ch06_ppt_moroney_2e.ppt

8/10/2019 ch06_ppt_moroney_2e.ppt

1/34

CHAPTER 6

GAINING AN UNDERSTANDING OFTHE CLIENTS SYSTEM OF INTERNAL

CONTROLS

Prepared by:

Daniella Juric

RMIT University


2/34

LEARNING OBJECTIVES

AFTER STUDYING THIS CHAPTER YOU SHOULD BE ABLE TO:

1. Define internal control

2. Discuss the seven generally accepted objectives of internal control

activities

3. Differentiate the elements of internal control at the entity level

4. Describe the elements of internal control at the transaction level

5. Discuss the different techniques used to document internal controls

6. Describe the importance of identifying strengths and weaknesses in a

system of internal controls

7. Describe how to communicate internal control strengths and

weaknesses to those charged with governance.


3/34


4/34


5/34

OBJECTIVES OF INTERNAL

CONTROLS

IS AN ENTITYS INTERNAL CONTROL EFFECTIVE AS IT

RELATES TO RECORDING OF TRANSACTIONS AND

BALANCES?

Effective internal control meets the following objectives:

1. REALTHAT IS NO FICTITIOUS OR

DUPLICATED TRANSACTIONS

ASSERTIONS TESTEDOCCURRENCE,RIGHTS AND OBLIGATIONS AND

EXISTENCE

2. RECORDEDTHAT IS TO PREVENT

OR DETECT OMISSIONS OF

TRANSACTIONSASSERTIONS TESTEDACCURACY,

COMPLETENESS, VALUATION AND

ALLOCATION


6/34


CONTROLS



BALANCES?


3. VALUEDTHAT IS

CORRECT AMOUNTS

ASSIGNED TOTRANSACTIONS

ASSERTIONS TESTED

ACCURACY, VALUATION

AND ALLOCATION

4. CLASSIFIEDTHAT IS

TRANSACTION ARE

CHARGED TO THECORRECT ACCOUNT

ASSERTIONS TESTED -

ACCURACY, VALUATION

AND ALLOCATION,

CLASSIFICATION

5. SUMMARISEDTHAT IS

TRANSACTIONS MUST BE

SUMMARISED ANDTOTALLED CORRECTLY

ASSERTIONS TESTED

ACCURACY, VALUATION

AND ALLOCATION


7/34


CONTROLS



BALANCES?


6. POSTEDACCUMULATED TOTALS IN

TRANSACTION FILE ARE CORRECTLY

TRANSFERRED TO GENERAL ANDSUBSIDIARY LEDGERS

ASSERTIONS TESTEDACCURACY,

CLASSIFICATION, VALUATION AND

ALLOCATION

7. TIMELYTHAT IS TRANSACTIONS ARE

RECORDED IN THE CORRECT

ACCOUNTING PERIOD

ASSERTIONS TESTEDCUT-OFF AND

COMPLETENESS


8/34


CONTROLS

1. Auditor aims to gain an understanding of how the client

uses internal controls to meet these objectives

2. Focusing on these objectives helps auditor select

controls for testing to gain greatest assurance thatcontrols are operating effectively

3. Failure of an entitys controls to meet any of these

objectives is a weakness in internal control


9/34


CONTROLS

ALL INTERNAL CONTROL SYSTEMS HAVE INHERENT

LIMITATIONS

Human error that results in control breakdown

Ineffective understanding of controls purpose

Collusion by two or more individuals to avoid control

Software program control being overridden, disabled

Management decisions about nature and extent of

controls being implemented


10/34

ENTITY-LEVEL INTERNAL

CONTROLS

1. Control

Environment

2. Entitys riskassessment

process

3. IT and

communication

s systems

4. ControlActivities

5. Monitoring

of Controls


11/34


CONTROLS

ENTITY LEVEL INTERNAL CONTROLS POTENTIALLY

IMPACT ALL ENTITY PROCESSES. COMPRISES:

1. THE CONTROL ENVIRONMENT

Culture, structure and discipline of an entity. Communication and enforcement of integrity and ethical values

Commitment to competence

Participation by those charged with governance

Managements philosophy and operating style

Organisational structure, including IT

Assignment of authority and responsibility

Human resource policies and practices


12/34


CONTROLS

2. THE ENTITYS RISK ASSESSMENT PROCESS

How does the entity identify and respond to business risks?

