
BPP Learning ACCA PAPER F8 AUDIT AND ASSURANCE (INTERNATIONAL) CHAPTER 9

Please note that I have added a few notes (in this colour) to these slides you may wish to add to your copy

Sources utilised in this lecture


BPP Learning Media (2011) ACCA Paper F8 Audit and Assurance (International) Study Text for Exams in 2012, chapter 9
ISA 315 http://web.ifac.org/download/a017-2010-iaasb-handbook-isa-315.pdf

23/11/2012

University of Greenwich

IK

Aims
After this session you should understand:
1. Why and how the auditor assesses the internal controls of the company
2. The implications of perceived sufficient, effective (strong) and perceived insufficient, ineffective (weak) internal controls


(Context) Auditor's duty: TO EXPRESS AN OPINION. To do that they need EVIDENCE.

Objectives You should be able to:


Define internal control.
Discuss (with appropriate examples) the 5 elements / components of internal control, the implication for the auditor's understanding of the entity and the resulting audit.
Discuss the auditor's consideration, recording of and testing internal control systems and how this impacts the resulting audit process and communication to the client.
Critically consider the various methods of recording internal control systems.

Objectives You should be able to:


Discuss the control implications inherent in small companies and the limitations inherent to internal control systems.
Discuss the 2 types of controls operational within a computerised environment.

Definition of internal control


WHAT? A process - designed, implemented, maintained (systems, to do something)
BY WHOM? Those charged with governance (usually directors), management and others
WHY? To provide reasonable assurance about achieving objectives of: reliable financial reporting, effective & efficient operations and compliance with laws and regulations.
Based on: http://web.ifac.org/download/a017-2010-iaasb-handbook-isa-315.pdf (ISA 315 paragraph 4)

Directors are not expected to account for every penny (because the cost of control would be too great).

Internal control and the audit


Auditor needs to UNDERSTAND (inter alia) the ACCOUNTING SYSTEM and CONTROL ENVIRONMENT (relevant to the audit) to design the appropriate audit approach.
Based on BPP Learning (2011) p 155

Understanding?
Aids in identifying risk of material misstatement, and to plan the nature (what kind of procedures), timing (when) and extent (how much) of audit procedures.
Based on BPP Learning (2011) p 155

How does understanding impact upon the auditor's approach?

When there are relevant, adequately designed and effectively (i.e. good or strong) operating controls
-> Controls test + Substantive tests (procedures)

When there are irrelevant, inadequately designed and/or ineffective (i.e. poor or weak) controls
-> Risk of material misstatement increases -> Focus on substantive tests (procedures)

Based on BPP Learning (2011) p 155

IC has 5 elements - ISA 315 (COSO)


1. Control environment
2. Risk assessment
3. Information system relevant to financial reporting
4. Control activities (formerly called control procedures)
5. Monitoring the controls
BPP Learning Media (2011) p155

1. Control environment


Control environment (CE)


Definition:
Very much depends on mgt (management)
Governance, management functions
Attitudes, awareness and actions (AAA)
Internal control and its importance
See detailed def. BPP Learning Media (2011) p156

How would the auditor view CE


Strong CE is a positive indicator when considering risk of MM (material misstatement)
Based on BPP Learning (2011) p 156

Elements of the control environment


Auditor inquires, observes, inspects in order to assess if these elements have been implemented:
1. Communication (and enforcement of) integrity and ethical values
2. Commitment to competence
3. Participation by those charged with governance

Elements of the control environment cont.


4. Management's philosophy and operating style (sincere, selfish, listens to suggestions, seeks to make improvements)
5. Organisational structure (recall the organisation chart?) links to
6. Assignment of authority and responsibility
7. Human resource policies and practices
See BPP Learning (2011) page 156 for a detailed discussion of each of the elements.

2. The risk assessment process


ISA 315 states the auditor needs to understand whether the entity has a process (system) to:
1. Identify risks (related to financial reporting objectives)
2. Estimate extent of risks
3. Assess likelihood of risky event occurring
4. Decide on actions to address risks
Based on ISA 315 par 15


What to do about risk assessment (RA) consideration?


