September-December 2016 Examinations ACCA 66

F8

INTERNAL CONTROL
1. Recording the client’s accounting system
One of the first things that the auditor has to do in a new audit is to record
the client’s accounting system.

This will allow the auditor to evaluate the internal control system and will allow
the audit to be conducted more efficiently.

Where it’s a repeat audit, the auditor must ensure that their records of the client
system are updated and remain accurate.

There are three ways of recording the system:

◉
Narrative notes
◉
Flowcharts
◉
Questionnaires.

With narrative notes, the auditor simply writes a few paragraphs explaining, for
example, exactly what happens to a supplier’s invoice when it’s received: how it
may be matched with goods received notes, how the calculations are checked, how
it is filed, how it is posted to the payables ledger, and how the amount is eventually
paid.

Narrative notes can be relatively quick to prepare. Typically you observe what
happens, you ask the client what happens, and you may also look at the
accounting procedures which they have established more formally.

The main problem that arises with narrative notes is the lack of structure or discipline.
It’s very easy for documents to appear in narratives and then not be mentioned
again and the audit team is then wondering what happens to these documents,
and where they can be found.

In flowcharts, diagrams are used to show the documents, the files, the
calculations, and the checks that are performed. Flowcharts can be somewhat
slower to produce and are certainly more difficult to amend (though nowadays,
flowcharting has been helped greatly by computer graphics systems).
Flowcharting imposes a great discipline on how systems are recorded as it has
very specific rules about how flowcharts are to be drawn. In addition, there is
usually a special symbol which is reserved to show where checks are performed.
Auditors are particularly interested where checks are performed because this is
helping the client to reduce their control risk.

Questionnaires can be used to record the accounting system, but they go slightly
further than mere recording: they actually begin to evaluate the accounting system.

There are two main patterns of questionnaire:

◉
Internal Control Questionnaire (ICQ).
 September-December 2016 Examinations ACCA 67
F8
◉
Internal Control Evaluation Questionnaire (ICEQ)
2. In ICQs, when you get the answer “yes” to a question, it is a good sign.
An example of a question could be, “Are suppliers’ invoices cancelled when
they are paid?” The answer “Yes” is good, the answer “No” is bad because it
means that those invoices could be inadvertently paid a second time.

3. The other type of questionnaire is an internal control evaluation

questionnaire (ICEQ). Here the answer “No”is good and a typical question
might be “Can suppliers’ invoices be paid twice?”

4. Internal control evaluation questionnaires are rather more open-ended and

flexible. What they are addressing are internal control objectives: the
mistakes and errors that we want to stop. Internal control questionnaires
seek out specific internal controls which can help internal control objectives to
be achieved. ICEQs will almost certainly require greater skill from the auditor.
Instead of simply having to find out if invoices cancelled, the auditor has to
assess whether or not invoices are liable to be paid twice and that’s a rather
more highly skilled operation.
5. Components of internal control systems
These are the five components of internal control systems:
◉
The control environment. We have mentioned this before. We said that it was
essentially the regard with which the internal control system is held. It’s to
do with the ethics and the culture of the organisation and whether internal
control and careful recording are held in high esteem by the management of
the company and indeed everyone working for it. Under this heading we can
also include how people are recruited, trained, the structure of the
organisation, responsibility, and accountability.
◉
The risk assessment process. This looks at how the entity itself assesses
material risks which might arise. It has to estimate the significance of those
risks and the likelihood that are occurring. Having identified a risk, having
assessed the likelihood of its occurring, the entity then has to decide
what to do about it. WHat controls would address the risks identified?
◉
The information system. An example of how a good information system
is useful in control can be seen in how the company produces and uses its
management accounts. Comparing actual results to budgets can give
management warnings that something had gown wrong or been mis-
recorded in the accounting system. The auditors also have to have an
understanding of the significant accounting estimates and judgments which
may be present in the financial statements.
◉
Control activities. These are defined as those policies and procedures, in
addition to the control environment, which are established to achieve the
entity’s specific objectives
◉
Monitoring controls. The operation of controls can be monitored first by
supervisors, then by managers, then by the finance director, or perhaps
nowadays more likely the audit committee. If the operation of controls is not
monitored they are likely to fall into this repair.

The heart of establishing a good internal control system is asking what could
September-December 2016 Examinations ACCA 68
F8
possibly go wrong and then asking how that can be prevented.

