THE ACCOUNTING AND CONTROL SYSTEM

Definition

ISA 400 Risk Assessment and Internal Control accounting system is the series of tasks and records of
an entity by which transactions are processed as a means of maintaining financial records. Such
systems identify, assemble, analyze, calculate, classify, record, summarize and report transactions
and other events.

ISA 400 Risk Assessments and Internal Controls states that the auditor should obtain an understanding of
the accounting and internal control systems sufficient to plan the audit and develop an effective audit
approach. The auditor should use professional judgment to assess audit risk and to design audit
procedures to ensure it is reduced to an acceptably low level.

The Companies Act Cap 486 places a duty upon the auditor in preparing his report to carry
out investigations that will enable him form an opinion on the financial statements in accordance
with the seventh schedule to the Companies Act Cap 486

The objective of the accounting system is to ensure that all transactions are completely and
accurately processed and recorded and that the resulting accounting entries are valid.

Managements interest in the accounting system

Management needs complete and accurate books of accounts because:

i. There is no other way the business can be controlled;

ii. Records of debtors and creditors are indispensable;
iii. The best way to safeguard assets is to have a proper record of them;
iv. Accounts can only be prepared if proper primary books exist;
v. The Companies Act has specific requirements on keeping of proper books of accounts;
vi. The various acts covering NSSF, NHIF, PAYE, VAT, LEVY require proper books.

What constitutes an adequate system of accounting depends on the circumstances. The important
thing is that the system should provide for the orderly assembly of accounting information to enable
accounts to be prepared. A system of accounting cannot succeed in completely and accurately
processing and recording all transactions, unless internal arrangements set up by the management
known as Internal Controls are built into the system.

2.1 Internal Control Systems

ISA 400: “Internal control system” means all the policies and procedures (internal controls) adopted by
the management of an entity to assist in achieving management’s objective of ensuring, as far as
practicable, the orderly and efficient conduct of its business, including adherence to management policies,
the safeguarding of assets, the prevention and detection of fraud and error, the accuracy and completeness
of the accounting records, and the timely preparation of reliable financial information. The internal
control system extends beyond those matters which relate directly to the functions of the accounting
system and comprises:

(a) “The control environment”

 Which means the overall attitude, awareness and actions of directors and management regarding the
internal control system and its importance in the entity. The control environment has an effect on the
effectiveness of the specific control procedures. A strong control environment, for example, one with
tight budgetary controls and an effective internal audit function, can significantly complement specific
control procedures. However, a strong environment does not, by itself, ensure the effectiveness of the
internal control system. Factors reflected in the control environment include:
 The function of the board of directors and its committees.
 Management’s philosophy and operating style.
 The entity’s organizational structure and methods of assigning authority and responsibility.
 Management’s control system including the internal audit function, personnel policies and
procedures and segregation of duties.

(b) “Control procedures” which means those policies and procedures in addition to the control
environment which management has established to achieve the entity’s specific objectives. Specific
control procedures include:
• Reporting, reviewing and approving reconciliations.
• Checking the arithmetical accuracy of the records.
• Controlling applications and environment of computer information systems, for example, by
establishing controls over changes to computer programs
• Access to data files.
• Maintaining and reviewing control accounts and trial balances.
• Approving and controlling of documents.
• Comparing internal data with external sources of information.
• Comparing the results of cash, security and inventory counts with accounting records.
• Limiting direct physical access to assets and records.
• Comparing and analyzing the financial results with budgeted amounts.
AUDITING

Exam Focus
This is a fertile area for examiners. Invariably in every examination paper set on auditing there
will always be a question on internal controls.
We will consider the definition, the theory, the practice and its impact on the accountant being
audited and the accountant who is doing the auditing.

The management is concerned that errors and irregularities should not occur because if they did occur
they would result either in the loss of assets or the production of accounting records that are
unreliable in that they will fail to disclose a true and fair view of the financial position and the results
from operations of the entity concerned.

Meaning of the definition

a) Orderly and efficient manner: An organization that is run in an orderly and efficient manner
is able to satisfy the needs of its managers, shareholders, auditors, customers, suppliers and
anybody else interested in the operations of the entity. It will be able to satisfy the needs of its
production facilities. The results of orderliness include the timely production of information
that is reliable, they also include the cooperation of all parties concerned. An organization that
is run in a disorderly and inefficient manner will soon degenerate into chaos and would
probably have to close down sooner or later. This is important to the auditor in that where the
organization is well run he will expect reliable information timely received or provided and he
will receive the cooperation of the management, the staff and other third parties from whom he
 may seek representations. This reduces the amount of detailed work the auditor has to do.

