Professional Documents
Culture Documents
Introduction
Learning outcomes
Chapter study guidance
Learning topics
1 Introduction
2 Respective responsibilities of those charged with governance and
auditors
3 Evaluating and testing internal controls
4 Service organisations
5 Internal controls in an IT environment
6 Cyber security and corporate data security
7 Communicating and reporting on internal control
Summary
Self-test questions
Further question practice
Technical reference
Answers to Interactive questions
Answers to Self-test questions
Introduction
Learning outcomes
• Analyse and evaluate the control environment for an entity based on an understanding of the
entity, its operations and its processes
• Evaluate an entity’s processes for identifying, assessing and responding to business and
operating risks as they impact on the financial statements
• Appraise an entity’s accounting information systems and related business processes relevant to
corporate reporting and communication including virtual arrangements and cloud computing
• Analyse and evaluate strengths and weaknesses of preventive and detective control mechanisms
and processes, highlighting control weaknesses; including weaknesses related to cyber security
and corporate data controls
• Evaluate controls relating to information technology and e-commerce; including controls
associated with cyber security and corporate data security
• Explain and appraise the entity’s system for monitoring and modifying internal control systems
• Devise, explain and evaluate tests of controls
• Explain the respective responsibilities of those charged with governance and auditors in respect
of internal control systems
Specific syllabus references for this chapter are: 12(a)–(g), 13(h)
7
the financial
statements.
ICAEW 2021 7: The statutory audit: evaluating and testing internal controls 355
Topic Practical Study approach Exam approach Interactive
significance questions
Once you have worked through this guidance you are ready to attempt the further question practice
included at the end of this chapter.
• An entity’s system of internal controls informs the auditor’s assessment of audit risk and the nature
of the audit procedures that would be undertaken during the audit fieldwork stage.
• In addition to the auditing standards, corporate governance codes (such as the UK Corporate
Governance Code and the Sarbanes–Oxley Act) also prescribe the respective responsibilities of
the auditor and those charged with governance with regards to internal controls.
Internal control is an essential aspect of the entity about which the auditor must gain an
understanding at the start of the audit. The effectiveness of the system of internal controls informs
the auditor’s risk assessment and, consequently, the audit procedures to be carried out at the audit
fieldwork stage. Therefore, internal control will have to be considered throughout the audit life cycle
– from planning to finalisation and reporting.
In this chapter, we will revise the auditor’s responsibilities with regards to the system of internal
control and the consideration of internal controls at different stages of the audit. We will then have a
closer look at the implications of service organisations, and the risks and benefits of internal controls
in an IT environment.
As you will have seen already, internal control is central to corporate governance. Therefore, we will
regularly refer back to our discussions on corporate governance in Chapter 4.
• Auditors are responsible for obtaining audit evidence that provides reasonable assurance that the
financial statements are free of material misstatements, some of which may be caused by error.
• Management are responsible for designing and implementing a system of internal control which
is capable of preventing, or detecting and correcting, errors in the financial records.
• Auditors are required to assess the system of internal control as part of their audit in order to
determine whether to rely on the system of controls or carry out extended tests of details.
Definitions
Those charged with governance: The person(s) or organisation(s) (for example, a corporate trustee)
with responsibility for overseeing the strategic direction of the entity and obligations related to the
accountability of the entity. This includes overseeing the financial reporting process. For some
entities in some jurisdictions, those charged with governance may include management personnel,
for example, executive members of a governance board of a private or public sector entity, or an
owner-manager.
In the UK, those charged with governance include executive and non-executive directors and the
members of the audit committee.
ICAEW 2021 7: The statutory audit: evaluating and testing internal controls 357
Error: An unintentional misstatement in financial statements, including the omission of an amount or
a disclosure.
Internal control: A process designed, implemented and maintained by those charged with
governance, management, and other personnel to provide reasonable assurance about the
achievement of the entity’s objectives with regard to reliability of financial reporting, effectiveness
and efficiency of operations and compliance with applicable laws and regulations. It follows that
internal control is designed and implemented to address identified business risks that threaten the
achievement of any of these objectives.
ICAEW 2021 7: The statutory audit: evaluating and testing internal controls 359
eg, computers tend to make fewer mistakes than humans after a given procedure has been correctly
programmed.
The use of computer-assisted audit techniques (CAATs) is referred to below.
