Transcript
DOCUMENTING THE INTERNAL CONTROL SYSTEM
Benefits of Internal Control to the entity
Based on our previous studies we can now identify the following principal benefits that may arise for an entity from a sound system of internal control:
Assurance that all transactions are completely and accurately processed.
Confidence that only authorized transactions takes place.
Assurance that adequate documentation supporting transactions is created and retained.
Assurance that the company’s assets and liabilities are correctly stated, in order for them to make informed decisions on the operations of the business.
Minimization of the risk of fraud and misappropriation of assets.
Benefits of Internal Control to the auditor
Of course, if the audit client benefits from a sound system of internal control, it is likely that the auditor will also be benefited. All of the above stated benefits help to promote a situation where the financial statements present a true and fair view. In simple terms, a good system of internal control will make life easier for the auditor.
Auditor’s work on the Internal Control
International standards on auditing emphasize the importance of internal control to the auditor by stating that auditor should:
Obtain an understanding of the accounting and internal control system sufficient to plan the audit and develop an effective audit approach, and
Use professional judgment to assess the components of audit risk and to design audit procedures to ensure it is reduced to an acceptably low level.
At an early stage in their work auditors will have to decide the extent to which they wish to place reliance on the internal controls of the enterprise. As the audit proceeds, that decision will be kept under review and, depending on the results of their examination, they may decide to place more or less reliance on these controls.
Categories of Internal Control
These are often summarized by using the mnemonic SOAP MAPS as follows:
Supervision
Organization
Arithmetic and Accounting
Physical
Management and Monitoring
Authorization
Personnel
Segregation of duties
Supervision
There should be adequate supervision of work to ensure that controls are being complied with. Possible application: a supervisor or manager reviews and checks the work of a subordinate.
Organization
Enterprises should have a formal, documented organization structure with clear lines of responsibility.
Possible application: lines of authority within an organization make it clear which individuals are responsible for decisions and transactions
Arithmetic and Accounting
The company should ensure that there are adequate controls to ensure the completeness and accuracy of its financial records.
Fundamentals of Auditing
Possible application: standard accounting procedures such as the use of control accounts, reconciliation procedures and the performance of arithmetic checks on accounting records.
Physical
There should be adequate physical control to ensure the security and safekeeping of its assets such as plant and machinery, valuable inventory items and cash.
Possible application: banking cash immediately, controlling access to inventory areas; electronic tagging of inventory and portable non-current assets.
Management and Monitoring
There should be sufficient controls in existence to ensure management can effectively control the business operations.
Possible application: the use of budgeting and standard costing systems; the establishment of an internal audit department
f) Authorization
All transactions should be authorized.
Possible application: authorization of purchases, cash and bank payments, sale of non-current assets, sales to customers on credit, bad debt write offs.
g) Personnel
Employees should be appropriately qualified and of suitable caliber to perform the required tasks. Possible application: recruiting the right people for the job; training them effectively, motivating and rewarding employees in an appropriate way.
Segregation of duties
There should be an appropriate division of responsibilities to reduce the opportunity for fraud and manipulation.
This is a fundamental control procedure designed to ensure that one person does not have sole charge of a transaction from beginning till end. Perfect segregation of duties exists where each of the main stages in a transaction are under the control of a different person. Possible application:
Consider an inventory purchasing system in a manufacturing company:
Stage
Documentation
Responsibility
Initiation
Stores requisition
Stores keeper
Authorization
Purchase order
Purchasing officer
Custody
Goods received note
Receiving officer
Recording
Invoice
Account department
Documenting the system
Documenting the system is an extremely important stage in the audit;
Auditing standards state that in planning the audit, auditors should obtain and document an understanding of the accounting system and control environment sufficient to determine their audit approach.