Auditor is interested in how management identify, analyse and

manage risks relevant to financial reporting, and how the risksmight impact the audit

3. INFORMATION SYSTEMS AND COMMUNICATION

Designed to capture and provide information to conduct, manage

and control entitys operations Includes manual and automated systems

Auditor is interested in systems relevant to financial reporting


13/34


CONTROLS

4. CONTROL ACTIVITIES

Policies and procedures that help make sure

managements directives are carried out

Performance review - actual vs budget, investigation of differences

Information processing- Manual or automated, to check accuracy

etc

Physical control - Security of assets and records

Segregation of incompatible duties No one employee/group should be in position both to perpetrate a

fraud and to cover it up

Separate authorisation/custody/recording


14/34


CONTROLS

WHEN UNDERSTANDING CLIENTS CONTROL

ACTIVITIES, AUDITOR CONSIDERS: Extent of reliance on IT

Existence of necessary policies and procedures

Extent to which control policies are being applied

Clarity of management objectives for controls

Existence of planning and reporting systems for performance and investigation

of variance, and management action to follow-up

Extent of segregation of duties

Software controls over data and programs

Periodic comparison between records and assets

Safeguards over access to documents, records, assets


15/34


CONTROLS

5. MONITORING OF CONTROLS

Does management monitor controls and modify as required when

conditions change?

Ongoing monitoring procedures should be part of regular activities,e.g. internal audit function

Auditor considers:

Are there periodical evaluations of internal controls?

Do client staff regularly obtain evidence of control functioning?

Extent to which information from external parties corroborate, or

contradict, internal information

Management act on audit recommendations, or respond to control

difficulties on timely basis


16/34


CONTROLS

INTERNAL CONTROL IN SMALL ENTITIES

Difficult to implement formal controls, segregate duties

in small entities

Reliance on owner-manager, heavily involved in daily

business

Auditor could increase substantive procedures to

compensate for weaker controlsAUDITOR MUST MAKE OVERALL ASSESSMENT OF

EFFECTIVENESS OF ENTITY-LEVEL CONTROLS


17/34

TRANSACTION-LEVEL CONTROLS

These controls impact a particular transaction, or group

of transactions

They are aimed at preventingan error from entering the

records, or detectingerrors that do enter the records Controls are considered for transaction processes, or

flows, e.g.

Sales process

Cost of sales process


18/34


WHEN GAINING AN UNDERSTANDING OF THE

TRANSACTION PROCESSES, THE AUDITOR:

Identifies major events and transactions in the process

Identifies risks to correct processing of the transactions

What Can Go Wrong? (WCGWs)

For each WCGW, auditor identifies one or more controls

This understanding is documented and used to guideevaluation and testing of internal controls


19/34


SALES PROCESSTransaction Associated Risks

What could go

wrongs

Example Control Key Assertions

Processing

Orders

Orders are processed to

the wrong customers

Review of orders processed each day by

an independent staff member (e.g.

salesperson)

Three-way match of order, dispatchdocument and invoice prior to dispatch

of goods

Occurrence and

Accuracy

Orders are taken from

customers with no credit

history or credit limit

Application control that will only allow orders

to be processed against existing approved

customers with enough unused credit limit

Occurrence and

Accuracy

Orders are incorrectly

inputted

Requirement for acknowledgement of order

by customer for any orders placed over

$5000 (using system-generated order

confirmation reports based on information

input into the system)

Accuracy


20/34



What could go wrongs

Example Control Key

Assertions

Approving

credit

Credit is approved for

customers unable to

pay.

Credit committee review and

approve all applications for credit

over $1000

Accuracy

Credit limits are set too

high or too low.

