Ch06 Internal Control System.docx

DOCUMENTING THE INTERNAL CONTROL SYSTEM Benefits of Internal Control to the entity Based on our previous studies we can now identify the following principal benefits that may arise for an entity from a sound system of internal control: Assurance that all transactions are completely and accurately processed. Confidence that only authorized transactions takes place. Assurance that adequate documentation supporting transactions is created and retained. Assurance that the company’s assets and liabilities are correctly stated, in order for them to make informed decisions on the operations of the business. Minimization of the risk of fraud and misappropriation of assets. Benefits of Internal Control to the auditor Of course, if the audit client benefits from a sound system of internal control, it is likely that the auditor will also be benefited. All of the above stated benefits help to promote a situation where the financial statements present a true and fair view. In simple terms, a good system of internal control will make life easier for the auditor. Auditor’s work on the Internal Control International standards on auditing emphasize the importance of internal control to the auditor by stating that auditor should: Obtain an understanding of the accounting and internal control system sufficient to plan the audit and develop an effective audit approach, and Use professional judgment to assess the components of audit risk and to design audit procedures to ensure it is reduced to an acceptably low level. At an early stage in their work auditors will have to decide the extent to which they wish to place reliance on the internal controls of the enterprise. As the audit proceeds, that decision will be kept under review and, depending on the results of their examination, they may decide to place more or less reliance on these controls. Categories of Internal Control These are often summarized by using the mnemonic SOAP MAPS as follows: Supervision Organization Arithmetic and Accounting Physical Management and Monitoring Authorization Personnel Segregation of duties Supervision There should be adequate supervision of work to ensure that controls are being complied with. Possible application: a supervisor or manager reviews and checks the work of a subordinate. Organization Enterprises should have a formal, documented organization structure with clear lines of responsibility. Possible application: lines of authority within an organization make it clear which individuals are responsible for decisions and transactions Arithmetic and Accounting The company should ensure that there are adequate controls to ensure the completeness and accuracy of its financial records. Fundamentals of Auditing Possible application: standard accounting procedures such as the use of control accounts, reconciliation procedures and the performance of arithmetic checks on accounting records. Physical There should be adequate physical control to ensure the security and safekeeping of its assets such as plant and machinery, valuable inventory items and cash. Possible application: banking cash immediately, controlling access to inventory areas; electronic tagging of inventory and portable non-current assets. Management and Monitoring There should be sufficient controls in existence to ensure management can effectively control the business operations. Possible application: the use of budgeting and standard costing systems; the establishment of an internal audit department f) Authorization All transactions should be authorized. Possible application: authorization of purchases, cash and bank payments, sale of non-current assets, sales to customers on credit, bad debt write offs. g) Personnel Employees should be appropriately qualified and of suitable caliber to perform the required tasks. Possible application: recruiting the right people for the job; training them effectively, motivating and rewarding employees in an appropriate way. Segregation of duties There should be an appropriate division of responsibilities to reduce the opportunity for fraud and manipulation. This is a fundamental control procedure designed to ensure that one person does not have sole charge of a transaction from beginning till end. Perfect segregation of duties exists where each of the main stages in a transaction are under the control of a different person. Possible application: Consider an inventory purchasing system in a manufacturing company: Stage Documentation Responsibility Initiation Stores requisition Stores keeper Authorization Purchase order Purchasing officer Custody Goods received note Receiving officer Recording Invoice Account department Documenting the system Documenting the system is an extremely important stage in the audit; Auditing standards state that in planning the audit, auditors should obtain and document an understanding of the accounting system and control environment sufficient to determine their audit approach. The various methods of ascertaining and recording the system may be summarized as follows: Organization chart Narrative notes Flowcharts Internal control questionnaires (ICQs) Internal control evaluation checklists (ICEC) -2953-183100 Organization Chart Production Factory Purchases Chief Manager Accountant Accounts Planning Manager Controller Managing Director Production Sales Finance Director Director Director Distribution Advertising Manager Manger Narrative Notes This is a simple and apparently convenient way of describing systems. Having ascertained the system, the auditor draws up a narrative description of it for the audit files. An example might be: Sales invoices are prepared by Mr._____ They are checked by Mr. _____ and then passed to Mr. _____ for recording in the customer’s account in the sales ledger etc. Shortcomings of the method: Notes can take up a disproportionate amount of space Notes may be difficult to interpret What happens it personnel change? Flowcharts This is becoming an increasingly widely used technique for recording accounting systems in audit files. A flowchart is a diagrammatical representation of an accounting system. A good flowchart will be supplemented with narrative. Flowcharts