EPC2021 CPD Internal Controls 21062021

This document discusses internal controls, including: 1) It defines preventative and detective controls and provides examples of each. Preventative controls prevent undesirable events while detective controls identify issues. 2) It describes how controls can be manual or automated. Manual controls are executed by people while automated controls are configured in software code. 3) Controls operate at different organizational levels, including entity, management, IT, and process levels. IT general controls address risks related to inputs, data integrity, and extractions. 4) The document provides guidance on testing controls from ISA 330, communicating deficiencies from ISA 265, and considerations for service organizations from an assurance perspective.


Continuing professional development
Auditing and Assurance
Internal controls
Internal controls
❑ A control is an activity that prevents, or detects and corrects, errors in order to mitigate risks
― Preventative controls – prevent undesirable events from occurring and facilitate desirable events; and
― Detective controls – identify or detect undesirable events and correct the resulting errors/misstatements

❑ Examples of preventative controls:
― Approvals
― Segregation of duties
― Restrictions of user overrides
― Dual entry of sensitive managerial transactions
― System controls preventing unauthorized access

❑ Examples of detective controls:
― Stock count
― Exception reports and action taken on the exceptions
― Management review and action taken on the exceptions

© Endunamoo APC Professional Programme 2020 4


Internal controls…
❑ Two ways controls are executed:
― Manual controls – executed by people (e.g. authorisation and management review controls)
― Automated controls – configured in application code (e.g. exception reports, interface and system access controls)

❑ Controls are applicable at different levels in the organisation (the slide shows these as a hierarchy: Entity Level Controls, Higher Level Controls, IT General Controls, Process Level Controls):
― Governance level controls (entity level controls)
― Management level controls (higher level controls)
― IT General controls, which address the following risks:
o Input risk
o Data integrity/manipulation risk
o Extraction risk
― Process level controls, for example over:
o Revenue and receivables
o Expenses, procurement and creditors
o Inventory
o Fixed assets



IT General Controls
❑ IT General controls apply to mainframe and end-user environments at the following levels:
― Operating system
― Application level
― Database
― Network

❑ IT General controls that maintain the integrity of information and the security of data commonly include controls over the following (ISA 315:A96):
― Data centre and network operations
― System software acquisition, change and maintenance
― Program change controls
― Access security
― Application system acquisition, development and maintenance

The slide groups these into four ITGC domains, each covered on its own slide: Logical access, Program changes, Computer operations, System security.



Access controls (logical access)

Slide legend: each control is marked as Manual or Automated, and as Preventative or Detective.

❑ Approval of new users and of modifications to existing users
❑ Timeous termination of users
❑ Review of users and user profiles
❑ Privileged user approval
❑ Password protection
❑ Review of privileged user activities
― Completeness and accuracy of the information used in the review
― Evidence the review
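The detective access controls on this slide (timeous termination of leavers, review of users and profiles, privileged user approval, and the completeness/accuracy and evidencing points under the review) can be automated as a reconciliation. The script below is an added example written for this page; it is not from the original slides or from the Endunamoo programme. The user export, HR leavers list, approval register, field names, thresholds and dates are constructed assumptions, chosen so that each check fires on at least one account.

```python
"""Detective access-review check (added example, not from the original slides).

Reconciles a constructed user export from a system against an HR leavers
list and a privileged-access approval register, then returns the findings
together with a review record that evidences what population was reviewed.
"""
import csv
import hashlib
import io
from datetime import date

# Constructed sample data. Field names, approval references, thresholds and
# dates are assumptions for illustration only.
USER_EXPORT = """\
username,status,is_admin,last_login
alice,active,true,2024-05-20
bob,active,false,2024-01-03
carol,active,true,2024-05-28
dave,disabled,false,2023-11-15
erin,active,false,2024-05-30
"""
EXPORT_CONTROL_TOTAL = 5            # row count reported by the source system
HR_LEAVERS = {"bob": date(2024, 4, 30), "dave": date(2024, 3, 31)}
PRIVILEGE_APPROVALS = {"alice": "ACC-1042"}   # carol has no approval on file
REVIEW_DATE = date(2024, 6, 1)
DORMANCY_DAYS = 90                  # assumed policy threshold
TERMINATION_GRACE_DAYS = 1          # assumed: disable within one day of leaving


def parse_export(text):
    """Parse the CSV export into dicts with typed fields."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["is_admin"] = row["is_admin"].strip().lower() == "true"
        row["last_login"] = date.fromisoformat(row["last_login"])
    return rows


def review_access(export_text, leavers, approvals, review_date, control_total):
    """Return (findings, evidence). Each finding is (code, username, detail)."""
    rows = parse_export(export_text)
    findings = []

    # Completeness and accuracy of the information used in the review:
    # reconcile the export to the control total reported by the system first.
    if len(rows) != control_total:
        findings.append(("INCOMPLETE_POPULATION", None,
                         f"export has {len(rows)} rows, control total is {control_total}"))

    for row in rows:
        user = row["username"]
        active = row["status"] == "active"

        # Timeous termination of users: leavers must not remain active.
        if active and user in leavers:
            overdue = (review_date - leavers[user]).days
            if overdue > TERMINATION_GRACE_DAYS:
                findings.append(("LEAVER_STILL_ACTIVE", user,
                                 f"left on {leavers[user]}, still active {overdue} days later"))

        # Privileged user approval: every admin account needs an approval reference.
        if row["is_admin"] and user not in approvals:
            findings.append(("PRIVILEGE_UNAPPROVED", user,
                             "admin account with no approval reference"))

        # Review of users and user profiles: flag dormant but still active accounts.
        idle = (review_date - row["last_login"]).days
        if active and idle > DORMANCY_DAYS:
            findings.append(("DORMANT_ACCOUNT", user, f"no login for {idle} days"))

    # Evidence the review: record what population was reviewed, when, and the result.
    evidence = {
        "review_date": review_date.isoformat(),
        "population_sha256": hashlib.sha256(export_text.encode()).hexdigest(),
        "population_size": len(rows),
        "finding_count": len(findings),
    }
    return findings, evidence


if __name__ == "__main__":
    found, record = review_access(USER_EXPORT, HR_LEAVERS, PRIVILEGE_APPROVALS,
                                  REVIEW_DATE, EXPORT_CONTROL_TOTAL)
    for code, user, detail in found:
        print(f"{code:22} {user or '-':8} {detail}")
    print(record)
```

On the constructed data the review raises three findings (bob is a leaver still active and dormant; carol holds admin rights with no approval on file) and records the SHA-256 of the export it examined, which is what a reviewer would attach to the sign-off to evidence which population was reviewed. If the export's row count does not agree to the system's control total the review is reported as incomplete before any per-user conclusion is drawn.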



Change controls (program changes)

Slide legend: each control is marked as Manual or Automated, and as Preventative or Detective.

❑ Approval of changes
❑ Review of changes
― Completeness and accuracy of the information used in the review
― Evidence the review
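A review of changes is only as good as the population it is run over and the conditions it tests. The script below is an added example for this page, not from the original slides; it reconciles a constructed deployment log against a constructed change-approval register and flags the failure modes a reviewer looks for: a change with no ticket, a ticket that was never approved, a change approved by its own author (segregation of duties), and an approval recorded only after the change was already live. Ticket numbers, names and timestamps are assumptions.

```python
"""Detective change-control review (added example, not from the original slides).

Reconciles a constructed deployment log against a change-approval register and
flags changes that were not ticketed or approved, were approved by their own
author, or were approved only after they had already been deployed.
"""
import csv
import io
from datetime import datetime

# Constructed sample data; ticket numbers, names and timestamps are assumptions.
DEPLOY_LOG = """\
change_id,ticket,author,deployed_at
c1a2,CHG-201,alice,2024-05-02T10:15
d3b4,CHG-202,bob,2024-05-03T09:00
e5c6,,carol,2024-05-04T16:40
f7d8,CHG-204,dave,2024-05-05T11:30
g9e0,CHG-203,erin,2024-05-05T12:00
"""
APPROVAL_REGISTER = """\
ticket,approver,approved_at
CHG-201,frank,2024-05-01T17:00
CHG-202,bob,2024-05-02T12:00
CHG-204,frank,2024-05-06T08:00
"""


def load_csv(text):
    """Parse an inline CSV document into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def review_changes(deploy_log_text, approvals_text):
    """Return {change_id: [finding codes]} for every change that fails the control."""
    approvals = {a["ticket"]: a for a in load_csv(approvals_text)}
    results = {}
    for change in load_csv(deploy_log_text):
        codes = []
        ticket = change["ticket"].strip()
        deployed_at = datetime.fromisoformat(change["deployed_at"])
        if not ticket:
            # Deployed with no change record at all.
            codes.append("NO_CHANGE_TICKET")
        elif ticket not in approvals:
            # Ticket exists but no approval was ever recorded for it.
            codes.append("TICKET_NOT_APPROVED")
        else:
            approval = approvals[ticket]
            # Segregation of duties: the author may not approve their own change.
            if approval["approver"] == change["author"]:
                codes.append("SELF_APPROVED")
            # Approval must precede deployment; a later approval is retrospective.
            if datetime.fromisoformat(approval["approved_at"]) > deployed_at:
                codes.append("APPROVED_AFTER_DEPLOY")
        if codes:
            results[change["change_id"]] = codes
    return results


if __name__ == "__main__":
    for change_id, codes in review_changes(DEPLOY_LOG, APPROVAL_REGISTER).items():
        print(change_id, ", ".join(codes))
```

In practice the deployment log should come from the production system itself (a release tool's audit trail or the repository's merge history) rather than from the change team's own records, so that the population being reviewed is complete and independent of the people whose approvals are under test.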



Computer operations and system security

Slide legend: each control is marked as Manual or Automated, and as Preventative or Detective.

❑ Backups
❑ Disaster recovery controls
❑ Anti-virus controls
❑ Firewalls and encryption
❑ Penetration testing
❑ Batch processing



Tests of controls ISA330

International Standard on Auditing 330 (ISA 330) "The Auditor's Responses to Assessed Risks" provides that the auditor shall
design and perform tests of controls to obtain sufficient appropriate audit evidence as to the operating effectiveness of relevant
controls when (ISA 330:8):

❑ The auditor's assessment of risks of material misstatement at the assertion level includes an expectation that the controls are
operating effectively (that is, the auditor intends to rely on the operating effectiveness of controls in determining the nature,
timing and extent of substantive procedures); OR

❑ Substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion level, for example:
― It is impossible to design effective substantive procedures (e.g. the entity conducts its business using IT and no documentation
of transactions is produced or maintained other than through the IT system).

Where there is a significant risk due to fraud or error, the auditor must, at a minimum, evaluate the suitability of the design of
the relevant controls and whether they have been implemented.



Tests of controls… ISA330

When the auditor obtains audit evidence about the operating effectiveness of controls during an interim period, the auditor shall:
❑ Obtain audit evidence about changes to those controls subsequent to the interim period; and
❑ Determine what additional audit evidence should be obtained for the remaining period (ISA 330:12).

Risk assessment procedures to obtain audit evidence about the design and implementation of relevant controls include:
❑ Inquiring of entity personnel
❑ Observing the application of specific controls
❑ Inspecting documents and reports
❑ Tracing transactions through the information system relevant to financial reporting

Test of controls
❑ Suitability of the design
❑ Appropriate implementation
❑ Operating effectiveness



Internal control deficiencies ISA265

International Standard on Auditing 265 (ISA 265) "Communicating Deficiencies in Internal Control to Those Charged with
Governance and Management" provides that the objective of the auditor is to communicate appropriately to those charged with
governance and management deficiencies in internal control that the auditor has identified during the audit and that, in the auditor's
professional judgment, are of sufficient importance to merit their respective attention (ISA 265:5).

ISA 265:6 provides that a deficiency in internal control exists when:


• A control is designed, implemented or operated in such a way that it is unable to prevent, or detect and correct, misstatements
in the financial statements on a timely basis; or
• A control necessary to prevent, or detect and correct, misstatements in the financial statements on a timely basis is missing.

Significant deficiency in internal control – a deficiency or combination of deficiencies in internal control that, in the auditor’s
professional judgment, is of sufficient importance to merit the attention of those charged with governance.

The auditor shall include in the written communication of significant deficiencies in internal control: (a) a description of the
deficiencies and an explanation of their potential effects; and (b) sufficient information to enable those charged with governance
and management to understand the context of the communication.



Service organisations
Many entities use service organisations to accomplish tasks that affect the entity's internal controls. These services range from
performing a specific task under the direction of the entity to replacing entire business units or functions of the entity.

Examples of service organisations


❑ Custodial functions
❑ Fund administrators
❑ Investment and fund managers
❑ Software application and technology environment providers

Where management takes an active role in the controls at a service organisation:

❑ If functions performed at the service organisation are integral to the entity's business operations, the question is whether the
service organisation's controls complement those operated by the entity itself.
❑ If functions performed by the service organisation affect the entity's financial statements, auditors may also seek information
about the control procedures surrounding those services.



Assurance reports on controls ISAE3402

International Standard on Assurance Engagements 3402 (ISAE 3402) “Assurance Reports on Controls at a Service Organisation”
provides various objectives for the service auditor (ISAE 3402:8); these being to obtain and report on reasonable assurance about
whether, in all material respects, based on suitable criteria:

❑ The service organisation’s description of its system fairly presents the system as designed and implemented throughout the
specific period or as at a specific date;

❑ The controls related to the control objectives stated in the service organisation’s description of its system were suitably
designed throughout the specific period or as at a specific date; and

❑ Where included in the scope of the engagement, the controls operated effectively to provide reasonable assurance that the
control objectives stated in the service organisation’s description of its system were achieved throughout the period.



Assurance reports on controls… ISAE3402

In the pre-engagement activities of an assurance engagement such as this, the assurance provider spends more time discussing the
engagement with management or those charged with governance, to understand the purpose of the engagement and to identify
the five elements of the engagement. This is done more so than for an audit engagement, where the purpose of the engagement
and the five elements are generally understood and clear. The elements are as follows:
❑ Three-party relationship
― User entity
― Service auditor
― Service organisation
❑ Appropriate subject matter
❑ Suitable criteria (i.e. benchmarks) and control objectives
❑ Sufficient and appropriate evidence
❑ Written report



Assurance reports on controls… ISAE3402

Key factors to consider in evaluating the assurance report on controls at the service organisation and understanding the extent of
reliance to be placed thereon:
❑ Whether the service auditor complies with relevant ethical requirements, including those pertaining to independence;
❑ Whether the service auditor has the capabilities and competence to perform the engagement;
❑ Whether the scope of the engagement and the service organisation's description of its system are not so limited that they
are unlikely to be useful to the user entities and their auditors – this includes:
— Whether the scope is limited to a type 1 report (description and design of controls as at a specific date); or
— Whether it is a type 2 report (also covering operating effectiveness throughout a period), in which case consider:
o The reliance period
o Bridging letters covering any gap between the end of the report period and the user entity's year end
❑ Sampling, and the completeness and accuracy of the population from which the samples were drawn;
❑ Whether the assurance report was qualified or unqualified for each of the control objectives;
❑ What control deficiencies were reported and their impact on the user entity; and



Assurance reports on controls… ISAE3402

Key factors to consider in evaluating the assurance report on controls at the service organisation (continued):
❑ Carve-out or inclusive method for subservice organisations
― Carve-out method: the service organisation's description of its system includes the nature of the services provided by a
subservice organisation, but that subservice organisation's relevant control objectives and related controls are excluded from the
service organisation's description of its system and from the scope of the service auditor's engagement; and
― Inclusive method: the service organisation's description of its system includes the nature of the services provided by a
subservice organisation, and that subservice organisation's relevant control objectives and related controls are included in the
service organisation's description of its system and in the scope of the service auditor's engagement.

[Slide diagram: a user entity, ABC Investments, shown with the service organisations it uses; labels on the diagram: Alexander Forbes, SAGE Payroll Administrators, RH, Allan Gray Investment Fund Managers, VatIT.]



User entity of a service organisation ISA402

International Standard on Auditing 402 (ISA 402) "Audit Considerations Relating to an Entity Using a Service Organisation"
provides that the objective of the user auditor, when the user entity uses the services of a service organisation, is to obtain an
understanding of the nature and significance of the services provided by the service organisation and their effect on the user
entity's internal control relevant to the audit, sufficient to identify and assess the risks of material misstatement and to design
and perform audit procedures responsive to those risks (ISA 402:7).

❑ Obtain an understanding from user manuals, system overviews, technical manuals, service level agreements, internal audit
reports and service auditors' reports on the controls at the service organisation (ISA 402:A1).

❑ Examples of service organisation services that are relevant to the audit include (ISA 402:A4):
― Maintenance of the user entity’s accounting records
― Management of assets
― Initiating, recording or processing transactions as agent of the user entity



Thank you
Lecturer
Ferdi: [email protected]
APC Coordinator
| Email: [email protected]
