Chapter 10 – Internal control and the auditor
Self-review Questions
10.1
Explain briefly what is meant by an ‘accounting system’.
Accounting system has an input, a processing and an output stage.
 The input stage involves capturing a mass of accounting data from either:
Source documents, which are completed manually or electronically when transactions take
place, or
Memoranda generated by the entity’s accountant. These generally record non-transactions
data, for example, writing off bad debts and period end adjustments.
 The processing stage involves converting the mass of raw data into useful information. This may be
achieved using manual or, as in most cases, electronic data processing methods but, in each case, it is
accomplished through recording, classifying and summarising the data.
 The output stage involves preparing the accounting information in a form useful to those who wish to
use it; that is, appropriately classifying, grouping and titling information in a meaningful manner.
10.2
Explain briefly why a client’s accounting system is divided into sub systems (or audit segments) for
audit purposes. State two bases on which this sub-division may be used.
If the auditor was to try and gain an understanding of the system which generates the financial statements as
a single unit, (s)he would find it cumbersome, inefficient and, in many cases, somewhat overwhelming. In
order to put it into a more practical footing, the auditor (conceptually) dissets the accounting system into subdivisions, or audit segments.
10.3
Explain briefly the meaning of each of the following terms:
i)
Internal control system,
Process designed, implemented and maintained by management to provide reasonable assurance
about achieving the entity’s objectives in respect reliable financial reporting, effective and
efficient operations and compliance with applicable laws and regulations.
ii)
Control environment,
The environment created by the entity’s directors and executives, through their attitudes,
awareness and actions regarding the entity’s internal controls and their importance in the entity.
iii)
The entity’s risk assessment process,
The process adopted by the entity for identifying business risks relevant to financial reporting,
deciding how to respond to those risks and the results of those responses.
iv)
Control activities,
Policies and procedures designed to ensure that responsibilities delegated by management are
fulfilled and performed in the intended manner. This internal control component includes control
activities that relate to information technology (IT) environments.
v)
Monitoring of controls,
A process designed to assess the effectiveness of internal control performance over time. It
includes assessing the design and operation of controls on a timely basis, taking corrective action
when required and modifying the controls, as appropriate, for changed conditions.
vi)
General IT-controls,
Policies and procedures that support the effective functioning of application controls and
maintain the integrity and security of data.
vii)
Application controls.
Procedures that apply to the processing of individual applications that are designed to ensure the
integrity of the accounting records and financial data. Controls over the input, processing and
output of data.
10.4
Outline the seven characteristics of a good system of internal control relevant to financial reporting.
1)
2)
3)
4)
5)
6)
7)
Competent, reliable personnel who possess integrity;
Clearly defined areas of authority and responsibility;
Proper authorisation procedures;
Adequate records;
Segregation of incompatible duties;
Independent checks on performance;
Physical safeguarding of assets and records.
10.5
Describe briefly two procedures which are used to document auditees’ accounting sub-systems.
i)
ii)
Narrative descriptions; and
A detailed description of accounting routines which take place within an accounting sub-system.
Flowcharts.
A diagrammatic representation of the flow of documents or information through an accounting
sub-system and the processes which take place within the system.
10.6
Explain briefly the purpose of ‘walk through test’ and how it is conducted.
Once auditors have documented their understanding of each accounting sub-system, they will test this
understanding against the system itself – through a walk through test.
One or two transactions of each major class (e.g. credit sales, credit purchases cash received, cash paid) are
traced through the entire accounting system, from their initial recording at source to their final destination as
components of account balances in the financial statements.
A procedure to confirm the auditor’s understanding of the flow of transactions data through the client’s
accounting system and the accuracy of their documents recording the system.
10.7
Define in relation to internal controls:
i)
A strength,
Internal accounting controls which operate effectively to prevent, or detect and correct, errors
and irregularities in the accounting data which pass through the control point. These are the
controls on which the auditor may plan to rely to prevent material misstatements from occurring
in the financial statements and thus to reduce substantive tests.
ii)
A deficiency
Controls that are either missing or are designed, implemented or operated in such a way
that they are unable to prevent, or detect and correct, misstatements in the financial
statements on a timely basis.
10.8
List five examples of inherent limitations of internal control systems.
1) The extent of an entity’s internal accounting control procedures depends on their cost-effectiveness.
Beyond some point, the cost of instituting additional control activities will exceed the benefits to be
gained from more accurate financial data or increased safeguarding of assets. E.g. little point installing
£50,000 CCTV system to prevent theft of 20p biro pens.
2) Internal accounting controls are designed to prevent and detect errors and irregularities in normal,
frequently occurring transactions. However, errors are more likely to occur in recording and/or
processing of infrequent, unusual transactions – for the very reason that they are unusual.
3) The potential for error is always present because accounting personnel are human and therefore
prone to mistakes. Similarly, there may be an error in the design of a control activity or a person
responsible for performing a particular function may not fully understand the purpose of the function
and fails to take appropriate action. Thus, internal accounting controls may not always operate as
intended.
4) There is a possibility that management will override the controls, or two or more employees will
collude so as to circumvent controls, or a computer operator may override or disable checks within a
software programme.
5) Internal accounting control procedures may become inadequate or inappropriate as a result of
changes in the entity’s internal and/or external environment and, as a consequence, compliance with
the controls may deteriorate.
10.9
a) Explain briefly the purpose of ‘compliance procedures’.
As auditors assess the design and implementation of their clients’ internal accounting controls they identify
internal control strengths, that is, control activities which appear to be operating effectively to meet certain
audit objectives.
However, irrespective of how effective internal controls may appear to be, before auditors can rely on them to
eliminate errors and irregularities from the accounting data, their operating effectiveness must be tested
through compliance procedures.
b) Give two examples of compliance procedures and link each to the audit objective it is designed to
test.
i)
ii)
Procedures where the control activities leave no audit trail
The primary compliance procedure where the client’s control activities do not leave an audit
trail are enquiry, observation and – for certain computer applications – reperformance.
Procedures where the control activities leave an audit trail
Where an audit trail is available (that is, where there is tangible evidence that a control
procedure has or has not been performed), the primary tests are enquiry and observation (as
for cases where no audit trail is left), and also inspection of source documents and,
accounting records and documents and reperformance.
10.10
Describe briefly what is meant by ‘an audit plan’ and how it is prepared.
The audit plan includes a set of detailed audit procedures designed to meet the specific audit objectives of
each audit segment. ISA 300: Planning an audit of financial statements, audit plans are to describe:
a) The nature, timing and extent of planned risk assessment procedures;
b) The nature, timing and extent of further audit procedures at the assertion level;
c) Other planned audit procedures that are required to be carried out so that the engagement complies
with ISAs.
The audit plan is usually prepared (at least conceptually) in the following two stages:
i)
Planning format
In this stage, the audit objectives for each class of transactions, account balance or other financial
statement disclosure within each audit segment are identified.
ii)
Performance format
Once the lists of audit procedures to be performed have been compiled, the procedures are
arranged in a logical sequence and any overlapping procedures are eliminated. This results in a
list of audit procedures which are set out in a manner suitable for their performance. This is the
audit plan.