Internal Control (Chapter 2) [P2]

Question 1

List the types of control

Answer 1

• preventative
• detective
• corrective
• directive

Question 2

What are preventive controls?

Answer 2

Used to deter or prevent an undesirable event from occurring

Eg. Burglar bars to prevent burglars from breaking in

Question 3

What are detective controls?

Answer 3

Used to detect undesirable events that have occurred

Eg. Burglar alarm to detect when someone’s broken into a building

Question 4

What are corrective controls?

Answer 4

Used to correct the effects of undesirable events

Eg. Burglar alarm is linked to security company that responds in time to stop the burglars

Question 5

What are directive controls?

Answer 5

Used to discourage an undesirable event from occurring or to encourage a desirable event to occur

Eg. A sign warning that a building is protected by burglar alarm is used to discourage burglars from attempting to break in

Question 6

What activities do business operations include?

Answer 6

• handling of cash
• buying and selling on credit
• inventory
• debtors
• creditors
• fixed assets
• payroll

Question 7

List three possible risks

Answer 7

• error
• fraud
• theft

Question 8

Why do business operations leave businesses vulnerable to risk?

Answer 8

They often entail complex procedures, involving several personnel and numerous transactions

Question 9

How can businesses guard against the risks of business operations?

Answer 9

By establishing an effective risk management and control system

Question 10

List the components of a risk management and control system

Answer 10

• risk management function
• system of internal control
• internal audit function

Question 11

Define risk management

Answer 11

The process of identifying, assessing and managing risk

Question 12

Define risk

Answer 12

Uncertain future events that may have a negative impact on business operations and a detrimental effect on the business achieving its objectives

Question 13

What activities should the risk management function be responsible for?

Answer 13

• establishing risk management policy and strategy of the business
• analysing business operations and procedures to identify risks
• evaluating and assessing potential impact of risks identified
• deciding on appropriate action to be taken in response to each of the risks identified
• developing and implementing appropriate internal control processes to combat risks
• continual reviewing of risk management process and strategy

Question 14

List the four responses of the risk management function

Answer 14

• avoid the risk
• control the risk
• transfer the risk
• tolerate the risk

Question 15

Explain avoiding the risk

Answer 15

This is likely to be the response if the risk is significant and either cannot be contained or is too costly to control

Question 16

Explain controlling the risk

Answer 16

This is normally the response if the risk is significant, but can be cost-effectively controlled

Question 17

Explain transferring the risk

Answer 17

This is likely to be the response if the risk is significant, but unlikely to occur

Question 18

Explain tolerating the risk

Answer 18

A risk may be tolerated if it’s found that the risk is unlikely to occur and it would have little impact even if it did occur

Question 19

What is the purpose of internal controls in a business?

Answer 19

To control risks to help ensure that the business objectives are accomplished

Question 20

What should an effective system of internal controls ensure?

Answer 20

• the financial and operational information of a business is reliable and accurate
• employees comply with policies, procedures and rules of business
• employees adhere to the business code of ethics
• business assets are safeguarded
• business resources are used economically and efficiently

Question 21

What is the purpose of internal controls in accounting?

Answer 21

The purpose is to control risks to help ensure that the accounting objectives of the business are achieved. They form part of the system of internal controls of a business and are implemented not only to ensure that the transactions of the business are recorded accurately, but also to protect the business against the risk of financial loss due to fraud or error

Question 22

What does an effective system of internal accounting controls ensure?

Answer 22

• accounting records are accurate and reliable
• income is received and correctly recorded
• expenses are properly authorized and correctly recorded
• assets are safeguarded and properly recorded
• liabilities are paid timeously and are properly recorded
• errors and irregularities in processing information are detected

Question 23

List the elements of internal control

Answer 23

• division of duties
• proper documentation
• authorisation of transactions
• physical controls
• reconciliations

Question 24

Explain division of duties

Answer 24

It involves the separation of responsibilities/duties that would, if combined, enable an individual to record and process a complete transaction. This would provide that person with the opportunity to commit fraud by manipulating the transaction irregularly

Question 25

What is the primary objective of division of duties?

