Internal Control
a process designed, implemented and maintained by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of an entity's objectives with regard to:
- Effectiveness and Efficiency of Operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations.
Company's Objectives
- Effectiveness and Efficiency of Operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations.
Reasons for Internal Controls
- minimising the company's business risks
- ensuring the continuing effective functioning of the company
- ensuring the company complies with relevant laws and regulations
Objectives of Internal Controls
SCREAM
- Safeguard assets
- Compliance
- Reduce fraud
- Effective Business
- Accurate Financial Reporting
- Minimise the business risk
Limitations of Internal Controls
- expense
- human element
- collusion
- unusual transactions
Limitations of IC (Expense)
controls can be expensive and there may be no cost benefit of operating.
benefit of cost can outweigh the risk.
Limitations of IC (Human Element)
controls are only as good as the person operating them.
if a mistake is made when implementing the controls, the control may be ineffective.
Limitations of IC (Collusion)
two or more people working together to bypass a control.
Limitations of IC (Unusual Transactions)
designed to deal with what routinely happens.
Control Environment
the control environment deals with the 3As of those who are charged with governance and management concerning the internal controls.
- attitude
- awareness
- actions
Strength of Control Environment
- very important to auditors
- a strong control environment = auditors will rely on the control systems more than they would if it were weak.
Audit Committees
a sub-committee of the board of directors responsible for overseeing an entity's internal control structure, financial reporting and compliance with relevant laws and regulations.
- compulsory for listed companies
- senior body whose role is to review
Non Executive Directors - EA
- overseeing the external auditors
- appointing and removing the external auditors.
- ensuring the integrity of the financial statements
- review the objectivity of the external auditor
- review the non audit services offered
Non Executive Directors - IA
- ensuring internal controls and risk management are robust
- receiving the internal audit
- monitor and review the effectiveness of the internal audit
Business Risk
- significant conditions that could adversely affect an entity's ability to achieve its objectives
- business risk can become audit risk
Entity's Risk Assessment Process
- identification of business risks
- estimate impact + assess likelihood
- actions to manage
Information System and Communication
- procedures by which transactions are initiated, recorded, processed, corrected, and reported.
- how systems capture events and transactions.
- auditor will be concerned with the reliability of these systems.
Control Activities
- activities initiated by those charged with governance to safeguard the company assets by detecting and preventing fraud and error.
Preventative Control
- prevent an error occurring
Detective Control
- may identify that an error has occurred and correct it.
Types of Control Activity
PARIS V
- Physical or Logical Controls
- Authorisation and approvals
- Reconciliations
- Information Processing and General IT Controls
- Segregation of duties
- Verifications
Components of ICs
CRIME
CRIME: Control Activities
- safeguarding the company assets by detecting and preventing fraud
- PARIS V
CRIME: Risk
business risk can develop and become audit risk.
CRIME: Information Systems
reliability of a system; how this can affect the financial statement
CRIME: Monitoring
- internal audit department
- scrutinise the internal control systems
CRIME: Environment
the tone at the top, with the audit committee overseeing the ICs
PARIS V: Physical or Logical Controls
physical counting, locking and security of assets.
e.g. company safe is locked at all times.
PARIS V: Authorisation and approvals
approval of transactions and documents
e.g. overtime should be approved by department managers.
PARIS V: Reconciliations
comparing two or more data elements
e.g. comparing transactions in bank statement vs accounting systems.
PARIS V: Information processing and IT Controls
internal controls in a computerised environment include both manual procedures and procedures designed into computer programs
e.g. controls to check accuracy
PARIS V: Segregation of Duties
using different individuals for authorising, processing and maintaining custody of assets.
e.g. staff who record transactions cannot carry out reconciliations.
PARIS V: Segregation of Duties CARE
Custody
Authorisation
Recording
Execution of Transactions
PARIS V: Verifications
comparing an item with a policy and will involve a follow up action when there is a problem
e.g. comparing monthly expenses to budget = results in investigation of differences.
Information Processing Controls
manual or automated procedures that operate at a business process level.
can be preventative or detective in nature and are designed to ensure the integrity of information
- completeness, existence and accuracy
Information Processing Controls relate to
- input
- processing
- output data
IPC - Controls of Input Completeness
one-for-one checking of processed output to source documents and running exception reports.
IPC - Controls over Input Accuracy/Integrity
programs to check data fields:
- digit verification
- reasonableness test (e.g. VAT to total value)
- existence checks (e.g. customer name)
- character checks (no unexpected characters used in reference)
- permitted range (no transaction processed over a certain value)
IPC - Controls over Input Authorisation
manual and automatic checks to ensure information impact was:
- input authorised by personnel (e.g. password)
IPC - Controls over Processing of Inputs
e.g. screen warnings can prevent individuals from logging out.
IPC - Controls over master files and standing data
e.g. reviewing payroll records to individual employee personnel files.
General Controls
policies and procedures that relate to applications and support the function of the IPC by helping to ensure the continued proper operation of information systems.
GC - Development of Computer Applications
standards over systems design, programming and documentation
- full testing procedures prior to use
- approval by computer users and management
- training of staff in new procedures.
GC - Prevention or detection of unauthorised changes to programs
- password protection of programs so that access is limited to computer operation staff
- restricted access to central computer by locked doors, keypads
- virus checks on software: use of anti-virus software and policy prohibiting the use of non-authorised programs or files
GC - Testing and documentation of program changes
- complete testing procedures
- documentation of new systems
- approval of changes by computer users and management
GC - Controls to prevent unauthorised amendments to data files
such as passwords to prevent unauthorised entry, built in controls to permit changes.
GC - Controls to ensure continuity of company operations
- storing extra copies of programs and data files off-site
- protection of equipment against fire and other hazards
- back up power sources
- back up copies of programs being taken and stored in
Monitoring the system of ICs
- entities should review their overall internal controls to ensure that everything is running correctly, otherwise this could harm the efficiency.
- auditors will produce a management report at the end of the audit, outlining the deficiencies that have been identified in internal controls.
Obtaining information about ICs
- companies may have manuals of ICs and copies of IC policies
- record of what the controls were in prior years and therefore any prior deficiencies
- obtaining knowledge through talking to people who were previously involved with internal control and asking them what/why the controls have been implemented
- observing the control and how it is in action.
Recording of ICs
- narrative notes
- questionnaires and checklists
- diagrams
Recording of ICs: narrative notes
these are good for:
- short notes on simple systems
- background information
less good when things become more complex, when diagrams take over.
Recording of ICs: questionnaires and checklists
these are good for:
- aide-memoires to ensure you have all the bases covered.
but:
- mechanical approach means that extra information is not asked
- tick boxes often get ticked whether the brain is engaged or not.
Recording of ICs: diagrams
- flowcharts for complex systems
- organisational charts
- family trees relating the related party transactions.