F8-09 Internal Control

Session 9
Internal Control
This session covers the following content from the ACCA Study Guide.
A. Audit Framework and Regulation
3. Corporate governance
c) Describe good corporate governance requirements relating to directors'
responsibilities (e.g. for risk management and internal control) and the
reporting responsibilities of auditors.
e) Explain the importance of internal control and risk management.
C. Internal Control
1. Internal control systems
a) Explain why an auditor needs to obtain an understanding of internal
control relevant to the audit.
b) Describe and explain the five components of internal control
the control environment
the entity's risk assessment process
the information system, including the related business processes,
relevant to financial reporting, and communication
control activities relevant to the audit
monitoring of controls.
2. The use and evaluation of internal control systems by auditors
a) Explain how auditors record internal control systems including the use of,
narrative notes, flowcharts, internal control questionnaires and internal
control evaluation questionnaires.
c) Discuss the limitations of internal control components.
Session 9 Guidance
Read through and ensure that you gain a good understanding of internal control—essential
practical theory. This session lays the foundation for Session 12 (Tests of Control) and Session 13
(Communication on Internal Control).
Learn the definition of internal control and its components (s.1.1) and understand the importance of
the control environment (s.1.2). Attempt Example 1.
Appreciate that an accounting system is only one aspect of an information system and is not
necessarily computer-based (s.1.4).
(continued on next page)
F8 Audit and Assurance (INT)
Becker Professional Education | ACCA Study System
Ali Niaz - [email protected]
Objective: To explain the concepts of internal control systems, the role of internal control
within corporate governance and the evaluation of internal control by auditors.
• Session 8
Control Environment
Risk Assessment
Information Systems
Control Activities
Monitoring Controls
• Introduction
• UK Corporate Governance
• Understanding Internal
• Methods for Understanding
• Impact of Audit Approach
• Reporting Weaknesses
Session 9 Guidance
Learn the control objectives relevant to the preparation and presentation of financial statements
and the definition and types of control activities (s.1.5).
Understand the inherent limitations in internal controls and attempt Example 2.
Learn the UK Code's requirement for a "sound system" of internal controls (s.2.2).
Learn the procedures and methods used in understanding the design and implementation of
internal control (s.3).
© 2014 DeVry/Becker Educational Development Corp. All rights reserved.
Ali Niaz - [email protected]
Session 9 • Internal Control
F8 Audit and Assurance (INT)
Internal Control Systems
The objective of the auditor is to identify and assess the risks of
material misstatement, whether due to fraud or error, at the financial
statement and assertion levels, through understanding the entity and
its environment, including the entity's internal control, thereby
providing a basis for designing and implementing responses to the
assessed risks of material misstatement.
Internal control—the process designed, implemented and
maintained by those charged with governance, management and
other personnel to provide reasonable assurance about:
< the achievement of the entity's objectives with regard to the
reliability of financial reporting;
< the effectiveness and efficiency of its operations; and
< compliance with applicable laws and regulations.
1.1.1 Components
© 2014 DeVry/Becker Educational Development Corp. All rights reserved.
Ali Niaz - [email protected]
F8 Audit and Assurance (INT)
Session 9 • Internal Control
1.1.2 Audit Requirements
< The auditor's primary consideration is whether, and how, a
specific control prevents, or detects and corrects, material
misstatements in the financial statements, rather than its
classification into any particular component.
The auditor must understand the five components of internal
control as an essential part of his risk assessment procedures.
He must obtain an understanding of:
= the control environment;
= the entity's process for identifying risks relevant to financial
reporting objectives and designing and implementing
controls to address those risks;
= the information system relevant to financial reporting;
Illustration 1 Understanding the
Information System
An understanding of the information system relevant to financial
reporting includes obtaining an understanding of the:
< Classes of transactions in the entity's operations which are
significant to the financial statements.
< Procedures by which those transactions are initiated, recorded,
processed and reported in the financial statements.
< Related accounting records, supporting information and specific
accounts in the financial statements.
< Ways the information system captures events and conditions
(other than classes of transactions) which are significant to the
financial statements.
< Financial reporting process used to prepare the entity's financial
statements, including significant accounting estimates and
the control activities to assess the risks of material
misstatement at the assertion level (and to design further
audit procedures responsive to assessed risks); and
= the major types of activities the entity uses to monitor
internal control over financial reporting and how the entity
initiates corrective actions to its controls.
