AUDIT procedures system and control

TOPIC SIX

 AUDIT PROCEDURES

By: Swedi Zakaria

6.1. Accounting System and Internal Control
Accounting system’ means the series of tasks and records of an entity by which transactions are processed as a means of maintaining financial records. Such systems identify, assemble, analyse, calculate, classify, record, summarise and report transactions and other events Internal control system’ comprises the control environment and control procedures. It includes all the policies and procedures (internal controls) adopted by the directors and management of an entity to assist in achieving their objective of ensuring, as far as practicable, the orderly and efficient conduct of its business, including adherence to internal policies, the safeguarding of assets, the prevention and detection of fraud and error, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information. Internal controls may be incorporated within computerised accounting systems. However, the internal control system extends beyond those matters which relate directly to the accounting system

Auditors are only concerned with those policies and procedures within the accounting and internal control systems that are relevant to the financial statement assertions. The understanding of relevant aspects of the accounting and internal control systems, together with the inherent and control risk assessments, enables auditors to: 

•      Assess the adequacy of the accounting system as a basis for preparing the financial statements; 

•      Identify the types of potential misstatements that could occur in the financial statements; 

•      consider factors that affect the risk of misstatements; and   Design appropriate audit procedures. 

When planning their audit, auditors consider the likelihood of error in the light of inherent risk and the system of internal control (control risk) in order to determine the extent of work (and hence the level of detection risk) required to satisfy themselves that the risk of error in the financial statements is sufficiently low

Accounting system and control environment 

Auditors obtain an understanding of the accounting system sufficient to enable them to identify and understand: 

(a)    major classes of transactions in the entity’s operations; 

(b)   how such transactions are initiated; 

(c)    significant accounting records, supporting documents and accounts in the financial statements; and 

(d)   the accounting and financial reporting process, from the initiation of significant transactions and other events to their inclusion in the financial statements

An understanding of the control environment enables auditors to assess the likely effectiveness of control procedures. A strong control environment, for example one with strong budgetary controls and an effective internal audit function, increases the effectiveness of control procedures. A small entity’s control environment may be strengthened by the close involvement of the directors, including their review of financial information

Based on their understanding of the accounting system and control environment, auditors can make a preliminary assessment of the adequacy of the system as a basis for the preparation of the financial statements, and of the likely mix of tests of control and substantive procedures. 

As control procedures are often incorporated within accounting systems, gathering information to obtain the understanding of the accounting system is likely to result in some understanding of specific control procedures. In any event, as the accounting system, control environment and control procedures are closely related, auditors often seek to obtain information about all the relevant aspects of the accounting and internal control systems (‘the systems’) as one exercise. However, in order to design and select the appropriate audit tests it may be necessary for them to undertake additional work to obtain a more detailed understanding of specific control procedures. 

When seeking an understanding of the accounting systems and control environment sufficient to plan the audit, auditors obtain a knowledge of the design and operation of the systems. This understanding also assists the auditors’ assessment of inherent risk. In order to obtain this knowledge, they often perform ‘walk-through tests’, that is tracing one or more transactions through the accounting system and observing the application of relevant aspects of the internal control system

The nature, timing and extent of the procedures performed by auditors to obtain an understanding of the systems vary with, among other things; 

●      materiality considerations; 

●      the size and complexity of the entity; 

●      their assessment of inherent risk; 

●      the complexity of the entity’s computer systems; 

●      the type of internal controls involved; and 

●      the nature of the entity’s documentation of specific internal controls. 

Usually, the auditors’ understanding of the systems is obtained through previous experience with the entity updated as necessary by: 

(a)     enquiries of appropriate supervisory and other personnel at various organisational levels within the entity, together with reference to documentation such as  procedures manuals, job descriptions and systems descriptions; 

(b)     inspection of relevant documents and records produced by the systems; and 

(c)     observation of the entity’s activities and operations, including the information technology function’s organisation, personnel performing control procedures and the nature of transaction processing.

6.2. Internal controls and their inherent limitations 

Nothing in this world is ever perfect. Unfortunately, internal control systems are no different. Internal controls, no matter how well designed and implemented, can only provide reasonable assurance regarding the achievement of intended objectives. However, despite these inherent limitations, the reasonable assurance that internal controls provide enables an agency to focus on reaching its objectives while minimizing undesirable events. Management awareness and mitigation of these inherent limitations is important to the overall success of the internal control system and to the success of the agency’s objectives.

