For many firms, the audit evidence that they obtain does not focus on a client’s internal systems and controls; rather, the work is focused on the substantive testing of the transactions and balances which make up the entity’s accounts. Consequently, many practitioners do not believe that they are required to spend much time documenting a client’s internal systems and controls, or indeed to test in any detail whether any of the controls actually operate in practice. However, to ignore this area will mean that the requirements of ISA 315: Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and its Environment are not complied with.
Required:
i) Explain the components of an internal control system in line with ISA 315. (5 marks)
The Control Environment
Control environment is the attitude toward internal control and control consciousness established and maintained by the management and the employees of an organization. It is a product of management’s philosophy, style and supportive attitude, as well as the competence, ethical values, integrity, and morale of the organization’s people. The organization structure and accountability relationships are key factors in the control environment.
Elements of the Control Environment
- Ethical Values and Integrity
- Management’s Operating Style and Philosophy
- Competence
- Morale
- Supportive Attitude
- Mission
- Structure
Risk Assessment
Risks are events that threaten the accomplishment of objectives. They ultimately impact an organization’s ability to accomplish its mission. Risk assessment is the process of identifying, evaluating and determining how to manage these events. At every level within an organization there are both internal and external risks that could prevent the accomplishment of established objectives. Ideally, management should seek to prevent these risks. However, sometimes management cannot prevent the risk from occurring. In such cases, management should decide whether to accept the risk, reduce the risk to acceptable levels, or avoid the risk. To have reasonable assurance that the organization will achieve its objectives, management should ensure each risk is assessed and handled properly.
- Assessing Risk (Ask the questions…)
– What obstacles could stand in the way of achieving your objective?
– What can go wrong?
– What is the worst thing that could happen?
– What is the worst thing that has happened?
– Are there new processes?
– Are there processes that have changed?
– Are there new goals and legislation?
– Are there staffing changes?
– What keeps you awake at night?
- Impact – Is generally beyond the organization’s control in the short-to-medium term.
- Likelihood – Is the main focus of an organization’s internal control.
- What are the possible risks in your area of operations and what is the likely impact of each?
- How to Deal With Risk
- Managing Risk
– Accept the risk: Do not establish control activities
– Prevent or reduce the risk: Establish control activities
– Avoid the risk: Do not carry out the function
- Preventing or Reducing Risk
– What is the cause of the risk?
– What is the cost of control vs. the cost of the unfavourable event?
– What is the priority of this risk?
Control Activities
Control activities are tools – both manual and automated – that help prevent or reduce the risks that can impede accomplishment of the organization’s objectives and mission. Management should establish control activities to effectively and efficiently accomplish the organization’s objectives and mission.
Examples of Control Activities
– Documentation
– Approval and Authorization
– Verification
– Supervision
– Separation of Duties
– Safeguarding Assets
– Reporting
– Computer Systems Controls
  o Backup and Disaster Recovery
  o Input Controls
  o Output Controls
Information and Communication Systems
Communication is the exchange of useful information between and among people and organizations to support decisions and coordinate activities. Within an organization, information should be communicated to management and other employees who need it in a form and within a time frame that helps them to carry out their responsibilities. Communication also takes place with outside parties such as customers, suppliers and regulators.
Elements of Communication
– Timeliness
– Sufficient but not excessive detail
– Appropriate to user
– Clear and open horizontal and vertical
Monitoring
Monitoring is the review of an organization’s activities and transactions to assess the quality of performance over time and to determine whether controls are effective. Management should focus monitoring efforts on internal control and achievement of organization objectives. For monitoring to be most effective, all employees need to understand the organization’s mission, objectives, and responsibilities and risk tolerance levels.
Major Areas for Monitoring
– Control Activities
– Mission
– Control Environment
– Communication
– Risks and Opportunities
– Results
ii) Why is the work on internal controls necessary when auditors take the substantive approach? (4 marks)
Some auditors question the value of the work ISAs require on evaluating the design and implementation of controls. The purpose of this work is to help auditors properly understand the business and, very specifically, to deal with any risks arising from poor internal controls. Performing the same substantive procedures, regardless of whether controls are designed, implemented and operated properly, poorly or not at all, ignores the following:
- ISAs require substantive procedures to be tailored to the assessed risks;
- a substantive approach often involves analytical procedures and if auditors ignore controls, they risk placing undue reliance on the information on which they perform the procedures, if it is produced by a poorly-controlled system;
- auditors may well miss something important in a key area if they do not understand that the controls over them are poor, and they may not be auditing in the most efficient manner possible if they do not understand that controls are good; and
- ISAs require auditors to obtain an understanding of the internal controls relevant to the audit by evaluating the design and implementation of those controls irrespective of the size and complexity of the client and regardless of the audit strategy.