What's up audit fans. I'm back and today
we're looking at designing
internal controls. A big thank you to
Charlene who wrote to me
through facebook and said, "Oh look I'd
really love something
about how to design internal controls".
This isn't something that the auditor
would normally
do because when we design internal
controls for our client we
actually create a self-review
independence threat.
But if you're an internal auditor or
you're providing some recommendations
or if you're studying and it's quite a
common question to be asked
what sort of internal controls should be
used
to minimize a particular risk, today I'm
going to address it with a four-step
process.
Let's get into it.
[Music]
Hi and welcome to AmandaLovesToAudit.
My name is Amanda, I do love
audit, and I'm really excited to be
here back again on my YouTube channel.
We're just starting our
university semester here in Australia so
it's full steam ahead for me,
really, really busy. But I wanted to give
a shout out to
all of my returning viewers from places
like
Canada, Indonesia, Namibia, Nigeria, South
Africa, USA,
Germany, Uganda, did I say Uganda twice?
No.
Ghana. It's really amazing. Somebody in
the comments asked if I'm Malaysian
and I'm not. So my parents are both from
China
in the Guangzhou region of China. I
don't speak any Chinese. So my parents
came here, my mom came here when she was
five years old,
my dad came in his teenage years.
And when my mom was growing up, she
went to kindergarten not knowing any
English,
so when she talked with an accent she
received a lot of bullying,
even then you know a lot of racism
against Asians. So
when she had kids, and we were the only
Asian kids in our school,
she said I want you to sound Aussie. I
want you to be able to blend in so that
if you can sound like everybody else,
then hopefully you won't experience the
same
levels of racism and discrimination
that she experienced as a child growing
up.
And so when I was, I think three or four
years
old, my mother said to my grandmother,
who she looked after us a lot. She
said look that's it, we're not speaking
any Chinese anymore,
English only. So I really only know
enough
Cantonese to get by at Yum Cha. I know
that I want to eat
ha gao, cha siu bao,
pai gwat, dan tats. I know that I don't want
to eat the fung jao which is
the chicken foot, but really that's the
extent of
my Chinese language skills, so that's
enough about me.
I've been a tiny bit busy recently,
I've just won the national teaching
excellence award
for the business, economics law and
related
category. I'll have a video more on that
a little bit later because I'm doing a
big speech,
a whole lot of other things, so I was
really excited to
receive that. And all of you out there in
YouTube land were a really big part of
that as well, so
I did a survey a little while ago asking
about whether you thought the resources
were high quality
and some feedback and a lot of those
quotes and a lot of those
pieces of information made it into my
application so thank you
so much to everybody that's out there
that filled in that survey.
For everyone who's new, welcome! I love
audit,
and you'll hear that, you'll see that in
everything that we do. So I'm just going
to switch camera positions a little bit
so that then I can have my writing
coming up here so just hang on.
So today we're getting into how do I
design an internal control? It's a really
common exam
question just to see that you can do the
other perspective.
And if you're studying management
accounting, how to design an internal
control can be really important because
management accounting is about,
number one doing accounting from within
the firm, but also
designing the management systems that
make sure that
everyone in the organization is working
together, moving in the same direction.
There are going to be four steps in our
process. So step number one
is going to be about identifying
the potential misstatement.
Now the reason that we need to do this
is that remember a control is a response
to a risk. So essentially we have to
identify the risk. What is the potential
misstatement,
the potential error that could occur? So
that's
step number one. Then step number two,
And I'm going to just move that up a
little bit, is
we have to ask ourselves the question, do
we want to
prevent the issue from happening or
are we trying to detect an error
afterwards? So in a lot of circumstances
where it's a control around a process,
I want to try and prevent, right?
Prevention is always better than a cure.
So you have to think am I going to
prevent
or do I want to detect. Now detecting is
about
picking up that there's a mistake
perhaps after a process has happened.
So you have a manufacturing process,
you're making a good and then
there is quality control. So you know you
have everything in the process, the
machines doing the right things, checking
their parts.
And the quality control at the end is to
make sure
that you detect any issues before they
go out, you know the product goes out to
the customer. So you have to think
do I want to try and prevent or do I
want to try and detect.
