Systems and controls

Example of a Car Manufacturer

Physical Process

Car leaves Wheels Car kept in Car sold to

Mechanic Wheel dept.
previous provided warehouse dealership
Provided by finishes car
dept. by stores labour pool until sale

Accounting Systems and Process

Inventory Dr WIP – Wheels Dr WIP – Wheels Dr Finished Goods Dr COGS
& W/House Cr WIP - Trim Cr Inventory Cr WIP - Wheels Cr Finished Goods
Dr WIP – Wheels
Payroll
Cr Wages Payable

Sales & Dr Acc. Receivable

AR Cr Sales

When Stores runs out of tyres

Purch. Orders Stores receives

tyres from factory tyres

Purchasing Dr Inventory - tyres

& AP Cr Accounts Payable
 ASA 315: Information system and
communication

• How does the entity communicate:

• (i) Between people within the entity, including how financial reporting roles
and responsibilities are communicated;
• (ii) Between management and those charged with governance (TCWG);
and
• (iii) With external parties, such as those with regulatory authorities
 Information system and communication
• How does information on transactions flow through the entity’s information
system, including how they are:
– initiated,
– recorded,
– processed,
– corrected as necessary,
– incorporated in the general ledger
– reported in the financial statements;
• How is Information about events and conditions, other than transactions,
captured, processed and disclosed in the financial statements
• What are the accounting records, specific accounts in the financial
statements and other supporting records relating to the flows of information
in the information system
• What is the financial reporting process used to prepare the entity’s financial
statements, including disclosures
 The Information System
• The information system:
– Initiates, records, captures, processes, discloses transactions and
events
– maintains accountability for the related assets, liabilities and equity.
• Resolves incorrect processing of transactions, for example, automated
suspense files and procedures to clear suspense items on a timely basis;
• Processes and accounts for system overrides or bypasses to controls;
• Incorporates information from transaction processing in the general ledger
(e.g., transferring of accumulated transactions from a subsidiary ledger);
• Captures and processes information relevant to the preparation of the
financial statements for events and conditions other than transactions, such
as the depreciation and amortization of assets and changes in the
recoverability of assets; and
• Ensures information required to be disclosed by the applicable financial
reporting framework is accumulated, recorded, processed, summarized and
appropriately reported in the financial statements.
 The IT environment
The IT environment includes:
• Applications
– An IT application is a program or a set of programs that is used in the
initiation, processing, recording and reporting of transactions or
information. IT applications include data warehouses and report writers.
• IT infrastructure
– The IT infrastructure comprises the network, operating systems, and
databases and their related hardware and software.
• IT processes
– The IT processes are the entity’s processes to manage access to the IT
environment, manage program changes or changes to the IT
environment and manage IT operations
• Personnel involved to support the business operations and achieve
business strategies.
 IT controls

General information technology (IT) controls

• Controls over the entity’s IT processes that support the continued proper
operation of the IT environment, including the continued effective
functioning of information processing controls and the integrity of
information (i.e., the completeness, accuracy and validity of information) in
the entity’s information system.

Information processing controls

• Controls relating to the processing of information in IT applications or
manual information processes in the entity’s information system that directly
address risks to the integrity of information (i.e., the completeness, accuracy
and validity of transactions and other information).
 Understand the
accounting
information system

Procedures for
Classes of initiating, recording,
processing and
transactions
correcting
transactions

General ledger Inclusion in the

postings financial statements

How other
Accounting records information, not
transactions, are
captured
 Audit of Information system controls

Identify:
• Controls that address risks of material misstatement at the assertion level
• Controls that address a risk that is determined to be a significant risk
• Controls over journal entries, including non-standard journal entries used to
record non-recurring, unusual transactions or adjustments
• Controls for which the auditor plans to test operating effectiveness in
determining the nature, timing and extent of substantive testing, risks for
which substantive procedures alone do not provide sufficient appropriate
audit evidence;
• Identify the IT applications and the other aspects of the entity’s IT systems
 Information system controls

Examples of controls in the control activities component include:

• authorizations and approvals

• reconciliations
• verifications (such as edit and validation checks or automated calculations)
• segregation of duties
• physical or logical controls
• safeguarding of assets (custody)
 Risks arising from the use of IT

• Assess the susceptibility of information processing controls to ineffective

design or operation
• Assess the risks to the integrity of transactions and other information in the
entity’s information system
– completeness,
– accuracy
– validity
due to ineffective design or operation of controls in the entity’s IT
processes
 Physical controls

What physical controls exist?

