sakura-rena
TOPIC 4: INTERNAL CONTROL SYSTEMS
References: Chapter 10
AUD390 2011
AUD390 AUDITING DIA
INTERNAL CONTROL SYSTEM (ICS)
Fundamental Concepts
Documenting The Understanding Of IC & Control Risk
Importance Of Internal Control (IC)
Communication Of IC Related Matters
Components Of ICS
A system of internal controls consists of policies & procedures to provide management with reasonable assurance that the company achieves its objectives & goals.
These policies & procedures are called controls, and they are normally considered the entity’s internal control.
Policies are the principles, rules, and guidelines formulated or adopted by an organization to reach its long-term goals, typically published in a booklet or other form that is widely accessible.
Procedures are the specific methods employed to express policies in action in day-to-day operations of the organization. Together, policies and procedures ensure that a point of view held by the governing body of an organization is translated into steps that result in an outcome compatible with that view.
Three objectives in designing internal control systems:
– reliability of financial reporting
– effectiveness & efficiency of operations
– compliance with laws & regulations
Limitations of IC:
– Human error
– Management override of IC
– Cost constraints: the cost of an entity’s ICS should not exceed the benefits that are expected to be derived
– Lack of personal quality among employees
– Collusion: “an act of 2 or more employees to steal assets or misstate records”
– AI400 Risk Assessment & Internal Control
– The Cadbury Report
– The Sarbanes Oxley 2002 Report
– The COSO Report
CONTROL ENVIRONMENT
RISK ASSESSMENT
CONTROL ACTIVITIES
INFORMATION & COMMUNICATION
MONITORING
CONTROL ENVIRONMENT
Definition: Actions, policies & procedures that reflect the overall attitudes of top management, directors, & owners of an entity about its IC & its importance
Subcomponents:
– Integrity & ethical values
– Commitment to competence
– BOD or AC participation
– Management’s philosophy & operating style
– Organizational structure
– Assignment of authority & responsibility
– HR policies & practices
RISK ASSESSMENT
Definition: Management’s identification & analysis of risks relevant to the preparation of financial statements in accordance with accounting standards, i.e. FRS
Risk assessment process:
– Identify factors affecting risks
– Assess significance of risks & likelihood of occurrence
– Determine actions necessary to manage risks
CONTROL ACTIVITIES
Definition: Policies & procedures that management has established to meet its objectives for financial reporting
Types of specific control activities:
– Adequate separation of duties
– Proper authorization of transactions & activities
– Adequate documents & records
– Physical control over assets & records
– Independent checks on performance
INFORMATION & COMMUNICATION
Definition: Methods used to initiate, record, process & report an entity’s transactions & to maintain accountability for related assets
MONITORING
Definition: Management’s ongoing & periodic assessment of the quality of IC performance to determine whether controls are operating as intended and are modified when necessary
Monitoring mechanisms:
– Studies of existing IC
– Internal Audit Reports
– Exception reporting on control activities
– Reports from regulators such as BNM, SC, Bursa Malaysia
– Feedback from operating personnel
– Complaints from customers
Phase 1: Obtain & document understanding of IC; Design & Operation
Phase 2: Assess control risk
Phase 3: Design, perform & evaluate tests of controls
Phase 4: Decide planned detection risk & substantive tests
Purpose:
– To obtain an understanding of the entity’s IC through
  – Gathering evidence about the design of IC
  – Observing whether the IC have been placed in operation
Methods of gathering evidence:
i. Narratives
ii. Flowcharts
iii. Internal Control Questionnaire
Methods to evaluate whether the designed controls are actually placed in operation:
i. Update & evaluate auditor’s previous experience with the entity
ii. Make inquiries of client personnel
iii. Examine documents & records
iv. Observe entity activities & operations
v. Perform walkthrough of the accounting system
Narratives
Definition ~ A written description of a client’s IC
A proper narrative of any ICS includes 4 characteristics:
i. The origin of every document & record in the system
ii. All processing that takes place
iii. The disposition of every document and record in the system