In addition, auditors must also obtain an understanding of:
= how the entity has responded to risks arising from IT (see
Session 12); and
= how the entity communicates financial reporting roles and
responsibilities and significant matters relating to financial
© 2014 DeVry/Becker Educational Development Corp. All rights reserved.
Ali Niaz - [email protected]
Session 9 • Internal Control
F8 Audit and Assurance (INT)
Control Environment
The control environment relates to:
< governance and management functions; and
< the attitude, awareness and actions of management.
The control environment is the foundation for effective internal
control, providing discipline and structure because it:
< Sets the tone of an organisation, influencing the control
consciousness of its management and employees.
Strongly relates to how management (and governance) has
created a culture of honesty and ethical behaviour, supported
by appropriate controls to prevent and detect fraud and error,
= Communication and enforcement of integrity and ethical
= Cascade effect (i.e. following management's best
governance practice).
= Commitment to competence (e.g. only those with the
appropriate skills and knowledge are considered for each
= Participation by those charged with governance (see
Session 3):
− independent (as far as possible) from the entity and
management (e.g. non-executive directors, audit
− experienced and prepared to be a sounding board for
− prepared to work with, but stand up to, management;
− demanding and challenging of management decisions;
− access to documents and information as required;
− effective interaction with internal and external
auditors; and
− operation of "whistle-blowing" procedures, independent of
= Management's philosophy and operating style (including
approach to risk management and application of accounting
= Organisational structure (e.g. open and transparent or
closed and opaque).
= Assignment of authority and responsibility (e.g. clearly
= Human resource policies and practices (e.g. commitment to
best practice in recruitment, training, appraisal, counselling,
progression, compensation and remedial actions).
*A strong control
environment may be
a positive influence
when assessing, for
example, the risk
of fraud. However,
the elements must
be considered
collectively (e.g.
the enforcement of
ethical values together
with appropriate
recruitment policies for
a financial reporting
staff will not mitigate
aggressive earnings
reporting by senior
© 2014 DeVry/Becker Educational Development Corp. All rights reserved.
Ali Niaz - [email protected]
F8 Audit and Assurance (INT)
Session 9 • Internal Control
Risk Assessment Process
< These are the procedures by which the entity's management
identifies events which may lead to risks relevant to the
corporate objectives (including financial statement risks), and
how it decides to address those risks and review the results of
doing so.
A risk event is essentially any external or internal matter
which can lead to a positive or negative effect on the entity
achieving its objectives. Events may be expected (e.g. routine
and recurring) or unexpected, but predictable.
Beyond the development of a sound understanding of the
strategic and operational objectives, identifying events
which may affect the achievement of those objectives
requires a very detailed understanding of the entity, its
markets, legal, political, economic, social, technological
("PEST"), environmental and cultural environments in which
it operates.*
*The procedures used
to identify risk events
(e.g. event inventory
databases, internal/
external analysis,
process flow analysis,
trends and root
causes) are not in the
Illustration 2 Risk Events
< Changes in regulatory, legal and environmental requirements.
< Changes in customer demands, life style indicators, new competitor products, new suppliers,
locking in/locking out to suppliers/customers.
< Workplace accidents, fraud, dated work practices, renewal of agreements, strikes, increased
sick leave, need for preventative maintenance.
< Change management, outsourcing, changes in market share, inefficiency, increasing customer
complaints, production problems, loss of repeat business.
< IS security breaches, downtime of systems, denial of service, updating of websites.
© 2014 DeVry/Becker Educational Development Corp. All rights reserved.
Ali Niaz - [email protected]
Session 9 • Internal Control
F8 Audit and Assurance (INT)
Information System
< An information system consists of:
physical and hardware (if IT-based) infrastructure;
software (if IT-based);
= people;
= procedures; and
= data.
It includes the accounting system and consists of the procedures
and records established to initiate, record, process, report and
maintain accountability of the records and information necessary
to satisfy management and financial reporting objectives.*
By manual or programmed procedures (e.g.
manual sales order, Internet order through
website, re-order level trigger).
Identify, capture and record valid transactions
and relevant information on a timely basis,
including information for disclosure.
Edit, validate, calculate, measure, summarise,
reconcile and classify.
Preparation of management, financial and other
statements so that the transactions, disclosures
and other information are correctly presented.
For the related assets, liabilities and equity.
*This encompasses
recording the correct
monetary value
of transactions
and recording the
transactions in the
correct accounting
period (i.e. cut-off).
