
ISA 8: Understanding and Assessing the Internal Control System


Chapter 8
Understanding and Assessing Internal Control

Copyright © 2006 McGraw-Hill Australia Pty Ltd



Learning Objective 1:

Audit Strategy and Internal Control


• Internal control is the process designed and
implemented by those charged with governance,
management and other personnel to provide
reasonable assurance regarding the achievement of the
entity’s objectives concerning financial reporting, the
effectiveness and efficiency of operations, and
compliance with laws and regulations. Refer AUS
402.42/ASA 315.54 (ISA 315.42).
• It is designed and implemented to address business
risks that threaten any of these objectives.
• The importance of internal control has increased as
business entities become larger and more complex.

Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett
Slides prepared by Roger Simnett




Auditor’s requirements


• AUS 402.41/ASA 315.52 (ISA 315.41) requires that the
auditor obtain an understanding of internal control
relevant to the audit.
• At the financial report level the auditor’s assessment of
risk of material misstatement is affected by their
understanding of the control environment. Refer AUS
406.05/ASA 330.10 (ISA 330.05).
• At the assertion level, the auditor needs to consider
control risk in their assessment of the risk of material
misstatement. Refer AUS 406.12/ASA 330.19 (ISA
330.12).



Audit strategy


• To reach a conclusion on accuracy and reliability of
underlying accounting data, an auditor can:
– Test the accounting data (substantive approach); or
– Perform procedures to review and evaluate the internal
control to see whether accounting data was developed
under conditions likely to ensure accuracy and reliability
(lower assessed level of control risk approach).
• An auditor adopts the best combination of these
approaches.



Learning Objective 2:

Responsibility for Internal Control


• Achieving satisfactory internal control is initially a
management responsibility, although ultimate
responsibility rests with the directors.
• To maintain control over operations and accounting
data, management needs to adopt, maintain and
supervise an appropriate internal control system.



Inherent limitations of internal control


• Internal control cannot assure a reliable financial report
because it has inherent limitations. Therefore, an
auditor can never rely completely on the internal control.
• Inherent limitations arise because of:
– Control breakdowns as a result of the actions of careless,
fatigued or deviant staff;
– The possibility of management override; and
– The existence of non-routine transactions for which
internal controls were not devised.



Reasonable assurance


• Internal control should be designed to provide
reasonable assurance that assets are safeguarded and
accounting records are reliable.
• The concept of reasonable assurance recognises
that, in some cases, the cost of establishing and
maintaining controls can outweigh benefits of adopting
controls.



Learning Objective 3:

Internal Control Objectives

• Risks are identified and minimised;
• Management decision making is effective and business
processes efficient;
• Transactions are carried out in accordance with
management’s authorisation;
• Laws, rules and regulations are complied with;
• Transactions are promptly and accurately recorded;
• Access to assets is limited in accordance with
management’s authorisation; and
• Asset records are compared with existing assets at
reasonable intervals.



Management controls
• Management controls are the activities undertaken by
senior management to mitigate strategic risks to the
entity and to promote the effectiveness of decision
making and the efficiency of business activities.
• These include:
– Communicating business objectives and goals;
– Establishing lines of authority and accountability;
– Establishing and enforcing appropriate codes of conduct;
– Monitoring risk environments;
– Defining policies and procedures for dealing with these
risks; and
– Monitoring performance through performance indicators
and benchmarking.



Transaction controls

• These are performed by staff and lower level management.
• Every transaction goes through the identifiable steps of
authorisation, execution and recording.
• These controls:
– are generally focused on internal risks and reflect the formal
policies and procedures defined by senior management;
– deal primarily with the reliability of accounting information and
compliance with rules and regulations; and
– control the flow of transactions through the accounting system
and safeguard related assets by authorising and recording
transactions, restricting access to assets and checking for
existence of recorded assets.




Characteristics of satisfactory internal control

• Controls to monitor and minimise business risks;
• Segregation of incompatible duties and responsibilities;
• System of authorisation, recording and procedures to
provide control over assets, liabilities, revenues and
expenses;
• Sound business practices in performance of duties and
functions; and
• Capabilities commensurate with responsibilities.



