CHAPTER 8: UNDERSTANDING THE INTERNAL CONTROL STRUCTURE AND ASSESSING CONTROL RISK

Copyright 2003 McGraw-Hill Australia Pty Ltd

PPTs t/a Auditing and Assurance Services in Australia by Gay & Simnett

Slides prepared by Roger Simnett

Post on 27-Mar-2020

AUDIT STRATEGY AND INTERNAL CONTROL STRUCTURE

To reach a conclusion on reliability of underlying accounting data, the auditor can:

• Test the accounting data (substantive approach).

• Perform procedures to review and evaluate the internal control structure to see whether accounting data was developed under conditions likely to ensure accuracy and reliability (lower assessed level of control risk approach).

Auditor adopts the best combination of these approaches.

STRUCTURE OF AND RESPONSIBILITY FOR INTERNAL CONTROL

Internal control structure is:

Management’s philosophy and operating style, and all the policies and procedures adopted by management to assist in achieving the entity’s objectives

Management is responsible for establishing, maintaining and monitoring the internal control structure.

INHERENT LIMITATIONS OF INTERNAL CONTROL STRUCTURE

Inherent limitations arise because of:

• Control breakdowns as a result of the actions of careless, fatigued or deviant staff

• The possibility of management override

• The existence of non-routine transactions for which internal controls were not devised

REASONABLE ASSURANCE

Internal control structure should be designed to provide reasonable assurance that assets are safeguarded and accounting records are reliable.

Concept of reasonable assurance recognises that, in some cases, cost of establishing and maintaining controls can outweigh benefits of adopting controls.

OBJECTIVES OF INTERNAL CONTROL STRUCTURE

Management controls:

• Risks are identified and minimised

• Management decision making is effective and business processes efficient

Transaction controls:

• Transactions are carried out in accordance with management’s general or specific authorisations

• Transactions are promptly and accurately recorded so as to allow the preparation of financial reports

• Access to assets limited in accordance with authorisation

• Asset records are compared with existing assets at reasonable intervals

MANAGEMENT CONTROLS

Management controls include activities such as:

• Communicating business objectives and goals

• Establishing lines of authority and accountability

• Establishing and enforcing appropriate codes of corporate conduct

• Monitoring both external and internal risk environments

• Defining policies and procedures for dealing with these risks

• Monitoring performance of key segments of the entity through performance indicators and benchmarking

TRANSACTION CONTROLS

Performed by staff and lower level management.

Every transaction goes through the identifiable steps of authorisation, execution and recording. Accuracy and reliability of transaction records depend on:

• Authorisation and approval — Transactions appropriately authorised.

• Occurrence — Recorded transactions represent events that occurred.

• Completeness — All authorised transactions are recorded.

• Measurement — Transactions are accurately recorded in proper amounts, proper account classification and proper accounting period.

• Safeguarding — Access is restricted to authorised personnel.

• Reconciliation — Recorded amounts are periodically reconciled with counts of assets.

CHARACTERISTICS OF A SATISFACTORY INTERNAL CONTROL STRUCTURE

• Controls to monitor and minimise business risks

• Segregation of incompatible duties and responsibilities

• System of authorisation, recording and procedures to provide control over assets, liabilities, revenues and expenses

• Sound business practices in performance of duties and functions

• Capabilities commensurate with responsibilities

ELEMENTS OF THE INTERNAL CONTROL STRUCTURE

• Control environment

• Information system

• Control procedures

CONTROL ENVIRONMENT

The control environment includes management’s overall attitude, awareness and actions regarding internal control and its importance in the entity (AUS 402.04/ISA 400.08).

CONTROL ENVIRONMENT EVALUATION

The auditor should consider:

• Management’s philosophy and operating style

• Entity’s organisational structure

• Assignment of authority and responsibility

• Existence and effectiveness of internal audit

• Use of information technology

• Competence and integrity of entity’s human resources

• Existence and effectiveness of audit committee

INFORMATION SYSTEM

Consists of methods and records established to:

• Identify, assemble, analyse, classify, record and report exchange transactions and relevant events and conditions; and

• Maintain accountability for entity’s assets, liabilities, revenues and expenditures.

CONTROL PROCEDURES

• Includes both policies and procedures that management has established to ensure its directives are carried out.

• Control procedures are added to the accounting system to ensure that system produces accurate and reliable data.

EVALUATING CONTROL PROCEDURES

The auditor will be interested in control procedures aimed at ensuring internal control objectives concerning:

• Authorisation and approval, e.g. control of access

• Occurrence, e.g. proper use of documents

• Completeness, e.g. accounting for sequence of pre-printed documents

• Measurement, e.g. use of control totals

• Safeguarding, e.g. physical protection

• Reconciliations, e.g. inventory counts

INTERNATIONAL DEVELOPMENTS

• In 1992, the Committee of Sponsoring Organisations of the Treadway Commission (COSO) in the USA identified an extended set of internal control procedures.

The five components of internal control structure identified by COSO are:

• Control environment

• Monitoring

• Risk assessment

• Information and communication

• Control activities

IAASB AUDIT RISK SUBCOMMITTEE

Considering revision of applicable auditing standards to reflect strategic business risk approach.

Approach appears to:

• Enhance required understanding of internal control

• Include requirement to evaluate internal control for: significant risks; and other risks for which it is not practicable or possible to reduce audit risk to an acceptably low level using substantive procedures.

Significant change to current standards, where the auditor does not have to evaluate internal controls if control risk is set at high.

CONSIDERING THE INTERNAL CONTROL STRUCTURE IN A FINANCIAL REPORT AUDIT

• For every audit, irrespective of intended reliance on IC, the auditor must obtain sufficient understanding of internal control structure to plan audit and determine tests to be performed.

• The nature and extent of auditor’s consideration of internal control structure varies considerably across audits and depends on audit strategy.

STEPS IN AUDITOR’S CONSIDERATION OF INTERNAL CONTROL STRUCTURE

Fig. 8.2 Steps in auditor’s consideration of the internal control structure (p. 338)

UNDERSTANDING THE CONTROL ENVIRONMENT

Auditor gains understanding of control environment by:

• Making enquiries of key management personnel

• Inspecting documented policies and procedures

• Observing activities and operations

• Considering past experience with client

UNDERSTANDING THE INFORMATION SYSTEM

Auditor required to obtain sufficient knowledge of information system to understand:

• Major classes of transactions

• Initiation of transactions

• Records, documents and accounts

• Accounting processing

• Financial reporting procedures

UNDERSTANDING THE CONTROL PROCEDURES

An auditor is required to obtain an understanding sufficient to develop an audit plan (AUS 402.23/ISA 400.20).

Procedures include:

• Discussion with client management and staff

• Inspection of documentation

• Observation of the entity’s activities, operations and procedures

• Walkthrough - auditor traces one or a few transactions of each type through the related documents and accounting records, observing related processing and control procedures in operation

PROCEDURES TO DOCUMENT UNDERSTANDING OF INTERNAL CONTROL STRUCTURE

• Internal control questionnaires and checklists

• Narrative memoranda

• Flowcharts

ASSESSMENT OF CONTROL RISK AS HIGH

Control risk will be assessed as high when:

• Entity does not have internal controls that relate to specific assertion;

• Testing of internal controls is likely to indicate internal controls are weak; or

• Testing of internal controls is not the most efficient method of obtaining audit evidence.

ASSESSING CONTROL RISK AS LESS THAN HIGH

For each assertion where control risk is assessed as less than high:

• Tests of controls need to be performed to ensure design and operation of control is adequate to support lowered assessed level of control

• Detection risk is assessed as higher, and as a result fewer substantive procedures are expected to be performed

LEVELS OF CONTROL IN COMPUTERISED SYSTEMS

Two main categories:

• User controls: those controls established and maintained by departments whose processing is performed by computer.

• CIS controls: those controls established and maintained in the location of the computer, for example in data-processing departments.

CIS CONTROLS AND GENERAL AND APPLICATION CONTROLS

• CIS controls can be further divided into general and application controls; general controls if they relate to a number of application systems, application controls if they relate to a particular application.

• User controls are always application controls, given their purpose.

GENERAL CONTROLS

Manual and computer controls that relate to all or many computerised accounting applications to provide a reasonable level of assurance that overall objectives of internal control are achieved.

General controls include:

• Segregation of duties

• Control over programs

• Control over data

SEGREGATION OF DUTIES

Auditor especially interested in:

• Separation between CIS and user department functions

• Separation of incompatible functions within CIS department, especially those with an understanding of system from those with access to system

SEGREGATION OF DUTIES WITHIN CIS

Table 8.1 Segregation of duties within CIS (p. 352)

Separate positions within CIS department:

Knowledge: those with an understanding of systems and programs

• CIS manager

• Systems analysts

• Applications programmers

Access: those with access to the computer, production programs and data files

• Computer operators

• Data-entry clerks (no access to computer console, data control records or programs)

• Data-control clerks (no access to computer console)

• Librarian (no access to computer console)

• Systems programmers*

* The position of systems programmer must have access to perform the function. Systems programmers should have no detailed knowledge of the company’s accounting systems or application programs.

CONTROL OVER PROGRAMS

Includes control over:

• Development or acquisition of new programs

• Changes to existing programs

• Access to programs

• Systems software

CONTROL OVER DATA

• Control procedures in user departments to ensure restricted access (e.g. key passes)

• Control procedures in CIS departments at input and processing stage

• Restriction of access to data files (e.g. password)

OTHER GENERAL CONTROLS

• These include controls that back up hardware, software and files and ensure recovery when computer installation or particular files or programs are damaged.

• These do not normally have an effect on an auditor’s control risk assessment.

APPLICATION CONTROLS

• Relate to individual computerised accounting applications (e.g. debtors)

• Contribute to achievement of specific control objectives considered by auditor in tests of controls

• Can be programmed or manual and located in either the user departments or CIS department

USER DEPARTMENT APPLICATION CONTROLS

• Control totals: financial totals; record totals; hash totals

• Review and reconciliation of data

• Error correction and resubmission procedures

• Authorisation of each transaction and batch of transactions

CIS APPLICATION CONTROLS

Usually classified in the following categories:

• Input

• File

• Processing

• Output

INPUT CONTROLS

• Control totals

• Key verification

• Key entry verification

• Programmed controls: check digit; limit or reasonableness test; field test; valid code test
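The control totals listed under user department application controls and the programmed input controls listed above can be seen working together in the following added example, which is not part of the original slides. It assumes a Luhn (mod 10) check digit, an 8-digit account number, a three-entry code table and a 50,000.00 amount limit; all names and sample batches are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# Assumed reference data for this illustration (not taken from the slides).
VALID_CODES = {"INV", "CRN", "RCT"}   # table used by the valid code test
AMOUNT_LIMIT = Decimal("50000.00")    # ceiling for the limit/reasonableness test
ACCOUNT_LENGTH = 8                    # 7 digits plus 1 Luhn check digit


@dataclass(frozen=True)
class Txn:
    doc_no: int    # source document number
    account: str   # as keyed by data entry
    code: str      # transaction type as keyed
    amount: str    # as keyed


@dataclass(frozen=True)
class BatchHeader:
    record_count: int         # record total
    financial_total: Decimal  # sum of amounts
    hash_total: int           # sum of account numbers (meaningless except as a check)


def luhn_valid(digits: str) -> bool:
    """Check digit test: Luhn mod-10 over an all-digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def account_field_ok(value: str) -> bool:
    """Field test: account must be exactly ACCOUNT_LENGTH ASCII digits."""
    return len(value) == ACCOUNT_LENGTH and value.isascii() and value.isdigit()


def parse_amount(value: str):
    """Field test: amount must be a finite decimal number; None if not."""
    try:
        amount = Decimal(value)
    except InvalidOperation:
        return None
    return amount if amount.is_finite() else None


def edit_checks(txn: Txn) -> list:
    """Run the programmed controls on one keyed record; return the failures."""
    errors = []
    if not account_field_ok(txn.account):
        errors.append("field test: account")
    elif not luhn_valid(txn.account):
        errors.append("check digit")
    amount = parse_amount(txn.amount)
    if amount is None:
        errors.append("field test: amount")
    elif not (Decimal("0") < amount <= AMOUNT_LIMIT):
        errors.append("limit test")
    if txn.code not in VALID_CODES:
        errors.append("valid code test")
    return errors


def control_totals(batch) -> BatchHeader:
    """Recompute the three control totals over records whose fields parse."""
    usable = [t for t in batch
              if account_field_ok(t.account) and parse_amount(t.amount) is not None]
    return BatchHeader(
        record_count=len(usable),
        financial_total=sum((parse_amount(t.amount) for t in usable), Decimal("0")),
        hash_total=sum(int(t.account) for t in usable),
    )


def validate_batch(header: BatchHeader, batch) -> dict:
    """Compare keyed data with the user department's header and list rejects."""
    rejected = {}
    for txn in batch:
        errors = edit_checks(txn)
        if errors:
            rejected[txn.doc_no] = errors
    actual = control_totals(batch)
    out_of_balance = [name for name in ("record_count", "financial_total", "hash_total")
                      if getattr(actual, name) != getattr(header, name)]
    return {"rejected": rejected, "out_of_balance": out_of_balance}


# Constructed sample: totals the user department took from the source documents.
HEADER = BatchHeader(3, Decimal("2305.75"), 62847030)
KEYED_OK = [Txn(101, "12345674", "INV", "1250.00"),
            Txn(102, "20001137", "RCT", "980.50"),
            Txn(103, "30500219", "CRN", "75.25")]
# Same documents keyed with three errors: transposed account digits (101),
# transposed amount digits that still pass every edit check (102), bad code (103).
KEYED_BAD = [Txn(101, "12346574", "INV", "1250.00"),
             Txn(102, "20001137", "RCT", "908.50"),
             Txn(103, "30500219", "CRM", "75.25")]

if __name__ == "__main__":
    print(validate_batch(HEADER, KEYED_OK))
    print(validate_batch(HEADER, KEYED_BAD))
```

Document 102 in the second batch passes every programmed control on its own; only the financial total reveals the keying error, which is why the batch totals and the per-record tests are used together.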

FILE CONTROLS

Include:

• Internal file labels — computer-readable data that identifies content of file

• External file labels — printed or handwritten labels attached to disk or tape

PROCESSING CONTROLS

• Programmed control procedures: checking numerical sequence of records; comparing related fields

• Run-to-run control totals

OUTPUT CONTROLS

These include:

• Restricted distribution

• Automatic dating of reports

• Page numbering

• End-of-report messages

RELATIONSHIP BETWEEN THE REVIEW OF GENERAL AND APPLICATION CONTROLS

• Should start internal control evaluation by looking at general controls.

• If general controls are unreliable, auditor has little confidence in programmed application controls and reduced confidence in manual application controls => auditor takes more substantive approach to the audit.

• If general controls are reliable, auditor makes preliminary evaluation of application controls. If reliance on application controls is then planned, a more detailed evaluation of these controls is made => auditor determines appropriate degree of testing of controls and substantive testing.

CONTROL SYSTEMS IN DIFFERENT ENVIRONMENTS: DATABASE SYSTEMS

• A database is a computer-readable file of records that is used by many accounting applications.

• In order to handle processing of data, a system software program called a database management system (DBMS) is used.

• Guidance on auditing database systems is contained in AGS 1022/IAPS 1003.

STAND-ALONE PC SYSTEMS

• In such systems the distinction between general and application controls might be blurred and controls might be less structured. For this reason control risk might be assessed at maximum level.

• Guidance on auditing stand-alone PC systems is contained in AGS 1018/IAPS 1001.

LANS AND OTHER NETWORKS

• Networking PCs means that processing is distributed to PCs at many locations.

• This can cause problems with security and control procedures as they are more dispersed and intensify control risk.

COMPUTER SERVICE BUREAU

• Computer service bureau is a centre or service entity that performs computer applications for another company.

• A common application processed through a service entity is payroll.

• AUS 404/ISA 402 provides an auditor with guidance on audit implications of using a computer service entity.

CONSIDERING THE WORK OF AN INTERNAL AUDITOR

• AUS 604/ISA 610 recognises that an external auditor is able to use the work of an internal auditor to assist in an audit engagement.

• Extent of reliance is dependent on evaluation of internal audit function by external auditor.

DIFFERENCES BETWEEN INTERNAL AND EXTERNAL AUDITOR

• These differences are: objectives; independence; qualifications of each of the auditors

• For an external audit, each of these elements is regulated by the Corporations Act, while they are determined by management for an internal audit.

EVALUATING INTERNAL AUDIT

External auditors should consider:

• Organisational status

• Scope of internal auditing

• Technical competence

• Due professional care

USING THE SERVICES OF INTERNAL AUDIT

• Overall responsibility for audit engagement remains with external auditor.

• External auditor is required to undertake general evaluation as part of review of IC structure.

• If external auditor plans to rely on internal audit, they should carefully review internal auditor’s working papers and procedures to ensure testing is sufficient to meet their requirements, and that conclusions outlined in working papers are appropriate.