
Chapter 5

Systems Assessment

Internal Control
Auditors need to understand the client's system so that they can:
1. Assess its reliability for the preparation of financial statements.
2. Design suitable audit procedures.

If the auditor is able to rely on the system, it will be because it contains some of the components of internal control as set out in ISA 315.

A company's management has a number of obligations:
1) To manage the business effectively.
2) To produce timely and accurate financial statements and management information (both for management and statutory purposes).
3) To safeguard the business assets.
4) To prevent and detect fraud.

The purpose of a system is to enable the business to:
a) Collect data.
b) Summarize data.
c) Produce FS and management information.
d) Aid the directors in complying with the above obligations.

WHY AUDITORS CARE ABOUT INTERNAL CONTROLS


= Because if controls appear to be good, assurance is gained that the Financial Statements are materially correct, meaning that substantive testing can be reduced.
= Because a good control system helps in the assessment of the strength and integrity of the client's management.

What is an internal control system? (ISA 315)


Understanding of Internal Control is used by the auditor:
1. To identify types of potential misstatements;
2. To consider factors that affect the risks of material misstatements; and
3. To design the nature, timing and extent of further audit procedures.

Definitions of Internal Control: Internal control is the process designed and effected by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of the entity's objectives with regard to:
1. Reliability of financial reporting,
2. Effectiveness and efficiency of operations, and
3. Compliance with applicable laws and regulations.

It follows that internal control is designed and implemented to address identified business risks that threaten the achievement of any of these objectives.

It is generally accepted that a good Internal Control System is made up of 5 elements:
= A strong Control Environment
= Good Control Procedures
= Good Risk Assessment
= Good Information Systems
= Effective Monitoring (typically the role of internal auditors).

Control environment
The control procedures are unlikely to be effective unless there is a strong control environment:
= Management Attitude needs to be strong:
  = managers follow same controls as staff, no override
  = those breaching controls are punished
  = controls are part of staff training.
= Staff who are likely to follow the controls:
  = recruitment process to get right sort of people (e.g. no criminal record)
  = training to ensure all understand importance of controls.
= Segregation of Duties:
  = different parts of processes done by different people
  = nobody checks their own work
  = nobody has total control of all parts of a transaction.

It encompasses the following elements:
(a) Communication and enforcement of integrity and ethical values
(b) Commitment to competence
(c) Participation by those charged with governance
(d) Management's philosophy and operating style
(e) Organizational structure
(f) Human resource policies and practices

Auditor should evaluate how these components have been incorporated into the entity's processes.

ii) The Entity's Risk Assessment Process
It is the process of identifying and responding to business risks that affect the entity's financial reporting. Such a process includes how management:
1. Identifies risks that affect the entity's ability to produce financial statements that give a true and fair view,
2. Estimates their significance,
3. Estimates the likelihood of their occurrence, and
4. Decides upon actions to manage them.

Risks relevant to financial reporting include internal events, and external events and circumstances, that may occur and adversely affect an entity's ability to initiate, record, process, and report the financial information.

Risks can arise due to circumstances such as the following (internal/external):
a) Changes in operating environment
b) New personnel
c) New or revamped information systems
d) Rapid growth
e) New technology
f) New business models, products or activities
g) Corporate restructurings
h) Expanded foreign operations
i) New accounting pronouncements

iii) Information system, including the related business processes, relevant to financial reporting and communication
The information system consists of:
1. Infrastructure (physical and hardware components),
2. Software,
3. People,
4. Procedures, and
5. Data.

Infrastructure and software will be absent, or have less significance, in systems that are exclusively or primarily manual. Many information systems make extensive use of IT.

Importance of Information System
Accordingly, an information system encompasses methods and records that:
= Identify and record all valid transactions.
= Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial reporting.
= Measure the value of transactions in a manner that permits recording their proper monetary value in the financial statements.
= Determine the time period in which transactions occurred to permit recording of transactions in the proper accounting period.
= Present properly the transactions and related disclosures in the financial statements.

Communication
Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control, understanding the roles of others, and doing exception reporting to higher level management. Communication takes such forms as policy manuals, accounting and financial reporting manuals, and memoranda. It may also be made electronically, orally, and through the actions of management.

Control procedures
There are several types of control procedure:
= Comparison
= Authorisation
= Reconciliations
= Computer Controls
= Arithmetical
= Physical

or CARCAP for short.

Risk assessment: Clearly, if the risks are not identified properly at the start of a risk management process, the wrong control procedures will be put in place ... and so the control system will fail. Unfortunately, this issue can never be completely avoided ... because whatever controls you have in place, a clever criminal will inevitably find a way around them!