have the following advantages: They portray the flow of documents through the system and enable the auditor to relate those movements with procedures and checks carried out as part of that system. They show the movement of documents in such a way that, when properly prepared, the sources and destinations of all documents will be clear. They help to highlight weaknesses in the control of the business. They enable audit tests to be clearly related to weaknesses in the accounting system. Standard symbols are used to represent documents, operations and checks carried out. Flow lines are used to join up the symbols and represent the movement of documents. Dotted lines are used to represent the flow of information between documents. Essentials of flowchart Internal control evaluation flowcharts must highlight the following: the sequence of operations happening to each document (e.g. authorization, checking, matching, filing) thesegregation of staff duties and who is responsible for each operation. Fundamentals of Auditing Symbols used in manual systems flowcharts • A document • A multi-part set of documents • Pre-numbered document N • A book of account • An operation performed on a document • A check performed on a document • Filing a book or document 3404870-18472153519170-8959852376170-579755 Document flow 2371725-86995 • Information flow 29476701473202257425-92710 • Connector with another page/flow-line Fundamentals of Auditing 01905 Flowchart of purchases Narratives: 1 Requisition note raised when goods are at a pre-set re-order level. Order quantity is pre-determined by use of a copy of the previous purchase order. 2 Signed by store manager. 3 Buyer checks authorization. 4 Purchase order set prepared. 8 P02 filed temporarily to act as a check on overdue deliveries. 10 P04 and P05 are filed until goods are received. 11 Weekly check on overdue deliveries. 12 Goods checked to PO to ensure they are in agreement. 13 If not damaged, goods are accepted and a goods received note set is raised. Where quantity received is below order a shortage memo set is also raised and a note made on the purchase order. 14 P05 is sent back to the warehouse to act as the next requisition note. Commentary on the above flowchart All operations and checks are positioned on vertical lines within a particular department. Horizontal lines show the movement of a document between departments. In practice the flowchart would continue, dealing with the processing of the purchase invoice/credit note/day books/payables ledger/cash book etc. The flow-lines at the bottom of the page would continue to page 2 of the flowchart. Note that the narrative to the flowchart does not deal with all of the operation numbers since some should be self-explanatory e.g. operation 9 represents the numerical filing of P03 in the buying department. EVALUATING THE INTERNAL CONTROL SYSTEM Flow Charts and Internal Control Questionnaires: Use of the major symbols in flow charts The Document symbol Each document in the flowchart should have a vertical flow-line. Such vertical flow-lines represent a movement in time within a particular department. When the document is moved to another department, this movement in position will be represented by a horizontal line; departments are therefore listed across the page. 671195-304803691862185290 Here the document is originated in Dept A. It is moved to Dept B, then Dept D and then Dept C. Note that only vertical and horizontal lines areused, never diagonal lines. The Operation symbol Various operations will be performed on a document. It will, for instance: be prepared, added up, used to prepare other documents, etc. Any operation, other than a check function, is represented by the cross symbol. Each operation symbol should be supported by a brief narrative explaining the nature of the operation. 254889097155001708159779000 Invoice Kamran totals the invoice Note that the operation symbol is positioned on a vertical flow-line. It should never appear on ahorizontal flow-line since that would suggest in this case that Kamran totals the invoice while it is moving from one department to another. Depicting multi-part sets of documents Requisition Note Rauf prepares Purchase purchase order sets order Note that each part of the set must have a flow-line emanating from it. In this example; PO1 is sent to the supplier, PO2 goes off to another department and PO3 is filed numerically Preliminary Evaluation of the System Having ascertained, confirmed and recorded the system, the auditor now needs to carry out a preliminary evaluation of the system in order to make a decision as to whether he will: Rely on internal controls and adopt a systems audit approach, or, Perform extensive substantive testing. Using a verification approach to the audit. Internal Control Questionnaire Features: Used in large company audit Used to place reliance on internal controls Used to design audit approach Definition: An ICQ is a formal and usually standardized document which comprises: A list of internal controls in existence and Highlights any weaknesses. Objectives: To ascertain a clients systems of accounting and internal control To evaluate the control system thus recorded, and hence To identify those controls which indicate strengths in the system upon which the auditor will seek to place reliance, and To identify those areas over which there are weak or no controls and which therefore must be subjected to more extensive substantive testing and reported by inclusion in the Management Letter. Construction of an ICQ It is good practice when designing ICQs to state, as a brief introduction: A list of control objectives which each sub-system under consideration should seek to achieve Any business considerations specific to the enterprise under review which should be taken into account. The reason for this is essentially to highlight for the audit staff key areas for their consideration to the audit staff. The questions in an ICQ should be designed to ascertain whether the control objectives are being achieved and should therefore cover such aspects as: Instructions given to staff in the performance of their duties Authorization procedures Documents and procedures used