Credit committee review of credit

limits on a quarterly basis

Accuracy

Credit limits are

exceeded.

Application control requires

approval for exceeding credit limits

(exception report

generated, reviewed and approved)

Accuracy


21/34



What could go

wrongs


Shipping

goods

Products are shipped

without shipping

documents beinggenerated.

Application control generates picking slip and

delivery documentation when order is

processed

Accuracy,

completeness,

cut-off

Invoices are not raised

when goods

are shipped.

Monthly reconciliation of picking slips

generated with no invoice generated

Three-way match of order, dispatch

document and invoice

Regular stocktakes

Accuracy,

completeness

Goods are shipped to the

wrong customer.

Review of delivery address against

customer master file by warehouse staff

Three-way match of order, dispatch

document and invoice

Accuracy,

occurrence


22/34


SALES PROCESS


23/34

TRANSACTION-LEVEL

CONTROLSSALES PROCESS


24/34


COST OF SALES PROCESS


25/34


26/34


COST OF SALES PROCESS

Trans-

action

Associated Risks

What could go wrongs


Recording

inventory

on hand

Inventory is recorded in the

balance sheet that does not

exist (therefore

understating cost of sales inthe income statement).

Stocktakes are performed on a

quarterly basis

Valuation of

stock and

accuracy of

cost of sales

The wrong quantities are

recorded during the

stocktake.

All stock is double counted by

independent teams.

Review performed of all variances

greater than 10 per cent or $100

Accuracy

Goods that have been soldand invoiced are included in

the inventory on hand.

All stocktake variances greater than 10per cent or $100 are reviewed.

Accuracy, cut-off


27/34

DOCUMENTING INTERNAL


28/34


CONTROLS

3. COMBINATION OF FLOWCHART AND NARRATIVE

Use both techniques side-by-side

Narrative used to explain details

4. CHECKLISTS AND PREFORMATTED QUESTIONNAIRES Helps identify most common controls that should be present

Useful for less experienced auditors



29/34


CONTROLS

Example of Narrative

EXAMPLE FLOWCHART FOR


30/34

EXAMPLE FLOWCHART FOR

CREDIT SALES PROCESS

Example of

Flowchart


31/34

IDENTIFYING STRENGTHS AND

WEAKNESSES IN CONTROLS

AFTER DOCUMENTATION, AUDITOR MUST ASSESS

CONTROL SYSTEM Identify weaknesses that have financial reporting impact

Draw conclusions about control risk Significant levels of professional judgement are required when deciding

whether an internal control observation (individually or in combination

with others) is relevant to the audit and should be tested.

ASA260 requires auditors to provide those charged with governance with

timely observations arising from the audit that are significant and

relevant to their responsibility to oversee the financial reporting process,

and to promote effective two-way communication between the auditor

and those charged with governance.


32/34

IDENTIFYING STRENGTHS AND

WEAKNESSES IN CONTROLS

The auditor needs to communicate issues of governance

interest as soon as practicable, and at an appropriate level

of responsibility, including significant (or material)

weaknesses in the design or implementation of internalcontrol. It is for these key reasons that the auditor prepares

what is often called a management letter.


33/34

MANAGEMENT LETTERS

Letter fromthe auditortothe client, recommendations

based on internal control assessment findings and other

matters (ASA 260; ISA 260, and ASA 265; ISA 265)

Professional judgment required about which matters toinclude in letter

Allows management to document their actions in

response, and inform those charged with governance

Often use interim and final management letters


34/34

SUMMARY

AFTER STUDYING THIS CHAPTER YOU SHOULD BE ABLE TO:

1. Define internal control

2. Discuss the seven generally accepted objectives of internal control

activities

3. Differentiate the elements of internal control at the entity level

4. Describe the elements of internal control at the transaction level

5. Discuss the different techniques used to document internal controls

6. Describe the importance of identifying strengths and weaknesses in a

system of internal controls

7. Describe how to communicate internal control strengths and

weaknesses to those charged with governance.

ch06_ppt_moroney_2e.ppt

Documents