Risk Assessment and Internal Control Richard O’Callaghan
- Slides: 58
Risk Assessment and Internal Control Richard O’Callaghan
Risk Assessment and Internal Controls • Working Papers • Understand & Record the System of Internal Control • Assess the Risk of Material Misstatement
Working Papers Richard O’Callaghan
What are Audit Working Papers? • The documents which record all audit evidence obtained during the audit • Used to support the audit work done in order to provide assurance that the audit was performed in accordance with the relevant auditing standards. • Show that: • The audit was properly planned • The audit was carried out • There was adequate supervision • The appropriate review was undertaken • Finally and most importantly: ultimately, they demonstrate that the evidence is sufficient and appropriate to support the audit opinion
Audit Programmes • ‘A road map’ for the audit • Offers many advantages to the auditor • Usually filed in the Current Audit File
Audit Programmes: Advantages • Permanent record of work • Provide clear instructions • Easy to follow progress of audit • Helps allocation of work to audit team • Staff member can initial each audit test • Individual tests can be cross-referenced to ICQ flowchart etc • Specifies areas subject to compliance, substantive or verification tests
Audit Programmes: Disadvantages • Danger staff may become too mechanical in their work • Extra labour involved in audit programme difficult to justify for a small audit, but usually still required • More capable audit staff do not get opportunity to show initiative & superiority
Permanent Audit File and Current Working File • Permanent file • Records matters of ongoing relevance such as a description of the business, its information system and accounting policies • Current file • Records matters specific to the expression of an opinion on the current year’s financial statements and includes • Working trial balance • Schedules and analyses • Audit programme
Internal Controls Richard O’Callaghan
Internal Control Introduction • Helps ensure the quality of internal and independent reporting • requires the maintenance of proper records and processes that generate a flow of timely, relevant and reliable information from within and outside the organisation • Helps ensure compliance with applicable laws and regulations, and also with internal policies with respect to the conduct of business
Control Environment • Relevant factors: • Integrity and ethical values • Commitment to competence • Management’s philosophy and operating style • Organisational structure • Assignment of authority and responsibility • Internal audit • Use of information technology • Human resource policies and practice • Board of directors and audit committee
Control Activities • Information Processing Controls • proper authorisation • documents and records • independent checks • Segregation of Duties • between executing, recording and custody of assets resulting from transaction • between steps in executing a transaction • between certain accounting operations • Physical Controls • Performance Reviews
Control Activities: Limitations • Only provides reasonable assurance because of: • costs versus benefits • management override • mistakes in judgement • collusion • breakdowns
Internal Controls • Application to smaller entities • Control in computer information systems • Potential to both increase and decrease risk of errors
Approach to Internal Controls • 5 Components of Internal Control (ISA 315 par 41): • Control environment • Entity’s risk assessment process • Information system • Control activities • Monitoring of controls
Systems and Components of Internal Controls • Internal Controls: • ‘are all the means devised by an org to promote, direct, restrain & check upon its various activities for the purpose of seeing that the org’s objectives are met’
Classification of Controls • Preventative Controls • Built into the system to foresee errors and deliberate misuse of resources, and to avoid the cost and other implications of correcting them. • Example: Segregation of Duties • Different person receiving inventory to the person dealing with payments to creditors. • Preventative Controls may not always be noticeable
Classification of Controls • Detection Controls • Measure effectiveness of preventative controls and help identify errors and intentional/unintentional misuse of resources when they occur • Needed to highlight problems as preventative controls cannot work 100% of the time • Example: Bank Reconciliations, Physical Inventory Counts • Detection Controls are generally obvious
Framework of Control • Organisational Controls • Policy Controls • Procedural Controls • Personnel Controls • Accounting • Budgets • Reporting • Internal Review
Types of Internal Controls • Organisation • Segregation of Duties • Physical • Authorisation & Approval • Arithmetical & Accounting
Procedure to Obtain an Understanding • Obtain Understanding by • Reviewing previous experience (Previous Years File) • Review Manuals • Inquiring • Inspecting documents and records • Observation and walkthrough
Internal Control Questionnaire (ICQ) and Internal Control Evaluation (ICE) • 2 ways an auditor can evaluate internal controls: • Internal Control Questionnaires (ICQ) • Internal Control Evaluation (ICE)
(ICQ) Internal Control Questionnaires • Records & Evaluates the system of Internal Control • Used to identify: • Internal controls the auditor can place reliance on • Any apparent weaknesses in the client’s system
(ICQ) Internal Control Questionnaires • Principles: • List of questions (suggest the best possible theoretical control- Yes/No) • Adaptable to many different systems • Can be easily used
(ICE) Internal Control Evaluation • Uses a standard method based on key control questions • Focuses on primary/key controls • Question format leads to detailed assessment of primary control areas • Normally linked & cross-referenced to Flowcharts/ICQs/other system records • Encourages audit staff to design tests to each client’s needs/systems
Distinction between ICQ and ICE • ICQs: • Used to record & evaluate system of internal controls • Larger number of questions – no distinction of materiality • Answer ‘No’ = weakness (significance not clear on form) • ICEs: • Used primarily to evaluate internal controls • Concentrates on ‘key control questions’ • Answer ‘No’ = must be commented on form whether material or not (i.e. a further Yes/No)
Flow Charting • Flow chart: schematic diagram using standardised symbols depicting • operations performed • methods of processing • segregation of duties • flow of documents
Walkthrough Test • Performed to confirm the system has been properly understood and recorded • Achieved by tracing 1 transaction of each type through the system • Performed after preparation of flowcharts, systems notes & ICQs
Tests of Controls • Test must ensure the control • is properly designed • exists • operated throughout period. • Tests include enquiry in combination with: • Observation • Inspection • Examination of evidence of management review • Re-performance • Testing computer controls
Risks and Controls by Transaction Type Richard O’Callaghan
Internal Controls in the Sales Cycle Richard O’Callaghan
The Sales Cycle • Stages: Ordering, Despatch, Invoicing, Receipt • What can go wrong? What are the risks? Or: What are the objectives? • How can it be prevented? What are the controls?