The various methods of ascertaining and recording the system may be summarized as follows:
Organization chart
Narrative notes
Flowcharts
Internal control questionnaires (ICQs)
Internal control evaluation checklists (ICEC)
-2953-183100
Organization Chart
Production
Factory
Purchases
Chief
Manager
Accountant
Accounts
Planning
Manager
Controller
Managing Director
Production
Sales
Finance
Director
Director
Director
Distribution
Advertising
Manager
Manger
Narrative Notes
This is a simple and apparently convenient way of describing systems. Having ascertained the system, the auditor draws up a narrative description of it for the audit files. An example might be:
Sales invoices are prepared by Mr._____ They are checked by Mr. _____ and then passed to Mr. _____ for recording in the customer’s account in the sales ledger etc.
Shortcomings of the method:
Notes can take up a disproportionate amount of space
Notes may be difficult to interpret
What happens it personnel change?
Flowcharts
This is becoming an increasingly widely used technique for recording accounting systems in audit files. A flowchart is a diagrammatical representation of an accounting system.
A good flowchart will be supplemented with narrative. Flowcharts have the following advantages:
They portray the flow of documents through the system and enable the auditor to relate those movements with procedures and checks carried out as part of that system.
They show the movement of documents in such a way that, when properly prepared, the sources and destinations of all documents will be clear.
They help to highlight weaknesses in the control of the business.
They enable audit tests to be clearly related to weaknesses in the accounting system.
Standard symbols are used to represent documents, operations and checks carried out. Flow lines are used to join up the symbols and represent the movement of documents. Dotted lines are used to represent the flow of information between documents.
Essentials of flowchart
Internal control evaluation flowcharts must highlight the following:
the sequence of operations happening to each document (e.g. authorization, checking, matching, filing)
thesegregation of staff duties and who is responsible for each operation.
Fundamentals of Auditing
Symbols used in manual systems flowcharts
•
A document
• A multi-part set of documents
•
Pre-numbered document
N
• A book of account
• An operation performed on a document
• A check performed on a document
• Filing a book or document
3404870-18472153519170-8959852376170-579755
Document flow
2371725-86995
• Information flow
29476701473202257425-92710
• Connector with another page/flow-line
Fundamentals of Auditing
01905
Flowchart of purchases
Narratives:
1 Requisition note raised when goods are at a pre-set re-order level. Order quantity is pre-determined by use of a copy of the previous purchase order.
2 Signed by store manager.
3 Buyer checks authorization.
4 Purchase order set prepared.
8 P02 filed temporarily to act as a check on overdue deliveries.
10 P04 and P05 are filed until goods are received.
11 Weekly check on overdue deliveries.
12 Goods checked to PO to ensure they are in agreement.
13 If not damaged, goods are accepted and a goods received note set is raised. Where quantity received is below order a shortage memo set is also raised and a note made on the purchase order.
14 P05 is sent back to the warehouse to act as the next requisition note.
Commentary on the above flowchart
All operations and checks are positioned on vertical lines within a particular department.
Horizontal lines show the movement of a document between departments.
In practice the flowchart would continue, dealing with the processing of the purchase invoice/credit note/day books/payables ledger/cash book etc. The
flow-lines at the bottom of the page would continue to page 2 of the flowchart.
Note that the narrative to the flowchart does not deal with all of the operation numbers since some should be self-explanatory e.g. operation 9 represents the
numerical filing of P03 in the buying department.
EVALUATING THE INTERNAL CONTROL SYSTEM
Flow Charts and Internal Control Questionnaires: Use of the major symbols in flow charts
The Document symbol
Each document in the flowchart should have a vertical flow-line. Such vertical flow-lines represent a movement in time within a particular department. When the document is moved to another department, this movement in position will be represented by a horizontal line; departments are therefore listed across the page.
671195-304803691862185290
Here the document is originated in Dept A. It is moved to Dept B, then Dept D and then Dept C. Note that only vertical and horizontal lines areused, never diagonal lines.
The Operation symbol
Various operations will be performed on a document.
It will, for instance: be prepared, added up, used to prepare other documents, etc. Any operation, other than a check function, is represented by the cross symbol.
Each operation symbol should be supported by a brief narrative explaining the nature of the operation.
