SMU Classification: Restricted

OVERVIEW OF SEMINAR 3 MATERIALITY

Give assurance that there are Define materiality for
j
Compute materiality
no material misstatements in
FS
Materiality
FS as a whole (M)
Understand the entity and its = % x PBT/Total revenue
internal controls *% based on DR
Individual FS line item (PM)
Identify potential risks of Performance materiality
material misstatements
• Financial Statement level = % of RMM x Materiality
• Assertion level * % based on IR & CR
Various accounts that make
up each FS line (SM/SPM)
(Granular level) Specific materiality
= PM% x Account balance
Specific materiality
/ Specific Performance Specific performance
Materiality materiality
= % of RMM x SM
Boxes in white – not tested ! FYI !
 SMU Classification: Restricted

(OVERALL)
MATERIALITY
• There can be misstatements
from any of the line items on
P&L and BS.
• The sum of aggregated
misstatements should not
exceed (Overall) Materiality
• If it exceeds Materiality, the
FS will be deemed to be
materially misstated.
• Meaning that a qualified
opinion needs to be given Do we apply the same M and PM to both statements?
Yes, we use the same M and PM for P&L and BS. This is because we are
because FS users are likely to reviewing it at the FS level. Generally, we use PBT to compute M and PM as
change their decisions. the resultant is lower than if we were to use “Total assets” as benchmark.

Use / assets if the Profit before tax is

negative or very low. 2
 SMU Classification: Restricted

SEMINAR 4:
INTERNAL
CONTROL
ACCT 331 AUDIT &
ASSURANCE

Source:
https://www.markspaneth.com/blog/2017/strong
-internal-controls-help-reduce-restatements
 SMU Classification: Restricted

HOW DOES A
COMPANY’S
INTERNAL CONTROL
ENVIRONMENT
BIG QUESTION
AFFECT ITS
FINANCIAL
STATEMENTS
AUDIT? 4
 SMU Classification: Restricted

LEARNING OBJECTIVES

1. Explain the purpose of an effective internal control systems and its

limitations.
2. Identify risks of material misstatements (RMM) at assertion level, arising
from an entity’s internal control environment.
3. State the purpose of walkthrough procedure and test of controls testing.
4. Select the most appropriate approach to audit IT application controls.

5
 SMU Classification: Restricted

AUDIT OPINION FORMULATION PROCESS

Seminar 2

Seminar 3

Seminar 4

Seminar 5

Seminar 9 & 10

6
 SMU Classification: Restricted

AUDITOR-GENERAL FINDS WASTAGE OF $5.39M OF PUBLIC

FUNDS AT HPB OVER EXCESS FITNESS TRACKERS – JULY 2021

Source:
https://www.straitstimes.com/singapore/auditor-general-finds-wastage-of-539m-of-public-fu
nds-at-hpb-over-excess-fitness-trackers
7
Intentional – correct,
 SMU Classification: Restricted

QUESTION 1
WHAT IS THE PURPOSE OF
AN INTERNAL CONTROL
ENVIRONMENT?

ANY LIMITATIONS?
8
 SMU Classification: Restricted

The system designed, implemented and

maintained by those charged with
governance, management and other personnel
to provide reasonable assurance about the
WHAT IS achievement of an entity’s objectives with
INTERNAL regard to
CONTROL?  reliability of financial reporting,
[SSA315.12M]  effectiveness and efficiency of operations
and
 compliance with applicable laws and
regulations.

9
 SMU Classification: Restricted

INTERNAL CONTROLS:
PERVASIVE (ENTITY-WIDE) VS SPECIFIC (TRANSACTION)

IR
The purpose of internal controls is to
(i) prevent,
(ii) detect and/or
(iii) correct
intentional/unintentional errors that arise
as a result of inherent/control risks at the
firm level, as well as process level.
CR

10
 SMU Classification: Restricted

WHAT CAN GO WRONG?