Please also refer back to Chapter 4 for the auditor’s responsibilities for the evaluation of internal
controls from a corporate governance perspective.
Evaluating the outcome of tests of control will require an understanding of the implications for the
audit overall. This in turn will require sound skills of judgement.
4 Service organisations
Section overview
Where the auditor’s client uses a service organisation, the auditor may need to obtain evidence of
the accuracy of processing systems within a service organisation.
Definition
Service organisation: A third-party organisation that provides services to user entities that are part of
those entities’ information systems relevant to financial reporting.
ISA (UK) 402, Audit Considerations Relating to an Entity Using a Service Organisation provides
guidance on how auditors carry out their responsibility to obtain sufficient, appropriate audit
evidence when the audit client (called the ‘user entity’ in the standard) uses such an organisation.
The ISA (UK) mentions the following service organisation services that may be relevant to the audit
(this is not an exhaustive list):
• Maintenance of accounting records
• Other finance functions, such as the tax compliance function
• Management of assets
• Undertaking or making arrangements for transactions as agents of the user entity
Definition
User auditor: An auditor who audits and reports on the financial statements of a user entity.
The ISA (UK) states that the objective of the auditor is ‘to obtain an understanding of the nature and
significance of the services provided by the service organisation and their effect on the user entity’s
internal control relevant to the audit, sufficient to identify and assess the risks of material
misstatement’ (ISA (UK) 402.7).
The ISA requires the auditor to understand how the user entity uses the services of the service
organisation. In obtaining an understanding of the entity, the auditor shall consider the following:
(a) The nature of the services provided by the service organisation
(b) The nature and materiality of the transactions processed or accounts or financial accounting
processes affected by the service organisation
(c) The degree of interaction between the activities of the service organisation and those of the
user entity
(d) The nature of the relationship between the user entity and the service organisation, including
the contractual terms
(e) In the UK, if the service organisation maintains all or part of a user entity’s accounting records,
whether those arrangements impact the work the auditor performs to fulfil reporting
responsibilities in relation to accounting records (The wording of UK company law raises a
particular issue, as the wording appears to be prescriptive, requiring the company itself to keep
accounting records. Whether a company ‘keeps’ records will depend on the particular terms of
the outsourcing arrangement.)
When obtaining an understanding of internal control the auditor shall:
(a) evaluate the design and implementation of controls at the user entity that relate to the services
provided by the service organisation; and
(b) determine whether this gives sufficient understanding of the effect of the service organisation on
the user entity’s internal control to provide a basis for the identification and assessment of risks
of material misstatement.
If not then the auditor shall do one or more of the following:
(a) Obtain a report from the service organisation’s auditors (there are two different types of report,
see below)
(b) Contact the service organisation, through the user entity
(c) Visit the service organisation and perform procedures that will provide information about the
relevant controls
(d) Use another auditor to perform procedures that will provide information about the relevant
controls
Definitions
Type 1 report: A report that comprises both of the following:
• A description, prepared by management of the service organisation, of the service organisation’s
system, control objectives and related controls that have been designed and implemented as at a
specified date
• A report by the service auditor with the objective of conveying reasonable assurance that includes
the service auditor’s opinion on the description of the service organisation’s system, control
objectives and related controls and the suitability of the design of the controls to achieve the
specified control objectives
ICAEW 2021 7: The statutory audit: evaluating and testing internal controls 361
Type 2 report: A report that comprises both of the following:
• A description, as in a Type 1 report of the system and controls, of their design and
implementation as at a specified date or throughout a specified period and, in some cases, their
operating effectiveness throughout a specified period
• A report by the service auditor with the objective of conveying reasonable assurance that
includes:
– the service auditor’s opinion on the description of the service organisation’s system, control
objectives and related controls, the suitability of the design of the controls to achieve the
specified control objectives, and the operating effectiveness of the controls; and
– a description of the service auditor’s tests of the controls and the results thereof.
The availability of a report on internal controls generally depends on whether the provision of such a
report is part of the contractual terms between the user entity and the service organisation.
Before placing reliance on the report, the user auditor shall do the following:
• Consider the service auditor’s professional competence and independence from the service
organisation
• Consider the adequacy of the standards under which the report was issued
• Evaluate whether the period covered is appropriate for the auditor’s purposes
• Evaluate the sufficiency and appropriateness of the report for the understanding of the internal
controls relevant to the audit
• Determine whether the user entity has implemented any complementary controls that the service
organisation, in the design of its service, has assumed will be implemented
While a Type 1 report may be useful to a user auditor in gaining the required understanding of the
accounting and internal control systems, an auditor would not use such reports as a basis for
reducing the assessment of control risk.
