Download - ch06_ppt_moroney_2e.ppt
-
8/10/2019 ch06_ppt_moroney_2e.ppt
1/34
CHAPTER 6
GAINING AN UNDERSTANDING OFTHE CLIENTS SYSTEM OF INTERNAL
CONTROLS
Prepared by:
Daniella Juric
RMIT University
-
8/10/2019 ch06_ppt_moroney_2e.ppt
2/34
LEARNING OBJECTIVES
AFTER STUDYING THIS CHAPTER YOU SHOULD BE ABLE TO:
1. Define internal control
2. Discuss the seven generally accepted objectives of internal control
activities
3. Differentiate the elements of internal control at the entity level
4. Describe the elements of internal control at the transaction level
5. Discuss the different techniques used to document internal controls
6. Describe the importance of identifying strengths and weaknesses in a
system of internal controls
7. Describe how to communicate internal control strengths and
weaknesses to those charged with governance.
-
8/10/2019 ch06_ppt_moroney_2e.ppt
3/34
-
8/10/2019 ch06_ppt_moroney_2e.ppt
4/34
-
8/10/2019 ch06_ppt_moroney_2e.ppt
5/34
OBJECTIVES OF INTERNAL
CONTROLS
IS AN ENTITYS INTERNAL CONTROL EFFECTIVE AS IT
RELATES TO RECORDING OF TRANSACTIONS AND
BALANCES?
Effective internal control meets the following objectives:
1. REALTHAT IS NO FICTITIOUS OR
DUPLICATED TRANSACTIONS
ASSERTIONS TESTEDOCCURRENCE,RIGHTS AND OBLIGATIONS AND
EXISTENCE
2. RECORDEDTHAT IS TO PREVENT
OR DETECT OMISSIONS OF
TRANSACTIONSASSERTIONS TESTEDACCURACY,
COMPLETENESS, VALUATION AND
ALLOCATION
-
8/10/2019 ch06_ppt_moroney_2e.ppt
6/34
OBJECTIVES OF INTERNAL
CONTROLS
IS AN ENTITYS INTERNAL CONTROL EFFECTIVE AS IT
RELATES TO RECORDING OF TRANSACTIONS AND
BALANCES?
Effective internal control meets the following objectives:
3. VALUEDTHAT IS
CORRECT AMOUNTS
ASSIGNED TOTRANSACTIONS
ASSERTIONS TESTED
ACCURACY, VALUATION
AND ALLOCATION
4. CLASSIFIEDTHAT IS
TRANSACTION ARE
CHARGED TO THECORRECT ACCOUNT
ASSERTIONS TESTED -
ACCURACY, VALUATION
AND ALLOCATION,
CLASSIFICATION
5. SUMMARISEDTHAT IS
TRANSACTIONS MUST BE
SUMMARISED ANDTOTALLED CORRECTLY
ASSERTIONS TESTED
ACCURACY, VALUATION
AND ALLOCATION
-
8/10/2019 ch06_ppt_moroney_2e.ppt
7/34
OBJECTIVES OF INTERNAL
CONTROLS
IS AN ENTITYS INTERNAL CONTROL EFFECTIVE AS IT
RELATES TO RECORDING OF TRANSACTIONS AND
BALANCES?