Answer 25

To reduce the risk of fraud and errors by limiting opportunities and increasing the element of checking

Question 26

List the functions that should be separated in division of duties

Answer 26

• authorisation
• execution
• custody
• record keeping

Question 27

Explain proper documentation

Answer 27

This requires that proper and accurate documentation is maintained and used to support all transactions. The information relating to each transaction should be recorded accurately and in full detail on the relevant source document. The source documents should be pre-numbered, consecutive and prepared timeously. After the source document has been used to record the transaction in the appropriate subsidiary journal, it should be filed so that it can be used to provide evidence of the transaction

Question 28

Explain the authorisation of transactions

Answer 28

This requires that transactions should only be approved and carried out by personnel acting within the scope of their authority. Authorization policies and procedures clearly identify which personnel have the authority to approve each type of transaction. The restriction of authority is essential to reduce the risk of fraudulent transactions being processed

Question 29

Explain physical controls

Answer 29

These are controls that are used to physically safeguard assets and records (safes, secure storage, cash registers, fireproof filing cabinets, password-protected computer programs). These controls are designed to ensure that access to assets and records is restricted to authorized personnel only. Physical controls are used to reduce risk of theft of business property or fraudulent tampering with business records

Question 30

Explain reconciliations

Answer 30

Process of comparing two sets of records to check that they’re in agreement, used to reduce the risk of errors and fraud. If it’s found that the records are different, then the differences must be accounted for and necessary adjustments must be processed. Where there’s differences that can’t be accounted for, further investigation needs to take place and this frequently results in the detection of legitimate errors. However, this investigation can lead to the discovery of fraudulent transactions and expose complex fraud schemes

Question 31

Define internal auditing

Answer 31

An independent assessment of the effect of the risk management and internal control of a business to identify the strengths and weaknesses to the management and control of risk. The resulting information enables management to improve risk management and internal control, helping to ensure that business objectives are achieved

Question 32

What is the purpose of internal auditing?

Answer 32

It is an assurance and a consulting activity.

For the business areas where risk management and internal control are effective, the audit provides “assurance” that risk is being managed and controlled adequately

For the business areas where risk management or internal control are inadequate, audit performs a “consulting” role by providing recommendations for for improving the management and control of risk

Question 33

Explain the meaning of the internal control function

Answer 33

It is normally performed by a team of internal auditors (usually employees) but it can be contracted to specialist internal auditing firms. Internal auditors need to operate independently, be objective of their work and have strong ethical values. It’s essential that others within the business can’t influence the internal auditors in any way. While they don’t need to be accountants, they should have a broad range of skills and expertise in financial and operational areas, and in-depth understanding of the business culture, systems and processes

Question 34

What is the role of the internal auditor?

Answer 34

To evaluate the effectiveness of the risk management and internal control system of the business and report their findings, opinions and recommendations to management

Question 35

List the responsibilities of an internal auditor

Answer 35

• evaluating the adequacy and effectiveness of risk management to identify current risk issues and anticipate potential future areas of concern
• evaluating the adequacy and effectiveness of internal controls to identify deficiencies and provide recommendations for improvement
• reviewing and analyzing the business operations to gain a clear understanding of the various processes and the role they play in achieving the business objectives
• reviewing systems, operations, and procedures to determine whether the business and employees are in compliance with policies, procedures, laws, codes of practice, and regulations
• examining and evaluating the reliability and integrity of financial and operating information
• examining and evaluating the effective and efficient use of the business’s resources
• reviewing the means used to safeguard assets and verifying the existence of those assets
• providing management with analyses, appraisals, recommendations, and information concerning the activities reviewed to assist them in the management of risk

Question 36

Summarize the relationship between risk management, internal control, and the internal auditing function

Answer 36

The achievement of business operations is threatened by risks that are identified and evaluated by risk management, which develops and implements internal control. Internal auditing evaluates the effectiveness of risk management and internal control

Question 37

What is a risk-based approach to the internal audit

Answer 37

It involves identifying and focusing on the areas of greatest risk to the business. It aims to maximize the impact of the internal audit by ensuring that internal audit resources are allocated to the areas that matter most

Question 38

List the four phases of an internal audit process

Answer 38

• planning
• fieldwork
• reporting
• following up

Question 39

When does the planning phase begin?