Learning Objective 4:

Elements of Internal Control

• Control environment;
• Entity’s risk assessment process;
• Information system;
• Control activities; and
• Monitoring of controls.



Control environment


• The control environment includes management’s overall
attitude, awareness and actions regarding internal
control and its importance in the entity.
• Refer AUS 402.67/ASA 315.80 (ISA 315.67).



Auditors’ understanding of control environment

• Auditors should consider:
– Communication and enforcement of integrity and ethical
values;
– Commitment to competence;
– Participation by those charged with governance;
– Management philosophy and operating style;
– Organisational structure;
– Assignment of authority and responsibility; and
– Human resource policies and practices.



Entity’s risk assessment process


• An entity’s risk assessment process is its way of
identifying and responding to business risks.
• Once risks are identified, management needs to
consider their significance and how they should be
managed.
• Management may introduce plans to address specific
risks or it may accept a risk on a cost-benefit basis.




Information system


• Consists of methods and records established to:
– Identify, assemble, analyse, classify, record and report
exchange transactions and relevant events and
conditions; and
– Maintain accountability for an entity’s assets, liabilities,
revenues and expenditures.



Effective information systems

• An effective information system establishes records and
methods that:
– Identify and record all valid transactions;
– Describe on a timely basis the transactions in sufficient
detail to permit proper classification for financial reporting;
– Measure the value of transactions in a manner that
permits recording of their proper monetary value in the
financial report;
– Determine the period in which transactions occurred, to
permit recording of transactions in the proper accounting
period; and
– Present the transactions and related disclosures properly
in the financial report.




Audit trail

• Audit trail:
– Individual transactions can be traced through each step of
the accounts to their inclusion in the financial report and,
similarly, from the financial report the amounts can be
vouched or traced back to original source documentation.
• Main elements:
– Source documents: the initial record of transactions in the
system. Processing usually creates a source document
when a transaction is executed;
– Journal; and
– Ledger.




Control activities


• Include both policies and procedures that management
has established to ensure its directives are carried out.
• Control activities may be categorised as policies and
procedures that pertain to:
– performance reviews;
– information processing;
– physical controls; and
– segregation of duties.



Control activities (cont.)


• Performance review control activities independently
check the performance of individuals or processes (e.g.
comparing actual performance with budget).
• Information processing control activities comprise
application controls and general IT controls. Application
controls apply to processing of individual applications
while general controls are policies and procedures that
apply to many applications.
• Physical control activities include measures such as
locked storerooms for inventory and fireproof safes for
cash and securities on hand.



Segregation of duties


• Is an integral part of the plan of organisation. A person
should not be in a position to both perpetrate and
conceal errors or fraud in the normal course of duties.
• The most basic segregation of duties is to have different
individuals or departments responsible for custody of
assets and the keeping of records relating to those
assets.



Transaction process


• A transaction may be considered to pass through four
phases:
1. Authorisation: the initial authorisation or approval for an
exchange transaction;
2. Execution: the act commits the entity to the exchange,
such as placing an order;
3. Custody: the physical act of accepting, delivering or
maintaining the asset; and
4. Recording: the entry of the transaction data into the
accounting system.
• Ideally, all four phases should be kept separate.




Evaluating control activities

• The auditor will be interested in control activities related
to the following assertions:
– Occurrence: e.g. authorisation and approval of transactions
– Completeness: e.g. accounting for sequence of transactions
– Accuracy: e.g. checking dollar amounts back to supporting
documentation
– Cutoff: e.g. independent review of transactions around balance
date
– Classification: e.g. independent checking of account coding.



Monitoring of controls


• Monitoring of controls:
– A process to assess the effectiveness of the performance
of internal control. Involves:
  – Evaluating the design and operation of controls; and
  – Taking corrective action where necessary.
• Management may monitor controls through ongoing
activities such as supervisory activities and/or separate
evaluations.
• In many entities internal auditors contribute to the
monitoring process.



Internal auditor as an aid to monitoring


• Internal audit function:
– An individual, group or department within an entity that
acts as a separate, higher level of control to determine
that the internal control is functioning effectively.
– May make special inquiries at management’s direction or
generally review operating practices to promote increased
efficiency.
• An effective internal audit function can significantly
strengthen the monitoring of control.