b) Ensure adherence to management policy: Every organization must have aims or

objectives. For a company these are usually to be found in its Memorandum and
Articles of Association. The management is charged with the responsibility of
designing policies that will enable the organization's objectives to be achieved. So the
management must set policies that have to be followed or adhered to, to achieve the
objectives of the organization. To do this, management identifies broad policies such as:
the industry in which to operate, the products to produce, where the factory is to be
located and which market its products are aimed at. Management also sets detailed
policies such as the number of accounts clerks to be employed and their remuneration.
For the auditor adherence to management policy places the whole organization in
perspective. Only if the auditor understands the organization's objectives and the
policies adopted by the management to achieve those objectives will he be able to
determine whether measured against those objectives, the accounts give a true and fair
view. The policies adopted particularly in determining the values attached to assets and
liabilities and the amounts to be charged as revenue or expenditure in the profit and loss
account must be in accordance with generally accepted accounting principles.

c) Safeguard the assets: The assets are the resources of the organizations. They must therefore
be protected from loss. This protection can be done directly i.e. physically locking the assets
under lock and key and trying to prevent their deterioration or safeguarding can be done
indirectly through records and documentation. Safeguarding the assets means restricting
access to the assets. Indirect restriction means that access to the assets should be through
authorised documentation. For the auditor, the accounts cannot give a true and fair view if he
cannot confirm that the assets concerned actually exist and have the value attributed to them.

d) Secure as far as possible the completeness and accuracy of the records. It is difficult to
control any business unless you have got reliable and accurate records. Business decisions
cannot be made unless all the transactions have been completely and accurately processed and
recorded. The Companies Act requires proper records being kept for all the company's
transactions and activities. It further requires that these records should be such that accounts
that give a true and fair view can be extracted from them. Therefore, the organization must
keep reliable records and therefore the management must take the appropriate steps to ensure
that it secures as far as possible the completeness and accuracy of the records. For an auditor,
his interests in this element of internal control arises out of his statutory responsibility to
investigate and report whether proper books of accounts have been kept, whether the accounts
he is examining are in agreement with those books, and whether the Companies Act
requirements have been complied with in all material respects. He therefore has a direct
interest in complete and accurate records.

2.2 Fraud and Error

ISA 240 The Auditor’s Responsibility to Consider Fraud And Error states that when planning and
performing audit procedures and evaluating and reporting the results thereof, the auditor should consider
the risk of Material misstatements in the financial statements resulting from fraud or error.

Misstatements in the financial statements can arise from fraud or error.

The term “error” refers to an unintentional misstatement in financial statements, including the omission
of an amount or a disclosure, such as the following:
 A mistake in gathering or processing data from which financial statements are prepared.
 An incorrect accounting estimate arising from oversight or misinterpretation of facts.
 A mistake in the application of accounting principles relating to measurement,
recognition, classification, presentation, or disclosure.

The term “fraud” refers to an intentional act by one or more individuals among management, those
charged with governance, employees, or third parties, involving the use of deception to obtain an unjust
or illegal advantage.

Although fraud is a broad legal concept, the auditor is concerned with fraudulent acts that cause a
material misstatement in the financial statements. Misstatement of the financial statements may not be the
objective of some frauds. Auditors do not make legal determinations of whether fraud has actually
occurred. Fraud involving one or more members of management or those charged with governance is
referred to as management fraud;” fraud involving only employees of the entity is referred to as
“employee fraud.” In either case, there may be collusion with third parties outside the entity.

Two types of intentional misstatements are relevant to the auditor’s consideration of fraud –
misstatements resulting from fraudulent financial reporting and misstatements resulting from
misappropriation of assets.

Fraudulent financial reporting involves intentional misstatements or omissions of amounts or

disclosures in financial statements to deceive financial statement users. Fraudulent financial reporting
may involve the following:
 Deception such as manipulation, falsification, or alteration of accounting
records or supporting documents from which the financial statements are
prepared.
 Misrepresentation in, or intentional omission from, the financial
statements of events, transactions or other significant information.
 Intentional misapplication of accounting principles relating to
measurement, recognition, classification, presentation, or disclosure.

The distinguishing factor between fraud and error is whether the underlying action that results in the
misstatement in the financial statements is intentional or unintentional. Unlike error, fraud is intentional
and usually involves deliberate concealment of the facts. While the auditor may be able to identify
potential opportunities for fraud to be perpetrated, it is difficult, if not impossible, for the auditor to
determine intent, particularly in matters involving management judgment, such as accounting estimates
and the appropriate application of accounting principles.

