KA T
H E A R N
Introduction
to
The
audit
process
Audit acceptan ce Plannin g Gatherin g evidenc e Completio n • Tende r • Appointing a new auditor • Engageme nt Letter • Understandi ng the entity.Term
2
focus
Gatherin g
evidenc e
Completio n
• How do we
perform controls tests?
• What is
substantive testing?
• What do audit reports look like?
• How do we know what type of
opinion to issue?
A C C A F 8 C H A P T E R
1 0
Learning
objectives
By the end of this lecture you should be able to:
Discuss management and the auditor’s
responsibilities in respect of internal controls.
Identify control weaknesses and risks and
make recommendations for control improvements in a scenario-based question.
Produce extracts of a Management Letter.
Explain how reliance on Internal Controls can
What are internal controls?
Quick re-cap
Internal controls are implemented by a
company’s management to reduce business risks.
For example: A company has a big warehouse
and are worried that stock will go missing.
This risk can be mitigated by putting controls in
place – these can be simple or complex.
For example, lock the warehouse door and only
How
does
the
auditor
test
controls?
Control objectiv es
• What management have designed the control to
achieve.
•Example: To ensure that authorised expenses are for business purposes only.
Control procedur es
• The actual control that management have put in place.
•Example: All expenses claims must have a receipt attached and must be signed off by the Finance Manager.
Tests of
control s
• The test that the auditor performs to verify
management’s control is working as it should be.
•Example: Select a sample of expenses claims and verify for each on that has been paid, there is a receipt present and the claim has been authorised by the Finance
Why
is
this
important
for
the
auditor?
Audits that are performed on clients with a
strong control environment can be more
efficient, since the auditor can rely on some of the internal controls and by testing that the
controls are working reliably, they can reduce the amount of substantive testing that needs to be performed.
Remember for some small companies it is
What
if
the
controls
are
weak?
It’s not the auditors job to implement controls,
this is one of management’s responsibilities.
However, if the auditor notes that a control is
deficient (either because it doesn’t meet its objective or isn’t being implemented
correctly) they can tell the client about this and make recommendations on how to
improve the control in the Management
Summary
of
responsibilities
Auditor’s responsibilitie s
To note any deficiencies
in the internal control systems (as a
by-product of their audit procedures), and report these in the
management letter, together with
consequences of the weakness and
recommendations on how to remedy.
Management’ s
responsibilitie s
To design and
Re-cap:
types
of
internal
controls
The types of internal control
include…
Organisation
Segregation of duties
Physical controls
Authorisation and Approval
Arithmetic and Accounting
Personnel
Supervision
Management controls
Acknowledgement of performance
Lecture
exercise
1
PopUp Ltd is a company that regularly buys
in the latest craze from suppliers to sell in it’s shop.
As a result, their supplier list grows rapidly,
with new suppliers being created in the purchases system all of the time.
Once entered onto the purchases system,
Step
1:
What
is
the
risk?
Fictitious suppliers may be created in the
purchases system and payments made to them.
This will result in higher costs (without
PopUp Ltd having received any inventory items) and lower profits.
Control objective: Ensure that only
legitimate suppliers are entered into the
What controls would you expect PopUp to
meet this objective?
Password controlled access to amend the
system to add a new supplier for payment.
Segregation of duty: One person
Management
Letters
The management letter is not given to the client
until the
completion stage of the audit.
However, it is practical for the auditor to gather
points for inclusion in the management letter throughout the gathering evidence stage of the audit.
This report is a by-product of the audit and may
not be a comprehensive list of deficiencies. ISA (265) does not require the auditor to carry out specific testing on internal controls for the
Management
Letters
A report to management would generally
include:
A covering letter.
Appendices showing, typically in tabular format, the
control deficiencies, implications and
recommendations for improvement.
The table in the appendix would normally
haveDeficiency3 sections:Consequences Recommendations
Expenses are
not authorised
by
management.
The company may be paying
out personal expenses
rather than business
expenses. This will result in
lower business profits.
Thefinance manager should
authorise all expenses on a
daily basis.
Any expenses above £X
shouldbe secondreviewed by
Lecture
example
2
You work for Leopard LLP, and are part of the
audit team working on the statutory audit for Cheetah Ltd.
Audit tests indicated that company policy
requiring purchase orders to be placed only by the company's buying department was not adhered to in 10% of the transactions
examined.
In respect of the above breach in company
policy, draft extracts suitable for
inclusion in the auditor's management
letter, which set out the possible
consequences and the recommendations
Lecture
example
2:
Solution
Deficiency Consequences Recommendations
The
company’s
policy to only
allow the buying department to place purchase orders is being breached in 10% of instances.
• Duplicate orders
• Useof unauthorised
suppliers
• Terms/prices negotiated
with unauthorised
suppliers generally less
favourable
• Purchase of unauthorised
non- business goodsand
services
• Goods may not be to
appropriate
standardsor
requirements
• May result in breach of
budgets and loss of control
by buying department
• Invoices may notbe
entered in purchase
ledger,resulting in
understated liabilities
• All significant purchase
orders over
pre-determined limit to be
placed by buying
department except for
small orders (say under
£1,000)
• Employees in breach of
company procedures to
be informed in writing
• Circulate company
policy to all staff, and staff to confirm in
writing that they
understand company
policy
• All suppliers to be
informed in writing of
Lecture
example
3
You are a member of the external audit of the
financial statements of Tiger Ltd. During the audit you have discovered:
References are not obtained for all new employees of
Tiger.
Authorisation had not been obtained for the purchase
of a NCA costing £42,000. It is company policy for all items of capital expenditure over £25,000 to be
approved by a director.
When evaluating controls over telephone orders from
customers you noted that sales staff receiving the telephone orders did not check customer credit limits before accepting the order.
What would you include in the
management letter in respect of these
Lecture
example:
Solution
Deficiency Consequence Recommendation
- References not
obtained
- Integrity of the
employees is
questionable
- May nothave the skills and
experiences they claimto
have.
- Obtain references
- Job offers made subject to
satisfactory references obtained -Authorisatio n not obtained for purchases - Misappropriation of resources/theft
- Duplication of
purchases - Incorrectly
recorded in
accounts
- Communicate policy
forauthorisation
- Segregation of duties
between personordering
and receiving
- Failure to
check credit limits before accepting an order from customers.
- Could result in high levels of
baddebts - Checkorder placedcredit limits before
- Staff training on taking
Summary:
Learning
objectives
You should now be able to:
Discuss management and the auditor’s
responsibilities in respect of internal controls.
Identify control weaknesses and risks and
make recommendations for control improvements in a scenario-based question.
Produce extracts of a Management Letter.
Explain how reliance on Internal Controls can
