
Chapter 5

Systems Assessment
Prepared by omnia hassan
 
Internal Control
 
• Auditors need to understand the client's system so that they can:
1. Assess their reliability for the preparation of financial statements.
2. Design suitable audit procedures.
3. If the auditor is able to rely on the system it will be because it contains some of the
components of internal control as set out in ISA 315.
 
• A company's management has a number of obligations:
1) To manage the business effectively.
2) To produce timely and accurate financial statements and management information (both
for management and statutory purposes).
3) To safeguard the business assets.
4) To prevent and detect fraud.
• The purpose of a system is to enable the business to:
a) Collect data.
b) Summarize data.
c) Produce FS and management information.
d) Aid the directors in complying with the above obligations.
WHY AUDITORS CARE ABOUT INTERNAL CONTROLS
• Because if controls appear to be good,
assurance is gained that the Financial
Statements are materially correct – meaning
that substantive testing can be reduced.
• Because a good control system helps in the
assessment of the strength and integrity of
client's management.
What is an internal control system? (ISA 315)
• Understanding of Internal Control is used by the auditor to identify types of potential misstatements and
to consider factors that affect the risks of material misstatements and design the nature, timing and extent
of further audit procedures.
• Internal Control.
• Understanding of Internal Control is used by the auditor
– 1. to identify types of potential misstatements;
– 2. To consider factors that affect the risks of material misstatements; and
– 3. To design the nature, timing and extent of further audit procedures.
• Definitions of Internal Control:-
• Internal control is the process designed and effected by those charged with governance, management,
and other personnel to provide reasonable assurance about the achievement of the entity’s objectives
with regard to reliability of financial reporting, effectiveness and efficiency of operations and compliance
with applicable laws and regulations. It follows that internal control is designed and implemented to
address identified business risks that threaten the achievement of any of these objectives.
 
• Internal control is the process designed and effected by those charged with governance, management,
and other personnel ………..
• to provide reasonable assurance about the achievement of the entity’s objectives with regard to:
– 1. Reliability of financial reporting,
– 2. Effectiveness and efficiency of operations and
– 3. Compliance with applicable laws and regulations
• It is generally accepted that a good Internal Control System is
made up of 5 elements:
– A strong Control Environment
– Good Control Procedures
– Good Risk Assessment
– Good Information Systems
– Effective Monitoring (typically the role of internal auditors).
• Control environment
• The control procedures are unlikely to be effective unless there is a strong control environment:
– Management Attitude needs to be strong:
• - managers follow same controls as staff, no override
• - those breaching controls are punished
• - controls are part of staff training.
– Staff who are likely to follow the controls:
• - recruitment process to get “right” sort of people (e.g. no criminal record)
• - training to ensure all understand importance of controls.
– Segregation of Duties:
• - different parts of processes done by different people
• - nobody checks their own work
• - nobody has total control of all parts of a transaction.
• It encompasses the following elements:
– (a) Communication and enforcement of integrity and ethical values.
– (b) Commitment to competence
– (c) Participation by those charged with governance
– (d) Management’s philosophy and operating style
– (e) Organizational structure
– (f) Human resource policies and practices
• Auditor should evaluate how these components have been incorporated into the entity’s processes.
• ii) The Entity’s Risk Assessment Process; It is the process of identifying and responding to business risks that
affect the entity’s financial reporting. Such process includes how management:
1. Identifies risks that affect the entity’s ability to produce financial statements that give a true and fair view,
2. Estimates their significance,
3. Estimates likelihood of their occurrence and
4. Decides upon actions to manage them.
• Risks relevant to financial reporting include:
– Internal events, and
– External events and circumstances
• That may occur and adversely affect an entity’s ability to:
• Initiate,
• Record,
• Process, and report the financial information.
• Risks can arise due to circumstances such as the following: (internal/external)
a) Changes in operating environment
b) New personnel
c) New or revamped information systems
d) Rapid growth
e) New technology
f) New business models, product or activities
g) Corporate restructurings
h) Expanded foreign operations
i) New accounting pronouncements
• iii) Information system, including the related business processes, relevant to financial reporting and communication
• The information system consists of:
• 1. Infrastructure (physical and hardware components),
• 2. Software
• 3. People
• 4. Procedures and
• 5. Data
• Infrastructure and software will be absent, or have less significance, in systems that are exclusively or primarily manual. Many
information systems make extensive use of IT.
Importance of Information System
• Accordingly, an information system encompasses methods and records that:
– Identify and record all valid transactions.
– Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial reporting.
– Measure the value of transactions in a manner that permits recording their proper monetary value in the financial statements.
– Determine the time period in which transactions occurred to permit recording of transactions in the proper accounting period.
– Present properly the transactions and related disclosures in the financial statements.
Communication
• Communication involves:
– providing an understanding of individual roles and responsibilities pertaining to internal control,
– understanding roles of others and
– doing exception reporting to higher level management.
• Communication takes such forms as:
– Policy manuals,
– Accounting and financial reporting manuals and memoranda.
• It may also be made:
– Electronically,
– Orally and
– Through the actions of management
Control procedures
• There are several types of control procedure:
– Comparison
– Authorisation
– Reconciliations
– Computer Controls
– Arithmetical
– Physical
• or CARCAP for short.
• Risk assessment; Clearly, if the risks are not identified properly at the start
of a risk management process, the wrong control procedures will be put in
place ... and so the control system will fail.
• Unfortunately, this issue can never be completely avoided ... because
whatever controls you have in place, a clever criminal will inevitably find a
way around them!
• Information systems; You can only know if your controls are effective if you
have accurate information being produced. Inaccurate information may be
hiding problems.
• Monitoring; On paper, many systems sound fantastic and impossible to
break. In reality, the truth is often very different. Despite massive security,
high profile buildings often get broken into ... often because the controls
that management THINK are happening are in fact routinely ignored.
• Companies should monitor their controls to ensure they are taking place,
and are achieving the desired effect.
• Monitoring is typically carried out by Internal Auditors.
Benefits of Internal Control to the entity