Responsibility of Those Charged With Governance and of Management

The primary responsibility for the prevention and detection of fraud and error rests with both those
charged with the governance and the management of an entity. The respective responsibilities of those
charged with governance and management may vary by entity and from country to country. Management,
with the oversight of those charged with governance, needs to set the proper tone, create and maintain a
culture of honesty and high ethics, and establish appropriate controls to prevent and detect fraud and error
within the entity. This responsibility arise out of the contractual relationship between the directors,
managers and the company
Recent Pronouncements on corporate governance have reinforced this responsibility

Responsibilities of the Auditor

The Auditor ha no responsibility for the prevention and detection of fraud and error although the annual
audit may act as a deterrent.
As described in ISA 200, “Objective and General Principles Governing an Audit of Financial
Statements,” the objective of an audit of financial statements is to enable the auditor to express an opinion
whether the financial statements are prepared, in all material respects, in accordance with an identified
financial reporting framework. An audit conducted in accordance with ISAs is designed to provide
reasonable assurance that the financial
statements taken as a whole are free from material misstatement, whether caused by fraud or error. The
fact that an audit is carried out may act as a deterrent, but the auditor is not and cannot be held responsible
for the prevention of fraud and error.

An audit does not guarantee all material misstatements will be detected because of such factors as the use
of judgment, the use of testing, the inherent limitations of internal control and the fact that much of the
evidence available to the auditor is persuasive rather than
conclusive in nature. For these reasons, the auditor is able to obtain only reasonable assurance that
material misstatements in the financial statements will be detected.

In planning the audit, the auditor should discuss with other members of the audit team the susceptibility
of the entity to material misstatements in the financial statements resulting from fraud or error. The
auditor should make inquiries of management:

(a) To obtain an understanding of:

(i) Management’s assessment of the risk that the financial statements may be
materially misstated as a result of fraud; and
(ii) The accounting and internal control systems management has put in place to address such
risk;
(b) To obtain knowledge of management’s understanding regarding the accounting and
internal control systems in place to prevent and detect error;
(c) To determine whether management is aware of any known fraud that has affected the entity or
suspected fraud that the entity is investigating; and
(d) To determine whether management has discovered any material errors.

Procedures When Fraud is suspected

When the auditor encounters circumstances that may indicate that there is a material misstatement in the
financial statements resulting from fraud or error, the auditor should perform procedures to determine
whether the financial statements are materially misstated.

When the auditor identifies a misstatement, the auditor should consider whether such a misstatement may
be indicative of fraud and if there is such an indication, the auditor should consider the implications of the
misstatement in relation to other aspects of the audit, particularly the reliability of management
representations.

Evaluation and Disposition of Misstatements, and the Effect on the Auditor’s Report
When the auditor confirms that, or is unable to conclude whether, the financial statements are materially
misstated as a result of fraud or error, the auditor should consider the implications for the audit.
.
Documentation
The auditor should document fraud risk factors identified as being present during the auditor’s assessment
process and document the auditor’s response to any such factors. If
during the performance of the audit, fraud risk factors are identified that cause the auditor to believe that
additional audit procedures are necessary, the auditor should document the presence of such risk factors
and the auditor’s response to them.

Communication
When the auditor identifies a misstatement resulting from fraud, or a suspected fraud, or error, the auditor
should consider the auditor’s responsibility to communicate that information to management, those
charged with governance and, in some circumstances, to regulatory and enforcement authorities.

Communication of Misstatements Resulting From Error to Management and

to Those Charged With Governance
If the auditor has identified a material misstatement resulting from error, the auditor should communicate
the misstatement to the appropriate level of management on a timely basis, and consider the need to
report it to those charged with governance in accordance with ISA 260,

“Communication of Audit Matters With Those Charged With Governance.”

The auditor should inform those charged with governance of those uncorrected misstatements aggregated
by the auditor during the audit that were determined by management to be immaterial, both individually
and in the aggregate, to the financial statements taken as a whole.

Communication of Misstatements Resulting From Fraud to Management and

to Those Charged With Governance
If the auditor has:
(a) Identified a fraud, whether or not it results in a material misstatement in the financial
statements; or
(b) Obtained evidence that indicates that fraud may exist (even if the potential effect on the financial
statements would not be material); the auditor should communicate these matters to the
appropriate level of management on a timely basis, and consider the need to report such matters
to those charged with governance in accordance with ISA 260.

Communications to Regulatory and Enforcement Authorities

The auditor’s professional duty to maintain the confidentiality of client information ordinarily precludes
reporting fraud and error to a party outside the client entity. The auditor considers seeking legal advice in
such circumstances.

Errors can be described as an intentional mistake and they can occur at any stage in a business transaction
and they can be of any type. Auditors would primarily be interested in the prevention, detection and
disclosure of errors for the following reasons:

(a) Existence of errors may indicate that accounting records are unreliable and are therefore not a
satisfactory basis from which to prepare financial statements. The auditor could therefore
conclude that proper books of accounts have not been kept where there are too many material
errors. This is a ground for qualification of an auditor's report.
(b) Too many errors may also indicate that the system of internal control is not reliable, and
therefore the auditor wishing to place any reliance on a system of internal control may not be
able to do so.