254889097155001708159779000
Invoice
Kamran totals the invoice
Note that the operation symbol is positioned on a vertical flow-line. It should never appear on ahorizontal flow-line since that would suggest in this case that Kamran totals the invoice while it is moving from one department to another.
Depicting multi-part sets of documents
Requisition
Note
Rauf prepares
Purchase
purchase order sets
order
Note that each part of the set must have a flow-line emanating from it. In this example; PO1 is sent to the supplier, PO2 goes off to another department and PO3 is filed numerically
Preliminary Evaluation of the System
Having ascertained, confirmed and recorded the system, the auditor now needs to carry out a preliminary evaluation of the system in order to make a decision as to whether he will:
Rely on internal controls and adopt a systems audit approach, or,
Perform extensive substantive testing. Using a verification approach to the audit.
Internal Control Questionnaire
Features:
Used in large company audit
Used to place reliance on internal controls
Used to design audit approach
Definition:
An ICQ is a formal and usually standardized document which comprises:
A list of internal controls in existence and
Highlights any weaknesses.
Objectives:
To ascertain a clients systems of accounting and internal control
To evaluate the control system thus recorded, and hence
To identify those controls which indicate strengths in the system upon which the auditor will seek to place reliance, and
To identify those areas over which there are weak or no controls and which therefore must be subjected to more extensive substantive testing and reported by inclusion in the
Management Letter.
Construction of an ICQ
It is good practice when designing ICQs to state, as a brief introduction:
A list of control objectives which each sub-system under consideration should seek to achieve
Any business considerations specific to the enterprise under review which should be taken into account.
The reason for this is essentially to highlight for the audit staff key areas for their consideration to the audit staff.
The questions in an ICQ should be designed to ascertain whether the control objectives are being achieved and should therefore cover such aspects as:
Instructions given to staff in the performance of their duties
Authorization procedures
Documents and procedures used to originate transactions
Recording procedures
Sequence of procedures
Custody procedures
Relative independence of the persons involved at each stage
of a transaction (i.e. segregation of duties).
The questions should be framed such that a Yes/No answer is given, with a No answer usually indicating a control weakness.
IV) An ICQ should carry such basic information as:
The name of the document (ICQ)
the system to which it relates (e.g. purchasing cycle)
the client to whom it relates
the accounting period under review
evidence of who has prepared and reviewed the document
the provision of columns for:
Yes and No answers
comments where neither Yes or No are applicable
indicating the significance or otherwise of apparent weaknesses
references to audit programs
references to Management Letters.
Having ascertained, confirmed and recorded the system, the auditor now needs to carry out a preliminary
evaluation of the system in order to make a decision as to whether he will:
Rely on internal controls and adopt a systems audit approach, or,
Perform extensive substantive testing. Using a verification approach to the audit.
Internal Control Questionnaire
An ICQ is a formal and usually standardized document which comprises:
A list of internal controls in existence and
Highlights any weaknesses.
Features:
Used in large company audit
Used to place reliance on internal controls
Used to design audit approach Objectives:
To ascertain a clients systems of accounting and internal control
To evaluate the control system thus recorded, and hence
To identify those controls which indicate strengths in the system upon which the auditor will seek to place reliance, and
To identify those areas over which there are weak or no controls and which therefore must be subjected to more extensive substantive testing and reported by inclusion in the Management Letter.
Construction of an ICQ
It is good practice when designing ICQs to state, as a brief introduction:
a list of control objectives which each sub-system under consideration should seek to achieve
any business considerations specific to the enterprise under review which should be taken into account.
The reason for this is essentially to highlight for the audit staff key areas for their consideration to the audit staff.
II) The questions in an ICQ should be designed to ascertain whether the control objectives are being achieved and should therefore cover such aspects as:
instructions given to staff in the performance of their duties
authorization procedures
documents and procedures used to originate transactions
recording procedures
sequence of procedures
custody procedures
relative independence of the persons involved at each stage of a transaction (i.e. segregation of duties).
The questions should be framed such that a Yes/No answer is given, with a No answer usually indicating a control weakness.