Effective internal control meets the following objectives:
6. POSTEDACCUMULATED TOTALS IN
TRANSACTION FILE ARE CORRECTLY
TRANSFERRED TO GENERAL ANDSUBSIDIARY LEDGERS
ASSERTIONS TESTEDACCURACY,
CLASSIFICATION, VALUATION AND
ALLOCATION
7. TIMELYTHAT IS TRANSACTIONS ARE
RECORDED IN THE CORRECT
ACCOUNTING PERIOD
ASSERTIONS TESTEDCUT-OFF AND
COMPLETENESS
-
8/10/2019 ch06_ppt_moroney_2e.ppt
8/34
OBJECTIVES OF INTERNAL
CONTROLS
1. Auditor aims to gain an understanding of how the client
uses internal controls to meet these objectives
2. Focusing on these objectives helps auditor select
controls for testing to gain greatest assurance thatcontrols are operating effectively
3. Failure of an entitys controls to meet any of these
objectives is a weakness in internal control
-
8/10/2019 ch06_ppt_moroney_2e.ppt
9/34
OBJECTIVES OF INTERNAL
CONTROLS
ALL INTERNAL CONTROL SYSTEMS HAVE INHERENT
LIMITATIONS
Human error that results in control breakdown
Ineffective understanding of controls purpose
Collusion by two or more individuals to avoid control
Software program control being overridden, disabled
Management decisions about nature and extent of
controls being implemented
-
8/10/2019 ch06_ppt_moroney_2e.ppt
10/34
ENTITY-LEVEL INTERNAL
CONTROLS
1. Control
Environment
2. Entitys riskassessment
process
3. IT and
communication
s systems
4. ControlActivities
5. Monitoring
of Controls
-
8/10/2019 ch06_ppt_moroney_2e.ppt
11/34
ENTITY-LEVEL INTERNAL
CONTROLS
ENTITY LEVEL INTERNAL CONTROLS POTENTIALLY
IMPACT ALL ENTITY PROCESSES. COMPRISES:
1. THE CONTROL ENVIRONMENT
Culture, structure and discipline of an entity. Communication and enforcement of integrity and ethical values
Commitment to competence
Participation by those charged with governance
Managements philosophy and operating style
Organisational structure, including IT
Assignment of authority and responsibility
Human resource policies and practices
-
8/10/2019 ch06_ppt_moroney_2e.ppt
12/34
ENTITY-LEVEL INTERNAL
CONTROLS
2. THE ENTITYS RISK ASSESSMENT PROCESS
How does the entity identify and respond to business risks?
Auditor is interested in how management identify, analyse and
manage risks relevant to financial reporting, and how the risksmight impact the audit
3. INFORMATION SYSTEMS AND COMMUNICATION
Designed to capture and provide information to conduct, manage
and control entitys operations Includes manual and automated systems
Auditor is interested in systems relevant to financial reporting
-
8/10/2019 ch06_ppt_moroney_2e.ppt
13/34
ENTITY-LEVEL INTERNAL
CONTROLS
4. CONTROL ACTIVITIES
Policies and procedures that help make sure
managements directives are carried out
Performance review - actual vs budget, investigation of differences
Information processing- Manual or automated, to check accuracy
etc
Physical control - Security of assets and records
Segregation of incompatible duties No one employee/group should be in position both to perpetrate a
fraud and to cover it up
Separate authorisation/custody/recording
-
8/10/2019 ch06_ppt_moroney_2e.ppt
14/34
ENTITY-LEVEL INTERNAL
CONTROLS
WHEN UNDERSTANDING CLIENTS CONTROL
ACTIVITIES, AUDITOR CONSIDERS: Extent of reliance on IT
Existence of necessary policies and procedures
Extent to which control policies are being applied
Clarity of management objectives for controls
Existence of planning and reporting systems for performance and investigation
of variance, and management action to follow-up
Extent of segregation of duties
Software controls over data and programs
Periodic comparison between records and assets
Safeguards over access to documents, records, assets
-
8/10/2019 ch06_ppt_moroney_2e.ppt
15/34
ENTITY-LEVEL INTERNAL
CONTROLS
5. MONITORING OF CONTROLS
Does management monitor controls and modify as required when
conditions change?
Ongoing monitoring procedures should be part of regular activities,e.g. internal audit function
Auditor considers:
Are there periodical evaluations of internal controls?
Do client staff regularly obtain evidence of control functioning?
