Chapter 8 - Systems & Controls
If a client’s system of internal control is working effectively, there will be less risk
of material misstatement in the financial statements as the controls will either
prevent the errors from happening in the first place, or they will detect the
misstatements and prompt action for them to be corrected.
If control risk is low, the auditor can place more reliance on the internal controls
and reduce the quantity of detailed substantive procedures. The audit strategy
would be updated to reflect that fewer substantive procedures or smaller sample
sizes will be required.
If control risk is high, the auditor would increase the size of substantive
procedures, place less reliance on analytical procedures (as the information
provided would not be reliable), obtain more evidence from external sources, and
update the audit strategy to reflect the additional testing.
The auditor can never eliminate the need for substantive procedures entirely, as
internal controls have a few limitations.
These are human error, ineffective controls (controls might not work as
intended), collusion of staff (staff working together to bypass segregation of
duties), abuse of power by those with controlling responsibility, and the use of
management judgement.
The auditor may consider how management responds to the findings and whether
any controls are implemented. Evidence regarding the control environment is
obtained through a mixture of enquiry and observation.
If the client has robust procedures for assessing the business risks it faces, then
the overall risk of misstatement would be lower. If the auditor identifies instances
where management failed to identify risks of material misstatement, they
should obtain an understanding of why the entity’s process failed to identify the
risks and consider the implications for the audit.
Entity’s process to monitor the system of internal control
This is the client’s continual process of evaluating the effectiveness of the controls
over time and taking necessary remedial action. Monitoring can be either ongoing or
separate. Monitoring is often the role of the internal audit department.
The information system relevant to financial reporting consists of all the activities
and policies relevant to financial reporting, including the procedures within
both computerized and manual systems.
The information system includes all the procedures designed to initiate, record,
process and report transactions; maintain accountability for assets, liabilities and
equity; resolve incorrect processing of transactions; and ensure that information
required to be disclosed is appropriately reported.
Control activities
Control activities are the policies and procedures to achieve the control objectives
of management and those charged with governance. Examples of specific control
activities are authorization to confirm the validity of a transaction, reconciliations,
verifications, physical or logical controls, and segregation of duties.
A control objective identifies the risk that the entity needs to manage. Most
companies would have a control procedure in place to prevent this risk from
occurring.
Controls may be direct or indirect. Direct controls address the risk of material
misstatement at the assertion level, whereas indirect controls support the direct
controls.
To ascertain the system, the auditor should enquire of the relevant personnel,
observe the application of controls, trace a transaction through the system to
understand what happens, and inspect documents.
The auditor should not, however, rely on enquiries and knowledge from the
previous year, as changes might have occurred; systems knowledge must be
updated and tested once more. The auditor should usually test the controls once
every third audit.
The auditor must document the client’s control systems before evaluating
whether the system is adequate and working effectively. Ways of documenting
the systems include:
Internal control questionnaires (ICQ): a list of controls is given to the client and
they are asked whether those controls are in place. Usually asks does.
Tests of controls are only performed on those controls that the auditor has
determined are suitable to prevent or detect and correct a material
misstatement. Controls will only be worth testing if they are designed
appropriately in the first place and implemented. If a control is not designed to be
implemented effectively, there is no benefit in testing it. Methods of testing
include:
Inspection of documents
Significant deficiencies are those which merit the attention of those charged with
governance.
The auditor will consider the following when determining whether a deficiency in
internal control is significant: the likelihood of the deficiencies leading to material
misstatements, susceptibility to loss or fraud, the subjectivity and complexity of
determining estimated amounts, the financial statement amounts exposed to the
deficiencies, and the importance of the controls to the financial reporting process.
Exam requirement
Recommendation: Must deal with the specific deficiency you have identified.
In the exam, if asked for a covering letter in which the auditor gives a report on
deficiencies, it should be made clear that:
Only those deficiencies that have come to light during normal audit procedures are
reported, the report is made for the sole use of the company, no disclosure should
be made to a third party, and no responsibility is assumed to any other parties.
1. Sales system
2. Purchases system
3. Payroll system
4. Inventory system
5. Cash system
6. Non-Current assets
Use the words “This could result in” or “There is a risk that”.
Key controls are actions taken by management to reduce the risk of fraud and
error. For the full mark, explain the risk that the control is designed to mitigate.
Use the wording “This minimizes the risk of” or “This ensures that”.
Test of controls