Systems and controls Flashcards

1
Q

It focuses largely on the

A

attitude, awareness and actions of those responsible
for designing, implementing and monitoring internal controls

2
Q

The control environment includes the

A

governance and management function
of an organisation

3
Q

Elements of the control environment:

A

• How management’s responsibilities are carried out, demonstrating management’s commitment to integrity and ethical values.
• How those charged with governance demonstrate independence from management and exercise oversight of the system.
• How the entity assigns authority and responsibility in pursuit of its objectives.
• How the entity attracts, develops and retains competent people including recruitment policies, training policies and performance appraisals.
• How the entity holds individuals accountable for their responsibilities, e.g. performance measures and disciplinary policies.

4
Q

The entity’s risk assessment process

A

The auditor must obtain an understanding of the entity’s process for identifying
business risks relevant to financial reporting, assessing the significance of those
risks and addressing those risks. The auditor must then evaluate whether the
process is appropriate to the entity’s circumstances taking into consideration the
nature and complexity of the entity

5
Q

Business risks relevant to financial reporting are threats to the achievement of
ongoing business objectives and can lead to misstatement in the financial
statements.
Examples include

A

• New information systems and technology
• Rapid growth
• New accounting requirements/principles
• Maintaining the integrity of data and information processing
• Risks to the entity’s business strategy if the entity’s IT strategy does not effectively support the business strategy
• Interruptions in the IT environment when the entity does not make necessary updates to the IT environment or such updates are not timely

6
Q

The information system and communication

A

The information system relevant to financial reporting consists of all of the
activities and policies relevant to financial reporting and communication. It
includes the procedures within both computerised and manual systems.

7
Q

The information system includes all of the procedures and records which are
designed to:

A

• Initiate, record, process and report transactions.
• Maintain accountability for assets, liabilities and equity.
• Resolve incorrect processing of transactions.
• Process and account for system overrides.
• Transfer information to the general ledger.
• Capture information relevant to financial reporting for other events and conditions.
• Ensure information required to be disclosed is appropriately reported.

8
Q

Control activities

A

Control activities are the policies (statements of what should or should not be
done) and procedures (actions to implement policies) to achieve the control
objectives of management and those charged with governance

9
Q

Examples of specific control activities include those relating to:

A

• Authorisation to confirm the validity of a transaction.
• Reconciliations to address the completeness or accuracy of transactions.
• Verifications to address the completeness, accuracy or validity of transactions.
• Physical or logical controls to prevent theft of assets or data.
• Segregation of duties to reduce opportunity for any person to commit and conceal fraud in the normal course of their duties.

10
Q

Controls may be

A

direct or indirect

11
Q

A direct control addresses

A

the risk of
material misstatement at the assertion level

12
Q

Indirect controls support

A

the direct controls. The general IT controls given below
are examples of indirect controls

13
Q

IT controls are normally divided into

A

general controls and information
processing controls. An effective IT system should include both.

14
Q

General controls

A

General IT controls support the continued proper operation of the IT
environment, including effective functioning of the information processing
controls and the integrity of information in the information system

E.g. controls over:
• Access – Preventing unauthorised access to applications, databases, operating system, networks.
• Program changes or other changes to the IT environment – Segregation of duties, system development, data conversion.
• Process to manage IT operations – job scheduling, job monitoring, backup and recovery, intrusion detection.

15
Q

Information processing controls

A

Information processing controls relate to the processing of information in IT
applications or manual processes that directly address risks to the integrity of
information.

These controls may be automated (embedded in IT applications) or manual
(e.g. input or output controls). [ISA 315 (Revised 2019), A6]
Examples include:
• Batch total checks (e.g. when entering invoices onto the system the system may give a batch total i.e. the number of invoices actually entered. The clerk entering the invoices can then double check that the correct number of invoices has been entered and none have been missed or entered twice).
• Sequence checks (to ensure the number sequence is complete and no items are missing).
• Matching master files to transaction records (e.g. matching prices on sales invoices to the company’s price list to ensure the prices being applied are correct).
• Arithmetic checks (to verify arithmetical accuracy).
• Range checks (to ensure that data entered is within a reasonable range).
• Existence checks (e.g. to check employees exist).
• Authorisation of transaction entries (to ensure the transaction is valid and should be processed).
• Exception reporting (the system may generate an exception report when something which isn’t usual has occurred e.g. changes to bank details of employees which wouldn’t be expected to change often).