Is there direct access?

Access via a pin?
Access via an SMS code being sent?

What arithmetical/accounting controls exist?

Control accounts
Batch totals
Hash totals
Sequentially numbered documents
 Extent of audit tests
• Business risk approach places reliance on the
effectiveness of the control environment (internal controls)
and analytical evidence.

• Auditors should be selective in the detailed work they

perform, concentrating on the client’s systems that are
critical to their ability to form an opinion.

• Important parts of the control environment are:

– an effective internal audit function (see later lecture).
– A system of internal control (see corporate
governance at end of course too)

NOTE – MORE TO COME IN LECTURE 8 ON TESTS OF IT

CONTROLS

13
Audit Tests
 Audit tests

Three types of test may be

performed on an audit:

• Walk through tests

• Tests of control

• Substantive tests
 Audit tests of systems
• The purpose of accounting is to collect financial information about the
company and report it to stakeholders
• Accounting information is produced as goods and services are
developed, manufactured or provided

• The purpose of an audit is to provide users of the financial information

reasonable assurance that the information is complete, accurate, and
free from misstatement.
• To do this the auditor must perform Audit Tests.

• The first stage is to understand the system.

 The accounting systems and
controls
• After planning an audit we conduct the interim
audit and determine whether the accounting
records are likely to be genuine, accurate and
complete.
• There is an important relationship between:
– internal controls,
– control risk,
– tests of controls, and
– the extent of substantive procedures.
• If accounting and control systems are good and
the general control environment satisfactory
(internal controls), it is more likely control risk is
lower and that the accounting records will be
reliable.
• The effectiveness of the accounting and control
system is closely related to control risk (see last
week) – this has a bearing on the extent of
substantive procedures (see later).

17
 Interim Audit:
Understanding the systems
To understand the accounting systems we need to
ask:
• What are the major classes of transaction
– sales,
– purchases
– inventory
– bank and cash
– PPE
– payroll
• How is a transaction initiated?
• What accounting records exist and what
documents are produced?
• How do these produce the accounts in the financial
statements?
• What is the accounting and financial reporting
process?
First we establish the systems and processes using
narratives, flowcharts and walk through tests
 Recording the accounting (and control) systems

Visual description:
1. Organization charts
2. Information trail/ audit trails
3. Flow charts:
document flow chart
data flow diagram
system flow chart
program flow chart.

Use questionnaires and checklists to assess the systems:

• Internal control questionnaire (ICQ)
• Internal control evaluation questionnaire (ICE)
• Electronic data processing (EDP) or IT checklists

In practice, a combination of narrative description, flowcharts and questionnaires

and checklists will be used. Each method has its advantages and disadvantages.

19
 Walk through tests
• Auditors use ‘walk-through tests’ to:
• understand the system,
• record the system
• see if the entity has appropriate controls in force.

1. Find out which people operate the systems

• Enquire into: who does what?
2. Interview key people involved
• ask: what do you do?
3. Note the distribution of documents such as invoices and orders
• Which documents go where?
4. What are the accounting entries as a result of the transactions
• Construct the information/ audit trail.

• Auditors record the systems and controls using:

– Narrative descriptions
– Visual descriptions- flow charts
– Questionnaires and checklists
 Walk through tests

• Walk through tests are used to understand the system and

identify the key controls that will reduce control risk.
• The internal control system may include policies and procedures
that extend beyond the accounting system.
• Auditors are concerned with those that are relevant to the audit.
• Walk through tests may use:
– flowcharts
– questionnaires
– narratives
– checklists

Control risk can be assessed after

understanding the system
 Walk through tests
• Establish which systems there are:
– Sales
– Purchasing
– Inventory (stock)
– Payroll
– Property, plant and equipment
– Bank and cash
• First understand the system:
– Talk to staff
– review procedure manuals
– inspect documents
– observe operations and procedures
• Then check your understanding of how the systems operate in
practice by walking through them:
– Trace transactions all the way through the system from initiation
of a transaction to final completion/payment
 Flow charts
• Who does what?
• What do they do and how?
• What documents are used?
– Obtain copies of all documents as you
chart the system.