to originate transactions Recording procedures Sequence of procedures Custody procedures Relative independence of the persons involved at each stage of a transaction (i.e. segregation of duties). The questions should be framed such that a Yes/No answer is given, with a No answer usually indicating a control weakness. IV) An ICQ should carry such basic information as: The name of the document (ICQ) the system to which it relates (e.g. purchasing cycle) the client to whom it relates the accounting period under review evidence of who has prepared and reviewed the document the provision of columns for: Yes and No answers comments where neither Yes or No are applicable indicating the significance or otherwise of apparent weaknesses references to audit programs references to Management Letters. Having ascertained, confirmed and recorded the system, the auditor now needs to carry out a preliminary evaluation of the system in order to make a decision as to whether he will: Rely on internal controls and adopt a systems audit approach, or, Perform extensive substantive testing. Using a verification approach to the audit. Internal Control Questionnaire An ICQ is a formal and usually standardized document which comprises: A list of internal controls in existence and Highlights any weaknesses. Features: Used in large company audit Used to place reliance on internal controls Used to design audit approach Objectives: To ascertain a clients systems of accounting and internal control To evaluate the control system thus recorded, and hence To identify those controls which indicate strengths in the system upon which the auditor will seek to place reliance, and To identify those areas over which there are weak or no controls and which therefore must be subjected to more extensive substantive testing and reported by inclusion in the Management Letter. Construction of an ICQ It is good practice when designing ICQs to state, as a brief introduction: a list of control objectives which each sub-system under consideration should seek to achieve any business considerations specific to the enterprise under review which should be taken into account. The reason for this is essentially to highlight for the audit staff key areas for their consideration to the audit staff. II) The questions in an ICQ should be designed to ascertain whether the control objectives are being achieved and should therefore cover such aspects as: instructions given to staff in the performance of their duties authorization procedures documents and procedures used to originate transactions recording procedures sequence of procedures custody procedures relative independence of the persons involved at each stage of a transaction (i.e. segregation of duties). The questions should be framed such that a Yes/No answer is given, with a No answer usually indicating a control weakness. (IV) An ICQ should carry such basic information as: the name of the document (ICQ) the system to which it relates (e.g. purchasing cycle) the client to whom it relates the accounting period under review evidence of who has prepared and reviewed the document the provision of columns for: Yes and No answers comments where neither Yes or No are applicable indicating the significance or otherwise of apparent weaknesses references to audit programs references to Management Letters. Example of part of an ICQ INTERNAL CONTROL QUESTIONNAIRE Prepared by: ________ Date: ________ CLIENT: ___________ PERIOD: _____ Reviewed by:________ Date: ________ THE PURCHASING CYCLE Control objectives. Business considerations. The questionnaire Control objectives To ensure that: Purchased goods/services are ordered under proper authorities and procedures Purchased goods/services are only ordered as necessary for the proper conduct of the business operations and are ordered to suitable suppliers Goods/services received are effectively inspected for quality, quantity and condition Invoices and related documentation are properly checked and approved as being valid before being entered as trade payables All transactions relating to trade payables are valid (suppliers invoices, credit notes and adjustments), and only those valid transactions should be accurately recorded in the accounting records. Business considerations Points Nature of the company’s purchases. The existence of a purchasing department. The company’s purchasing policy. The selection of suppliers. Effect on audit procedures and on financial statements Auditor must be aware of the Varying nature of goods purchased. As far as possible ordering should be centralized. The fixing of minimum/maximum Inventory and re-order levels should ensure efficient control. However, buying in bulk, with resulting higher inventory levels may be part of a company policy to reduce unit costs, in which case inventory obsolescence and storage cost problems may arise. - The purchasing department should maintain a supplier’s register to record past purchases, prices, and satisfaction received etc. The constant seeking of alternative sources of supply at keener prices is an indication of efficient management (C) Questionnaire Initiation and authorization Yes/ No Comments References Are standard (Purchase) order forms (SOFs) issued showing names of suppliers, quantities ordered and prices? Are copies of SOFs retained on file? Who authorizes orders and what are their authority limits? Are the persons in 3 above independent of those who issue requisitions? Is a record kept, of orders placed but not executed? (If yes, specify type of record kept and filing sequence). Custody Are goods from suppliers inspected on arrival as to quantity and quality? How is the receipt of supplies recorded (e.g. by Goods Received Notes)? Are these records prepared by a person independent of those responsible for: ordering functions? processing and recording? Criticism on ICQs ICQs represent an attempt at a formalized, systematic, approach to the audit of large complex organizations. It is however increasingly apparent that such questionnaires can become too complex, lengthy and detailed for meaningful evaluation of accounting systems. There is a danger that ICQs can provoke too formalized an approach to an