this is a lecture from open tuition to benefit from the lecture you should download the free lecture notes from opentuition.com in this lecture we're going to look at internal controls if the auditor thinks that the internal controls are working properly then they're able to rely on them and do less testing of the numbers themselves so we need to understand what controls are what the auditor does in terms of recording them assessing them and then finally testing the controls that are in place of the client so it's those issues that we need to look at first of all we need to understand a little bit about how you record the controls at a client so recording the clients accounting systems and you may be asked about the different methods of recording that can be used by the audit firm and the principal methods are narrative notes flowcharts and questionnaires narrative notes means that you simply make a list of the procedures the client has in place and these will be okay if you are looking at a very simple business the advantage of having narrative notes is that the staff don't need very much training because you can say to the audit staff go and speak to the credit controller and make notes about what they do to make sure that bad debts are actually collected in um if at all possible so these narrative notes at the end of the day are very they're useful if you have a very simple business these days of course you don't have many simple businesses that need auditing but if there is a very simple business model perhaps you can need you can use narrative notes the trouble is that they're not very disciplined and so it may just read like an essay that someone submitted at school so more common again is that they would use some kind of flow charting and that's what they would use with most businesses so this would be useful for a complex business the disadvantage is that the audit staff need training in floating flow chart techniques you won't have to prepare a flowchart or interpret it but if you've seen them you'll know that you have columns for each part of the business so on the sales cycle they'll have a column for the order a column for dispatch a column for invoicing a column for recording so it's very easy to see how the system fits together and where the different documents flow so that's the normal method of recording and finally sometimes they use questionnaires so questionnaires again are lists the way i describe it is lists of all possible controls again it can be a bit unthinking you'll see when you study the notes they're called internal control questionnaires and so on the sales cycle there'll be a list of all sorts of controls that could be in place then the audit staff have to sometimes physically tie the client down and go through the list of control and say do you have this do you have this do you have this do you have this and the client goes yes yes no no no then the auditor can go back to the office and assess which controls are in place and if on balance it looks as if they've got a decent control system in place so in our um course notes again you've got a little bit more detail about each of those so i won't read those points out there but there's some more detail there about how narrative works notes work how flow charting would work and finally about questionnaires the most common form of questionnaire is the one that's called an internal control questionnaire so that is where they will ask again effectively um is this control in place are invoices sequentially numbered are all auditors are all orders recorded um is there a check on the sequence of orders recorded that day so you can see these control lists there again you wouldn't be asked to write a list of them but the general spirit is that yes is a good thing the problem i think with questionnaires is they may not cover specific controls the client has which actually work better in their business either way the first stage is to say i must record the system understand what controls are in place i can still remember being a student a very long time ago and thinking well i can learn that but i don't really know what controls are so let's go a step ahead and say what are the different parts of an internal control system now when we talk about an internal control system we talk about five components there's a mnemonic for this that might help you to remember their names but don't do any highlighting yet the mnemonic is crime c-r-i-m-e it doesn't put the controls in the right order but actually it's one way to remember them the sea of crime is actually down here it's control activities so that's the sea of crime that one down here the r is risk assessment the i is information systems the m is monitoring and finally the e is the fact that about the environment in the first place so strictly control environment i suppose you could say krimke instead of crime but that doesn't seem to work quite well but we'll just talk through those components um control environment is very very much high level and it may be that you work in a business that's highly organized in which case they've probably got a very good control environment where on a day-to-day basis basis things just don't go wrong so what sorts of things constitute control environment that is the foundation as it says in the notes for everything else is where you can see in particular again there are things like an ethical statement perhaps the ethical statement is um posted again against each pc each workstation so the staff are aware of it it's very clear that those charged with governance as to their response as to they set down the tone of the business remember those charged with governance are above day-to-day management there are things like the non-executive directors the audit committee it's very clear again policy in terms of recruitment and things like that they're a job descriptions for everyone everyone is very clear about exactly what they do another way again of saying it is ultimately there is not chaos so you need a very good control environment in the first place the second thing is to make sure and think about whether management have got a process in place for