INTRODUCTION
Internal controls
Internal controls are controls put in place to safeguard the assets of the company, to prevent fraud from
occurring, to ensure compliance with laws and regulations applicable to the entity, to produce reliable
information and to operate the business effectively and efficiently.
The auditor needs to understand internal controls from the business's perspective.
Internal control is a process: a combination of systems, policies and procedures designed, implemented
and maintained to address the risks involved in running a business.
It is not the sole responsibility of management; everyone is responsible for internal control.
Limitations to internal controls
1. Cost/benefit – may be more expensive and not worth implementing.
2. Internal controls are directed at routine transactions (everyday transactions) rather than non-routine
transactions (special cases).
3. Human error – due to carelessness, distractions, mistakes or misunderstandings.
4. Internal controls could be dodged through collusion.
5. Management could easily override internal controls.
6. Procedures may become inadequate due to changes and compliance with procedures may deteriorate.
Components of internal control
1. The control environment ISA 315 para 14 A76-A86
2. Risk assessment ISA 315 para 15 A87-A88
Identify and assess risks
- Operational – risk that threatens the entity
- Financial reporting – risk that accounting system doesn’t only record
transactions which have occurred, are authorised and which are
recorded and processed accurately and completely.
- Compliance – risk that entity does not comply with laws and regulations
applicable to the entity.
How to respond to risk
- Control activities
- Information system
Influencing factors in determining whether sufficient appropriate evidence has been obtained.
- Assessing inherent and control risk at the client
- Materiality
- Experience gained from previous audits
- Results of audit procedures already conducted
- Source and reliability of information available
- The persuasiveness of the audit evidence
Procedures in carrying out a risk assessment, test of controls and substantive testing.
Inspection (examining documentation to physical asset)
Observation (looking at the process being performed by others)
External confirmation (written)
Recalculate (checking manually or electronically the math accuracy of documents or records)
Reperformance (auditor performing the procedure or control of internal controls)
Analytical procedures (comparing year to year or months)
Inquiry (seeking information from knowledgeable persons)
2. Planning stage
ISA 300 states that the objective of the auditor is to plan the audit so it will be performed in an effective
manner.
The planning of the audit ensures that:
- Appropriate attention is devoted to important areas of the audit.
- Problems are identified and resolved on a timely basis.
- A competent audit team
- Appropriate direction and supervision of the audit team
- Work is completed on time
* The audit strategy
Sets the scope, timing and direction of the audit and guides the development of the audit plan.
o Scope:
* The financial reporting standards on which the financial information has been prepared.
* Expected coverage, including numbers and locations of components to be involved.
* Involvement of other auditors?
* The need for specialised knowledge
* The availability of internal audit work and the extent of the auditor’s reliance on it.
* The effect of information technology on the audit procedures, use of CAATS
o Timing:
* The company’s timetable for reporting – interim, year end?
* Schedules with management and those charged with governance to discuss the nature, timing and
extent of the audit.
* Communication with other auditors, experts etc. and the timing of reports to be issued as a result of
their work.
* Size, complexity and number of locations of the client.
* Extent and complexity of computerisation of the client – CAATS
o Direction:
* Materiality – lower = more audit work
* The presence of significant risk
* Impact of high risk at FS level means more experienced staff to be placed on the audit.
* Evidence of management’s commitment to design and operation of sound internal controls
* The volume of transactions – Use of CAATS
* Significant business development affecting the entity.
* Materiality
It is understood that FS are not 100% accurate; there is a margin of error. This margin must be acceptable to
users, otherwise FS are of little or no value. If misstatements are outside the acceptable margin they become
material and are likely to affect users’ decisions.
Nature of materiality
- It is subjective
- It is relative (varies from user to user)
- Can be both qualitative (regarded as material when judged against other
factors) and quantitative (exceeds amount which auditor deems
material)
Planning materiality is basically the guideline for the amount of misstatements the user can live with.
Performing stage – this will be set once auditor starts tests on specific acc balances and classes of
transactions.
NB to remember that something could be material in aggregate and not just individually.
Performance materiality is set lower than planning materiality and thus a larger sample should be tested.
ISA 320 – auditor must determine performance materiality for the purpose of:
- Assessing risk of material misstatements (class of trans or acc bal)
- Determine nature, timing and extent of further audit procedures
Performance materiality takes into account that we test for misstatements which in aggregate might exceed
the planning materiality level.
Management responsibility: prevent and detect fraud by implementation and monitoring of internal
controls.
Auditor’s responsibility: ISA 240 p12-33
Responses to risk of material misstatements due to fraud ISA 240 p28-33
The auditor will respond by conducting extensive procedures on the existence, rights and
valuation of inventory and the occurrence of sales/ existence of debtors.
Significant risk
Auditor must consider whether:
- Risk of fraud
- Relates to recent significant economic, accounting, other
development
- Complexity of transaction
- The degree of subjectivity
- Whether it involves transactions outside normal course of
business, unusual due to size or nature.
Concept of materiality: see above
SUBSTANTIVE PROCEDURES
Debtors
Creditor
Other income and accruals
Provisions
Long term loans
Inventory
Investments
Major risk will be overstating the investment account (fictitious investments, overstatement of value).
Client will prepare schedule of investments – listed, unlisted, details of each, cost and fair value, CY movement.
Assertions CERVP
PPE
Take IAS 16 into account – cost or revaluation model
Assertions for PPE account – CERVP
Completeness
- Select sample of Fixed (A) and trace to fixed (A) register (asset to
document).
- Review CPJ and creditor’s payment for fixed assets purchased
and confirm that they are recorded as fixed (A).
- Review lease agreement and enquire of senior personnel for
evidence of asset leased but not capitalised.
- Inspect for repairs and similar accounts for material items which
may indicate acquisition of PPE which was erroneously
expensed.
Existence
- Select sample of assets on fixed (A) register and inspect for
physical asset (Document to asset)
- If asset cannot be physically verified, inspect corroborating
evidence eg: licence expenses
- Inspect CRJ for cash received for disposal of fixed asset, ensure
that item for which cash was received is on disposal list.
Rights
- Determine change in rights to assets by 1. Enquire of
management 2. Inspect director minutes.
- For additions, inspect purchase documents for title to ensure
they are in client’s name. (registration documents, title deeds,
sales agreements)
- For assets still being paid for, inspect payment records to ensure
client is not behind on payments.
- Where leased assets are being capitalised inspect lease
agreement to ensure risk and rewards of ownership has passed
to client.
- 1. Enquire of management 2. Inspect director’s minutes 3.
Inspect loan agreement to ensure that assets are not held as
security.
Valuation
- Agree o/b on summary schedule to prior years working paper
and general ledger to ensure amounts agree.
- Reperform all casts and extensions in fixed asset register and
supporting list of additions and disposals.
- Inspect summary of schedules and general ledger to ensure
amounts agree.
- Reperform reconciliation of the fixed asset register to fixed
assets accounts and acc dep in general ledger.
Assertions for movement (additions and disposals) – COCAC *remember depreciation and impairments
Completeness
Occurrence
- Select sample of assets from fixed (A) register and trace to
capital budget, minutes, purchase requisition for evidence of
authority.(ADD)
- Inspect physical asset and cross ref description, serial number to
purchase document. (ADD)
- Inspect invoice/ contract to ensure it was made out to client,
signed by client. (ADD)
- Inspect payment records CPJ to ensure payment was made for
asset. (ADD)
- Trace proceeds to bank statements to ensure disposal was
recorded. (DISP)
- Inspect documents used to approve disposal for authorised
signature. (DISP)
Classification
- Inspect purchase documents and ledger account to ensure that
VAT was not included in cost.
- Trace posting from source in GL to ensure transaction was
recorded in the correct account.
Accuracy
- Inspect invoice to ensure that cost of asset includes shipping
and installation.
Cut off
- Inspect dates on all documentation to ensure transaction was
recorded in correct period.
Intangibles
Assertions related to it will be CERVP. Main focus for auditor will be valuation and existence.
Completeness
- Enquire of management about R&D projects under way.
- Review minutes to identify expenditure on intangibles and
inspect documents to ensure recorded.
- Obtain written representation about any intangible assets.
Existence
- If asset has a physical representation, this should be inspected
by auditor.
Rights
- Inspect letters, patents, registration of trademarks to ensure
they are in client’s name.
Valuation
- Depending on indefinite or definite useful life inspect
documentation and supporting schedule to ID if intangible was
tested for impairments.
Presentation
- Inspect disclosure for applicable framework, consistency with
evidence gained, clear and understandable wording.
Bank
Equity
4. Concluding stage
See completion of the audit discussed later.
The relationship between audit risk, inherent risk, control and detection risk and material
misstatements
AR = IH x CR x DR
The risk of material misstatement is made up of inherent risk and control risk – the risk of material
misstatement will be highest where there is a high level of inherent risk relating to the assertion and the
control is weak.
If inherent risk (built in risk) and control risk (management’s responsibility) are high, the auditor needs to ensure
that the detection risk is low so as to reduce audit risk, by:
- Having an audit team exercise professional scepticism
- Proper supervision in place
- Review procedures
This means getting the nature, timing and extent of the audit procedures right.
>>detection risk is the only risk controllable by auditor.
1. Control environment
Management’s attitude to and awareness of the need for controls, because of the major consequences
of poor controls in a computerised system.
2. Company’s risk assessment procedures
About controlling IT risk. IT risks are one of the major risks companies face. This internal control component
focuses on the assessment of and response to IT risk facing the company.
3. Information system
ISA 315 p89
4. Control activities
This component has a big influence on whether Fin info system records and processes only transactions
which are authorised and have actually occurred and has done so accurately and completely. Control
activities are a combination of auto and manual controls.
5. Monitoring of controls
Management needs to assess whether the internal control system is meeting its objectives over time:
whether controls take place and whether they are effective.
General controls
General controls are those which establish an overall framework of control for computer activities,
controls which should be in place before any processing of transactions takes place.
General controls categorised as follows:
o Control environment
ISA 315 pA76/77
o Documentation
Application controls
o Closely linked to cycles – as an application is a set of procedures and programmes designed to satisfy all
users associated with a specific task. Eg: payroll cycle
o Application controls are controls which are relevant to a specific task within a cycle of the accounting
system.
o An application control therefore is any control within an application which contributes to the accurate
and complete recording and processing of transactions which have actually occurred and have been
authorised. (V, A, C)
o Input, processing and output – application controls relate to each of these stages.
o Controls must be implemented over input, processing and output but also over MASTERFILE.
Masterfile
- Stores standard information and balances
- Names, addresses, balances
THE STRICTER THE CONTROL OVER THE MASTERFILE, THE MORE RELIABLE THE INFO IS.
o Objective of control in computerised accounting environment is generally related to occurrence,
authorisation, accuracy and completeness of data and info stored on pc.
Occurrence and authorisation are concerned with making sure transactions and data are not
fictitious or fraudulent and have been authorised by management.
Accuracy is about minimising error by ensuring data and transactions are completely captured,
processed and allocated.
Completeness is making sure that data and transactions are not omitted or incomplete.
o Main focus of application controls is to prevent errors, a good system will have a good detection control.
If errors are detected they must be corrected.
>>Control activities in a computerised system.
ISA 315 in a computerised system:
NB to remember application controls are a combination of manual (user controls) and automated
procedures.
1. Segregation of duties
Computerisation takes employees out of the system and enables control procedures relating to authorising,
executing, custody and recording to be performed by 1 person on his pc. THIS IS DANGEROUS AND INCREASES RISK.
Seg of duties is achieved by controlling the access employees have to the
system, the applications on it and the functions within each application.
This is achieved by setting up user profiles which detail exactly what each
employee must have access to, and what he can do once he has access.
(read only)
2. Isolation of responsibilities
Isolation of resp is enhanced by programming the pc to produce a log of who did what and when. The log must
be properly followed up to be effective.
Terminal ID, passwords, authorisation control all isolate access as well.
3. Approval and authorisation
System can be programmed NOT to process if certain conditions have not been met.
Eg: System will not allow purchases from unapproved suppliers who are
not on creditors Masterfile.
EFT will not process unless maybe 2 passwords have been entered to
authorise the transaction.
OVERRIDE of controls above will be logged – logging and following up is a detective control.
4. Custody
If company does not have application controls to prevent and detect invalid actions, assets are under
serious threat.
Eg: company does not have physical control over the cash in bank but
must control unauthorised removals from bank account.
Controls over EFT will be extensive, as a cheque can be cancelled but an EFT can’t,
so the controls are preventive because detective controls over EFT are irrelevant.
Electronic data protected by: controlling access of system at system
level (unauthorised access to system) and application level (if
authorised, can’t gain access to debtor’s applications), physical control
and disaster recovery controls.
5. Access control
Least privilege.
User must ID himself to system with valid user ID
Must authenticate himself with valid password
He will only be given access to what he is authorised to have access to in terms of his user profile.
6. Comparison and reconciliation
Eg: before authorising payment of wages, the paymaster or accountant could review the reconciliation
and tie it up to other sources of information, like changes in pay rates checked against original authority
for the change.
7. Performance review
Transactions can be tracked on the pc screen as they are being carried out.
Screen aids and features – all features, procedures and controls built into the application software and
on screen to assist user to capture info accurately and completely, also links user’s access privilege to
screen in front of them.
o Minimum key in info – less errors
o Formatted to look like hardcopy – recognisable
o Extensive use of screen dialogue and prompts – msgs pop up to guide user
o Mandatory fields – cannot continue unless complete
o Shading of field – no access, cannot click on it
* Output controls
Objective is to ensure that output is accurate and complete and that its distribution is strictly controlled
Eg: confidential output does not go to incorrect person.
Linked to processing controls because if processing was done accurately and completely it’s more likely
that output will be accurate and complete.
>>Masterfile amendments
Needs to be protected from unauthorised changes!
Objective will be that:
* Only valid, authorised amendments are made to Masterfile.
* Details of amendment are captured and processed accurately and completely.
* All Masterfile amendments captured are processed.
(Includes detective and preventive controls, where applicable correction)
1. RECORD ALL MASTERFILE AMENDMENTS ON A SOURCE DOCUMENT
(1) All amendments were recorded on hardcopy MAFs.
(2) MAFs were pre-printed, sequenced and designed in terms of sound document design principles.
2. AUTHORISE MASTERFILE AMENDMENT FORMS
(1) MAFs should be: *signed by 2 senior personnel and *cross referenced to the supporting documents.
3. ENTER ONLY AUTHORISED MASTERFILE AMENDMENTS ONTO SYSTEM ACCURATELY AND COMPLETELY
(1) Restrict write access to specific members only, use their ID and password.
(2) All amendments automatically logged, sequenced and no write access to logs.
(3) To enhance accuracy and completeness of keying in info and detecting invalid conditions, screen aids
and programme checks will be implemented.
4. REVIEW MASTERFILE AMENDMENTS TO ENSURE THEY OCCURRED, WERE AUTHORISED AND WERE
ACCURATE AND COMPLETELY PROCESSED.
(1) Logs reviewed regularly by senior member
(2) Each logged amendment should be checked to confirm that it is supported by a properly authorised MAF
(3) The details on MAF are correct
(4) MAFs should be sequenced against the log to confirm that all MAF were entered.
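Added example (not part of the original notes): a Python sketch of the log review in step 4, which also tests the two-signature rule from step 2 and the restricted write access from step 3(1). The record layouts, user names, form numbers and finding codes are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class MAF:                    # pre-printed, sequenced masterfile amendment form
    number: int
    item: str                 # masterfile field being amended
    new_value: str
    signatories: tuple        # senior personnel who signed the form

@dataclass(frozen=True)
class LogEntry:               # row written automatically by the system
    seq: int
    user: str
    maf_number: int
    item: str
    new_value: str

def review_amendments(mafs, log, writers, first_maf, last_maf):
    """Return (finding_code, reference) pairs for the reviewer to follow up."""
    findings = []
    by_number = {m.number: m for m in mafs}
    # The system sequences the log itself, so a gap points to a removed entry.
    seqs = sorted(e.seq for e in log)
    for prev, cur in zip(seqs, seqs[1:]):
        findings += [("LOG_SEQ_GAP", s) for s in range(prev + 1, cur)]
    for e in log:
        if e.user not in writers:               # step 3(1): restricted write access
            findings.append(("UNAUTHORISED_WRITER", e.seq))
        maf = by_number.get(e.maf_number)
        if maf is None:                         # step 4(2): no supporting MAF
            findings.append(("NO_SUPPORTING_MAF", e.seq))
            continue
        if len(set(maf.signatories)) < 2:       # step 2(1): two senior signatures
            findings.append(("MAF_NOT_DUAL_SIGNED", e.seq))
        if (maf.item, maf.new_value) != (e.item, e.new_value):   # step 4(3)
            findings.append(("DETAILS_DIFFER_FROM_MAF", e.seq))
    # Step 4(4): sequence the issued MAF numbers against the log.
    entered = {e.maf_number for e in log}
    for n in range(first_maf, last_maf + 1):
        if n not in entered:
            findings.append(("MAF_NOT_ENTERED", n))
    return findings

# Constructed sample data, not taken from any real system.
WRITERS = {"fin_manager", "creditors_supervisor"}
MAFS = [
    MAF(101, "supplier_bank_account", "62001234567", ("cfo", "fin_director")),
    MAF(102, "credit_limit", "50000", ("cfo",)),
    MAF(103, "supplier_name", "Acme Tools", ("cfo", "fin_director")),
    MAF(104, "payment_terms", "30 days", ("cfo", "fin_director")),
]
LOG = [
    LogEntry(1, "fin_manager", 101, "supplier_bank_account", "62007654321"),
    LogEntry(2, "fin_manager", 102, "credit_limit", "50000"),
    LogEntry(4, "creditors_clerk", 103, "supplier_name", "Acme Tools"),
    LogEntry(5, "fin_manager", 109, "supplier_bank_account", "62009999999"),
]

if __name__ == "__main__":
    for code, ref in review_amendments(MAFS, LOG, WRITERS, 101, 104):
        print(f"{code:24} ref {ref}")
```

A MAF_NOT_ENTERED finding may simply be a spoilt or unused form, so each one is followed up against the form stock rather than treated as an error outright.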
Quantitative / Qualitative
Individual / Aggregate
-Important procedures that could create misstatements
o Related parties –ISA 550/IAS 24
o Contingent liabilities –IAS 37
o Impairments –IAS 36
o Subsequent events – IAS 10
When does the auditor consider the appropriateness of the going concern?
o At all stages of the audit.
Audit conclusion
If a material uncertainty exists that casts significant doubt upon the entity’s ability to continue as a
going concern, the nature and implications of the uncertainty should be clearly disclosed, as is
necessary for the presentation of the FS not to be misleading.
If a material uncertainty exists it must be properly disclosed in the FS, otherwise the FS do not
fairly present the state of the affairs of the company.
Disclosure requires * a description of the condition giving rise to significant doubt and management’s
plans to deal with such conditions * a clear statement that there is a material uncertainty.
Subsequent events - Events occurring between date of financial statements and date of
auditor’s report.
- Facts that become known to auditor after the date of the auditor’s
report.
Events after the balance sheet date – IAS 10 events after balance sheet date, both favourable and
unfavourable, occurring between balance sheet date and date when the financial statements are
authorised.
ISA 560 splits the time after the auditor’s report into two: 1) after the auditor’s report, before the financial statements
are issued. 2) After the financial statements have been issued to users.
Arises when at the conclusion of the audit there is a material uncorrected misstatement.
NB: Sound CG is not a guarantee against failure, but failures are less likely to happen.
INTRODUCTION
5 policy objectives around which the Act was built: company law should promote the competitiveness and
development of the SA economy by:
1. Encouraging entrepreneurship and enterprise development
2. Promoting innovation and investment in SA markets
3. Promoting efficiency of companies and their management
4. Encouraging transparency
5. Making company law compatible
In support of above, specific goals were set:
Simplicity
Flexibility
Corporate efficiency
Transparency
Predictable regulations
* 26: Public interest score
Every company needs to calculate public interest score at the end of each financial year. Used to determine
which financial reporting standard the company must comply with, categories to be audited/reviewed and
who must carry out review. See p 3/6
* 27: companies FS may be compiled internally or independently
*28: Independent review
A company which is not required to be audited must have an independent review of its annual financial
statements UNLESS it is a private company in which every shareholder is a director, owner/ manager.
If the pub int score is more than 100, the review must be conducted by a registered auditor or member of a professional
body.
*29: reportable irregularities, independent review
Places obligation on the independent reviewer to report a reportable irregularity at an independent review
client.
1. Send written report to commissioner
2. Within 3 days notify the board in writing, and send them a copy of the report.
3. In no longer than 20 days discuss RI with board
4. Send second report to commissioner either stating there is no RI, the RI is no longer
continuing or the RI is continuing.
*43: Social and ethics committee
Every STATE OWNED company, LISTED PUBLIC Company, any other company which in the prior 2/5 years
scored a pub int score of 500 points must all appoint a social and ethics committee.
Must be appointed within 12 months of the date they first became listed or met 500 points
Committee must comprise of:
- No less than 3 directors
- 1 non-executive director not involved in the prior 3 years
Function is to monitor the company’s activities, relevant legislation, legal requirements or code of best
practice with regards to:
- Social and economic development
- Good corporate citizenship
- The environment, health and public safety
- Consumer relationships
- Labour and employment