
Chapter 7

Systems work: basic ideas

Use with The Audit Process: Principles, Practice and Cases, 6th edn
ISBN 978-1-4080-8170-9 © Iain Gray, Stuart Manson and Louise Crawford, 2015
Learning objectives

• To explain the significance of the layers of regulation and control.
• To define internal control and explain the significance of the control
environment and related components, and accounting and quality
assurance/control systems.
• To explain the nature and role of systems development/maintenance controls
and describe the main features of these controls.

Internal controls and control risk
• Main interest at interim is to determine accounting records are genuine,
accurate and complete.
• If accounting and control systems good, and general control environment
satisfactory, more likely accounting records will be reliable.
• Effectiveness of accounting and control systems closely related to control risk –
has a bearing on extent of substantive procedures.
• An understanding of internal control assists the auditor in identifying types of
potential misstatements and factors that affect risks of material misstatement,
and in designing the nature, timing and extent of further audit procedures (ISA
315, para A42).
• Important relationship between tests of controls and extent of substantive
procedures.

Definitions: substantive procedure and test of control (ISA 330, para 4)

• Test of control – An audit procedure designed to evaluate the
operating effectiveness of controls in preventing, or detecting and
correcting material misstatements at the assertion level.
• Substantive procedure – ‘An audit procedure designed to detect
material misstatements at the assertion level. Substantive
procedures comprise:
(i) Tests of details of classes of transactions, account balances,
and disclosures, and
(ii) Substantive analytical procedures’.

Layers of regulation and control expanded (1)
Figure 7.1

Layers of regulation and control expanded (2)

• Controls are to prevent, detect or correct events that the entity
does not wish to happen.
• Internal control: The process designed, implemented and
maintained by those charged with governance (TCWG),
management and other personnel to provide reasonable assurance
about the achievement of an entity’s objectives with regard to
reliability of financial reporting, effectiveness and efficiency of
operations, and compliance with applicable laws and regulations.
The term “controls” refers to any aspects of one or more of the
components of internal control (ISA 315, para 4).

Business risk approach – impact on extent of audit tests

• Business risk approaches may result in reduced tests of controls
and substantive tests of detail; more reliance on effectiveness of
control environment and analytical evidence.
• Auditors are becoming more selective in detailed work they
perform, concentrating on systems critical to their ability to form
an opinion.
• Important part of control environment is effective internal audit
function and quality standards group, if one exists.

Potential limitations in internal control
Table 7.1

Layers of regulation and control expanded (3)

• Components of internal control are:
– Control environment
– Entity’s risk assessment process
– Information system
– Control activities
– Monitoring of controls

The control environment
• Includes:
– Governance
– Management functions and attitudes
– Attitude of TCWG and management to internal controls
• Control environment sets tone of organization
• Elements of control environment:
– Communication and enforcement of integrity and ethical values
– Commitment to competence
– Participation by TCWG
– Management’s philosophy and operating style
– Organizational structure
– Assignment of authority and responsibility
– Human resource policies and practices

Entity’s risk assessment process

• Entities should consider likelihood of business risks crystallizing and the
significance of the consequent financial impact on the business.
• Once this has been done suitable controls should be introduced to reduce risks
to acceptable level.

Information system

• Includes related business processes, relevant to financial reporting and
communication.
• Relevant and timely information about internal activities and external factors
essential if an entity is to be successful – including Key Performance Indicators
(KPIs).

Control activities

• Include:
– Authorization
– Performance reviews
– General and application controls over information processing
– Physical controls
– Segregation of duties

Monitoring of controls

• Basic task is to assess the performance of controls and their adequacy and
relevance over time.
• Monitoring may be a special responsibility of a quality standards group,
internal audit or even external audit.

Case study 7.1
High Quality Limited (small independent supermarket)

1. How relevant are the matters we discussed under the heading
‘layers of regulation and control expanded’ to the management
of this small company? What kind of objectives could the
business have?
2. If you were the proprietors, how would you ensure that sales
and purchases were fully and accurately recorded?

Case study 7.2
Entity in the financial services sector: Caiplie Financial Services

• What policy features would be relevant in an entity giving advice to
individuals about such matters as personal pensions, life assurance
and investments in bonds and securities, and what kind of controls
might be particularly important?
• Remember that the entity is advising people about some of the
more important investment decisions they will make during their
lives.

Accounting and quality assurance/control systems

• Distinguish between accounting systems and systems of internal control.
Control systems imposed on accounting system to ensure, within reason,
transactions and balances valid.
• Internal control: process for achieving objectives identified beforehand. It gives
reasonable but not absolute assurance control objectives are met.
• Users of information primarily concerned with the information derived from
systems and its reliability.
• Two kinds of control:
– General controls
– Application controls

Distinction between general controls and application controls
• General controls: controls over environment in which entity
operates. Role to ensure that applications are trouble free and
prevent, detect or correct events that management do not wish to
happen
• Include:
– Systems development/maintenance controls
– Organizational controls
• Application controls are designed to ensure individual applications
run smoothly.

Systems development/maintenance controls
1. Organizational structure to manage project and ensure high standards.
2. Documentation of development process – to allow informed person to understand
development process and how system works.
3. Testing at each stage before permission is given to proceed to the next stage.
4. Persons involved in the process take responsibility by confirmation in writing.
5. Parallel developments alongside technical development.
6. Reliable system for reporting system malfunctions.
7. Ensure unauthorized changes are not made to programs.
8. Ensure completeness of information/audit trail.

• In a small system, the process would be much truncated.

Development of computer applications Figure 7.4

Organizational structure to manage projects
• Member of the board with final responsibility for information systems
• Members – systems analyst group – programming group – data control
group
• Representatives of main user groups
• Manager responsible for quality assurance.
• Manager with responsibility for security of data, software and hardware.
• Manager responsible for operations.
• Member of the database administration department.
• Representative of internal audit providing independent view on controls
and completeness of information/audit trail.

Horton Limited information/audit trail

General controls – organizational controls
• Organization chart
• Segregation of duties: authorization of transactions; execution of transactions;
custody of assets; recording of transactions and assets.
Determine decision-making points in computer systems. Features:
a) Operation of program segregated from ability to change it.
b) Alteration of master files in hands of responsible official.
c) Rotation of duties, e.g. in database administration department.
• Authorization and approval – by responsible persons – authority limitations.
• Supervision controls – higher level controls by responsible management.
• Management of data – e.g. way data collected, prepared and enters system.
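
An added example, not taken from the book or its slides: one way to test an access listing against the segregation-of-duties features above. The four duty names and the operate/change split follow the slide; the user names, the rule that any two of the four duties conflict, and the 365-day rotation threshold are assumptions made for illustration.

```python
from datetime import date
from itertools import combinations

# The four duties the slide says should be kept apart.
DUTIES = ("authorization", "execution", "custody", "recording")

# Feature (a): operating a program is kept apart from the ability to change it.
PROGRAM_PAIR = ("operate_program", "change_program")

# Constructed access listing: user -> duties and abilities held.
ACCESS = {
    "a.khan":  {"authorization"},
    "b.lopez": {"execution", "recording"},
    "c.osei":  {"custody"},
    "d.marsh": {"operate_program", "change_program"},
    "e.novak": {"operate_program", "recording"},
}

# Constructed record of when each person took up a sensitive post.
POST_SINCE = {"d.marsh": date(2022, 1, 10), "e.novak": date(2024, 3, 1)}
TODAY = date(2024, 6, 30)  # fixed so the result is reproducible


def sod_conflicts(access):
    """Return sorted (user, duty_1, duty_2) tuples for incompatible pairs."""
    findings = []
    for user, held in access.items():
        # Assumption: holding any two of the four duties is a conflict.
        for d1, d2 in combinations(DUTIES, 2):
            if d1 in held and d2 in held:
                findings.append((user, d1, d2))
        if set(PROGRAM_PAIR) <= held:
            findings.append((user, *PROGRAM_PAIR))
    return sorted(findings)


def rotation_overdue(post_since, today, max_days=365):
    """Feature (c): list users who have held a sensitive post too long."""
    return sorted(
        user for user, since in post_since.items()
        if (today - since).days > max_days
    )


if __name__ == "__main__":
    for finding in sod_conflicts(ACCESS):
        print("SoD conflict:", finding)
    print("Rotation overdue:", rotation_overdue(POST_SINCE, TODAY))
```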

General controls – security and quality assurance

• Security over: physical assets
– Security plan: identify risks, threats, likely occurrence: fire and water
damage; energy variations; pollution; unauthorized intrusion.
• Security over: software.
– Controls over security of data: restrict access; maintain information/audit
trails; hold data and programs externally; GFS system/file dumps
• Quality assurance
Developed software to meet user needs: reliability, ease of use, efficient
in use, easy maintenance, clarity/completeness of system
documentation, effective staff.

Organization chart of a computer department and its place in a large entity
Figure 7.6

A word about collusion
• Value of segregation of duties depends on people being genuinely
independent of each other.
• If they work together – collude – to defeat the object of the control, it is as if the
control does not exist.
• If A keeps inventory and B is required to count and compare it with inventory
records = important control to safeguard assets. If A misappropriates inventory
and B in cahoots states there were no differences between physical and book
inventories = collusion.
• General control principle: management checks outputs for reasonableness and
duties rotated periodically.
• Collusion is one reason fraud is so often difficult to detect. It looks as though there is
proper segregation of duties, but the control is ineffective where two people act as one.

An example of a grandfather, father, son (GFS) system Figure 7.7

Controls over master files

• Errors in master files cause systematic errors to occur every time a routine
such as payroll preparation is run
– GFS system to ensure master files can be reconstructed easily.
– Master file copies in secure location outside computer room.
– Master files identified internally and by external labelling.
– Master files to be updated by persons not connected with the execution or processing of
transactions – password system.
– 100% validation of input data to master file updating run to ensure that master file is not
corrupted.
– Checking of all input data by person inputting the data and an independent person.
– Ideally there should be exception reporting and check digit controls in force.
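
An added example, not taken from the book or its slides: a master file update run that validates every amendment, applies a check digit, enforces the independent check and produces an exception report. The slides name no check digit scheme, so Luhn mod-10 is assumed; the field names, rate limits, user names and sample batch are constructed for illustration.

```python
# Assumption: Luhn mod-10 is the check digit scheme; the slides name none.
def check_digit_ok(number):
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

# Assumed policy values for this illustration.
ALLOWED_FIELDS = {"hourly_rate", "tax_code", "bank_account"}
RATE_LIMITS = (5.0, 150.0)          # plausible hourly rate range
TRANSACTION_STAFF = {"payroll_op"}  # staff who process the payroll itself

def validate_amendment(rec):  # returns the exceptions for one amendment
    employee_no, field, value, entered_by, checked_by = rec
    problems = []
    if not check_digit_ok(employee_no):
        problems.append("check digit failed")
    if field not in ALLOWED_FIELDS:
        problems.append("unknown field")
    elif field == "hourly_rate":
        try:
            in_range = RATE_LIMITS[0] <= float(value) <= RATE_LIMITS[1]
        except ValueError:
            in_range = False
        if not in_range:
            problems.append("hourly rate outside limits")
    if entered_by in TRANSACTION_STAFF:
        problems.append("entered by transaction-processing staff")
    if not checked_by or checked_by == entered_by:
        problems.append("no independent check")
    return problems

def validate_batch(batch):  # returns (accepted, exception_report)
    accepted, report = [], []
    for line_no, rec in enumerate(batch, start=1):
        problems = validate_amendment(rec)
        if problems:
            report.append((line_no, rec[0], problems))
        else:
            accepted.append(rec)
    return accepted, report

# Constructed sample batch: (employee_no, field, value, entered_by, checked_by)
BATCH = [
    ("100420", "hourly_rate", "18.50", "hr_clerk1", "hr_manager"),
    ("100587", "tax_code", "T1", "hr_clerk1", "hr_manager"),      # digits transposed
    ("100636", "hourly_rate", "1850", "hr_clerk1", "hr_manager"), # decimal point lost
    ("100719", "bank_account", "ACCT-X", "hr_clerk1", "hr_clerk1"),
    ("100420", "tax_code", "T2", "payroll_op", "hr_manager"),
]
```

Calling `validate_batch(BATCH)` accepts only the first amendment; the other four go to the exception report and the master file is left untouched for those records.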

Effective quality assurance function
• Important element of control: auditor assesses effectiveness by discussion with management
on role, determining that:
– Support of top management: statement from management highlighting importance of
quality of systems and information.
– High status within the organization.
– Action by management on recommendations, including those made during the
development process.
– Adequate resources to perform function properly, including staff with wide skills.
• Similar to steps taken to ensure effectiveness of internal audit
• Audit work includes: examination of reports by quality assurance group at development stage
and thereafter.
– Discussion with users: determine effectiveness from user perspective.
– Examine the educational and experience background of staff and the steps to keep staff up
to date.

Figure 7.1 Layers of regulation and controls – as extended

Figure 7.2 Example of matrix organizational chart

Figure 7.3 Raw data to information

Figure 7.4 Programme for the development of computer applications in a large-scale system

Figure 7.5 Information trail/audit trail flowchart

Figure 7.6 Organization chart of the computer department and its place in a large entity

Figure 7.7 An example of a grandfather, father, son (GFS) system

Figure 7.8 Troston payroll master file update