Common inherent limitations that hinder the effectiveness of an internal control system are:

Cost vs. Benefit: 

The concept of reasonable assurance recognizes that the cost of internal controls should not exceed the benefits derived and also recognizes evaluation of these factors requires estimates and judgments. Prohibitive costs prevent management from implementing the perfect internal control system. Management accepts certain risks because the cost of preventing such risks cannot be justified.

When considering the cost versus benefit of implementing a specific control, management must weigh both tangible and intangible risks to the agency.

Inadequate Segregation of Duties

Division or segregation of duties among different employees is critical to reduce the risk of errors or inappropriate actions. Staff size limitations can make maintaining the necessary checks and balances of the duties relating to record keeping, custody, and authorization difficult. If ideal separation of duties is not possible, the use of compensating controls, such as independent reviews and oversight, can provide the necessary control.

Control Override

An internal control system is only as effective as the people who are responsible for its functioning. Consistent management override sends the message that standard procedures are not important. While exceptions to established policies are sometimes necessary to accomplish a specific task, they pose a significant risk if not monitored and limited.

Human Error

The effectiveness of an internal control system is limited by the reality that human beings are not perfect. Errors may occur due to employee carelessness, distraction, or fatigue. Decisions are often made under time pressures, based on limited information, and rely heavily on human judgment. Additionally, management may fail to anticipate certain risks and ultimately fail to design and implement appropriate controls to mitigate those risks.

Collusion

 Two or more employees acting together to perpetrate and conceal an action from detection can often circumvent the most effective system of internal control. One of the best deterrents and methods of curtailing collusion is a control environment that enforces written policies and procedures, appropriately monitors internal controls, provides reporting of suspicious activity, and educates employees about the consequences of fraud.

6.3. Internal Auditing Definition by IIA

Definition of Internal Auditing

The Definition of Internal Auditing states the fundamental purpose, nature, and scope of internal auditing.

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes (Institute of Internal Auditors)  

Internal Auditing is a managerial control which functions by measuring and evaluating the effectiveness of other controls. The overall objective of internal audit is to assist all members of management in the effective discharge of their functioning, by furnishing them with objective analysis, appraisals, recommendations and pertinent comments concerning the activities reviewed. The internal audit, in essence should be concerned with any phase of business activity wherein it can be of service to management. 

The concept of audit has undergone a sea change and the earlier objectives, viz., “fault finding” is no more relevant or management not interested in pursuing this. Internal Audit is a diverse and specialized function in various fields of auditing. It is a tool used to detect good, bad and the ugly. Internal Audit concept is an attempt to achieve an ideal combination of financial audit, operational auditing and reviews the plans for future. The Internal Audit, to be effective should provide three types of services PPC, viz., Preventive, Protective and Curative. 

•      In the preventive role, it forewarns the management of an adverse situation in advance;

•      It protects the management by the bringing to its notice the deficiencies in advance, before the external auditors point out; and 

•      As a curative function, it suggests remedial measures, thereby acting as a catalyst for change and action. 

6.4. External and Internal Auditors

Much of the work performed by a company’s internal audit function can overlap with the work conducted by the external auditor, specifically in areas dealing with the assessment of control processes. It is likely that in carrying out detailed work evaluating and reviewing the company’s internal control framework internal audit perform procedures on financial controls relevant to the external audit. As such, the external auditor, rather than duplicating these procedures, may be able to place reliance on the work carried out by the internal auditor. The International Standards On Auditing (ISAs) now highlight three ways in which internal auditors may be utilised by the external auditor in the audit of financial statements:

(i)                 Obtain information relevant to external auditor’s assessment of the risks of material misstatements due to error or fraud  ISA 315 “Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment”

(ii)               To use the internal auditors work in partial substitution for the audit evidence to be obtained by external auditor

(iii)             To use the internal audit evidence to perform audit procedures under the direction, supervision and review of the external auditor (i.e. provide direct assistance ISA 610) 

Internal auditors are the employees of the entity, which could result in threats to independence (either in fact or perceived) if direct assistance is provided by the internal auditors. On the other hand, the following benefits relating to provision of direct assistance by the internal auditors cannot be ignored:

•       There will be a strengthened relationship between the external and internal auditors through a more effective dialogue

•       With the knowledge of the internal auditors, the external auditor can gain additional insights into the entity

•       The external auditor can use internal auditors who may have relevant expertise in particular areas, and

•       The external audit team can focus on the more significant audit issues.

6.4.1. Guidance on Determining if it is Appropriate for Internal Auditors to Provide Direct Assistance

The external auditor, in the course of discharging their responsibilities must decide if it is appropriate in the circumstances to use internal audit to provide direct assistance. The ISA identifies a number of steps that the external auditor should work through when determining to what extent, if any, direct assistance can be provided.