EXAMPLES OF SPECIFIC (TRANSACTION) CONTROLS

Example Preventive Controls Example Detective and/or Corrective Controls

Sales occur that Control that will not allow a sale to be Fictitious • Bank reconciliation is performed
are not processed if a customer has exceeded its payments are monthly and checked and approved by a
recoverable credit limit (typically included in the IT made manager. (Detective)
system) • Follow-up of cheques presented to the
Employees are Review of overtime transactions before bank but not recorded in the general
paid unworked payment of wages ledger (Corrective) (other examples
overtime • IT system breaks down – another
Incorrect amounts Invoices are reviewed and authorised system to correct)- more for followup
billed to before sending out for accounting
customers Shipments are Daily comparison of quantities billed and
Unauthorised All purchase orders of 10,000 above must shipped but not quantities shipped
purchase orders be approved by two senior managers. billed (Detective)
Customers are Reconciliation of customer statement
wrongly billed balances to ledger and follow-up of any 11

disputed item(s) (Detective and Corrective)

 SMU Classification: Restricted

CLASS DISCUSSION
WHAT ARE THE PREVENTIVE,
DETECTIVE AND
CORRECTIVE INTERNAL
CONTROLS IMPLEMENTED IN
READING 4.1 TEE INTERNATIONAL?

12
 SMU Classification: Restricted

Changes in
New information
operating New personnel
systems
environment

New business
Corporate Expanded foreign
models, products or
restructurings operations
activities

CAN INTERNAL CONTROL PREVENT/MANAGE THE ABOVE

RISKS?
13
 SMU Classification: Restricted

No matter how effective, the protection is limited because it can only provide reasonable
assurance over the financial reporting process.
Breakdowns in internal control can occur due to faulty human judgment or error, e.g. poor
design of control or personnel fails to carry out the control appropriately.
Controls can be circumvented by the collusion of 2 or more people or inappropriate
management override of controls.
Management’s judgment on the nature and extent of controls to be implemented, in
response of identified risks, is possibly subjective and incomplete.
Reduces the risk of fraud, but it is not an absolute deterrent to fraud.

INHERENT LIMITATIONS OF INTERNAL CONTROL [SSA315 APPENDIX 3]

14
 SMU Classification: Restricted

QUESTION 2
WHY IS IT IMPORTANT FOR
AUDITORS TO
UNDERSTAND ITS
CLIENT’S INTERNAL
CONTROL ENVIRONMENT?

15
 SMU Classification: Restricted

STRONG INTERNAL CONTROL ENVIRONMENT IMPLIES…

Financial output more likely to be accurate and reliable due to lower probability
of unintentional and intentional errors arising from weak controls.

Management and employees less likely to successfully manipulate figures.

Audit effort need not be amplified because the probability of not detecting
material misstatements is considerably lower.
16
 SMU Classification: Restricted

RISK ASSESSMENT 3-STEP PROCESS

Steps SSA Requirements Purpose
1. Gather information Auditors are required to gather To provide a frame of reference within
about the entity information about: which the auditor plans the audit and
• The entity and its environment revises the audit plan through the audit
• Applicable financial reporting
framework
• System of Internal controls
2. Perform risk Auditors are required to To identify sources of RMM and obtain
assessment procedures • Make enquiries supporting audit evidence to support the
• Perform analytical procedures assessment at both the financial statement
• Observe and inspect and assertion levels

3. Use information to Auditors are required to To enable auditor to direct the audit effort to
assess the risks of Assess the RMM at financial statement and where it is most needed i.e. areas with the
material misstatement assertion level highest RMM
17
 SMU Classification: Restricted

STEP 1: UNDERSTANDING ENTITY AND ITS ENVIRONMENT

UNDERSTAND THE ENTITY’S SYSTEM OF INTERNAL CONTROL
[SSA315.A21-26 & APPENDIX 3]

Control environment Understand and evaluate the set of existing controls, processes and structure

Risk assessment Understand the entity’s process for identifying and evaluate the appropriateness of system
process

Monitoring of system Understand and evaluate the entity’s monitoring process of internal controls relevant to financial
of internal control reporting

Information system Understand and evaluate the entity’s information flows, accounting records and financial reporting
and communication process.