If an entity has a RA process ->
The auditor identifies risk of MM that management's process did not identify (i.e. considers the adequacy or absence of ICs)

If an entity does not have a risk assessment process / or the process is ad-hoc (i.e. no fixed system)
The auditor must discuss risk of MM with management

http://web.ifac.org/download/a017-2010-iaasb-handbook-isa-315.pdf (ISA 315 par 16 and 17)

3. Information system (AIS) relevant to financial reporting (i.e. accounting information systems - AIS)

DEFINITION
Procedures and records designed and established to:
Initiate, record, process, and report transactions and to control assets, liabilities and equity;
Deal with errors in transaction processing;
Identify and deal with overrides in controls;
Transfer information to the GL (General or Nominal ledger) (can you think of an example?)

Examples:
Sales (daybook) and returns
Purchases (daybook) and returns
Cashbook
Petty cashbook
Journal, such as wages and deductions

Information system (AIS) relevant to financial reporting (cont.)


Record events other than transactions (can you think of an example?)
Ensure disclosable information is appropriately kept (how would an entity know what to disclose?)

Based on http://web.ifac.org/download/a017-2010-iaasb-handbook-isa-315.pdf (ISA 315, chapter A81)

Examples could include: Depreciation charges, Bad debts, Changes in provisions (doubtful debts, stock damage..), Revaluations, Impairment
Examples should include: Accounting standards, Company law

The auditor needs to obtain an understanding of information systems


...relevant to the financial reporting objectives. This includes controls related to journal entries, estimates etc.

See BPP Learning Media (2011) p 157


4. Control activities
Definition: Control activities are the policies and procedures that help ensure that management directives are carried out.
See BPP Learning (2011) p 157

ISA 315 requires an understanding of the control activities relevant to the audit and how the entity addressed IT risks.

Examples of control activities


Authorisation, check casting, review, re-count, multiple copies, sequential numbering of documents, reconciliations (physical with recorded, different systems against one another), segregation of duties, limiting physical access, comparing internal to external evidence.
See BPP (2011) p158

How to segregate?
Segregate:
1. Carrying out transactions (segregate this as well)
2. Recording (segregate accounting operations)
3. Safeguarding

(Authorisation, recording, custody - ARC)

Note that segregation of duties is sometimes regarded as part of the control environment
See BPP Learning Media (2011) p158

Example (Class)

How do you think segregation of duties would work for a supermarket - starting with the cashier's money tray?

Example (Class)
At this stage (rather unrealistically) we can ignore the fact that there are only limited numbers of staff.

Only named people can operate a till (perhaps only at certain times)
A different member of staff should collect the monies from the cash registers and complete the bank paying-in slip
A third member of staff should record it in the cashbook
A fourth member of staff should take the money to the bank
Remember ARC

5. Monitoring controls
Processes to assess effective functioning of internal controls for the period under review. Both design and functioning of controls need to be assessed on a frequent enough basis; changes to controls are needed when the entity's situation changes.
Based on BPP Learning (2011) page 158

Monitoring controls
Things auditor will take into consideration:
Internal audit
Sources of information
Basis for information to be deemed reliable
Major monitoring activities over financial reporting and correction of deficiencies.
See BPP Learning Media (2011) p 158

Small companies - the issue of control

Considering what we've said about internal control: What do you think could be the issue in a small company?

See BPP Learning (2011) p159

Insufficient staff (weak segregation of duties)

However, the control environment is likely to contain much more director involvement in ground-level functions and staff. This raises a further issue - directors overriding ICs and omitting transactions

Audit of smaller companies is possible using alternative techniques and choice of audit methods

Limitations of accounting and control systems


Internal control systems only provide REASONABLE assurance, because of INHERENT LIMITATIONS (auditor always aware of possibility of fraud - ISA 240).
Can you think of a few inherent limitations?

See BPP Learning Media (2011) p 160

1. Costs > benefits
2. Collusion between staff and/or directors, and/or customers, suppliers or others (fraud)
3. Other fraudulent acts (such as abuse of authority)
4. Human error
5. Management override of ICs
6. Change - an entity's activities can change but systems not modified to account for it
7. One-off (non-routine) transactions that cannot be accommodated by accounting systems

The use of internal control systems by auditors


Auditors assess the adequacy of the systems as a basis for f/s + financial statement preparation, and identify risks of material misstatement. Then consider further audit procedures.

The auditor must keep a RECORD of the client's system & update this annually
Methods of recording client systems are:
1. Narrative notes
2. Flowcharts
3. Questionnaires: ICQ (control and control objective focused) & ICEQ (error/omission and detection or prevention focused)
4. Checklists
See BPP Learning Media (2011) p 162-166

Keep in ? file and update yearly.

Keep in PERMANENT file and update yearly.

