
Chapter 5

Systems Assessment

Internal Control
• Auditors need to understand the client's system so that they can:
  1. Assess their reliability for the preparation of financial statements.
  2. Design suitable audit procedures.
  3. If the auditor is able to rely on the system it will be because it contains some of the components of internal control as set out in ISA 315.
• A company's management has a number of obligations:
  1) To manage the business effectively.
  2) To produce timely and accurate financial statements and management information (both for management and statutory purposes).
  3) To safeguard the business assets.
  4) To prevent and detect fraud.
• The purpose of a system is to enable the business to:
  a) Collect data.
  b) Summarize data.
  c) Produce FS and management information.
  d) Aid the directors in complying with the above obligations.

WHY AUDITORS CARE ABOUT INTERNAL CONTROLS
• Because if controls appear to be good, assurance is gained that the Financial Statements are materially correct, meaning that substantive testing can be reduced.
• Because a good control system helps in the assessment of the strength and integrity of client's management.

What is an internal control system? (ISA 315)
• Understanding of Internal Control is used by the auditor to identify types of potential misstatements and to consider factors that affect the risks of material misstatements and design the nature, timing and extent of further audit procedures.
• Internal control is the process designed and effected by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of the entity's objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations and compliance with applicable laws and regulations.
• It follows that internal control is designed and implemented to address identified business risks that threaten the achievement of any of these objectives.

Definitions of Internal Control:
• Internal control is the process designed and effected by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of the entity's objectives with regard to:
  – 1. Reliability of financial reporting,
  – 2. Effectiveness and efficiency of operations, and
  – 3. Compliance with applicable laws and regulations.
• Understanding of Internal Control is used by the auditor:
  – 1. To identify types of potential misstatements,
  – 2. To consider factors that affect the risks of material misstatements, and
  – 3. To design the nature, timing and extent of further audit procedures.

• It is generally accepted that a good Internal Control System is made up of 5 elements:
  – A strong Control Environment
  – Good Control Procedures
  – Good Risk Assessment
  – Good Information Systems
  – Effective Monitoring (typically the role of internal auditors).

Control environment
• The control environment encompasses the following elements:
  – (a) Communication and enforcement of integrity and ethical values
  – (b) Commitment to competence
  – (c) Participation by those charged with governance
  – (d) Management's philosophy and operating style
  – (e) Organizational structure
  – (f) Human resource policies and practices
• Auditor should evaluate how these components have been incorporated into the entity's processes.
• The control procedures are unlikely to be effective unless there is a strong control environment:
  – Management Attitude needs to be strong:
    – managers follow same controls as staff, no override
    – those breaching controls are punished
    – controls are part of staff training.
  – Staff who are likely to follow the controls:
    – recruitment process to get "right" sort of people (e.g. no criminal record)
    – training to ensure all understand importance of controls.
  – Segregation of Duties:
    – different parts of processes done by different people
    – nobody checks their own work
    – nobody has total control of all parts of a transaction.

ii) The Entity's Risk Assessment Process
• It is the process of identifying and responding to business risks that affect the entity's financial reporting. Such process includes how management:
  1. Identifies risks that affect the entity's ability to produce financial statements that give a true and fair view,
  2. Estimates their significance,
  3. Estimates the likelihood of their occurrence, and
  4. Decides upon actions to manage them.
• Risks relevant to financial reporting include:
  – Internal events, and
  – External events and circumstances
  that may occur and adversely affect an entity's ability to:
  • Initiate,
  • Record,
  • Process, and report the financial information.
• Risks can arise due to circumstances such as the following (internal/external):
  a) Changes in operating environment
  b) New personnel
  c) New or revamped information systems
  d) Rapid growth
  e) New technology
  f) New business models, products or activities
  g) Corporate restructurings
  h) Expanded foreign operations
  i) New accounting pronouncements

iii) Information system, including the related business processes, relevant to financial reporting and communication
• The information system consists of:
  1. Infrastructure (physical and hardware components),
  2. Software,
  3. People,
  4. Procedures, and
  5. Data.
• Many information systems make extensive use of IT.
• Infrastructure and software will be absent, or have less significance, in systems that are exclusively or primarily manual.

