CHAPTER 8 SYSTEMS AND CONTROLS

→ The extend of substantive procedures to be performed depends on results auditors assessment of control
risk. 1. If the control risk is low :-
• the auditor can place more reliance on internal controls
• This increases the appropriateness of interim audit testing and less quantity of detailed substantive
procedures can be performed at the final audit.
• The audit strategy and plan will be updated to reflect that fewer substantive procedures can be performed.
2. If control risk is high :-
• Increase the volume of procedures conducted at and after the year end.
• Increase the level of substantive procedures, in particular, test of detail.
• increase the locations included in the audit scope.
• place less reliance on analytical procedures
• place less reliance on written representations from management
• Obtain more evidence from external sources
• Update the audit strategy and plan to reflect the additional testing.
→ Limitations of Internal controls
• Auditor can never eliminate the need for substantive procedures entirely because of inherent limitations:-
- Human error, - Ineffective controls, - Collusion of staff ( staff work together and collude together), -
Management override, Uses of management judgement on the nature and extent of controls it chooses.
→ COMPONENTS OF INTERNAL CONTROL
1. The control environment:- this includes governance and management function of an organisation.
• Focuses largely on the attitude, awareness and actions of those responsible for designing, implementing
And monitoring internal controls.
• Elements of internal control environment.
- How managements responsibility are carried out, demonstrating management’s commitment to the
integrity and ethical values
- How TCWG demonstrate independence from management and exercise oversight of the system.
- How the entity assigns authority and responsibility in pursuit of its objectives.
- How the entity attracts develops and retains competent people(Recruitment , Training , appraisal policies).
- How entity holds individuals accountable for their responsibilities.
• When assessing the control environment the auditor may consider how the management responds to the
findings and recommendations of the internal audit function regarding identified deficiencies.
2. The entity’s risk assessment process
• The auditor must obtain an understanding of entity’s process for identifying business risks, the entity
must then evaluate whether the process is appropriate to the entity’s circumstances taking into
consideration the nature and complexity of the entity.
•Auditor identifies instances where management failed to identify risks of material misstatement,and should
obtain understanding of why the entity’s process failed to identify the risks, consider implications the audit.
3. The entity’s process to monitor the system of internal control
• Clients continual process of evaluating the effectiveness of controls over time and taking necessary
remedial actions.
4. The information system and communication
• Consists of all the activities and policies relevant to financial reporting and communication
5. Control activities
• Control activities are policies (what should or should not be done) and procedures (actions to implement
policies) to achieve the control objectives of management and TCWG.
→ Examples of direct controls
• Sales :- A credit check on a customer reduces the risk of sales being made to a customer who may be unable
to pay thereby reducing the risk of irrecoverable debts. This reduces the risk of misstatement of receivables.
• Purchases :- Purchase requisitions and orders must be approved before being placed with the supplier.
Authorisation ensures the purchase is valid for business use reducing the risk of fraudulent purchases.
→ IT CONTROLS
• IT controls are divided into :- 1. General controls 2. Information processing controls
1. General controls:- support continued proper operation of the IT environment, including the effective
functioning of the information processing controls and the integrity of info in the information system.
2. Information processing controls:- relate to the processing of info in IT applications or manual processes
that directly address risks to the integrity of information. These may be automated ( in applications)/manual.
→ASCERTAINING THE SYSTEM(Procedures to obtain evidence regarding design and implementation of controls)
• Enquiries of Relevant personnel • Observing the application of controls • Tracing a transaction through the
system to understand what happens (walkthrough test) • Inspecting documents (Internal procedure manual)
→ For controls which don’t address a significant risk must be tested by auditor atleast once every third audit.
→DOCUMENTING CLIENTS SYSTEM Auditor must document clients system before evaluating if its adequate.
• Narrative notes:- Written description of a system
• Flowcharts:- diagrammatical representation of the system.
• Internal control Questionnaire (ICQ :-A list of controls given to client and asked whether those controls
are in place(objective type questions yes/no questions)eg.Does the company perform credit check on
customers
• Internal control evaluation Questionnaires (ICEQ) :- The client is asked to describe the controls they have
in place for a given control objective. ( More detailed questions about controls) eg. How does the company
ensured goods are only purchased for Valid business use.
→ TESTING THE SYSTEM
• Test of controls are performed only on those controls that the auditor has determined are suitably designed
to prevent, or detect and correct a material misstatement in a relevant assertion.
• Methods of control testing include :- 1. Observation of control activities 2. Inspection of Documents 3.
Using test data to ensure programmed controls are working effectively.
→ COMMUNICATING CONTROL DEFICIENCES ( IAS 265) (Communicated in management letter/report to
management usually sent at the end of audit process).
• Communicate any deficiencies that are of sufficient importance to merit management’s attention to
management • Communicate significant deficiencies to the TCWG ).
→ Deficiencies occur when:-
• A control is designed, Implemented or operated in that it unable to prevent or detect or correct a
misstatements in the FS on a timely basis
• A control necessary to prevent, detect and correct a misstatement in the FS on a timely basis is missing.
→ When the auditor reports deficiencies :- 1. The report is not a comprehensive list of deficiencies, but only
those that have come to light during the normal audit procedures. 2. The report is for the sole use of the
company 3. No disclosure should be made to third parties w/o Written agreement of the auditor 4. No
responsibility is assumed to any other parties. ( If asked for a covering letter this should be included in it )
→ TEST YOU UNDERSTANDING 1 ( Murray co sales cycle)
Direct Controls Test of control
→ Format of how to answer :- 1. • Inspect a sample of customer files to ensure a credit
1.i. Identify the control:- Credit checks are performed check has been performed.
and credit limits are set. •Inspect the customers account withing the system to
ii. Benefit of having the control :- Sales are only made endure credit limits have been put in place.
to customers that are likely to make a full and prompt
payment, reducing the risk of irrecoverable debts.
iii. Consequence if the control would be missing:-
Irrecoverable debts will reduce profit and cash inflow
and if not written off will result in overstatement of
receivables.(point optional).
 2.• A second member of the warehouse team checks
the goods packed, signing the GDN to evidence the
check : Segregation of duties.
• Segregation of duties reduces the risk of fraud or theft
which results in loss for company and potential
misstatements in accounting records.
2. • Visit the warehouse and observe the goods despatch
process to assess whether all goods are double checked
against the GDN prior to signing and despatch.
• Inspect the GDN for evidence of the signature to confirm
the physical goods have been checked to the GDN and the
GDN against the order prior to despatch.