(c) If errors are of sufficient magnitude, they may be sufficient to affect the true and fair view
given by the accounts.

Irregularities
Irregularities can be described as intentional distortions of financial statements for whatever purpose
and also as misappropriation of assets whether or not a company by distortions of financial
statements. The auditor's responsibility towards fraud and other irregularities is exactly the same as
that of errors.

Materiality
If the auditor knows or suspects that an error or irregularity has occurred or exists, then he cannot
apply materiality consideration until he has sufficient evidence of the extent of the error or
irregularity

Indication of irregularities

Possible indications of irregularities include:

(a) Missing documents or vouchers, these could have been deliberately destroyed to conceal an
irregularity;
(b) Evidence of altered documents: alterations can take place after the transaction has been
approved;
(c) Unsatisfactory explanation: these are explanations that are vague and are unsupported;
(d) Evidence of disputes;
(e) Existence of suspense accounts or unexplained differences on reconciliations;
(f) Evidence that internal control is not operating as it is intended to;
(g) Unduly lavish life styles of employees and officers;
(h) Figures not agreeing with expectations.

Reporting
To the members: unless the errors and irregularities result in the accounts not giving a true and fair
view, or do not conform to statute, or proper books have not been kept, then there is no need to report.
To the top management: if the auditor suspects that management are involved in irregularities, then he
should report to the main board or to the audit committee. To management: all actual or potential
irregularities should be reported with recommendations for changes. To third parties: the auditor
should take legal advice or advice from his professional body to ensure the accounts give a true and
fair view, but only disclose those matters where he has a clear public duty to disclose for example, if a
serious crime has been committed.

TYPES OF INTERNAL CONTROL

1. Organization: Enterprises should have a plan of their organization defining and allocating
 responsibilities and identifies lines of reporting for all aspects of the enterprises' operation,
including the controls. The delegation of authority and responsibility should be clearly
specified.
2. Segregation of duties: One of the prime means of control is the separation of those
responsibilities or duties which would if combined enable one individual to record and process
a complete transaction. Segregation reduces the risk of intentional manipulation and error and
increases the element of checking. Functions which should be separated include those of
authorization, execution, custody, recording and in the case of a computer based accounting
system, systems development and daily operations.
3. Physical: These are concerned mainly with the custody of assets and involve procedures and
security measures designed to ensure that access to assets is limited to authorised personnel.
This includes both direct access and indirect access through documentation. These controls
assumes importance in the case of valuable, portable, exchangeable or desirable assets.
4. Authorization and approval: All transactions should require authorization or approval by an
appropriate responsible person. The limits for this authorization should be specified.
5. Arithmetical and accounting: These are the controls within the recording function which
check that the transactions to be recorded and processed have been authorised, that they are all
included and that they are correctly recorded and accurately processed. Such controls include:
the checking of the arithmetical accuracy of the records, the maintenance and checking of
totals, reconciliations, control accounts and trial balances and accounting for documents.
6. Personnel: There should be procedures to ensure that personnel have capabilities
commensurate with their responsibilities. Inevitably, the proper functioning of any system
depends on the competence and integrity of those operating it. The qualifications, selection
and training as well as the innate personal characteristics of the personnel involved are
important features to be considered in setting up any control system.
7. Supervision: Any system of internal control should include the supervision by responsible
officials of day to day transactions and the recording thereof.
8. Management controls: These are the controls exercised by the management outside the day to
day routine of the system. They include: the overall supervisory controls, exercised by
management, the review of management accounts, and comparison thereof with budgets, the
internal audit functions and any special review procedures.
AUDIT TESTING
The auditor is not entitled to place any reliance on internal controls based solely on his preliminary
evaluation. He should carry out compliance tests to obtain reasonable assurance that the controls on which
he wishes to rely were functioning both properly and throughout the period.

Compliance Tests
Compliance tests are defined as those tests which seek to provide audit evidence that internal control
procedures are being applied as prescribed. We have seen that the auditor first ascertains a system of
internal control through various means, he then records that system again through various possible means,
then through the use of walkthrough tests he seeks to corroborate the record. After corroboration he must
carry out an evaluation of the system to determine whether conceptually it is reliable, or has certain key
controls upon which he can place reliance.

If he evaluates the system and reaches the conclusion that the system has controls upon which he can place
reliance, then the auditor has to make a further decision and this is whether he should carry out compliance
tests or not. A point must be made here, it is the application of the system that is being tested not the
transactions although the testing is through the medium of transactions. So in carrying out his compliance
tests and as exceptions are noted where the system has not been complied with in any particular, then the
auditor may need to revise his system description and re-evaluate its effectiveness. He also will need to
determine if the failure of compliance was an isolated case or is symptomatic.

