L5 Understanding and assessing internal controls Flashcards
What is control risk?
The risk that a material misstatement could occur in an assertion and not be prevented or detected on a timely basis by the entity’s internal control.
When are tests of controls performed?
If control risk is assessed at less than high, tests of control need to be performed to gain evidence that specific control activities have been effectively and consistently applied throughout the period under audit.
What are the key objectives of internal controls?
Identify and minimise risks
Ensure effective management decision-making and efficient business processes
Carry out transactions with proper management authorisation
Comply with laws, rules, and regulations
Promptly and accurately record transactions
Restrict asset access to authorised individuals
Regularly compare asset records with actual assets
What are the key objectives of internal controls?
- Identify and minimise risks
- Ensure effective management decision-making and efficient business processes
- Carry out transactions with proper management authorisation
- Comply with laws, rules, and regulations
- Promptly and accurately record transactions
- Restrict asset access to authorised individuals
- Regularly compare asset records with actual assets
What is a preventive control?
Internal controls that are used to prevent undesirable events or errors.
What is detective controls?
Internal controls that are used to identify events or errors if they have occurred.
What is management’s role in internal control, and who holds ultimate responsibility?
- Management is responsible for initially establishing, maintaining, and supervising an appropriate internal control system.
- Effective internal control is key to efficient risk management.
- Ultimate responsibility for internal control rests with those charged with governance (e.g. board of directors).
What are the 5 components of internal control?
- Control environment
- Entity’s risk-assessment process
- Information system and communication
- Control activities
- Monitoring of controls
Describe the IC component: control environment
Includes governance and management’s overall attitude, awareness and actions regarding IC and its importance in the entity.
Describe the IC component: Entity’s risk-assessment process
- Entity’s way of identifying and responding to business risk.
- Once risks are identified, management assesses their significance and how to manage them.
- Management may introduce plans to address specific risks or accept a risk on a cost-benefit basis.
Describe the IC component: Information system and communication
- Identifies and records all valid transactions
- Resolves incorrect processing of transactions
- Processes and accounts for system overrides
- Transfers information from transaction processing systems to the general ledger
- Captures information for financial reporting beyond transactions
- Properly presents transactions and related disclosures in the financial report
What is the audit trail in the information system and communication component of internal control?
- The audit trail allows individual transactions to be traced through each step of the accounts.
- It enables verification of amounts in the financial report by tracing them back to original source documentation.
What are the main elements of an audit trail?
- Source documents: Initial records of transactions, created when a transaction is executed.
- Journal: A chronological record of all transactions.
- Ledger: A record that categorizes all financial transactions by account.
Describe the IC component: Control activities
- Authorisation and approval (by higher management)
- Reconciliation (comparing data elements for accuracy or completeness)
- Verification (comparing items with each other or a policy)
- Physical or logical controls (e.g., locked storerooms, fireproof safes)
- Segregation of duties (assigning different people to authorise, record, and maintain custody of assets)
What are the four phases of a transaction in segregation of duties?
- Authorisation: Initial approval of the transaction
- Execution: Committing the entity to the exchange (e.g., placing an order)
- Custody: Physical acceptance, delivery, or maintenance of assets
- Recording: Entering transaction data into the accounting system
Ideally, these phases should be kept separate.
How do control activities relate to financial report assertions?
Control activities can be related to the following assertions in financial reporting:
- Occurrence (e.g., authorisation and approval of transactions)
- Completeness (e.g., accounting for the sequence of transactions)
- Accuracy (e.g., checking dollar amounts against supporting documentation)
- Cut-off (e.g., independent review of transaction recording around balance date)
Describe the IC component: Monitoring of controls
Monitoring of controls is the process of assessing the effectiveness of internal controls.
It involves:
- Evaluating the design and operation of controls.
- Taking corrective action when necessary.
Management may monitor controls through:
- Ongoing activities like supervisory activities.
- Separate evaluations of controls.
Internal auditors often contribute to the monitoring process.
What is the role of the internal audit function in internal control and how may it affect the audit?
- Strengthens the internal controls and the monitoring of internal controls (if the internal audit function is effective).
- Internal auditing could be useful to an external auditor as it may affect audit risk (and thus the nature, timing and extent of audit procedures).
What does the external auditor have to consider when evaluating whether the internal audit is adequate for external audit purposes?
- Objectivity: The internal audit’s organisational status in the entity.
- Technical competence: Do the internal auditing personnel have adequate technical training and proficiency?
- Systematic and disciplined approach: Is the internal audit being conducted with due professional care? (e.g. internal audit work is properly planned, documented, supervised and reviewed).
What should the external auditor consider when determining whether to rely on the internal audit’s work?
- the amount of judgment involved in the work
- the assessed risks of material misstatement
- the objectivity of the internal auditors
- the technical competence of the internal auditors.
When does the auditor assess control risk as high?
- Internal control policies and procedures are poor (and don’t support a less than high assessment).
- Internal control and policies and procedures are effective but the audit tests would be more time consuming than performing direct substantive tests.
What is the difference between user controls and information technology controls?
- User controls: Performed by personnel in user departments and therefore are manual control activities.
- IT controls: Maintained in the location of the IT system.
What is the difference between general IT controls and IT application controls?
- General IT controls: Controls over the entity’s IT processes that support the continued proper operation of the IT environment.
- IT application controls: Manual or automated procedures that apply to the processing of transactions in individual IT applications.
What is the difference between automated controls and manual controls?
- Automated control: Suitable for high-volume, recurring transactions where types of errors can be predicted.
- Manual control: Suitable where judgement is required; transactions are large, unusual or non-recurring; and errors are difficult to predict.
