Internal Controls Lecture Notes

Introduction

• Purpose: Understand internal controls, their recording, assessment, and testing by auditors.
• Key Idea: Auditors rely on effective internal controls to reduce testing of financial numbers.

Recording Client's Accounting Systems

Methods of Recording

1. Narrative Notes
   • Simple list of client procedures.
   • Suitable for simple businesses.
   • Easy for staff with minimal training.
   • Disadvantage: Can be unstructured, like a school essay.
2. Flowcharts
   • Visual representation of processes.
   • Suitable for complex businesses.
   • Staff require training in flowchart techniques.
   • Columns for different business parts make it easy to see system integration.
3. Questionnaires
   • Lists of possible controls (Internal Control Questionnaires).
   • Audit staff ask clients about controls in place.
   • May overlook specific, effective client controls.

Components of an Internal Control System

Mnemonic: CRIME

• C: Control Activities
• R: Risk Assessment
• I: Information Systems
• M: Monitoring
• E: Control Environment

Details of Components

1. Control Environment
   • High-level organizational structure.
   • Ethical statements, governance policies, job descriptions.
   • Clear roles and responsibilities.
2. Risk Assessment
   • Management processes for identifying and assessing business risks.
   • Examples: Airline risks like pandemics or poor maintenance.
3. Information Systems
   • Robust IT systems and processes.
   • Ensures management is aware of the financial position and problems.
4. Control Activities
   • Specific controls within transaction cycles (e.g., reconciliations).
   • Types include segregation of duties, authorization, reconciliations, physical controls, and logical controls.
5. Monitoring
   • Ensures control systems are functioning.
   • Internal audit functions and audit committees help monitor controls.

Testing Internal Controls

Types of Control Activities

• Segregation of Duties: Different people handle ordering and payments to prevent fraud and errors.
• Authorization: Required for actions like overtime, credit limits, and payments.
• Reconciliations: Ensure records match (e.g., bank reconciliations, payroll reconciliations).
• Physical Controls: Locks, keypads, safes.
• Logical Controls: IT security measures.

Limitations of Internal Controls

• Cost-Benefit Analysis: Not always worth implementing controls for insignificant amounts.
• Human Error: Even with controls, mistakes can happen.
• Collusion: Cooperation between employees can bypass controls.
• Override by Management: CEO or others may bypass controls.
• Non-Routine Transactions: Often lack controls (e.g., disposal of non-current assets).

Direct vs. Indirect Controls

• Direct Controls
  • Sufficiently precise to detect, prevent, and correct misstatements.
  • Example: Bank reconciliations.
• Indirect Controls
  • Support direct controls.
  • Involves control environment, risk assessment, and monitoring.
  • Example: Internal audit performance.

Writing Tests of Control

• Inspect: Sample documents to confirm controls (e.g., bank reconciliations signed by a manager).
• Observe: Staff performing control activities (e.g., inventory counts).
• Reperform: Auditor re-doing control activities (e.g., recounting inventory, reperforming reconciliations).
• Avoid Inquiry: Inquiries alone are not reliable for testing controls.

Reporting on Internal Controls

• Management Letters: Summarize deficiencies in controls and provide recommendations.
• Format: Problem, impact, and solution.
  • Example: Problem - Invoices not cancelled when paid. Impact - Risk of double payment. Solution - Mark invoices as paid.

Conclusion

• Key Takeaways
  • Understand the five components of internal control systems (CRIME).
  • Know examples of control activities.
  • Differentiate between direct and indirect controls.
  • Practice writing tests of control using inspect, observe, and reperform.
• Objective: Add value to the client through effective audit and control assessment.