Speaker 1: In one of my previous videos, I gave an overview of testing internal controls. We know it's really important for the audit risk model and planning out our audit. But a really great question arose from that video from a whole lot of viewers, which was, how exactly do I identify control weaknesses? So that's what we're going to do in this video. I'm going to talk about why identifying control weaknesses are important and give you three ways to actually be able to identify control weaknesses in a case or in a real-life audit. So let's get into it. What's up, audit fans? Welcome back to Amanda Loves to Audit to all of my regular subscribers. If you're new, hi, my name is Amanda. I do love audit and I teach audit at a major Australian university to undergrads. I did my PhD in behavioral audit and I was an auditor at Coopers and Lybrand, which is now PWC. Now, before I get onto today's content, I wanted to give a shout out to all the people who have let me know in the comments where they're from. And I know that there's lots of you out there, lots of new subscribers. So thank you. Uganda, Madagascar, the UAE, Jamaica, Solomon Islands, Kenya, China, India, Ghana, France, the Philippines, Nigeria, Somalia, Bangladesh, Myanmar. I'm sorry if I missed yours in the list there, but if you want to let me know where you're from in the comments, I love hearing where people are from. Oh, I think, did I say India? I have lots of students out there in India, obviously Australia and New Zealand as well, studying the Chartered Accountants or CPA Australia program. So it is great to be reaching out to you everywhere around the world. Now I'm just going to shift my camera angle a bit because I've got some writing and stuff that I wanted to talk to you about today in identifying control weaknesses. So give me one second. So today I'm going to cover control weaknesses in three parts. The first, well, so three parts and another one has three parts. So I guess that's six parts. The first part is going to be the what, what is an internal control weakness? The second part is going to be, you know, why is it important that we understand what these control weaknesses are? And then the third part is going to be the how, the how do I actually identify these control weaknesses? So let's get into the first part. And the first part is the what, what exactly is a control weakness and what are we looking for? What does it mean? So a control weakness is usually one of two different things here. It's either going to be a gap. So a gap is going to be no control. All right. So, you know, there's nobody that counts the cash register at the end of the day. There's just no control in place. So the first option is that you might have a control weakness that's a gap. The second option is that you might have a control that is a poorly designed control. Okay. So it could be that, yes, somebody counts the cash register at the end of the day, but that person is also the person who's been using the cash register at the end of the day. They complete all the paperwork and there's no segregation of duties. So in terms of the what, a what can be a gap or a poorly designed internal control. So now that we know what control weaknesses are, the second thing that we want to get into is the question about why. Why is it really important that I actually understand what a control weakness is? And it comes down to a few different things. We need to know what control weaknesses are because we use the audit risk model. Okay. And the audit risk model, remember, it has the formula detection risk is a function of the audit risk, the inherent risk, and the control risk of our client. So we need to be able to assess the level of control risk. And so remember the level of control risk is affected by the control activities that the client has, the controls in place to minimize risk, and also the weaknesses. Because the weakness, you know, controls are going to lower your control risk and your control weaknesses are going to increase your control risk. Okay. And so because we have to make that overall risk assessment about internal controls, we need to understand control weaknesses. So that's sort of the first reason why we need to understand what is happening in controls and control weaknesses. The second reason why we need to understand where the control weaknesses are is because control weaknesses, either that gap or the poorly designed control can result in essentially they're making an opening for misstatements. Oops, I can't spell. So they're making an opening for misstatements, a place, it's like having an unlocked door, right? Or there's no door that allow misstatements into the accounting information. So it's an opening for misstatement. And that misstatement could be an error. All right. Somebody just makes a mistake doing something, or it could be more intentional in terms of fraud. And if you follow me on Facebook and LinkedIn and Twitter, I've been talking recently about some cases where fraud has occurred inside companies, people stealing money. We had one company where 8,000 tons of gold or rock was stolen so that they could mine or refine the gold out of it. So a control weakness is an opening for a misstatement. Now, remember my job as the auditor is my job is to detect those misstatements. All right. So if I know in the financial statements, for example, here are my different accounts in the financial statements, and I know that control weaknesses are more likely over here and over here, then I can focus my substantive detailed testing. Okay. And so then I don't have to test everywhere looking potentially for errors. This helps improve my audit. Oops. Can't spell. It's a Saturday. I didn't get much sleep last night. My spelling is atrocious, so I apologize for that. But it allows us to focus our substantive testing and gather evidence more efficiently. It allows us to be more efficient more efficient, have efficiency on our audit. And that efficiency essentially manifests itself as spending less time. Okay. Because we know where to look for errors because we know where the weaknesses are. And then spending less time means potentially for the audit partner, we're helping them increase their profit. That doesn't necessarily help us as the auditors on the job, but spending less time searching for errors in one place might allow us to reallocate that time and spend more effort where there is more risk somewhere else. Because remember, when we have an audit, we're also given a budget and we need to try and do our audit within budgetary constraints as well. So we've talked about the what, we've talked about the why. Now. All right. So now let's get into the how. How exactly am I supposed to identify the control weaknesses? And sometimes this is something that