But a Type 2 report may provide such a basis since tests of control have been performed. If this type
of report may be used as evidence to support a lower control risk assessment, a user auditor would
have to consider whether the controls tested by the service organisation auditor are relevant to the
user’s transactions (significant assertions in the client’s financial statements) and whether the service
organisation auditor’s tests of controls and the results are adequate.
• IT controls comprise general and application controls. General controls establish a framework of
overall control over the system’s activities whereas application controls are specific controls over
the applications maintained by the system.
• Computer-assisted audit techniques (CAATs) can be used by the auditor to test application
controls within the client’s computer systems.
• Specific considerations will apply where virtual arrangements including cloud computing are
used.
5.1 Introduction
We looked at IT-specific risks in the context of carrying out an audit risk assessment in Chapter 5, and
introduced the use of CAATs in Chapter 6. Here, we will consider IT controls in more detail, along
with how to audit them.
As you should know by now, the internal control activities in a computerised environment fall within
two categories: general controls and application controls.
ICAEW 2021 7: The statutory audit: evaluating and testing internal controls 363
development and maintenance. They are sometimes referred to as supervisory, management or
information technology controls. General controls are considered in detail below.
General controls
Controls to ensure Storing extra copies of programs and data files offsite
continuity of operation Protection of equipment against fire and other hazards
Back-up power sources
Emergency procedures
Disaster recovery procedures eg, availability of back-up computer
facilities
Maintenance agreements and insurance
The auditors will wish to test some or all of the above general controls, having considered how they
affect the computer applications significant to the audit.
Application controls
Controls over input: Programs to check data fields (for example value, reference number,
accuracy date) on input transactions for plausibility
Digit verification (eg, reference numbers are as expected)
• Reasonableness test (eg, sales tax to total value)
• Existence checks (eg, customer name)
• Character checks (no unexpected characters used in reference)
• Necessary information (no transaction passed with gaps)
• Permitted range (no transaction processed over a certain value)
Manual scrutiny of output and reconciliation to source
Agreement of control totals (manual/programmed)
Controls over processing Similar controls to input must be in place when input is completed, for
example, batch reconciliations
Screen warnings can prevent people logging out before processing is
complete
Control over input, processing, data files and output may be carried out by IT personnel, users of the
system, a separate control group and may be programmed into application software.
ICAEW 2021 7: The statutory audit: evaluating and testing internal controls 365
5.4 The use of CAATs
Computer-assisted audit techniques (CAATs) can assist the auditor in testing application controls. As
you will know from your earlier audit studies, there are generally two types of CAATs: audit software
and test data.
Audit software includes generalised audit software and custom audit software. Generalised audit
software includes programs that allow the auditor to carry out tests on computer files and databases.
An example of a generalised audit software program is ACL.
Generalised audit software allows auditors to perform a number of functions, such as database
access, sample selection, arithmetic functions, statistical analyses and report generation.
The advantages of generalised audit software include the fact that it is easy to use, limited IT
programming skills are needed, the time required to develop the application is relatively short, and
entire populations can be examined, thus negating the need for sampling. However, the drawbacks
of using this type of CAAT are that it involves auditing after the client has processed the data rather
than while the data is being processed, and it is limited to procedures that can be performed on data
that is available electronically.
Custom audit software is normally written by auditors for specific audit tasks. It is normally used in
situations where the client’s computer system is not compatible with the auditor’s generalised audit
software or where the auditor wants to do some testing that might not be possible with the
generalised audit software. However, this type of CAAT can be expensive and time consuming to
develop and may require a lot of modification if the client changes its accounting application
programs.
Test data is used to test the application controls in the client‘s computer programs. Test data is first
created for processing and it includes both valid and invalid data which is processed on the client’s
computer and application programs. The invalid data should therefore be highlighted as errors. Test
data allows the auditor to check data validation controls and error detection routines, processing
logic controls, arithmetic calculations and the inclusion of transactions in records and files.
The main benefit of test data is that it provides direct evidence on the effectiveness of controls in the
client’s application programs. However, its drawbacks include the fact that it is very time consuming
to create the test data, the auditor cannot be certain that all relevant controls are tested and the
auditor must make sure that all valid test data is removed from the client’s systems.
