SYLLABUS AREA C- INTERNAL CONTROLS Flashcards

1
Q

Describe and explain the five components of a company’s internal control

A

1) Control environment: The AAA (attitude, awareness and actions) of top management, and their commitment to putting a sound system in place.

2) Entity risk assessment process: Auditor must understand the management’s scanning process to identify loopholes/ weaknesses in the organisation where things may go wrong.

3) The entity’s process of monitoring controls:

Monitoring is a check and balance to ensure control activities are operating effectively and, if not, that necessary remedial action is taken.
Monitoring can be ongoing or performed on a separate evaluation basis.

It is a key role of the IA function.

4) INFORMATION SYSTEM and communication:

is there a channel of communication where issues/ problems/ weaknesses / fraud instances or unusual activity is reported to the right level for prompt actions?
IS helps management be alert to ground realities and helps them with risk assessment process.

5) CONTROL ACTIVITIES:
Are there policies and procedures put in place by management to mitigate the identified risk? e.g. segregation of duties, passwords, physical security

2
Q

Why does an auditor need to understand the components of internal control that are relevant to the financial statements?

A

auditor needs to understand to evaluate the effectiveness of the company’s system so that they can determine the nature, timing and extent of audit procedures to be performed.

If CS is designed, implemented and working effectively, there will be less risk of MMS in FS, as they will either be prevented or detected and corrected.
the auditor will use assessment of control risk to determine the impact on audit strategy and audit plan.

3
Q

if control risk is low, what will be the impact on audit strategy and plan?

A

-auditor can rely more on internal controls and internally generated evidence.
-auditor can reduce the quantity of detailed substantive procedures to be performed at the final audit stage.
-audit strategy and plan will be updated to reflect that fewer substantive procedures will be required or smaller sample sizes can be tested at the final audit stage.

4
Q

if control risk is high, what will be the impact on audit strategy and audit plan?

A

-increased volume of procedures during and after year end
-increased level of substantive procedures, test of detail
-increased locations in audit scope
-less reliance on AP as client info is not reliable
-less reliance on written representation from management
-obtain more external evidence, from customers and suppliers.
-update audit strategy and plan to reflect additional testing required at final audit stage

5
Q

what are the limitations of internal controls?

A

controls can't always be relied on because:
-human error
-ineffective controls
-collusion of staff
-abuse of power (management override) eg. fabrication of FS by management
-use of management judgement on nature and extent of controls it chooses to implement

6
Q

Define direct and indirect controls

A

Direct controls address the risk of material misstatement at the assertion level. eg. agreeing the amounts on the payroll list with individual payslips to check accuracy.

Indirect controls support direct control, eg. manager reviews the payroll total each month to ensure it is in line with expectation.

7
Q

describe IT controls of a company

A

Level of risk from IT depends on nature and extent of technology use.

company may use complex technology like blockchain or simple tech like a simple user interface in which client enters data and it is processed by computer.

auditor must understand IT system and identify areas where risk might arise.

there are two types of IT controls: general controls and information processing (IP) controls

8
Q

what are general and information processing controls?

A

General controls: they support the operation of the IT environment, including the effective functioning of IP controls and the integrity of info.
eg.
access - make sure no unauthorised person can access apps, databases, network
job monitoring, backup and recovery, intrusion detection
segregation of duties, system development.

IP CONTROLS: relate to processing of information in IT apps or manual process. they address risks of integrity of information

they may be automated or manual.
eg. batch total checks to double check if any invoices are missing or entered twice
-sequence checks
-matching master files to transaction records
-arithmetic checks
-range checks
-existence checks (to check if employees exist)
-exception reporting

9
Q

why is it important for auditors to communicate with TCWG

A

importance:
-helps TCWG understand audit matters and develops a constructive working relationship
-helps auditors obtain information relevant to the audit, like obtaining an understanding of the entity, identifying sources of evidence and info on specific events.
-it helps TCWG fulfil their responsibility to oversee the financial reporting process, thus reducing risk of MMS.
-promotes two way communication

10
Q

what are some matters which the auditor may communicate to TCWG?

A

-Auditor's responsibilities
-audit plan and timetable
-key audit risks identified at planning stage
-significant difficulties encountered
-significant matters arising and accounting adjustments
-deficiencies in internal control system
-how EA AND IA can work together and any planned use of IA’s work
-any written representations required by auditor
-suspected frauds
-if planning to modify opinion
-for listed co: a confirmation that ethical standards have been complied with and safeguards have been put in place for any ethical threats identified.

11
Q

What are the different types of control activities?

A

Segregation of duties (different people for different roles to prevent fraud)
Authorisation (approval from a responsible official)
Information processing (controls including general and IT controls which ensure completeness and accuracy, eg. use of batch control total when entering transactions into system)
Physical controls (restricted access to computer)
Performance reviews (comparison of budget vs actual, analysing variances)

12
Q

what are application controls that can be applied to ensure completeness and accuracy of purchase invoices?