6. Control Activities
Control activities consist of the following:
◉
Segregation of duties. This means that no single transaction can be carried
out by just one person. If a transaction can be carried out by one person, it’s
very difficult to control that transaction. The person and his work undergo no
checking procedures meaning that errors are likely to go uncorrected; it also
opens the door to fraud. So, if one person could order the goods, receive the
goods, receive the invoice and pay the invoice, then it will be very easy for
those goods to be deflected to that person’s home or friends and family. In
fact, although we always have to be mindful of fraud, the more important
aspect of segregation of duties is the fact that one person is checking
the work of another and so errors are likely to be identified and corrected.
◉
Authorisation. The authorisation or approval and control of documents is
very important. Transactions should be approved by the appropriate person.
For example the purchase of fixed assets, the granting of credit, the writing off
of a bad debt, and the approval of employees’ overtime.
◉
Comparison. Comparing, for example, the results of stock takes to the book
records of stocks. Another example would be comparing goods receive
notes with the original purchase orders to make sure that what has been
received was, in fact, what was ordered. Constant comparison means that
errors, if they do occur, are much more likely to be discovered.
◉
Computer controls. More and more entities rely on computerised accounting
systems and computer controls are very important. We will see a whole
section on these later but, for example, it will be important to ensure the
backups of the data are regularly taken. It’s worth pointing out at this
stage that once a transaction gets into a computerised system it’s liable
to be automated from then on and there is less chance for ‘common sense’ to
be applied to that transaction later in its life.
◉
Arithmetic controls. These are perhaps slightly less important now that
more calculations are done by computer systems. But nevertheless it’s
important to make sure that simple calculations are correct, and in many cases
it may still be appropriate to re- perform those calculations at least on a test
basis.
Maintaining trial balances and control accounts. If the trial balance doesn’t
๏ balance or the control accounts don’t reconcile then something is amiss,
and the sooner that is found, the better.
◉
Accounting reconciliations. Reconciliations mean comparing a particular
balance in the accounting records with what another source says. For
example comparing the cash balance with a bank statement or comparing
a payables balance with the supplier statement.
◉
Physical. There should be physical safeguards established over certain assets
particularly inventories and cash. These assets can often be desirable, portable
and valuable. If they are not safeguarded, they are liable to go missing.
 September-December 2016 Examinations ACCA 69
F8
Physical controls would also apply to making sure inventories kept in
conditions in which they do not deteriorate, for example the warehouse
may need to be adequately heated or ventilated to ensure that the
inventory doesn’t get damp.

7. The inherent limitations of internal controls

Although auditors place reliance on internal controls, you must understand that there
are certain inherent limitations:
◉
Cost v benefit. The cost of establishing a system of internal
control may be greater than the benefits. To
take a ridiculous example, it’s very unlikely that
anyone is going to establish a system of internal
control over the issue of paperclips or
envelopes. The amount of management time
taken up with authorising trivial amounts of
expenditure simply makes it uneconomic. At
some stage however the benefits may
outweigh the costs and, for example, when it
comes to photocopying many organisations do
have some sort of authorisation or at least
accounting system to track who uses most of
the photocopying resource.
Human error. For example, one person makes out an
invoice using the wrong selling price and
another one checks it and doesn’t see the
error. This is always a possibility even in the best
regulated circumstances.
Collusion. Where two or more employees cooperate to
get around the internal control system. The
collusion might be to carry out a fraud or it
might be to cover up some error that was
made. The more segregated duties are, the
more people it would need to collude to carry
out an entire transaction.
Bypass of controls. Say someone has forgotten to order a vital piece of
equipment and that to speed matters up,
instead of getting the proper authorisation for
the purchase, they issue the purchase order
without that authorisation. They are bypassing
the controls: it may be done with the best
possible intentions, but if bypass of controls
becomes too common essentially the controls
are not operating.
◉
Non-routine transactions. These are transactions that are so rare that no system
of internal control has been devised. An example
can be the disposal of non-current assets. Many
of these assets are scrapped when they are
September-December 2016 Examinations ACCA 70
F8
disposed of, and to establish a system of
internal control might not have been thought
worthwhile. However, occasionally an asset with
a substantial value might be disposed of, and if
there is no system for getting the right price and
for ensuring that the proceeds come to the
organisation, then there is a possibility that
those transactions are not properly recorded.
September-December 2016 Examinations ACCA 71
F8
September-December 2016 Examinations ACCA 72
F8
September-December 2016 Examinations ACCA 73
F8