Importance of Information System
• Accordingly, an information system encompasses methods and records that:
  • Identify and record all valid transactions.
  • Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial reporting.
  • Measure the value of transactions in a manner that permits recording their proper monetary value in the financial statements.
  • Determine the time period in which transactions occurred to permit recording of transactions in the proper accounting period.
  • Present properly the transactions and related disclosures in the financial statements.

Communication
• Communication involves:
  – providing an understanding of individual roles and responsibilities pertaining to internal control,
  – understanding roles of others, and
  – doing exception reporting to higher level management.
• Communication takes such forms as:
  – Policy manuals,
  – Accounting and financial reporting manuals and memorandum.
• It may also be made:
  – Electronically,
  – Orally, and
  – Through the actions of management.

Control procedures
• There are several types of control procedure:
  – Comparison
  – Authorisation
  – Reconciliations
  – Computer Controls
  – Arithmetical
  – Physical
• or CARCAP for short.

• Risk assessment. Clearly, if the risks are not identified properly at the start of a risk management process, the wrong control procedures will be put in place, and so the control system will fail.
• Unfortunately, this issue can never be completely avoided, because whatever controls you have in place, a clever criminal will inevitably find a way around them! Despite massive security, high profile buildings often get broken into.
• Information systems. You can only know if your controls are effective if you have accurate information being produced. Inaccurate information may be hiding problems.
• Monitoring. Companies should monitor their controls to ensure they are taking place, and are achieving the desired effect.
• Monitoring is typically carried out by Internal Auditors.
• On paper, many systems sound fantastic and impossible to break. In reality, the truth is often very different, often because the controls that management THINK are happening are in fact routinely ignored.

Benefits of Internal Control to the entity
• Based on our previous studies we can now identify the following principal benefits that may arise for an entity from a sound system of internal control:
  • a) Assurance that all transactions are completely and accurately processed, in order for them to make informed decisions on the operations of the business.
  • b) Confidence that only authorized transactions take place.
  • c) Assurance that adequate documentation supporting transactions is created and retained.
  • d) Assurance that the company's assets and liabilities are correctly stated.
  • e) Minimization of the risk of fraud and misappropriation of assets.

Benefits of Internal Control to the auditor
• Of course, if the audit client benefits from a sound system of internal control, it is likely that the auditor will also be benefited.
• All of the above stated benefits help to promote a situation where the financial statements present a true and fair view.
• In simple terms, a good system of internal control will make life easier for the auditor.

Auditor's work on the Internal Control
• International standards on auditing emphasize the importance of internal control to the auditor by stating that the auditor should:
  a) Obtain an understanding of the accounting and internal control system sufficient to plan the audit and develop an effective audit approach, and
  b) Use professional judgment to assess the components of audit risk and to design audit procedures to ensure it is reduced to an acceptably low level.
• At an early stage in their work auditors will have to decide the extent to which they wish to place reliance on the internal controls of the enterprise.
• As the audit proceeds, that decision will be kept under review and, depending on the results of their examination, they may decide to place more or less reliance on these controls.

Internal Control Questionnaire
• An ICQ is a list of all possible controls for each area of the financial statements.
• The client staff are asked questions and systems documentation reviewed to establish which controls exist.
• Features:
  – Used in large company audit
  – Used to place reliance on internal controls
  – Used to design audit approach
• Definition: An ICQ is a formal and usually standardized document which comprises:
  – 1. A list of internal controls in existence, and
  – 2. Highlights any weaknesses.
• Objectives:
  – (i) To ascertain a client's systems of accounting and internal control
  – (ii) To evaluate the control system thus recorded, and hence
  – (iii) To identify those controls which indicate strengths in the system upon which the auditor will seek to place reliance, and
  – (iv) To identify those areas over which there are weak or no controls and which therefore must be subjected to more extensive substantive testing and reported by inclusion in the Management Letter.

