This part considers the auditors’ approach to
internal control systems as outlined in ISA 315 ‘understanding the entity and
its environment and assessing the risks of a material misstatement’ and then
considers what internal control is and gives a
internal control systems as outlined in ISA 315 ‘understanding the entity and
its environment and assessing the risks of a material misstatement’ and then
considers what internal control is and gives a
detailed review of internal
control in specific areas. At the end we take a look at the ideas on control
environment and control procedures and consider the limitations of internal
control.
The auditor and internal control
As we have seen, ISA 315 requires auditors to
obtain an understanding of the internal control sufficient to plan the audit
and develop an effective audit approach.
obtain an understanding of the internal control sufficient to plan the audit
and develop an effective audit approach.
This includes:
·
Using the
understanding of internal control to identify types of potential misstatements;
Using the
understanding of internal control to identify types of potential misstatements;
·
Considering
factors that affect the risks of potential misstatements; and
Considering
factors that affect the risks of potential misstatements; and
·
Designing
the nature, timing and extent of audit procedure.
Designing
the nature, timing and extent of audit procedure.
ISA 315 is based on the idea that internal control
is not simply a set of produces and checks but instead includes a whole range
of activities and attitudes.
is not simply a set of produces and checks but instead includes a whole range
of activities and attitudes.
Internal control consists of the following:
·
The
control environment.
The
control environment.
·
The risk
assessment processes
The risk
assessment processes
·
The
information system, including the related business processes, relevant to
financial reporting and communication.
The
information system, including the related business processes, relevant to
financial reporting and communication.
·
Control
activities
Control
activities
·
Monitoring
of controls
Monitoring
of controls
Clearly smaller and less complex organizations will
have less complex systems. They may not, for example, have detailed written
procedures, or formal risk assessment policies; in owner managed businesses the
owner/manager may well be directly involved in internal control matters which,
in larger organizations, would be the responsibility of accountants, managers
or internal auditors.
have less complex systems. They may not, for example, have detailed written
procedures, or formal risk assessment policies; in owner managed businesses the
owner/manager may well be directly involved in internal control matters which,
in larger organizations, would be the responsibility of accountants, managers
or internal auditors.
Within the organization there will be many and
various controls of many and various aspects of the organization’s activities.
It is important to understand that the ones the auditor in interested in are
the ones which relate to the objective of preparing accounts which are true and
fair. This will, primarily, center on the financial system and the control of
assets and liabilities as well as some of the controls involved in the risk
management processes of the organization.
various controls of many and various aspects of the organization’s activities.
It is important to understand that the ones the auditor in interested in are
the ones which relate to the objective of preparing accounts which are true and
fair. This will, primarily, center on the financial system and the control of
assets and liabilities as well as some of the controls involved in the risk
management processes of the organization.
Some internal controls used for management control
purposes are not immediately relevant to the audit. For example, a company may
have controls designed to prevent excessive use materials in production, or
controls designed to make operations efficient, such as an airline’s automated
controls to maintain flight schedules. These are not directly relevant to a
financial statement audit.
purposes are not immediately relevant to the audit. For example, a company may
have controls designed to prevent excessive use materials in production, or
controls designed to make operations efficient, such as an airline’s automated
controls to maintain flight schedules. These are not directly relevant to a
financial statement audit.
The auditor must exercise professional judgment in
deciding whether a control, or series of controls, is relevant and should be tested;
included in that decisions-making process will be judgments which involve
deciding whether a control, or series of controls, is relevant and should be tested;
included in that decisions-making process will be judgments which involve
·
The size
of the business;
The size
of the business;
·
Its
nature, including its ownership and how it is organized;
Its
nature, including its ownership and how it is organized;
·
How
diverse and complex its operation are;
How
diverse and complex its operation are;
·
The legal
and regulatory framework it operates within;
The legal
and regulatory framework it operates within;
·
The
nature and complexity of the financial and management systems;
The
nature and complexity of the financial and management systems;
·
The level
of materiality or significance of the transaction being controlled which the
auditor will have set at the planning stage.
The level
of materiality or significance of the transaction being controlled which the
auditor will have set at the planning stage.
What the auditors are trying to do is to make judgments’
about the efficiency and reliability of the internal control systems and the
risks involved should it fail, so that the audit effort can be concentrated in
areas of highest risk and where the systems are most vulnerable.
about the efficiency and reliability of the internal control systems and the
risks involved should it fail, so that the audit effort can be concentrated in
areas of highest risk and where the systems are most vulnerable.
The auditor has to obtain a full understanding of
how the controls work and how effective they are in preventing misstatements
and detecting errors. They do this by:
how the controls work and how effective they are in preventing misstatements
and detecting errors. They do this by:
·
Asking
questions of managers and staff;
Asking
questions of managers and staff;
·
Observing
controls in operation;
Observing
controls in operation;
·
Inspecting
documents and reports;
Inspecting
documents and reports;
·
Tracing
transactions thorough the system.
Tracing
transactions thorough the system.
