AUDIT PROCEDURES
By: Swedi Zakaria
6.1. Accounting System and Internal Control Accounting system’
means the series of tasks and records of an entity by which transactions are
processed as a means of maintaining financial records. Such systems identify,
assemble, analyse, calculate, classify, record, summarise and report
transactions and other events Internal control system’ comprises the control
environment and control procedures. It includes all the policies and procedures
(internal controls) adopted by the directors and management of an entity to
assist in achieving their objective of ensuring, as far as practicable, the
orderly and efficient conduct of its business, including adherence to internal
policies, the safeguarding of assets, the prevention and detection of fraud and
error, the accuracy and completeness of the accounting records, and the timely
preparation of reliable financial information. Internal controls may be
incorporated within computerised accounting systems. However, the internal
control system extends beyond those matters which relate directly to the
accounting system
Auditors are only concerned
with those policies and procedures within the accounting and internal control
systems that are relevant to the financial statement assertions. The
understanding of relevant aspects of the accounting and internal control systems,
together with the inherent and control risk assessments, enables auditors
to:
•
Assess the adequacy of the accounting system as
a basis for preparing the financial statements;
•
Identify the types of potential misstatements
that could occur in the financial statements;
•
consider factors that affect the risk of
misstatements; and Design appropriate audit
procedures.
When planning their audit,
auditors consider the likelihood of error in the light of inherent risk and the
system of internal control (control risk) in order to determine the extent of
work (and hence the level of detection risk) required to satisfy themselves
that the risk of error in the financial statements is sufficiently low
Accounting
system and control environment
Auditors obtain an
understanding of the accounting system sufficient to enable them to identify
and understand:
(a)
major classes of transactions in the entity’s
operations;
(b)
how such transactions are initiated;
(c)
significant accounting records, supporting documents
and accounts in the financial statements; and
(d)
the accounting and financial reporting process, from
the initiation of significant transactions and other events to their inclusion
in the financial statements
An understanding of the control
environment enables auditors to assess the likely effectiveness of control
procedures. A strong control environment, for example one with strong budgetary
controls and an effective internal audit function, increases the effectiveness
of control procedures. A small entity’s control environment may be strengthened
by the close involvement of the directors, including their review of financial
information
Based on their understanding of
the accounting system and control environment, auditors can make a preliminary
assessment of the adequacy of the system as a basis for the preparation of the
financial statements, and of the likely mix of tests of control and substantive
procedures.
As control procedures are often
incorporated within accounting systems, gathering information to obtain the
understanding of the accounting system is likely to result in some
understanding of specific control procedures. In any event, as the accounting
system, control environment and control procedures are closely related,
auditors often seek to obtain information about all the relevant aspects of the
accounting and internal control systems (‘the systems’) as one exercise.
However, in order to design and select the appropriate audit tests it may be
necessary for them to undertake additional work to obtain a more detailed
understanding of specific control procedures.
When seeking an understanding of
the accounting systems and control environment sufficient to plan the audit,
auditors obtain a knowledge of the design and operation of the systems. This
understanding also assists the auditors’ assessment of inherent risk. In order
to obtain this knowledge, they often perform ‘walk-through tests’, that is
tracing one or more transactions through the accounting system and observing
the application of relevant aspects of the internal control system
The nature, timing
and extent of the procedures performed by auditors to obtain an understanding
of the systems vary with, among other things;
●
materiality considerations;
●
the size and complexity of the entity;
●
their assessment of inherent risk;
●
the complexity of the entity’s computer systems;
●
the type of internal controls involved; and
●
the nature of the entity’s documentation of specific
internal controls.
Usually, the auditors’
understanding of the systems is obtained through previous experience with the
entity updated as necessary by:
(a)
enquiries of appropriate supervisory and other
personnel at various organisational levels within the entity, together with
reference to documentation such as
procedures manuals, job descriptions and systems descriptions;
(b)
inspection of relevant documents and records produced
by the systems; and
(c)
observation of the entity’s activities and operations,
including the information technology function’s organisation, personnel
performing control procedures and the nature of transaction processing.