L11c
Audit and assurance J. E. Spencer-Wood

Recording systems, a bit more detail

Narrative notes and checklists
Flowcharts
ICQs: Internal control questionnaires
ICEs / ICEQs: Internal control evaluation (questions), risk based

December 2010 - 2

ICQs
A series of questions asking if expected ICs exist
Written so that answers indicate:
If YES = a strong control
If NO = a weak control

All controls would be included
An ICQ would usually be drawn up for each internal control cycle
The major cycles are sales, purchases, wages, cash, inventory, non-current assets

ICQs (cont.)
All appropriate internal controls should be included in an ICQ
Each answer (yes or no) must be considered individually as (in terms of likely material misstatement):
some controls are not as important as others
some may be irrelevant

ICEs
Rather than considering all expected ICs, the ICE is based on the likelihood of error or fraud in each cycle
Key (or control) questions are established
Each key question has a supporting bank of detailed questions

Some ICEs are written so that answers indicate:
If YES = strong control
If NO = weak control

ICEs

An ICE too would usually be drawn up for each internal control cycle
Example (Sales cycle)
Objective: Are all sales invoices recorded? (A key question in the sales cycle)
Supporting question: Are invoices sequentially numbered?

Two dimensional flow charts

[Figure: flowchart layout with Time on one axis and columns for Ordering, Sales, Warehouse, Accounts]

Time to ponder
Do you think the auditor only records the systems when he plans to place some reliance on it?

The answer is ....


NO, he needs to consider the internal controls as part of his planning process when considering the risk of material misstatement (Based on ISA 315).
However, he only performs controls tests when he believes the internal control system is sufficiently strong to place reliance on the controls having operated effectively.

Confirm understanding of controls


By doing a walk through test.


Tests of controls
Performed to obtain evidence about control:
Control design (prevent or detect and correct material misstatements at the assertion level)
Control operation (throughout period)

See BPP Learning Media (2011) p 166

What on earth does (s)he mean?


Assertion?? Time to revise a little from an earlier lecture! (Class)

Assertions (extract from prior lecture)
Categories of assertions (ISA 500)
Classes of transactions
1. Statement of Comprehensive Income (IS, P&L a/c)

Occurrence - Actual / in period / by entity
Completeness - Nothing left out
Accuracy - All data appropriately recorded
Cutoff - Correct period
Classification - Commission [In the right place - account coding]

August 2012

Categories of assertions (cont.)

ISA 500

2. Statement of Financial Position (Balance sheet)

Existence - Assets, liabilities, equity interests
Rights/obligations - Control of assets / obligations of liabilities
Completeness - Nothing left out
Accuracy - All data appropriately recorded
Valuation and allocation - Appropriate carrying values* and commission
* carrying amounts / NBV

Categories of assertions (cont.)

ISA 500

3. Presentation and disclosure

Disclosed events - Occurrence and rights/obligations - Have occurred; pertain to the entity
Completeness - Nothing left out
Classification and understandability - Appropriately presented and described; clarity
Accuracy and valuation - Information fairly disclosed; appropriate amounts

So, with assertions

All relevant categories need to be considered
All must be supported by SUFFICIENT APPROPRIATE evidence and

and, thinking of internal controls

ICs must ensure all appropriate assertions are controlled to prevent MM
For example:
Valuation (assertion) - Cost, revaluation, writedowns must not contain MM
Existence (assertion) - Assets must actually exist
etc..

Test of controls can include:


Inspection of documents
Enquiries (Inquiries)
Observation of IC procedures
Re-performance of controls
Examination of, for example, minutes of meetings
CAATs

Consider: How, with how much consistency, by whom controls are applied.
See BPP Learning Media (2011) p166-167

What is the implication of the controls test


May lead to a revision of the risk assessment, which in turn affects nature, timing, extent of further procedures (i.e. when control tests reveal initial risk assessments were incorrect).
Need to communicate significant deficiencies in WRITING to those charged with governance by means of a report to management (ISA 265).
Still often referred to as the management letter
Also communicate deficiencies to management

See BPP Learning Media (2011) p167-168

IT related Internal controls


General controls - things like back up plans, password protection, development, changes.
Application controls - think INPUT, PROCESSING, OUTPUT and MASTERFILE. Now, think COMPLETENESS, ACCURACY, VALIDITY ... more in a later lecture
See BPP Learning Media (2011) p 169-172

In class activity
P 173 Quick quiz
BPP Learning question 15 p368


Tutorial preparation
Revise chapter 9 of the textbook
Do tutorial questions 1-3

