Auditing

Accounting Systems & Internal Control

Management Letters
Accounting Systems
Accounting systems are the processes a business uses to
record financial transactions on its financial statements (or
management information – e.g. monthly/quarterly financial
reports).

If the auditor can examine the accounting system, and show

that it is reliable and doing a good job, then the auditor can
be more comfortable that the financial statements are not
misstated.
Accounting Systems
The auditor needs to be concerned with a the accounting
system because:

– It is a Companies Act requirement that the auditor state

as part of the audit report if the directors have
maintained proper accounting systems.
– Accounting systems should capture the details of all
transactions of the company
– Reliable accounting systems reduce audit risk
Internal Controls
• Accounting systems need to have built in controls.
• Why? Things can go wrong without adequate checks,
authorisations and structures within the business.
• What can go wrong? A good question to ask yourself
when considering what controls are needed.
Accounting Systems

Accounting systems assist management with:

– Controlling the business
– Safeguarding the assets
– Maintaining proper accounting records
– Preparing the financial statements
– Preventing and detecting fraud
– Complying with legislation
Proper Accounting Records should
capture:
• All purchases and sales
• All receipts and payments of cash
• All assets and liabilities
• All inventory held

Accounting records should also:

• Disclose the financial position (e.g. net asset value or
profit/loss
• Enable the preparation of financial statements
Internal Controls

A system of accounting and record keeping will not succeed

in completely and accurately processing all transactions
unless internal controls are built into the system
Objectives of Internal Controls in Financial
Systems

• Reduce financial risk (e.g. risk of not making profit)

• Value for money
• Legality
• Ensure completeness of cash receipts
• Prevent payment errors
• Fraud and theft prevention
• Correct, up to date, record keeping
 Example

• A sales clerk receives a telephone order from a

customer, Hugh Smith, who asks for a delivery of 100
units of a company product, at a price of £50 per unit

• What is particularly risky (that is, what objectives

might fail to be met) about this transaction and
what procedures would be appropriate to reduce
the risks to an acceptable level?
Solution
Solution
Internal Control
“The auditor shall obtain an understanding of
internal control relevant to the audit”
This will allow:
• Understanding of internal control to identify types
of potential misstatements
• Consider factors that affect the risk of material
misstatement
• Design further audit procedures
ISA 315
Internal Control System
• Internal controls seek to ensure:
– adherence to internal policies
– safeguarding of assets
– prevention & detection of fraud & error
– accuracy & completeness of accounting records
– reliable financial information
– Minimising risk exposure
Internal Control System
Components of Internal Control:
1. The control environment
2. The entity’s risk assessment process
3. The information system
4. Control activities
5. Monitoring of controls

ISA 315
 Internal Control System

1 - The control environment:

The auditor shall obtain an understanding of
the control environment
The auditor shall evaluate whether:
 Management has created and maintained a
culture of honesty & ethical behaviour
 The control environment provides an appropriate
foundation for the other components of internal
control

ISA 315
 Internal Control System

2 - The entity’s risk assessment process:

The auditor shall obtain an understanding of
whether the entity has a process for:
Identifying business risks relevant to financial
reporting objectives;
Estimating the significance of the risks;
Assessing the likelihood of their occurrence;
and
Deciding about actions to address those risks

ISA 315
 Internal Control System

3 - The information system:

The auditor shall obtain an understanding of:
The major classes of transactions
Procedures for initiating, recording, processing
and correcting transactions
The accounting records and supporting
information
Financial reporting process to prepare the
financial statements
Controls surrounding journal entries
ISA 315
 Internal Control System

4 - Control activities:

“The auditor shall obtain an understanding of

control activities relevant to the audit, being
those the auditor judges it necessary to
understand in order to assess the risks of
material misstatement at the assertion level and
design further audit procedures responsive to
assessed risks”
ISA 315
 Internal Control System

4 - Control activities:

“Control activities are the policies and

procedures that help ensure that management
directives are carried out. Control activities,
whether within IT or manual systems, have
various objectives and are applied at various
organisational and functional levels”
ISA 315
Internal Control System
5 - Monitoring of controls:
The auditor will obtain an understanding of:
The major activities used to monitor internal
controls
How corrective action is taken
How control deficiencies are addressed
The role of internal audit
How internal audit fits into the entity’s structure
The activities performed by internal audit
ISA 315
Accounting & Internal Control
Systems

• Assess adequacy of controls – how well do these controls

work to get the right information onto the financial
statements?
• Identify where potential misstatements might occur in the
financial statements
• Consider risk of misstatement in the balances /accounts
• Design audit procedures (i.e. substantive testing)
Internal Control Categories
• Supervision
• Organisation
• Arithmetic & Accounting
• Physical
• Segregation of duties
• Personnel
• Authorisation
• Management
 Internal Control Categories

• Supervision:

• Organisation:

• Arithmetic and accounting:

• Physical:
 Internal Control Categories
• Segregation of duties:

• Personnel:

• Authorisation and approval:

• Management:
Limitations of Internal Controls
• Cost
• Routine
• Human error
• Collusion
• Overriding
• Complacency
• Problems in smaller entities
Recording & Evaluating the System
The auditor must understand the system. To do this the
auditor must document the system.