(IV) An ICQ should carry such basic information as:
the name of the document (ICQ)
the system to which it relates (e.g. purchasing cycle)
the client to whom it relates
the accounting period under review
evidence of who has prepared and reviewed the document
the provision of columns for:
Yes and No answers
comments where neither Yes or No are applicable
indicating the significance or otherwise of apparent weaknesses
references to audit programs
references to Management Letters.
Example of part of an ICQ
INTERNAL CONTROL QUESTIONNAIRE
Prepared by: ________ Date: ________
CLIENT: ___________ PERIOD: _____
Reviewed by:________ Date: ________
THE PURCHASING CYCLE
Control objectives.
Business considerations.
The questionnaire
Control objectives
To ensure that:
Purchased goods/services are ordered under proper authorities and procedures
Purchased goods/services are only ordered as necessary for the proper conduct of the business operations and are ordered to suitable suppliers
Goods/services received are effectively inspected for quality, quantity and condition
Invoices and related documentation are properly checked and approved as being valid before being entered as trade payables
All transactions relating to trade payables are valid (suppliers invoices, credit notes and adjustments), and only those valid transactions should be accurately recorded in the accounting records.
Business considerations
Points
Nature of the company’s purchases.
The existence of a purchasing department.
The company’s purchasing policy.
The selection of suppliers.
Effect on audit procedures and on financial statements
Auditor must be aware of the Varying nature of goods purchased.
As far as possible ordering should be centralized.
The fixing of minimum/maximum
Inventory and re-order levels should ensure efficient control. However, buying in bulk, with resulting higher inventory levels may be part of a company policy to reduce unit costs, in which case inventory obsolescence and storage cost problems may arise.
- The purchasing department should maintain a supplier’s register to record past purchases, prices, and satisfaction received etc. The constant seeking of alternative sources of supply at keener prices is an indication of efficient management
(C) Questionnaire
Initiation and authorization
Yes/ No
Comments References
Are standard (Purchase) order forms (SOFs) issued showing names of suppliers, quantities ordered and prices?
Are copies of SOFs retained on file?
Who authorizes orders and what are their authority limits?
Are the persons in 3 above independent of those who issue requisitions?
Is a record kept, of orders placed but not executed? (If yes, specify type of record kept and filing sequence).
Custody
Are goods from suppliers inspected on arrival as to quantity and quality?
How is the receipt of supplies recorded (e.g. by Goods Received Notes)?
Are these records prepared by a person independent of those responsible for:
ordering functions?
processing and
recording?
Criticism on ICQs
ICQs represent an attempt at a formalized, systematic, approach to the audit of large complex organizations.
It is however increasingly apparent that such questionnaires can become too complex, lengthy and detailed for meaningful evaluation of accounting systems.
There is a danger that ICQs can provoke too formalized an approach to an assignment; that will be concentrating as they do on the controls themselves rather than upon the fraud or irregularity that the controlsare designed to prevent.
Internal Control Evaluation Checklists
To overcome the above discussed possible shortcomings, many auditing practices have amended their approach to internal control evaluation by the adoption of a different type of document, Internal ControlEvaluation Checklists (ICEC).
The ICEC is designed to determine; whether desirable internal controls are present?, using key control questions to ascertain where specific frauds or errors are possible.
It is normally employed where system’s information has already been recorded (usually in the form of flowcharts).
Key questions are asked in an ICEC, the answers to which prompt further supplementary questions. Reference is made to a supporting flowchart which is the means of ascertaining the existing systems. This makes the ICEC document shorter and less complex, but it may require more skill and judgment on the part of the auditor to interpret the completed form.
Note that virtually all the rules applicable to the construction of an ICQ apply to the construction of an ICEC.
Fundamentals of Auditing
Example of ICEC
INTERNAL CONTROL EVALUATION CHECKLIST
Prepared by: ________
Date: ________
CLIENT: ___________
PERIOD: _____
Reviewed by:________
Date: ________
PURCHASES – PAYABLES – PAYMENTS
Control objectives.
