Systems work:
basic ideas 1
Use with The Audit Process: Principles, Practice and Cases, 6th edn
ISBN 978-1-4080-8170-9 © Iain Gray, Stuart Manson and Louise Crawford, 2015
Learning objectives
Internal controls and control risk
• Main interest at interim is to determine accounting records are genuine,
accurate and complete.
• If accounting and control systems good, and general control environment
satisfactory, more likely accounting records will be reliable.
• Effectiveness of accounting and control systems closely related to control risk –
has a bearing on extent of substantive procedures.
• An understanding of internal control assists the auditor in identifying types of
potential misstatements and factors that affect risks of material misstatement,
and in designing the nature, timing and extent of further audit procedures (ISA
315, para A42).
• Important relationship between tests of controls and extent of substantive
procedures.
Definitions: substantive procedure and test of control (ISA 330, para 4)
Layers of regulation and control expanded (1) Figure 7.1
Layers of regulation and control expanded (2)
Business risk approach – impact on extent of audit tests
Potential limitations in internal control
Table 7.1
Layers of regulation and control expanded (3)
The control environment
• Includes:
– Governance
– Management functions and attitudes
– Attitude of TCWG and management to internal controls
• Control environment sets tone of organization
• Elements of control environment:
– Communication and enforcement of integrity and ethical values
– Commitment to competence
– Participation by TCWG
– Management’s philosophy and operating style
– Organizational structure
– Assignment of authority and responsibility
– Human resource policies and practices
Entity’s risk assessment process
Information system
Control activities
• Include:
– Authorization
– Performance reviews
– General and application controls over information processing
– Physical controls
– Segregation of duties
Monitoring of controls
• Basic task is to assess the performance of controls and their adequacy and
relevance over time.
• Monitoring may be a special responsibility of a quality standards group,
internal audit or even external audit.
Case study 7.1
High Quality Limited (small independent supermarket)
Case study 7.2
Entity in the financial services sector: Caiplie Financial Services
Accounting and quality assurance/control systems
Distinction between general controls and application controls
• General controls: controls over environment in which entity
operates. Role to ensure that applications are trouble free and
prevent, detect or correct events that management do not wish to
happen
• Include:
– Systems development/maintenance controls
– Organizational controls
• Application controls are designed to ensure individual applications
run smoothly.
Systems development/maintenance controls
1. Organizational structure to manage project and ensure high standards.
2. Documentation of development process – to allow informed person to understand
development process and how system works.
3. Testing at each stage before permission is given to proceed to the next stage.
4. Persons involved in the process take responsibility by confirmation in writing.
5. Parallel developments alongside technical development.
6. Reliable system for reporting system malfunctions.
7. Ensure unauthorized changes are not made to programs.
8. Ensure completeness of information/audit trail.
Development of computer applications Figure 7.4
Organizational structure to manage projects
• Member of the board with final responsibility for information systems
• Members – systems analyst group – programming group – data control
group
• Representatives of main user groups
• Manager responsible for quality assurance.
• Manager with responsibility for security of data, software and hardware.
• Manager responsible for operations.
• Member of the database administration department.
• Representative of internal audit providing independent view on controls
and completeness of information/audit trail.
Horton Limited information/audit trail
General controls – organizational controls
• Organization chart
• Segregation of duties: authorization of transactions; execution of transactions;
custody of assets; recording of transactions and assets.
Determine decision-making points in computer systems. Features:
a) Operation of program segregated from ability to change it.
b) Alteration of master files in hands of responsible official.
c) Rotation of duties, e.g. in database administration department.
• Authorization and approval – by responsible persons – authority limitations.
• Supervision controls – higher level controls by responsible management.
• Management of data – e.g. way data collected, prepared and enters system.
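An added example (not from the textbook or these slides) of how the segregation rule above can be tested against an access listing: it flags any user who holds two or more of the four incompatible duties, and any user who can both operate and change a program. The duty labels, user names and entitlement rows are constructed for illustration.

```python
from collections import defaultdict
from itertools import combinations

# The four duties the slide says must be kept apart.
INCOMPATIBLE = {"authorize", "execute", "custody", "record"}
# Feature (a): operating a program versus being able to change it.
EXTRA_PAIRS = {frozenset({"operate_program", "change_program"})}

# Constructed access listing: (user, duty) rows as they might be
# exported from an application's role assignments.
ENTITLEMENTS = [
    ("alice", "authorize"),
    ("bob", "execute"),
    ("bob", "record"),
    ("carol", "custody"),
    ("dave", "operate_program"),
    ("dave", "change_program"),
    ("erin", "operate_program"),
]

def sod_conflicts(entitlements):
    """Return {user: sorted list of conflicting duty pairs}."""
    duties = defaultdict(set)
    for user, duty in entitlements:
        duties[user].add(duty)
    findings = {}
    for user, held in duties.items():
        # Any two of the four incompatible duties held by one person.
        pairs = [tuple(sorted(p)) for p in combinations(held & INCOMPATIBLE, 2)]
        # Explicitly listed pairs such as operate/change program.
        pairs += [tuple(sorted(p)) for p in EXTRA_PAIRS if p <= held]
        if pairs:
            findings[user] = sorted(pairs)
    return findings

if __name__ == "__main__":
    for user, pairs in sorted(sod_conflicts(ENTITLEMENTS).items()):
        for a, b in pairs:
            print(f"{user}: holds both '{a}' and '{b}'")
```

A clean result only shows that duties are split on paper; it cannot show whether two users act together, which is why segregation is paired with review of outputs and rotation of duties.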
General controls – security and quality assurance
Organization chart of a computer department and its place in a large entity Figure 7.6
A word about collusion
• Value of segregation of duties depends on people being genuinely
independent of each other.
• If work together – collude – to defeat the object of the control, it is as if the
control does not exist.
• If A keeps inventory and B is required to count and compare it with inventory
records = important control to safeguard assets. If A misappropriates inventory
and B in cahoots states there were no differences between physical and book
inventories = collusion.
• General control principle: management checks outputs for reasonableness and
duties rotated periodically.
• Collusion is one reason fraud so often difficult to detect. Looks as though
proper segregation of duties but ineffective where two people act as one.
An example of a grandfather, father, son (GFS) system Figure 7.7
Controls over master files
• Errors in master files cause systematic errors to occur every time a routine
such as payroll preparation is run
– GFS system to ensure master files can be reconstructed easily.
– Master file copies in secure location outside computer room.
– Master files identified internally and by external labelling.
– Master files to be updated by persons not connected with the execution or processing of
transactions – password system.
– 100% validation of input data to master file updating run to ensure that master file is not
corrupted.
– Checking of all input data by person inputting the data and an independent person.
– Ideally there should be exception reporting and check digit controls in force.
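An added example (not from the textbook) of a master file update run that applies the controls listed above: every amendment is validated before any is applied, the employee number carries a check digit, the person who input a record cannot be its independent checker, and unusual changes go to an exception report. The modulus 11 check digit scheme, the field names, the 20% pay-change threshold and the sample batches are assumptions constructed for illustration.

```python
MASTER = {"12343": 2500.0, "20451": 3100.0, "31070": 2800.0}  # constructed
PAY_CHANGE_LIMIT = 0.20  # assumed threshold for the exception report

def mod11_ok(number):
    """Assumed scheme: weights 1, 2, 3... from the right; sum % 11 == 0."""
    if not number.isdigit():
        return False
    total = sum(int(d) * w for w, d in enumerate(reversed(number), start=1))
    return total % 11 == 0

def validate(batch, master):
    """Check every amendment; return (errors, exceptions)."""
    errors, exceptions = [], []
    for i, rec in enumerate(batch):
        emp = rec["emp_no"]
        if not mod11_ok(emp):
            errors.append((i, "check digit failed"))
        elif emp not in master:
            errors.append((i, "unknown employee number"))
        elif rec["new_pay"] <= 0:
            errors.append((i, "pay out of range"))
        elif not rec["checked_by"] or rec["checked_by"] == rec["input_by"]:
            errors.append((i, "no independent check"))
        elif abs(rec["new_pay"] - master[emp]) / master[emp] > PAY_CHANGE_LIMIT:
            exceptions.append((i, "pay change over limit"))  # reported, not blocked
    return errors, exceptions

def update_master(batch, master):
    """Apply the batch only if 100% of records pass; never part-apply."""
    errors, exceptions = validate(batch, master)
    if errors:
        return master, errors, exceptions  # master file left untouched
    updated = dict(master)  # the old generation is not modified
    for rec in batch:
        updated[rec["emp_no"]] = rec["new_pay"]
    return updated, errors, exceptions

# Constructed amendment batches.
GOOD_BATCH = [
    {"emp_no": "12343", "new_pay": 2600.0, "input_by": "u1", "checked_by": "u2"},
    {"emp_no": "20451", "new_pay": 4000.0, "input_by": "u1", "checked_by": "u2"},
]
BAD_BATCH = [
    {"emp_no": "12433", "new_pay": 2600.0, "input_by": "u1", "checked_by": "u2"},  # digits transposed
    {"emp_no": "31070", "new_pay": 2900.0, "input_by": "u3", "checked_by": "u3"},  # self-checked
]
```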
Effective quality assurance function
• Important element of control: auditor assesses effectiveness by discussion with management
on role, determining that:
– Support of top management: statement from management highlighting importance of
quality of systems and information.
– High status within the organization.
– Action by management on recommendations, including those made during the
development process.
– Adequate resources to perform function properly, including staff with wide skills.
• Similar to steps taken to ensure effectiveness of internal audit
• Audit work includes: examination of reports by quality assurance group at development stage
and thereafter.
– Discussion with users: determine effectiveness from user perspective.
– Examine the educational and experience background of staff and the steps to keep staff up
to date.
Figure 7.1 Layers of regulation and controls – as extended
Figure 7.2 Example of matrix organizational chart
Figure 7.3 Raw data to information
Figure 7.4 Programme for the development of computer applications in a large-scale system
Figure 7.5 Information trail/audit trail flowchart
Figure 7.6 Organization chart of the computer department and its place in a large entity
Figure 7.7 An example of a grandfather, father, son (GFS) system
Figure 7.8 Troston payroll master file update