Lecture 5
1. Internal controls: address the business risks that threaten:
Reliability of reporting
Effectiveness and efficiency of operations
Compliance with laws
2. Control activities: policies and procedures established to ensure that
management’s directives are carried out
Can pertain to:
Authorisation and approvals
Reconciliations: compare 2 or more data elements and see the difference.
Address the completeness and accuracy of processing transactions
Verifications: compare 2 or more items with each other or compare an item with
a policy and see if they match or if it is not consistent with the policy. Address
completeness, accuracy and validity of processing transactions
Physical or logical controls: address the security of assets against unauthorised
access, acquisition, use or disposal
Segregation of duties
3. Segregation of duties related to a transaction
A transaction will pass through 4 phases:
Authorisation
Execution
Custody
Recording
4. Why does the auditor need to understand the internal control system?
Provide a preliminary understanding of how the auditor identifies business risk
and how they respond to them
Affect the auditor’s identification and assessment of the risk of material
misstatement in different ways
Assist the auditor in designing and performing further audit procedures including
any plans to test the operating effectiveness of controls
The auditor may determine certain policies are not appropriate to the nature and
circumstances of the entity -> assist the auditor in identifying control deficiencies
-> consider the effects of those deficiencies on the design of further audit
procedures
Determine whether the deficiencies constitute a significant deficiency and use
professional judgment
5. Inherent limitation of internal control
Internal control can’t assure a reliable financial report due to its inherent
limitations:
- Control breakdown as a result of careless actions or intentional collusion
- Management override
- Existence of non-routine transactions for which internal controls were not
devised
- Management evaluates the cost-benefit trade-off when adopting internal
control measures
- Management makes accounting estimates
6. Tests of control
Control risk is low -> more control testing, less substantive testing
- Any compensating controls? -> if no -> substantive test, if yes -> control
testing
Control risk is high -> less control testing, more substantive testing
- Control risk is high if:
+ controls do not exist
+ controls that exist will not provide reliable evidence
+ it is more efficient or effective to gather required evidence by undertaking
substantive testing
1 exception: when the substantive procedure alone can’t provide sufficient
reliable evidence to reduce the risk of material misstatement to an acceptable
level. Areas including revenue, purchases, cash receipts and cash payments.
These systems are often highly automated with little or no manual intervention
7. Aspects of internal control for which evidence is gathered
Existence: whether prescribed internal control procedures actually exist.
- Existence is identified when evaluating the design of the internal control
policy and activity
Effectiveness: whether the control is operating effectively (does the control
prevent or detect misstatements?)
- Is part of control testing, including reperforming the control, sighting
documents to see that controls were complied with, if control is programmed
Continuity: whether the control operated throughout the period of intended
reliance
- Is part of control testing, achieved by ensuring the sample of transactions to
be tested is selected from throughout the year
8. Test of control procedures
Including types of evidence: inspection, observation, reperformance, inquiry
The auditor must undertake testing of control procedures at various times during
the audit year to ensure the controls have been operating effectively for the
majority of the time
9. Test of control and test of details
Test of control: relates to controls only and does not directly measure monetary error
Test of details: is concerned with whether monetary errors have occurred
10. If control is not working:
Auditor identifies compensating control that will reduce the risk of material
misstatement and test this control
If no compensating control -> the auditor revises the audit program and undertakes
substantive procedures
Lecture 6
1. Audit strategy
Controls are good -> more tests of control, less substantive testing, less test of
details, substantive analytical procedures can be used
Controls are poor -> less tests of control, more substantive testing, more tests of
details, substantive analytical procedures won’t be done (because the controls are
not reliable, so the comparison between data will not be reliable evidence)
Audit strategies are not static. They change when:
- New information about business risk becomes available
- Tests of control show that controls that were thought to have worked don’t
actually work
- Substantive tests show the risk of material misstatement is higher or lower
than it was originally thought
2. Sampling
Not all auditing procedures involve sampling
Sampling risk: relates to the sample size; arises from sampling rather than 100%
examination
- Sampling risk can never be eliminated
Non-sampling risk: factors other than sample size that cause an auditor to reach
an incorrect conclusion, such as the possibility that:
- The auditor will fail to recognise misstatements included in examined items
- The auditor applies a procedure that is not effective in achieving a specific
objective or not linked correctly to the relevant assertion
Statistical sampling: has the following characteristics:
- Random sample selection
- Use of probability theory including the measurement of sampling risk
- Advantage: defensibility in court, thorough quantification of sampling risk
Non-statistical sampling: does not have the characteristics of statistical sampling
- Advantage: application of audit judgment and experience
- Deviations or misstatements in a population are not random
3. Stratification
Dividing the population into a series of sub-populations, each of which has an
identifying characteristic
Can assist with audit efficiency as it allows the auditor to reduce the sample size
by reducing variability within each stratum without a proportional increase in
sampling risk
Is a means of reducing audit cost while increasing efficiency of the audit
Popular technique for helping with audit sampling, particularly in areas of
accounts receivable, inventory and PPE
4. Fraud
Intentional act by 1 or more individuals among management, those charged with
governance, employees or third parties, involving the use of deception to obtain
an unjust or illegal advantage
Risk of fraud is the risk that a material misstatement resulting from fraud will
not be detected
2 types of misstatement
- Resulting from fraudulent financial reporting
- Resulting from misappropriation of assets
Fraud triangle (risk factors for fraudulent financial reporting):
- Pressure: incentives or pressure
+ decline in the company’s financial prospects; employees with excessive
financial obligations
- Rationalisation: attitude, character or set of ethical values
+ CEO/ executives display a significant disregard for the financial reporting
process
- Opportunity (from circumstances)
+ turnover in accounting personnel; companies with accessible cash or other
valuable assets
5. Use of experts
The complexity of business operations and the nature of business transactions
may cause an external auditor to seek expert assistance as the audit process is
undertaken
Lecture 7
1. General controls: relate to various applications, support effective functioning of
application controls by helping to ensure the continued proper operation of
information systems
Segregation of duties
- Separation between IT and user department functions
- Separation between functions within IT department
Control over program: which program is running, its exact function
- Acquisition, development and changes of programs
- Computer security
Control over data: data is not lost, data is not stolen, data is consistent and free
from error, only allowed changes can be made to data
2. Application controls: relate to individual applications
- Manual control: require judgment, unusual or non-recurring transactions,
errors are difficult to predict
- Automated control: high volume of usual or recurring transactions, errors can
be predicted
Input controls: the source of errors is poor input. Are designed to check
information at the point of input and prevent or correct errors before they enter
the system
- Field check: right field, right format, all fields are filled in
- Validity check: only valid data is entered
+ a code field in a record is compared to a table of valid codes stored online
+ used when there is a limited number of valid entries for an item
+ the user may be forced to pick the item from a list
- Limit/ range check: data outside the range -> take actions
- Self-checking digits: determine the validity of the number entered. When a
formula is applied to the digits in the number, the correct answer must be
obtained. If not, the number is invalid
+ no need to access a list of all valid numbers
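The four input controls above, applied in order to one data-entry record. This is an added example, not part of the lecture notes; the field formats, the department code table, the amount limit and the use of the Luhn formula for the self-checking digit are all assumptions made for illustration.

```python
import re

# Constructed for illustration: field formats, code table and limit are assumptions.
FORMATS = {"account": r"\d{8}", "dept": r"[A-Z]{2,3}", "amount": r"\d+(\.\d{2})?"}
VALID_DEPT_CODES = {"FIN", "OPS", "HR"}   # table of valid codes
AMOUNT_LIMIT = 10_000                     # upper bound for the limit check


def check_digit_ok(number: str) -> bool:
    """Self-checking digit, using the Luhn formula as one possible formula."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                    # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def input_errors(record: dict) -> list[str]:
    """Return the input controls a record fails; an empty list means accepted."""
    # Field check: every field present and in the right format.
    errors = [f"field:{name}" for name, pattern in FORMATS.items()
              if not re.fullmatch(pattern, str(record.get(name, "")))]
    if errors:
        return errors                     # later checks need well-formed fields
    if record["dept"] not in VALID_DEPT_CODES:           # validity check
        errors.append("validity:dept")
    if not 0 < float(record["amount"]) <= AMOUNT_LIMIT:  # limit/range check
        errors.append("limit:amount")
    if not check_digit_ok(record["account"]):            # self-checking digit
        errors.append("check_digit:account")
    return errors


# Constructed sample entries: one clean, one with two account digits transposed,
# one with an unknown code and an over-limit amount, one with a missing field.
SAMPLES = [
    {"account": "12345674", "dept": "FIN", "amount": "250.00"},
    {"account": "12345764", "dept": "FIN", "amount": "250.00"},
    {"account": "12345674", "dept": "XYZ", "amount": "25000.00"},
    {"account": "12345674", "dept": "FIN"},
]

if __name__ == "__main__":
    for entry in SAMPLES:
        print(entry, "->", input_errors(entry) or "accepted")
```

The second sample shows why the check digit needs no list of valid numbers: swapping two adjacent digits changes the formula's result, so the keying error is caught from the number alone.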
File and processing controls
- File controls: ensure the proper version of the file is used in processing
+ external file labels – computer-readable data that identifies content of the
file
+ internal file labels – printed or handwritten labels attached to disk or tape
- Processing controls: detect errors in data and errors in processing as a result
of logic errors in application programs or systems software errors
+ checking numerical sequence of records
+ run-to-run control totals
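A sketch of the two processing controls listed above, run over a batch before and after a posting step. This is an added example, not part of the lecture notes; the record layout (`doc_no`, `amount`), the function names and the sample batches are constructed for illustration.

```python
from decimal import Decimal


def sequence_gaps(records, key="doc_no"):
    """Numerical sequence check: return (missing numbers, duplicated numbers)."""
    seen = sorted(r[key] for r in records)
    if not seen:
        return [], []
    dupes = sorted({n for n in seen if seen.count(n) > 1})
    missing = sorted(set(range(seen[0], seen[-1] + 1)) - set(seen))
    return missing, dupes


def control_totals(records):
    """Totals carried from one run to the next: record count, amount, hash total."""
    return {
        "count": len(records),
        "amount": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        # Hash total: a sum with no business meaning, kept only for comparison.
        "hash": sum(r["doc_no"] for r in records),
    }


def run_to_run(before, after):
    """Compare totals taken before and after a processing run; return mismatches."""
    a, b = control_totals(before), control_totals(after)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


# Constructed batch of five invoices as received by the posting run.
BATCH = [
    {"doc_no": 1001, "amount": "120.00"},
    {"doc_no": 1002, "amount": "75.50"},
    {"doc_no": 1003, "amount": "310.25"},
    {"doc_no": 1004, "amount": "42.00"},
    {"doc_no": 1005, "amount": "980.00"},
]
# Constructed output of a faulty run: invoice 1003 dropped, 1004 posted twice.
POSTED = [r for r in BATCH if r["doc_no"] != 1003] + [BATCH[3]]

if __name__ == "__main__":
    print("sequence check:", sequence_gaps(POSTED))
    print("run-to-run mismatches:", run_to_run(BATCH, POSTED))
```

The record count is identical in both runs (five records), so only the amount total, the hash total and the sequence check reveal the dropped and duplicated invoices.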
Output controls: ensure complete and accurate output is distributed to
authorised persons
3. Testing of IT controls
Control testing in IT systems differs from that in manual systems for 2 reasons:
- The nature of errors differs between manual and computerised systems
+ manual: idiosyncratic
+ computerised: fewer errors as controls are stronger; errors come in groups
caused by control weaknesses; errors are less common in routine
transactions
- There are specific classes of general and application controls that only occur in
IT systems and that require specific types of tests of controls
a. Testing strategy
For routine transactions:
- Fewer errors => More control testing, less substantive testing except where
control weaknesses are found
For non-routine transactions:
- More errors as controls are limited
- Less control testing, more substantive testing
Start by examining general controls
- If general controls are unreliable -> little confidence in automated application
controls, reduced confidence in manual application controls -> more
substantive test
- If general controls are reliable -> preliminary evaluation of application
controls. If application controls are reliable -> appropriate degree of control
testing and substantive testing
Tests for manual controls: observation, inspection, inquiry, reperformance
Tests for computerised controls: test data, integrated test facility, parallel
simulation, program code review
Lecture 8
1. GAS
Valuable in selecting sample of transactions
Prints out all transactions in a logical order
Auditor must then perform the detailed substantive tests
2. Exception reports
Select items that fit the criteria
Goal: to be alerted to an element in the database where an attribute of a
transaction is unusual, unexpected or outside the normal operating parameters
of the operating cycle of the client’s business.
3. Normal GAS report – occurrence and accuracy
4. Exception report – occurrence and accuracy