< Transactions may be standard (e.g. in the normal course of
business—sales, purchases, accruals, depreciation) or nonstandard (e.g. asset impairment, bad debt write-off, related
party transactions). How the information system deals with
all types of transactions must be understood (e.g. raising and
authorising journal entries).
The information system must also be able to deal with errors
and incorrect processing:
= Is a suspense account used and regularly checked and
= Is it possible to override the system or bypass controls?
= If so, how does the management deal with such matters?
Management must be able to demonstrate that it understands
the individual roles and responsibilities of those in the
information system. Individuals in the system must also
understand their roles and responsibilities and how they relate
to others in the system.
The means of reporting exceptions to a higher authority must
be clear and unambiguous. This includes reporting channels
to management, those charged with governance and, if
necessary, to an external authority (e.g. regulators).
© 2014 DeVry/Becker Educational Development Corp. All rights reserved.
Ali Niaz - [email protected]
F8 Audit and Assurance (INT)
Session 9 • Internal Control
Control Activities
Control activities—the policies and procedures which help ensure
that management directives are carried out and that actions are
taken to address risks that threaten the achievement of the entity's
< Control activities are performed by employees at all levels of
the entity.
Control activities may be:
= preventive or detective; and
= manual or automated.
Types of control activities and examples include:
< Basically, "if it can move, authorise it", for example:
purchase or disposal of non-current assets;
new suppliers, supplier payments;
purchase and sales invoices;
new employees, wage rates, promotions;
journal entries, bad debt write-offs.
< Actual against budget, prior year and variance analysis.
< Analytical review, internal versus external data.
< Functional or activity performance in that activities which
should have taken place actually took place.
< Accuracy, completeness and authorisation, for example:
checking arithmetical accuracy (e.g. of documents,
maintaining and reviewing accounts and trial balances;
carrying out reconciliations (e.g. bank, supplier
sequence checks of pre-numbered documents
(e.g. despatch notes);
completeness checks (e.g. that all documents have been
follow-up of error reports (and taking appropriate action);
IT general and application controls (see Session 12).
< Secured access to assets and records.
< Password access to computer systems.
< Comparing book to physical (e.g. inventory, petty cash, noncurrent assets).
of duties
< Separation of the authorising, recording and custody
Actions of one employee are checked by another.
© 2014 DeVry/Becker Educational Development Corp. All rights reserved.
Ali Niaz - [email protected]
Session 9 • Internal Control
F8 Audit and Assurance (INT)
Monitoring of Controls
Monitoring is a process to assess the effectiveness of internal
control performance over time. It involves assessing the design
and operation of controls on a timely basis and taking necessary
corrective actions for changes in conditions.*
< Ongoing monitoring activities (i.e. 24/7) are often built into
the normal recurring activities of an entity and include regular
management and supervisory activities.
*Without monitoring control systems and receiving feedback on the
performance of those controls, the entity's management will have no
idea whether a control, although still operating, is actually effective.
Example 1 Monitoring Activities
Describe FIVE monitoring activities.
© 2014 DeVry/Becker Educational Development Corp. All rights reserved.
Ali Niaz - [email protected]
F8 Audit and Assurance (INT)
Session 9 • Internal Control
Limitations of Internal Control
1.7.1 Manual v IT Controls
< Internal control comprises a mix of manual and IT controls.
Even where IT is extensively used, there will be manual
elements in the system (e.g. authorisation of programme
changes, monitoring the effectiveness of IT).
< In general, manual controls are considered to be higher risk
than IT controls as:*
= manual controls are performed by people who are less
predictable than IT and more error prone (e.g. they are
human, after all);
= manual controls are more easily bypassed, ignored
or overridden than IT controls (as IT controls are
programmed—the systems automatically run them); and
= manual controls are subject to random, simple errors and
< Manual controls may be more suitable where judgement and
discretion are required, for example:
= for large, unusual or non-recurring transactions;
= where errors are non-routine and difficult to define,
anticipate or predict;
= where a control response is required outside of the routine
automated control; and
= in monitoring the effectiveness of automated controls.
However, the very nature of using judgement and discretion
in internal control may mean high risk (e.g. where the control
environment—attitude, awareness and actions of management—is
*But note that an
IT system cannot
tell if a control is
will run the control
as programmed.
Appropriate controls
over the analysis,
design, programming
and testing of systems
are therefore crucial.
