Internal Control System

Questions and Answers

Within the framework of ASA 315.12(m), what constitutes the MOST critical aspect of an entity's 'control environment' in effectively mitigating risks related to financial misstatements, particularly when considering the potential for overriding internal controls?

  • The active participation of those charged with governance in overseeing financial reporting and internal controls.
  • The documented policies outlining segregation of duties for all financial processes.
  • The consistent application and rigorous enforcement of ethical values and integrity throughout the organizational hierarchy. (correct)
  • The comprehensive risk assessment process meticulously documented and regularly updated.

In the context of a complex, multi-national corporation, which of the following scenarios represents the most insidious compromise of the 'information system and communication' component of internal control?

  • Delayed dissemination of updated accounting policies from headquarters to a remote subsidiary resulting in inconsistent application.
  • A failure to integrate newly acquired subsidiary's financial reporting system fully into the parent company's consolidated system within a reasonable timeframe.
  • Use of a non-standard, shadow IT system by a department which bypasses central data validation controls, affecting data integrity. (correct)
  • A well-intentioned, but ultimately flawed, translation of financial reporting guidelines into a local language, leading to misinterpretation.

Assuming an organization's risk assessment procedures are deemed 'reactive' rather than 'proactive', what outcome would MOST concern an auditor regarding the potential for material misstatement in financial reporting?

  • A tendency to address risks only after they have already manifested, leading to potentially significant financial losses and reporting errors. (correct)
  • Increased reliance on external consultants to identify emerging risks.
  • Over-allocation of resources to low-impact risks due to a lack of prioritization.
  • A documented history of failing to meet financial forecasting accuracy targets.

Considering the interplay between general IT controls and application controls, under what specific circumstance would an auditor justifiably limit their testing solely to general IT controls, foregoing testing of application controls altogether?

  • Never, application controls are always a vital testing component. (D)

In the context of segregation of duties (SoD) within an IT environment, identify the most critical incompatibility that could lead to increased risk.

  • A systems programmer responsible for both developing and operating accounting IT systems. (A)

Within the framework of database normalization, what is the most significant long-term consequence of failing to adhere to the principle that 'each data element should be stored only once'?

  • Introducing inconsistencies across various parts of the database leading to difficulties in reconciling database systems. (C)

In designing limit tests for a payroll system, which approach demonstrates the greatest understanding of the nuanced application of controls to prevent errors, especially regarding the potential for both unintentional mistakes and deliberate circumvention?

  • Implementing dynamic limits that consider role, pay grade, and typical work patterns, while also triggering secondary review for values approaching the limits. (A)

When evaluating an organization's transition to a new Enterprise Resource Planning (ERP) system, which poses the most significant and pervasive risk to the integrity of historical financial data, potentially leading to material misstatements in comparative financial statements?

  • Failure to adequately test data migration processes, resulting in incomplete or inaccurate transfer of historical financial data. (D)

In the context of evaluating internal controls, what scenario demonstrates the most complete and effective application of the 'Test Data' approach to validate controls within a computerized accounting system?

  • Creating a comprehensive suite of test transactions that maps to each control point in the system and assessing if it's successfully rejected or accepted. (B)

Given the constraints in implementing robust segregation of duties in a small business, which compensating control would be MOST effective in mitigating the risk of fraudulent financial reporting perpetrated by the owner-manager?

  • Engaging an external accounting firm to conduct a thorough annual audit of the financial statements. (B)

In determining the extent to which an external auditor can rely on the work of internal auditors, what consideration regarding 'direct assistance' carries the most weight under prevailing auditing standards (specifically within Australia)?

  • Australian law specifically prohibits using internal auditors to provide direct assistance. (A)

An auditor discovers several minor deficiencies in an entity's internal control system. Under what condition, specified by ASA 265, are these deficiencies most likely to be classified as a 'significant deficiency'?

  • If the deficiencies, individually or in combination, represent a material weakness in the organization's financial reporting. (B)

When testing internal controls related to 'timeliness of processing', which audit procedure provides the most compelling evidence of adherence?

  • Comparing dates on a sample of source documents with corresponding dates in ledgers. Examining exception reports and related adjusting journal entries. (A)

What is the most critical objective an auditor seeks to achieve when performing 'tests of controls'?