Step 1: Prohibition by law or regulation

The external auditor may be prohibited by law or regulation from obtaining direct assistance from internal auditors; therefore, the first task is to understand the law or regulation of the jurisdiction in which the auditor is operating. In the United Kingdom (and Ireland) for example, the Financial Reporting Council (FRC) prohibits external auditors from using internal auditors as ‘direct assistance’ members of the audit team in order to enhance the principle of auditor independence. Consequently the guidelines in relation to direct assistance are irrelevant to audits conducted in accordance with ISAs (UK and Ireland).

Step 2A: Evaluation of the existence and significance of threats to objectivity of the internal auditors

This is considered as an important element in the external auditor’s judgment as to whether internal auditors can provide direct assistance. Objectivity is regarded as the ability to perform the tasks without allowing bias, conflict of interest or undue influence of others to override professional judgment. The following factors are relevant to the external auditor’s evaluation of objectivity

It should be noted that the main purpose here is to evaluate threats to objectivity. Take the first factor as an example – if evidence shows that the internal audit function’s organisational status supports the objectivity of the internal auditors, the external auditor will feel more comfortable using direct assistance from the internal auditors. The following situations are likely to support the objectivity of the internal auditors:

•       The internal audit function reports to those charged with governance (eg the audit committee) rather than solely to management (eg the chief finance officer) 

•       The internal audit function does not have managerial or operational duties that are outside of the internal audit function

•       The internal auditors are members of relevant professional bodies obligating their compliance with relevant professional standards relating to objectivity.

Step 2B: Evaluation of the level of competence of the internal auditors

Competence of the internal audit function is likely to be deemed satisfactory where it can be evidenced that the function as a whole operates at the level required to (i) enable assigned tasks to be performed diligently and (ii) in accordance with applicable professional standards. To make such evaluation, the external auditor can take into consideration the following factors:

•       Whether there are established policies for hiring, training and assigning internal auditors to internal audit engagements

•       Whether the internal auditors have adequate technical training and proficiency in auditing (eg with relevant professional designation and experience)

•       Whether the internal auditors possess the required knowledge relating to the entity’s financial reporting and the applicable financial reporting framework

•       Whether the internal audit function possesses the necessary skills (for example, industryspecific knowledge) to perform work related to the entity’s financial statements.

The above evaluation regarding the internal auditors’ objectivity and competence should not be new to candidates as it forms the basis for any assessment by the external auditor when determining if reliance can be placed on the work of internal auditors and as such the requirement for these evaluations has been present in previous versions of ISA 610. The external auditor should bear in mind that the assessment of competence and objectivity are of equal importance, and should be assessed individually and in aggregate. For example if the internal auditors are deemed appropriately competent but the external auditor identifies significant threats to objectivity it is unlikely that the external auditor will be able to use the internal auditors to provide direct assistance and vice versa.

6.4.2. Assessment of Internal Audit Function

An effective internal audit function may reduce, modify or alter the timing of external audit procedures but can never eliminate them entirely.

The external auditors will have to assess the internal audit function in the following aspects:

•      Organization status (reporting level and any constraints or restrictions on the function

•      Scope of the function (extent and nature of assignments performed and management action on internal audit reports)

•      Technical competence (training and proficiency)

•      Due professional care (whether internal audit is properly planned, supervised, reviewed and documented)

When the external auditors intend to use specific internal audit work, they should evaluate that work to confirm its adequacy for external audit purpose.

6.5. Working Papers

Working Papers are the material that auditors prepare or obtain and retain in connection with the performance of the audit. It may be in the form of data stored on paper, film, electronic media, or other media. They can also be used in court e.g. in case of negligent audit

6.5.1. Types of Working Papers 

Working papers are usually filed in 2 separate files:

 

6.5.1.1.Permanent Audit File (used more than one financial year and file is built only one)  It comprises matters of continuing importance affecting the audit such as: 

•      A permanent audit file normally includes

•      Information concerning the legal and organizational structure of the entity. In case of a company, this includes the memorandum and Article of association. In the case of a statutory corporation, this includes the act and regulations under which the corporation functions.

•      Extracts or copies of important legal documents, agreements and minute relevant to the audit.

•      A record of the study and the evaluation of the internal controls related to the accounting system. This might be in the form of narrative descriptions, questionnaires or flow charts, or some combination thereof.

•      Copies of audited financial statements for previous years.

•      Analysis of significant ratios and trends.

•      Copies of management letters issued by the auditor, if any.

•      Record of communication with the retiring auditor, if any, before acceptance of the appointment as auditor.

•      Notes regarding significant accounting policies.

