Systems and controls Flashcards

1
Q

What is audit risk?

A

Audit risk = inherent risk x control risk x detection risk

2
Q

What is the importance of internal control systems?

A

To design audit procedures, auditor needs to assess risk of material misstatement in financial statements. Then focus on those significant risk areas.
Internal controls – the mechanisms that clients design in an attempt to prevent, detect and correct misstatement.
Necessary for good financial reporting and to safeguard the assets of the shareholders. (Is a requirement of corporate governance).
Stronger the control system the lower the risk of material misstatement.

3
Q

What is the reliance on internal control systems?

A

May reduce the substantive testing performed

Auditor needs to:
Ascertain how the system operates
Document the system in audit working papers
Test the operation of the system
Determine the impact on the audit approach for specific classes of transactions, account balances and disclosures

4
Q

What are the basic principles of control systems?

A

Measure the effects of transactions and other relevant issues

Record those transactions and effects

Summarise them into a useable form

Publish those summaries to the relevant users of the information to assist decision making

5
Q

What are computerised systems?

A

Need to transfer information from one piece of paper to another is greatly reduced.
Once an invoice is entered into system, the TB, the ledger and the financial statements are all updated.
Once a transaction is entered into system it will be processed.
Calculations will be accurate

Human error (inputting data for example) and fraud can still lead to misstatement in computerised systems

6
Q

What are the components of an internal control system?

A

ISA 315 states that auditors need to understand an entity’s internal controls.

To assist this process it identifies 5 components of an internal control system:
The control environment
The entity’s risk assessment process
The information system
The control activities
Monitoring of controls

7
Q

What is the control environment?

A

Includes the governance and management function of an organisation
Focuses largely on the attitude, awareness and actions of those responsible for designing, implementing and monitoring internal controls
Elements of the control environment that are relevant when the auditor obtains an understanding include the following:
Communication and enforcement of integrity and ethical values
Commitment to competence
Participation by those charged with governance
Management’s philosophy and operating style
Organisational structure
Assignment of authority and responsibility
Human resource policies and practices
(Evidence through enquiry and observation)

8
Q

What is the entity’s risk assessment process?

A

Forms the basis of how management determines the risks to be managed
Processes vary depending on the nature, size and complexity of organisation
Larger organisations (usually listed ones) will have internal audit departments, whose roles focus heavily on risk identification and assessment

If client has robust procedures for assessing business risks it faces, the risk of misstatement, overall, will be lower

9
Q

What is the information system?

A

The information systems relevant to financial reporting objectives include all the procedures and records which are designed to:
Initiate, record, process and report transactions
Maintain accountability for assets, liabilities and equity
Resolve incorrect processing of transactions
Process and account for system overrides
Transfer information to the general/nominal ledger
Capture information relevant to financial reporting for other events and conditions
Ensure information required to be disclosed is appropriately reported

10
Q

What are the control activities?

A

Include all policies and procedures designed to ensure that management directives are carried out throughout the organisation.
Examples of specific control activities include those relating to:
Authorisation
Performance review
Information processing
Physical controls
Segregation of duties

11
Q

What are application controls?

A

Either manual or automated and typically operate at the business process level and apply to the processing of transactions
Examples include:
Batch total checks
Sequence checks
Matching master files to transaction records
Arithmetic checks
Range checks
Existence checks
Authorisation of transaction entries
Exception reporting

12
Q

What are general controls?

A

Policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems
Eg. Controls over:
Data centre and network operations
System software acquisition
Program change and maintenance
Access security – passwords, door locks, swipe cards
Backup procedures

13
Q

What are the typical controls operating in a business?

A

Control Procedures:

Authorisation
Comparison
Computer controls
Arithmetical checks
Maintaining control accounts/records
Accounting reconciliations
Physical controls
Segregation of duties

M- can be matching: ie invoice to delivery note and original order

14
Q

What is the monitoring of controls?

A

Process of assessing effectiveness of controls over time and taking necessary remedial action
If a control is not implemented properly or is simply considered ineffective then misstatements may pass undetected into the financial statements
Can either be ongoing or performed on a separate evaluation basis
Needs to be effective for the system to work
Monitoring of internal controls is often the key role of internal auditors.

15
Q

How would audit ascertain the systems?

A

Procedures used to obtain evidence regarding the design and implementation of controls include:
Enquiries of relevant personnel
Observing the application of controls
Tracing transactions through the systems
Inspecting documents, such as internal procedure manuals

Auditors can also use prior knowledge of systems but must be updated and tested
ISA 315 specifies that enquiry alone is not sufficient to understand the nature and extent of controls

16
Q

How would the audit document client systems?