assignment; that will be concentrating as they do on the controls themselves rather than upon the fraud or irregularity that the controlsare designed to prevent. Internal Control Evaluation Checklists To overcome the above discussed possible shortcomings, many auditing practices have amended their approach to internal control evaluation by the adoption of a different type of document, Internal ControlEvaluation Checklists (ICEC). The ICEC is designed to determine; whether desirable internal controls are present?, using key control questions to ascertain where specific frauds or errors are possible. It is normally employed where system’s information has already been recorded (usually in the form of flowcharts). Key questions are asked in an ICEC, the answers to which prompt further supplementary questions. Reference is made to a supporting flowchart which is the means of ascertaining the existing systems. This makes the ICEC document shorter and less complex, but it may require more skill and judgment on the part of the auditor to interpret the completed form. Note that virtually all the rules applicable to the construction of an ICQ apply to the construction of an ICEC. Fundamentals of Auditing Example of ICEC INTERNAL CONTROL EVALUATION CHECKLIST Prepared by: ________ Date: ________ CLIENT: ___________ PERIOD: _____ Reviewed by:________ Date: ________ PURCHASES – PAYABLES – PAYMENTS Control objectives. Business considerations. The checklist Control Objectives As per ICQ Business Consideration As per ICQ The Checklist 1 Purchase Comment Referene Can goods be purchased without authority? (a) purchase requisitions and order approvals? (b) limit of buyers authority to order? (c) purchasing segregated from receiving, accounts payable and inventory records? (d) un issued orders safeguarded against loss? Can liabilities be incurred although goods not received? (a) receiving segregated from purchasing, accounts payable and inventory records? (b) are all goods passed directly to stores? (c) GRNs or equivalent prepared independently? (d) adequate comparison with order, claims for short shipment etc? (e) invoices, GRNs, direct to accounts payable not purchasing? (f) invoices checked to order and GRNs, prices checked? (g) check of extensions, additions, discounts? (h) documents cancelled to prevent re-use? (i) unmatched documents investigated regularly? (j) freight checked, bills matched to consignments? (k) purchase returns and allowances controlled - follow-up? (I) forward purchases controlled? Can cut-off errors occur? time lapse from receipt of goods to invoice processing? valuation of unmatched GRNs? adequate control and recording of receipts? 1.4 Can invoices be wrongly allocated? Nominal ledger analysis? Analysis independently checked? Staff purchases controlled? Independent and regular review? Fundamentals of Auditing 1.5 Can liabilities be recorded for goods or services not ordered? goods received without authority? 2 Payables 2.1 Can liabilities be incurred but not recorded? payables balances agreed periodically? suppliers statements independently reconciled? invoice register? forward contracts? order backlog follow up? debit balances controlled? 3 Payments 3.1 Can payments be made if not properly supported? discounts taken? control over invoices before validating complete? cheque signatories independent of purchasing, receiving, accounts payable and cheque preparation? signatories examine support for payment, check completeness, cancel support? control over signature plates or pre-signed cheques? control where one signature? frequency with which cheques mailed? independent regular bank reconciliation, with cheques directly from bank and review reconciliation? cheques crossed account payee only, continuity accounted for, control over unused cheques? bank transfers controlled - standing orders? issue of bearer or cash’ cheques? (I) advances and loans controlled? (m) bank transfer payments, traders credits, direct debits? Can payments for non-routine purchases be made if not authorized or properly supported? (a) services, expense accounts, taxation paymentsin advance, staff purchases and goods on consignment? Can non-current assets be acquired or removed without proper authorization and recording? (a) approved work orders for non-current assetsand major repairs? (b) approval of cost over-runs? (c) reporting of scrapping or disposals? (d) detailed non-current asset register, regular physical inspection and review of values? (e) periodic insurance appraisals, adequate coverage? (f) control over loose tools? Limitations of the effectiveness of Internal Control It is possible to reduce the volume of transaction testing required in conducting an audit if the internal controls are sound and are operating effectively, but it is not likely that an auditor will be able to rely on internal controls entirely. This is because all control systems have inherent limitations such as: The need to balance the cost of the control with its benefits The fact that internal controls are applied to regular, recurring transactions, not one off year-end adjustments or unusual transactions, which are often large and subject to error. The potential for human error The possibility of fraudulent collusion (two or more persons operating together) to ‘get round’ controls that segregate duties. For example; the supervisor responsible for checking and authorizing overtime claims could collude with employees, to enable excess overtime payments to be claimed. The abuse of authority and override of controls by senior managers or the owners of the business. Abuse of authority might involve ordering personal goods through the firm. It is very easy for directors and managers of organizations of any size to instruct staff to bypass normal procedures such as the requirement for authorization for payments. The obsolescence of controls which have not changed to reflect changes in the business activities or organization. In practice, the training of auditors always involves a warning never to rely on internal controls entirely, no matter how effective they may appear to be. Hence some verification of transactions is always carried out as part of the auditor’s work.