Introduction To Internal Control Flashcards
What is a system of internal control?
Designed, implemented and maintained by those charged with governance, management and other personnel
To provide reasonable assurance that the entity achieves its financial reporting objectives, effectiveness and efficiency of operations, and compliance with laws and regulations
To address identified business risks that threaten these objectives
Some limitations of internal controls
Human error
Unusual transactions
Collusion
Limitations of internal controls in small companies
Informal nature/lack of documentation
Limited numbers of staff, to the detriment of segregation of duties
Are D’s applying UK CGC required to report on risk management and systems of internal control in the company’s annual report?
Yes
Components of internal control
- Control environment
- Risk assessment process
- Info system and communication
- Control activities
- Monitoring
What is the control environment?
Governance and management functions
Attitude, awareness and actions of those charged with G+M concerning internal control + its importance
Examples of strong control environment
Existence of audit committee
Internal audit function
Effective documentation of controls
Importance of controls communicated
No management override
Recruitment of employees with integrity
Is an audit committee required under UK CGC?
Yes
What is an audit committee required to have?
Written terms of reference
Can business risk arise from setting inappropriate objectives and strategies?
Yes
Developing internal controls to address business risks process
- Identify relevant business risks
- Estimate their significance
- Assess likelihood of their occurrence
- Decide actions to address risks
Examples of circumstances that cause risks
Changes in operating environment
New personnel
New information system
Rapid growth
Restructuring
New technology
New business models
New products
New activities
Expanded foreign operations
Information systems and communication
A component of internal control
Including the financial reporting system
Consists of procedures and records
To initiate, record, process and report entity transactions
And maintain accountability for the related assets, liabilities and equity
Examples of elements of information systems and communication that auditors are interested in
Identifying significant classes of transactions
Systems for preparing FS
Accounting software used
Related accounting records and supporting information
Roles and responsibilities allocated to personnel
Danger of internal controls being overridden at the FS preparation stage
What are control activities?
The policies and procedures that help ensure management directives are carried out
ISA (UK) 315 types of control activities
- Authorisation + approval
- Reconciliations
- Verifications
- Physical/logical controls
- Segregation of duties
Authorisation
Affirms transaction is valid
Authorisation usually takes form of…
Approval by higher management
Or verification
Approval
Automatic
Reconciliations
Compare 2 (or more) data elements.
If differences are identified then action is taken to bring data into agreement.
Generally address completeness or accuracy of processing transactions
Verifications
Compare 2 (or more) items with each other
Or to policy
Likely includes follow up action when they don’t match
Generally address completeness, accuracy or validity of processing transactions
Physical or logical controls examples
Secured facilities
Banking cash immediately
Authorisation to filed
Electronic tagging of inventory and portable non-current assets
Segregation of duties examples
Authorising transactions
Recording transactions
Maintaining custody over assets
2 general types of computer controls
- General IT controls
- Information processing controls
General IT controls definition
Support continued proper operation
Including information processing controls
And integrity of the information (completeness, accuracy and validity)
E.g. controls over system design, programming, documentation.
Testing system performance
Staff training
Password protection
Restricting physical access to central computers
Virus checks
Backups off site
Disaster recovery procedures
Information processing controls
Can be IT or manual
Directly address risks to the integrity of information
(i.e. completeness, accuracy, and validity of transactions and other info)
4 types of information processing controls
- Input completeness
- Input accuracy
- Input authorisation
- Standing data
Controls over input completeness examples
Sequence checks
Document counts
One to one checking of processed output to source documents
Procedures over resubmission of rejected data
Controls over input accuracy examples
Existence checks e.g. customer name
Reasonableness checks e.g. VAT to total
Character checks e.g. no unexpected characters in ref no.
Range checks e.g. no timesheet processed over certain no. weekly hours
Controls over input authorisation definition
Manual
To ensure information was authorised and input by authorised personnel
Controls over standing data
One to one checking of amendments to source documents
Periodic review
Who is recommended to monitor the actions of the executive related to cyber security?
NEDs/Audit committee
What does understanding systems and controls allow an external auditor to do?
- Assess level of control risk
- Determine audit approach
The auditor must document the client’s internal controls. What are 3 ways of doing that?
- Narrative notes
- Questionnaires/Checklists
- Diagrams/flowcharts
Narrative notes
Good for simple systems
Juniors can complete
Questionnaires/Checklists pros
Easy to complete
Covers all areas
Questionnaires/Checklists cons
May overstate controls
Not tailored to client
Diagrams/Flowcharts pro
Best for complex system overview
Diagrams/Flowcharts cons
Complex and time-consuming to prepare
Reader needs to understand symbols used