Chapter Understanding and Assessing Internal Control Copyright  2006 McGraw-Hill Australia Pty Ltd 8-1 Learning Objective 1: Audit Strategy and Internal Control • Internal control is the process designed and implemented by those charged with governance, management and other personnel to provide reasonable assurance regarding the achievement of the entity’s objectives concerning financial reporting, the effectiveness and efficiency of operations, and compliance with laws and regulations Refer AUS 402.42/ASA 315.54 (ISA 315.42) • It is designed and implemented to address business risks that threaten any of these objectives • The importance of internal control has increased as business entities become larger and more complex Copyright  2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 8-2 Auditor’s requirements • AUS 402.41/ASA 315.52 (ISA 315.41) requires that the auditor obtain an understanding of internal control relevant to the audit • At the financial report level the auditor’s assessment of risk of material misstatement is affected by their understanding of the control environment Refer AUS 406.05/ASA 330.10 (ISA 330.05) • At the assertion level, the auditor needs to consider control risk in their assessment of the risk of material misstatement Refer AUS 406.12/ASA 330.19 (ISA 330.12) Copyright  2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 8-3 Audit strategy • To reach a conclusion on accuracy and reliability of underlying accounting data, an auditor can: – – – Test the accounting data (substantive approach); or Perform procedures to review and evaluate the internal control to see whether accounting data was developed under conditions likely to ensure accuracy and reliability (lower assessed level of control risk approach) An auditor adopts the best combination of these approaches Copyright  2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 8-4 Learning Objective 2: Responsibility for Internal Control • Achieving satisfactory internal control is initially a management responsibility, although ultimate responsibility rests with the directors • To maintain control over operations and accounting data, management needs to adopt, maintain and supervise an appropriate internal control system Copyright  2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 8-5 Inherent limitations of internal control • Internal control cannot assure a reliable financial report because it has inherent limitations Therefore, an auditor can never rely completely on the internal control • Inherent limitations arise because of: – – – Control breakdowns as a result of the actions of careless, fatigued or deviant staff; The possibility of management override; and The existence of non-routine transactions for which internal controls were not devised Copyright  2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 8-6 Reasonable assurance • Internal control should be designed to provide reasonable assurance that assets are safeguarded and accounting records are reliable • The concept of reasonable assurance recognises that, in some cases, the cost of establishing and maintaining controls can outweigh benefits of adopting controls Copyright  2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 8-7 Learning Objective 3: Internal Control Objectives • • • • • • • Risks are identified and minimised; Management decision making is effective and business processes efficient; Transactions are carried out in accordance with management’s authorisation; Laws, rules and regulations are complied with; Transactions are promptly and accurately recorded; Access to assets is limited in accordance with management’s authorisation; and Asset records are compared with existing assets at reasonable intervals Copyright  2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 8-8 Management controls Management Controls are the activities undertaken by senior management to mitigate strategic risks to the entity and to promote the effectiveness of decision making and the efficiency of business activities • These include: • – – – – – – Communicating business objectives and goals; Establishing lines of authority and accountability; Establishing and enforcing appropriate codes of conduct; Monitoring risk environments; Defining policies and procedures for dealing with these risks; and Monitoring performance through performance indicators and benchmarking Copyright  2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 8-9 Transaction controls • • These are performed by staff and lower level management Every transaction goes through the identifiable steps of authorisation, execution and recording These controls: are generally focused on internal risks and reflect the formal policies and procedures defined by senior management; – deal primarily with the reliability of accounting information and compliance with rules and regulations; and – control the flow of transactions through the accounting system and safeguard related assets by authorising and recording transactions, restricting access to assets and checking for existence of recorded assets – Copyright  2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 8-10 User department application controls • Control totals: – – – Financial totals Record totals Hash totals • Review and reconciliation of data • Error correction and resubmission procedures • Authorisation of each transaction and batch of transactions Copyright  2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 8-48 IT application controls • Usually classified in the following categories: – – – – Input controls; File controls; Processing controls; and Output controls Copyright  2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 8-49 Input controls • Control totals; • Key verification; • Key entry validation; and • Programmed controls: – – – – Check digit Limit or reasonableness test Field test Valid code test Copyright  2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 8-50 File controls • Include: – – Internal file labels — computer-readable data that identifies content of file External file labels — printed or handwritten labels attached to disk or tape Copyright  2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 8-51 Processing controls • Programmed control procedures: – – • Checking numerical sequence of records Comparing related fields Run-to-run control totals Copyright  2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 8-52 Output controls • These include: – – – – Restricted distribution; Automatic dating of reports; Page numbering; and End-of-report messages Copyright  2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 8-53 Relationship between general and application controls • • The auditor should start by looking at general controls If general controls are unreliable, an auditor has little confidence in programmed application controls and reduced confidence in manual application controls → auditor takes more substantive approach to the audit • If general controls reliable, auditor makes preliminary evaluation of application controls If reliance on application controls is then planned, a more detailed evaluation of these controls is made → auditor determines appropriate degree of testing of controls and substantive testing Copyright  2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 8-54 Control systems in different environments: DATABASE SYSTEMS • A database is a computer-readable file of records that is used by many accounting applications • In order to handle processing of data, a system software program called a database management system (DBMS) is used • Guidance on auditing database systems is contained in AGS 1022/IAPS 1003 Copyright  2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 8-55 Stand-alone PC systems • In such systems the distinction between general and application controls might be blurred and controls might be less structured Thus, control risk might be assessed at maximum level • Guidance on auditing stand-alone PC systems is contained in AGS 1018/ IAPS 1001 Copyright  2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 8-56 LANs and other networks • Networking PCs means that processing is distributed to PCs at many locations • This can cause problems with security and control procedures as they are more dispersed • In most cases control risk has risen significantly Copyright  2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 8-57 Computer service bureau • A computer service bureau is a centre or service entity that performs computer applications for another company • A common application processed through a service entity is payroll • AUS 404/ASA 402 (ISA 402) provides an auditor with guidance on audit implications of using a computer service entity Copyright  2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 8-58 Learning Objective 7: Considering the Work of an Internal Auditor • An effective internal audit function can significantly strengthen the monitoring of control • AUS 604/ASA 610 (ISA 610) recognises that an external auditor is able to use the work of an internal auditor to assist in an audit engagement • Extent of reliance is dependent on evaluation of internal audit function by external auditor Copyright  2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 8-59 Differences between an internal and an external auditor • Differences are: – – – Objectives Independence Qualifications • For an external audit, elements are regulated by legislation • For an internal audit, elements are determined by management Copyright  2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 8-60 Evaluating internal audit • In evaluating internal audit, external auditors should consider: – – – – Organisational status; Scope of internal auditing; Technical competence; and Due professional care Copyright  2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 8-61 Using the services of internal audit • The overall responsibility for audit engagement remains with an external auditor • The external auditor is required to undertake general evaluation as part of review of internal controls • If the external auditor plans to rely on internal audit, they should carefully review internal auditor’s working papers and procedures to ensure testing is sufficient to meet their requirements, and that conclusions outlined in working papers are appropriate Copyright  2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 8-62 ... 406.05/ASA 330.10 (ISA 330.05) • At the assertion level, the auditor needs to consider control risk in their assessment of the risk of material misstatement Refer AUS 406.12/ASA 330.19 (ISA 330.12)... management’s authorisation; Laws, rules and regulations are complied with; Transactions are promptly and accurately recorded; Access to assets is limited in accordance with management’s authorisation;... Transaction process • A transaction may be considered to pass through four phases: Authorisation: the initial authorisation or approval for an exchange transaction; Execution: the act commits the entity