Control activities Identify and evaluate controls that address risks of material misstatement at the assertion level
Determine if the controls are operating effectively

18
 SMU Classification: Restricted

MAJOR ACCOUNTING CYCLES

Revenue Expenditure
• Sales order • Inventory/Purchases
• Accounts payable
• Cash receipts
• Payroll
• Accounts receivable • Cash payments

Fixed Assets Conversion/Production

• Purchase  Payments • Production
• Disposal  Receipts • Cost accounting

Financing
• Borrowing/repayment
• Stock issuance
• Dividends 19
• Cash management
 SMU Classification: Restricted

Included within the entity’s system of

DETERMINE internal control are aspects that relate
to the entity’s reporting objectives,
INTERNAL including its financial reporting
CONTROLS objectives, but it may also include
aspects that relate to its operations or
RELEVANT TO compliance objectives, when such
aspects are relevant to financial
EXTERNAL AUDIT reporting.
[SSA315 APPENDIX 3 PARA  Controls over compliance with laws and
3] regulations may be relevant to financial
reporting when such controls are relevant
to the entity’s preparation of disclosures of
contingencies in the financial statements. 20
 SMU Classification: Restricted

INTERNAL CONTROL POTENTIAL IMPACT ON FINANCIAL

REPORTING

Management compares monthly actual to budget income Identifies potential errors in financial reporting and is
statement figures. All significant variances are relevant to audit
investigated and explained.

Regular health and safety inspections are performed at Not relevant to the audit. However, if accident occurred,
all warehouses. that event could be relevant to the audit as a contingent or
actual liability.

EXAMPLES OF INTERNAL CONTROLS AND THEIR

RELEVANCY ON FINANCIAL REPORTING

21
 SMU Classification: Restricted

PHASE 2:
The more effective the internal controls
UNDERSTANDING implemented, the lower the IR & CR.
YOUR CLIENT’S
INTERNAL
CONTROL
ENVIRONMENT  Have assurance over the financial output.
 Identify risks of material misstatements (RMM) that may occur.
 Determine control risk (CR) level.
 Develop appropriate audit procedures.

22
 SMU Classification: Restricted

The auditor is required to obtain an

understanding of internal control
UNDERSTANDING relevant to the audit when identifying
and assessing the risks of material
INTERNAL misstatements(RMM).
CONTROL FOR THE In making those risk assessments, the
PURPOSE OF auditor considers internal control in
order to design audit procedures that
EXTERNAL AUDIT are appropriate in the circumstances,
[SSA265.2] but not for the purpose of expressing
an opinion on the effectiveness of
internal control.
23

GROUP EXERCISE:
IDENTIFICATION OF
INTERNAL CONTROL
DEFICIENCIES
Required:
1. Identify all internal control
deficiencies and potential RMM
of Tantpro.
2. Suggest ONE appropriate internal
control for each deficiency.
3. What is your assessment of
Tantpro’s CR for its receivable
cycle? Should you continue to
perform TOC?
SMU Classification: Restricted
You have been carrying out audit procedures to gain an understanding
of the entity, Tantpro Ltd. The following matters have come to your
attention:
 The company offers standard credit terms to its customers of 60
days from the date of invoice. Statements are sent to customers on a
monthly basis. However, Tantpro does not employ a credit controller
and, other than sending the statements on a monthly basis, it does
not otherwise communicate with its customers on a systematic basis.
 On occasion, the receivables ledger clerk may telephone a customer
if the company has not received a payment for some time. Some
customers pay regularly according to the credit terms offered to
them, but others pay on a very haphazard basis and do not provide a
remittance advice.
 Receivables ledger receipts are entered onto the receivables ledger
but not matched to invoices remitted.. The company does not
produce an aged list of receivables balances
24
 SMU Classification: Restricted

ANSWERS TO IN-CLASS EXERCISE - TANTPRO

Internal Control Deficiency Potential RMM Appropriate Internal Control
(what the company did not do right)
Tantpro does not employ a credit RMM – Assertion – revenue Employ a credit controller
controller and, other than sending the overstated – False Customers Communicate with Customers on
statements on a monthly basis, it does Systhematic basis
not otherwise communicate with its RMM – Assertion - Overstated
customers on a systematic basis
customers pay regularly according to RMM – Assertion – revenue
the credit terms offered to them, but overstated – False Customers
others pay on a very haphazard basis
and do not provide a remittance RMM – Assertion - Overstated
advice
are entered onto the receivables
ledger but not matched to invoices
remitted