• Understand the system

• Pinpoint strengths and weaknesses
• Identify controls
 Flowcharts

• Advantages:
1. Aids understanding of accounting/control systems.
2. To draw a flow chart auditors need to understand how the entity
controls its operations.
3. Detects strengths, weaknesses, unnecessary procedures and
identifies all the documents in the system

• Disadvantages:
1. Time-consuming to prepare and difficult to alter.
2. In simple systems, narrative descriptions better.
3. Considerable variation of symbols used.
4. Requires experience to prepare and interpret.
5. In complex situations can be too simplistic.

24
 Understand the system
Perform walk through tests
• To ensure the system works as
flow-charted/ documented

• Identify if the accounting systems

Systems could exist without any controls
• Identify the key controls
• Identify what could stop things
going wrong
 Determine systems and the controls in place – using
walk-through tests

Trace a few transactions through the accounting

information systems. For example:
• Select some sales orders from credit customers
Recording and trace to:
• (a) granting the credit;
systems • (b) the despatch note;
• (c) the sales invoice;
and walk • (d) the entry in the sales ledger;

through • (e) posting to the sales ledger control account

(trade receivables account );

tests • (f) entry in the inventory records.

Objective: NOT to prove ALL transactions are properly

recorded but to understand the system, record it, and
see if entity has appropriate controls.
 Understand the system

Need to update the system from last year:

Para A41 ASA 315 (revised):

The auditor is required to determine whether information obtained from the

auditor’s previous experience with the entity and from audit procedures
performed in previous audits remains relevant and reliable, if the auditor
intends to use that information for the purposes of the current audit. If the
nature or circumstances of the entity have changed, or new information has
been obtained, the information from prior periods may no longer be relevant or
reliable for the current audit. To determine whether changes have occurred that
may affect the relevance or reliability of such information, the auditor may make
inquiries and perform other appropriate audit procedures, such as walk-
throughs of relevant systems. If the information is not reliable, the auditor may
consider performing additional procedures that are appropriate in the
circumstances.
 Audit tests
Once we understand the system and have identified the key
controls, we need to plan our other tests:

ASA 330, para 4 defines:

• Test of control – An audit procedure designed to evaluate

the operating effectiveness of controls in preventing, or
detecting and correcting material misstatements at the
assertion level.

• Substantive procedure – An audit procedure designed to

detect material misstatements at the assertion level.
Substantive procedures comprise:

Tests of details:
– classes of transactions
– account balances
– disclosures
Substantive analytical procedures’

28
 Tests of control will verify whether
controls are working in practice or not

First we need to establish the controls

and then test them

Tests of The amount of substantive testing

depends upon how much reliance can
control be placed on key controls
and We then substantiate by direct
substantive evidence that there are no material
misstatements in the accounts
tests
 • Controls prevent, detect or correct events
that the entity does not wish to happen.

• ASA 315 (revised) (see lecture 2) defines

the system of Internal control as:

• The process designed, implemented and

maintained by those charged with
governance (TCWG), management and
other personnel to provide reasonable
Controls assurance about the achievement of an
entity’s objectives with regard to reliability of
financial reporting, effectiveness and
efficiency of operations, and compliance
with applicable laws and regulations.

30
 Control activities
• Controls include (VARPPS):
– Verifications
– Authorizations
– Reconciliations
– Performance reviews
– Physical controls including general and application controls over
information processing
– Segregation of duties

31
 Segregation of duties
• Assigning different people the responsibilities of:
– authorising transactions,
– recording transactions
– custody of assets
• Segregation of duties is intended to reduce the opportunities to allow any
person to be in a position to both perpetrate and conceal errors or fraud in
the normal course of the person’s duties.
• A manager authorising credit sales should not be responsible for
maintaining accounts receivable records or handling cash receipts.
• Could someone create a fictitious sale that could go undetected? What
controls would pick it up?
• Could a salesperson modify product price files or commission rates?
Periodic reviews by someone outside sales to see if a salesperson changed
prices - and if so asks why?
• Smaller entities may lack sufficient resources to achieve ideal segregation,
and the cost of hiring additional staff may be prohibitive.
 Collusion/ segregation of duties

• Segregation of duties depends on people being genuinely

independent of each other.
• If they work together – they may collude – this defeats the
object of the control, it is as if the control does not exist.
• If person A keeps inventory records a control might be that
person B checks by counting the physical inventory and
comparing it with inventory records.
• If A misappropriates (steals) inventory and B is involved in
the fraud – B will not report any differences between the
physical stock and the inventory system.
• As a general control principle: management should check
outputs for reasonableness and ensure that duties are
rotated periodically.
– Good control is people taking holidays
• Collusion is one reason fraud is so often difficult to detect.
Looks as though there is proper segregation of duties but
ineffective where two people act as one.