Now I'm going to do this with a live
example as well after, so I'm just going
to go through the theory first.
So part one, identify the potential
misstatement, so what is the risk?
Part two, am I thinking about preventing
or detecting?
Then, you actually need to design
an effective
and efficient
internal control. Now what do I mean by
effective?
Effective, I mean, that it has to work. It
has to prevent
the error that you've got. And when I say
efficient,
I mean that efficient is it's not going
to cost us too much resources
because remember when it comes to
internal controls
you have to think about the cost versus
the benefit.
So, in a supermarket, to make sure that
people don't
steal from a supermarket, I could make
every single person have to go through
an airport
x-ray screening type of thing when they
leave the store.
That would be very, very beneficial,
however, it would cost a lot in terms of
time
for my customers, effort
to get it done, and also
it would be really expensive, okay?
So I need to balance the benefit
of preventing or detecting a
misstatement with the cost.
So you got to think about that in
your design. Now
also, when you're thinking about the
design, you have to consider whether you
want
a manual control, so somebody physically
doing something, versus some sort of
automated or
IT or systems
based solution, okay? Because if you do
have
something that needs a manual control,
remember humans can make mistakes.
With an automated system you've got to
be really careful because
if you don't program the system
correctly, it can still make a mistake so
if you don't program it correctly it
could still
go wrong. So our
fourth thing that we want to think about
is monitoring,
all right? Are we doing something to
check the control?
Essentially we need to make sure that we
are
checking the
operation
of the control.
Okay, a really great example of that
monitoring aspect
is if we have a bank and you go with
your card,
and I have one in my pocket actually,
so here's my card for my bank account.
I go to the ATM, I put it in, I get the
pin wrong.
Oh okay, that's the wrong pin. I remember
the right pin, I put it in.
The bank at the end of the day, will get
a report
that says what are all the cards where
an incorrect pin was entered
or perhaps an incorrect pin was entered
more than
three times or we actually chewed up the
card.
So we want to check that the control is
operating effectively. We want to check
that the operation of the control is
working because remember,
we know that when the control
stops working,
what happens? My regular viewers will
know this. When the control stops working
then we have an increased risk
of errors and misstatements,
all right? And we definitely don't want
that. We don't want to have misstatements
going
into the financial records and
the
accounting of the firm. So to recap,
I'm going to scroll quickly back up.
Number one, identify the potential
misstatements.
Number two, decide whether you want to
prevent or detect.
Number three, design an effective
and efficient internal control, thinking
about the cost versus the benefit.
That cost could be the time it takes, the
dollars
to actually implement it, the effort it
might take.
Think about whether you want manual or
automated systems.
And then consider the monitoring. What
are we doing to monitor this control
to make sure that it's always working? Is
it if something goes wrong a system
flags with us.
So now let's look at a practical example.
So in my practical example, I'm going to
think about
a retail operation. And I'm using a
retail operation
because it's something that we can
imagine in our minds, we've all been
shopping to a store. Now I need to find
something, oh let's just, I have a
notebook here.
So a big thank you to Microsoft for
they sent me a notebook the other day.
I'm an MIE expert which is a Microsoft
Innovative
Educator expert and I got a little
goodie bag from them and it includes a notebook.
So say we're
a retail operation and we're selling
fancy notebooks. So let's say this is
like, you know, it's leather and it's
really fancy.
So what is the risk? So let's start with
step one.
The risk is going to be
theft of inventory,
all right? If people steal the inventory
they're not buying it and we're not
making revenue, so we've got our risk
of misstatement, is a theft of inventory.
And we might also have the, so let's talk
about the theft of inventory risk.
So then I have to think prevent
or detect so that's P or D. In this one, I
definitely want
to try and prevent theft, okay? I don't
want to detect the theft
after it's happened, I want to try and
prevent people from stealing
my item from my store, so prevent or
detect.
Now number three comes the actual part
of
designing the internal control. Well I
want something
that will stop people from stealing my
product. I got a couple of different
options
here. And it might be that I might need
to have multiple things in place.