identifying assessing risk in the business that's principally business risk which isn't really in our syllabus but when they look at the business if it's an airline they're saying well what are the risks that could affect us like a pandemic again like poorly maintained planes and so on that they've assessed those risks assess their size assess their likelihood the third element is to say do they have a proper information system which these days would probably mean again a very strong information technology environment so i need to understand how that process works so what we've already said isn't we that we've got the board of directors setting the tone of the business management being able to assess where their risks lie of not achieving their objectives proper information system in place so that you know we are aware of the financial position of the business at any time management are aware of problems immediately monitoring of key performance indicators those sorts of things so that system has been put in place fourthly that within each of the transaction cycles again there are control activities that have been predetermined now these we're going to talk about a lot in just a minute but the control activities is the detail of the controls in place first of all you need a proper environment it's like closing the door to make sure no one can come in and interrupt your meeting and then you carry out your activities which are things like reconciliations we'll cover them in a minute and finally the board needs to be able to look back and monitor the whole system and make sure again that the control system is working and that may well include an internal audit function and again internal audit may well be i'm there to monitor and help to monitor the controls that are set down are actually adhered to so running a good business and keeping it under control a decent control environment in the first place make sure people are clear about what they do management are able to assess the risks there's a good information system in place individual control activities have been predetermined and adhered to and finally again there's a monitoring process again like internal audit of the audit committee standing back and making sure that everything has been adhered to so you may be asked for the five components of an internal control system remember crime and make sure for the exam you could write perhaps a sentence about each of them the one that we need to take to much more detail though is this concept of control activities now control activities are much now more drilling down to errors in the financial statements as it says here i am now concerned about things being wrong in the accounts of the assertion level so as an example an assertion is something like completeness an item in the p l is sales or revenue so i might say what are the controls in place to confirm completeness of sales completeness of revenue an assertion is something like existence what controls are in place to make sure there is existence of inventory that the exists the inventory recorded in the books is the inventory that's actually physically there at the moment again there are various categories of these and i'll talk about some of them now or introduce some of them one of them is segregation of duties in particular if you took something like the purchase ledger then someone in the business would be responsible for making decisions about what to purchase for the business later someone has to pay the supplier it is very important that those two people are different people because otherwise in theory if barry makes the order and barry pays for the order there could be fraud barry could order stuff for himself and then initiate payment so what would be much better isn't it is that barry makes the order and then later someone else carry initiates payment it's not all about fraud a lot of it is about error you know when you prepare a set of accounts in your accounting exam you can never make your balance sheet balance and your tutor looks over your shoulder and said look there's a transposition error and you say how silly so a lot of it again is about you know prevention of errors sometimes in smaller businesses segregation of duties is not always possible the second type again that i'll mention now very easy to understand whatever it is needs to be authorized on the payroll cycle we need to authorize don't we things like overtime on the sales cycle we need to authorize credit limits for customers on the purchase cycle we need to authorize which um again payments all payments to some extent but specifically payments over certain limits so authorization there are controls in place to make sure that someone responsible again is actually authorizing whatever it happens to be at that stage in the business process reconciliations a very very very important term you've already met bank reconciliations um so bank reconciliations in your earth studies for other subjects we'll meet later within this syllabus supplier statement reconciliations suppliers send statements every month and we need to make sure don't we that everything that's on their statement is on the ledger unless it's an error there are also internal reconciliations within the business so things like a payroll reconciliation reconciling the amount that's being charged in the nominal ledger again against the amount that's ultimately again being paid out to the staff and for deductions and so on so reconciliations make sense finally again you've got physical controls which we understand the lock on the safe the lock on the door the keypad to gain access to the department and of course i.t or logical controls which i'll be talking about much more in a later chapter so we're saying that there are five elements of a control system one of them is control activities and there are various types of control activity like segregation reconciliations these controls will vary depending on whether you're looking at revenue or ppe or cash at bank and so on inevitably the auditor needs to be aware though of course that sometimes controls will have limitation again i'd make sure you learn at least the