• Based on our previous studies we can now identify the following
principal benefits that may arise for an entity from a sound system
of internal control:
• a) Assurance that all transactions are completely and accurately
processed.
• b) Confidence that only authorized transactions take place.
• c) Assurance that adequate documentation supporting transactions
is created and retained.
• d) Assurance that the company’s assets and liabilities are correctly
stated, in order for them to make informed decisions on the
operations of the business.
• e) Minimization of the risk of fraud and misappropriation of assets.
• e) Minimization of the risk of fraud and misappropriation of assets.
Benefits of Internal Control to the auditor

• Of course, if the audit client benefits from a sound system of internal control, it is
likely that the auditor will also be benefited. All of the above stated benefits help to
promote a situation where the financial statements present a true and fair view. In
simple terms, a good system of internal control will make life easier for the auditor.
• Auditor’s work on the Internal Control
• International standards on auditing emphasize the importance of internal control to
the auditor by stating that auditor should:
• a) Obtain an understanding of the accounting and internal control system sufficient
to plan the audit and develop an effective audit approach, and
• b) Use professional judgment to assess the components of audit risk and to design
audit procedures to ensure it is reduced to an acceptably low level.
• At an early stage in their work auditors will have to decide the extent to which they
wish to place reliance on the internal controls of the enterprise. As the audit
proceeds, that decision will be kept under review and, depending on the results of
their examination, they may decide to place more or less reliance on these controls.
Internal Control Questionnaire
• An ICQ is a list of all possible controls for each area of the financial statements. The client staff are asked questions and systems
documentation reviewed to establish which controls exist.
• Features:
– Used in large company audit
– Used to place reliance on internal controls
– Used to design audit approach
• Definition:
• An ICQ is a formal and usually standardized document which comprises:
– 1. A list of internal controls in existence and
– 2. Highlights any weaknesses.
• Objectives:
– (i) To ascertain a client's systems of accounting and internal control
– (ii) To evaluate the control system thus recorded, and hence
– (iii) To identify those controls which indicate strengths in the system upon which the auditor will seek to place reliance, and
– (iv) To identify those areas over which there are weak or no controls and which therefore must be subjected to more extensive
substantive testing and reported by inclusion in the Management Letter.
• Construction of an ICQ
I) It is good practice when designing ICQs to state, as a brief introduction:
– i. A list of control objectives which each sub-system under consideration should seek to achieve
– ii. Any business considerations specific to the enterprise under review which should be taken into account.
• The reason for this is essentially to highlight key areas for the audit staff's consideration.
II) The questions in an ICQ should be designed to ascertain whether the control objectives are being achieved and should
therefore cover such aspects as:
– a. Instructions given to staff in the performance of their duties
– b. Authorization procedures
– c. Documents and procedures used to originate transactions
– d. Recording procedures
– e. Sequence of procedures
– f. Custody procedures
– g. Relative independence of the persons involved at each stage of a transaction (i.e.
segregation of duties).
III) The questions should be framed such that a Yes/No answer is given, with a No answer usually
indicating a control weakness.
IV) An ICQ should carry such basic information as:
– (a) The name of the document (ICQ)
– (b) The system to which it relates (e.g. purchasing cycle)
– (c) The client to whom it relates
– (d) The accounting period under review
– (e) Evidence of who has prepared and reviewed the document
– (f) The provision of columns for:
• - Yes and No answers
• - comments where neither Yes nor No is applicable
• - indicating the significance or otherwise of apparent weaknesses
• - References to audit programs
• - References to Management Letters.
• ICEs:
• ICEs (sometimes referred to as ICEQ) do not attempt to record all controls like an ICQ.
An ICE is far more useful as an evaluation tool for the auditors, as its focus is on whether IC
objectives are being met.
Limitations of internal control systems
• Even if Control Systems are assessed as very
strong, auditors will still do SOME substantive
testing. Controls are never completely reliable
because:
– staff make mistakes
– staff collude to override systems
– staff believe the cost of the control is greater than the
benefit ... so refuse to do it
– controls are designed for normal events ... unique /
new types of transaction may bypass the system.
Assessing an internal control system
• Find out what system client has
– Ask client, or read their internal procedures manuals.
• Ensure system understood
– May use “walk-through” tests, following 1 transaction through the system.
• Record System
– May use flowcharts, or questionnaires, or simply write it out in words.
• Assess System
