This chapter discusses:
• Risk assessment procedures and sources of information about the entity and its environment, including its internal controls
• Understanding the entity and its environment, including internal control
• Assessing the risk of material misstatement
• Communicating weakness in internal controls
• Documentation of accounting and internal control system
Risk Assessment Procedures And Sources Of Information About The Entity And Its Environment, Including Internal Control
The objective of risk assessment procedures is to obtain an understanding of the entity and its environment, including its internal controls.
Risk assessment procedures are:
(a) Inquiries of management and others within the entity
(b) Analytical procedures
(c) Observation and inspection
(a) Inquiries of management and others within the entity
Inquiry from: Aspect of understanding the entity
• Audit committee: understanding of the environment within which the financial statements are prepared, and of risk management
• Internal auditor: conclusions formed by the internal auditor as regards the effectiveness of the design and operation of internal controls
• Accounts department: selection and application of accounting policies
• Lawyers: risks of litigation and of non-compliance with laws and regulations
(b) Analytical procedures
Analytical procedures assist in the measurement and review of the entity's financial performance, and that performance in turn helps in obtaining an understanding of the entity. Analytical procedures are also useful in identifying potential problem areas.
(c) Observation and inspection
• Observation of the entity's activities and operations.
• Inspection of documents and records, for example purchase orders, sales invoices, dispatch notes and books of account.
• Study of monthly accounts and minutes of the board of directors.
• Visit to the factory.
• Walk-through tests.
Understanding The Entity And Its Environment
An understanding of the entity is required to assess the risk of misstatement. It involves the following aspects:
(a) Industry, regulatory and other factors including the applicable financial reporting framework
• Industry conditions such as competitive environment
• Regulatory environment
• Applicable financial reporting framework
(b) Nature of entity
• Operations, ownership, governance
• Class of transactions
• Related parties
(c) Objectives and strategies and the related business risks that may result in a material misstatement of the financial statements
• Operational approaches by which management intends to achieve its objectives
• Business risks resulting from significant conditions or events that could adversely affect the achievement of those objectives
(d) Measurement and review of the entity's financial performance
• Performance measures that may create pressure to falsify the accounts
Internal Control
Internal controls are the policies and procedures established by an entity to provide reasonable assurance about the achievement of the entity's objectives with regard to:
• Reliability of financial reporting
• Efficiency and effectiveness of operations
• Compliance with laws and regulations
The objective of a system of internal control is to reduce the business risks that may adversely affect the achievement of the above objectives. The auditor is only interested in those controls which pertain to the objective of preparing reliable financial statements.
The components of internal control are:
(i) Control environment
(ii) Entity risk assessment process
(iii) Accounting system
(iv) Control activities
(v) Monitoring of controls
(i) Control Environment
The control environment refers to the control consciousness reflected in the actions of management, i.e. the emphasis placed by management on internal controls. In a strong control environment, management creates an atmosphere in which employees are motivated to abide by the control rules.
Elements of the control environment include:
• Corporate governance
• Management philosophy and operating style
• Segregation of duties
• Budgetary control
It should be noted that the control environment refers to management's attitude generally and not to any specific assertion. It has a pervasive effect on the accounting system and the control procedures.
A strong control environment may increase the effectiveness of the control procedures; a weak one may nullify their usefulness.
(ii) Entity Risk Assessment Process
The auditor's duties as regards the entity's risk assessment process are:
1. Obtain an understanding of how management:
• identifies business risks relating to the financial statements;
• estimates the impact and likelihood of such risks.
2. Understand management's actions to address those risks.
3. Consider risks that management has failed to identify.
(iii) Accounting System
The auditor should obtain an understanding of the significant classes of transactions and of the procedures by which transactions are initiated, recorded, processed and reported.
(iv) Control Activities (Control Procedures)
Control activities are established to ensure that management's policies are complied with.
The areas covered are:
(a) Authorization
Transactions should be authorized in accordance with management's general or specific authorization, for example:
• purchase requisitions,
• purchase orders,
• sale prices, credit terms and credit limits,
• payments for expenses,
• appointment of employees, their rates of pay and changes thereto,
• purchase and sale of fixed assets.
(b) Performance reviews
Comparing actual data with budgeted data
(c) Information processing
• Checking arithmetical accuracy of documents and records.
• Control accounts and trial balance.
• All documents generated by the entity should be pre-numbered.
• Originals of all canceled documents should be maintained.
• After recording, documents should be properly filed.
• Comparing book balances with confirmations received from customers.
• Comparing book balances of suppliers with their statement of accounts.
• Comparing bank balances with statement of accounts
• Comparing physical inventory with book inventory.
• Comparing cash in hand with cash book
• Comparing investments with securities on hand.
(d) Physical controls
• Restricting physical access to assets and records.
• Only authorized persons permitted to enter the warehouse.
• Cheque books to be kept under lock and key.
(e) Segregation of duties
The following duties should be segregated from one another:
– Authorization of transactions
– Recording of transactions
– Safe custody of assets
Generally, the auditor is not required to obtain an understanding of the control activities relating to each assertion for every account balance or class of transactions. Some account balances may not be material, e.g. prepaid expenses, or can be verified 100% by substantive testing, for example additions to fixed assets. The auditor is only interested in those control activities which may materially affect the reliability of the financial statements.
(v) Monitoring of Controls
Monitoring of controls comprises the activities the entity uses to monitor the continued operation of its internal controls. The task is generally performed by the internal auditor.
4.1 CONTROLS IN IT ENVIRONMENT
Controls in an IT environment are classified as:
General IT controls
IT application controls
GENERAL IT CONTROLS
General IT controls relate to the environment within which computer based accounting systems are operated and are applicable to all applications.
The objectives of general controls include:
• Provide assurance that all applications have been properly developed and operated.
• Ensure that the program and data files are reliable.
• Ensure that overall objectives of internal controls are achieved.
General controls comprise:
• Organization controls
• Procedural controls for documenting, reviewing and testing computer programmes
• Controls over physical access to equipment and files
Organization controls relate to management's philosophy and operating style, and include segregation of duties and rotation of duties.
Segregation of duties between the computer department and users of applications
Ideally, the users of the applications should not be involved in computer operations. In particular, persons performing the following functions should not be involved in computer functions, and these functions should also be segregated from one another:
Approval of transactions.
Correction of errors
Initiate the transactions.
Custodian of physical assets.
Segregation of duties within the computer department
The following functions should be segregated within the CIS (computer information systems) department:
Data processing manager: overseeing and supervising data processing activities.
Systems analyst: designing the accounting system with the participation of user departments and developing specifications for the application programmes.
Programmer: (i) developing and testing new programmes, and modifications to existing programmes, to meet the specifications established by the systems analyst; (ii) coding the required programmes in a computer language.
Data entry clerk: keying information from manual source documents in accordance with instructions developed by the programmers.
Librarian: (i) maintaining and issuing files, including magnetic tapes or disks, and computer documentation; (ii) protecting computer programmes, master files, transaction tapes and other records from theft, damage, unauthorized use or alteration.
The bottom line is that the operations and programming functions should be separated. The IT department should neither authorize nor initiate transactions for processing: the user department should authorize and initiate transactions, and the IT department should process them.
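The segregation rules above can be checked mechanically against a listing of who holds which system roles. The following is an added example, not code from the text: it encodes the conflicts described in this section (the four user-department duties kept apart from each other and from computer functions, and programming kept apart from operations) and reports every user whose combined roles grant both halves of a conflicting pair. The role names, duty names and user assignments are constructed for the illustration.

```python
"""Segregation-of-duties (SoD) check over a set of user access assignments.

Added illustration for the rules described in the text; not code from the text.
The roles, users and duty names are constructed for the example."""
from itertools import combinations

# Duties the text says must be held by different people: the four
# user-department duties are separated from each other and from computer
# functions, and programming is separated from computer operations.
USER_DUTIES = ["initiate_transaction", "approve_transaction",
               "correct_errors", "custody_of_assets"]
IT_DUTIES = ["program_development", "computer_operations"]

CONFLICTS = {frozenset(pair) for pair in combinations(USER_DUTIES, 2)}
CONFLICTS |= {frozenset((u, i)) for u in USER_DUTIES for i in IT_DUTIES}
CONFLICTS.add(frozenset(IT_DUTIES))

# Constructed role -> duties mapping, i.e. what each system role can do
ROLE_DUTIES = {
    "purchasing_clerk": {"initiate_transaction"},
    "purchasing_manager": {"approve_transaction"},
    "accounts_clerk": {"correct_errors"},
    "storekeeper": {"custody_of_assets"},
    "operator": {"computer_operations"},
    "programmer": {"program_development"},
    "librarian": {"file_custody"},  # no conflict rule involves this duty
}

# Constructed user -> roles extract, the kind of listing an auditor obtains
ASSIGNMENTS = {
    "asha": {"purchasing_clerk"},
    "bilal": {"purchasing_manager"},
    "chen": {"storekeeper", "purchasing_clerk"},        # holds stock and raises orders
    "dana": {"programmer", "operator"},                  # writes and runs production programmes
    "erin": {"purchasing_clerk", "purchasing_manager"},  # initiates and approves
    "faiz": {"librarian"},
}


def duties_of(roles, role_duties=ROLE_DUTIES):
    """Union of the duties granted by a set of roles (unknown roles grant nothing)."""
    held = set()
    for role in roles:
        held |= role_duties.get(role, set())
    return held


def sod_violations(assignments=ASSIGNMENTS, role_duties=ROLE_DUTIES):
    """Return {user: sorted list of conflicting duty pairs} for every user whose
    combined roles grant both duties of at least one conflicting pair."""
    report = {}
    for user, roles in assignments.items():
        held = duties_of(roles, role_duties)
        hits = sorted(tuple(sorted(pair)) for pair in CONFLICTS if pair <= held)
        if hits:
            report[user] = hits
    return report


if __name__ == "__main__":
    for user, pairs in sod_violations().items():
        for a, b in pairs:
            print(f"{user}: holds both '{a}' and '{b}'")
```

The check works on the union of duties across all of a user's roles, which is what matters: each role on its own may look harmless, and conflicts usually arise when a second role is added to an existing user.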
Other organization controls
• Access to computer programmes should be limited so that only authorized persons may use them.
• Job rotation among computer operators is advisable.
• All employees should be required to take their annual leave, so that their work is performed by someone else for a period.
Programmed checks built into the system include the following:
• Check digit verification. The check digit only indicates whether the identification number is a valid one; it does not confirm that the code exists in the chart of accounts or master file. It is therefore still necessary to verify that the code number keyed also exists in the master file.
• Picture (format) check. The layout of each field is verified for compliance with its proper "picture", i.e. each position in the field contains an alphabetic character, a numeric digit or a special character from an acceptable range.
• Crossfooting check. All figures are added in the horizontal direction and then in the vertical direction. When the computer has completed the footings, the sum of the horizontal totals should equal the sum of the vertical totals.
• Sequence check. The check reveals data which is out of sequence.
• Code validity check. The computer programme rejects invalid codes by comparing the input code with a listing of existing accounts stored within the computer's memory.
• Field (character) check. A field that must contain numeric, alphabetic, zero or special characters, or some combination of these, is checked internally against the transaction code table in order to detect erroneous data before the detailed computer instructions are executed.
• Echo check. Data received by an output device is sent back to the source unit for comparison with the original data. The purpose of the echo check is to ensure that peripheral equipment such as a printer complies with the computer's instructions.
• Sign test. Some transactions are always posted to the debit or to the credit of certain accounts. Sign tests check that the appropriate debit or credit has been made.
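Several of these checks can be shown working together on a batch of input records. The following is an added example, not code from the text: it applies a picture check and a sequence check to a pre-numbered voucher field, a weighted modulus-11 check digit followed by a code validity check against a master file to the account code, a sign test based on each account's normal balance side, and a field check on the amount. The chart of accounts, the voucher-number picture PV99999 and the sample records are constructed for the illustration; the record with code 99996 is there to show the point made above, that a code can pass its check digit yet not exist in the master file.

```python
"""Programmed validation checks of the kinds listed above, applied to a
constructed batch of payment voucher records.

Added illustration, not code from the text. The chart of accounts, the
voucher-number 'picture' PV99999 and the sample records are invented."""
import re

# Constructed chart of accounts (master file): code body -> (name, normal side)
MASTER_FILE = {
    "1010": ("Cash at bank", "DR"),
    "1200": ("Trade receivables", "DR"),
    "2100": ("Trade payables", "CR"),
    "4000": ("Sales revenue", "CR"),
    "5000": ("Purchases", "DR"),
}

VOUCHER_PICTURE = re.compile(r"^PV\d{5}$")   # 'PV' followed by exactly five digits


def mod11_check_digit(body):
    """Weighted modulus-11 check digit (weights 2, 3, 4, ... from the right).
    For bodies of up to ten digits it detects any single mis-keyed digit and
    any transposition of two digits."""
    total = sum(int(d) * w for d, w in zip(reversed(body), range(2, 2 + len(body))))
    remainder = (11 - total % 11) % 11
    return "X" if remainder == 10 else str(remainder)


def validate_record(txn, expected_seq):
    """Return the list of exception messages for one input record (empty = accepted)."""
    errors = []

    # Picture check, then sequence check, on the pre-numbered voucher field
    if not VOUCHER_PICTURE.match(txn["voucher"]):
        errors.append("voucher number fails picture check PV99999")
    elif int(txn["voucher"][2:]) != expected_seq:
        errors.append(f"voucher out of sequence, expected PV{expected_seq:05d}")

    # Check digit verification, then code validity check against the master file
    body, check = txn["account"][:-1], txn["account"][-1:]
    if not (body.isdigit() and mod11_check_digit(body) == check):
        errors.append("account code fails check digit")
    elif body not in MASTER_FILE:
        errors.append("account code passes check digit but is not in chart of accounts")
    else:
        # Sign test: each account is normally posted on one side only
        name, normal_side = MASTER_FILE[body]
        if txn["side"] != normal_side:
            errors.append(f"unexpected {txn['side']} posting to {name}")

    # Field check: the amount must be a positive whole number
    if type(txn["amount"]) is not int or txn["amount"] <= 0:
        errors.append("amount must be a positive whole number")
    return errors


def validate_batch(records, start_seq):
    """Validate records in order; returns [(voucher, errors)]. The expected
    sequence number advances only from vouchers that pass the picture check."""
    results, expected = [], start_seq
    for txn in records:
        results.append((txn["voucher"], validate_record(txn, expected)))
        if VOUCHER_PICTURE.match(txn["voucher"]):
            expected = int(txn["voucher"][2:]) + 1
    return results


# Constructed input records: one clean, four with deliberate keying errors
SAMPLE_BATCH = [
    {"voucher": "PV00101", "account": "50008", "side": "DR", "amount": 12500},
    {"voucher": "PV00102", "account": "10013", "side": "CR", "amount": 12500},  # 1010 keyed as 1001
    {"voucher": "PV00104", "account": "99996", "side": "DR", "amount": 800},    # PV00103 missing; unknown code
    {"voucher": "PV0105",  "account": "40002", "side": "DR", "amount": 3000},   # short number; revenue debited
    {"voucher": "PV00105", "account": "21008", "side": "CR", "amount": -40},    # negative amount
]

if __name__ == "__main__":
    for voucher, errors in validate_batch(SAMPLE_BATCH, start_seq=101):
        print(voucher, "accepted" if not errors else "; ".join(errors))
```

The order of the tests matters: the code validity check is only meaningful once the check digit has confirmed the number was keyed correctly, and the sign test only once the code is known to exist in the master file.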
d) Controls over physical access to equipment and files
IT programmes and data files cannot be altered without the use of IT equipment. With the IT equipment, however, alterations to data may be made without leaving visible evidence. EDP equipment and files should therefore be secured from unauthorized access.
Physical security devices include, for example, security guards to check entrance to the computer room, both for staff and for outsiders. Even the programmers may not be allowed access to the computer equipment. Authorized passwords restrict access to data files and programmes.
Passwords provide control over access to computer programmes and files. An operator can be given access only to specified files. Passwords may be assigned at various levels: some permit data entry only, others permit corrections also, while some permit unrestricted access and viewing. The client should make full use of this facility. A senior official should keep a record of the access rights assigned to individual employees (the record should be of user identifiers and the access granted, not of the passwords themselves, which should be known only to their holders). Passwords should be changed frequently. Access to programmes should be limited: for example, only the computer operator should have access to the machine and files, and only the programmer should be able to make changes to programmes. At present this is quite a common practice.
• Only authorized software is acquired.
• Modifications to software are authorized.
IT APPLICATION CONTROLS
The strength of application controls is affected by the general controls. If, for example, general controls over access to programmes and documentation are weak, it is of little use to implement application controls over input. The objectives of application controls are to provide assurance as to the validity, authorization, completeness and accuracy of the processing of a specific application.
Application controls are categorized into:
• Input controls
• Processing controls
• Output controls
Input Controls
The objective here is to ensure proper authorization of input data and its complete and accurate conversion into machine-readable form.
In the case of batch processing, the user department should approve each batch. In the case of on-line processing, the computer may perform the authorization function; for example, a purchase requisition is generated automatically when an item of inventory reaches its reorder level.
• Check digit verification.
• Invalid data is corrected or resubmitted to the user department.
Processing Controls
The objective is to ensure that processing corresponds with the programme instructions.
Computer processing is exposed to the following errors:
• Processing the wrong files
• Updating the wrong files
• Loss of data
The controls are achieved through the application programme, which reads the input data, tests it against the built-in controls and prints error messages for the exceptions found during processing.
Output Controls
The basic objectives of output controls are to ensure that the processing results are accurate and that printouts are given only to authorized persons.
The above objectives are achieved through:
• Reconciliation of output control totals with input control totals.
• Comparison of output to source documents.
• Security of output before dispatch.
• Distribution of printouts only to authorized persons.
One of the techniques of achieving input and output controls is the batch control.
The objective of batch control is to provide assurance as to the accuracy and completeness of the data entered into the system. The totals struck on the documents before they are processed through the computer are compared with the totals obtained after processing. The commonly used batch controls are:
• Control total, i.e. the total amount of the batch documents, for example total payments.
• Hash total, for example the total of the payment voucher numbers (a figure that has no meaning in itself).
• Number of items in the batch.
Assume that following payment vouchers are included in batch to be processed.
The control total is 141,652, the hash total is 868 and the number of items in the batch is 8.
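The reconciliation described above (output control totals agreed to input control totals, and the three batch controls) is easy to show on a small batch. The following is an added example, not code from the text; the batch of payment vouchers and the three mis-keyed versions of it are constructed for the illustration and are not the batch referred to in the text. It strikes the three totals on the batch as submitted and again on the batch as processed, and reports which control each kind of keying error trips.

```python
"""Batch controls: control total, hash total and item count struck on a batch
before input and again after processing, then reconciled.

Added illustration, not code from the text; the batch below is constructed
and is not the batch referred to in the text."""

# Constructed batch of payment vouchers approved by the user department:
# (voucher number, payee, amount)
SUBMITTED = [
    (101, "Alpha Supplies", 12500),
    (102, "Beta Transport", 3200),
    (103, "Gamma Stationers", 845),
    (104, "Delta Power", 18760),
    (105, "Epsilon Rent", 40000),
]

# Constructed keying outcomes for the same batch
KEYED_CORRECTLY = list(SUBMITTED)
KEYED_AMOUNT_TRANSPOSED = [(n, p, 854 if n == 103 else a) for n, p, a in SUBMITTED]  # 845 -> 854
KEYED_WRONG_NUMBER = [(140 if n == 104 else n, p, a) for n, p, a in SUBMITTED]       # 104 -> 140
KEYED_DUPLICATE_FOR_MISSING = [SUBMITTED[0]] + SUBMITTED[:-1]                        # 101 twice, 105 lost


def batch_totals(vouchers):
    """(control total of amounts, hash total of voucher numbers, item count)."""
    control_total = sum(amount for _, _, amount in vouchers)
    hash_total = sum(number for number, _, _ in vouchers)
    return control_total, hash_total, len(vouchers)


def reconcile(submitted, processed):
    """Compare pre-input totals with post-processing totals and report which
    control each discrepancy trips. An empty list means the batch agrees."""
    before, after = batch_totals(submitted), batch_totals(processed)
    findings = []
    if before[2] != after[2]:
        findings.append(f"item count {before[2]} -> {after[2]}: voucher lost or duplicated")
    if before[0] != after[0]:
        findings.append(f"control total {before[0]} -> {after[0]}: amount mis-keyed, or voucher lost or duplicated")
    if before[1] != after[1]:
        findings.append(f"hash total {before[1]} -> {after[1]}: voucher number mis-keyed or wrong voucher processed")
    return findings


if __name__ == "__main__":
    print("batch as submitted:", batch_totals(SUBMITTED))
    for label, keyed in [("correct", KEYED_CORRECTLY),
                         ("amount transposed", KEYED_AMOUNT_TRANSPOSED),
                         ("number mis-keyed", KEYED_WRONG_NUMBER),
                         ("duplicate for missing", KEYED_DUPLICATE_FOR_MISSING)]:
        print(label, "->", reconcile(SUBMITTED, keyed) or ["agrees"])
```

The last scenario is why all three controls are used together: when one voucher is dropped and another keyed twice, the item count still agrees, and only the control total and hash total reveal that the processed batch is not the one that was approved.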
After completing the review of controls, the auditor makes a preliminary assessment of whether reliance on those controls is warranted. Where the preliminary evaluation of the application controls and general controls reveals ineffective controls, the auditor should move directly to substantive tests, which may be assisted by the use of CAATs (computer-assisted audit techniques). If the preliminary evaluation discloses application controls or general controls which may meet the auditor's objectives, he should design and carry out tests of controls.
In determining whether to perform tests of controls, the auditor will consider the following matters:
• Ease of performance of tests of controls
If the application controls are entirely manual, the auditor may decide to perform tests of controls relating to the application controls only, rather than to place reliance on general controls. However, before he can place reliance on application controls, the auditor needs to test the effect of the relevant general controls.
1. Limiting direct physical access to assets and records
2. Segregation of duties
The following duties should be segregated:
– Safe custody