3. • Customers sign the GDN and return it to murray
co : this helps to minimize disputes as proof of delivery
and acceptance of goods is obtained.
• Disputes with customers may result in overstatement
of receivables and loss of customer goodwill.
3. • Inspect a sample of GDNs retained by the warehouse
to ensure they are signed by the customers to confirm
receipt of goods and to confirm they are retained in the
warehouse in case of disputes.

4. • The invoice is raised from the GDN: This ensures 4. • Inspect the GDNs for evidence of being matched to
the invoice related to the actual quantity of goods invoices. Agree the details on both to ensure control has
despatched rather than the order which may be been effective.
different
• This reduces the risk of customers being invoiced
incorrectly which would result is misstatement of
revenue and receivables. This could cause customer
dissatisfaction and a loss of customer goodwill

5. • Sales invoices are prepared using the company
price list : this ensures customers are invoiced
correctly.
• Incorrect invoicing will lead to misstatement of
revenue and receivables. This could also cause
customer dissatisfaction and a loss of customer
goodwill.
5. • Inspect the price list for approval by the directors.
• Obtain a copy of the current price list and match a
sample of invoices to agree correct prices have been used.
• Agree the prices in the system to approved price list
• Enquire of management who has authority to amend the
standing data such as prices in the system to ensure only
persons having the authority have access.
• Try to input a change to the prices in the system using a
user ID of a clerk to ensure that the system does not allow
access to this standing data.

