-
Define internal control
Internal control encompasses the entity’s resources, systems, processes, culture, structure and tasks
When controls are effective, the entity is more likely to achieve its strategic and operating objectives
The auditor focuses on controls with a direct impact on the entity’s financial reporting, compliance and asset safeguarding (ASA 315; ISA 315) (Maintain integrity of financial reporting)
Internal control is the process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of the entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations”
-
Objectives of internal control- assertions
- 1. No fictitious or duplicated transactions- occurrence, rights and obligations, existence
- 2. Prevent or detect omissions of transactions- accuracy, completeness, valuation and allocation
- 3. Correct amounts assigned to transactions- accuracy, valuation and allocation
- 4. Classified transactions are charged to the correct account- accuracy, valuation and allocation, classification
- 5. Transactions must be summarised and totalled correctly- accuracy, valuation and allocation
- 6. Accumulated totals in transaction file are correctly transferred to general and subsidiary ledgers- accuracy, classification, valuation and allocation
- 7. Transactions are recorded in the correct accounting period- cut-off, completeness
-
Objectives of internal controls
1. Auditor aims to gain an understanding of how the client uses internal controls to meet these objectives- observation enquiry
2. Focusing on these objectives helps auditor select controls for testing to gain greatest assurance that controls are operating effectively
3. Failure of an entity’s controls to meet any of these objectives is a weakness in internal control
-
Inherent limitations of internal controls
- Human error that results in control breakdown
- Ineffective understanding of control’s purpose
- Collusion by two or more individuals to avoid control
- Software program control being overridden, disabled
- Management decisions about nature and extent of controls being implemented
-
Entity-level internal controls
-
Entity level control: control environment
Culture, structure and discipline of an entity.
–Communication and enforcement of integrity and ethical values
–Commitment to competence
–Participation by those charged with governance
–Management’s philosophy and operating style
–Organisational structure, including IT
–Assignment of authority and responsibility
–Human resource policies and practices
-
Entity-level internal controls: entity's risk assessment process
- How does the entity identify and respond to business risks?
- Auditor is interested in how management identify, analyse and manage risks relevant to financial reporting, and how the risks might impact the audit
-
Entity-level controls: information systems and communication
- Designed to capture and provide information to conduct, manage and control entity’s operations
- Includes manual and automated systems
- Auditor is interested in systems relevant to financial reporting
-
Entity level controls: control activities
Policies and procedures that help make sure management’s directives are carried out
–Performance review - actual vs budget, investigation of differences
–Information processing - Manual or automated, to check accuracy etc
–Physical control - Security of assets and records
- –Segregation of incompatible duties
- No one employee/group should be in position both to perpetrate a fraud and to cover it up
- Separate authorisation/custody/recording
-
When understanding client's control activities the auditor considers
- Extent of reliance on IT
- Existence of necessary policies and procedures
- Extent to which control policies are being applied
- Clarity of management objectives for controls
- Existence of planning and reporting systems for performance and investigation of variance, and management action to follow-up
- Extent of segregation of duties
- Software controls over data and programs
- Periodic comparison between records and assets
- Safeguards over access to documents, records, assets
-
Entity level controls: monitoring controls
Do management monitor controls and modify as required when conditions change?
–Ongoing monitoring procedures should be part of regular activities, e.g. internal audit function
- –Auditor considers:
- Are there periodical evaluations of internal controls?
- Do client staff regularly obtain evidence of control functioning?
- Extent to which information from external parties corroborate, or contradict, internal information
- Management act on audit recommendations, or respond to control difficulties on timely basis
-
Internal control in small entities
- Difficult to implement formal controls, segregate duties in small entities.
- Reliance on owner-manager, heavily involved in daily business
- Auditor could increase substantive procedures to compensate for weaker controls
-
Transaction level controls
- These controls impact a particular transaction, or group of transactions
- They are aimed at preventing an error from entering the records, or detecting errors that do enter the records
- Controls are considered for transaction processes, or flows, for example,
- Sales process
- Cost of sales process
-
Transaction-level controls: when gaining an understanding of the transaction processes, the auditor
Identifies major events and transactions in the process
Identifies risks to correct processing of the transactions – What Can Go Wrong? (WCGWs)
For each WCGW, auditor identifies one or more controls
This understanding is documented and used to guide evaluation and testing of internal controls
-
Documenting internal controls: narratives and flowcharts, combination
- Narratives: Very useful when controls simple, straightforward
- Auditor uses words to describe each step of transaction from start to finish
- Flowcharts: Useful for more complex controls – keep chart simple
- Conveys information visually
- Combination: Use both techniques side-by-side. Narrative used to explain details
-
Documenting internal controls: Checklists and preformatted questionnaires
- Helps identify most common controls that should be present
- Useful for less experienced auditors
-
-
Identifying strengths and weaknesses in controls
- After documentation, auditor must assess control system
- Identify weaknesses that have financial reporting impact
- Draw conclusions about control risk (low, medium, high)
- Significant levels of professional judgement are required when deciding whether an internal control observation (individually or in combination with others) is relevant to the audit and should be tested.
ASA260 requires auditors to provide those charged with governance with timely observations arising from the audit that are significant and relevant to their responsibility to oversee the financial reporting process, and to promote effective two-way communication between the auditor and those charged with governance.
The auditor needs to communicate issues of governance interest as soon as practicable, and at an appropriate level of responsibility, including significant (or material) weaknesses in the design or implementation of internal control. It is for these key reasons that the auditor prepares what is often called a management letter.
-
Management letters
Letter from the auditor to the client, recommendations based on internal control assessment findings and other matters (ASA 260; ISA 260, and ASA 265; ISA 265)
Professional judgment required about which matters to include in letter
Allows management to document their actions in response, and inform those charged with governance
Often use interim and final management letters
|
|