In the table below, we briefly examine ways of testing application controls, including the use of
CAATs to do so.
Testing of application
controls
Manual controls If manual controls exercised by the user of the application system are
exercised by the user capable of providing reasonable assurance that the system’s output is
complete, accurate and authorised, the auditors may decide to limit
tests of control to these manual controls.
Controls over system If, in addition to manual controls exercised by the user, the controls to
output be tested use information produced by the computer or are contained
within computer programs, such controls may be tested by examining
the system’s output using either manual procedures or CAATs. Such
output may be in the form of magnetic media, microfilm or printouts.
Alternatively, the auditor may test the control by performing it with the
use of CAATs.
Programmed control In the case of certain computer systems, the auditor may find that it is
procedures not possible or, in some cases, not practical to test controls by
examining only user controls or the system’s output. The auditor may
consider performing tests of control by using CAATs, such as test data,
reprocessing transaction data and, in unusual situations, examining the
coding of the application program.
Being able to differentiate between general and application controls will allow the auditor to assess a
system and how robust it is. This demonstrates the ability to assimilate information about the system
for the purpose of evaluating the system.
ICAEW 2021 7: The statutory audit: evaluating and testing internal controls 367
6 Cyber security and corporate data security
Section overview
Businesses need to keep their data secure whether it is in hard copy or electronic format. As business
operations increasingly use digital technology the issue of cyber security is an essential
consideration as part of the audit.
6.1 Introduction
There has always been a need for companies to keep information, or data, safe. This might be to
ensure confidentiality of customer details, to protect company ‘secrets’ or to ensure the integrity of
data. Where records and data are held in a hard copy format, as would have been the case in the
past, data security centres around physical security. This might simply involve a lock on a filing
cabinet. Increasingly, however, data is stored electronically. As a result, if a business is to keep its data
secure it must address the issue of cyber security. Addressing cyber security threats will be a key part
of its corporate data security strategy.
6.2.1 GDPR
The following table summarises the key points that are relevant to all accountants in this area.
Organisations must only collect personal data Data can only be obtained for a legitimate
(including sensitive personal data, such as business need and cannot be collected in case
biometric data used to identify an individual) it might be useful at some stage in the future.
when it can demonstrate that it has a valid This means that accountants need to consider
business need for that data. carefully what data they really need and be able
The GDPR distinguishes between data to justify it:
controllers who specify how and why data is • This includes data on employees, customers
processed and data processors who act on the and suppliers for all accountants and firms
controller’s behalf and deal directly with data • For firms, this also includes the details of any
itself. Both are liable under the GDPR. testing completed (eg, payroll and supplier
statements)
Personal data must be stored securely. It must This can include both physical storage of data
then be deleted when it is no longer required. (eg, in filing cabinets) and electronic storage –
given the vast amounts of data generated in the
21st Century due to advances in technology
such as big data and audit data analytics, this
creates a significant risk for all accountants,
especially as many organisations now use
‘cloud-based’ data storage.
ICAEW 2021 7: The statutory audit: evaluating and testing internal controls 369
GDPR components Implications in practice for accountants
when using new technology or when before any personal data is collected.
processing might lead to a high risk to
individuals).
Breaches in the GDPR also need to be
disclosed – fines for non-compliance can reach
either €20 million or 4% of an organisation’s
global turnover.
The GDPR confers a series of rights on anyone whose personal data may be collected by an
organisation:
• The right to be informed (usually via some form of privacy notice)
• The right of access to your personal data and confirmation that it is being used
• The right of rectification if errors exist
• The right of erasure (sometimes referred to as ‘the right to be forgotten’)
• The right to restrict processing should you not wish your data to be used
• The right to data portability across different services should you wish
• The right to object (for example if you object to your data being used for marketing purposes)
• Rights in relation to automated decision-making and profiling (essentially, to ensure that all
decisions about your data are made using human not machine judgement)
Any non-compliance in relation to any of these rights may lead to fines and penalties, so they
should form part of any DPIA carried out.
(Source: The Information Commissioner’s Office (ICO) (2017) Overview of the General Data
Protection Regulation (GDPR))
The five functions (governance and leadership, organisational enablers, capabilities, cyber lifecycle
and solution lifecycle) provide a ‘strategic view of an organisation’s management of cyber security
risks’.