Construction of an ICQ
I) It is good practice when designing ICQs to state, as a brief introduction:
  – i. A list of control objectives which each sub-system under consideration should seek to achieve
  – ii. Any business considerations specific to the enterprise under review which should be taken into account.
  The reason for this is essentially to highlight for the audit staff key areas for their consideration.
II) The questions in an ICQ should be designed to ascertain whether the control objectives are being achieved and should therefore cover such aspects as:
  – a. Instructions given to staff in the performance of their duties
  – b. Authorization procedures
  – c. Documents and procedures used to originate transactions
  – d. Recording procedures
  – e. Sequence of procedures
  – f. Custody procedures
  – g. Relative independence of the persons involved at each stage of a transaction (i.e. segregation of duties).
III) The questions should be framed such that a Yes/No answer is given, with a No answer usually indicating a control weakness.
IV) An ICQ should carry such basic information as:
  – (a) The name of the document (ICQ)
  – (b) The system to which it relates (e.g. purchasing cycle)
  – (c) The client to whom it relates
  – (d) The accounting period under review
  – (e) Evidence of who has prepared and reviewed the document
  – (f) The provision of columns for:
    • Yes and No answers
    • Comments where neither Yes nor No is applicable
    • Indicating the significance or otherwise of apparent weaknesses
    • References to audit programs
    • References to Management Letters.

ICEs:
• ICEs (sometimes referred to as ICEQ) do not attempt to record all controls like an ICQ. It is far more use as an evaluation tool for the auditors, as its focus is on whether IC objectives are being met.

Limitations of internal control systems
• Even if Control Systems are assessed as very strong, auditors will still do SOME substantive testing. Controls are never completely reliable because:
  – staff make mistakes
  – staff collude to override systems
  – staff believe the cost of the control is greater than the benefit, so refuse to do it
  – controls are designed for normal events; unique / new types of transaction may bypass the system.

Assessing an internal control system
• Find out what system client has
  – Ask client, or read their internal procedures manuals.
• Record System
  – May use flowcharts, or questionnaires, or simply write it out in words.
• Ensure system understood
  – May use "walk-through" tests, following 1 transaction through the system.
• Assess System
  – Does it help to keep the Financial Statements accurate?
• Test System
  – If Controls look good, test them to ensure they operated throughout the accounting year.
  – If the controls did operate properly, then assurance is gained that the Financial Statements are accurate, so substantive testing can be reduced.

Reporting weaknesses in controls to the client
• If the auditor believes Controls could be improved, it would be professional to advise the client of the weaknesses, the consequences of these weaknesses, and make recommendations for improvement.

Communicating deficiencies in internal control to those charged with governance and management (ISA 265)
• ISA 265 requires that this communication is done in writing and on a timely basis and we often refer to this as a "Management Letter".
• In practice, the management letter is sent to the client either after the controls testing is completed, or at the end of the audit (if nothing urgent was found after the controls testing).
• The Management Letter has two parts:
  – covering letter
  – appendix.
• The Covering Letter is a brief note explaining:
  – why the client is receiving this
  – that the weaknesses found are only those discovered during the audit. There may be other problems as well
  – that the advice is for internal use only and should not be passed to anyone else.
• The Appendix has the detailed:
  – WEAKNESSES
  – CONSEQUENCES
  – RECOMMENDATIONS.
• It will also typically have space for the client to confirm what action they propose to take.

• The ISAs, and in particular ISA 260 Communication of audit matters with those charged with governance, place some further responsibilities on the external auditors.
• The main forms of formal communication are:
• The Letter of engagement
• An engagement letter defines the legal relationship (or engagement) between a professional firm (e.g. law, investment banking, consulting, advisory or accountancy firm) and its client(s). This letter states the terms and conditions of the engagement, principally addressing the scope of the engagement and the terms of compensation for the firm.
• Most engagement letters follow a standard format. The example given below refers to the engagement of an accountancy firm.
• Standard format for letters of engagement
• Addressee: Typically addressed to the senior management (e.g. CEO) of the client.