– Does it help to keep the Financial Statements accurate?
• Test System
– If Controls look good, test them to ensure they operated throughout the
accounting year.
– If the controls did operate properly, then assurance is gained that the
Financial Statements are accurate ... so substantive testing can be reduced.
Reporting weaknesses in controls to the client
• If the auditor believes Controls could be
improved, it would be professional to advise
the client of the weaknesses, the
consequences of these weaknesses, and make
recommendations for improvement.
Communicating deficiencies in internal control to those charged with governance and management (ISA 265)
• ISA 265 requires that this communication is done in writing and on a timely basis
• and we often refer to this as a “Management Letter”.
• In practice, the management letter is sent to the client either after the controls testing is
completed, or at the end of the audit (if nothing urgent was found after the controls
testing).
• The Management Letter has two parts:
– covering letter
– appendix.
• The Covering Letter is a brief note explaining:
– why the client is receiving this
– that the weaknesses found are only those discovered during the audit ... There may be other
problems as well
– that the advice is for internal use only and should not be passed to anyone else.
• The Appendix has the detailed:
– WEAKNESSES
– CONSEQUENCES
– RECOMMENDATIONS.
• It will also typically have space for the client to confirm what action they propose to take.
• The ISAs, and in particular ISA 260 Communication of audit matters with those
charged with governance, place some further responsibilities on the external
auditors.
• The main forms of formal communication are:
• The Letter of engagement
• An engagement letter defines the legal relationship (or engagement) between a
professional firm (e.g., law, investment banking, consulting, advisory or
accountancy firm) and its client(s). This letter states the terms and conditions of the
engagement, principally addressing the scope of the engagement and the terms of
compensation for the firm.
• Most engagement letters follow a standard format. The example given below refers
to the engagement of an accountancy firm.
• Standard format for letters of engagement
• Addressee: Typically addressed to the senior management (e.g. CEO) of the client.
• Identification of the service to be rendered: One type of service is a financial statement audit. Provided in
this section is a brief description of the nature of the particular service. Other services that are planned for
the audit (e.g. evaluation of internal control, preparation of regulatory reports) are also identified in this
section.
• Specification of the responsibilities of the auditor of the company: This section refers to the specific
professional standards and responsibilities of the auditor.
• Constraints on the accounting firm: For example, timing of access to client facilities and accounting records
may delay the engagement.
• Deadlines: This section lays out the estimated date of completion and release of the financial statements,
as well as the general guidelines for the timing of the audit work.
• Description of any assistance to be provided by the client: Typically, the client’s personnel will prepare
some schedules (e.g. bank reconciliations) and retrieve documents from files. The letter should describe
the assistance of client personnel. If the assistance is not provided and the auditors must complete the
work themselves, this section of the letter would provide justification for additional fees to the client.
• Interactions with specialists, internal auditors, and the predecessor auditor needed to conduct the audit:
Some specialists needed on an audit may include engineers to verify the stage of completion of electronic
components, real estate appraisers to appraise realizable value of real estate used as collateral for loans,
actuaries to evaluate the funding requirements and future cash flows associated with pensions or post-
retirement health costs, and attorneys to evaluate the likely disposition of contingent losses arising from
litigation.
• A disclaimer: Describing the limits of the audit. Typically this expresses that an audit is not designed to
detect all forms of fraud or illegal acts; rather, an audit checks the financial position of a client with
reference to generally accepted accounting principles.
• A description of the basis for fees: This may include a fixed fee or an estimate of fees based on expected
completion time and billing rates of firm employees assigned to the engagement.
• Ownership and accessibility of the auditor’s files to external parties.
• The management letter (sent at the end of the audit period): the management letter identifies issues not required to be
disclosed in the Annual Financial Report but which represent the auditor's concerns and suggestions noted during the audit.
• The comfort letter: a letter given to organizations or persons of interest by external auditors regarding statutory audits,
statements and reports used in a prospectus. The comfort letter will be attached to the preliminary statements as
assurance that it will not be materially different from the final version.
Comfort letters can be used by lenders, such as banks as solvency opinions on whether a borrower can meet the payment
obligations of a loan. They are opinions and are not guarantees that the underlying company will actually remain solvent.

