CHAPTER 7
Understanding and assessing internal control
Gay, GE, & Simnett, R 2018, Auditing and Assurance Services in Australia, McGraw-Hill Australia, Sydney. Available from: ProQuest Ebook Central. [2 October 2020].
Created from usc on 2020-10-02 21:28:27.
RELEVANT GUIDANCE
ASA 200/ISA 200 Overall Objectives of the Independent Auditor and the
Conduct of an Audit in Accordance with Australian
(International) Auditing Standards
CHAPTER OUTLINE
As part of understanding the entity and its environment, the auditor needs to
obtain an understanding of internal control. This is the basis of a preliminary
assessment of control risk and an evaluation of the extent to which controls may
be relied on to assure the accuracy and reliability of accounting records.
The auditor also studies and evaluates internal control because of
interest in the reliability of accounting data. In the past, the auditor has
tended to focus mainly on those transaction controls that relate to the
prevention or detection of errors in recording accounting data.
The objective of the review of internal control is not to determine the adequacy
of the internal control for management purposes. This would go beyond the
normal scope of a financial report audit, and evidence on which to base an
Copyright © 2018. McGraw-Hill Australia. All rights reserved.
This chapter discusses the relationship of internal control to the audit strategy,
the components of internal control, and the auditor’s consideration of internal
control in a financial report audit. From the external auditor’s viewpoint, internal
audit forms part of internal control. This chapter discusses the effects of internal
audit on the external audit function.
How this chapter fits into the planning and risk-assessment stages of a financial
report audit is illustrated in Figure 7.1, which is an expansion of part of the
flowchart provided in Chapter 1.
FIGURE 7.1 Flowchart of planning and risk-assessment stage of a financial report audit
Therefore, as indicated in ASA 315.A52 (ISA 315.A52), internal control is designed and
implemented to address business risks that threaten any of these objectives, including:
The importance of internal control has developed as business entities have become larger
and more complex. Both management and auditors see the benefits of a framework within
which business activity is directed and coordinated.
7.1 Auditing in the global news ...
Internal control helps entities achieve important objectives and sustain and
improve performance. COSO’s Internal Control—Integrated Framework
(Framework) enables organizations to effectively and efficiently develop
be agile in adapting to changes in business, operating and regulatory
environments.
Source: Extracted from COSO’s Internal Control—Integrated Framework, Foreword and Executive
Summary. ©2013 Committee of Sponsoring Organizations of the Treadway Commission (COSO).
ASA 315.12 (ISA 315.12) requires that the auditor obtain an understanding of internal
control relevant to the audit. The risk of material misstatement at the financial report level
is affected by the auditor’s understanding of the control environment (ASA 315.A123/ISA
315.A123). At the assertion level, the auditor needs to consider whether their assessment of
the risk of material misstatement takes account of the entity’s controls—that is, control risk
(ASA 315.26/ISA 315.26).
Internal control usually depends both on the quality and integrity of people working within
the entity, and on those people following prescribed policies and procedures. Thus, it is
subject to breakdowns caused by carelessness and fatigue, and it can be circumvented
intentionally through collusion. Management may also override the controls, since
someone must supervise the system. Internal control is designed to prevent fraud or errors
by people operating within the system. Someone in a supervisory position may perpetrate
fraud or errors by acting outside the system. Undue reliance on management to
automatically ‘do the right thing’ may create opportunities for managers who lack integrity
to behave inappropriately. Also, most control activities are directed at routine
transactions rather than non-routine transactions, and they may become inadequate due to
changes in conditions.
In addition, internal control recognises the concept of reasonable assurance, because the
cost of controls must bear a reasonable relationship to the benefits expected. Management
needs to evaluate this cost–benefit trade-off and adopt control methods and measures that
are prudent for the assets at risk. This evaluation is usually subjective, but it should be
based on a careful consideration of the risks and the alternatives for achieving control.
Management also makes accounting estimates, such as allowance for doubtful accounts
receivable, and selects accounting principles, such as the method of accounting for
inventory (for example, FIFO (first in, first out) or average cost), that are subject to
judgment. Thus, the reliability of the financial report is not assured even if accounting
records are reliable.
Audit strategy
As discussed in Chapter 4, in order to issue an opinion on the financial report, the
auditor must consider audit risk for each assertion for each significant account balance,
class of transactions and events, and disclosure, and reduce it to an acceptable level. ASA
200.13 (ISA 200.13) and ASA 200.A39 (ISA 200.A39) indicate that the risk of material
misstatement at the assertion level consists of two components: inherent risk and control
risk. Inherent risk was discussed in Chapter 6. Control risk will be covered in this
chapter.
Control risk is the risk that a material misstatement could occur in an assertion and not
be prevented or detected on a timely basis by the entity’s internal control. The auditor can
assess the control risk as high, or alternatively assess control risk as less than high and then
test the controls to obtain evidence to support this assessment. The assessment of control
risk as less than high is evidence that a control that could potentially be relied upon exists.
Tests of controls then need to be performed to gain evidence that the specific control
activities have been effectively and consistently applied throughout the period under audit.
Tests of controls will be discussed in Chapter 8.
Auditors recognise that sound internal control, by enhancing the credibility of accounting
records, reduces the need for routine checking of large volumes of transactions. As
discussed in Chapter 4, evidence obtained from sound internal control is generally
more reliable. The evidence supporting the financial report consists of the underlying
accounting data and the corroborating information available to the auditor. Thus,
confidence in the propriety and accuracy of the underlying accounting data contributes to
the auditor’s opinion on the financial report. The internal control affects the propriety and
accuracy of accounting data and thus the value of those data as audit evidence.
The auditor may reach a conclusion on the accuracy and reliability of underlying
accounting data by testing the accounting data itself (reducing detection risk) or by
performing procedures to understand and evaluate the internal control to see whether the
accounting data were developed under conditions likely to ensure accuracy and reliability
(assessing control risk).
Figure 7.3 illustrates alternatives available to the auditor when considering the
accounting flow of transactions for credit sales and collections. To substantiate the
accuracy and reliability of the accounting for credit sales and collections, the auditor has
the following alternatives:
- test the sales and cash receipts transactions to establish the occurrence, completeness,
  cut-off and accuracy of recording of the recurring debit and credit entries to accounts
  receivable
- identify and test the policies and procedures that ensure the occurrence, completeness,
  cut-off and accuracy of recording these transactions
- some combination of the above.
The substantiation of the underlying accounting data is interrelated with the corroborating
information that the auditor needs to obtain for balances. For example, the number of
confirmation requests sent to debtors on the amount owed at balance date is influenced by
the auditor’s confidence in the propriety and accuracy of the debits and credits to accounts
receivable. Also, confirmations of the accounts receivable balance provide some assurance
of the accuracy and reliability of the debits and credits recorded. Obtaining
evidence that the control risk is low for specific assertions for specific accounting
data is an alternative to substantiating the data directly. The choice of the mix of auditing
procedures necessary to test the accounting data and obtain corroborating information will
be discussed in Chapter 8.
QUICK REVIEW
1. Internal control affects the propriety and accuracy of accounting data and
therefore their reliability as audit evidence.
2. Achieving satisfactory internal control is management’s responsibility.
3. Internal control cannot assure a reliable financial report because of its
inherent limitations.
4. The auditor needs to obtain an understanding of internal control as a basis
for assessing control risk.
LO 7.2 Internal control objectives
Internal controls are concerned with ensuring that:
The quality of an entity’s internal control affects not only the reliability of its financial
data, but also the ability of the entity to make good decisions and remain in business. The
internal control should be designed to parallel the risks present in the entity, industry and
global environment. The ASX Corporate Governance Council’s Corporate Governance
Principles and Recommendations (3rd edn, 2014), which were discussed in Chapter 3
in relation to corporate governance, stress the importance of internal control in managing
risks to achieve an entity’s business objectives.
Controls may be either preventative or detective, as illustrated earlier in Figure 7.2.
Preventative controls are internal controls that are used to prevent undesirable events or
errors. Detective controls are internal controls that are used to identify events or errors
if they have occurred.
Management controls
Management controls are the activities undertaken by senior management to mitigate
strategic risks to the entity and to promote the effectiveness of decision making and the
efficiency of business activities. They can be either preventative or detective controls.
Management controls tend to focus on overall effectiveness and efficiency within an entity
rather than on details of individual transactions or activities. Generally, they are designed
to provide an overall indication that processes and activities are functioning properly, and
to provide an effective response to risk in a timely manner.
For example, establishing and enforcing a corporate governance policy on dealing with
conflicts of interest for managerial personnel is both a management control that reduces the
risk of self-serving behaviour by people in positions of authority within the entity and an
example of a preventative management control. Monitoring key performance indicators of
a segment to identify unexpected results or indications of manipulation of results is an
example of a detective management control.
To be able to assess the effectiveness of management controls for reducing strategic risks,
the auditor must first develop an understanding of what procedures and policies
management has implemented. To do this, the auditor may review procedures manuals,
periodic reports and internal audit testing in order to evaluate how effective management is
in monitoring and controlling risk. However, in most situations, a complete understanding
of management control is best obtained by interviewing the key personnel who are
assigned the responsibility of managing critical risks.
For each of the significant business risks identified, the auditor should give consideration
to any existing management controls that may mitigate the risk. If a business risk has
significant implications for the audit, then the related controls are also relevant. The
relationship between management controls and auditing planning is shown in
Global example 7.1.
GLOBAL EXAMPLE 7.1 A management control and its implications
for the audit
Management control
Retro Ltd continually monitors its main competition to estimate their time-to-
market for new products. The market data may be a leading indicator of
potential competitive problems and evidence of new products.
Audit implications
Monitoring competitors’ actions is an important management control for
managing the risk that competitors will introduce new products, reduce
prices or improve service to obtain a competitive advantage. This risk is
important to an auditor because of its effect on revenue levels, profit margins
and inventory valuation. If the auditor wishes to rely on this control, they will
need to test it. Tests of controls are discussed in Chapter 8.
Transaction controls
As well as management controls, there are many other control activities that are performed
by staff employees and lower-level management as part of the various processes within the
entity. These transaction controls are generally focused on internal risks within
systems and processes and reflect the formal policies and procedures defined by senior
management. Such controls deal primarily with the reliability of accounting information
and compliance with rules and regulations, and may be either preventative or detective
controls. For example, assigning responsibility for authorising transactions to specific
individuals is an example of a preventative transaction control. An employee undertaking a
sequence check of the sales journal to check for missing sales invoices is an example of a
detective transaction control.
The objectives of these accounting controls are to control the flow of transactions through
the accounting system and to safeguard the related assets by authorising transactions,
recording transactions, restricting access to assets and checking for existence of recorded
assets.
Every transaction goes through the identifiable steps of authorisation, execution and
recording. The accuracy and reliability of transaction records depends on making
reasonably sure that there are controls over the financial report assertions discussed in
Chapter 4.
GLOBAL EXAMPLE 7.2 Lack of segregation of duties
Fact
Machinery Ltd’s storeroom clerk, Bob Johnson, authorises inventory
acquisitions and also keeps the accounting records related to inventory.
Audit implications
Mr Johnson could authorise the acquisition of unneeded inventory, remove
the material from the premises or even have it delivered to another location,
and alter the accounting records to make it look as if the inventory never
existed, or has been sold. Provided that the accounting records agreed with
the amount of inventory on hand, the theft would be difficult to detect
without a special investigation, which is outside the scope of a normal audit.
QUICK REVIEW
1. Internal controls are important in managing an entity’s risks.
2. Internal control includes both management and transaction controls.
3. Characteristics of a satisfactory internal control system include monitoring
and minimising business risk, segregation of duties, authorisation, sound
business practices and ensuring that personnel have capabilities
commensurate with their responsibilities.
LO 7.3 Components of internal control
ASA 315.14–24 (ISA 315.14–24) state that a company’s internal control consists of five
components, as indicated in Figure 7.4.
Control environment
ASA 315.A77 (ISA 315.A77) states that the control environment includes governance
and management’s overall attitude, awareness and actions regarding internal control and its
importance in the entity. The control environment sets the tone of an entity. It influences
the control consciousness of all personnel and is the foundation for the other components.
The control environment includes the following elements, as set out in ASA 315.A78 (ISA
315.A78):
Therefore, most management controls discussed earlier will be part of the control
environment.
Integrity and ethical values are essential elements of the control environment and will
influence the effectiveness of the design, administration and monitoring of other
components of internal control. Integrity and ethical behaviour are products of the
entity’s ethical standards and how they are communicated and reinforced in
practice. Management should remove or reduce any incentives or temptations that result in
personnel engaging in dishonest, illegal or unethical acts. Entity values and behavioural
standards should be communicated to personnel through policy statements and codes of
conduct and by management example.
Commitment to competence
Management needs to consider the competence levels required for specific jobs and take
action to ensure that all individuals have the necessary skills and knowledge to perform
their jobs.
consider whether there is an audit committee that understands the entity’s business
transactions and evaluates whether the financial report gives a true and fair view.
Management’s philosophy and operating style includes its overall control consciousness.
Management’s attitude toward control sets the stage for the entire entity. If management
emphasises the importance of maintaining reliable accounting records and adhering to
established policies and procedures then the entity’s personnel are more likely to have a
high regard for these matters in performing their duties. Therefore, this is a subjective, but
critical, aspect of the auditor’s consideration of whether the environment is conducive to
good control.
Other characteristics that the auditor may consider are management’s approach to taking
and monitoring business risks; management’s attitudes and actions vis-à-vis financial
reporting; and management’s attitude to information processing and accounting functions
and personnel.
Organisational structure
An entity’s organisational structure is the overall framework for planning, directing and
controlling operations to achieve the entity’s objectives. It includes the form and nature of
the entity’s organisational units, and related management functions and reporting
relationships. An effective control environment requires clear definitions of responsibilities
and lines of authority.
Methods of assigning authority and responsibilities influence how well responsibilities are
communicated, how well they are understood and how much responsibility personnel feel
in performing their duties. There should be appropriate delegation of authority and all
personnel should understand that they are accountable for the activities for which they are
responsible.
Human resources policies and practices cover recruitment, orientation, training, evaluating,
counselling, promoting, compensating and taking remedial action for personnel. For
example, high recruitment standards demonstrate an entity’s commitment to competent and
trustworthy people.
and how they should be managed. Management may introduce plans, programs or
actions to address specific risks or it may accept a risk on a cost–benefit basis.
Lists of possible conditions and events that may indicate the existence of risks of material
misstatements are contained in Appendix 2 to ASA 315 (ISA 315).
Information system
Information must be identified, captured and exchanged in a form and timeframe that
enables the entity’s personnel to carry out their responsibilities. An entity’s information
system includes its accounting system, which comprises the methods and records
established to initiate, record, process and report exchange transactions and relevant events
and conditions, and to maintain accountability for the related assets, liabilities and equity.
An information system includes infrastructure such as hardware and other physical
components, software, people, procedures and data. Many information systems make
extensive use of IT, while some remain largely manual.
An effective information system duly considers establishing records and methods that:
An important feature of an information system is the audit trail, which was discussed in
Chapter 4. This term implies that individual transactions can be traced through each
step of the accounts to their inclusion in the financial report and, similarly, from the
financial report the amounts can be vouched or traced back to the original source
documentation. The audit trail consists of all the accounting documents and records that
are prepared as transactions are processed from origin to final posting. Source documents,
journals and ledgers are the main elements in the audit trail. Source documents are the
initial record of transactions in the system. Processing usually creates a source document
when a transaction is executed. For example, goods received are usually entered on a
receiving report and goods shipped on a shipping report. Source documents are evidence of
the authenticity of a transaction.
Nearly all businesses use a computer for at least part of their accounting. Computerisation
ranges from personal computers that summarise transactions to extremely complex
systems. The methods an entity uses to process significant accounting applications may
influence the control activities designed to achieve its internal control objectives. The
characteristics that distinguish computer processing from manual processing include the
following:
- Transaction trails: Some computer systems are designed so that a complete transaction
  audit trail exists only for a short period or only in computer-readable form.
- Uniform processing of transactions: Computer processing uniformly processes
  transactions with similar characteristics through the same branch of the program.
- Segregation of duties reduced: Many control activities once performed by separate
  individuals in manual systems may be concentrated.
- Potential for misstatements: There may be greater potential for individuals to gain
  unauthorised access to data or to alter data without visible evidence, as well as to gain
  access (direct or indirect) to assets.
- Potential for increased management supervision: Computer systems offer management
  a wide variety of analytical tools to review and supervise operations.
Big data needs to be processed with advanced tools (analytics and algorithms) to
the reasonableness of an estimate; or controls assurance, for example by identifying
payments that were made without approval. Further, they have the ability to analyse
complete populations of data. Sophisticated advanced data analytics offerings from several
suppliers are discussed in Chapter 9, as they impact substantive testing.
When using advanced data analytics, the majority of data that is being used has been
produced by the entity and so the reliability of that information for the auditor’s purposes is
critical. The International Auditing and Assurance Standards Board (IAASB) (2016) has
identified that this raises questions regarding the minimum level of IT general controls
testing required when using advanced data analytics and the impact of any deficiencies in
IT general controls and application controls on the reliability of the data from the IT
system that the auditor wishes to use for advanced data analytics.
7.2 Auditing in the global news ...
How big data and advanced data analytics are transforming the
audit
In the past, entities have owned their data and it has traditionally been
prepared by humans in a structured format. However, due to recent
technological advances, data is now often machine-generated and includes
both structured and unstructured material, some of which resides outside the
entity itself.
Ramlukan (2015) has argued that one area where big data and advanced
data analytics has significant potential is in the transformation of the audit.
Auditors have traditionally used data analysis to enhance the quality of their
audits. However, Ramlukan argues that while this is true, up till now auditors
have been restricted by the lack of efficient technology to undertake the
analysis, difficulties relating to data capture and privacy concerns. Thus,
Ramlukan argues that the developments in big data and advanced data
analytics provide an opportunity to reassess the way an audit is conducted.
The use of big data and advanced data analytics will allow an auditor to go
Control activities
Control activities encompass both policies and procedures established by management
in order to ensure that its directives are carried out, and include both management controls
and transaction controls, although most are transaction controls. Control activities should
be distinguished from the accounting system discussed earlier. An entity needs an
accounting system for functions such as billing shipments to customers, recording these
individual transactions and summarising them for recording in the general ledger. Control
activities are added to ensure that the accounting system produces accurate and reliable
data. For example, control activities are added to a billing system to ensure that all
shipments are billed and that all billings are for the correct amount.
Appendix 1 to ASA 315 (ISA 315) indicates that control activities may be categorised as
policies and procedures that pertain to:
- performance reviews
- information processing
- physical controls
- segregation of duties.
A strong internal control will include management controls such as performance
review control activities that independently check the performance of individuals or
processes. An example of a performance review activity would be comparing actual
performance with budget and investigating any unexpected differences. As discussed
earlier, management controls are concerned primarily with monitoring and controlling
business risk. Performance indicators may be useful for highlighting a problem or risk at an
early stage.
Physical control activities are transaction controls and include measures such as locked
storerooms for inventory and fireproof safes for cash and securities on hand. Accounting
records and source documents must also be protected. The nature of the item usually
dictates the physical precautions that are necessary. For example, an inventory of
gemstones would be treated differently from an inventory of cement.
As discussed earlier in this chapter, segregation of duties is an integral part of the plan of
organisation. A person should not be in a position to both perpetrate and conceal errors or
fraud in the normal course of their duties. Different people are assigned the responsibilities
of authorising transactions, recording transactions and maintaining custody of assets.
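One way to test this rule against a record of who did what, as an added example that is not from the textbook. The log layout, the names and the transaction ids are constructed; the three duties are the ones named above. It checks each transaction and also each person's position over the whole period, because someone can hold incompatible duties without ever exercising two of them on the same transaction.

```python
from collections import defaultdict
from itertools import combinations

# The three duties the text assigns to different people.
DUTIES = ("authorise", "record", "custody")

# Constructed sample log (hypothetical names and ids): who performed each duty.
LOG = [
    {"txn": "PAY-001", "authorise": "kim", "record": "lee", "custody": "ravi"},
    {"txn": "PAY-002", "authorise": "kim", "record": "ravi", "custody": "ravi"},
    {"txn": "PAY-003", "authorise": "kim", "record": "lee", "custody": "mei"},
    {"txn": "PAY-004", "authorise": "kim", "record": "mei", "custody": "ravi"},
]


def same_transaction_conflicts(log):
    """Map each transaction to the (person, duty, duty) pairs one person held on it."""
    findings = {}
    for entry in log:
        pairs = [
            (entry[a], a, b)
            for a, b in combinations(DUTIES, 2)
            if entry.get(a) is not None and entry.get(a) == entry.get(b)
        ]
        if pairs:
            findings[entry["txn"]] = pairs
    return findings


def position_conflicts(log):
    """Map each person to the incompatible duty pairs they held at any time in the log."""
    held = defaultdict(set)
    for entry in log:
        for duty in DUTIES:
            if entry.get(duty) is not None:
                held[entry[duty]].add(duty)
    return {
        person: [pair for pair in combinations(DUTIES, 2) if set(pair) <= duties]
        for person, duties in held.items()
        if len(duties) > 1
    }


if __name__ == "__main__":
    print("Same transaction:", same_transaction_conflicts(LOG))
    print("Over the period: ", position_conflicts(LOG))
```

In the sample, only the period-level check flags the second person: they recorded one payment and held custody on another, so no single transaction shows the conflict.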
In order for an entity to operate, some personnel must have access to assets. Restricting
access limits the opportunities for irregularities but cannot prevent them. Control is
achieved through segregation of duties by limiting the opportunities both to perpetrate and
to conceal the act.
Thus, the most basic segregation of duties is to have different individuals or departments
responsible for the custody of assets and for the keeping of records of those assets. A
transaction may be considered to pass through the following four phases:
Ideally, each of these four phases should be kept separate. However, in practice, for
convenience and efficiency, phases 1 and 2 may be combined without significant risk.
Clearly, phases 2, 3 and 4 should not be combined, and normally phase 3 (direct physical
access) and phase 4 (record keeping) are incompatible. However, the risk of
ASA 315.25 (ISA 315.25) requires the auditor to relate identified risks to the assertion
level, taking account of the relevant controls. ASA 315.A137 (ISA 315.A137) indicates
that in making risk assessments, the auditor may identify controls that are likely to prevent
or detect material misstatements in specific assertions. The following discussion of control
activities is organised by class of transaction assertions, under the headings of occurrence,
completeness, accuracy, cut-off, classification and presentation.
Occurrence
Control activities for authorisation and approval help to ensure that only transactions that
occurred are processed and that invalid transactions are rejected. Effective control activities
for processing transactions usually start with clear policies for authorisation and
approval. An entity’s board of directors has the ultimate authority, but its approval is
usually reserved for important financing and investing activities, such as major acquisitions
and dispositions involving real estate, debt and share capital. The day-to-day authority of
running a business is the responsibility of senior management, which delegates that
authority to operating personnel.
Related control activities that provide assurance of occurrence concern the proper use of
documents that serve as the original record of transaction execution. These source
documents should be designed to reduce the risk that a transaction will be recorded
incorrectly, recorded more than once or not recorded at all. Desirable features of source
documents include the following:
In some systems, source documents are recorded on computer. In this case, the four
features of information are little changed.
Control activities that help to ensure occurrence are concerned with the proper handling of
such source documents, whether in a computer or a manual system. For example, control
activities include comparing details on a receiving report, such as description and quantity,
with details on the supplier’s invoice. Another example of a control activity is cancellation
of supporting documents for a purchase when payment is approved. This prevents
inadvertent or fraudulent reuse of the source documents to support a duplicate payment or
fictitious purchase.
Control activities can be designed as part of the data-entry system to help ensure
validity. The computer may reject invalid dates by requiring a month between 1
and 12, and a day between 1 and 31. Any entry in an amount field that is not numeric may
be rejected. These are called computer editing controls.
Completeness
Proper handling of documents also helps to ensure completeness. One control activity is to
inspect pre-numbered documents to confirm whether they have all been processed. This
procedure is often called accounting for the sequence of pre-numbered documents. If
documents are not pre-numbered, they should be numbered when a transaction originates,
although this method is less effective.
Another control activity used to check completeness is the use of control totals. For
example, if 10 documents totalling $500 in cash receipt transactions were supposed to be
entered into the computer system, the system should report that it processed 10 entries
totalling $500.
A third control activity involves matching related source documents to confirm whether
related processing steps have been completed. For example, purchase orders or receiving
reports can be matched with vendors’ invoices to confirm that goods ordered or received
have subsequently been recorded as accounts payable.
Accuracy
An organised set of accounting records is an essential starting point for achieving recording
accuracy. The requirement that debits equal credits is a built-in error-detecting feature. The
use of ledgers also contributes to recording accuracy in two ways: a trial balance prepared
from the ledger proves the balancing of debits and credits, and the ledger contains control
accounts for use in balancing subsidiary ledgers.
The use of control totals, discussed above under ‘Completeness’, also contributes to the
accuracy of records. If, in the example given above, a cash receipt of $23 was mistakenly
entered as $32, the system would report that it processed $509 for the 10 receipts, rather
than the $500 control total.
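The computer editing controls, the sequence check on pre-numbered documents and the control totals described above, worked through on the chapter's own figures (10 cash receipts totalling $500, with $23 keyed as $32). This is an added example, not from the textbook; the record layout, document numbers, dates and the other nine amounts are constructed.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation


@dataclass(frozen=True)
class BatchHeader:
    """What the originating department says it sent for keying."""
    first_doc_no: int
    doc_count: int
    control_total: Decimal


def edit_check(rec):
    """Computer editing controls: list the reasons to reject one keyed record."""
    errors = []
    try:
        day, month, _year = (int(part) for part in rec["date"].split("/"))
        if not 1 <= month <= 12:
            errors.append("month outside 1-12")
        if not 1 <= day <= 31:
            errors.append("day outside 1-31")
    except ValueError:
        errors.append("date is not DD/MM/YYYY")
    try:
        if not Decimal(rec["amount"]).is_finite():
            errors.append("amount not numeric")
    except InvalidOperation:
        errors.append("amount not numeric")
    return errors


def sequence_check(doc_numbers, first, count):
    """Account for the sequence of pre-numbered documents."""
    expected = set(range(first, first + count))
    seen, duplicates = set(), set()
    for number in doc_numbers:
        if number in seen:
            duplicates.add(number)
        seen.add(number)
    return {
        "missing": sorted(expected - seen),
        "duplicates": sorted(duplicates),
        "out_of_range": sorted(seen - expected),
    }


def process_batch(header, records):
    """Apply the edit checks, then compare what was processed with the batch header."""
    rejected, accepted = {}, []
    for rec in records:
        errors = edit_check(rec)
        if errors:
            rejected[rec["doc_no"]] = errors
        else:
            accepted.append(rec)
    total = sum((Decimal(r["amount"]) for r in accepted), Decimal("0"))
    return {
        "rejected": rejected,
        # The sequence is checked over every document keyed, rejected or not.
        "sequence": sequence_check(
            [r["doc_no"] for r in records], header.first_doc_no, header.doc_count
        ),
        "count_processed": len(accepted),
        "total_processed": total,
        "count_agrees": len(accepted) == header.doc_count,
        "total_agrees": total == header.control_total,
    }


# Constructed sample: 10 pre-numbered cash receipts totalling $500, the first for $23.
AMOUNTS = ["23", "50", "75", "40", "60", "35", "55", "45", "67", "50"]
HEADER = BatchHeader(first_doc_no=1001, doc_count=10, control_total=Decimal("500"))


def keyed_batch(overrides=None, dropped=()):
    """Build the keyed records; overrides maps doc_no to the fields a keying error changed."""
    overrides = overrides or {}
    records = []
    for offset, amount in enumerate(AMOUNTS):
        doc_no = HEADER.first_doc_no + offset
        if doc_no in dropped:
            continue
        rec = {"doc_no": doc_no, "date": "30/06/2020", "amount": amount}
        rec.update(overrides.get(doc_no, {}))
        records.append(rec)
    return records


if __name__ == "__main__":
    scenarios = {
        "clean batch": keyed_batch(),
        "$23 keyed as $32": keyed_batch({1001: {"amount": "32"}}),
        "1004 lost, 1007 misdated": keyed_batch(
            {1007: {"date": "30/13/2020"}}, dropped=(1004,)
        ),
    }
    for name, records in scenarios.items():
        print(name, process_batch(HEADER, records))
```

A control total cannot detect two keying errors that offset each other, so it complements the edit and sequence checks rather than replacing them.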
All the features of accounting systems described above provide the foundation for controls
to help ensure recording accuracy. However, the actual control activities are usually in the
form of independent checks, reviews and approvals established at the points in the
processing of transactions and handling of related assets where errors or irregularities
could occur. For example, the financial controller may review supporting documents for a
disbursement before payment.
Cut-off
The cut-off period is generally the few days either side of the reporting date. Cut-off
controls are used to ensure that transactions during the cut-off period are recorded in the
correct period. In the absence of appropriate controls, such as an independent review of
transactions during the cut-off period, cut-off errors may occur, because year end is a
hectic time and staff may make errors under stress or because of fraudulent misstatement to
manipulate the results for the period.
Classification
Presentation
Presentation is concerned with whether items in the financial report are appropriately
aggregated or disaggregated and clearly described, and related disclosures are relevant and
understandable. An example of a presentation control would be to have someone
independent of its preparation review it.
Monitoring of controls
Monitoring of controls is a process used to assess the effectiveness of the performance
of internal control. It involves evaluating the design and operation of controls and taking
corrective action where necessary. Management may monitor controls through ongoing
activities such as supervisory activities or separate evaluations. In addition,
communications from external parties, such as customer complaints, may indicate
problems. In many entities, internal auditors also contribute to the monitoring process.
An internal audit function is an individual, group or department within an entity that acts
as a separate, higher level of control to determine whether the internal control is
functioning effectively. Internal auditors may make special enquiries at management’s
direction or generally review operating practices to promote increased efficiency. However,
the external auditor is concerned with internal auditors who act as a higher level of control
—an additional layer, in effect—to ensure that the accounting system and control activities
are operating. An effective internal audit function can significantly strengthen the
monitoring of control.
Internal audit may affect the external audit in the following three ways:
1. The internal audit function is part of the internal control. If an entity has an internal
audit function that acts as a higher level of control, it will influence the external auditor’s
assessment of control risk and as a result affect the scope of audit procedures.
2. The internal auditors may have descriptions and other documentation of the
internal control. These documents may help the external auditor to obtain an
understanding of the entity’s internal control.
3. The internal auditors may provide direct assistance to the independent auditor by
making substantive tests or tests of controls.
Many internal audit departments have also become involved in assessing the business
strategy of the entity and identifying the associated risks. This work will be useful to the
external auditor when undertaking a business risk approach to the audit. The involvement
of internal audit in assessing business strategy will be discussed further in Chapter 14.
The extent to which the external auditor may use the work of internal audit will be
discussed later in this chapter.
QUICK REVIEW
1. Internal control consists of the control environment, the entity’s risk-
assessment process, information system, control activities and monitoring
of controls.
2. The control environment includes consideration of communication and
enforcement of integrity and ethical values; commitment to competence;
participation by those charged with governance; management’s
philosophy and operating style; organisational structure; assignment of
authority and responsibilities; and human resources policies and practices.
3. Control activities include policies and procedures that pertain to
performance reviews, information processing, physical controls and
segregation of duties.
4. Control activities relate to the risk of material misstatement at the assertion
level.
LO 7.4 Considering internal control in a financial report audit
In every audit, the auditor obtains a sufficient understanding of each of the five
components of internal control to plan the audit and determine the tests to be performed.
The nature and extent of the auditor’s consideration of internal control varies considerably
from audit to audit. In all audits, the auditor must understand the internal control,
particularly those controls associated with the accounting system. No matter what
audit strategy is followed, substantiating the underlying data is important. The auditor’s
understanding must be sufficient to identify types of potential misstatements, to consider
factors that affect the risk of material misstatement and to design effective audit tests. On
the other hand, for some assertions for some balances or transaction classes, an
understanding of the control activities component of internal control may be minimal,
depending on the audit strategy followed.
– Internal control policies and procedures are unlikely to relate to the specific assertion
(that is, the client does not have controls for this assertion).
– The evidence that would be obtained by additional testing would probably not support
a reduced level of control risk (testing would probably prove that control for the
assertion is weak).
– Obtaining additional evidence to support the control risk level would not be the most
efficient audit approach for the assertion (substantive tests are easier to perform than
tests of controls).
Consider whether further reduction in control risk would be an efficient audit approach
and whether further evidence would be likely to support the reduced level.
3. For each assertion within each significant transaction class, account balance or disclosure
for which the auditor plans to assess control risk at a level less than high, consider
whether sufficient evidence has been obtained to support the desired control risk level.
Perform tests of controls to evaluate the design or operation of the internal control
policy or procedure, to obtain needed evidence. (This step will be covered in
Chapter 8 .)
Document the basis of conclusions about the assessed level of control risk.
4. Design substantive tests to detect potential material misstatements. (This step will be
covered in Chapter 9.)
FIGURE 7.5 Steps in the auditor’s consideration of internal control
identify the types of potential misstatements that could occur and the factors that
contribute to the risk that they will occur
understand the accounting system sufficiently to identify the client documents, reports
and other information that may be available and ascertain what data will be used in audit
tests
Operating effectiveness is the manner in which entity personnel apply the policies that are
in place. Have the policies and procedures been used consistently throughout the year? Are
they used by all employees performing the function? When the employee ordinarily
responsible for a procedure is ill or on leave, is the procedure still effective? Does the
employee take the appropriate action when an exception is noted, or are overrides
common?
Audit evidence for some elements of the control environment may not be available in
documentary form, particularly in smaller entities where communication between
management and other personnel may be informal. Therefore, management’s attitudes,
awareness and actions are important in the design of a smaller entity’s control environment.
The nature of the control environment means that it has a pervasive effect on assessing the
risk of material misstatement. For example, an active and independent board of directors
may influence the philosophy and operating style of senior management. As indicated by
ASA 315.A84 (ISA 315.A84) the control environment does not prevent, or detect and
correct, a material misstatement itself, but it may influence the auditor’s assessment of
other controls and so affect the auditor’s risk assessment. Therefore, the control
environment influences the nature, timing and extent of the auditor’s further procedures.
The auditor is required by ASA 315.18 (ISA 315.18) to obtain sufficient knowledge of the
information system to understand:
initiation of transactions
records, documents and accounts used in processing and recording transactions
how the accounting system captures significant events, conditions and transactions
the financial reporting process used to prepare the financial report
controls surrounding journal entries.
The auditor needs first to obtain an understanding of the path that transactions take through
both the manual and the computerised portions of the information system. The auditor then
considers the anticipated computer-related controls that may contribute to a control risk
assessment of less than high, and documents and tests controls in order to assess the
control risk.
During general planning, the auditor generally obtains the following information on the
client’s computer system:
type of computer equipment and its configuration, including input and processing modes
used
types of systems software
organisational structure of computer processing activities, including the organisational
location of the IT department, number of personnel and internal organisation plan
number and nature of computerised accounting applications.
As part of understanding the information system, the auditor identifies the extent to which
the computer is used in each significant accounting application, and obtains the following
information:
the purpose of the application, particularly the documents, reports and updated master
files generated by the application and the general ledger account balances affected by the
application
the source, volume and form of input to the application, particularly the user departments
in which transactions originate and other computerised accounting applications that
generate input for the application
the master files affected by the application, including, in particular, the storage media, the
file maintenance process and the size and organisation of files
the mode and frequency of processing
the form of output of the application and the distribution of output.
This information enables the auditor to understand the relationship between the manual and
computerised portions of the information system and to assess the size and complexity of
the computerised portion of the information system and how much assistance will be
required from computer audit specialists.
ASA 315.19 (ISA 315.19) also requires the auditor to obtain an understanding of how the
entity communicates financial reporting roles and responsibilities and significant matters
relating to financial reporting. It includes the extent to which personnel understand how
their activities in the information system relate to others and the means of reporting
exceptions to a higher level within the entity. The auditor’s understanding of
communication also includes communication between management and those charged with
governance, particularly the audit committee, as well as communication to regulators.
The audit procedures normally used to obtain an understanding of control
activities involve:
The walk-through clarifies the auditor’s understanding of how the system and the control
activities work. The audit procedures applied for a walk-through are substantially the same
as those that would be applied to a larger number of transactions in doing tests of controls.
The distinction between a walk-through and tests of controls lies in the auditor’s purpose in
applying these procedures. The auditor must obtain sufficient understanding of the control
activities to consider how a specific control activity, individually or in combination with
others, prevents, or detects and corrects, material misstatements in classes of transactions,
account balances or disclosures. Control activities relevant to the audit are those that the
auditor considers it necessary to obtain an understanding of, in order to assess the risk of
material misstatement at the assertion level and to design and perform further audit
activities responsive to the assessed risks. An understanding of all of the client’s control
activities is not necessary for audit planning.
The nature and extent of audit procedures necessary to obtain an understanding of the
control activities varies considerably from entity to entity. A key issue is the level of
complexity and sophistication of the accounting system and operations. In a small business,
for example, the auditor may find a control environment in which there are too few
employees to achieve an adequate segregation of duties, thus resulting in the auditor
adopting a substantive approach. In that case, sufficient knowledge of the control activities
to plan the audit may have been achieved as part of the understanding of the control
environment, the risk-assessment process and the information system, and additional work
on specific control activities will not be needed.
Most computerised accounting applications include both manual and computer portions.
The auditor needs to understand the path that transactions take through both portions of the
information system. Some aspects of the computerised portion of the system are obviously
different from a manual system. They are unique to computer processing and not difficult
to identify. For example, some control activities may be included in a computer program
and leave no visible evidence of their execution. If the auditor intends to assess control risk
as less than high based on such control activities, it may be necessary to test the computer
program. However, it is often possible to substantiate computer-generated information
directly or to test manual controls maintained by computer users, instead of testing
automated control activities. The most common forms of reliance on the computer occur
when a manual control activity or an audit procedure is dependent on computer-generated
information.
In some cases, a manual control activity that is necessary to achieve a specific control
objective is dependent on the results of computer processing. For example, in the case of a
computerised billing application, the auditor wants to know whether control activities
provide reasonable assurance that products shipped are billed. If the control activity that
achieves this objective is a review by a billing clerk of a computer-generated report of
missing shipping documents based on a numerical sequence test in a computer program,
then the auditor must rely on the computer in order to use the manual control activity in
assessing the control risk.
If there are significant computerised accounting applications, the auditor may need to
obtain an understanding of the general controls, which will be discussed later in this
chapter. Auditors may review general controls even when they do not plan to assess control
risk as less than high, as a service to clients. Usually the review is done by a
computer audit specialist or an auditor with additional training in computerised
systems. The review is conducted by enquiry and observation of client IT personnel and
review of existing documentation, such as client manuals, previous years’ work papers and
other information on the computer installation and computerised accounting applications.
The auditor’s objective is to decide whether there is reasonable assurance that:
there is adequate segregation of duties between IT and users, and also within the IT
department
the development or acquisition of programs and changes to programs are authorised,
tested and approved before implementation
access to data files is restricted to authorised users and programs.
Unless the auditor believes that understanding of particular activities is needed for audit
planning, the internal control activities need not be documented.
The auditor’s objective is to identify and document the minimum number of specific
control activities that provide reasonable assurance of achieving specific control objectives.
As a result, the documentation prepared by the auditor may be much less detailed than that
which would be prepared by a systems analyst. For example, if an entity’s cash payments
system provides for the financial controller’s review and approval and cancellation of
supporting documents before payment, the auditor may not be concerned with prior
processing steps for individual supporting documents such as purchase orders. The auditor
documents and tests those specific control activities that provide reasonable assurance of
achieving specific control objectives for specific assertions.
Auditors generally use decision aids such as internal control questionnaires and
checklists in obtaining an understanding of the internal control. These act both as memory
aids and as convenient ways to document the understanding obtained.
Generalised forms relating to the control environment range from detailed checklists that
present all the potential features of a control environment to simple forms that list broad
categories of features, such as personnel policies and procedures and organisational
structure, leaving space to describe the particular client’s methods.
listing of each transaction type, the source document to initiate the transaction and the
party responsible for the initiation, the approximate volume of each transaction type, the
accounts and computer files in which the transaction is recorded, the processing that occurs
and the place in the financial report where the transaction is summarised.
Questionnaires and checklists are also used to document control activities. Exhibit 7.1
presents a segment of an internal control questionnaire. Some questions require a ‘yes’ or
‘no’ answer about whether specific control methods and features are in place. Others are
organised by detailed control objective and the auditor writes in the client’s procedures that
achieve the listed objective.
EXHIBIT 7.1 EXAMPLE OF PART OF AN INTERNAL CONTROL QUESTIONNAIRE
Each question must be answered ‘Yes’ or ‘No’ or ‘N/A’. If the answer is ‘No’, provide
an explanation.
(b) pre-numbered?
6. Are invoices
(b) pre-numbered?
Narrative memoranda
EXHIBIT 7.2 EXAMPLE OF A NARRATIVE DESCRIPTION OF PART OF A SALES ACCOUNTING SYSTEM
The billing department uses the shipping document to prepare a two-copy sales
invoice with the following distribution:
1. Sent to customer.
2. Forwarded to accounts receivable record keeping. The shipping document is filed
numerically.
Flowcharts
Figure 7.6 presents some common flowchart symbols. Several audit firms have devised
unique approaches when preparing flowcharts that use non-standard symbols. These
approaches are too diverse to illustrate, but they all emphasise exclusion of document or
information flows that are not relevant to the understanding of internal control for the
purposes of audit planning. The standardised symbols in Figure 7.6 are used in the
computer industry and by many audit firms and their clients.
Figure 7.7 presents a flowchart for a portion of a simple sales information system.
Figure 7.8 presents a system flowchart for a portion of a batch computerised
accounting application. One of the advantages of creating flowcharts is that a
graphic presentation of a series of related processing steps is easier to understand
than a long narrative description. However, if a flowchart includes all the document and
information flows in the system, it also may become too complex to be understood easily,
and the significant control activities can be difficult to identify. As a result, the emphasis in
practice is on simplifying flowcharts.
FIGURE 7.7 Flowchart of the first part of the sales accounting system described in Exhibit 7.2
FIGURE 7.8 Segment of a flowchart on the billing function in a batch computerised sales accounting system
Assessing control risk
After obtaining an understanding of the components of internal control, the auditor assesses
control risk for the assertions embodied in the account balance, transaction class and
disclosure components of the financial report. The auditor must decide whether to assess
control risk for a particular assertion as high or as less than high.
The auditor may assess control risk as high because the entity’s internal control policies
and procedures in the area:
The auditor may decide to assess control risk as less than high when it improves audit
efficiency. If the auditor assesses control risk as less than high, the auditor must obtain
sufficient evidence to support that level. First, the auditor identifies specific control
activities relevant to particular assertions that are likely to prevent or detect
Global Example 7.3, involving sales, illustrates the process in more detail. In this
example, the auditor would design tests of controls to obtain evidence about the operating
effectiveness of the control activities identified, as control risk has been identified as low
and therefore the auditor wishes to rely on the controls.
GLOBAL EXAMPLE 7.3 Example of evaluating effectiveness of control activities for sales
Transaction class: Sales
Assertion: Completeness
The auditor may make a different assessment of control risk for each material account
balance, class of transactions and events, or disclosure; or for each assertion relating to the
one balance, class of transactions and events, or disclosure. For example, the auditor may
assess control risk for inventory assertions as high and for cash assertions as low, or assess
the risk for existence of cash as low but completeness as high. However, the auditor
recognises the interrelationships of account balances and transaction classes. For example,
a low level of assessed control risk for sales and cash receipts means a low level of control
risk for accounts receivable for assertions affected by the accuracy and reliability of
recorded sales and cash receipts.
ASA 315.29 (ISA 315.29) requires that for significant risks, to the extent that the auditor
has not already done so, the auditor should evaluate the design of the entity’s related
controls, including control activities, and determine whether they have been implemented.
An understanding of the entity’s controls relating to significant risks is considered
necessary to provide the auditor with adequate information to develop an effective audit
approach, even if the auditor does not intend to rely on those controls.
ASA 315.30 (ISA 315.30) also requires the auditor to evaluate the design and determine
the implementation of the entity’s controls, including relevant control activities, over those
risks for which, in the auditor’s judgment, it is not possible or practicable to reduce the risk
of misstatements at the assertion level to an acceptably low level with evidence obtained
solely from substantive procedures. Therefore, the auditor cannot simply default to a high
assessment of control risk without first evaluating the controls in these two areas.
Tests of controls
If control risk is assessed as less than high, the auditor has identified specific policies and
procedures that are likely to prevent or detect misstatements. Evidence is needed to support
the conclusion that those policies and procedures are effective. The evidence should
demonstrate both:
The evidence necessary to support a specific level of control risk is a matter of audit
judgment. However, the auditor requires stronger evidence of the effectiveness of a
procedure if the assessed level of control risk is low than if it is only medium.
including control risk. The manner in which these items are documented is for the auditor
to determine, using professional judgment.
Ineffective internal control causes the auditor to increase the quantity and effectiveness of
the substantive tests, because there is a general relationship between control objectives and
audit objectives. Because it is not consistent, the relationship must be considered for each
transaction class separately. For example, approval of credit sales (goods shipped to
customers do not exceed established credit limits) is related to the specific audit objective
of valuation of accounts receivable. On the other hand, approval of disbursements is related
to specific audit objectives concerning existence or occurrence.
The impact of effective internal control on the nature, timing and extent of substantive tests
will be discussed in Chapter 9. The relationship between specific control objectives
and specific audit objectives for major classes of transactions is considered further in
Chapter 8 for tests of controls, and in Chapter 9 for substantive tests.
QUICK REVIEW
1. The auditor needs to obtain an understanding of internal control; assess
the level of control risk based on the understanding obtained; perform
tests of controls to gain evidence that the controls exist and operate
effectively throughout the period; and design substantive tests.
2. The auditor will document the internal control using internal control
questionnaires and checklists, narrative memoranda and flowcharts.
3. The auditor may assess control risk along a range from high to low,
depending on the effectiveness of internal control.
4. The auditor must obtain evidence to support the assessed level of control
risk.
5. The higher the level of assessed control risk, the more assurance the
auditor must obtain from substantive tests.
LO 7.5 Computerised systems
It is expected that most students will have an understanding of the basic concepts of IT.
As discussed earlier in this chapter, ASA 315.18 (ISA 315.18) requires the auditor to have
an understanding of the information system, including the related business processes.
Many auditors now use what is known as the COBIT (control objectives for information
and related technology) framework (published by the Information Systems Audit and
Control Association) to identify how the business processes and the IT processes
interrelate with each other.
Planning and organisation—how the entity directs the deployment of IT resources and
the delivery of services.
Acquisition, implementation and maintenance—how the entity defines and analyses
the requirements for projects, meets those requirements and implements the selected
approach.
Delivery and support—how the entity establishes physical and logical security to
safeguard IT applications and resources against unauthorised use, modification,
disclosure or loss.
Monitoring—how the entity reviews performance and corrects deviations from
operational and procedural standards.
For each of these four COBIT domains, the auditor would typically look at three elements:
technology
people
procedures.
By understanding the technology, the people involved and the procedures of the four
COBIT domains, the auditor can understand the entity’s information system. The auditor
can then assess the risks of material misstatement related to the information system.
The COBIT framework identifies seven categories of threats to the computer information
requirements of the entity as follows:
1. Availability: Is the information available, when required by the business process? For
example, risk of system downtime.
2. Confidentiality: Is sensitive information protected from unauthorised disclosure? For
example, risk of hackers accessing servers.
3. Integrity: Is the information accurate and complete as well as valid in accordance with
business expectations? For example, risk of failure of processing controls.
4. Effectiveness: Is the information relevant and pertinent to the business process as well
as delivered in a timely, correct, consistent and usable manner? For example, risk of
providing insufficient information to management to make decisions.
5. Efficiency: Is the information provided through the optimal use of resources? For
example, risk of poor cost–benefit analysis and inefficient use of resources.
6. Compliance: Does the entity use information in compliance with relevant laws,
regulations and contractual agreements? For example, risk of lack of awareness of legal,
regulatory and contractual requirements resulting in non-compliance with those
requirements.
7. Reliability: Is the appropriate information provided to management so that it can
operate the entity and exercise its financial and compliance reporting responsibilities? For
example, risk of outsourcers failing to meet targets.
The distinction between user controls and IT controls is therefore based on location. IT
controls are maintained in the location of the computer. IT controls can be subdivided
into general controls and application controls, as discussed below. User controls are always
application controls.
An IT control may be either an automated control or a manual control activity, as
illustrated in Figure 7.9.
single staff member exceeding 50 for one week) for management review, that review is a
manual control that depends on an automated control.
Most entities’ systems of internal control consist of a mixture of manual and automated
controls. The mix of manual and automated controls will vary between entities, depending
on the nature of the entity and the complexity of the entity’s IT system. From an audit
perspective, the auditor is concerned with whether the control can be relied upon to prevent
or detect material misstatements, rather than whether it is manual or automated. However,
the auditor needs to recognise the characteristics of each type of control and the different
ways that they may need to be tested, as discussed in Chapter 8.
General controls
General controls are defined in ASA 315.A108 (ISA 315.A108) as those policies and
procedures that relate to all or many applications and support the effective functioning of
application controls. General controls maintain the integrity of information and
the security of data. A variety of controls fall into this category, but the general
controls that are usually important to the planning and conduct of audits of financial
reports are as follows:
Segregation of duties: This involves reviewing the plan of organisation and operation of
IT for the appropriate separation of incompatible functions.
Control over programs: This involves reviewing control activities to ensure that
development, acquisition and changes to applications and systems programs are
authorised, tested and approved before being used for processing. Access to programs
should also be restricted to authorised personnel.
Control over data: This involves reviewing control activities to ensure that access to the
system and to data files is restricted to authorised users and programs. All transactions
entering the system should be appropriately authorised.
Segregation of duties
The IT department must be separate from user department functions if the user controls are
to be effective. Ideally, of the functions of authorisation, execution, recording and
accountability, the IT department should be responsible only for recording. However, in
some systems, initiation or execution of transactions is an automatic step in an application
program.
Ideally, each computer-related function should be kept separate. However, the critical
separation of duties is that between operations and systems development. These functions
are incompatible and should not be combined: those who have knowledge of the
operation of the accounting systems and applications programs, including how to
modify programs, should not be permitted to access data files and production programs
that accompany operations. Table 7.1 presents the common large IT department
functions, showing those positions with knowledge of and those positions with access to
data files and/or production programs.
In a small computer system (minicomputer or microcomputer), there are often not enough
people to achieve adequate segregation of duties within the IT department or between the
IT department and the user. In such circumstances the auditor will usually conclude that
general controls are seriously deficient and that the control risk must be assessed as high
on the basis of IT controls. However, in some circumstances the auditor might still assess
control risk as less than high on the basis of user controls.
Usually, controls over programs apply to all computerised accounting applications. One of
the major risks for the business and therefore for the auditor is at the acquisition,
development or change stages of the program. Development of new programs, acquisition
of programs from software vendors and changes to existing programs must be adequately
controlled. Adequate control includes authorisation, testing and approval before new or
changed programs are used in processing applications.
Control activities in user departments and IT application controls over input and processing
help to ensure that processed data are authorised, valid, complete and accurate. Control
over access to data maintained on computer-readable files ensures that the data remain
authorised, valid, complete and accurate.
The control activities that restrict access to data files to authorised users and programs are
a mixture of physical devices, manual control activities and automated control activities.
Physical security measures are necessary to ensure that only authorised personnel have
access to the computer room. These measures include locks, badges and passes to obtain
admittance. In an online system, physical security measures for terminals, such as locks
and a supervised location, are also important. In a system where there is remote
transmission from terminals to the central processing unit (CPU), physical security is more
difficult to achieve and automated procedures assume even greater importance.
Where data files are maintained offline, a librarian function separate from programming
and operations is important. The librarian should release files only in accordance with
established procedures for authorised use. Authorisation should include both the
individuals to whom files may be released and an authorised processing schedule. Proper
labelling of files (both internal and external) also helps to ensure protection of data files
from incorrect and unauthorised use.
In an online system, files are accessed through terminals. Thus a variety of automated
procedures is necessary, particularly procedures accomplished by systems software. When
terminals are located in user departments, only appropriate terminals should have access to
master files. For example, terminals in the billing department should not have access to the
accounts payable master file. This can be achieved by online storage of a list of authorised
terminals for each function, so that when a terminal requests access its identity is compared
with a list of authorised terminals for the requested file. It is also necessary to restrict the
use of terminals to authorised users. This can be achieved by using systems software that
requires users to enter an ID and a password in order to obtain access to particular data
files and programs.
Measures should also be taken in an online system to restrict the access to data files of
those involved in the programming function. Application programmers need to use files in
testing programs and these files should be copies, or files of fictitious data, rather than live
data files. Also, systems software may be used to bypass automated control activities
that restrict the access of application programs to data files. Therefore, use of systems
software should be controlled, and its use by systems programmers should be monitored.
Systems security software packages are available that monitor access to data files and
control unauthorised access. This software either prevents or detects unauthorised access to
data files. However, some systems software of this type may be operated in different modes
at the client’s choosing, and only some modes prevent unauthorised access. Other modes
detect and produce a management report of unauthorised access to data files and their
effectiveness is dependent on manual investigation and follow-up of the reports.
Where control over access to data files is dependent on systems software, the
assistance of a computer audit specialist is usually required. The computer audit
specialist assists in obtaining an understanding of the systems-software-dependent controls
and evaluates whether they are effective in restricting access to data files to authorised
users and programs.
There are other general controls but usually they do not have an effect on the auditor’s
assessment of control risk. For example, some general controls are concerned with the
ability to recover computer operations if various problems arise. These back-up and recovery
controls relate to measures taken to back up hardware, software and files and to
ensure recovery if the computer installation or particular files or programs are damaged or
destroyed. For example, the client should have a contingency plan to follow if computer
Back-up procedures relate to the ability to reconstruct data files if the current version of the
file is damaged by a hardware or software error. For example, in a system with batch input
and batch processing, files should be retained to allow the reconstruction of master files. A
retention policy often used is called the grandfather–father–son concept. As the name
implies, it involves retaining three generations of a particular master file and the related
transaction files. The current version of the master file is the ‘son’ file, and the two
previous versions are the ‘father’ and ‘grandfather’. In an online entry system, data file
retention requires dumping the entire contents of master files onto magnetic tape or disk on
a daily basis and creating a transactions log of processed transactions.
Application controls
Application controls are defined in ASA 315.A109 (ISA 315.A109) as manual or
automated procedures that operate at a business process level and therefore apply to the
processing of individual applications. They can be preventative or detective, and are
designed to ensure the integrity of the accounting records. Therefore, they relate to
procedures used to initiate, record, process and report transactions or other financial data.
The reliance that can be placed on application controls often depends on the reliability of
the general controls. For example, an automated IT control or a manual control activity that
depends on computer-generated information may not be effective if control over
development and changes to application software are ineffective. However, application
controls contribute to achievement of specific control objectives that the auditor considers
in tests of controls. The auditor assesses the effect of application controls on control risk in
order to restrict the scope of direct tests of balances. As explained earlier, application
controls may be user controls or IT controls.
User controls
User controls are performed by personnel in user departments and therefore are manual
control activities, and so these controls may be tested in the same manner as control
activities in a manual processing system. The auditor may test the functioning of user
controls by enquiry, observation and inspection of documents.
completeness and accuracy of data processed by the computer may be classified as control
totals; review and reconciliation of data; error correction and resubmission; and
authorisation controls.
Control totals are used to detect errors in input or processing when information is
batched before entry. Generally, there are the following three types:
1. Financial totals: the totals of field amounts for all the records in a batch that are
normally computed as a result of processing. For example, in a sales accounting system,
financial totals are total dollars received or total dollars billed.
2. Record totals: the totals of the number of logical or physical records in a batch. For
example, the total number of sales invoices and the total number of inventory items on
invoices in a batch are record totals.
3. Hash totals: the totals of field amounts for all the records in a batch that are
computed for control purposes only. For example, the total of customer numbers
is a hash total.
If a user department establishes control totals before data entry and reconciles those totals
to output returned from the IT department, loss of data or changes in data that occur
outside the user department can be detected. For this control activity to be effective, the
user department must maintain detailed documentation, reconcile output to input and
investigate discrepancies. The procedures are as follows: a batch number is assigned; the
number of items in a batch is limited to facilitate reconciliation; control totals are recorded
manually in a log maintained by the user and on a transmittal ticket (batch header) that
accompanies the batch; the control totals on output reports are reconciled to the input
control totals; and differences and their resolution are also documented.
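The reconciliation of batch control totals described above, as an added example (not from the textbook). The invoice fields, the sample batch and the function names are constructed for illustration; the code computes the three types of control total and shows which kinds of error each one detects.

```python
from dataclasses import dataclass, replace
from decimal import Decimal


@dataclass(frozen=True)
class Invoice:
    invoice_no: str
    customer_no: int
    amount: Decimal


@dataclass(frozen=True)
class ControlTotals:
    record_total: int          # number of invoices in the batch
    financial_total: Decimal   # total dollars billed
    hash_total: int            # sum of customer numbers (control use only)


def compute_totals(records):
    """Compute the three control totals for a batch of invoices."""
    return ControlTotals(
        record_total=len(records),
        financial_total=sum((r.amount for r in records), Decimal("0")),
        hash_total=sum(r.customer_no for r in records),
    )


def reconcile(header, output_records):
    """Compare the totals on the batch header with totals recomputed from
    the output returned by IT. Returns the names of the totals that
    disagree; an empty list means the batch reconciles."""
    actual = compute_totals(output_records)
    return [
        name
        for name in ("record_total", "financial_total", "hash_total")
        if getattr(header, name) != getattr(actual, name)
    ]


# Constructed sample batch (not real data).
BATCH = [
    Invoice("INV-1001", 40217, Decimal("1250.00")),
    Invoice("INV-1002", 40388, Decimal("310.40")),
    Invoice("INV-1003", 41105, Decimal("87.95")),
]
# Totals the user department records in its log and on the batch header
# before the batch leaves the department.
HEADER = compute_totals(BATCH)


def scenarios():
    """Reconcile the header against five constructed processing outcomes."""
    lost = BATCH[:-1]
    wrong_customer = [BATCH[0], replace(BATCH[1], customer_no=40838), BATCH[2]]
    wrong_amount = [replace(BATCH[0], amount=Decimal("1520.00"))] + BATCH[1:]
    swapped = [
        replace(BATCH[0], customer_no=BATCH[1].customer_no),
        replace(BATCH[1], customer_no=BATCH[0].customer_no),
        BATCH[2],
    ]
    return {
        "clean": reconcile(HEADER, BATCH),
        "lost_record": reconcile(HEADER, lost),
        "wrong_customer": reconcile(HEADER, wrong_customer),
        "wrong_amount": reconcile(HEADER, wrong_amount),
        "swapped_customers": reconcile(HEADER, swapped),
    }


if __name__ == "__main__":
    for name, diffs in scenarios().items():
        print(f"{name:18} -> {diffs or 'reconciles'}")
```

The last scenario reconciles even though two invoices carry the wrong customer number: errors that offset within a batch leave every total unchanged, so control totals detect loss or alteration in aggregate rather than every record-level error.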
There are generally formal error correction and resubmission procedures in computerised
systems. Users are responsible for correcting errors that originate outside the IT
department. Procedures in user departments generally should include a user’s procedure
manual with written procedures for correcting errors, maintenance of a log for errors and
resubmissions, and careful review and approval of resubmitted source documents before
transmittal.
Authorisation controls are important to ensure that only valid transactions are processed.
During batching, individual transactions should be appropriately authorised. There should
also be an authorisation procedure for each of the batches from the user department to the
IT department for input.
IT controls
Every time data are transferred from one medium to another or are changed by processing,
such as by summarisation or calculation, there is potential for error. Therefore, IT
application controls are usually classified as input, file, processing and output controls.
Errors may be introduced at each of these stages in a computerised system.
Input controls naturally differ for batch input and online entry. Batch input goes
through a data preparation step for conversion of manual source documents to computer-
readable form. Batch data preparation generally includes the following control activities:
Control totals: These are computed as a by-product of data preparation and compared
to the total established manually by the user department. Also, as part of data preparation,
a (computer-readable) batch header record including control totals is often created and
added to the input.
Key verification: This is the duplicate keying of data to detect errors of entry. A
second operator rekeys the same source documents, and differences from the first keying
are identified and corrected. As key verification is expensive, it is usually confined to
critical data fields on source documents.
Key entry validation: Data validation is a general term referring to tests used to detect
inaccurate or incomplete data. Key-to-disk equipment has logic capabilities that permit
data validation.
Online entry controls include (1) batch controls in online entry with batch processing and
(2) general controls, which were discussed earlier, to ensure that only authorised and valid
transactions are entered into terminals.
After data preparation in batch input systems, the batch input is read online from tape or
disk into primary storage. This step takes place under control of the CPU and a variety of
edit and data validation tests can be made using the logic capability of the CPU.
The following edit and data validation tests are examples of automated control
activities:
Check digits: These are used to validate record-identification fields. For example, a
check digit may be used for customer numbers or employee numbers. The check digit is
calculated from the identification number and attached to it when the number is
originally assigned. The calculation is a numeric operation on the identification number.
A simple check digit algorithm might operate in the following way: Assume an inventory
item code is 6595 1. Once entered, the computer might divide the number 6595 by 7
(referred to as the modulus). The result of this division would be 942, with a remainder of
1. The computer would then compare this remainder with the final digit in the code (in
this case, 1). Since the remainder agrees with the check digit, the code is valid. If the
remainder was not the same as the check digit, then the code is invalid and would be
rejected.
Limit or reasonableness test: This is a logic test used to determine whether a data
amount falls within previously established limits. Any amount that is outside the limit is
identified for investigation. For example, in a weekly payroll application, employee time
records with greater than 48 hours or less than 0 hours might be rejected or printed out
for investigation. In a cash payments system all disbursements over a specified amount,
such as $10 000, might be printed out for investigation. This type of automated control
activity helps to compensate for the lack of human involvement in computer processing.
Humans notice when data do not make sense or are out of line; computers do not, unless
they are specifically programmed to apply predefined criteria.
Field test: This is a logic test based on the characteristics that data in particular fields
should exhibit. For example, characters should be alphabetic or numeric (alphanumeric
test); the field should have a specified size (for example, a field must contain five
characters, not four or six); the field should have a specified sign (sign test) or in some
cases a specified value.
Valid code test: This is a logic test in which a code field in a record is compared to a
table of valid codes stored online. For example, a transaction code can be used in
accounts receivable processing so that only transactions with certain codes, such as credit
sales or cash collections, are accepted to update the debtors master file.
These automated control activities are examples rather than an exhaustive list of the
possible procedures.
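The edit and data validation tests above, as an added example (not from the textbook), applied to a constructed accounts receivable input record. The modulus-7 check digit and the 0 to 48 hour limit follow the text; the record layout, the transaction codes CS and CC, and the $10 000 limit applied to this record are assumptions.

```python
from decimal import Decimal, InvalidOperation

MODULUS = 7                       # modulus from the text's worked example
VALID_TXN_CODES = {"CS", "CC"}    # constructed table: credit sale, cash collection
AMOUNT_LIMIT = Decimal("10000")   # assumed investigation threshold


def check_digit_ok(code):
    """Check digit test: the final digit must equal the remainder of the
    preceding digits divided by MODULUS."""
    digits = code.replace(" ", "")
    if len(digits) < 2 or not (digits.isascii() and digits.isdigit()):
        return False
    return int(digits[:-1]) % MODULUS == int(digits[-1])


def field_ok(value, size, numeric=True):
    """Field test: exact size and expected character class."""
    if len(value) != size or not value.isascii():
        return False
    return value.isdigit() if numeric else value.isalpha()


def within_limit(value, low, high):
    """Limit or reasonableness test: low <= value <= high."""
    return low <= value <= high


def edit_transaction(rec):
    """Apply the edit tests to one input record (a dict of strings).
    Returns the names of the failed tests; an empty list means accept."""
    failures = []

    cust = rec.get("customer_no", "")
    if not field_ok(cust, size=5):
        failures.append("customer_field")
    elif not check_digit_ok(cust):
        failures.append("check_digit")

    # Valid code test against the table of accepted transaction codes.
    if rec.get("txn_code") not in VALID_TXN_CODES:
        failures.append("valid_code")

    try:
        amount = Decimal(rec.get("amount", ""))
    except InvalidOperation:
        amount = None
    if amount is None or not amount.is_finite():
        failures.append("amount_field")
    elif not within_limit(amount, Decimal("0.01"), AMOUNT_LIMIT):
        failures.append("limit")   # also rejects zero and negative amounts

    return failures


# Constructed sample records (not real data).
SAMPLES = {
    "valid": {"customer_no": "65951", "txn_code": "CS", "amount": "420.00"},
    "transposed": {"customer_no": "69551", "txn_code": "CS", "amount": "420.00"},
    "short_field": {"customer_no": "6595", "txn_code": "CC", "amount": "420.00"},
    "bad_code_over_limit": {"customer_no": "65951", "txn_code": "XX",
                            "amount": "12500.00"},
    "non_numeric_amount": {"customer_no": "65951", "txn_code": "CC",
                           "amount": "abc"},
}


def run_samples():
    """Edit every constructed sample and return the failures per record."""
    return {name: edit_transaction(rec) for name, rec in SAMPLES.items()}


if __name__ == "__main__":
    for name, failures in run_samples().items():
        print(f"{name:20} -> {failures or 'accepted'}")
```

A remainder check digit with modulus 7 cannot see a change that shifts the base number by a multiple of 7, so the code `65251` passes `check_digit_ok` even though it differs from `65951`.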
File controls ensure that the proper versions of files are used in processing. For
example, the current period’s transaction file and the latest version of the master file should
generally be used in processing. Control activities in this area include file label controls.
Internal file labels are computer-readable data that are actually part of the file; they
identify the data and content of the file. External file labels are printed or handwritten
adhesive labels on diskettes or magnetic tape reels.
Processing controls detect errors in data and errors that occur in processing as a result
of logic errors in application programs or systems software errors. Controls for data errors
include automated control activities, such as transaction code tests, checking the numerical
sequence of records on a file and comparing related fields in files. Controls to prevent or
detect processing errors include automated control activities such as reasonableness or
limit tests and use of redundant program calculations (double arithmetic). Also, control
totals accumulated during processing are compared to input totals and previous computer-
run totals. This is commonly known as a run-to-run control total reconciliation.
Output controls include manual control activities in which IT personnel and users
review output to ensure propriety and reasonableness; and proper output handling to ensure
that output is distributed only to authorised users. Output controls also include automated
controls restricting access to display specified information (for example, payroll data) on a
terminal or PC. Other automated output control activities include automatic dating of
reports, page numbering and end-of-report messages. These ensure that no pages can easily
be inserted, added or removed.
If the general controls are reliable, the auditor makes a preliminary evaluation of
application controls and, if appropriate, a more detailed evaluation of application controls.
Thus, the auditor determines the degree of tests of controls and substantive testing which
will result in the most efficient and effective audit.
The database approach requires a file index with primary and secondary identifying key
fields, because different applications require different identifying keys. Because of the
complexity of the file structure, special systems software called a database management
system (DBMS) is necessary to handle programming and related tasks for managing the
database. The person with overall responsibility for the data is the database administrator.
The key risk that exists in a database is the risk that general controls are inadequate to
properly control the operations of the database. This risk arises largely because a database
is a collection of data that is shared and used by a number of different users for different
purposes. Therefore, an error in one piece of data can potentially affect a number of
different applications across the entity.
Stand-alone PC systems
When a PC is used as a stand-alone workstation, all data and programs are stored on that
PC. Control considerations and characteristics of the hardware and software are different
when a PC is linked to other computers, with a major difference being that data and
programs can be stored and controlled centrally and accessed when required.
With PCs, the distinction between general IT controls and application controls may be
blurred. Generally, the IT environment in which PCs are used is less structured than a
centrally controlled IT environment. Where PCs are used, it may not be practicable or cost
effective for management to implement sufficient controls to reduce the risks of undetected
errors to a minimum level. Thus, the auditor often assumes that control risk is high in such
systems.
In this situation, the auditor may find it more cost effective, after obtaining an
understanding of the control environment and flow of transactions, not to make a review of
general or application controls, but to concentrate the audit efforts on substantive tests of
transactions and balances at or near the end of the year.
In the past few years, many companies have moved their accounting applications from
mainframes to PCs on local area networks (LANs). In most cases, internal control risk
has thus risen significantly. Over the years, companies with critical mainframe applications
developed effective security and control activities. Because their processing is now
distributed to PCs at many locations, the security and control activities and techniques
designed for the mainframe no longer apply, and often little has been put in place to replace
them. Viruses (unauthorised programs causing mischief or significant damage) can spread
quickly from one PC to another in a LAN environment. Complicating the design of
controls is the increasing trend to connect LANs with other LANs, or even with nationwide
networks.
A client may have some or all of its computerised accounting applications processed at an
outside service organisation, or centre, rather than using its own computers. Even
companies with large computer installations prefer to have applications such as payroll
processed externally.
ASA 402.9 (ISA 402.9) requires the auditor to obtain an understanding of how a user entity
uses the services of a service organisation in the user entity’s operations, including:
• the nature and significance of the services provided by the service organisation and their
  effect on the user entity’s internal control
• the nature and materiality of the transactions processed or accounts or financial reporting
  processes affected by the service organisation
• the extent of interaction between the activities of the service organisation and the user
  entity
• the nature of the relationship between the user entity and the service organisation,
  including the relevant contractual terms for the activities undertaken by the service
  organisation.
When an audit client (user) employs a service organisation, audit evidence that is ordinarily
located at the user’s premises may be located at the service organisation. The auditor needs
to understand the nature and extent of the services provided by the service organisation
because they affect the nature, timing and extent of audit procedures, and it may not be
effective to obtain audit evidence from the service organisation.
When a service organisation is used, transactions that affect the financial report of the user
flow through an internal control system which is, at least in part, separate from the user;
thus, some or all of the evidence that the auditor needs may be under the control of the
service organisation. For the auditor to draw reasonable conclusions about the transactions,
and in some cases the resultant balances, that flow through the service organisation’s
internal control, it may be necessary to obtain audit evidence from the service organisation
or to have access to its records. In such circumstances, the auditor may find it necessary to
consider the internal control of the service organisation.
Where an entity uses a service organisation, there must be adequate planning at an early
stage in the audit process. To determine the significance of the service organisation’s
activities to the user and their relevance to the audit, the auditor needs to consider the
nature of the services, and the terms of the contract and relationship with the user.
The auditor needs to consider the division of internal control between the user and the
service organisation. ASA 402.10 (ISA 402.10) requires the auditor to evaluate the design
and implementation of relevant controls at the user entity that relate to services provided by
the service organisation. The user may have implemented controls that provide reasonable
assurance that irregularities at the service organisation would be detected. In some
circumstances, the auditor may be able to plan to rely on the internal control of the user
without obtaining an understanding of the internal control of the service organisation.
If the user auditor is unable to obtain a sufficient understanding from the user entity to
provide a basis for the risk assessment, ASA 402.12 (ISA 402.12) requires the user auditor
to:
visit the service organisation and perform the necessary procedures to provide
The difference between a type 1 report and a type 2 report is illustrated in Figure 7.10.
FIGURE 7.10 Difference between type 1 and type 2 reports
As indicated by ASA 402.Aus A16.1 (ISA 402.A16), a type 1 report is issued by the
service organisation’s auditor where the service organisation engages the auditor to report
on the description and design of its controls. A type 2 report is issued where the service
organisation engages the auditor to report on the description and design of its controls and
their operating effectiveness. As noted by ASA 402.A17 (ISA 402.A17), the availability of
a type 1 or type 2 report will generally depend on whether the contract between the service
organisation and the user entity includes a requirement for the provision of such a report by
the service organisation.
If the user auditor wishes to use the service organisation’s auditor’s report, ASA 402.13–14
(ISA 402.13–14) require the user auditor to satisfy themself as to the service auditor’s
competence and independence; the adequacy of the standards under which the type 1 or
type 2 report was issued; and that it covers an appropriate period.
QUICK REVIEW
1. The distinction between controls established and maintained by the user
department (user controls) and those maintained by the IT department (IT
controls) is important.
2. Controls are usually classified into two broad categories: general controls
and application controls.
3. General controls are controls that relate to all or many computerised
accounting applications. They include the plan of organisation and
operation of IT; control activities over development, acquisition and
changes to programs; and control activities to ensure that access to data
files is restricted to authorised users and programs.
4. Application controls are controls relating to individual computerised
accounting applications. They include user controls and IT controls.
5. An IT control can be either an automated control or a manual control.
6. Other computer environments include database management systems;
stand-alone PC systems; LANs and other networks; and computer service
organisations.
7. The auditor is required to obtain an understanding of how the entity uses
the services of a service organisation.
While recognising the similarities between the external and internal audit functions, it is
important to bear in mind the fundamental differences between them. In the case of a
company, the following major differences can be identified:
1. Objectives: The external auditor has a statutory responsibility to report on the truth and
fairness of the financial report and on whether proper accounting records and registers
have been kept. These responsibilities cannot be delegated to others. The objectives of the
internal audit are determined by management to assist them in their decision making.
2. Independence: The external auditor is appointed by and is responsible to the shareholders
of the company, in accordance with the provisions of the Corporations Act 2001. The
internal auditor may be appointed by and be responsible to management, the board or the
audit committee.
3. Qualifications: The qualifications of persons permitted to accept appointment as external
auditors are stipulated in the Corporations Act 2001. There are no statutory qualification
requirements in the case of persons appointed to act as internal auditors. The type of
qualification and/or experience required are determined by management.
Despite these comments, ASA 610.8 (ISA 610.8) recognises that the external auditor may
be able to use the work of the internal audit function in a constructive and complementary
manner. Internal auditing may be useful to the external auditor as it may affect audit risk
and therefore the nature, timing and extent of audit procedures. As a result, ASA 610.Aus
13.1 requires an external auditor to determine whether the work of internal audit can be
used, and if so, in which areas and to what extent; and if using the work of internal audit, to
determine whether that work is adequate for external audit purposes.
The work of an internal auditor may be used in an external audit where it is viewed as part
of an audit client’s internal control. The external auditor evaluates the internal audit
function and determines the extent to which it can be used in the audit process.
• objectivity—the internal auditor’s organisational status in the entity and the effect that
  this may have on their ability to be objective. In particular, the internal auditor must be
  free to communicate fully with the highest level of management and the external auditor,
  and must be free of any other operating responsibility
• technical competence—whether internal auditing personnel have adequate technical
  training and proficiency, including professional qualifications and experience
• systematic and disciplined approach—whether internal audit applies a systematic and
  disciplined approach, including quality control. This would require internal audit to
  exercise due professional care, including internal audit work being properly planned,
  documented, supervised and reviewed. Evidence of this would be adequate audit
  manuals, audit programs and working papers.
external audit procedures, ASA 610.24 (ISA 610.24) requires the external auditor to
consider:
In addition, if the external auditor intends to use the work of internal audit, the evaluation
must include re-performance of some of the internal audit work. Further, ASA 610.21–22
(ISA 610.21–22) require that if the external auditor plans to use the work of internal audit,
the external auditor must discuss the planned use of its work with the internal auditor, as a
basis for coordinating their respective activities and must read the relevant reports of
internal audit.
The external auditor is required to undertake a general evaluation of the internal audit
function as part of the review of the client’s internal control, but where the auditor intends
to use specific internal audit work as a basis for modifying the nature, timing and extent of
audit procedures, the external auditor must specifically review the internal audit working
papers. An external auditor who relies on specific internal audit work to support a
preliminary assessment of control risk must evaluate and test that work to ensure that it is
adequate for external audit purposes and document the conclusions reached, as illustrated
by Figure 7.11.
FIGURE 7.11 Considering using the work of internal audit
In accordance with ASA 260.15 (ISA 260.15) the external auditor is required to
communicate with those charged with governance an overview of the planned scope and
timing of the audit. The planned use of the work of the internal audit function is an integral
part of the external auditor’s overall audit strategy and is therefore relevant to those charged
with governance, for their understanding of the proposed audit approach. As a
result, ASA 610.20 (ISA 610.20) requires the external auditor to communicate
with those charged with governance how the external auditor has planned to use the work
of the internal audit function.
ISA 610 indicates that where it is not prohibited by law or regulation, external audit may
obtain direct assistance from internal audit. Direct assistance is the use of internal audit to
perform audit procedures under the direction, supervision and review of external audit.
However, the revised ASA 610, issued in December 2013, in ASA 610.Aus 1.2 and ASA
610.Aus 25.1, prohibits the use of internal auditors to provide direct assistance in an audit
or review conducted in accordance with the Australian auditing standards. This prohibition
on direct assistance does not represent a divergence from ISA 610, as the International
Auditing and Assurance Standards Board (IAASB) makes it clear that its requirements and
guidance in this area will not be applicable in jurisdictions where the use of internal
auditors to provide direct assistance is prohibited.
QUICK REVIEW
1. The extent to which the external auditor can use the work of internal audit
depends on the evaluation of the internal audit function.
2. Internal audit may reduce audit risk and therefore the extent of the
external auditor’s work.
3. The evaluation of internal audit will consider its objectivity; the technical
competence of internal audit personnel; and whether internal audit applies
a systematic and disciplined approach, including quality control.
4. The effect of internal audit’s work on the nature, timing and extent of the
external audit procedures depends on the nature and scope of the internal
audit work; the assessed risks of material misstatement at the assertion
level; and the degree of subjectivity involved in the evaluation of the audit
evidence gathered by internal audit.
5. Where the external auditor intends to use specific internal audit work, the
external auditor will review the internal auditor’s working papers and test
the internal auditor’s work.
6. In Australia, external auditors are prohibited from using internal auditors to
provide direct assistance in an audit or review conducted in accordance
with the Australian auditing standards.
Summary
The study and evaluation of internal control is an important aspect of a financial report
audit. The auditor must obtain a sufficient understanding of the entity’s internal control,
including the internal audit function if applicable. The auditor’s understanding of internal
control must be documented in the audit working papers through completed flowcharts,
questionnaires or narrative descriptions. The auditor then needs to perform tests of
controls, assess control risk for each significant financial report assertion and document
this assessment. Making the correct assessment is crucial to completing an efficient and
effective audit.
Key terms
accounting system
application controls
approval
assessing control risk
authorisation
automated control
back-up and recovery controls
big data
check digit
control activities
control environment
control risk
control totals
database
hash totals
information system
inherent limitations of internal control
input controls
internal control
internal control questionnaire
internal file labels
IT controls
key entry validation
key verification
limit or reasonableness test
local area networks (LANs)
management controls
manual control
monitoring of controls
narrative memorandum
output controls
performance review
preventative controls
processing controls
program library management software
record totals
run-to-run control total reconciliation
segregation of duties
service organisation
systems software
transaction controls
user controls
valid code test
validity
walk-through
Copyright © 2018. McGraw-Hill Australia. All rights reserved.
Gay, GE, & Simnett, R 2018, Auditing and Assurance Services in Australia, McGraw-Hill Australia, Sydney. Available from: ProQuest Ebook Central. [2 October 2020].
Created from usc on 2020-10-02 21:28:27.
References and additional readings
American Institute of CPAs (AICPA) (2015) Audit Analytics and Continuous Audit,
Looking Toward the Future, AICPA, New York.
Australian Securities Exchange (ASX) Corporate Governance Council (2014) Corporate
Governance Principles and Recommendations, 3rd edn, June, ASX, Sydney.
Committee of Sponsoring Organizations of the Treadway Commission (COSO) (2013)
Internal Control—Integrated Framework, May, AICPA, New York.
Grant, G., Miller, K. and Alali, F. (2008) ‘The effect of IT controls on financial reporting’,
Managerial Auditing Journal, Vol. 23, No. 8, pp. 803–23.
Institute of Internal Auditors (2005) ‘Putting COSO’s theory into practice’, Tone at the
Top, Issue 28, November, pp. 1–3.
International Auditing and Assurance Standards Board (IAASB) Data Analytics Working
Group (2016) Exploring the Growing Use of Technology in the Audit, with a Focus on
Data Analytics, September, International Federation of Accountants (IFAC), New
York.
IT Governance Institute (2012) COBIT 5, ISACA, Rolling Meadows, US.
Mock, T.J. and Willingham, J.J. (1983) ‘An improved method of documenting and
evaluating a system of internal accounting controls’, Auditing: A Journal of Practice &
Theory, Vol. 2, No. 2, Spring, pp. 91–9.
Ramlukan, R. (2015) ‘How big data and analytics are transforming the audit’, Financial
Executives International Daily, 16 December, http://daily.financialexecutives.org/ho
w-big-data-and-analytics-are-transforming-the-audit/, accessed 15 December 2017.
Copyright © 2018. McGraw-Hill Australia. All rights reserved.
Gay, GE, & Simnett, R 2018, Auditing and Assurance Services in Australia, McGraw-Hill Australia, Sydney. Available from: ProQuest Ebook Central. [2 October 2020].
Created from usc on 2020-10-02 21:28:27.
Review questions
Computerised systems
7.9 Distinguish between general controls and application controls in a
computerised system and list four areas over which general IT controls are
commonly implemented. LO 7.5
7.10 Identify two situations in which manual controls may be less suitable than
automated controls. LO 7.5
7.12 Explain how internal audit is different from external audit. LO 7.6
Discussion problems and case studies
7.14 EASY Easy Beat Ltd sells CDs to music shops all over Australia. Although
each sale is of relatively low value, the company has a very high sales
volume and is very profitable. You are conducting the audit of Easy Beat for
the year ended 30 June 2018. You have just completed a review of Easy
Beat’s controls and have concluded that its internal control is satisfactory.
REQUIRED
Indicate the audit strategy that you are likely to adopt. Give
reasons. LO 7.1
For each of the above situations, explain the impact on control risk and the
key account and assertion affected. LO 7.4
7.22 MEDIUM You are the auditor of Critical Solutions Ltd (CSL) for the year
ended 30 June 2018. During your planning process you note that the
human resources department of CSL has been short staffed recently and
has not been able to provide training to new staff responsible for
administrative and financial processing functions. Generally, new staff
members have experience within the industry.
While reviewing the accounting system you note that accounts receivable
are agreed to the sub-ledger, but there is no aging review, and an
increasing percentage of total receivables are falling into the 90 days+
category. Time sheets for processing staff are approved by supervisors,
then passed on to Susan Rogers in payroll. Susan prepares the pay sheet
information, which gets reviewed against the time sheets and approved by
the CFO, Peter Cummins, prior to payment being processed.
Access to the information technology (IT) system at CSL is controlled by
usernames and passwords, which are required to be changed regularly
through a programmed system prompt.
REQUIRED
Identify and explain two internal control strengths and two internal control
weaknesses for CSL. LO 7.4
Source: This question was adapted from the Chartered Accountants Program of Chartered
Accountants Australia and New Zealand, 2015 (2) audit and assurance module.
7.23 HARD You are the auditor of Safe Storage Pty Ltd, which is involved in the
manufacture of steel storage drums. One of the directors of Safe Storage
has requested that you perform a review of the internal controls within the
purchases and payments cycle of the company’s operations. From your
discussions with management and staff you ascertain that the company is a
small operation, operates from one location in Perth, and only has the
following staff:
• five directors (one of whom, the CEO, is responsible for the day-to-day
  operations of the company)
• a warehouse manager
• an assistant to the warehouse manager
• a secretary/receptionist
• an accounts receivable clerk
• a banking clerk
• an accounts payable clerk
• three machinery operators who are involved in the manufacturing
  process.
The warehouse manager is able to order from any supplier and will usually
telephone a number of suppliers to obtain quotes. The warehouse manager
will then order from one of these suppliers by telephone and
confirm the order by facsimile. The only documentation kept is the
facsimile confirmation of order, which is kept by the warehouse manager.
Once an order has been confirmed, the warehouse manager will complete
a purchase order (PO). The warehouse manager keeps one copy of the PO
and the other is forwarded to the accounts payable clerk, who files it in date
order.
When goods are received at the warehouse, the warehouse manager
checks the goods received to the delivery note attached to the goods and
signs the delivery note as evidence of this check. The delivery note
comprises two copies, one of which is retained by the person delivering the
goods and the other by the warehouse manager.
The warehouse manager forwards a copy of the signed delivery note to the
accounts payable clerk, who posts a journal entry to the creditors ledger for
the amount shown on the delivery note. The clerk then stamps the delivery
note ‘entered’ and files the delivery notes by supplier.
REQUIRED
(a) Describe the strengths and weaknesses in Safe Storage’s internal
control for the purchasing area.
(b) How will your assessment of internal controls affect your audit
approach for Safe Storage? LO 7.4
Computerised systems
7.24 EASY The following controls may exist in an entity’s IT system.
Control policy or procedure:
1. Limit test
2. Valid code test
3. Field test
4. Internal label
5. Record total
6. Check-digit verification
7. Sequence check
8. Financial total
9. Hash total
REQUIRED
Select the type of control from the above list of controls and enter it in the
appropriate place on the grid provided below. LO 7.5
DESCRIPTION OF CONTROL TYPE OF CONTROL
7.25 MEDIUM You are the audit senior on the audit of Fashion Bags Ltd, a large
distributor of ladies’ handbags. Fashion Bags operates on a national basis
and uses an online network system. The company is highly computerised,
with all major accounting functions being processed within the system. The
IT department operates out of the Sydney head office and comprises 15
people. The system has been fully developed and maintained by the IT
department, and the current system, apart from minor changes, has been in
use for three years. Each location is responsible for processing its own
transactions.
REQUIRED
(a) How does the use of an IT system alter the audit assertions
that are required to be achieved by the auditor? Explain how
7.26 HARD You are the audit senior on the audit of Travel Unlimited Ltd, an
Australian holiday experiences retailer. During 2017, the management of
Travel Unlimited recognised that it needed to allow customers to make
bookings online if it was to remain competitive. Travel Unlimited’s
customers include the general public, as well as Australian and overseas
travel agents selling packaged tours.
Given the need for an interface between the web-based booking system
and the general ledger, Travel Unlimited upgraded its existing accounting
software and acquired additional hardware to cope with the additional
speed of processing and the increase in required storage space.
During the year ended 30 June 2018, Travel Unlimited upgraded its entire
general ledger system to include an integrated purchasing module and an
accounts payable module. The integrated purchasing module and the
accounts payable module programs were installed on all company
computers. As part of the audit planning, you have identified the following
relevant IT application controls (AC) and IT general controls (GC) from the
integrated purchasing and accounts payable modules.
(a) The IT manager assigns each new staff member a user profile and an
initial password, based on advice provided by the IT administrator.
The initial password is generic. The first time the new employee logs
onto a company desktop computer, they are automatically forced to
change their password. Passwords must be changed every 30 days.
(b) There are clerks responsible for ordering and receiving (purchasing
clerks) and clerks responsible for processing invoices and preparing
remittance advices (processing clerks). Purchasing clerks only have
access to the purchasing module, and processing clerks only have
access to the accounts payable module. Each type of clerk has
exclusive access to their module via a separate password-protected
menu.
(c) The purchasing module automatically assigns each order a sequential
purchase order number. The purchasing clerk only has to enter the
supplier code, stock code and quantity ordered. The unit price is
automatically generated and cannot be overridden by the purchasing
clerk.
(d) Supplier information is contained in a supplier master file (SMF). Each
supplier has a unique supplier code. If the purchasing clerk attempts
to place an order with a supplier not in the SMF, the order cannot be
processed.
(e) When goods are delivered, the purchasing clerk enters the order
number and the date received. The quantity of goods received
cannot be overridden by the purchasing clerk. A ‘Yes/No’ prompt
confirms the receipt of the goods. The purchasing clerk is required to
enter ‘No’ if the quantity received is incorrect. If ‘No’ is entered, the
order cannot be processed for payment.
REQUIRED
For each of the IT controls described above, identify whether it is an IT
application control (AC) or an IT general control (GC) and explain your
answers. LO 7.5
Source: This question was adapted from the Chartered Accountants Program of the Institute of
Chartered Accountants in Australia, 2010 (3) audit and assurance module.
7.28 MEDIUM Pleasure Craft Ltd, a river cruise operator, has an internal audit
function that is attached to the accounting and finance division and reports
directly to the finance director in his capacity as chair of the audit
committee.
During your review of internal audit for the audit relating to the year ended
30 June 2018, you note the following two matters:
1. During the year the staff of the internal audit function changed
significantly. The division employed two new staff to undertake the testing
of the financial accounting records, while the more senior personnel who
had previously done these tests concentrated on the performance
auditing schedule of the internal audit function, as the internal audit
manager believed that this provided a greater opportunity for the internal
audit function to add value to the entity. The new staff had no previous
audit or accounting experience.
2. The audit work that has been documented by internal audit appears to be
quite thorough and competent. However, for some of the audit tests
prescribed, the internal audit staff have not prepared detailed
documentation of the work that has been completed. They have only
initialled the audit program and noted that the test has been satisfactorily
performed.
REQUIRED
Provide your assessment as to whether the external auditor can rely on the
work of the internal audit function of Pleasure Craft. Give reasons. LO 7.6
Continuous case study
Background information for the continuous case study, Reliable Printers Ltd (RPL), is
contained in the Appendix to this book.
7.29 MEDIUM As part of your audit of RPL for the year ended 30 June 2018,
you are reviewing internal controls over RPL’s print-on-demand business.
REQUIRED
(a) Based on the background information contained in the Appendix,
identify six control activities and indicate whether the control is a
manual control, an IT application control or an IT general control.
(b) Based on the background information contained in the Appendix,
identify and explain two key internal control weaknesses where
control activities should be present in order to prevent material
misstatements remaining undetected or uncorrected but are not
present.
(c) For each control weakness identified in (b), identify one key account
balance at risk. Explain why it is at risk.
(d) For each account balance identified in (c), identify one key assertion
that may be at risk. LO 7.4
Source: This question was adapted from the Chartered Accountants Program of the Institute of
Chartered Accountants in Australia, 2012 (3) audit and assurance module.
7.30 MEDIUM As part of your audit of RPL for the year ended 30 June 2018,
you are reviewing the risks and controls surrounding the installation of the
new IT system that will fully computerise and integrate all accounting
processes across the organisation, including integration into the general
ledger system.
REQUIRED
(a) Based on the background information contained in the Appendix,
identify two specific audit risks that may have arisen from the
installation of the new IT system. Justify your answer.
(b) Describe one control activity that should have been in place to
prevent each risk identified in (a) from occurring. LO 7.5
Source: This question was adapted from the Chartered Accountants Program of the Institute of
Chartered Accountants in Australia, 2012 (3) audit and assurance module.