
AUDIT CYCLE

Diagram (stages of the audit cycle): Planning, Procedures, Evidence, Conclusion, Audit report
Audit planning
• Understanding the entity and its environment
• Risk assessment
• Materiality
• Preliminary analytics
Audit procedures
• Tests of control
• Substantive procedures
  • Substantive analytics
  • Substantive tests of detail
Audit approach

Diagram: Planning; Assessment of internal controls (Weak / Strong); Tests of control; Substantive procedures (Extensive / Reduced)
INTERNAL CONTROLS
What is internal control?
Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
Common day questions – Internal Control
• What do you worry about going wrong?
• What steps have been taken to assure it doesn’t?
• How do you know things are under control?
Internal control framework

Diagram (five components): Monitoring, Risk Assessment, Control Environment, Information & Communication, Control Activities
1. Control environment
• Foundation for all other components of internal control.
• Pervasive influence on all the decisions and activities of an organization.
• Effective organizations set a positive “tone at the top”.
• Factors include the integrity, ethical values and competence of employees, and management’s philosophy & operating style.
• Examples of soft controls:
  • Management philosophy
  • Organizational structure
  • Communication
  • Competency of employees
2. Risk assessment
• Risks are internal & external events (economic conditions, staffing changes, new systems, regulatory changes, natural disasters, etc.) that threaten the accomplishment of objectives.
• Risk assessment is the process of identifying, evaluating, and deciding how to manage these events… What is the likelihood of the event occurring? What would be the impact if it were to occur? What can we do to prevent or reduce the risk?
3. Control activities
• Tools (policies, procedures, processes) designed and implemented to help ensure that management directives are carried out.
• Help prevent or reduce the risks that can impede the accomplishment of objectives.
• Occur throughout the organization, at all levels, and in all functions.
• Include training, approvals, authorizations, verifications, reconciliations, security of assets, reviews of operating performance, and segregation of duties.
• Types of controls:
  • Preventative
  • Detective
4. Information & Communication
• Pertinent information must be captured, identified and communicated on a timely basis.
• Effective information and communication systems enable the organization’s people to exchange the information needed to conduct, manage, and control its operations.
5. Monitoring
• Internal control systems must be monitored to assess their effectiveness… Are they operating as intended?
• Ongoing monitoring is necessary to react dynamically to changing conditions… Have controls become outdated, redundant, or obsolete?
• Monitoring occurs in the course of everyday operations; it includes regular management & supervisory activities and other actions personnel take in performing their duties.
• Periodic testing can be done by the process owner, internal audit and external audit.
Key control activities
1. Segregation of duties
2. Documentation
3. Authorization and approvals
4. Security of assets
5. Reconciliation and review
1. Segregation of duties
• Divide responsibilities between different employees so one individual doesn’t control all aspects of a transaction.
• Reduce the opportunity for an employee to commit and conceal errors (intentional or unintentional) or perpetrate fraud.
2. Documentation
Document & preserve evidence to substantiate:
• Critical decisions and significant events... typically involving the use, commitment, or transfer of resources.
• Transactions… enables a transaction to be traced from its inception to completion.
• Policies & Procedures… documents which set forth the fundamental principles and methods that employees rely on to do their jobs.
3. Authorization and approvals
• Management documents and communicates which activities require approval, and by whom, based on the level of risk to the organization.
• Ensure that transactions are approved and executed only by employees acting within the scope of their authority granted by management.
4. Security of assets
• Secure and restrict access to equipment, cash, inventory, confidential information, etc. to reduce the risk of loss or unauthorized use.
• Perform periodic physical inventories to verify existence, quantities, location, condition, and utilization.
• Base the level of security on the vulnerability of items being secured, the likelihood of loss, and the potential impact should a loss occur.
5. Reconciliation and review
• Examine transactions, information, and events to verify accuracy, completeness, appropriateness, and compliance.
• Base the level of review on materiality, risk, and overall importance to the organization’s objectives.
• Ensure frequency is adequate to detect and act upon questionable activities in a timely manner.
TESTS OF CONTROL
Audit approach
• Identify the process, e.g. purchase, sales, payroll, bank and cash, expenses, assets, etc.
• Identify the steps in the process, e.g. in purchases: ordering, receipt of goods, and recording for purchases
• Identify the risks at each step
• Develop control objectives in the light of risks identified
• Suggest some suitable controls to meet control objectives
• Test the controls
Purchase system - steps
1. Placing orders
• Risks
  a) Orders are made without approval
  b) Orders are placed with suppliers not on authorized list / without tenders / not to lowest bidder
• Control objectives
  a) ----
  b) ----
  c) ----
• Suitable controls
• Tests of control
2. Receiving goods
• Risks
  a) Non-ordered goods are received (supplier, quality, quantity)
  b) Invoice is received for payment prior to the delivery of goods / does not match with the goods actually received
• Suitable controls
  a) Segregation of duties
  b) Delivery notes and Purchase Orders are matched with actual receipt of goods
  c) Responsible person should sign the receipt
3. Recording purchases
• Risks
  a) Purchase invoices are incorrectly recorded (supplier, quality, quantity)
  b) Credit not claimed for goods returned
• Suitable controls
  a) Purchase invoices matched with PO, GRN
  b) Sequentially numbered PO and GRN are maintained
  c) Regular confirmation from the supplier for outstanding balance
  d) Debit notes to be issued for returns and exception reporting is made
Sales system

Develop yourself!!!
Payroll system
Inventory System
Cash system
IT related controls
• Employees with access to computer systems have an established need for the access.
• Passwords are secure and not shared.
• Procedures are in place to prevent unauthorized use or transmission of information.
• Access to the system is removed in a timely manner for terminated or transferred faculty and staff.
• Computers located in heavily traveled public areas have a screen saver with password activation invoked.
• Each computer software package is licensed for the current user.
• Computer files are backed up on a regular basis. Backup data is stored in a location away from the originals.
• The department has sufficient technical support for ongoing operations to keep downtime minimal.
• The department has adequate resumption procedures for its automated systems that are considered critical or vital to its daily operations.
Why may controls be ineffective?
• Human error may result in incomplete or inaccurate processing
• It may not always be cost effective to design controls for everything in an organization
• Controls may be in place but may be overridden by management
• Collusion may result in breach of segregation of duties
