Assurance 4 & 5
Completeness - Assertions about classes of transactions and events, and related disclosures, for the period under audit
All transactions and events that should have been recorded have been recorded, and all related disclosures that should have been included in the financial statements have been included
Information system and communication:
A component of internal control that includes the financial reporting system, and consists of the procedures and records established to initiate, record, process and report entity transactions (as well as events and conditions) and to maintain accountability for the related assets, liabilities and equity.
Limitations of internal controls - Unusual transactions
A limitation of internal controls is that they are generally designed to deal with what normally or routinely happens in a business. However, it may be the case that an unusual transaction may occur which does not fit into the normal routines, in which case standard controls may not be relevant to the unusual transaction, and hence mistakes may be made in relation to that unusual transaction.
Walk-through procedure
A procedure that involves tracing a few transactions through the financial reporting system.
Business risk:
A risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity's ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies (ISA (UK) 315: para. 12b).
Completeness
All assets, liabilities and equity interests that should have been recorded have been recorded and all related disclosures that should have been included in the financial statements have been included
Accuracy - Assertions about classes of transactions and events, and related disclosures, for the period under audit
Amounts and other data relating to recorded transactions and events have been recorded appropriately, and related disclosures have been appropriately measured and described
Limitations of internal controls - Human element
An important limitation of controls is the human element. Most controls can only function as well as the people that are implementing them. Controls are not necessarily foolproof. If a human being makes a mistake implementing a control, then that control might be ineffective. Another problem for companies associated with the human element of controls is that of the intention of the people using them. Controls, such as keeping your computer password secret, rely on the integrity of the people being asked to implement them. If people do not understand the importance or relevance of the control they may be less inclined to adhere to it.
Appropriateness
The measure of quality and reliability
Control activities: Authorisation and approvals
Approval of transactions/documents - Transactions/documents should be approved by an appropriate person.
Existence
Assets, liabilities and equity interests exist
Presentation
Assets, liabilities, and equity interests are appropriately aggregated or disaggregated and clearly described, and related disclosures are relevant and understandable in the context of the requirements of the applicable financial reporting framework
Accuracy, valuation and allocation
Assets, liabilities, and equity interests have been included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments have been appropriately recorded, and related disclosures have been appropriately measured and described
Classification
Assets, liabilities, and equity interests have been recorded in the proper accounts
Control activities: Segregation of duties
Assigning different individuals the responsibilities of authorising transactions, recording transactions and maintaining custody of assets
If the quality of evidence is external
Audit evidence from external sources is more reliable than that obtained from the entity's records
Sufficiency
The measure of the quantity of audit evidence.
Classification - Assertions about classes of transactions and events, and related disclosures, for the period under audit
Transactions and events have been recorded in the proper accounts
Control activities: Reconciliations
Compare two or more data elements - For example, comparing sales reports by units sold to sales in the statement of profit or loss
Control activities: Verifications
Comparing an item with a policy
General IT controls - Testing and documentation of program changes
Complete testing procedures; Documentation standards; Approval of changes by computer users and management; Training of staff using programs
General IT controls Definition
Controls over the entity's IT processes that support the continued proper operation of the IT environment, including the continued effective functioning of information processing controls and the integrity of information (ie, the completeness, accuracy and validity of information) in the entity's information system (ISA (UK) 315: para. 12d).
Information processing controls: Definition
Controls relating to the processing of information in IT applications or manual information processes in the entity's information system that directly address risks to the integrity of information (ie, the completeness, accuracy and validity of transactions and other information) (ISA (UK) 315: para. 12e).
General IT controls - Controls to ensure continuity of operations
Storing extra copies of programs and data files off-site; Protection of equipment against fire and other hazards; Back-up power sources; Emergency procedures; Disaster recovery procedures eg, availability of back-up computer facilities; Maintenance agreements and insurance
If the quality of evidence is written
Evidence in the form of documents (paper or electronic) or written representations is more reliable than oral representations
If the quality of evidence is auditor
Evidence obtained directly by auditors is more reliable than that obtained indirectly or by inference
If the quality of evidence is entity
Evidence obtained from the entity's records is more reliable when related control systems operate effectively
Explicit opinions issued by auditor
In respect of the state of the company's affairs at the end of the financial year; In respect of the company's profit or loss for the financial year; In relation to the financial reporting framework (IFRS Standards or UK GAAP); In respect of other legal requirements of the Companies Act 2006; The information given in the strategic report and the directors' report is consistent with the financial statements
Items included only by exception
Adequate accounting records have been kept. Returns adequate for the audit have been received from branches not visited. The financial statements are in agreement with the accounting records and returns. All information and explanations have been received as the auditors think necessary and they have had access at all times to the company's books, accounts and vouchers. Details of directors' emoluments and other benefits have been correctly disclosed in the financial statements. Particulars of loans and other transactions in favour of directors and others have been correctly disclosed in the financial statements.
