What is the relationship between strategies of an entities and internal controls?
There is direct relationship between the strategies and internal controls because controls are established to attain the objectives. For example if one of the objectives of the entity is orderly and efficient operations, controls may be established to reduce wastage of material and reduce overtime.
Why obtaining an understanding of internal controls and evaluating the design of controls and determining whether these have been implemented, is not sufficient to serve as testing operating effectiveness of controls?
Although the auditor . ordinarily uses .same procedures in obtaining understanding of the design and implementation of controls and procedures for tests of operating effectiveness of controls, (except that re performance is not a procedure for obtaining understanding) the objectives are different. The objective of tests of control is to evaluate whether a control operated effectively.
Tests of operating effectiveness involves testing the controls throughout the period.
Tests of operating effectiveness requires a large sample size. The more the auditor intends to place reliance on tests of controls, the greater is the extent of test of controls.
Suggest significant control procedures over cash receipts
1. The post should be opened in the presence of responsible official.
2. At least two persons should be present at the time of opining the mail
3. A date stamp should be affixed on the post indicating date of receipt
4. All cheques received should be marked “Account payee only”
5. A receipt should be given for cash receipts
6. Cash and copy of the receipts should be handed over to the cashier
7. CCTV should be installed at the point of receipt of cash
What are limitations of tests of controls?
Certain limitations of tests of controls are:
1. Tests of controls are generally applied to routine transactions only
2. The sample drawn for tests of controls may not be representative of population
How would entity’s risk assessment procedures be evaluated by:
(a) Evaluation of entity’s risks assessment procedures by external auditor.
1. Consider how management. identifies business risks relating to financial reporting.
2. Consider how the man . ment determines significance and likelihood of such risk.
3. Management actions to manage the risks.
4. Identify risks of material misstatement which the management could not identify.
5. Report weaknesses in .the entity’s risk management process to those charged with governance.
(b) Evaluation of entity’s risks assessment procedures by internal auditor.
1. Obtain understanding of entity’s objectives.
2. Discuss with departmental managers the nature of the risks in their departments.
3. Consider how the management determines significance and likelihood of such risk.
4. Assess controls to manage the risks.
5. Test controls to provide evidence that they operate and provide effective management of risk.
6. Make recommendations to departmental manager for improving the operations.
7. Assess risks due to non compliance of laws and regulations
Is the auditor always required to make preliminary assessment of internal
controls and to perform tests of controls?
nswer-7Obtaining understanding of the design of internal controls (preliminary assessment) is mandatory. However, tests of controls are performed only when the auditor seeks to place reliance on internal controls, or where substantive procedures alone do not provide sufficient appropriate evidence (for example in IT environment)
Discuss matters to be considered in the audit of small business
Matters to be considered in the audit of small business are:
1. Many internal controls which would be relevant to large entities are not practical in small business, for example segregation of duties.
2. Strong management control system in which owner / manager supervisory control exist because of direct personal knowledge of the entity and involvement in transactions
3. Extended substantive procedures have to be performed.
4. Relatively more reliance has to be placed on management representations
5. If the auditor is requested to perform accounting work, it should be clearly mentioned that the accounts have been complied from the data provided by management. The auditor has only assisted management in preparing financial statements and takes no responsibility for the correctness of such statements.
Discuss the concepts “auditing around the computer” and “auditing through the computer”
Auditing around the computer
Auting around the computer involves testing controls ignoring the computer, in an IT environment. It is similar to testing control in a manual internal control systems. The procedures performed are similar to the manual procedures of tracing transactions through selected components of the client’s accounting and internal control system to he existence and effectiveness of internal controls.
The Auditing around the computer is used when the processing applications well documented and sufficient visual output exists or can be the client. The auditor can use familiar auditing procedures the tests and it is not necessary to test computer programs around the computer may be used to test most of the general IT controIs.
A disadvantage of this approach that cost-effective techniques available through the use of CAATS are not used.
Auditing through the computer
Auditing through the computer involves use of computer – assisted audit techniques. These tests are used generally in testing input validation routines and programmed processing controls. The technique has to be used when a significant part of the internal controls are related to computer program and there is a significant missing auditing trail. Disadvantages of this techniques are the specialized knowledge and skills required, and the possible interference with the clients data processing operation when the auditor uses client’s equipment, programs and files.
What controls should be exercised before recording accounts payable in
Before entering a liability for goods and services following control should be exercised.
1. Request the user department to authorize the purchase invoice.
2. The purchase price should also be authorized by the designated officials.
3. The accounts department should match the invoice with goo received note and purchase order. In case of services received, the user department should be requested to certify that services have been received to the satisfaction of user department.
4. The invoice should be checked for proper coding for expenses.
5. Arithmetical accuracy of the invoice should be checked.
Describe certain significant procedures relating to sales and receivable in IT environment
Certain significant procedures relating to sales and receivables in IT environment include:
– Customer’s order is entered on the computer
– The computer program checks the customer’s name and credit limit on the master file
– Sale department enters the customer name, account number and quantities to be delivered
– The stores department prints the dispatch note and dispatches the goods to customer
– Acknowledgment of customer is obtained on the dispatch note
– The compute updates the inventory records
– The accounts department enters sale price, prints sales invoice and sends the sales invoice to customer
– The computer updates accounts receivable record, sales account and cost of sales
– The computer also updates the aging analysis of receivables.
(a) Describe how would you apply test data technique regarding sales
and receivables. What are the limitations of such techniques.
(b) How would you use auditing around the computer to verify sales?
1. Review clients’ documentation and identify programmed controls
2. Obtain updated print out form the client
3. Create, for example, 25 invoices
4. Enter transactions on a spread sheet
5. Calculate predetermined computer results
6. Process stimulated transactions with the client’s computer program
7. Obtain updated print Out and compare with the predetermined results
8. If the predetermined results match with updated print out, controls are assumed to be functioning as stipulated in program documentation
9. Prepare another 25 sales invoices. This time, the invoices the should reflect invalid data including incorrect customer numbers, invalid name, products in which the company does not deal, funny dates, unusual credit limits
10. Check that the computer does not accept invalid invoices.
1. The auditor cannot be sure that the same program is used in daily operations as used for test data
2. The test data technique is time consuming and has to be tailor-made for each client
3. A successful test data run does not necessarily indicate effectiveness of client’s internal controls because other types of errors or frauds could occur outside the computer processing area. For example, failure to report all cash receipts.
From the computer output, select 35 sale invoices
Check copy of sales invoices with computer print out
Check arithmetical accuracy of invoices
Trace to accounts receivable records
Compare invoices with dispatch notes
Carry out sequence test of invoices
Briefly discuss control procedures over purchases in IT environment
Control procedures over purchases and payables
When goods reach re order point, a stores requisition is generated
• The requisition is approved by the stores department and it is sent to purchasing department
• Purchasing department prepares purchase order on computer and sends it to supplier
• The computer accepts the order only if it traces the name of supplier in the standing file. Thus it is ensured that the orders are placed only with authorized suppliers
When goods are received the details are entered in the computer system
Supplier sends the invoice to accounts
Accounts department inputs the invoice in the computer system
The computer system accepts the invoice only if the system has a record purchase order and record of goods received
The computer system posts invoice to accounts payable record.
Audit risks is composed of inherent risk, control risk and detection risk Control risk and inherent risk are risks prior to audit and termed as risk of misstatement in the financial statements. Conglomerate is a high risk client is a high risk client. The auditor should be alert to following risk areas.