System Documentation:
• To provide a record of how financial control and
accounting systems work.

• This is a ‘map’ of how the system works.

Collecting Information
• Interview managers in charge of systems
• Interview staff who operate the system
• Collect written procedures
• Collect copies of forms and vouchers
• Write up a description of the system
• Identify key controls
• Identify missing controls
Recording & Evaluating the System
Methods used to document the system:
1.Narrative notes
2.Flowcharts
3.Questionnaires & Checklists
Narrative Notes
• Written form
• Simple
• Awkward to change
• Describe & explain system
• Used to support flowcharts
Flowcharts
• Document flowcharts
• Straightforward
• Cover whole system
• Pinpoints weakness
• Only useful for document flow
• Amendment difficult
• Relevance of areas recorded
Questionnaires
• ICQ’s Internal Control Questionnaires

• ICEQ’s Internal Control Evaluation Questionnaire

(example on Moodle)
Walkthrough Tests
• To ensure that the actual system in operation is
the same as the system documented by the
auditor
• Trace transactions through the system from the
earliest available documentation to final recording
• Identify any areas where actual processing did
not match the system documented by the auditor
Systems-based auditing

The next step an auditor would take is to test and

evaluate the system of internal controls applied in
practice to the various components of an average
accounting system:
• Sales system
• Purchase system
• Inventory system
• Cash system
• Payroll system
The auditor may be able to comment on control
weaknesses which are a threat to the company’s financial
soundness
Tests of Control
• To assess if the auditor can rely on the internal processing
system to produce accurate financial statements

• To assess whether controls which are intended to prevent

loss through fraud, error or malpractice are operating
effectively
Tests of Control
1. Identify key controls
2. Design a test of control to ensure that the
control operated throughout the period
3. Select a sample from an appropriate source
4. Verify the operation of the control for each
item
5. Document number of control errors
6. Conduct impact assessment for errors
found
1. Identify Key Controls
• A key control is one the failure of which is
likely to permit fraud or error to occur
• For sensitive items, two or more controls with
the same function might be regarded as key
controls
• Where a control failure is discovered, the
operation of compensating controls should be
investigated
Examples of Tests of Control
• Inspect authorisation signatures on a
sample of invoice payments
• Inspect file documentation of new starters
on the payroll for evidence of authorisation
by the personnel department
• Re-perform bank reconciliations (balance
sheet cash amount compared to bank
statement) observing how quickly
reconciling items (e.g. cheques/payments
in transit) are cleared and inspecting for
supervisor review signature.
Tests of controls include, where relevant,
checking arithmetic accuracy

• In testing authorisation of new employee

payroll entries to the system, inspecting the
controls for ensuring payroll deductions are
accurate is also required.
• Inspection of the supervisor’s checks of
quantities and price calculations on
receivables invoices before issuing to
customers.
• Calculating control totals
4. Verify Operation of Controls
• Record evidence for each item sampled in testing
(e.g. is authorisation signature present on all
items selected)

• Identify any control failures in the sample selected

(e.g. no monthly bank reconciliation for February
and October) or, (incorrectly completed bank
reconciliation for three months out of 12 sampled).

• Or, control working in each item sampled.

 Documenting Errors and
Control Failures
• Should form part of a results summary
• Should be accompanied by a conclusion stating
whether or not controls are reliable
• If the number and nature of errors does not
indicate a high or medium control risk, this should
be clearly stated
7. Impact Assessment
Consider:
• Frequency of errors
• Whether errors are systematic
• Whether there are compensating controls
• Is control risk high, medium or low?
• Do we need a management letter point?
Documenting Tests
A Test Header Sheet Should be Drawn Up:
• Test Objective
• Test Procedure
• Sample source
• Sample size
• Results
• Conclusion
• Recommendation
Management Letters
• Why?
• What?
• When?
• Who?
Management Letters - Why?
• Should help management improve accounting
and control systems
• May be required by audit engagement letter
• ISA 260 encourages reporting to those charged
with governance
Management Letters - What?
• Scope of the letter
• Purposes of the systems covered
• Management responsibility for all controls
• Overall comments on strength of controls
• Schedule of control weaknesses
• Detailed report on control weaknesses
Reporting Control Weaknesses
• Should already have been made known to
management
• Nature of weakness
• Number of occurrences detected
• Potential consequences
• Recommendation
• Management response
• Manager responsible for implementation
• Implementation timescale
Management Letters - When?
• After control testing complete
• Note, at this stage we are probably towards
the end of the financial year of the client.
Thus any improvements in controls
implemented by the client won’t affect the
financial statements about to be audited at
the year end.
Management Letters - Who?
• Should always be drafted by the auditor
who did the work
• Should be reviewed by manager and
partner
• Introductory sections may be standardised
• Auditee management input usually
desirable
• Management should have chance to read a
draft
Management Letters - To Whom?
• Addressed to:
– Directors; or
– Audit Committee; or
– Appropriate level of management
• Not to operational managers in charge of systems
audited (let the directors know what the problems
are - the directors have the powers to deal with
them)
Management Letters
• Structure

– Properly addressed
– Introductory paragraph
– Main body detailing weaknesses found &
recommendations
– Request for a response
Reading
Chapters:
4, 9, 13, 14, 27