Information systems: You can only know if your controls are effective if you have accurate information being produced. Inaccurate information may be hiding problems.

Monitoring: On paper, many systems sound fantastic and impossible to break. In reality, the truth is often very different. Despite massive security, high profile buildings often get broken into ... often because the controls that management THINK are happening are in fact routinely ignored. Companies should monitor their controls to ensure they are taking place, and are achieving the desired effect. Monitoring is typically carried out by Internal Auditors.

Benefits of Internal Control to the entity


Based on our previous studies we can now identify the following principal benefits that may arise for an entity from a sound system of internal control:
a) Assurance that all transactions are completely and accurately processed.
b) Confidence that only authorized transactions take place.
c) Assurance that adequate documentation supporting transactions is created and retained.
d) Assurance that the company's assets and liabilities are correctly stated, in order for them to make informed decisions on the operations of the business.
e) Minimization of the risk of fraud and misappropriation of assets.

Benefits of Internal Control to the auditor


Of course, if the audit client benefits from a sound system of internal control, it is likely that the auditor will also benefit. All of the above stated benefits help to promote a situation where the financial statements present a true and fair view. In simple terms, a good system of internal control will make life easier for the auditor.

Auditor's work on the Internal Control
International standards on auditing emphasize the importance of internal control to the auditor by stating that the auditor should:
a) Obtain an understanding of the accounting and internal control system sufficient to plan the audit and develop an effective audit approach, and
b) Use professional judgment to assess the components of audit risk and to design audit procedures to ensure it is reduced to an acceptably low level.

At an early stage in their work auditors will have to decide the extent to which they wish to place reliance on the internal controls of the enterprise. As the audit proceeds, that decision will be kept under review and, depending on the results of their examination, they may decide to place more or less reliance on these controls.

Internal Control Questionnaire


An ICQ is a list of all possible controls for each area of the financial statements. The client staff are asked questions and systems documentation is reviewed to establish which controls exist. Features:
= Used in large company audits
= Used to place reliance on internal controls
= Used to design audit approach

Definition: An ICQ is a formal and usually standardized document which:
1. Comprises a list of internal controls in existence, and
2. Highlights any weaknesses.

Objectives:
(i) To ascertain a client's systems of accounting and internal control,
(ii) To evaluate the control system thus recorded, and hence
(iii) To identify those controls which indicate strengths in the system upon which the auditor will seek to place reliance, and
(iv) To identify those areas over which there are weak or no controls and which therefore must be subjected to more extensive substantive testing and reported by inclusion in the Management Letter.

Construction of an ICQ
I) It is good practice when designing ICQs to state, as a brief introduction:
i. A list of control objectives which each sub-system under consideration should seek to achieve
ii. Any business considerations specific to the enterprise under review which should be taken into account.
The reason for this is essentially to highlight key areas for the audit staff's consideration.

II) The questions in an ICQ should be designed to ascertain whether the control objectives are being achieved and should therefore cover such aspects as:
a. Instructions given to staff in the performance of their duties
b. Authorization procedures
c. Documents and procedures used to originate transactions
d. Recording procedures
e. Sequence of procedures
f. Custody procedures
g. Relative independence of the persons involved at each stage of a transaction (i.e. segregation of duties).

III) The questions should be framed such that a Yes/No answer is given, with a No answer usually indicating a control weakness.

IV) An ICQ should carry such basic information as:
(a) The name of the document (ICQ)
(b) The system to which it relates (e.g. purchasing cycle)
(c) The client to whom it relates
(d) The accounting period under review
(e) Evidence of who has prepared and reviewed the document
(f) The provision of columns for:
- Yes and No answers
- Comments where neither Yes nor No is applicable
- Indicating the significance or otherwise of apparent weaknesses
- References to audit programs
- References to Management Letters.

ICEs: ICEs (sometimes referred to as ICEQ) do not attempt to record all controls like an ICQ. An ICE is far more useful as an evaluation tool for the auditors, as its focus is on whether IC objectives are being met.

Limitations of internal control systems


Even if Control Systems are assessed as very strong, auditors will still do SOME substantive testing. Controls are never completely reliable because:
= staff make mistakes
= staff collude to override systems
= staff believe the cost of the control is greater than the benefit ... so refuse to do it
= controls are designed for normal events ... unique / new types of transaction may bypass the system.

Assessing an internal control system


Find out what system client has
Ask client, or read their internal procedures manuals.

Ensure system understood


May use walk-through tests, following 1 transaction through the system.