16
Q

Documenting client’s systems

A

The auditor must document the client’s control systems before evaluating
whether the system is adequate and working effectively

17
Q

Possible ways of documenting systems include

A

• Narrative notes – a written description of a system.
• Flowcharts – a diagrammatical representation of the system.
• Questionnaires – a prepared list of questions in relation to the client’s control system. There are two types of questionnaire that can be used:
  ◦ Internal Control Questionnaire (ICQ) – a list of controls is given to the client and they are asked whether or not those controls are in place.
  ◦ Internal Control Evaluation Questionnaire (ICEQ) – the client is asked to describe the controls they have in place for a given control objective.
• Organisation chart – a diagram showing reporting lines, roles and responsibilities.

18
Q

Testing the system

A

Tests of controls are performed only on those controls that the auditor has
determined are suitably designed to prevent, or detect and correct a material
misstatement in a relevant assertion.

Controls will only be worth testing if they are designed appropriately in the first
place (i.e. they are capable of preventing or detecting and correcting
misstatements) and implemented (i.e. the controls exist and the entity is using
them). When a control is not designed or implemented effectively, there is no
benefit in testing it.

19
Q

Typical methods of controls testing include:

A

• Observation of control activities, e.g. observing the inventory count to ensure it is conducted effectively and in accordance with the count instructions.
• Inspection of documents recording performance of the control, e.g. inspecting an order for evidence of authorisation.
• Using test data to ensure the programmed controls are working effectively. (See the ‘Evidence’ chapter)

20
Q
A

ISA 265 Communicating Deficiencies in Internal Control to Those Charged with Governance and Management requires the auditor to:
• Communicate any deficiencies that are of sufficient importance to merit management’s attention to management. [ISA 265, 10]
• Communicate significant deficiencies to those charged with governance. [ISA 265, 9]

21
Q

Deficiencies occur when:

A

• A control is designed, implemented or operated in such a way that it is unable to prevent, or detect and correct misstatements in the financial statements on a timely basis, or
• A control necessary to prevent, or detect and correct, misstatements in the financial statements on a timely basis is missing.

22
Q

The external auditor should consider the following when determining if a
deficiency in internal controls is significant:

A

• The likelihood of the deficiencies leading to material misstatements in the financial statements in the future.
• The susceptibility to loss or fraud of the related asset or liability.
• The subjectivity and complexity of determining estimated amounts.
• The financial statement amounts exposed to the deficiencies.
• The volume of activity that has occurred or could occur in the account balance or class of transactions exposed to the deficiency or deficiencies.
• The importance of the controls to the financial reporting process.
• The cause and frequency of the exceptions detected as a result of the deficiencies in the controls.
• The interaction of the deficiency with other deficiencies in internal control.

23
Q

Report to management/management letter

A

The auditor will communicate the deficiencies in a report to management or
management letter. It is usually sent at the end of the audit and comprises a
covering letter with an appendix containing the deficiencies the auditor has
found within the client’s control system(s) and recommendations to overcome
each deficiency.

24
Q

The appendix will set out the following:

A

Deficiency and consequence - A clear description of what is wrong. What could happen if the deficiency is not corrected? Focus on what matters to the client – the risk of a reduction in revenue, extra costs, stolen assets, errors in the accounts.

Recommendation - This must deal with the specific deficiency you have identified. It must also provide greater benefits than the cost of implementation. Try to specify exactly how the recommended control should operate, for example, suggest who should carry out the control procedure, and how frequently it should be performed.

25
Q
A