1.7.2 Inherent Limitations
< No internal control system, no matter how well-designed and
operated, can provide management with conclusive evidence
that the financial reporting objectives are reached. Only
reasonable assurance can be achieved.
Because no internal control system can be 100% perfect in
preventing error, especially deliberate error (i.e. fraud), ISA
240 The Auditor's Responsibilities Relating to Fraud in an
Audit of Financial Statements requires auditors to identify
and assess the risks of material misstatement of the financial
statements due to fraud, including the design, implementation
and effectiveness of fraud prevention controls (see
Session 11).
© 2014 DeVry/Becker Educational Development Corp. All rights reserved.
Ali Niaz - [email protected]
Session 9 • Internal Control
F8 Audit and Assurance (INT)
Example 2 Inherent Limitations
Suggest SIX inherent limitations in a typical control system, identifying those which may
directly lead to the potential for fraud.
© 2014 DeVry/Becker Educational Development Corp. All rights reserved.
Ali Niaz - [email protected]
F8 Audit and Assurance (INT)
Session 9 • Internal Control
Corporate Governance and Internal Control*
< Good corporate governance requires management (the board)
to (among many requirements):
= Review and guide corporate strategy, major plans of
action, risk policy, annual budgets and business plans;
set performance objectives; monitor implementation
and corporate performance; and oversee major capital
expenditures, acquisitions and divestitures (OECD).
= Ensure the integrity of the corporation's accounting and
financial reporting systems (e.g. independent audit, control
systems, risk management procedures, financial and
operational control, compliance with laws and regulations
Risk management and the use of sound internal controls are
fundamental elements of corporate governance.
*Also refer to
Session 3.
UK Corporate Governance Code
2.2.1 Turnbull Guidance on Internal Controls
< The Turnbull Guidance (www.frc.org.uk) on internal controls
under the UK's Corporate Governance Code takes a risk-based
*Under the Guidance, a company's system of internal control should
aim to manage "risks that are significant to the fulfilment of its
business objectives, with a view to safeguarding the company's
assets and enhancing, over time, the value of the shareholders'
investment". The Code requires a strong link between risk
management and internal controls.
< A "sound system of internal control" should provide reasonable
assurance that a company will not be hindered in:
= pursuing its business objectives; or
= the orderly and legitimate conduct of its business by
reasonably foreseeable occurrences.
But no matter how sound a system may be, it cannot
eliminate the possibility of:
= poor judgement in decision-making;
= human error;
= control processes being deliberately circumvented by
= management overriding controls; and
= the occurrence of unforeseeable circumstances.*
© 2014 DeVry/Becker Educational Development Corp. All rights reserved.
Ali Niaz - [email protected]
*In other words, the
basic limitations of
control systems.
Session 9 • Internal Control
F8 Audit and Assurance (INT)
< In determining its policies with regard to internal control (and
thereby assessing what constitutes a sound system of internal
control in the particular circumstances of the entity), the
board must consider:
= the nature and extent of the risks facing the company;
= the extent and categories of risk which are acceptable for
the company to bear;
= the likelihood of the risks concerned materialising;
= the company's ability to reduce the incidence and effect of
the business of risks which do materialise; and
= the costs of operating particular controls relative to the
benefit thereby obtained in managing the related risks.
The internal control system should encompass the policies,
processes, tasks, behaviours and other aspects of a company
which, taken together:
= facilitate its effective and efficient operation by enabling it
to respond appropriately to significant business, operational,
financial, compliance and other risks to achieving the
company's objectives. This includes safeguarding assets from
inappropriate use or from loss and fraud and ensuring that
liabilities are identified and managed;
= help ensure the quality of internal and external reporting. This
requires the maintenance of proper records and processes that
generate a flow of timely, relevant and reliable information
from inside and outside the organisation;
= help ensure compliance with applicable laws and regulations
and also with internal policies with respect to the conduct of
2.2.2 Review of Internal Control
< The Code requires an entity's board to regularly review, and
form its own opinion of, the effectiveness of the company's
system of internal control.
There should be a defined process for the board's review, to
support its statement in the annual report (as required by the
Code). It is not enough to rely on the internal control system
© 2014 DeVry/Becker Educational Development Corp. All rights reserved.
Ali Niaz - [email protected]
F8 Audit and Assurance (INT)
Session 9 • Internal Control
< The board should:
= receive
and review regular reports from management and
— the key risks;
— the effectiveness of the internal controls;
— whether necessary action is being taken promptly;
— the need for more extensive monitoring.