Record System
May use flowcharts, or questionnaires, or simply write it out in words.

Assess System
Does it help to keep the Financial Statements accurate?

Test System
If Controls look good, test them to ensure they operated throughout the accounting year. If the controls did operate properly, then assurance is gained that the Financial Statements are accurate ... so substantive testing can be reduced.

Reporting weaknesses in controls to the client


If the auditor believes Controls could be improved, it would be professional to advise the client of the weaknesses, the consequences of these weaknesses, and make recommendations for improvement.

Communicating deficiencies in internal control to those charged with governance and management (ISA 265)
ISA 265 requires that this communication is done in writing and on a timely basis and we often refer to this as a Management Letter. In practice, the management letter is sent to the client either after the controls testing is completed, or at the end of the audit (if nothing urgent was found after the controls testing). The Management Letter has two parts:
= covering letter
= appendix.

The Covering Letter is a brief note explaining:


= why the client is receiving this
= that the weaknesses found are only those discovered during the audit ... there may be other problems as well
= that the advice is for internal use only and should not be passed to anyone else.

The Appendix has the detailed:


= WEAKNESSES
= CONSEQUENCES
= RECOMMENDATIONS.

It will also typically have space for the client to confirm what action they propose to take.

The ISAs, and in particular ISA 260 Communication of audit matters with those charged with governance, place some further responsibilities on the external auditors. The main forms of formal communication are:

The Letter of engagement
An engagement letter defines the legal relationship (or engagement) between a professional firm (e.g., law, investment banking, consulting, advisory or accountancy firm) and its client(s). This letter states the terms and conditions of the engagement, principally addressing the scope of the engagement and the terms of compensation for the firm. Most engagement letters follow a standard format. The example given below refers to the engagement of an accountancy firm.

Standard format for letters of engagement
Addressee: Typically addressed to the senior management (e.g. CEO) of the client.

Identification of the service to be rendered: One type of service is a financial statement audit. Provided in this section is a brief description of the nature of the particular service. Other services that are planned for the audit (e.g. evaluation of internal control, preparation of regulatory reports) are also identified in this section.

Specification of the responsibilities of the auditor of the company: This section refers to the specific professional standards and responsibilities of the auditor.

Constraints on the accounting firm: For example, timing of access to client facilities and accounting records may delay the engagement.

Deadlines: This section lays out the estimated date of completion and release of the financial statements, as well as the general guidelines for the timing of the audit work.

Description of any assistance to be provided by the client: Typically, the client's personnel will prepare some schedules (e.g. bank reconciliations) and retrieve documents from files. The letter should describe the assistance of client personnel. If the assistance is not provided and the auditors must complete the work themselves, this section of the letter would provide justification for additional fees to the client.

Interactions with specialists, internal auditors, and the predecessor auditor needed to conduct the audit: Some specialists needed on an audit may include engineers to verify the stage of completion of electronic components, real estate appraisers to appraise realizable value of real estate used as collateral for loans, actuaries to evaluate the funding requirements and future cash flows associated with pensions or postretirement health costs, and attorneys to evaluate the likely disposition of contingent losses arising from litigation.

A disclaimer: Describing the limits of the audit. Typically this expresses that an audit is not designed to detect all forms of fraud or illegal acts; rather, an audit checks the financial position of a client with reference to generally accepted accounting principles.

A description of the basis for fees: This may include a fixed fee or an estimate of fees based on expected completion time and billing rates of firm employees assigned to the engagement.

Ownership and accessibility of the auditor's files to external parties.

The management letter (sent at the end of the audit period): The management letter identifies issues that are not required to be disclosed in the Annual Financial Report but represent the auditor's concerns and suggestions noted during the audit.
The comfort letter: A letter given to organizations or persons of interest by external auditors regarding statutory audits, statements and reports used in a prospectus. The comfort letter will be attached to the preliminary statements as assurance that it will not be materially different from the final version.

Comfort letters can be used by lenders, such as banks, as solvency opinions on whether a borrower can meet the payment obligations of a loan. They are opinions and are not guarantees that the underlying company will actually remain solvent.

Comfort letters can also be used by underwriters as part of their obligation to carry out "reasonable investigation" into offerings of securities. These letters of comfort will ensure that the reports provided conform to the generally accepted accounting principles (GAAP). This helps the underwriter better understand aspects of the financial data which might not otherwise be reported, such as changes to financial statements and unaudited financial reports.