•      Significant audit observations of earlier years.

6.5.1.2.Current Audit file (Pertain to a particular financial year)  It relates specifically to the audit of a particular set of accounts: 

♦ Correspondence relating to acceptance of annual reappointment.

♦ Extracts of important matters in the minutes of board meetings and general meetings as relevant to audit.

♦ Evidence of the planning of the audit and audit programme.

♦ Analysis of transactions and balances.

♦ A record of the nature, timing and extent of auditing procedures performed, and the results of such procedures.

♦ Evidence that the work performed by assistants was supervised and reviewed.

♦ Copies of communication with other auditors, experts and other third parties.

♦ Letters of representation or confirmation received from the client.

♦ Conclusions reached by the auditor concerning significant aspects of the audit, including the manner in which exceptions and unusual matters, if any, disclosed by the auditor’s procedures were resolved or treated.

♦ Copies of the financial information being reported on the related audit reports.

6.5.2. Confidentiality of working papers. 

Ø Should not be made available to third parties without client consent. 

Ø Appropriate procedures should be undertaken to maintain confidentiality and safe custody of working papers. 

Ø Should be retained for a sufficient period of time to meet regulatory requirements 

6.5.3. Content 

Each audit working paper must be headed with the following information:  Ø The name of the client. 

Ø The period covered by the audit. 

Ø The subject matter. 

Ø The file reference. 

Ø The initials (signature) of the member of staff who prepared the working paper, and the date on which it was prepared. 

Ø In the case of audit papers prepared by client staff, the date the working papers were received, and the initials of the audit team member who carried out the audit work.  Ø The initials of the member of staff who reviewed the working papers and the date which the review was carried out. 

6.5.4. Some characteristics of a good working paper  Ø State a clear audit objective. 

Ø State the name of client, subject matter, year/period end. 

Ø State the full extent of the test or audit objective. 

Ø Reference of linked documents. 

Ø How sample size were determined. 

Ø Clearly and objectively state the results of the test. 

Ø The conclusions reached should be consistent with result of the test. 

Ø Main reference. 

Ø Signed and dated by preparer. 

Ø Signed and date by reviewer. 

Ø Standards review by reviewed. 

6.5.5. Purpose of Working papers 

Ø Assist in the planning and performance of the audit. 

Ø Assist in the supervision and review of audit work. 

Ø Record the audit evidence resulting resulting from the audit work performed to support the auditors opinion. 

6.5.6. Importance of working papers. 

Ø Quality control purposes in respect of the audit. 

Ø Assurance: that the work delegated by the audit partner has been properly completed. 

Ø Evidence: that effective audit has been carried out. 

Ø 3Es: increase the economy, efficiency, and effectiveness of the audit. 

Ø Support auditor conclusion: contain sufficiently detailed and up to date facts which justify the reasonableness of the auditor’s conclusions. 

Ø Future audits: retain a record of matters of continuing significance to future audits 

              

TUTORIAL QUESTIONS

QUESTION ONE

State 4 matters that you would expect to find recorded in working papers in the permanent audit file and explain their purpose

QUESTION TWO

(i). Independent auditors should consider the work of internal auditors in their assessment of control risk. Are internal auditors independent of management? Explain.

(ii). What is the difference between the primary objective of the independent auditors and that of internal auditors? Explain.

(iii). Discuss the factors that should be considered by the independent auditors in deciding how much, if any, reliance should be placed on the work of the internal auditors

QUESTION THREE

Auditors are required to consider a client's internal control. 

a.    Describe the two purposes of the auditors' consideration of a client's internal control

b.    Even the best internal control has certain limitations. List three of those limitations

QUESTION FOUR

ISA 230 Audit Documentation establishes standards and provides guidance regarding documentation in the context of the audit of financial statements.

 Required: 

(a)    List the purposes of audit working papers. 

(b)   You have recently been promoted to audit manager in the audit firm of Kipepe & Co. As part of your new responsibilities, you have been placed in charge of the audit of 4U Movement Co, a long established audit client of Kipepe & Co. 4U Movement Co sells spectacles; the company owns 42 stores where customers can have their eyes tested and choose from a range of frames. 

Required: 

List the documentation that should be of assistance to you in familiarising yourself with 4U Movement Co. Describe the information you should expect to obtain from each document.

QUESTION FIVE

ISA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment states that an objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels, through understanding the entity and its environment, including its internal control, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement.

 Required:

(a) Explain why it is necessary for the auditor to understand an entity’s internal control system when assessing risk. 

(b) Explain and compare the use of internal control questionnaires and internal control evaluation questionnaires in obtaining an understanding of internal control.