F8: Audit and Assurance

2 Designed to give you knowledge and application of: Section A: Audit Framework and Regulation Section B: Internal audit Section C: Planning and risk assessment Section D: Internal control Section E: Audit evidence Section F: Review Section G: Reporting

3 Section D: Internal Control Designed to give you knowledge and application of: D1. Internal control systems D2. The use of internal control systems by auditors D3. Transaction cycles D4. Tests of control D5. The evaluation of internal control components D6. Communication on internal control

4 Learning Outcomes D1: Internal control system,  Explain why an auditor needs to obtain an understanding of internal control activities relevant to audit. [1]  Describe and explain the five components of an internal control system. [1]  Discuss the difference between tests of control & substantive testing. [1]

5 D3: Transaction Cycles Learning Outcomes  Explain, analyse & provide examples of internal control procedures, control activities. [2]  Provide examples of computer system controls. [2]

6 D4: Tests of Control Learning Outcomes  Explain & tabulate tests of control suitable for inclusion in audit working papers. [2]  List examples of application controls and general IT controls. [2]

7 D6: Communication on internal control Learning Outcomes  Examples of how the reporting of internal control significant deficiencies and recommendations to overcome those significant deficiencies are provided to management. [2]

8 What are internal controls? Process effected by BoD, management etc. to provide reasonable assurance on the organisation. Efficiency & effectiveness of operations Compliance with law & regulations Reliability of financial reporting Refer to examples on pages 237 and 238

9 What internal controls are relevant to audit? Those that have an impact on the FS… Avoidance of fraud / error / wastages Planning the audit & understanding the internal control Reliability of financial reporting Accuracy of records Prompt corrections of weaknesses in internal control Refer to examples on pages 238 to 240

10 Remember it as PAIRS According to ISA 315 examples of specific control activities are Authorisation Performance reviews Physical controls Information processing Segregation of duties Control activity Consists of polices, procedures which help to ensure that the management directives are followed. Components of internal control Internal control consists of the following components:  the control environment  the entity’s risk assessment process  the information system, including the related business processes, relevant to financial reporting & communication  control activities  monitoring of controls IFAC Glossary of terms Continued… Components of internal control and control activities

11 Example  securing the assets by employing security staff to guard the assets  permitting restricted access to the strong-room of a bank  carrying out a physical verification of the cash daily Physical controls Designed to ensure the physical security of assets Segregation of duties Reduces risk of errors & fraud Assigning responsibilities of authorising transactions, recording transactions & maintaining custody of assets to different people Example (Purchase transactions):  the purchase manager will raise the purchase order.  the storekeeper will receive the goods.  the accountant will record the purchase transaction.  the cashier will make the payment for the purchase Continued…

12  Important transactions & process have the approval of officials decided by the management  The entity has complied with pre-determined policies. Benefits of authorisation  All the important transactions & processes which require to be authorised  Level of authority that is responsible for the authorisation Entity needs to identify  Inspect validity of documents  Approve transactions by initialling & dating document Process for approval by authorised person Authorisation: Approval of transactions / process by authorised person Example A person authorising the payroll will review the  Timesheet,  overtime records etc. of the employees Check:  Calculations &  Authorise the payroll by initialing & dating it. Continued…

13 Information processing Variety of controls which are performed to test the accuracy, completeness & authorisation of transactions in a computerised system Grouped into Application controls General IT controls Authorisation: only authorised person can use the software Completeness: transactions are complete Accuracy: transactions are accurately recorded Ensure control over: Data centre, change of system software, access security & is a base for application IT controls Continued…

14 Includes  Comparing actual figure with budgets, forecasts & prior period items  Relating different sets of data – operating / financial (with each other) Performance review Management reviews performance to find out whether the results are according to expectations. Continued… Refer to Example (Air Cool Fans) on page 279 Refer to Test Yourself 1 on page 291

15 Tests of control are performed by a combination of various methods, by the auditor namely Observation: observes mail opening procedure of an entity Enquiry: consults purchase manager about capital expenditure methods Inspection: checks that the receipts are recorded in cash book Re-performance: tests the control in operation for purchases every year Tests of controls: Tests performed to obtain audit evidence about the operating effectiveness of controls in preventing, / detecting & correcting, material misstatements at the assertion level. - IFAC Glossary of terms Tests of controls