33
 • During your walk through tests and
understanding of the systems identify
any key controls
• Then test whether these controls are
operating as you understand them to
operate in practice by performing
tests of control
– are the controls complied with by
staff?
Tests of – do staff over-ride controls?
• Identify conditions indicating the
control performance of controls
• Identify deviations that indicate a
control is not working
• To place any reliance on a control it is
essential to check that it operates in
practice
• You are checking the controls- not
the transactions
 Internal control
questionnaires/
evaluations
• Consider REAPS:
R Has the transaction been Recorded and
how?
•
E What Evidence exists for the
transaction?
•
A What Authority is there over the
transaction?
•
P Is the transaction Properly recorded?
•
S Are there any Special factors that apply to
the audit area under consideration?

Plan the extent of the final audit work.

 Tests of control

Auditors have to decide, using their judgment,

whether the system appears strong enough for them
to rely on it in arriving at conclusions on the
assertions.

Auditors perform tests of control to satisfy

themselves that their initial conclusion about a system
is valid.

Objective: to decide if in fact the system and controls

can be relied upon to detect any errors.

36
 Tests of controls

• See whether the controls are working as documented and have

been implemented all year round.
• Do tests of control at the interim audit and complete them at the
final audit.
• It is not worthwhile if:
– A high level of assurance can be gained from inherent control
factors and the system of internal controls and analytical
reviews
– The area is not material
– Preliminary review indicates that controls are not strong and a
high level of assurance is needed from substantive tests.
 • Tests of information/ audit trails.
• Testing outputs.
• Interviews with company staff
(inquiry) using interviewing style
conducive to getting people to be
talkative.
• Observing staff at work (observation),
Tests of keeping eyes open and not assuming
controls staff will always operate in the
manner they have told you they do.
• Re-perform control procedures.
• Examine management reviews.
• Test reliability of budgets prepared by
management.
 Tests of control

Tests of control
– observations
– Ask questions
– Inspections
– reviewing
– re-performance.

Use Internal control questionnaires (ICQs) to assess any key controls

Then use internal control evaluations (ICEs) to assess if they were
operating as expected
 Tests of control: examples
• Control
– Bank reconciliations are done every day
• Test of control
– Check 10 random days in the year and see
that a bank reconciliation was done.
• Control
– Financial controller (FC) signs the credit
approval for a new customer
• Test of control
– Select 10 new customers in the year and
check that the FC has signed the credit
approval
• Check for the signature
• You are not checking whether the FC
should have approved it or not
 Internal control questionnaires/
evaluations

• Identify/ test/ evaluate

• Prepare internal control questionnaires

– Identify key controls

• Perform tests of control

– Establishes whether the key controls identified actually work in
practice.

• Complete Internal Control Evaluation

– Evaluate whether you can rely on these controls as operating
properly throughout the year
 Internal control
questionnaire (ICQ)

• ICQs record details of the system – especially

useful in recording small systems.
• Used to interpret the strengths and
weaknesses of the systems.
• Designed to prompt memory as to the matters
of importance in the system.
• Indicates whether individual parts of the
system are strong or weak, but requires overall
conclusion.

42
 Internal control evaluations (ICE)

• ICEs are not used to record the system, but to evaluate the controls
in the system

• Sets objectives for auditors, phrased as key questions.

• These key questions can often only be answered by asking other

questions.

43
 Evaluate the controls (ICES)

• Consider whether any of the controls can be relied upon all year.
• At the year end audit consider the results of the tests of controls
done during the interim audit and final audit
• Plan substantive tests based on the internal control evaluations
• Where possible use the same samples for substantive tests and
tests of control.
Sales system

Cash sales
Sales on credit
 Class of transaction
• Cash Sale
• Posted to Sales and bank/cash

