Chapter 8: Systems and controls

Chapter learning objectives

Upon completion of this chapter you will be able to:

  • Describe and explain the five key components of an internal control system;
  • Explain how auditors record internal control systems;
  • Explain how auditors identify deficiencies and significant deficiencies in internal control systems;
  • Explain, analyse and provide examples of internal controls;
  • List examples of application controls and general IT controls; and
  • Discuss and provide examples of how to report internal control deficiencies to management.

1 Introduction

We dealt with the importance of internal control systems to the auditor in an earlier chapter.

This chapter considers the basic components of control systems and how the auditor fulfils their objectives for assessing control risk.

Control systems – basic principles

The auditor's main focus is on those systems relevant to the financial statements and, therefore, the audit. The basic objectives of these systems are to:

  • measure the effects of transactions and other relevant issues;
  • record those transactions and effects;
  • summarise them into a useable form; and
  • publish those summaries to the relevant users of the information to assist decision making.

A simple system can be illustrated as follows:

It should be noted that the above illustration represents a typical manual accounting system. These are rare nowadays due to the use of readily available (and cheap) accounting software. However, the basic principles of those systems are still the same and it is worth understanding how the flow of information in a system works.

Computerised systems

There are a number of things to understand about the impact of computerised accounting systems:

  • The need to transfer information from one piece of paper to another is greatly reduced.
  • The outputs from the system – the listings, trial balances, even the financial statements themselves – usually do not form part of a strict chronological sequence. So once an invoice is entered into the system, the TB, the ledger, the financial statements are all updated. There is no delay waiting for the purchase ledger clerk to 'do the postings'.
  • Once a transaction is entered into the system it will be processed.
  • Calculations will be accurate (unless someone has programmed them otherwise).
  • Human error (inputting data for example) and fraud can still lead to misstatement in computerised systems.

2 How do internal control systems operate?

The components of an internal control system

ISA 315 states that auditors need to understand an entity's internal controls. To assist this process it identifies five components of an internal control system:

  • the control environment;
  • the entity's risk assessment process;
  • the information system;
  • the control activities; and
  • the monitoring of controls.

i. The control environment

The control environment includes the governance and management function of an organisation. It focuses largely on the attitude, awareness and actions of those responsible for designing, implementing and monitoring internal controls. Elements of the control environment that are relevant when the auditor obtains an understanding include the following:

  • communication and enforcement of integrity and ethical values;
  • commitment to competence;
  • participation by those charged with governance;
  • management's philosophy and operating style;
  • organisational structure;
  • assignment of authority and responsibility; and
  • human resource policies and practices.

Evidence regarding the control environment is usually obtained through a mixture of enquiry and observation, although inspection of key internal documents (e.g. codes of conduct and organisation charts) is possible.

ii. The risk assessment process

The risk assessment process forms the basis for how management determines the risks to be managed. These processes will vary hugely depending upon the nature, size and complexity of the organisation. However, larger organisations (usually listed ones) will have internal audit departments, whose roles focus heavily on risk identification and assessment.

If the client has robust procedures for assessing the business risks it faces, the risk of misstatement, overall, will be lower.

iii. The information system

The information systems relevant to financial reporting objectives include all the procedures and records which are designed to:

  • Initiate, record, process and report transactions;
  • Maintain accountability for assets, liabilities and equity;
  • Resolve incorrect processing of transactions;
  • Process and account for system overrides;
  • Transfer information to the general/nominal ledger;
  • Capture information relevant to financial reporting for other events and conditions; and
  • Ensure information required to be disclosed is appropriately reported.

iv. Control activities

The control activities include all policies and procedures designed to ensure that management directives are carried out throughout the organisation. Examples of specific control activities include those relating to:

  • Authorisation;
  • Performance review;
  • Information processing;
  • Physical controls; and
  • Segregation of duties.

IT affects the way in which control activities are implemented. It is important that auditors assess how controls over IT maintain the integrity and security of the information held on those systems. Such controls are normally divided into two categories:

  • Application; and
  • General.

Application controls

Application controls are either manual or automated and typically operate at the business process level and apply to the processing of transactions. Examples include:

  • batch total checks;
  • sequence checks;
  • matching master files to transaction records;
  • arithmetic checks;
  • range checks (to ensure that data stays within reasonable ranges);
  • existence checks (e.g. to check employees exist);
  • authorisation of transaction entries; and
  • exception reporting.

An example is that Quickbooks, a small business accounting package, will not let you enter a sale until you have set up an 'item', which means you have to allocate the sale to a revenue account, set up the customer as a receivable, decide on VAT treatment, etc.
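As an added example (not from the chapter or any accounting package), the following Python sketch applies the application controls listed above to a constructed batch of keyed sales transactions and produces an exception report; the master files, the acceptable quantity range and the transaction values are all assumed.

```python
"""Application controls over a constructed batch of sales transactions.
Each control corresponds to one item in the list of application controls above;
every failure is collected into an exception report rather than silently accepted."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Iterable


@dataclass(frozen=True)
class Txn:
    seq: int            # pre-numbered document number (sequence check)
    customer: str       # customer code, must exist on the customer master file
    employee: str       # code of the employee who keyed the entry (existence check)
    qty: int            # quantity keyed (range check)
    unit_price: Decimal
    amount: Decimal     # amount keyed, should equal qty * unit_price (arithmetic check)


# Constructed master files and a reasonable-quantity range (assumptions for this example).
CUSTOMER_MASTER = {"C001", "C002", "C003"}
EMPLOYEE_MASTER = {"E10", "E11"}
QTY_RANGE = (1, 100)


def check_batch(txns: Iterable[Txn], control_count: int, control_total: Decimal) -> list[tuple]:
    """Run the application controls over one batch.

    Returns the exception report as a list of (document seq or None, control, detail)
    tuples; an empty list means the batch passed every control."""
    txns = list(txns)
    report: list[tuple] = []

    # Batch total checks: the keyed batch must agree with the totals prepared before input.
    if len(txns) != control_count:
        report.append((None, "batch count", f"expected {control_count}, keyed {len(txns)}"))
    keyed_total = sum((t.amount for t in txns), Decimal("0"))
    if keyed_total != control_total:
        report.append((None, "batch total", f"expected {control_total}, keyed {keyed_total}"))

    # Sequence check: pre-numbered documents should form an unbroken run with no duplicates.
    seqs = sorted(t.seq for t in txns)
    for prev, cur in zip(seqs, seqs[1:]):
        if cur == prev:
            report.append((cur, "sequence", "duplicate document number"))
        elif cur != prev + 1:
            report.append((cur, "sequence", f"gap after {prev}"))

    lo, hi = QTY_RANGE
    for t in txns:
        # Matching to the customer master file, and existence check on the employee.
        if t.customer not in CUSTOMER_MASTER:
            report.append((t.seq, "master file match", f"unknown customer {t.customer}"))
        if t.employee not in EMPLOYEE_MASTER:
            report.append((t.seq, "existence", f"unknown employee {t.employee}"))
        # Range check on the keyed quantity.
        if not lo <= t.qty <= hi:
            report.append((t.seq, "range", f"quantity {t.qty} outside {lo}..{hi}"))
        # Arithmetic check: recompute the amount from its components.
        if t.qty * t.unit_price != t.amount:
            report.append((t.seq, "arithmetic", f"{t.qty} x {t.unit_price} != {t.amount}"))
    return report


# Constructed batch: the control sheet says 4 documents totalling 1,250.00, but the keyed
# batch has a gap (1003 missing), an unknown customer, an unknown employee, an
# out-of-range quantity and an amount that does not agree with qty * unit_price.
SAMPLE_BATCH = [
    Txn(1001, "C001", "E10", 10, Decimal("25.00"), Decimal("250.00")),
    Txn(1002, "C002", "E10", 20, Decimal("25.00"), Decimal("500.00")),
    Txn(1004, "C009", "E11", 500, Decimal("1.00"), Decimal("500.00")),
    Txn(1005, "C003", "E12", 2, Decimal("25.00"), Decimal("52.00")),
]


def sample_report() -> list[tuple]:
    """Exception report for the constructed batch: six exceptions across six controls."""
    return check_batch(SAMPLE_BATCH, control_count=4, control_total=Decimal("1250.00"))


if __name__ == "__main__":
    for seq, control, detail in sample_report():
        print(f"doc {seq}: {control} - {detail}")
```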

General controls

General IT controls are policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems, e.g. controls over:

  • data centre and network operations
  • system software acquisition
  • program change and maintenance
  • access security – passwords, door locks, swipe cards
  • backup procedures.

A healthy IT system should include both application and general control procedures.

Control examples

One way to remember the typical controls that a business operates is the mnemonic ACCAMAPS:

A uthorisation – e.g. of expense claims, of purchases, of cash transfers.

C omputer controls – e.g. passwords, backups, virus checks, maintenance.

C omparison – e.g. comparing budget versus actual and reviewing for variances.

A rithmetic controls – e.g. recalculating hours worked on time sheets.

M aintain and review control accounts – e.g. sales/purchase ledger control account, bank.

A ccount reconciliations – e.g. bank reconciliation, sales/purchase ledger reconciliation.

P hysical controls – e.g. locking mechanisms, CCTV, safes.

S egregation of duties – e.g. purchase ledger clerk does not process payments to suppliers (to reduce risk of false supplier fraud).

A changing world

Rapid developments in IT have implications for systems and controls. Examples of such issues include:

  • Transactions automatically triggered by predetermined system criteria, e.g. stock purchases, automated utility billing;
  • High volume transactions enabled through the use of barcodes and scanning, e.g. supermarkets;
  • On-line purchasing
  • On-line account management
  • Automated goods delivery, e.g. Amazon
  • Automated cash collection, e.g. Amazon
  • On-line/virtual products, e.g. on-line gambling.

All of these modern business practices require systems that operate effectively and use the most up to date information available. Without excellence in IT systems and controls these businesses would simply not be possible.

v. Monitoring of controls

This is the process of assessing the effectiveness of controls over time and taking necessary remedial action. Clearly if a control is not implemented properly or is simply considered ineffective then misstatements may pass undetected into the financial statements.

Monitoring can be either ongoing or performed on a separate evaluation basis (or a combination of both). Either way, it needs to be effective for the system to work. Monitoring of internal controls is often the key role of internal auditors.

3 Ascertaining the systems

Procedures used to obtain evidence regarding the design and implementation of controls include:

  • enquiries of relevant personnel;
  • observing the application of controls;
  • tracing transactions through systems; and
  • inspecting documents, such as internal procedure manuals.

In addition to this, auditors can also use their prior knowledge of the client and the operation of the systems in prior years. However, it must be noted that auditors cannot simply rely on their systems knowledge from the prior year's audit; much can happen in a year, so systems knowledge must be updated and the systems tested once more.

It should also be noted that ISA 315 specifies that enquiry, alone, is not sufficient to understand the nature and extent of controls.

4 Documenting client systems

Possible ways of documenting systems include:

  • narrative notes (which can prove bulky if systems are large or complex)
  • flowcharts (which can make a complex system easier to follow)
  • organisation charts – showing roles, responsibilities, and reporting lines
  • Internal Control Questionnaire (ICQ)
  • Internal Control Evaluation Questionnaire (ICE).

ISA 315 states that the method adopted is a matter of auditor judgement.


An ICQ is a list of possible controls for each area of the Financial Statements. The client is asked to review the list and confirm which are applicable to their system.


In contrast to ICQs, an ICE lists control objectives. Clients are then asked to confirm how they meet each objective.

For example, an ICQ might ask a client: "Does a supervisor authorise all weekly timesheets?" An ICE would ask: "How does the company ensure that only hours worked are recorded on timesheets?"

5 Testing the system

Having documented the systems the auditor needs to assess whether:

  • they are actually implemented; and
  • they are effective.

In order to assess the operating effectiveness of controls in preventing and detecting material misstatement the auditor performs tests of controls. These are designed to gather evidence concerning:

  • how controls were applied during the period;
  • the consistency of application; and
  • who (or what) they were applied by.

Typical methods of controls testing include:

  • walkthrough tests, where a transaction is followed through the system;
  • observation of control activities, e.g. the inventory count; and
  • computer aided audit techniques (as seen in the audit evidence chapter).

Problems with fraud

Fraud is specifically designed to mislead people. Consider the following example:

  • A company only deals with suppliers on a list authorised by the Finance Director (FD).
  • Payments to suppliers are made after the purchases clerk identifies the monthly payments to be made and prepares the cheques.
  • The cheques are signed by the FD, who confirms the amounts paid and supplier names to supporting documentation; and
  • The cheques are countersigned by the Managing Director, who does not check the details but has a good knowledge of who the suppliers are.

This appears to be a sensible combination of authorisation controls and segregation of duties.

However, now consider the implication if one of the suppliers is actually controlled by the FD. The supplier regularly overcharges and the purchases clerk is being bribed by the FD in return for their silence.

Of course, this is a potentially criminal scheme, but that is what a fraud is. The auditor, unfortunately, would place reliance on the control system and reduce substantive testing of purchases. It is for this reason that the auditor must always perform some substantive procedures and must always maintain an attitude of professional scepticism.

6 The revenue cycle


The objectives of controls in the revenue cycle are to ensure that:

  • sales are made to valid customers
  • sales are recorded accurately
  • all sales are recorded
  • cash is collected within a reasonable period.

This is a summary of the sales cycle, showing the possible risks, related controls and example tests:

7 The purchases cycle

The objectives of controls in the purchases cycle are to ensure that:

  • orders are made for valid and necessary business purchases;
  • purchase solutions are cost-effective;
  • appropriate inventory items are received and stored securely;
  • purchases and related payables are recorded accurately; and
  • cash is paid within a reasonable period and recorded accurately.

This is a summary of the purchases cycle, showing the possible risks, related controls and example tests:

8 The payroll system


The objectives of controls for the payroll cycle are to ensure that the company:

  • pays the right people
  • pays the right rate
  • pays for valid work done
  • deals correctly with taxes and other deductions.

This is a summary of the payroll cycle, showing the possible risks, related controls and example tests:

9 The inventory system


The objectives of controls in the inventory cycle are to ensure that:

  • inventory levels are in keeping with the needs of:
    • production (raw materials and bought in components).
    • customer demand (finished goods).
  • inventory levels are not:
    • excessive.
    • too low ('stockouts').
  • inventory is safeguarded from theft, loss or damage.
  • value for money is achieved.
  • goods/services delivered are what was ordered.
  • quality of goods/services delivered is satisfactory.

10 Capital expenditure

Capital and revenue expenditure

This area looks at expenditure on items other than purchases. However, the controls are virtually identical to controls over purchases as seen above. Some controls may vary, such as:

  • Capital expenditure is often for substantial amounts. As such, most companies would require such items to be included in an annual budget and authorised by very senior level management.
  • Regular revenue expense items may be monitored by simple variance analysis (i.e. actual versus budget) on a monthly basis.
  • Capital items are likely to be stored on an asset register, which records details of supplier, price, insurance details, current location, responsible employee, etc.
  • Just as inventories are counted, assets are likely to be checked against the register on a regular basis.
  • When assets are sold second-hand, the items will be checked against similar items or price guides to ensure the company receives fair value.
  • Ownership documents (title deeds, vehicle registration documents) will be safely stored.

11 Bank and cash system


The objectives of controls over bank and cash are to ensure that:

  • cash balances are safeguarded.
  • cash balances are kept to a minimum (i.e. no large amounts of physical cash are kept, which would be susceptible to theft).
  • money can only be extracted from bank accounts for authorised purposes.

Possible controls

12 Reporting to those charged with governance

Auditors should communicate deficiencies in internal control to those charged with governance and management. In particular, significant deficiencies should be communicated in writing to those charged with governance. This is a requirement of ISA 265 Communicating Deficiencies in Internal Control to Those Charged with Governance and Management.

The form, timing and addressees of this communication should be agreed at the start of the audit, as part of the terms of the engagement. This report, traditionally known as a management letter or report to management, is usually sent at the end of the audit process.

When the auditor reports deficiencies, it should be made clear that:

  • the report is not a comprehensive list of deficiencies, but only those that have come to light during normal audit procedures
  • the report is for the sole use of the company
  • no disclosure should be made to a third party without the written agreement of the auditor
  • no responsibility is assumed to any other parties.

In the exam, an internal control question may require you to analyse controls and report deficiencies in the form of a management letter. The best structure is:


(A table format is best: it keeps you structured, and the markers find it easier to mark.)

Test your understanding 1

After performing tests of controls, the auditor is of the opinion that audit evidence is not sufficient to support the audit opinion; in other words many control errors were found.


Explain THREE actions that the auditor may now take in response to this problem.

Real exam question: June 2008 (3 marks)

Test your understanding 2

Rhapsody Co supplies a wide range of garden and agricultural products to trade and domestic customers. The company has 11 divisions, with each division specialising in the sale of specific products, for example, seeds, garden furniture, agricultural fertilizers. The company has an internal audit department which provides audit reports to the audit committee on each division on a rotational basis.

Products in the seed division are offered for sale to domestic customers via an Internet site. Customers review the product list on the Internet and place orders for packets of seeds using specific product codes, along with their credit card details, onto Rhapsody Co's secure server. Order quantities are normally between one and three packets for each type of seed. Order details are transferred manually onto the company's internal inventory control and sales system and a two part packing list is printed in the seed warehouse. Each order and packing list is given in a random alphabetical code based on the name of the employee inputting the order, the date and the products being ordered.

In the seed warehouse, the packets of seeds for each order are taken from specific bins and despatched to the customer with one copy of the packing list. The second copy of the packing list is sent to the accounts department where the inventory and sales computer is updated to show that the order has been despatched. The customer's credit card is then charged by the inventory control and sales computer. Bad debts in Rhapsody are currently 3% of the total sales.

Finally, the computer system checks that for each charge made to a customer's credit card account, the order details are on file to prove that the charge was made correctly. The order file is marked as completed confirming that the order has been despatched and payment obtained.


In respect of sales in the seeds division of Rhapsody Co:

(i) identify and explain FOUR deficiencies in the sales system;

(ii) explain the possible effect of each deficiency; and

(iii) provide a recommendation to alleviate each deficiency.

(14 marks)

Test your understanding 3

You are carrying out the audit of the purchases system of Spondon Furniture. The company has a turnover of about $10 million and all the shares are owned by Mr and Mrs Fisher, who are non-executive directors and are not involved in the day-to-day running of the company.

The bookkeeper maintains all the accounting records and prepares the annual financial statements.

The company uses a standard computerised accounting package.

You have determined that the purchases system operates as follows:

  • When materials are required for production, the production manager sends a handwritten note to the buying manager. For orders of other items, the department manager or managing director sends handwritten notes to the buying manager. The buying manager finds a suitable supplier and raises a purchase order. The purchase order is signed by the managing director. Purchase orders are not issued for all goods and services received by the company.
  • Materials for production are received by the goods received department, who issue a goods received note (GRN), and send a copy to the bookkeeper. There is no system for recording receipt of other goods and services.
  • The bookkeeper receives the purchase invoice and matches it with the goods received note and purchase order (if available). The managing director authorises the invoice for posting to the purchase ledger.
  • The bookkeeper analyses the invoice into relevant nominal ledger account codes and then posts it.
  • At the end of each month, the bookkeeper prepares a list of payables to be paid. This is approved by the managing director.
  • The bookkeeper prepares the cheques and remittances and posts the cheques to the purchase ledger and cashbook.
  • The managing director signs the cheques and the bookkeeper sends the cheques and remittances to the payables.

Mr and Mrs Fisher are aware that there may be weaknesses in the above system and have asked for advice.

Identify the deficiencies in controls in Spondon's purchases system, explain what the impact is and suggest improvements.

(12 marks)

Test your understanding 4

Bassoon Ltd runs a chain of shops selling electrical goods all of which are located within the same country.

It has a head office that deals with purchasing, distribution and administration. The payroll for the whole company is administered at head office.

There are 20 staff at head office and 200 staff in the company's 20 shops located in high streets and shopping malls all over the country.

Head office staff (including directors) are all salaried and paid by direct transfer to their bank accounts.

The majority of the staff at the company's shops are also paid through the central salary system, monthly in arrears. However, some students and part time staff are paid cash out of the till.

Recruitment of head office staff is initiated by the department needing the staff who generally conduct interviews and agree terms and conditions of employment. Bassoon has an HR manager who liaises with recruitment agencies, places job adverts and maintains staff files with contracts of employment, etc.

Shop managers recruit their own staff.

Shop staff receive a basic salary based on the hours worked and commission based on sales made.

The company has a fairly sophisticated EPOS (electronic point of sale) till system at all shops that communicates directly with the head office accounting system.

All staff when making a sale have to log on with a swipe card which identifies them to the system, and means that the sales for which they are responsible are analysed by the system and commissions calculated.

Store managers have a few 'guest cards' for temporary and part time staff, who generally do not receive commissions.

Store managers and regional supervisors are paid commissions based on the performance of their store or region. Directors and other head office staff usually receive a bonus at Christmas, depending on the company's performance. This is decided on by the board in consultation with departmental managers and put through the system by the payroll manager.

The payroll manager is responsible for adding joiners to the payroll and deleting leavers as well as for implementing changes in pay rates, tax coding and other deductions and for making sure that the list of monthly transfers is communicated to the bank.

The computerised payroll system is a standard proprietary system which is sophisticated enough to incorporate the commission calculations mentioned above which are fed in directly from the EPOS system.

The company employs an IT manager who is responsible for the maintenance of all IT systems and installing new hardware and software.

Comment on the strengths and deficiencies of the payroll system at Bassoon Ltd and recommend any changes which you think are appropriate.

(10 marks)

13 Chapter summary

Test your understanding answers

Test your understanding 1

The auditor could expand the amount of tests of controls in that audit area. This may indicate that the control deficiency was not as bad as initially thought.

The problem could be raised with those charged with governance, either verbally or in a management letter, to ensure that they are aware of the problem.

The auditor could perform additional substantive procedures on the audit area. This action will help to quantify the extent of the error and makes the implicit assumption that the control system is not operating correctly.

If the matter is not resolved, then the auditor will also need to consider a modification to the audit report; the exact wording depending on the materiality of the errors found.

Test your understanding 2

Test your understanding 3

Test your understanding 4

Created at 5/24/2012 2:36 PM  by System Account  (GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London
Last modified at 10/3/2012 5:51 PM  by System Account  (GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London
