Understanding and Assessing Internal Controls

Definition of Internal Controls

  • Internal controls are processes designed and implemented by governance, management, and personnel to provide reasonable assurance regarding:
    • Reliability of financial reporting.
    • Effectiveness and efficiency of operations.
    • Compliance with laws and regulations.
  • In essence, internal controls are the rules, policies, and procedures within an organization that guide appropriate conduct.
    • They prevent employees from engaging in undesirable actions.
    • They facilitate employees in performing their duties correctly.
  • Controls function by preventing, detecting, and correcting errors.

Audit Strategy and Internal Controls

  • Audit strategy is linked to internal controls when there is an intention to rely on them.
  • Risk of material misstatement comprises:
    • Inherent risk (addressed in the prior topic).
    • Control risk (the focus of this topic).
  • Acceptable detection risk is related to both inherent risk and control risk.

Control Risk Assessment

High Control Risk
  • If control risk is assessed as high:
    • The auditor does not plan to rely on internal controls.
    • This indicates a significant risk that internal controls will fail to prevent, detect, or correct material misstatements.
    • Consequently, the auditor would not depend on internal controls to ensure financial integrity.
Low Control Risk
  • If control risk is assessed as less than high (or low):
    • The auditor believes there's a low risk that internal controls will fail to prevent, detect, or correct material misstatements.
    • Internal controls could potentially be relied upon to safeguard financial integrity.
  • If control risk is deemed low, tests of controls are necessary to gather evidence that specific control activities have been consistently and effectively applied during the audit period.

Testing Data vs. Testing Controls

  • Auditors have two options:
    • Test the accuracy and reliability of data directly to reduce detection risk.
    • Evaluate internal controls to determine if accounting data was developed under conditions likely to ensure accuracy and reliability.
  • Obtaining evidence that control risk is low for specific assertions is an alternative to directly substantiating the data.
Testing Data Directly
  • Involves taking numbers from financial reports (balance sheet or income statement) and substantiating them.
  • This substantiation covers all relevant assertions (balance sheet assertions for balance sheet numbers, income statement assertions for income statement numbers).
Testing Controls
  • Involves testing the controls safeguarding financial report assertions.
  • If controls are believed to safeguard balance sheet assertions, the auditor can assume the numbers within the balance sheet are true and fair after successful testing of controls.

Objectives of Internal Control (Client's Responsibility)

  • Internal controls are implemented by the management team within the organization.
  • Objectives include:
    • Identifying and minimizing risks.
    • Promptly and accurately recording transactions.
    • Ensuring transactions are carried out according to management's authorization.
    • Limiting access to assets in accordance with management's authorization.
    • Safeguarding assets.
    • Complying with laws, rules, and regulations.
  • Internal controls aim to control employee behavior, preventing undesirable actions and facilitating correct actions.

Characteristics of Satisfactory Internal Controls

  • Controls to monitor and minimize business risk.
  • Proper segregation of incompatible duties.
  • System for authorizing, recording, and controlling assets, liabilities, revenues, and expenses.
  • Sound business practices relevant to each department.
    • Examples: prenumbered documents (EFTs, checks), sequence checks.
  • Matching responsibility with the capabilities and requirements of the individual.

Management Controls vs. Transaction Controls

Management Controls
  • Activities taken by senior management to mitigate strategic risks and promote effective decision-making and business efficiency.
  • Designed to provide overall indication that processes are functioning properly and to respond to risks promptly.
  • Examples: establishing and monitoring corporate governance policies, monitoring key performance indicators.
Transaction Controls
  • Performed by staff, employees, and lower-level managers as part of ordinary processes.
  • Focus on internal risks within systems and processes.
  • Deal with the reliability of accounting information and compliance with laws and regulations.
  • Examples: authorizations (including staggered authorization levels), sequence checks.

Components of Internal Control

  • Auditors need a thorough understanding of these components, especially when adopting a lower assessed level of control risk approach.
Control Environment
  • Represents management's overall attitude, awareness, and actions regarding internal control and its importance.
  • Often referred to as "tone at the top."
  • If management doesn't adhere to established rules and procedures, it sends a negative message regarding compliance.
Entity's Risk Assessment Process
  • Auditors need to understand how the client identifies and assesses risks, and their responses to these risks.
Information System
  • Effective information systems must:
    • Identify and record all valid transactions.
    • Resolve incorrect processing of transactions.
    • Account for system overrides.
    • Transfer information to the general ledger.
    • Capture information relevant to financial reporting for events and conditions other than transactions.
    • Present transactions and disclosures properly in the financial report.
    • Example: XBRL (standard business reporting) mapping.
Inherent Limitations of Information Systems
  • Controls can break down due to:
    • Carelessness or fatigue.
    • Taking shortcuts (human nature).
    • Management override (can be manipulated).
    • Non-routine transactions (internal controls not typically designed for these).
Control Activities
  • Added to accounting systems to ensure accurate and reliable data.
  • Include policies and procedures related to:
    • Performance reviews.
    • Information processing:
      • Application controls (specific programs like payroll, accounts payable).
      • General IT controls (login details, access restrictions).
    • Physical controls (locked storerooms, fireproof safes, keys).
    • Segregation of duties: no single person should be able to perpetrate and conceal errors or fraud.
      • Authorization, execution, custody, and recording should be separate.
Controls to Safeguard Assertions
  • Occurrence: Clear policies for authorization and approval.
    • Proper use of original record documents.
  • Completeness: Prenumbered documents and sequence checks.
    • Control totals.
    • Matching source documents (e.g., purchase orders to invoices).
  • Accuracy: Debits equal credits in a double-entry system.
    • Control totals or independent checks.
  • Cutoff: Policies to ensure transactions are recorded in the correct financial year.
    • System-generated controls and independent reviews.
  • Classification: Proper authorization and coding of transactions.
  • Presentation: Independent review of draft financial reports.
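
An added example (not part of the original notes) showing how the segregation-of-duties rule and the completeness and accuracy controls listed above can be checked mechanically over a batch of prenumbered documents. The voucher fields, staff names, amounts and declared control total are constructed assumptions for illustration.

```python
from collections import Counter

# The four duties the notes say should be held by different people.
ROLES = ("authorized_by", "executed_by", "custodian", "recorded_by")

def voucher(doc, auth, execu, cust, rec, debit, credit):
    return {"doc": doc, "authorized_by": auth, "executed_by": execu,
            "custodian": cust, "recorded_by": rec, "debit": debit, "credit": credit}

# Constructed sample batch of payment vouchers (amounts in cents); not real data.
BATCH = [
    voucher(1001, "alice", "bob", "dan", "carol", 50000, 50000),
    voucher(1002, "alice", "bob", "dan", "carol", 12500, 12500),
    voucher(1004, "erin", "erin", "dan", "carol", 99900, 99900),  # 1003 is missing
    voucher(1004, "alice", "bob", "dan", "carol", 99900, 99900),  # number reused
    voucher(1005, "alice", "bob", "dan", "bob", 30000, 3000),     # debit != credit
]
DECLARED_CONTROL_TOTAL = 192400  # total debits declared by the preparer (constructed)

def sequence_exceptions(batch):
    """Completeness: gaps and duplicates in the prenumbered series."""
    counts = Counter(v["doc"] for v in batch)
    missing = [n for n in range(min(counts), max(counts) + 1) if n not in counts]
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    return missing, duplicates

def sod_violations(batch):
    """Segregation of duties: one person holding more than one duty on a document."""
    found = []
    for v in batch:
        holders = Counter(v[r] for r in ROLES)
        for person, n in sorted(holders.items()):
            if n > 1:
                found.append((v["doc"], person, [r for r in ROLES if v[r] == person]))
    return found

def accuracy_exceptions(batch, declared_total):
    """Accuracy: debits equal credits per entry, and the batch agrees with its control total."""
    unbalanced = [v["doc"] for v in batch if v["debit"] != v["credit"]]
    difference = sum(v["debit"] for v in batch) - declared_total
    return unbalanced, difference

if __name__ == "__main__":
    print("sequence:", sequence_exceptions(BATCH))
    print("segregation of duties:", sod_violations(BATCH))
    print("accuracy:", accuracy_exceptions(BATCH, DECLARED_CONTROL_TOTAL))
```

Each exception is a prompt for follow-up, not proof of misstatement: the control-total difference here equals the amount on the reused document number, which is where an investigation would start.
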
Monitoring of Internal Control
  • Auditors need to understand how the entity monitors internal controls and initiates corrective actions.
  • Internal auditors often monitor activities.
  • External auditors must consider the objectivity, competence, and amount of judgment involved before relying on internal auditors' work.
  • The external auditor still needs to perform some independent verification.

Assessing Control Risk

  • Control risk is the risk that internal controls will fail to prevent or detect and correct material misstatements.
High Control Risk Assessment
  • Indicates controls are ineffective or don't exist.
  • Might occur when it's more efficient to use substantive tests directly.
  • May also be assessed when controls don't relate to the specific assertion in focus.
Low Control Risk Assessment
  • The auditor believes there's a low risk that controls will fail.
  • May improve audit efficiency.
  • Requires obtaining sufficient appropriate audit evidence to support the low-risk assessment.
  • Involves identifying specific control activities likely to prevent or detect material misstatements and performing tests of controls.
  • The process is followed for each material account balance or transaction class.
Effect of Control Risk on Substantive Tests
  • The assessment of control risk directly influences the planning of substantive tests.
  • Higher assessed control risk means less reliance on internal controls and more assurance needed from substantive tests.
Exception to the Rule: Mandatory Tests of Controls
  • Auditors must perform tests of controls if substantive procedures alone cannot provide sufficient appropriate audit evidence.
  • This often applies to routine recording of significant classes of transactions (revenues, purchases, cash receipts, cash payments).
  • These transactions are often highly automated with little manual intervention.
  • Testing controls enables testing of all transactions processed using the same program.
Example: Qantas
  • For companies like Qantas with a high volume of daily sales transactions, testing controls is more efficient and effective than substantive testing.

Three-Year Rule for Controls Testing (ASA 330)

  • Paragraph 14 addresses using audit evidence from previous audits.
  • Auditors must establish the continuing relevance and reliability of evidence by inquiring, observing, or inspecting for significant changes in controls.
  • If changes have occurred, tests of controls must be conducted in the current audit.
  • If no changes have occurred, controls must be tested at least once every three audits, with some controls tested each audit.
  • Paragraphs 38 and 39 clarify that the decision to rely on evidence from previous audits and the time between retesting is a matter of professional judgment.
  • Generally, the higher the risk of material misstatement or the greater the reliance on controls, the shorter the acceptable time period between retesting.