6.2. Internal controls and their inherent
limitations
Nothing in this world is ever
perfect. Unfortunately, internal control systems are no different. Internal
controls, no matter how well designed and implemented, can only provide
reasonable assurance regarding the achievement of intended objectives. However,
despite these inherent limitations, the reasonable assurance that internal
controls provide enables an agency to focus on reaching its objectives while
minimizing undesirable events. Management awareness and mitigation of these
inherent limitations is important to the overall success of the internal
control system and to the success of the agency’s objectives.
Common inherent limitations that
hinder the effectiveness of an internal control system are:
Cost vs. Benefit:
The concept of reasonable
assurance recognizes that the cost of internal controls should not exceed the
benefits derived and also recognizes evaluation of these factors requires
estimates and judgments. Prohibitive costs prevent management from implementing
the perfect internal control system. Management accepts certain risks because
the cost of preventing such risks cannot be justified.
When considering the cost
versus benefit of implementing a specific control, management must weigh both
tangible and intangible risks to the agency.
Inadequate
Segregation of Duties
Division or segregation of
duties among different employees is critical to reduce the risk of errors or
inappropriate actions. Staff size limitations can make maintaining the necessary
checks and balances of the duties relating to record keeping, custody, and
authorization difficult. If ideal separation of duties is not possible, the use
of compensating controls, such as independent reviews and oversight, can
provide the necessary control.
Control Override
An internal control system is
only as effective as the people who are responsible for its functioning.
Consistent management override sends the message that standard procedures are
not important. While exceptions to established policies are sometimes necessary
to accomplish a specific task, they pose a significant risk if not monitored
and limited.
Human Error
The effectiveness of an
internal control system is limited by the reality that human beings are not
perfect. Errors may occur due to employee carelessness, distraction, or
fatigue. Decisions are often made under time pressures, based on limited
information, and rely heavily on human judgment. Additionally, management may
fail to anticipate certain risks and ultimately fail to design and implement
appropriate controls to mitigate those risks.
Collusion
Two or more employees acting together to
perpetrate and conceal an action from detection can often circumvent the most
effective system of internal control. One of the best deterrents and methods of
curtailing collusion is a control environment that enforces written policies
and procedures, appropriately monitors internal controls, provides reporting of
suspicious activity, and educates employees about the consequences of fraud.
6.3. Internal Auditing Definition by IIA
Definition
of Internal Auditing
The Definition of Internal
Auditing states the fundamental purpose, nature, and scope of internal
auditing.
Internal auditing is
an independent, objective assurance and consulting activity designed to add
value and improve an organization's operations. It helps an organization
accomplish its objectives by bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk management, control, and
governance processes (Institute of Internal Auditors)
Internal Auditing is a managerial control which functions by
measuring and evaluating the effectiveness of other controls. The overall
objective of internal audit is to assist all members of management in the
effective discharge of their functioning, by furnishing them with objective
analysis, appraisals, recommendations and pertinent comments concerning the
activities reviewed. The internal audit, in essence should be concerned with
any phase of business activity wherein it can be of service to management.
The concept of audit has undergone a sea change and the
earlier objectives, viz., “fault finding” is no more relevant or management not
interested in pursuing this. Internal Audit is a diverse and specialized
function in various fields of auditing. It is a tool used to detect good, bad
and the ugly. Internal Audit concept is an attempt to achieve an ideal
combination of financial audit, operational auditing and reviews the plans for
future. The Internal Audit, to be effective should provide three types of
services PPC, viz., Preventive, Protective and Curative.
•
In the preventive role, it forewarns the
management of an adverse situation in advance;
•
It protects the management by the bringing to
its notice the deficiencies in advance, before the external auditors point out;
and
•
As a curative function, it suggests remedial
measures, thereby acting as a catalyst for change and action.
