Systems and controls - activities Control activities are all around us. When ... strength, because all entries must leave an ‘audit trail’, although the

  • Published on
    02-Mar-2018

  • View
    213

  • Download
    1

Embed Size (px)

Transcript

  • SystemsandcontrolsChapter learning objectives

    Uponcompletionofthischapteryouwillbeableto:

    explainwhyanauditorneedstoobtainanunderstandingofinternalcontrolactivitiesrelevanttotheaudit

    describeandexplainthekeycomponentsofaninternalcontrolsystem

    discussthedifferencebetweentestsofcontrolandsubstantiveprocedures

    identifyanddescribetheimportantelementsofinternalcontrols,includingthecontrolenvironmentandmanagementcontrolactivities

    explaintheimportanceofinternalcontrolstoauditors explainhowauditorsidentifyweaknessesininternalcontrol

    systemsandhowthoseweaknesseslimittheextentofauditorsrelianceonthosesystems

    explainandtabulatetestsofcontrol,suitableforinclusioninauditworkingpapers,for revenue

    purchases

    payrolls

    revenueandcapitalexpenditure

    inventory

    bankandcash

    provideexamplesofcomputersystemcontrolsandlistexamplesofapplicationcontrolsandgeneralITcontrols

    analysethelimitationsofinternalcontrolcomponentsinthecontextoffraudanderror

    explaintheneedtomodifytheauditstrategyandauditplanfollowingtheresultsoftestsofcontrol

    161

    chapter

    8

  • identifyandexplainmanagementsriskassessmentprocesswithreferencetointernalcontrolcomponents

    discussandprovideexamplesofhowthereportingofinternalcontrolweaknessesandrecommendationstoovercomethoseweaknessesareprovidedtomanagement.

    Systems and controls

    162 KAPLAN PUBLISHING162 KAPLAN PUBLISHING

  • 1Client's systems

    Auditorsneedtounderstandtheclientssystemssothattheycan:

    IftheauditorisabletorelyonthesystemitwillbebecauseitcontainssomeofthecomponentsofinternalcontrolassetoutinISA315.

    Thischaptertakesyouthrough:

    Assesstheirreliabilityforthepreparationoffinancialstatements. Designsuitableauditprocedures.

    Howsystemsoperate. Whatinternalcontrolis. Howauditorsidentifyandtestcontrols. Whattheyshoulddowhenthecontrolsfailorwhenthereareother

    weaknessesinthesystem.

    2A word about systemsWhy do companies have systems?

    Acompanysmanagementhasanumberofobligations:

    Thesethingsdonothappenatrandomthecompanyneedssystems.

    Thepurposeofasystemistoenablethebusinessto:

    Tomanagethebusinesseffectively. Toproducetimely,andaccuratefinancialstatementsandmanagement

    information(bothformanagementandstatutorypurposes).

    Tosafeguardthebusinessassets. Topreventanddetectfraud.

    collectdata summarisedata producefinancialstatementsandmanagementinformation.

    chapter 8

    KAPLAN PUBLISHING 163

    Expandable Text

  • 3What is internal control and how does it work?Managements view

    Logically,themorereliableasystemisthemoreaccurateitsoutputwillbeasmorereliableinformationwillleadtobetterdecisionmaking.

    Thereforemanagementshouldbepleasedtohavegoodsystemsbecause:

    financialinformationwillbelesspronetoerror goodsystemsmayplayapartinfraudpreventionanddetection goodsystemswillhelpwithsafeguardingtheassets.

    What about the auditors?

    Theauditorsjobistoformanopiniononthefinancialstatements.

    To do this the risk that the financial statements may be misstated, must be reduced to an acceptable level.

    Itreallyisallaboutrisk.

    So,fromtheauditorspointofview:

    Thenextquestionmustbe,therefore,howtojudgewhetherasystemismoreorlessreliable.Theanswerwilldependonthestrengthsorweaknessofinternalcontrol.

    Systems and controls

    164 KAPLAN PUBLISHING

  • Itfollows,therefore,thattoformaviewabouttheextenttowhichinternalcontrolcanbereliedupon,theauditorwillneedto:

    Wewilllookatallofthislaterinthischapter.

    First,weneedtoconsiderthenatureofinternalcontrol.

    understandhowthesystemworks understandthecontrolswithinthesystem testwhetherornotthecontrolsareeffective.

    Internal control components

    ISA315statesthattherearefivecomponentsofinternalcontrol:

    (1) Thecontrolenvironment.

    (2) Theentitysriskassessmentprocess.

