Lecture 5- Internal control & on site work

One section in which internal control is broken down into in ISA 315 is [blank_start]control[blank_end] environment. This includes elements such as [blank_start]integrity[blank_end] & [blank_start]ethical[blank_end] values, [blank_start]commitment[blank_end] to competence ([blank_start]committed[blank_end] to embedding this in [blank_start]organisation[blank_end]), those charged with [blank_start]governance[blank_end] (involves considering [blank_start]importance[blank_end] of their roles & how [blank_start]effective[blank_end] they are as they have got important responsibility), management’s [blank_start]philosophy[blank_end] & [blank_start]operating[blank_end] style (think how they [blank_start]work[blank_end] & [blank_start]implement[blank_end] something), [blank_start]organisational[blank_end] structure (centralised or decentralised), assignment of [blank_start]authority[blank_end] & [blank_start]responsibility[blank_end] (who is responsible) & finally [blank_start]human resource[blank_end] policies & practices (how are staff [blank_start]recruited[blank_end] & how are they [blank_start]developed[blank_end])

Another section in which internal control is broken down into in ISA 315 is [blank_start]risk[blank_end] assessment. ISA 315 says [blank_start]auditor[blank_end] should understand whether entity has process to identify [blank_start]business risks[blank_end] relevant to [blank_start]financial[blank_end] reporting objectives, [blank_start]estimating[blank_end] significance of [blank_start]risks[blank_end], [blank_start]assessing[blank_end] likelihood of [blank_start]occurrence[blank_end] & deciding upon [blank_start]actions[blank_end] to address those [blank_start]risks[blank_end]

Third section in which internal control is broken down into in ISA 315 is [blank_start]information[blank_end] system & related business [blank_start]processes[blank_end]. This involves looking at [blank_start]accounting[blank_end] system (general ledger so [blank_start]financial[blank_end] system), [blank_start]production[blank_end] system, [blank_start]budget[blank_end] information, [blank_start]personnel[blank_end] system, [blank_start]software[blank_end] (presentations, word-processing etc) & [blank_start]financial reporting[blank_end] process (consider how all [blank_start]systems[blank_end] listed above link with this process)

Accounting system- [blank_start]Auditors[blank_end] need to obtain an understanding of [blank_start]accounting[blank_end] system sufficient to identify & understand: [blank_start]major[blank_end] classes of [blank_start]transactions[blank_end], how [blank_start]transactions[blank_end] are initiated, significant accounting [blank_start]records[blank_end], supporting [blank_start]documents[blank_end] & [blank_start]accounts[blank_end] & finally [blank_start]accounting[blank_end] & [blank_start]financial[blank_end] reporting process (all listed above are [blank_start]integrated[blank_end] into this process which is critical for [blank_start]auditors[blank_end] in understanding [blank_start]accounting[blank_end] system & applying it in [blank_start]audit[blank_end] process)

Fourth section in which internal control is broken down into in ISA 315 is [blank_start]control[blank_end] procedures. This involves [blank_start]performance[blank_end] reviews (are they [blank_start]performing[blank_end] & meeting [blank_start]expectations[blank_end]), [blank_start]information[blank_end] processing, physical [blank_start]controls[blank_end] (security) & [blank_start]segregation[blank_end] of duties (looking at split between [blank_start]responsibility[blank_end] between different parts of [blank_start]transaction[blank_end])

Fifth section in which internal control is broken down into in ISA 315 is [blank_start]monitoring[blank_end] of controls. This is process that deals with ongoing [blank_start]assessment[blank_end] of quality of internal [blank_start]control[blank_end] performance. This involves thinking about [blank_start]current[blank_end] performance, [blank_start]adequacy[blank_end] & [blank_start]relevance[blank_end] over time (examining whether it is going to [blank_start]change[blank_end] or whether something needs to be [blank_start]updated[blank_end])

There is challenge for [blank_start]small[blank_end] companies in relation to [blank_start]controls[blank_end]. This is because there may be [blank_start]close[blank_end] involvement of [blank_start]owner[blank_end]/[blank_start]manager[blank_end]. This means there may be an ability to [blank_start]override[blank_end] or [blank_start]breach[blank_end] controls. Also, as there are not [blank_start]many[blank_end] people in small companies, [blank_start]segregation[blank_end] of duties may be [blank_start]harder[blank_end] to enforce

Limitations of accounting & control systems include [blank_start]cost[blank_end], human [blank_start]error[blank_end] (i.e. someone making mistakes as they are not [blank_start]trained[blank_end] properly), [blank_start]collusion[blank_end] (i.e. may [blank_start]mislead[blank_end] user with financial information), controls being [blank_start]by-passed[blank_end] or [blank_start]overridden[blank_end] & controls designed for [blank_start]routine[blank_end] & not [blank_start]non-routine[blank_end]

