processed
Explain physical controls
These are controls that are used to physically safeguard assets and records (safes, secure storage, cash registers, fireproof filing cabinets, password-protected computer programs). These controls are designed to ensure that access to assets and records is restricted to authorized personnel only. Physical controls are used to reduce risk of theft of business property or fraudulent tampering with business records
Explain reconciliations
Process of comparing two sets of records to check that they’re in agreement, used to reduce the risk of errors and fraud. If it’s found that the records are different, then the differences must be accounted for and necessary adjustments must be processed. Where there are differences that can’t be accounted for, further investigation needs to take place and this frequently results in the detection of legitimate errors. However, this investigation can lead to the discovery of fraudulent transactions and expose complex fraud schemes
Define internal auditing
An independent assessment of the effect of the risk management and internal control of a business to identify the strengths and weaknesses to the management and control of risk. The resulting information enables management to improve risk management and internal control, helping to ensure that business objectives are achieved
What is the purpose of internal auditing?
It is an assurance and a consulting activity.
For the business areas where risk management and internal control are effective, the audit provides “assurance” that risk is being managed and controlled adequately
For the business areas where risk management or internal control are inadequate, audit performs a “consulting” role by providing recommendations for improving the management and control of risk
Explain the meaning of the internal control function
It is normally performed by a team of internal auditors (usually employees) but it can be contracted to specialist internal auditing firms. Internal auditors need to operate independently, be objective in their work and have strong ethical values. It’s essential that others within the business can’t influence the internal auditors in any way. While they don’t need to be accountants, they should have a broad range of skills and expertise in financial and operational areas, and in-depth understanding of the business culture, systems and processes
What is the role of the internal auditor?
To evaluate the effectiveness of the risk management and internal control system of the business and report their findings, opinions and recommendations to management
List the responsibilities of an internal auditor
- evaluating the adequacy and effectiveness of risk management to identify current risk issues and anticipate potential future areas of concern
- evaluating the adequacy and effectiveness of internal controls to identify deficiencies and provide recommendations for improvement
- reviewing and analyzing the business operations to gain a clear understanding of the various processes and the role they play in achieving the business objectives
- reviewing systems, operations, and procedures to determine whether the business and employees are in compliance with policies, procedures, laws, codes of practice, and regulations
- examining and evaluating the reliability and integrity of financial and operating information
- examining and evaluating the effective and efficient use of the business’s resources
- reviewing the means used to safeguard assets and verifying the existence of those assets
- providing management with analyses, appraisals, recommendations, and information concerning the activities reviewed to assist them in the management of risk
Summarize the relationship between risk management, internal control, and the internal auditing function
The achievement of business operations is threatened by risks that are identified and evaluated by risk management, which develops and implements internal control. Internal auditing evaluates the effectiveness of risk management and internal control
What is a risk-based approach to the internal audit?
It involves identifying and focusing on the areas of greatest risk to the business. It aims to maximize the impact of the internal audit by ensuring that internal audit resources are allocated to the areas that matter most
List the four phases of an internal audit process
- planning
- fieldwork
- reporting
- following up
When does the planning phase begin?
After management has defined the general objectives and scope of the audit
Explain the planning phase of an internal audit
- Internal auditors gather info to gain a thorough understanding of the business activities under review. They do this by:
  - reviewing documented policies and procedures
  - having discussions with management
  - analysing business operations
- They define objectives of area being audited
- Risks to achieving objectives will be identified and analyzed to identify areas of significant risk
- Internal auditors plan the detail and scope of the work to be performed during fieldwork, giving priority to areas of greatest risk
List the tests performed during the fieldwork phase
- walkthrough tests
- compliance tests
- substantive tests
Explain walkthrough tests
It involves tracing a small sample of transactions through the existing systems from the beginning to the end of the process being assessed. These tests are performed for two main reasons:
- to determine whether the documented internal controls have actually been implemented
- to enable the internal auditors to gain a better understanding of the various control processes
Explain compliance tests
Involves reviewing the internal control processes to determine whether the internal controls are working as intended. They’re also known as “tests of control,” which are used to verify that control procedures are being adhered to and applied correctly or to uncover noncompliance and unclear procedures
Explain substantive tests
Involves testing, checking, and verifying the completeness, validity, and accuracy of the financial and operating information. These tests are used to uncover any material errors, irregularities, or inaccuracies and determine whether the objectives of the control processes are being achieved
List the internal auditing techniques
- sampling
- inspection
- observation
- enquiry
- re-performance
Explain sampling
Due to cost and time implications, it’s not possible to test and check every document and record. Therefore, auditors select a representative sample from each process to test. This sample should be large enough to provide the auditors with an accurate account of the business process, yet small enough to be completed in a short period of time
Explain inspection
Involves the investigation of documents, records, and reconciliations to ascertain whether internal control procedures are being carried out correctly and are operating efficiently
Explain observation
Involves internal auditors observing employees carrying out specific processes and procedures. By monitoring activities being performed, internal auditors can determine whether the internal control procedures are being complied with and can gauge the effectiveness of the processes
Explain enquiry
Involves internal auditors interviewing employees and asking them questions related to the performance of their duties. Through interviews, internal auditors can obtain useful information regarding the control environment and can determine the employees’ understanding of the control objectives. This helps the internal auditors to identify deficiencies or potential weaknesses in the internal control systems
Explain re-performance
Involves re-performing tasks that have already been performed to test for accuracy and completeness. This testing technique involves re-checking calculations, reconciliations, and recordkeeping procedures and enables the internal auditors to evaluate the accuracy and reliability of the information processed through various control systems
Define audit evidence
Information gathered and results obtained from internal audit tests and investigations
Explain the reporting phase
The aim of the internal auditors’ report is to provide management with an opinion as to whether the risk management and internal control systems are functioning effectively and managing risks to an acceptable level. The report should provide assurance on the areas of significant risk that are being effectively managed and controlled while at the same time documenting any significant shortcomings or weaknesses identified. The report should also provide recommendations for improvement in areas of significant risks where the management and control of risk were found to be inadequate
Explain the follow-up phase
Based on opinions, findings, and recommendations set out in the internal auditors’ report, management may decide to make changes to the existing risk management and internal control system to address weaknesses identified. The internal auditing function should establish a follow-up process to monitor any corrective action taken by management. This will help to ensure that those actions have been effectively implemented and are managing the associated risks to an acceptable level