iv. An indication of the controls relevant to the assessment of control risk
Flowcharts
Definition ~ A diagram of the client’s documents and their sequential flow in the organization
Advantages:
– It provides a concise overview of the client’s system
– It helps in identifying inadequacies in the system
– Easier to read
– Easier to update
Refer Appendix Flowcharting Techniques Ch 6 of Messier et al, 2006
Refer Case Question 10.38 Ch 10
Internal Control Questionnaire
Definition ~ A series of questions about the controls in each audit area as a means of uncovering aspects of internal control that may be inadequate
It requires a ‘yes’ or ‘no’ response, where NO indicates potential internal control deficiencies
Refer Figure 10.3 Partial Internal Control Questionnaire for Sales
Phase 2: Assess control risk
Definition: A measure of the auditor’s expectation that IC will neither prevent material misstatements from occurring nor detect & correct them if they occurred
Control Risk Matrix
Definition: A methodology used to help the auditor assess control risk by matching key internal controls and IC deficiencies with transaction-related audit objectives
Refer Figure 10.4 Control Risk for Sintok Hardware Sdn Bhd - Sales
Phase 3: Design, perform & evaluate tests of controls
Definition ~ Audit procedures to test the operating effectiveness of controls in support of reduced assessed control risk
4 types of procedures involved:
i. Make inquiries of appropriate client personnel
ii. Examine documents, records & reports
iii. Observe control-related activities
iv. Re-perform client procedures
Phase 4: Decide planned detection risk & substantive tests
The auditor will use the results of the control risk assessment process (Phase 2) and tests of controls (Phase 3) to determine the planned detection risk & related substantive tests for the audit of financial statements.
What does the process involve?
– Linking the control risk assessment to the balance-related audit objectives for the accounts affected by the major transaction types
The appropriate level of detection risk for each balance-related audit objective is decided using the audit risk model.
All of this is covered and will be discussed in Topic 7 on Audit Planning.
Auditing Standards (ISA315 & ISA260) require the auditor to communicate to those charged with governance, as soon as practicable, material weaknesses in the design or operation of the accounting & internal control systems, which have come to the auditor’s attention
1. Management Letter (ML)
An optional letter written by the auditor to a client’s management containing the auditor’s recommendations for improving any aspect of the client’s business
• Items that should be included in the ML:
– A statement that the purpose of the audit was to report on the financial statements & not to provide assurance on IC
– A statement that the letter only discusses weaknesses in IC which have come to the auditor’s attention as a result of the audit
– A statement of restriction on the distribution of the report
2. Director’s Statement on IC
• Under the Listing Requirements of Bursa Malaysia Securities Berhad (Listing Requirements):
– Listed companies are to include a Statement on Internal Control in the annual reports
– The company’s external auditors must review the Statement on Internal Control & report the result to the BOD
• The Director’s Statement on Internal Control should incorporate the following aspects:
– The Board should maintain a sound system of IC to safeguard shareholders’ investment & the company’s assets
– The Board should (inter alia):
  – Identify the principal risks & ensure the implementation of appropriate systems to manage the risks;
  – Review the adequacy & integrity of the company’s ICS & management information system, including systems for compliance with applicable laws, regulations, rules, directives & guidelines
1. Explain what the control environment is and state 2 factors affecting this component.
2. Identify a key internal control and a possible substantive test of transactions that could be performed for each of the following audit objectives:
i. Sales made to existing customers (Existence)
ii. Existing sales transactions are recorded (Completeness)
iii. Recorded sales are for the amount of goods shipped and are correctly billed and recorded (Accuracy)
3. State the audit objective(s) for the following tests performed.
4. You decided to issue a Management Letter.
i. Define Management Letter
ii. Briefly explain 2 purposes of a Management Letter