One classification of control in an IT environment is [blank_start]general controls[blank_end]. These control [blank_start]environment[blank_end] in which [blank_start]company[blank_end] operates

One type of general controls is [blank_start]systems[blank_end] development/maintenance [blank_start]controls[blank_end]. Important elements of this control include [blank_start]organisational[blank_end] structure to ensure high standards during [blank_start]development[blank_end], documentation of [blank_start]development[blank_end] process complete enough to allow [blank_start]informed[blank_end] persons to understand how the system works, [blank_start]testing[blank_end] at critical stages, [blank_start]agreement[blank_end] in writing at each stage, [blank_start]parallel[blank_end] developments including staff training, preparation of forms & file conversions, [blank_start]reliable[blank_end] system for reporting system malfunctions after implementation, steps to ensure [blank_start]unauthorised[blank_end] changes are not made to programs & finally user agreement at critical [blank_start]development[blank_end] points, particularly of user interfaces

Another type of general controls is [blank_start]organisational control[blank_end]. This involves organisation [blank_start]charts[blank_end] (i.e. who has [blank_start]responsibility[blank_end] for certain functions so that it is [blank_start]clear[blank_end] who does what & how they do it), [blank_start]segregation[blank_end] of duties (someone that is going to be undertaking [blank_start]transaction[blank_end] is clear about this), [blank_start]authorisation[blank_end] & [blank_start]approval[blank_end] & finally [blank_start]supervision[blank_end] control

Third type of general controls is [blank_start]security controls[blank_end]. These must determine that [blank_start]physical[blank_end] assets are safe. It is critical whether looking at [blank_start]hardware[blank_end], [blank_start]physical[blank_end] assets or [blank_start]software[blank_end] & [blank_start]data[blank_end]. Also, company should have [blank_start]security[blank_end] policy & identify assets at [blank_start]risk[blank_end] & likelihood of [blank_start]risks[blank_end] occurring

Fourth type of general controls is [blank_start]quality assurance[blank_end]. Need to recognise [blank_start]small[blank_end] group of people have responsibility to ensure [blank_start]quality[blank_end] standards for IT development are [blank_start]built[blank_end] in & [blank_start]maintained[blank_end] ([blank_start]quality assurance[blank_end] embedded into new [blank_start]system[blank_end] developments), [blank_start]quality assurance[blank_end] people need to be independent of [blank_start]development[blank_end] & [blank_start]maintenance[blank_end] & in smaller organisation may report to [blank_start]internal[blank_end] audit

Another classification of control in an IT environment is [blank_start]application controls[blank_end]. These are controls over specific [blank_start]areas[blank_end] & [blank_start]systems[blank_end]. This involves thinking about data [blank_start]capture[blank_end]/[blank_start]input[blank_end] controls, data [blank_start]processing[blank_end] controls, controls over [blank_start]output[blank_end] & controls over [blank_start]assets[blank_end] & [blank_start]liabilities[blank_end]

Auditor should rely on internal controls because it avoids need for [blank_start]increased[blank_end] levels of detailed [blank_start]substantive[blank_end] testing which are [blank_start]time consuming[blank_end] & [blank_start]boring[blank_end] manual work

In compliance tests/tests of control [blank_start]auditors[blank_end] evaluate whether internal [blank_start]controls[blank_end] & [blank_start]systems[blank_end] are designed to pick up material [blank_start]misstatements[blank_end] & have been operating [blank_start]effectively[blank_end] throughout period

Types of compliance tests/tests of control include [blank_start]information[blank_end]/[blank_start]audit[blank_end] trail, [blank_start]block[blank_end] testing/[blank_start]sample[blank_end] testing, [blank_start]interviews[blank_end] with company staff, [blank_start]observing[blank_end] staff at work, [blank_start]re-performance[blank_end] of control procedures & [blank_start]examination[blank_end] of management reviews

Audit process is driven by search for [blank_start]audit evidence[blank_end] to form an opinion, based on whole series of [blank_start]conclusions[blank_end] with regard to [blank_start]accuracy[blank_end] & [blank_start]dependability[blank_end] of accounting records, [blank_start]validity[blank_end] of figures in financial statements & [blank_start]compliance[blank_end] with legislation & accounting & reporting standards