6.4. External and Internal Auditors
Much of the work performed by a
company’s internal audit function can overlap with the work conducted by the
external auditor, specifically in areas dealing with the assessment of control
processes. It is likely that in carrying out detailed work evaluating and
reviewing the company’s internal control framework internal audit perform
procedures on financial controls relevant to the external audit. As such, the
external auditor, rather than duplicating these procedures, may be able to
place reliance on the work carried out by the internal auditor. The
International Standards On Auditing (ISAs) now highlight three ways in which
internal auditors may be utilised by the external auditor in the audit of
financial statements:
(i)
Obtain information relevant to external auditor’s
assessment of the risks of material misstatements due to error or fraud ISA 315 “Identifying and Assessing the Risks
of Material Misstatement through Understanding the Entity and Its Environment”
(ii)
To use the internal auditors work in partial
substitution for the audit evidence to be obtained by external auditor
(iii)
To use the internal audit evidence to perform audit
procedures under the direction, supervision and review of the external auditor
(i.e. provide direct assistance ISA 610)
Internal auditors are the employees of the entity, which could
result in threats to independence
(either in fact or perceived) if direct assistance is provided by the internal
auditors. On the other hand, the following benefits relating to provision of
direct assistance by the internal auditors cannot be ignored:
• There
will be a strengthened relationship
between the external and internal auditors through a more effective dialogue
• With
the knowledge of the internal
auditors, the external auditor can gain additional insights into the entity
• The
external auditor can use internal auditors who may have relevant expertise in particular areas, and
• The
external audit team can focus on the more
significant audit issues.
6.4.1. Guidance on Determining if it is
Appropriate for Internal Auditors to Provide Direct Assistance
The external auditor, in the course of discharging their
responsibilities must decide if it is appropriate in the circumstances to use
internal audit to provide direct assistance. The ISA identifies a number of
steps that the external auditor should work through when determining to what
extent, if any, direct assistance can be provided.
Step 1: Prohibition by law or regulation
The external auditor may be prohibited by law or regulation
from obtaining direct assistance from internal auditors; therefore, the first
task is to understand the law or regulation of the jurisdiction in which the
auditor is operating. In the United Kingdom (and Ireland) for example, the Financial
Reporting Council (FRC) prohibits external auditors from using internal
auditors as ‘direct assistance’ members of the audit team in order to enhance
the principle of auditor independence. Consequently the guidelines in relation
to direct assistance are irrelevant to audits conducted in accordance with ISAs
(UK and Ireland).
Step 2A: Evaluation of the existence and significance of threats to
objectivity of the internal auditors
This is considered as an
important element in the external auditor’s judgment as to whether internal
auditors can provide direct assistance. Objectivity is regarded as the ability
to perform the tasks without allowing bias, conflict of interest or undue
influence of others to override professional judgment. The following factors
are relevant to the external auditor’s evaluation of objectivity
It should be noted that the
main purpose here is to evaluate threats
to objectivity. Take the first factor as an example – if evidence shows
that the internal audit function’s organisational status supports the
objectivity of the internal auditors, the external auditor will feel more
comfortable using direct assistance from the internal auditors. The following
situations are likely to support the objectivity of the internal auditors:
• The
internal audit function reports to those charged with governance (eg the audit
committee) rather than solely to management (eg the chief finance officer)
• The
internal audit function does not have managerial or operational duties that are
outside of the internal audit function
• The
internal auditors are members of relevant professional bodies obligating their
compliance with relevant professional standards relating to objectivity.