= ensure that all aspects of internal control are being
reviewed; and
= perform an annual review for the purposes of preparing a
statement for the annual report.
< If internal controls are regularly reviewed, the annual review
should be relatively straightforward and focus on:
= changes in risks since the last review;
= the company's ability to respond to change;
= the scope and quality of the management's ongoing
monitoring of internal control;
= the adequacy of communication;
= weaknesses in the system;
= the effectiveness of the year-end financial reporting
process; and
= whether the company needs a separate internal audit
function rather than relying on management to review
internal control.
< If internal control is not regularly reviewed, then the annual
review will have to be more comprehensive and this will take
longer. Therefore, it is better to review the system on a
regular basis so that the year-end review is easier to perform.
< Strong emphasis is placed on the role of internal audit in
assessing the effectiveness of the entity's risk assurance
procedures. If an entity does not have an internal audit
function, then it must consider, each year, the need for one
and state in its annual report that it has done so.
© 2014 DeVry/Becker Educational Development Corp. All rights reserved.
Ali Niaz - [email protected]
Session 9 • Internal Control
F8 Audit and Assurance (INT)
Evaluation of Internal
Control Systems
Understanding Internal Control
The auditor is required to obtain an understanding of the design and
implementation of internal controls to assess the risks of material
misstatement. This is different from gaining audit assurance from the
effectiveness of internal controls (see Session 12). Understanding
internal control helps the auditor to decide if a control, individually
or in combination with other controls, is capable of effectively
preventing, or detecting and correcting, material misstatements.
< If controls are poorly designed or are not implemented, there
is potentially a greater risk of material misstatement in the
financial statements.
< Professional judgement has to be used to identify those
controls (which may be in any one of the five control
elements) that relate to:
the entity's objective of preparing financial statements that
give a true and fair view; and
the management of risk that may result in a material
misstatement in the financial statements.
Illustration 3 Relevant Internal
Controls to prevent unauthorised ordering of materials, or the
curtailment of the supply of essential material, will be relevant
to the audit, whereas controls to prevent the excessive use
of material in the manufacturing process are unlikely to be
Controls over the completeness and accuracy of information
produced by the entity will be relevant to the auditor when he
intends to rely on that information in designing and performing
further procedures.
Controls relating to operations and compliance objectives will
be relevant to the auditor if he relates them to data the auditor
evaluates or uses in applying audit procedures.
Controls relating to effective and efficient operations (e.g.
an airline's system of automated controls to maintain flight
schedules) would not normally be relevant to an audit.
© 2014 DeVry/Becker Educational Development Corp. All rights reserved.
Ali Niaz - [email protected]
F8 Audit and Assurance (INT)
Session 9 • Internal Control
Methods for Understanding
< To be able to understand internal control, the design of a
control and then its implementation must be ascertained by
the auditor.
Evaluating the design of a control involves considering
whether the control, individually or in combination with
other controls, is capable of effectively preventing, or
detecting and correcting, material misstatements.
Implementation of a control means that the control exists
and that the entity is using it.
A poorly designed control may still result in a material
misstatement regardless of the fact that it is being correctly
3.2.1 Control Design
< Risk assessment procedures to obtain sufficient evidence
about the design of internal control include previous
experience, inquiry, observation, inspection and walkthroughs.
Past understanding and assessments carried
out (as recorded in the PAF). This must be
updated when changes have occurred in the
current year.
Usually of entity personnel (e.g.
management, internal audit, those charged
with governance, operational personnel).
Reviewing the application of specific controls,
especially in manual systems (e.g. inventory
counts, inspection of goods received,
enforcement of ethical practices).
Documents and reports, for example:
= the entity's risk-strategy assessment and
= internal control procedure manuals;
= management reports;
= system and control error reports;
= internal audit testing programmes
(including reports to management and
management response).
Desktop walk-through, supported by design
and procedural manuals, to gain a theoretical
understanding of the controls in a system.
Tracing a separate transaction through each
relevant element of the control system (e.g.
the sales system) and reviewing the design of
appropriate controls.
This will often require the use of computer
audit assisted techniques (CAATs: see
Session 21) to enable the transaction to be
traced through computer-based information
systems (IS).
© 2014 DeVry/Becker Educational Development Corp. All rights reserved.
