C2: AUDITING AND ASSURANCE
Topic: Internal Controls
Compiled by EmmaChris & G. Bundala

Internal Controls (ICs) – ISA 315

To be covered:
• Introduction to ICs
• Classification of controls
• Components of ICs
  – Control environment
  – Risk assessment
  – Control activities
  – Information and communication
  – Monitoring
• Responsibilities for ICs
• Internal audit as an aspect of IC
• IC in small entities
• Limitations of ICs
• A case on ICs

1. Introduction to ICs

• ISA 315, Identifying and Assessing the Risk of Material Misstatement (RoMM) through Understanding the Entity and Its Environment, states that:
  – ‘The objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud or error, at the FS and assertion levels,… …through understanding the entity and its environment, including the entity’s internal control, … …thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement’
• Understanding ICs helps the auditor to design further audit procedures.
  – If the auditor relies on ICs, then he will reduce the nature, timing and extent (NTE) of substantive procedures
  – Otherwise, more detailed procedures have to be performed to substantiate a transaction or balance
• Internal control is the process designed and effected by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of the entity’s objectives with regard to:
  – reliability of financial reporting,
  – effectiveness and efficiency of operations, and
  – compliance with applicable laws and regulations.
• From the definition:
  – IC is a process, not an event
  – IC is effected by people (BOD, management, …)
  – IC provides reasonable assurance
  – IC is geared to the achievement of objectives

2. Classification of controls

i. Directive controls: cause or encourage a desirable event to occur.
  – E.g. policies and procedures, laws and regulations, training seminars
ii. Detective controls: designed to detect errors or irregularities that may have occurred.
  – E.g. reviews and comparisons, reconciliations
iii. Corrective controls: designed to correct errors or irregularities that have been detected.
  – E.g. corrective journal entries
iv. Preventive controls: designed to keep errors or irregularities from occurring in the first place.
  – E.g. segregation of duties, physical control over assets, locking the office door to discourage theft, using passwords to restrict computer access
v. Recovery controls: designed to recover data in case there is a loss.
  – E.g. backups, storing documents and IT backups in a protected environment

Note that:
  – Controls are complementary (they overlap/function together to achieve the same objective)
  – Compensating controls reduce the risk that an existing or potential control weakness will result in a misstatement
  – Controls are redundant if they address the same control objective

3. Components of internal control

There are five components of ICs:
i. Control environment
ii. Risk assessment
iii. Control activities
iv. Information and communication
v. Monitoring

i. Control environment
• Includes the governance and management function of an organisation.
• Is the foundation for effective ICs.
• The control environment includes the following elements:
  – Integrity and ethical values: communication and enforcement of integrity and ethical values
  – Commitment to competence
  – Human resource policies and practices
  – Assignment of authority and responsibility
  – Management's philosophy and operating style
  – Board of Directors' or Audit Committee participation
  – Organizational structure

ii. Risk assessment
Risk assessment is the process of identifying risks to achieving objectives; analyzing potential events, considering their likelihood of occurring and impact on achieving objectives; and deciding how to respond to the risks.

Risk assessment involves:
i. Risk identification
ii. Analyzing the key risks (likelihood and impact)
iii. Deciding how to respond to each risk. Risk responses are avoiding, reducing, transferring (sharing), and accepting risk.

In summary, when identifying risk, look at the following:
i. Changes in the operating environment (e.g. increased competition)
ii. New personnel
iii. New information systems
iv. Rapid growth
v. New technology
vi. New lines, products, or activities
vii. Corporate restructuring
viii. Foreign operations
ix. Accounting pronouncements

iii. Control activities
Control activities are actions taken to minimize risks. They include:
  – Segregation of duties
  – Physical safeguarding (control over assets & records)
  – Document design & control (documents & records)
  – Comparisons, reconciliations & control accounts
  – Authorisation of transactions & activities

iv. Information and communication
Methods and records established to record, process, summarize, and report transactions and to maintain accountability of related assets and liabilities.

v. Monitoring
Refers to the assessment of the quality of internal control performance over time. It can be:
a. Ongoing monitoring, which occurs in the course of operations.
b. Periodic monitoring, which includes tasks such as periodic internal audit and annual reviews of high-risk business processes.

4. Responsibilities for ICs

Management:
• Design, installation and maintenance of effective controls
• Concerns include:
  – Reliability and accuracy of information
  – Compliance with applicable laws/regulations & policies
  – Effectiveness & efficiency of operations
  – Safeguarding assets and records of the company

Auditor:
• Obtain an understanding of internal control relevant to the audit (ISA 315)
• Concerns include:
  – Reliability of financial reporting
  – Emphasis on controls over classes of transactions
  – Safeguarding assets and records of the company

5. Internal audit as an aspect of IC

• ISA 610 (3): “internal auditing means an appraisal activity established within an entity as a service to the entity. Its functions include, among other things, monitoring internal control”
• Generally, internal audit is an aspect of internal control
• According to ISA 610 (2): “the external auditor should consider the activities of internal auditing and their effect, if any, on external audit procedures”

6. ICs in small entities

• Characteristics of small entities that have audit significance:
  – Owned by a few individuals who control their operations
  – Management sees no need for hiring personnel with accounting knowledge (not cost-effective)
  – Deficiency in internal controls
  – Usually lack an active & effective policy-making body
  – Executives dominate the affairs of the entity to a far greater extent than in larger entities
  – Higher potential for management override due to domination
  – Few employees, but they may have access to assets

7. ICs in small entities..

Implications for the audit (SME):
  – The limited (few) number of employees prevents separation of duties
  – Auditor is forced to rely more on management’s assertions that cannot be independently confirmed
  – Auditor has to perform more substantive tests and consider other qualitative factors
  – Lack of/weakness in internal controls has cost implications

8. Limitations of ICs

i. Only cost-effective controls can be implemented
ii. Controls are usually directed at routine transactions
iii. Potential human error due to carelessness, distraction, mistakes of judgement, etc.
iv. Possible evasion of controls through collusion within or with those outside the entity
v. Abuse of responsibility for implementing controls
vi. Inadequacy of controls due to changing situations, or compliance may deteriorate over time
vii. Collusion: two or more people acting together against ICs

A case on IC..