Comfort letters can also be used by underwriters as their obligation to carry out "reasonable investigation" into offerings of
securities. These letters of comfort will ensure that the reports provided conform to the generally accepted accounting
principles (GAAP). This helps the underwriter better understand aspects of the financial data which might not otherwise be
reported such as changes to financial statements and unaudited financial reports.
• A comfort letter is a document prepared by an accounting firm assuring the financial soundness or backing of a company.
The comfort letter can be issued by an auditor declaring no indication of false or misleading information in the financial
statements and that the company's prospectus follows GAAP. This is sometimes used in connection with an
initial public offering. Comfort letters are also sometimes provided by those involved in evaluating a company's assets, for
instance, in the case of oil and gas companies, third-party reserve engineering firms.
• A comfort letter may also be used as written assurance by a subsidiary's parent company or bank used to offer 'comfort' to
the buyer as to the seller's ability or willingness to perform its obligations. Comfort letters are often used because the seller
is unable or unwilling to provide a guarantee on a certain outcome, such as the performance of a security.
• Comfort letters are typically signed prior to the pricing decision or closing date for a given public offering or other
transaction, as a part of the due diligence process. Subsequently, a "bring-down" letter is used to re-verify, as of a later
date, that the original comfort letter is still valid.
• Letter of Comfort (LOU) in finance terminology is a type of guarantee provided by one bank to another bank. A Letter of Comfort
is also used by importers to arrange funds in products like buyer's credit. For example, an importer in India may want
cheap funds at LIBOR rates; an international bank can provide these funds subject to a letter of comfort provided by the
importer's existing working capital bank, stating that on the due date it guarantees the payment for the loan extended to the
importer.
• Additionally, the acknowledgement letter: a letter written to somebody to say that something
that he or she sent has been received.
• Representation Letter: Written confirmation from management to the auditor about the
fairness of various financial statement elements. The purpose of the letter is to emphasize
that the financial statements are management's representations, and thus management
has the primary responsibility for their accuracy. Also, the letter provides supplementary
audit evidence of an internal nature by giving formal management replies to auditor
questions regarding matters that did not come to the auditor's attention in performing
audit procedures.
Some auditors request written representations of all financial statement items. All auditors
require representations regarding receivables, inventories, plant and equipment, liabilities,
and subsequent events.
Frequently, all these representations are included in one letter. The letter is required at the
completion of the audit fieldwork and prior to issuance of the financial statements with the
auditor's opinion.
Management acknowledges its responsibilities for running the company, the adequacy of
financial policies employed, confirmation of practices observed during the audit, and
confirmation to the auditor that management has made full disclosure of all material
activities and transactions in its financial records and statements.
• ISA 260: Communication of audit matters with those charged with governance;
• ISA 260 requires the external auditor to communicate ‘audit matters of governance interest’ to those charged with
governance of the entity. ‘Those charged with governance’ means those entrusted with the supervision, control and
direction of an entity and would therefore include the audit committee and non-executive directors. They only include
management when it performs such functions.
 
