Topic 3 - The nature of and process for effective internal controls Flashcards

1
Q

What is Internal Control?

A
  • A system to help make sure an entity can achieve its objectives
    What are the directors doing to ensure they meet their objectives in relation to reliable F.S., effectiveness and efficiency of operations and compliance with applicable laws and regulations.
2
Q

What are the reasons for having a system of internal controls?

A
  1. minimising business risk
  2. continuous effective functioning of the company
  3. compliance with relevant laws and regulations
3
Q

What are the five components of internal control?

A

CRIME
1. Control Environment
2. The Entity’s Risk assessment process
3. The Information system and communication
4. Control activities
5. The entity’s process to Monitor the system of internal control

4
Q

What is the Control Environment? (crimE)

A
  • Attitude of directors to internal controls
  • Awareness of internal control issues in the company
  • Actions of senior management in relation to controls
    Essentially, what are the directors doing to establish the culture and ethical behaviour of the company to prevent, detect and correct errors or fraud

Includes the governance and management functions of the organisation

5
Q

What is an Audit Committee and who should have one?

A
  • A subcommittee consisting of a number of non-executive directors
  • All UK listed companies should have one but it is considered good practice for large companies
6
Q

What do the Audit Committee do?

A
  1. review internal controls and risk management systems
  2. monitor financial statements
  3. monitor and review effectiveness of internal audit department
  4. be an internal audit function
  5. recommend appointment, reappointment and removal of external auditor
  6. approve remuneration and engagement terms of external auditor
7
Q

What is the Risk assessment process? (cRime)

A
  1. identify relevant business risks
  2. estimate the significance of the risks
  3. assess the likelihood of occurrence
  4. decide upon actions (internal controls) to manage them

Management of an organisation have the responsibility to evaluate business risks

8
Q

What is the Information system and Communication? (crIme)

A

Main business processes - both manual and those generated by IT

9
Q

What do information systems consist of?

A

Infrastructure (physical and hardware components), software, people, procedures and data

10
Q

What are general IT controls?

A

Controls over the entity’s IT processes that support the continued proper operation of the IT environment

Controls over whole IT systems

11
Q

What are examples of general IT controls?

A
  1. restrict access / prevent unauthorised access
  2. ensure the continuity of operations
  3. development of computer applications
  4. prevention or detection of unauthorised changes to programs
  5. testing and documentation of program changes

  1. passwords
  2. back up procedures, disaster recovery plans, maintenance checks
  3. user testing and approval
  4. virus checks, restricted access to standing data, password protection
  5. staff training
12
Q

What are information processing controls?

A

controls relating to the processing of information in IT applications or manual information processes that directly address risks to the integrity of information

these controls operate at the business process/data level

13
Q

What are examples of information processing controls?

A
  1. input: authorisation
  2. input: accuracy
  3. input: completeness
  4. processing master files and standing order

  1. manual signature
  2. batch checks, range limits, reasonableness checks
  3. document counts
  4. batch reconciliation and exception reporting
  5. one-to-one check, controls over deletion
14
Q

What are Control activities? (Crime)

A

the policies and procedures that help ensure that management directives are carried out

15
Q

What are the types of control activity?

A

SPAR-V
Segregation of duties, Physical or logical controls, Authorisation and approvals, Reconciliations, Verifications

  • petty cash count (logical control)
  • comparison of bank statement and balances with cash at bank nominal ledger account (reconciliation)
  • comparing actual expenditure with budget and investigating differences (verification)
16
Q

What is the difference between reconciliations and verifications?

A

Reconciliations require two things to agree (match), while verifications are a comparison but do not need to match

17
Q

How often should the entity’s process of monitoring the system of internal control be undertaken and who can monitor this? (criMe)

A

in a timely and systematic manner

  • directors
  • audit committee
  • internal auditors
18
Q

What are the limitations of internal controls?

A
  • expense of control - cost may outweigh benefit
  • human element - lack of experience or time pressure can cause mistakes
  • collusion
  • unusual transactions - bypass internal controls
19
Q

Why do small companies have problems implementing effective internal control?

A
  • fewer people means they can’t segregate duties - often a single person in charge of entire process
  • reduced number of experienced staff (less expertise)
  • senior staff may be in a position to ignore internal controls
20
Q

What are cyber security risks?

A
  • human threats
  • fraud
  • deliberate sabotage
  • viruses and other corruptions
  • malware
  • denial of service attack
21
Q

What are the activities of internal audit?

A

Should not be involved in day-to-day operations

  • monitoring internal controls / operating audits
  • examining financial and operating info
  • value for money reviews
  • compliance reviews
  • special investigations

Should not be involved in designing or operating control systems