  • Assess whether the internal controls tested are suitably designed to prevent or detect material financial statement misstatements; if so, determining whether those controls are operating effectively. (C)

In the context of auditing a highly automated system, what statement accurately contrasts non-routine and routine transactions?

  • Testing of controls of routine transactions can often be minimised. (A)

When evaluating an organization's use of 'auto-completion' for customer data entry, what represents the most critical threat to data validity, potentially leading to financial misstatements?

  • An increased risk that old records are being used and incorrectly maintained. (D)

Given the description of Computer Security "Controls should ensure that: Only the correct programs are running on the system at the correct time. Programs are not tampered with. There is no ability for external programs to run on the computer.", what type of program is MOST critical to control?

  • Unauthorised software (A)

In scenarios where third party services are leveraged to create a transaction such as via EDI protocol, they become the most difficult to control when

  • The third party systems operate under differing standards. (A)

What represents the most important risk regarding 'Computer Logs'?

  • Unauthorised individuals are able to access the logs. (D)

The nature of the work when looking at Tests of Control should consider: a) the amount of judgement involved; b) the assessed risk of material misstatement; c) the extent to which the internal audit function's organisational status and relevant policies and procedures support the objectivity of the internal auditors; and d) level of competition. Which of these statements is incorrect?

  • It should read the level of competence of the function. (D)

Flashcards

System of Internal Control

A system designed to provide reasonable assurance regarding financial reporting reliability, operational effectiveness, and legal compliance.

Control Environment

The organizational background that either encourages or inhibits internal control.

Integrity and Ethical Values

Communication and enforcement of integrity and ethical values.

Risk Assessment Procedures

Procedures used to proactively deal with risky situations before they occur.

Control Activities

A series of procedures to implement internal control over the accounting system.

Authorisation

Ensuring only those with the required knowledge, experience, and responsibility can carry out activities.

Review

The process where one person checks another person's work for error.

Reconciliation

A formal process where two pieces of data are compared to look for differences.

Stocktaking

A process where the quantity of items in the ledger is compared to a physical count of the items.

Segregation of Duties

Splitting tasks into multiple sections completed by separate people to prevent fraud.

Document Processing Controls

Ensuring each document is processed, but only processed once.

Autonumbering

Each document is given a sequential number.

Control Totals

A control used to keep a record of the number of documents or the total dollar value of a set of transactions.

Timeliness of Processing

Documents should be processed as quickly as possible.

Monitoring of Controls

Monitor the effectiveness of internal control performance over time.

Internal Auditors

Most large companies have these divisions to internally audit.

Change Management

All alterations to the computer system should be done through formal processes.

Database Normalisation

The principle that individual items of data should only be stored ONCE.

Referential Integrity

Guarantees that only valid customer numbers can be listed on the orders table.

Application Controls

Those controls that impact on the operation of one accounting application.

Study Notes

  • Business risks can lead to errors in a company's financial statements affecting the business, auditors, and financial statement users
  • Incorrectly processed transactions and erroneous accounting information are costly and can result in mismanagement and legal repercussions
  • Businesses use internal control strategies to mitigate these costs

System of Internal Control

  • It is designed, implemented, and maintained by those charged with governance, management, and other personnel
  • It provides reasonable assurance of achieving objectives, including reliable financial reporting, efficient operations, and legal compliance per ASA 315.12(m)
  • It comprises five interrelated components for ASA purposes:
    • The control environment
    • Risk assessment process
    • Process to monitor internal control
    • Information system and communication
    • Control activities, as stated in ASA 315.12(m)

The Control Environment

  • It influences and shapes internal controls within an organization
  • Important factors for an effective control environment include:
    • Integrity and ethical values
    • Commitment to competence
    • Participation from those charged with governance
    • Management's philosophy and operating style
    • Organizational structure
    • Assignment of authority and responsibility
    • HR policies and practices
  • Ensuring competent personnel reduces the necessity for constant oversight
  • Hierarchical structures may reduce errors but can impede functionality
  • Flatter structures promote adaptability but are more vulnerable to errors
  • Whether management is proactive or reactive matters; proactive is better

Entity’s Risk Assessment Procedures

  • Used to proactively manage risky situations before they occur
  • The board of directors is responsible for these procedures
  • Auditors should gain an understanding of the entity's risk assessment process for financial reporting: how risks are identified, how significant they are, and how they are addressed
  • The auditor evaluates if the risk assessment is suited to the entity's nature, per ASA 315.22

