Internal control systems
The auditors must understand the accounting system and control environment in order to
determine their audit approach.
Internal control is the process designed, implemented and maintained by those charged with governance,
management, and other personnel to provide reasonable assurance about the reliability of
financial reporting, effectiveness and efficiency of operations, and compliance with
applicable laws and regulations.
An understanding of internal control assists the auditor in identifying types of potential
misstatements and factors that affect the risks of material misstatement and in designing the
nature, timing and extent of further audit procedures.
Many of these controls will relate to financial reporting, operations and compliance, but NOT
ALL of the entity's objectives and controls will be relevant to the auditor's risk assessment.
The auditor can then decide whether it is more efficient to seek reliance on those controls and
perform tests of controls in that area, OR more efficient to perform substantive testing over
that area.
5 Components of Internal control systems
C: Control activities
R: Entity's Risk assessment process
I: Information system
M: Monitoring of controls
E: Control Environment
Components of Internal Control
Internal control components: ISA 315 Identifying and Assessing the Risks of Material
Misstatement through Understanding the Entity and Its Environment considers the
components of an entity's internal control. It identifies the following components:
1. Control Environment
This is the culture, attitude, awareness and actions of those charged with governance and
management concerning the entity's internal control.
Read pg 172 BPP text book for further understanding
Assess whether these elements of the control environment have been implemented using a
combination of enquiries of management and observation and inspection.
2. Entity's Risk assessment process
This is the process by which management goes about:
Identifying business risks relevant to financial reporting objectives
Estimating the significance of the risks
Assessing the likelihood of their occurrence
Deciding on actions to address those risks
it is also more difficult for accidental errors to be processed (since the more
people are involved, the more checking there can be)
Segregation of duties
Segregation should take place in various ways:
(a) Segregation of function:
carrying out a transaction
recording that transaction in the accounting records
maintaining custody of assets that arise from the transaction.
ADVANTAGES
relatively simple to record and can facilitate understanding by all audit team members
easy to follow and review as the information is presented in a standard form
eliminate the need for extensive narrative and can be of considerable help in highlighting the salient points of control and any deficiencies in the system.
DISADVANTAGES
a lot more time consuming than representing it as a simple flowchart, especially if the system is complex
Narrative notes will still be needed to explain the flowchart and hence it can be time consuming
Time can sometimes be wasted by charting areas that are of no audit significance.
Questionnaires
Internal Control Questionnaires (ICQs)
Internal Control Evaluation Questionnaires (ICEQs)
Checklists share many of the same advantages and disadvantages of ICQs and ICEQs.
Tests of controls
Tests of control are performed to obtain audit evidence about the effectiveness of the:
design of the accounting and internal control systems, ie whether they are suitably
designed to prevent, or detect and correct, material misstatement at the assertion level
operation of the internal controls throughout the period.
Auditors should consider:
How controls were applied
The consistency with which they were applied during the period
By whom they were applied
Substantive test
Substantive Audit Procedures
Test of Transactions: Vouching, Tracing, Recalculation, Sequential Test
Procedures for tests of control
Inspection of documents supporting controls or events to gain audit evidence that internal
controls have operated properly,
eg verifying that a transaction has been authorised
Enquiries about internal controls which leave no audit trail,
eg determining who actually performs each function, not merely who is supposed to
perform it
Reperformance of control procedures
eg reconciliation of bank accounts, to ensure they were correctly performed by the entity
Examination of evidence of management views
eg minutes of management meetings
Testing of internal controls operating on computerised systems or over the overall IT function,
eg access controls
Observation of controls to consider the manner in which the control is being operated
Communication of deficiencies in internal control
A deficiency in internal control exists when:
(a) A control is designed, implemented or operated in such a way that it is unable to
prevent, or detect and correct, misstatements in the financial statements on a timely basis
(b) A control necessary to prevent, or detect and correct, misstatements in the financial
statements on a timely basis is missing
Significant deficiencies in internal controls shall be communicated in writing to those charged
with governance and management
Impact of deficiencies on the auditor's reliance on internal control pg 185
Where significant deficiencies are identified, the auditor will have to use purely
substantive procedures to obtain sufficient appropriate audit evidence.
The auditor will not seek to place reliance on internal controls.
Deficiencies may not be identified during planning and risk assessment, but only
become apparent later in the audit process. If this is the case, and the original
audit plan was based on a reliance on internal controls, that audit plan will need
to be amended, with the likely result that further audit procedures will need to
be performed.
Internal controls in a computerised environment
GENERAL CONTROLS
Development/implementation of computer applications
Full testing procedures using test data
Segregation of duties so that those responsible for design are not responsible for testing
Installation procedures so that data is not corrupted in transition
when transferring data from the old system to the new system
Review the report from the IT department on any deficiencies noted during the transfer of data
Training of staff in new procedures and availability of adequate documentation
Prevention or detection of unauthorised changes
Segregation of duties (between the person who enters a transaction and the person who amends it)
Full records of program changes (Report)
Password protection of programs so that access is limited to computer operations staff
Restricted access to the central computer by locked doors, keypads, or a password to enter the room where the central computer is located
Restricted access to authorised users only (password)
Virus checks on software: use of anti-virus software and a policy prohibiting use of non-authorised programs or files
Back-up copies of programs being taken and stored in other locations
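The segregation-of-duties and program-change-record controls listed above can be tested by reperformance over system logs. The Python below is an added example, not part of the original notes; the log layouts, field names, identifiers and sample records are all constructed assumptions.

```python
# Constructed sample data: transaction audit trail (transaction id, action, user).
TRANSACTION_LOG = [
    ("T001", "enter", "alice"), ("T001", "amend", "bob"),
    ("T002", "enter", "Carol"), ("T002", "amend", "carol"),
    ("T003", "enter", "dave"),
]

# Constructed sample data: register of recorded program changes.
CHANGE_REGISTER = {
    "CHG-1": {"designed_by": "erin", "tested_by": "frank"},
    "CHG-2": {"designed_by": "erin", "tested_by": "erin"},
}

# Constructed sample data: change ids found deployed on the live system.
DEPLOYED_CHANGES = ["CHG-1", "CHG-2", "CHG-3"]


def same_user_enter_and_amend(log):
    """Transactions where one user both entered and amended the record."""
    entered, amended = {}, {}
    for txn_id, action, user in log:
        # Assumption: user ids are case-insensitive, so normalise before comparing.
        if action == "enter":
            entered.setdefault(txn_id, set()).add(user.lower())
        elif action == "amend":
            amended.setdefault(txn_id, set()).add(user.lower())
    return sorted(t for t in entered if entered[t] & amended.get(t, set()))


def design_test_conflicts(register):
    """Program changes designed and tested by the same person."""
    return sorted(c for c, r in register.items()
                  if r["designed_by"].lower() == r["tested_by"].lower())


def unrecorded_changes(deployed, register):
    """Deployed changes with no entry in the program change register."""
    return sorted(set(deployed) - set(register))


if __name__ == "__main__":
    print("Enter/amend by same user:", same_user_enter_and_amend(TRANSACTION_LOG))
    print("Design/test by same user:", design_test_conflicts(CHANGE_REGISTER))
    print("Changes without a record:", unrecorded_changes(DEPLOYED_CHANGES, CHANGE_REGISTER))
```

Each returned id is an exception to follow up with enquiry and inspection, as with any other test of control.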