    (3) Theinformationsystemincludingtherelatedbusinessprocesses,relevanttofinancialreportingandcommunication.

    (4) Controlactivities.

    (5) Monitoringofcontrols.

    The control environment

    ThecontrolenvironmentisdefinedinISA315asbeingmadeupof:

    Thissoundsquitehighlevel,butitisreallyonlysayingthatifaclientcomplieswiththeprinciplesofgoodcorporategovernance(seeChapter3),theriskofmisstatementwillbelower.

    communicationandenforcementofethicalvalues commitmenttocompetence participationbythosechargedwithgovernance managementsphilosophyandoperatingstyle organisationalstructure assignmentofresponsibility humanresourcepoliciesandpracticesstafftraining,recruitment

    proceduresetc.

    chapter 8

    KAPLAN PUBLISHING 165

  • The entitys risk assessment process

    Iftheclienthasrobustproceduresforassessingthebusinessrisksitfaces,theriskofmisstatementwillbelower.

    The information system

    Wewillexaminethewaycontrolsoperatefordifferenttransactioncycleslaterinthischapter.Hereweneedtostressthattheconsiderationofsystemsisnotoptional.

    ISA 315 states:

    'The auditor should obtain an understanding of the information system, including the related business processes, relevant to financial reporting.'

    NB Itsays'relevanttofinancialreporting'andwealsoknowthattheauditorisinterestedinwhetherornottherearematerialmisstatementsinthefinancialstatements.

    Thestandardthereforedoesnotmeanthat:

    Exam hint

    Understandingthesystemiscompulsoryandinnearlyeverysittingofthepredecessorpaperoverthelasttwoyearsorsoatleastoneandsometimesseveralquestionshavedemandedanunderstandingofsystemsspecifictothescenarioclient.

    theauditorshouldlookintoeveryaspectofaclientssystems,orthat immaterialareasneedtobeconsidered.

    Usuallythesesystemsarecomputerised. Oftentheyinvolveuseoftheinternetorsomeaspectofecommerce.

    Systems and controls

    166 KAPLAN PUBLISHING

    Expandable text

  • Control activities

    Controlactivitiesareallaroundus.Whenweleavethetrainstationandputourticketthroughthebarrierwhenweleaveashopandsetoffanalarmwhenourpassportapplicationhastobecountersignedallareexamplesofcontrolactivities.

    ISA315referstofivetypesofcontrolactivity:

    Examplesofeachmightbe:

    Performancereviewcoversallsortsofanalyticalproceduresthatgivemanagementtheopportunitytoidentifyproblems.

    Thiscouldbethecomparisonoftheresultsofdifferentbranchesorthemonitoringofthecostsofaprojectagainstbudget(orthetimespentonanauditagainstthebudgetedfee)usuallyreferredtoasabudgetary control system.

    (1) Authorisation

    (2) Performancereviews.

    (3) Informationprocessing.

    (4) Physicalcontrols.

    (5) Segregationofduties.

    Whenastaffmemberfeelstheneedtoworkovertime,theirmanagershouldauthorisethisinadvance(asitwillcostthecompanyextramoney,andmaynotbeneeded).

    TheACCAcompareaveragemarksfromexamcentres,tohelpspotpotentialcheating,ortoidentifyifanycentremighthavebeendisruptedduringtheexamperformance review.

    Information processingthereconciliationofcontrolaccounts,oreditchecksthatensurethatinputscomplywithpreestablishedcriteria.

    chapter 8

    KAPLAN PUBLISHING 167

  • ISA315assumesthatthevastmajorityofsystemsareITbasedseebelowaboutapplicationcontrolsandgeneralcontrolsinITsystems.

    AnycompanywithvaluablegoodsorassetsislikelytoemploysecurityguardsanduseCCTVsystemsaphysicalcontrol.

    Ifonememberofstaffisresponsibleforpreparingchequesandbankingsandmaintainingthecashbookorbankledgeraccount,someoneelseshouldperformthebankreconciliationsegregation of duties.

    Monitoring of controls

    Clearlyif:

    itmightaswellnotbethere.

    Managementmustthereforemonitorcontrolstobesurethattheyareeffective.

    acontroliseitherineffective,or simplydoesnotfunction,

    Controls in IT systems

    Computerbasedcontrolsarenormallydividedintotwocategories:

    Applicationcontrols. Generalcontrols.

    Systems and controls

    168 KAPLAN PUBLISHING

    Expandable text

    Expandable text

    Expandable text

  • Application controls

    Applicationcontrolsarecontrolsthatarebuiltintothesystem,e.g.

