Lecture 13 Internal Controls Introduction The auditors must understand the accounting system and control environment in order to determine their audit approach. An understanding of internal control assists the auditor in identifying types of potential misstatements and factors that affect the risks of material misstatement, and in designing the nature, timing and extent of further audit procedures. Definitions Internal control is defined as ‘the whole system of control, financial and otherwise, established by the management in other to carry on the business of the enterprise in an orderly and manner efficient, ensure adherence to management policies, safeguard the assets and secure as far as possible the completeness and accuracy of records’. APC of UK The individual components of an internal control system are known as controls or internal controls. Definitions ‘Internal control is the process designed and effected by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of the entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations and compliance with applicable laws and regulations’. ISA 315 Definitions Internal controls includes all policies and procedures adopted by the directors and management of an entity to assist in their objective of achieving as far as possible the orderly and efficient conduct of the business including adherence to internal policies, safeguard of assets, the prevention and detection of fraud and error, the accuracy and completeness of accounting record and timely preparation of reliable financial statement. Objectives of Internal Controls Internal Controls are instituted in an organization in order to ensure: The reliability and integrity of information Compliance with policies The safeguarding of assets The economical and efficient use of resources The accomplishment of established objectives and goals for operations and programmes Elements of internal controls Internal control has five elements; The control environment The entity’s risk assessment process The information system relevant to financial reporting Control activities Monitoring of controls Control environment The control environment is the framework within which controls operate. It is very much determined by the management of a business. It includes the governance and management functions and the attitudes, awareness and actions of those charged with governance and management concerning the entity’s internal control and its importance in the entity. A strong control environment does not by itself, ensure the effectiveness of the overall internal control system, but can be a positive factor when assessing the risks of material misstatement. A weak control environment can undermine the effectiveness of controls Elements of control environment Communication and enforcement of integrity and ethical values. Commitment to competence Participation by those charged with governance Management’s philosophy and operating style Organizational structure. Assignment of authority and responsibility Human resource policies and practices Entity’s risk assessment process ISA 315 says the auditor shall obtain an understanding of whether the entity has a process for; Identifying business risks relevant to financial reporting objectives. Estimating the significance of the risks Assessing the likelihood of their occurrence Deciding upon actions to address those risks Information system relevant to financial reporting This is a component of internal control that includes the financial reporting system, and consists of the procedures and records established to initiate, record, process and report entity transactions and to maintain accountability for the related assets, liabilities and equity. The areas include; Classes of transactions in the entity’s transactions Procedures within both IT and manual systems are initiated Related accounting records Controls surrounding journal entrries Control activities These are those policies and procedures that help ensure that management directives are carried out. Control activities include those activities designed to prevent or detect and correct errors. They include activities relating to authorisation, performance reviews, information processing, physical controls and segregation of duties. Examples are approval and control of documents, controls over computerised application, checking arithmetical accuracy of records, etc Monitoring of controls This is a process to assess the effectiveness of internal control performance over time. It includes assessing the design and operation of controls on a timely basis and taking necessary corrective actions modified for changes in conditions. Limitations of accounting and control systems Any internal control system can only provide the directors with reasonable assurance that their objectives are reached, because of inherent limitations. These include; The costs of control not outweighing their benefits The potential for human error (key) Collusion between employees The possibility of controls being by-passed or overridden by management Controls being designed to cope with routine and not non-routine transactions Recording accounting and control systems The auditor must keep a record of the client’s systems which must be updated each year. This can be done through the use of narrative notes, flowcharts, questionnaires or checklists. Narrative notes The purpose of narrative notes is to describe and explain the system, at the same time as making any comments or criticism which will help to demonstrate an intelligent understanding of the system. Advantages Simple to record and understand Flexible method and can be used for any system Editing is easy when computerised Disadvantages Time consuming compared to flowcharts Awkward to update if kept manually Difficult to identify missing controls Flowcharts This can take many forms but generally are graphic illustrations of the physical flow of information through the accounting system. Flowlines represent the sequence of processes, and other symbols represent the inputs and outputs to a process. Visit http//www.rff.com/flowcharts_samples.htm Advantages Can be prepared easily after a little experience Fairly easy to follow and review System is recorded in its entirety from start to end Eliminate the need for extensive narrative Disadvantages Suitable for standard systems Amendment is difficult without withdrawing Time consuming to areas that are of no audit significance ICQs The major question which internal control questionnaires are designed to answer is ‘How good is the system of controls?’ Although many different forms of ICQs exist in practice, they all conform to the following basic principles. They comprise a list of questions designed to determine whether desirable controls are present. Formulated to cover each of the major transaction cycle. ICQ is to evaluate the system as well as record it. Example; Are purchase invoices checked with GRN before being passed for payment? YES/NO/Comments ICQ example on Goods inward Are suppliers examined on arrival as to quantity and quality? Is such an examination evidenced in some way? Is receipt of suppliers recorded, perhaps by means of goods inwards notes? Are receipt records prepared by a person independent of those responsible for; Ordering function? The processing and recording of invoices ICEQs ICEQs are concerned with assessing whether specific errors (or frauds) are possible. They concentrate on significant errors or omissions that could occur at each phase of the appropriate cycle if controls are weak. Examples on purchases include; Is there reasonable assurance that; Goods or services could not be received without a liability being recorded? Receipt of goods or services is required in order to establish a liability? A liability will be recorded: Only for authorised items At the proper amount? Advantages and disadvantages of ICEQs Advantages Can ensure all controls are considered Quick to prepare Easy to use and control Easier to apply to a variety of systems than ICQs Identify key controls Highlight deficiencies Disadvantages Can be drafted vaguely, hence misunderstood May contain irrelevant controls May not include unusual controls May overstate controls Checklists Checklists may be used instead of questionnaires to document and evaluate the internal control system. The difference is that instead of asking questions, statements are made to ‘mark off’ and tick boxes are used to indicate where the statement holds true. Example ‘Suppliers are examined on arrival as to quantity and quality’. Tick Cross out Checklists share many advantages and disadvantages of ICQs and ICEQs TYPES OF INTERNAL CONTROLS Preventive Controls: that is, to deter undesirable event from occurring. Detective Controls: This is aimed at detecting undesirable event which have occurred. Corrective Controls: To remedy any undesirable event that has occurred. INTERNAL CONTROL MEASURES/ PROCEDURES S – Segregation of Duties O – Organisation A – Authorisation P – Physical S – Supervisory P – Personal A – Arithmetical and accounting M – Management SEGREGATION OF DUTIES: These should be a division of responsibilities for authorizing or initiating transactions physical custody and control of assets recording the transaction. Segregation of duties reduces the risk of intentional manipulations or error and increase the element of checking ORGANISATION: Enterprises should have a plan of their organization, defining and allocating responsibilities and identifying lines of reporting for all aspects of the enterprises operations, including the controls. The delegation of authority and responsibility should be clearly specified AUTHORISATION OR APPROVAL All transactions should require authorization or approval by an appropriate responsible person. The limits for these authorizations should be specified PHYSICAL: These are concerned mainly with the custody of assets and involve procedures and security measures designed to ensure that access to assets is limited to authorized personnel. For example, the custody of the keys to the safe should be limited to only the cashier and possibly a highly placed responsible official. SUPERVISORY Any system of internal control should include the supervision of responsible officials of day to day transactions and recording thereof. PERSONNEL: There should be procedures to ensure be procedures to ensure that personnel have capabilities commensurate with their responsibilities. Inevitably, the proper functioning of any system depends on the competence and integrity of those operating it. The qualification, selection and trainings well as the innate personal characteristics of the personnel involved are important features to be considered in setting up any control system. ARITHMETIC OR ACCOUNTING: These are the controls within the recording functions which check that the transactions to be recorded and processed have been authorized, that they are all included and that they are correctly recorded and accurately processed. Such controls include checking the arithmetical accuracy of the records, the maintenance and checking of totals, reconciliations, control accounts and trial balance and accounting for documents. MANAGEMENT: These are the controls exercised by management outside the day to day routine of the system. They include the overall supervisory controls exercised by management, the review of management accounts, and comparisons thereof with budget, the internal audit function and any other special review procedures. Limitations on the effectiveness of internal controls No internal control system however elaborate, can by itself guarantee efficient administration and the completeness and accuracy of the records, nor can it be proof against fraudulent collusions, especially on the part of those holding positions of authority or trust. Internal controls depending on separation of duties can be avoided (side stepped) by collusion. Limitations on the effectiveness of internal controls Authorization controls can be abused by the persons in whom the authority is vested, whilst the competence and integrity of the personnel