Systems and Controls

Kaplan Chapter 8

ACCA Paper F8 INT

Audit and Assurance
1
 Learning Outcomes
1. Explain why an auditor needs to understand internal controls
2. Describe and explain key components of an internal control
system
3. Discuss the difference between tests of control and
substantive procedures
4. Identify and describe elements of internal control
5. Explain how auditors identify weaknesses in internal control
systems
6. Provide examples of application and general IT controls
7. Analyse limitations of internal controls in the context of fraud
and error
8. Identify and explain management’s risk assessment process
2
 Internal Control Systems
The directors are responsible for ensuring that the internal control
systems within the organisation are effective.

Safeguarding the company’s assets

The prevention and detection of fraud

Safeguarding the shareholders’ investment

Internal control systems refer to proper and efficient administration of all

business transactions for the benefit of the company and (hence) for the
financial statements.
The auditor must gain an understanding of the client entity internal control
systems.
3
 ISA 315 - Identifying and Assessing the Risks of Material Misstatement
through Understanding the Entity and Its Environment

• Five Components of an internal control system

1. The control environment
2. The entity’s risk assessment process
3. The information systems
4. The control activities
5. The monitoring of controls

4
 1. The control environment

• Communication and enforcement of integrity and

ethical values
• Commitment to competence
• Participation of those charged with governance
• Management’s philosophy and management style
• Organisational structure
• Assignment of authority and responsibility
• Human resources policies and practices

5
 2. The entity’s risk assessment process

• How management determines risks and how

they are managed.
• Vary depending on nature and size of the
business
• Large organisation may have departments
focusing on risk
If a robust procedure for risk assessment,
monitoring and feedback; the overall risk of
misstatement will be lower
6
 3. The information systems
• Initiate, record, process and report transactions
• Maintain accountability for assets, liabilities and equity
• Resolve incorrect processing of transactions
• Process and account for system overrides
• Transfer information to the general/nominal ledger
• Capture information relevant to financial reporting for
other events and conditions
• Ensure information required to be disclosed is
appropriately reported
• Data protection act 1998
7
 4. The control activities
Designed to ensure management directives are
carried out:
• Authorisation
• Performance review
• Information processing
• Physical controls
• Segregation of duties
• IT controls:
– Application
– General
8
 IT controls
Application controls
• Batch total checks
• Sequence checks
• Matching master files to transaction records
• Arithmetic checks
• Range checks (+/-)
• Existence checks (employees)
• Authorisation of transactions
• Exception reporting
E.g.: Sage50 – sales invoice can not be raised before the customer and nominal accounts
have been set up
General controls
• Data centre and net work operations
• System software acquisition
• Program change and maintenance
• Access security – passwords, locks, cards
• Backup procedures
9
 Memory help
ACCAMAP
Control Procedures:

Authorisation
Comparison – analytical review
Computer controls – passwords, maintenance
Arithmetical checks – working hours
Maintaining control accounts/records
Accounting reconciliations
Physical controls
 5. The monitoring of controls

• Ensuring effectiveness of control over time

• Ensuring its implemented
• Continually improve – internal auditors

11
 Ascertaining the system
Obtaining evidence of the design and
implementation of controls
• Enquiries
• Observation
• Walk through
• Procedures
• Prior knowledge – update
ISA 315 – enquiry alone in not sufficient

12
 Documenting the system
The auditor must record the company’s internal control system.
ISA 315 – the method is the auditors judgement

Organisational charts – roles, responsibilities, reporting structure

A narrative explanation of the systems

Descriptive notes
and controls
A diagrammatical representation of the
Flowchart
system and controls

Checklist A tick box system, compared to auditor

expected controls
ICQ – possible controls Internal control questionnaire (ICQ)
ICE – client confirms objectives met
Internal Control Evaluation Questionnaire (ICE)

All documentation should be reviewed for each audit and

updated as necessary. 13
 Internal Control Questionnaire
The ICQ is an auditor generated source of evidence.

Internal control questionnaire:

To Establish an understanding of the Internal controls

in Operation for each Class of transaction.

The Auditor will use the Evidence obtained as the basis for

Initial evaluation of the Internal control systems and

Internal control tests.

14
 Testing the Control System
Tests of control Vs Substantive procedures
Are the controls:
– Actually implemented
– Are they effective
Evidence
– How controls applied
– Consistency of application
– Who or what they were applied by
Methods of control testing
– Walk through
– Observation
– CAAT
Substantive procedures designed to detect material misstatement
– tests of detail and analytical
15
 Impact on Audit approach

In relation to the auditors response to the risk assessment they:

– Emphasise the need for professional scepticism
– Assign more staff with greater skills to risk areas
– Increase supervision levels
– Increase sampling selection and unpredictability
– Change nature and timing of procedures
– Increase substantive testing – detail
High risk of misstatement due to control environment
– Increase post year end procedures
– Increase substantive testing
– Increase location within the scope
Can never eliminate substantive testing due to
– Human error - judgement
– Simple processing error
– Collusion of staff
– Abuse of power 16
 Internal Control Systems
Internal control systems include the operational policies and
practices used by the organisation to control the efficiency and
integrity of day-to-day business transactions.
Day-to-day business transactions:

Sales
Linked to purchases,debtors, cash receipts,
discounts and bad debts etc.

Linked to creditors, stock, cash payments,

Purchases
discounts etc.

Including rates, hours etc. Linked to product cost,

Payroll
cash payments, HMRC and stock valuation etc.

Other expenses Linked to cash payments etc.

17
 Internal Control Systems
Effective internal control systems will seek to ensure the efficiency
and integrity of day-to-day business transactions.

General internal control activities:

Authorisation For all business transactions

Documentation Confirming authority and generating

an audit documentation trail

Checking transaction accuracy, discovering

Reconciliation
and correcting errors (and detecting fraud)

Segregation Between authorisation, performance

of duties and recording of transactions

18
 Financial Statement Assertions
ISA 500 – Audit evidence.
Auditors should use assertions for:

Class of transactions
Account balances

Presentation and disclosure

Financial statement assertions are the auditor’s reasonable

assumptions of the qualities, observed by management, included
in the financial statements items.

19
 Financial Statement Assertions
All audit tests will serve to confirm one or more of the
financial statement assertions.
Financial statement assertions
– Class of transactions:

Occurrence That a transaction actually occurred

Completeness That all transactions within the class

are included and recorded

Accuracy That a transaction is recorded at an

accurate value

Cut - off That all transactions are recorded to the

correct period

Classification That all transactions are recorded to

the appropriate account
20
 Internal Controls and Financial Statement Assertions

SDQ 6.2:

The draft financial statements of the company

currently being audited shows an entry of
£52,000 for office rent.

Required:
Taking each of the financial statement assertions (class of transaction) in turn, discuss
how you would approach the task of auditing this value

21
 Specific Other Issues
No two business will operate in exactly the same way. The type of
business and operating environment will determine the extent and
effectiveness of the internal control system.
Small businesses (owner / manager):

No formal control systems Control mechanisms created as

required by management

Weak controls
Overridden and / or ignored by management
as necessary or required

Where the auditor evaluates the internal control systems as weak, the
approach to audit work will be adjusted accordingly. (i.e. all
substantive testing and / or qualified report)

22
 Sales cycle
Objectives
• Sales made to valid customers
• Sales recorded accurately
• All sales recorded
• Cash collected timely
Control tests
– Sequence – no omission or duplication
– Existence of authorisation
– Orders - authorised
– GDN’s - signed
– Credit notes - signed
– Signed confirmation of nominal posting (grid)
– Observe reconciliations – performed and reviewed 24