Component of accounting and internal control system
These are:-
- Risk assessment
- Control environment
- Control procedures
1. Risk Assessment
Audit risk means the risk that the auditor may give an inappropriate audit opinion i.e. the auditor may report that the financial statements show a true and fair view while in reality they are materially misstated. Audit risk is composed of:
- Inherent risk
- Control risk
- Detection risk
1. Inherent risk
This is the risk that the account balances or transactions could be materially misstated assuming that there were no internal control system. Inherent risk could increase as a result of an adverse attitude of managers towards the internal control system i.e. if they view the internal control system as unimportant.
2. Control risk
This is the risk that a material misstatement could occur in an account balance or class of transactions which will not be prevented or detected in a timely manner by the entity’s accounting and internal control system.
3. Detection risk
This is the risk that the auditor’s tests of balances and transactions will not detect a material misstatement that exists in an account balance or class of transactions. This implies that detection risk is the only component of audit risk under the auditor’s control.
Risk Based Audit
This audit uses a model called the audit risk model. If inherent risk and control risk are assessed to be high, then to remain within an overall acceptable audit risk, the level of acceptable detection risk must be low, meaning that the level of tests of balances and transactions must be relatively high. If inherent and control risks are assessed to be low, then the level of acceptable detection risk may be higher, leading to a relatively lower level of tests of balances and transactions. Therefore the assessment of inherent and control risk is an essential part in deciding the overall approach to an audit.
For the audit model, audit risk equals inherent risk multiplied by the control risk and detection risk.
Advantages of Audit Risk Model
- Helps eliminate over or under auditing because the nature, extent and timing of audit procedures performed is determined by the risk assessment carried out.
- The results appear more rational and defensible than if the model was not used, i.e. in case the auditor is called upon to support his decisions in a court of law, he can justify the level of reliance on the internal control system and the amount of substantive tests carried out.
- Helps allow work to be delegated to junior members of audit staff who will be able to carry on without having to rely too much on their own judgment.
- The increased use of computers in business has made the calculations of audit risk easier, leading to more efficient and effective audit.
Disadvantages of Audit Risk Model
- The model gives an impression of accuracy which is unrealistic, as in practice it is difficult to put a quantitative value on inherent risk.
- For the model to be useful, the number of items being tested needs to be sufficiently large to allow for valid statistical conclusions to be made. This rules out the use of the model in many small audits.
- The model has a danger of adopting an overly mechanistic approach and that the auditor may lose his ‘feel’ for the audit assignment.
- It requires proper knowledge of the business to be able to assess the audit risk.
- A wrong assessment of inherent and control risk will lead to over or under auditing.
2. Control Environment
ISA 400 refers to the control environment as being the overall attitude, awareness and actions of directors and management regarding the internal control system and its importance to the entity. The control environment has an effect on the effectiveness of the specific control procedures. A strong control environment, i.e. one with tight budgetary control and an effective internal audit function, can significantly complement specific control procedures. Thus the control environment sets the tone of the entity by influencing the control consciousness of people. It may be viewed as the foundation of other components of internal control.
Factors influencing the control environment
- The function of the board of directors or the audit committee. The control environment is significantly influenced by the effectiveness of the board of directors or the audit committee. This effectiveness is determined by the extent of its independence from management, experience and status of members and the extent to which it raises and pursues difficult matters with management and also its relationship with internal and external auditors.
- Management philosophy, style and ease with which managers could override controls. Management philosophy refers to whether the management likes taking risk in business or has a conservative approach. This has an impact on the overall reliability of financial statements. If they are risk takers, losses are likely and they may want to hide them. If they are conservative to risk, there may be no business, hence low profits, and this may lead to falsification of financial statements.
- The implementation of organizational structure and methods of assigning authority and responsibility. This determines how well employees understand the limits placed upon their powers and responsibilities. The objective is to separate responsibility for authorizing a transaction, keeping records for the transaction and custody of assets acquired from the transaction.
- Personnel policies and procedures. Employees should be recruited on the basis of skills and knowledge essential for the performance of their jobs and, if necessary, be trained.
3. Control procedures
These are the policies and procedures, in addition to the control environment, which the management has established to achieve the entity’s specific objectives. The mix of types of controls implemented by management will depend on the control objectives and the size of the entity.
Organizational plan chart
Companies should have proper organization plans. An organization plan shows clearly the various departments within the company, their functions and persons charged with ensuring that such functions are fulfilled. They seek to ensure that the entity is properly departmentalized, preventing duplication of duties across departments and boosting accountability within the entity. Delegation and limits of authority should be well and clearly defined.
Segregation of duties.
This refers to separation of various duties and responsibilities such that one person cannot process and record a complete transaction from beginning to end without being checked by another person. E.g. in purchase of fixed assets, an individual should not authorize the purchase, place the order, receive the assets, record the transaction and keep custody of the assets. To minimize the risk of error or intentional manipulation, the following should be performed by different individuals and departments as much as practicable.
- Initiation of transaction. This is where an item is found to be out of stock and a requisition is made.
- Authorization. Different levels of management should be given limits as to what they can authorize or to what extent they can commit company resources.
- Execution. Persons independent from those who authorize the transactions should execute them.
- Recording. Segregation of duties also includes an internal check, which refers to the activities of one person being complementary to those of another person.
Physical controls
These are security measures concerned with the custody of the company’s assets by limiting access to authorized people only. Direct physical controls include keeping assets under lock and key, employment of security guards, building fences and use of closed circuit cameras. Indirect physical controls include use of fixed asset movement registers and use of computers to record utilization of company vehicles.
Authorization and approval.
Transactions that commit the organization’s resources should be subject to authorization and approval by a responsible official. The limits for authorization should also be specified.
Arithmetic and accounting control.
These are controls within the accounting function which check that transactions are authorized and accurately recorded. These are aimed at ensuring completeness and accuracy of the accounting records. The key features are:
- Use of pre-numbered documents in processing transactions.
- Issuing of documents in sequence when processing transactions.
- Monitoring movement of documents by use of a register in which all the people in possession of specific documents have signed that they are in possession of those documents.
- Production of exception reports e.g. where a local purchase order (LPO) has been raised and the order has not been fulfilled by the supplier.
- Reconciliation of different accounts and the related control accounts e.g. bank reconciliation. Reconciliations would only be effective if prepared by independent persons and non-reconciling items resolved in a timely manner.
Personnel.
The proper functioning of any system is dependent on the competence and integrity of those operating it. The company must therefore recruit competent staff with integrity and intelligence. Staff should be assigned responsibilities that match their capability and undergo training where necessary.
Supervision.
Transactions and their recording should be subjected to supervision by competent and responsible officials. Supervision is necessary because it gives the chance of correcting errors and also because lower level employees generally tend to be undisciplined if not closely supervised.
Management controls.
These are controls exercised by management in addition to daily routines of the system. They include comparison of actual performance with budgets, review of management accounts e.g. budgets, and the internal audit function.
Rotation of duties.
Duties should be rotated between personnel at the same organizational level e.g. payroll staff and credit control staff. Staff should be encouraged to take annual leave to provide an opportunity for their work to be checked by an independent person.
Routine and automatic checks.
These are conducted on routine duties and operations to ensure that they are operating efficiently. Such checks are conducted on a surprise basis to minimize errors and frauds. Examples may include surprise cash counts and physical inspection of fixed assets.
Internal audit
This is a control function set up by management to review the accounting and internal control system. Internal audit carries out continuous evaluation of the operating effectiveness of the internal control policies and procedures. The findings and recommendations are then reported to management.
Limitations of Internal Control System
No internal control system, however elaborate, can by itself guarantee efficient administration and the completeness and accuracy of the records, nor can it be proof against fraud. This is due to the following inherent limitations of accounting and internal control systems:
- Cost-benefit analysis. Management has to ensure that the benefits expected from an internal control system outweigh the cost of installing and maintaining the internal control system. As a result certain important controls may not be put in place due to the costs involved e.g. a small company may not have the resources to employ efficient staff to ensure segregation of duties.
- Limited coverage. Most internal controls tend to be directed towards routine transactions rather than non-routine transactions, leaving room for fraud and error as the non-routine transactions will not be subjected to the appropriate controls e.g. if stock is damaged by fire and needs to be replaced immediately, there will be no controls available for such an emergency.
- Human error. Human beings are prone to carelessness, distraction, mistakes of judgment and misunderstanding instructions. This undermines the effectiveness of the internal control system because the most important component of the internal control system is people.
- Abuse of responsibility. Senior managers could override controls, thereby creating a negative perception of the internal control system among the lower level employees.
- Corruption. A member of management or an employee could circumvent controls through collusion with persons within or outside the company e.g. where an internal control on purchasing requires a quotation to be submitted, an employee can leak the prices in the quotations to his preferred supplier in exchange for a kickback.
- The possibility that procedures may become inadequate due to changes in conditions of the business e.g. expansion of business without a corresponding increase in the number of staff may require some staff members to perform more tasks than previously. This dilutes the extent of segregation of duties.
An Example of Internal Control System over Sales and Debtors
When designing internal controls, it is important to identify the various stages followed in processing the transaction and controls that address the issues that arise in each of the stages.
- Customers should be approved before a credit facility is granted. The credit limit granted should be formally authorized after seeking references on the customer’s ability to pay. Such references are normally provided by banks, suppliers and credit reference bureaus.
- Customers should be approved for sales only when the customer’s credit limit has not been exceeded. The sales personnel should ensure that they have up to date records of customers’ outstanding balances.
- Goods should only be dispatched against a valid and authorized sales order.
- All dispatches of goods and returns inwards should be accurately recorded.
- All dispatches should be invoiced. This can be achieved by checking copies of the sales order to the dispatch records. The use of sequentially numbered documents would ensure that all sales are invoiced.
- Invoices and credit notes should be accurately prepared from the approved price list, and all discounts or price deductions should be properly approved. The price list and all trade discounts and price deductions should be properly authorized.
- Credit notes and other adjustments should only be prepared against authorized returns inwards or other appropriate documents. To prevent fraud, there should be proper segregation of duties such that the person who authorizes a sale is not able to authorize the issue of a credit note or other adjustments.
- All bad debts written off should be properly authorized and recorded. Persons involved with the original authorization of sales and granting credit to customers should not be involved in the authorization of bad debt write-offs.
- Stock records should be accurately updated with all sales and sales returns.
- All transactions should be accurately posted to the ledger.
- Sales ledger balances should be regularly reconciled to sales ledger control balances to ensure completeness and accuracy of the ledger.
- Sales ledger balances should be periodically aged and reviewed by the credit control staff. Overdue accounts should be identified and followed up for collection. The aged list of debtors would assist management and the auditor in assessing adequacy of bad debt provisions.
Key objectives in sales and debtors internal control system
- Credit should be extended to credit worthy customers.
- Goods should not be dispatched without an invoice being raised.
- Overdue accounts should be promptly followed up.
- Receipts from cash sales should be properly controlled.
- No unauthorized credit entries should be made to debtors account balances.
- There should be sufficient segregation of duties between the sales function and the credit control function in the entity.
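The controls and objectives listed above can be tested mechanically when the underlying records are available. The following is an added example, not part of the original notes; the record layouts, document numbers, user names and amounts are all constructed for illustration.

```python
"""Key controls over sales and debtors, run as exception checks over records.
All record layouts, names and values below are constructed for illustration."""

# Constructed sample data: one dict per document.
CREDIT_LIMITS = {"C001": 5000, "C002": 1000}
OPENING_BALANCES = {"C001": 1200, "C002": 900}
SALES_ORDERS = [
    {"order": "SO-1", "customer": "C001", "amount": 800, "authorized_by": "alice"},
    {"order": "SO-2", "customer": "C002", "amount": 400, "authorized_by": "bob"},
    {"order": "SO-3", "customer": "C001", "amount": 300, "authorized_by": "alice"},
]
DISPATCHES = [
    {"dispatch": "DN-1", "order": "SO-1"},
    {"dispatch": "DN-2", "order": "SO-2"},
    {"dispatch": "DN-3", "order": "SO-3"},
]
INVOICES = [
    {"invoice": 1001, "dispatch": "DN-1", "amount": 800},
    {"invoice": 1002, "dispatch": "DN-2", "amount": 400},
    {"invoice": 1004, "dispatch": None, "amount": 150},  # 1003 was never issued
]
LEDGER_POSTINGS = [1001, 1004]  # invoice numbers posted to the sales ledger
CREDIT_NOTES = [
    {"credit_note": "CN-1", "order": "SO-1", "authorized_by": "alice"},
    {"credit_note": "CN-2", "order": "SO-2", "authorized_by": "carol"},
]


def sequence_gaps(numbers):
    """Pre-numbered documents: return numbers missing from the issued range."""
    issued = set(numbers)
    if not issued:
        return []
    return [n for n in range(min(issued), max(issued) + 1) if n not in issued]


def dispatched_not_invoiced(dispatches, invoices):
    """Dispatch notes that no invoice refers to."""
    invoiced = {inv["dispatch"] for inv in invoices if inv["dispatch"]}
    return [d["dispatch"] for d in dispatches if d["dispatch"] not in invoiced]


def invoiced_not_recorded(invoices, postings):
    """Invoices that were raised but never posted to the sales ledger."""
    posted = set(postings)
    return [inv["invoice"] for inv in invoices if inv["invoice"] not in posted]


def over_credit_limit(orders, balances, limits):
    """Orders that push the customer's running balance above the approved
    credit limit (customers with no approved limit are treated as limit 0)."""
    running = dict(balances)
    flagged = []
    for o in orders:
        cust = o["customer"]
        running[cust] = running.get(cust, 0) + o["amount"]
        if running[cust] > limits.get(cust, 0):
            flagged.append(o["order"])
    return flagged


def segregation_breaches(orders, credit_notes):
    """Credit notes authorized by the same person who authorized the sale."""
    sale_auth = {o["order"]: o["authorized_by"] for o in orders}
    return [cn["credit_note"] for cn in credit_notes
            if sale_auth.get(cn["order"]) == cn["authorized_by"]]


def run_checks():
    return {
        "invoice_sequence_gaps": sequence_gaps(i["invoice"] for i in INVOICES),
        "dispatched_not_invoiced": dispatched_not_invoiced(DISPATCHES, INVOICES),
        "invoiced_not_recorded": invoiced_not_recorded(INVOICES, LEDGER_POSTINGS),
        "over_credit_limit": over_credit_limit(
            SALES_ORDERS, OPENING_BALANCES, CREDIT_LIMITS),
        "segregation_breaches": segregation_breaches(SALES_ORDERS, CREDIT_NOTES),
    }


if __name__ == "__main__":
    for check, exceptions in run_checks().items():
        print(f"{check}: {exceptions}")
```

Each non-empty list is an exception report of the kind described under arithmetic and accounting controls: items for an independent person to follow up, not proof of error or fraud.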
Ascertaining, Evaluating, Recording and Confirming Internal Control System
The auditor will need to ascertain, evaluate, record and confirm the internal control system to be able to determine the effectiveness of its component controls and to decide on the extent of his reliance thereon.
Ascertaining
This refers to the auditor’s attempt to identify and understand the internal controls that management has put in place. This is carried out in the following ways:
- Utilizing the client’s accounting and control manuals which describe the accounting and internal control system.
- Obtaining and relying on system records and descriptions prepared by internal audit for organizations with internal audit functions.
- Interviewing procedures being performed e.g. stock taking in order to clearly understand the nature of the controls involved.
- Relying on prior year’s system notes which can be obtained from the previous auditor’s working papers.
The auditor’s objective in evaluating the internal control system is to determine the degree of reliance which he may place on the information contained in the accounting records. If he obtains reasonable assurance by means of compliance tests that the internal controls are effective in ensuring the completeness and accuracy of accounting records and the validity of entries therein, he may limit the extent of substantive testing. Because of the inherent limitations of even the most effective internal control system, it will be impossible for the auditor to rely solely on its operation as a basis of his opinion on the financial statements.
Recording
Having identified the controls that management has put in place, it is important to create documented records of the internal control system. This will enhance the auditor’s understanding of the system and provide documentary evidence of work done. The following are methods used in recording the system.
- Flow Charts: These are diagrammatic representations of the company’s procedures and processes and are designed to show the movement of documents and information through the accounting system from initiation of transactions to final recording in the books of accounts. Standardized symbols are used to represent the flow of documents and information through the system. This use of visual description eliminates use of lengthy narratives in explaining the system.
- Questionnaires. These comprise a list of questions designed to determine whether the internal control system has desirable controls that cover each of the major transaction cycles. The questions are structured such that the client will be required to respond by giving either a yes or no answer. There are two types of questionnaires:
i. Internal control questionnaires (ICQ). These are lists of questions that are designed to establish whether the company has put in place desirable controls to ensure that the affairs of the company are carried out in an orderly and efficient manner.
ii. Internal control evaluation questionnaires (ICEQ). These are lists of questions that seek to establish whether specific errors or fraud could occur rather than establishing whether certain desirable controls are present. E.g. is there reasonable assurance that sales are properly authorized? Yes / no.
- Narratives. These refer to recording of the internal control system in narrative form or explanatory notes. They are preferable for simple systems where all the transactions and documentation are handled by one person only. They require little formal training of staff and are best suited to small and simple system descriptions or to explain peripheral aspects of a larger system not dealt with by other techniques. Narratives are easy to record but difficult to change.
Confirming
Having recorded the system, the auditor then needs to confirm whether the system recorded exists, is operational and that the auditor has a correct understanding of the system. This is done by use of walk through tests. A walk through test refers to the process where the auditor selects a particular transaction and traces it through the accounting information system from the time it was first captured and input as data to its final recording in the financial statements. The purpose of walk through tests may be either for the auditor to identify specific control procedures or to confirm an existing understanding of internal control procedures in the internal control system.
Evaluating
Having recorded and confirmed the internal control system, the auditor will commence his evaluation. The auditor evaluates the client’s internal control system in order to decide whether the system is suitably designed and constitutes a reliable basis for preparation of financial statements. Evaluation is normally carried out simultaneously with recording. Evaluation will be assisted by the use of documentation designed to help identify the internal controls on which the auditor may wish to place reliance. The auditor uses internal control evaluation questionnaires (ICEQ) in evaluating the system based on key control questions.
Examples of key control questions that could be applied in evaluating internal control system for sales and debtors are:
- Can goods be dispatched without being invoiced?
- Can goods be sold to a bad credit risk?
- Can sales be invoiced but not recorded?
For wages and salaries
- Can employees be paid for work not done?
- Can bonuses or commissions be wrongly paid?
- Can pay as you earn (PAYE) and other statutory deductions be inflated by inclusion of ghost workers?
- Can wages and salaries be paid at the wrong rates?
Tests of Control
After the system has been evaluated as being suitably designed, the auditor then plans to carry out tests of control, which are also called compliance tests. Compliance tests are procedures performed to obtain audit evidence about the effectiveness of the:
- Design of the accounting and internal control system i.e. whether it is suitably designed to prevent and correct material misstatements.
- Operation of the internal controls consistently throughout the financial period.
The auditor carries out tests of control to determine whether these controls have worked effectively throughout the financial period and can be relied upon to ensure complete, accurate and reliable accounting records.
Some of the procedures performed to obtain an understanding of the accounting and internal control system may not have been specifically planned as tests of control but may provide audit evidence about the effectiveness of the design and operation of the internal controls relevant to certain assertions and consequently serve as tests of control.
Tests of control include:
- Inspection: Documents supporting transactions and other events are inspected to gain assurance that internal controls have operated properly.
- Inquiry: Inquiries about internal controls which have no audit trail need to be done e.g. inquiring whether appropriate security measures are undertaken during payment of wages.
- Re-performance of internal controls e.g. reconciliation of the bank accounts to ensure the client’s bank reconciliation statements are accurately prepared.
- Observation. This entails observing control procedures being performed e.g. physical counting of stock will enable the auditor to confirm that the exercise is being conducted properly. Such observation will provide evidence that a control is operating effectively as designed.
When obtaining audit evidence about the effectiveness of internal controls, the auditor considers how they were applied and the consistency with which they were applied. The concept of effective operational controls recognizes that some deviation from prescribed controls may occur. This may be due to changes in key personnel, human error and significant fluctuation in the volume of transactions.
Actions Taken When Internal Control System is Identified as Weak
- The auditor should bring to the attention of the management all the weaknesses he has identified and discuss with them the possible remedies and corrective measures immediately.
- The auditor should consider changing his audit approach by increasing the level of detailed substantive testing. This is because the weaknesses imply that the system is not operating as designed and therefore cannot be relied upon.
- The auditor should increase the sample size i.e. test as many entries as is considered necessary to avoid any error or fraud going undetected.
- The auditor should record significant weakness in the management letter and give his recommendations to management on how the weaknesses can be corrected.
- If the internal control system is extremely weak such that he cannot depend upon it to apply any test, then he should qualify his report or at best give a disclaimer of opinion.
The extent of reliance on the internal control system by the auditor will depend on factors such as:
- His past experience with the company’s internal control system.
- Any fluctuation in volume of business transactions.
- Changes in line managers or top management officials.
- Changes in accounting policies and practices.
- Changes in size of the company.
Management Letter
Although the statutory reporting requirements of the Companies Act only call for the auditor to make a report to the members as to whether the financial statements show a true and fair view, auditors in addition provide management with a summary of their findings concerning strengths and weaknesses of the accounting and internal control system as well as material issues arising from review of the financial statements. This summary is called the management letter.
Purposes of management Letter
- Enables the auditor to give his comments on the accounting records that he has examined during the course of the audit. Areas of weakness in the internal control system which may result in material errors will be highlighted and brought to management’s attention together with advice as to their improvement.
- Provides management with other constructive advice regarding areas where efficiency may be improved.
- Communicates matters arising during the audit so that there is a written record of all such matters. In case of litigation, the auditor may rely on the management letter for defense.
- Ensures the auditor’s comments on the accounting and internal control system reach those responsible members of management who have powers to act on the findings.
A report to management will normally be a natural way of adding value to the client and the auditor should incorporate the need to report in the planning of the audit. Before documenting the weaknesses in the management letter, the auditor should discuss these with the appropriate officials. This eliminates the possibility that the auditor may have misunderstood the operation of the system and will also enable the company to make quick corrective actions. The management letter should be addressed to the board of directors or the audit committee.
The timing of the management letter will vary. It will often be useful to complete the compliance tests before its submission, so that weaknesses in the internal control system may be included. However, serious weaknesses discovered should be reported immediately. This may make it necessary to submit more than one management letter.
The management letter acts as effective feedback that assists management in running the company more efficiently and thus promotes a constructive relationship between the auditor and management which may be useful in future audits. The management letter should be both objective and constructive. The auditor should request comments from management on all the matters raised, indicating what actions management intends to take regarding the matters raised.
SUMMARY
- The auditors need to be aware of the entity and its environment and the controls that are operational in a system so that they can determine the level of reliance that they are going to place on the operating effectiveness and efficiency of the system and thus determine the amount of testing that they need to carry out.
- The auditor should comprehend the risks that face the entity, how the management manages those risks, how they affect the financial reporting and how the risks may cause material misstatements and thus affect the scope of his work.
- The auditor must understand the information system that operates within the entity and most importantly how the financial reporting system works.
- The external auditor needs to assess the internal auditor’s impact on the control environment and how much reliance can be placed on his work.
- The internal audit department may be run by employees of the company or the function may be outsourced.
- The internal audit department is set up by the management to help the management