bold words and the or you're able to explain perhaps four of these they make sense the client has to assess cost benefit it might be that it's simply not worth putting the control in place if the monetary amounts are not significant even if harry does something and carrie checks it there's still a chance of human error carrie might you know missed that particular transaction collusion of course it's fine isn't it for barry to to initiate the order carry to process the payment but what if barry loves carrie in which case there's a chance isn't there thou cooperate it's extremely rare but it happens and we have to be aware of it and sometimes again there's a chance sometimes in a smaller business but even in larger companies where the chief executive if they're an unpleasant person and they like shouting at people will just say no don't worry about that or you're fired in addition controls don't always um apply to non-routine transactions so there are controls over sales and purchases and so on but it may be again that there are transactions outside again the normal business cycle and perhaps there are no controls in place for it again one of them that's mentioned in the notes is disposal of non-current assets particularly if that's scrapped because it may be that someone in the factory says that's broken they stick it in recycling they're not aware sometimes because they work in the factory they're supposed to fill in a form and notify someone who maintains the non-current asset register so looking up here as it says right at the top we are always aware again that we will never ever eliminate the risk of error that is why of course we will always have to do some element again of sub substantive testing within the financial statements it will always have to be there to some extent remember substantive testing is testing the numbers there's a nice reminder isn't that about while we're thinking about this down here when it reminds us about the audit approach so what we're doing is looking at the control system seeing if it's well designed if it's badly designed we'll just have to test the numbers by ourselves lots of expense for us and then the client however if it looks like the controls are working well then we can do a more cost effective audit and that means we will reduce the level of numbers or substantive testing but it's one thing to say the controls are well designed it's another thing to say well they actually work and that means we need to test them clearly if you say to someone well do you do a bank reconciliation every month they'll say yes it's like saying to a child do you do your homework every night and they say yes have you brushed your teeth yes but the truth is they haven't have they unless you've observed them in the bathroom that's the child of course brushing their teeth so we need to make sure we not only check the design but also again then test the controls and what we might say is step one is it well designed step two now let's actually go ahead and test there's a little bit of audit theory coming out now with some relatively new jargon so you should be aware of the difference between these so make sure you learn these definitions be prepared to write a sentence about each first of all direct controls direct controls as it says are sufficiently precise detect prevent and correct misstatements now you then say well what does that mean so as it says further down here it tends to be things in information system tends to be things in control activities so examples on example of a direct control would be something like a bank reconciliation a bank reconciliation if done properly will help to assess the cash at bank is fairly stated the auditors may well be testing those also at a higher level they'll also be testing indirect controls as it says those are those are those that support direct controls and that that much more controls in the control environment again risk assessment and monitoring because if i know that internal audit is operating properly i've got comfort that they will have chased up things like bank reconciliations so don't lose too much sleep about this we'll summarize what to write in the exam in a minute but i'm just saying indirect controls an example of an index could direct control would be again looking at things like the the performance of internal audit so it's things which are linked things which are linked again to again risk assessment control environment and monitoring let's imagine it's a four mark question a mark for the the definition in the first place a mark for an example so if you can remember the points i'm underlining because this is quite topical i think you'll be okay direct controls sufficiently precise to prevent detect misstatement often associated with control activities example bank reconciliation two marks the other one now indirect controls support direct controls example monitoring again example again there you are internal audit that's plenty but what that's the theory the practice is to say well how do we actually write tests of control what sorts of things are we doing so controls let's think about a couple controls would be things like the staff must count the inventory in pairs that's the client staff so that they're both one is counted the other one's checking the count of the first one that's a control supply statement reconciliation that's a control so it's those sorts of things so what sorts of things would then constitute tests of control now this is the well it all needs learning but this point down here is so important again that it's very important indeed so frequently test controls would involve the verb inspect so i'm going to write a test of control inspect sample because we always test samples we don't want to test them all of bank reconciliations to confirm now if you do anything you evidence that you've done it in some way manual or electronic signature and again presumably they then be reviewed by someone else so i'm just gonna say to confirm signed by someone as evidence of review so barry did the bank reconciliation barry's manager matilda then reviewed it and signed it so notice the structure of my sentence