
Page 265

CHAPTER 7
Understanding and assessing internal control

LEARNING OBJECTIVES (LO)


7.1 Explain the concept of internal control, its inherent limitations and
how it links to the audit strategy.
7.2 Describe the general objectives of internal control and how the
auditor uses them to develop specific control objectives.
7.3 Identify and define each of the components of internal control.
7.4 Identify the steps in a financial report audit by which the auditor
obtains an understanding of internal control and assesses control
risk, and the methods and procedures used by the auditor in each
step.
7.5 Distinguish between user controls and information technology (IT)
controls, between general controls and application controls, and
between automated controls and manual controls, and identify the
general controls and application controls that affect the auditor’s
assessment of control risk in a computerised system.
7.6 Explain the role of the internal audit function in internal control and
how it may affect the audit.
Copyright © 2018. McGraw-Hill Australia. All rights reserved.

Gay, GE, & Simnett, R 2018, Auditing and Assurance Services in Australia, McGraw-Hill Australia, Sydney. Available from: ProQuest Ebook Central. [2 October 2020].
Created from usc on 2020-10-02 21:28:27.
RELEVANT GUIDANCE

ASA 200/ISA 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with Australian (International) Auditing Standards

ASA 260/ISA 260 Communication with Those Charged with Governance

ASA 315/ISA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment

ASA 402/ISA 402 Audit Considerations Relating to an Entity Using a Service Organisation

ASA 610/ISA 610 Using the Work of Internal Auditors


CHAPTER OUTLINE
As part of understanding the entity and its environment, the auditor needs to
obtain an understanding of internal control. This is the basis of a preliminary
assessment of control risk and an evaluation of the extent to which controls may
be relied on to assure the accuracy and reliability of accounting records.

The auditor needs to obtain a sufficient understanding of internal control to plan
the audit and develop an effective audit approach. The auditor must use
professional judgment to assess audit risk, and design audit procedures to
reduce it to an acceptably low level. As a result of the adoption of the business
risk approach, auditors now place more importance on controls related to risk
monitoring and decision making. The auditor needs to develop a thorough
understanding of the way management uses internal control to respond to
business risks.

The auditor also studies and evaluates internal control because of
interest in the reliability of accounting data. In the past, the auditor has
tended to focus mainly on those transaction controls that relate to the
prevention or detection of errors in recording accounting data.

The auditor’s understanding of internal control makes it possible to assess
control risk in order to determine the nature, timing and extent of other audit
tests. Control risk is one of the elements of audit risk in the model introduced in
Chapter 4.

The objective of the review of internal control is not to determine the adequacy
of the internal control for management purposes. This would go beyond the
normal scope of a financial report audit, and evidence on which to base an
opinion on internal control would require the application of additional audit
procedures beyond those specified in ASA 315 (ISA 315). This will be discussed
in Chapter 13.

This chapter discusses the relationship of internal control to the audit strategy,
the components of internal control, and the auditor’s consideration of internal
control in a financial report audit. From the external auditor’s viewpoint, internal
audit forms part of internal control. This chapter discusses the effects of internal
audit on the external audit function.

How this chapter fits into the planning and risk-assessment stages of a financial
report audit is illustrated in Figure 7.1, which is an expansion of part of the
flowchart provided in Chapter 1.

FIGURE 7.1 Flowchart of planning and risk-assessment stage of a financial report audit

Page 267

LO 7.1 Internal control and audit strategy

Concept of internal control

According to ASA 315.4 (ISA 315.4), internal control is ‘the process designed and
implemented by those charged with governance, management and other personnel to
provide reasonable assurance regarding the achievement of the entity’s objectives
concerning financial reporting, the effectiveness and efficiency of operations, and
compliance with laws and regulations’. Controls work by preventing or detecting and
correcting errors, as illustrated in Figure 7.2.

FIGURE 7.2 Operation of controls

Therefore, as indicated in ASA 315.A52 (ISA 315.A52), internal control is designed and
implemented to address business risks that threaten any of these objectives, including:

reliability of the entity’s financial reporting
effectiveness and efficiency of the entity’s operations
compliance with applicable laws and regulations.

The importance of internal control has developed as business entities have become larger
and more complex. Both management and auditors see the benefits of a framework within
which business activity is directed and coordinated.

Management recognises that internal control is an effective means of controlling a business
(for example, asset protection, efficient use of resources) where size prevents direct
involvement at all levels, and of meeting statutory responsibilities for the maintenance of
accounting and other records. The directors of a company are responsible for the overall
control of that company, and effective internal control is central to efficient risk
management and therefore is an important part of the corporate governance process, as
discussed in Chapter 3.

In 1992 the Committee of Sponsoring Organizations of the Treadway Commission (COSO)
released its Internal Control—Integrated Framework. This framework is recognised as a
leading framework for designing, implementing and conducting internal control and
assessing the effectiveness of internal control. It is used by management, internal auditors
and external auditors when designing or assessing internal controls. In May 2013, COSO
issued an update to its framework to reflect changes in the business, operating and
reporting environments (see Auditing in the global news 7.1).

Page 268
7.1 Auditing in the global news ...

Internal Control—Integrated Framework

In 1992 the Committee of Sponsoring Organizations of the Treadway
Commission (COSO) released its Internal Control—Integrated Framework
(the original framework). The original framework has gained broad
acceptance and is widely used around the world . . . In the twenty years
since the inception of the original framework, business and operating
environments have changed dramatically, becoming increasingly complex,
technologically driven and global. At the same time, stakeholders are more
engaged, seeking greater transparency and accountability for the integrity of
systems of internal control that support business decisions and governance
of the organization. COSO is pleased to present the updated Internal Control
—Integrated Framework (Framework) . . .

The requirement to consider the five components to assess the
effectiveness of a system of internal control remains unchanged
fundamentally. Also, the Framework continues to emphasize the importance
of management judgment in designing, implementing, and conducting
internal control, and in assessing the effectiveness of a system of internal
control . . .

At the same time, the Framework includes enhancements and clarifications
that are intended to ease use and application . . .

Internal control helps entities achieve important objectives and sustain and
improve performance. COSO’s Internal Control—Integrated Framework
(Framework) enables organizations to effectively and efficiently develop
systems of internal control that adapt to changing business and operating
environments, mitigate risks to acceptable levels, and support sound
decision making and governance of the organization.

Designing and implementing an effective system of internal control can be
challenging; operating that system effectively and efficiently every day can
be daunting. New and rapidly changing business models, greater use and
dependence on technology, increasing regulatory requirements and scrutiny,
globalization, and other challenges demand any system of internal control to
be agile in adapting to changes in business, operating and regulatory
environments.

An effective system of internal control demands more than rigorous
adherence to policies and procedures: it requires the use of judgment.
Management and boards of directors use judgment to determine how much
control is enough. Management and other personnel use judgment every
day to select, develop, and deploy controls across the entity. Management
and internal auditors, among other personnel, apply judgment as they
monitor and assess the effectiveness of the system of internal control . . .

Source: Extracted from COSO’s Internal Control—Integrated Framework, Foreword and Executive
Summary. ©2013 Committee of Sponsoring Organizations of the Treadway Commission (COSO).

ASA 315.12 (ISA 315.12) requires that the auditor obtain an understanding of internal
control relevant to the audit. The risk of material misstatement at the financial report level
is affected by the auditor’s understanding of the control environment (ASA 315.A123/ISA
315.A123). At the assertion level, the auditor needs to consider whether their assessment of
the risk of material misstatement takes account of the entity’s controls—that is, control risk
(ASA 315.26/ISA 315.26).

Inherent limitations of internal control

As indicated by ASA 315.A54–A56 (ISA 315.A54–A56), internal control cannot assure a
reliable financial report because it has inherent limitations. Therefore, the auditor can
never rely completely on the internal control.

Internal control usually depends both on the quality and integrity of people working within
the entity, and on those people following prescribed policies and procedures. Thus, it is
subject to breakdowns caused by carelessness and fatigue, and it can be circumvented
intentionally through collusion. Management may also override the controls, since
someone must supervise the system. Internal control is designed to prevent fraud or errors
by people operating within the system. Someone in a supervisory position may perpetrate
fraud or errors by acting outside the system. Undue reliance on management to
automatically ‘do the right thing’ may create opportunities for managers who lack integrity
to behave inappropriately. Also, most control activities are directed at routine
transactions rather than non-routine transactions, and they may become inadequate due to
changes in conditions.

In addition, internal control recognises the concept of reasonable assurance, because the
cost of controls must bear a reasonable relationship to the benefits expected. Management
needs to evaluate this cost–benefit trade-off and adopt control methods and measures that
are prudent for the assets at risk. This evaluation is usually subjective, but it should be
based on a careful consideration of the risks and the alternatives for achieving control.

Management also makes accounting estimates, such as allowance for doubtful accounts
receivable, and selects accounting principles, such as the method of accounting for
inventory (for example, FIFO (first in, first out) or average cost), that are subject to
judgment. Thus, the reliability of the financial report is not assured even if accounting
records are reliable.

Audit strategy
As discussed in Chapter 4, in order to issue an opinion on the financial report, the
auditor must consider audit risk for each assertion for each significant account balance,
class of transactions and events, and disclosure, and reduce it to an acceptable level. ASA
200.13 (ISA 200.13) and ASA 200.A39 (ISA 200.A39) indicate that the risk of material
misstatement at the assertion level consists of two components: inherent risk and control
risk. Inherent risk was discussed in Chapter 6. Control risk will be covered in this
chapter.

Control risk is the risk that a material misstatement could occur in an assertion and not
be prevented or detected on a timely basis by the entity’s internal control. The auditor can
assess the control risk as high, or alternatively assess control risk as less than high and then
test the controls to obtain evidence to support this assessment. The assessment of control
risk as less than high is evidence that a control that could potentially be relied upon exists.
Tests of controls then need to be performed to gain evidence that the specific control
activities have been effectively and consistently applied throughout the period under audit.
Tests of controls will be discussed in Chapter 8.

Auditors recognise that sound internal control, by enhancing the credibility of accounting
records, reduces the need for routine checking of large volumes of transactions. As
discussed in Chapter 4, evidence obtained from sound internal control is generally
more reliable. The evidence supporting the financial report consists of the underlying
accounting data and the corroborating information available to the auditor. Thus,
confidence in the propriety and accuracy of the underlying accounting data contributes to
the auditor’s opinion on the financial report. The internal control affects the propriety and
accuracy of accounting data and thus the value of those data as audit evidence.

The auditor may reach a conclusion on the accuracy and reliability of underlying
accounting data by testing the accounting data itself (reducing detection risk) or by
performing procedures to understand and evaluate the internal control to see whether the
accounting data were developed under conditions likely to ensure accuracy and reliability
(assessing control risk).

Figure 7.3 illustrates alternatives available to the auditor when considering the
accounting flow of transactions for credit sales and collections. To substantiate the
accuracy and reliability of the accounting for credit sales and collections, the auditor has
the following alternatives:

test the sales and cash receipts transactions to establish the occurrence, completeness,
cut-off and accuracy of recording of the recurring debit and credit entries to accounts
receivable
identify and test the policies and procedures that ensure the occurrence, completeness,
cut-off and accuracy of recording these transactions
some combination of the above.

FIGURE 7.3 Overview of flow of transactions for credit sales

The substantiation of the underlying accounting data is interrelated with the corroborating
information that the auditor needs to obtain for balances. For example, the number of
confirmation requests sent to debtors on the amount owed at balance date is influenced by
the auditor’s confidence in the propriety and accuracy of the debits and credits to accounts
receivable. Also, confirmations of the accounts receivable balance provide some assurance
of the accuracy and reliability of the debits and credits recorded. Obtaining
evidence that the control risk is low for specific assertions for specific accounting
data is an alternative to substantiating the data directly. The choice of the mix of auditing
procedures necessary to test the accounting data and obtain corroborating information will
be discussed in Chapter 8.

QUICK REVIEW
1. Internal control affects the propriety and accuracy of accounting data and
therefore their reliability as audit evidence.
2. Achieving satisfactory internal control is management’s responsibility.
3. Internal control cannot assure a reliable financial report because of its
inherent limitations.
4. The auditor needs to obtain an understanding of internal control as a basis
for assessing control risk.
LO 7.2 Internal control objectives
Internal controls are concerned with ensuring that:

risks are identified and minimised
management decision making is effective and business processes are efficient
transactions are carried out in accordance with management’s general or specific
authorisation
laws, rules and regulations are complied with
transactions are promptly recorded in the correct amount, in the appropriate accounts and
in the correct accounting period, so as to allow the preparation of the financial report
within a framework of recognised accounting policies and to maintain accountability for
assets
access to assets is permitted only in accordance with management’s authorisation
the record of accountability for assets is compared with the existing assets at reasonable
intervals and appropriate action is taken with respect to any differences.

The quality of an entity’s internal control affects not only the reliability of its financial
data, but also the ability of the entity to make good decisions and remain in business. The
internal control should be designed to parallel the risks present in the entity, industry and
global environment. The ASX Corporate Governance Council’s Corporate Governance
Principles and Recommendations (3rd edn, 2014), which were discussed in Chapter 3
in relation to corporate governance, stress the importance of internal control in managing
risks to achieve an entity’s business objectives.

Controls may be either preventative or detective, as illustrated earlier in Figure 7.2.
Preventative controls are internal controls that are used to prevent undesirable events or
errors. Detective controls are internal controls that are used to identify events or errors
if they have occurred.

Page 271

Management controls
Management controls are the activities undertaken by senior management to mitigate
strategic risks to the entity and to promote the effectiveness of decision making and the
efficiency of business activities. They can be either preventative or detective controls.
Management controls tend to focus on overall effectiveness and efficiency within an entity
rather than on details of individual transactions or activities. Generally, they are designed
to provide an overall indication that processes and activities are functioning properly, and
to provide an effective response to risk in a timely manner.

Management controls include activities such as:

communicating business objectives and goals throughout the entity
establishing lines of authority and accountability
establishing and enforcing appropriate codes of corporate conduct
monitoring both the external and internal environment for risks
defining policies and procedures for dealing with these risks
monitoring performance of key segments of the entity through performance indicators
and benchmarking.

For example, establishing and enforcing a corporate governance policy on dealing with
conflicts of interest for managerial personnel is both a management control that reduces the
risk of self-serving behaviour by people in positions of authority within the entity and an
example of a preventative management control. Monitoring key performance indicators of
a segment to identify unexpected results or indications of manipulation of results is an
example of a detective management control.

To be able to assess the effectiveness of management controls for reducing strategic risks,
the auditor must first develop an understanding of what procedures and policies
management has implemented. To do this, the auditor may review procedures manuals,
periodic reports and internal audit testing in order to evaluate how effective management is
in monitoring and controlling risk. However, in most situations, a complete understanding
of management control is best obtained by interviewing the key personnel who are
assigned the responsibility of managing critical risks.

For each of the significant business risks identified, the auditor should give consideration
to any existing management controls that may mitigate the risk. If a business risk has
significant implications for the audit, then the related controls are also relevant. The
relationship between management controls and audit planning is shown in
Global example 7.1.

GLOBAL EXAMPLE 7.1 A management control and its implications
for the audit

Management control
Retro Ltd continually monitors its main competition to estimate their time-to-
market for new products. The market data may be a leading indicator of
potential competitive problems and evidence of new products.

Audit implications
Monitoring competitors’ actions is an important management control for
managing the risk that competitors will introduce new products, reduce
prices or improve service to obtain a competitive advantage. This risk is
important to an auditor because of its effect on revenue levels, profit margins
and inventory valuation. If the auditor wishes to rely on this control, they will
need to test it. Tests of controls are discussed in Chapter 8.

Page 272

Transaction controls
As well as management controls, there are many other control activities that are performed
by staff employees and lower-level management as part of the various processes within the
entity. These transaction controls are generally focused on internal risks within
systems and processes and reflect the formal policies and procedures defined by senior
management. Such controls deal primarily with the reliability of accounting information
and compliance with rules and regulations, and may be either preventative or detective
controls. For example, assigning responsibility for authorising transactions to specific
individuals is an example of a preventative transaction control. An employee undertaking a
sequence check of the sales journal to check for missing sales invoices is an example of a
detective transaction control.

The objectives of these accounting controls are to control the flow of transactions through
the accounting system and to safeguard the related assets by authorising transactions,
recording transactions, restricting access to assets and checking for existence of recorded
assets.

Every transaction goes through the identifiable steps of authorisation, execution and
recording. The accuracy and reliability of transaction records depends on making
reasonably sure that there are controls over the financial report assertions discussed in
Chapter 4.

Characteristics of satisfactory internal control

The objectives and concepts outlined above are reflected in the following general
characteristics of satisfactory internal control:

1. There should be controls to monitor and minimise business risks.
2. There should be proper segregation of duties (see Global example 7.2). There
should be no incompatible functions, so that no person is in a position to perpetrate and
conceal fraud in the normal course of duties. For example, as far as possible, different
individuals should perform the following functions: authorising a transaction, recording a
transaction, maintaining custody of the assets that result from a transaction, and
comparing assets with the related amounts recorded in the accounting records.
3. The internal control should have a system of authorisation, recording and other
procedures adequate to provide accounting control of assets, liabilities, revenues and
expenses.
4. There should be sound business practices in place in the performance of duties and
functions by each department, including pre-numbering of documents originating within
the entity, completion of sequence checks of documents used and maintenance of control
over unused documents.
5. Internal procedures should ensure that all personnel have capabilities commensurate with
their responsibilities.
GLOBAL EXAMPLE 7.2 Lack of segregation of duties

Fact
Machinery Ltd’s storeroom clerk, Bob Johnson, authorises inventory
acquisitions and also keeps the accounting records related to inventory.

Audit implications
Mr Johnson could authorise the acquisition of unneeded inventory, remove
the material from the premises or even have it delivered to another location,
and alter the accounting records to make it look as if the inventory never
existed, or has been sold. Provided that the accounting records agreed with
the amount of inventory on hand, the theft would be difficult to detect
without a special investigation, which is outside the scope of a normal audit.

Page 273

QUICK REVIEW
1. Internal controls are important in managing an entity’s risks.
2. Internal control includes both management and transaction controls.
3. Characteristics of a satisfactory internal control system include monitoring
and minimising business risk, segregation of duties, authorisation, sound
business practices and ensuring that personnel have capabilities
commensurate with their responsibilities.
LO 7.3 Components of internal control
ASA 315.14–24 (ISA 315.14–24) state that a company’s internal control consists of five
components, as indicated in Figure 7.4.

FIGURE 7.4 Components of internal control

Control environment
ASA 315.A77 (ISA 315.A77) states that the control environment includes governance
and management’s overall attitude, awareness and actions regarding internal control and its
importance in the entity. The control environment sets the tone of an entity. It influences
the control consciousness of all personnel and is the foundation for the other components.

The control environment includes the following elements, as set out in ASA 315.A78 (ISA
315.A78):

communication and enforcement of integrity and ethical values
commitment to competence
participation by those charged with governance
management’s philosophy and operating style
organisational structure
assignment of authority and responsibilities
human resources policies and practices.

Therefore, most management controls discussed earlier will be part of the control
environment.

Communication and enforcement of integrity and ethical values

Integrity and ethical values are essential elements of the control environment and will
influence the effectiveness of the design, administration and monitoring of other
components of internal control. Integrity and ethical behaviour are products of the
entity’s ethical standards and how they are communicated and reinforced in
practice. Management should remove or reduce any incentives or temptations that result in
personnel engaging in dishonest, illegal or unethical acts. Entity values and behavioural
standards should be communicated to personnel through policy statements and codes of
conduct and by management example.

Commitment to competence

Management needs to consider the competence levels required for specific jobs and take
action to ensure that all individuals have the necessary skills and knowledge to perform
their jobs.

Participation by those charged with governance

An entity’s attitude to internal control is influenced significantly by those charged with
governance. Factors to be considered include their independence from management; their
experience and stature; their scrutiny of activities; the appropriateness of their actions; the
information they receive; the extent to which they raise and pursue difficult questions with
management; and their interaction with internal and external auditors. The auditor will also
consider whether there is an audit committee that understands the entity’s business
transactions and evaluates whether the financial report gives a true and fair view.

Management’s philosophy and operating style

Management’s philosophy and operating style includes its overall control consciousness.
Management’s attitude toward control sets the stage for the entire entity. If management
emphasises the importance of maintaining reliable accounting records and adhering to
established policies and procedures then the entity’s personnel are more likely to have a
high regard for these matters in performing their duties. Therefore, this is a subjective, but
critical, aspect of the auditor’s consideration of whether the environment is conducive to
good control.

Other characteristics that the auditor may consider are management’s approach to taking
and monitoring business risks; management’s attitudes and actions vis-à-vis financial
reporting; and management’s attitude to information processing and accounting functions
and personnel.

Organisational structure

An entity’s organisational structure is the overall framework for planning, directing and
controlling operations to achieve the entity’s objectives. It includes the form and nature of
the entity’s organisational units, and related management functions and reporting
relationships. An effective control environment requires clear definitions of responsibilities
and lines of authority.

Assignment of authority and responsibilities

Methods of assigning authority and responsibilities influence how well responsibilities are
communicated, how well they are understood and how much responsibility personnel feel
in performing their duties. There should be appropriate delegation of authority and all
personnel should understand that they are accountable for the activities for which they are
responsible.

Human resources policies and practices

Human resources policies and practices cover recruitment, orientation, training, evaluating,
counselling, promoting, compensating and taking remedial action for personnel. For
example, high recruitment standards demonstrate an entity’s commitment to competent and
trustworthy people.

Entity’s risk-assessment process


An entity’s risk-assessment process is its way of identifying and responding to business
risks. Once risks have been identified, management needs to consider their significance
and how they should be managed. Management may introduce plans, programs or
actions to address specific risks or it may accept a risk on a cost–benefit basis.

Lists of possible conditions and events that may indicate the existence of risks of material
misstatements are contained in Appendix 2 to ASA 315 (ISA 315).

Information system
Information must be identified, captured and exchanged in a form and timeframe that
enables the entity’s personnel to carry out their responsibilities. An entity’s information
system includes its accounting system, which comprises the methods and records
established to initiate, record, process and report exchange transactions and relevant events
and conditions, and to maintain accountability for the related assets, liabilities and equity.
An information system includes infrastructure such as hardware and other physical
components, software, people, procedures and data. Many information systems make
extensive use of IT, while some remain largely manual.

An effective information system duly considers establishing records and methods that:

identify and record all valid transactions
resolve incorrect processing of transactions
process and account for system overrides
transfer information from transaction processing systems to the general ledger
capture information relevant to financial reporting for events and conditions other than
transactions
present the transactions and related disclosures properly in the financial report.

An important feature of an information system is the audit trail, which was discussed in
Chapter 4. This term implies that individual transactions can be traced through each
step of the accounts to their inclusion in the financial report and, similarly, from the
financial report the amounts can be vouched or traced back to the original source
documentation. The audit trail consists of all the accounting documents and records that
are prepared as transactions are processed from origin to final posting. Source documents,
journals and ledgers are the main elements in the audit trail. Source documents are the
initial record of transactions in the system. Processing usually creates a source document
when a transaction is executed. For example, goods received are usually entered on a
receiving report and goods shipped on a shipping report. Source documents are evidence of
the authenticity of a transaction.

Nearly all businesses use a computer for at least part of their accounting. Computerisation
ranges from personal computers that summarise transactions to extremely complex
systems. The methods an entity uses to process significant accounting applications may
influence the control activities designed to achieve its internal control objectives. The
characteristics that distinguish computer processing from manual processing include the
following:

Transaction trails Some computer systems are designed so that a complete transaction
audit trail exists only for a short period or only in computer-readable form.
Uniform processing of transactions Computer processing uniformly processes
transactions with similar characteristics through the same branch of the program.
Segregation of duties reduced Many control activities once performed by separate
individuals in manual systems may be concentrated.
Potential for misstatements There may be greater potential for individuals to gain
unauthorised access to data or to alter data without visible evidence, as well as to gain
access (direct or indirect) to assets.
Potential for increased management supervision Computer systems offer management
a wide variety of analytical tools to review and supervise operations.

As a result of technological development, almost anything can now be measured and
recorded digitally and thereby turned into data. Big data refers to data sets that are
voluminous and complex (see Auditing in the global news 7.2). Thousands of
simultaneous events may be tracked in real time and may involve numbers, text, images,
sound and video. As well as internal structured data, big data includes data that is
unstructured and machine-generated, and data that resides outside an entity’s boundaries.

Big data needs to be processed with advanced tools (analytics and algorithms) to
reveal meaningful information. These advanced audit analytics, which were
discussed in Chapter 4, involve discovering and analysing patterns, identifying
anomalies and extracting information from data underlying the subject matter of the audit,
through analysis, modelling and visualisation. Therefore, advanced data analytics includes
both analytical procedures and traditional file interrogation. They can be used for
exploratory purposes, to understand the entity and identify risks; and for confirmatory
purposes, to see if there are any deviations from expectations that indicate the potential
presence of a material misstatement. Advanced data analytics can be used to provide the
auditor with substantive assurance, for example through a predictive model to determine
the reasonableness of an estimate; or controls assurance, for example by identifying
payments that were made without approval. Further, they have the ability to analyse
complete populations of data. Sophisticated advanced data analytics offerings from several
suppliers are discussed in Chapter 9, as they impact substantive testing.

When using advanced data analytics, the majority of data that is being used has been
produced by the entity and so the reliability of that information for the auditor’s purposes is
critical. The International Auditing and Assurance Standards Board (IAASB) (2016) has
identified that this raises questions regarding the minimum level of IT general controls
testing required when using advanced data analytics and the impact of any deficiencies in
IT general controls and application controls on the reliability of the data from the IT
system that the auditor wishes to use for advanced data analytics.
7.2 Auditing in the global news ...

How big data and advanced data analytics are transforming the
audit

In the past, entities have owned their data and it has traditionally been
prepared by humans in a structured format. However, due to recent
technological advances, data is now often machine-generated and includes
both structured and unstructured material, some of which resides outside the
entity itself.

This huge expansion of data is referred to as big data. It is generally believed
that the analysis of this big data will have an enormous impact on entities’
ability to improve their productivity and profitability by enabling more in-
depth risk analysis and consequently better risk management. As a result,
many entities are investing heavily in enabling the use of advanced data
analytics in their businesses.

Ramlukan (2015) has argued that one area where big data and advanced
data analytics has significant potential is in the transformation of the audit.
Auditors have traditionally used data analysis to enhance the quality of their
audits. However, Ramlukan argues that while this is true, up till now auditors
have been restricted by the lack of efficient technology to undertake the
analysis, difficulties relating to data capture and privacy concerns. Thus,
Ramlukan argues that the developments in big data and advanced data
analytics provide an opportunity to reassess the way an audit is conducted.

The use of big data and advanced data analytics will allow an auditor to go
from using sampling to test a population, to analysing the entire population.
Advanced data analytics will also allow the auditor to better understand the
entity’s business risks and help identify fraud. However, auditors will still
need to find the right balance between applying auditor judgment and
relying on the results of these advanced data analytics. Also, Ramlukan
points out that a further issue is how current auditing standards and
regulations, which are based on the traditional audit, can be aligned with the
use of advanced data analytics.

Page 277

Control activities
Control activities encompass both policies and procedures established by management
in order to ensure that its directives are carried out, and include both management controls
and transaction controls, although most are transaction controls. Control activities should
be distinguished from the accounting system discussed earlier. An entity needs an
accounting system for functions such as billing shipments to customers, recording these
individual transactions and summarising them for recording in the general ledger. Control
activities are added to ensure that the accounting system produces accurate and reliable
data. For example, control activities are added to a billing system to ensure that all
shipments are billed and that all billings are for the correct amount.

Appendix 1 to ASA 315 (ISA 315) indicates that control activities may be categorised as
policies and procedures that pertain to:

performance reviews
information processing
physical controls
segregation of duties.

A strong internal control will include management controls such as performance review
control activities that independently check the performance of individuals or
processes. An example of a performance review activity would be comparing actual
performance with budget and investigating any unexpected differences. As discussed
earlier, management controls are concerned primarily with monitoring and controlling
business risk. Performance indicators may be useful for highlighting a problem or risk at an
early stage.

A number of different transaction controls are performed to check the accuracy,
completeness and authorisation of transactions. The two broad groupings of information
processing control activities are application controls and general IT controls. Application
controls apply to processing of individual applications, while general IT controls are
policies and procedures that apply to many applications. These will be discussed in more
detail later in this chapter.

Physical control activities are transaction controls and include measures such as locked
storerooms for inventory and fireproof safes for cash and securities on hand. Accounting
records and source documents must also be protected. The nature of the item usually
dictates the physical precautions that are necessary. For example, an inventory of
gemstones would be treated differently from an inventory of cement.

As discussed earlier in this chapter, segregation of duties is an integral part of the plan of
organisation. A person should not be in a position to both perpetrate and conceal errors or
fraud in the normal course of their duties. Different people are assigned the responsibilities
of authorising transactions, recording transactions and maintaining custody of assets.

In order for an entity to operate, some personnel must have access to assets. Restricting
access limits the opportunities for irregularities but cannot prevent them. Control is
achieved through segregation of duties by limiting the opportunities both to perpetrate and
to conceal the act.

Thus, the most basic segregation of duties is to have different individuals or departments
responsible for the custody of assets and for the keeping of records of those assets. A
transaction may be considered to pass through the following four phases:

1. Authorisation the initial authorisation or approval for an exchange transaction
2. Execution the act that commits the entity to the exchange, such as placing an order
3. Custody the physical act of accepting, delivering or maintaining the asset
4. Recording the entry of the transaction data into the accounting system.

Ideally, each of these four phases should be kept separate. However, in practice, for
convenience and efficiency, phases 1 and 2 may be combined without significant risk.
Clearly, phases 2, 3 and 4 should not be combined, and normally phase 3 (direct physical
access) and phase 4 (record keeping) are incompatible. However, the risk of
incompatible combinations should be evaluated by considering specific
circumstances in conjunction with the general guideline that no one person should be in a
position to misappropriate an asset or improperly record a transaction without detection.
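The four-phase analysis above can be applied mechanically to an entity’s access matrix, which is how a practitioner checks it across hundreds of users rather than by inspection. The following Python example is added here as an illustration and is not part of the original text; the roles, users and the ‘review’ severity given to combinations the text leaves to judgement are assumptions made for the example. It reports existing conflicts (a detective check) and tests a proposed role grant before it is made (a preventive one):

```python
"""Segregation-of-duties check over an access matrix (added example)."""

AUTHORISE, EXECUTE, CUSTODY, RECORD = "authorise", "execute", "custody", "record"

# Rule table.  The "incompatible" rows restate the text: custody and record
# keeping are incompatible, and execute, custody and record must not all sit
# with one person (authorise + execute alone is tolerated, so no rule lists it).
# The "review" rows are an assumption made for this example: they surface the
# other combinations so they can be judged case by case against the guideline
# that nobody should be able to misappropriate an asset or misrecord a
# transaction without detection.
RULES = (
    ("incompatible", frozenset({CUSTODY, RECORD})),
    ("incompatible", frozenset({EXECUTE, CUSTODY, RECORD})),
    ("review", frozenset({EXECUTE, CUSTODY})),
    ("review", frozenset({EXECUTE, RECORD})),
    ("review", frozenset({AUTHORISE, CUSTODY})),
    ("review", frozenset({AUTHORISE, RECORD})),
)

# Constructed sample: roles grant phases and users hold roles.  Access tends to
# accumulate as people change jobs, which is how "dave" ended up with both.
ROLES = {
    "purchasing_officer": {AUTHORISE, EXECUTE},
    "warehouse": {CUSTODY},
    "ap_clerk": {RECORD},
}
USERS = {
    "alice": ["purchasing_officer"],
    "bob": ["warehouse"],
    "carol": ["ap_clerk"],
    "dave": ["warehouse", "ap_clerk"],
    "erin": ["purchasing_officer", "warehouse", "ap_clerk"],
}


def effective_phases(user, users=USERS, roles=ROLES):
    """Union of the phases granted by every role the user holds."""
    phases = set()
    for role in users.get(user, []):
        phases |= roles[role]
    return phases


def conflicts_for(phases):
    """Every rule whose phase set is wholly contained in `phases`, most severe
    first, as (severity, sorted phase tuple)."""
    hits = [(sev, tuple(sorted(rule))) for sev, rule in RULES if rule <= phases]
    return sorted(hits, key=lambda h: (h[0] != "incompatible", h[1]))


def sod_violations(users=USERS, roles=ROLES):
    """Detective check: each user with at least one hit, mapped to the hits."""
    report = {}
    for user in users:
        hits = conflicts_for(effective_phases(user, users, roles))
        if hits:
            report[user] = hits
    return report


def assignment_conflicts(user, new_role, users=USERS, roles=ROLES):
    """Preventive check for provisioning time: the conflicts that granting
    `new_role` would create, ignoring any the user already has."""
    current = effective_phases(user, users, roles)
    before = set(conflicts_for(current))
    return [hit for hit in conflicts_for(current | roles[new_role]) if hit not in before]


if __name__ == "__main__":
    for user, hits in sod_violations().items():
        for severity, phases in hits:
            print(f"{user}: {severity}: {' + '.join(phases)}")
    print("granting warehouse to carol adds:", assignment_conflicts("carol", "warehouse"))
```

The preventive form is the one worth wiring into the provisioning process: refusing ‘warehouse’ for carol at grant time is cheaper than discovering dave’s accumulated access at year end.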

ASA 315.25 (ISA 315.25) requires the auditor to relate identified risks to the assertion
level, taking account of the relevant controls. ASA 315.A137 (ISA 315.A137) indicates
that in making risk assessments, the auditor may identify controls that are likely to prevent
or detect material misstatements in specific assertions. The following discussion of control
activities is organised by class of transaction assertions, under the headings of occurrence,
completeness, accuracy, cut-off, classification and presentation.

Occurrence

Control activities for authorisation and approval help to ensure that only transactions that
occurred are processed and that invalid transactions are rejected. Effective control activities
for processing transactions usually start with clear policies for authorisation and
approval. An entity’s board of directors has the ultimate authority, but its approval is
usually reserved for important financing and investing activities, such as major acquisitions
and dispositions involving real estate, debt and share capital. The day-to-day authority of
running a business is the responsibility of senior management, which delegates that
authority to operating personnel.

Management’s authorisation of transactions may be general or specific. General
authorisation applies to transactions that are recurrent and have a high volume. Examples
include the use of price lists and credit limits for credit sales transactions. Specific
authorisation is applied when management has decided that individual transactions must be
approved, such as all purchases in excess of an established dollar amount. Approval is the
actual step of checking that the conditions established for authorisation have been met.
Examples of authorisation and approval procedures include requiring a second signature on
cheques or electronic funds transfers over a specified limit, and limiting certain error-correction
functions to personnel who log on to the computer system under their own account with
manager privileges. The second example only works if the manager credential is individual:
a shared manager username and password removes the accountability the control relies on.
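The distinction between general and specific authorisation, and the approval step that checks it, can be written as a policy that both the application and the auditor’s analytics can evaluate; the same policy run over the whole payment population is the ‘payments made without approval’ controls-assurance test mentioned earlier in this chapter. The following Python example is added here and is not from the original text; the price list, credit limits, approval thresholds, approver identities, sales and payment ledger are all constructed for the example:

```python
"""Authorisation, approval and an unapproved-payment analytic (added example)."""
from dataclasses import dataclass, field
from decimal import Decimal

# Policy parameters.  Thresholds, prices, limits and names are assumptions for
# this example; the text only speaks of "an established dollar amount" and
# "a specified limit".
PRICE_LIST = {"SKU-100": Decimal("25.00"), "SKU-200": Decimal("120.00")}
CREDIT_LIMITS = {"CUST-1": Decimal("5000.00"), "CUST-2": Decimal("500.00")}
SPECIFIC_APPROVAL_OVER = Decimal("10000.00")  # one named approval above this
SECOND_SIGNATURE_OVER = Decimal("25000.00")   # two distinct approvers above this
APPROVERS = {"mgr_lee", "cfo_kim"}            # identities allowed to approve


@dataclass
class CreditSale:
    customer: str
    sku: str
    qty: int
    unit_price: Decimal
    outstanding: Decimal  # customer's balance before this sale


@dataclass
class Payment:
    ref: str
    amount: Decimal
    prepared_by: str
    approvals: list = field(default_factory=list)  # approver ids, in order


def sale_exceptions(sale):
    """General authorisation: the price list and credit limit are the policy,
    so a sale needs no individual sign-off unless it breaks one of them."""
    problems = []
    if sale.unit_price != PRICE_LIST[sale.sku]:
        problems.append(f"price {sale.unit_price} differs from list price {PRICE_LIST[sale.sku]}")
    if sale.outstanding + sale.qty * sale.unit_price > CREDIT_LIMITS[sale.customer]:
        problems.append("credit limit exceeded")
    return problems


def required_approvals(amount):
    """Specific authorisation: none below the threshold, one above it and a
    second signature above the higher limit."""
    if amount > SECOND_SIGNATURE_OVER:
        return 2
    if amount > SPECIFIC_APPROVAL_OVER:
        return 1
    return 0


def payment_exceptions(p):
    """Approval is the check that the authorisation conditions were met: enough
    distinct, authorised approvers, none of whom prepared the payment."""
    problems = []
    distinct = set(p.approvals)
    if len(distinct) != len(p.approvals):
        problems.append("same approver counted twice")
    if p.prepared_by in distinct:
        problems.append("preparer approved own payment")
    unauthorised = sorted(distinct - APPROVERS)
    if unauthorised:
        problems.append(f"not an approver: {', '.join(unauthorised)}")
    valid = len((distinct & APPROVERS) - {p.prepared_by})
    needed = required_approvals(p.amount)
    if valid < needed:
        problems.append(f"needs {needed} approval(s), has {valid}")
    return problems


def unauthorised_sales(sales):
    """Sales outside general authorisation, keyed by reference."""
    report = {}
    for ref, sale in sales.items():
        problems = sale_exceptions(sale)
        if problems:
            report[ref] = problems
    return report


def unapproved_payments(ledger):
    """Controls-assurance analytic over the whole population rather than a
    sample: every payment whose approvals do not satisfy the policy."""
    report = {}
    for p in ledger:
        problems = payment_exceptions(p)
        if problems:
            report[p.ref] = problems
    return report


# Constructed sales and payment ledger.
SALES = {
    "S-1": CreditSale("CUST-1", "SKU-100", 4, Decimal("25.00"), Decimal("0.00")),
    "S-2": CreditSale("CUST-2", "SKU-100", 10, Decimal("25.00"), Decimal("300.00")),
    "S-3": CreditSale("CUST-1", "SKU-200", 1, Decimal("100.00"), Decimal("0.00")),
}
LEDGER = [
    Payment("P-001", Decimal("4000.00"), "clerk_ann"),
    Payment("P-002", Decimal("15000.00"), "clerk_ann", ["mgr_lee"]),
    Payment("P-003", Decimal("15000.00"), "clerk_ann"),
    Payment("P-004", Decimal("40000.00"), "clerk_ann", ["mgr_lee"]),
    Payment("P-005", Decimal("40000.00"), "clerk_ann", ["mgr_lee", "mgr_lee"]),
    Payment("P-006", Decimal("40000.00"), "clerk_ann", ["mgr_lee", "cfo_kim"]),
    Payment("P-007", Decimal("12000.00"), "mgr_lee", ["mgr_lee"]),
]

if __name__ == "__main__":
    print(unauthorised_sales(SALES))
    for ref, problems in unapproved_payments(LEDGER).items():
        print(ref, "; ".join(problems))
```

Two checks in payment_exceptions go beyond the text but are what a reviewer looks for first: the same identity counted twice toward a second signature, and a preparer approving their own payment. Both are precisely the failures that a shared manager login makes invisible.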

Related control activities that provide assurance of occurrence concern the proper use of
documents that serve as the original record of transaction execution. These source
documents should be designed to reduce the risk that a transaction will be recorded
incorrectly, recorded more than once or not recorded at all. Desirable features of source
documents include the following:

Pre-numbering This allows for physical control of the documents.
Pre-printed instructions These show the steps required to fill out the document and
route it through the system.
Approval blocks These provide designated spaces for necessary approval signatures,
stamps and initials.
Simplicity This includes ensuring that the document is easy to use and that the number
of copies is minimised.

In some systems, source documents are captured directly on computer. In this case, the four
features of source documents are little changed.

Numbering This is generally assigned automatically by the software.
Instructions These appear on the screen or are available through a ‘help’ menu.
Approval The operator signs on with an individual credential (a password or other unique
key), and that identity is recorded against each transaction; the recorded approval is only
as reliable as the credential is individual.
Simplicity This includes ensuring that the document as it appears on screen is user-friendly.

Control activities that help to ensure occurrence are concerned with the proper handling of
such source documents, whether in a computer or a manual system. For example, control
activities include comparing details on a receiving report, such as description and quantity,
with details on the supplier’s invoice. Another example of a control activity is cancellation
of supporting documents for a purchase when payment is approved. This prevents
inadvertent or fraudulent reuse of the source documents to support a duplicate payment or
fictitious purchase.

Control activities can be designed as part of the data-entry system to help ensure
validity. The computer may reject invalid dates by requiring a month between 1
and 12, and a day between 1 and 31 (a stronger edit also checks that the day exists in
that month). Any entry in an amount field that is not numeric may
be rejected. These are called computer editing controls.
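The editing controls just described are simple to state but easy to get subtly wrong. The following Python example is added here and is not from the original text; it implements the date and amount edits from the paragraph, extends the date edit so that the day must exist in the month (the 1 to 31 range alone accepts 31 June), and adds an account-code edit against a chart of accounts that is assumed for the example. The batch of keyed records is constructed:

```python
"""Data-entry edit checks for a transaction record (added example)."""
import re
from calendar import monthrange
from decimal import Decimal, InvalidOperation

# Assumed chart of accounts, so the example can also edit the account code.
CHART_OF_ACCOUNTS = {
    "1100": "Cash at bank",
    "1200": "Accounts receivable",
    "4000": "Sales",
    "5000": "Cost of sales",
}
DATE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")


def edit_date(value):
    """Month 1-12 and day 1-31, as in the text, plus a check that the day
    exists in that month (so 2023-02-29 is rejected).  Returns an error
    message or None."""
    match = DATE_RE.match(value)
    if not match:
        return "date must be YYYY-MM-DD"
    year, month, day = (int(g) for g in match.groups())
    if not 1 <= month <= 12:
        return "month must be 1-12"
    if not 1 <= day <= 31:
        return "day must be 1-31"
    if day > monthrange(year, month)[1]:
        return f"day {day} does not exist in {year}-{month:02d}"
    return None


def edit_amount(value):
    """Numeric, finite, positive and expressed in whole cents."""
    try:
        amount = Decimal(value)
    except InvalidOperation:
        return "amount must be numeric"
    if not amount.is_finite():  # Decimal happily parses "NaN" and "Infinity"
        return "amount must be numeric"
    if amount <= 0:
        return "amount must be positive"
    if amount != amount.quantize(Decimal("0.01")):
        return "amount must have at most two decimal places"
    return None


def edit_account(code):
    """Classification edit: the code must appear in the chart of accounts."""
    if code not in CHART_OF_ACCOUNTS:
        return f"account {code} not in chart of accounts"
    return None


EDITS = (("date", edit_date), ("amount", edit_amount), ("account", edit_account))


def edit_record(record):
    """Apply every field edit; returns {field: message} for the failing fields."""
    errors = {}
    for name, check in EDITS:
        message = check(str(record.get(name, "")))
        if message:
            errors[name] = message
    return errors


def process_batch(records):
    """Accept clean records and reject the rest with reasons the operator can
    act on.  Returns (accepted refs, {ref: errors})."""
    accepted, rejected = [], {}
    for record in records:
        errors = edit_record(record)
        if errors:
            rejected[record["ref"]] = errors
        else:
            accepted.append(record["ref"])
    return accepted, rejected


# Constructed batch of keyed transactions; R5 has a letter O in place of a zero.
BATCH = [
    {"ref": "R1", "date": "2024-02-29", "amount": "125.50", "account": "4000"},
    {"ref": "R2", "date": "2023-02-29", "amount": "125.50", "account": "4000"},
    {"ref": "R3", "date": "2023-13-01", "amount": "125.50", "account": "4000"},
    {"ref": "R4", "date": "2023-06-31", "amount": "125.50", "account": "4000"},
    {"ref": "R5", "date": "2023-06-30", "amount": "12O.00", "account": "4000"},
    {"ref": "R6", "date": "2023-06-30", "amount": "-5.00", "account": "4000"},
    {"ref": "R7", "date": "2023-06-30", "amount": "5.005", "account": "9999"},
    {"ref": "R8", "date": "01/06/2023", "amount": "NaN", "account": "1100"},
]

if __name__ == "__main__":
    accepted, rejected = process_batch(BATCH)
    print("accepted:", accepted)
    for ref, errors in rejected.items():
        print(ref, errors)
```

Note that every field is checked and every failure reported, rather than stopping at the first one; an operator who has to re-key a record three times to discover three errors will start looking for a way round the edit.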

Completeness

Proper handling of documents also helps to ensure completeness. One control activity is to
inspect pre-numbered documents to confirm whether they have all been processed. This
procedure is often called accounting for the sequence of pre-numbered documents. If
documents are not pre-numbered, they should be numbered when a transaction originates,
although this method is less effective.

Another control activity used to check completeness is the use of control totals. For
example, if 10 documents totalling $500 in cash receipt transactions were supposed to be
entered into the computer system, the system should report that it processed 10 entries
totalling $500.

A third control activity involves matching related source documents to confirm whether
related processing steps have been completed. For example, purchase orders or receiving
reports can be matched with vendors’ invoices to confirm that goods ordered or received
have subsequently been recorded as accounts payable.

Accuracy

An organised set of accounting records is an essential starting point for achieving recording
accuracy. The requirement that debits equal credits is a built-in error-detecting feature. The
use of ledgers also contributes to recording accuracy in two ways: a trial balance prepared
from the ledger proves the balancing of debits and credits, and the ledger contains control
accounts for use in balancing subsidiary ledgers.

The use of control totals, discussed above under ‘Completeness’, also contributes to the
accuracy of records. If, in the example given above, a cash receipt of $23 was mistakenly
entered as $32, the system would report that it processed $509 for the 10 receipts, rather
than the $500 control total.
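The control-total example above, and the sequence check under ‘Completeness’, can be carried out together over a batch. The following Python example is added here and is not from the original text; the ten cash-receipt documents totalling $500 follow the text, the $23 to $32 transposition is the text’s own example, and the mis-keyed document reference is a constructed case. It also adds a hash total, which the text does not mention, because a count and an amount total alone cannot tell that the wrong document was keyed when the amount happens to agree:

```python
"""Batch control totals and sequence accounting for pre-numbered documents
(added example)."""
import re
from collections import Counter
from decimal import Decimal


def doc_number(ref):
    """Numeric part of a pre-numbered reference such as 'CR-1004'."""
    return int(re.search(r"(\d+)$", ref).group(1))


def batch_totals(docs):
    """(record count, amount total, hash total).  The hash total is the sum of
    the document numbers: meaningless as a figure, but it changes if the wrong
    document is keyed even when count and amount still agree."""
    count = len(docs)
    amount = sum((Decimal(a) for _, a in docs), Decimal("0.00"))
    hash_total = sum(doc_number(r) for r, _ in docs)
    return count, amount, hash_total


def control_exceptions(entered, control):
    """Compare what the system processed with the totals struck on the batch
    header before keying.  `control` is (count, amount, hash_total)."""
    count, amount, hash_total = batch_totals(entered)
    exp_count, exp_amount, exp_hash = control
    problems = []
    if count != exp_count:
        problems.append(f"count {count} vs control {exp_count}")
    if amount != exp_amount:
        diff = amount - exp_amount
        msg = f"amount {amount} vs control {exp_amount} (difference {diff})"
        # Bookkeeping heuristic, not from the text: transposing two adjacent
        # digits always gives a difference that is a multiple of 9 (cents here).
        if int((diff * 100).to_integral_value()) % 9 == 0:
            msg += "; multiple of 9, check for transposed digits"
        problems.append(msg)
    if hash_total != exp_hash:
        problems.append(f"hash total {hash_total} vs control {exp_hash}: wrong document(s) keyed")
    return problems


def sequence_exceptions(refs, first=None, last=None):
    """Account for the sequence: numbers missing from, and duplicated within,
    the range first..last (defaults to the lowest and highest number seen)."""
    seen = Counter(doc_number(r) for r in refs)
    lo = min(seen) if first is None else first
    hi = max(seen) if last is None else last
    missing = [n for n in range(lo, hi + 1) if n not in seen]
    duplicates = sorted(n for n, c in seen.items() if c > 1)
    return missing, duplicates


# Constructed batch: ten cash-receipt documents totalling $500, as in the text.
SOURCE = [
    ("CR-1001", "23.00"), ("CR-1002", "77.00"), ("CR-1003", "50.00"),
    ("CR-1004", "50.00"), ("CR-1005", "45.00"), ("CR-1006", "55.00"),
    ("CR-1007", "60.00"), ("CR-1008", "40.00"), ("CR-1009", "35.00"),
    ("CR-1010", "65.00"),
]
CONTROL = batch_totals(SOURCE)  # struck from the source documents: (10, 500.00, 10055)

# Keyed with $23 transposed to $32 (the text's example).
KEYED_TRANSPOSED = [("CR-1001", "32.00")] + SOURCE[1:]
# Keyed with CR-1004's amount entered against document number CR-1007: count
# and amount still agree with the control; only the hash total and the
# sequence check object.
KEYED_WRONG_DOC = [d for d in SOURCE if d[0] != "CR-1004"] + [("CR-1007", "50.00")]

if __name__ == "__main__":
    for name, batch in (("transposed", KEYED_TRANSPOSED), ("wrong document", KEYED_WRONG_DOC)):
        print(name, control_exceptions(batch, CONTROL))
        print(name, "missing/duplicated:", sequence_exceptions([r for r, _ in batch]))
```

The control figures must be struck from the source documents before keying and held outside the system being checked; a control total recomputed from the keyed data agrees with itself by construction and proves nothing.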

All the features of accounting systems described above provide the foundation for controls
to help ensure recording accuracy. However, the actual control activities are usually in the
form of independent checks, reviews and approvals established at the points in the
processing of transactions and handling of related assets where errors or irregularities
could occur. For example, the financial controller may review supporting documents for a
disbursement before payment.

Cut-off

The cut-off period is generally the few days either side of the reporting date. Cut-off
controls are used to ensure that transactions during the cut-off period are recorded in the
correct period. In the absence of appropriate controls, such as an independent review of
transactions during the cut-off period, cut-off errors may occur, whether because year end is
a hectic time and staff make mistakes under pressure, or because of deliberate misstatement
to manipulate the results for the period.

Classification

Classification is concerned with transactions being recorded in the proper account. An
example of a classification control activity would be to have someone check that the
account coding on source documents is in accordance with the entity’s chart of accounts.

Presentation

Presentation is concerned with whether items in the financial report are appropriately
aggregated or disaggregated and clearly described, and related disclosures are relevant and
understandable. An example of a presentation control would be to have the financial report
reviewed by someone independent of its preparation.

Page 280

Monitoring of controls
Monitoring of controls is a process used to assess the effectiveness of the performance
of internal control. It involves evaluating the design and operation of controls and taking
corrective action where necessary. Management may monitor controls through ongoing
activities such as supervisory activities or separate evaluations. In addition,
communications from external parties, such as customer complaints, may indicate
problems. In many entities, internal auditors also contribute to the monitoring process.

An internal audit function is an individual, group or department within an entity that acts
as a separate, higher level of control to determine whether the internal control is
functioning effectively. Internal auditors may make special enquiries at management’s
direction or generally review operating practices to promote increased efficiency. However,
the external auditor is concerned with internal auditors who act as a higher level of control
—an additional layer, in effect—to ensure that the accounting system and control activities
are operating. An effective internal audit function can significantly strengthen the
monitoring of control.

Internal audit may affect the external audit in the following three ways:
1. The internal audit function is part of the internal control If an entity has an internal
audit function that acts as a higher level of control, it will influence the external auditor’s
assessment of control risk and as a result affect the scope of audit procedures.
2. The internal auditors may have descriptions and other documentation of the
internal control These documents may help the external auditor to obtain an
understanding of the entity’s internal control.
3. The internal auditors may provide direct assistance to the independent auditor by
making substantive tests or tests of controls.

Many internal audit departments have also become involved in assessing the business
strategy of the entity and identifying the associated risks. This work will be useful to the
external auditor when undertaking a business risk approach to the audit. The involvement
of internal audit in assessing business strategy will be discussed further in Chapter 14.

To be effective, the internal auditor needs to possess adequate skills, knowledge,
experience, integrity and objectivity, and to communicate directly with the external auditor,
governing body and audit committee.

The extent to which the external auditor may use the work of internal audit will be
discussed later in this chapter.

QUICK REVIEW
1. Internal control consists of the control environment, the entity’s risk-
assessment process, information system, control activities and monitoring
of controls.
2. The control environment includes consideration of communication and
enforcement of integrity and ethical values; commitment to competence;
participation by those charged with governance; management’s
philosophy and operating style; organisational structure; assignment of
authority and responsibilities; and human resources policies and practices.
3. Control activities include policies and procedures that pertain to
performance reviews, information processing, physical controls and
segregation of duties.
4. Control activities relate to the risk of material misstatement at the assertion
level.

LO 7.4 Considering internal control in a financial report audit
In every audit, the auditor obtains a sufficient understanding of each of the five
components of internal control to plan the audit and determine the tests to be performed.
The nature and extent of the auditor’s consideration of internal control varies considerably
from audit to audit. In all audits, the auditor must understand the internal control,
particularly those controls associated with the accounting system. No matter what
audit strategy is followed, substantiating the underlying data is important. The auditor’s
understanding must be sufficient to identify types of potential misstatements, to consider
factors that affect the risk of material misstatement and to design effective audit tests. On
the other hand, for some assertions for some balances or transaction classes, an
understanding of the control activities component of internal control may be minimal,
depending on the audit strategy followed.

An overview of the auditor’s consideration of internal control
Figure 7.5 presents the steps in the auditor’s consideration of internal control in the
audit of a financial report. The process presented in the figure is discussed in this section.
The following is an outline of the steps to be taken:

1. Obtain an understanding of the internal control.
Obtain an understanding of the entity’s control environment.
Obtain an understanding of the entity’s process for identifying risks relevant to financial
reporting objectives and for deciding on actions to address these risks.
Obtain an understanding of the information system for significant classes of
transactions, account balances and disclosures.
Obtain an understanding of the control activities to assess the risk of misstatement at
the assertion level.
Obtain an understanding of the major types of activities that the entity uses to monitor
internal control over financial reporting.
Document the understanding of internal control.
2. Assess the level of control risk based on the understanding obtained.
The auditor may assess control risk as high for any one of the following three
conditions:

Internal control policies and procedures are unlikely to relate to the specific assertion
(that is, the client does not have controls for this assertion).

The evidence that would be obtained by additional testing would probably not support
a reduced level of control risk (testing would probably prove that control for the
assertion is weak).

Obtaining additional evidence to support the control risk level would not be the most
efficient audit approach for the assertion (substantive tests are easier to perform than
tests of controls).
Consider whether further reduction in control risk would be an efficient audit approach
and whether further evidence would be likely to support the reduced level.
3. For each assertion within each significant transaction class, account balance or disclosure for which the auditor plans to assess control risk at a level less than high, consider whether sufficient evidence has been obtained to support the desired control risk level.
   Perform tests of controls to evaluate the design or operation of the internal control policy or procedure, to obtain needed evidence. (This step will be covered in Chapter 8.)
   Document the basis of conclusions about the assessed level of control risk.
4. Design substantive tests to detect potential material misstatements. (This step will be covered in Chapter 9.)

FIGURE 7.5 Steps in the auditor’s consideration of internal control

Understanding internal control

The auditor generally performs the procedures to obtain an understanding of the internal control during the general planning phase of the audit, as described in Chapter 5. The auditor obtains an understanding of the internal control in order to:

identify the types of potential misstatements that could occur and the factors that contribute to the risk that they will occur
understand the accounting system sufficiently to identify the client documents, reports and other information that may be available and ascertain what data will be used in audit tests
determine an efficient and effective approach to the audit.

Page 282

Page 283

Operating effectiveness is the manner in which entity personnel apply the policies that are
in place. Have the policies and procedures been used consistently throughout the year? Are
they used by all employees performing the function? When the employee ordinarily
responsible for a procedure is ill or on leave, is the procedure still effective? Does the
employee take the appropriate action when an exception is noted, or are overrides
common?

ASA 315.A76 (ISA 315.A76) indicates that obtaining an understanding of an entity’s controls is not a sufficient test of operating effectiveness, unless there is some automation that provides for the consistent application of the operation of the control. However, an auditor who decides to reduce the assessed level of control risk to less than high must consider operating effectiveness and gather evidence to support this assessment. The auditor then needs evidence that the internal control exists and has operated effectively throughout the relevant period. Evidence will be obtained through tests of controls, which will be discussed in Chapter 8.

Understanding the control environment


ASA 315.14 (ISA 315.14) requires the auditor to obtain an understanding of the control environment sufficient to assess its effectiveness. The methods and audit procedures used to understand the control environment are explained in ASA 315.A79–A80 (ISA 315.A79–A80) and include:

making enquiries of key management personnel
inspecting entity documents, to the extent the entity has documented relevant policies and procedures
observing entity activities and operations.

Audit evidence for some elements of the control environment may not be available in documentary form, particularly in smaller entities where communication between management and other personnel may be informal. Therefore, management’s attitudes, awareness and actions are important in the design of a smaller entity’s control environment.

The nature of the control environment means that it has a pervasive effect on assessing the risk of material misstatement. For example, an active and independent board of directors may influence the philosophy and operating style of senior management. As indicated by ASA 315.A84 (ISA 315.A84) the control environment does not prevent, or detect and correct, a material misstatement itself, but it may influence the auditor’s assessment of other controls and so affect the auditor’s risk assessment. Therefore, the control environment influences the nature, timing and extent of the auditor’s further procedures.

Understanding the risk-assessment process


ASA 315.15 (ISA 315.15) requires that the auditor obtain an understanding of the entity’s
business risk-assessment process and decide on actions to address those risks and their
results. Therefore, the auditor needs to determine how management identifies business
risks relevant to the financial report, estimate the significance of the risks, assess their
likelihood of occurring and decide on actions to manage them. The auditor will enquire of
management about business risks that management has identified, and consider whether
they may result in a material misstatement. If the auditor identifies a risk of material
misstatement during the audit that management failed to identify, the auditor needs to
consider whether management should have identified it and, if so, why the process failed.

Understanding the information system


Page 284

The audit procedures necessary to obtain an understanding of the information system include enquiry of management, supervisory and staff personnel; inspection of records, documents and reports; reading of the client’s descriptions of the system, or similar client documentation such as a chart of accounts or a procedures manual; observation of company activities and operations; previous experience with the client; and review of the previous year’s working papers.

The auditor is required by ASA 315.18 (ISA 315.18) to obtain sufficient knowledge of the information system to understand:

significant classes of transactions
initiation of transactions
records, documents and accounts used in processing and recording transactions
how the accounting system captures significant events, conditions and transactions
the financial reporting process used to prepare the financial report
controls surrounding journal entries.

The auditor needs first to obtain an understanding of the path that transactions take through both the manual and the computerised portions of the information system. The auditor then considers the anticipated computer-related controls that may contribute to a control risk assessment of less than high, and documents and tests controls in order to assess the control risk.

During general planning, the auditor generally obtains the following information on the
client’s computer system:

type of computer equipment and its configuration, including input and processing modes used
types of systems software
organisational structure of computer processing activities, including the organisational location of the IT department, number of personnel and internal organisation plan
number and nature of computerised accounting applications.

As part of understanding the information system, the auditor identifies the extent to which
the computer is used in each significant accounting application, and obtains the following
information:

the purpose of the application, particularly the documents, reports and updated master files generated by the application and the general ledger account balances affected by the application
the source, volume and form of input to the application, particularly the user departments in which transactions originate and other computerised accounting applications that generate input for the application
the master files affected by the application, including, in particular, the storage media, the file maintenance process and the size and organisation of files
the mode and frequency of processing
the form of output of the application and the distribution of output.

This information enables the auditor to understand the relationship between the manual and
computerised portions of the information system and to assess the size and complexity of
the computerised portion of the information system and how much assistance will be
required from computer audit specialists.

ASA 315.19 (ISA 315.19) also requires the auditor to obtain an understanding of how the entity communicates financial reporting roles and responsibilities and significant matters relating to financial reporting. It includes the extent to which personnel understand how their activities in the information system relate to others and the means of reporting exceptions to a higher level within the entity. The auditor’s understanding of communication also includes communication between management and those charged with governance, particularly the audit committee, as well as communication to regulators.

Understanding the control activities


The auditor is required by ASA 315.20 (ISA 315.20) to obtain an understanding of the
control activities relevant to the audit, including those necessary to understand the risks of
material misstatement, and therefore sufficient to develop the audit plan. Further, ASA
315.21 (ISA 315.21) requires the auditor to obtain an understanding of how the entity has
responded to risks arising from IT.

Page 285

The audit procedures normally used to obtain an understanding of control activities involve:

making enquiries of appropriate client personnel
inspecting documentation
observing the processing of transactions and handling of related assets.

Many auditors use a technique called a walk-through to clarify their understanding of information obtained. A walk-through involves the auditor tracing one or a few transactions of each type through the related documents and accounting records and observing the related processing and control activities in operation. For example, the auditor might select a few transactions recorded in the sales journal and trace them back to the related source documents (invoice, customer order, shipping and control account). In doing this the auditor actually ‘walks’ the selected transactions through the system by visiting the relevant departments and talking to the personnel responsible for the various processing and control activities.

The walk-through clarifies the auditor’s understanding of how the system and the control
activities work. The audit procedures applied for a walk-through are substantially the same
as those that would be applied to a larger number of transactions in doing tests of controls.
The distinction between a walk-through and tests of controls lies in the auditor’s purpose in
applying these procedures. The auditor must obtain sufficient understanding of the control
activities to consider how a specific control activity, individually or in combination with
others, prevents, or detects and corrects, material misstatements in classes of transactions,
account balances or disclosures. Control activities relevant to the audit are those that the auditor considers it necessary to obtain an understanding of, in order to assess the risk of material misstatement at the assertion level and to design and perform further audit activities responsive to the assessed risks. An understanding of all of the client’s control activities is not necessary for audit planning.

The nature and extent of audit procedures necessary to obtain an understanding of the
control activities varies considerably from entity to entity. A key issue is the level of
complexity and sophistication of the accounting system and operations. In a small business,
for example, the auditor may find a control environment in which there are too few
employees to achieve an adequate segregation of duties, thus resulting in the auditor
adopting a substantive approach. In that case, sufficient knowledge of the control activities
to plan the audit may have been achieved as part of the understanding of the control
environment, the risk-assessment process and the information system, and additional work
on specific control activities will not be needed.

Most computerised accounting applications include both manual and computer portions.
The auditor needs to understand the path that transactions take through both portions of the
information system. Some aspects of the computerised portion of the system are obviously
different from a manual system. They are unique to computer processing and not difficult
to identify. For example, some control activities may be included in a computer program
and leave no visible evidence of their execution. If the auditor intends to assess control risk
as less than high based on such control activities, it may be necessary to test the computer
program. However, it is often possible to substantiate computer-generated information
directly or to test manual controls maintained by computer users, instead of testing
automated control activities. The most common forms of reliance on the computer occur
when a manual control activity or an audit procedure is dependent on computer-generated
information.

In some cases, a manual control activity that is necessary to achieve a specific control objective is dependent on the results of computer processing. For example, in the case of a computerised billing application, the auditor wants to know whether control activities provide reasonable assurance that products shipped are billed. If the control activity that achieves this objective is a review by a billing clerk of a computer-generated report of missing shipping documents based on a numerical sequence test in a computer program, then the auditor must rely on the computer in order to use the manual control activity in assessing the control risk.

Page 286

If there are significant computerised accounting applications, the auditor may need to obtain an understanding of the general controls, which will be discussed later in this chapter. Auditors may review general controls even when they do not plan to assess control risk as less than high, as a service to clients. Usually the review is done by a computer audit specialist or an auditor with additional training in computerised systems. The review is conducted by enquiry and observation of client IT personnel and review of existing documentation, such as client manuals, previous years’ work papers and other information on the computer installation and computerised accounting applications. The auditor’s objective is to decide whether there is reasonable assurance that:

there is adequate segregation of duties between IT and users, and also within the IT department
the development or acquisition of programs and changes to programs are authorised, tested and approved before implementation
access to data files is restricted to authorised users and programs.

After obtaining an understanding of general controls, the auditor comes to a conclusion as to whether they appear to be effective. Whether it is necessary or desirable to include such controls as part of the basis to reduce the control risk assessment depends on the auditor’s consideration of application controls. If the general controls are part of the basis for reducing the control risk assessment, it is necessary to test the control activities.

Understanding monitoring of controls


ASA 315.22 (ISA 315.22) requires that the auditor obtain an understanding of the major
activities that the entity uses to monitor internal control over financial reporting, and of
how the entity initiates corrective actions to its controls. In many entities, internal auditors
contribute to the monitoring of the entity’s activities. The auditor needs to obtain an
understanding of the sources of the information related to the entity’s monitoring activities
and the basis on which management considers the information to be sufficiently reliable.

Documenting the understanding


Documentation of the understanding of the internal control system commonly includes:

internal control questionnaires and checklists
narrative memoranda
flowcharts.

Unless the auditor believes that understanding of particular activities is needed for audit planning, the internal control activities need not be documented.

The auditor’s objective is to identify and document the minimum number of specific
control activities that provide reasonable assurance of achieving specific control objectives.
As a result, the documentation prepared by the auditor may be much less detailed than that
which would be prepared by a systems analyst. For example, if an entity’s cash payments
system provides for the financial controller’s review and approval and cancellation of
supporting documents before payment, the auditor may not be concerned with prior
processing steps for individual supporting documents such as purchase orders. The auditor
documents and tests those specific control activities that provide reasonable assurance of
achieving specific control objectives for specific assertions.

Internal control questionnaires and checklists

Auditors generally use decision aids such as internal control questionnaires and
checklists in obtaining an understanding of the internal control. These act both as memory
aids and as convenient ways to document the understanding obtained.

Generalised forms relating to the control environment range from detailed checklists that
present all the potential features of a control environment to simple forms that list broad
categories of features, such as personnel policies and procedures and organisational
structure, leaving space to describe the particular client’s methods.

Page 287

Questionnaires and checklists used to document the understanding of the information system tend to be less detailed than generalised forms for the control environment and control activities. They usually have a separate section for each transaction class or cycle. The questions (requiring a written answer rather than a ‘yes’ or ‘no’) require listing of each transaction type, the source document to initiate the transaction and the party responsible for the initiation, the approximate volume of each transaction type, the accounts and computer files in which the transaction is recorded, the processing that occurs and the place in the financial report where the transaction is summarised.

Questionnaires and checklists are also used to document control activities. Exhibit 7.1
presents a segment of an internal control questionnaire. Some questions require a ‘yes’ or
‘no’ answer about whether specific control methods and features are in place. Others are
organised by detailed control objective and the auditor writes in the client’s procedures that
achieve the listed objective.
EXHIBIT 7.1 EXAMPLE OF PART OF AN INTERNAL CONTROL QUESTIONNAIRE

Each question must be answered ‘Yes’ or ‘No’ or ‘N/A’. If the answer is ‘No’, provide an explanation.

Sales                                                                 Yes / No / N/A

1. Are all sales orders approved by the credit department before they are accepted?
2. Is the credit approval function separated from other sales, cash and accounting functions?
3. Are delivery dockets
   (a) prepared for all goods leaving the factory?
   (b) pre-numbered?
4. Is a sequence check completed to ensure that all delivery docket numbers are accounted for?
5. Are all details on delivery dockets checked to customers’ orders?
6. Are invoices
   (a) prepared for all sales?
   (b) pre-numbered?
7. Is a sequence check completed to ensure that all invoice numbers are accounted for?
8. Are invoices checked to delivery dockets?
9. Are invoices checked for
   (a) additions and extensions?
   (b) prices?

Narrative memoranda

A narrative memorandum is a written description of internal control policies and procedures. Narratives may be used to document all three components of internal control. Exhibit 7.2 presents a narrative description of a segment of a sales accounting system. An auditor does not require exhaustive documentation of every step in all information systems or enumeration of all control activities. The narrative provides the flexibility to write only what is significant to the specific audit. However, this form of document includes nothing to jog the memory to ensure that all important aspects are adequately documented, and narratives are more dependent than questionnaires on the ability of the auditor to write well. Narratives are more suited to documenting relatively simple systems.

Page 288

EXHIBIT 7.2 EXAMPLE OF A NARRATIVE DESCRIPTION OF PART OF A SALES ACCOUNTING SYSTEM

The shipping department, based on an approved sales order, prepares a three-copy shipping document when a shipment is made. The distribution of the document is as follows:

1. Sent to customer with goods as a packing slip.
2. Forwarded to accounts receivable record keeping. The sales order is filed numerically.
3. Forwarded to billing department.

The billing department uses the shipping document to prepare a two-copy sales invoice with the following distribution:

1. Sent to customer.
2. Forwarded to accounts receivable record keeping. The shipping document is filed numerically.

The accounts receivable record-keeping function periodically matches sales invoices with shipping documents received, as follows:

1. Matched sales invoices are posted to accounts receivable ledger.
2. Matched sales invoices and shipping documents are filed alphabetically by customer name.

Flowcharts

Flowcharts use symbols to create diagrams of information systems and control activities. Preparing a flowchart is particularly useful in the case of systems that combine manual and computer processing in significant accounting applications.

Figure 7.6 presents some common flowchart symbols. Several audit firms have devised unique approaches when preparing flowcharts that use non-standard symbols. These approaches are too diverse to illustrate, but they all emphasise exclusion of document or information flows that are not relevant to the understanding of internal control for the purposes of audit planning. The standardised symbols in Figure 7.6 are used in the computer industry and by many audit firms and their clients.

FIGURE 7.6 Standard flowchart symbols

Page 289

Figure 7.7 presents a flowchart for a portion of a simple sales information system. Figure 7.8 presents a system flowchart for a portion of a batch computerised accounting application. One of the advantages of creating flowcharts is that a graphic presentation of a series of related processing steps is easier to understand than a long narrative description. However, if a flowchart includes all the document and information flows in the system, it also may become too complex to be understood easily, and the significant control activities can be difficult to identify. As a result, the emphasis in practice is on simplifying flowcharts.

FIGURE 7.7 Flowchart of the first part of the sales accounting system described in Exhibit 7.2

FIGURE 7.8 Segment of a flowchart on the billing function in a batch computerised sales accounting system

Assessing control risk
After obtaining an understanding of the components of internal control, the auditor assesses control risk for the assertions embodied in the account balance, transaction class and disclosure components of the financial report. The auditor must decide whether to assess control risk for a particular assertion as high or as less than high.

The auditor may assess control risk as high because the entity’s internal control policies and procedures in the area:

are poor and do not support less than a high assessment
may be effective, but the audit tests to gather evidence of their effectiveness would be more time consuming than performing direct substantive tests, or
do not pertain to the particular assertion.

Page 290

The auditor may decide to assess control risk as less than high when it improves audit efficiency. If the auditor assesses control risk as less than high, the auditor must obtain sufficient evidence to support that level. First, the auditor identifies specific control activities relevant to particular assertions that are likely to prevent or detect material misstatements in those assertions. Next, the auditor performs tests of controls to evaluate the effectiveness of these control activities. This process is followed for each account balance or transaction class that is material to the financial report. These tests of controls will be discussed in Chapter 8.

Global Example 7.3, involving sales, illustrates the process in more detail. In this example, the auditor would design tests of controls to obtain evidence about the operating effectiveness of the control activities identified, as control risk has been identified as low and therefore the auditor wishes to rely on the controls.

Page 291

GLOBAL EXAMPLE 7.3 Example of evaluating effectiveness of control activities for sales

Transaction class: Sales
Assertion: Completeness
Audit objective: Recorded sales include all authorised sales transactions.
Control objective: All goods shipped are billed.
Relevant internal control activities:
   The sales manager reviews a detailed summary of sales activity by location.
   Shipping documents are periodically matched with sales invoices.
Control risk assessment: Low control risk
Impact on audit approach: Will need to undertake tests of controls, as discussed in Chapter 8, in order to support low control risk assessment and rely on controls.
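The numerical sequence test behind the billing clerk’s report of missing shipping documents (discussed under control activities above) and the matching of shipping documents with sales invoices in Global Example 7.3 can be written out as a small exception report. The Python below is an added example for this section, not code from the textbook; the record types, field names and sample documents are constructed for illustration.

```python
"""Exception report for the control objective "all goods shipped are billed".

Added example, not from the textbook. The sequence test over pre-numbered
shipping documents and invoices, and the match of shipping documents to
invoices, are the controls the chapter describes; the data classes, field
names and sample records here are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ShippingDocument:
    number: int        # pre-numbered, so a gap in the sequence is detectable
    customer: str
    sales_order: str   # approved sales order the shipment was made against


@dataclass(frozen=True)
class SalesInvoice:
    number: int
    shipping_number: int   # shipping document the invoice was prepared from
    customer: str


def sequence_gaps(numbers: List[int]) -> List[int]:
    """Sequence test: numbers absent from the continuous range min..max."""
    if not numbers:
        return []
    present = set(numbers)
    return [n for n in range(min(numbers), max(numbers) + 1) if n not in present]


def duplicate_numbers(numbers: List[int]) -> List[int]:
    """Numbers used more than once; a duplicate can hide a missing document."""
    seen: set = set()
    dups: set = set()
    for n in numbers:
        (dups if n in seen else seen).add(n)
    return sorted(dups)


def exception_report(shipping: List[ShippingDocument],
                     invoices: List[SalesInvoice]) -> Dict[str, List[int]]:
    """Build the exceptions a billing clerk would review.

    Each list holds document numbers; an empty list means no exception.
    """
    shipped = {d.number: d for d in shipping}
    invoices_by_shipment: Dict[int, List[SalesInvoice]] = {}
    for inv in invoices:
        invoices_by_shipment.setdefault(inv.shipping_number, []).append(inv)

    return {
        # gaps in the pre-numbered sequences (completeness of the records)
        "missing_shipping_numbers": sequence_gaps([d.number for d in shipping]),
        "missing_invoice_numbers": sequence_gaps([i.number for i in invoices]),
        "duplicate_shipping_numbers": duplicate_numbers([d.number for d in shipping]),
        # goods shipped but never billed: the misstatement the control targets
        "shipped_not_billed": sorted(n for n in shipped if n not in invoices_by_shipment),
        # invoices that cannot be traced to a shipment
        "invoice_without_shipment": sorted(
            i.number for i in invoices if i.shipping_number not in shipped),
        # more than one invoice raised on the same shipment
        "shipment_billed_twice": sorted(
            n for n, invs in invoices_by_shipment.items() if len(invs) > 1),
        # invoice customer differs from the shipping document's customer
        "customer_mismatch": sorted(
            i.number for i in invoices
            if i.shipping_number in shipped
            and shipped[i.shipping_number].customer != i.customer),
    }


# Constructed sample records; numbers and names are not from the textbook.
SHIPPING = [
    ShippingDocument(1001, "Acme Pty Ltd", "SO-77"),
    ShippingDocument(1002, "Bellamy & Co", "SO-78"),
    ShippingDocument(1003, "Acme Pty Ltd", "SO-79"),  # shipped, never billed
    ShippingDocument(1005, "Cobar Mining", "SO-80"),  # 1004 is missing
    ShippingDocument(1006, "Dubbo Retail", "SO-81"),
]
INVOICES = [
    SalesInvoice(501, 1001, "Acme Pty Ltd"),
    SalesInvoice(502, 1002, "Bellamy & Co"),
    SalesInvoice(503, 1005, "Cobar Mining"),
    SalesInvoice(504, 1009, "Eaglehawk Ltd"),  # no shipping document 1009
    SalesInvoice(506, 1006, "Acme Pty Ltd"),   # customer differs; 505 unused
]

if __name__ == "__main__":
    for name, numbers in exception_report(SHIPPING, INVOICES).items():
        print(f"{name:28s} {numbers}")
```

Each non-empty list is an item the clerk must follow up, and the auditor testing this control would inspect evidence that the follow-up actually happened.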

The auditor may make a different assessment of control risk for each material account balance, class of transactions and events, or disclosure; or for each assertion relating to the one balance, class of transactions and events, or disclosure. For example, the auditor may assess control risk for inventory assertions as high and for cash assertions as low, or assess the risk for existence of cash as low but completeness as high. However, the auditor recognises the interrelationships of account balances and transaction classes. For example, a low level of assessed control risk for sales and cash receipts means a low level of control risk for accounts receivable for assertions affected by the accuracy and reliability of recorded sales and cash receipts.

ASA 315.29 (ISA 315.29) requires that for significant risks, to the extent that the auditor has not already done so, the auditor should evaluate the design of the entity’s related controls, including control activities, and determine whether they have been implemented. An understanding of the entity’s controls relating to significant risks is considered necessary to provide the auditor with adequate information to develop an effective audit approach, even if the auditor does not intend to rely on those controls.

ASA 315.30 (ISA 315.30) also requires the auditor to evaluate the design and determine
the implementation of the entity’s controls, including relevant control activities, over those
risks for which, in the auditor’s judgment, it is not possible or practicable to reduce the risk
of misstatements at the assertion level to an acceptably low level with evidence obtained
solely from substantive procedures. Therefore, the auditor cannot simply default to a high
assessment of control risk without first evaluating the controls in these two areas.

Tests of controls
If control risk is assessed as less than high, the auditor has identified specific policies and
procedures that are likely to prevent or detect misstatements. Evidence is needed to support
the conclusion that those policies and procedures are effective. The evidence should
demonstrate both:

the effectiveness of the design of the policies and procedures


the operating effectiveness of the policies and procedures, that is, their consistent and
proper application.

The evidence necessary to support a specific level of control risk is a matter of audit
judgment. However, the auditor requires stronger evidence of the effectiveness of a
procedure if the assessed level of control risk is low than if it is only medium.

Tests of controls will be discussed in Chapter 8.



Page 292

Documentation of the assessment of control risk


The auditor must document the assessment of control risk for the various assertions for
significant transaction classes, account balances and disclosures. ASA 315.32 (ISA 315.32)
requires the auditor to document their understanding of each of the components of internal
control, the sources of the information from which the understanding was obtained, the
risk-assessment procedures and the identified and assessed risks of material misstatement,
including control risk. The manner in which these items are documented is for the auditor
to determine, using professional judgment.

Effect on design of substantive tests


The result of the auditor’s consideration of the internal control is the assessment of control
risk, which is then used in planning substantive tests for the various assertions within the
transaction classes or account balances. Using the audit risk model discussed in
Chapter 4, if the auditor assesses control risk as high, detection risk must be
minimised. Detection risk is reduced by performing substantive tests. The higher the level
of assessed control risk, the lower the level of reliance placed on the internal control and
the more assurance the auditor must obtain from substantive tests.

Ineffective internal control causes the auditor to increase the quantity and effectiveness of
the substantive tests, because there is a general relationship between control objectives and
audit objectives. Because it is not consistent, the relationship must be considered for each
transaction class separately. For example, approval of credit sales (goods shipped to
customers do not exceed established credit limits) is related to the specific audit objective
of valuation of accounts receivable. On the other hand, approval of disbursements is related
to specific audit objectives concerning existence or occurrence.

The impact of effective internal control on the nature, timing and extent of substantive tests
will be discussed in Chapter 9. The relationship between specific control objectives
and specific audit objectives for major classes of transactions is considered further in
Chapter 8 for tests of controls, and in Chapter 9 for substantive tests.

QUICK REVIEW
1. The auditor needs to obtain an understanding of internal control; assess
the level of control risk based on the understanding obtained; perform
tests of controls to gain evidence that the controls exist and operate
effectively throughout the period; and design substantive tests.
2. The auditor will document the internal control using internal control
questionnaires and checklists, narrative memoranda and flowcharts.
3. The auditor may assess control risk along a range from high to low,
depending on the effectiveness of internal control.
4. The auditor must obtain evidence to support the assessed level of control
risk.
5. The higher the level of assessed control risk, the more assurance the
auditor must obtain from substantive tests.
LO 7.5 Computerised systems
It is expected that most students will have an understanding of the basic concepts of IT.

As discussed earlier in this chapter, ASA 315.18 (ISA 315.18) requires the auditor to have
an understanding of the information system, including the related business processes.
Many auditors now use what is known as the COBIT (control objectives for information
and related technology) framework (published by the Information Systems Audit and
Control Association) to identify how the business processes and the IT processes
interrelate with each other.

Page 293

The COBIT framework


While COBIT is an IT governance framework and supporting toolset designed to be used
by managers, the framework is also useful for auditors in obtaining an understanding of IT.
The COBIT framework is organised into four ‘domains’ as follows:

Planning and organisation—how the entity directs the deployment of IT resources and
the delivery of services.
Acquisition, implementation and maintenance—how the entity defines and analyses
the requirements for projects, meets those requirements and implements the selected
approach.
Delivery and support—how the entity establishes physical and logical security to
safeguard IT applications and resources against unauthorised use, modification,
disclosure or loss.
Monitoring—how the entity reviews performance and corrects deviations from
operational and procedural standards.

For each of these four COBIT domains, the auditor would typically look at three elements:

technology
people
procedures.

By understanding the technology, the people involved and the procedures of the four
COBIT domains, the auditor can understand the entity’s information system. The auditor
can then assess the risks of material misstatement related to the information system.

The COBIT framework identifies seven categories of threats to the computer information
requirements of the entity as follows:

1. Availability Is the information available, when required by the business process? For
example, risk of system downtime.
2. Confidentiality Is sensitive information protected from unauthorised disclosure? For
example, risk of hackers accessing servers.
3. Integrity Is the information accurate and complete as well as valid in accordance with
business expectations? For example, risk of failure of processing controls.
4. Effectiveness Is the information relevant and pertinent to the business process as well
as delivered in a timely, correct, consistent and usable manner? For example, risk of
providing insufficient information to management to make decisions.
5. Efficiency Is the information provided through the optimal use of resources? For
example, risk of poor cost–benefit analysis and inefficient use of resources.
6. Compliance Does the entity use information in compliance with relevant laws,
regulations and contractual agreements? For example, risk of lack of awareness of legal,
regulatory and contractual requirements resulting in non-compliance with those
requirements.
7. Reliability Is the appropriate information provided to management so that it can
operate the entity and exercise its financial and compliance reporting responsibilities? For
example, risk of outsourcers failing to meet targets.

By considering these seven categories of threats to the information requirements of the
entity, the auditor can evaluate the audit and business risks that arise from the information
system. For example, as a result of the auditor’s understanding of the information system,
the auditor would be able to identify whether the availability of information is at risk due to
frequent system downtime. The auditor would then consider whether frequent system
downtime is an inherent risk to the validity of the financial report.

In considering internal control that involves a computerised system, it is useful to
distinguish between various categories of controls.

Page 294

Levels of control in computerised systems


There are two major categories of controls in computerised systems: user controls and IT
controls. User controls are those controls established and maintained by departments
whose processing is performed by computer. User departments are responsible for any
errors that originate outside the IT department and for establishing and maintaining
controls over the information from their department which is processed by computer. For
example, a payroll department may determine gross payroll and the number of payroll
cheques to be prepared before processing, and then compare the computer output received
from the IT department with those totals.

The distinction between user controls and IT controls is therefore based on location. IT
controls are maintained in the location of the computer. IT controls can be subdivided
into general controls and application controls, as discussed below. User controls are always
application controls.

Use of computer-assisted audit techniques (CAATs) in identifying controls

Due to the extensive use of IT in business processes and the fact that the audit trail may
only exist in computer-readable form, CAATs are often used by auditors to help identify IT
application controls at an entity. A CAAT may be used to perform a walk-through of a
computer system, whereby the auditor traces one or more transactions of each type through
the system, identifying the related controls over the transaction. Before performing the
walk-through using the CAAT, the auditor must ensure that the data in the system is not
compromised. This is usually done by using copies of the relevant data and a copy of the
production software on a system that is separate from the actual accounting system.

General controls versus application controls


General controls are those controls that relate to all or many computerised accounting
applications. For example, controls over the development of and changes to application
software affect all accounting applications and they are included in the auditor’s
consideration of the control environment. Application controls relate to specific
individual computerised accounting applications. For example, an automated control for
validating customers’ account numbers and credit limits affects only the sales accounting
application and is considered in assessing control risk for assertions in that area. This
example leads to another important distinction—that between automated and manual
controls.

Automated controls versus manual controls

An IT control may be either an automated control or a manual control activity, as
illustrated in Figure 7.9.

FIGURE 7.9 Automated and manual controls

An automated activity is performed by computer software, while a manual activity is
performed by people. For example, the rejection of an invalid account number by the
computer is an automated control, while a data-entry operator checking for the authorised
signature on a document before keying in the data is a manual control. When the computer
generates a report of unusual transactions or conditions (for example, payroll hours for a
single staff member exceeding 50 for one week) for management review, that review is a
manual control that depends on an automated control.

Most entities’ systems of internal control consist of a mixture of manual and automated
controls. The mix of manual and automated controls will vary between entities, depending
on the nature of the entity and the complexity of the entity’s IT system. From an audit
perspective, the auditor is concerned with whether the control can be relied upon to prevent
or detect material misstatements, rather than whether it is manual or automated. However,
the auditor needs to recognise the characteristics of each type of control and the different
ways that they may need to be tested, as discussed in Chapter 8.

General controls
Page 295

General controls are defined in ASA 315.A108 (ISA 315.A108) as those policies and
procedures that relate to all or many applications and support the effective functioning of
application controls. General controls maintain the integrity of information and
the security of data. A variety of controls fall into this category, but the general
controls that are usually important to the planning and conduct of audits of financial
reports are as follows:

Segregation of duties This involves reviewing the plan of organisation and operation of
IT for the appropriate separation of incompatible functions.
Control over programs This involves reviewing control activities to ensure that
development, acquisition and changes to applications and systems programs are
authorised, tested and approved before being used for processing. Access to programs
should also be restricted to authorised personnel.
Control over data This involves reviewing control activities to ensure that access to the
system and to data files is restricted to authorised users and programs. All transactions
entering the system should be appropriately authorised.

Segregation of duties

In a computerised accounting system, the segregation of duties related to IT comprises:

separation between IT and user department functions
separation of incompatible functions within the IT department.

The IT department must be separate from user department functions if the user controls are
to be effective. Ideally, of the functions of authorisation, execution, recording and
accountability, the IT department should be responsible only for recording. However, in
some systems, initiation or execution of transactions is an automatic step in an application
program.

Normally there is an adequate segregation of duties if user departments independently
exercise review and reconciliation controls over original input and resubmissions. User
departments should independently reconcile manual documentation of input with computer
output. Also, errors should be returned for correction to the originating user department
and the user department should maintain an independent record (log) of corrections and
resubmissions.

Page 296

Ideally, each computer-related function should be kept separate. However, the critical
separation of duties is that between operations and systems development. These functions
are incompatible and should not be combined: those who have knowledge of the
operation of the accounting systems and applications programs, including how to
modify programs, should not be permitted to access data files and production programs
that accompany operations. Table 7.1 presents the common large IT department
functions, showing those positions with knowledge of and those positions with access to
data files and/or production programs.

TABLE 7.1 SEGREGATION OF DUTIES WITHIN IT

Duty: Knowledge (those with an understanding of systems and programs)
Positions within IT department:
  IT manager (responsible for supervising data-processing staff)
  Systems analysts (responsible for designing accounting systems)
  Applications programmers (responsible for developing and testing new applications
  programs and changes to existing programs)

Duty: Access (those with access to the computer, production programs and data files)
Positions within IT department:
  Computer operators (responsible for human intervention required to run application
  programs)
  Data-entry clerks (responsible for keying information from manual source documents to
  computer-readable form—no access to computer console, data control records or
  programs)
  Data-control clerks (responsible for the handling and control of data within the IT
  department, including comparing computer-calculated control totals to manually
  established or data preparation totals—no access to computer console)
  Librarian (responsible for maintaining and releasing for authorised use computer files
  maintained offline and written documentation of production programs—no access to
  computer console)
  Systems programmers (need sufficient access to perform the function; however, should
  have no detailed knowledge of the company’s accounting systems or application
  programs)

In a small computer system (minicomputer or microcomputer), there are often not enough
people to achieve adequate segregation of duties within the IT department or between the
IT department and the user. In such circumstances the auditor will usually conclude that
general controls are seriously deficient and that the control risk must be assessed as high
on the basis of IT controls. However, in some circumstances the auditor might still assess
control risk as less than high on the basis of user controls.

Control over programs

Usually, controls over programs apply to all computerised accounting applications. One of
the major risks for the business and therefore for the auditor is at the acquisition,
development or change stages of the program. Development of new programs, acquisition
of programs from software vendors and changes to existing programs must be adequately
controlled. Adequate control includes authorisation, testing and approval before new or
changed programs are used in processing applications.

Control activities for development, acquisition or changes to programs are conceptually
similar to other control activities that leave a documentary trail, and they may be tested by
inspection of documents for approval signatures. The essential features of control are
written procedures and documentation for the following steps:

1. Initiation Authorisation for the IT department to develop or acquire new programs or
change existing programs. There should be documentation, such as a program request
form, that is formally approved by the relevant user department and by IT management.
2. Testing Formal testing procedures include the involvement of users, IT management
and internal auditors. There should be an approved testing plan and the test data and
results, indicating approval, should be retained.
3. Implementation Formal approval by users and IT management before a program is
placed into production by IT personnel independent of programming. Programmers
should not have access to production programs, so there should be separate test programs,
and production programs should be protected from unauthorised access.


Page 297
Outside these steps, the major concerns of the business and the auditor relate to
unauthorised access or changes to the programs.

In many computerised systems, access to programs is protected by specialised systems
software. For example, program library management software protects application
programs that are stored online. This systems software also logs changes to programs and
any attempts to obtain unauthorised access to programs. When this type of systems
software is used, the auditor may be able to use management reports produced by the
software to determine the date of the last change to each program. Where this software is
modified, such modifications should be properly authorised, approved, tested and
documented. Only authorised personnel should have access to systems software and its
documentation.

Control over data

Control activities in user departments and IT application controls over input and processing
help to ensure that processed data are authorised, valid, complete and accurate. Control
over access to data maintained on computer-readable files ensures that the data remain
authorised, valid, complete and accurate.

The control activities that restrict access to data files to authorised users and programs are
a mixture of physical devices, manual control activities and automated control activities.
Physical security measures are necessary to ensure that only authorised personnel have
access to the computer room. These measures include locks, badges and passes to obtain
admittance. In an online system, physical security measures for terminals, such as locks
and a supervised location, are also important. In a system where there is remote
transmission from terminals to the central processing unit (CPU), physical security is more
difficult to achieve and automated procedures assume even greater importance.

Where data files are maintained offline, a librarian function separate from programming
and operations is important. The librarian should release files only in accordance with
established procedures for authorised use. Authorisation should include both the
individuals to whom files may be released and an authorised processing schedule. Proper
labelling of files (both internal and external) also helps to ensure protection of data files
from incorrect and unauthorised use.

In an online system, files are accessed through terminals. Thus a variety of automated
procedures is necessary, particularly procedures accomplished by systems software. When
terminals are located in user departments, only appropriate terminals should have access to
master files. For example, terminals in the billing department should not have access to the
accounts payable master file. This can be achieved by online storage of a list of authorised
terminals for each function, so that when a terminal requests access its identity is compared
with a list of authorised terminals for the requested file. It is also necessary to restrict the
use of terminals to authorised users. This can be achieved by using systems software that
requires users to enter an ID and a password in order to obtain access to particular data
files and programs.
Measures should also be taken in an online system to restrict the access to data files of
those involved in the programming function. Application programmers need to use files in
testing programs and these files should be copies, or files of fictitious data, rather than live
data files. Also, systems software may be used to bypass automated control activities
that restrict the access of application programs to data files. Therefore, use of systems
software should be controlled, and its use by systems programmers should be monitored.

Systems security software packages are available that monitor access to data files and
control unauthorised access. This software either prevents or detects unauthorised access to
data files. However, some systems software of this type may be operated in different modes
at the client’s choosing, and only some modes prevent unauthorised access. Other modes
detect and produce a management report of unauthorised access to data files and their
effectiveness is dependent on manual investigation and follow-up of the reports.
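The terminal-list and user ID/password checks described above, run in either a prevent or a detect mode, as an added Python illustration that is not part of the textbook. The terminal identifiers, master-file names, user record layout and passwords are constructed; the prevent/detect switch is an assumption about how such software might be configured, used here to show why detect mode depends on follow-up of the report.

```python
"""Access restriction in an online system (added illustration, not the
textbook's code): a terminal must be on the authorised list for the
requested master file, the user must present a valid ID and password,
and the software runs in 'prevent' or 'detect' mode. In detect mode an
unauthorised request is allowed through but recorded for management
follow-up, so the control is only as good as the review of the report."""
import hashlib
import hmac
import os

# Constructed: which terminals may reach which master file. Billing
# terminals may access the receivables master but not the payables master.
AUTHORISED_TERMINALS = {
    "AR_MASTER": {"T-BILL-01", "T-BILL-02"},
    "AP_MASTER": {"T-PAY-01"},
}

_DUMMY_SALT = b"\x00" * 16  # so unknown user IDs take as long to reject as bad passwords


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def register_user(users, user_id, password, files):
    """Store a salted password hash and the data files the user may access."""
    salt = os.urandom(16)
    users[user_id] = {"salt": salt, "hash": _hash_password(password, salt),
                      "files": set(files)}


def _check(users, terminal_id, user_id, password, file_name):
    """Return None if the request passes every control, else the reason it failed."""
    if terminal_id not in AUTHORISED_TERMINALS.get(file_name, set()):
        return "terminal not authorised for file"
    rec = users.get(user_id)
    salt = rec["salt"] if rec else _DUMMY_SALT
    supplied = _hash_password(password, salt)
    if rec is None or not hmac.compare_digest(rec["hash"], supplied):
        return "invalid user ID or password"
    if file_name not in rec["files"]:
        return "user not authorised for file"
    return None


def request_access(users, access_log, terminal_id, user_id, password,
                   file_name, mode="prevent"):
    """Decide one request and log it. Prevent mode refuses an unauthorised
    request; detect mode grants it but flags it in the log."""
    reason = _check(users, terminal_id, user_id, password, file_name)
    granted = reason is None or mode == "detect"
    access_log.append({"terminal": terminal_id, "user": user_id, "file": file_name,
                       "granted": granted, "reason": reason})
    return granted


def unauthorised_access_report(access_log):
    """Management report: every request that failed a control, whichever mode."""
    return [entry for entry in access_log if entry["reason"] is not None]


def run_sample():
    """Constructed sequence of requests; returns the access log."""
    users, log = {}, []
    register_user(users, "jsmith", "billing-pass-1", ["AR_MASTER"])
    request_access(users, log, "T-BILL-01", "jsmith", "billing-pass-1", "AR_MASTER")
    request_access(users, log, "T-BILL-01", "jsmith", "billing-pass-1", "AP_MASTER")
    request_access(users, log, "T-BILL-02", "jsmith", "wrong-pass", "AR_MASTER")
    request_access(users, log, "T-BILL-01", "nobody", "", "AR_MASTER")
    # detect mode: the bad password is let through but appears on the report
    request_access(users, log, "T-BILL-01", "jsmith", "wrong-pass", "AR_MASTER",
                   mode="detect")
    return log


SAMPLE_LOG = run_sample()
```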

Page 298

Where control over access to data files is dependent on systems software, the
assistance of a computer audit specialist is usually required. The computer audit
specialist assists in obtaining an understanding of the systems-software-dependent controls
and evaluates whether they are effective in restricting access to data files to authorised
users and programs.

Other general controls

There are other general controls but usually they do not have an effect on the auditor’s
assessment of control risk. For example, some general controls are concerned with the
ability to recover computer operations if various problems arise. These back-up and
recovery controls relate to measures taken to back up hardware, software and files and to
ensure recovery if the computer installation or particular files or programs are damaged or
destroyed. For example, the client should have a contingency plan to follow if computer
processing is disrupted by a disaster such as a fire or a flood.

Back-up procedures relate to the ability to reconstruct data files if the current version of the
file is damaged by a hardware or software error. For example, in a system with batch input
and batch processing, files should be retained to allow the reconstruction of master files. A
retention policy often used is called the grandfather–father–son concept . As the name
implies, it involves retaining three generations of a particular master file and the related
transaction files. The current version of the master file is the ‘son’ file, and the two
previous versions are the ‘father’ and ‘grandfather’. In an online entry system, data file
retention requires dumping the entire contents of master files onto magnetic tape or disk on
a daily basis and creating a transactions log of processed transactions.
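The grandfather–father–son retention scheme, with reconstruction of a damaged current master file from the retained generations and their transaction files, as an added Python illustration that is not part of the textbook. The master file (a map of account balances) and the daily transaction files are constructed.

```python
"""Grandfather-father-son retention of a master file and its transaction
files (added illustration, not the textbook's code). Three generations of
the master are kept with the transaction files that link them, so the
current 'son' can be rebuilt if it is damaged by a hardware or software
error. Master file layout and transactions are constructed."""
from copy import deepcopy

GENERATIONS = 3  # son, father, grandfather


def apply_transactions(master, transactions):
    """Post a transaction file of (account, amount) pairs to a copy of a
    master file of account balances and return the new generation."""
    new_master = deepcopy(master)
    for account, amount in transactions:
        new_master[account] = new_master.get(account, 0) + amount
    return new_master


class RetentionCycle:
    def __init__(self, initial_master):
        # masters[i] posted with txn_files[i] gives masters[i+1]; last one is the son
        self.masters = [deepcopy(initial_master)]
        self.txn_files = []

    def run(self, transactions):
        """One processing cycle: create the new son, then retire whatever is
        older than the three retained generations."""
        self.masters.append(apply_transactions(self.masters[-1], transactions))
        self.txn_files.append(list(transactions))
        while len(self.masters) > GENERATIONS:
            self.masters.pop(0)
            self.txn_files.pop(0)
        return self.masters[-1]

    def generations(self):
        names = ("son", "father", "grandfather")
        return dict(zip(names, reversed(self.masters)))

    def reconstruct_son(self):
        """Rebuild the son from the father and the most recent transaction file."""
        return apply_transactions(self.masters[-2], self.txn_files[-1])

    def reconstruct_from_grandfather(self):
        """Rebuild the son from the oldest retained generation by re-posting
        every retained transaction file (covers loss of the father as well)."""
        master = self.masters[0]
        for txn_file in self.txn_files:
            master = apply_transactions(master, txn_file)
        return master


def build_sample():
    """Constructed: three daily cycles on a small receivables master."""
    cycle = RetentionCycle({"1001": 100, "1002": 0})
    cycle.run([("1001", 50)])                 # day 1
    cycle.run([("1002", 20), ("1003", 5)])    # day 2
    cycle.run([("1001", -30)])                # day 3: original master retired
    return cycle


SAMPLE = build_sample()
```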

Application controls
Application controls are defined in ASA 315.A109 (ISA 315.A109) as manual or
automated procedures that operate at a business process level and therefore apply to the
processing of individual applications. They can be preventative or detective, and are
designed to ensure the integrity of the accounting records. Therefore, they relate to
procedures used to initiate, record, process and report transactions or other financial data.

The reliance that can be placed on application controls often depends on the reliability of
the general controls. For example, an automated IT control or a manual control activity that
depends on computer-generated information may not be effective if control over
development and changes to application software are ineffective. However, application
controls contribute to achievement of specific control objectives that the auditor considers
in tests of controls. The auditor assesses the effect of application controls on control risk in
order to restrict the scope of direct tests of balances. As explained earlier, application
controls may be user controls or IT controls.

User controls

User controls are performed by personnel in user departments and therefore are manual
control activities, and so these controls may be tested in the same manner as control
activities in a manual processing system. The auditor may test the functioning of user
controls by enquiry, observation and inspection of documents.

The user controls relevant to providing reasonable assurance of the occurrence,
completeness and accuracy of data processed by the computer may be classified as control
totals; review and reconciliation of data; error correction and resubmission; and
authorisation controls.

Control totals are used to detect errors in input or processing when information is
batched before entry. Generally, there are the following three types:

1. Financial totals The totals of field amounts for all the records in a batch that are
normally computed as a result of processing. For example, in a sales accounting system,
financial totals are total dollars received or total dollars billed.
2. Record totals The totals of the number of logical or physical records in a batch. For
example, the total number of sales invoices and the total number of inventory items on
invoices in a batch are record totals.
3. Hash totals The totals of field amounts for all the records in a batch that are
computed for control purposes only. For example, the total of customer numbers
is a hash total.

Page 299

If a user department establishes control totals before data entry and reconciles those totals
to output returned from the IT department, loss of data or changes in data that occur
outside the user department can be detected. For this control activity to be effective, the
user department must maintain detailed documentation, reconcile output to input and
investigate discrepancies. The procedures are as follows: a batch number is assigned; the
number of items in a batch is limited to facilitate reconciliation; control totals are recorded
manually in a log maintained by the user and on a transmittal ticket (batch header) that
accompanies the batch; the control totals on output reports are reconciled to the input
control totals; and differences and their resolution are also documented.
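Financial, record and hash totals established by the user department and reconciled to the output returned from IT, as an added Python illustration that is not part of the textbook. The sales invoice batch, the totals logged before entry and the two returned outputs are constructed; the example also shows that only the hash total catches a miskeyed customer number.

```python
"""User-department batch control totals (added illustration, not the
textbook's code): the user logs financial, record and hash totals before
data entry and reconciles them to the totals recomputed from the output
returned by the IT department. Batch and outputs are constructed."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Invoice:
    invoice_no: str
    customer_no: int
    amount: Decimal   # dollars billed
    items: int        # inventory items on the invoice


def compute_totals(batch):
    """Control totals for a batch of sales invoices."""
    return {
        # financial total: dollars billed, a meaningful figure in itself
        "financial_total": sum((inv.amount for inv in batch), Decimal("0")),
        # record totals: number of invoices and number of items on them
        "record_total": len(batch),
        "item_total": sum(inv.items for inv in batch),
        # hash total: sum of customer numbers, meaningless as a figure but it
        # changes whenever a customer number is altered or a record is lost
        "hash_total": sum(inv.customer_no for inv in batch),
    }


def reconcile(batch_no, input_totals, output_batch):
    """Compare the totals logged by the user department with the totals
    recomputed from the output returned by IT. Returns the discrepancies;
    an empty list means the batch reconciles."""
    output_totals = compute_totals(output_batch)
    return [
        f"batch {batch_no}: {name} input {input_totals[name]} "
        f"vs output {output_totals[name]}"
        for name in input_totals
        if input_totals[name] != output_totals[name]
    ]


# Constructed batch as submitted by the billing department.
INPUT_BATCH = [
    Invoice("S1001", 4010, Decimal("250.00"), 3),
    Invoice("S1002", 4022, Decimal("1200.50"), 5),
    Invoice("S1003", 4015, Decimal("99.95"), 1),
]

# Totals recorded manually in the user log and on the batch header (4010 +
# 4022 + 4015 = 12047), independently of any later computer processing.
INPUT_TOTALS = {
    "financial_total": Decimal("1550.45"),
    "record_total": 3,
    "item_total": 9,
    "hash_total": 12047,
}

# Output returned by IT with the last invoice lost in processing.
OUTPUT_RECORD_LOST = INPUT_BATCH[:2]

# Output with S1003 keyed to customer 4051 instead of 4015: the financial
# and record totals still agree, and only the hash total reveals the error.
OUTPUT_MISKEYED = INPUT_BATCH[:2] + [Invoice("S1003", 4051, Decimal("99.95"), 1)]
```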

For a computerised system, review and reconciliation of data by users is an important
control activity. Users should make a manual review of the data before its transmittal or
entry, to help ensure the accuracy and completeness of data submitted for processing. Also,
users should carefully review computer output received and reconcile it to input. As
transactions may be automatically initiated or executed by application programs, users
should review a list of all computer-generated transactions for their applications. Review of
file maintenance changes to master files is also important. For example, there may be
changes to customer credit limits or addresses on the accounts receivable master file.
Changes not authorised by user control activities should be investigated. User review of
changes helps to ensure that they are authorised and accurate. Since users are
knowledgeable about the file data for their applications, user reviews of output for
reasonableness are important.

There are generally formal error correction and resubmission procedures in computerised
systems. Users are responsible for correcting errors that originate outside the IT
department. Procedures in user departments generally should include a user’s procedure
manual with written procedures for correcting errors, maintenance of a log for errors and
resubmissions, and careful review and approval of resubmitted source documents before
transmittal.

Authorisation controls are important to ensure that only valid transactions are processed.
During batching, individual transactions should be appropriately authorised. There should
also be an authorisation procedure for each of the batches from the user department to the
IT department for input.

IT controls

Every time data are transferred from one medium to another or are changed by processing,
such as by summarisation or calculation, there is potential for error. Therefore, IT
application controls are usually classified as input, file, processing and output controls.
Errors may be introduced at each of these stages in a computerised system.

Input controls naturally differ for batch input and online entry. Batch input goes
through a data preparation step for conversion of manual source documents to computer-
readable form. Batch data preparation generally includes the following control activities:

Control totals These are computed as a by-product of data preparation and compared
to the total established manually by the user department. Also, as part of data preparation,
a (computer-readable) batch header record including control totals is often created and
added to the input.
Key verification This is the duplicate keying of data to detect errors of entry. A
second operator rekeys the same source documents, and differences from the first keying
are identified and corrected. As key verification is expensive, it is usually confined to
critical data fields on source documents.
Key entry validation Data validation is a general term referring to tests used to detect
inaccurate or incomplete data. Key-to-disk equipment has logic capabilities that permit
data validation.

Online entry controls include (1) batch controls in online entry with batch processing and
(2) general controls, which were discussed earlier, to ensure that only authorised and valid
transactions are entered into terminals.

After data preparation in batch input systems, the batch input is read online from tape or
disk into primary storage. This step takes place under control of the CPU and a variety of
edit and data validation tests can be made using the logic capability of the CPU.
The following edit and data validation tests are examples of automated control
activities:

Check digits These are used to validate record-identification fields. For example, a
check digit may be used for customer numbers or employee numbers. The check digit is
calculated from the identification number and attached to it when the number is
originally assigned. The calculation is a numeric operation on the identification number.
A simple check digit algorithm might operate in the following way: Assume an inventory
item code is 65951, the final digit (1) being the check digit. Once entered, the computer might divide the number 6595 by 7
(referred to as the modulus). The result of this division would be 942, with a remainder of
1. The computer would then compare this remainder with the final digit in the code (in
this case, 1). Since the remainder agrees with the check digit, the code is valid. If the
remainder was not the same as the check digit, then the code is invalid and would be
rejected.
Limit or reasonableness test This is a logic test used to determine whether a data
amount falls within previously established limits. Any amount that is outside the limit is
identified for investigation. For example, in a weekly payroll application, employee time
records with greater than 48 hours or less than 0 hours might be rejected or printed out
for investigation. In a cash payments system all disbursements over a specified amount,
such as $10 000, might be printed out for investigation. This type of automated control
activity helps to compensate for the lack of human involvement in computer processing.
Humans notice when data do not make sense or are out of line; computers do not, unless
they are specifically programmed to apply predefined criteria.
Field test This is a logic test based on the characteristics that data in particular fields
should exhibit. For example, characters should be alphabetic or numeric (alphanumeric
test); the field should have a specified size (for example, a field must contain five
characters, not four or six); the field should have a specified sign (sign test) or in some
cases a specified value.
Valid code test This is a logic test in which a code field in a record is compared to a
table of valid codes stored online. For example, a transaction code can be used in
accounts receivable processing so that only transactions with certain codes, such as credit
sales or cash collections, are accepted to update the debtors master file.

These automated control activities are examples rather than an exhaustive list of the
possible procedures.
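
The four edit tests described above, run together over a constructed batch of payroll input records, as an added example (not code from the textbook). The record layout (employee number, hours, pay code), the five-digit field size, the 0 to 48 hour limits and the table of valid pay codes are assumptions chosen for illustration; the check digit follows the modulus 7 rule from the inventory code example.

```python
"""Automated edit and data validation tests over a constructed batch of input records.

Added example, not code from the textbook. The record layout (employee number,
hours, pay code), the field sizes, the hour limits and the valid-code table are
assumptions chosen to illustrate the four tests described in the text.
"""
from typing import Dict, List

MODULUS = 7                       # divisor in the text's check digit example
EMP_NO_LENGTH = 5                 # assumed: four-digit number plus one check digit
MIN_HOURS, MAX_HOURS = 0, 48      # reasonableness limits for a weekly time record
VALID_PAY_CODES = {"REG", "OVT", "LVE"}   # assumed table of valid codes stored online


def compute_check_digit(body: int, modulus: int = MODULUS) -> str:
    """Attach a check digit (body mod modulus) when an identification number is assigned."""
    return f"{body}{body % modulus}"


def check_digit_valid(number: str, modulus: int = MODULUS) -> bool:
    """Check digit test: the remainder of the leading digits divided by the modulus
    must equal the final digit, e.g. 6595 % 7 == 1, so '65951' is valid."""
    if not number.isdigit() or len(number) < 2:
        return False
    return int(number[:-1]) % modulus == int(number[-1])


def limit_test(value: float, low: float, high: float) -> bool:
    """Limit or reasonableness test: the value must lie within pre-established limits."""
    return low <= value <= high


def field_test(value: str, size: int, numeric: bool) -> bool:
    """Field test: specified size plus numeric or alphanumeric character class."""
    if len(value) != size:
        return False
    return value.isdigit() if numeric else value.isalnum()


def valid_code_test(code: str, table=VALID_PAY_CODES) -> bool:
    """Valid code test: the code must appear in the table of accepted codes."""
    return code in table


def validate_record(rec: Dict[str, str]) -> List[str]:
    """Apply every test to one record; returns the reasons for rejection (empty = accepted)."""
    reasons: List[str] = []
    if not field_test(rec["emp_no"], EMP_NO_LENGTH, numeric=True):
        reasons.append("field test: emp_no must be 5 digits")
    elif not check_digit_valid(rec["emp_no"]):
        reasons.append("check digit: emp_no fails modulus check")
    try:
        hours = float(rec["hours"])
    except ValueError:
        reasons.append("field test: hours must be numeric")
    else:
        if not limit_test(hours, MIN_HOURS, MAX_HOURS):
            reasons.append(f"limit test: hours {hours:g} outside {MIN_HOURS}-{MAX_HOURS}")
    if not valid_code_test(rec["pay_code"]):
        reasons.append(f"valid code test: unknown pay code {rec['pay_code']!r}")
    return reasons


def run_edit_tests(batch: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Return {record index: reasons} for rejected records, ready for an exception report."""
    rejected: Dict[int, List[str]] = {}
    for idx, rec in enumerate(batch):
        reasons = validate_record(rec)
        if reasons:
            rejected[idx] = reasons
    return rejected


# Constructed sample batch: record 0 is clean, each of the others trips one test.
SAMPLE_BATCH = [
    {"emp_no": "65951", "hours": "40", "pay_code": "REG"},   # accepted
    {"emp_no": "65952", "hours": "40", "pay_code": "REG"},   # wrong check digit
    {"emp_no": "6595",  "hours": "40", "pay_code": "REG"},   # wrong field size
    {"emp_no": "65951", "hours": "52", "pay_code": "OVT"},   # over the 48-hour limit
    {"emp_no": "65951", "hours": "8",  "pay_code": "XXX"},   # code not in the table
]

if __name__ == "__main__":
    for idx, reasons in run_edit_tests(SAMPLE_BATCH).items():
        print(f"record {idx} rejected: {'; '.join(reasons)}")
```

Rejected records are listed with every reason rather than only the first, which is what an exception report handed back to the user department for correction and resubmission needs; the field test runs before the check digit test because a number of the wrong length cannot meaningfully be divided by the modulus.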

File controls ensure that the proper versions of files are used in processing. For
example, the current period’s transaction file and the latest version of the master file should
generally be used in processing. Control activities in this area include file label controls.
Internal file labels are computer-readable data that are actually part of the file; they
identify the data and content of the file. External file labels are printed or handwritten
adhesive labels on diskettes or magnetic tape reels.

Processing controls detect errors in data and errors that occur in processing as a result
of logic errors in application programs or systems software errors. Controls for data errors
include automated control activities, such as transaction code tests, checking the numerical
sequence of records on a file and comparing related fields in files. Controls to prevent or
detect processing errors include automated control activities such as reasonableness or
limit tests and use of redundant program calculations (double arithmetic). Also, control
totals accumulated during processing are compared to input totals and previous computer-
run totals. This is commonly known as a run-to-run control total reconciliation.
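
The batch control totals described under data preparation, the internal file label check described under file controls and the run-to-run control total reconciliation described in the paragraph above, as one added example (not code from the textbook). The transaction layout, the batch header fields (record count, financial total, hash total of account numbers) and the file label fields are assumptions chosen for illustration; amounts are held in whole cents so the financial totals never suffer rounding drift.

```python
"""Batch control totals, internal file label check and run-to-run reconciliation.

Added example, not code from the textbook. The transaction layout, the batch
header fields and the file label fields are assumptions chosen for illustration;
amounts are whole cents so that financial totals never suffer rounding drift.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Transaction:
    account: str    # customer account number
    amount: int     # cents; negative for credits


@dataclass
class BatchHeader:
    """Control totals the user department establishes before transmittal."""
    record_count: int
    financial_total: int   # sum of amounts
    hash_total: int        # sum of account numbers: meaningless, used only for control


@dataclass
class FileLabel:
    """Internal file label: computer-readable data forming part of the file."""
    name: str
    period: str     # accounting period the file belongs to, e.g. '2018-06'
    version: int


def control_totals(txns: List[Transaction]) -> BatchHeader:
    """Recompute the three control totals from the records actually received."""
    return BatchHeader(
        record_count=len(txns),
        financial_total=sum(t.amount for t in txns),
        hash_total=sum(int(t.account) for t in txns),
    )


def batch_differences(header: BatchHeader, txns: List[Transaction]) -> Dict[str, int]:
    """Compare the user's header totals with the data preparation totals.

    Returns {total name: computed minus expected} for each total that disagrees;
    an empty dict means the batch reconciles and may go forward to processing.
    """
    computed = control_totals(txns)
    return {
        name: getattr(computed, name) - getattr(header, name)
        for name in ("record_count", "financial_total", "hash_total")
        if getattr(computed, name) != getattr(header, name)
    }


def label_check(label: FileLabel, name: str, period: str, latest: int) -> List[str]:
    """File label control: the intended file, period and latest version must be used."""
    problems = []
    if label.name != name:
        problems.append(f"wrong file: {label.name}")
    if label.period != period:
        problems.append(f"wrong period: {label.period}")
    if label.version != latest:
        problems.append(f"stale version {label.version}, latest is {latest}")
    return problems


def post_batch(opening: Dict[str, int], txns: List[Transaction]) -> Tuple[Dict[str, int], int, int]:
    """Processing run: post the batch to the master file balances.

    Returns the closing balances plus the opening and closing balance totals
    needed for the run-to-run control total reconciliation.
    """
    balances = dict(opening)
    for t in txns:
        balances[t.account] = balances.get(t.account, 0) + t.amount
    return balances, sum(opening.values()), sum(balances.values())


def run_to_run_reconciles(opening_total: int, batch_total: int, closing_total: int) -> bool:
    """Run-to-run check: previous run's total plus this batch must equal the new total."""
    return opening_total + batch_total == closing_total


# Constructed sample data: three keyed transactions and two user-prepared headers.
SAMPLE_TXNS = [Transaction("10231", 12_500), Transaction("10456", -3_000),
               Transaction("10231", 7_250)]
GOOD_HEADER = BatchHeader(record_count=3, financial_total=16_750, hash_total=30_918)
# Header for a batch where a fourth document (account 10456, $40.00) was never keyed.
BAD_HEADER = BatchHeader(record_count=4, financial_total=20_750, hash_total=41_374)
OPENING_BALANCES = {"10231": 100_000, "10456": 5_000, "10999": 0}

if __name__ == "__main__":
    print("good batch differences:", batch_differences(GOOD_HEADER, SAMPLE_TXNS))
    print("bad batch differences:", batch_differences(BAD_HEADER, SAMPLE_TXNS))
    bal, open_t, close_t = post_batch(OPENING_BALANCES, SAMPLE_TXNS)
    print("run-to-run reconciles:",
          run_to_run_reconciles(open_t, GOOD_HEADER.financial_total, close_t))
```

Three totals are carried rather than one because they fail in different ways: a dropped record shows up in the record count, a keying error in an amount shows up in the financial total, and a transaction posted to the wrong account shows up only in the hash total. The run-to-run figure ties the master file's closing total back to its opening total plus the batch's financial total, so a processing error in the posting logic is caught even when the batch itself reconciled.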

Output controls include manual control activities in which IT personnel and users
review output to ensure propriety and reasonableness; and proper output handling to ensure
that output is distributed only to authorised users. Output controls also include automated
controls restricting access to display specified information (for example, payroll data) on a
terminal or PC. Other automated output control activities include automatic dating of
reports, page numbering and end-of-report messages. These ensure that no pages can easily
be inserted, added or removed.

Page 301

Relationship between the review of general and application controls
In an IT environment the auditor should start the internal control evaluation by looking at
the general controls. If these controls are found to be unreliable, then the auditor can have
little confidence in automated application controls and confidence in manual application
controls may be reduced. In this situation there is limited benefit in continuing to review,
document and perform tests of automated controls; the auditor must take a more
substantive approach to the audit.

If the general controls are reliable, the auditor makes a preliminary evaluation of
application controls and, if appropriate, a more detailed evaluation of application controls.
Thus, the auditor determines the degree of tests of controls and substantive testing which
will result in the most efficient and effective audit.

Control systems in different environments


Database systems

A database is a computer-readable file of records that is used by several accounting
applications. For example, a file of suppliers or vendors might be used by purchases,
accounts payable and inventory applications. In a file-based system, there is usually a
separate file for each application even though essentially similar information is maintained
on each file. In a database system, such a file is shared by the applications.

The database approach requires a file index with primary and secondary identifying key
fields, because different applications require different identifying keys. Because of the
complexity of the file structure, special systems software called a database management
system (DBMS) is necessary to handle programming and related tasks for managing the
database. The person with overall responsibility for the data is the database administrator.

The key risk that exists in a database is the risk that general controls are inadequate to
properly control the operations of the database. This risk arises largely because a database
is a collection of data that is shared and used by a number of different users for different
purposes. Therefore, an error in one piece of data can potentially affect a number of
different applications across the entity.

Stand-alone PC systems

A PC can be used in various configurations. These include:

a stand-alone workstation operated by a single user or by a number of users at different times
a workstation that is part of a local area network (LAN) of microcomputers
a workstation connected to a central computer.

When a PC is used as a stand-alone workstation, all data and programs are stored on that
PC. Control considerations and characteristics of the hardware and software are different
when a PC is linked to other computers, with a major difference being that data and
programs can be stored and controlled centrally and accessed when required.

With PCs, the distinction between general IT controls and application controls may be
blurred. Generally, the IT environment in which PCs are used is less structured than a
centrally controlled IT environment. Where PCs are used, it may not be practicable or cost
effective for management to implement sufficient controls to reduce the risks of undetected
errors to a minimum level. Thus, the auditor often assumes that control risk is high in such
systems.

In this situation, the auditor may find it more cost effective, after obtaining an
understanding of the control environment and flow of transactions, not to make a review of
general or application controls, but to concentrate the audit efforts on substantive tests of
transactions and balances at or near the end of the year.

LANs and other networks

In the past few years, many companies have moved their accounting applications from
mainframes to PCs on local area networks (LANs). In most cases, internal control risk
has thus risen significantly. Over the years, companies with critical mainframe applications
developed effective security and control activities. Because their processing is now
distributed to PCs at many locations, the security and control activities and techniques
designed for the mainframe no longer apply, and often little has been put in place to replace
them. Viruses (unauthorised programs causing mischief or significant damage) can spread
quickly from one PC to another in a LAN environment. Complicating the design of
controls is the increasing trend to connect LANs with other LANs, or even with nationwide
networks.

Computer service organisations

A client may have some or all of its computerised accounting applications processed at an
outside service organisation, or centre, rather than using its own computers. Even
companies with large computer installations prefer to have applications such as payroll
processed externally.

ASA 402.9 (ISA 402.9) requires the auditor to obtain an understanding of how a user entity
uses the services of a service organisation in the user entity’s operations, including:

the nature and significance of the services provided by the service organisation and their
effect on the user entity’s internal control
the nature and materiality of the transactions processed or accounts or financial reporting
processes affected by the service organisation
the extent of interaction between the activities of the service organisation and the user
entity
the nature of the relationship between the user entity and the service organisation,
including the relevant contractual terms for the activities undertaken by the service
organisation.

When an audit client (user) employs a service organisation, audit evidence that is ordinarily
located at the user’s premises may be located at the service organisation. The auditor needs
to understand the nature and extent of the services provided by the service organisation
because they affect the nature, timing and extent of audit procedures, and it may not be
effective to obtain audit evidence from the service organisation.

When a service organisation is used, transactions that affect the financial report of the user
flow through an internal control system which is, at least in part, separate from the user;
thus, some or all of the evidence that the auditor needs may be under the control of the
service organisation. For the auditor to draw reasonable conclusions about the transactions,
and in some cases the resultant balances, that flow through the service organisation’s
internal control, it may be necessary to obtain audit evidence from the service organisation
or to have access to its records. In such circumstances, the auditor may find it necessary to
consider the internal control of the service organisation.

Where an entity uses a service organisation, there must be adequate planning at an early
stage in the audit process. To determine the significance of the service organisation’s
activities to the user and their relevance to the audit, the auditor needs to consider the
nature of the services, and the terms of the contract and relationship with the user.

The auditor needs to consider the division of internal control between the user and the
service organisation. ASA 402.10 (ISA 402.10) requires the auditor to evaluate the design
and implementation of relevant controls at the user entity that relate to services provided by
the service organisation. The user may have implemented controls that provide reasonable
assurance that irregularities at the service organisation would be detected. In some
circumstances, the auditor may be able to plan to rely on the internal control of the user
without obtaining an understanding of the internal control of the service organisation.

If the user auditor is unable to obtain a sufficient understanding from the user entity to
provide a basis for the risk assessment, ASA 402.12 (ISA 402.12) requires the user auditor
to:

obtain a type 1 or type 2 report from the service organisation’s auditor
contact the service organisation, through the user entity, to obtain the information required
visit the service organisation and perform the necessary procedures to provide the required information, or
use another auditor to perform procedures to obtain the necessary information.

The difference between a type 1 report and a type 2 report is illustrated in Figure 7.10.

FIGURE 7.10 Difference between type 1 and type 2 reports

As indicated by ASA 402.Aus A16.1 (ISA 402.A16), a type 1 report is issued by the
service organisation’s auditor where the service organisation engages the auditor to report
on the description and design of its controls. A type 2 report is issued where the service
organisation engages the auditor to report on the description and design of its controls and
their operating effectiveness. As noted by ASA 402.A17 (ISA 402.A17), the availability of
a type 1 or type 2 report will generally depend on whether the contract between the service
organisation and the user entity includes a requirement for the provision of such a report by
the service organisation.

If the user auditor wishes to use the service organisation’s auditor’s report, ASA 402.13–14
(ISA 402.13–14) require the user auditor to satisfy themself as to the service auditor’s
competence and independence; the adequacy of the standards under which the type 1 or
type 2 report was issued; and that it covers an appropriate period.

QUICK REVIEW
1. The distinction between controls established and maintained by the user
department (user controls) and those maintained by the IT department (IT
controls) is important.
2. Controls are usually classified into two broad categories: general controls
and application controls.
3. General controls are controls that relate to all or many computerised
accounting applications. They include the plan of organisation and
operation of IT; control activities over development, acquisition and
changes to programs; and control activities to ensure that access to data
files is restricted to authorised users and programs.
4. Application controls are controls relating to individual computerised
accounting applications. They include user controls and IT controls.
5. An IT control can be either an automated control or a manual control.
6. Other computer environments include database management systems;
stand-alone PC systems; LANs and other networks; and computer service
organisations.
7. The auditor is required to obtain an understanding of how the entity uses
the services of a service organisation.

Page 304

LO 7.6 Considering the work of an internal auditor


In many large entities the organisational structure includes an internal audit function. The
role of internal audit was discussed briefly in Chapter 1 as well as earlier in this
chapter, and the changing role of internal audit will be discussed further in Chapter 14 .
The extent to which an external auditor can use the work of the internal auditor when
forming an opinion on the financial report depends on an evaluation of the internal audit
function by the external auditor.

Internal audit compared to external audit


The internal audit function within an entity is determined by management, and differs from
the external audit function. Nevertheless, some of the means of achieving their objectives
are similar. Therefore, it is possible that the external auditor can use the work of the
internal auditor, thereby influencing the nature, timing and extent of the external audit
procedures.

While recognising the similarities between the external and internal audit functions, it is
important to bear in mind the fundamental differences between them. In the case of a
company, the following major differences can be identified:

1. Objectives The external auditor has a statutory responsibility to report on the truth and
fairness of the financial report and on whether proper accounting records and registers
have been kept. These responsibilities cannot be delegated to others. The objectives of the
internal audit are determined by management to assist them in their decision making.
2. Independence The external auditor is appointed by and is responsible to the shareholders
of the company, in accordance with the provisions of the Corporations Act 2001. The
internal auditor may be appointed by and be responsible to management, the board or the
audit committee.
3. Qualifications The qualifications of persons permitted to accept appointment as external
auditors are stipulated in the Corporations Act 2001. There are no statutory qualification
requirements in the case of persons appointed to act as internal auditors. The type of
qualification and/or experience required are determined by management.

Despite these comments, ASA 610.8 (ISA 610.8) recognises that the external auditor may
be able to use the work of the internal audit function in a constructive and complementary
manner. Internal auditing may be useful to the external auditor as it may affect audit risk
and therefore the nature, timing and extent of audit procedures. As a result, ASA 610.Aus
13.1 requires an external auditor to determine whether the work of internal audit can be
used, and if so, in which areas and to what extent; and if using the work of internal audit, to
determine whether that work is adequate for external audit purposes.

The work of an internal auditor may be used in an external audit where it is viewed as part
of an audit client’s internal control. The external auditor evaluates the internal audit
function and determines the extent to which it can be used in the audit process.

Evaluation of internal audit


ASA 610.15 (ISA 610.15) requires that when determining whether the work of internal
audit is likely to be adequate for external audit purposes, the external auditor must evaluate
internal audit’s:

objectivity—the internal auditor’s organisational status in the entity and the effect that
this may have on their ability to be objective. In particular, the internal auditor must be
free to communicate fully with the highest level of management and the external auditor,
and must be free of any other operating responsibility
technical competence—whether internal auditing personnel have adequate technical
training and proficiency, including professional qualifications and experience
systematic and disciplined approach—whether internal audit applies a systematic and
disciplined approach, including quality control. This would require internal audit to
exercise due professional care, including internal audit work being properly planned,
documented, supervised and reviewed. Evidence of this would be adequate audit
manuals, audit programs and working papers.

Page 305

Using the work of internal audit


In determining the effect of internal audit’s work on the nature, timing and extent of the
external audit procedures, ASA 610.24 (ISA 610.24) requires the external auditor to
consider:

the amount of judgment involved in the work
the assessed risks of material misstatement
the objectivity of the internal auditors
the technical competence of the internal auditors.

In addition, if the external auditor intends to use the work of internal audit, the evaluation
must include re-performance of some of the internal audit work. Further, ASA 610.21–22
(ISA 610.21–22) require that if the external auditor plans to use the work of internal audit,
the external auditor must discuss the planned use of its work with the internal auditor, as a
basis for coordinating their respective activities and must read the relevant reports of
internal audit.

The external auditor is required to undertake a general evaluation of the internal audit
function as part of the review of the client’s internal control, but where the auditor intends
to use specific internal audit work as a basis for modifying the nature, timing and extent of
audit procedures, the external auditor must specifically review the internal audit working
papers. An external auditor who relies on specific internal audit work to support a
preliminary assessment of control risk must evaluate and test that work to ensure that it is
adequate for external audit purposes and document the conclusions reached, as illustrated
by Figure 7.11.

FIGURE 7.11 Considering using the work of internal audit

In accordance with ASA 260.15 (ISA 260.15) the external auditor is required to
communicate with those charged with governance an overview of the planned scope and
timing of the audit. The planned use of the work of the internal audit function is an integral
part of the external auditor’s overall audit strategy and is therefore relevant to those charged
with governance, for their understanding of the proposed audit approach. As a
result, ASA 610.20 (ISA 610.20) requires the external auditor to communicate
with those charged with governance how the external auditor has planned to use the work
of the internal audit function.

ISA 610 indicates that where it is not prohibited by law or regulation, external audit may
obtain direct assistance from internal audit. Direct assistance is the use of internal audit to
perform audit procedures under the direction, supervision and review of external audit.
However, the revised ASA 610, issued in December 2013, in ASA 610.Aus 1.2 and ASA
610.Aus 25.1, prohibits the use of internal auditors to provide direct assistance in an audit
or review conducted in accordance with the Australian auditing standards. This prohibition
on direct assistance does not represent a divergence from ISA 610, as the International
Auditing and Assurance Standards Board (IAASB) makes it clear that its requirements and
guidance in this area will not be applicable in jurisdictions where the use of internal
auditors to provide direct assistance is prohibited.

QUICK REVIEW
1. The extent to which the external auditor can use the work of internal audit
depends on the evaluation of the internal audit function.
2. Internal audit may reduce audit risk and therefore the extent of the
external auditor’s work.
3. The evaluation of internal audit will consider its objectivity; the technical
competence of internal audit personnel; and whether internal audit applies
a systematic and disciplined approach, including quality control.
4. The effect of internal audit’s work on the nature, timing and extent of the
external audit procedures depends on the nature and scope of the internal
audit work; the assessed risks of material misstatement at the assertion
level; and the degree of subjectivity involved in the evaluation of the audit
evidence gathered by internal audit.
5. Where the external auditor intends to use specific internal audit work, the
external auditor will review the internal auditor’s working papers and test
the internal auditor’s work.
6. In Australia, external auditors are prohibited from using internal auditors to
provide direct assistance in an audit or review conducted in accordance
with the Australian auditing standards.

Summary
The study and evaluation of internal control is an important aspect of a financial report
audit. The auditor must obtain a sufficient understanding of the entity’s internal control,
including the internal audit function if applicable. The auditor’s understanding of internal
control must be documented in the audit working papers through completed flowcharts,
questionnaires or narrative descriptions. The auditor then needs to perform tests of
controls, assess control risk for each significant financial report assertion and document
this assessment. Making the correct assessment is crucial to completing an efficient and
effective audit.

Key terms
accounting system
application controls
approval
assessing control risk
authorisation
automated control
back-up and recovery controls
big data
check digit
control activities
control environment
control risk
control totals
database
database management system (DBMS)
detective controls
external file labels
field test
file controls
financial totals
flowchart
general controls
grandfather–father–son concept
hash totals
information system
inherent limitations of internal control
input controls
internal control
internal control questionnaire
internal file labels
IT controls
key entry validation
key verification
limit or reasonableness test
local area networks (LANs)
management controls
manual control
monitoring of controls
narrative memorandum
output controls
performance review
preventative controls
processing controls
program library management software
record totals
run-to-run control total reconciliation
segregation of duties
service organisation
systems software
transaction controls
user controls
valid code test
validity
walk-through

References and additional readings
American Institute of CPAs (AICPA) (2015) Audit Analytics and Continuous Audit,
Looking Toward the Future, AICPA, New York.
Australian Securities Exchange (ASX) Corporate Governance Council (2014) Corporate
Governance Principles and Recommendations, 3rd edn, June, ASX, Sydney.
Committee of Sponsoring Organizations of the Treadway Commission (COSO) (2013)
Internal Control—Integrated Framework, May, AICPA, New York.
Grant, G., Miller, K. and Alali, F. (2008) ‘The effect of IT controls on financial reporting’,
Managerial Auditing Journal, Vol. 23, No. 8, pp. 803–23.
Institute of Internal Auditors (2005) ‘Putting COSO’s theory into practice’, Tone at the
Top, Issue 28, November, pp. 1–3.
International Auditing and Assurance Standards Board (IAASB) Data Analytics Working
Group (2016) Exploring the Growing Use of Technology in the Audit, with a Focus on
Data Analytics, September, International Federation of Accountants (IFAC), New
York.
IT Governance Institute (2012) COBIT 5, ISACA, Rolling Meadows, US.
Mock, T.J. and Willingham, J.J. (1983) ‘An improved method of documenting and
evaluating a system of internal accounting controls’, Auditing: A Journal of Practice &
Theory, Vol. 2, No. 2, Spring, pp. 91–9.
Ramlukan, R. (2015) ‘How big data and analytics are transforming the audit’, Financial
Executives International Daily, 16 December, http://daily.financialexecutives.org/ho
w-big-data-and-analytics-are-transforming-the-audit/, accessed 15 December 2017.
Copyright © 2018. McGraw-Hill Australia. All rights reserved.

Gay, GE, & Simnett, R 2018, Auditing and Assurance Services in Australia, McGraw-Hill Australia, Sydney. Available from: ProQuest Ebook Central. [2 October 2020].
Created from usc on 2020-10-02 21:28:27.
Review questions

Internal control and audit strategy


7.1 Why does the auditor assess control risk? LO 7.1
7.2 Explain the concepts that underlie the definition of ‘internal control’. LO 7.1

Page 308

Internal control objectives


7.3 Explain the difference between management controls and transaction
controls. LO 7.2
7.4 Explain what is meant by incompatible accounting functions and how an
appropriate segregation of functions can be achieved. LO 7.2

Components of internal control


7.5 What is the internal control environment and why is it important? LO 7.3
7.6 Identify six areas the auditor must understand in relation to the information
systems relevant to financial reporting for an entity. LO 7.3

Considering internal control in a financial report audit
7.7 Why does an auditor need to obtain an understanding of internal control in a
financial report audit? LO 7.4
7.8 Identify the procedures an auditor uses to obtain an understanding of the
flow of transactions and the related controls. LO 7.4

Computerised systems
7.9 Distinguish between general controls and application controls in a
computerised system and list four areas over which general IT controls are
commonly implemented. LO 7.5
7.10 Identify two situations in which manual controls may be less suitable than
automated controls. LO 7.5

Considering the work of an internal auditor


7.11 Discuss the extent to which the external auditor is able to use the work of an
internal auditor. LO 7.6

7.12 Explain how internal audit is different from external audit. LO 7.6
Discussion problems and case studies

Internal control and audit strategy


7.13 EASY You are the audit senior on the audit of Better Built Ltd, a medium-
sized office furniture manufacturer, and you have just completed your review
of its internal controls for your audit for the year ended 30 June 2018. Based
on your review, you have concluded that Better Built’s internal control is
excellent—in fact, it is one of the best systems you have seen since you
began auditing. As a result, the audit manager has suggested that as the
internal control is so good, you test the controls and if they prove to be
effective as expected, you rely solely on these controls to gain reasonable
assurance that the financial information is fairly stated.
REQUIRED
What do you think about the audit manager’s suggestion? LO 7.1

7.14 EASY Easy Beat Ltd sells CDs to music shops all over Australia. Although
each sale is of relatively low value, the company has a very high sales
volume and is very profitable. You are conducting the audit of Easy Beat for
the year ended 30 June 2018. You have just completed a review of Easy
Beat’s controls and have concluded that its internal control is satisfactory.
REQUIRED
Indicate the audit strategy that you are likely to adopt. Give
reasons. LO 7.1

Page 309

Internal control objectives


7.15 EASY You are a recent audit graduate and have just been assigned to the
audit of Slumber Pty Ltd, a bed manufacturer located in Newcastle. Your
audit senior has asked you to evaluate the internal control at Slumber. As
this is the first time that you have evaluated internal control, you are not sure
what sort of controls Slumber should have in place.
REQUIRED
Explain the characteristics of a satisfactory internal control. LO 7.2

7.16 MEDIUM Supremo Ltd is a major manufacturer of industrial machinery.
When the stores department requires items to be purchased,
they issue a three-part pre-numbered purchase requisition that needs to be
approved by the stores manager. Copy 1 is sent to the purchasing
department, copy 2 is sent to the accounts payable department and copy 3
is filed in the stores department. On receipt of an approved purchase
requisition, the purchasing department issues a five-part pre-numbered
purchase order. Copy 1 is sent to the supplier, copies 2 and 3 are forwarded
to the receiving department, copy 4 is forwarded to the accounts payable
department and copy 5 is filed in the purchasing department.
When goods are received, the receiving department just stamps ‘order
received’ on its two copies of the purchase order, which then forms its
receiving record. One copy of the receiving record is filed in the receiving
department and the other is forwarded to the accounts payable department.
The accounts payable department checks that there is a purchase
requisition, purchase order and receiving record for each supplier invoice
and then approves it for payment. The accounts payable department
prepares a pre-numbered payment voucher and forwards it, along with the
supplier’s invoice, purchase requisition, purchase order and receiving
record, to the financial accountant, who signs the payment voucher,
completes the payment by bank transfer to the supplier and returns the
supporting documents to the accounts payable department.
At the end of the month, the assistant accountant undertakes a sequence
check of all pre-numbered documents. The financial accountant receives the
monthly bank statement, prepares a bank reconciliation and investigates
any reconciling items.
REQUIRED
(a) Identify the weaknesses in Supremo’s internal control concerning the
purchases and payments functions.
(b) Explain why each is a weakness and provide a recommendation as to
how to overcome the weakness. LO 7.2

Components of internal control


7.17 EASY You are auditing the inventory of Green Pastures Ltd for the year
ended 30 June 2018. Raw materials are imported from Korea and the
purchasing clerk prepares costing sheets, including the costs required to
bring the inventory to its location, and the translation of foreign currency
using appropriate foreign exchange rates. The costing sheets for work-in-
progress and finished goods are completed by the assistant management
accountant, as they also require the difficult allocation of overheads. All
costing sheets are approved by the management accountant.
REQUIRED
Identify a control activity over inventory valuation. LO 7.3

7.18 MEDIUM Your risk assessment of Meteor Ltd's business processes
indicates that there is a risk that payments to suppliers are made prior to
goods being received. As part of your examination of the information system
and related control activities, you note that the following process is in place
in relation to payments:
A pre-numbered bank transfer requisition is prepared by accounting staff
for all payments.
Accounting staff then:
– match the details on the supplier's invoice to the appropriate receiving
  report; and
– match the details on the supplier's invoice and receiving report to an
  authorised purchase order.
The bank transfer requisition, together with the above supporting
documents, is then forwarded to the appropriate senior staff member for
review and authorisation.
REQUIRED
(a) Identify the internal control activity that addresses the risk of
payments being made to suppliers before the goods are delivered.
(b) What assertion does this internal control address? LO 7.3
Source: This question was adapted from the Chartered Accountants Program of the Institute of
Chartered Accountants in Australia, 2006 financial reporting and assurance module.

7.19 HARD Festival Ltd, a diversified manufacturer, has three divisions that
operate throughout Australia. Festival has always allowed its divisions to
operate autonomously, with head office intervention occurring only when
planned results were not obtained. Head office management has high
integrity, but the board of directors and audit committee are not very active.
Festival has a policy of hiring very competent people and has an ethical
code of conduct, but there is little monitoring of compliance by employees.
Management is relatively conservative in terms of accounting principles and
practices, but employee compensation packages depend largely on
performance. Usman Singh is the general manager of the electronics
division, which produces a variety of standardised parts for small appliances.
Usman has been the general manager for the past four years, and each year
he has been able to improve the profitability of the division. His
compensation is based largely on the division’s profitability. Much of the
improvement in profitability has come through aggressive cost cutting,
including a substantial reduction in control activities over inventory.
During the past year, a new competitor has entered the electronics division’s
markets and has offered substantial price reductions in an effort to obtain
market share. Usman has responded to the competitor’s actions by
matching the price cuts to try and maintain Festival’s market share. However,
Usman is very concerned, as he cannot see any other areas where costs
can be reduced so that the division's growth and profitability can be
maintained. If profitability is not maintained, his salary and bonus will be
reduced.
Usman has decided that one way to make the division more profitable is to
manipulate inventory, because it represents a large amount of the division’s
statement of financial position. He also knows that controls over inventory
are weak. He views this inventory manipulation as a short-run solution to the
profit decline due to the competitor’s price cutting. Usman is certain that
once the competitor stops cutting prices, the misstatements in inventory can
be easily corrected.
REQUIRED
(a) Evaluate the strengths and weaknesses of Festival’s control
environment.
(b) What factors have led to and facilitated Usman’s manipulation of
inventory? LO 7.3

Considering internal control in a financial report audit
7.20 EASY You have been assigned to the audit of Meteor Ltd and your audit
manager has asked that you document the internal control system using
both flowcharts and an internal control questionnaire.
REQUIRED
(a) Outline the disadvantages and problems with the use of an internal
control questionnaire that can be minimised if they are used in
conjunction with flowcharts.
(b) Explain what benefits are obtained from the use of flowcharts that are
not available from internal control questionnaires alone. LO 7.4

Page 311

7.21 EASY Consider the following independent situations, each of which applies
to an audit of a client for the year ending 30 June 2018.
(a) MPO Ltd is a large machinery manufacturer that uses business-to-
business e-commerce to transmit purchase orders to its many
suppliers. Each supplier electronically transmits an invoice, which is
credited directly to the accounts payable file. The goods usually take
one or two weeks to arrive. Once they have been received, a goods
received note is raised by MPO and matched with the supplier’s
invoice, and payment is authorised.
(b) Spiral Ltd’s credit officer, whose prime responsibility was setting and
reviewing customers’ credit limits, retired during the year. The position
has remained unfilled for six months, as no suitably qualified and
experienced replacement has yet been found.
(c) Kent Ltd failed to discover an employee fraud on a timely basis
because bank reconciliations were not being done each month.
REQUIRED
For each of the above situations, explain the impact on control risk and the
key account and assertion affected. LO 7.4

7.22 MEDIUM You are the auditor of Critical Solutions Ltd (CSL) for the year
ended 30 June 2018. During your planning process you note that the
human resources department of CSL has been short staffed recently and
has not been able to provide training to new staff responsible for
administrative and financial processing functions. Generally, new staff
members have experience within the industry.
While reviewing the accounting system you note that accounts receivable
are agreed to the sub-ledger, but there is no aging review, and an
increasing percentage of total receivables are falling into the 90 days+
category. Time sheets for processing staff are approved by supervisors,
then passed on to Susan Rogers in payroll. Susan prepares the pay sheet
information, which gets reviewed against the time sheets and approved by
the CFO, Peter Cummins, prior to payment being processed.
Access to the information technology (IT) system at CSL is controlled by
usernames and passwords, which are required to be changed regularly
through a programmed system prompt.
REQUIRED
Identify and explain two internal control strengths and two internal control
weaknesses for CSL. LO 7.4
Source: This question was adapted from the Chartered Accountants Program of Chartered
Accountants Australia and New Zealand, 2015 (2) audit and assurance module.

7.23 HARD You are the auditor of Safe Storage Pty Ltd, which is involved in the
manufacture of steel storage drums. One of the directors of Safe Storage
has requested that you perform a review of the internal controls within the
purchases and payments cycle of the company’s operations. From your
discussions with management and staff you ascertain that the company is a
small operation, operates from one location in Perth, and only has the
following staff:
five directors (one of whom, the CEO, is responsible for the day-to-day
operations of the company)
a warehouse manager
an assistant to the warehouse manager
a secretary/receptionist
an accounts receivable clerk
a banking clerk
an accounts payable clerk
three machinery operators who are involved in the manufacturing
process.
The warehouse manager is able to order from any supplier and will usually
telephone a number of suppliers to obtain quotes. The warehouse manager
will then order from one of these suppliers by telephone and
confirm the order by facsimile. The only documentation kept is the
facsimile confirmation of order, which is kept by the warehouse manager.
Once an order has been confirmed, the warehouse manager will complete
a purchase order (PO). The warehouse manager keeps one copy of the PO
and the other is forwarded to the accounts payable clerk, who files it in date
order.
When goods are received at the warehouse, the warehouse manager
checks the goods received to the delivery note attached to the goods and
signs the delivery note as evidence of this check. The delivery note
comprises two copies, one of which is retained by the person delivering the
goods and the other by the warehouse manager.

The warehouse manager forwards a copy of the signed delivery note to the
accounts payable clerk, who posts a journal entry to the creditors ledger for
the amount shown on the delivery note. The clerk then stamps the delivery
note ‘entered’ and files the delivery notes by supplier.
REQUIRED
(a) Describe the strengths and weaknesses in Safe Storage’s internal
control for the purchasing area.
(b) How will your assessment of internal controls affect your audit
approach for Safe Storage? LO 7.4

Computerised systems
7.24 EASY The following controls may exist in an entity’s IT system.
Control policy or procedure:
1. Limit test
2. Valid code test
3. Field test
4. Internal label
5. Record total
6. Check-digit verification
7. Sequence check
8. Financial total
9. Hash total
REQUIRED
Select the type of control from the above list of controls and enter it in the
appropriate place on the grid provided below. LO 7.5
DESCRIPTION OF CONTROL                                              TYPE OF CONTROL

(a) A total of some non-financial field for a batch of transactions  ______________

(b) A numeric value calculated on an identifier number                ______________

(c) Dollar totals that ensure the accuracy and completeness of        ______________
    processing of sales invoices

(d) A test of an ID number or code by comparing it to a file that     ______________
    contains authorised ID numbers or codes

(e) A test to ensure that a numeric value does not exceed some        ______________
    predetermined value
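The controls in the list above are easiest to understand when they are seen operating on a batch. The following is an added example, not code from the text, that applies record, financial and hash totals, a sequence check on pre-numbered documents, a valid code test against an authorised-customer file, a field test, a limit test and check-digit verification to a constructed batch of keyed sales invoices. The batch, the control header the clerk is assumed to have computed from the source documents, the customer codes, the $50 000 limit and the use of the Luhn (mod 10) algorithm as the check-digit scheme are all assumptions made for the example.

```python
"""Batch input controls over a constructed batch of sales invoices (added example)."""
from dataclasses import dataclass
from typing import Dict, List

# Assumed authorised-customer file; codes are a letter, three digits and a
# Luhn check digit.
AUTHORISED_CUSTOMERS = {"C1040", "C1057", "C1073", "C2006"}
MAX_INVOICE_AMOUNT = 50_000.00   # assumed limit-test threshold


@dataclass(frozen=True)
class Invoice:
    number: int      # pre-numbered document
    customer: str    # customer code, checked against the authorised file
    quantity: str    # keyed as text so the field test can catch mis-keying
    amount: float


# Constructed batch as keyed: invoice 1003 was not keyed (so it is missing),
# 1004 exceeds the limit, 1005 has a mis-keyed quantity ("2O" with a letter O)
# and 1006 names a customer that is not authorised and has a wrong check digit.
BATCH = [
    Invoice(1001, "C1040", "12", 1200.00),
    Invoice(1002, "C1057", "3", 450.50),
    Invoice(1004, "C1073", "7", 61000.00),
    Invoice(1005, "C2006", "2O", 99.99),
    Invoice(1006, "C9999", "1", 10.00),
]

# Constructed control header: totals the clerk computed from all six source
# documents (including the unkeyed invoice 1003, customer C1040, $800.00).
CONTROL_HEADER = {"record_total": 6, "financial_total": 63560.49, "hash_total": 16215}


def luhn_check_digit(body: str) -> int:
    """Check digit that makes body + digit pass the Luhn (mod 10) test."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # rightmost body digit is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def check_digit_valid(code: str) -> bool:
    digits = code[1:]
    return digits.isdigit() and int(digits[-1]) == luhn_check_digit(digits[:-1])


def batch_totals(batch: List[Invoice]) -> Dict[str, float]:
    return {
        "record_total": len(batch),
        "financial_total": round(sum(inv.amount for inv in batch), 2),
        # hash total: a sum of a non-financial field (numeric part of the
        # customer code); meaningless as a number, useful only for agreement
        "hash_total": sum(int(inv.customer[1:]) for inv in batch),
    }


def validate_batch(batch: List[Invoice], header: Dict[str, float]) -> Dict[str, List[str]]:
    """Return the exceptions raised by each control; an empty list means it passed."""
    ex: Dict[str, List[str]] = {
        k: [] for k in ("totals", "sequence", "valid_code", "check_digit", "field", "limit")
    }
    actual = batch_totals(batch)                       # run-to-run / batch totals
    for name, expected in header.items():
        if actual[name] != expected:
            ex["totals"].append(f"{name}: keyed {actual[name]} vs control {expected}")
    numbers = [inv.number for inv in batch]            # sequence check
    for prev, cur in zip(numbers, numbers[1:]):
        if cur != prev + 1:
            ex["sequence"].append(f"gap or duplicate between {prev} and {cur}")
    for inv in batch:
        if inv.customer not in AUTHORISED_CUSTOMERS:   # valid code test
            ex["valid_code"].append(f"{inv.number}: customer {inv.customer} not authorised")
        if not check_digit_valid(inv.customer):        # check-digit verification
            ex["check_digit"].append(f"{inv.number}: check digit wrong in {inv.customer}")
        if not inv.quantity.isdigit():                 # field test
            ex["field"].append(f"{inv.number}: quantity {inv.quantity!r} is not numeric")
        if inv.amount > MAX_INVOICE_AMOUNT:            # limit test
            ex["limit"].append(f"{inv.number}: amount {inv.amount} exceeds {MAX_INVOICE_AMOUNT}")
    return ex


if __name__ == "__main__":
    for control, problems in validate_batch(BATCH, CONTROL_HEADER).items():
        print(f"{control:12s} {'passed' if not problems else '; '.join(problems)}")
```

Note how the three batch totals and the sequence check all fail together because one source document was never keyed: the totals say something is missing, the sequence check says which document. The valid code test, field test and limit test each point at a single invoice instead, which is why a system normally reports them on an exception listing for the user department to clear before the batch is released.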

7.25 MEDIUM You are the audit senior on the audit of Fashion Bags Ltd, a large
distributor of ladies’ handbags. Fashion Bags operates on a national basis
and uses an online network system. The company is highly computerised,
with all major accounting functions being processed within the system. The
IT department operates out of the Sydney head office and comprises 15
people. The system has been fully developed and maintained by the IT
department, and the current system, apart from minor changes, has been in
use for three years. Each location is responsible for processing its own
transactions.
REQUIRED
(a) How does the use of an IT system alter the audit assertions that are
required to be achieved by the auditor? Explain how the type of audit
evidence would change.


(b) After completing your review, you have found the application controls
to be very efficient, but the general controls to be lacking in some
areas. How will the results of your review impact on your audit
approach? LO 7.5

7.26 HARD You are the audit senior on the audit of Travel Unlimited Ltd, an
Australian holiday experiences retailer. During 2017, the management of
Travel Unlimited recognised that it needed to allow customers to make
bookings online if it was to remain competitive. Travel Unlimited’s
customers include the general public, as well as Australian and overseas
travel agents selling packaged tours.

Given the need for an interface between the web-based booking system
and the general ledger, Travel Unlimited upgraded its existing accounting
software and acquired additional hardware to cope with the additional
speed of processing and the increase in required storage space.
During the year ended 30 June 2018, Travel Unlimited upgraded its entire
general ledger system to include an integrated purchasing module and an
accounts payable module. The integrated purchasing module and the
accounts payable module programs were installed on all company
computers. As part of the audit planning, you have identified the following
relevant IT application controls (AC) and IT general controls (GC) from the
integrated purchasing and accounts payable modules.
(a) The IT manager assigns each new staff member a user profile and an
initial password, based on advice provided by the IT administrator.
The initial password is generic. The first time the new employee logs
onto a company desktop computer, they are automatically forced to
change their password. Passwords must be changed every 30 days.
(b) There are clerks responsible for ordering and receiving (purchasing
clerks) and clerks responsible for processing invoices and preparing
remittance advices (processing clerks). Purchasing clerks only have
access to the purchasing module, and processing clerks only have
access to the accounts payable module. Each type of clerk has
exclusive access to their module via a separate password-protected
menu.
(c) The purchasing module automatically assigns each order a sequential
purchase order number. The purchasing clerk only has to enter the
supplier code, stock code and quantity ordered. The unit price is
automatically generated and cannot be overridden by the purchasing
clerk.
(d) Supplier information is contained in a supplier master file (SMF). Each
supplier has a unique supplier code. If the purchasing clerk attempts
to place an order with a supplier not in the SMF, the order cannot be
processed.
(e) When goods are delivered, the purchasing clerk enters the order
number and the date received. The quantity of goods received
cannot be overridden by the purchasing clerk. A ‘Yes/No’ prompt
confirms the receipt of the goods. The purchasing clerk is required to
enter ‘No’ if the quantity received is incorrect. If ‘No’ is entered, the
order cannot be processed for payment.
REQUIRED
For each of the IT controls described above, identify whether it is an IT
application control (AC) or an IT general control (GC) and explain your
answers. LO 7.5
Source: This question was adapted from the Chartered Accountants Program of the Institute of
Chartered Accountants in Australia, 2010 (3) audit and assurance module.
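The application controls in 7.26 (c) to (e) and the three-way match in 7.18 are easier to classify once it is clear what each one actually stops. The following added example, not code from the text or from any real purchasing package, models them as a small purchasing and accounts payable module: sequential purchase-order numbering, unit prices taken from a price file the clerk cannot override, supplier validation against the supplier master file (SMF), a Yes/No receipt prompt that blocks payment when answered 'No', module access restricted by role, and a match of invoice to purchase order and receiving record before any payment is released. The class and method names, the supplier and price data and the paid flag that stops a second payment are assumptions made for the example.

```python
"""Purchasing / accounts payable application controls (added example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional


class Role(Enum):
    PURCHASING = "purchasing clerk"    # purchasing module only
    PROCESSING = "processing clerk"    # accounts payable module only


class ControlViolation(Exception):
    """Raised when an application control rejects the transaction."""


@dataclass
class PurchaseOrder:
    number: int
    supplier: str
    stock_code: str
    quantity: int
    unit_price: float
    received_on: Optional[str] = None
    receipt_ok: Optional[bool] = None   # Yes/No prompt result; None = not yet received
    paid: bool = False


class PurchasingSystem:
    def __init__(self, supplier_master: Dict[str, str], price_file: Dict[str, float]):
        self._smf = dict(supplier_master)      # supplier code -> name (assumed SMF)
        self._prices = dict(price_file)        # stock code -> unit price (assumed)
        self._next_po = 1                      # sequential PO numbers
        self.orders: Dict[int, PurchaseOrder] = {}

    @staticmethod
    def _require(role: Role, needed: Role) -> None:
        if role is not needed:
            raise ControlViolation(f"{role.value} has no access to the {needed.value} module")

    def place_order(self, role: Role, supplier: str, stock_code: str, quantity: int) -> PurchaseOrder:
        """Purchasing module: the clerk keys only supplier, stock code and quantity."""
        self._require(role, Role.PURCHASING)
        if supplier not in self._smf:
            raise ControlViolation(f"supplier {supplier} is not in the SMF")
        if stock_code not in self._prices:
            raise ControlViolation(f"stock code {stock_code} is not on the price file")
        if quantity <= 0:
            raise ControlViolation("quantity must be positive")
        po = PurchaseOrder(self._next_po, supplier, stock_code, quantity, self._prices[stock_code])
        self._next_po += 1
        self.orders[po.number] = po
        return po

    def record_receipt(self, role: Role, po_number: int, date_received: str,
                       quantity_correct: bool) -> PurchaseOrder:
        """Purchasing module: only the order number, date and Yes/No answer are keyed."""
        self._require(role, Role.PURCHASING)
        po = self.orders.get(po_number)
        if po is None:
            raise ControlViolation(f"no purchase order {po_number}")
        po.received_on = date_received
        po.receipt_ok = bool(quantity_correct)
        return po

    def approve_payment(self, role: Role, po_number: int, inv_supplier: str,
                        inv_quantity: int, inv_unit_price: float) -> float:
        """Accounts payable module: three-way match, then release the amount to pay."""
        self._require(role, Role.PROCESSING)
        po = self.orders.get(po_number)
        if po is None:
            raise ControlViolation(f"invoice cites purchase order {po_number}, which does not exist")
        if po.receipt_ok is None:
            raise ControlViolation(f"PO {po_number}: goods not yet received")
        if not po.receipt_ok:
            raise ControlViolation(f"PO {po_number}: receipt answered 'No', hold for investigation")
        if po.paid:
            raise ControlViolation(f"PO {po_number}: already paid")
        if (inv_supplier, inv_quantity) != (po.supplier, po.quantity) \
                or abs(inv_unit_price - po.unit_price) > 0.005:
            raise ControlViolation(f"PO {po_number}: invoice does not agree to order and receiving record")
        po.paid = True
        return round(po.quantity * po.unit_price, 2)


def violation(action: Callable, *args) -> Optional[str]:
    """Run an action and return the control message if it was rejected, else None."""
    try:
        action(*args)
    except ControlViolation as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    system = PurchasingSystem({"S100": "Acme Fasteners"}, {"ST-01": 25.00})  # constructed data
    po = system.place_order(Role.PURCHASING, "S100", "ST-01", 4)
    print(violation(system.approve_payment, Role.PROCESSING, po.number, "S100", 4, 25.00))
    system.record_receipt(Role.PURCHASING, po.number, "2018-06-12", True)
    print(system.approve_payment(Role.PROCESSING, po.number, "S100", 4, 25.00))
```

The role check is the only control here that the text would class as a general control (access to the modules, 7.26 (b)); everything else is an application control, because it is embedded in the processing of one transaction and rejects that transaction. Note also that the receipt is keyed by the same purchasing clerk who placed the order, exactly as 7.26 describes, so the module enforces the match but not the segregation of ordering from receiving.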

Considering the work of an internal auditor


7.27 EASY You are the audit senior on the audit of Outer Limits Ltd, a large
manufacturing company. The junior auditor in your team, Tracy Kee, has
been allocated the task of evaluating Outer Limits' internal audit
department. Tracy is unsure of the reason for undertaking this task, as she
cannot understand how the abilities of the internal audit department will
affect the financial report. In order to ensure that she understands her task,
Tracy approaches you and asks the following: ‘Why do we need to review
internal audit? They don’t prepare the financial report, so if they get it wrong
it won’t affect our auditor’s opinion, will it?’
REQUIRED
As the audit senior, explain to Tracy why it is necessary to evaluate
the internal audit department. LO 7.6

7.28 MEDIUM Pleasure Craft Ltd, a river cruise operator, has an internal audit
function that is attached to the accounting and finance division and reports
directly to the finance director in his capacity as chair of the audit
committee.
During your review of internal audit for the audit relating to the year ended
30 June 2018, you note the following two matters:
1. During the year the staff of the internal audit function changed
significantly. The division employed two new staff to undertake the testing
of the financial accounting records, while the more senior personnel who
had previously done these tests concentrated on the performance
auditing schedule of the internal audit function, as the internal audit
manager believed that this provided a greater opportunity for the internal
audit function to add value to the entity. The new staff had no previous
audit or accounting experience.
2. The audit work that has been documented by internal audit appears to be
quite thorough and competent. However, for some of the audit tests
prescribed, the internal audit staff have not prepared detailed
documentation of the work that has been completed. They have only
initialled the audit program and noted that the test has been satisfactorily
performed.
REQUIRED
Provide your assessment as to whether the external auditor can rely on the
work of the internal audit function of Pleasure Craft. Give reasons. LO 7.6
Continuous case study
Background information for the continuous case study, Reliable Printers Ltd (RPL), is
contained in the Appendix to this book.

7.29 MEDIUM As part of your audit of RPL for the year ended 30 June 2018,
you are reviewing internal controls over RPL’s print-on-demand business.
REQUIRED
(a) Based on the background information contained in the Appendix,
identify six control activities and indicate whether the control is a
manual control, an IT application control or an IT general control.
(b) Based on the background information contained in the Appendix,
identify and explain two key internal control weaknesses where
control activities should be present in order to prevent material
misstatements remaining undetected or uncorrected but are not
present.

(c) For each control weakness identified in (b), identify one key account
balance at risk. Explain why it is at risk.
(d) For each account balance identified in (c), identify one key assertion
that may be at risk. LO 7.4
Source: This question was adapted from the Chartered Accountants Program of the Institute of
Chartered Accountants in Australia, 2012 (3) audit and assurance module.

7.30 MEDIUM As part of your audit of RPL for the year ended 30 June 2018,
you are reviewing the risks and controls surrounding the installation of the
new IT system that will fully computerise and integrate all accounting
processes across the organisation, including integration into the general
ledger system.
REQUIRED
(a) Based on the background information contained in the Appendix,
identify two specific audit risks that may have arisen from the
installation of the new IT system. Justify your answer.
(b) Describe one control activity that should have been in place to
prevent each risk identified in (a) from occurring. LO 7.5
Source: This question was adapted from the Chartered Accountants Program of the Institute of
Chartered Accountants in Australia, 2012 (3) audit and assurance module.