A

Possible ways of documenting systems:
Narrative notes
Flowcharts
Organisation charts
Internal Control Questionnaire (ICQ) – list of possible controls, client confirms which applicable
Internal Control evaluation questionnaire (ICE) – lists control objectives with client then asked how meet objective

ISA 315 states that the method adopted is a matter of auditor judgement

17
Q

How would the audit test the client systems?

A

Having documented the systems the auditor needs to assess whether:
They are actually implemented
They are effective

In order to assess the operating effectiveness of controls in preventing and detecting material misstatement the auditor performs tests of controls
Designed to gather evidence concerning:
How controls were applied during the period
The consistency of application
Who (or what) they were applied by

18
Q

What are the methods of control testing?

A

  • Walkthrough tests, where a transaction is followed through the system
  • Observation of control activities, eg inventory count
  • Computer aided audit techniques
19
Q

How does systems and controls impact the audit approach?

A

Auditor amends the audit approach in response to risk assessment.
Achieved by:
Emphasising the need for professional scepticism
Assigning more experienced staff to risk areas
Increasing supervision levels
Increasing the element of unpredictability in sample selection
Changing the nature, timing and extent of procedures
Increasing the emphasis on substantive tests of detail
An effective environment may allow the auditor to place more reliance on internal controls
Typically, this increases the appropriateness of interim testing and allows the auditor to reduce the quantity of detailed substantive procedures performed
Can never eliminate the need for substantive procedures entirely because there are inherent limitations to the reliance that can be placed on internal control due to:
Human error in the use of judgement
Simple processing errors and mistakes
Collusion of staff in circumventing controls
The abuse of power by those with ultimate controlling responsibility

20
Q

If risk assessment indicates significant risk of material misstatement due to deficiencies in internal controls the auditor should respond by?

A

Increasing procedures conducted at & after the year-end
Increasing substantive procedures
Increasing the locations included in the audit scope

21
Q

What are the revenue cycle objectives?

A

To ensure that:

Sales are made to valid customers
Sales are recorded accurately
All sales are recorded
Cash is collected within a reasonable period

22
Q

What are the stages of the revenue cycle?

A

Order received
Goods despatched
Invoice raised
Sale recorded
Cash received
Cash recorded

23
Q

What are sales controls tests?

A

Tests of control should be designed to check that the control procedures are being applied and that the objectives are being achieved. Example procedures include:
Sequence checks on invoices, credit notes, despatch notes and orders. Ensure that all items are included and that there are no omissions or duplications.
Review the existence of evidence for authorisation in respect of:
- Orders – authorised by sales/production manager
- GDNs – signed by the foreman to confirm despatch of goods listed
- Credit notes signed by manager
Ensure invoices are signed to confirm that amounts have been posted and received in cash
Observe that control account reconciliations have been performed and reviewed

24
Q

What are the purchase cycle objectives?

A

Orders are made for valid and necessary business purchases
Purchase solutions are cost effective
Appropriate inventory items are received and stored securely
Purchases and related payables are recorded accurately
Cash is paid within a reasonable period and recorded accurately

25
Q

What are the purchase cycle stages?

A

Requisition raised
Order placed
Goods received
Invoice received
Purchase recorded
Cash paid

26
Q

What are purchase control tests?

A

Obtain the ledger recording purchase orders: ensure each page has been signed by a responsible official to confirm all orders have been recorded and there are no gaps in the sequence of orders
Obtain a sample of purchase invoices; ensure each invoice has been signed by a responsible official to confirm checks on the invoice have been completed and the invoice is passed for payment
Obtain a sample of credit notes; ensure each credit note is signed by a responsible official to confirm credit note details (goods description and quantity) have been agreed to the relevant goods returned note
Review the purchase order for the relevant signature for approval
Review purchase invoice for evidence that the invoice has been reviewed and checked
Review purchase invoice for initialling of grid stamp
Review supplier reconciliation note to ensure the control has been complied with

27
Q

What are the payroll system objectives?

A

Pays the right people
Pays the right rate
Pays for valid work done
Deals correctly with taxes and other deductions

28
Q

What are the payroll system stages?

A

Timesheets submitted
Standing data input
Processing of data
Recording of payroll
Staff paid

29
Q

What are the payroll control tests?