The company does not produce an RMM – Assertion – overstatement of

aged list of receivables balances 25
Don’t know which one to write off

GROUP EXERCISE:
IDENTIFICATION OF
INTERNAL CONTROL
DEFICIENCIES
Required:
1. Identify all internal control
deficiencies and potential RMM
of Tantpro.
2. Suggest ONE appropriate internal
control for each deficiency.
3. What is your assessment of
Tantpro’s CR for its receivable
cycle? Should you continue to
perform TOC?
SMU Classification: Restricted
You have been carrying out audit procedures to gain an understanding
of the entity, Tantpro Ltd. The following matters have come to your
attention:
 The company offers standard credit terms to its customers of 60
days from the date of invoice. Statements are sent to customers on a
monthly basis. However, Tantpro does not employ a credit controller
and, other than sending the statements on a monthly basis, it does
not otherwise communicate with its customers on a systematic basis.
 On occasion, the receivables ledger clerk may telephone a customer
if the company has not received a payment for some time. Some
customers pay regularly according to the credit terms offered to
them, but others pay on a very haphazard basis and do not provide a
remittance advice.
 Receivables ledger receipts are entered onto the receivables ledger
but not matched to invoices remitted. The company does not
produce an aged list of receivables balances.
26
 SMU Classification: Restricted

DO WE NEED
WOULD TO DO MORE
UNDERSTANDING TO VERIFY
THE ENTITY’S THAT WE CAN
INTERNAL CONTROLS TRUST AND
USE THE
AND THE POTENTIAL ENTITY’S
IMPACT ON THE FS BE FINANCIAL
SUFFICIENT? OUTPUT?

27
 SMU Classification: Restricted

QUESTION 3
WHAT IS DONE TO
ESTABLISH THE
OPERATING
EFFECTIVENESS OF
INTERNAL CONTROL?
28
 SMU Classification: Restricted

DESIGN AUDIT PROCEDURES FOR THE TESTING OF INTERNAL

CONTROLS

PHASE 2: PHASE 3A:

PHASE 3B:
Understanding the design Perform walkthrough tests
Perform tests of controls (TOC) to
and implementation of the to verify that the controls
conclude that the controls were
entity’s internal control are working as per
operating effectively throughout the
environment understanding in Phase 2 29
financial period audited.
 SMU Classification: Restricted

REVENUE CYCLE – WALKTHROUGH & TOC SAMPLE

WALKTHROUGH TEST OF CONTROL
Objective Example of controls Test of controls Implications if controls not working
Recorded 1. Sales recorded only with valid 1. Sample recorded sales 1. Recorded sales may not have occurred.
transactions are customer order and shipping transactions and vouch back to Extent A/R confirmation work and review
authorized and doc. shipping doc and customer order. subsequent collection.
actually
2. Credit is approved before  Sampling based on? 2. Receivable may not be collectible. Expand
occurred
shipment confirmation work and review of
(Occurrence/Exi 2. Compare customer balance with
subsequent collections
stence) approved credit limit.
All sales are 1. Pre-numbered shipping 1. Review reconciliations to Expand cutoff tests at year end to determine
recorded. documents and invoices which determine that control is working. that all transactions are recorded in the correct
(Completeness) are periodically accounted for. period.
2. Review management reports and
2. Monitoring: transactions are evidence of actions taken.
reviewed and differences are
investigated by company
Sales are Sales price comes from authorized Take a sample of recorded sales A/R may be overstated or understated due to
accurately sales price list maintained on the invoices and trace price back to pricing errors. Expand confirmation and
recorded. computer authorized list. subsequent collection procedures.
(Accuracy) 30
 SMU Classification: Restricted

REVENUE CYCLE – WALKTHROUGH SAMPLE (CONT’D)

Objective Example of controls Test of controls Implications if controls not working
Sales are 1. Computer records sale upon 1. Review monitoring 1. Company may have unrecorded sales
recorded in the entry of customer order and controls (for example, transactions. Discuss with
correct shipping information. management’s review of management to determine if it has
accounting Transactions entered but not transactions entered into plans to bill the sales.
period yet processed, are identified the system and not
2. Sales may be recorded in the wrong
(Cut-off) for an exception report and shipped and billed). year. Expand sales cutoff tests.
followed up.
2. Review nature of
2. Monthly statement are sent complaints received.
to customers. A group Investigate to determine if
independent of those there is a pattern.
recording the transactions,
receives and follows up
complaints.