Controls and their exercise can leave a visible trail like a signature or a stamp on a document or they may
leave no visible trail. Compliance tests therefore can be carried out through inspection of documents to
determine whether appropriate signatures and evidence of approval and checking exists, or through
observation whereby there is no evidence that a procedure was carried out as expected. The tests carried out
by examination of documents can usually be extended and conclusions extrapolated to cover the whole
population concerned. However, for those subject to observation we can only draw conclusions based on
what was actually observed and we have no evidence that the procedure is performed that way throughout
the period.

In compliance tests the issue of materiality does not arise. Every exception is material and should be
investigated. If compliance tests disclose no exceptions the auditor may reasonably place reliance on the
effective functioning of the internal controls tested. He can therefore limit his substantive tests on the
relevant information in the accounting records.

The accountant is concerned as far as every transaction is concerned that it has been recorded and processed
completely and accurately and that it is valid. Internal controls are arrangements established by the
management to ensure that this is so, therefore compliance tests provide the auditor with indirect evidence
that all transactions have been completely and accurately processed and recorded. Example: A key control
that the auditor wishes to rely on may be that before the payroll is paid the chief accountant, the personnel
manager, and the managing director must sign to approve it. The auditor would therefore select a sample of
payrolls and going through them seek to confirm that the appropriate signatures have been appended. Now
if he finds that the appropriate signatures are actually appended then it gives him some assurance that
everything relating to the payrolls was completely and accurately processed and recorded and all the
resultant entries are valid. This is so because we would not expect the chief accountant, the personnel
manager and the managing director to approve a payroll that is wrong in some particular. You can see from
this that the auditor has not referred to any information contained in any records or any financial statements
and yet he has some assurance. Therefore as a result of this, he may limit his detailed tests on the payroll to
a minimum.
If the compliance tests have disclosed exceptions which indicate that the control being tested was not
operating properly in practice the auditor should determine the reason for this. He needs to assess whether
each exception is only an isolated departure or is representative of others and whether it indicates the
possible existence of errors in the accounting records. If the explanation he receives suggest that the
exception is only an isolated departure then he must confirm the validity of the explanation for example by
carrying out further tests. If the explanation or the further tests confirm that the control being tested was not
operating properly throughout the period then he cannot rely on that control. In these circumstances, the
auditor is unable to restrict his substantive testing unless he can identify an alternative control on which to
rely. Before relying on the alternative control he must carry out suitable compliance tests on it. Example:
In our payroll example above, suppose the auditor picks five payrolls and on further examination finds that
one of them does not have the appropriate signatures. This may mean that maybe responsible officials were
on leave in which case the control was not exercised. He could therefore select five more payrolls to
confirm that the exception was an isolated one. If he finds out that the payroll is never approved by the
three officials as required then he cannot limit his detailed substantive tests and he will have to look for
evidence that all the employees on the payroll were genuine, they were paid for work done and the
recording was correctly done.

Substantive tests
These are defined as those tests of transactions and balances and other procedures such as an
analytical review which to seek to provide audit evidence as to the completeness, accuracy and
validity of the information contained in the accounting records or in the financial statements. You
can see from this definition that all audit work comes within substantive tests, we however use the term to
mean all tests other than compliance tests. A substantive test seeks to provide direct evidence of the correct
treatment of a transaction, a balance, a liability or any item in the books or the accounts.

The emphasis here is on the information contained in the records or the financial statements and seeking
evidence to prove its completeness, accuracy and validity and not a check on the procedures established by
the management to ensure that it is so.

Some examples:

1. Transactions: you may find the sale of a fixed asset recorded in the accounting books. The
auditor would need to examine the copy invoice, the authority for the transaction, the
elimination of that item of fixed assets from the plant register and other books, the accounting
treatment and he will also seek evidence that the price obtained was reasonable.
2. Balances: a bank balance recorded in the books. The auditor would need to obtain direct
confirmation from the bank, and compare that confirmation with the bank reconciliation
and the cash book.
3. Analytical review: the auditor seeks evidence that proper cut off has been achieved. He can do
this by examining the gross profit ratio and the accounting treatment of receipts and issues of
stock items.
4. Completeness of evidence: the auditor can obtain representation from the company's lawyers
that there are no pending legal cases against the company that could result in significant losses.

ROTATIONAL TESTS
In practice the auditor will carry out only compliance tests and substantive tests. Compliance tests to
provide him with indirect evidence and substantive tests - direct evidence.
Occasionally however there is reference to rotational tests and these are of two kinds:

1. Visit rotation: this is where the client has numerous branches, factories or locations. It may be
 impractical to visit all of them each year. In such cases the auditor visits them in rotation such
that each will not be visited each year, but all will be visited over a period of time.