Information System

  • All organizations utilize complex systems to process accounting data and generate financial reports
  • Auditors need to understand:
    • Classes of transactions
    • Procedures (including IT) for transaction initiation, recording, processing, and reporting
    • Related accounting records
    • How the information system captures relevant events or conditions beyond transaction classes
    • The financial reporting processes used to prepare reports
  • Events separate from transactions include depreciation and inventory write-downs

Control Activities

  • Businesses adopt procedures to implement internal control, which are formally developed and documented in policies and procedure manuals
  • Staff training and proper supervision is critical

Types of Control Activities

  • Authorisation
  • Review
  • Reconciliation
  • Stocktaking
  • Physical controls
  • Segregation of duties
  • Document matching
  • External confirmation
  • Document processing controls
  • Autonumbering and sequence testing
  • Control totals
  • Timeliness of processing
  • Apply these categories to the specific situation rather than just naming the class

Authorisation

  • Limits activity to individuals with the required knowledge, experience, and responsibility to perform activities
  • Examples: credit managers authorizing credit limit increases or warehouse managers authorizing inventory removal
  • Authorization is often demonstrated with signatures before action takes place

Review

  • It is the process of one person checking another's work for errors, which can occur continuously or periodically
  • Transactions can either be reviewed in full or sampled
  • Usually supported by a signature
  • Errors that are found are corrected using adjusting journal entries

Reconciliation

  • Compares two independent sets of data to identify differences, such as comparing cash accounts to bank statements or accounts payable sub-ledgers to supplier statements
  • Carried out regularly
  • Reconciliation processes fix errors using adjusting journal entries
  • Bank reconciliations should mirror each other
  • Identify legitimate differences and investigate discrepancies to find who made the error and create adjusting entries

Stocktaking

  • This compares system records of items against an actual physical count
  • Includes inventory and fixed asset stocktakes
  • It's carried out regularly
  • Discrepancies are reconciled with adjusting journal entries

Physical Controls

  • It's used to prevent theft of assets and information via:
    • Locked drawers/doors
    • Keys and swipe cards
    • Safes
    • CCTV cameras
    • Security guards
  • Ensure supporting procedures are in place, such as key control procedures

Segregation of Duties

  • Responsibilities are split into multiple parts that are handled by different people
  • One person cannot do the whole task
  • Examples: sales initiation, authorization, and record-keeping of the transaction completed by different individuals
  • Mitigates the risk of fraud
  • Company policies and procedures document this

Document Matching

  • Multiple documents arise from many transactions
  • Examples: customer orders, sales invoices, dispatch notes, cash receipts or purchase orders, supplier invoices, goods received notes, and payment advices
  • Matching confirms data consistency
  • Inconsistent information reveals errors
  • Any discrepancy needs to be investigated then adjusted

External Confirmation

  • Every transaction has a related third party
    • A sale is a purchase from the customer perspective
    • A bank deposit is a liability for the bank
  • Confirmation involves obtaining their record of the transaction and comparing for discrepancies

Document Processing Controls

  • Ensure processing accuracy
  • Each document is processed exactly once
  • Prevents omissions, double entries, and the processing of spoiled documents
  • Rubber stamps (e.g., "Paid," "Received," "Cancelled") and processing step tick boxes can be used

Autonumbering and Sequence Testing

  • Ensures that each document in a set is given a sequential number
  • Used to account for all documents
  • Missing document numbers should be investigated
  • Spoiled documents shouldn't be disposed of, in order to preserve the sequence

Control Totals

  • Used to track the number or total dollar amount of transactions
  • Examples: counting sales invoices sent and matching to those in the sales journal, or totaling transaction values before and after processing
  • This control is important for batched and transferred documents
  • Verifies completeness and accuracy

Timeliness of Processing

  • Quick and prompt processing minimizes potential errors and losses
  • Examples: Post sales invoices daily and bank cash daily
  • Comparing document dates with journal dates verifies timeliness

Monitoring of Controls

  • It is the assessment of internal control performance over time, together with any necessary remedial actions
  • Management monitors controls through ongoing and separate evaluations
  • Ongoing monitoring is part of normal operations, such as regular management activities

Monitoring is Needed Because

  • Controls risk not being followed because of fraud or laziness
  • Controls must adapt to account for changes to organizational systems