Ali Niaz - [email protected]
*If a control is badly
designed, there is
no point in testing
whether it has been
Session 9 • Internal Control
F8 Audit and Assurance (INT)
3.2.2 Internal Control Documentation
< Auditors use flowcharting systems, narrative notes, internal
control questionnaires (ICQs) and internal control evaluation
questionnaires (ICEQs) as a framework for understanding the
design of internal controls.
< ICQs are composed of a series of questions for each control
cycle (e.g. sales, purchases, wages) and are designed to
identify whether particular internal controls exist (and if they
do not, to identify a possible area of weakness). For example:
= Is the customer credit limit checked before an order is
= Are goods received agreed to the authorised purchase
= Is the price charged by the supplier on the purchase invoice
agreed to an authorised price list?
= Is each amendment to the standing payroll database
reviewed to original input and authorisation and approved
by an independent official?
< Questions are framed such that a "No" answer indicates
a weakness and would highlight potential problems in
segregation of duties, controls or management supervision.
< ICQs must be:
= Comprehensive to ensure all controls are covered and to
highlight key and supporting controls.
= Easy to complete with reference to flowcharts, narrative
notes, walk-throughs and enquiries of client staff.
= Completed by competent members of the audit team.
< Weaknesses include the following:
Clients may be able to mislead the auditor, as they know a
"Yes" answer is required (so answers must be verified).
ICQs may contain questions on controls that are not
Actual controls operated by the client may not be included
in the ICQ.
ICQs may become a "tick box" exercise.
© 2014 DeVry/Becker Educational Development Corp. All rights reserved.
Ali Niaz - [email protected]
F8 Audit and Assurance (INT)
Session 9 • Internal Control
< ICEQs go further than ICQs in that they are designed to assess
whether errors or fraud are possible. The questions asked are
more open and principles-based than the closed form (rulesbased) questions of ICQs. They are also closely related with
control objectives. For example:
= How does the client ensure that goods are sent only to
customers who can pay?
= How does the client ensure that goods are accepted only if
the correct ordering procedures have been followed?
= How does the client ensure that payments are made only for
goods and services received and required by the company?
= How does the client ensure that amendments to the
standing payroll data are relevant and accurate?
Advantages include the following:
The questions in an ICEQ can be concentrated (targeted)
on the possibility of error and fraud in each cycle and
therefore specifically designed to cover such possibilities,
reducing the number of questions and increasing their
Each question can relate to more than one client, as
questions are open and each client may have different
relevant controls that meet the question requirement.
At the same time, an ICEQ can be specifically tailored to
each client.
The answers will describe the nature and extent of the
controls in operation. The auditor can then assess the
control design and decide whether or not to rely on them
(i.e. they can then form the basis of the control testing
Completing the ICEQ requires a higher level of understanding,
in order to be able to link the controls to each question. An
ICQ may be completed first to aid such understanding.*
*Many auditors combine the ICEQ with the implementation and
control testing programme: columns are used to ask the question, to
give details of the controls, to give details of the implementation and
compliance tests, and give the results of the test with the effect, if
any, on the substantive test procedures.
© 2014 DeVry/Becker Educational Development Corp. All rights reserved.
Ali Niaz - [email protected]
Session 9 • Internal Control
F8 Audit and Assurance (INT)
< A flowchart is a symbolic diagram representing the sequential
flow of authority, processes and documents.
< An adequate flowchart shows the origin of each document in
the system, its subsequent processing and its final disposal.
Flowcharts should:
= show the general flow of documents and data;
= start at the top of the page and move from top to bottom
and from left to right; and
= use descriptive wording.
The following are some of the most commonly used flowchart
Document or
(e.g., journals,
ledgers, etc.)
Key Entry
Tape File
On-page connector
Off-page connector
Off-line (paper) file; filed by:
Disk File
Data flow arrows
Communication link
© 2014 DeVry/Becker Educational Development Corp. All rights reserved.
Ali Niaz - [email protected]
F8 Audit and Assurance (INT)
Session 9 • Internal Control
Narrative Notes
< A narrative is essentially a written version of a flowchart. It
is a description of the auditor's understanding of the system
of internal control. A narrative is prepared by following a
sequence of events for a transaction through the accounting
< Narrative notes may be prepared for less complex systems of
controls and may be used with flowcharts to document more
complex systems.