The ICAEW IT Faculty document, Audit insights: Cyber Security – Taking Control of the Agenda refers
to the ‘three lines of defence’ model. This applies controls, assurance and oversight at three different
levels in the organisation as follows:
• The first line is at an operational level, with controls built into processes and local management
responsible for their operation in practice ie, identifying and managing risks on a day-to-day
basis.
• The second line is at functional specialism level, for example the role of cyber-security specialists
and a chief information officer ie, providing oversight and expertise.
• The third line is at the level of internal audit functions or independent assurance providers ie,
providing assurance and challenge concerning the overall management of the risks.
ICAEW 2021 7: The statutory audit: evaluating and testing internal controls 371
6.5 Risks external to the entity
As identified in the ICAEW IT Faculty document: Audit insights: Cyber Security – Closing the Cyber
Gap the issue is becoming an increasingly relevant aspect of supply chain risk management as many
high profile security breaches have come as a result of issues at suppliers, including IT service
providers, suppliers of non-IT goods and services and contractors. Obtaining assurance in this
respect is not an easy process meaning that companies are having to identify where the biggest risk
lies rather than simply focusing on the highest value suppliers. In addition, companies have had to
consider widening the scope of assurance processes so that they apply to all stages of the
transaction, rather than just at the procurement stage as has historically been the case. The most
common method used, particularly by large companies, is questionnaires which are sent to suppliers
to enable their processes to be evaluated and risks identified.
Be ready to respond Consider the most serious possible breach and ask whether the
organisation, and board, are ready to cope. What would they do if
competitors accessed their IP? How does the business reassure
customers if their data is stolen?
Build intelligence What does the business know about specific threats, the actors
and their possible methods? How have other major breaches
happened, and how do the defences put in place by the business
compare? What are their peers doing to manage their risk? How
can they get ahead of the regulators?
Be specific and real How can critical data actually be accessed and by whom? What
controls are in place, and how does the business know whether
they are working? How are any breaches detected?
Link to strategic change How are major strategic initiatives changing the risks? What is the
impact of any M&A activity? What are the risks attached to new
products or market expansion?
Attach consequences What behaviour is unacceptable because of cyber risks? How does
the business know if non-compliance is occurring? What happens
to employees who do not follow the rules?
Tailor activities How relevant is cyber security training to specific roles and
responsibilities? Do higher-risk jobs have higher levels of training
and awareness-raising activities? Are staff clear about the purpose
of good cyber behaviour?
Hold boards to the same Are boards expected to follow the same rules as staff? Is the board
level of accountability clear as to the purpose and consequences of non-compliance?
Does the board see itself as a role model for good cyber
behaviour? Do members of the board act as role models?
Remember insider risk What is in place to detect suspicious behaviour or patterns? How
are disgruntled or disaffected staff identified? Does the business
know how much system access potentially disaffected staff have?
Implement cyber-by-design Are new products and services designed with cyber risks in mind?
Do business change projects consider cyber risk early on? What
are the risks of poor design?
Continually review and re- Are designs building in flexibility and resilience to cope with
evaluate changing cyber risks? How often are cyber risks reviewed? How
are changing risks incorporated into existing processes?
Take difficult decisions Is the business prepared to delay major change or strategic
projects if the security is not good enough? Is the business using a
‘sticking plaster’ approach to an old infrastructure?
Embed cyber into start-ups If investing in new businesses, are cyber risks considered?
ICAEW 2021 7: The statutory audit: evaluating and testing internal controls 373
Specific procedures to address these issues could include the following:
• Perimeter defences
• Vulnerability management
• Asset management
• Identity management
• Data protection procedures
• Threat intelligence eg, sharing intelligence with others within the same industry
• Security monitoring
• Behavioural analysis
• Risk analytics
• Incident response procedures
• Forensics
• Business continuity/disaster recovery procedures
• Crisis management
An awareness of both the control environment and control procedures should help an auditor assess
the impact of any cyber threats. This is an example of structuring a problem to achieve an effective
solution.
Auditors are required to report to those charged with governance on material deficiencies in controls
which could adversely affect the entity’s ability to record, process, summarise and report financial
data potentially causing material misstatements in the financial statements.
Definitions
Deficiency: A deficiency in internal control exists when:
• a control is designed, implemented or operated in such a way that it is unable to prevent, or
detect and correct, misstatements in the financial statements on a timely basis; or
• a control necessary to prevent, or detect and correct, misstatements in the financial statements on
a timely basis is missing.
