Copyright © 2003 McGraw-Hill Australia Pty Ltd. PPTs t/a Auditing and Assurance Services in Australia by Gay & Simnett. Slides prepared by Roger Simnett.


1 CHAPTER 8 UNDERSTANDING THE INTERNAL CONTROL STRUCTURE AND ASSESSING CONTROL RISK

2 AUDIT STRATEGY AND INTERNAL CONTROL STRUCTURE
To reach a conclusion on reliability of underlying accounting data, the auditor can:
- Test the accounting data (substantive approach).
- Perform procedures to review and evaluate the internal control structure to see whether accounting data was developed under conditions likely to ensure accuracy and reliability (lower assessed level of control risk approach).
Auditor adopts the best combination of these approaches.

3 STRUCTURE OF AND RESPONSIBILITY FOR INTERNAL CONTROL
Internal control structure is: management’s philosophy and operating style, and all the policies and procedures adopted by management to assist in achieving the entity’s objectives.
Management is responsible for establishing, maintaining and monitoring the internal control structure.

4 INHERENT LIMITATIONS OF INTERNAL CONTROL STRUCTURE
Inherent limitations arise because of:
- Control breakdowns as a result of the actions of careless, fatigued or deviant staff
- The possibility of management override
- The existence of non-routine transactions for which internal controls were not devised

5 REASONABLE ASSURANCE
Internal control structure should be designed to provide reasonable assurance that assets are safeguarded and accounting records are reliable.
Concept of reasonable assurance recognises that, in some cases, cost of establishing and maintaining controls can outweigh benefits of adopting controls.

6 OBJECTIVES OF INTERNAL CONTROL STRUCTURE
Management controls:
- Risks are identified and minimised
- Management decision making is effective and business processes efficient
Transaction controls:
- Transactions are carried out in accordance with management’s general or specific authorisations
- Transactions are promptly and accurately recorded so as to allow the preparation of financial reports
- Access to assets limited in accordance with authorisation
- Asset records are compared with existing assets at reasonable intervals

7 MANAGEMENT CONTROLS
Management controls include activities such as:
- Communicating business objectives and goals
- Establishing lines of authority and accountability
- Establishing and enforcing appropriate codes of corporate conduct
- Monitoring both external and internal risk environments
- Defining policies and procedures for dealing with these risks
- Monitoring performance of key segments of the entity through performance indicators and benchmarking

8 TRANSACTION CONTROLS
Performed by staff and lower level management.
Every transaction goes through the identifiable steps of authorisation, execution and recording.
Accuracy and reliability of transaction records depend on:
- Authorisation and approval — Transactions appropriately authorised.
- Occurrence — Recorded transactions represent events that occurred.
- Completeness — All authorised transactions are recorded.
- Measurement — Transactions are accurately recorded in proper amounts, proper account classification and proper accounting period.
- Safeguarding — Access is restricted to authorised personnel.
- Reconciliation — Recorded amounts are periodically reconciled with counts of assets.

9 CHARACTERISTICS OF A SATISFACTORY INTERNAL CONTROL STRUCTURE
- Controls to monitor and minimise business risks
- Segregation of incompatible duties and responsibilities
- System of authorisation, recording and procedures to provide control over assets, liabilities, revenues and expenses
- Sound business practices in performance of duties and functions
- Capabilities commensurate with responsibilities

10 ELEMENTS OF THE INTERNAL CONTROL STRUCTURE
- Control environment
- Information system
- Control procedures

11 CONTROL ENVIRONMENT
The control environment includes management’s overall attitude, awareness and actions regarding internal control and its importance in the entity. (AUS 402.04/ISA 400.08)

12 CONTROL ENVIRONMENT EVALUATION
The auditor should consider:
- Management’s philosophy and operating style
- Entity’s organisational structure
- Assignment of authority and responsibility
- Existence and effectiveness of internal audit
- Use of information technology
- Competence and integrity of entity’s human resources
- Existence and effectiveness of audit committee

13 INFORMATION SYSTEM
Consists of methods and records established to:
- Identify, assemble, analyse, classify, record and report exchange transactions and relevant events and conditions; and
- Maintain accountability for entity’s assets, liabilities, revenues and expenditures.

14 CONTROL PROCEDURES
Includes both policies and procedures that management has established to ensure its directives are carried out.
Control procedures are added to the accounting system to ensure that system produces accurate and reliable data.

15 EVALUATING CONTROL PROCEDURES
The auditor will be interested in control procedures aimed at ensuring internal control objectives concerning:
- Authorisation and approval, e.g. control of access
- Occurrence, e.g. proper use of documents
- Completeness, e.g. accounting for sequence of pre-printed documents
- Measurement, e.g. use of control totals
- Safeguarding, e.g. physical protection
- Reconciliations, e.g. inventory counts

16 INTERNATIONAL DEVELOPMENTS
In 1992, the Committee of Sponsoring Organisations of the Treadway Commission (COSO) in the USA identified an extended set of internal control procedures.
The five components of internal control structure identified by COSO are:
- Control environment
- Monitoring
- Risk assessment
- Information and communication
- Control activities

17 IAASB AUDIT RISK SUBCOMMITTEE
Considering revision of applicable auditing standards to reflect strategic business risk approach.
Approach appears to:
- Enhance required understanding of internal control
- Include requirement to evaluate internal control for:
  - significant risks; and
  - other risks for which it is not practicable or possible to reduce audit risk to an acceptably low level using substantive procedures.
Significant change to current standards, where the auditor does not have to evaluate internal controls if control risk is set at high.

18 CONSIDERING THE INTERNAL CONTROL STRUCTURE IN A FINANCIAL REPORT AUDIT
For every audit, irrespective of intended reliance on IC, the auditor must obtain sufficient understanding of internal control structure to plan audit and determine tests to be performed.
The nature and extent of auditor’s consideration of internal control structure varies considerably across audits and depends on audit strategy.

19 STEPS IN AUDITOR’S CONSIDERATION OF INTERNAL CONTROL STRUCTURE
Fig. 8.2 Steps in auditor’s consideration of the internal control structure (p. 338)

20 UNDERSTANDING THE CONTROL ENVIRONMENT
Auditor gains understanding of control environment by:
- Making enquiries of key management personnel
- Inspecting documented policies and procedures
- Observing activities and operations
- Considering past experience with client

21 UNDERSTANDING THE INFORMATION SYSTEM
Auditor required to obtain sufficient knowledge of information system to understand:
- Major classes of transactions
- Initiation of transactions
- Records, documents and accounts
- Accounting processing
- Financial reporting procedures

22 UNDERSTANDING THE CONTROL PROCEDURES
An auditor is required to obtain an understanding sufficient to develop an audit plan (AUS 402.23/ISA 400.20).
Procedures include:
- Discussion with client management and staff
- Inspection of documentation
- Observation of the entity’s activities, operations and procedures
- Walkthrough: auditor traces one or a few transactions of each type through the related documents and accounting records, observing related processing and control procedures in operation

23 PROCEDURES TO DOCUMENT UNDERSTANDING OF INTERNAL CONTROL STRUCTURE
- Internal control questionnaires and checklists
- Narrative memoranda
- Flowcharts

24 ASSESSMENT OF CONTROL RISK AS HIGH
Control risk will be assessed as high when:
- Entity does not have internal controls that relate to specific assertion;
- Testing of internal controls is likely to indicate internal controls are weak; or
- Testing of internal controls is not the most efficient method of obtaining audit evidence.

25 ASSESSING CONTROL RISK AS LESS THAN HIGH
For each assertion where control risk is assessed as less than high:
- Tests of controls need to be performed to ensure design and operation of control is adequate to support lowered assessed level of control
- Detection risk is assessed as higher, and as a result fewer substantive procedures are expected to be performed

26 LEVELS OF CONTROL IN COMPUTERISED SYSTEMS
Two main categories:
- User controls: those controls established and maintained by departments whose processing is performed by computer.
- CIS controls: those controls established and maintained in the location of the computer, for example in data-processing departments.

27 CIS CONTROLS AND GENERAL AND APPLICATION CONTROLS
CIS controls can be further divided into general and application controls: general controls if they relate to a number of application systems, application controls if they relate to a particular application.
User controls are always application controls, given their purpose.

28 GENERAL CONTROLS
Manual and computer controls that relate to all or many computerised accounting applications to provide a reasonable level of assurance that overall objectives of internal control are achieved.
General controls include:
- Segregation of duties
- Control over programs
- Control over data

29 SEGREGATION OF DUTIES
Auditor especially interested in:
- Separation between CIS and user department functions
- Separation of incompatible functions within CIS department, especially those with an understanding of system from those with access to system

30 SEGREGATION OF DUTIES WITHIN CIS
Table 8.1 Segregation of duties within CIS (p. 352)
Separate: Knowledge (those with an understanding of systems and programs)
Positions within CIS department:
- CIS manager
- Systems analysts
- Applications programmers
Separate: Access (those with access to the computer, production programs and data files)
Positions within CIS department:
- Computer operators
- Data-entry clerks (no access to computer console, data control records or programs)
- Data-control clerks (no access to computer console)
- Librarian (no access to computer console)
- Systems programmers*
* The position of systems programmer must have access to perform the function. Systems programmers should have no detailed knowledge of the company’s accounting systems or application programs.

31 CONTROL OVER PROGRAMS
Includes control over:
- Development or acquisition of new programs
- Changes to existing programs
- Access to programs
- Systems software

32 CONTROL OVER DATA
- Control procedures in user departments to ensure restricted access (e.g. key passes)
- Control procedures in CIS departments at input and processing stage
- Restriction of access to data files (e.g. password)

33 OTHER GENERAL CONTROLS
These include controls that back up hardware, software and files and ensure recovery when computer installation or particular files or programs are damaged.
These do not normally have an effect on an auditor’s control risk assessment.

34 APPLICATION CONTROLS
- Relate to individual computerised accounting applications (e.g. debtors)
- Contribute to achievement of specific control objectives considered by auditor in tests of controls
- Can be programmed or manual and located in either the user departments or CIS department

35 USER DEPARTMENT APPLICATION CONTROLS
- Control totals:
  - Financial totals
  - Record totals
  - Hash totals
- Review and reconciliation of data
- Error correction and resubmission procedures
- Authorisation of each transaction and batch of transactions

36 CIS APPLICATION CONTROLS
Usually classified in the following categories:
- Input
- File
- Processing
- Output

37 INPUT CONTROLS
- Control totals
- Key verification
- Key entry verification
- Programmed controls:
  - Check digit
  - Limit or reasonableness test
  - Field test
  - Valid code test

38 FILE CONTROLS
Include:
- Internal file labels — computer-readable data that identifies content of file
- External file labels — printed or handwritten labels attached to disk or tape

39 PROCESSING CONTROLS
- Programmed control procedures:
  - Checking numerical sequence of records
  - Comparing related fields
- Run-to-run control totals
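
Added example, not part of the original slides: a Python sketch that applies the control totals of slide 35, the programmed input controls of slide 37 and the sequence check of slide 39 to one keyed batch. The Luhn check-digit scheme, the transaction codes, the limit, the field names and the sample records are all assumptions constructed for illustration.

```python
from decimal import Decimal, InvalidOperation

VALID_CODES = {"INV", "CRN", "RCT"}   # assumed transaction-type codes
LIMIT = Decimal("10000.00")           # assumed reasonableness ceiling

def luhn_ok(number):
    """Check digit test (Luhn mod-10 is an assumed scheme)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def input_errors(rec):
    """Programmed input controls for one keyed record; returns the failed tests."""
    errors = []
    acct = rec["account"]
    if not (acct.isascii() and acct.isdigit()):
        errors.append("field test: account")
    elif not luhn_ok(acct):
        errors.append("check digit")
    try:
        amount = Decimal(rec["amount"])
    except InvalidOperation:
        amount = None
    if amount is None or not amount.is_finite():
        errors.append("field test: amount")
    elif not Decimal("0") < amount <= LIMIT:
        errors.append("limit test")
    if rec["code"] not in VALID_CODES:
        errors.append("valid code test")
    return errors

def control_totals(records):
    """Record total, financial total and hash total (sum of account numbers)."""
    return {"record": len(records),
            "financial": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
            "hash": sum(int(r["account"]) for r in records)}

def sequence_exceptions(doc_numbers):
    """Missing and duplicated numbers in a run of pre-numbered documents."""
    seen = sorted(doc_numbers)
    missing = sorted(set(range(seen[0], seen[-1] + 1)) - set(seen)) if seen else []
    return missing, sorted({n for n in seen if seen.count(n) > 1})

def process_batch(header, keyed):
    """Edit each record, then balance the accepted ones to the batch header."""
    accepted, rejected = [], []
    for rec in keyed:
        errs = input_errors(rec)
        if errs:
            rejected.append((rec["doc_no"], errs))
        else:
            accepted.append(rec)
    totals = control_totals(accepted)
    missing, duplicates = sequence_exceptions(r["doc_no"] for r in keyed)
    return {"rejected": rejected, "missing": missing, "duplicates": duplicates,
            "out_of_balance": [k for k in header if header[k] != totals[k]]}

# Constructed sample: user-department header for documents 101-104, and the
# batch as keyed (103 lost, 102 keyed with transposed digits, 104 over limit).
HEADER = {"record": 4, "financial": Decimal("1675.50"), "hash": 1000020}
KEYED = [
    {"doc_no": 101, "account": "100008", "code": "INV", "amount": "250.00"},
    {"doc_no": 102, "account": "200060", "code": "INV", "amount": "400.00"},
    {"doc_no": 104, "account": "400002", "code": "RCT", "amount": "90000.00"},
]
```

The batch stays out of balance until the rejected records are corrected and resubmitted and the missing document is accounted for, which is the point at which the header totals and the recomputed totals agree.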

40 OUTPUT CONTROLS
These include:
- Restricted distribution
- Automatic dating of reports
- Page numbering
- End-of-report messages

41 RELATIONSHIP BETWEEN THE REVIEW OF GENERAL AND APPLICATION CONTROLS
Should start internal control evaluation by looking at general controls.
- If general controls are unreliable, auditor has little confidence in programmed application controls and reduced confidence in manual application controls => auditor takes more substantive approach to the audit.
- If general controls are reliable, auditor makes preliminary evaluation of application controls. If reliance on application controls is then planned, a more detailed evaluation of these controls is made => auditor determines appropriate degree of testing of controls and substantive testing.

42 CONTROL SYSTEMS IN DIFFERENT ENVIRONMENTS: DATABASE SYSTEMS
A database is a computer-readable file of records that is used by many accounting applications.
In order to handle processing of data, a system software program called a database management system (DBMS) is used.
Guidance on auditing database systems is contained in AGS 1022/IAPS 1003.

43 STAND-ALONE PC SYSTEMS
In such systems the distinction between general and application controls might be blurred and controls might be less structured. For this reason control risk might be assessed at maximum level.
Guidance on auditing stand-alone PC systems is contained in AGS 1018/IAPS 1001.

44 LANS AND OTHER NETWORKS
Networking PCs means that processing is distributed to PCs at many locations.
This can cause problems with security and control procedures as they are more dispersed and intensify control risk.

45 COMPUTER SERVICE BUREAU
Computer service bureau is a centre or service entity that performs computer applications for another company.
A common application processed through a service entity is payroll.
AUS 404/ISA 402 provides an auditor with guidance on audit implications of using a computer service entity.

46 CONSIDERING THE WORK OF AN INTERNAL AUDITOR
AUS 604/ISA 610 recognises that an external auditor is able to use the work of an internal auditor to assist in an audit engagement.
Extent of reliance is dependent on evaluation of internal audit function by external auditor.

47 DIFFERENCES BETWEEN INTERNAL AND EXTERNAL AUDITOR
These differences are:
- Objectives
- Independence
- Qualifications of each of the auditors
For an external audit, each of these elements is regulated by the Corporations Act, while they are determined by management for an internal audit.

48 EVALUATING INTERNAL AUDIT
External auditors should consider:
- Organisational status
- Scope of internal auditing
- Technical competence
- Due professional care

49 USING THE SERVICES OF INTERNAL AUDIT
Overall responsibility for audit engagement remains with external auditor.
External auditor is required to undertake general evaluation as part of review of IC structure.
If external auditor plans to rely on internal audit, they should carefully review internal auditor’s working papers and procedures to ensure testing is sufficient to meet their requirements, and that conclusions outlined in working papers are appropriate.