Step
2B: Evaluation of the level of competence of the internal auditors
Competence of the internal audit function is likely to be
deemed satisfactory where it can be evidenced that the function as a whole
operates at the level required to (i) enable assigned tasks to be performed
diligently and (ii) in accordance with applicable professional standards. To
make such evaluation, the external auditor can take into consideration the
following factors:
• Whether
there are established policies for hiring,
training and assigning internal auditors to internal audit engagements
• Whether
the internal auditors have adequate technical training and proficiency in
auditing (eg with relevant professional designation and experience)
• Whether
the internal auditors possess the required knowledge relating to the entity’s
financial reporting and the applicable financial reporting framework
• Whether
the internal audit function possesses the necessary skills (for example,
industryspecific knowledge) to perform work related to the entity’s financial
statements.
The above evaluation regarding
the internal auditors’ objectivity and competence should not be new to
candidates as it forms the basis for any assessment by the external auditor
when determining if reliance can be placed on the work of internal auditors and
as such the requirement for these evaluations has been present in previous
versions of ISA 610. The external auditor should bear in mind that the
assessment of competence and objectivity are of equal importance, and should be
assessed individually and in aggregate. For example if the internal auditors
are deemed appropriately competent but the external auditor identifies
significant threats to objectivity it is unlikely that the external auditor
will be able to use the internal auditors to provide direct assistance and vice
versa.
6.4.2. Assessment of Internal Audit Function
An effective internal audit
function may reduce, modify or alter the timing of external audit procedures
but can never eliminate them entirely.
The external auditors will have
to assess the internal audit function in the following aspects:
•
Organization status (reporting level and any
constraints or restrictions on the function
•
Scope of the function (extent and nature of
assignments performed and management action on internal audit reports)
•
Technical competence (training and proficiency)
•
Due professional care (whether internal audit is
properly planned, supervised, reviewed and documented)
When the external auditors
intend to use specific internal audit work, they should evaluate that work to
confirm its adequacy for external audit purpose.
6.5. Working Papers
Working Papers are the material
that auditors prepare or obtain and retain in connection with the performance
of the audit. It may be in the form of data stored on paper, film, electronic
media, or other media. They can also be used in court e.g. in case of negligent
audit
6.5.1. Types of Working Papers
Working papers are usually filed in 2 separate files:
6.5.1.1.Permanent
Audit File (used more than one financial year and file is built only one) It comprises matters of continuing
importance affecting the audit such as:
•
A permanent audit file normally includes
•
Information concerning the legal and organizational
structure of the entity. In case of a company, this includes the memorandum and
Article of association. In the case of a statutory corporation, this includes
the act and regulations under which the corporation functions.
•
Extracts or copies of important legal documents,
agreements and minute relevant to the audit.
•
A record of the study and the evaluation of the
internal controls related to the accounting system. This might be in the form
of narrative descriptions, questionnaires or flow charts, or some combination
thereof.
•
Copies of audited financial statements for
previous years.
•
Analysis of significant ratios and trends.
•
Copies of management letters issued by the
auditor, if any.
•
Record of communication with the retiring
auditor, if any, before acceptance of the appointment as auditor.
•
Notes regarding significant accounting policies.
•
Significant audit observations of earlier years.
6.5.1.2.Current Audit file (Pertain to a particular financial
year) It relates specifically to the
audit of a particular set of accounts:
♦ Correspondence relating to
acceptance of annual reappointment.
♦ Extracts of
important matters in the minutes of board meetings and general meetings as
relevant to audit.
♦ Evidence of the planning of
the audit and audit programme.
♦ Analysis of transactions and
balances.
♦ A record of
the nature, timing and extent of auditing procedures performed, and the results
of such procedures.
♦ Evidence that the work
performed by assistants was supervised and reviewed.
♦ Copies of communication with
other auditors, experts and other third parties.
♦ Letters of representation or confirmation received from
the client.
♦ Conclusions
reached by the auditor concerning significant aspects of the audit, including
the manner in which exceptions and unusual matters, if any, disclosed by the
auditor’s procedures were resolved or treated.
♦ Copies of the financial
information being reported on the related audit reports.
6.5.2. Confidentiality of working papers.
Ø Should not be made available
to third parties without client consent.