2. Emphasis: there are times the auditor rotates audit emphasis. The auditor performs a systems
audit on all areas of the clients business every year but he would select one area for special in
depth testing. There is opinion that every audit every year must cover all areas adequately,
however, as auditors usually serve for several years rotational testing makes sense in terms of
effectiveness and efficiency. It is vital that rotational tests are carried out at random so that
client staff do not know which areas or locations will be selected in any one year.

TECHNIQUES OF AUDIT TESTING

Under our review of audit evidence we examined techniques of obtaining audit evidence and these are the
techniques for audit testing.

Timing of audit testing

1. Walk through tests: their purpose is to conform the correct recording of an accounting system
and the auditor's understanding of that system and the related controls. These are therefore
best performed:

a) After recording the system.

b) The following year if you are the auditor because it is inefficient to ascertain and record
the system every year. All the auditor needs to do is to ask the client whether there has
been any changes in the system and if there has been no changes then a walk through
test confirms that the record is still appropriate.
c) After an interim audit visit when the auditor comes in for the final audit he can
carry out walk through tests to confirm that the systems have not changed.
d) When the auditor did not prepare the record of the system then he carries out
walkthrough tests to confirm his understanding of the system.

2. Compliance tests: the sample should be representative of the whole years transactions. They
are usually carried out at the interim audit visit and up-dated at the final visit to ensure that the
whole period has been covered.
3. Substantive test: these tests are applied to:

a) Transaction records where internal controls are weak or non-existent or where the
system cannot be relied on.
b) Unusual, extraordinary or one off transaction and transactions which are not covered by
the system.
c) All assets and liabilities at the balance sheet date.

Therefore we can see that substantive tests are usually carried out at any time during the audit but
mostly concentrated at the final visit.
To summarise audit testing
The stages in audit testing are:

1. Internal control evaluations which will be followed by.

2. Compliance testing which gives satisfaction to some extent on the reliability of the records and
the controls. This will be followed by:-

3. An overall analytical review designed to expose apparent inconsistencies and abnormalities in

the financial statements and the underlying records. These three help us determine the extent
of substantive testing. Substantive testing consists of tests that are designed to substantiate the
completeness, accuracy and validity of information contained in the accounting records and
financial statements. They consist of:

a) detailed analytical review which is designed to help locate material mis-statements in the
accounts by comparing transactions and balances with related items both for the same
period and for previous periods.
b) tests of detail which consist of transaction testing and balance testing and are
designed to substantiate individual items in the accounts and so gain assurance
either about the validity of similar transactions or about the details that underlie
the various accounts balances. Test of details consist of transaction testing which
is achieved by vouching whereby vouching is defined as proving the authenticity
of a recorded transaction, the checking of casts and cross casts, checking of
postings and reconciliations. Balance testing is achieved by direct confirmation
and the physical inspection, all these give the necessary confidence for the auditor
to express an opinion on the accounts.

The Relationship between External Auditing and Internal Auditing.

Introduction
Very large organisations (and some small ones) have found a need for an internal audit in addition
to an external audit. Internal auditors are employees of the organisation and work exclusively for
the organisation. Their functions partly overlap those of the external auditors but in part are quite
different.

The precise functions of external auditors are either laid down by statute or embodied in a letter of
engagement. The functions (which are rarely precisely laid down) of internal auditors are
determined by management and vary greatly from organisation to organisation.

Internal audit can be defined as:

"an independent appraisal function within an organisation for the review of systems of control and
the quality of performance, as a service to the organisation. It objectively examines, evaluates and
reports on the adequacy of internal control as a contribution to the proper, economic, efficient and
effective use of resources."

Internal auditing is thus:

a. Carried on by independent personnel. Internal auditors are employees of the firm and thus
independence is not always easy to achieve. However it can be assisted by:
 • having the scope to arrange its own priorities and activities
• having unrestricted access to records, assets and personnel
• freedom to report to higher management and where it exists to an audit committee
• Having internal audit personnel with an objective frame of mind

The ISA 610, deals with Reliance by External Auditors on the work of the Internal Auditor.

• IA personnel who have no conflicts of interests or any restrictions placed upon their
work by management.
• IA personnel having no responsibility for line work or for new systems. A person
cannot be objective about something he/she has taken responsibility for. On the other
hand the IA should be consulted on new or revised systems
• IA personnel who have no non-audit work.

Since internal auditors are employees it is difficult to ensure that they are truly independent in mind and
attitude.

b. an appraisal function. The internal auditor's job is to appraise the activity of others, not to
perform a specific part of data processing. For example, a person who spent his time checking
employee expense claims is not performing an internal audit function. But an employee who
spent time reviewing the system for checking employee expense claims may well be
performing an internal audit function.

c. as a service to the organisation.