31
 SMU Classification: Restricted

TEST OF CONTROLS (TOC) [SSA330]

Para 4b
Test of controls – An audit procedure designed to evaluate the operating effectiveness of controls in
preventing, or detecting and correcting, material misstatements at the assertion level.

Para 8
The auditor shall design and perform tests of controls to obtain sufficient appropriate audit evidence as to
the operating effectiveness of relevant controls if:
a) The auditor’s assessment of risks of material misstatement at the assertion level includes an
expectation that the controls are operating effectively or
b) Substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion
level, e.g. when there are no physical copies of transactions. 32
 SMU Classification: Restricted

PHASE 2 TO PHASE 3
Understand and Walkthrough tests: Select Test of Controls (TOC): Select
Phase 2: Understanding the entity’s system of internal
controls

Phase 3A: Determine implementation of internal

controls

Phase 3B: Determine operating effectiveness of

implemented controls
document the 5 a small number of random samples throughout the
components of the representative transactions financial year to inspect, verify
entity’s system of for each significant cycle and document.
internal controls. and perform detailed Conclude whether the controls
[SSA 315.A21- checking/vouching. were operating effectively
26] If selected sample showed throughout the financial year.
that controls were not **The conclusion is not an
Determine working as per opinion on the entity’s internal
preliminary CR. documentation in Phase 2, control systems.
revisit and reassess CR
level. Effective internal controls
(during FY) can reduce
If walkthrough tests results substantive audit procedures to
are satisfactory, tests of be performed in Phase 4.
controls can be carried out
33
to verify its operating
effectiveness.
 SMU Classification: Restricted

NATURE, EXTENT AND TIMING OF TOC [SSA330.10-12]

NATURE & EXTENT (Para 10)
 Understand how controls are applied throughout relevant period
 The consistency of application of said controls
 By whom or by what means they were applied
 If the tested controls are dependent on other controls, then those indirect controls need to be tested.
TIMING (Para 11 & 12)
 Test controls for the particular time, or throughout the period, for which the auditor intends to
rely on those controls
 If TOC was performed during an interim period,
 the auditor must check for significant changes to those controls subsequent to the interim period during the
Final audit and 34

 determine and perform the additional audit evidence to be obtained for the remaining period.
 SMU Classification: Restricted

GUIDANCE ON SAMPLING – HIGH RELIANCE

Seeking High Reliance on Control

Frequency of control Assumed population of Number of items to test*
controls occurrences
Annual Stock Take 1 1
Quarterly Annual Review of Budget 4against Actual 2
Monthly 12 2
Bank Reconciliation
Weekly 52 5
Inventory count
Daily 250 20
cash
Multiple times per day Over 250 25

*Based on statistics to achieve a certain level of confidence.

35
**Different audit firms may have different guidance, depending on their methodologies.
 SMU Classification: Restricted

REVIEW

You are auditing a firm with three trading bank accounts, one term deposit account and
one surplus cash account. 5 *3 = 15
The trading accounts reconciliations are performed weekly, the term deposit account is
reconciled quarterly, and the surplus cash account is reconciled monthly.
Through risk assessment procedures, auditors decide to place high reliance on controls.
Required: How many samples do you need for this reconciliation controls testing?

36
 SMU Classification: Restricted

DESIGNING AUDIT PROCEDURES

 Effective internal control  low CR
 Increased reliance on internal controls.
 Document a Walkthrough and perform Tests of Control
(TOC)
 If you have very good TOD results u can do
 TOC

 Ineffective internal control  high CR

 Reduced reliance on internal controls
 Document walkthrough but may not perform TOC as
there is no intention to reduce substantive audit
procedures
37
 SMU Classification: Restricted

EVALUATING THE RESULTS OF TOC [SSA330.17]

