(OVERALL) MATERIALITY
• There can be misstatements from any of the line items on P&L and BS.
• The sum of aggregated misstatements should not exceed (Overall) Materiality.
• If it exceeds Materiality, the FS will be deemed to be materially misstated.
• Meaning that a qualified opinion needs to be given because FS users are likely to change their decisions.
Do we apply the same M and PM to both statements?
Yes, we use the same M and PM for P&L and BS. This is because we are reviewing it at the FS level. Generally, we use PBT to compute M and PM as the resultant is lower than if we were to use “Total assets” as benchmark.
SEMINAR 4: INTERNAL CONTROL
ACCT 331 AUDIT & ASSURANCE
Source: https://www.markspaneth.com/blog/2017/strong-internal-controls-help-reduce-restatements
SMU Classification: Restricted
BIG QUESTION
HOW DOES A COMPANY’S INTERNAL CONTROL ENVIRONMENT AFFECT ITS FINANCIAL STATEMENTS AUDIT?
LEARNING OBJECTIVES
Seminar 2
Seminar 3
Seminar 4
Seminar 5
Seminar 9 & 10
Source: https://www.straitstimes.com/singapore/auditor-general-finds-wastage-of-539m-of-public-funds-at-hpb-over-excess-fitness-trackers
Intentional – correct,
QUESTION 1
WHAT IS THE PURPOSE OF AN INTERNAL CONTROL ENVIRONMENT? ANY LIMITATIONS?
INTERNAL CONTROLS:
PERVASIVE (ENTITY-WIDE) VS SPECIFIC (TRANSACTION)
The purpose of internal controls is to (i) prevent, (ii) detect and/or (iii) correct intentional/unintentional errors that arise as a result of inherent/control risks (IR/CR) at the firm level, as well as process level.
Sales occur that are not recoverable: Control that will not allow a sale to be processed if a customer has exceeded its credit limit (typically included in the IT system)
Employees are paid unworked overtime: Review of overtime transactions before payment of wages
Incorrect amounts billed to customers: Invoices are reviewed and authorised before sending out
Unauthorised purchase orders: All purchase orders of 10,000 above must be approved by two senior managers.
Fictitious payments are made:
• Bank reconciliation is performed monthly and checked and approved by a manager. (Detective)
• Follow-up of cheques presented to the bank but not recorded in the general ledger (Corrective) (other examples: IT system breaks down – another system to correct) – more for followup for accounting
Shipments are shipped but not billed: Daily comparison of quantities billed and quantities shipped (Detective)
Customers are wrongly billed: Reconciliation of customer statement balances to ledger and follow-up of any
CLASS DISCUSSION (READING 4.1)
WHAT ARE THE PREVENTIVE, DETECTIVE AND CORRECTIVE INTERNAL CONTROLS IMPLEMENTED IN TEE INTERNATIONAL?
• Changes in operating environment
• New information systems
• New personnel
• New business models, products or activities
• Corporate restructurings
• Expanded foreign operations
No matter how effective, the protection is limited because it can only provide reasonable
assurance over the financial reporting process.
Breakdowns in internal control can occur due to faulty human judgment or error, e.g. poor design of a control or personnel failing to carry out the control appropriately.
Controls can be circumvented by the collusion of 2 or more people or inappropriate management override of controls.
Management’s judgment on the nature and extent of controls to be implemented, in response to identified risks, is possibly subjective and incomplete.
Reduces the risk of fraud, but it is not an absolute deterrent to fraud.
QUESTION 2
WHY IS IT IMPORTANT FOR AUDITORS TO UNDERSTAND ITS CLIENT’S INTERNAL CONTROL ENVIRONMENT?
Financial output more likely to be accurate and reliable due to lower probability
of unintentional and intentional errors arising from weak controls.
Audit effort need not be amplified because the probability of not detecting
material misstatements is considerably lower.
3. Use information to assess the risks of material misstatement: Auditors are required to assess the RMM at financial statement and assertion level, to enable auditor to direct the audit effort to where it is most needed i.e. areas with the highest RMM.
Control environment: Understand and evaluate the set of existing controls, processes and structure
Risk assessment process: Understand the entity’s process for identifying and evaluate the appropriateness of system
Monitoring of system of internal control: Understand and evaluate the entity’s monitoring process of internal controls relevant to financial reporting
Information system and communication: Understand and evaluate the entity’s information flows, accounting records and financial reporting process.
Control activities: Identify and evaluate controls that address risks of material misstatement at the assertion level. Determine if the controls are operating effectively
Revenue
• Sales order
• Cash receipts
• Accounts receivable
Expenditure
• Inventory/Purchases
• Accounts payable
• Payroll
• Cash payments
Financing
• Borrowing/repayment
• Stock issuance
• Dividends
• Cash management
Management compares monthly actual to budget income statement figures. All significant variances are investigated and explained: Identifies potential errors in financial reporting and is relevant to audit
Regular health and safety inspections are performed at all warehouses: Not relevant to the audit. However, if accident occurred, that event could be relevant to the audit as a contingent or actual liability.
PHASE 2: UNDERSTANDING YOUR CLIENT’S INTERNAL CONTROL ENVIRONMENT
The more effective the internal controls implemented, the lower the IR & CR.
Have assurance over the financial output.
Identify risks of material misstatements (RMM) that may occur.
Determine control risk (CR) level.
Develop appropriate audit procedures.
GROUP EXERCISE: IDENTIFICATION OF INTERNAL CONTROL DEFICIENCIES
You have been carrying out audit procedures to gain an understanding of the entity, Tantpro Ltd. The following matters have come to your attention:
The company offers standard credit terms to its customers of 60 days from the date of invoice. Statements are sent to customers on a monthly basis. However, Tantpro does not employ a credit controller and, other than sending the statements on a monthly basis, it does not otherwise communicate with its customers on a systematic basis. On occasion, the receivables ledger clerk may telephone a customer if the company has not received a payment for some time. Some customers pay regularly according to the credit terms offered to them, but others pay on a very haphazard basis and do not provide a remittance advice.
Receivables ledger receipts are entered onto the receivables ledger but not matched to invoices remitted. The company does not produce an aged list of receivables balances.
Required:
1. Identify all internal control deficiencies and potential RMM of Tantpro.
2. Suggest ONE appropriate internal control for each deficiency.
3. What is your assessment of Tantpro’s CR for its receivable cycle? Should you continue to perform TOC?
WOULD UNDERSTANDING THE ENTITY’S INTERNAL CONTROLS AND THE POTENTIAL IMPACT ON THE FS BE SUFFICIENT?
DO WE NEED TO DO MORE TO VERIFY THAT WE CAN TRUST AND USE THE ENTITY’S FINANCIAL OUTPUT?
QUESTION 3
WHAT IS DONE TO ESTABLISH THE OPERATING EFFECTIVENESS OF INTERNAL CONTROL?
Para 4b
Test of controls – An audit procedure designed to evaluate the operating effectiveness of controls in
preventing, or detecting and correcting, material misstatements at the assertion level.
Para 8
The auditor shall design and perform tests of controls to obtain sufficient appropriate audit evidence as to
the operating effectiveness of relevant controls if:
a) The auditor’s assessment of risks of material misstatement at the assertion level includes an
expectation that the controls are operating effectively or
b) Substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion
level, e.g. when there are no physical copies of transactions.
PHASE 2 TO PHASE 3
Understand and Walkthrough tests: Select Test of Controls (TOC): Select
Phase 2: Understanding the entity’s system of internal
controls
determine and perform the additional audit evidence to be obtained for the remaining period.
REVIEW
You are auditing a firm with three trading bank accounts, one term deposit account and
one surplus cash account. 5 *3 = 15
The trading accounts reconciliations are performed weekly, the term deposit account is
reconciled quarterly, and the surplus cash account is reconciled monthly.
Through risk assessment procedures, auditors decide to place high reliance on controls.
Required: How many samples do you need for this reconciliation controls testing?
If deviations from controls upon which the auditor intends to rely are detected, the
auditor shall make specific inquiries to understand these matters and their potential
consequences, and shall determine whether:
a) The tests of controls that have been performed provide an appropriate basis for
reliance on the controls;
b) Additional tests of controls are necessary; or
c) The potential risks of misstatement need to be addressed using substantive
procedures.
WHAT DO YOU DO WITH INTERNAL CONTROL DEFICIENCIES UNCOVERED?
DISCUSSION
QUESTION 5 (READING 4.2)
HOW TO AUDIT INFORMATION SYSTEMS’ INTERNAL CONTROLS?
COMPUTER-AIDED AUDIT TOOLS (CAAT)
IT Application Controls
Automated controls that relate specifically to applications (such as sales processing and payroll processing)
Sources of information used (e.g how do transactions originate within the entity’s business process?)
• Access to different modules are restricted
• Log-ons using password or biometric
How is information captured and processed? (e.g what are the financial reporting processes used to record the transactions?)
• Activity logs which summarise transactions and the personnel-in-charge
• Backup procedures to safeguard data loss
• Cloud computing and data security
How the information produced is used? (e.g what reports are produced by the system and how are they used to manage the entity?)
• The algorithm for generation of monthly and yearly financial reports.
• Review of algorithm for generation of reports
Processing approaches
Test data: Test specific controls in computer program as well as the logic and procedural operations of the client’s computerised application.
Integrated testing facility: Allows assessment of controls in the actual environment in which transactions are usually processed.
Non-processing approaches
Program code review: reviewing the source program coding embedded within the IT system as it will allow the identification of issues at source and not disrupt clients' operations
Review of job accounting data: reviews the printed log produced as jobs are run and considers any excessive processing time, error conditions or abnormal halts.
1. TEST DATA APPROACH
Procedures:
• Auditor feeds test data (simulated transactions, both valid and invalid) to the client application.
• Ensure that the application being tested is the actual program the client is using.
• Auditor compares the results of processing with the expectations.
• Completed during audit fieldwork (Interim or Final?)
a) Data which should be processed normally.
b) Data which should be rejected.
c) Data which triggers system alerts.
REVIEW
Control under testing: number of payroll hours per week cannot exceed 50 hrs.
Required:
1. What are the 3 types of simulated data to be generated for the testing?
2. What are your expectations, based on the 3 types of simulated data?
3. What audit evidence does it provide, based on your results?
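The test data approach applied to the control in this review (weekly payroll hours cannot exceed 50), as an added example that is not part of the original slides. `client_payroll` is a hypothetical stand-in for the client application; the 45-hour alert threshold, the employee IDs and the defective build are assumptions made for illustration, and the data set goes slightly beyond the three listed types by adding boundary and split-entry cases.

```python
from collections import defaultdict

WEEKLY_LIMIT = 50.0   # control under test, taken from the review slide
ALERT_FROM = 45.0     # assumed: totals above this are accepted but flagged

def client_payroll(entries, per_entry_only=False):
    """Hypothetical stand-in for the client's payroll application.
    per_entry_only=True models a defective build that checks each entry
    alone instead of the employee's running weekly total."""
    totals, results = defaultdict(float), []
    for emp, week, hours in entries:
        if not isinstance(hours, (int, float)) or hours <= 0:
            results.append("REJECT")
            continue
        checked = hours if per_entry_only else totals[(emp, week)] + hours
        if checked > WEEKLY_LIMIT:
            results.append("REJECT")
            continue
        totals[(emp, week)] += hours
        results.append("ALERT" if checked > ALERT_FROM else "ACCEPT")
    return results

# Constructed test data: (employee, week, hours) plus the auditor's expectation.
TEST_DATA = [
    (("E01", "2024-W10", 40), "ACCEPT"),    # a) processed normally
    (("E02", "2024-W10", 50), "ALERT"),     # c) exactly at the limit: flagged
    (("E03", "2024-W10", 50.5), "REJECT"),  # b) just over the limit
    (("E04", "2024-W10", -8), "REJECT"),    # b) invalid value
    (("E05", "2024-W10", "40"), "REJECT"),  # b) wrong data type
    (("E06", "2024-W10", 30), "ACCEPT"),    # first part of a split week
    (("E06", "2024-W10", 25), "REJECT"),    # b) pushes the week to 55 hours
]

def run_test_data(app):
    """Feed the test data through `app`; return deviations from expectation."""
    actual = app([entry for entry, _ in TEST_DATA])
    return [(e, exp, act) for (e, exp), act in zip(TEST_DATA, actual) if exp != act]

def defective_build(entries):
    return client_payroll(entries, per_entry_only=True)

if __name__ == "__main__":
    for name, app in [("as designed", client_payroll), ("defective", defective_build)]:
        deviations = run_test_data(app)
        print(name, "->", "no deviations" if not deviations else deviations)
```

The split-entry case is the one that separates the two builds: every single-entry test passes against the defective build, so a data set without it would report the control as effective.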
Test Data: inability to verify that it was working well THROUGHOUT the year as it was
performed during the audit fieldwork period.
ITF: very disruptive to the clients’ daily operations as there is a need to have "dummy transactions"
regularly inserted into their 'live' system, throughout the financial year. Will need to perform
additional work to remove dummy transactions before month-end closing.
Non-processing approaches: EA may not have the time and resources to perform this
approach. Client may not be keen to share their information systems access with auditors.
SEMINAR 4 HOMEWORK – FUNKY FURNITURE PART 2
SINSWIM
SELF-PRACTICE: JGR 3-17 & 20 (ANSWERS PROVIDED ON ELEARN)