Quick to prepare
Missing controls and
Client may overstate
Can present an entire
Difficult to change
May be cumbersome
deficiencies are clearly
system of controls in a
single diagram
Standard symbols make
it easy to see missing
Simple to record
Easy to understand
level of controls when
answering questions
Standard list of
questions may miss
unusual controls
without redrawing the
whole chart
Narrative notes may also
be needed
when documenting
complex systems
May not clearly identify
control exceptions
© 2014 DeVry/Becker Educational Development Corp. All rights reserved.
Ali Niaz - [email protected]
Session 9 • Internal Control
F8 Audit and Assurance (INT)
3.2.3 Control Implementation
< Inquiry alone is not sufficient to determine whether a control
has been implemented; it must be seen to be in operation.*
This may be achieved through a combination of:
Actions taken; and
Tracing a transaction through a system and checking that
the relevant controls are implemented (e.g. a purchase
order is authorised; the goods received note has been
agreed to it).
Tracing procedures and actions through a system (e.g. an
internal audit risk analysis report to management agreeing
that appropriate management action has taken place).
Tracing the general application of intangible procedures
(e.g. the ethical environment: that staff appear to be
ethically compliant and follow ethical guidance).
Where the systems are computer-based, computer assisted
audit techniques (CAATs) for testing individual control
implementation will be required (see Session 21).
Agreeing that procedures prior to the control action were
carried out. For example, where a bank reconciliation
is signed as having been checked by a manager, reperforming the bank reconciliation will confirm the accuracy
of the original work.
Control in operation (e.g. physical inspection of goods
received; physical inventory count; monitoring of IS/
Internet access and use by webmaster; meeting of audit
Actions taken
By responsible officials (e.g. follow up of an exception
report; risk analysis tracking; action taken following
disciplinary procedures).
Control operatives (e.g. internal audit, audit committee, risk
*Note that there are some areas of overlap between testing the
design and testing the implementation of controls.
Although many of the implementation testing procedures are broadly
the same as those used for testing the effectiveness of controls (see
Session 12), implementation testing involves testing to see that a
control was in operation at any one time and assists the auditor in
understanding the system. Testing for control effectiveness involves
testing to see if a control was in operation over a given period of
time (e.g. for the financial year) to obtain audit assurance that the
financial statements are free from material error.
In some circumstances, usually with IS, because of the
consistency of operation of automated controls, both objectives
(implementation and effectiveness) may be achieved through one
test (see Session 12). In a manual system, no evidence of the
control effectiveness over a period of time can be obtained by
implementation testing.
© 2014 DeVry/Becker Educational Development Corp. All rights reserved.
Ali Niaz - [email protected]
F8 Audit and Assurance (INT)
Session 9 • Internal Control
Example 3 Control Environment
Describe the approach to understanding internal control in the control environment.
Impact on Audit Approach
< As already noted, understanding the design of internal controls
and whether they have been implemented provides the auditor
with an understanding of the risks of material misstatement
due to poor design or non-operation.
If the auditor discovers that controls that were thought to
be operating are not, he must revisit the audit strategy and
consider the effect this will have (e.g. higher risk of material
misstatement with review of the nature, timing and extent of
substantive procedures to cover this higher risk).
If the auditor decides that placing reliance on the effectiveness
of the controls is an efficient and effective approach to
lowering audit risk to an acceptable level, he must obtain audit
evidence about the effectiveness of the control operations
throughout the period of the financial statements (see
Session 12).
© 2014 DeVry/Becker Educational Development Corp. All rights reserved.
Ali Niaz - [email protected]
Session 9 • Internal Control
F8 Audit and Assurance (INT)
Reporting Weaknesses
< Those charged with governance, or management, must be
informed by the auditor of material weaknesses in the design
or implementation of internal control. For example, they must
be informed of:
risks of material misstatement which the entity has not
= risks of material misstatement for which the relevant control
is inadequate or has not been implemented; and (if in the
auditor's judgement there are)
= material weaknesses in the entity's risk-assessment process
(i.e. the risk approach and control procedures of the entity).
This will be done through the use of a management letter
(sometimes referred to as a weakness letter)
(see Session 12).
© 2014 DeVry/Becker Educational Development Corp. All rights reserved.
Ali Niaz - [email protected]
Session 9
Internal control is the process that is designed, implemented and maintained to provide
reasonable assurance that the entity achieves its objectives related to:
financial reporting;
effectiveness and efficiency of operations; and
compliance with laws and regulations.
The components of internal control are:
control environment;
risk assessment;
information systems;
control activities; and
The control environment, which includes the attitude, awareness and actions of
management, provides the foundation for effective internal control.