A

-Document counts – the number of invoices to be input are counted, the invoices are
then entered one by one, at the end the number of invoices input is checked against
the document count. This helps to ensure completeness of input.
-Control totals – here the total of all the invoices, such as the gross value, is manually
calculated. The invoices are input, the system aggregates the total of the input
invoices’ gross value and this is compared to the control total. This helps to ensure
completeness and accuracy of input.
-One for one checking – the invoices entered into the system are manually agreed
back one by one to the original purchase invoices. This helps to ensure completeness
and accuracy of input.
-Review of output to expected value – an independent assessment is made of the
value of purchase invoices to be input, this is the expected value. The invoices are
input and the total value of invoices is compared to the expected value. This helps to
ensure completeness of input.
-Check digits – this control helps to reduce the risk of transposition errors.
The system runs a mathematical formula on a particular data field, such as
supplier number, to check that the data entered into the system is accurate.
This helps to ensure accuracy of input.
-Range checks – a pre‐determined maximum is input into the system for gross invoice
value, for example, $10,000; when invoices are input if the amount keyed in is
incorrectly entered as being above $10,000, the system will reject the invoice. This
helps to ensure accuracy of input.
-Existence checks – the system is set up so that certain key data must be entered,
such as supplier name, otherwise the invoice is rejected. This helps to ensure
accuracy of input.

13
Q

Inventory not listed on the sheets is to be
entered onto separate sheets, which are
not sequentially numbered.

A

The supervisor will be unable to ensure
the completeness of all inventory sheets.
This could result in understatement of
inventory.

rec: Each team should be given a blank
sheet for entering any inventory count
which is not on their sheets. This blank
sheet should be sequentially
numbered, any unused sheets should
be returned at the end of the count,
and the supervisor should check the
sequence of all sheets at the end of the
count.

14
Q

Damaged goods are not being stored in a central area, as they are too heavy,
and instead the counter is just noting on the inventory sheets the
level of damage.

A

It will be difficult for the finance team to decide on an appropriate level of write
down if they are not able to see the damaged goods.
The inventory value for the damaged items may not be appropriate.
In addition, if these goods are left in the aisles, they could be inadvertently sold to
customers or moved to another aisle.

rec:
damaged goods should be clearly flagged by counters
use a machine to move them to a central location, to avoid the risk of selling these goods
a senior from the finance team should inspect these goods to assess the level of write down.

15
Q

Lily Window Glass Co undertakes
continuous production and so there will
be movements of goods during the count.

A

Goods may be missed or double counted
due to movements in the warehouse.
Inventory records could be under or
overstated as a result.

rec: raw materials required on the date of the count should be estimated and put to one side, and considered as WIP

goods manufactured on the count date should be stored to one side, counted at the end of the count and included as finished goods

goods received from suppliers should be moved to one location, counted at the end and included as raw materials

16
Q

The warehouse manager is to assess the
level of work‐in‐progress and raw
materials. In the past, a specialist has
undertaken this role.

A

unlikely that he is experienced enough for this; it will result in WIP being over or under valued

rec: hire specialist

17
Q

HOW DO AUDITORS RECORD SYSTEMS ON INTERNAL CONTROL?

A

NARRATIVE NOTES, FLOW CHARTS, QUESTIONNAIRES

18
Q

adv disadv of narrative notes?

A

simple to record
easy to understand by all staff
-
time consuming if system is complex
may be more difficult to identify missing controls

19
Q

advantages and disadvantages of flow charts?

A

easy to view whole system in one diagram
easy to spot missing controls due to use of standard symbols
-
difficult to amend, need to redraw diagram
narrative notes will still be needed, time waste

20
Q

adv, disadv of ICQs (internal control questionnaires)

A

quick to prepare, standard may be used
can ensure all common controls are present
-
may be overstated as client knows auditor wants to hear yes
unusual controls may not be identified
may contain a number of irrelevant controls

21
Q

ADV DISADV OF ICEs?

A

controls less likely to be overstated by client
quick to prepare
-
may still be overstated
checklist may contain irrelevant Qs
unusual risks may not be identified

22
Q

in what format are control deficiencies to be communicated to management?

A

REPORT TO MANAGEMENT

board of directors
address line 1
address line 2
address line 3
1 july 20x5

dear sirs,
audit of yr ended 30 april 20x5

please find enclosed report to management on deficiencies in internal controls identified during the audit for the yr ended.
please note this includes only defs identified, if further testing was performed, more defs may have been identified.
this report is solely for mgmnt use, if u have further questions pls contact us

yours faithfully,
an audit firm

APPENDIX
columns: control def and rec.

23
Q

how are deficiencies reported to management and TCWG?

A

-Should be communicated on a timely basis
-communicate formally through management letter
it includes:
weakness
consequence of weakness to company
recommendation, how to overcome it