• Identification of the service to be rendered: One type of service is a financial statement audit. Provided in this section is a brief description of the nature of the particular service, as well as the general guidelines for the timing of the audit work. Other services that are planned for the audit (e.g. evaluation of internal control, preparation of regulatory reports) are also identified in this section.
• Specification of the responsibilities of the auditor of the company: This section refers to the specific professional standards and responsibilities of the auditor.
• Constraints on the accounting firm: For example, timing of access to client facilities and accounting records may delay the engagement.
• Deadlines: This section lays out the estimated date of completion and release of the financial statements.
• Description of any assistance to be provided by the client: The letter should describe the assistance of client personnel. Typically, the client's personnel will prepare some schedules (e.g. bank reconciliations) and retrieve documents from files. If the assistance is not provided and the auditors must complete the work themselves, this section of the letter would provide justification for additional fees to the client.
• Interactions with specialists, internal auditors, and the predecessor auditor needed to conduct the audit: Some specialists needed on an audit may include engineers to verify the stage of completion of electronic components, real estate appraisers to appraise realizable value of real estate used as collateral for loans, actuaries to evaluate the funding requirements and future cash flows associated with pensions or postretirement health costs, and attorneys to evaluate the likely disposition of contingent losses arising from litigation.
• A disclaimer: Describing the limits of the audit. Typically this expresses that an audit is not designed to detect all forms of fraud or illegal acts; rather, an audit checks the financial position of a client with reference to generally accepted accounting principles.
• A description of the basis for fees: This may include a fixed fee or an estimate of fees based on expected completion time and billing rates of firm employees assigned to the engagement.
• Ownership and accessibility of the auditor's files to external parties.

• The management letter (sent at the end of auditor period).
• MANAGEMENT LETTER identifies issues not required to be disclosed in the Annual Financial Report but represent the auditor's concerns and suggestions noted during the audit.
• The comfort letter. A letter given to organizations or persons of interest by external auditors regarding statutory audits, statements and reports used in a prospectus. The comfort letter will be attached to the preliminary statements as assurance that it will not be materially different from the final version. These letters of comfort will ensure that the reports provided conform to the generally accepted accounting principles (GAAP).
• A comfort letter is a document prepared by an accounting firm assuring the financial soundness or backing of a company. The comfort letter can be issued by an auditor declaring no indication of false or misleading information in the financial statements and that the company's prospectus follows GAAP. This is sometimes used in connection with an initial public offering, as a part of the due diligence process.
• Comfort letters are typically signed prior to the pricing decision or closing date for a given public offering or other transaction. Subsequently, a "bring-down" letter is used to re-verify, as of a later date, that the original comfort letter is still valid.
• Comfort letters can also be used by underwriters as part of their obligation to carry out "reasonable investigation" into offerings of securities. This helps the underwriter better understand aspects of the financial data which might not otherwise be reported, such as changes to financial statements and unaudited financial reports.
• A comfort letter may also be used as written assurance by a subsidiary's parent company or bank to offer 'comfort' to the buyer as to the seller's ability or willingness to perform its obligations. Comfort letters are often used because the seller is unable or unwilling to provide a guarantee on a certain outcome, such as the performance of a security.
• Comfort letters can be used by lenders, such as banks, as solvency opinions on whether a borrower can meet the payment obligations of a loan. They are opinions and are not guarantees that the underlying company will actually remain solvent.
• Comfort letters are also sometimes provided by those involved in evaluating a company's assets, for instance, in the case of oil and gas companies, third-party reserve engineering firms.
• Letter of Comfort (LOU) in finance terminology is a type of guarantee provided by one bank to another bank, stating that on the due date it guarantees the payment for the loan extended to the importer. Letter of Comfort is also used by importers to arrange funds in products like buyers credit. For example, an importer in India may want cheap funds on LIBOR rates; an international bank can provide these funds subject to a letter of comfort provided by the importer's existing working capital bank.