    TheformaldefinitionofapplicationcontrolsintheglossarytotheISAsis:

    Application controls in information technology Manual or automated procedures that typically operate at a business process level. Application controls can be preventative or detective in nature and are designed to ensure the integrity of the accounting records. Accordingly, application controls relate to procedures used to initiate, record, process and report transactions or other financial data.

    General controls

    GeneralITcontrolsarepoliciesandproceduresthatrelatetomanyapplicationsandsupporttheeffectivefunctioningofapplicationcontrolsbyhelpingtoensurethecontinuedproperoperationofinformationsystems,e.g.controlsover:

    arithmeticchecks rangechecks validationchecks. Quickbooks,thesmallbusinessaccountingpackage,forexample,will

    notletyouenterasaleuntilyouhavesetupanitem,whichmeansyouhavetoallocatethesaletoarevenueaccount,setupthecustomerasareceivable,decideonVATtreatment,etc.

    Somesystemswillnotletyoureverseordeleteentriessothatallerrorshavetobecorrectedthroughtheuseofjournals.Thismaybeseenasastrength,becauseallentriesmustleaveanaudittrail,althoughthesystemcanbesocumbersometooperateandcorrectingjournalsbecomesodifficulttofollow,thattheoperationaldifficultiescreatedoutweighthebenefitsofthecontrol.

    datacentreandnetworkoperations systemsoftwareacquisition

    chapter 8

    KAPLAN PUBLISHING 169

  • Wegavetheexampleaboveofanapplicationcontrolthatwillnotallowerrorstobecorrectedbysimplydeletingtheoffendingentryandreplacingitwithacorrectone.Intheabsenceofacontrolsuchasthis,therewillneedtobegeneralcontrolswhichensurethatstaffareproperlytrained,sothaterrorsareminimisedandthatthedeletionofentriesonlyhappensinappropriatecircumstancesandwithproperauthorisation.

    changeandmaintenance accesssecuritypasswords,doorlocks,swipecards backupprocedures.

    4What should the auditor do about internal control?

    Whydoestheauditorcarryoutauditwork?

    Toreduce the riskofissuinganinappropriateauditreporttoanacceptablelevel.

    Theauditorhastwopossiblesourcesofassurancethatthefinancialstatementsarenotmateriallymisstated:

    Substantive proceduresarethosetestsandotherprocedures(suchasanalyticalreview)thatgivedirectassuranceabouttheassertionsinthefinancialstatementsseethechapteronauditevidenceformoreaboutfinancialstatementassertions.

    Sotheauditopinionissupportedbyevidencegatheredbytheauditor,andiftheauditorwishestogainassurancefrominternalcontrols,itwillbenecessarytotestthosecontrols.

    Internalcontrols. Substantiveprocedures.

    Systems and controls

    170 KAPLAN PUBLISHING

    Expandable text

  • Thedoubleheadedarrowacrosstheverticallinebetweencontrolsandsubstantiveproceduresneedssomeexplanation.

    WithaTest of Controls,theauditorisinterestedinwhetheracontrolhasoperatedcorrectlythesizeofthetransactionisirrelevant.Inotherwords,theauditorischeckingthatthecompanyhasbeentryingtoensurethatitsFinancialStatementsareaccurate.

    Forexample,if,whenauditingthebankandcashfigure,anauditoristoldthattheclientperformsbankreconciliationsattheendofeverymonthandtheauditorlooksforevidencethatthisreconciliationisindeedtakingplaceeverymonth,andisdoneproperly,atestofcontrolhasbeenperformed.

    Thegreatertheassurancefromcontrols,thelesstheassurancerequiredfromsubstantiveprocedures,sothelesstheleveloftesting.

    Ifitismoreefficienttotakeallthenecessaryassurancefromsubstantiveprocedures,thennonewillcomefromcontrolsandthereforethereisnorequirementtotestthem.

    ItisarequirementofISA500thatsomesubstantiveprocedures(whichmaybeanalyticalreview)mustbecarriedoutforallmaterialclassesoftransactions,accountbalancesanddisclosures.

    chapter 8

    KAPLAN PUBLISHING 171

  • WithaSubstantive Test,theauditoristryingtogainassurancedirectlyabouttheaccuracyofafigureintheFinancialStatements.

    Forexample,inacompanywherenobankreconciliationsareperformed,theauditormaychoosetoperformonetogainassurancethatthebankfigureintheFinancialStatementsisaccurate.