The management requires that:

i. Its policies are fulfilled.

ii. The information it requires to manage effectively is reliable and complete.
iii. The organisation's assets are safeguarded.
iv. The internal control system is well designed.
v. The internal control system works in practice.

The internal auditor's activity will be directed to ensure that these requirements are met. The
internal auditor can be seen as the eye of the board within the enterprise.

d. Other duties may include:

i. Being concerned. An example of this is in energy saving.
ii. Being concerned with the response to the internal control system to errors and required
changes to prevent errors.
iii. Acting as a training officer in internal control matters.
iv. Auditing the information given to management particularly interim accounts and
management accounting reports.
v. Taking a share of the external auditor's responsibility in relation to the figures in the
annual accounts.

2. ESSENTIAL ELEMENTS OF INTERNAL AUDIT

The essential elements of internal audit are:

a. Independence—see above
b. Staffing—the internal audit unit should be adequately staffed in terms of numbers, grades and
experience.
c. Training—all internal auditors should be fully trained.
d. Relationships—internal auditors should foster constructive working relationships and mutual
understanding with management, with external auditors with any review agencies (e.g.
management consultants) and where appropriate with an audit committee. Mutual
understanding is the goal.
e. Due care—an internal auditor should behave much as an external auditor in terms of skill, care
and judgement. He should be up to date technically and have personal standards of
knowledge, honesty, probity and integrity much as an external auditor. It is desirable that an
internal auditor is qualified, because of ethical considerations as much as technical standards
implied by membership of a professional body.
f. Planning, controlling and recording—fundamentally the internal auditors should behave much
as external auditors in this respect. The plan should identify audit areas which may be:

i. Activity (e.g. payroll, income, stores, purchasing etc.)

ii. Nature of the audit (e.g. protective, systems audit, value for money)
iii. Level of audit required (e.g. degree of risk, frequency and extent of audit).

Internal auditors plan their work strategically (two to five years for all areas to be covered),
periodically (typically one year when the strategic plan is translated into a schedule of work)
and operationally (each piece of work, in detail).

Controlling includes supervision and review of internal audit work.

Working papers should be of a similar detail and standard as those of external auditors.

g. Systems control—the internal auditor must verify the operations of the system in much the
same way as an external auditor i.e. by investigation, recording, identification of controls and
compliance testing of the controls. However, the internal auditor is also concerned with:

• The organisation's business being conducted in an orderly and efficient manner

• Adherence to management policies and directives
• Promoting the most economic, efficient and effective use of resources and achieving the
management's policies.
• Ensuring compliance with statutory requirements
• Securing as far as possible the completeness and accuracy of the records
• Safeguarding the assets

h. Evidence—the internal auditor has similar standards for evidence as an external auditor, he
will evaluate audit evidence in terms of sufficiency, relevance and reliability.

i. Reporting—the internal auditor must produce timely, accurate and comprehensive reports to
management on a regular basis. These should report on the matters outline in g. above and
with the accuracy of information given to management and give recommendations for change.
3. EXTERNAL AND INTERNAL AUDITORS COMPARED AND CONTRASTED
Common interests
a. An effective system of internal control
b. Continuous effective operation of such system
c. Adequate management information flow
d. Asset safeguarding
e. Adequate accounting system (for example to comply with the Companies Act Cap 486)

Differences
a. Scope—the extent of the work undertaken. Internal audit work is determined by management
but the external auditor's work is laid down statute.

b. Approach. The internal auditor may have a number of aims in his work including an appraisal
of the efficiency of the internal control system and the management information system. The
external auditor is interested primarily in the truth and fairness of the accounts.

c. Responsibility. The internal auditor is answerable only to management. The external auditor
is responsible to shareholders and arguably to an even wider public. both are of course
answerable to their conscience and the ethical concepts of their professional bodies.

Areas of work overlap. This can apply in the following areas:

a. Examination of the system of internal control.

b. Examination of the accounting records and supporting documents.
c. Verification of assets and liabilities.
d. Observation, enquiry and the making of statistical and accounting ratio measurements.

Reasons for Co-Operation between External and Internal Auditors

Internal audit is an element of the Internal Control system established by management. Thus as external
auditors are accustomed to place reliance on internal controls they will consider if reliance can be placed on
this element.

Some of the objectives of internal audit are the same as those of the external auditor. For example, the
internal auditor will perform work on the documentation and evaluation of accounting systems and internal
controls and will carry out compliance and substantive tests. It makes economic sense to reduce the work of
the external auditor by relying on work done by the internal auditor.