A

Test a sample of timesheets, clock cards or other records, for approval by a responsible official. Pay particular attention to the approval of overtime
Observe wages distribution for adherence to procedures ensuring employees sign for wages, that unclaimed wages are rebanked, etc
Obtain the payment sheet for casual labour payments and ensure this has been signed by the chief accountant to authorise the payments made
Obtain the weekly payroll and ensure this has been signed by a responsible official to approve the payments
Examine evidence of independent checks of payrolls
Inspect payroll reconciliations to confirm they are done regularly, agreeing PAYE liability to Inland Revenue records
Examine explanations for payroll expense variations
Test authorisation for payroll deductions by reviewing employees’ records, looking at who is authorised to make amendments, and observe process
Test authorisation for payroll amendments by reference to personnel records
Test controls over payroll amendments by reviewing changes and seeing whether they have been authorised. You could print off an exception report highlighting changes and follow those through. You could also do a dummy transaction to see how the system handles change

30
Q

What are the inventory system objectives?

A

Inventory levels are in keeping with the needs of
- Production (raw materials and bought in components)
- Customer demand (finished goods)
Inventory levels are not:
- Excessive
- Too low (stockouts)
Value for money is achieved
Goods/services delivered are what was ordered
Quality of goods/services delivered is satisfactory

31
Q

What is the inventory system process?

A

Inventory received
Inventory stored
Raw materials used in production
Inventory despatched
Inventory count

32
Q

What are the inventory control tests?

A

Observe physical security of inventories and environment
Obtain inventory records. Where quantity has been changed without reference to GDN and GRN, ensure that amendment is signed by a responsible official to authorise that change
In client’s warehouse, observe client staff ensuring that where a movement in inventory occurs, that movement is recorded on the appropriate GDN or GRN
Test for evidence of authorisation to write off or scrapping of inventories (existence of signature)
Observe controls over recording of movements of inventory belonging to third parties
Observe the procedures for authorisation for inventory movements ie the use made of authorised goods received and despatched notes
Inspect reconciliations of inventory counts to inventory records (this gives overall comfort on the adequacy of controls over the recording of inventory)
Test for evidence of sequence checks of despatch and goods received notes for completeness
Assess adequacy of inventory counting procedures and attend the count to ensure that procedures are complied with

33
Q

What are capital expenditure controls?

A

Controls virtually identical to controls over purchases. Some controls may vary, such as:
Capex often substantial amounts, so most companies require items in annual budget authorised by senior management
Regular revenue expense items may be monitored by simple variance analysis monthly
Capital items likely to be stored on an asset register, which records details of supplier, price, insurance details, current location, responsible employee, etc
As for inventories, assets likely to be checked against the register on a regular basis
Assets sold second-hand to be checked against similar items or price guides to ensure the company receives fair value
Ownership documents (title deeds, vehicle registration documents) will be safely stored

34
Q

What are the bank and cash system objectives?

A

Cash balances are safeguarded
Cash balances kept to a minimum
Money can only be extracted from bank accounts for authorised purposes

35
Q

What are the bank and cash system control tests?

A
  • Observe that mail opened by 2 staff to minimise the possibility of fraud
  • Reperform reconciliation of cash receipts to bank lodgements
  • Test for evidence of a sequence check on any pre-numbered receipts for cash
  • Test for evidence of arithmetical check on cash received records
  • Inspect current cheque books for
    Sequential use of cheques
    Controlled custody of unused cheques
    Any signatures on blank cheques
  • Test for evidence of arithmetical checks on cash payments records, including cashbook
  • Obtain file of direct debit payments – ensure each payment is authorised

Bank reconciliations:
  • Examine evidence of regular bank reconciliations, at least once per month, but in larger organisations this should be done daily or weekly
  • Examine evidence of independent checks of bank reconciliations (eg a signature)
  • Examine evidence of follow up of outstanding items on the bank reconciliation. Pay particular attention to old outstanding reconciling items that should be written back such as old, unpresented cheques

Petty cash:
  • Test petty cash vouchers for appropriate authorisation
  • Test cancellation of paid petty cash vouchers
  • Test for evidence of arithmetical checks on petty cash records
  • Test for evidence of independent checks on the petty cash balance
  • Perform a surprise petty cash count and reconcile to petty cash records

36
Q

Who should auditors report deficiencies in internal controls to?

A

Auditors should communicate deficiencies in internal control to those charged with governance and management
ISA 265 Communicating Deficiencies in Internal Control to Those Charged with Governance and Management
Agreed in engagement letter
Report to management at end of audit process, making clear that:
- The report is not a comprehensive list of deficiencies, but only those that have come to light during normal audit procedures
- Report is for sole use of company
- No disclosure should be made to a third party without written agreement of the auditor
- No responsibility is assumed to any other parties
Structure – deficiency, consequence, recommendation