A comfort letter is a document prepared by an accounting firm assuring the financial soundness or backing of a company. The comfort letter can be issued by an auditor declaring no indication of false or misleading information in the financial statements and that the company's prospectus follows GAAP. This is sometimes used in connection with an initial public offering. Comfort letters are also sometimes provided by those involved in evaluating a company's assets, for instance, in the case of oil and gas companies, third-party reserve engineering firms.

A comfort letter may also be used as written assurance by a subsidiary's parent company or bank, used to offer 'comfort' to the buyer as to the seller's ability or willingness to perform its obligations. Comfort letters are often used because the seller is unable or unwilling to provide a guarantee on a certain outcome, such as the performance of a security.

Comfort letters are typically signed prior to the pricing decision or closing date for a given public offering or other transaction, as a part of the due diligence process. Subsequently, a "bring-down" letter is used to re-verify, as of a later date, that the original comfort letter is still valid.

Letter of Comfort (LOU) in finance terminology is a type of guarantee provided by one bank to another bank. A Letter of Comfort is also used by importers to arrange funds in products like buyers credit. For example, a bn importer in India may want cheap funds on LIBOR rates; an international bank can provide these funds subject to a letter of comfort provided by the importer's existing working capital bank, stating that on the due date it guarantees the payment for the loan extended to the importer.

Additionally, the acknowledgement letter: A letter written to somebody to say that something that he or she sent has been received.

Representation Letter: Written confirmation from management to the auditor about the fairness of various financial statement elements. The purpose of the letter is to emphasize that the financial statements are management's representations, and thus management has the primary responsibility for their accuracy. Also, the letter provides supplementary audit evidence of an internal nature by giving formal management replies to auditor questions regarding matters that did not come to the auditor's attention in performing audit procedures. Some auditors request written representations of all financial statement items. All auditors require representations regarding receivables, inventories, plant and equipment, liabilities, and subsequent events. Frequently, all these representations are included in one letter. The letter is required at the completion of the audit fieldwork and prior to issuance of the financial statements with the auditor's opinion. Management acknowledges its responsibilities for running the company, the adequacy of financial policies employed, confirmation of practices observed during the audit, and confirmation to the auditor that management has made full disclosure of all material activities and transactions in its financial records and statements.

ISA 260: Communication of audit matters with those charged with governance
ISA 260 requires the external auditor to communicate audit matters of governance interest to those charged with governance of the entity. Those charged with governance means those entrusted with the supervision, control and direction of an entity and would therefore include the audit committee and non-executive directors. They only include management when it performs such functions.

Procedures:
= Such communications should be on a sufficiently prompt basis to enable those charged with governance to take appropriate action.
= All communications will be before the financial statements are finalized.
= The form of communications and the addressee of communications should be established at an early stage in the audit process (i.e. planning).
= Before reporting issues to the board, auditors should first discuss those matters with management. This gives management an opportunity to provide further information or explanations.
= If possible, matters should be addressed to the audit committee, or to the board if there is no audit committee.
= Generally, the communication should be two-way and ongoing, with either party keeping the other informed about relevant matters throughout the year.

Summary of responsibilities: Audit matters of governance include:
= Effects of significant accounting policies.
= Potential financial effect of risks/uncertainties.
= Material audit adjustments.
= Disagreements with management concerning the financial statements.
= Expected modifications to the audit report.
= Internal control weaknesses including Fraud.

Timing of Communication: (stages of audit and communication required)


Pre-Audit (Planning): the following issues are discussed and communicated
1. Practical matters concerning forthcoming audit
2. Expected audit fees
3. Nature and scope of audit work
4. Ensuring engagement letters are up to date
5. Independence of auditor.

During the Audit: when any situation occurs that needs to be immediately addressed. It would not be appropriate to delay communication until the audit is concluded.

After the audit (conclusion of audit): takes the form of a management letter including:
1. Major findings from the audit work
2. Observations on ICS weaknesses
3. Audit recommendations
4. Final draft of letter of representation
5. Expected modifications to audit report
6. Qualitative aspects of accounting/reporting practices
7. Uncorrected misstatements

Control objectives, procedures, tests


In the next few chapters, controls will be looked at for several major areas of a business. As an introduction to this, we need to understand what the terms control objective, control procedure, and control test mean.

Control objective: That only good quality products are sent to our customers.

Control procedures: Before goods are sent to customers, our quality control department tests a sample to ensure quality levels are high. Feedback is obtained from customers to avoid any quality issues being repeated.

Control tests:
= Auditor observes quality control department testing items before they are despatched.
= Auditor asks the quality control department how many items they test, and what tests they do.
= Auditor inspects despatch notes, because the quality control staff would sign them to show they had finished their checks.