textbooks don't really talk about. They don't talk about the process of how you do this. And in my almost 20 years of teaching and my years of practical experience, I've sort of determined that there are three key approaches in doing this. All right. So those three key approaches, let's look at the first one. So number one is about mapping processes. All right. So this is where you draw a flow chart. You say, okay, I've got a process that leads to a decision. Then there's other processes and other things happen here. So what happens in the first option is you look at the process and you go, hmm, do I identify any control weaknesses? Oh, well, in this process here, we have a big problem. There's a potential control weakness there. So this involves us looking at the process map or the interview or the steps or however you document the process and just see if you notice something. See if you see something that's out of the ordinary. Now, the idea with using this mapping process or this evaluation, looking at the process sort of relies on that you have a whole lot of experience. All right. And that you know what to look for. So you know what controls should be in place. Now, that is really difficult because if you're a new auditor, knowing what should be in place is not really that easy. That's quite difficult to actually figure out how to do. So, you know, if you've got a lot of experience, option one works really well because you might know a lot about an industry and then you can say like, yeah, there should be this control. I've seen this on other clients. So that's option one, which is like just evaluating the process just on face value. Okay. So now let's look at option two. And option two is one that I've seen in a few textbooks and a few casebooks where you imagine various forms of misstatements or errors. Now, the beauty of this one is that you're really trying to brainstorm potential things that could go wrong. Oh, we send the customer the wrong quantity or I charge the customer the wrong price. Okay. And then we say, okay, is there a control for this first one? Oh, there's not a control for the first one. So there's no control. Oh, hang on. If I, you know, I've got an automated pricing system, so yep, there is a control there. So this idea of imagining potential misstatements and seeing if there is or is not a control works quite well, but it does require you to be able to brainstorm everything that could go wrong. Now, the benefit of this option is that you could really think about all the potential types of fraud or error that might happen in the financial statements. However, it relies on the quality of your and your team's brainstorming to think about everything potentially that could go wrong. Now, that's fine if you've got experienced people, you're working as a team, this can be a really great approach. But again, it's only depends on the quality of your brainstorming. So let's move on to the third option, which is using the assertions. And you might think, hang on a second, Amanda, the assertions are related to, you know, the financial accounts and substantive testing. And yes, they are. But we can use them for internal controls. So I might have a control, control 1, 2, 3, 4, 5. And then I'm going to look at those controls. And I'm going to say, okay, this control of barcode scan for a price, all right, that let me just move these down a little bit. So the idea of barcode scanning for a price really helps us with accuracy of our transactions. All right. So that's really good. We've got a control. You might look at the other controls and say, hey, what assertions do these map to? And then you go back and you say, are there any assertions? Is there a control for completeness? Is there a control for rights and obligations? Is there a control for occurrence? Is there a control for classification? Is there a control for cutoff? All right. Because there's normally transactions, lesser balances that we're looking at. But we use the assertions to analyze each of the controls and see. So usually you would map this out in some sort of matrix. You've got all of your different controls here, 1, 2, 3, 4, 5. You've got your assertions. So occurrence, accuracy, valuation, allocation, completeness, cutoff, classification. All right. And then you can actually go through and say, oh, yeah, control 1 is an occurrence control. Control 2 is about accuracy of valuation. Control 3, which might be automated journal entries. Yep. That's for cutoff. I've got some sort of control over the journal posting process. That's classification. And this one here, again, is accuracy. Now, in going through this process, I might discover, oh, my gosh, I have absolutely no control over completeness. So then we know that there is a weakness in the areas around completeness. Now, what happens in practice is that we will likely use a combination of all three approaches. All right. So as you're reviewing the internal controls, you'll identify the things that are just really like, yeah, there should be a control there. Or, hey, I see that the password to the banking is written on a post-it note on someone's computer. So you'll see that first option, oh, look, I clearly see something is wrong. You might then also say, oh, well, at a previous client, we know that we had a problem with people putting the journal entries in on the wrong date. Is there a control for that? And then you might go back to the matrix approach or the assertion approach as that last safety net and say, OK, do we definitely have a control for occurrence, completeness, accuracy, valuation, allocation, cutoff, classification? So it's possible that you could use a combination of all of these three. When I talk to students and I say, OK, what approach might be best for students, I think that when you have less work experience, less practical audit experience, the assertion approach is the easiest way to help you identify control weaknesses. But try the other two first. If you try the first two and go like, I'm really stuck, I can't identify anything, then perhaps switch to the third. Now, for those people who are watching out there who are practicing auditors, if you have another suggestion for our learning community about how you might identify internal control weaknesses, I'd love to hear about it in the comments. And I'm sure the students out there would really appreciate it. If you have any further questions, of course, just pop them there and I'll follow up as quickly as I can. I know there's been a bit of a delay in responding to comments, but I'm going to try and manage that or catch up this weekend. Thank you, everyone, for watching. I want you to stay safe, stay socially distant, wash your hands wherever you are, wear your mask, and I'll see you next time. Bye.