General IT controls - Controls to prevent wrong programs or files being used
Operation controls over programs; Libraries of programs; Proper job scheduling
If the quality of evidence is originals
Original documents are more reliable than photocopies or facsimiles
Control activities: Physical or logical controls
Physical security of assets; Authorisation for access to computer programs and data files; Periodic counting and comparison with amount shown on accounts
General IT controls - Prevention or detection of unauthorised changes to programs
Segregation of duties; Full records of program changes; Password protection of programs so that access is limited to computer operations staff; Restricted access to central computer by locked doors, keypads; Maintenance of program logs; Virus checks on software: use of anti-virus software and policy prohibiting use of non-authorised programs or files; Back-up copies of programs being taken and stored in other locations; Control copies of programs being preserved and regularly compared with actual programs; Stricter controls over certain programs (utility programs) by use of read only memory
Limitations of internal controls - Collusion
Staff members may want to override or avoid controls in order to defraud the company. Controls may be bypassed very effectively and secretly by two or more people working together, that is, colluding in fraud.
General IT controls - Development of computer applications
Standards over systems design, programming and documentation; Full testing procedures using test data (see Chapter 11); Approval by computer users and management; Segregation of duties so that those responsible for design are not responsible for testing; Installation procedures so that data is not corrupted in transition; Training of staff in new procedures and availability of adequate documentation
General IT controls - Controls to prevent unauthorised amendments to data files
Such as passwords to prevent unauthorised entry, built-in controls to permit changes
Audit committees
The audit committee is an important aspect of the control environment of the company. It is a sub-committee of the board of directors responsible for overseeing an entity's internal control structure, financial reporting and compliance with relevant laws and regulations
Tests of controls or tests of detail?
The auditor must choose what kind of procedures to perform. In most cases this will be a mixture of tests of controls and substantive procedures. The auditor must always perform some substantive procedures, no matter how reliable an entity's internal controls are.
Control environment
The control environment includes the governance and management functions and the attitudes, awareness and actions of those charged with governance and management concerning the entity's internal control and its importance in the entity. The control environment sets the tone of an organisation, influencing the control consciousness of its people.
Segregation of duties
The control of using a number of people in a single system
Entity's risk assessment process:
The entity's risk assessment process is an iterative process for identifying and analysing risks to achieving the entity's objectives, and forms the basis for how management or those charged with governance determine the risks to be managed (ISA (UK) 315: Appendix 3, para. 7).
Control activities:
They are the policies and procedures that help ensure that management directives are carried out.
Presentation - Assertions about classes of transactions and events, and related disclosures, for the period under audit
Transactions and events are appropriately aggregated or disaggregated and clearly described, and related disclosures are relevant and understandable in the context of the requirements of the applicable financial reporting framework
Cut-off - Assertions about classes of transactions and events, and related disclosures, for the period under audit
Transactions and events have been recorded in the correct accounting period
Occurrence - Assertions about classes of transactions and events, and related disclosures, for the period under audit
Transactions and events that have been recorded or disclosed have occurred and such transactions and events pertain to the entity
A company has various objectives:
to ensure it reports its financial position correctly to shareholders; to ensure that it operates effectively and efficiently; to ensure that it complies with relevant laws and regulations
The auditor must always carry out substantive procedures on material items. In addition, the auditor must carry out the following substantive procedures:
agreeing the financial statements to the underlying accounting records; examining material journal entries; examining other adjustments made in preparing the financial statements
Other procedures (tests of detail)
may be appropriate to gain information about account balances (for example, inventories or trade receivables), particularly in verifying the assertions of existence and valuation.
Reasons for internal controls
minimising the company's business risks; ensuring the continuing effective functioning of the company; ensuring the company complies with relevant laws and regulations
The audit committee is comprised of
non-executive directors.
Analytical procedures
tend to be appropriate for large volumes of predictable transactions (for example, wages and salaries).
Rights and obligations
The entity holds or controls the rights to assets, and liabilities are the obligations of the entity