    Itcansometimesbedifficulttotellthedifferencebetweenatestofcontrolandasubstantivetest.Thekeyistounderstandwhytheauditoriscarryingoutthetest.

    5The auditor and the system

    Wehavealreadyseenthattheauditorneedstounderstandthesystem:

    ItisalsocompulsoryasstatedinISA315:

    The auditor should obtain an understanding of the information systems, including the related business processes, relevant to financial reporting.

    ISA 315 para 81

    Toassessitsreliabilityasabasisforpreparingfinancialstatements. Toassesstheeffectivenessofcontrols. Todesignsuitableauditprocedures.

    Establishing the system

    Informationaboutthesystemcomesfrom:

    previousknowledge/experience clientsstaff clientssystemmanuals walkthroughtests(wheretransactionsaretracedthroughsystemto

    confirmourunderstanding).

    Documenting the system

    Possiblewaysofdocumentingthesystemandcontrolsare:

    narrativenotes(whichcanprovebulkyifsystemislargeorcomplex) flowcharts(whichcanmakeacomplexsystemeasiertofollow) organisationchartsshowingroles,responsibilities,andreporting

    lines

    Systems and controls

    172 KAPLAN PUBLISHING

  • InternalControlQuestionnaire(ICQ) InternalControlEvaluationQuestionnaire(ICE).

    A word on questionnaires (ICQs)

    ICQs

    ICEs

    ExamplesofICQsandICEsaregivenlaterinthechapter.

    AnICQisalistofallpossiblecontrolsforeachareaoftheFinancialStatements.Theclientsstaffareaskedquestionsandsystemsdocumentationreviewed,toestablishwhichcontrolsexist.

    Thesystemisthenappraisedbutthiscanbedifficult.Differentcombinationsofcontrolscouldachievethesameresult.

    ICE (sometimes referred to as ICEQ)doesnotattempttorecordALLcontrolslikeanICQ.

    Instead,foreachcontrolobjective,itasksforthecontrolswhichachievethatobjective.

    Assuch,anICEmaynotrecordtheentiresystembutitisfarmoreuseasanevaluationtoolfortheauditor,asitsfocusisonwhetherICObjectivesarebeingmet.

    6The limitations of internal controlGood, but not that good

    Wehaveseenthatwhereinternalcontrolisstrong,itmayreducetheamountofevidencetheauditorneedstogainfromothersources.

    NeverthelessISA315insiststhatformaterialareassomesubstantivetestingneedstobecarriedout.

    Thereasonforthisisthattherearelimitationstothereliancethatcanbeplacedoninternalcontrolbecauseof:

    humanerrorintheuseofjudgement simpleprocessingerrorsandmistakes collusionofstaffincircumventingcontrols responsiblepeopleabusingthatresponsibilitytooverridecontrols.

    chapter 8

    KAPLAN PUBLISHING 173

  • Internal control and fraud

    Thelasttwoitemsontheabovelisttakeusintofraudterritory.

    Weknowthat:

    However,asISA240states:

    Inplanningandperformingtheaudittoreduceauditrisktoanacceptablylowlevel,theauditorshouldconsidertherisksofmaterialmisstatementsinthefinancialstatementsduetofraud.

    managementisresponsibleforthepreventionanddetectionoffraud theauditorisnot.

    7What if the controls dont work? The possibilities

    Aswehaveseen,theauditordrawsassurancefromanumberofsources,includinginternalcontrols.

    Thechartbelowshowsthedecisionstobetakenwhichdependontheeffectivenessofcontrolsandtheimpactontheauditplaniftheyarefoundnottobeeffective.

    Systems and controls

    174 KAPLAN PUBLISHING

    Expandable Text

  • Itmaybemoreefficientandcosteffectivenottorelyoncontrolsatallasasourceofassurance(butweneedsufficientassurancefromothersources).

    Itispossiblethat,eventhoughthecontrolsarenotaseffectiveaswewouldlike,andtheriskofmisstatementmaybeincreased,itmaystillbeatanacceptablelevel.

    Ifwedoneedtoamendtheplan,itisnotsimplyamatterofincreasingthenumberofitemswetest.

    chapter 8

    KAPLAN PUBLISHING 175

  • If we need to change the plan

    Asyoucanseefromthediagram,therearetwopossibilities:

    Alternative sources

    Possibilitiesare:

    Increasing the extent of testing

    ISA330says:

    So,ifcontrolsareineffective,increaseyoursamplesize.

    BUT

    ISA330states:

    Extentincludesthequantityofaspecificaudit...

Recommended

View more >