1.0 Explain the effect which a company’s Internal Controls will have on the conduct of an audit.
The auditor primarily concerned is with controls that have the objective of achieving reliable financial reporting. Other objective and related controls may be relevant if they pertain to data that auditors use in applying audit procedures.
Auditors have firm responsibilities for detecting errors and irregularities and illegal acts within a company. A companies objectivities and controls related to these matters are also relevant to auditors. When noncompliance could have a direct and material effect on the financial statements, controls over application law that are relevant (Gaumnitz et al., 1982).
Operational effectiveness and efficient controls that are designed to reduce the risk of material misstatements and bad operating decisions are not usually considered relevant to a financial statement audit (Biggs and Mock, 1983). Controls help safeguard that the company’s statement accurately reflect related losses. Controls will relate to the safeguarding assets against unauthorised acquisition, use and disposition.
Importantly the auditors will obtain an understanding of internal controls as an initial starting point for planning an audit and detecting specific problem that relate to control risk. In this process an auditor must acquire an understanding of the internal and perform a preliminary assessment of the control risks, which based mainly on their assessment of the design effectiveness of control procedures.
After a preliminary assessment is control, which implies that the control risk for a particular process or assertion may be lower than high, the auditor may choose to implement a less assessed level of control risk audit strategy (Doyle, Ge and McVay, 2007). The testing of the operating effectives of certain controls as a foundation of confirming that the assessment of the control risk and resulting reduction in the level of substantive processes will then precede that.
As a consequence of assessing, reviewing and testing internal control is the opportunity to advise and make recommendation to management of meaningful internal control weaknesses and flaws (Baysinger and Hoskisson, 1990).
2.0 Examples of Internal Controls and for each of the control and the system weaknesses which the controls should prevent and detect:
2.1 Introduction
Controls are procedures that have detailed processes that management have implode to ensure that specific objectives that a company wish to achieve (Spira and Page, 2003). These procedures ensure that all transactions are recorded without any omissions and that they are recorded accurately. In addition to this, internal controls are there to ensure that transactions are recorded in a timely fashion (Cosserat and Rodda, 2012).
The board of director also establish these procedures to prevent or detect fraud and errors being made in recording transactions and to safeguard that complete financial statements can be prepared promptly (Kizirian, Mayhew and Sneathen, 2005).
It is good practise that internal controls are reviewed on a regular basis by management and in addition to a supervisory review (Baysinger and Hoskisson, 1990). Company employees also should be made aware that adherence to company’s internal controls is monitored and no adherence is likely to be identified.
3.0 Information Processing Controls
Something that may interest an auditor is the information processing controls, which address risks associated with the completeness, accurateness of transactions. Computers in almost all companies are used for information processing and thus often categorised as general and application controls (Moeller, 2010).
3.1 General controls
General controls are those controls that apply to computer systems as a whole and include controls linked hardware, software, and maintenance, back up procedures and controls over computer programming.
3.2 Application Controls
Application Controls are those controls that pertain to the processing of specific types of transactions such as paying creditors and paying staff. These may relate to manual and computerised tasks and can be classified further into proper authorisation, documents and records and independent checks.
Proper authorisation procedures will safeguard any transactions processed by an individual are acting within the scope of their role, thus making sure they have the proper authority. This authorisation can be very specific or just general. General authorisation is just normal conditions where which a transactions are authorised for example the sale of a product at a discount (Cosserat and Rodda, 2012). Specific authorisation is granted on more an individual basis, which could be a routine transaction or a non-routine transaction, this be may the purchase of goods or major capital expenditure respectively. Authorisation procedures are also important in limiting access to assets, documents and records and to computer systems.
Documents are records are source documents, journals and ledgers. Documents provide physical evidence of transactions that occurred that may include accurate price, nature and terms of the transaction. When a document is signed or stamped, this provides a basis for which the responsibility of the performance and recording of the transaction. A company should design their documentation to encourage all relevant information and to provide for the required authorisations for those responsible for executing and recording the transactions. It is thought that employees will more likely perform their duties accurately if their responsibility is evidenced on documentation.
3.4 Segregation of duties
Segregation of duties ensures that individuals do not complete incompatible duties. What is meant be this is that when it is possible for an individual to commit error or irregularity and then in a situation to hide it in the normal course their duties (Doyle, Ge and McVay, 2007). An individual who processes cash from customers, for example should not also have authority to approve and record credits to customers for sales returns or write-off. In this case the person could possibly steal the cash and cover the theft by recording fake write offs. This supports the segregation of duties.
3.5 Physical controls
Physical controls limit access to assets and important records. Such control may be direct or indirect (Doyle, Ge and McVay, 2007). Direct controls include introducing measures for the safekeeping of assets, documents and records (such as locked storerooms) and allowing access to storage areas to restricted company staff. Indirect controls apply to the preparation or processing of documents (such as sales orders and payment vouchers) that authorised the use or disposition of assets (Cosserat and Rodda, 2012). They involve the use of mechanical and electronic equipment such as cash registers, which help to assure that all cash receipt transactions are rung up and which provide locked-in summaries of daily receipts. To be effective, physical controls must include periodic counts of assets and comparisons with amounts shown on control records.
