
Chapter 8 - Systems & Controls

Chapter 8 discusses the importance of internal controls in reducing the risk of material misstatements in financial statements, highlighting the auditor's reliance on these controls based on their effectiveness. It outlines the components of internal control, the limitations auditors face, and methods for documenting and testing these systems. The chapter also emphasizes the need for auditors to communicate deficiencies and provide recommendations for improvement.

Uploaded by

Savitha M

Chapter 8

Systems & Controls

If a client’s system of internal control is working effectively, there will be less risk
of material misstatement in the financial statements as the controls will either
prevent the errors from happening in the first place, or they will detect the
misstatements and prompt action for them to be corrected.

If control risk is low, the auditor can place more reliance on the internal controls
and reduce the quantity of detailed substantive procedures. The audit strategy would
be updated to reflect that fewer substantive procedures or smaller sample sizes will
be required.

If control risk is high, the auditor would increase the size of substantive
procedures, place less reliance on analytical procedures as the information
provided would not be reliable, obtain more evidence from external sources, and
update the audit strategy to reflect the additional testing.

Limitations of internal control

The auditor can never eliminate the need for substantive procedures entirely, as
internal control has a few limitations.

These are human error, ineffective controls (controls might not work as
intended), collusion of staff (staff working together to bypass segregation of
duties), abuse of power by those with controlling responsibility, and the use of
management judgement.

Components of internal control

The auditor needs to understand an entity’s internal control. There are five
components: control environment, risk assessment process, information system,
control activities, and monitoring.

The control environment

The control environment includes the governance and management function of
an organisation. It focuses largely on the attitude, awareness, and actions of
those responsible for internal controls. The control environment sets the tone of
an organisation and provides the foundation for the other components.

Elements of the control environment:

How management’s responsibilities are carried out, how those charged with
governance demonstrate independence, how the entity assigns authority and
responsibilities, policies of recruitment, and how the entity holds individuals
accountable.

Auditor may consider how the management responds to the findings and whether
any controls are implemented. Evidence regarding the control environment is
obtained through a mixture of enquiry and observation.

Entity’s risk assessment process

The auditor must obtain an understanding of the entity’s process of identifying
business risk relevant to financial reporting. The risk assessment process forms the
basis for how the management determines the risk to be managed. However, the
auditor is usually interested in the risks relevant to preparation of financial
statements.

Business risks relevant to financial reporting are threats to the achievement of
ongoing business objectives and can lead to misstatement in the financial
statements.

If the client has robust procedures for assessing the business risks it faces, then
the risk of misstatement overall would be lower. If the auditor identifies instances
where management failed to identify risks of a material misstatement, they
should obtain an understanding of why the entity’s process failed to identify the
risks and consider the implications for the audit.

Entity’s process to monitor the system of internal control

This is the client’s continual process of evaluating the effectiveness of the controls
over time and taking necessary remedial action. Monitoring can either be ongoing or
separate. Monitoring is often the role of the internal audit department.

Information system and communication

The information system relevant to financial reporting consists of all the activities
and policies relevant to financial reporting, including the procedures within
both computerized and manual systems.

The information system includes all the procedures designed to initiate, record,
process and report transactions, maintain accountability for assets, liabilities and
equity, resolve incorrect processing of transactions, and ensure information required
to be disclosed is appropriately reported.

Control activities

Control activities are the policies and procedures to achieve the control objectives
of management and those charged with governance. Examples of specific control
activities are authorization to confirm the validity of a transaction, reconciliations,
verifications, physical or logical controls, segregation of duties.

A control objective identifies the risk that the entity needs to manage; most
companies would have a control procedure in place to prevent this risk from
occurring.

Controls may be direct or indirect. Direct controls address the risk of material
misstatements at the assertion level, whereas indirect controls support the direct
controls.

Complex IT systems may involve the use of emerging technologies, whereas less
sophisticated systems may simply be a user interface in which the client enters
data which the system processes. IT controls are divided into general controls and
information processing controls. An effective IT system should include both.

General IT controls support the continued proper operation of the IT
environment, including effective functioning of the information processing
controls. Examples are controls over access, program changes, and the process to
manage IT operations.

Information processing controls relate to the processing of information in IT
applications; these controls would be automated. Examples include batch total
checks, sequence checks, matching master files, arithmetic checks, range checks,
existence checks, authorization of transaction entries, and exception reporting.
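
The automated checks listed above, sketched as an added example that is not part of the original notes. The invoice batch, customer master file, field names and quantity limits are constructed for illustration.

```python
from decimal import Decimal as D

# Constructed sample data: customer master file, batch header, one invoice batch.
MASTER = {"C001", "C002", "C003"}
HEADER = {"record_count": 5, "control_total": D("1540.00")}
QTY_RANGE = (1, 1000)  # assumed acceptable quantity per invoice
FIELDS = ("doc_no", "customer", "qty", "price", "total")
BATCH = [dict(zip(FIELDS, row)) for row in [
    (1001, "C001", 10, D("12.50"), D("125.00")),
    (1002, "C002", 4, D("50.00"), D("200.00")),
    (1004, "C009", 2, D("100.00"), D("200.00")),    # 1003 missing, unknown customer
    (1005, "C003", 5000, D("0.20"), D("1000.00")),  # quantity out of range
    (1006, "C001", 3, D("5.00"), D("25.00")),       # qty * price is 15.00, not 25.00
]]

def run_controls(batch, header, master, qty_range):
    """Return an exception report as a list of (doc_no or None, check, detail)."""
    report = []
    # Batch total checks: record count and control total against the batch header.
    if len(batch) != header["record_count"]:
        report.append((None, "batch_count", f"{len(batch)} records in batch"))
    actual = sum((r["total"] for r in batch), D("0"))
    if actual != header["control_total"]:
        report.append((None, "batch_total", f"sum of invoices is {actual}"))
    # Sequence check: document numbers must run without gaps or duplicates.
    numbers = sorted(r["doc_no"] for r in batch)
    for prev, cur in zip(numbers, numbers[1:]):
        if cur == prev:
            report.append((cur, "sequence", "duplicate document number"))
        for missing in range(prev + 1, cur):
            report.append((missing, "sequence", "missing document number"))
    for r in batch:
        # Existence check (matching the master file): the customer must exist.
        if r["customer"] not in master:
            report.append((r["doc_no"], "existence", f"unknown {r['customer']}"))
        # Range check: quantity must lie inside the permitted limits.
        if not qty_range[0] <= r["qty"] <= qty_range[1]:
            report.append((r["doc_no"], "range", f"qty {r['qty']}"))
        # Arithmetic check: recompute the line total from quantity and price.
        if r["qty"] * r["price"] != r["total"]:
            report.append((r["doc_no"], "arithmetic", f"expected {r['qty'] * r['price']}"))
    return report

if __name__ == "__main__":
    for doc_no, check, detail in run_controls(BATCH, HEADER, MASTER, QTY_RANGE):
        print(f"{doc_no or 'BATCH'}: {check}: {detail}")
```

The batch total is off by exactly the amount of the arithmetic error on invoice 1006, which shows how a batch-level check flags a problem that a record-level check then locates.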

Ascertaining the systems

To ascertain the system, the auditor should enquire about the relevant personnel,
observe the application of controls, trace a transaction through the system to
understand what happens, and inspect documents.

The auditor should not, however, rely on enquiries and knowledge from the
previous year, as changes might have occurred; systems knowledge must be
updated and tested once more. The auditor should usually test the controls once
every third audit.

Documenting client’s systems

The auditor must document the client’s control systems before evaluating
whether the system is adequate and working effectively. Ways of documenting
the systems include:

Narrative Notes: Written description of a system.

Flowcharts: A diagrammatical representation of the system.

Questionnaires: A prepared list of questions in relation to the client’s control
system. There are two types of questionnaires that can be used.

Internal control questionnaires (ICQ): a list of controls is given to the client and
they are asked whether those controls are in place. Usually asks “does?”

Internal control evaluation questionnaire (ICEQ): the client is asked to
describe the controls, and they are asked whether the controls are in place.
Usually asks “how?”

Organizational chart: A diagram showing reporting lines, roles, and
responsibilities.

| Documentation method | Advantages | Disadvantages |
|---|---|---|
| Narrative Notes | They are simple to record, and they facilitate understanding by all staff members. | Time consuming and cumbersome if the system is complex; may be difficult to identify missing controls. |
| Flow Charts | Easy to view the whole system in one diagram; easy to spot missing controls. | Difficult to amend as the whole diagram would need to be updated; still a need for notes to support the diagram. |
| Internal control questionnaires (ICQ) | Quick to prepare as a standard questionnaire can be used for all clients, and it ensures all common controls are present. | Controls may be overstated as the client might answer yes as that’s what the auditor wants; unusual controls are unlikely to be included and may not be identified; and it may contain several irrelevant controls. |
| Internal control evaluations (ICE) | Client must respond with the control they have in place rather than a yes/no, and it is quick to prepare. | Overstatement is unlikely but the client may still overstate the controls; irrelevant controls may be present in the list. |

Testing the system

Tests of controls are only performed on those controls that the auditor has
determined are suitable to prevent or detect and correct a material
misstatement. Controls will only be worth testing if they are designed
appropriately in the first place and implemented. If a control is not designed to be
implemented effectively, there is no benefit in testing it. Methods of testing
include:

Observation of control activities

Inspection of documents

Using test/dummy data

Communicating control deficiencies

The auditor should communicate to management any deficiencies that are of
sufficient importance to merit management’s attention. Any significant deficiencies
should be communicated to those charged with governance.

Deficiencies occur when a control is designed, implemented, or operated in such
a way that it is unable to prevent or detect and correct misstatements, or if a
control necessary to prevent or detect and correct misstatement is missing.

Significant deficiencies are those which merit the attention of those charged with
governance.

The auditor will consider the following when determining if the deficiency in the
internal control is significant: the likelihood of deficiencies leading to material
misstatements, susceptibility to loss or fraud, the subjectivity and complexity of
determining estimated amounts, the financial statement amounts exposed to the
deficiencies, and the importance of the controls to the financial reporting process.

Exam requirement

Deficiency: Clear description of what is wrong.

Consequence: What could happen if the deficiency is not corrected?

Recommendation: Must deal with the specific deficiency you have identified.

In the exam, if asked for a covering letter in which the auditor gives a report on
deficiencies, it should be made clear that:

The report covers only those deficiencies that have come to light during normal
audit procedures, the report is made for the sole use of the company, no disclosure
should be made to a third party, and no responsibility is assumed to any other
parties.

Types of internal control systems

1. Sales system
2. Purchases system
3. Payroll system
4. Inventory system
5. Cash system
6. Non-Current assets

How to identify deficiencies?

1. Weak segregation of duties
2. Seniority of staff
3. No authorization
4. No review of work
5. Manual Vs. Automation
6. Look for NO/NOT in the question
7. Documentational issues

How to explain the deficiencies?

1. Loss of future sales
2. Loss of customer goodwill
3. Cashflow problems
4. Increase in cost (Negative impact on the business)

Use the words “This could result in” or “There is a risk that”.

How to explain the recommendations?

1. Do not just repeat the deficiency
2. Try to add value
3. Who should perform the activity
4. When it should be performed
5. Frequency

Key controls/Good controls (Opposite of deficiencies)

Key controls are actions taken by the management to reduce the risk of fraud and
error. For the full mark explain the risk that the control is designed to mitigate.

Use the wording “This minimizes the risk of” or “This ensures that”

Test of controls

1. Inquiry about management
2. Observe the process/activity
3. Use test data/dummy data
4. Inspect the documents/reports (look for signatures)