• Procedures:
– Such communications should be on a sufficiently prompt basis to enable those charged with governance to take
appropriate action. All communications will be before the financial statements are finalized.
– The form of communications and the addressee of communications should be established at an early stage in the audit
process (i.e. planning).
– Before reporting issues to the board, auditors should first discuss those matters with management. This gives management
an opportunity to provide further information or explanations.
– If possible, matters should be addressed to the audit committee, or to the board if there is no audit committee.
• Generally, the communication should be two-way and ongoing, with either party keeping the other informed about relevant
matters throughout the year.
 
• Summary of responsibilities:
• Audit matters of governance include:
• Effects of significant accounting policies.
• Potential financial effect of risks/uncertainties.
• Material audit adjustments
• Disagreements with management concerning the financial statements.
• Expected modifications to the audit report.
• Internal control weaknesses including Fraud.
• Timing of Communication: (stages of audit and communication required)
• Pre-Audit (Planning): the following issues are discussed and communicated
– 1. Practical matters concerning forthcoming audit
– 2. Expected audit fees
– 3. Nature and scope of audit work
– 4. Ensure engagement letters are up to date
– 5. Independence of auditor.
• During the audit: any situation that occurs and needs to be addressed immediately. It
would not be appropriate to delay communication until the audit is concluded.
• After the audit (conclusion of audit): takes the form of a management letter including:
– 1. Major findings from the audit work
– 2. Observations on ICS weaknesses
– 3. Audit recommendations
– 4. Final draft of letter of representation
– 5. Expected modifications to audit report
– 6. Qualitative aspects of accounting/reporting practices.
– 7. Uncorrected misstatements
Control objectives, procedures, tests
• In the next few chapters, controls will be looked at for several major areas of a
business. As an introduction to this, we need to understand what the terms
control objective, control procedure, and control test mean.
• Control objective; That only good quality products are sent to our customers.
• Control procedures; Before goods are sent to customers, our quality control
department test a sample to ensure quality levels are high.
Feedback is obtained from customers to avoid any quality issues being repeated.
• Control tests; Auditor observes quality control department testing items before
they are despatched.
• Auditor enquires – asks quality control department how many items they test,
and what tests they do.
• Auditor inspects despatch notes – because the quality control staff would sign
them to show they had finished their checks.