6. • Discounts must be requested by a sales manager
and authorised by sales director: Segregation of duties
and Authorisation.
• This reduces the risk of fraud and unauthorised
discounts which will result in loss of revenue for the
company and possible misstatement within the
accounting records.
6. • With the clients permission, attempt to process an
invoice with a sales discount not authorised by the sales
director. The system should reject the
invoice.
• Inspect sales orders with discounts given for evidence of
the sales director's signature
authorising the discount.

7. • Review of the receivables ledger for credit 7. • Inspect the receivables ledger for evidence of monthly
balances: identifies possible overpayments or errors review for credit balances such as a
within the receivables ledger. manager's signature.
• Errors in the accounting records can be
promptly corrected.

8. • Monthly customer statements sent to customers: 8. • For a sample of customers, inspect copies of monthly
reminds customers of the invoices they need to pay and statements sent out to confirm statements
enables them to identify errors in invoices which can be are in fact issued.
notified to Murray Co.
• This can reduce the risk of irrecoverable debts.
Irrecoverable debts will reduce profit and cash
inflows and if not written off will result in
overstatement of receivables.

9. • Receipts are counted by the office assistant, 9. • Observe the cash receipt process to assess the
recorded by the cashier, and the sales ledger clerk adequacy of segregation of duties.
agrees the amount received to the amount invoiced:
segregation of duties.
• Segregation of duties reduces the risk of fraud which
could cause misstatement in the accounting
records and loss for the company.

Control Deficiency Recommendation

→ Format of how to answer:- 1. • Credit checks should be performed annually to
1. i.Identify the deficiency:- Credit checks are only ensure the credit limit originally given to the customer
reperformed if a customer requests a increase in credit is still appropriate.
limit . • If the credit status has changed, the credit limit
ii. Explain the deficiency:- A customers credit rating should be revised.
may be deteriorated but Murray co will not know and
continue to give the same level of credit.
iii. Consequence:- This will increase the risk of
irrecoverable debts, affecting profit and cash flow.
Irrecoverable debts may result in possible
overstatement of receivables.
2. • Credit limits are checked after the order has been 2. • Credit limit should be checked before the order is
accepted. confirmed to ensure the customer has sufficient credit.
• The customer may not have sufficient credit which
may result in irrecoverable debts and a reduction to
profit. Irrecoverable debts may result in overstatement
of receivables.

3. • Sales invoices are not sequentially numbered.
• Goods may not have been invoiced which will result in
lost revenue and profit for the Company.
• The company will not be able to identify if any
invoices are missing resulting in understatement of
revenue.
3. • Sales invoices should be sequentially numbered
and a sequence check should be performed by the
accounts department on a daily/weekly basis.
• Any breaks in the sequence should be
investigated.

4. • No review is performed to ensure all goods have 4. • A review should be performed to ensure that every
been invoiced. GDN has a matching invoice to ensure all
• Goods may not have been invoiced which will result in goods have been invoiced.
understatement of revenue.

5. • The receivables ledger is only reconciled when the
sales manager has time.
• Errors may exist within the receivables accounting
records which will not be identified and
resolved on a timely basis.
6. • The credit controller only follows up on balances
which are six months overdue.
• This increases the risk of irrecoverable debts which
will reduce profit and cash inflows. Irrecoverable debts
may result in overstatement of receivables.
5. • The receivables ledger should be reconciled to the
control account on a monthly basis.
• The reconciliations should be reviewed by a different,
responsible official to ensure the
reconciliation has been performed properly.
6. • Credit control procedures should be followed to
ensure full and prompt payment by customers,
e.g. a telephone call to the customer
followed by a letter.