Internal Auditors

  • Most large companies have these divisions, which report to senior managers or the board
  • Their work can be used by the external auditor

Functions of Internal Audit:

  • Monitoring of internal controls
  • Examination of financial and operating information
  • Review of operating activities
  • Review of compliance with laws and regulations
  • Risk management
  • Review of corporate governance

System of Internal Control: Using Internal Audits

  • External auditors determine if internal audit work can be used by evaluating:
    • Objectivity
    • Competency
    • Whether they apply a disciplined approach including quality controls per ASA 610.15
  • Scope, status, skills, and systems are vital considerations

Internal Control and Risk

  • Auditors look for errors, with business risks causing these errors
  • Controls reduce the risk of errors, including preventing, detecting, and correcting errors
  • Strong controls translate to fewer errors and less testing
  • Key factors that determine the work needed are risks, controls, and materiality

Internal Controls and Audit Assertions

  • Some controls affect overall risk at the financial statement level
  • Competent and ethical senior management makes true and fair statements more likely
  • Other controls only address one assertion
  • Security measures prevent inventory theft, impacting the existence assertion
  • Payroll verified by an experienced person impacts the accuracy of wages expense

Auditor's Responsibility

  • In Australia, auditors do not express an opinion on the effectiveness of internal control systems
  • Auditors need to understand the impact of internal controls
  • Relevant audit procedures must be performed per ASA 315.21

Relevance of Internal Controls

  • The auditor assesses the relevance of controls based on materiality, risk significance, and the entity's size, nature, characteristics, and regulatory factors
  • Supermarkets and BHP face different inventory risks of stolen goods

Limitation of Internal Control

  • Internal control provides reasonable assurance of achieving reliable reports
  • The inherent limitations of internal controls arise from:
    • Human error
    • Human judgement
    • Collusion
    • Inherent limitations of control system design

Auditor's Reliance on Controls

  • Auditors test controls they plan to rely on
  • Tests are skipped when controls are ineffective, the risk is adequately addressed elsewhere, the control is not relevant, the risk the control addresses is not material, or testing is too expensive
  • Don't prove ineffectiveness; prove effectiveness
  • Chief accountant is a CFO
  • Internal auditors reporting to CFO is problematic, but the CFO really should be the one reporting to the board of directors or audit committee
  • Only rely on systems that are process-centric
  • E.g., someone doing write-offs must be checked to ensure they are not falsely marking bad debt and keeping the money themselves

IT Accounting Systems

  • Two types of controls can be found
    • General controls - affect the overall computer system operation
    • Application controls - affect specific applications
  • IT system can be computerized or manual

Control Testing

  • Test general controls to determine reliance before continuing
  • Evaluate application controls only when general controls work
  • Less testing is necessary if application controls work

Controls Over Programs

  • Ensure that the programs running on systems, and what they do, are known at all times

Aspects:

  • Change management
  • Security

Change Management

  • Handle all changes through formal processes with documentation

Change Management Steps

  • development of a formal specification
  • timeline and budget agreement
  • formal documentation of software
  • regular meetings
  • testing of each software part
  • final acceptance testing
  • formal software handover

Computer Security

Assurance that:

  • Only the correct programs run, at the correct time
  • There is no tampering
  • No external programs (viruses etc.) can run
  • Unauthorized software is not present

Security Controls:

  • Passwords
  • Antivirus and firewalls
  • Secure networks
  • Computer logs
  • Restricted access
  • Computer security audits

Controls Over Data

  • Assurance is needed that:
    • Changes are allowed
    • There is no data loss
    • Data is accurate and consistent
    • There is no data theft
  • The same controls apply, but in addition:
    • There are backup and reconstruction controls, normalization, data and physical encryption, as well as copy prevention

Data Normalization

  • The storage rule in database normalization is to store each item once, which achieves efficiency and reliability, saves space, avoids data integrity issues, and makes updates easier
  • Normalization is achieved by:
    • Keys for unique IDs
    • Linked tables, breaking data into small tables
  • Keys are used to identify records within tables (Primary Key) and to join database tables (Foreign Key)
  • Keys should be stored one time

Referential Integrity

  • To ensure tables are correctly linked, there must be a way to validate customer numbers in the tables
  • Referential integrity is a control that only allows a foreign key value if a matching primary key exists

