Internal Controls 1 Flashcards
Definition of internal control
ISA 315 defines internal control as ‘the process designed and effected by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of the entity’s objectives regarding:
• The reliability of the financial reporting;
• The efficiency and effectiveness of operations; and
• Compliance with applicable law and regulations’ (e.g. for PAYE)
Why is internal control important to the auditor?
In Unit 10.1 we covered the requirement of the auditor to understand the entity. Finding out about the internal controls in an entity is part of this understanding. The auditors need to know how those responsible for the entity are looking after the things listed above.
The strength of the internal control system affects the risk level attributed to the audit (remember control risk?). Internal control within an entity can influence the type and amount of audit work as the auditors consider the chance of errors/misstatements in the financial information and whether assets are safeguarded.
In the audit report the auditors are required to comment on their review of the directors’ report regarding internal controls.
Assessing the internal controls system
In assessing the internal control system, the auditor must assess:
- Whether adequate, properly designed controls are in existence, and that these have operated throughout the period.
- The ‘control environment’ and the controls put in place by management to prevent and detect misstatements.
The auditor may do this through:
- Inquiry
- Analytical procedures
- Observation and inspection
5 Components of an Internal control system
- Control environment
- Risk assessment process
- Information system
- Control activities & procedures
- Monitoring
Control environment
The attitudes, awareness and actions of the directors and those charged with governance regarding internal control and how important it is within the company. The auditor must assess the control environment to see if policies and procedures are implemented.
A strong control environment would be evidenced by:
• Culture of honesty and integrity
• Staff that are well trained about the importance of controls
• Clear organisational structure with appropriate supervision and authority
• Involvement of those charged with governance in the audit process (e.g. existence of an audit committee)
• No ability for management to override controls
• An internal audit function (more on this in Unit 16)
Risk assessment process
This is the process which management goes through to identify business risks within the company. Business risk is the risk that the business fails to achieve its objectives (making a profit). The auditor is interested in whether any business risks affect the financial statements.
Controls put in place to address business risks identified:
- Identify relevant business risks
- Estimate significance (importance) of the risks
- Assess likelihood of risk happening
- Decide how to address risk
Information system
The information system is anything regarding the movement of data and how it is recorded. The auditor needs to understand how transactions are recorded and how the financial statements are prepared.
IT is likely to be involved here but information systems could be manual and could relate to people as well. The auditor will need to understand if staff are competent in their role within the financial reporting process and whether it is possible to interfere with, or override, any control procedures.
The auditor assesses whether the software, people, procedures and data:
- Identify and record all valid transactions
- Record transactions in the appropriate accounting period
- Present transactions in the financial statements properly
- Allow for proper classification of transactions
- Record monetary value correctly
Control activities & procedures
Control activities are the actions taken by management to deal with identified risks. Specifically, they put in place control procedures (controls) to mitigate business risks. These control procedures could be manual or computerised.
Control procedures a firm could implement:
Segregation of duties - No single person is responsible for the recording and processing of a complete transaction.
Organisational controls - Clear lines of reporting and allocated responsibilities.
Authorisation and approval - Procedures authorised and approved by appropriate individuals.
Physical controls - Limiting access to assets.
Supervision - Supervisory duties clearly defined and communicated to staff.
Personnel - Competent and professional staff.
Arithmetical procedures - All transactions are included, recorded and accurately processed.
Management - Additional performance reviews performed on top of day-to-day routine system procedures.
Understanding control procedures:
ISA 315 requires the auditor to understand control procedures in place in the organisation as it will impact the work they carry out during the audit. The auditor will typically go through the following steps:
Obtain details of processes and controls from management
Walk through each process to see if the controls are in place and working
Document findings
Assess effectiveness of controls
Consider impact on audit and whether any reliance can be placed on controls
Decide on audit approach/type of audit
Monitoring
Internal control procedures should be continually monitored to ensure that they are still adequate in addressing the business risk. Whilst part of the auditor’s role is to highlight control weaknesses, management should not be relying on this as a way of checking controls and should have their own monitoring procedures in place.
Limitations of internal control
Controls can never completely eradicate all business risks due to the natural limitations that controls have:
• Human error
• Circumvention of controls through collusion
• Unusual or one-off transactions are unlikely to be covered by the control system
• Can be costly to implement (could outweigh the benefit)
• Segregation of duties may not be possible in small organisations
Documenting controls
The auditor must document on the audit file their understanding of the company’s internal control system. They may use:
Narrative notes – good for simple systems but hard to explain complex control systems
Questionnaires or checklists – easy to complete but not tailored to the client
Diagrams or flowcharts – Great for complicated systems but can be time consuming to put together
Communicating control deficiencies
ISA 265 outlines the requirements for auditors to communicate any deficiencies in internal control to management.
If the auditor finds significant deficiencies, they should:
• Discuss the weaknesses with those charged with governance on a timely basis
• Liaise fully with the internal auditors
• Assess the potential materiality and impact of the weaknesses on the financial statements
• Consider suggesting remedial action to address the weaknesses
Communication might be oral or written. If written, the following format is generally adopted:
The auditor will state what is wrong in the company’s process or what the business risk is.
Here the auditor explains why the weakness is a problem by describing the knock-on effect of the weakness.
A control will be recommended that management could put in place to mitigate the identified risk.
Designing controls
When designing controls, management or the auditor must consider what would be an appropriate control to prevent or detect the identified weakness in the system.