Extent to which information from external parties corroborate, or
contradict, internal information
Management act on audit recommendations, or respond to control
difficulties on timely basis
-
8/10/2019 ch06_ppt_moroney_2e.ppt
16/34
ENTITY-LEVEL INTERNAL
CONTROLS
INTERNAL CONTROL IN SMALL ENTITIES
Difficult to implement formal controls, segregate duties
in small entities
Reliance on owner-manager, heavily involved in daily
business
Auditor could increase substantive procedures to
compensate for weaker controlsAUDITOR MUST MAKE OVERALL ASSESSMENT OF
EFFECTIVENESS OF ENTITY-LEVEL CONTROLS
-
8/10/2019 ch06_ppt_moroney_2e.ppt
17/34
TRANSACTION-LEVEL CONTROLS
These controls impact a particular transaction, or group
of transactions
They are aimed at preventingan error from entering the
records, or detectingerrors that do enter the records Controls are considered for transaction processes, or
flows, e.g.
Sales process
Cost of sales process
-
8/10/2019 ch06_ppt_moroney_2e.ppt
18/34
TRANSACTION-LEVEL CONTROLS
WHEN GAINING AN UNDERSTANDING OF THE
TRANSACTION PROCESSES, THE AUDITOR:
Identifies major events and transactions in the process
Identifies risks to correct processing of the transactions
What Can Go Wrong? (WCGWs)
For each WCGW, auditor identifies one or more controls
This understanding is documented and used to guideevaluation and testing of internal controls
-
8/10/2019 ch06_ppt_moroney_2e.ppt
19/34
TRANSACTION-LEVEL CONTROLS
SALES PROCESSTransaction Associated Risks
What could go
wrongs
Example Control Key Assertions
Processing
Orders
Orders are processed to
the wrong customers
Review of orders processed each day by
an independent staff member (e.g.
salesperson)
Three-way match of order, dispatchdocument and invoice prior to dispatch
of goods
Occurrence and
Accuracy
Orders are taken from
customers with no credit
history or credit limit
Application control that will only allow orders
to be processed against existing approved
customers with enough unused credit limit
Occurrence and
Accuracy
Orders are incorrectly
inputted
Requirement for acknowledgement of order
by customer for any orders placed over
$5000 (using system-generated order
confirmation reports based on information
input into the system)
Accuracy
-
8/10/2019 ch06_ppt_moroney_2e.ppt
20/34
TRANSACTION-LEVEL CONTROLS
SALES PROCESSTransaction Associated Risks
What could go wrongs
Example Control Key
Assertions
Approving
credit
Credit is approved for
customers unable to
pay.
Credit committee review and
approve all applications for credit
over $1000
Accuracy
Credit limits are set too
high or too low.
Credit committee review of credit
limits on a quarterly basis
Accuracy
Credit limits are
exceeded.
Application control requires
approval for exceeding credit limits
(exception report
generated, reviewed and approved)
Accuracy
-
8/10/2019 ch06_ppt_moroney_2e.ppt
21/34
TRANSACTION-LEVEL CONTROLS
SALES PROCESSTransaction Associated Risks
What could go
wrongs
Example Control Key Assertions
Shipping
goods
Products are shipped
without shipping
documents beinggenerated.
Application control generates picking slip and
delivery documentation when order is
processed
Accuracy,
completeness,
cut-off
Invoices are not raised
when goods
are shipped.
Monthly reconciliation of picking slips
generated with no invoice generated
Three-way match of order, dispatch
document and invoice
Regular stocktakes
Accuracy,
completeness
Goods are shipped to the
wrong customer.
Review of delivery address against
customer master file by warehouse staff
Three-way match of order, dispatch
document and invoice
Accuracy,
occurrence
-
8/10/2019 ch06_ppt_moroney_2e.ppt
22/34
TRANSACTION-LEVEL CONTROLS
SALES PROCESS
-
8/10/2019 ch06_ppt_moroney_2e.ppt
23/34
TRANSACTION-LEVEL
CONTROLSSALES PROCESS
-
8/10/2019 ch06_ppt_moroney_2e.ppt
24/34
TRANSACTION-LEVEL CONTROLS
COST OF SALES PROCESS
-
8/10/2019 ch06_ppt_moroney_2e.ppt
25/34
-
8/10/2019 ch06_ppt_moroney_2e.ppt
26/34
TRANSACTION-LEVEL CONTROLS
COST OF SALES PROCESS
Trans-
action
Associated Risks
What could go wrongs
Example Control Key Assertions
Recording
inventory
on hand
Inventory is recorded in the
balance sheet that does not
exist (therefore
understating cost of sales inthe income statement).