According to ISA 500 & ISA 501 audit evidence is all [blank_start]information[blank_end] used by auditor in arriving at [blank_start]conclusions[blank_end] on which audit [blank_start]opinion[blank_end] is based & includes [blank_start]information[blank_end] contained in accounting [blank_start]records[blank_end] underlying financial statements & other [blank_start]information[blank_end]

Audit evidence collection procedures include [blank_start]inquiry[blank_end] (ask about [blank_start]processes[blank_end] & [blank_start]way[blank_end] system works), [blank_start]inspection[blank_end], [blank_start]observation[blank_end], [blank_start]confirmation[blank_end], [blank_start]recalculation[blank_end], [blank_start]re-performance[blank_end] & [blank_start]analytical[blank_end] procedures

One generalisation for assessing audit evidence (ISA 500) is audit evidence is more [blank_start]reliable[blank_end] when it is obtained from [blank_start]independent[blank_end] sources outside [blank_start]entity[blank_end]

Another generalisation for assessing audit evidence (ISA 500) is audit [blank_start]evidence[blank_end] that is generated internally is more [blank_start]reliable[blank_end] when related [blank_start]controls[blank_end] imposed by entity are [blank_start]effective[blank_end]

Third generalisation for assessing audit evidence (ISA 500) is audit evidence [blank_start]obtained[blank_end] directly by [blank_start]auditor[blank_end] is more [blank_start]reliable[blank_end] than audit evidence [blank_start]obtained[blank_end] indirectly or by [blank_start]inference[blank_end]

Fourth generalisation for assessing audit evidence (ISA 500) is audit evidence is more [blank_start]reliable[blank_end] when it exists in [blank_start]documentary[blank_end] form

Fifth generalisation for assessing audit evidence (ISA 500) is audit evidence provided by original [blank_start]documents[blank_end] is more [blank_start]reliable[blank_end] than audit evidence provided by [blank_start]photocopies[blank_end]

Sixth generalisation for assessing audit evidence (ISA 500) is evidence created in [blank_start]normal[blank_end] course of [blank_start]business[blank_end] is better than evidence specially [blank_start]created[blank_end] to satisfy [blank_start]auditor[blank_end]

Seventh generalisation for assessing audit evidence (ISA 500) is [blank_start]best-informed[blank_end] source of audit evidence will be [blank_start]management[blank_end] but management’s lack of [blank_start]independence[blank_end] reduces its value as source of such evidence

Eighth generalisation for assessing audit evidence (ISA 500) is evidence about [blank_start]future[blank_end] is difficult to [blank_start]obtain[blank_end] & less [blank_start]reliable[blank_end] than evidence about [blank_start]past[blank_end] events

Ninth generalisation for assessing audit evidence (ISA 500) is evidence may be [blank_start]upgraded[blank_end] by skilful use of [blank_start]supportive[blank_end] evidence

Audit tests are designed to obtain [blank_start]evidence[blank_end] about financial statement [blank_start]assertions[blank_end]. [blank_start]Assertions[blank_end] relate to classes of [blank_start]transactions[blank_end] & [blank_start]events[blank_end], account [blank_start]balances[blank_end] at period-end, & [blank_start]presentation[blank_end] & [blank_start]disclosure[blank_end]

Key assertions for balance sheet include [blank_start]existence[blank_end] (& [blank_start]occurrence[blank_end]), [blank_start]rights[blank_end] & [blank_start]obligations[blank_end], [blank_start]completeness[blank_end] & [blank_start]valuation[blank_end] & [blank_start]allocation[blank_end]

Key assertions for profit & loss include [blank_start]occurrence[blank_end], [blank_start]completeness[blank_end], [blank_start]accuracy[blank_end], [blank_start]cut-off[blank_end] & [blank_start]classification[blank_end]

Key assertions for notes include [blank_start]occurrence[blank_end] & [blank_start]rights[blank_end] & [blank_start]obligations[blank_end], [blank_start]completeness[blank_end], [blank_start]classification[blank_end] & [blank_start]understandability[blank_end] & [blank_start]accuracy[blank_end] & [blank_start]valuation[blank_end]

[blank_start]Client[blank_end] makes assertions that they have [blank_start]controls[blank_end] in place to ensure [blank_start]completeness[blank_end] & [blank_start]accuracy[blank_end] of all aspects of financial statements at [blank_start]balance[blank_end] & [blank_start]transactional[blank_end] level. Auditor undertakes [blank_start]tests[blank_end] of those [blank_start]controls[blank_end]. Auditor then undertakes [blank_start]substantive[blank_end] testing either via [blank_start]analytical[blank_end] review or [blank_start]tests[blank_end] of detail to gather [blank_start]evidence[blank_end] to prove that assertions are true or false