16 The difference between tests of control & substantive procedures Test of controlSubstantive procedures Provide audit evidence that internal controls are operating as they should Detect material misstatements at the assertion level Focus on how controls were appliedEstablish directly whether the system objectives are being achieved If controls are operating properly, the level of substantive procedures is reduced and vice versa Transaction cycles Refers to policies & sequence of procedures for processing a particular type of transaction Stream of related data Is a series of steps taken to get something done, document & report it

17 Expense bill- received by Tom (clerk) who records the bill in the inward register of bills Administrative department Forwards to relevant department – the head of the dept. approves the bill and Forwards to General manager Send to Payments < 1000 > 1000 Paid in cash Paid in cheque Sent to accounts department for payment By cashier By accountant Approves the bill for payment If satisfied Bills < 5000 Authorised for payment by General manager Bills > 5000 Approval of relevant directors is also taken IF Example of Transaction flow for payments

18 Transaction flow Placement of orders Identify need for procurement Send out enquiries Receipt of replies Comparative Study of enquiries Raise the purchase order Receipt of materials Recording of transactions Payment made Payments Goods returned

19 Objectives Procurement is made only when the requirements are genuine Purchases are made at the most optimum prices Purchases meet the required quality standards Purchases are correctly accounted for Payments are made according to agreed terms Purchase transactions Control objectives : The controls which need to be in place so as that the auditors can have a reasonable assurance about the reliability of the internal control system. The auditor designs his audit procedures based on the control objectives. So do not mistake the objectives for the audit tests. Refer to Example on page 308 Explain, analyse & provide examples of internal control procedures & control activities, Provide examples of computer system controls. Continued…

20 General points for calculating payroll To be calculated in accordance with company policy To be prepared by authorised persons in accordance with company policy An auditor should verify the procedure for preparation of the pay sheet & written policies of the company Wages and salaries are paid at the correct rates Objectives of payroll Wages and salaries are paid to the right people. Wages & salaries are paid on time Refer to Example on page 317 Continued…

21 external auditor not responsible for detecting & reporting internal control deficiencies Extent of auditor’s responsibility for detecting & reporting internal control deficiencies only deficiency noticed by auditor during course of audit should be communicated Communication of deficiencies Method of communication Time of communication Level of communication written oral Deficiency should be communicated as soon as possible Deficiency should be communicated directly to responsible person Discuss & provide examples of how the reporting of internal control weaknesses & recommendations to overcome those weaknesses are provided to management. Continued…

22 Deficiency Deficiency in internal control – This exists when: (i) A control is designed, implemented / operated in such a way that it is unable to prevent, / detect & correct, misstatements in the financial statements on a timely basis; or (ii) A control necessary to prevent, / detect & correct, misstatements in the financial statements on a timely basis is missing Significant deficiency A deficiency / combination of deficiencies in internal control that, in the auditor’s professional judgment, is of sufficient importance to merit the attention of those charged with governance. Matters to consider while deciding whether it is significant deficiency  The possibility that the deficiencies may result in material misstatements in the financial statements in the future  The possibility that the related asset or liability is vulnerable to loss / fraud  The likelihood that while determining estimated amounts internal control may have failed to cover all the significant matters.  The amounts in the financial statements may be exposed to the deficiencies.  The number of activities occurring in the account balance / class of transactions may be exposed to the deficiencies Refer to example on page 365 Continued…

23 RECAP  Explain why an auditor needs to obtain an understanding of internal control activities relevant to audit. [1]  Describe and explain the five components of an internal control system. [1]  Discuss the difference between tests of control & substantive testing. [1]  Explain, analyse & provide examples of internal control procedures, control activities. [2]  Provide examples of computer system controls. [2]  Explain & tabulate tests of control suitable for inclusion in audit working papers. [2]  List examples of application controls and general IT controls. [2]  Examples of how the reporting of internal control significant deficiencies and recommendations to overcome those significant deficiencies are provided to management. [2]