Stocktakes are performed on a
quarterly basis
Valuation of
stock and
accuracy of
cost of sales
The wrong quantities are
recorded during the
stocktake.
All stock is double counted by
independent teams.
Review performed of all variances
greater than 10 per cent or $100
Accuracy
Goods that have been soldand invoiced are included in
the inventory on hand.
All stocktake variances greater than 10per cent or $100 are reviewed.
Accuracy, cut-off
-
8/10/2019 ch06_ppt_moroney_2e.ppt
27/34
DOCUMENTING INTERNAL
-
8/10/2019 ch06_ppt_moroney_2e.ppt
28/34
DOCUMENTING INTERNAL
CONTROLS
3. COMBINATION OF FLOWCHART AND NARRATIVE
Use both techniques side-by-side
Narrative used to explain details
4. CHECKLISTS AND PREFORMATTED QUESTIONNAIRES Helps identify most common controls that should be present
Useful for less experienced auditors
DOCUMENTING INTERNAL
-
8/10/2019 ch06_ppt_moroney_2e.ppt
29/34
DOCUMENTING INTERNAL
CONTROLS
Example of Narrative
EXAMPLE FLOWCHART FOR
-
8/10/2019 ch06_ppt_moroney_2e.ppt
30/34
EXAMPLE FLOWCHART FOR
CREDIT SALES PROCESS
Example of
Flowchart
-
8/10/2019 ch06_ppt_moroney_2e.ppt
31/34
IDENTIFYING STRENGTHS AND
WEAKNESSES IN CONTROLS
AFTER DOCUMENTATION, AUDITOR MUST ASSESS
CONTROL SYSTEM Identify weaknesses that have financial reporting impact
Draw conclusions about control risk Significant levels of professional judgement are required when deciding
whether an internal control observation (individually or in combination
with others) is relevant to the audit and should be tested.
ASA260 requires auditors to provide those charged with governance with
timely observations arising from the audit that are significant and
relevant to their responsibility to oversee the financial reporting process,
and to promote effective two-way communication between the auditor
and those charged with governance.
-
8/10/2019 ch06_ppt_moroney_2e.ppt
32/34
IDENTIFYING STRENGTHS AND
WEAKNESSES IN CONTROLS
The auditor needs to communicate issues of governance
interest as soon as practicable, and at an appropriate level
of responsibility, including significant (or material)
weaknesses in the design or implementation of internalcontrol. It is for these key reasons that the auditor prepares
what is often called a management letter.
-
8/10/2019 ch06_ppt_moroney_2e.ppt
33/34
MANAGEMENT LETTERS
Letter fromthe auditortothe client, recommendations
based on internal control assessment findings and other
matters (ASA 260; ISA 260, and ASA 265; ISA 265)
Professional judgment required about which matters toinclude in letter
Allows management to document their actions in
response, and inform those charged with governance
Often use interim and final management letters
-
8/10/2019 ch06_ppt_moroney_2e.ppt
34/34
SUMMARY
AFTER STUDYING THIS CHAPTER YOU SHOULD BE ABLE TO:
1. Define internal control
2. Discuss the seven generally accepted objectives of internal control
activities
3. Differentiate the elements of internal control at the entity level
4. Describe the elements of internal control at the transaction level
5. Discuss the different techniques used to document internal controls
6. Describe the importance of identifying strengths and weaknesses in a
system of internal controls
7. Describe how to communicate internal control strengths and
weaknesses to those charged with governance.