However, one important thing for the student to
understand is that understanding the controls is not the same as testing the
controls. Auditors use their knowledge of the systems and controls to design
their audit procedures for the testing of the system and its controls.
understand is that understanding the controls is not the same as testing the
controls. Auditors use their knowledge of the systems and controls to design
their audit procedures for the testing of the system and its controls.
Students need to understand the integrated nature
of the accounting system and the internal controls which are built into it.
of the accounting system and the internal controls which are built into it.
There are five key aspects to internal control:
The control environment
This includes the attitudes, awareness and actions
of the directors and senior managers of the organization. It is, in effect, the
culture of the organization insofar as it relates to internal control and is
part of the corporate governance framework
of the directors and senior managers of the organization. It is, in effect, the
culture of the organization insofar as it relates to internal control and is
part of the corporate governance framework
It includes:
·
The
fostering and communication of a culture of honesty and ethical behavior
throughout the organization.
The
fostering and communication of a culture of honesty and ethical behavior
throughout the organization.
·
A
commitment to competence-to training and maintaining the appropriate levels of
skill and knowledge.
A
commitment to competence-to training and maintaining the appropriate levels of
skill and knowledge.
·
Management’s
philosophy and operating style, their approach to risk and attitudes toward
correct financial reporting.
Management’s
philosophy and operating style, their approach to risk and attitudes toward
correct financial reporting.
·
The
organization structure.
The
organization structure.
·
The
involvement of non-executive directors in the audit process
The
involvement of non-executive directors in the audit process
·
The human
resource policies-recruitment, training, evaluation, promotion, and rewarding
of staff.
The human
resource policies-recruitment, training, evaluation, promotion, and rewarding
of staff.
The auditor must assess the control environment,
and ensure that the policies and procedures which are part of it are actively
being implemented. This will form part of the routine audit tests which we will
look at later.
and ensure that the policies and procedures which are part of it are actively
being implemented. This will form part of the routine audit tests which we will
look at later.
The risk assessment process
We look at this in more detail in chapter 14 when
we discuss business risk and the business risk approach to business risk, or at
least those relevant to financial reporting and assess what, if any, impact
these are likely to have on the financial accounts.
we discuss business risk and the business risk approach to business risk, or at
least those relevant to financial reporting and assess what, if any, impact
these are likely to have on the financial accounts.
The auditor will look at:
·
How
management identifies business risks relevant to financial reporting.
How
management identifies business risks relevant to financial reporting.
·
How
management estimates the significance of those risks.
How
management estimates the significance of those risks.
·
How
management assesses the likelihood of their occurrence.
How
management assesses the likelihood of their occurrence.
·
What
actions they decide to take in respect of the risks they have identified.
What
actions they decide to take in respect of the risks they have identified.
Once again we are only concerned with the risk of
loss of customers due to competition or risks posed by the potential loss of a
key supplier, are not directly relevant to the audit of the financial
statements; however so how management identifies and deals with these types of
risk is something the auditors have to review.
loss of customers due to competition or risks posed by the potential loss of a
key supplier, are not directly relevant to the audit of the financial
statements; however so how management identifies and deals with these types of
risk is something the auditors have to review.
The information system
The auditor has to obtain a full understanding of
the information system and the related business processes.
the information system and the related business processes.
This includes:
·
The
classes of transaction in the organization’s operation which are significant to
the financial systems.
The
classes of transaction in the organization’s operation which are significant to
the financial systems.
·
The
procedures, both IT and manual, which are used to record those transactions.
The
procedures, both IT and manual, which are used to record those transactions.
·
The
related accounting records, whether electronic or manual and the supporting
information used to initiate, record, process and report transactions.
The
related accounting records, whether electronic or manual and the supporting
information used to initiate, record, process and report transactions.
·
How the system
work.
How the system
work.
·
The
process by which the organization prepares its financial statements.
The
process by which the organization prepares its financial statements.
Control activities
These are the detailed policies and procedures that
help ensure that management directives are carried out, for example, that
necessary actions are taken to address the risks that threaten achievement of
the organization’s objectives.
help ensure that management directives are carried out, for example, that
necessary actions are taken to address the risks that threaten achievement of
the organization’s objectives.
Monitoring of controls
It is important to understand that the management
should not be using the eternal auditors as the vehicle for monitoring the
effectiveness or otherwise of their system of internal control.
should not be using the eternal auditors as the vehicle for monitoring the
effectiveness or otherwise of their system of internal control.
They should have their own procedures which might
take the form of:
take the form of:
·
Internal
audit-carried out by specialist internal auditors.
Internal
audit-carried out by specialist internal auditors.
·
Senior
management review-where senior mangers perform audit-type tests on selected
parts of the system.
Senior
management review-where senior mangers perform audit-type tests on selected
parts of the system.
·
Analysis
of the results by applying analytical procedures to, say, monthly management
account and detecting anomalies or areas for investigation.
Analysis
of the results by applying analytical procedures to, say, monthly management
account and detecting anomalies or areas for investigation.
