- Number of slides: 49
CHAPTER 8 UNDERSTANDING THE INTERNAL CONTROL STRUCTURE AND ASSESSING CONTROL RISK
Copyright 2003 McGraw-Hill Australia Pty Ltd. PPTs t/a Auditing and Assurance Services in Australia by Gay & Simnett. Slides prepared by Roger Simnett.
AUDIT STRATEGY AND INTERNAL CONTROL STRUCTURE
To reach a conclusion on the reliability of the underlying accounting data, the auditor can:
• Test the accounting data (substantive approach).
• Perform procedures to review and evaluate the internal control structure to see whether the accounting data was developed under conditions likely to ensure accuracy and reliability (lower assessed level of control risk approach).
The auditor adopts the best combination of these approaches.

STRUCTURE OF AND RESPONSIBILITY FOR INTERNAL CONTROL
The internal control structure is: management’s philosophy and operating style, and all the policies and procedures adopted by management to assist in achieving the entity’s objectives.
Management is responsible for establishing, maintaining and monitoring the internal control structure.

INHERENT LIMITATIONS OF INTERNAL CONTROL STRUCTURE
Inherent limitations arise because of:
• Control breakdowns as a result of the actions of careless, fatigued or deviant staff
• The possibility of management override
• The existence of non-routine transactions for which internal controls were not devised

REASONABLE ASSURANCE
• The internal control structure should be designed to provide reasonable assurance that assets are safeguarded and accounting records are reliable.
• The concept of reasonable assurance recognises that, in some cases, the cost of establishing and maintaining controls can outweigh the benefits of adopting them.

OBJECTIVES OF INTERNAL CONTROL STRUCTURE
Management controls:
• Risks are identified and minimised
• Management decision making is effective and business processes efficient
Transaction controls:
• Transactions are carried out in accordance with management’s general or specific authorisations
• Transactions are promptly and accurately recorded so as to allow the preparation of financial reports
• Access to assets is limited in accordance with authorisation
• Asset records are compared with existing assets at reasonable intervals

MANAGEMENT CONTROLS
Management controls include activities such as:
• Communicating business objectives and goals
• Establishing lines of authority and accountability
• Establishing and enforcing appropriate codes of corporate conduct
• Monitoring both external and internal risk environments
• Defining policies and procedures for dealing with these risks
• Monitoring performance of key segments of the entity through performance indicators and benchmarking
TRANSACTION CONTROLS
Performed by staff and lower-level management. Every transaction goes through the identifiable steps of authorisation, execution and recording. The accuracy and reliability of transaction records depend on:
• Authorisation and approval — Transactions are appropriately authorised.
• Occurrence — Recorded transactions represent events that occurred.
• Completeness — All authorised transactions are recorded.
• Measurement — Transactions are accurately recorded in the proper amounts, proper account classification and proper accounting period.
• Safeguarding — Access is restricted to authorised personnel.
• Reconciliation — Recorded amounts are periodically reconciled with counts of assets.

CHARACTERISTICS OF A SATISFACTORY INTERNAL CONTROL STRUCTURE
• Controls to monitor and minimise business risks
• Segregation of incompatible duties and responsibilities
• System of authorisation, recording and procedures to provide control over assets, liabilities, revenues and expenses
• Sound business practices in the performance of duties and functions
• Capabilities commensurate with responsibilities

ELEMENTS OF THE INTERNAL CONTROL STRUCTURE
• Control environment
• Information system
• Control procedures
CONTROL ENVIRONMENT
The control environment includes management’s overall attitude, awareness and actions regarding internal control and its importance in the entity. (AUS 402.04/ISA 400.08)

CONTROL ENVIRONMENT EVALUATION
The auditor should consider:
• Management’s philosophy and operating style
• Entity’s organisational structure
• Assignment of authority and responsibility
• Existence and effectiveness of internal audit
• Use of information technology
• Competence and integrity of the entity’s human resources
• Existence and effectiveness of the audit committee

INFORMATION SYSTEM
Consists of the methods and records established to:
• Identify, assemble, analyse, classify, record and report exchange transactions and relevant events and conditions; and
• Maintain accountability for the entity’s assets, liabilities, revenues and expenditures.

CONTROL PROCEDURES
• Include both the policies and the procedures that management has established to ensure its directives are carried out.
• Control procedures are added to the accounting system to ensure that the system produces accurate and reliable data.

EVALUATING CONTROL PROCEDURES
The auditor will be interested in control procedures aimed at ensuring the internal control objectives concerning:
• Authorisation and approval, e.g. control of access
• Occurrence, e.g. proper use of documents
• Completeness, e.g. accounting for the sequence of preprinted documents
• Measurement, e.g. use of control totals
• Safeguarding, e.g. physical protection
• Reconciliations, e.g. inventory counts

INTERNATIONAL DEVELOPMENTS
In 1992, the Committee of Sponsoring Organisations of the Treadway Commission (COSO) in the USA identified an extended set of internal control procedures. The five components of the internal control structure identified by COSO are:
• Control environment
• Monitoring
• Risk assessment
• Information and communication
• Control activities

IAASB AUDIT RISK SUBCOMMITTEE
Considering revision of the applicable auditing standards to reflect the strategic business risk approach. The approach appears to:
• Enhance the required understanding of internal control
• Include a requirement to evaluate internal control for:
  - significant risks; and
  - other risks for which it is not practicable or possible to reduce audit risk to an acceptably low level using substantive procedures.
This is a significant change to current standards, under which the auditor does not have to evaluate internal controls if control risk is set at high.
CONSIDERING THE INTERNAL CONTROL STRUCTURE IN A FINANCIAL REPORT AUDIT
• For every audit, irrespective of the intended reliance on IC, the auditor must obtain sufficient understanding of the internal control structure to plan the audit and determine the tests to be performed.
• The nature and extent of the auditor’s consideration of the internal control structure varies considerably across audits and depends on the audit strategy.

STEPS IN AUDITOR’S CONSIDERATION OF INTERNAL CONTROL STRUCTURE
Fig. 8.2 Steps in the auditor’s consideration of the internal control structure (p. 338)

UNDERSTANDING THE CONTROL ENVIRONMENT
The auditor gains an understanding of the control environment by:
• Making enquiries of key management personnel
• Inspecting documented policies and procedures
• Observing activities and operations
• Considering past experience with the client

UNDERSTANDING THE INFORMATION SYSTEM
The auditor is required to obtain sufficient knowledge of the information system to understand:
• Major classes of transactions
• Initiation of transactions
• Records, documents and accounts
• Accounting processing
• Financial reporting procedures

UNDERSTANDING THE CONTROL PROCEDURES
An auditor is required to obtain an understanding sufficient to develop an audit plan (AUS 402.23/ISA 400.20). Procedures include:
• Discussion with client management and staff
• Inspection of documentation
• Observation of the entity’s activities, operations and procedures
• Walkthrough - the auditor traces one or a few transactions of each type through the related documents and accounting records, observing the related processing and control procedures in operation

PROCEDURES TO DOCUMENT UNDERSTANDING OF INTERNAL CONTROL STRUCTURE
• Internal control questionnaires and checklists
• Narrative memoranda
• Flowcharts

ASSESSMENT OF CONTROL RISK AS HIGH
Control risk will be assessed as high when:
• The entity does not have internal controls that relate to the specific assertion;
• Testing of internal controls is likely to indicate that internal controls are weak; or
• Testing of internal controls is not the most efficient method of obtaining audit evidence.

ASSESSING CONTROL RISK AS LESS THAN HIGH
For each assertion where control risk is assessed as less than high:
• Tests of controls need to be performed to ensure the design and operation of the control is adequate to support the lowered assessed level of control risk
• Detection risk is assessed as higher, and as a result fewer substantive procedures are expected to be performed
LEVELS OF CONTROL IN COMPUTERISED SYSTEMS
Two main categories:
• User controls: those controls established and maintained by departments whose processing is performed by computer.
• CIS controls: those controls established and maintained in the location of the computer, for example in data-processing departments.

CIS CONTROLS AND GENERAL AND APPLICATION CONTROLS
• CIS controls can be further divided into general and application controls: general controls if they relate to a number of application systems, application controls if they relate to a particular application.
• User controls are always application controls, given their purpose.

GENERAL CONTROLS
Manual and computer controls that relate to all or many computerised accounting applications, to provide a reasonable level of assurance that the overall objectives of internal control are achieved. General controls include:
• Segregation of duties
• Control over programs
• Control over data

SEGREGATION OF DUTIES
The auditor is especially interested in:
• Separation between CIS and user department functions
• Separation of incompatible functions within the CIS department, especially those with an understanding of the system from those with access to the system
SEGREGATION OF DUTIES WITHIN CIS
Separate positions within the CIS department:
Knowledge: those with an understanding of systems and programs
• CIS manager
• Systems analysts
• Applications programmers
Access: those with access to the computer, production programs and data files
• Computer operators
• Data-entry clerks (no access to computer console, data control records or programs)
• Data-control clerks (no access to computer console)
• Librarian (no access to computer console)
• Systems programmers*
* The position of systems programmer must have access to perform the function. Systems programmers should have no detailed knowledge of the company’s accounting systems or application programs.
Table 8.1 Segregation of duties within CIS (p. 352)
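The knowledge/access split in Table 8.1 can be checked mechanically against an entity’s actual role assignments, which is what an auditor or an identity administrator would do when reviewing who holds which CIS positions. The following is an added example, not code from the textbook: the position names and the two categories follow the table, while the per-position resource grants (GRANTS) are a constructed assumption used to make the table’s footnoted restrictions (FORBIDS) checkable. The check generalises the table slightly by also flagging two access positions whose combination hands a person a resource one of those positions is meant to be kept away from (for example an operator who is also a data-entry clerk).

```python
"""Segregation-of-duties check over the knowledge/access split of Table 8.1.

Added example, not from the textbook. Position names and categories follow
the table; GRANTS is a constructed assumption about which resources each
access position touches, and FORBIDS encodes the table's footnotes.
"""

KNOWLEDGE = {"CIS manager", "Systems analyst", "Applications programmer"}
ACCESS = {"Computer operator", "Data-entry clerk", "Data-control clerk",
          "Librarian", "Systems programmer"}

# Constructed assumption: resources each access position can reach.
GRANTS = {
    "Computer operator": {"console", "production programs", "data files"},
    "Data-entry clerk": {"data entry"},
    "Data-control clerk": {"data control records"},
    "Librarian": {"program library", "data files"},
    "Systems programmer": {"console", "systems software"},
}
# From the table's notes: resources a position must NOT reach.
FORBIDS = {
    "Data-entry clerk": {"console", "data control records", "production programs"},
    "Data-control clerk": {"console"},
    "Librarian": {"console"},
}


def conflicts_for(positions):
    """Return a list of conflict descriptions for one person's set of positions."""
    positions = set(positions)
    found = []
    held_knowledge = sorted(positions & KNOWLEDGE)
    held_access = sorted(positions & ACCESS)
    # The primary control: nobody holds both an understanding of the system
    # and access to it.
    if held_knowledge and held_access:
        found.append(f"knowledge/access: {held_knowledge} with {held_access}")
    # Secondary check: a resource forbidden to one held position must not be
    # reachable through another held position.
    reachable = set()
    for p in positions:
        reachable |= GRANTS.get(p, set())
    for p in sorted(positions):
        hit = sorted(FORBIDS.get(p, set()) & reachable)
        if hit:
            found.append(f"{p} must not reach {hit}")
    unknown = sorted(positions - KNOWLEDGE - ACCESS)
    if unknown:
        found.append(f"unknown positions: {unknown}")
    return found


def sod_report(assignments):
    """Map user -> conflicts, listing only users with at least one conflict."""
    report = {}
    for user, positions in assignments.items():
        conflicts = conflicts_for(positions)
        if conflicts:
            report[user] = conflicts
    return report


if __name__ == "__main__":
    # Constructed sample assignments.
    sample = {
        "alice": ["Systems analyst", "Computer operator"],   # knowledge + access
        "bob": ["Data-entry clerk", "Computer operator"],    # operator reaches the console
        "carol": ["Librarian"],                              # clean
    }
    for user, conflicts in sod_report(sample).items():
        print(user, conflicts)
```

Running the module prints the two conflicting users; a clean assignment produces an empty report, which is the condition an auditor would want to see before placing reliance on this general control.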
CONTROL OVER PROGRAMS
Includes control over:
• Development or acquisition of new programs
• Changes to existing programs
• Access to programs
• Systems software

CONTROL OVER DATA
• Control procedures in user departments to ensure restricted access (e.g. key passes)
• Control procedures in CIS departments at the input and processing stage
• Restriction of access to data files (e.g. password)

OTHER GENERAL CONTROLS
• These include controls that back up hardware, software and files and ensure recovery when the computer installation or particular files or programs are damaged.
• These do not normally have an effect on an auditor’s control risk assessment.

APPLICATION CONTROLS
• Relate to individual computerised accounting applications (e.g. debtors)
• Contribute to the achievement of the specific control objectives considered by the auditor in tests of controls
• Can be programmed or manual and located in either the user departments or the CIS department

USER DEPARTMENT APPLICATION CONTROLS
• Control totals:
  - Financial totals
  - Record totals
  - Hash totals
• Review and reconciliation of data
• Error correction and resubmission procedures
• Authorisation of each transaction and batch of transactions

CIS APPLICATION CONTROLS
Usually classified in the following categories:
• Input
• File
• Processing
• Output

INPUT CONTROLS
• Control totals
• Key verification
• Key entry verification
• Programmed controls:
  - Check digit
  - Limit or reasonableness test
  - Field test
  - Valid code test
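The four programmed input controls listed on the slide are edit checks applied to each record before it is accepted into processing. The block below is an added example, not the textbook’s code, showing all four together: a modulus-10 (Luhn) check digit on the customer number, a limit test on the amount, field tests on the numeric and date fields, and a valid code test against a chart of accounts. The check-digit scheme, the 50 000 amount ceiling, the YYYY-MM-DD date layout and the account codes are all constructed assumptions; an entity would substitute its own.

```python
"""Programmed input controls: check digit, limit/reasonableness, field and valid-code tests.

Added example, not from the textbook. Assumes a modulus-10 (Luhn) check
digit on customer numbers, an amount ceiling of 50 000, ISO dates and a
constructed chart of account codes.
"""
from datetime import date

VALID_ACCOUNT_CODES = {"1100", "1200", "4000", "5000"}   # constructed chart of accounts
AMOUNT_CEILING = 50_000.00                                # constructed limit-test threshold


def luhn_valid(number: str) -> bool:
    """Modulus-10 check-digit test; the rightmost digit is the check digit."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_record(rec: dict) -> list:
    """Return the edit-check failures for one input record; [] means accepted."""
    errors = []
    # Field test: each field must have the required character class or format.
    customer_no = str(rec.get("customer_no", ""))
    if not customer_no.isdigit():
        errors.append("field: customer_no must be numeric")
    elif not luhn_valid(customer_no):
        # Check digit: catches single-digit keying errors and most transpositions.
        errors.append("check digit: customer_no fails modulus-10")
    try:
        amount = float(rec.get("amount"))
    except (TypeError, ValueError):
        amount = None
        errors.append("field: amount must be numeric")
    try:
        date.fromisoformat(str(rec.get("date")))
    except ValueError:
        errors.append("field: date must be YYYY-MM-DD")
    # Limit / reasonableness test: amount must be positive and under the ceiling.
    if amount is not None and not (0 < amount <= AMOUNT_CEILING):
        errors.append(f"limit: amount {amount} outside (0, {AMOUNT_CEILING}]")
    # Valid code test: the account must exist in the chart of accounts.
    if rec.get("account") not in VALID_ACCOUNT_CODES:
        errors.append(f"valid code: account {rec.get('account')!r} not in chart of accounts")
    return errors


def edit_batch(records):
    """Split a batch into accepted records and (record, errors) rejections."""
    accepted, rejected = [], []
    for rec in records:
        errs = validate_record(rec)
        if errs:
            rejected.append((rec, errs))
        else:
            accepted.append(rec)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample input: one clean record, one that fails every test.
    batch = [
        {"customer_no": "79927398713", "amount": "1250.00", "date": "2003-06-30", "account": "1200"},
        {"customer_no": "79927398710", "amount": "-5", "date": "2003-13-01", "account": "9999"},
    ]
    ok, bad = edit_batch(batch)
    print(len(ok), "accepted;", len(bad), "rejected")
    for rec, errs in bad:
        print(rec["customer_no"], errs)
```

Rejected records go to the error correction and resubmission procedure listed under user department application controls; the point of keeping the rejection list separate is that the record count of accepted plus rejected records still reconciles to the batch’s record total.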
FILE CONTROLS
Include:
• Internal file labels — computer-readable data that identifies the content of a file
• External file labels — printed or handwritten labels attached to the disk or tape

PROCESSING CONTROLS
• Programmed control procedures:
  - Checking the numerical sequence of records
  - Comparing related fields
• Run-to-run control totals
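The control totals from the user department slide (financial, record and hash totals) and the processing controls listed here (sequence checking, comparing related fields, run-to-run totals) are usually applied to the same batch at different stages, so one worked example covers both. The block below is an added example, not the textbook’s code: the batch layout (document number, customer number, quantity, unit price, amount), the ledger and the sample values are constructed, and the hash total is taken over the customer number field, which is an arbitrary but conventional choice. The sample batch has one record dropped after its header totals were prepared, so the checks show what each control detects.

```python
"""Batch control totals and processing controls over a constructed sales batch.

Added example, not from the textbook. The record layout, sample values and
ledger are constructed; the hash total is taken over customer_no.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Txn:
    doc_no: int
    customer_no: int
    qty: int
    unit_price: float
    amount: float


@dataclass(frozen=True)
class Totals:
    records: int          # record total
    financial: float      # financial total (sum of amounts)
    hash_: int            # hash total (sum of a non-monetary field)


def control_totals(batch: List[Txn]) -> Totals:
    """Recompute the three control totals from the records actually present."""
    return Totals(len(batch),
                  round(sum(t.amount for t in batch), 2),
                  sum(t.customer_no for t in batch))


def compare_totals(expected: Totals, actual: Totals) -> List[str]:
    """Differences between the totals on the batch header and the recomputed ones."""
    diffs = []
    if expected.records != actual.records:
        diffs.append(f"record total {expected.records} != {actual.records}")
    if abs(expected.financial - actual.financial) >= 0.005:
        diffs.append(f"financial total {expected.financial} != {actual.financial}")
    if expected.hash_ != actual.hash_:
        diffs.append(f"hash total {expected.hash_} != {actual.hash_}")
    return diffs


def sequence_check(batch: List[Txn]) -> Tuple[List[int], List[int]]:
    """Missing and duplicated document numbers within the batch's numeric range."""
    nums = sorted(t.doc_no for t in batch)
    expected = set(range(nums[0], nums[-1] + 1)) if nums else set()
    missing = sorted(expected - set(nums))
    dupes = sorted({n for n in nums if nums.count(n) > 1})
    return missing, dupes


def related_field_check(batch: List[Txn]) -> List[int]:
    """Document numbers where qty x unit_price does not equal the keyed amount."""
    return [t.doc_no for t in batch
            if abs(round(t.qty * t.unit_price, 2) - t.amount) >= 0.005]


def post_run(batch: List[Txn], ledger: dict) -> dict:
    """Processing run: post each amount to the customer's ledger balance."""
    out = dict(ledger)
    for t in batch:
        out[t.customer_no] = round(out.get(t.customer_no, 0.0) + t.amount, 2)
    return out


def run_to_run_check(before: dict, after: dict, batch_totals: Totals) -> List[str]:
    """Opening balances + batch financial total must equal closing balances."""
    opening = round(sum(before.values()), 2)
    closing = round(sum(after.values()), 2)
    if abs(opening + batch_totals.financial - closing) >= 0.005:
        return [f"run-to-run: {opening} + {batch_totals.financial} != {closing}"]
    return []


# Constructed sample: header totals were struck over four records, but
# document 1003 (customer 4003, 500.00) was lost before input.
HEADER = Totals(records=4, financial=1540.00, hash_=4001 + 4002 + 4003 + 4004)
BATCH = [
    Txn(1001, 4001, 10, 25.00, 250.00),
    Txn(1002, 4002, 3, 100.00, 300.00),
    Txn(1004, 4004, 2, 245.00, 490.00),
]

if __name__ == "__main__":
    actual = control_totals(BATCH)
    print("totals:", compare_totals(HEADER, actual))
    print("sequence (missing, duplicates):", sequence_check(BATCH))
    print("related fields:", related_field_check(BATCH))
    opening_ledger = {4001: 100.0}
    closing_ledger = post_run(BATCH, opening_ledger)
    print("run-to-run vs header:", run_to_run_check(opening_ledger, closing_ledger, HEADER))
    print("run-to-run vs actual:", run_to_run_check(opening_ledger, closing_ledger, actual))
```

The three totals disagree with the header, the sequence check names the missing document, and the run-to-run check agrees with the recomputed totals but not with the header. That last point is the one an auditor cares about: run-to-run totals only prove that the processing run preserved what it was given, so they must be anchored to the totals struck in the user department, not to totals the computer recomputes for itself.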
OUTPUT CONTROLS
These include:
• Restricted distribution
• Automatic dating of reports
• Page numbering
• End-of-report messages

RELATIONSHIP BETWEEN THE REVIEW OF GENERAL AND APPLICATION CONTROLS
• The internal control evaluation should start by looking at general controls.
• If general controls are unreliable, the auditor has little confidence in programmed application controls and reduced confidence in manual application controls, so the auditor takes a more substantive approach to the audit.
• If general controls are reliable, the auditor makes a preliminary evaluation of application controls. If reliance on application controls is then planned, a more detailed evaluation of these controls is made, and the auditor determines the appropriate degree of testing of controls and substantive testing.

CONTROL SYSTEMS IN DIFFERENT ENVIRONMENTS: DATABASE SYSTEMS
• A database is a computer-readable file of records that is used by many accounting applications.
• In order to handle the processing of data, a system software program called a database management system (DBMS) is used.
• Guidance on auditing database systems is contained in AGS 1022/IAPS 1003.

STAND-ALONE PC SYSTEMS
• In such systems the distinction between general and application controls might be blurred and controls might be less structured. For this reason control risk might be assessed at the maximum level.
• Guidance on auditing stand-alone PC systems is contained in AGS 1018/IAPS 1001.

LANS AND OTHER NETWORKS
• Networking PCs means that processing is distributed to PCs at many locations.
• This can cause problems with security and control procedures, as they are more dispersed, and intensifies control risk.

COMPUTER SERVICE BUREAU
• A computer service bureau is a centre or service entity that performs computer applications for another company.
• A common application processed through a service entity is payroll.
• AUS 404/ISA 402 provides an auditor with guidance on the audit implications of using a computer service entity.

CONSIDERING THE WORK OF AN INTERNAL AUDITOR
• AUS 604/ISA 610 recognises that an external auditor is able to use the work of an internal auditor to assist in an audit engagement.
• The extent of reliance is dependent on the external auditor’s evaluation of the internal audit function.

DIFFERENCES BETWEEN INTERNAL AND EXTERNAL AUDITOR
• These differences are:
  - Objectives
  - Independence
  - Qualifications of each of the auditors
• For an external audit, each of these elements is regulated by the Corporations Act, while for an internal audit they are determined by management.

EVALUATING INTERNAL AUDIT
External auditors should consider:
• Organisational status
• Scope of internal auditing
• Technical competence
• Due professional care

USING THE SERVICES OF INTERNAL AUDIT
• Overall responsibility for the audit engagement remains with the external auditor.
• The external auditor is required to undertake a general evaluation as part of the review of the IC structure.
• If the external auditor plans to rely on internal audit, they should carefully review the internal auditor’s working papers and procedures to ensure testing is sufficient to meet their requirements, and that the conclusions outlined in the working papers are appropriate.