operating the controls may be ensured by selection and training, these qualities may alter due to pressure exerted both within and outside the enterprise. Human error due to errors of judgment or interpretation, or misunderstanding, carelessness, fatigue or distraction may undermine the effective operation of internal controls. Why internal controls should interest the auditor If the auditor wishes to place reliance on any internal controls, he should ascertain and evaluate these controls and perform compliance tests on their operation. The Auditors objective in evaluating and testing internal controls is to determine the degree of reliance which he may place on the information contained in the accounting records. If he obtains reasonable assurance by means of compliance test that the internal controls are effective in ensuring the completeness and accuracy of the accounting records and the validity of entries therein, he may limit the extent of his substantive testing In specific areas of business Financial statement assertions Audit tests are designed to obtain evidence about the financial statement assertions. Assertions relate to classes of transactions and events, account balances at the period-end, and presentation and disclosure. Financial statement assertions are the representations by management, explicit or otherwise, that are embodied in the financial statements as used by the auditor to consider the different types of potential misstatements that may occur. Financial statement assertions ISA 315 states that the auditor must use assertions for classes of transactions (ie income statement), account balances (ie SOFP), and presentation and disclosures in sufficient detail to form the basis for the assessment of risks of material misstatement and the design and performance of further audit procedures. Assertions about classes of transactions and events Occurrence; transactions and events that have been recorded have occurred and pertain to the entity. Completeness; all transactions have been recorded. Accuracy; amounts and other data have been recorded appropriately Cut-off; transactions have been recorded in the correct accounting period Classification; recorded in the proper accounts Assertions about account balances Existence; assets, liabilities and equity interests exist. Rights and obligations; entity holds or controls the rights to assets and liabilities are the obligations of the entity. Completeness; all assets, liabilities and equity (ALE) that should have been recorded have been recorded. Valuation and allocation; all ALE are included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments are appropriately recorded. Assertions about presentation and disclosure Occurrence and rights and obligation; disclosed events, transactions and other matters have occurred and pertain to the entity. Completeness; all disclosures that should have been included in the financial statements have been included. Classification and understandability; financial information is appropriately presented and described, and disclosures are clearly expressed. Accuracy and valuation; information are disclosed fairly and at appropriate amounts. Cash sales and collections OBJECTIVES To ensure that all cash to which the enterprise is entitled is received To ensure that all such cash is properly accounted for and entered in the records To ensure that all cash is deposited promptly and intact. Cash sales and collections MEASURES: Clearly defining and limiting the number of persons who are authorized to receive cash. Sales assistants, cashiers etc. must be clearly identified. Establishing a means of evidencing cash receipts. E.g. receipt books should be numbered serially and should be in triplicates, a responsible official other than the cashiers should keep control of the cash receipt books and the issues as well. Ensure that whoever pays cash, must receive a receipt. And if a cash register is used, the amount rung up should be visible to the customer. Cash sales and collections MEASURES Appointment of officials with responsibility for employing cash register at prescribed intervals, and agreeing the amount present with till roll totals. Such collections should be evidenced in writing and be initialed by the assistant and the supervisor. All cash and cheque must be banked intact and promptly. All cash shortages and excesses should be promptly investigated. The cashier should not have access to other cash funds or sales ledgers or even the purchases ledger. There should be occasional rotation of jobs. Test of controls (compliance testing) As part of his overall plan the auditor must ascertain the adequacy of the accounting system and the internal controls system. He will decide which controls if any he wishes to rely on and plan compliance tests to determine whether such reliance can be warranted. The auditor will almost certainly use the Internal Control Evaluation Questionnaire (ICEQ) completed for each component part of the system to draw up the compliance controls to be tested and provide information as to their strength and importance. Test of Controls are designed to check that the control procedures are being applied and that control objectives are being achieved. Sales System The three separate elements into which accounting controls may be divided clearly appear in the consideration of sales procedures. They are selling (authorisation), goods outwards (custody) and accounting (recording). Sales System- Control objectives The control objectives include the following: Sales are made in accordance with the company objectives, with agreement in place with all customers. Customer’s orders are authorised, controlled and recorded in order to execute them promptly and determine any provision required for losses arising from unfulfilled commitments. Goods shipped and work completed is controlled to ensure that invoices are issued and revenue recorded for all sales Goods returned and claims by customers is controlled in order to determine the liability for goods ordered and claims received