Management is responsible for implementing a system of internal control, and these controls should be designed to ensure reasonable, rather than absolute, certainty in regards to the reliability of the financial statements, adequate security, control and responsibility for assets, as well as identifying and preventing misstatements and losses.
All these controls should be well documented to ensure all employees are aware of the process that should be followed, and ultimately, to take responsibility. In audit lingo we call it “system descriptions”, and the basic elements it should include, are the following:
- What is the starting point of a transaction? An order note, invoice or email order?
- Who authorise transactions? What is the process to be followed to authorise a purchase?
- Who records the transaction in the accounting records?
- Who process the transaction for payment?
- Who review accounting entries?
- Who authorise and/or release payment?
- Who has the authority to pass journals, and are any journal adjustments reviewed and authorised?
Ultimately, a well-documented system description should tell the whole story. More information is better, and you can add flow charts, graphs, tables, narratives, and any other information that you believe best illustrate how your systems work.
If you have a well-documented system description in place and you have tested the implementation thereof, you can better identify risk areas in your business. For example, insufficient segregation of duties between initiation, recording, processing and reporting of transactions might create an opportunity to commit fraud, or for errors to go undetected.
In terms of the International Standard on Auditing – ISA 315 (Revised), we as auditors need to gain an understanding of the control environment, and based on our understanding, perform a risk assessment. This risk assessment has a direct impact on the amount of audit procedures we need to perform to obtain sufficient and reliable audit evidence in support of our audit opinion. The higher the risk, the more procedures we need to perform and consequently the higher the audit fee.
Please contact us should you need our assistance in assessing risk in your internal control environment, or with the preparation of documented system descriptions.