What are the objectives of internal control systems?
To ensure orderly and efficient operations, safeguard assets, prevent and detect fraud and error, maintain accuracy of records, and ensure compliance with laws/regulations.
What are the limitations of internal controls?
Human error, collusion, management override, cost–benefit constraints.
What are the main components of the COSO internal control framework?
Control environment, Risk assessment, Control activities, Information & communication, Monitoring.
What is the control environment?
The overall attitude, awareness, and actions of directors and management regarding internal controls.
What are control activities?
Policies and procedures such as Segregation of duties, Organisation, Authorisation, Physical controls, Supervisory controls, Personnel controls, Arithmetic and accounting controls, Management controls.
What is monitoring of controls?
Processes to assess the quality and effectiveness of internal control performance over time.
What is the auditor’s responsibility regarding internal controls?
To obtain an understanding of internal controls relevant to the audit and assess risks of material misstatement.
When should auditors test controls?
When intending to rely on controls to reduce substantive testing, or when required by regulations (e.g. SOX for listed entities).
Give examples of tests of control.
Inspection of documents (e.g. look for signatures, matching and system settings), observation of activities, re-performance of controls in place to test effectiveness, enquiry of staff.
What is the purpose of a management letter?
To communicate deficiencies in internal control to management and those charged with governance.
What should a management letter include?
Deficiency identified, its implications, and recommendations for improvement.
What is the difference between significant and material deficiencies?
Significant = important enough to merit attention by governance; Material = could result in a material misstatement in the financial statements.
Explain why an auditor needs to obtain an understanding of the components of internal control relevant to the preparation of the financial statements.
To identify risks of material misstatement, plan the audit effectively, determine testing strategy, and assess control reliability (ISA 315).
Explain how auditors record systems of internal control including the use of narrative notes, flowcharts and questionnaires.
Narrative notes: detailed written description.
Flowcharts: visual summary showing flow of documents and controls.
Questionnaires: structured questions to confirm control design and operation.
Evaluate internal control components, including deficiencies and significant deficiencies in internal control.
Deficiency: control missing or ineffective.
Significant deficiency: serious issue needing governance attention - reasonably likely to cause misstatement, previously resulted in actual errors, involves senior management, deficiency is pervasive, impacts compliance/regulatory requirements.
Evaluate via walkthroughs, control testing, and assessing risk impact.
Describe computer systems controls including general IT controls and information processing controls.
General IT controls: restricted access, , recovery, change management.
Processing controls: input validation, accuracy, completeness, and authorisation.
Explain, in a report to management, significant deficiencies within a system of internal control and provide control recommendations.
Format: Intro → Findings → Implications → Recommendations.
Example: Missing authorisation → leads to fraud risk → recommend approval limits and dual signatures.
Discuss the need for auditors to communicate with those charged with governance.
Required by ISA 260—to report audit findings, significant risks, and independence issues; strengthens accountability and transparency.
Discuss the factors to be taken into account when assessing the need for internal audit.
Size and complexity, level of control risk, management competence, and regulatory requirements. More risk = greater need.
Discuss the elements of best practice in the structure and operations of internal audit.
Independence, direct access to the audit committee, clear charter, skilled staff, risk-based planning, and regular reporting.
Compare and contrast the role of external and internal audit.
External: independent opinion on financial statements.
Internal: assesses internal control, risk, and operations.
Both improve governance, but internal is part of management structure.
Discuss the scope of internal audit and the limitations of the internal audit function.
Scope covers risk, control, governance, and compliance. Limitations: lack of full independence, resource constraints, and reliance on management access.
Explain outsourcing and the associated advantages and disadvantages of outsourcing the internal audit function.
Advantages: expertise, independence, flexibility (can scale up or down), no need for additional staffing.
Disadvantages: loss of internal knowledge, confidentiality risks, dependency on external providers.
Discuss the nature and purpose of internal audit assignments including value for money, IT, financial, regulatory compliance, fraud investigations and customer experience.
Each assignment assesses efficiency, control, and compliance in its area—helping management improve processes and reduce risk.