Business considerations.
The checklist
Control Objectives
As per ICQ
Business Consideration
As per ICQ
The Checklist
1 Purchase
Comment Referene
Can goods be purchased without authority?
(a) purchase requisitions and order approvals?
(b) limit of buyers authority to order?
(c) purchasing segregated from receiving, accounts payable and inventory records?
(d) un issued orders safeguarded against loss?
Can liabilities be incurred although goods not received?
(a) receiving segregated from purchasing, accounts payable and inventory records?
(b) are all goods passed directly to stores?
(c) GRNs or equivalent prepared independently?
(d) adequate comparison with order, claims for short shipment etc?
(e) invoices, GRNs, direct to accounts payable not purchasing?
(f) invoices checked to order and GRNs, prices checked?
(g) check of extensions, additions, discounts?
(h) documents cancelled to prevent re-use?
(i) unmatched documents investigated regularly?
(j) freight checked, bills matched to consignments?
(k) purchase returns and allowances controlled - follow-up?
(I) forward purchases controlled?
Can cut-off errors occur?
time lapse from receipt of goods to invoice processing?
valuation of unmatched GRNs?
adequate control and recording of receipts?
1.4 Can invoices be wrongly allocated?
Nominal ledger analysis?
Analysis independently checked?
Staff purchases controlled?
Independent and regular review?
Fundamentals of Auditing
1.5 Can liabilities be recorded for goods or services not ordered?
goods received without authority?
2 Payables
2.1 Can liabilities be incurred but not recorded?
payables balances agreed periodically?
suppliers statements independently reconciled?
invoice register?
forward contracts?
order backlog follow up?
debit balances controlled?
3 Payments
3.1 Can payments be made if not properly supported?
discounts taken?
control over invoices before validating complete?
cheque signatories independent of purchasing, receiving, accounts payable and cheque preparation?
signatories examine support for payment, check completeness, cancel support?
control over signature plates or pre-signed cheques?
control where one signature?
frequency with which cheques mailed?
independent regular bank reconciliation, with
cheques directly from bank and review reconciliation?
cheques crossed account payee only, continuity accounted for, control over unused cheques?
bank transfers controlled - standing orders?
issue of bearer or cash’ cheques?
(I) advances and loans controlled?
(m) bank transfer payments, traders credits, direct debits?
Can payments for non-routine purchases be made if not authorized or properly supported?
(a) services, expense accounts, taxation paymentsin advance, staff purchases and goods on consignment?
Can non-current assets be acquired or removed without proper authorization and recording?
(a) approved work orders for non-current assetsand major repairs?
(b) approval of cost over-runs?
(c) reporting of scrapping or disposals?
(d) detailed non-current asset register, regular physical inspection and review of values?
(e) periodic insurance appraisals, adequate coverage?
(f) control over loose tools?
Limitations of the effectiveness of Internal Control
It is possible to reduce the volume of transaction testing required in conducting an audit if the internal controls are sound and are operating effectively, but it is not likely that an auditor will be able to rely on internal controls entirely. This is because all control systems have inherent limitations such as:
The need to balance the cost of the control with its benefits
The fact that internal controls are applied to regular, recurring transactions, not one off year-end adjustments or unusual transactions, which are often large and subject to error.
The potential for human error
The possibility of fraudulent collusion (two or more persons operating together) to ‘get round’ controls that segregate duties. For example; the supervisor responsible for checking and authorizing overtime claims could collude with employees, to enable excess overtime payments to be claimed.
The abuse of authority and override of controls by senior managers or the owners of the business. Abuse of authority might involve ordering personal goods through the firm. It is very easy for directors and managers of organizations of any size to instruct staff to bypass normal procedures such as the requirement for authorization for payments.
The obsolescence of controls which have not changed to reflect changes in the business
activities or organization.
In practice, the training of auditors always involves a warning never to rely on internal controls entirely, no matter how effective they may appear to be. Hence some verification of transactions is always carried out as part of the auditor’s work.