3.6 Performance Reviews
Examples of performance review include management review and analysis of:
Reports that summarise the detail of account balance such as an aged trial balance of trade receivables or reports of sales activity by region, division, salesperson or product line (Walsh and Seward, 1990). This could be done by the comparison of actual performance to budgets, forecasts or prior amounts.
4.0 How the auditor could check their operation and effectiveness of the internal controls.
The Auditor must meet their responsibility for obtaining and documenting an understanding of the information system and internal control environment (Murphy and Brown, 1992). This firstly is how the auditor would check their operation and effectiveness by obtain an understanding of the internal controls. They would do this by:
• Revising preceding experience with the company
• Inquiring the company’s management and staff
• Reviewing company documentation
• Observing company activities and processes
5.0 Review previous experience
In the case of a recurrence appointment with the company, the previous year’s engagement will contain a vital amount of information, which may be relevant to the current year’s audit. As a starting point the auditor can review and use the previous year’s documented understanding and the assessment of the controls risk. Any changes in the current year that have occurred may also be found out by making inquires to the company. The previous audit documentation should also contain information about the types and cause of any misstatements found prior. The auditor will determine whether management have taken any actions to correct by following up for information (Cosserat and Rodda, 2012).
5.1 Inquiring
Making inquiries of company management and staff is a vital source of information. Inquires will usually be describes in association with changes in any conditions or documentation of internal controls
5.2 Inspecting documents and records
Auditors will also review all relevant company documents and records, such as, accounting ledgers, journals and source documents. Though these inspections this will lead to additional questions to the company about specific control and change in conditions.
5.3 Observation and walkthrough
Observation will usually enhance the inquiry by confirming the auditors understanding of procedures and processes, which the company has described. A significant part of the inspection and observation is by being given a walkthrough of a procedure.
As this is to reinforce their understanding of the information system and control procedure or to check that there has bee no changes to the systems since last reviewed. The auditor will perform a trail to satisfy the documents understanding.
5.4 Preliminary assessment
Preliminary assessment is used by the auditor to evaluate the risk of material misstatement arising out of the understanding of internal control and is made to obtain a reasonable expectation of the effectiveness of controls based on the understanding of their design (Biggs and Mock, 1983).
The first step is assessing the control environment. A weak control environment can undermine the internal controls this is because if there are strong individual controls this does not compensate for the weak control environment (Cosserat and Rodda, 2012).
The second step is to assess the design of the risk management framework and it’s ability to avoid or correct misstatements. The effectiveness of a control is constrained by its fundamental design and control risk is measured individually in terms of financial statement transactions.
Effectively the auditor will begin by assessing controls procedure that pertains to the processing for different transactions assertions, such as the completeness, occurrence and accuracy. In evaluating the design of a controls effectiveness so that an initial assessment of control risk for an assertions, auditors; will review and identify any potential misstatements that could occur by the company transactions; will detect required control which will prevent or detect any material misstatements: then evaluate the gathered evidence and make an assessment.
5.5 Identify the potential misstatements
If the auditor’s understanding of the internal controls is obtained their inquires will have identified areas of strength and weakness of the presence of effective controls or the absence of effective controls. In addition, through the understanding of the company’s information systems, the auditors will identify the potential misstatements application to explicit transactions, given the company condition.
5.6 Identifying the necessary controls
The auditors can identify the necessary controls that would be likely to prevent or detect specific potential misstatements by using internal control questionnaire or manually analysing checklist. It must be noted that there may be several controls pertaining to an individual potential misstatement in other instances, only single controls may apply.
5.7 Making the assessment
The Auditor can make a preliminary assessment of control risk from the knowledge developed from the process of gaining an understanding of internal controls, identification of potential misstatements and the required control to prevent or detect those misstatements (Weber, 1978).
5.8 Internal Control Questionnaires
Another technique that is commonly used by audit firms to assess whether specific errors or frauds are possible, as opposed to determining the presence of internal control, is by using the internal control questionnaires (ICQ) (Lloyd Bierstaker and Thibodeau, 2006).
It has been found that auditors use the process of completing an ICQ accurately recognised further internal control design weaknesses than auditors who just prepared a narrative. Internal control evaluation experience moderated this effect. Bierstaker and Thibodeau implied in their results that the questionnaire documentation format supports an auditor’s existing internal control knowledge, thus improving performance when recognising internal control design weaknesses
5.9 Operating effectiveness
The second phase occurs on completion of test of control. If these do no support the preliminary assessment of control risk, then the auditors must perform additional substantive procedures. In more instances, however, the preliminary assessment is sufficiently reliable, such that the need to extend substantive procedures after completion of test of control rarely arises.
5.10 Testing of controls
Test of control are audit processes performed to identify the effectiveness of a control. It is require that when an auditor’s assessment of risks of material misstatement that the controls are performed effectively, thus the auditor will contact tests of controls to obtain evidence that controls were operating effectively and at the appropriate time periods. This is relevant to controls that are designed and are assessed as reliable and where the auditor may place a reliance on these controls to reduce the level of intense procedures.
Test of controls that relevant to the operating effectiveness of the control procedures are concerned with whether controls are working. Test of operating effectiveness focus on three questions:
• How was the control applied?
• Was it applied consistently during the year?
• Who applied it?
6.0 Conclusion
Internal control is essential for effective company operations. It Is important for an auditor to gain an understanding of internal control as a starting point in planning an audit and to detecting particular problems.