inspect confirm what i'm not inspecting to confirm a number that's a substantive test i'm expecting to observe a control the control is the signature by the manager i'm making sure that control is in place now abs you could could you use observe for a bank reconciliation observed barry doing the bank reconciliation well it's a it just sounds a bit silly doesn't it you'd feel like a bit of a walnut wool flower i think that's the phrase but observe observe well observe the inventory count there we go we've made we're making one up here observe the inventory count to confirm there are two staff counting the stock i'll just put counting notice again the words in the middle of the sentence to confirm after the confirm here's the control the control is that there are two staff there doing the count so observe to make sure the procedure is being carried out clearly there is a little bit of an issue there because staff know when they're being observed so well that's just something you have to live with finally although this one is not very important uh really um the clients don't like this very much re-perform do the control again well easiest way to visualize that is at the count harry has counted the lemons there are five barry has counted the lemons there are five i'm the auditor i will now count the lemons as well five clearly by me redoing what they've done it will confirm that actually their control of barry checking harry or whoever it was was in place or another way another one might be to re-perform re-perform a bank reconciliation why the client's already done it so they're standing you with their looking at you with their mouth open and you're saying i'm going to do my bank reconciliation and then we'll compare the two so the client staff don't like it we have to say tough sausage don't write that in the exam either reperform the bank reconciliation to confirm that it's been properly performed by the client i'm just making sure they did it properly in the first place notice the sentence structure to confirm every single time sometimes people say to me well could i use a different sentence structure watch my lips no i'll say that again no no you always write it using that sentence structure and everything will be fine um it does say underneath a very important point about a dangerous thing and that is this word inquire so ask the child if they've done their homework ask the bank robber if they robbed the bank you know it's just useless so it does actually form sometimes part of controls testing but it would always have to be combined with other things so this verb inquiry i think is very dangerous in life but also in the exam so if you're asked for four tests of control and you write for beginning with inquire how many marks will you get probably nothing so don't do it inspect observe and reperform trust me that's how you pick up the marks on basic tests of control we'll talk about other techniques again a bit later just recapping so far what are the key things that we've mentioned so far in this lecture coming back here quite a lot of things we talked about the methods of recording the system principally flow charting for many businesses we talked about the five components of control control environment risk assessment information systems control activities and monitoring we talked about some examples of control activities um we said that controls you cannot rely on a hundred percent and then finally we've been talking about some types of tests of control of verbs inspect observe and re-perform at the end of the audit there are two outputs one is and this is what the client wants is an opinion where the accounts are fairly stated in addition we also tell them about things that have gone wrong with their control system and it's really adding value to the audit so further down here as it says we will report back to management on internal control when i was an auditor it was described as adding value to the client so i will make sure that i notice again deficiencies and i then communicate them sometimes to those at the top those charged with governance sometimes if it's less significant to those lower down management and we would do that in a management letter a management letter at the end of the day will really summarize what the problem is it could be that you've got badly designed controls or it could be controls that are not working properly and of course if management addressed these things it might save the money it will certainly save the money next year when we do the audit because we'll be able to rely more on their controls and less on testing the numbers ourselves so here's the kind of thing in the management letter traditionally they present them in three columns you have a problem this is what the consequence might be and this is how you can fix the problem so let's just have a look at what they've got down here what's a problem a problem is that you notice that invoices are not cancelled when paid so it's probably done electronically now but traditionally the the chief accountant when they signed it they did agree to pay a particular supplier would have a big rubber stamp and that stabbed the invoice paid to make sure they didn't pay it again in a particular business they don't do that what's the implication of that what's the impact of that for management the impact of course you might pay more than once and of course this gets management attention because they say they hate wasting money or i hope they do and finally say well this is what you could do so you should mark or stamp the invoices paid to solve the problem and that's the idea of the traditional management letter there we are so we've had a look at controls make sure you learn the five components of the control environment that you sorry the control system that you've got examples of control activities that you know the difference because this is topical between direct and indirect controls and practice writing tests of controls find the control put the word inspect observe or re-perform in front of it and see if you can finish the sentence i think you'll be fine and there we are that is our little lecture around controls