Systems and controls Flashcards
What is audit risk?
Audit risk = inherent risk x control risk x detection risk
What is the importance of internal control systems?
To design audit procedures, auditor needs to assess risk of material misstatement in financial statements. Then focus on those significant risk areas.
Internal controls – the mechanisms that clients design in an attempt to prevent, detect and correct misstatement.
Necessary for good financial reporting and to safeguard the assets of the shareholders. (Is a requirement of corporate governance).
Stronger the control system the lower the risk of material misstatement.
What is the reliance on internal control systems?
May reduce the substantive testing performed
Auditor needs to:
Ascertain how the system operates
Document the system in audit working papers
Test the operation of the system
Determine the impact on the audit approach for specific classes of transactions, account balances and disclosures
What are the basic principles of control systems?
Measure the effects of transactions and other relevant issues
Record those transactions and effects
Summarise them into a useable form
Publish those summaries to the relevant users of the information to assist decision making
What are computerised systems?
Need to transfer information from one piece of paper to another is greatly reduced.
Once an invoice is entered into system, the TB, the ledger and the financial statements are all updated.
Once a transaction is entered into system it will be processed.
Calculations will be accurate
Human error (inputting data for example) and fraud can still lead to misstatement in computerised systems
What are the components of an internal control system?
ISA 315 states that auditors need to understand an entity’s internal controls.
To assist this process it identifies 5 components of an internal control system:
The control environment
The entity’s risk assessment process
The information system
The control activities
Monitoring of controls
What is the control environment?
Includes the governance and management function of an organisation
Focuses largely on the attitude, awareness and actions of those responsible for designing, implementing and monitoring internal controls
Elements of the control environment that are relevant when the auditor obtains an understanding include the following:
Communication and enforcement of integrity and ethical values
Commitment to competence
Participation by those charged with governance
Management’s philosophy and operating style
Organisational structure
Assignment of authority and responsibility
Human resource policies and practices
(Evidence through enquiry and observation)
What is the entity’s risk assessment process?
Forms the basis of how management determines the risks to be managed
Processes vary depending on the nature, size and complexity of organisation
Larger organisations (usually listed ones) will have internal audit departments, whose roles focus heavily on risk identification and assessment
If client has robust procedures for assessing business risks it faces, the risk of misstatement, overall, will be lower
What is the information system?
The information systems relevant to financial reporting objectives include all the procedures and records which are designed to:
Initiate, record, process and report transactions
Maintain accountability for assets, liabilities and equity
Resolve incorrect processing of transactions
Process and account for system overrides
Transfer information to the general/nominal ledger
Capture information relevant to financial reporting for other events and conditions
Ensure information required to be disclosed is appropriately reported
What are the control activities?
Include all policies and procedures designed to ensure that management directives are carried out throughout the organisation.
Examples of specific control activities include those relating to:
Authorisation
Performance review
Information processing
Physical controls
Segregation of duties
What are application controls?
Either manual or automated and typically operate at the business process level and apply to the processing of transactions
Examples include:
Batch total checks
Sequence checks
Matching master files to transaction records
Arithmetic checks
Range checks
Existence checks
Authorisation of transaction entries
Exception reporting
What are general controls?
Policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems
E.g. controls over:
Data centre and network operations
System software acquisition
Program change and maintenance
Access security – passwords, door locks, swipe cards
Backup procedures
What are the typical controls operating in a business?
Control Procedures:
Authorisation
Comparison
Computer controls
Arithmetical checks
Maintaining control accounts/records
Accounting reconciliations
Physical controls
Segregation of duties
M – can be matching, i.e. invoice to delivery note and original order
What is the monitoring of controls?
Process of assessing effectiveness of controls over time and taking necessary remedial action
If a control is not implemented properly or is simply considered ineffective then misstatements may pass undetected into the financial statements
Can either be ongoing or performed on a separate evaluation basis
Needs to be effective for the system to work
Monitoring of internal controls is often the key role of internal auditors.
How would audit ascertain the systems?
Procedures used to obtain evidence regarding the design and implementation of controls include:
Enquiries of relevant personnel
Observing the application of controls
Tracing transactions through the systems
Inspecting documents, such as internal procedure manuals
Auditors can also use prior knowledge of systems, but it must be updated and tested
ISA 315 specifies that enquiry alone is not sufficient to understand the nature and extent of controls
How would the audit document client systems?
Possible ways of documenting systems:
Narrative notes
Flowcharts
Organisation charts
Internal Control Questionnaire (ICQ) – list of possible controls; client confirms which are applicable
Internal Control evaluation questionnaire (ICE) – lists control objectives, with the client then asked how it meets each objective
ISA 315 states that the method adopted is a matter of auditor judgement
How would the audit test the client systems?
Having documented the systems the auditor needs to assess whether:
They are actually implemented
They are effective
In order to assess the operating effectiveness of controls in preventing and detecting material misstatement the auditor performs tests of controls
Designed to gather evidence concerning:
How controls were applied during the period
The consistency of application
Who (or what) they were applied by
What are the methods of control testing?
Walkthrough tests, where a transaction is followed through the system
Observation of control activities, e.g. inventory count
Computer aided audit techniques
How does systems and controls impact the audit approach?
Auditor amends the audit approach in response to risk assessment.
Achieved by:
Emphasising the need for professional scepticism
Assigning more experienced staff to risk areas
Increasing supervision levels
Increasing the element of unpredictability in sample selection
Changing the nature, timing and extent of procedures
Increasing the emphasis on substantive tests of detail
An effective environment may allow the auditor to place more reliance on internal controls
Typically, this increases the appropriateness of interim testing and allows the auditor to reduce the quantity of detailed substantive procedures performed
Can never eliminate the need for substantive procedures entirely because there are inherent limitations to the reliance that can be placed on internal control due to:
Human error in the use of judgement
Simple processing errors and mistakes
Collusion of staff in circumventing controls
The abuse of power by those with ultimate controlling responsibility
If risk assessment indicates significant risk of material misstatement due to deficiencies in internal controls the auditor should respond by?
Increasing procedures conducted at & after the year-end
Increasing substantive procedures
Increasing the locations included in the audit scope
What are the revenue cycle objectives?
To ensure that:
Sales are made to valid customers
Sales are recorded accurately
All sales are recorded
Cash is collected within a reasonable period
What are the stages of the revenue cycle?
Order received
Goods despatched
Invoice raised
Sale recorded
Cash received
Cash recorded
What are sales controls tests?
Tests of control should be designed to check that the control procedures are being applied and that the objectives are being achieved. Example procedures include:
Sequence checks on invoices, credit notes, despatch notes and orders. Ensure that all items are included and that there are no omissions or duplications.
Review the existence of evidence for authorisation in respect of:
- Orders – authorised by sales/production manager
- GDNs – signed by the foreman to confirm despatch of goods listed
- Credit notes signed by manager
Ensure invoices are signed to confirm that amounts have been posted and received in cash
Observe that control account reconciliations have been performed and reviewed
What are the purchase cycle objectives?
Orders are made for valid and necessary business purchases
Purchase solutions are cost effective
Appropriate inventory items are received and stored securely
Purchases and related payables are recorded accurately
Cash is paid within a reasonable period and recorded accurately