• Additionally, acknowledgement letter: A letter written to somebody to say that something that he or she sent has been received.
• Representation Letter: Written confirmation from management to the auditor about the fairness of various financial statement elements.
  – The purpose of the letter is to emphasize that the financial statements are management's representations, and thus management has the primary responsibility for their accuracy.
  – Some auditors request written representations of all financial statement items. All auditors require representations regarding receivables, inventories, plant and equipment, liabilities, and subsequent events. Frequently, all these representations are included in one letter.
  – Management acknowledges its responsibilities for running the company, the adequacy of financial policies employed, confirmation of practices observed during the audit, and confirmation to the auditor that management has made full disclosure of all material activities and transactions in its financial records and statements.
  – Also, the letter provides supplementary audit evidence of an internal nature by giving formal management replies to auditor questions regarding matters that did not come to the auditor's attention in performing audit procedures.
  – The letter is required at the completion of the audit fieldwork and prior to issuance of the financial statements with the auditor's opinion.

ISA 260: Communication of audit matters with those charged with governance
• ISA 260 requires the external auditor to communicate 'audit matters of governance interest' to those charged with governance of the entity.
• 'Those charged with governance' means those entrusted with the supervision, control and direction of an entity and would therefore include the audit committee and non-executive directors. They only include management when it performs such functions.

Summary of responsibilities:
• Audit matters of governance include:
  • Effects of significant accounting policies.
  • Potential financial effect of risks/uncertainties.
  • Material audit adjustments.
  • Disagreements with management concerning the financial statements.
  • Expected modifications to the audit report.
  • Internal control weaknesses including Fraud.

Procedures:
• Such communications should be on a sufficiently prompt basis to enable those charged with governance to take appropriate action.
• If possible, matters should be addressed to the audit committee, or to the board if there is no audit committee.
• The form of communications and the addressee of communications should be established at an early stage in the audit process (i.e. planning).
• Generally, the communication should be two-way and ongoing, with either party keeping the other informed about relevant matters throughout the year.
• Before reporting issues to the board, auditors should first discuss those matters with management. This gives management an opportunity to provide further information or explanations.
• All communications will be before the financial statements are finalized.

Timing of Communication: (stages of audit and communication required)
• Pre-Audit (Planning): the following issues are discussed and communicated:
  – 1. Practical matters concerning forthcoming audit
  – 2. Audit expected fees
  – 3. Nature and scope of audit work
  – 4. Ensure Engagement letters are up to date
  – 5. Independence of auditor.
• During the Audit: any situation occurs that needs to be immediately addressed. It would not be appropriate to delay communication until the audit is concluded.
• After the audit (conclusion of audit): takes the form of management letter including:
  – 1. Major findings from the audit work
  – 2. Observations on ICSs Weaknesses
  – 3. Audit recommendations
  – 4. Final draft of letter of representation
  – 5. Expected modifications to audit report
  – 6. Uncorrected misstatements
  – 7. Qualitative aspects of accounting/reporting practices.

Control objectives, procedures, tests
• In the next few chapters, controls will be looked at for several major areas of a business. As an introduction to this, we need to understand what the terms control objective, control procedure, and control test mean.
• Control objective. That only good quality products are sent to our customers.
• Control procedures. Before goods are sent to customers, our quality control department test a sample to ensure quality levels are high. Feedback is obtained from customers to avoid any quality issues being repeated.
• Control tests. Auditor observes quality control department testing items before they are despatched.
• Auditor enquires – asks quality control department how many items they test, and what tests they do.
• Auditor inspects despatch notes – because the quality control staff would sign them to show they had finished their checks.