Significant deficiency in internal control: Those which in the auditor’s professional judgement are of
sufficient importance to merit the attention of those charged with governance.
The process of reporting to those charged with governance on material deficiencies in internal
control requires strong communication skills as well as the ability to conclude that the deficiency
might be significant.
ICAEW 2021 7: The statutory audit: evaluating and testing internal controls 375
Summary
1. Can you explain the importance of internal controls as part of the auditor’s role?
2. Can you distinguish between the relative responsibilities of those charged with
governance and the auditor?
3. Can you explain how the auditor evaluates internal controls and recommend suitable tests
of control to support the audit opinion?
4. Can you explain the impact on the audit of an entity choosing to outsource some of its
core functions? What factors will this impact be dependent on?
5. Do you know the difference between general and application controls in an IT context?
Are you aware of the impact that new technology such as cloud computing can have on
the audit?
6. Can you explain the various cyber threats that an organisation is at risk from and how such
cyber threats are mitigated?
7. How should the auditor communicate deficiencies in internal control and what makes such
a deficiency significant?
2 Question practice
Aim to complete all self-test questions at the end of this chapter. The following self-test questions are
particularly helpful to further topic understanding and guide skills application before you proceed to
the next chapter.
Dodgy Burgers plc Being able to consider suitable audit procedures for testing relevant
internal controls.
Happy Flights plc This question tests how well you can discuss cyber security issues in the
context of a broader audit engagement.
Once you have completed these self-test questions, it is beneficial to attempt the following questions
from the Question Bank for this module. These questions have been selected to introduce exam style
scenarios that will help you improve your knowledge application and professional skills development
before you start the next chapter.
UHN requirement (4) You need to be able to explain the board’s responsibilities and
accountability for cyber security.
Newpenny You should be able to evaluate Rosa’s suggestion of placing more reliance
requirement (2) on operating effectiveness of controls.
Johnson Telecom As part of the key risks from derivatives trading, you need to consider the
requirement (3) necessary general and application IT controls that would be required.
Refer back to the learning in this chapter for any questions which you did not answer correctly or
where the suggested solution has not provided sufficient explanation to answer all your queries.
ICAEW 2021 7: The statutory audit: evaluating and testing internal controls 377
Once you have attempted these questions, you can continue your studies by moving on to the next
chapter.
ICAEW 2021 7: The statutory audit: evaluating and testing internal controls 379
Self-test questions
ICAEW 2021 7: The statutory audit: evaluating and testing internal controls 381
As a consequence, there have been continuing cash flow problems which have been partially
alleviated by special measures adopted this year, including:
• significant discounts for bookings made, and paid for in full, at least six months before travel;
• extension of short-term leases on existing aircraft, rather than leasing new aircraft (all planes are
leased); and
• significant new fixed-term borrowings.
Database system
A new database system for bookings was introduced in January 20X4 by IT consultants. The purpose
of the new system was to allow data on HF’s flight availability to be accessed by travel agents and
other flight booking agencies around the world. Agencies can all make bookings on the same
system.
The database system is used not just for bookings but also as part of the receivables accounting
system for agents to collect money from customers and pay to HF after deducting their commission.
The data collected then feeds into the financial statements.
Unfortunately, since installation, the following problems have been discovered, either in the database
system, or relating to operatives using the system:
• It is HF’s policy to overbook its flights by 5% of seat capacity. However, there have been a number
of instances where overbookings have far exceeded 5% due to processing delays.
• The system has crashed on a number of occasions causing delays in processing and loss of data.
• A computer virus penetrated the system, although it did not cause any damage and was quickly
removed.
• Cash received in advance has been recorded as revenue at the date of receipt by HF.
Now go back to the Introduction and ensure that you have achieved the Learning outcomes listed for
this chapter.
ICAEW 2021 7: The statutory audit: evaluating and testing internal controls 383
Answers to Self-test questions
• Partially cooked burgers have • Management has • Obtain a copy of the Health and
been sold. set up a Health Safety policy and review to
• This constitutes an operational and Safety ensure that the policies are
risk (failure to comply will result training adequate. File on the permanent
in the company being shut down) programme. audit file for future reference.
and compliance risk (breach of • Hold discussions with the branch
Health and Safety regulations). managers on a sample basis to
ensure that the policy has been
implemented if staff do not reach
the required standard.
