Understanding and assessing Internal Controls AND Tests of Controls - Week 6 Flashcards
Memorize!
What is the definition of internal controls? And what are its objectives?
It is defined as the rules, objectives and policies that are carried out to control risks within an organisation. The objectives of internal controls are to:
- identify and minimize risks
- Ensure transactions are carried out in accordance to management’s authorisation.
- Ensure assets are safeguarded.
- To ensure laws, rules and regulations are complied with.
What are the five elements of internal controls that an auditor needs to understand?
- Control environment - auditor’s must know management’s overall ATTITUDE to internal controls.
- Entity’s risk-assessment process - know how risks are identified, assessed and responded to within the entity.
- Information System - know how a transaction is initiated, how documents and procedures are recorded and what are the controls surrounding journal entries.
- Control activities - Auditors need to inspect documents (see checkboxes!), observe an entity’s operations, etc.
- Monitoring of controls - Auditors must understand HOW the entity monitors internal controls over financial reporting.
If an auditor wants to use the work of an internal auditor, the auditor (external) must…
Re-perform some of the internal auditor’s work if they want to rely on it. According to the Pacific Acceptance case, an auditor has a duty to check and see for themselves.
When an auditor assesses the control risk for a particular account or transaction, the auditor must deem it to be either low or high. If the control risk is assessed as high, it is because the internal controls:
- Simply do not exist
- are poor or faulty and do not provide reliable evidence
- are effective, but the Test of Controls would be more time-consuming than performing direct substantive tests (e.g firm is small enough to do substantive testing)
When an auditor assesses the control risk for a particular account or transaction, the auditor must deem it to be either low or high. If the control risk is assessed as low, it is because the internal controls:
- are concluded as reliable. Therefore, the auditor will use Test of Controls to validate whether or not the internal controls is REALLY reliable. The lower the control risk is being assessed, the further the evidence needs to be gathered by the auditor.
The higher that we assess control risks…
the less reliance that an auditor will put on the internal controls and the more assurance the auditor must obtain from substantive testing.
The lower that we assess control risks…
the more reliance that an auditor is going to put on the internal controls, therefore more evidence must be gathered from Test of Controls (to ensure controls are operating effectively) than substantive procedures.
Method of testing controls: When no audit trail exists, greater emphasis is placed on:
-Observation and inquiry of the control
Method of testing controls: If an audit trail does exist…
Auditors should inspect documentation for evidence of that control being put in place.
Sales cycle (revenue, receivables and receipts) are commonly characterised by…?
High volume of routine transactions. The risk of material misstatement are commonly related to high-volume clerical processing rather than complex accounting problems.
Difference between routine transactions and non-routine transactions in a revenue, receipts and receivables system?
A routine transaction is well-controlled and well-suited to Test of Controls being operated. A non-routine transaction, however, do not have internal controls being developed for it. Substantive tests are usually taken to test a non-routine transaction.
What are some examples of non-routine transactions?
Adjustments for return of merchandise
Allowances for defective merchandise
Write-offs or allowances for bad debts
What happens if an auditor is using Test of Controls and finds out that the controls are not working accurately enough..?
The auditor will attempt to find a compensating control that will reduce the risk of material misstatement and test this control. If there is no compensating control, the auditor must use substantive procedures to assess the impact of this particular risk.
What are the differences between Accounts Payable and Accounts Receivable when it comes to auditing?
For an auditor, it is important to detect an understatement in Accounts Payable as this could lead to greater profit than what exists.
For an auditor, it is also important to detect an overstatement in Accounts Receivable as this could lead to greater profit than what exists.
Difference between general IT controls and application IT controls? Give 3 examples for each (Q7.9 of textbook).
General controls relate to many computerised accounting applications. Examples include segregation of duties between operators and programmers, approval of changes to a program and restricted access to a system.
Application controls apply to processing a specific type of transaction, such as payroll or invoicing. Examples include check digits, limit checks and validity checks.