• Sale on credit
• Posted to Sales ledger

Definitions Account balance

• Sales
• Bank and cash
• Accounts receivable (sales ledger
control account)
A system may impact both the
P&L and balance sheet
 – Theft of cash – likelihood
high, magnitude low
Cash
sales: • Controls over:
– Custody over cash
Inherent – Authorisation of the sale
risk and – Recording of the
controls transaction
– Execution of the sale and
cash received
 Consider REAPS
• Internal Controls Questionnaires should
establish if there are controls to ensure that
for all sales for cash:
– The cash received by the entity is
recorded
– There is evidence of the transaction
taking place
Cash Sales- – There was authorisation for that person
making the sale and taking the cash
controls – The sales and cash is properly accounted
for and recorded:
Dr Cash
Cr sales
– All cash is deposited at the bank:
Dr bank
Cr cash
Unlikely to be any special factors
 Cash Sales Systems
• Take CARE/ REAPS

• Are only certain individuals authorised to receive

cash?
• Are there pre-numbered receipt forms or cash
registers with sealed till rolls?
• Are receipts always given to customers or a QR code/
bar code is scanned?
• Is cash regularly collected by a separate person,
reconciled to till roll/ receipt books and signed and
banked?
• Are takings reconciled to the bank statement?
• Are duties rotated -and what about holidays?
 Sales on credit: Inherent risk and controls

CREDIT SALES are where the company extends credit

(NB - not to be confused with a credit card sale)

What might be an inherent risk? Depends on the

system – has it changed? Is the system complex? \

• Consider controls over:

– Custody over accounts receivable-journal entries/ credit notes
– Authorisation of the sale
– Recording of the sales transaction
– Execution of the sale and monies received
 • All customers orders are executed and evidence
exists?
– Incoming orders are recorded and given a
number
Example: You book an airline ticket- given
Credit booking reference number by the airline –
their transaction record.

sales – Orders are matched with invoices and

outstanding parts of orders are listed.

systems: – Sequence checks on orders are made by

someone else such as the sales manager

Are there • Credit sales are only made to good credit risks
(part of authorisation)?
– Credit checks are made on all new customers
controls by credit control staff.
– Sales manager approves all credit sales to new
to ensure customers.
– Sales staff have screens showing credit limits
that: available on a real-time basis.
– Any sales going over a credit limit need
approval by the sales manager.
 Credit sales systems:
controls

• All sales are invoiced and recorded?

– The sales order generates a despatch note
against which goods are delivered by the
drivers at the warehouse
– Invoices are pre-numbered and are attached
to despatch notes and order notes by finance
staff.
– Signed despatch notes (delivery notes) by
customers are matched against the invoices.
– Sequence checks on order numbers,
despatch notes and invoices are made by
the reconciliations clerk.
– Statements are sent to customers monthly.
 Credit sales system
controls
• Prices, discounts and GST are correct and
properly recorded?
– Invoices use price lists and customer discount
tables.
– The computer systems calculates GST/ tax.

• All invoices are recorded properly in the sales

ledger?
– Finance staff check invoice postings to the sales
ledger
– A reconciliations clerk prepares statements and
ageing analyses.
– Cash and BPAY/ electronic receipts are handled
by the cash and banking area staff
– The sales manager reviews all statements and
an aged debtors listings.
 Credit sales
systems: controls

• The sales ledger is reconciled to the

sales ledger control account to ensure
properly recorded?
– The reconciliations clerk reconciles
the sales ledger to the Sales Ledger
Control (general ledger) daily.
– The financial controller checks all
reconciliations.
• All credit notes are authorised?
– The sales manager authorises all
credit notes before they are passed
to the finance department for
processing.
– The financial controller signs off a
listing of credit notes issued daily
 Credit sales

• Are all credit postings to the sales ledger authorised?

– The reconciliations clerk lists all credit entries on a monthly
basis which are approved by the financial controller.
– All bad debt write-offs are authorised by the financial
controller and sales director.
 • Are only authorised shipments despatched?
– Only warehouse staff are physically allowed
to despatch goods.
– The despatch note and order form are sent
to finance for filing with the invoice.
– One copy of the despatch note is signed by
the customer and filed with another copy
and invoice.

Credit
sales
 Credit sales

Are all inventory records updated?

– A copy of the despatch note is sent to the
stores clerk who updates the stock
records.
– Reconciliations do a sequence check of
despatch notes held by the stores clerk
monthly.
– Internal audit check postings from
despatch notes to stock records.
– Reconciliations reconcile stock cards to
stock accounts monthly.
 • Controls and testing
controls are vital to an
audit

Summary • Those controls need to

be evaluated- are they
working in practice?
What happens when
someone is on
holiday?

• Be sceptical, use your

judgement.

• Remember assertions,
evidence, risk

• Plan the final audit