but not entered or recorded in the debtors’ records. Invoices and credit notes are appropriately checked as being accurate and authorised before being entered in the debtors’ records. Sales System-Control considerations Selling: Considerations include the following: What arrangements are to be made to ensure that goods are sold at their correct price and to deal with cheque receipts, discounts and special reduction including those in connection with cash sales? Who is responsible for and how control is to be maintained over the granting of credit terms to customers. Who is responsible for accepting customer’s orders and what procedures are to be adopted for issuing production orders and dispatch notes? Sales System-Control considerations Selling: Who is to be responsible for the preparation of invoice and credit notes and what controls are to be instituted to prevent errors and irregularities. For example, how selling prices are to be ascertained and authorised, how the issue of credit note is to be controlled and checked, what checks should be on prices, quantities, extensions and totals shown on invoices and credit notes and how such documents in blank or completed form are to be protected against loss or misuse. What special controls are to be exercised over the dispatch of goods free of charge or on special terms? Sales System-Control considerations Goods Outwards: Factors to be considered include the following: Who may authorize the dispatch of goods and how such authority is evidenced. What arrangements are to be made to examine and record goods outwards (preferably this should be done by a person who has no access to stocks and has no accounting or invoicing duties) The procedures to be instituted for agreeing goods outwards records with customers’ orders, dispatch notes and invoices. Sales System-Control considerations Accounting: As far as possible sales ledger staff should have no access to cash, cash books or stocks and should not be responsible for invoicing and other duties normally assigned to sales staff. The following are amongst matters which should be considered: The appointment of persons as far as possible separately responsible for: Recording sales and sales returns Maintaining customers’ accounts Preparing debtors’ statements Sales System-Control considerations Arrangements to ensure that goods dispatched but not invoiced (or vice versa) during an accounting period are properly dealt with in the accounts of the periods concerned. What procedures are to be adopted for the preparation, checking and dispatch of debtors’ statements and for ensuring that they are not subject to interference before dispatch. How discounts granted and special terms are to be authorised and evidenced. What procedures is to be adopted for reviewing and following up overdue accounts. Who is to authorize the writing off of bad debts and how such authority is to be evidenced. SUBSTANTIVE TESTS (Sales) Accounting Records: Check additions and cross-casts of the sales daybook and sales returns day book. Check the posting of individual invoices to the nominal ledger and the control accounts Check entries in the sales day book and sales returns day book back to original invoices, credit notes and dispatch notes and vice versa. SUBSTANTIVE TESTS (Sales) Invoices and Credit Notes: Check the numerical sequence of invoices, enquiring into missing numbers and inspecting all copies of cancelled invoices. Check copy sales invoices and credit notes with sales day books and debtors’ ledger accounts, checking analysis of sales day books where appropriate and authorisation of credit notes. Compare invoice prices with authorised, up to date price lists, quotations and correspondence. Check calculations and additions of invoices and credit notes Scrutinize credit notes for large or unusual items. SUBSTANTIVE TESTS (Sales) Stock Records: Check goods dispatched notes or goods outwards records to copy sales invoices. Trace good outwards from invoice or dispatch note to stock record Trace goods returned from return documentation to stock records and credit notes. SUBSTANTIVE TESTS (Sales) General: Where returns or allowances affect the calculation of commissions, ensure that adjustments have been made properly. Control Accounts: Test the year-end control account reconciliation, checking back to source documentation such as sales invoices, cash and returns records. Ensure that any reconciling items are dealt with properly. SUBSTANTIVE TESTS (Sales) Analytical Procedures: Fluctuations in sales levels. Compare levels of sales throughout the year on a month-by-month basis and also sales in the last month of the year to sales in the first month of the next year. Investigate any large fluctuations. Consider vouching larger individual sales. Compare current gross profit percentage to previous year Compare stock turnover rate to previous year. SUBSTANTIVE TESTS (Sales) Cut Off Tests: Select items on both sides of the end date and ensure that they have been properly treated in the correct accounting period. Examine the file of unprocessed invoices and dispatch notes and ensure that none belongs to the period under review but has not been treated. Check that dispatch notes issued before the end of the year but not matched by any invoices are accrued and reported in the accounts under review. SUBSTANTIVE TESTS (Sales) Disclosure Check the classification, description and presented of sales and sales return in the financial statements. Check that amounts stated are in agreement with the accounting records. Note You may have noticed that the tests of controls and substantive procedures noted above sometimes appear very similar. One test can serve both as a test of control and as substantive procedure. Where for example, an invoice is checked for authorisation (test of control) it can also be checked for accuracy and pricing (substantive procedure). This does not mean that tests of controls and substantive procedures are interchangeable. It is vital that you understand the conceptual difference between the two types of test.