Risk assessment is the process of identifying events which may affect how an entity
achieves its corporate objectives.
Accounting systems include procedures to initiate, record, process, report and maintain
information needed by management and for financial reporting.
Control activities are policies and procedures that help manage risk. They include
authorisation, performance reviews, information processing, physical controls and
segregation of duties.
Monitoring is the assessment of the effectiveness of internal control over time.
The auditor must understand:
A sound system of internal control should provide assurance that a company’s assets and
reputation are safeguarded. This assurance is not absolute due to the limitations in control
systems (e.g. human error).
the design of internal controls (e.g. through previous experience, inquiry, observation,
inspection and walk-throughs); and
the implementation of controls (e.g. through walk-throughs, CAATs, re-performance,
observation, etc).
Session 9 Quiz
Estimated time: 30 minutes
1. Explain the underlying objective of understanding the entity and its environment in
an audit. (1)
2. Define internal control. (1.1)
3. Identify the FIVE internal control components. (1.1.1)
4. State FIVE control activities. (1.5)
5. Describe an internal control system according to the Turnbull Guidance. (2.2.1)
6. Explain how understanding internal control helps the auditor. (3.1)
Identify the methods available to the auditor to assess control design. (3.2.1)
© 2014 DeVry/Becker Educational Development Corp. All rights reserved.
Ali Niaz - [email protected]
Solution 1—Monitoring Activities
< Checking that activities (e.g. bank reconciliations) are carried out.
< Reports are produced when expected and actions carried out (e.g.
follow up on exception reports).
< Customers paying amounts as stated on their statements or
complaining about being overcharged.
< External regulators reporting on aspects of the internal controls
relating to regulations (e.g. financial services).
< Internal audit evaluations of the effectiveness of internal control and
risk procedures.
< External audit management letters and reports.
< Business activity and management accounts discussed at monthly
board meetings and challenged by non-executive directors and those
charged with governance.
Solution 2—Inherent Limitations
< Cost of internal control should not exceed benefits derived.
< Non-routine transactions may bypass the controls (fraud risk).
< Human error/machine breakdown.
< Collusion to circumvent controls (fraud risk).
< Abuse of responsibility (e.g. management fraudulently overriding
internal control).
< Changes in conditions and emerging risks may make current
controls obsolete.
< Deterioration in compliance (fraud risk).
© 2014 DeVry/Becker Educational Development Corp. All rights reserved.
Ali Niaz - [email protected]
Solution 3—Control Environment
Communication and enforcement of integrity and ethical values:
these are essential elements which influence the effectiveness of the
design, administration and monitoring of controls:
= Review of code of ethics.
= Discussions with management, audit committee and employees on
how ethical practice is communicated and implemented.
= Review of complaints procedures, whistle-blowing, press reports
(e.g. on bribery).
Commitment to competence: matters such as management's
consideration of the competence levels for particular jobs and how
those levels translate into requisite skills and knowledge:
= Review HR policies, recruitment procedures, job descriptions,
personnel requirements, appraisal, disciplinary procedures, training
Participation by those charged with governance: discussions, review
of terms of reference, review of documentation (e.g. minutes,
memos, notes) and observation to obtain evidence on attributes of
those charged with governance:
= Their independence from management.
= Their experience and stature.
= The extent of their involvement and the information they receive
and the scrutiny of activities.
= The appropriateness of their actions, including the degree to which
difficult questions are raised and pursued with management, and
their interaction with internal and external auditors.
Management's philosophy and operating style, as above:
= Active and independent board overseeing management.
= Approach to taking and managing risks.
= Attitudes and actions towards financial reporting.
= Attitudes towards information processing and accounting functions
and personnel.
Organisational structure: the framework in which an entity's activities
for achieving its objectives are planned, executed, controlled and
= Review of organisation charts, structures, committee roles,
reporting lines, openness and transparency, committee minutes.
= Discussions and corroborating evidence with/from management
and employees.
Assignment of authority and responsibility as above, to obtain
evidence on how authority and responsibility for operating activities
are assigned and how reporting relationships and authorisation
hierarchies are established.
Human resource policies and practices: review, observe, discuss,
corroborating evidence on the policies and practices that relate to
recruitment, orientation, training, evaluation, counselling, promotion,
compensation and remedial actions, etc.
© 2014 DeVry/Becker Educational Development Corp. All rights reserved.
Ali Niaz - [email protected]
Related flashcards
Create Flashcards