Use with The Audit Process: Principles, Practice and Cases, 6th edn ISBN 978-1-4080-8170-9 © Iain Gray, Stuart Manson and Louise Crawford, 2015

Chapter 7 Systems work: basic ideas 1

Learning objectives

• To explain the significance of the layers of regulation and control.

• To define internal control and explain the significance of the control environment and related components, and accounting and quality assurance/control systems.

• To explain the nature and role of systems development/maintenance controls and describe the main features of these controls.

Internal controls and control risk

• Main interest at interim is to determine accounting records are genuine, accurate and complete.

• If accounting and control systems good, and general control environment satisfactory, more likely accounting records will be reliable.

• Effectiveness of accounting and control systems closely related to control risk – has a bearing on extent of substantive procedures.

• An understanding of internal control assists the auditor in identifying types of potential misstatements and factors that affect risks of material misstatement, and in designing the nature, timing and extent of further audit procedures (ISA 315, para A42).

• Important relationship between tests of controls and extent of substantive procedures.

Definitions: substantive procedure and test of control (ISA 330, para 4)

• Test of control – An audit procedure designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting material misstatements at the assertion level.

• Substantive procedure – ‘An audit procedure designed to detect material misstatements at the assertion level. Substantive procedures comprise:

(i) Tests of details of classes of transactions, account balances, and disclosures, and

(ii) Substantive analytical procedures’.

Layers of regulation and control expanded (1) Figure 7.1

Layers of regulation and control expanded (2)

• Controls are to prevent, detect or correct events that the entity does not wish to happen.

• Internal control: The process designed, implemented and maintained by those charged with governance (TCWG), management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. The term “controls” refers to any aspects of one or more of the components of internal control (ISA 315, para 4).

Business risk approach – impact on extent of audit tests

• Business risk approaches may result in reduced tests of controls and substantive tests of detail; more reliance on effectiveness of control environment and analytical evidence.

• Auditors are becoming more selective in detailed work they perform, concentrating on systems critical to their ability to form an opinion.

• Important part of control environment is effective internal audit function and quality standards group, if one exists.

Potential limitations in internal control Table 7.1

Layers of regulation and control expanded (3)

• Components of internal control are:

– Control environment

– Entity’s risk assessment process

– Information system

– Control activities

– Monitoring of controls

The control environment

• Includes:

– Governance

– Management functions and attitudes

– Attitude of TCWG and management to internal controls

• Control environment sets tone of organization

• Elements of control environment:

– Communication and enforcement of integrity and ethical values

– Commitment to competence

– Participation by TCWG

– Management’s philosophy and operating style

– Organizational structure

– Assignment of authority and responsibility

– Human resource policies and practices

Entity’s risk assessment process

• Entities should consider likelihood of business risks crystallizing and the significance of the consequent financial impact on the business.

• Once this has been done suitable controls should be introduced to reduce risks to acceptable level.

Information system

• Includes related business processes, relevant to financial reporting and communication.

• Relevant and timely information about internal activities and external factors essential if an entity is to be successful – including Key Performance Indicators (KPIs).

Control activities

• Include:

– Authorization

– Performance reviews

– General and application controls over information processing

– Physical controls

– Segregation of duties

Monitoring of controls

• Basic task is to assess the performance of controls and their adequacy and relevance over time.

• Monitoring may be a special responsibility of a quality standards group, internal audit or even external audit.

Case study 7.1 High Quality Limited (small independent supermarket)

1. How relevant are the matters we discussed under the heading ‘layers of regulation and control expanded’ to the management of this small company? What kind of objectives could the business have?

2. If you were the proprietors, how would you ensure that sales and purchases were fully and accurately recorded?

Case study 7.2 Entity in the financial services sector: Caiplie Financial Services

• What policy features would be relevant in an entity giving advice to individuals about such matters as personal pensions, life assurance and investments in bonds and securities, and what kind of controls might be particularly important?

• Remember that the entity is advising people about some of the more important investment decisions they will make during their lives.

Accounting and quality assurance/control systems

• Distinguish between accounting systems and systems of internal control. Control systems imposed on accounting system to ensure, within reason, transactions and balances valid.

• Internal control: process for achieving objectives identified beforehand. It gives reasonable but not absolute assurance control objectives are met.

• Users of information primarily concerned with the information derived from systems and its reliability.

• Two kinds of control:

– General controls

– Application controls

Distinction between general controls and application controls

• General controls: controls over environment in which entity operates. Role to ensure that applications are trouble free and prevent, detect or correct events that management do not wish to happen

• Include:

– Systems development/maintenance controls

– Organizational controls

• Application controls are designed to ensure individual applications run smoothly.

Systems development/maintenance controls

1. Organizational structure to manage project and ensure high standards.

2. Documentation of development process – to allow informed person to understand development process and how system works.

3. Testing at each stage before permission is given to proceed to the next stage.

4. Persons involved in the process take responsibility by confirmation in writing.

5. Parallel developments alongside technical development.

6. Reliable system for reporting system malfunctions.

7. Ensure unauthorized changes are not made to programs.

8. Ensure completeness of information/audit trail.

• In a small system, the process would be much truncated.

Development of computer applications Figure 7.4

Organizational structure to manage projects

• Member of the board with final responsibility for information systems

• Members:

– systems analyst group

– programming group

– data control group

• Representatives of main user groups

• Manager responsible for quality assurance.

• Manager with responsibility for security of data, software and hardware.

• Manager responsible for operations.

• Member of the database administration department.

• Representative of internal audit providing independent view on controls and completeness of information/audit trail.

Horton Limited information/audit trail

General controls – organizational controls

• Organization chart

• Segregation of duties: authorization of transactions; execution of transactions; custody of assets; recording of transactions and assets.

Determine decision-making points in computer systems. Features:

a) Operation of program segregated from ability to change it.

b) Alteration of master files in hands of responsible official.

c) Rotation of duties, e.g. in data base administration department.

• Authorization and approval – by responsible persons – authority limitations.

• Supervision controls – higher level controls by responsible management.

• Management of data – e.g. way data collected, prepared and enters system.
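
The segregation-of-duties features above can be tested mechanically against an access listing. The following is an added example, not material from the book: the user names, duty labels, the designated master-file official and the 365-day rotation limit are all constructed assumptions.

```python
from datetime import date
from itertools import combinations

# Duties the slide says must be kept apart, plus the IT pair from feature (a).
INCOMPATIBLE_GROUPS = [
    {"authorize", "execute", "custody", "record"},
    {"operate_program", "change_program"},
]
# Feature (b): only a responsible official may alter master files (assumed name).
MASTER_FILE_OFFICIALS = {"f.khan"}


def sod_conflicts(assignments):
    """Return sorted (user, duty_a, duty_b) for each incompatible pair one user holds."""
    findings = []
    for user, duties in assignments.items():
        for group in INCOMPATIBLE_GROUPS:
            held = sorted(duties & group)
            findings.extend((user, a, b) for a, b in combinations(held, 2))
    return sorted(findings)


def unauthorized_master_file_access(assignments):
    """Users who can alter master files but are not a designated official."""
    return sorted(user for user, duties in assignments.items()
                  if "alter_master_file" in duties and user not in MASTER_FILE_OFFICIALS)


def rotation_overdue(duty_start, as_of, max_days=365):
    """Feature (c): users who have held the same duty longer than max_days (assumed limit)."""
    return sorted(user for user, start in duty_start.items()
                  if (as_of - start).days > max_days)


# Constructed access listing and database administration duty start dates.
ASSIGNMENTS = {
    "a.jones": {"authorize", "record"},
    "b.smith": {"execute"},
    "c.lee": {"operate_program", "change_program", "custody"},
    "d.ortiz": {"alter_master_file", "execute"},
    "f.khan": {"alter_master_file"},
}
DBA_DUTY_START = {"g.wong": date(2022, 1, 10), "h.patel": date(2024, 3, 1)}
AS_OF = date(2024, 6, 30)

if __name__ == "__main__":
    for user, a, b in sod_conflicts(ASSIGNMENTS):
        print(f"{user}: holds both '{a}' and '{b}'")
    print("master file access outside officials:",
          unauthorized_master_file_access(ASSIGNMENTS))
    print("rotation overdue:", rotation_overdue(DBA_DUTY_START, AS_OF))
```

A listing like this only shows that duties are split on paper; it cannot show whether two separately assigned people act together.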

General controls – security and quality assurance

• Security over: physical assets

– Security plan: identify risks, threats, likely occurrence: fire and water damage; energy variations; pollution; unauthorized intrusion.

• Security over: software.

– Controls over security of data: restrict access; maintain information/audit trails; hold data and programs externally; GFS system/file dumps

• Quality assurance

Developed software to meet user needs: reliability, ease of use, efficient in use, easy maintenance, clarity/completeness of system documentation, effective staff.

Organization chart of a computer department and its place in a large entity Figure 7.6

A word about collusion

• Value of segregation of duties depends on people being genuinely independent of each other.

• If they work together – collude – to defeat the object of the control, it is as if the control does not exist.

• If A keeps inventory and B is required to count and compare it with inventory records = important control to safeguard assets. If A misappropriates inventory and B in cahoots states there were no differences between physical and book inventories = collusion.

• General control principle: management checks outputs for reasonableness and duties rotated periodically.

• Collusion is one reason fraud so often difficult to detect. Looks as though proper segregation of duties but ineffective where two people act as one.

An example of a grandfather, father, son (GFS) system Figure 7.7

Controls over master files

• Errors in master files cause systematic errors to occur every time a routine such as payroll preparation is run

– GFS system to ensure master files can be reconstructed easily.

– Master file copies in secure location outside computer room.

– Master files identified internally and by external labelling.

– Master files to be updated by persons not connected with the execution or processing of transactions – password system.

– 100% validation of input data to master file updating run to ensure that master file is not corrupted.

– Checking of all input data by person inputting the data and an independent person.

– Ideally there should be exception reporting and check digit controls in force.
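
A master file update run that applies these controls might look like the following added example, which is not from the book. The modulus-11 check digit weighting, the rate limits, the staff names and all records are constructed assumptions. Every input record is validated, clean records go into a new generation of the file while the old one is left intact, and the rest appear on an exception report.

```python
WEIGHTS = (6, 5, 4, 3, 2, 1)        # assumed modulus-11 weighting, check digit last
PAYROLL_PROCESSORS = {"p.run"}      # constructed: staff who execute/process payroll
RATE_LIMITS = (10.00, 80.00)        # constructed reasonableness range per hour


def check_digit_ok(number: str) -> bool:
    """True when the weighted digit sum of a 6-digit number is divisible by 11."""
    if len(number) != len(WEIGHTS) or not number.isdigit():
        return False
    return sum(w * int(d) for w, d in zip(WEIGHTS, number)) % 11 == 0


def validate(update: dict, master: dict) -> list:
    """Return the reasons an update must be rejected (empty list means clean)."""
    reasons = []
    emp = update["employee_no"]
    if not check_digit_ok(emp):
        reasons.append("check digit failed")
    elif emp not in master:
        reasons.append("employee not on master file")
    if not RATE_LIMITS[0] <= update["hourly_rate"] <= RATE_LIMITS[1]:
        reasons.append("rate outside limits")
    if not update.get("checked_by") or update["checked_by"] == update["entered_by"]:
        reasons.append("no independent check")
    if update["entered_by"] in PAYROLL_PROCESSORS:
        reasons.append("entered by transaction processor")
    return reasons


def update_run(master: dict, updates: list):
    """Validate every record; apply clean ones to a new generation, report the rest."""
    new_master = {emp: dict(rec) for emp, rec in master.items()}  # old generation untouched
    exceptions = []
    for seq, upd in enumerate(updates, start=1):
        reasons = validate(upd, master)
        if reasons:
            exceptions.append((seq, upd["employee_no"], reasons))
        else:
            new_master[upd["employee_no"]]["hourly_rate"] = upd["hourly_rate"]
    return new_master, exceptions


# Constructed sample data.
MASTER = {"123455": {"name": "A. Able", "hourly_rate": 21.50},
          "307181": {"name": "B. Baker", "hourly_rate": 34.00}}
UPDATES = [
    {"employee_no": "123455", "hourly_rate": 22.75,
     "entered_by": "m.clerk", "checked_by": "s.super"},
    {"employee_no": "124355", "hourly_rate": 22.75,   # two digits transposed on input
     "entered_by": "m.clerk", "checked_by": "s.super"},
    {"employee_no": "307181", "hourly_rate": 340.0,   # misplaced decimal, self-checked
     "entered_by": "m.clerk", "checked_by": "m.clerk"},
    {"employee_no": "400262", "hourly_rate": 30.00,   # valid number, no such employee
     "entered_by": "p.run", "checked_by": "s.super"},
]

if __name__ == "__main__":
    new_master, exceptions = update_run(MASTER, UPDATES)
    for seq, emp, reasons in exceptions:
        print(f"record {seq} employee {emp}: {'; '.join(reasons)}")
```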

Effective quality assurance function

• Important element of control: auditor assesses effectiveness by discussion with management on role, determining that:

– Support of top management: statement from management highlighting importance of quality of systems and information.

– High status within the organization.

– Action by management on recommendations, including those made during the development process.

– Adequate resources to perform function properly, including staff with wide skills.

• Similar to steps taken to ensure effectiveness of internal audit

• Audit work includes: examination of reports by quality assurance group at development stage and thereafter.

– Discussion with users: determine effectiveness from user perspective.

– Examine the educational and experience background of staff and the steps to keep staff up to date.

Figure 7.1 Layers of regulation and controls – as extended

Figure 7.2 Example of matrix organizational chart

Figure 7.3 Raw data to information

Figure 7.4 Programme for the development of computer applications in a large-scale system

Figure 7.5 Information trail/audit trail flowchart

Figure 7.6 Organization chart of the computer department and its place in a large entity

Figure 7.7 An example of a grandfather, father, son (GFS) system

Figure 7.8 Troston payroll master file update