• Review the training course to
establish what procedures are
being taught to the staff, and
what follow up has been
implemented if staff do not reach
the required standard.
New competitor
Cash controls
• Risk of theft of cash takings • New controls • Review returns from branches to
(financial risk). implemented to head office on a sample basis.
ICAEW 2021 7: The statutory audit: evaluating and testing internal controls 385
(1) Business risk and category Management (2) Audit procedures to be
strategy to combat completed in order to place
risk reliance on the controls in place
Limited seating
Recycled products
• A lack of confidence from the • The use of • Review the contracts with the
public in Dodgy Burgers plc’s recycled suppliers to ensure that recycled
environmental policies packaging. packages are clearly specified
(operational and compliance • Waste and the price is comparable to
risk). separations and the original prices of non-
collections. recycled products.
• Review the branch returns to
ensure that delivery notes have
been signed for the waste
collection and the receipts match
the tonnage collected. Ensure
that these are in line with
expectations from the
preliminary analytical procedures
on the accounts.
• Review the new packaging for
evidence that the recycled
symbols have been correctly
displayed.
• Discuss with the branch
managers if any further costs
have been incurred from having
to separate the waste for
collection, or whether
separate bins have been
provided in the branches for
the public to use.
ICAEW 2021 7: The statutory audit: evaluating and testing internal controls 387
These include:
• reduction in passenger numbers, as the reputation for safety may have diminished;
• grounding of aircraft by health and safety regulators perhaps resulting in loss of revenues,
cancellations and delays; and
• reconsideration of leasing older planes resulting in additional costs.
Audit procedures
• Review claims against HF received by audit completion.
• Review correspondence with HF’s legal advisers and consider taking independent legal advice
regarding the amount and probability of any claim against HF.
• Review any announcements by investigation teams and any correspondence with HF regarding
causes of the crash and the extent HF was to blame up to the date of audit completion (eg, ‘black
box’ flight recorder evidence).
• Consider the possibility of counter claims by HF against others responsible for the crash by
considering legal advice.
• Review any correspondence with Health and Safety Executive regarding grounding of planes or
possible causes of the crash.
• Review flight bookings since crash for evidence of a decline in reputation and fall in future sales.
• Assess impact on budgeted cash flows to consider impact on going concern.
(2) Operating issues
Financial reporting issues
• The decline in operating profits is further evidence of going concern problems.
• If the short-term leases have been extended then they will need to be recognised as right-of-use
assets in the statement of financial position.
Audit risks
The key audit risk is going concern. If there is adequate disclosure in the financial statements by the
directors regarding the uncertainties about going concern then an unmodified audit opinion will be
issued but the audit report will include a separate section headed ‘Material Uncertainty Related to
Going Concern’. However, if the directors do not disclose going concern uncertainties appropriately,
it may be necessary to modify the audit opinion.
The receipt of cash from customers in advance is likely to cause concern if the company does have
going concern issues, as this may amount to fraudulent trading if the customers, as unsecured
creditors, are unable to recover their payment.
The additional borrowing also increases financial risk and makes profit more sensitive to changes in
the level of operating activity.
Audit procedures
As already noted, cash flow forecasts will need to be reviewed up to the date of audit completion to
assess the future viability of the company. This should include the following:
• Examining overdraft and other lending facilities (eg, for ‘headroom’ against existing liabilities, for
interest rates and for capital repayment dates). Build a picture of future financial commitments.
• Identifying the level of advanced payments and discuss with the directors the issue of continuing
the policy of advanced payments and the implications for fraudulent trading.
• Examining budgets and cash flow projections as part of going concern. Review to assess future
expected changes in liquidity.
• Examining lease contracts to assess the lease renewals position in order to ascertain future levels
of commitment.
(3) Database system
Audit risks
General systems issues
The nature of the fault needs to be identified ie, there may be issues with the work and or
hardware/software supplied by the consultants. Some of the problems appear to be with the people
ICAEW 2021 7: The statutory audit: evaluating and testing internal controls 389
• Review data independence procedures (the data should be independent of the application such
that the structure of the data can be changed independently of the application).
• Consider the wider database control environment. This includes the general controls and who has
access to change particular aspects of the database.
• General controls might include: a standard approach for development and maintenance of
application programs; access rights; data resource management; data security, cyber-security and
data recovery.