Basis of Co-Operation
The external auditor may utilize the work of the internal auditor in two ways:
a. By taking into account the work done by the internal auditor;
b. By agreeing with the management that internal audit will render direct assistance to the external
auditor.
Nature of Internal Auditing
The scope and objectives of internal audit ate set by management and vary widely. The areas of activity
may include:

a. Reviewing accounting systems and internal control;

b. Examining financial and operating information for management, including detailed testing of
transactions and balances;
c. Reviewing the economy, efficiency and effectiveness of operations and of the functioning of
non financial controls;
d. Review of the implementation of corporate policies, plans and procedures;
e. Special investigations.

Some of these functions are directly relevant to the objectives of the external auditor—seeking evidence of
the truth and fairness etc., of items in the Accounts. Even special investigations may be relevant. For
example, an investigation into the extent of slow moving stock is relevant to the value of stock or an
investigation into the viability of a branch may be evidence as to the correctness of using going concern
values for that branch's assets.

Some of the functions are clearly not relevant to the external auditor's objectives. For example, the cost of a
control is not relevant, only its effectiveness.

Some internal audit work is not audit work at all but is part of internal control. For example internal audit in
Local Authorities may scrutinize and approve expenses claims. Such work is an internal control but is not
auditing.

Assessment
Before placing any reliance on the work of an internal auditor, the external auditor must assess the internal
auditor and his work in the following areas:

a. Independence. The internal auditor may be an employee of the organisation, but he may be
able to organise his own activities and report his findings to a high level in management. an
internal auditor on whom the external auditor places reliance must be independent and be able
to communicate freely with the external auditor.

b. The scope and objectives of the internal audit function areas such as 6a. and b. are likely to be
useful to the external auditor. but c., d. and e. may also. For example, an investigation into a
fraud may supply evidence to the external auditor that the extent of the fraud is not material.
c. Due professional care. To be useful to an external auditor the internal auditor's work must be
done in a professional manner. That is, it must be properly planned, controlled, recorded and
reviewed. The auditor who arrives in the morning and says to himself "what shall I do today",
is not much use.
d. Technical competence. Membership of a professional body with its competence and ethical
implications is desirable. Ongoing training in specialist areas, such as computers, is useful.
e. Reporting standards. A useful internal auditor will provide high standard reports which are
acted upon by management.
f. Resource available. An internal audit department that is starved of resources will not be very
useful to the external auditor.

The assessment should be thorough and fully documented and included in the working papers. If the
conclusion is that the internal audit department is weak or unreliable, then this fact should be communicated
in the external auditor's "report to management".

Extent of Reliance
The extent of reliance depends on many factors including:

a. The materiality of the areas or items to be tested. Petty cash expenditure may probably be left
to the internal auditor.
b. The level of audit risk inherent in the areas or items. The value of work in progress in a Civil
Engineering company or the provision for doubtful debts in a Hire Purchase company, are high
risk areas which the external auditor must see to himself.
c. The level of judgement required. The level of delay repairs in a truck leasing company
requires careful judgement.
d. The sufficiency of complementary audit evidence. The internal audit may be relied upon to
audit debtors accounting procedures if the external auditor has evidence in the form of a
debtor's circularisation.
e. Specialist skills possessed by internal audit staff. In a Bank, the internal audit department will
have specialist knowledge and skills in the appraisal of the Bank's computer system.

Detailed Planning
Having decided that he may be able to place reliance on the work of the internal auditor, the external auditor
should.

a. Agree with the chief of internal audit the timing, test levels, sample selection procedures and
the form of documentation to be used;
b. Record the fact of his intended reliance, its extent and the reason for the fact and extent, in his
working papers;
c. Confirm with top management that he is doing so.

Controlling
In order to be able ultimately to place reliance on the work of the internal auditor, the external auditor
should:

a. Consider whether the work has been properly staffed, planned, supervised, reviewed and
recorded;

b. Compare the results with other evidence (e.g. Debtors circularisation);

c. Satisfy himself that any unusual or "put upon enquiry" items have been fully resolved;
d. Examined the reports made and the management's response to the reports;
e. Ensure the work is to be done in time.

At the conclusion, the arrangements should be reviewed to make things even better next year.

Recording
The external auditor will have a high standard of recording in working papers. The internal auditor's work
must be equally good if it is to be relied upon.
Evidence
The detailed material in this chapter is important for students, but you should not lose sight of the fact that
an audit is about audit evidence. The work of the internal auditor is evidential material. Whether it is good
evidence supplying a reasonable basis for conclusions to be reached, is a matter of judgement. It may be
desirable for the external auditor to test the work of the internal auditor by supplementary procedures or by
re-testing transactions or balances tested by the internal auditor.

Report to Management
Whether or not any work of the internal auditor is relied upon, the internal auditor may uncover and report
on weaknesses in internal controls. If the internal auditor reports to management and management
responds, then the matter may rest there. If, however, weaknesses are material and the response by the
management inadequate, then it may be desirable to include the weaknesses in the external auditor's own
report to management.