Ø Appropriate procedures
should be undertaken to maintain confidentiality and safe custody of working
papers.
Ø Should be retained for a
sufficient period of time to meet regulatory requirements
6.5.3. Content
Each audit working paper must be
headed with the following information: Ø The name of the client.
Ø The period covered by the
audit.
Ø The subject matter.
Ø The file reference.
Ø The initials (signature) of
the member of staff who prepared the working paper, and the date on which it
was prepared.
Ø In the case of audit papers
prepared by client staff, the date the working papers were received, and the
initials of the audit team member who carried out the audit work. Ø The
initials of the member of staff who reviewed the working papers and the date
which the review was carried out.
6.5.4. Some characteristics of a good working
paper Ø State
a clear audit objective.
Ø State the name of client,
subject matter, year/period end.
Ø State the full extent of the
test or audit objective.
Ø Reference of linked
documents.
Ø How sample size were
determined.
Ø Clearly and objectively
state the results of the test.
Ø The conclusions reached
should be consistent with result of the test.
Ø Main reference.
Ø Signed and dated by
preparer.
Ø Signed and date by
reviewer.
Ø Standards review by
reviewed.
6.5.5. Purpose of Working papers
Ø Assist in the planning and
performance of the audit.
Ø Assist in the supervision
and review of audit work.
Ø Record the
audit evidence resulting resulting from the audit work performed to support the
auditors opinion.
6.5.6. Importance of working papers.
Ø Quality
control purposes in respect of the audit.
Ø Assurance:
that the work delegated by the audit partner has been properly completed.
Ø Evidence:
that effective audit has been carried out.
Ø 3Es:
increase the economy, efficiency, and effectiveness of the audit.
Ø Support
auditor conclusion: contain sufficiently detailed and up to date facts which
justify the reasonableness of the auditor’s conclusions.
Ø Future
audits: retain a record of matters of continuing significance to future
audits
TUTORIAL QUESTIONS
QUESTION ONE
State 4 matters that you would
expect to find recorded in working papers in the permanent audit file and
explain their purpose
QUESTION TWO
(i). Independent
auditors should consider the work of internal auditors in their assessment of
control risk. Are internal auditors independent of management? Explain.
(ii). What
is the difference between the primary objective of the independent auditors and
that of internal auditors? Explain.
(iii). Discuss the factors that should be
considered by the independent auditors in deciding how much, if any, reliance
should be placed on the work of the internal auditors
QUESTION THREE
Auditors are required to
consider a client's internal control.
a. Describe
the two purposes of the auditors' consideration of a client's internal control
b.
Even the best internal control has certain limitations.
List three of those limitations
QUESTION FOUR
ISA 230 Audit Documentation establishes standards and provides guidance
regarding documentation in the context of the audit of financial statements.
Required:
(a)
List the purposes of audit working papers.
(b)
You have recently been promoted to audit manager in the
audit firm of Kipepe & Co. As part of your new responsibilities, you have
been placed in charge of the audit of 4U Movement Co, a long established audit
client of Kipepe & Co. 4U Movement Co sells spectacles; the company owns 42
stores where customers can have their eyes tested and choose from a range of
frames.
Required:
List the documentation that should be of assistance to you
in familiarising yourself with 4U Movement Co. Describe the information you
should expect to obtain from each document.
QUESTION FIVE
ISA 315 Identifying and Assessing the Risks of Material Misstatement through
Understanding the Entity and its Environment states that an objective of
the auditor is to identify and assess the risks of material misstatement,
whether due to fraud or error, at the financial statement and assertion levels,
through understanding the entity and its environment, including its internal
control, thereby providing a basis for designing and implementing responses to
the assessed risks of material misstatement.
Required:
(a) Explain why it is
necessary for the auditor to understand an entity’s internal control system
when assessing risk.
(b) Explain and
compare the use of internal control questionnaires and internal control
evaluation questionnaires in obtaining an understanding of internal control.
0 comments:
Post a Comment