If deviations from controls upon which the auditor intends to rely are detected, the
auditor shall make specific inquiries to understand these matters and their potential
consequences, and shall determine whether:
a) The tests of controls that have been performed provide an appropriate basis for
reliance on the controls;
b) Additional tests of controls are necessary; or
c) The potential risks of misstatement need to be addressed using substantive
procedures.
38
SMU Classification: Restricted

WHAT DO YOU DO
WITH INTERNAL
CONTROL
DEFICIENCIES
UNCOVERED?
DISCUSSION

39
 SMU Classification: Restricted

QUESTION 5

HOW TO AUDIT
INFORMATION
SYSTEMS’ INTERNAL
CONTROLS? READING 4.2

40
SMU Classification: Restricted

COMPUTER-
AIDED AUDIT
TOOLS (CAAT)

41
 SMU Classification: Restricted

UNDERSTANDING IT RISKS AND CONTROLS (READING 4.2)

IT General Controls [SSA315.A173 & Appendix 6]

These controls operate across all applications and usually consist of a
mixture of automated controls and manual controls (such as IT access
control and review of IT reports)

IT Application Controls
Automated controls that relate specifically to applications (such as sales
processing and payroll processing) 42
 SMU Classification: Restricted

AUDITING INFORMATION SYSTEM

The auditor is required to understand: Examples

Sources of information used (e.g how do transactions • Access to different modules are restricted
originate within the entity’s business process?) • Log-ons using password or biometric

How is information captured and processed? (e.g what are • Activity logs which summarise transactions and
the financial reporting processes used to record the the personnel-in-charge
transactions?) • Backup procedures to safeguard data loss
• Cloud computing and data security

How the information produced is used? (e.g what reports • The algorithm for generation of monthly and
are produced by the system and how are they used to manage yearly financial reports.
the entity?) • Review of algorithm for generation of reports

43
 SMU Classification: Restricted

TEST OF IT APPLICATION CONTROLS

Processing Test data: Test specific controls in computer program as well as the logic and
procedural operations of the client’s computerised application.
Approaches
Integrated testing facility: Allows assessment of controls in the actual
environment in which transactions are usually processed.

Non- Program code review: reviewing the source program coding embedded within the
IT system as it will allow the identification of issues at source and not disrupt
processing clients' operations
approaches Review of job accounting data: reviews the printed log produced as jobs are run
and considers any excessive processing time, error conditions or abnormal halts.

44
 SMU Classification: Restricted

1. TEST DATA
APPROACH
Procedures:
 Auditor feed test data (simulated
transactions , both valid and
invalid) to client application.
 Ensure that testing application is
the actual program client is
using.
 Auditor compare the results of
a) Data which should be processed normally.
processing with the expectations.
 Completed during audit b) Data which should be rejected.
fieldwork (Interim or Final?) c) Data which triggers system alerts.

45
 SMU Classification: Restricted

REVIEW

Control under testing: number of payroll hours per week cannot exceed 50 hrs.

Required:
1. What are the 3 types of simulated data to be generated for the testing?
2. What are your expectations, based on the 3 types of simulated data?
3. What audit evidence does it provide, based on your results?

46
 SMU Classification: Restricted

2. INTEGRATED TEST FACILITY (ITF)

 Auditor create a dummy entity ( a record only

for auditor’s purpose) on live master file.
 Auditor enter transaction for processing by the
entity. These transactions are entered with
client’s live data and are processed in the same
way.
 The staff responsible for processing
transactions cannot distinguish the live
transactions from the auditor’s transaction.
 Can be done throughout the financial year, not
just during the audit.

47
 SMU Classification: Restricted

Test Data: inability to verify that it was working well THROUGHOUT the year as it was
performed during the audit fieldwork period.

ITF: very disruptive to the clients’ daily operations as there is a need to have "dummy transactions"
regularly inserted into their 'live' system, throughout the financial year. Will need to perform
additional work to remove dummy transactions before month-end closing.

Non-processing approaches: EA may not have the time and resources to perform this
approach. Client may not be keen to share their information systems access with auditors.

LIMITATIONS OF VARIOUS APPROACHES

48
SMU Classification: Restricted

SEMINAR 4
HOMEWORK –
FUNKY
FURNITURE PART 2
SINSWIM

SELF-PRACTICE:
JGR 3-17 & 20
(ANSWERS PROVIDED
ON ELEARN) 49