Cascading Updates

  • A customer may be assigned a new number, for example due to a merger
  • Cascading updates ensure that when a primary key (customer number) changes, related records are updated automatically

Calculated Data

  • Data shouldn't be stored if a formula exists to calculate it (e.g., store birth date, not age), to save space and allow quick updates if necessary

Audit Trails

  • To keep track of changes to data files, software stores records of them
  • Each record stores the change, the person who made it, and the date
  • Earlier versions of data can be reconstructed

Application Controls

  • Impact on the operation of one application
  • If tested app controls the tested before applying

Manual Application Controls

  • Segregation of duties
  • Authorization
  • Training and supervision
  • Documented procedures and reporting
  • Physical security

Computerised Application Controls

  • They can enforce compliance and are set up with enforcement controls

Computerized application controls:

  • input
  • file
  • processing
  • output

Input Controls

  • Incorrect input is a major source of errors, so controls are designed to check inputs
  • Checks are designed at the point of input in order to prevent errors before data enters the system
  • Users have as little access as possible

Input Control Principles

  • Fix detectable errors before the input is accepted
  • Minimize typing by picking from a list

Access Rights

  • Limited to people who have permission
  • Is controlled with usernames and passwords

Field and Valid Code Test

  • Fields should only accept data of a certain kind
  • Input should only be accepted if the format is right and it is a valid code

Auto-Numbering

  • A sequence helps with auditing
  • When a new order is created it gets a number, and old orders are not deleted

Auto-Completion

  • The system looks up the customer
  • Helps select the right identifier

Limit Tests

  • If a number exceeds the limit, the computer can ask for confirmation, require authorisation from a supervisor, or not allow the input

Check Digits/Formulae

  • Set up so that if two digits are swapped or one is entered by mistake, the answer will be invalid

Scanning and Electronic Data Interchange

  • A common way to prevent input errors is to automate the input process with scanners and QR codes
  • Computers at separate businesses are able to communicate directly with each other

File and Processing Controls

  • Code that must be implemented in the program
    • It needs to be tested before it can be relied upon

Test of Internal Controls- Generalities

  • The basic output is limiting access but people view summaries
  • Reports may be archived

System

  • Accounting data is stored in tables, where each record consists of multiple fields

Data normalization

  • Data should only be recorded once in the database to be reliable
  • Users never see the database the way it is stored; data is stored once to save space and be easier to update

Database normalisation

  • Database normalization works on the structure in which data is stored
  • Data should be stored in multiple tables
  • A key uniquely identifies a record in the system
  • This can be an identifier or a number

Foreign Keys

  • If information is spread over many tables, how do we know which tables are linked?
  • Link them with a foreign key

Example ABC Ltd

  • Foreign key to ensure the record
  • Valid code to ensure the number is only entered in Field 12

Referential Integrity

  • Guarantees a number is only entered if the code exists.
    • Then it won't prevent manipulation

Cascading Updates

  • Ensure all records are updated
  • Used only when the key changes

Calculated Data

  • Data that can be calculated is not stored; this saves space

Audit Trail

  • Shows the record/information that has been changed
    • Who changes what in the system

Application Controls

  • Impacts different application
  • That is found it can be applied

Manual Application Control

  • Segregation of duties
  • Reporting and security

Computer application controls

  • computerised controls
    • Input
    • File and Output

Input

  • Designed to check input
  • As little access as possible

Auto-numbering, General Principles

  • Accepted if detectable

Access Rights

  • Usernames and passwords
    • Give limited access

Field Test

  • The kind of data that can be entered in the system
  • The form should be filled in to limit omission

Valid code test

  • When it is right

Auto numbering & auto completion

  • Helps for the right identifier

Limit and Check Formulae

  • Reject numbers outside the range
  • Protect against typos

Scanning

  • Automating input processes prevents errors

External Controls

  • To view information
  • Limited with summary

Testing IT Controls

  • There is a reason errors are manual

VCT

  • Its GENESIS number

Testing Control

Tests of Controls

  • Are set by the business
  • Are used with internal
  • To get evidence of data

By Whom

  • Has the authority
  • What is the observation
    • Are there adjusting entries

Testing

  • Physical Controls
  • Inspection
  • What's supporting it what is required

Internal controls

  • Test if the control is operating
  • has
  • has code
  • is there signature

Code

  • code must operate