I could have security cameras,
all right? But if i have security cameras
someone's going to need to be watching
them, so if i have security cameras
that could be a deterrent potentially.
I could also have RFID
stickers
on the inventory,
all right? So an RFID sticker or one of
those security tags, so
often it could be like a little sticker
that's placed on an individual item or
it could be a big removable tag. So if
you bought clothing
from a department store often those will
have like a big tag on it
that the sales checkout person will have
to remove. So
an RFID sticker or some sort of security
tag,
or security tag.
Now given that this is a book, like
a hole, I don't want to punch a hole in
my notebook for the tag,
so a little RFID sticker might be a good
idea and that's why a lot of stuff comes
shrink wrapped in plastic. That is
just so
that they can then stick the RFID
sticker on there and it's come a long
way.
The old days RFID stickers were really
expensive, now I'm seeing supermarkets
even,
use them on things like expensive meat
products. So
I've got my security cameras. I've got my
RFID stickers.
I'm going to have, with the RFID
sticker,
needed with that is going to be the RFID
detectors
at the store, woops
can't spell store, entry exit.
That is also why a lot of stores will
only have one entry exit point
so that they can put those big gates up
and often you will see those gates will
be covered in advertising and things so
you don't notice that it's there. So
you've got
your RFID, your stickers, etc.
The last thing that we might do is also
a store bag check,
all right? So that when you leave the
store they say look,
can you open your bag, you know bags
of a bigger size
to make sure that that's happening. So
that's an example here for the fact that
we've got our theft. Let's do another
example. My next example is still going
to go back to my notebooks,
but my risk is going to be
the risk of charging the customer
the wrong price, right? And that
is going to result, for us, in inaccurate
sales. So that's affecting our accuracy
assertion.
Now of course, in terms of prevention or
detection, I want to try and
prevent, okay? Then coming
into the control.
One thing that I could do and I can
remember the days where when you went to
the supermarket,
you didn't actually have barcodes. There
was a little sticker that somebody
manually added to the product and then
you typed it in
into the cash register. So we could use
barcode scanning,
barcodes on good
and scan
at the register,
okay? So that's going to be my control.
Now,
in terms of the control it's very cheap,
it's efficient, you have to have,
obviously, a cash register system,
but the one thing that we want to do
here in terms of the monitoring,
all right? Is that we might want to do
something like
check price overrides,
all right? So if somebody tries to
override the price,
there's a couple of different options,
you could have you need
manager, whoops that's meant to be an r,
manager
to approve any price overrides
or at the end of the day, you could have
a daily report
about those overrides. And that's really
common in retail stores where they'll
say okay,
give me the end of day report, oh
yeah this was overwritten because this
was damaged,
this person had an extra discount, this
was the manager's discretion,
so you want to monitor how many prices
were incorrect.
Often there's also a thing that says
oh look if the shelf says
five dollars, but your thing says ten
dollars you get whatever the shelf
price is, so that could be one of your
override codes.
Now I realized back here when I was
designing the controls for
the risk of theft. Then,
the store bag check
could be one of those monitoring
controls, so I realized I forgot there that I
forgot to talk about the monitoring,
but the store bag check could also
be part of that monitoring process.
I hope that that clarifies to everybody
how you can design an internal control
and remember to take it step by step.
Think about the risk,
do I want to prevent or detect, what are
the control activities that I could do,
automated or manual or with our systems
or a combination of both,
and then what am I going to put in place
to monitor to make sure that control
works properly. So I want to thank you
for watching this video. Of course, if you
haven't already considered subscribing.
For all of those internal auditors out
there, you might want to check out
auditopia. It's a new
internal audit community that I'm
involved with.
It has free resources that people are
sharing,
internal audit checklists, and
documentation.
And we've also got regular webinars to
help you become
a better internal auditor. I'm really
excited to be part of the auditopia team.
I'll be working with them to create some
content for some courses
that they're going to have. Big thank you,
I want everybody to stay safe,
stay well, I've checked myself on the
vaccination schedule, I'm hopefully
going to be vaccinated in September or
October of this year,
so I'm really excited about that. But,
stay safe, stay well wherever you are
and I'll see you next time.
[Music]