Answer 39

After management has defined the general objectives and scope of the audit

Question 40

Explain the planning phase of an internal audit

Answer 40

1. Internal auditors gather info to gain a thorough understanding of the business activities under review. They do this by:
   - reviewing documented policies and procedures
   - having discussions with management
   - analysing business operations
2. They define objectives of area being audited
3. Risks to achieving objectives will be identified and analyzed to identify areas of significant risk
4. Internal auditors plan the detail and scope of the work to be performed during fieldwork, giving priority to areas of greatest risk

Question 41

List the tests performed during the fieldwork phase

Answer 41

• walkthrough tests
• compliance tests
• substantive tests

Question 42

Explain walkthrough tests

Answer 42

It involves tracing a small sample of transactions through the existing systems from the beginning to the end of the process being assessed. These tests are performed for two main reasons:
- to determine whether the documented internal controls have actually been implemented
- to enable the internal auditors to gain a better understanding of the various control processes

Question 43

Explain compliance tests

Answer 43

Involves reviewing the internal control processes to determine whether the internal controls are working as intended. They’re also known as “tests of control,” which are used to verify that control procedures are being adhered to and applied correctly or to uncover noncompliance and unclear procedures

Question 44

Explain substantive tests

Answer 44

Involves testing, checking, and verifying the completeness, validity, and accuracy of the financial and operating information. These tests are used to uncover any material errors, irregularities, or inaccuracies and determine whether the objectives of the control processes are being achieved

Question 45

List the internal auditing techniques

Answer 45

• sampling
• inspection
• observation
• enquiry
• re-performance

Question 46

Explain sampling

Answer 46

Due to cost and time implications, it’s not possible to test and check every document and record. Therefore, auditors select a representative sample from each process to test. This sample should be large enough to provide the auditors with an accurate account of the business process, yet small enough to be completed in a short period of time

Question 47

Explain inspection

Answer 47

Involves the investigation of documents, records, and reconciliations to ascertain whether internal control procedures are being carried out correctly and are operating efficiently

Question 48

Explain observation

Answer 48

Involves internal auditors observing employees carrying out specific processes and procedures. By monitoring activities being performed, internal auditors can determine whether the internal control procedures are being complied with and can gauge the effectiveness of the processes

Question 49

Explain enquiry

Answer 49

Involves internal auditors interviewing employees and asking them questions related to the performance of their duties. Through interviews, internal auditors can obtain useful information regarding the control environment and can determine the employees’ understanding of the control objectives. This helps the internal auditors to identify deficiencies or potential weaknesses in the internal control systems

Question 50

Explain re-performance

Answer 50

Involves re-performing tasks that have already been performed to test for accuracy and completeness. This testing technique involves re-checking calculations, reconciliations, and recordkeeping procedures and enables the internal auditors to evaluate the accuracy and reliability of the information processed through various control systems

Question 51

Define audit evidence

Answer 51

Information gathered and results obtained from internal audit tests and investigations

Question 52

Explain the reporting phase

Answer 52

The aim of the internal auditors report is to provide management with an opinion as to whether the risk management and internal control systems are functioning effectively and managing risks to an acceptable level. The report should provide assurance on the areas of significant risk that are being effectively managed and controlled while at the same time documenting any significant shortcomings or weaknesses identified. The report should also provide recommendations for improvement in areas of significant risks where the management and control of risk were found to be inadequate

Question 53

Explain the follow-up phase

Answer 53

Based on opinions, findings, and recommendations set out in the internal auditors report, management may decide to make changes to the existing risk management and internal control system to address weaknesses identified. The internal auditing function should establish a follow-up process to monitor any corrective action taken by management. This will help to ensure that those actions have been effectively implemented and are managing the associated risks to an acceptable level