Ordering (Risk; Control) • Risk: Accept orders from a customer who will not pay; Control: Credit check all customers / approved customer list • Risk: Orders taken down incorrectly; Control: Use pre-printed order forms • Risk: Orders not fulfilled; Control: Sequential order forms and match orders to GDNs • Risk: Orders not accepted at correct prices; Control: Use authorised price list
Dispatch (Risks; Controls) • Risk: Goods despatched wrong quantity & quality; Control: All goods checked to order by supervisor before leaving warehouse • Risk: Goods not despatched; Control: Review orders not matched to GRNs • Risk: No record of goods despatched; Control: Supervision of goods despatched GRNs • Risk: Goods not received by customer; Control: Customer signs Delivery Note
Invoicing (Risks; Controls) • Risk: Goods despatched not invoiced; Control: Periodic review of GRN not matched to invoices • Risk: Errors in invoicing; Control: Check invoice to GRN and order form • Risk: Invoice not recorded in N/L; Control: Sequence check of invoices posted to N/L
Receipts (Risks; Controls) • Risk: Cash not received or stolen; Control: Formal mail opening procedures • Risk: Remittances not recorded; Control: Prompt banking • Risk: Remittances not recorded in banking system; Control: Bank reconciliation
Internal Controls in the Purchases Cycle Richard O’Callaghan
The Purchases Cycle • Stages: Ordering, Receipt, Invoicing, Payment • What can go wrong? What are the risks? Or: What are the objectives? • How can it be prevented? What are the controls?
Ordering (Risks; Controls) • Risk: Order goods of poor quality and high price; Control: Use recognised supplier list. Tendering process on large items • Risk: Goods ordered not required; Control: Requisitions should be approved • Risk: Goods ordered, not received; Control: Follow up of overdue orders
Receipt of Goods or Services (Risks; Controls) • Risk: Goods received not ordered; Control: All goods received agreed to order notes before accepted • Risk: Goods received stolen/damaged; Control: Secure storage • Risk: Goods received of wrong quality/quantity; Control: Agree to order form
Invoicing (from supplier) (Risks; Controls) • Risk: Liability not recognised; Control: Regular review and follow up of GRNs unmatched to invoice • Risk: Liability recognised for goods not received; Control: Liability only recognised if supported by GRN • Risk: Liability recorded incorrectly; Control: Invoices recalculated and agreed to GRN
Payment (of Suppliers) (Risks; Controls) • Risk: Pay for goods not received; Control: Only make payment if supported by order, invoice and GRN • Risk: Duplicate payments; Control: Stamp invoices PAID. Only pay on sight of original invoice • Risk: Payments not recorded; Control: Bank reconciliation
Wages and Salaries Richard O’Callaghan
The Wages Cycle • Stages: Record work done, Recognise payroll liability, Payment • What can go wrong? What are the risks? Or: What are the objectives? • How can it be prevented? What are the controls?
Record of Work Done (Risks; Controls) • Risk: Failure to record all work done; Control: Sequence check on pre-numbered time sheets • Risk: Work recorded not actually done; Control: Authorisation of hours by supervisor. Clocking-in system
Recognise Payroll Liability (Risks; Controls) • Risk: Wrong rate of pay used; Control: Authorisation of pay rates and changes (by Personnel dept) • Risk: Incorrect deductions calculated; Control: Manual check. Reconciliation to previous period. Authorisation of rate changes on system
Payment of Salaries (Risks; Controls) • Risk: Pay ghost/incorrect employees; Control: Cheque signing independent of payroll. Sequence check of unique code, e.g. tax no. • Risk: Cash payments loss; Control: Identification check. Security of cash. Unclaimed wage controls
Risk of Material Misstatement Richard O’Callaghan
Broad Approach to Risk Assessment • Understand Identify Risks • Discuss Risks among Engagement Team • Identify Risks at Financial Statements and Assertion levels • Auditor’s responses to risks are identified and a programme of work is prepared accordingly
Assessing Risk of Material Misstatement • Purpose of preliminary assessment of control risk is to assess design effectiveness by: • identifying the potential misstatements • identifying the necessary controls • making the assessment
Assessing Risk of Material Misstatement • Extent of subsequent audit testing will depend on the results of evaluation of controls: • Internal Controls assessed as Strong • Compliance testing of internal controls • Limited substantive tests (including Audit Risk) • Internal Controls assessed as Weak • No compensating controls, Management Report issued • Extended Substantive Tests performed
Evaluating the Internal Controls • Points to consider: • Division and clear definition of duties, responsibility and authority • Authorisation procedures • Extent and efficiency of internal audit • Adequacy of supervision of client staff • Competence of staff • Custody and handling arrangements, particularly in relation to high-risk assets
Record of Control Weaknesses • All weaknesses exposed are recorded in detail in working papers • End products of preparation of Record of Control Weaknesses: • Ascertain any areas of weaknesses • Advise client accordingly in a Management Letter • Design an appropriate programme of audit tests
Types of Error Richard O’Callaghan
Types of Errors • Under/Overstatement of an asset/liability in the Balance Sheet, with a corresponding effect on the Income Statement • Failure to disclose a material loss which has been written off in the Income Statement • A major misclassification of items (failure to disclose an item properly in the Financial Statements or in notes to accounts)
Revise the Audit Plan • After internal controls have been evaluated, the auditor must re-plan the audit and prepare a supplementary audit programme to control the remaining audit work