Accounting and reporting systems, controls and compliance

08 The role of accounting 

It is important to understand why accounts are prepared. Sections 1 and 2 of this chapter introduce some basic ideas about accounts and give an indication of their purpose. You also need to consider what makes accounting information useful, and the qualities which such information should have.

We outline the standard setting process in Section 3. In Section 4, we will look at the types of accounting information produced. Sections 5 and 6 examine the main transactions and financial systems undertaken by a business, before going on to consider manual and computerised financial systems in Section 7.

Questions may ask you to discuss the advantages and disadvantages of databases and spreadsheets (Section 8).

Study Guide Intellectual

C2 Accounting and finance functions within business

(a) Explain the contribution of the accounting function to the formulation, implementation, and control of the organisation’s policies, procedures, and performance.
(b) Identify and describe the main financial accounting functions in business: K
    (i) Recording financial information
    (ii) Codifying and processing financial information
    (iii) Preparing financial statements

C3 Principles of law and regulation governing accounting and audit

(a) Explain basic legal requirements in relation to retaining and submitting proper records and preparing and auditing financial reports.
(b) Explain the broad consequences of failing to comply with the legal requirements for maintaining and filing accounting records. K
(c) Explain how the international accountancy profession regulates itself through the establishment of reporting standards and their monitoring. K

C4 The sources and purpose of internal and external financial information, provided by business

(a) Explain the various business purposes for which the following financial information is required.
    (i) The statement of profit or loss
    (ii) The statement of financial position
    (iii) The statement of cash flows
    (iv) Sustainability and integrated reports
(b) Describe the main purposes of the following types of management accounting reports.
    (i) Cost schedules
    (ii) Budgets
    (iii) Variance reports

C5 Financial systems, procedures and related IT applications

(a) Identify an organisation’s system requirements in relation to the objectives and policies of the organisation.
(b) Describe the main financial systems used within an organisation. S
    (i) Purchases and sales invoicing
    (ii) Payroll
    (iii) Credit control
    (iv) Cash and working capital management
(c) Explain why it is important to adhere to policies and procedures for handling clients’ money.
(d) Identify weaknesses, potential for error and inefficiencies in accounting systems including computerised accounting systems. S
(e) Recommend improvements to accounting systems to prevent error and fraud and to improve overall efficiency. S
(f) Explain why appropriate controls are necessary in relation to business and IT systems and procedures. S
(g) Understand business uses of computers and IT software applications.
    (i) Spreadsheet applications
    (ii) Database systems
    (iii) Accounting packages
(h) Describe and compare the relative benefits and limitations of manual and automated financial systems that may be used in an organisation. K


  1   The purpose of accounting information
Accounting is a way of recording, analysing and summarising transactions of a business.

1.1 What is accounting?

  • The transactions are recorded in ‘books of prime entry’.
  • The transactions are then analysed and posted to the ledgers.
  • Finally the transactions are summarised in the financial statements.

The accounting function is part of the broader business system, and does not operate in isolation. It handles the financial operations of the organisation, but also provides information and advice to other departments.


Factor | Example
Size | A small business like a greengrocer will have a simple accounting system, where the main accounting record will probably be the till roll. A large retail business, such as a chain of supermarkets, will have elaborate accounting systems covering a large number of product ranges and sites.
Type of organisation | A service business might need to record the time employees take on particular jobs. Accounting on a job or client basis might also be a feature of service businesses. A public sector organisation, such as a government department, may be more concerned with the monitoring of expenditure against performance targets than recording revenue. A manufacturing company will account both for unit sales and revenue, but needs to keep track of costs for decision-making purposes and so forth.
Organisation structure | In a business managed by area, accounts will be prepared on an area basis. In a functional organisation, the accounts staff are in a separate department.

Accounts are produced to aid management in planning, control and decision-making and to comply with statutory regulations. The accounting system must be adequate to fulfil these functions. An organisation’s accounting systems are affected by the nature of its business transactions and the sort of business it is.

Be aware that accounting work has to comply with a wide range of regulations to avoid penalties, including law such as the Companies Act. As a result, it tends to be rather formalised and procedural in order to make sure that nothing is overlooked. Organisations often lay down their accounting rules and procedures in writing, and this may form part of an organisation manual or procedures manual.

1.2 The need for accounts

Renaissance scholar Luca Pacioli wrote the first printed explanation of double-entry bookkeeping in 1494. Double-entry bookkeeping involves entering every transaction as a debit in one account and a corresponding credit in another account, and ensuring that they ‘balance’. Pacioli’s description of the method was widely influential.

The first English book on the subject was written in 1543. The practice of double entry bookkeeping has barely changed since then and is standard across the world, based upon the concept that every transaction has a dual effect that balances to zero. The original role of the accounting function was to record financial information and this is still its main focus.

Why do businesses need to produce accounts? If a business is being run efficiently, why should it have to go through all the bother of accounting procedures in order to produce financial information?

A business should produce information about its activities because there are various groups of people who want or need to know that information. This sounds rather vague: to make it clearer, we should look more closely at the classes of people who might need information about a business. We need also to think about what information in particular is of interest to the members of each class.

Large businesses are usually of interest to a greater variety of people than small businesses, so we will consider the case of a large public company whose shares can be purchased and sold on the Stock Exchange.

1.3 Users of financial statements and accounting information 

The people who might be interested in financial information about a large public company may be classified as follows.

  • Managers of the company. These are people appointed by the company’s owners to supervise the day-to-day activities of the company. They need information about the company’s financial situation as it is currently and as it is expected to be in the future. This is to enable them to manage the business efficiently and to take effective control and planning decisions.
  • Shareholders of the company, ie the company’s owners. These will want to assess how effectively management is performing its stewardship function. They will want to know how profitably management is running the company’s operations and how much profit they can afford to withdraw from the business for their own use.
  • Trade contacts, including suppliers who provide goods to the company on credit and customers who purchase the goods or services provided by the company. Suppliers will want to know about the company’s ability to pay its debts; customers need to know that the company is a secure source of supply and is in no danger of having to close down.
  • Providers of finance to the company. These might include a bank which permits the company to operate an overdraft, or provides longer-term finance by granting a loan. The bank will want to ensure that the company is able to keep up with interest payments, and eventually to repay the amounts advanced.
  • Her Majesty’s Revenue and Customs, who will want to know about business profits in order to assess the tax payable by the company.
  • Employees of the company. These should have a right to information about the company’s financial situation, because their future careers and the size of their wages and salaries depend on it.
  • Financial analysts and advisers, who need information for their clients or audience. For example, stockbrokers will need information to advise investors in stocks and shares; credit agencies will want information to advise potential suppliers of goods to the company; and journalists need information for their reading public.
  • Governments and their agencies. Governments and their agencies are interested in the allocation of resources and therefore in the activities of enterprises. They also require information in order to provide a basis for national statistics.
  • The public. Enterprises affect members of the public in a variety of ways. For example, enterprises may make a substantial contribution to a local economy by providing employment and using local suppliers. Another important factor is the effect of an enterprise on the environment, for example as regards pollution.

Accounting information is organised into financial statements to satisfy the information needs of these different groups. Not all will be equally satisfied.

Managers of a business need the most information, to help them take their planning and control decisions; and they obviously have ‘special’ access to information about the business, because they can get people to give them the types of statements they want. When managers want a large amount of information about the costs and profitability of individual products, or different parts of their business, they can arrange to obtain it through a system of cost and management accounting.

QUESTION: Information

It is easy to see how ‘internal’ people get hold of accounting information. A manager, for example, can just go along to the accounts department and ask the staff there to prepare whatever accounting statements they need. But external users of accounts cannot do this. How, in practice, can a business contact or a financial analyst access accounting information about a company?


Limited companies (though not other forms of business such as a sole trader) are required to make certain accounting information public. They do so by filing the required information with the Registrar of Companies at Companies House. The information filed at Companies House is available, at a fee, to any member of the public. Other sources include financial comment in the press and company brochures.


In addition to management information, financial statements are prepared and perhaps published for the benefit of other user groups.

  • The law provides for the provision of some information. The Companies Acts require every company to publish accounting information for its shareholders; and companies must also file a copy of their accounts with the Registrar of Companies, so that any member of the public who so wishes can go and look at them.
  • The HM Revenue and Customs authorities will receive the information they need to make tax assessments.
  • A bank might demand a forecast of a company’s expected future cash flows as a pre-condition of granting an overdraft.
  • The professional accountancy bodies have been jointly responsible for issuing accounting standards and some standards require companies to publish certain additional information. Accountants, as members of these professional bodies, are placed under a strong obligation to ensure that company accounts conform to the requirements of the standards.
  • Some companies provide, voluntarily, specially prepared financial information for issue to their employees. These statements are known as employee reports.

1.3.1 Non-commercial undertakings

It is not only businesses that need to prepare accounts. Charities and clubs, for example, prepare financial statements every year. Accounts also need to be prepared for government (public sector organisations).

1.4 Qualities of good information

You should be able to identify the qualities of good information. Below are some features that accounting information should have if it is to be useful.

  • Relevance. The information provided should satisfy the needs of information users. In the case of company accounts, clearly a wide range of information will be needed to satisfy a wide range of users.
  • Comprehensibility. Information may be difficult to understand because it is scant or incomplete; but too much detail is also a defect which can cause difficulties of understanding.
  • Reliability. Information will be more reliable if it is independently verified. The law requires that the accounts published by limited companies should be verified by auditors, who must be independent of the company and must hold an approved qualification.
  • Completeness. A company’s accounts should present a rounded picture of its economic activities.
  • Objectivity. Information should be as objective (free from bias) as possible. In the context of preparing accounts, management may be inclined to paint a rosy picture of a company’s profitability to make their own performance look impressive.
  • Timeliness. The value of information decreases if it cannot be used to impact events.

Increasingly, organisations need ‘real-time’ information to enable informed decision-making.

  • Comparability. Information should be produced on a consistent basis so that valid comparisons can be made with information from previous periods and with information produced by other sources (for example the accounts of similar companies operating in the same line of business).

1.5 The structure of the accounting function

In UK companies, the head of the accounting management structure is usually the finance director. The finance director has a seat on the board of directors and is responsible for routine accounting matters and also for broad financial policy.


In many larger companies the finance director has one or more deputies below him.

  • Some responsibilities of the Financial Controller
    • Routine accounting
    • Providing accounting reports for other departments
    • Cashiers’ duties and cash control
  • Management accounting is such an important function that a Management Accountant is often appointed with status equal to the financial controller and separate responsibilities.
    • Cost accounting
    • Budgets and budgetary control
    • Financial management of projects
  • A very large organisation might have a Treasurer in charge of treasury work.
    • Raising funds by borrowing
    • Investing surplus funds on the money market or other investment markets
    • Cash flow control

Sections in the accounts department

  • The financial accounts section is divided up into sections, with a supervisor responsible for each section (eg for credit control, payroll, purchase ledger, sales ledger).
  • Similarly, management accounting work is divided up, with a number of cost accountants as supervisors of sections responsible for keeping cost records of different items (eg materials, labour and overheads; or production, research and development, and marketing).
  • Some companies that spend large amounts on capital projects might have a section assigned exclusively to capital project appraisal (payback appraisal, DCF appraisal, sensitivity analysis, the capital budget).

An accounts function is depicted in the following diagram. People are grouped together by the type of work they do. In an area structure, accounts staff might be dispersed throughout the different regions of an organisation. Management accounting work is often decentralised to departments because it provides vital information for management control purposes.

Note that some of these functions may be brought together under a single job description, particularly in smaller businesses. For example, there may be one person who does the job of a financial accountant and a cost accountant.

Many organisations have an internal audit department. This functions as an internal financial control. One of its responsibilities is to control the risks of fraud and error. For this reason it should be separate from the finance department and the chief internal auditor should report to the audit committee of the board of directors, bypassing the Financial Director. Internal audit is covered in Chapter 9.

  2   Nature, principles and scope of accounting
You may have a wide understanding of what accounting is about. Your job may be in one area or type of accounting, but you must understand the breadth of work which an accountant undertakes.

2.1 Financial accounting and management accounting

Financial accounting is mainly a method of reporting the results and financial position of a business.


It is not primarily concerned with providing information towards the more efficient conduct of the business. Although financial accounts are of interest to management, their principal function is to satisfy the information needs of persons not involved in the day-to-day running of the business.

This is particularly clear in the context of the published accounts of limited companies. Accounting Standards (and company law) prescribe that a company should produce accounts to be presented to the shareholders. There are usually detailed regulations on what the accounts must contain and this enables shareholders to assess how well the directors (or management board) have run the company. Also there are certain outsiders who need information about a company: suppliers, customers, employees, tax authorities, the general public. Their information needs are satisfied, wholly or in part, by the company’s published financial statements.

Management (or cost) accounting is a management information system which analyses data to provide information as a basis for managerial action. The concern of a management accountant is to present accounting information in the form most helpful to management.


2.2 The application of information

Financial reporting is not an optional extra. The published accounts are an important source of communication with outsiders. Reported levels of profit determine the return that investors can receive. They also indirectly affect the company’s cost of capital by affecting the share price.

The management accountant is even nearer the policy-making and management process. This is because the management accountant is not primarily interested in reporting to interested parties external to the organisation. After all, the requirements of external users of accounts may be different to those involved in managing and running the business in several respects.

  • Aggregation of information 
  • Level of detail
  • Classification of data 
  • The period covered

Internally, accountants therefore provide information for planning and controlling the business.

  • Competitors’ performance 
  • Product profitability
  • Cost/profit centre performance 
  • Sensitivity analysis
  • Desirability of investments 
  • Alternative options 
  • Past cost information

The accountant provides information essential for the current management and decision-making of the business. If line decisions are assessed in accounting terms, even in part, then the accountant will be involved in them. Accountants assess the future financial consequences of certain decisions.

2.2.1 Control and stewardship

The accountant’s staff authority is generally expressed in procedures and rules. For example, staff have formal expenditure limits. In many respects, money and funds are a business’s lifeblood, and monitoring their flow is a necessary precaution. If the flow of funds dries up, a business can fail very easily. Proper financial control ensures that the business is adequately financed to meet its obligations.

2.3 Financial management

Financial management is a separate discipline from both management accounting and financial accounting, although in a small organisation the three roles may be carried out by the same person.

The financial manager is responsible for raising finance and controlling financial resources, including the following decisions.

  • Should the firm borrow from a bank or raise funds by issuing shares?
  • How much should be paid as a dividend?
  • Should the firm spend money on new machinery?
  • How much credit should be given to customers?
  • How much discount should be given to customers who pay early?

2.4 Auditing

The annual accounts of a limited company above a certain size (in terms of revenue) must generally be audited by a person independent of the company. The members of the company usually appoint a firm of registered auditors to investigate the financial statements and report as to whether or not they show a true and fair view. When the auditors have completed their work they must prepare a report explaining the work that they have done and the opinion they have formed.

In simple cases they will be able to report that they have carried out their work in accordance with the Auditing Standards and that, in their opinion, the accounts show a true and fair view and are properly prepared in accordance with company legislation. This is described as an unqualified (or an unmodified, clean) audit report.

Sometimes the auditors may disagree with management on a point in the accounts. If they are unable to persuade the management to change the accounts, and if the item at issue is large or otherwise important, it is the auditors’ duty to prepare a qualified (or modified) report, setting out the matter(s) on which they disagree with the management.

The financial statements to which the auditors refer in their report comprise the following.

  • The profit or loss account (sometimes referred to as the income statement)
  • The statement of financial position (formerly called the balance sheet)
  • The statement of cash flows (formerly called the cash flow statement)
  • Supporting notes

The auditors’ report is included as part of the company’s published accounts. It is addressed to the members of the company (not to the management).

2.4.1 Internal audit

Internal auditors are employees of the company whose duties are fixed by management and who report on the effectiveness of internal control systems.

2.5 Other departments and sections

Accounting management provides a good example of the need for close co-ordination between managers and sections, and this need is particularly acute in financial accounts work because of the internal controls dividing up responsibilities.

Department | Accounts section | Relationship
Purchases dept (PD) | Payables ledger; Cashier (C) | PD advises PL of purchase orders. PD indicates valid invoices. C informs PD and PL of payment.
Human resources dept | Payroll | Personnel gives details of wage rates, starters and leavers to payroll.
Sales dept (SD); Credit control (CC) | Receivables ledger | SD advises RL of sales order. RL might give CC information about overdue debts. RL might give details about debtors ageing and other reports.
Operations, inventory controllers | Cost accounting staff | Operations might give details of movements of inventory, so that the accounts staff can value inventory and provide costing reports.
Senior management | Financial accounting and cost accounting staff | The accounts department as a whole produces management information for decision-making and control.

Importance of the relationship

The accounts department is crucial to the organisation.

  • If it provides the wrong information, managers will make bad decisions.
  • If it confuses the data, important transactions might slip through the net, and fraud may result.
  • There is a legal duty to ensure that accounting records are in good order.
  3   The regulatory system
You should be able to outline the factors which have shaped the development of financial accounting.

3.1 Introduction

You may be aware that there have been considerable upheavals in financial reporting, mainly in response to criticism. The purpose of this section is to give a general picture of some of the factors which have shaped financial accounting. We will concentrate on the accounts of limited companies because this is the type of organisation whose accounts are most closely regulated by statute or otherwise.

The following factors can be identified.

  • Company law
  • Accounting concepts and individual judgement
  • Accounting standards
  • The European Union
  • Other international influences
  • Generally accepted accounting practice (GAAP)

Company law

Limited companies are required by law (the UK Companies Act 2006 or CA 2006 for example) to prepare and publish accounts annually. The form and content of the UK accounts are regulated primarily by CA 2006, but must also comply with accounting standards.

The Companies Act 2006 (TSO, 2006) requires companies to keep proper accounting records in order to be able to prepare financial statements. These statements are then required to be audited and an auditor’s report appended (see Section 2.4 above), before being filed at Companies House. These financial statements are then available for inspection by members of the public. A company can be fined for failing to keep proper accounting records or for failing to file financial statements within the statutory period after the year end.

Accounting concepts and individual judgement

Financial statements are prepared on the basis of a number of fundamental accounting concepts (or accounting principles as they are called in the UK Companies Act 2006). Many figures in financial statements are derived from the application of judgement in putting those concepts into practice.

It is clear that different people exercising their judgement on the same facts can arrive at very different conclusions. Other examples of areas where the judgement of different people may differ are as follows.

  • Valuation of buildings in times of rising property prices
  • Research and development. Is it right to treat this only as an expense? In a sense it is an investment to generate future revenue.
  • Accounting for inflation
  • Brands such as ‘Jaffa Cakes’ or ‘Walkman’. Are they assets in the same way that a forklift truck is an asset?

Working from the same data, different groups of people would produce very different financial statements. If the exercise of judgement is completely unfettered any comparability between the accounts of different organisations will disappear. This will be all the more significant in cases where deliberate manipulation occurs in order to present accounts in the most favourable light.

3.4 UK accounting standards

In an attempt to deal with some of the subjectivity, and to achieve comparability between different organisations, accounting standards were developed.

3.4.1 The old UK regime

Between 1970 and 1990 the standards (Statements of Standard Accounting Practice or SSAPs) were devised by the Accounting Standards Committee. However, it was felt that these standards were too much concerned with detailed rules in which companies found it all too easy to find loopholes.

The Accounting Standards Committee was replaced in 1990 by the Financial Reporting Council. Its subsidiary, the Accounting Standards Board (ASB), issued standards ‘concerned with principles rather than fine details’. Its standards were called Financial Reporting Standards (FRSs). However, it adopted all existing SSAPs and some of these are still relevant, although most have been replaced by FRSs. It was supported in its aim by the Urgent Issues Task Force and the Review Panel.

3.4.2 The current UK regime

In 2012, a number of reforms took place that made the FRC a unified regulatory body. As part of this reform, the Accounting Council and the UITF were disbanded and responsibility for setting accounting standards came under the FRC Board.

3.4.3 Accounting standards and the law

The Companies Act 2006 (TSO, 2006) requires companies to include a note to the accounts stating that the accounts have been prepared in accordance with applicable accounting standards or, alternatively, giving details of material departures from those standards, with reasons. The Review Panel and the Secretary of State for Trade and Industry have the power to apply to the court for revision of the accounts where non-compliance is not justified.

These provisions mean that accounting standards now have the force of law, whereas previously they had no legal standing in statute.

3.5 The European Union

Since the United Kingdom became a member of the European Union (EU) it has been obliged to comply with legal requirements decided on by the EU. It does this by enacting UK laws to implement EU directives. For example, all companies listed on an EU Stock Exchange are required to use International Financial Reporting Standards (IFRSs) when preparing their consolidated financial statements.

3.6 International Accounting Standards Board

One important influence on financial accounting is the International Accounting Standards Board (IASB). The forerunner of the IASB was set up in 1973 to work for the improvement and harmonisation of financial reporting. Its members are the professional accounting bodies.

The objectives of the IASB are:

  • To develop, in the public interest, a single set of high quality, understandable and enforceable global accounting standards that require high quality, transparent and comparable information in financial statements and other financial reporting to help participants in the world’s capital markets and other users make economic decisions
  • To promote the use and rigorous application of those standards.
  • To bring about convergence of national accounting standards and International Accounting Standards to high quality solutions

3.6.1 The use and application of International Financial Reporting Standards (IFRSs)

IFRSs have helped both to improve and to harmonise financial reporting around the world. The standards are used:

  • As national requirements, often after a national process
  • As the basis for all or some national requirements
  • As an international benchmark for those countries which develop their own requirements
  • By regulatory authorities for domestic and foreign companies
  • By companies themselves

3.7 Generally Accepted Accounting Practice (GAAP)  

This term signifies all the rules, from whatever source, which govern accounting.

GAAP is a set of rules governing accounting. The rules may derive from:

  • Company law (mainly CA 2006)
  • Accounting standards
  • International accounting standards and statutory requirements in other countries (particularly the US)
  • Stock Exchange requirements


3.8 True and fair view


Company law requires that:

  • The statement of financial position must give a true and fair view of the state of affairs of the company as at the end of the financial year.
  • The profit or loss account (income statement) must give a true and fair view of the profit or loss of the company for the financial year.

3.8.1 True and fair ‘override’

The Companies Act 2006 (TSO, 2006) states that the directors may depart from any of its provisions if these are inconsistent with the requirement to give a true and fair view. This is commonly referred to as the ‘true and fair override’. It has been treated as an important loophole in the law and has been the cause of much argument and dissatisfaction within the accounting profession.

QUESTION: Forces

List the forces that have shaped financial accounting, stating the effect of each.


  • Company law requires companies to prepare accounts and regulates their form and content.
  • Accounting concepts are applied by individuals using their subjective judgement.
  • Accounting standards help to eliminate subjectivity.
  • The European Union issues directives on accounting matters which we must apply.
  • International Financial Reporting Standards aim to harmonise accounting around the world.
  • GAAP is a collection of rules from various sources, governing accounting.


4 Internal and external financial information

The two most important external financial statements are the statement of financial position and the profit or loss account. Reports produced for internal purposes include budgets and costing schedules.

4.1 External reports

Businesses prepare financial statements for external stakeholders, such as shareholders, banks, suppliers and the Government.

The main reports produced for external purposes are the financial statements, which give the historic position of the business. The main statements are as follows.

  • The profit or loss account (also known as the income statement, or statement of profit or loss)
  • The statement of financial position (also known as a balance sheet)
  • The statement of cash flows

4.2 The profit or loss account

The profit or loss account is a record of income generated and expenditure incurred over a given period.

The profit or loss account of a limited liability company will be made up for the period of a year, commencing from the date of the previous year’s accounts. It shows whether the business has more income than expenditure (a profit) or vice versa (a loss) during a period.

Management accountants might need quarterly or monthly income statements for internal purposes.

Organisations which are not run for profit (charities etc) produce a similar statement called an income and expenditure account which shows the surplus of income over expenditure (or a deficit where expenditure exceeds income).

4.3 The statement of financial position

The statement of financial position is a list of all the assets owned by a business and all the liabilities owed by a business at a particular date.

Assets are the business’s resources, eg buildings to operate from, plant and machinery to manufacture goods, inventory to sell and cars for its employees. These are all resources which it uses in its operations. Also, it may have bank balances, cash and amounts of money owed to it. These provide the funds it needs to carry out its operations and are also assets. It may owe money to the bank or to suppliers: these are liabilities.

4.4 The statement of cash flows

The statement of cash flows shows sources of cash generated during a period and how these funds have been spent.

The statement of cash flows takes the information presented in the profit or loss account and statement of financial position and analyses it into cash flows from different types of activity (such as operating (trading profit or loss) and investing (eg buying or selling non-current assets)).

4.5 Sustainability and integrated reports

Pressure from shareholders, customers, regulators and the media has led to companies recognising the need to collect and report non-financial data.

Integrated reporting refers to the integration (combining) of financial and non-financial information into a single document. However, there are considerable differences of opinion over the type of non-financial information that should be included, and how it should relate to financial data.

One area on which most agree information should be reported is sustainability. Sustainability is concerned with protecting the environment from damage – to be sustainable, an activity should be able to continue forever.

4.6 Internal reports

Businesses will wish to prepare internal reports to help them run the day-to-day operations of the business.

Examples of internal reports include the following.

  • Cost schedules
  • Budgets
  • Variance reports

4.7 Cost schedules

Cost schedules are needed at regular intervals to enable managers to keep a check on what the business is spending. Cost schedules may be produced, for example, for the following areas.

  • Wages and salaries 
  • Departmental costs
  • Cost of sales
  • Selling expenses
  • Administration costs

4.8 Budgets

Most businesses will prepare a budget. This may be a budget for the year ahead, showing projected sales, the costs involved in generating those sales, overheads and projected profits. Budgets may be produced for the business as a whole and for individual departments. The finance department will also produce a cash flow budget (or cash flow forecast) identifying the amounts of cash likely to come into and out of the business each week or month. This will enable the department to identify potential problems and arrange overdraft facilities or loans with the bank well in advance.

4.9 Variance reports

Once the budget has been agreed, the actual costs must be measured. The cost schedules should be compared to the budget and any differences accounted for. These differences are called variances and the variance report details the differences between actual and budgeted costs, and explains any material variances. Action can then be taken as needed.

5 Control over business transactions

5.1 Office organisation

There are a number of areas or functions to be administered and managed within a business. For example, the ‘head office’ of a business may cover the following areas:

  • Purchasing 
  • Sales and marketing
  • Human resources 
  • General administration
  • Finance

5.1.1 Purchasing

Whether a business manufactures products or sells bought-in products, there will be a large purchasing function, either purchasing raw materials for manufacture or purchasing finished goods for resale. The function of the purchasing department will be to ensure that the business purchases from suppliers providing the best overall deal in terms of price, service, delivery time and quality. The purchasing department will also be responsible for ensuring that only necessary purchases are made by the business.

5.1.2 Human resources

Any business that employs a significant number of people is likely to have a human resources function. This area of the office will be responsible for the hiring and firing of staff, for training of staff and for the general welfare of the employees.

5.1.3 Finance

The finance function is also very wide ranging. On a day-to-day level the accounts department will deal with sending invoices to customers, receiving invoices from suppliers, payment of suppliers, receiving money from customers and making other payments, such as purchases of non-current assets and payment of employees. The higher levels of management in the accounting function may also be responsible for management of the cash balances and for the overall financing of the organisation.

5.1.4 Sales and marketing

The selling and marketing function will deal with all aspects of taking sales orders, advertising, and any sales personnel.

5.1.5 General administration

General administration functions are very wide ranging but might include secretarial support, dealing with telephone queries and arranging matters such as rent of properties.

QUESTION: Departmental functions

Which of the following is not a function of the purchasing department?

  A. Ensuring that only required goods are purchased
  B. Ensuring that suppliers used give the best price
  C. Paying suppliers’ invoices
  D. Negotiating discounts with suppliers


The answer is C. Paying suppliers’ invoices.


5.2 Policies

In any organisation there is a need for order, co-ordination and control to ensure efficiency. To achieve this, management often implement rules and procedures. For example there will be authorisation policies for the purchase of non-current assets, procedures for choosing new suppliers, procedures for accepting new customers, etc.

Policies and procedures may be grouped in the form of a policy manual, perhaps stored on the organisation’s computer network for easy reference. Although a policy manual is to be recommended as a form of control over the activities of employees, care must be taken that strict adherence to the rules does not create inflexibility.

5.3 Business transactions

It was mentioned earlier that businesses come in all shapes and forms. However, there will be a number of types of transaction which will be common to most businesses.

  • Making sales
  • Paying employees
  • Making purchases
  • Purchasing non-current assets
  • Paying expenses

This diagram shows, in a simplified form, the flow of funds, documentation and information.

Effective systems and procedures should ensure that:

  • Relationships with customers are effectively managed
  • Relationships with suppliers are effectively managed
  • Office functions interrelate properly and are not duplicated

Within the overall system, which we can consider to be how each department relates to the other departments and to outside bodies, there will be sub-systems. For instance, the purchase ledger function will have its own system, which will be designed to ensure that only authorised payments are made, that no invoice ever gets paid twice and that expenses are coded to the correct accounts.

Weaknesses in office procedures may be signalled by:

  • Arguments over job functions
  • Missing paperwork
  • Disputes with customers/suppliers
  • Goods not delivered

5.3.1 Sales

In a retail organisation sales are of course made on the shop floor. However, in a manufacturing organisation, there will normally be a sales and marketing function whose responsibility is to market the organisation’s products and take orders from customers. Often the day-to-day responsibility for taking orders will be with the salesmen and women. This may be done over the telephone or via personal visits to customers or potential customers.

If a sale is being made to an existing customer, provided that customer has not exceeded their credit balance then the procedure will be for the salesperson to take details of the order and pass those details to the stores department for despatch and to the accounts department for invoicing of the customer.

However, if the sale is to a new customer, then a more senior level of management will have to be involved if the sale is to be on credit. The credit status of the new customer must be determined and a decision made as to whether sales on credit should be made to this customer.

Once the goods have been despatched to the customer, responsibility then passes to the accounting function to invoice the customer for the goods and to ensure that payment is received.

5.3.2 Purchases

The making of purchases will initially be started by either the purchasing department or the stores department. The need for the purchase of more goods will be recognised by, for example, the stores manager when he realises that an item of inventory is running low. He will then complete a purchase requisition which must be authorised and then the purchasing function will determine the most appropriate supplier on the basis of price, delivery and quality. An order will be placed by the purchasing function and the goods will normally be received by the stores department.

After this, responsibility then goes to the accounting department which will await the arrival of the invoice for the goods from the suppliers, check that the invoice is accurate and for goods that have in fact been received and then in due course pay the amount due to the supplier.

5.3.3 Overheads

Organisations will incur a variety of expenses such as rent and rates, insurance, telephone bills, energy bills, advertising expenses, etc. In some cases these will be incurred by a specific department of the business, such as the marketing department investing in an advertising campaign, or alternatively the receipt of the telephone bill will be part of the general administration of the business.

When bills for expenses are received they will be passed to the accounting function which will check that the expense has been incurred or is reasonable and then will process the expense for payment.

5.3.4 Payroll

Every week and/or every month the employees of the business must be paid. For this process to take place there are a lot of calculations to be made and a lot of paperwork to be filled out. In larger organisations there will be a payroll department which will deal with this; otherwise, it will be the responsibility of the payroll clerk in the accounting function.

The payroll function will determine the gross pay for each employee, based on a variety of different remuneration schemes, and then will calculate the statutory and other deductions that must be made before calculating the net pay due to the employee. Finally the payroll function must then organise the method of payment to the employees.

5.3.5 Capital expenditure

From time to time an organisation will need to purchase non-current assets. These are assets that are to be used in the business for the medium to long term rather than being purchased for resale. This will include items such as machinery, cars, computer equipment, office furniture, etc.

In order for the purchase of non-current assets to be put in motion the manager of the department which requires the asset must firstly fill out a purchase requisition. As most non-current assets are relatively expensive this will probably have to be authorised by more senior management. Once the requisition has been authorised the purchasing function will then find the most appropriate supplier for the assets.

Once a purchase order has been placed the details will then be passed to the accounting function which will then process and pay the invoice when it is received.

QUESTION: Purchasing function

Which of the following personnel in an organisation would not be involved in the purchase of materials?

  A. Credit controller
  B. Stores manager
  C. Accountant
  D. Purchasing manager


  A. The credit controller chases unpaid debts.


5.4 Control over transactions  

As you may have noticed in the last section, any transaction that a business is involved in will tend to involve a number of different people within the organisation. You will have also noticed the requirement for transactions to be authorised.

The management of a reasonably large business cannot have the time to personally be involved in every transaction of the business. However, in order to keep control of the sources of income of the business and the expenditure that the business incurs, it is important that transactions are authorised by a responsible member of the management team.

In particular, this means that management must have control over the following areas.

  • Sales on credit made to new customers. If a sale is made on credit the goods are sent out with a promise from the customer to pay in the future, therefore the management of the business must be as certain as they can be that this new customer can, and will, pay for the goods. This means that the credit controller must be happy that the new customer has a good credit rating and is fairly certain to pay for the goods.
  • Purchases of goods or non-current assets and payments for expenses. This is money going out of the business therefore it is essential that these are necessary and valid expenditures so a responsible official must authorise them.
  • Payroll. One of the largest payments made by most organisations is that of the wages bill for their employees. It is essential that only bona fide employees are paid for the actual hours that they have worked therefore authorisation of the payroll is a very important part of any business.

5.5 Financial control procedures

Financial control procedures exist specifically to ensure that:

  • Financial transactions are properly carried out.
  • The assets of the business are safeguarded.
  • Accurate and timely management information is produced.

These are some examples of financial control procedures:

  • Cheques over a certain amount need two signatories
  • Authorisation limits for purchase orders
  • Authorisation for petty cash and expenses claims
  • Effective credit control procedures
  • Computer security procedures and access levels

Weaknesses in financial control procedures may be signalled by:

  • Cash or cheques going missing
  • Excessive bad or doubtful debts
  • Customers not paying within credit terms
  • Suppliers not being paid on time
  • Unauthorised purchases being made
  • Failure to produce accounts or other reports at the specified time

6 The main business financial systems

6.1 Controlling the payroll system

Key controls over payroll cover:

  • Documentation and authorisation of staff changes
  • Calculation of wages and salaries
  • Payment of wages and salaries
  • Authorisation of deductions

6.1.1 Data held on a payroll file
The purpose of a payroll system is to compute the gross wages and salaries of employees and produce payslips, cheques and/or listings sent to banks instructing them to make payments. A computerised payroll system will be expected to carry out these tasks in accordance with how much employees should receive, how they should receive it and when it should be paid. The system should also be able to calculate tax deductions, national insurance deductions, savings, loan repayments, etc as well as printing various other outputs connected with employees’ pay.

Payroll files will consist of an individual record for each employee.

  • Standing data on each employee will include:
    • Personal details (eg name, employee number, job grade, address)
    • Rate of pay
    • Details of deductions (including tax code)
    • Holidays
  • Variable (transaction) data will include:
    • Gross pay to date
    • Tax to date
    • Pension contributions etc

6.1.2 Inputs to a payroll system

The main inputs into a wages system (ie into a weekly paid payroll) are as follows.

  • Clock cards or timesheets (sometimes both are used). Details of overtime worked will normally be shown on these documents. Sometimes payroll might be directly linked to an electronic time recording system.
  • Amount of bonus, or appropriate details if the bonus is calculated by the computer.

Salary systems (ie a monthly paid payroll) are similar to those for wages but it is usual for the monthly salary to be generated by the computer from details held on the master file and therefore (with the exception of overtime, bonuses, etc) there is no need for any transaction input. So the inputs for a salary system are just overtime, bonuses, etc (because the basic salary is already on the master file).

6.1.3 Processing in a payroll system

The primary action involved in processing a payroll is calculating an employee’s gross pay, calculating and implementing the various deductions in order to find net pay, and then making payment by the appropriate method.

In the case of wages, this means taking the input data on hours worked and pay details, and calculating the weekly wage due to the employee. The same calculation is carried out every week.

In the case of salaries, payroll processing might just mean picking an option to pay all the monthly paid employees the same amount as they received the previous month. This could happen in theory, but in practice there are usually some amendments to make to the monthly pay details, and these are implemented during payroll processing.

6.1.4 Outputs from a payroll system

Typical outputs in a payroll system are:

  • Payslips
  • Payroll (this is often a copy of the payslips)
  • Payroll analysis, including analysis of deductions (tax, national insurance, etc) and details for costing purposes
  • Various forms required for income tax purposes
  • Coin analysis, cheques, credit transfer forms
  • Electronic payment through the BACS system

Segregation of duties within the payroll department is particularly important. Well-planned fraud, such as the payment of ‘ghost’ employees, then requires collusion involving two or more people, and is consequently less likely to take place.
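The check below is an added example, not part of the original text: it reconciles a payroll run to independently held personnel records, which is the routine comparison that exposes a 'ghost' employee, and it also tests that the run was not prepared and approved by the same person. All names, employee numbers, account references and amounts are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class PersonnelRecord:
    """Standing data kept by HR, independently of the payroll staff."""
    employee_no: str
    active: bool
    bank_account: str


@dataclass(frozen=True)
class PayLine:
    """One line of the payroll run under review."""
    employee_no: str
    bank_account: str
    net_pay: Decimal


def review_pay_run(personnel, pay_lines, prepared_by, approved_by):
    """Return a sorted list of (employee_no, finding) exceptions for the run."""
    findings = []
    hr = {p.employee_no: p for p in personnel}

    # Segregation of duties: the preparer must not approve their own payroll.
    if prepared_by == approved_by:
        findings.append(("RUN", "prepared and approved by the same person"))

    accounts = defaultdict(set)
    seen = set()
    for line in pay_lines:
        record = hr.get(line.employee_no)
        if record is None:
            findings.append((line.employee_no, "no personnel record"))
        elif not record.active:
            findings.append((line.employee_no, "paid after leaving"))
        elif record.bank_account != line.bank_account:
            findings.append((line.employee_no, "bank account differs from personnel record"))
        if line.employee_no in seen:
            findings.append((line.employee_no, "paid more than once in this run"))
        seen.add(line.employee_no)
        accounts[line.bank_account].add(line.employee_no)

    # Several employee numbers paid into one account need an explanation.
    for account, employees in accounts.items():
        if len(employees) > 1:
            for emp in sorted(employees):
                findings.append((emp, f"shares bank account {account}"))
    return sorted(findings)


def pay_on_hold(pay_lines, findings):
    """Total net pay on lines that carry at least one finding."""
    flagged = {who for who, _ in findings}
    return sum((l.net_pay for l in pay_lines if l.employee_no in flagged), Decimal("0"))


# Constructed sample data.
PERSONNEL = [
    PersonnelRecord("E001", True, "ACC-1"),
    PersonnelRecord("E002", True, "ACC-2"),
    PersonnelRecord("E003", False, "ACC-3"),   # left the business
]
PAY_RUN = [
    PayLine("E001", "ACC-1", Decimal("1500.00")),
    PayLine("E002", "ACC-2", Decimal("1400.00")),
    PayLine("E003", "ACC-3", Decimal("1300.00")),
    PayLine("E999", "ACC-2", Decimal("1200.00")),   # unknown to HR
]

if __name__ == "__main__":
    results = review_pay_run(PERSONNEL, PAY_RUN, "payroll.clerk", "payroll.clerk")
    for who, finding in results:
        print(who, "-", finding)
    print("net pay on hold:", pay_on_hold(PAY_RUN, results))
```
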

The most important aims of the control system relating to wages and salaries are:

Feature: Setting of wages and salaries
  • Employees are only paid for work that they have done.
  • Gross pay has been calculated correctly and authorised.

Feature: Recording of wages and salaries
  • Gross and net pay and deductions are accurately recorded on the payroll.
  • Wages and salaries paid are recorded correctly in the bank and cash records.
  • Wages and salaries are correctly recorded in the general ledger.

Feature: Payment of wages and salaries
  • The correct employees are paid.

Feature: Deductions
  • Statutory and non-statutory deductions have been calculated correctly and are authorised.
  • The correct amounts are paid to the taxation authorities.

6.1.5 Controls

While in practice separate arrangements are generally made for dealing with wages and salaries, the considerations involved are broadly similar and for convenience the two aspects are here treated together.

Responsibility for the preparation of pay sheets should be delegated to a suitable person, and adequate staff appointed to assist them. The extent to which the staff responsible for preparing wages and salaries may perform other duties should be clearly defined. In this connection full advantage should be taken where possible of the division of duties, and checks available where automatic wage-accounting systems are in use.

Setting of wages and salaries

  • Staffing and segregation of duties
  • Maintenance of personnel records and regular checking of wages and salaries to details in personnel records
  • Authorisation required for:
    • Engagement and discharge of employees
    • Changes in pay rates
    • Overtime
    • Non-statutory deductions (for example pension contributions)
    • Advances of pay
  • Recording of changes in personnel and pay rates
  • Recording of hours worked by timesheets, clocking in and out arrangements
  • Review of hours worked
  • Recording of advances of pay
  • Holiday pay arrangements
  • Answering queries
  • Review of wages against budget

Recording of wages and salaries

  • Bases for compilation of payroll
  • Preparation, checking and approval of payroll
  • Dealing with non-routine matters

Payment of cash wages

  • Segregation of duties
    • Cash sheet preparation
    • Filling of pay packets
    • Distribution of wages
  • Authorisation of wage cheque
  • Custody of cash
    • Encashment of cheque
    • Security of pay packets
    • Security of transit arrangements
    • Security and prompt banking of unclaimed wages
  • Verification of identity
  • Recording of distribution

Payment of salaries

  • Preparation and signing of cheques and bank transfer lists
  • Comparison of cheques and bank transfer list with payroll
  • Maintenance and reconciliation of wages and salaries bank account

Deductions from pay

  • Maintenance of separate employees’ records, with which pay lists may be compared as necessary
  • Reconciliation of total pay and deductions between one pay day and the next
  • Surprise cash counts
  • Comparison of actual pay totals with budget estimates or standard costs and the investigation of variances
  • Agreement of gross earnings and total tax deducted with income tax returns to HM Revenue and Customs

Appropriate arrangements should be made for dealing with statutory and other authorised deductions from pay, such as national insurance, income tax, pension fund contributions and savings held in trust. A primary consideration is the establishment of adequate controls over the records, and authorisation of deductions.


The purchases and sales systems will be the most important components of most company accounting systems.

6.2 The purchases and sales cycles

6.2.1 Purchase and sales systems

Purchasing is an important area to control, especially where items of high value are concerned. There are likely to be specific authorisation procedures for the purchase of non-current assets.

Businesses have to ensure that only properly authorised purchases which are necessary for the business are made. All stages of the purchase process – ordering, receiving goods and being charged for them – should be documented and matched. In this way it can be ensured that the business gets what it ordered and only pays for what it orders and receives. The payables ledger makes it possible for the business to keep track of what it owes each supplier.
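As an added illustration (not from the original text), the matching of order, goods received and supplier charge can be written as a check that an invoice must pass before it is cleared for payment, including the rule that no invoice is paid twice. The document types, field names and sample records are constructed, and each invoice is checked on its own against the total quantity received for its order.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class PurchaseOrder:
    po_no: str
    supplier: str
    qty: int
    unit_price: Decimal
    authorised_by: str      # empty string means the order was never authorised


@dataclass(frozen=True)
class GoodsReceivedNote:
    po_no: str
    qty: int


@dataclass(frozen=True)
class Invoice:
    invoice_no: str
    supplier: str
    po_no: str
    qty: int
    unit_price: Decimal


def match_invoice(invoice, orders, receipts, already_paid):
    """Return the reasons an invoice must not be paid; an empty list clears it."""
    reasons = []
    if (invoice.supplier, invoice.invoice_no) in already_paid:
        reasons.append("invoice already paid")
    order = orders.get(invoice.po_no)
    if order is None:
        reasons.append("no purchase order")
        return reasons
    if not order.authorised_by:
        reasons.append("purchase order not authorised")
    if order.supplier != invoice.supplier:
        reasons.append("supplier differs from order")
    # Part deliveries are added up: pay only for what has actually arrived.
    received = sum(r.qty for r in receipts if r.po_no == invoice.po_no)
    if invoice.qty > received:
        reasons.append(f"invoiced {invoice.qty} but received {received}")
    if invoice.unit_price > order.unit_price:
        reasons.append("price above order price")
    return reasons


def process_invoices(invoices, orders, receipts):
    """Check invoices in arrival order; cleared ones are remembered as paid."""
    orders_by_no = {o.po_no: o for o in orders}
    already_paid = set()
    results = []
    for inv in invoices:
        reasons = match_invoice(inv, orders_by_no, receipts, already_paid)
        if not reasons:
            already_paid.add((inv.supplier, inv.invoice_no))
        results.append((inv.invoice_no, reasons))
    return results


# Constructed sample documents.
ORDERS = [
    PurchaseOrder("PO-100", "Acme", 10, Decimal("5.00"), "purchasing.manager"),
    PurchaseOrder("PO-101", "Bolt", 4, Decimal("20.00"), ""),
]
RECEIPTS = [
    GoodsReceivedNote("PO-100", 6),
    GoodsReceivedNote("PO-100", 4),
    GoodsReceivedNote("PO-101", 4),
]
INVOICES = [
    Invoice("INV-1", "Acme", "PO-100", 10, Decimal("5.00")),   # matches
    Invoice("INV-1", "Acme", "PO-100", 10, Decimal("5.00")),   # sent twice
    Invoice("INV-7", "Bolt", "PO-101", 4, Decimal("20.00")),   # order unauthorised
    Invoice("INV-9", "Acme", "PO-100", 12, Decimal("5.50")),   # over-billed
    Invoice("INV-3", "Acme", "PO-555", 1, Decimal("9.00")),    # nothing ordered
]

if __name__ == "__main__":
    for invoice_no, reasons in process_invoices(INVOICES, ORDERS, RECEIPTS):
        print(invoice_no, "PAY" if not reasons else "HOLD: " + "; ".join(reasons))
```
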


The most important aims of the control system relating to payables and purchases are:

Feature: Ordering
  • All orders for, and expenditure on, goods and services are properly authorised, and are for goods and services that are actually received and are for the company.
  • Orders are only made to authorised suppliers.
  • Orders are made at competitive prices.

Feature: Receipt and invoices
  • Goods and services received are used for the organisation’s purposes and not private purposes.
  • Goods and services are only accepted if they have been ordered, and the order has been authorised.
  • All goods and services received are accurately recorded.
  • Liabilities are recognised for all goods and services that have been received.
  • All credits to which business is due are claimed.
  • Receipt of goods and services is necessary to establish a liability.

Feature: Accounting
  • All expenditure is authorised and is for goods that are actually received.
  • All expenditure that is made is recorded correctly in the general and payables ledger.
  • All credit notes that are received are recorded in the general and payables ledger.
  • All entries in the payables ledger are made to the correct payables ledger accounts.
  • Cut-off is applied correctly to the payables ledger.

6.2.3 Controls

The purchasing system tests will be based around:

  • Buying (authorisation)
  • Accounting (recording)
  • Goods inwards (custody)


6.3 Controlling the sales cycle

Like the purchase cycle, the sales system tests will be based around:

  • Selling (authorisation)
  • Accounting (recording)
  • Goods outwards (custody)

For sales, businesses want to give credit only to customers who will pay their debts. The processes of handling sales, matched orders, despatching goods and invoicing all need to be documented and matched, so that customers receive what they ordered and are correctly billed. The receivables ledger makes it possible to keep track of what is owed by each customer.

Feature: Ordering and granting of credit
  • Goods and services are only supplied to customers with good credit ratings.
  • Customers are encouraged to pay promptly.
  • Orders are recorded correctly.
  • Orders are fulfilled.

Feature: Despatch and invoicing
  • All despatches of goods are recorded.
  • All goods and services sold are correctly invoiced.
  • All invoices raised relate to goods and services that have been supplied by the business.
  • Credit notes are only given for valid reasons.

Feature: Recording, accounting and credit control
  • All sales that have been invoiced are recorded in the general and receivables ledgers.
  • All credit notes that have been issued are recorded in the general and receivables ledgers.
  • All entries in the receivables ledger are made to the correct receivables ledger accounts.
  • Cut-off is applied correctly to the receivables ledger.
  • Potentially doubtful debts are identified.

6.3.2 Controls

The tests of controls of the sales system will be based around:

  • Selling (authorisation)
  • Accounting (recording)
  • Goods outwards (custody)

6.4 Controlling cash

Cash and petty cash must be regularly reconciled.

Although we still talk in terms of cash, very few business transactions involve its use. Even at the retail level, many purchases are now being made by debit and credit card.

When we consider sales and purchases made on credit between businesses, transfer of funds will probably be by:

  • Company cheque
  • Bank transfer
  • Internet transfer, or in some cases
  • Standing order/direct debit

The only use of cash in non-retail businesses will probably be for petty cash. So what controls need to be in place?

6.4.1 Control over receipts

In any business controls over cash receipts are fundamental if the company is to keep a healthy cash position. Control over cash receipts will concentrate on three main areas.

  • Receipts must be banked promptly.
  • The record of receipts must be complete.
  • The loss of receipts through theft or accident must be prevented.

The difference between these three controls can be demonstrated with an example.

6.4.2 Example: control over cash receipts

Suppose that your company sells goods for $10,000 during the month of April to XYZ & Co. You receive a payment of $10,000 by cheque along with a remittance advice which shows exactly which invoices the cheque covers.


  • You examine the cheque to ensure it is valid and completed correctly and you pay it in to the company account within 24 hours as company policy dictates (banked promptly).
  • A colleague records the cheque details and compares the amount of the cheque to the remittance advice (checking for completeness). Usually the payment would also be checked against the total amount owed by the customer as part of the completeness check.


  • The segregation of duties between the person who banks the money and the person who records it is considered to be a very good control to prevent theft and accidental loss. This prevents the fraud known as ‘teeming and lading’ where receipts for customers are misappropriated and this is then covered up by misposting future receipts.
  • Now that cheques can only be paid into the account in whose name they are made out, the opportunities for misappropriation of cheque receipts are much less.

6.4.3 Controls over payments

Controls over payments by a business must be strict. This should apply to all payments, from the smallest to the largest. The need for controls should be fairly obvious: if any business allowed some of its employees to pay out its money without needing to obtain permission, the scope for cheating and dishonesty would be very wide.

There are three main steps in applying controls over payments.

Step 1 Obtaining documentary evidence of the reason why the payment is being made and the amount of the payment. In the case of payments to suppliers, the documentary evidence will be a supplier’s invoice (or statement).
Step 2 Authorisation of the payment, which means giving formal ‘official’ approval to make the payment.
Step 3 Restricting the authority to actually make the payment to certain specified individuals.

The difference between Steps 1, 2 and 3 can be illustrated with an example.

6.4.4 Example: controlling a payment

Suppose that a company buys goods costing $5,000.

Step 1 It will receive an invoice from the supplier. This is the documentary evidence of the reason for and amount of the payment.
Step 2 The invoice will be approved by the purchasing director. This approval is the authorisation of the payment.
Step 3 At some time later, the payment will be made to the supplier, probably by cheque. For a payment of $5,000, perhaps only the finance director or managing director will be permitted to sign the cheque, and so the authority to make the payment would be limited to these two people.

6.4.5 Authorisation

Every payment must be approved by an authorised person. This person will often be a manager or supervisor in the department that initiated the expense, but every organisation has its own system. The following control limits must be set.

  • Which individuals can authorise particular expenses
  • The maximum amount of expenditure that an individual can authorise

The controls described above are designed to prevent fraud and error in the cash cycle. The most important controls designed to detect fraud and error which may already have taken place are reconciliations.

Petty cash should be reconciled whenever there is a need to replenish the float. The vouchers plus the remaining cash should equal the original float. If this balances, the only other check needed is to make sure that the vouchers are all valid and authorised.

A bank reconciliation should be done at least once a month. Many businesses, even those with sophisticated computer systems, still keep a manual cash book. If not, a printout of the bank record from the computer can be used. This is reconciled to the bank statement. There will always be differences, but they should come into the following categories.

  • Timing differences due to unpresented cheques
  • Timing differences due to uncredited lodgements
  • Standing orders and direct debits not entered in the cash book
  • Bank charges not entered in the cash book
  • Funds received by transfer and not recorded in the cash book
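A bank reconciliation along these lines can be automated so that every difference is placed in one of the five categories above and anything left over is flagged for investigation. This is an added example, not part of the original text: the references, amounts, balances and bank transaction type labels are constructed, and it assumes each reference is unique.

```python
from decimal import Decimal

# Items found only on the bank statement, classified by the bank's
# transaction type (the type labels are assumptions for this example).
BANK_ONLY = {
    "SO": "standing orders and direct debits",
    "DD": "standing orders and direct debits",
    "CHARGE": "bank charges",
    "TRANSFER": "transfers received",
}
CATEGORIES = ("unpresented cheques", "uncredited lodgements",
              "standing orders and direct debits", "bank charges",
              "transfers received", "unexplained")

# Constructed sample data: amount > 0 is money in, amount < 0 is money out.
CASH_BOOK = [
    ("CHQ101", Decimal("-1200.00")),
    ("CHQ102", Decimal("-350.00")),    # written but not yet presented
    ("LDG55", Decimal("5000.00")),
    ("LDG56", Decimal("800.00")),      # paid in but not yet credited
]
BANK_STATEMENT = [
    ("CHQ101", Decimal("-1200.00"), "CHQ"),
    ("LDG55", Decimal("5000.00"), "LODGEMENT"),
    ("SO-RENT", Decimal("-400.00"), "SO"),
    ("CHG-APR", Decimal("-25.00"), "CHARGE"),
    ("TRF-9001", Decimal("650.00"), "TRANSFER"),
    ("CHQ999", Decimal("-75.00"), "CHQ"),  # cheque the cash book knows nothing about
]
CASH_BOOK_BALANCE = Decimal("5250.00")
BANK_BALANCE = Decimal("4950.00")


def classify_bank_only(kind, amount):
    """Category for an item on the statement that is missing from the cash book."""
    category = BANK_ONLY.get(kind, "unexplained")
    money_in_expected = category == "transfers received"
    # A 'transfer received' that takes money out (or a charge that pays money
    # in) does not fit its category, so it is left for investigation.
    if category != "unexplained" and (amount > 0) != money_in_expected:
        return "unexplained"
    return category


def total(items):
    return sum((amount for _, amount in items), Decimal("0"))


def reconcile(cash_book, bank_statement, cash_balance, bank_balance):
    """Return (differences by category, unreconciled difference)."""
    cash = dict(cash_book)
    bank = {ref: (amount, kind) for ref, amount, kind in bank_statement}
    diffs = {name: [] for name in CATEGORIES}

    for ref, amount in cash.items():
        if ref not in bank:
            # Timing difference: recorded by the business, not yet by the bank.
            name = "unpresented cheques" if amount < 0 else "uncredited lodgements"
            diffs[name].append((ref, amount))
        elif bank[ref][0] != amount:
            # Same item, different amount: record the size of the discrepancy.
            diffs["unexplained"].append((ref, bank[ref][0] - amount))

    for ref, (amount, kind) in bank.items():
        if ref not in cash:
            diffs[classify_bank_only(kind, amount)].append((ref, amount))

    # Bring the cash book up to date with items only the bank has recorded.
    adjusted_cash = (cash_balance
                     + total(diffs["standing orders and direct debits"])
                     + total(diffs["bank charges"])
                     + total(diffs["transfers received"]))
    # Adjust the bank balance for timing differences that have yet to clear.
    adjusted_bank = (bank_balance
                     + total(diffs["unpresented cheques"])
                     + total(diffs["uncredited lodgements"]))
    return diffs, adjusted_bank - adjusted_cash
```

A non-zero result should equal the total of the items listed under `unexplained`; with the sample data the only such item is the $75 cheque that was never entered in the cash book.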

6.5 Reviewing controls

Controls should be regularly checked and any problems reported to management.

It is not sufficient to set up controls and assume that they work. The control system needs to be regularly tested and reviewed by means of an internal audit (see next chapter). This will highlight any problems in practice and the internal auditors can make recommendations to the management for improvements to the control system. This will help to prevent error and fraud and to improve efficiency.

7 Manual and computerised accounting systems

Most references to computerised accounting talk about accounting packages. This is a rather general term, but most of us can probably name the accounting package that we use at work. An accounting package consists of several accounting modules, eg receivables ledger, general ledger.

Most accounting systems are computerised and anyone training to be an accountant should be able to work with computerised systems. The most important point to remember is that the principles of computerised accounting are the same as those of manual accounting.

We are going to look specifically at ‘applications software’; that is, packages of computer programs that carry out specific tasks.

  • Some applications are devoted specifically to an accounting task, for example a payroll package, a non-current asset register or an inventory control package.
  • Other applications have many uses in business, including their use for accounting purposes.

Examples of this are databases and spreadsheets, which are covered in Section 8.

7.1 Accounting packages

Accounting functions retain the same names in computerised systems as in more traditional written records. Computerised accounting still uses the familiar ideas of day books, ledger accounts, double entry, trial balance and financial statements. The principles of working with computerised sales, purchase and nominal ledgers are exactly what would be expected in the manual methods they replace.

The only difference is that these various books of account have become invisible. Ledgers are now computer files which are held in a computer-sensible form, ready to be called on.

7.2 Manual systems vs computerised systems

In many situations manual systems are inferior to computerised systems in terms of productivity, speed, accessibility, quality of output, incidence of errors, ‘bulk’ and when making corrections.

Disadvantages of manual systems include the following.

| Disadvantage | Comment |
| --- | --- |
| Productivity | Productivity is usually lower, particularly in routine or operational situations such as transaction processing. |
| Slower | Processing is slower where large volumes of data need to be dealt with. |
| Risk of errors | The risk of errors is greater, especially in repetitive work like payroll calculations. |
| Less accessible | Information on manual systems is generally less accessible. Access to information is often restricted to one user at a time. |
| Alterations | It is difficult to make corrections. If a manual document contains errors or needs updating it is often necessary to recreate the whole document from scratch. |
| Quality of output | Quality of output is less consistent and often not well designed. At worst, handwritten records may be illegible and so completely useless. |
| Bulk | Paper-based systems are generally very bulky both to handle and to store. |

However, don’t assume that computerised systems are best in every situation. For example, a post-it note stuck on a colleague’s desk with a brief message may in some cases be quicker than typing up an email message.

7.3 Coding

Computers require vital information to be expressed in the form of codes. For example, general ledger accounts might be coded individually by means of a two-digit code.

  • Ordinary share capital
  • Share premium

05         Statement of profit or loss and other comprehensive income
15         Purchases
22         Receivables control account
41         Payables control account

  • Interest
  • Dividends

In the same way, individual accounts must be given a unique code number in the receivables ledger and payables ledger.

7.3.1 Example: coding

When an invoice is received from a supplier (example code 1234) for $3,000 for the purchase of raw materials, the transaction might be coded for input to the computer as:

| Supplier code | General ledger: debit | General ledger: credit | Value | Inventory: code | Inventory: quantity |
| --- | --- | --- | --- | --- | --- |
| 1234 | 15 | 41 | $3,000 | 56742 | 150 |

Code 15 in our example represents purchases, and code 41 the payables control account from the list in Paragraph 6.3. This single input could be used to update the payables ledger, the general ledger and the inventory ledger. The inventory code may enable further analysis to be carried out, perhaps allocating the cost to a particular department or product. Thus the needs of both financial accounting and cost accounting can be fulfilled at once.
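The way a single coded input can update three ledgers, and the checks a package can apply before it does so, are shown in the following added example (not part of the original text). The supplier code, ledger codes, value, inventory code and quantity are those of the example above; the class and method names, the sign convention and the validation rules are assumptions.

```python
from decimal import Decimal

# General ledger codes taken from the list above.
CHART = {
    "05": "Statement of profit or loss and other comprehensive income",
    "15": "Purchases",
    "22": "Receivables control account",
    "41": "Payables control account",
}
PAYABLES_CONTROL = "41"


class Ledgers:
    """Three ledgers updated from one input. Debits are held as positive
    balances and credits as negative balances (assumed convention)."""

    def __init__(self, suppliers, inventory_codes):
        self.general = {code: Decimal("0") for code in CHART}
        self.payables = {code: Decimal("0") for code in suppliers}
        self.inventory = {code: {"quantity": 0, "value": Decimal("0")}
                          for code in inventory_codes}

    def post_purchase_invoice(self, supplier, debit, credit, value,
                              inventory_code, quantity):
        # Validate every code before touching any ledger, so that a rejected
        # input leaves all three ledgers exactly as they were.
        errors = []
        if supplier not in self.payables:
            errors.append(f"unknown supplier code {supplier}")
        if debit not in CHART:
            errors.append(f"unknown general ledger code {debit}")
        if credit != PAYABLES_CONTROL:
            errors.append("a supplier invoice must credit the payables control account")
        if debit == credit:
            errors.append("debit and credit codes must differ")
        if inventory_code not in self.inventory:
            errors.append(f"unknown inventory code {inventory_code}")
        if value <= 0 or quantity <= 0:
            errors.append("value and quantity must be positive")
        if errors:
            raise ValueError("; ".join(errors))

        self.general[debit] += value          # general ledger: debit
        self.general[credit] -= value         # general ledger: credit
        self.payables[supplier] += value      # payables ledger: amount owed
        item = self.inventory[inventory_code]  # inventory ledger
        item["quantity"] += quantity
        item["value"] += value

    def in_balance(self):
        """Debits equal credits, and the individual supplier accounts add up
        to the balance on the payables control account."""
        debits_equal_credits = sum(self.general.values()) == 0
        control_agrees = (sum(self.payables.values())
                          == -self.general[PAYABLES_CONTROL])
        return debits_equal_credits and control_agrees
```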


An accounting package will consist of several modules. A simple accounting package might consist of only one module (in which case it is called a standalone module), but more often it will consist of several modules. The name given to a set of several modules is a suite. An accounting package, therefore, might have separate modules for:

  • Invoicing 
  • Payroll
  • Inventory 
  • Cash book
  • Receivables ledger 
  • Job costing
  • Payables ledger 
  • Non-current asset register 
  • General ledger 
  • Report generator

7.5 Integrated software

Control is enhanced by an integrated accounting system.

Each module may be integrated with the others, so that data entered in one module will be passed automatically or by simple operator request through into any other module where the data is of some relevance. For example, if there is an input into the invoicing module authorising the despatch of an invoice to a customer, there might be automatic links:

(a) To the receivables ledger, to update the file by posting the invoice to the customer’s account
(b) To the inventory module, to update the inventory file by:
  • Reducing the quantity and value of inventory in hand
  • Recording the inventory movement
(c) To the general ledger, to update the file by posting the sale to the sales account
(d) To the job costing module, to record the sales value of the job on the job cost file
(e) To the report generator, to update the sales analysis and sales totals which are on file and awaiting inclusion in management reports

A diagram of an integrated accounting system is given below.


7.5.1 Advantages

  • It becomes possible to make just one entry in one of the ledgers which automatically updates the others.
  • Users can specify reports, and the software will automatically extract the required data from all the relevant files.
  • Both of the above simplify the workload of the user, and the irritating need to constantly load and unload disks is eliminated.

7.5.2 Disadvantages

  • Usually, it requires more computer memory than separate (standalone) systems – which means there is less space in which to store actual data.
  • Because one program is expected to do everything, the user may find that an integrated package has fewer facilities than a set of specialised modules.

8 Databases and spreadsheets

A database may be described as a ‘pool’ of data, which can be used by any number of applications. Its use is not restricted to the accounts department.

The database approach can also be summarised diagrammatically.

* The range of applications which make use of a database will vary widely, depending on what data is held in the database files.

Note the following from the diagram.

  • Data is input, and the DBMS software organises it into the database. If you like, you can think of the database as a vast library of fields and records, waiting to be used.
  • Various application programs (sales, payroll etc) are ‘plugged into’ the DBMS software so that they can use the database, or the same application used by different departments can all use the database.


  • As there is only one pool of data, there is no need for different departments to keep many different files with duplicated information.

8.1 Objectives of a database

The main virtues of a database are as follows.

  • There is common data for all users to share.
  • The extra effort of keeping duplicate files in different departments is avoided.
  • Conflicts between departments who use inconsistent data are avoided.

A database should have four major objectives.

  • It should be shared. Different users should be able to access the same data in the database for their own processing applications (and at the same time in some systems) thus removing the need for duplicating data on different files.
  • The integrity of the database must be preserved. This means that one user should not be allowed to alter the data on file so as to spoil the database records for other users. However, users must be able to update the data on file, and so make valid alterations to the data.
  • The database system should provide for the needs of different users, who each have their own processing requirements and data access methods. In other words, the database should provide for the operational requirements of all its users.
  • The database should be capable of evolving, both in the short term (it must be kept updated) and in the longer term (it must be able to meet the future data processing needs of users, not just their current needs).

8.2 Example: Non-current assets and databases

An organisation, especially a large one, may possess a large quantity of non-current assets. Before computerisation these would have been kept in a manual non-current asset register. A database enables this non-current asset register to be stored in an electronic form. A database file for non-current assets might contain most or all of the following categories of information.

  • Code number to give the asset a unique identification in the database
  • Type of asset (for example motor car, leasehold premises), for published accounts purposes
  • More detailed description of the asset (for example serial number, car registration number, make)
  • Physical location of the asset (for example address)
  • Organisational location of the asset (for example accounts department)
  • Person responsible for the asset (for example, in the case of a company-owned car, the person who uses it)
  • Original cost of the asset
  • Date of purchase
  • Depreciation rate and method applied to the asset
  • Accumulated depreciation to date
  • Net book value of the asset
  • Estimated residual value
  • Date when the physical existence of the asset was last verified
  • Supplier

Obviously, the details kept about the asset would depend on the type of asset it is.

Any kind of computerised non-current asset record will improve efficiency in accounting for non-current assets because of the ease and speed with which any necessary calculations can be made. Most obvious is the calculation of the depreciation provision which can be an extremely onerous task if it is done monthly and there are frequent acquisitions and disposals and many different depreciation rates in use.

The particular advantage of using a database for the non-current asset function is its flexibility in generating reports for different purposes. Aside from basic cost and net book value information a database with fields such as those listed above in the record of each asset could compile reports analysing assets according to location, say, or by manufacturer. This information could be used to help compare the performance of different divisions, perhaps, or to assess the useful life of assets supplied by different manufacturers. There may be as many more possibilities as there are permutations of the individual pieces of data.

  • Spreadsheets


The intersection of each column and row of a spreadsheet is referred to as a cell. A cell can contain text, numbers or formulae. Use of a formula means that the cell which contains the formula will display the results of a calculation based on data in other cells. If the numbers in those other cells change, the result displayed in the formula cell will also change accordingly. With this facility, a spreadsheet is used to create financial models.

Below is a spreadsheet processing budgeted sales figures for three geographical areas for the first quarter of the year.

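|   | A | B | C | D | E |
| --- | --- | --- | --- | --- | --- |
| 2 |   | Jan | Feb | Mar | Total |
| 3 |   | £’000 | £’000 | £’000 | £’000 |
| 4 | North | 2,431 | 3,001 | 2,189 | 7,621 |
| 5 | South | 6,532 | 5,826 | 6,124 | 18,482 |
| 6 | West | 895 | 432 | 596 | 1,923 |
| 7 | Total | 9,858 | 9,259 | 8,909 | 28,026 |

  • The use of spreadsheets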

Spreadsheets have many uses, both for accounting and for other purposes. It is perfectly possible, for example, to create proforma statements of financial position and statements of comprehensive income on a spreadsheet, or set up the notes for financial accounts, like the non-current assets note.


  • Accounting is a way of recording, analysing and summarising transactions of a business.
  • You may have a wide understanding of what accounting is about. Your job may be in one area or type of accounting, but you must understand the breadth of work which an accountant undertakes.
  • You should be able to outline the factors which have shaped the development of financial accounting.
  • The two most important external financial statements are the statement of financial position and the profit or loss account. Reports produced for internal purposes include budgets and costing schedules.
  • Businesses prepare financial statements for external stakeholders, such as shareholders, banks, suppliers and the Government.
  • The profit or loss account is a record of income generated and expenditure incurred over a given period.
  • The statement of financial position is a list of all the assets owned by a business and all the liabilities owed by a business at a particular date.
  • The statement of cash flows shows sources of cash generated during a period and how these funds have been spent.
  • Businesses will wish to prepare internal reports to help them run the day-to-day operations of the business.
  • Key controls over payroll cover:
      – Documentation and authorisation of staff changes
      – Calculation of wages and salaries
      – Payment of wages and salaries
      – Authorisation of deductions
  • The purchases and sales systems will be the most important components of most company accounting systems.
  • The purchasing system tests will be based around:
      – Buying (authorisation)
      – Goods inwards (custody)
      – Accounting (recording)
  • Like the purchase cycle, the sales system tests will be based around:
      – Selling (authorisation)
      – Goods outwards (custody)
      – Accounting (recording)
  • The tests of controls of the sales system will be based around:
      – Selling (authorisation)
      – Goods outwards (custody)
      – Accounting (recording)
  • Cash and petty cash must be regularly reconciled.
  • Controls should be regularly checked and any problems reported to management.
  • In many situations manual systems are inferior to computerised systems in terms of productivity, speed, accessibility, quality of output, incidence of errors, ‘bulk’ and when making corrections.
  • Control is enhanced by an integrated accounting system.
  • A database may be described as a ‘pool’ of data, which can be used by any number of applications. Its use is not restricted to the accounts department.
  • Spreadsheets, too, are often used both in financial accounting and cost accounting.




1  Transactions are initially recorded in which of the following?
   A Books of first entry
   B Books of ledger entry
   C Books of prime entry
   D Books of financial entry

2  The person responsible for cost accounting is most likely to be the company treasurer. Is this true or false?

3  Internal auditors are employed by
   A The company that they audit
   B An independent auditing/accounting firm
   C Either A or B

4  Which of the following factors have not influenced financial accounting?
   A National legislation
   B Economic factors
   C Accounting standards
   D GAAP

5  What does GAAP stand for?
   A Group audit and accountancy policy
   B Generally accepted accounting practice
   C Generally accepted audit policy
   D Guidelines for accepted accounting principles

6  What do the key controls over payroll cover?

7  What are the three main steps in controlling payments?

8  A series of cells arranged in columns and rows which can contain calculations, numbers or text is called a:
   A Word document
   B Spreadsheet
   C Calculation sheet
   D Cell document


1  C Books of prime entry.
2  Cost accounting is usually done by the management accountant.
3  A Internal auditors are employees of the company that they audit.
4  B Economic factors do not influence the development of financial accounting.
5  B Generally accepted accounting practice.
6  Controls cover documentation and authorisation of staff changes, calculation and payment of wages and salaries, and authorisation of deductions.
7  The three steps are: obtaining documentary evidence of the amount and reason for payment, obtaining authorisation and restricting the authority to actually make the payment to certain specified individuals.
8  B





















09 Control, security and audit

In this chapter we move to the main elements of internal control systems that organisations operate (Section 1). Controls must be linked to organisational objectives and the main risks that organisations face (Section 2). In addition, internal control systems do not just consist of the controls themselves but also the control environment within which controls operate.

Internal audit is a key part of the control system of larger companies (Section 3) and the external audit function exists to review controls and report on the financial statements (Section 4).

Organisations are becoming increasingly reliant on computerised information systems. It is vital therefore to ensure these systems are secure – to protect the information held on them, to ensure operations run smoothly, to prevent theft and to ensure compliance with legislation (Sections 5 and 6).

Security and legal issues are likely to crop up regularly in the examination.

Study Guide                                                            Intellectual level

C2 Accounting and finance functions within business

(e) Identify and describe the main audit and assurance roles in business.
    (i) Internal audit
    (ii) External audit
(f) Explain the main functions of the internal auditor and the external auditor and how they differ.

C6 Internal controls, authorisation, security of data and compliance within business

(a) Explain internal control and internal check.
(b) Explain the importance of internal financial controls in an organisation. K
(c) Describe the responsibilities of management for internal financial control. K
(d) Describe the features of effective internal financial control procedures in an organisation, including authorisation. K
(e) Identify and describe the types of information technology and information systems used by the business organisation for internal control. S
(f) Describe general and application systems controls in business.

C8 The impact of Financial Technology (Fintech) on accounting systems

(a) Describe cloud computing as a capability in accountancy and how it creates benefits for the organisation.
(b) Explain how automation and artificial intelligence (AI) in accounting systems can affect the role and effectiveness of accountants.
(c) Describe how the application of big data and data analytics can improve the effectiveness of accountancy and audit.
(d) Outline the key features and applications of Blockchain technology and distributed ledgers in accountancy.
(e) Define cyber security and identify the key risks to data that cyber-attacks bring.
(f) Identify and describe features for protecting the security of IT systems and software within business.




















1 Internal control systems

Internal controls should help organisations counter risks, maintain the quality of reporting and comply with laws and regulations. They provide reasonable assurance that the organisations will fulfil their objectives.

1.1 Direction of control systems

In order for internal controls to function properly, they have to be well directed. Managers and staff will be more able (and willing) to implement controls successfully if it can be demonstrated to them what the objectives of the control systems are, while objectives provide a yardstick for the board when they come to monitor and assess how controls have been operating.

1.2 Purposes of internal control systems

An internal control system should:

  • Facilitate the business’ effective and efficient operation by enabling it to respond appropriately to significant business, operational, financial, compliance and other risks to achieving its objectives, including the safeguarding of assets from inappropriate use or from loss and fraud and ensuring that liabilities are identified and managed
  • Help ensure the quality of internal and external reporting, requiring the maintenance of proper records and processes that generate a flow of timely, relevant and reliable information from within the organisation and from external sources
  • Help ensure compliance with applicable laws and regulations, and also with internal policies with respect to the conduct of business

1.3 Need for control framework

A sound system of internal control reduces but does not eliminate the possibilities of poorly judged decisions, human error, deliberate circumvention of controls, management override of controls and unforeseeable circumstances. Systems will provide reasonable (not absolute) assurance that the company will not be hindered in achieving its business objectives and in the orderly and legitimate conduct of its business, but won’t provide certain protection against all possible problems.

Internal control frameworks include the control environment within which internal controls operate. Other important elements are the risk assessment and response processes, the sharing of information and monitoring the environment and operation of the control system.

Organisations need to consider the overall framework of controls since controls are unlikely to be very effective if they are developed sporadically around the organisation, and their effectiveness will be very difficult to measure by internal audit and ultimately by senior management.

1.4 Control environment and control procedures

The internal control system comprises the control environment and control procedures. It includes all the policies and procedures (internal controls) adopted by the directors and management of an entity to assist in achieving their objective of ensuring, as far as practicable, the orderly and efficient conduct of its business, including adherence to internal policies, the safeguarding of assets, the prevention and detection of fraud and error, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information. Internal controls may be incorporated within computerised accounting systems. However, the internal control system extends beyond those matters which relate directly to the accounting system.


Perhaps the simplest framework for internal control draws a distinction between

  • Control environment – the overall context of control, in particular the attitude of directors and managers towards control
  • Control procedures – the detailed controls in place

The Turnbull report on Internal Control also highlights the importance of

  • Information and communication processes
  • Processes for monitoring the continuing effectiveness of the system of internal control

However, any internal control system can only provide the directors with reasonable assurance that their objectives are reached. This is because of inherent limitations, such as human error or fraud, collusion between employees and controls being overridden by managers.

2 Internal control environment and procedures

The control environment is influenced by management’s attitude towards control, the organisational structure and the values and abilities of employees.

2.1 Nature of control environment

The control environment is the overall attitude, awareness and actions of directors and management regarding internal controls and their importance in the entity. The control environment encompasses the management style, and corporate culture and values shared by all employees. It provides the background against which the various other controls are operated.


The following are elements of a strong control environment.

  • Clear strategies for dealing with the significant risks that have been identified
  • The company’s culture, code of conduct, human resource policies and performance reward systems supporting the business objectives and risk management and internal control systems
  • Senior management demonstrating through its actions and policies commitment to competence, integrity and fostering a climate of trust within the company
  • Clear definition of authority, responsibility and accountability so that decisions are made and actions are taken by the appropriate people
  • Communication to employees of what is expected of them and scope of their freedom to act
  • People in the company having the knowledge, skills and tools to support the achievements of the organisation’s objectives and to manage effectively its risks

However, a strong control environment does not, by itself, ensure the effectiveness of the overall internal control system although it will have a major influence on it.

The control environment will have a major impact on the establishment of business objectives, the structuring of business activities and dealing with risks.  

Controls can be classified in various ways including administrative and accounting; prevent, detect and correct; discretionary and non-discretionary; voluntary and mandated; manual and automated.

The mnemonic SPAMSOAP can be used to remember the main types of control.

2.2 Classification of control procedures 

You may find internal controls classified in different ways; these are considered below. Classification of controls can be important because different classifications of control are tested in different ways.

| Classification | Detail |
| --- | --- |
| Administration | These are concerned with achieving the objectives of the organisation and with implementing policies. These controls relate to channels of communication and reporting responsibilities. |
| Accounting | These controls aim to provide accurate accounting records and to achieve accountability. They apply to recording transactions and establishing responsibilities for records, transactions and assets. |
| Prevent | These are controls designed to prevent errors from happening in the first place. For example, checking invoices from suppliers against goods received notes before paying the invoices. |
| Detect | These are designed to detect errors once they have happened. Examples include bank reconciliations and physical checks of inventory against inventory records. |
| Correct | These are designed to minimise or negate the effect of errors. An example would be a back-up of computer input at the end of the day. |

QUESTION: Prevent controls

How can prevent controls be used to measure performance and efficiency?


In the above examples the system outputs could include information about, say, the time lag between delivery of goods and invoicing:

  • As a measure of the efficiency of the invoicing section
  • As an indicator of the speed and effectiveness of communications between the despatch department and the invoicing department
  • As relevant background information in assessing the effectiveness of cash management

You should be able to think of plenty of other examples. Credit notes reflect customer dissatisfaction, for example: how quickly are they issued?


2.2.1 Other classifications

| Classification | Detail |
| --- | --- |
| Discretionary | These are controls which are subject to human discretion. For example, checking a signature on a purchase order. |
| Non-discretionary | These are controls which are provided automatically by the system and cannot be overridden. For example, entering a pin number at a cash dispensing machine. |
| Voluntary | These controls are chosen by the organisation to support the management of the business. |
| Mandated | These controls are required by law and imposed by external authorities. |
| Manual | These controls demonstrate a one-to-one relationship between the processing functions and controls, and the human functions. |
| Automated | These controls are programmed procedures designed to prevent, detect and correct errors all the way through processing. |

| Classification | Detail |
| --- | --- |
| General | These controls are used to reduce the risks associated with the computer environment. General controls are controls which relate to the environment in which the application is operated. For example, change management controls are designed to ensure that changes meet the organisation’s requirements and have been authorised. |
| Application | These controls are used to reduce the risks associated with the computer environment. Application controls are controls that prevent, detect and correct errors. For example, completeness checks to ensure that all records have been processed from initiation to completion. |
| Financial | These controls focus on the key transaction areas, with the emphasis being on the safeguarding of assets and the maintenance of proper accounting records and reliable financial information. |

2.3 Types of financial control procedure

The following is a useful summary of the types of financial control procedure. It is often remembered using the mnemonic ‘SPAMSOAP’.

  • Segregation of duties. For example, the chairman/Chief Executive roles should be split.
  • Physical. These are measures to secure the custody of assets, eg only authorised personnel are allowed to move funds on to the money market.
  • Authorisation and approval. All transactions should require authorisation or approval by an appropriate responsible person; limits for the authorisations should be specified, eg a remuneration committee is staffed by non-executive directors (NEDs) to decide directors’ pay.
  • Management. Management should provide control through analysis and review of accounts, eg variance analysis, provision of internal audit services.
  • Supervision. Supervision of the recording and operations of day-to-day transactions ensures that all individuals are aware that their work will be checked, reducing the risk of falsification or errors, eg budgets, managers’ review, exception or variance reports.
  • Organisation. By identifying reporting lines, levels of authority and responsibility, this ensures everyone is aware of their control (and other) responsibilities, especially in ensuring adherence to management policies, eg avoid staff reporting to more than one manager. Procedures manuals will be helpful here.
  • Arithmetical and accounting. The correct and accurate recording and processing of transactions, eg reconciliations and trial balances should be checked.
  • Personnel. Attention should be given to selection, training and qualifications of personnel, as well as personal qualities; the quality of any system is dependent on the competence and integrity of those who carry out control operations, eg use only qualified staff as internal auditors.

2.4 Internal checks

Internal controls should not be confused with internal checks, which have a more restricted definition.

Internal checks are defined as the checks on the day-to-day transactions whereby the work of one person is proved independently or is complementary to the work of another, the object being the prevention or early detection of errors and fraud. It includes matters such as the delegation and allocation of authority and the division of work, the method of recording transactions and the use of independently ascertained totals, against which a large number of individual items can be proved.


Internal checks are an important feature of the day-to-day control of financial transactions and the accounting system. Arithmetical internal checks include pre-lists, post-lists and control totals.

  • A pre-list is a list that is drawn up before any processing takes place.
  • A post-list is a list that is drawn up during or after processing.
  • A control total is a total of any sort used for control purposes by comparing it with another total that ought to be the same.


A pre-list total is a control total. For example, when cash is received by post, a pre-list is prepared and the receipts are then recorded individually in the cash book. Adding up the individual entries in the cash book gives a second control total, which can be compared with, and should agree with, the pre-list control total. Control totals, as you should already be aware, are frequently used in computer processing.
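The pre-list check described above can be automated. The following Python sketch is an added example, not part of the original study text. It goes beyond the text by comparing item by item as well as in total, because two compensating errors can leave the totals in agreement. The receipt references, amounts and function names are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass(frozen=True)
class Receipt:
    ref: str         # remittance reference (constructed sample value)
    amount: Decimal  # amount received


@dataclass
class Reconciliation:
    pre_list_total: Decimal
    cash_book_total: Decimal
    pre_list_count: int
    cash_book_count: int
    missing: list = field(default_factory=list)     # on pre-list, not in cash book
    unexpected: list = field(default_factory=list)  # in cash book, not on pre-list
    altered: list = field(default_factory=list)     # same ref, different amount
    duplicated: list = field(default_factory=list)  # entered more than once

    @property
    def difference(self):
        return self.cash_book_total - self.pre_list_total

    @property
    def agrees(self):
        # Totals AND counts AND item-level comparison must all be clean.
        return (self.difference == 0
                and self.pre_list_count == self.cash_book_count
                and not (self.missing or self.unexpected
                         or self.altered or self.duplicated))

    @property
    def possible_transposition(self):
        # Swapping two digits of a figure changes it by a multiple of 9,
        # so a difference divisible by 9 (in pence) hints at a keying error.
        pence = int(abs(self.difference) * 100)
        return pence != 0 and pence % 9 == 0


def reconcile(pre_list, cash_book):
    """Compare the pre-list control total with the cash book control total."""
    pre = {r.ref: r.amount for r in pre_list}
    book = {r.ref: r.amount for r in cash_book}
    result = Reconciliation(
        pre_list_total=sum((r.amount for r in pre_list), Decimal("0")),
        cash_book_total=sum((r.amount for r in cash_book), Decimal("0")),
        pre_list_count=len(pre_list),
        cash_book_count=len(cash_book),
    )
    result.missing = sorted(set(pre) - set(book))
    result.unexpected = sorted(set(book) - set(pre))
    result.altered = sorted(
        ref for ref in set(pre) & set(book) if pre[ref] != book[ref])
    entered = Counter(r.ref for r in cash_book)
    result.duplicated = sorted(ref for ref, n in entered.items() if n > 1)
    return result


def receipts(rows):
    return [Receipt(ref, Decimal(amount)) for ref, amount in rows]


# Constructed sample data: the pre-list drawn up when the post is opened.
PRE_LIST = receipts([("R001", "120.00"), ("R002", "75.50"),
                     ("R003", "310.45"), ("R004", "64.00")])

# Cash book with one keying error: 310.45 entered as 301.45.
CASH_BOOK_TRANSPOSED = receipts([("R001", "120.00"), ("R002", "75.50"),
                                 ("R003", "301.45"), ("R004", "64.00")])

# Cash book where one receipt is omitted and an unlisted one of the same
# amount is entered: the control totals agree, the items do not.
CASH_BOOK_COMPENSATING = receipts([("R001", "120.00"), ("R002", "75.50"),
                                   ("R003", "310.45"), ("R005", "64.00")])

if __name__ == "__main__":
    for name, book in [("transposed", CASH_BOOK_TRANSPOSED),
                       ("compensating", CASH_BOOK_COMPENSATING)]:
        r = reconcile(PRE_LIST, book)
        print(name, "difference:", r.difference, "agrees:", r.agrees,
              "missing:", r.missing, "unexpected:", r.unexpected,
              "altered:", r.altered,
              "transposition?", r.possible_transposition)
```
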

2.5 Aims of internal checks

Segregate tasks, so that the responsibility for particular actions, or for defaults or omissions, can be traced to an individual person.

Create and preserve the records that act as confirmation of physical facts and accounting entries.

Break down routine procedures into separate steps or stages, so as to facilitate an even flow of work and avoid bottlenecks.

Reduce the possibility of fraud and error. The aim should be to prevent fraud and error rather than to be able to detect it after it has happened. Efficient internal checks make extensive fraud virtually impossible, except by means of collusion between two or more people.

Internal checks, importantly, imply a division of work, so that the work of one person is either proved independently or else is complementary to the work of another person.

2.6 Characteristics of a good internal control system

  • A clearly defined organisation structure
    • Different operations must be separated into appropriate divisions and subdivisions.
    • Officers must be appointed to assume responsibility for each division.
    • Clear lines of responsibility must exist between each division and subdivision and the board.
    • There must be overall co-ordination of the company’s activities (through corporate planning).
  • Adequate internal checks
    • Separation of duties for authorising a transaction, custody of the assets obtained by means of the transaction and recording the transaction.
    • ‘Proof measures’ such as control totals, pre-lists and bank reconciliations should be used.
  • Acknowledgement of work done: persons who carry out a particular job should acknowledge their work by means of signatures, initials, rubber stamps, and so on
  • Protective devices for physical security
  • Formal documents should acknowledge the transfer of responsibility for goods. When goods are received, a goods-received note should be used to acknowledge receipt by the storekeeper.
  • Pre-review: the authorisation of a transaction (for example a cash payment, or the purchase of an asset) should not be given by the person responsible without first checking that all the proper procedures have been carried out
  • A clearly defined system for authorising transactions within specified spending limits
  • Post-review: completed transactions should be reviewed after they have happened; for example, monthly statements of account from suppliers should be checked against the purchase ledger accounts of those suppliers.
  • There should be authorisation, custody and re-ordering
    • Funds and property of the company should be kept under proper custody. Access to assets (either direct or by documentation) should be limited to authorised personnel.
    • Expenditure should only be incurred after authorisation and all expenditures are properly accounted for.
    • All revenue must be properly accounted for and received in due course.
  • Personnel should have the capabilities and qualifications necessary to carry out their responsibilities properly.
  • An internal audit department should be able to verify that the control system is working and to review the system to ensure that it is still appropriate for current circumstances.

2.7 Limitations on the effectiveness of internal controls

Not only must a control system include sufficient controls, but these controls must also be applied properly and honestly.

  • Internal controls depending on segregation of duties can be avoided by the collusion of two or more people responsible for those duties.
  • Authorisation controls can be abused by the person empowered to authorise the activities.
  • Management can often override the controls they have set up themselves.

3 Internal audit and internal control

3.1 Internal audit

Internal audit has been defined as:

An independent appraisal activity established within an organisation as a service to it. It is a control which functions by examining and evaluating the adequacy and effectiveness of other controls. The investigative techniques developed are applied to the analysis of the effectiveness of all parts of an entity’s operations and management.


The work of internal audit is distinct from the external audit which is carried out for the benefit of shareholders only and examines published accounts. Internal audit is part of the internal control system.

3.2 The need for internal audit

The role of internal audit will vary according to the organisation’s objectives but is likely to include review of internal control systems, risk management, legal compliance and value for money.

The UK Corporate Governance Code (FRC, 2018) states that companies without an internal audit function should provide an explanation for the absence, describe how internal assurance is achieved, and how this affects the work of external audit.

The need for internal audit will depend on:

  • The scale, diversity and complexity of the company’s activities
  • The number of employees
  • Cost-benefit considerations
  • Changes in the organisational structures, reporting processes or underlying information systems
  • Changes in key risks
  • Problems with internal control systems
  • An increased number of unexplained or unacceptable events

Although there may be alternative means of carrying out the routine work of internal audit, those carrying out the work may be involved in operations and hence lack objectivity.

3.3 Objectives of internal audit

The role of the internal auditor has expanded in recent years as internal auditors seek to monitor all aspects (not just accounting) of the business, and add value to their organisation. The work of the internal auditor is still prescribed by management, but it may cover the following broad areas.

  • Review of the accounting and internal control systems. The establishment of adequate accounting and internal control systems is a responsibility of management and the directors. Internal audit is often assigned specific responsibility for the following tasks.
    • Reviewing the design of the systems
    • Monitoring the operation of the systems by risk assessment and detailed testing
    • Recommending cost-effective improvements

Review will cover both financial and non-financial controls.

  • Examination of financial and operating information. This may include review of the means used to identify, measure, classify and report such information and specific enquiry into individual items including detailed testing of transactions, balances and procedures.
  • Review of the economy, efficiency and effectiveness of operations
  • Review of compliance with laws, regulations and other external requirements and with internal policies and directives and other requirements including appropriate authorisation of transactions
  • Review of the safeguarding of assets
  • Review of the implementation of corporate objectives. This includes review of the effectiveness of planning, the relevance of standards and policies, the company’s corporate governance procedures and the operation of specific procedures, such as communication of information.
  • Identification of significant business and financial risks, monitoring the organisation’s overall risk management policy to ensure it operates effectively, and monitoring the risk management strategies to ensure they continue to operate effectively
  • Special investigations into particular areas, for example suspected fraud

3.4 Internal audit and risk management

Internal audit will play a significant part in the organisation’s risk management processes, being required to assess and advise on how risks are countered. Internal audit’s work will be influenced by the organisation’s appetite for bearing risks, but internal audit will assess:

  • The adequacy of the risk management and response processes for identifying, assessing, managing and reporting on risk
  • The risk management and control culture
  • The internal controls in operation to limit risks
  • The operation and effectiveness of the risk management processes

The areas auditors will concentrate on will depend on the scope and priority of the assignment and the risks identified. Where the risk management framework is insufficient, auditors will have to rely on their own risk assessment and will focus on recommending an appropriate framework. Where a framework for risk management and control is embedded in operations, auditors will aim to use management assessment of risks and concentrate on auditing the risk management processes.

3.5 The features of internal audit

From these definitions the two main features of internal audit emerge.

  • Independence. Although an internal audit department is part of an organisation, it should be independent of the line management whose sphere of authority it may audit.
  • Appraisal. Internal audit is concerned with the appraisal of work done by other people in the organisation, and internal auditors should not carry out any of that work themselves. The appraisal of operations provides a service to management.

3.6 Types of audit

Internal audit is a management control, as it is a tool used to ensure that other internal controls are working satisfactorily. An internal audit department may be asked by management to look into any aspect of the organisation.

Five different types of audit can be distinguished. (The first three types are considered further in the following paragraphs.)

  • Operational audit
  • Systems audit
  • Transactions audit
  • Social audit
  • Management investigations

Operational audits can be concerned with any sphere of a company’s activities. Their prime objective is the monitoring of management’s performance at every level, to ensure optimal functioning according to predetermined criteria. They concentrate on the outputs of the system, and the efficiency of the organisation. They are also known as ‘management’, ‘efficiency’ or ‘value for money’ audits.

A systems audit is based on a testing and evaluation of the internal controls within an organisation so that those controls may be relied on to ensure that resources are being managed effectively and information provided accurately. Two types of tests are used.

  • Compliance tests seek evidence that the internal controls are being applied as prescribed.
  • Substantive tests substantiate the entries in the figures in accounts. They are used to discover errors and omissions.

The auditor will be interested in a variety of processing errors when performing compliance tests.

  • At the wrong time
  • Incompleteness
  • Omission
  • Error
  • Fraud

The key importance of the two types of test is that, if the compliance tests reveal that internal controls are working satisfactorily, then the amount of substantive testing can be reduced, and the internal auditor can concentrate the audit effort on those areas where controls do not exist or are not working satisfactorily.

3.7 Example

Suppose a department within a company processes travel claims which are eventually paid and recorded on the general ledger.

  • When conducting compliance tests, the internal auditor is looking at the controls in the travel claim section to see if they are working properly. This is not the same as looking at the travel claims themselves. For example, one of the internal controls might be that a clerk checks the addition on the travel claim and initials a box to say that they have done so. If they fail to perform this arithmetic check, then there has been a control failure – regardless of whether the travel claim had, in fact, been added up correctly or incorrectly.
  • When conducting substantive tests, the internal auditor is examining figures which they have extracted directly from the company’s financial records. For this sort of test, the auditor is concerned only with establishing whether or not the figure in the ledger is correct. They are not concerned as to how it got there.

A transactions or probity audit aims to detect fraud and uses only substantive tests.

3.8 Accountability 

The internal auditor is accountable to the highest executive level in the organisation, preferably to the audit committee of the Board of Directors. There are three main reasons for this requirement.

  • The auditor needs access to all parts of the organisation.
  • The auditor should be free to comment on the performance of management.
  • The auditor’s report may need to be actioned at the highest level to ensure its effective implementation.

3.9 Independence

Given an acceptable line of responsibility and clear terms of authority, it is vital that the internal auditor is and is seen to be independent. Independence for the internal auditor is established by three things.

  • The responsibility structure 
  • The auditor’s own approach 
  • The auditor’s mandatory authority

Internal audit requires a highly professional approach which is objective, detached and honest. Independence is a fundamental concept of auditing and this applies just as much to the internal auditor as to the external auditor. The internal auditor should not install new procedures or systems; neither should they engage in any activity which they would normally appraise, as this might compromise their independence.

QUESTION: Internal control systems

The Midas Mail Order Company operates a central warehouse from which all merchandise is distributed by post or carrier to the company’s 10,000 customers. An outline description of the sales and cash collection system is set out below.

Sales and cash collection system

  • Stage: Customer orders merchandise (orders by phone or through the post)
    • Staff responsible: Sales dept, sales assistants
    • Documentation: Multiple copy order form (with date, quantities, price marked on them)
    • Copies 1-3 sent to warehouse. Copy 4 sent to accounts dept. Copy 5 retained in sales dept.
  • Stage: Merchandise requested from inventory rooms by despatch clerks
    • Staff responsible: Storekeepers
    • Documentation: Copies 1-3 handed to storekeepers. Forms marked as merchandise taken from inventory.
    • (Note. If merchandise is not in inventories held, the storekeepers retain copies 1-3 until inventory room is
    • Copies 1-2 handed to despatch clerks. Copy 3 retained by storekeepers.
  • Stage: Merchandise despatched
    • Staff responsible: Despatch bay, despatch clerks
    • Documentation: Copy 2 marked when goods despatched and sent to accounts department
  • Stage: Customers invoiced
    • Staff responsible: Accounts dept: receivables ledger clerks
    • Documentation: 2-copy invoice prepared from details on copy 2 of order form received from despatch bay
    • Copy 1 of invoice sent to customer. Copy 2 retained by accounts dept and posted to receivables ledger
  • Stage: Cash received (as cheques, bank giro credit, or cash)
    • Staff responsible: Accounts dept: cashier
    • Documentation: 2-copy cash receipt list
    • Copy 1 of cash receipt list retained by cashier
    • Copy 2 passed to receivables ledger clerk

(a) State four objectives of an internal control system.

(b) For the Midas Mail Order Company list four major controls which you would expect to find in the operation of the accounting system described above, and explain the objective of each of these controls.

(c) For each of the four controls identified above, describe briefly two tests which you would expect an internal auditor to carry out to determine whether the control was operating satisfactorily.


(a) Four objectives of an internal control system
    • To enable management to carry on the business of the enterprise in an orderly and efficient manner
    • To satisfy management that their policies are being adhered to
    • To ensure that the assets of the company are safeguarded
    • To ensure, as far as possible, that the enterprise maintains complete and accurate records
(b) Four major controls

(i) Control over customers’ creditworthiness. Before any order is accepted for further processing, established procedures should be followed in order to check the creditworthiness of that customer. For new customers procedures should exist for obtaining appropriate references before any credit is extended. For all existing customers there should be established credit limits and before an order is processed the sales assistants should check to see that the value of the current order will not cause the customer’s balance to rise above their agreed credit limit.

The objective of such procedures is to try to avoid the company supplying goods to customers who are unlikely to be able to pay for them. In this way the losses suffered by the company as a result of bad debts should be minimal.

(ii) Control over the recording of sales and receivables. The most significant document in the system is the multiple order form. These forms should be sequentially pre-numbered and controls should exist over the supplies of unused forms and also to ensure that all order forms completed can be traced through the various stages of processing and agreed to the other documents raised and the various entries made in the accounting records.

The main objective here will be to check the completeness of the company’s recording procedures in relation to the income which it has earned and the assets which it holds in the form of receivables.

(iii) Control over the issue of inventory and the despatch of goods. Control procedures here should be such that goods are not issued from stores until a valid order form has been received and the fact of that issue is recorded both on the order form (copies 1-3) and in the inventory records maintained by the storekeepers.

The objectives here are to see that no goods are released from inventory without appropriate authority and that a record of inventory movements is maintained.

(iv) Control over the invoicing of customers. The main control requirement here will be to use sequentially pre-numbered invoices with checks being carried out to control the completeness of the sequence. Checks should also be conducted to ensure that all invoices are matched with the appropriate order form (copy 2) to confirm that invoices have been raised in respect of all completed orders.

The major concern here will be to ensure that no goods are despatched to customers without an invoice subsequently being raised.

(v)        (The question merely required four controls to be considered, but for the sake of completeness, each of the five main stages in processing as indicated by the question are considered here.)

Control over monies received. There should be controls to ensure that there is an adequate segregation of duties between those members of staff responsible for the updating of the sales records in respect of monies received and those dealing with the receipt, recording and banking of monies. There should also be a regular independent review of aged debtor balances together with an overall reconciliation of the receivables control account with the total of outstanding debts on individual customer accounts.

The objectives here are to ensure that proper controls exist with regard to the complete and accurate recording of monies received, safe custody of the asset cash and the effectiveness of credit control procedures.

(c) Appropriate tests in relation to each of the controls identified in (b) above would be as follows.

(i)         Controls over customers’ creditworthiness

  • For a sample of new accounts opened during the period check to see that suitable references were obtained before the company supplied any goods on credit terms and that the credit limit set was properly authorised and of a reasonable amount.
  • For a sample of customers’ orders check to see that, at the time they were accepted, their invoice value would not have been such as to cause the balance on those customers’ account to go above their agreed credit limit.

(ii)         Controls over the recording of sales and receivables

  • On a sample basis check the completeness of the sequence of order forms and also that the unused inventory of order forms is securely stored.
  • For a sample of order forms raised during the period ensure that they can be traced through the system such that there is either evidence that the order was cancelled or that a valid invoice was subsequently raised.

(iii)        Control over the issue of inventory and the despatch of goods

  • For a sample of entries in the inventory records check to ensure that a valid order form exists for all issues recorded as having been made.
  • Attend the inventory rooms to observe the procedures and check that goods are not issued unless a valid order form has been received and that the appropriate entries are made in the inventory records and on the order form at the time of issue.

(iv)       Control over the invoicing of customers

  • On a sample basis check the completeness of the sequence of invoices raised and also that the unused inventory of invoice forms is securely stored.
  • For a sample of invoices raised during the period ensure that they have been properly matched with the appropriate order form (copy 2).
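The sequence and matching tests in (c)(ii) and (c)(iv) can be run over exported registers. The Python sketch below is an added example, not part of the original answer. It tests the whole population rather than a sample, and the document numbers, status values and function names are constructed assumptions.

```python
from collections import Counter


def sequence_check(numbers):
    """Completeness test for pre-numbered documents.

    Returns (missing, duplicated) between the lowest and highest number
    seen. Missing numbers must be explained (spoiled, cancelled, unused).
    """
    counts = Counter(numbers)
    if not counts:
        return [], []
    lowest, highest = min(counts), max(counts)
    missing = [n for n in range(lowest, highest + 1) if n not in counts]
    duplicated = sorted(n for n, c in counts.items() if c > 1)
    return missing, duplicated


def trace_orders(orders, invoices):
    """Trace every order form to an invoice or to evidence of cancellation.

    orders:   {order_no: status}; status is an assumed register field with
              values "despatched", "cancelled" or "awaiting_stock".
    invoices: list of (invoice_no, order_no) pairs from the invoice copy 2
              file, each matched to copy 2 of an order form.
    """
    billed = Counter(order_no for _, order_no in invoices)
    return {
        # Goods left the warehouse but no invoice was raised: lost income.
        "despatched_not_invoiced": sorted(
            o for o, status in orders.items()
            if status == "despatched" and billed[o] == 0),
        # Invoice raised although the order was cancelled or is still
        # waiting for stock: receivables overstated.
        "invoiced_not_despatched": sorted(
            o for o, status in orders.items()
            if status != "despatched" and billed[o] > 0),
        # Same order form matched to more than one invoice.
        "invoiced_more_than_once": sorted(
            o for o in orders if billed[o] > 1),
        # Invoice cites an order number that is not in the order register.
        "invoice_without_order": sorted(
            inv for inv, o in invoices if o not in orders),
    }


# Constructed sample registers (not real data).
ORDERS = {
    1001: "despatched",
    1002: "cancelled",
    1003: "despatched",
    # 1004 is absent from the register: a break in the sequence
    1005: "despatched",
    1006: "awaiting_stock",
}

INVOICES = [
    (5001, 1001),
    (5002, 1003),
    # 5003 is absent: a break in the invoice sequence
    (5004, 1003),  # second invoice for order 1003
    (5005, 1002),  # invoice for a cancelled order
    (5006, 1009),  # order 1009 does not exist
]

if __name__ == "__main__":
    print("order forms  :", sequence_check(ORDERS))
    print("invoices     :", sequence_check([inv for inv, _ in INVOICES]))
    for finding, items in trace_orders(ORDERS, INVOICES).items():
        print(f"{finding:24}: {items}")
```
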


4 External audit

Internal auditors are employees of the organisation whose work is designed to add value and who report to the audit committee. External auditors are from accountancy firms and their role is to report on the financial statements to shareholders.

Both internal and external auditors review controls, and external auditors may place reliance on internal auditors’ work providing they assess its worth.

External audit is a periodic examination of the books of account and records of an entity carried out by an independent third party (the auditor) to ensure that they have been properly maintained, are accurate and comply with established concepts, principles, accounting standards and legal requirements and give a true and fair view of the financial state of the entity.


It cannot be overemphasised that the primary purpose of an external audit is to review the books and records in order to give a professional opinion on whether the financial statements represent a true and fair view of the organisation.

4.1 Differences between internal and external audit

The following table highlights the differences between internal and external audit.

  • Reason
    • Internal audit: Internal audit is an activity designed to add value and improve an organisation’s operations.
    • External audit: External audit is an exercise to enable auditors to express an opinion on the financial statements.
  • Reporting to
    • Internal audit: Internal audit reports to the board of directors, or others charged with governance, such as the audit committee.
    • External audit: The external auditors report to the shareholders, or members, of a company on the stewardship of the directors.
  • Relating to
    • Internal audit: Internal audit’s work relates to the operations of the organisation.
    • External audit: External audit’s work relates to the financial statements. They are concerned with the financial records that underlie these.
  • Relationship with the company
    • Internal audit: Internal auditors are very often employees of the organisation, although sometimes the internal audit function is outsourced.
    • External audit: External auditors are independent of the company and its management. They are appointed by the shareholders.

The table shows that, although some of the procedures that internal audit undertake are very similar to those undertaken by the external auditors, the whole basis and reasoning of their work is fundamentally different.

The difference in objectives is particularly important. Every definition of internal audit suggests that it has a much wider scope than external audit, which has the objective of considering whether the accounts give a true and fair view of the organisation’s financial position.

4.2 Relationship between external and internal audit

Co-ordination between the external and internal auditors of an organisation will minimise duplication of work and encourage a wide coverage of audit issues and areas. Co-ordination should have the following features.

  • Periodic meetings to plan the overall audit to ensure adequate coverage
  • Periodic meetings to discuss matters of mutual interest
  • Mutual access to audit programmes and working papers
  • Exchange of audit reports and management letters
  • Common development of audit techniques, methods and terminology

4.3 Assessment by external auditors

Where the external auditors wish to rely on the work of the internal auditors, then the external auditors must assess the internal audit function, as with any part of the system of internal control. The following important criteria will be considered by the external auditors.

  • Organisational status

Internal audit’s specific status in the organisation and the effect this has on its ability to be objective. Ideally, the internal audit function should have a direct line of communication to the entity’s main board or audit committee, and be free of any other operating responsibility. External auditors should consider any constraints or restrictions placed on internal audit.

  • Scope of function

The nature and extent of the assignments which internal audit performs. External auditors should also consider whether management and the directors act on internal audit recommendations and how this is evidenced.

  • Technical competence

Whether internal audit work is performed by persons having adequate technical training and proficiency as internal auditors. External auditors may, for example, review the policies for hiring and training the internal audit staff and their experience and professional qualifications and also how work is assigned, delegated and reviewed.

  • Due professional care

Whether internal audit work is properly planned, supervised, reviewed and documented. The existence of adequate audit manuals, work programmes and working papers may be considered, as well as consultation procedures.

With regard to audited financial statements, the Financial Reporting Review Panel is responsible for monitoring the use of accounting standards in published financial statements and for examining and questioning the departure from accounting standards by large companies.

QUESTION: External and internal audit

The growing recognition by management of the benefits of good internal control and the complexities of an adequate system of internal control have led to the development of internal auditing as a form of control over all other internal controls. The emergence of internal auditors as specialists in internal control is the result of an evolutionary process similar in many ways to the evolution of independent auditing.


Explain why the internal and independent auditors’ review of internal control procedures differ in purpose.


The internal auditors review and test the system of internal control and report to management in order to improve the information received by managers and to help in their task of running the company. The internal auditors will recommend changes to the system to make sure that management receive objective information that is efficiently produced. The internal auditors will also have a duty to search for and discover fraud.

The external auditors review the system of internal control in order to determine the extent of the substantive work required on the year-end accounts. The external auditors report to the shareholders rather than the managers or directors. It is usual, however, for the external auditors to issue a letter of weakness to the managers, laying out any areas of weakness and recommendations for improvement in the system of internal control. The external auditors report on the truth and fairness of the financial statements, not directly on the system of internal control. The auditors do not have a specific duty to detect fraud, although they should plan the audit procedures so as to have reasonable assurance that they will detect any material misstatement in the accounts on which they give an opinion.


  5   IT systems security and safety
Security is the protection of data from accidental or deliberate threats and the protection of an information system from such threats.

5.1 The responsibilities of ownership

If you own something that you value – you look after it. Information is valuable and it deserves similar care.

Security, in information management terms, means the protection of data from accidental or deliberate threats which might cause unauthorised modification, disclosure or destruction of data, and the protection of the information system from the degradation or non-availability of services.

Security refers to technical issues related to the computer system, psychological and behavioural factors in the organisation and its employees, and protection against the unpredictable occurrences of the natural world.

Security can be subdivided into a number of aspects.

  • Prevention. It is in practice impossible to prevent all threats cost effectively.
  • Detection. Detection techniques are often combined with prevention techniques: a log can be maintained of unauthorised attempts to gain access to a computer system.
  • Deterrence. As an example, computer misuse by personnel can be made grounds for disciplinary action.
  • Recovery procedures. If the threat occurs, its consequences can be contained (for example checkpoint programs).
  • Correction procedures. These ensure the vulnerability is dealt with (for example, by instituting stricter controls).
  • Threat avoidance. This might mean changing the design of the system.

5.2 Physical threats

Physical threats to security may be natural or man made. They include fire, flooding, weather, lightning, terrorist activity and accidental damage.

The physical environment quite obviously has a major effect on information system security, and so planning it properly is an important precondition of an adequate security plan.

5.2.1 Fire

Fire is the most serious hazard to computer systems. Destruction of data can be even more costly than the destruction of hardware.

A fire safety plan is an essential feature of security procedures in order to prevent fire, detect fire and put out the fire.

5.2.2 Water

Water is a serious hazard. Flooding and water damage are often encountered following firefighting activities elsewhere in a building.

This problem can be countered by the use of waterproof ceilings and floors together with the provision of adequate drainage.

5.2.3 Weather

Wind, rain and storms can all cause substantial damage to buildings. In certain areas the risks are greater, for example the risk of typhoons in parts of the Far East. Many organisations make heavy use of prefabricated and portable offices, which are particularly vulnerable.

5.2.4 Lightning

Lightning and electrical storms can play havoc with power supplies, causing power failures coupled with power surges as services are restored.

Power failure can be protected against by the use of a separate generator or rechargeable battery. It may be sufficient to maintain power only long enough to close down the computer system in an orderly manner.

5.2.5 Terrorist activity

Political terrorism is the main risk, but there are also threats from individuals with grudges.

In some cases there is very little that an organisation can do: its buildings may just happen to be in the wrong place and bear the brunt of an attack aimed at another organisation or intended to cause general disruption. Physical access to buildings should be controlled (see the next section).

5.2.6 Accidental damage

People are a physical threat to computer installations: there can be few of us who have not at some time spilt a cup of coffee over a desk covered with papers, or tripped and fallen doing some damage to ourselves or to an item of office equipment.

Combating accidental damage is a matter of having a good office layout and eliminating hazards, such as trailing cables.

QUESTION: Fire and flooding

You are the financial controller of your organisation. The company is in the process of installing a mainframe computer and, because your department will be the primary user, you have been co-opted onto the project team with responsibility for systems installation. You have a meeting at which the office services manager will be present, and you realise that no one has yet mentioned the risks of fire or flooding in the discussions about site selection. Make a note of the issues which you would like to raise under these headings.


  • Fire. Fire security measures can usefully be categorised as preventative, detective and corrective. Preventative measures include siting of the computer in a building constructed of suitable materials and the use of a site which is not affected by the storage of inflammable materials (eg stationery, chemicals). Detective measures involve the use of smoke detectors. Corrective measures may include installation of a sprinkler system (water based or possibly gas based to avoid electrical problems), training of fire officers and good siting of exit signs and fire extinguishers.
  • Flooding. Water damage may result from flooding or from fire recovery procedures. If possible, large installations should not be situated in basements.


5.3 Physical access controls

Physical access controls are designed to prevent intruders getting near to computer equipment and/or storage media.

Physical access controls include the following.

  • Personnel, including receptionists and, outside working hours, security guards, can help control human access.
  • Door locks can be used where frequency of use is low. (This is not practicable if the door is in frequent use.)
  • Locks can be combined with:
    • A keypad system, requiring a code to be entered
    • A card entry system, requiring a card to be ‘swiped’
  • Intruder alarms can also be used.

The best form of access control would be one which recognised individuals immediately, without the need for personnel or cards. However, machines that can identify a person’s fingerprints or scan the pattern of a retina are relatively more expensive, so their use is less widespread.

It may not be cost effective or practical to use the same access controls in all areas. The security requirements of different departments should be estimated, and appropriate measures taken. Some areas will be very restricted, whereas others will be relatively open.

Important aspects of physical access control are door locks and card entry systems. Computer theft is becoming more prevalent as equipment becomes smaller and more portable.

QUESTION: Security measures

You are the chief accountant at your company. Your department, located in an open-plan office, has five networked desktop PCs, two laser printers and a dot matrix printer.

You have just read an article suggesting that the best form of security is to lock hardware away in fireproof cabinets, but you feel that this is impracticable. Make a note of any alternative security measures which you could adopt to protect the hardware.


  • ‘Postcode’ all pieces of hardware. Invisible ink postcoding is popular, but visible marking is a better deterrent. Heated soldering irons are ideal for imprinting postcodes onto objects with a plastic casing.
  • Mark the equipment in other ways. Some organisations spray their hardware with permanent paint, perhaps in a particular colour (bright red is popular) or using stencilled shapes.
  • Hardware can be bolted to desks. If bolts are passed through the desk and through the bottom of the hardware casing, the equipment can be rendered immobile.
  • Ensure that the organisation’s standard security procedures (magnetic passes, keypad access to offices, signing in of visitors, etc) are followed.


  6   Building controls into an information system and cyber security
It is possible to build controls into a computerised information system. A balance must be struck between the degree of control and the requirement for a user-friendly system.

Controls can be classified as:

  • Security controls
  • Contingency controls
  • Integrity controls

6.1 Security controls

Security is needed to mitigate the risks to data which include:

  • Human error
    • Entering incorrect transactions
    • Failing to correct errors
    • Processing the wrong files
  • Technical error such as malfunctioning hardware or software
  • Natural disasters such as fire, flooding, explosion, impact, lightning
  • Deliberate actions such as fraud
  • Commercial espionage
  • Malicious damage
  • Industrial action
  • Cyber-attacks

6.2 Integrity controls

  • Data integrity in the context of security is preserved when data is the same as in source documents and has not been accidentally or intentionally altered, destroyed or disclosed.
  • Systems integrity refers to system operation conforming to the design specification despite attempts (deliberate or accidental) to make it behave incorrectly.


Data will maintain its integrity if it is complete and not corrupted. This means that:

  • The original input of the data must be controlled in such a way as to ensure that the results are complete and correct.
  • Any processing and storage of data must maintain the completeness and correctness of the data captured.
  • Reports or other output should be set up so that they, too, are complete and correct.

6.2.1 Input controls

Input controls should ensure the accuracy, completeness and validity of input.

  • Data verification involves ensuring data entered matches source documents.
  • Data validation involves ensuring that data entered is not incomplete or unreasonable. Various checks can be used, depending on the data type.
    • Check digits. A digit calculated by the program and added to the code being checked to validate it, eg modulus 11 method
    • Control totals. For example, a batch total totalling the entries in the batch
    • Hash totals. A system-generated total used to check processing has been performed as intended
    • Range checks. Used to check the value entered against a sensible range, eg statement of financial position account number must be between 5,000 and 9,999
    • Limit checks. Similar to a range check, but usually based on an upper limit, eg must be less than 999,999.99

Data may be valid (for example in the correct format) but still not match source documents.
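The validation checks listed above, applied to one constructed batch of journal entries (an added example, not part of the study text). The weighting used for the modulus 11 check digit (2, 3, 4... from the right-most digit), the field names and taking the hash total as the sum of account numbers are assumptions; the account range and amount limit are the ones quoted in the list.

```python
from decimal import Decimal
from typing import Optional

ACCOUNT_RANGE = (5000, 9999)          # range check quoted in the text
AMOUNT_LIMIT = Decimal("999999.99")   # limit check quoted in the text


def mod11_check_digit(base: str) -> Optional[str]:
    """Return the modulus 11 check digit for a numeric code.

    Assumed scheme: weights 2, 3, 4... from the right-most digit.
    A result of 10 cannot be written as one digit, so such a base
    code is treated as unusable and None is returned.
    """
    total = sum(int(d) * w for w, d in enumerate(reversed(base), start=2))
    check = (11 - total % 11) % 11
    return None if check == 10 else str(check)


def mod11_valid(code: str) -> bool:
    """True if the last digit of code is the correct check digit."""
    if not code.isdigit() or len(code) < 2:
        return False
    return mod11_check_digit(code[:-1]) == code[-1]


def validate_entry(entry: dict) -> list:
    """Apply the per-entry checks: check digit, range, limit."""
    errors = []
    if not mod11_valid(entry["customer"]):
        errors.append("check digit")
    low, high = ACCOUNT_RANGE
    if not low <= entry["account"] <= high:
        errors.append("range")
    if not entry["amount"] < AMOUNT_LIMIT:
        errors.append("limit")
    return errors


def validate_batch(header: dict, entries: list) -> dict:
    """Check every entry, then reconcile the batch to its header slip."""
    report = {"entry_errors": {}, "batch_errors": []}
    for line_no, entry in enumerate(entries, start=1):
        errors = validate_entry(entry)
        if errors:
            report["entry_errors"][line_no] = errors
    if len(entries) != header["count"]:
        report["batch_errors"].append("record count")
    if sum(e["amount"] for e in entries) != header["control_total"]:
        report["batch_errors"].append("control total")
    if sum(e["account"] for e in entries) != header["hash_total"]:
        report["batch_errors"].append("hash total")
    return report


# Constructed sample. The header holds the totals from the batch slip;
# entries 2 to 4 each contain one keying error.
BATCH_HEADER = {
    "count": 4,
    "control_total": Decimal("1875.50"),
    "hash_total": 21700,
}
BATCH_ENTRIES = [
    {"customer": "123455", "account": 5100, "amount": Decimal("250.00")},
    {"customer": "123545", "account": 5200, "amount": Decimal("125.50")},      # transposed digits
    {"customer": "123455", "account": 4999, "amount": Decimal("500.00")},      # below range
    {"customer": "123455", "account": 6400, "amount": Decimal("1000000.00")},  # over limit
]

if __name__ == "__main__":
    print(validate_batch(BATCH_HEADER, BATCH_ENTRIES))
```

Entry 1 passes every check, yet nothing here proves it matches its source document: that is the job of data verification, not validation.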

6.2.2 Processing controls

Processing controls should ensure the accuracy and completeness of processing. Programs should be subject to development controls and to rigorous testing. Periodic running of test data is also recommended.

6.2.3 Output controls

Output controls should ensure the accuracy, completeness and security of output. The following measures are possible.

  • Investigation and follow-up of error reports and exception reports
  • Batch controls to ensure all items processed and returned
  • Controls over distribution/copying of output
  • Labelling of disks/tapes

6.2.4 Back-up controls

A back-up and archive strategy should include:

  • Regular back up of data (at least daily)
  • Archive plans
  • A disaster recovery plan including off-site storage

Back-up controls aim to maintain system and data integrity. We have classified back-up controls as an integrity control rather than a contingency control (see later in this section) because back ups should be part of the day-to-day procedures of all computerised systems.

Back up means to make a copy in anticipation of future failure or corruption. A back-up copy of a file is a duplicate copy kept separately from the main system and only used if the original fails.


The purpose of backing up data is to ensure that the most recent usable copy of the data can be recovered and restored in the event of loss or corruption on the primary storage media.

In a well-planned data back-up scheme, a copy of backed-up data is delivered (preferably daily) to a secure off-site storage facility.

A tape rotation scheme can provide a restorable history from one day to several years, depending on the needs of the business.

A well-planned back-up and archive strategy should include:

  • A plan and schedule for the regular back up of critical data
  • Archive plans
  • A disaster recovery plan that includes off-site storage (including the cloud)

Regular tests should be undertaken to verify that data backed up can be successfully restored.

The intervals at which back ups are performed must be decided. Most organisations back up their data daily, but back ups may need to be performed more frequently, depending on the nature of the data and of the organisation.

Even with a well planned back-up strategy some re-inputting may be required. For example, if after three hours’ work on a Wednesday a file becomes corrupt, the Tuesday version can be restored – but Wednesday’s work will need to be re-input.

6.2.5 Archiving

A related concept is that of archiving. Archiving data is the process of moving data from primary storage, such as a hard disk, to tape or other portable media for long-term storage.

Archiving provides a legally acceptable business history, while freeing up hard-disk space. If archived data is needed, it can be restored from the archived tape to a hard disk. Archived data can be used to recover from site-wide disasters, such as fires or floods, where data on primary storage devices is destroyed. Archiving also helps avoid the slowdown in processing which may occur if large volumes of data build up on the main operational storage.

How long data should be retained will be influenced by:

  • Legal obligations
  • Other business needs

Data stored for a long time should be tested periodically to ensure it is still restorable – it may be subject to damage from environmental conditions or mishandling.
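Both the regular restore tests in 6.2.4 and the periodic testing of archived data above come down to the same check: a copy restored to a scratch location must match what was originally backed up. One way to do this, as an added example that is not part of the study text: record a SHA-256 manifest when the back up is taken and compare a test restore against it. The file names, the folder layout and the use of a plain directory copy to stand in for the restore job are assumptions.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are safe."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's relative path to its digest (taken at back-up time)."""
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): file_digest(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a test restore with the manifest recorded at back-up time."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "corrupt": sorted(
            name for name in manifest
            if name in restored and manifest[name] != restored[name]
        ),
        "unexpected": sorted(set(restored) - set(manifest)),
    }


def restore_ok(result: dict) -> bool:
    """A restore passes only if nothing is missing, corrupt or unexpected."""
    return not any(result.values())


def demo(damage: bool = True) -> dict:
    """Constructed test restore; with damage=True one file is lost and one truncated."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "live")
        (live / "ledgers").mkdir(parents=True)
        (live / "ledgers" / "sales.csv").write_text("INV-1,250.00\n")
        (live / "ledgers" / "purchases.csv").write_text("PO-7,90.00\n")
        (live / "payroll.csv").write_text("E01,1800.00\n")

        manifest = build_manifest(live)      # recorded when the back up is taken

        restored = Path(tmp, "restored")
        shutil.copytree(live, restored)      # stands in for the restore job
        if damage:
            (restored / "payroll.csv").write_text("E01,1800.0")   # truncated copy
            (restored / "ledgers" / "purchases.csv").unlink()     # file not restored
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    result = demo()
    print(result, "PASS" if restore_ok(result) else "FAIL")
```

The manifest should be stored separately from the back-up media, otherwise damage to the media can affect both.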

6.2.6 Passwords and logical access systems

A password is a set of characters which may be allocated to a person, a terminal or a facility, and which must be keyed into the system before further access is permitted.


Unauthorised persons may circumvent physical access controls. A logical access system can prevent access to data and program files through measures such as the following.

  • Identification of the user
  • Checks on user authority
  • Authentication of user identity

Virtually all computer installations use passwords. Failed access attempts may be logged. Passwords are not foolproof.

  • Standard system passwords (such as 1234) given when old passwords are reset or provided to new employees must be changed.
  • Passwords must never be divulged to others and must never be written down.
  • Passwords must be changed regularly – and changed immediately if it is suspected that the password is known by others.
  • Obvious passwords must not be used.

Passwords are also used by administrators to control access rights for the reading, modifying and deleting functions.

6.2.7 Administrative controls

Personnel selection is important. Some employees are always in a position of trust.

  • Computer security officer
  • Database administrator
  • Senior systems analyst

Measures to control personnel include the following.

  • Careful recruitment
  • Systems logs
  • Job rotation and enforced vacations
  • Review and supervision

For other staff, segregation of duties remains a core security requirement. This involves division of responsibilities into separate roles.

  • Data capture and data entry
  • Systems analysis and programming
  • Computer operations

6.2.8 Audit trail

An audit trail shows who has accessed a system and the operations performed.

The original concept of an audit trail is to enable a manager or auditor to follow transactions stage by stage through a system to ensure that they have been processed correctly. The intention is to:

  • Identify errors
  • Detect fraud

Modern integrated computer systems have cut out much of the time-consuming stage-by-stage working of older systems, but there should still be some means of identifying individual records and the input and output documents associated with the processing of any individual transaction.

An audit trail is a record showing who has accessed a computer system and what operations they have performed. Audit trails are useful both for maintaining security and for recovering lost transactions. Accounting systems include an audit trail component that is able to be output as a report.

In addition, there are separate audit trail software products that enable network administrators to monitor use of network resources.


An audit trail should be provided so that every transaction on a file contains a unique reference (eg a sales system transaction record should hold a reference to the customer order, delivery note and invoice).

Typical contents of an accounting software package audit trail include the following items.

  • A system-generated transaction number
  • A meaningful reference number eg invoice number
  • Transaction type eg reversing journal, credit note, cashbook entry, etc
  • Who input the transaction (user ID)
  • Full transaction details eg net and gross amount, customer ID
  • The PC or terminal used to enter the transaction
  • The date and time of the entry
  • Any additional reference or narration entered by the user
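A sketch of how an extract holding these items can be reviewed (an added example, not part of the study text and not any accounting package's own format). The field names, the `linked_refs` list and the sample records are constructed; the check for gaps in the system-generated transaction numbers goes beyond what the text lists and is included because a missing number suggests a record is absent from the trail.

```python
from datetime import datetime

# Items from the list above that every record is expected to carry.
# Narration is left out because the text describes it as additional.
REQUIRED = ("txn_no", "reference", "txn_type", "user_id",
            "details", "terminal", "entered_at")

# Constructed audit trail extract.
AUDIT_TRAIL = [
    {"txn_no": 1001, "reference": "INV-204", "txn_type": "sales invoice",
     "user_id": "jsmith", "terminal": "PC-03",
     "entered_at": datetime(2024, 3, 4, 9, 15),
     "details": {"customer_id": "C017", "net": "250.00", "gross": "300.00",
                 "linked_refs": ["SO-88", "DN-131"]}},
    {"txn_no": 1002, "reference": "CB-55", "txn_type": "cashbook entry",
     "user_id": "apatel", "terminal": "PC-01",
     "entered_at": datetime(2024, 3, 4, 11, 2),
     "details": {"customer_id": "C017", "gross": "300.00",
                 "linked_refs": ["INV-204"]}},
    {"txn_no": 1004, "reference": "CN-12", "txn_type": "credit note",
     "user_id": "", "terminal": "PC-03",
     "entered_at": datetime(2024, 3, 5, 17, 40),
     "details": {"customer_id": "C017", "gross": "-300.00",
                 "linked_refs": ["INV-204"]}},
]


def review(records: list) -> list:
    """Return (txn_no, problem) findings for an audit trail extract."""
    findings = []
    # 1. Every record must carry all of the required items.
    for rec in records:
        missing = [f for f in REQUIRED if rec.get(f) in (None, "", {})]
        if missing:
            findings.append((rec.get("txn_no"), "missing: " + ", ".join(missing)))
    # 2. System-generated numbers should run without duplicates or gaps.
    numbers = sorted(r["txn_no"] for r in records if r.get("txn_no") is not None)
    for prev, cur in zip(numbers, numbers[1:]):
        if cur == prev:
            findings.append((cur, "duplicate transaction number"))
        elif cur - prev > 1:
            findings.append(
                (prev + 1, "gap: %d record(s) not in trail" % (cur - prev - 1))
            )
    return findings


def trace(records: list, reference: str) -> list:
    """Follow one document through the trail, in order of entry."""
    hits = [
        r for r in records
        if r.get("reference") == reference
        or reference in (r.get("details") or {}).get("linked_refs", [])
    ]
    return sorted(hits, key=lambda r: r["entered_at"])


if __name__ == "__main__":
    for txn_no, problem in review(AUDIT_TRAIL):
        print(txn_no, problem)
    for rec in trace(AUDIT_TRAIL, "INV-204"):
        print(rec["txn_no"], rec["txn_type"], rec["user_id"] or "(no user)")
```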

6.2.9 Systems integrity with a PC

Possible controls relevant to a standalone PC are as follows.

  • Installation of a password routine which is activated whenever the computer is booted up, and activated after periods of inactivity.
  • The use of additional passwords on ‘sensitive’ files eg employee salaries spreadsheet.
  • Any data stored on floppy disk, DVD or CD should be locked away.
  • Physical access controls, for example door locks activated by swipe cards or PIN numbers, to prevent access into the room(s) where the computers are kept.

6.2.10 Systems integrity with a LAN

The main additional risk (when compared with a standalone PC) is the risk of a fault spreading across the system. This is particularly true of viruses. A virus introduced onto one machine could replicate itself throughout the network. All files coming in to the organisation should be scanned using anti-virus software and all machines should have anti-virus software running constantly.

A further risk, depending on the type of network configuration, is that an extra PC could be ‘plugged in’ to the network to gain access to it. The network management software should detect and prevent breaches of this type.

6.2.11 Systems integrity with a WAN

Additional issues over and above those already described are related to the extensive communications links utilised by Wide Area Networks. Dedicated land lines for data transfer and encryption software may be required.

If commercially sensitive data is being transferred it would be necessary to specify high quality communications equipment and to use sophisticated network software to prevent and detect any security breaches.

6.3 Contingency controls


The preparation of a contingency plan (also known as a disaster recovery plan) is one of the stages in the development of an organisation-wide security policy. A contingency plan is necessary in case of a major disaster, or if some of the security measures discussed elsewhere fail.

A disaster occurs where the system for some reason breaks down, leading to potential losses of equipment, data or funds. The system must recover as soon as possible so that further losses are not incurred, and current losses can be rectified.

QUESTION: Causes of system breakdown

What actions or events might lead to a system breakdown?


System breakdowns can occur in a variety of circumstances, for example:

  • Fire destroying data files and equipment
  • Flooding
  • A cyber-attack completely destroying a data or program file
  • A technical fault in the equipment
  • Accidental destruction of telecommunications links (eg builders severing a cable)
  • Terrorist attack
  • System failure caused by software bugs which were not discovered at the design stage
  • Internal sabotage (eg logic bombs built into the software)


6.3.1 Disaster recovery plan

Any disaster recovery plan must provide for:

  • Standby procedures so that some operations can be performed while normal services are disrupted
  • Recovery procedures once the cause of the breakdown has been discovered or corrected
  • Personnel management policies to ensure that the standby and recovery procedures above are implemented properly

6.3.2 Contents of a disaster recovery plan

A disaster recovery plan must cover all activities, from the initial response to a ‘disaster’ through to damage limitation and full recovery. Responsibilities must be clearly spelt out for all tasks.

6.4 Cyber risk, cyber-attack and cyber security

Cyber-attacks have been briefly mentioned in this section; we shall now consider them in more detail in connection with cyber risk and cyber security.

  • Cyber risk is a term that covers a number of organisational risks which are possible consequences of a cyber-attack. Cyber risks include financial losses, reputational damage and operational disruption.
  • Cyber-attacks are deliberate attempts to damage an organisation by using the Internet to take advantage of poor security controls and system integrity.
  • Cyber security is the protection of computer systems from the risk of cyber-attack through the use of hardware and software security procedures and controls.


6.4.1 Key cyber risks

The main risks to an organisation that cyber-attacks may bring include:

  • Financial loss – the risk that the organisation will lose money, either through having funds directly stolen or through the cost of repairing the damage caused by a cyber-attack (including the payment of fines if IT controls are deemed not sufficient to protect customer data).
  • Damage to reputation – the risk that customers and suppliers may view the organisation as a potentially risky partner to deal with.
  • Loss of faith by customers – customers may fear that they will be affected by a cyber-attack themselves through the organisation in future.
  • Disruption to the organisation – the risk that operations will either be reduced or entirely cease due to the attack. For example, an attack may affect the organisation’s financial systems that allow it to pay suppliers or collect money from customers.

6.4.2 Types of cyber attack

The table below contains examples of the common types of cyber-attack.

| Type of cyber attack | Description |
|---|---|
| Phishing | The cyber-attacker sends emails to the victim which appear to be from a trusted source, for example a bank. The emails request that the victim send back security information (such as usernames and passwords) and personal details, which the attacker then uses to steal funds from the victim. |
| Pharming | The cyber-attacker targets an organisation’s website by automatically redirecting visitors from the organisation’s website to a bogus website. The intention is to collect data in order to commit fraud; it is similar to phishing. |
| Hacking | The cyber-attacker uses specialist software and other tools to gain unauthorised access to an organisation’s computer system and take administrative control. Such control allows them to view and copy system records, as well as amend or delete information that they find. Some hackers may try to stop the system working altogether. |
| Distributed Denial of Service (DDoS) attack | The cyber-attacker attempts to disrupt an organisation’s online activities by preventing people from accessing the organisation’s website. Botnets (large numbers of individual computers which have been taken over without the user knowing) are instructed to overwhelm the organisation’s website with a wave of internet traffic so that the system is unable to handle it and may crash. |
| Webcam manager | The cyber-attacker uses software to take control of the user’s webcam. |
| File hijacker/ransomware | The cyber-attacker gains access to the user’s system to hijack their files and hold them to ransom. |
| Keylogging | The cyber-attacker plants software onto the user’s computer to record what the user types onto their keyboard. The objective is to learn passwords and user details to gain access to confidential information. |
| Screenshot manager | The cyber-attacker obtains information from the victim by installing software onto the user’s computer to enable screenshots of the user’s computer screen to be taken. Like other cyber-attacks, the purpose can be to steal information or funds, or may even be to perform corporate espionage. |
| Ad clicker | The cyber-attacker directs the victim’s computer to a bogus website by encouraging them to click on a specific link contained in online advertising. |

Several types of cyber-attack, such as webcam manager, keylogging and screenshot manager, rely on the cyber-attacker installing software onto the victim’s computer. This is often achieved through the use of Trojans. A Trojan is a software program that masquerades as a desirable application, eg a virus checker, which the victim is happy to download and install.

6.4.3 Cyber security methods

The table below contains some common cyber security methods used by organisations.

| Cyber security method | Description |
|---|---|
| Access control | These are physical and network procedures to restrict access to a system. |
| Boundary firewalls and internet gateways | Firewalls and internet gateways are software protection that intercepts data being transmitted in and out of a system. |
| Malware and virus protection | Malware protection software prevents installation and removes suspicious programs (such as Trojans) and viruses from a system. |
| Patch management | This is a system procedure rather than a hardware or software solution. The organisation should ensure that the latest software updates are installed on the system when available. |
| Secure configuration | The organisation should have a policy which states that systems should be set up with cyber security as a priority. |


  7   Impact of Financial Technology (Fintech) on accounting systems
Cloud computing and accounting, automation, artificial intelligence, big data, data analytics, blockchain and distributed ledger technology have all impacted on accounting systems and the work of accountants and auditors.

7.1 Cloud computing and accounting

  • Cloud computing involves the provision of computing as a consumable service instead of a purchased product. It enables system information and software to be accessed by computers remotely as a utility through the Internet.
  • Cloud accounting is the provision of accountancy software through the cloud. Users log in to the accountancy software to process financial transactions and produce management reports in the same way as if the software was installed on their own machine.

A cloud service can be private or public. A public cloud sells services to anyone on the Internet (such as Amazon Web Services and Dropbox). A private cloud is a proprietary network or a data centre that supplies hosted services to a limited number of people. When a service provider uses public cloud resources to create their private cloud, the result is called a virtual private cloud. Private or public, the goal of cloud computing is to provide easy, scalable access to computing resources and IT services.

In the UK, Sage, Quickbooks and Xero (as well as others) provide cloud accounting services. The main benefits of a cloud accounting system over a traditional system installed on individual machines include:

  • System data and the software itself are automatically refreshed and kept up-to-date.
  • Information in the system is available to multiple users simultaneously and globally, providing the users have internet access and a login.
  • Duplication and other system errors and inconsistencies are eliminated because only one set of data is kept and is synchronised to all users.
  • Data is stored in one offsite location and users simply access the information when required. There is no need to transmit the data between users over the internet or by USB stick, increasing data security.
  • Multiple users mean key people can access financial and customer details should they need to.
  • It reduces the cost and complexity of keeping backups of the data because this is performed by the cloud service provider.
  • It reduces the cost and time involved in upgrading the software.
  • It improves support and customer service because the service provider can access the user’s information to help resolve issues.

Despite these benefits, cloud accounting does increase the risk of cyber-attacks and therefore the loss of, or damage to, data. Users are reliant on cyber security and back-ups being taken by the service provider. Organisations also need to ensure that subscriptions and corporate accounts for cloud services are kept up to date: there have been instances of data loss where organisations failed to pay for the service, or failed to update payment details which had changed, and this led to services being withdrawn and data deleted.

Developments in cloud accounting technology have increased the need for staff training in accountancy firms to use the new systems. They have also created a need for new guidance and procedures on using cloud-based infrastructures, and for new infrastructures to be developed to make best use of cloud-based systems.

7.2 Other Financial Technologies (Fintech) 

  • Automation in the context of Fintech refers to the ability of systems to perform routine activities and processing of data without the input of a human.
  • Artificial intelligence refers to the ability of a computer system to assist a human operator to make business decisions or help solve problems.
  • Big data describes sets of data of such size that traditional databases are unable to store, manage or analyse them.
  • Data analytics is the collection, management and analysis of large data sets (such as big data) with the objective of discovering useful information, such as customer buying patterns, that an organisation can use for decision making.
  • Distributed ledger technology (Blockchain) is a technology that allows organisations and individuals who are unconnected to share an agreed record of events, such as ownership of an asset.


7.2.1 Automation and artificial intelligence

A key feature of automation and artificial intelligence systems (collectively known as intelligent systems) is that they harness the ability of computers to learn, make decisions and perform actions based on those decisions. They enable, for example, transactions to be processed without input from humans and for humans to be assisted in making decisions, such as whether to extend credit to customers.

Industries such as manufacturing, transport, and technology have used such systems for some time (such as the use of robots in car manufacturing). However, systems are increasingly being developed for use in professional services, including accountancy and audit.


An example of the use of automation and artificial intelligence in accountancy is in the recording of transactions in financial systems. Accounting software can automatically download transactions from an organisation’s online bank account. Once this has been done, the system’s artificial intelligence can assign transactions to appropriate nominal codes and record the transactions appropriately in the accounts. This intelligence is achieved by the user recording the transactions manually a few times before the system learns what types of transactions should be assigned to which nominal codes.

For the auditor, systems are available that perform complete checks on financial data held, allowing 100% of transactions to be audited automatically on a continuous basis, removing the need for an auditor to perform routine audit checks to verify transactions.


Such developments mean that the role of the accountant and auditor is changing from recording and verifying low-level transactions to higher-level activities such as producing and analysing reports. This increases the effectiveness of accountants because they can spend less time on simple, routine tasks and more on value-adding services, making better use of the professional knowledge and skills that they have.

7.2.2 Big data and data analytics

The advent of technologies such as social media and smart phones means that organisations are increasingly able to access vast amounts of data. This data may be in various forms (for example, numbers, words, pictures, videos and phone messages), may originate from both inside and outside the organisation, and is commonly known as big data.

Big data originates from a number of sources:

  • Processed data – originating from existing databases of business and other organisations.
  • Open data – originating from public sector data (for example transport, government financial and public service data).
  • Human-sourced data – originating from social networks, blogs, emails, text messages and internet searches.
  • Machine-generated data – originating from fixed and mobile sensors, as well as computer and website logs.

Big data has four characteristics.

  • Volume: This refers to the quantity of data that is available. Big data is available relatively easily and in vast quantities.
  • Velocity: This refers to the speed at which big data can be streamed into the organisation. Big data is often available to an organisation in real time rather than over longer periods such as on a weekly or monthly basis.
  • Variety: Variety concerns the different forms that big data can take. Big data comes from many sources (such as from customers, competitors, suppliers and social media). This variety of sources means that big data is unstructured and can take many forms, so it needs to be analysed carefully before it becomes useful. It also makes it harder to store this data in traditional databases.
  • Veracity: Veracity concerns the trustworthiness or accuracy of big data. Despite an organisation’s best efforts, data sets will contain inaccuracies, bias, anomalies and ‘noise’. Therefore as much as possible needs to be done to clean up the data before it can be trusted as accurate.

Capturing and managing big data is one thing, but to be of use to the organisation the data needs to have meaning. The process of data analytics creates value for the organisation by drawing meaning from the data that the organisation has. This process typically involves assembling the data using fields within the source data itself. The data is then filtered, sorted, highlighted and presented visually using, typically, bar charts and pie charts.


For the accountant and auditor, big data and data analytics can increase the effectiveness of their work. Data analytics on big data can assist with the identification, quantification and management of risk. Predictive analytics helps auditors better target their work on key risks, improving the relevance of audits. For example, it can be used by an auditor to find all sales transactions recorded near to or over the materiality level. Audit technologies may also be embedded within an organisation’s accounting system, allowing the auditor to increasingly rely on the work of the internal audit team.

The main effect of big data and data analytics on the work of auditors is that their focus is shifting towards validating controls within the accounting software and interpreting data, rather than the verification of transactions and traditional control tests. Big data and data analytics also allow an organisation to improve its effectiveness and efficiency by reducing the amount of time it takes to do accounting and audit work, which in turn reduces fees for clients and provides greater assurance over the work performed.

7.2.3 Distributed ledger technology (Blockchain)

Distributed ledger technology (also known as Blockchain) is a technology that eliminates the need for data and information to be stored and managed centrally. Furthermore, this technology allows an accurate, up-to-date, single, trusted and transparent record to be shared between numerous organisations. The concept of Blockchain is best explained through its practical uses.


The diamond industry uses a Blockchain system named Everledger to help prevent fraud and the transfer of stolen goods. All diamonds have unique characteristics (similar to how humans have individual fingerprints). The Everledger system creates an identity for every diamond by recording these unique characteristics. Every time a diamond is bought or sold, the sale is recorded by the system on the Blockchain so that the diamond’s ownership can be traced.

Another example is in relation to the cryptocurrency Bitcoin. Bitcoins are created by individuals or organisations processing data and solving problems (known as mining). Once mined, Bitcoins become the property of the miner and can be traded or transferred. Every transaction is recorded on a Blockchain. The Blockchain stores the transaction history of all Bitcoins, enabling the assurance that only legitimate owners of Bitcoins can spend or transfer them. It also prevents Bitcoins being copied or being illegally generated.


For accountants and auditors, distributed ledgers and Blockchains allow for increased clarity and transparency in the recording of business transactions. This is because transactions can also be posted to a public ledger on a Blockchain. This extra information means that there are more resources available for business planning and valuation, especially in regards to measuring the value of assets (since transactions concerning assets will have an indelible record). Distributed ledgers also reduce the need for auditors to audit transactions and verify the ownership of assets because they have a source of information about the assets that they can trust.
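
The ‘indelible record’ that makes such a ledger trustworthy to an auditor can be illustrated with a minimal hash-chained ledger of diamond sales. This is an added example, not the design of Everledger or Bitcoin: the field names, identifiers and party names are assumptions, and a real distributed ledger also replicates the chain between participants and agrees new entries by consensus.

```python
import hashlib
import json

GENESIS_HASH = "0" * 64  # stands in for "previous hash" on the first block


def block_hash(body):
    """SHA-256 over a canonical JSON encoding of the block body."""
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(encoded).hexdigest()


def append_transfer(chain, diamond_id, seller, buyer):
    """Append a sale record that commits to the hash of the previous block."""
    body = {
        "index": len(chain),
        "diamond_id": diamond_id,
        "seller": seller,
        "buyer": buyer,
        "prev_hash": chain[-1]["hash"] if chain else GENESIS_HASH,
    }
    chain.append({**body, "hash": block_hash(body)})
    return chain[-1]


def verify_chain(chain):
    """Return the index of the first inconsistent block, or None if intact."""
    prev = GENESIS_HASH
    for i, block in enumerate(chain):
        body = {k: v for k, v in block.items() if k != "hash"}
        if (block["index"] != i or block["prev_hash"] != prev
                or block_hash(body) != block["hash"]):
            return i
        prev = block["hash"]
    return None


def trace_ownership(chain, diamond_id):
    """Owner history for one diamond, refusing to answer from an altered
    ledger or from a sale made by someone who is not the recorded owner."""
    bad = verify_chain(chain)
    if bad is not None:
        raise ValueError(f"ledger altered at block {bad}")
    owners = []
    for block in chain:
        if block["diamond_id"] != diamond_id:
            continue
        if owners and block["seller"] != owners[-1]:
            raise ValueError(f"block {block['index']}: seller is not the current owner")
        if not owners:
            owners.append(block["seller"])
        owners.append(block["buyer"])
    return owners


def demo():
    # Constructed sample data: identifiers and party names are invented.
    chain = []
    append_transfer(chain, "DIAMOND-001", "Mine Co", "Cutter Ltd")
    append_transfer(chain, "DIAMOND-002", "Mine Co", "Dealer A")
    append_transfer(chain, "DIAMOND-001", "Cutter Ltd", "Retailer B")
    history = trace_ownership(chain, "DIAMOND-001")

    # Rewrite a past sale on a copy and recompute that block's own hash.
    # The block still looks valid in isolation, but the next block's
    # prev_hash no longer matches, so the change is detected there.
    altered = [dict(b) for b in chain]
    altered[0]["buyer"] = "Party X"
    body = {k: v for k, v in altered[0].items() if k != "hash"}
    altered[0]["hash"] = block_hash(body)
    return history, verify_chain(chain), verify_chain(altered)


if __name__ == "__main__":
    print(demo())
```

To hide the change, every later block would have to be rewritten as well, on every participant's copy of the ledger, which is what lets an auditor rely on the record.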




  • Internal controls should help organisations counter risks, maintain the quality of reporting and comply with laws and regulations. They provide reasonable assurance that the organisations will fulfil their objectives.
  • Internal control frameworks include the control environment within which internal controls operate. Other important elements are the risk assessment and response processes, the sharing of information and monitoring the environment and operation of the control system.
  • The control environment is influenced by management’s attitude towards control, the organisational structure and the values and abilities of employees.


Controls can be classified in various ways including administrative and accounting; prevent, detect and correct; discretionary and non-discretionary; voluntary and mandated; manual and automated.

The mnemonic SPAMSOAP can be used to remember the main types of control.

  • The role of internal audit will vary according to the organisation’s objectives but is likely to include review of internal control systems, risk management, legal compliance and value for money.
  • Internal auditors are employees of the organisation whose work is designed to add value and who report to the audit committee. External auditors are from accountancy firms and their role is to report on the financial statements to shareholders.
  • Both internal and external auditors review controls, and external auditors may place reliance on internal auditors’ work providing they assess its worth.
  • Security is the protection of data from accidental or deliberate threats and the protection of an information system from such threats.
  • Security, in information management terms, means the protection of data from accidental or deliberate threats which might cause unauthorised modification, disclosure or destruction of data, and the protection of the information system from the degradation or non-availability of services.
  • Physical threats to security may be natural or man made. They include fire, flooding, weather, lightning, terrorist activity and accidental damage.
  • Physical access controls are designed to prevent intruders getting near to computer equipment and/or storage media.
  • It is possible to build controls into a computerised information system. A balance must be struck between the degree of control and the requirement for a user-friendly system.




  • A back-up and archive strategy should include:
    – Regular back up of data (at least daily)
    – Archive plans
    – A disaster recovery plan including off-site storage
  • An audit trail shows who has accessed a system and the operations performed.
  • A disaster recovery plan must cover all activities, from the initial response to a ‘disaster’ through to damage limitation and full recovery. Responsibilities must be clearly spelt out for all tasks.
  • Cloud computing and accounting, automation, artificial intelligence, big data, data analytics, Blockchain and distributed ledger technology have all impacted on accounting systems and the work of accountants and auditors.

  • The internal control system comprises which two of the following.
    • A Control accounting
    • B Control environment
    • C Control procedures
    • D Control audit
  • Match the control and control type.
    • Checking of delivery notes against invoices
    • Back up of computer input
    • Bank reconciliation
    • Prevent
    • Detect
    • Correct
  • A …………………………………. control is required by law and imposed by external authorities.
  • An operational audit is also known as: (tick all that apply).
    • A system audit
    • An efficiency audit
    • A management audit
    • A value for money audit

  • Internal auditors are not required to consider fraud.


  • A record showing who has accessed a computer system is called:
    • A fraud trail
    • An audit trail
    • A computer trail
    • A password trail
  • Pharming is a form of cyber-attack that directs the victim’s computer to a bogus website by encouraging them to click on a specific link contained in online advertising


  • Which of the following is an impact of automation on the role of accountants?
    • There is an increased need to verify business transactions
    • Their time is freed up so they can focus on value-adding activities
    • They no longer need to verify the ownership of assets
    • They can trust the valuation of assets within the accounting system



  • B, C The internal control system comprises the control environment and control procedures


  • A mandated control is required by law and imposed by external authorities.


  • A system audit
  • An efficiency audit
  • A management audit
  • A value for money audit

  • Internal auditors should be alert to fraud as part of risk management.
  • B An audit trail shows who has accessed a system and the operations performed.
  • It is ad clicker that directs the victim’s computer to a bogus website by encouraging them to click on a specific link contained in online advertising. Pharming has a similar effect, but involves automatically redirecting a visitor from an organisation’s legitimate website to a bogus website.
  • B Automation takes over the routine processing of transactions so that accountants can focus their attention on value-adding activities such as producing and analysing reports. Distributed ledger technology reduces the need to verify ownership of assets and enables the valuation of assets to be trusted.


















10 Identifying and preventing fraud 


This chapter considers the various types of fraud that an organisation may be prone to (Section 1) and which may have to be investigated by internal audit (Chapter 9). It is important that you are able to identify signs of fraud in different circumstances (Section 2).

You also need to have a good knowledge of how fraud is both prevented and detected. Although there may be significant costs involved in implementing a good system of fraud prevention, the consequences of successful fraud may be very serious, both for the reputation of the organisation and the position of its directors. Sections 3, 4 and 5 explore these issues.

Money laundering can be a serious problem. Section 6 shows how systems can be set up to help detect and prevent this.

Study Guide Intellectual level

C7 Fraud and fraudulent behaviour and their prevention in business

(a) Explain the circumstances under which fraud is likely to arise.
(b) Identify different types of fraud in the organisation. K
(c) Explain the implications of fraud for the organisation. K
(d) Explain the role and duties of individual managers in the fraud detection and prevention process. K
(e) Define the term money laundering. K
(f) Give examples of recognised offences under typical money laundering regulations. K
(g) Identify methods for detecting and preventing money laundering. K
(h) Explain how suspicions of money laundering should be reported to the appropriate authorities. K

The practical aspects of fraud (where it might actually occur, how it can be detected) are the most likely topics to be examined.
1 What is fraud?

In a corporate context, fraud can fall into one of two main categories.

  • Removal of funds or assets from a business: The most obvious example of this is outright theft, either of cash or of other assets. However, this form of fraud also encompasses more subtle measures, such as overstatement of claims.
  • Intentional misrepresentation of the financial position of the business: This includes the omission or misrecording of the company’s accounting records.

1.1 Removal of funds or assets from a business


Common frauds include payroll frauds, conspiracy with other parties and stealing assets. More subtle measures include teeming and lading and manipulation of bank reconciliations and cashbooks to conceal theft.

1.1.1 Theft of cash

Employees with access to cash may be tempted to steal it. A prime example is theft from petty cash. Small amounts taken at intervals may easily go unnoticed.

1.1.2 Theft of inventory

Similarly, employees may pilfer items of inventory. The most trivial example of this is employees taking office stationery, although larger items may also be taken. These examples are of unsophisticated types of fraud, which generally go undetected because of their immateriality. On the whole, such fraud will tend to be too insignificant to have any serious impact on results or long-term performance.

1.1.3 Payroll fraud

Employees within or outside the payroll department can perpetrate payroll fraud.

  • Employees external to the department can falsify their timesheets, for example by claiming overtime for hours which they did not really work.
  • Members of the payroll department may have the opportunity deliberately to miscalculate selected payslips, either by applying an inflated rate of pay or by altering the hours to which the rate is applied.
  • Alternatively, a fictitious member of staff can be added to the payroll list. The fraudster sets up a bank account in the bogus name and collects the extra cash themselves. This is most feasible in a large organisation with high numbers of personnel, where management is not personally acquainted with every employee.

1.1.4 Teeming and lading

This is one of the best known methods of fraud in the sales ledger area. Basically, teeming and lading is the theft of cash or cheque receipts. Setting subsequent receipts, not necessarily from the same customer, against the outstanding debt conceals the theft.
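
Because the concealment relies on crediting one customer's account with another customer's money, it leaves a trace that can be tested for: the payer shown on the bank statement differs from the customer credited in the sales ledger. The check below is an added example, not part of the original text; the record layout, references and customer names are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample data (all names and references are invented).
# BANK_RECEIPTS is taken from the bank statement, which the cashier cannot edit;
# LEDGER_ALLOCATIONS is what was posted to customer accounts in the sales ledger.
BANK_RECEIPTS = [
    {"ref": "R101", "payer": "Bravo Ltd", "amount": Decimal("500.00")},
    {"ref": "R102", "payer": "Charlie plc", "amount": Decimal("500.00")},
    {"ref": "R103", "payer": "Delta & Co", "amount": Decimal("320.00")},
]
LEDGER_ALLOCATIONS = [
    {"receipt_ref": "R101", "customer": "Alpha Ltd", "amount": Decimal("500.00")},
    {"receipt_ref": "R102", "customer": "Bravo Ltd", "amount": Decimal("500.00")},
    {"receipt_ref": "R103", "customer": "Delta & Co", "amount": Decimal("320.00")},
]


def _key(name):
    """Normalise a customer name so that case and spacing do not matter."""
    return " ".join(name.casefold().split())


def payer_mismatches(bank_receipts, allocations):
    """Allocations that credit a customer other than the one who paid.

    Returns (receipt_ref, payer_per_bank, customer_credited) tuples; the payer
    is None when the ledger cites a receipt that never reached the bank.
    """
    by_ref = {r["ref"]: r for r in bank_receipts}
    findings = []
    for alloc in allocations:
        receipt = by_ref.get(alloc["receipt_ref"])
        if receipt is None:
            findings.append((alloc["receipt_ref"], None, alloc["customer"]))
        elif _key(receipt["payer"]) != _key(alloc["customer"]):
            findings.append((receipt["ref"], receipt["payer"], alloc["customer"]))
    return findings


def customer_differences(bank_receipts, allocations):
    """Per customer: amount credited in the ledger minus amount banked.

    A positive figure is credit with no matching banked payment (where the
    shortfall began); a negative figure is a customer who has paid but not
    been credited (where the shortfall currently sits).
    """
    net = defaultdict(Decimal)
    for receipt in bank_receipts:
        net[_key(receipt["payer"])] -= receipt["amount"]
    for alloc in allocations:
        net[_key(alloc["customer"])] += alloc["amount"]
    return {name: diff for name, diff in net.items() if diff != 0}


if __name__ == "__main__":
    for finding in payer_mismatches(BANK_RECEIPTS, LEDGER_ALLOCATIONS):
        print("payer mismatch:", finding)
    print("differences:", customer_differences(BANK_RECEIPTS, LEDGER_ALLOCATIONS))
```

A mismatch is a lead for follow-up rather than proof, since one group company may legitimately settle another's invoice.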

1.1.5 Fictitious customers

This is a more elaborate method of stealing inventory. Bogus orders are set up, and goods are despatched on credit. The ‘customer’ then fails to pay for the goods and the cost is eventually written off as a bad debt. For this type of fraud to work, the employee must have responsibility for taking goods orders as well as the authority to approve a new customer for credit.

1.1.6 Collusion with customers

Employees may collude with customers to defraud the business by manipulating prices or the quality or quantity of goods despatched.

  • For example, a sales manager or director could reduce the price charged to a customer in return for a cut of the saving. Alternatively, the employee could write off a debt or issue a credit note in return for a financial reward.
  • Another act of collusion might be for the employee to suppress invoices or underrecord quantities of despatched goods on delivery notes. Again, the customer would probably provide the employee with a financial incentive for doing this.

1.1.7 Bogus supply of goods or services

This typically involves senior staff who falsely invoice the firm for goods or services that were never supplied. One example would be the supply of consultancy services. To enhance authenticity, in many cases the individual involved will set up a personal company that invoices the business for its services. This type of fraud can be quite difficult to prove.

1.1.8 Paying for goods not received

Staff may collude with suppliers, who issue invoices for larger quantities of goods than were actually delivered. The additional payments made by the company are split between the two parties.

1.1.9 Meeting budgets/target performance measures

Management teams will readily agree that setting budgets and goals is an essential part of planning and an important ingredient for success. However, such targets can disguise frauds. In some cases, knowing that results are unlikely to be questioned once targets have been met, employees and/or management siphon off and pocket any profits in excess of the target.

1.1.10 Manipulation of bank reconciliations and cash books

Often the simplest techniques can hide the biggest frauds. We saw earlier how simple a technique teeming and lading is for concealing a theft. Similarly, other simple measures such as incorrect descriptions of items and use of compensating debits and credits to make a reconciliation work frequently ensure that fraudulent activities go undetected.

1.1.11 Misuse of pension funds or other assets

This type of fraud has received a high profile in the past. Ailing companies may raid the pension fund and steal assets to use as collateral in obtaining loan finance. Alternatively, company assets may be transferred to the fund at significant overvaluations.

1.1.12 Disposal of assets to employees

It may be possible for an employee to arrange to buy a company asset (eg a car) for personal use. In this situation, there may be scope to manipulate the book value of the asset so that the employee pays below market value for it. This could be achieved by overdepreciating the relevant asset.

1.2 Intentional misrepresentation of the financial position of the business

Here we consider examples in which the intention is to overstate profits. Note, however, that by reversing the logic we can also use them as examples of methods by which staff may deliberately understate profits. You should perform this exercise yourself.

1.2.1 Overvaluation of inventory

Inventory is a particularly attractive area for management wishing to inflate net assets artificially. There is a whole range of ways in which inventory may be incorrectly valued for accounts purposes.

  • Inventory records may be manipulated, particularly by deliberate miscounting at inventory counts.
  • Deliveries to customers may be omitted from the books.
  • Returns to suppliers may not be recorded.
  • Obsolete inventory may not be written off but rather held at cost on the statement of financial position.

1.2.2 Irrecoverable debt policy may not be enforced

Aged receivables who are obviously not going to pay should be written off. However, by not enforcing this policy, management can avoid the negative effects it would have on profits and net assets.

1.2.3 Fictitious sales

These can be channelled through the accounts in a number of ways.

QUESTION: Sales fraud

See if you can come up with three ways of generating fictitious sales transactions or sales values.


The following are just three obvious suggestions.

  • Generation of false invoices
  • Overcharging customers for goods or services
  • Selling goods to friends (with a promise of buying them back at a later date)


1.2.4 Manipulation of year-end events

Cut off dates provide management with opportunities for window dressing the financial statements. Sales made just before year end can be deliberately over-invoiced and credit notes issued with an apology at the start of the new year. This will enhance turnover and profit during the year just ended. Delaying the recording of pre-year-end purchases of goods not yet delivered can achieve the same objective.

1.2.5 Understating expenses

Clearly, failure to record all expenses accurately will inflate the reported profit figure.

1.2.6 Manipulation of depreciation figures

As an expense that does not have any cash flow effect, depreciation figures may be easily tampered with. Applying incorrect rates or inconsistent policies in order to understate depreciation will result in a higher profit and a higher net book value, giving a more favourable impression of financial health.

2 Potential for fraud

The UK has witnessed a number of high-profile frauds, most notably the BCCI, Maxwell and Barings Bank cases. The real incidence of fraud is difficult to gauge, particularly because companies are often loath to publicise such experiences. However, all businesses – without exception – face the risk of fraud: the directors’ responsibility is to manage that risk.

2.1 Prerequisites for fraud


There are three broad prerequisites or ‘preconditions’ that must exist in order to make fraud a possibility: dishonesty, motivation and opportunity.

These are useful to know, because if one or more of them can be eliminated, the risk of fraud is reduced!

2.1.1 Dishonesty

Honesty is a subjective quality, which is interpreted variously according to different ethical, cultural and legal norms. However, we may define dishonesty as an individual’s predisposition or tendency to act in ways which contravene accepted ethical, social, organisational and legal norms for fair and honest dealing. This tendency may arise from:

  • Personality factors: a high need for achievement, status or security; a competitive desire to gain advantage over others; low respect for authority.
  • Cultural factors: national or familial values, which may be more ‘flexible’ or anti-authority than the law and practice prevailing in the organisation. (Cultural values about the ethics of business ‘bribes’ (or ‘gifts’), for example, vary widely. ‘Lying’ is also a very fluid concept: some cultures value ‘saving face’ (or agreeing) over giving strictly truthful responses.)

2.1.2 Motivation

In addition to a general predisposition or willingness to act dishonestly, should the opportunity arise, the individual needs a specific motivation to do so. We will be discussing the concept of motivation in Chapter 15 but, broadly, it involves a calculation of whether a given action is worthwhile. Individuals weigh up:

  • The potential rewards of an action: the satisfaction of some need, or the fulfilment of some goal; in relation to
  • The potential sanctions or negative consequences of an action, or the deprivations required to carry it through.

The individual’s goal or motive for fraudulent behaviour may be:

  • Financial needs or wants, or envy of others (in the case of theft or fraud for monetary gain)
  • A desire to exercise negative power over those in authority
  • A desire to avoid punishment (in the case of cover ups, say)

2.1.3 Opportunity

Even if a person is willing to act dishonestly, and has a motive for doing so, they must still find an opportunity or opening to do so; a ‘loophole’ in the law or control system that:

  • Allows fraudulent activity to go undetected, or
  • Makes the risk of detection acceptable, given the rewards available.

An individual will have a high incentive to commit fraud if they are predisposed to dishonesty and the rewards for the particular fraud are high and there is an opportunity to commit fraudulent action with little chance of detection or with insignificant sanctions if caught.

QUESTION: Fraud strategies

Just considering the three prerequisites of fraud, what immediate control strategies can you suggest for preventing fraud?


  • Don’t employ people with predispositions to dishonesty, if possible: undertake legitimate and appropriate background and CV checks when carrying out recruitment and selection. (The more opportunity for fraud there is in the job, the more carefully dishonesty should be screened.)
  • Reduce motivations for fraud. This is highly subjective, but the organisation should give attention to such matters as ensuring equity in pay and rewards; monitoring employees for signs of financial difficulty and its possible causes (eg gambling addiction) and offering counselling and support where required; providing generally good and equitable working terms and conditions; and establishing clear rules and strong sanctions for fraudulent behaviour.
  • Reduce opportunities for fraud. This is the function of a range of internal checks and controls, discussed in Section 4 of this chapter: separating duties so no one person has sole control over a system; requiring authorisations for expense/timesheets, cheques, and so on; using data security measures such as passwords; security checks; identification on office equipment to deter theft; and so on.



2.2 Assessing the risk of fraud

Signs of high fraud risk include indications of lack of integrity, excessive pressures, poor control systems, unusual transactions and lack of audit evidence.

The starting point for any management team wanting to set up internal controls to prevent and detect fraud must be an assessment of the extent to which the firm is exposed to the risk of fraud. The best approach is to consider separately the extent to which external and internal factors may present a risk of fraud.

2.2.1 External factors

Step 1 First, consider the marketplace as a whole. The general environment in which the business operates may exhibit factors that increase the risk of fraud. For instance, the trend to delayer may reduce the degree of supervision exercised in many organisations, perhaps without putting anything in its place.
Step 2 Next, narrow the focus a little and consider whether the industry in which the firm operates is particularly exposed to certain types of fraud. For example, the building industry may be particularly prone to the risk of theft of raw materials, the travel industry may face risks due to the extensive use of agents and intermediaries and the retail industry must be vigilant to the abuse of credit cards.

QUESTION: Risk factors

Think of some examples of such general external factors that might influence the degree of risk that a company is exposed to.


You might have thought of some of the following.

  • Technological developments
  • Increased competition
  • New legislation or regulations
  • Changing customer needs
  • Economic or political changes


2.2.2 Internal factors

Having considered the big picture, the next step is to apply the same logic at company level. Focus on the general and specific risks in the firm itself.

Be alert to circumstances that might increase the risk profile of a company.

  • Changed operating environment
  • Rapid growth
  • New personnel
  • New technology
  • New or upgraded management information systems
  • New products
  • New overseas operations
  • Corporate restructuring

A number of factors tend to crop up time and time again as issues that might indicate potential fraud. Attention should be drawn to them if any of these factors come to light when assessing external and internal risks.

2.2.3 Business risks

A number of factors tend to crop up frequently as indicators of potential fraud situations; these can be categorised under business and personnel risks.

An alert management team will always be aware of the industry or business environment in which the organisation operates.

  • Profit levels/margins deviating significantly from the industry norm

As a rule of thumb, if things seem too good to be true, then they generally are. If any of the following happen, alarm bells should start ringing.

  • The company suddenly starts to exhibit profits far above those achieved by other firms in the same industry.
  • Turnover rises rapidly but costs do not rise in line.
  • Demand for a particular product increases significantly.
  • Investors seem to find the firm unusually attractive.

Such patterns can indicate problems, such as the manipulation of accounting records, collusion with existing customers or the creation of fictitious customers.

Similarly, results showing that the organisation is underperforming relative to competitors may be an indication of theft, collusion with suppliers or deliberate errors in the accounting records.

  • Market opinion

If the market has a low opinion of the firm, this might indicate something about the company’s products, its people or its way of doing business.

  • Complex structures

Organisations with complex group structures, including numerous domestic and overseas subsidiaries and branches, may be more susceptible to fraud.

  • The sheer size of the group can offer plenty of opportunities to ‘lose’ transactions or to hide things in intercompany accounts.
  • Furthermore, vast staff numbers contribute to a certain degree of employee anonymity, making it easier to conceal fraudulent activities.

2.2.4 Personnel risks

Fraud is not usually an easy thing to hide. A person’s behaviour often gives clues to the fact that they are engaging in fraud.

  • Secretive behaviour

A High Court judge once described secrecy as ‘the badge of fraud’. If an individual starts behaving in a more secretive way than is generally considered normal, then there may be cause for concern.

  • Expensive lifestyles

A well-known indicator of fraud is a lifestyle beyond an individual’s earnings. A recent case involved an Inspector of Taxes who started driving expensive sports cars, taking lavish holidays and so forth. It was later discovered that he was being paid by a wealthy businessman in return for assisting him to evade tax.

  • Long hours or untaken holidays

Workaholics and staff who do not take their full holiday entitlement may be trying to prevent a temporary replacement from uncovering a fraud.

  • Autocratic management style

In some organisations a sole manager or director has exclusive control over a significant part of the business. This can provide ample scope for fraud, particularly when the situation is compounded by little, if any, independent review of those activities by anyone else at a senior level.

  • Lack of segregation of duties

Employees occasionally have more than one area of responsibility, particularly in small businesses where staff numbers are low. This can make it easy for the employee to conduct and conceal fraudulent actions. For example, if the employee who prepares the payslips were also the person who authorises the payments, payroll fraud would be relatively simple to put into practice.

  • Low staff morale

One motive for fraud is resentment towards the firm. Staff may start defrauding the firm because they feel that they are not rewarded sufficiently for their work or because they were passed over for a promotion that they believed they deserved. Alternatively, low staff morale may lead to the breakdown of internal controls, yielding opportunities for fraud.

3 Potential for computer fraud

Organisations are becoming increasingly dependent on computers for operational systems as well as accounting and management information. With this dependency comes an increased exposure to fraud. The computer is frequently the vehicle through which fraudulent activities are carried out.

Problems particularly associated with computers

  • Computer hackers. The possibility of unknown persons trying to hack into the systems increases the potential for fraud against which the firm must protect itself.
  • Lack of training within the management team. Many people have an inherent lack of understanding of how computer systems work. Senior management can often be the least computer literate. They may also be the most reluctant to receive training, preferring to delegate tasks to assistants. Without management realising it, junior staff can secure access to vast amounts of financial information and find ways to alter it.
  • Identifying the risks. Most firms do not have the resources to keep up to date with the pace of development in computer technology. This makes it ever more difficult to check that all major loopholes in controls are closed, even if management are computer literate.
  • Need for ease of access and flexible systems. In most cases, a firm uses computers in order to simplify and speed up operations. To meet these objectives, there is frequently a need for ease of access and flexible systems. However, implementing strict controls can sometimes suppress these features.

  3   Implications of fraud for the organisation

While it is clear that fraud is bad for business, the precise ways in which the firm is affected depend on the type of fraud being carried out.

  • Removal of funds or assets from a business

Immediate financial implications

Profits are lower than they should be. The business has less cash or fewer assets, and therefore the net asset position is weakened. Returns to shareholders are likely to fall as a result.

Long-term effects on company performance

The reduction in working capital makes it more difficult for the company to operate effectively. In the most serious cases, fraud can ultimately result in the collapse of an otherwise successful business, such as Barings.

  • Intentional misrepresentation of the financial position of the business

Financial statements do not give a true and fair view of the financial situation of the business. Results may be either artificially enhanced or, less frequently, underreported.

It is also possible that managers in charge of a particular division can artificially enhance their division’s results, thereby deceiving senior management.

QUESTION: Reporting results

Try to think of reasons why someone might want to:

(a) Artificially enhance the results
(b) Underreport the results


  • Reasons for overstating profits and/or net assets
    • To ensure achievement on paper: targets may have to be met in order to secure a promotion, or bonuses or remuneration may be linked to performance
    • Trying to conceal another form of fraud, such as theft
    • Need a healthy statement of financial position to convince bank to give loan finance
    • Ailing company may be trying to entice equity investors
  • Reasons for understating profits and/or net assets
    • To facilitate a private purchase of an asset from the business at less than market value
    • To defraud HM Revenue & Customs by reducing taxable profits or gains
    • Trying to force the share price down so that shares can be bought below market value by friends or relatives


3.2.1 If results are overstated

A company may distribute too much of its profits to shareholders.

Retained profits will be lower than believed, leading to potential shortfalls in working capital. This makes the day-to-day activities more difficult to perform effectively.

Incorrect decisions will be made, based on inaccurate knowledge of available resources.

The effects of fraudulent activities can also affect stakeholders if the financial statements on which they rely are misrepresentations of the truth.

  • Investors making decisions based on inaccurate information will find actual returns deviating from expectations.
  • Suppliers will extend credit without knowing the financial position of the company.

3.2.2 If results are understated

Returns to investors may be reduced unnecessarily.

If the company is quoted on the stock exchange, the share price might fall and market strength may be eroded.

Access to loan finance may be restricted if assets are understated.

The negative publicity can damage the business by affecting the public’s perceptions.

Legal consequences. Finally, fraudsters open themselves up to the possibility of arrest. Depending on the scale and seriousness of the offence some may even find themselves facing a prison sentence.

  4   Systems for detecting and preventing fraud

4.1 Prioritising prevention

In order to prevent fraud, managers must be aware of the risks and signs of fraud.

Prevention of fraud must be an integral part of corporate strategy. Managing the risk of fraud is a key part of managing business risks in general and, if the company’s risk management procedures are poor, management of fraud risk is also likely to be unsuccessful.

Certain recent developments, notably downsizing, have however meant that certain controls that are designed to prevent fraud, for example segregation of duties, may not be possible. Hence it is equally important that the control system is designed so as to detect and investigate fraud.

4.2 Reasons for fraud

Management must have an understanding of how and why frauds might arise. Examples include:

(a) The risk of fraud may be increased by factors that are specific to the industry. Lower profit margins due to increased competition may be a temptation to manipulate results.

(b) Factors specific to the business may also increase the risk of fraud.

  • Personnel factors such as extensive authority given to dominant managers
  • Organisation factors such as unclear structure of responsibility or lack of supervision of remote locations
  • Strategy factors such as a lack of a business strategy or great emphasis being placed on reward by results
  • Changes in circumstances may also increase the risk of fraud. Often a control system may become inadequate as a result of changes in the business, particularly changes in technology or the internal organisation.
  • Certain areas, for example cash sales, are normally high risk.

4.3 Reasons for poor controls

Management also need to understand factors that may prevent controls from operating properly.

  • Controls will not function well if there is a lack of emphasis on compliance or a lack of understanding of why the controls are required, how they should operate and who should be operating them.
  • Staff problems such as understaffing and poor quality or poorly motivated staff can impede the operation of controls.
  • Changes in senior personnel can lead to a lack of supervision during the transition period.
  • Emphasis on the autonomy of operational management may lead to controls being bypassed.

4.4 General prevention policies 

Prevention policies include emphasis on ethics and personnel and training procedures. Controls within particular business areas such as segregation of duties and documentation requirements are also significant.

Management can implement certain general controls that are designed to prevent fraud.

  • Emphasising ethics can decrease the chances of fraud. Several businesses have formal codes of ethics which employees are required to sign covering areas such as gifts from customers. Management can also ensure that they set ‘a good example’.
  • Personnel controls are a very important means of preventing fraud. Thorough interviewing and recruitment procedures including obtaining references can be an effective screening for dishonest employees. Appraisal and grievance systems can prevent staff demotivation.
  • Training and raising awareness can be important. There are many examples of frauds taking place where people who were unwittingly close were shocked that they had no idea what was happening. Fraud awareness education should therefore be an integral part of the training programme, particularly for managers and staff in high risk areas such as procurement, and staff with key roles in fraud prevention and detection, for example human resources.

4.5 Prevention of fraud in specific business areas

Controls will also be needed in specific areas of the business where a high risk of fraud has been identified.

  • Segregation of duties is a key control in fraud prevention. Ultimately operational pressures may mean that segregation is incomplete. Management should nevertheless identify certain functions that must be kept separate, for example separating the cheque signing function from the authorisation of payments.
  • Appropriate documentation should be required for all transactions.
  • Limitation controls, such as only allowing staff to choose suppliers from an approved list and limiting access to the computer network by means of passwords, can reduce the opportunities for fraud.
  • Certain actions should be prohibited such as leaving a computer terminal without logging off.
  • Internal audit work should concentrate on these areas.

4.6 Detection and prevention

4.7 Internal controls

A primary aim of any system of internal controls should be to prevent fraud. However, the very nature of fraud means that people will find ways to get around existing systems. It is equally important, therefore, to have controls in place to detect fraud if and when it happens.

Controls must be developed in a structured manner, taking the whole spectrum of risk into account and focusing on the key risks identified in each area of the business.

Let us think about appropriate controls that could be introduced to combat fraud.

4.8 Physical controls

Basic as it seems, physical security is an important tool in preventing fraud. Keeping tangible assets under lock and key makes it difficult for staff to access them and can go a long way towards discouraging theft.

4.9 Segregation of duties

Staff who have responsibility for a range of tasks have more scope for committing and concealing fraud. Therefore the obvious way to control the risk is to segregate duties.

If an employee’s duties do not extend beyond one domain, it will be more difficult for an employee to conceal a fraud. It is more likely that it will be picked up at the next stage in the process.

So, for example, the employee responsible for recording sales orders should not be the same person responsible for maintaining inventory records. This will make it more difficult to falsify sales or inventory records, as a discrepancy between sales figures and inventory balances would show up.

Segregating responsibility for packaging goods for delivery from either of the recording tasks would also help to minimise the risk of theft and increase the likelihood of detection.

4.10 Authorisation policies

Requiring written authorisation by a senior member of staff is a good preventative tool. It increases accountability and also makes it harder to conceal a fraudulent transaction.

4.11 Customer signatures

Requiring customers to inspect and sign for receipt of goods or services ensures that they cannot claim that the delivery did not match their order.

It also provides confirmation that the delivery staff actually did their job and that what was delivered corresponded to what was recorded.

4.12 Using words rather than numbers

Insist that all quantities be written out in full. It is much more difficult to change text than to alter a figure.

4.13 Documentation

Separate documents should be used to record sales order, despatch, delivery and invoice details. A simple matching exercise will then pick up any discrepancies between them and lead to detection of any alterations.

4.14 Sequential numbering

Numbering order forms, delivery dockets or invoices makes it extremely simple to spot if something is missing.

4.15 Dates

Writing the date on forms and invoices assists in cut-off testing. For example, if a delivery docket is dated pre-year end but the sale is recorded post-year end it is possible that results are being manipulated.
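
The three documentary controls above (matching separate documents, sequential numbering and dated forms) can be run as automated checks. The following is an added example, not part of the original text; the field names, document numbers, quantities and year-end date are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Constructed sample data: every number, date and quantity below is invented.
YEAR_END = date(2023, 12, 31)  # assumed accounting year end


@dataclass(frozen=True)
class Despatch:
    docket_no: int
    order_no: int
    quantity: int
    despatched: date


@dataclass(frozen=True)
class Invoice:
    invoice_no: int
    docket_no: int   # delivery docket the invoice claims to bill
    quantity: int
    recorded: date   # date the sale was posted to the ledger


DESPATCHES = [
    Despatch(501, 9001, 10, date(2023, 12, 20)),
    Despatch(502, 9002, 4, date(2023, 12, 29)),
    Despatch(503, 9003, 7, date(2023, 12, 30)),
    Despatch(505, 9005, 2, date(2024, 1, 3)),    # docket 504 is absent
]

INVOICES = [
    Invoice(7001, 501, 10, date(2023, 12, 21)),
    Invoice(7002, 502, 6, date(2023, 12, 29)),   # quantity differs from docket
    Invoice(7003, 503, 7, date(2024, 1, 4)),     # despatched pre-year end, recorded post
    Invoice(7004, 505, 2, date(2023, 12, 31)),   # recorded pre-year end, despatched post
    Invoice(7005, 506, 3, date(2024, 1, 5)),     # no such docket
]


def sequence_gaps(numbers):
    """Sequential numbering: return (missing, duplicated) numbers in a series."""
    counts = Counter(numbers)
    if not counts:
        return [], []
    missing = [n for n in range(min(counts), max(counts) + 1) if n not in counts]
    duplicated = sorted(n for n, c in counts.items() if c > 1)
    return missing, duplicated


def match_documents(despatches, invoices):
    """Documentation: match each invoice to its docket and report disagreements."""
    by_docket = {d.docket_no: d for d in despatches}
    findings = []
    billed = set()
    for inv in invoices:
        docket = by_docket.get(inv.docket_no)
        if docket is None:
            findings.append((inv.invoice_no, "invoice without despatch docket"))
            continue
        billed.add(docket.docket_no)
        if docket.quantity != inv.quantity:
            findings.append((inv.invoice_no, "quantity differs from docket"))
    for d in despatches:
        if d.docket_no not in billed:
            findings.append((d.docket_no, "despatch never invoiced"))
    return findings


def cutoff_exceptions(despatches, invoices, year_end):
    """Dates: flag sales whose despatch and ledger dates fall either side of year end."""
    by_docket = {d.docket_no: d for d in despatches}
    flagged = []
    for inv in invoices:
        docket = by_docket.get(inv.docket_no)
        if docket is None:
            continue  # already reported by match_documents
        if (docket.despatched <= year_end) != (inv.recorded <= year_end):
            flagged.append(inv.invoice_no)
    return flagged


if __name__ == "__main__":
    print("Docket gaps:", sequence_gaps([d.docket_no for d in DESPATCHES]))
    print("Mismatches:", match_documents(DESPATCHES, INVOICES))
    print("Cut-off exceptions:", cutoff_exceptions(DESPATCHES, INVOICES, YEAR_END))
```

Each finding is a prompt for follow-up, not proof of fraud: a missing docket may have been spoiled and voided, and a cut-off exception may be a genuine posting delay.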

4.16 Standard procedures

Standard procedures should be defined clearly for normal business operations and should be known to all staff. For example:

  • Independent checks should be made on the existence of new customers.
  • Credit should not be given to a new customer until his/her credit history has been investigated.
  • All payments should be authorised by a senior member of staff.
  • Wages/payslips must be collected in person.

Any deviations from these norms should become quite visible.

  • Holidays

As we have said, fraud is difficult to conceal. Enforcing holiday policy by insisting that all staff take their full holiday entitlement is therefore a crucial internal control. A two-week absence is frequently sufficient time for a fraud to come to light.

  • Recruitment policies

Personnel policies play a vital part in developing the corporate culture and deterring fraud. Something as obvious as checking the information and references provided by applicants may reduce the risk of appointing dishonest staff.

  • Computer security

This will be discussed in detail in Chapter 18. However, many of the above controls (access controls, segregation of duties, authorisations, and so on) will apply.

  • Manager and staff responsibilities
Managers and staff should be aware of their responsibilities to help in detecting fraud. Fraud detection is also helped by having information readily available and allowing whistleblowing.

If fraud is to be detected, it is important that everyone involved in detection should be aware of their responsibilities.

  • Operational managers should be alert for signs of petty fraud, as well as checking the work staff have done and also being aware of what staff are doing.
  • Finance staff should be alert for unusual items or trends in accounting data, as well as incomplete financial information.
  • Personnel staff should be alert for signs of discontent or low morale, and also should (if possible) be aware of close personal relationships between staff who work together.
  • Internal audit staff have responsibility for ensuring systems and controls are thoroughly reviewed. One-off exercises such as surprise visits may be undertaken alongside annual audit work.
  • External audit staff are required to assess the risk that fraud may have a material impact on a company’s accounts when planning their audit work. They are required to report all instances of fraud found to management, unless they suspect management of being involved in the fraud. The external auditors should also report to management any material weaknesses in the accounting and internal control systems.
  • Non-executive directors should act on signs of dishonesty by senior executive management. The audit committee should review the organisation’s performance in fraud prevention and report any suspicious matters to the board.

4.20.1 Fraud officer

Many large organisations have appointed a fraud officer, who is responsible for initiating and overseeing fraud investigations, implementing the fraud response plan, and for any follow-up actions. The fraud officer should be able to talk to staff confidentially and be able to provide advice without consulting senior management.

4.21 Availability of information

It is of course important that information should be available to enable management to identify signs of actual fraud, or of an environment where fraud may occur.

  • Cost and management accounting systems should promptly provide information in sufficient detail to enable management to identify parts of the business whose performance is out of line with expectations. Actual results should be compared with budgeted results and explanations sought for significant variances.
  • Personnel procedures such as staff meetings, appraisals and exit interviews may indicate low morale or staff who are under undue pressure.
  • Lines of reporting should be clear. Staff should know to whom they should report any suspicions of fraud.

  • Whistleblowing

The likelihood of fraud detection may have been increased by recent legislation in a number of countries that provides employment protection rights to ‘whistleblowers’, employees who reveal fraud or malpractice in a workplace. The legislation covers disclosure of certain ‘relevant failures’, including committal of a criminal offence, failure to comply with legislation, endangering health and safety or damaging the environment.

Some employers are introducing a formal concerns procedure, which sets out how potential whistleblowers should communicate their concerns.

  • Investigation of fraud
Organisations should establish a fraud response plan, setting out how the method and extent of the fraud and possible suspects should be investigated.

If the worst does happen there should be a fraud response plan, a strategy for investigating and dealing with the consequences of frauds that have occurred.

Certain actions might have to be taken as soon as the fraud comes to light. These may include ensuring the security of the records that will be used to investigate what has happened, and also the securing of assets that may be vulnerable to theft. Procedures may have to include suspending staff, changing passwords and so on.

Investigation procedures should be designed with the following aims in mind:

  • Establishing the extent of the loss, ascertaining on whom it fell and assessing how it may be recovered
  • Establishing how the fraud occurred
  • Considering who else may have been implicated in the fraud
  • Assessing whether the fraud was not detected because existing controls were not operating properly, or whether existing controls would have been unlikely to prevent or identify the fraud

Key decisions in fraud investigation will include who will be carrying out the investigation and also whether the investigation will be undercover. Guidance produced by the accountancy firm KPMG has highlighted the importance of quickly obtaining a picture of the activities of the suspected fraudster by reviewing their personal paperwork (diaries, files, expense claims, etc) and also contacting the people who worked with them.

Ultimately the detection and prevention of fraud requires not only a clear strategy but also a willingness to enforce controls.

4.24 Evolving control systems

The environment in which organisations exist and operate changes constantly. The risks organisations face also change over time. Some risks will decrease with time, other risks will increase, new risks will arise.

For the systems intended to control and minimise the impact of risks to be effective they also must change and adapt. The control systems must evolve to deal with the risks present in the changing environment. Control systems must therefore be reviewed constantly and, if necessary, changed or adapted in order to cope with new risks.

This is particularly true where legislation changes, such as the relatively recent changes in the UK to money laundering and bribery legislation. Control systems must enable the organisation and the individuals that work within the organisation to meet their legal obligations under new legislation.

  5   Responsibility for detecting and preventing fraud
It is the responsibility of the directors to take such steps as are reasonably open to them to prevent and detect fraud.

5.1 The responsibility of directors

In a limited company, or plc, it is the responsibility of the directors to prevent and detect fraud. They should:

  • Ensure that the activities of the entity are conducted honestly and that its assets are safeguarded
  • Establish arrangements to deter fraudulent or other dishonest conduct and to detect any that occurs
  • Ensure that, to the best of their knowledge and belief, financial information, whether used internally or for financial reporting, is reliable

5.2 The role of the auditor

The responsibility of the external auditor is only to express an opinion on whether the financial statements give a true and fair view of the company’s financial situation and results.

The auditor should design audit procedures so as to have a reasonable expectation of detecting misstatements arising from fraud or error. It should be emphasised that, in the case of a sophisticated fraud, which has been designed to escape detection by the auditors, a reasonable expectation is all that they can have.

If the auditors become aware during the audit that fraud or error may exist, they should document their findings and report them to management.

If the auditors take the view that the financial statements are affected by fraud or error, they should qualify their report accordingly.
In the case of fraud, the auditors should then consider whether the matter should be reported to an appropriate authority in the public interest. If they decide that this is the case, they request that the directors make the report. If the directors do not do so, or if the fraud casts doubt on the integrity of the directors, the auditors should make the report themselves.

It is the responsibility of the directors to take reasonable steps to detect and prevent fraud and error.

  6   Money laundering
The growth of globalisation has created more opportunities for money laundering which governments and international bodies are trying to combat with legislation.

One of the side effects of globalisation and the free movement of capital has been the growth in money laundering.


Money laundering is used by organised crime and terrorist organisations but it is also used in order to avoid the payment of taxes or to distort accounting information. Money laundering therefore involves a number of agents and entities, from criminals and terrorists to companies and corrupt officials or states, as well as tax havens.

6.1 Risks associated with a company’s products and services

Some businesses are at higher risk than others of money laundering. For example, businesses dealing in luxury items of high value can be at risk of the products being resold through the black market or returned to the retailer in exchange for a legitimate cheque from them.

The increase in financial crime and its growing complexity have prompted national governments and the European Union to legislate and regulate the conduct of transactions.

The effects of regulation 

The following information relates specifically to European companies but similar regulations exist in other countries.

Affected companies must assess the risk of money laundering in their business and take necessary action to alleviate this risk.

6.2.1 Assessing risk – the risk-based approach

The risk-based approach consists of a number of steps.

  • Identifying the money laundering risks that are relevant to the business
  • Carrying out a detailed risk assessment on such areas as customer behaviour and delivery channels
  • Designing and implementing controls to manage and reduce any identified risks
  • Monitoring the effectiveness of these controls and making improvements where necessary
  • Maintaining records of actions taken and reasons for these actions

The time and cost of carrying out such assessments will depend on the size and complexity of the business but will require considerable effort to ensure compliance with regulations.

6.2.2 Assessing the customer base

Businesses with certain types of customers are more at risk of money laundering activities and will therefore be required to take more stringent action to protect themselves. Types of customers that pose a risk include the following.

  • New customers carrying out large, one-off transactions
  • Customers who have been introduced by a third party who may not have assessed their risk potential thoroughly
  • Customers who aren’t local
  • Customers whose businesses handle large amounts of cash

Other customers who might pose a risk include those who are unwilling to provide identification and who enter into transactions that do not make commercial sense. Before companies commence business dealings with a customer, they should conduct suitable customer due diligence.

6.2.3 Customer due diligence

This is an official term for taking steps to check that customers are who they say they are. In practice, the best and easiest way to do this is to ask for official documents or details from these, for example company registration details. For individuals a passport or driving licence, together with utility bills and bank statements, would suffice.

If customers are acting on behalf of a third party, it is important to identify who the third party is.

6.2.4 Applying customer due diligence

Businesses should apply customer due diligence whenever they feel it necessary but as a minimum in any of the following circumstances.

  • When establishing a business relationship. This is likely to be a relationship that will be ongoing; it is therefore important to establish identity and credibility at the start. The organisation may have a responsibility to establish such information as the source and origin of funds that the customer will be using, copies of recent and current financial statements and details of the customer’s business or employment.
  • When carrying out a high value ‘occasional transaction’ (a transaction that has not been carried out within an ongoing business relationship). The organisation should also look out for ‘linked’ transactions which are individual transactions that have been broken down into smaller, separate transactions to avoid due diligence checks.
  • When doubts exist about identification information obtained previously
  • When the customer’s circumstances change – for example, a change in the ownership of the customer’s business or a significant change in the type of business activity of the customer
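
One way to look for the ‘linked’ transactions described above, as an added example that is not part of the original text. The threshold, the look-back window, the customer references and the payments are assumptions constructed for illustration; the text sets no figures.

```python
from collections import defaultdict
from datetime import date, timedelta

# Assumed policy values for illustration only; not taken from any regulation.
DUE_DILIGENCE_THRESHOLD = 10_000  # value at which an occasional transaction triggers checks
LINK_WINDOW = timedelta(days=7)   # payments this close together are treated as linked

# Constructed sample payments: (customer reference, date, amount)
PAYMENTS = [
    ("C-101", date(2024, 3, 1), 12_000),  # one high-value occasional transaction
    ("C-102", date(2024, 3, 4), 4_000),   # three payments in four days,
    ("C-102", date(2024, 3, 5), 3_500),   # each below the threshold,
    ("C-102", date(2024, 3, 7), 3_000),   # together above it
    ("C-103", date(2024, 3, 1), 4_000),   # similar amounts, weeks apart
    ("C-103", date(2024, 3, 20), 4_000),
    ("C-103", date(2024, 4, 15), 4_000),
    ("C-104", date(2024, 3, 2), 2_500),   # single small payment
]


def due_diligence_triggers(payments,
                           threshold=DUE_DILIGENCE_THRESHOLD,
                           window=LINK_WINDOW):
    """Return {customer: reason} for customers whose payments call for due diligence.

    A customer is flagged when one payment reaches the threshold, or when
    several smaller payments inside one look-back window add up to it.
    """
    by_customer = defaultdict(list)
    for customer, when, amount in payments:
        by_customer[customer].append((when, amount))

    triggers = {}
    for customer, items in by_customer.items():
        items.sort()  # chronological order
        if any(amount >= threshold for _, amount in items):
            triggers[customer] = "single high-value transaction"
            continue

        start = 0    # index of the oldest payment still inside the window
        running = 0  # total of payments items[start..end]
        for end, (when, amount) in enumerate(items):
            running += amount
            # Drop payments that have fallen out of the look-back window.
            while when - items[start][0] > window:
                running -= items[start][1]
                start += 1
            if running >= threshold and end > start:
                count = end - start + 1
                triggers[customer] = f"{count} linked transactions totalling {running}"
                break
    return triggers


if __name__ == "__main__":
    for customer, reason in sorted(due_diligence_triggers(PAYMENTS).items()):
        print(customer, "->", reason)
```

A flag means customer due diligence should be applied before further business is done; it is a prompt for review, not a finding of money laundering.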

6.2.5 Ongoing monitoring

It is important that an effective system of internal controls is in place to protect the business from being used for money laundering. Staff should be suitably trained in the implementation of these internal controls and be alert to any potential issues. A specific member of staff should be nominated as the person to whom any suspicious activities should be reported, known as the Money Laundering Reporting Officer.

Full documentation of anti-money laundering policies and procedures should be kept and updated as appropriate. Staff should be kept fully informed of any changes.

6.2.6 Maintaining full and up-to-date records

Businesses are generally required to keep full and up-to-date records for financial reporting and auditing purposes but these can also be used to demonstrate compliance with money laundering regulations. Such records will include receipts, invoices and customer correspondence. European money laundering regulations require that such information be kept for each customer for five years beginning on either the date a transaction is completed or the date a business relationship ends.

6.3 Categories of criminal offence

In the UK, there are various offences relating to money laundering, including tipping off a money launderer (or suspected money launderer) and failing to report reasonable suspicions.

There are three categories of criminal offences under the Criminal Justice Act 1993 (HMSO, 1993).

  • Laundering: acquisition, possession or use of the proceeds of criminal conduct, or assisting another to retain the proceeds of criminal conduct and concealing, disguising, converting, transferring or removing criminal property. This relates to the nature, source, location, disposition, movement or ownership of the property. Money laundering includes possession of the proceeds of one’s own crime and facilitating any handling or possession of criminal property, which may take any form, including in money or money’s worth, securities, tangible property and intangible property.
  • Failure to report by an individual: failure to disclose knowledge or suspicion of money laundering (suspicion is more than mere speculation, but falls short of proof or knowledge)

  • Tipping off: disclosing information to any person if disclosure may prejudice an investigation into drug trafficking, drug money laundering, terrorist-related activities, or laundering the proceeds of criminal conduct

For the purposes of laundering, ‘criminal property’ is property which the alleged offender knows (or suspects) constitutes or represents being related to any criminal conduct. This is any conduct that constitutes or would constitute an offence in the UK.

In relation to laundering, a person may have a defence if they make a disclosure to the authorities:

  • As soon as possible after the transaction
  • Before the transaction takes place

Alternatively, they may have a defence if they can show there was a reasonable excuse for not making a disclosure.

In relation to failure to report, the person who suspects money laundering must disclose this to a nominated officer within their organisation if it has one, or directly to the National Crime Agency (NCA) in the form of a Suspicious Activity Report (SAR). NCA has responsibility in the UK for collecting and disseminating information related to all forms of serious organised crime, including money laundering and related activities. The nominated officer in an organisation acts as a filter and notifies NCA too.

In relation to tipping off, this covers the situation when a person making a disclosure to the nominated officer or NCA also tells the person at the centre of their suspicions about the disclosure. There is a defence to the effect that the person did not know that tipping off would prejudice an investigation.

6.4 Penalties

The law sets out the following penalties in relation to money laundering.

  • 14 years’ imprisonment and/or a fine for knowingly assisting in the laundering of criminal funds
  • 5 years’ imprisonment and/or a fine for failure to report knowledge or the suspicion of money laundering and 2 years’ imprisonment and/or a fine for ‘tipping off’ a suspected launderer; the suspected launderer must not be alerted

QUESTION: Money laundering

Why should a professional adviser not give a warning to a client whom they suspect of money laundering?


Tipping off a suspected money launderer is an offence. Alerting the suspect would be likely to hamper any subsequent investigation by the authorities.


6.5 Money laundering process 

The money laundering process usually involves three phases.

  • Placement – this is the initial disposal of the proceeds of the illegal activity into apparently legitimate business activity or property eg ‘smurfing’ whereby small amounts are banked with a number of institutions in order to avoid suspicion and anti-money laundering reporting requirements.
  • Layering – this involves the transfer of monies from business to business or place to place to conceal the original source eg under- or overvaluing invoices to disguise the movement of money.
  • Integration – having been layered, the money has the appearance of legitimate funds, eg an individual may use cash to gamble at a casino and receive a cheque for any winnings. This cheque can then be banked as proceeds from gambling, regardless of the original source of the money.

For accountants, the most worrying aspect of the law on money laundering relates to the offence of ‘failing to disclose’. It is relatively straightforward to identify actual ‘knowledge’ of money laundering, and therefore of the need to disclose it, but the term ‘suspicion’ of money laundering is not defined. The nearest there is to a definition is that suspicion is more than mere speculation but falls short of proof or knowledge. It is a question of judgement.

6.6 The role of the Financial Conduct Authority

In addition to UK legislation, there are other rules which apply to investment firms (that is, firms which sell financial services or shares). The FCA SYSC sourcebook is one source of rules.


Although investment firms may be particularly at risk of being involved with clients who are seeking to launder money, methods used for laundering such dirty money can be extremely complex. They may involve trusts, companies (both offshore and onshore) and could involve the use of relatively complex bank instruments.

Therefore all companies, their managers and their advisers need to be aware of the issue of money laundering and not fall foul of the regulations.

There is a legal requirement for organisations to take the following actions.

  • To set up procedures and establish accountabilities for senior individuals to take action to prevent money laundering
  • To educate staff and employees about the potential problems of money laundering
  • To obtain satisfactory evidence of identity where a transaction is for more than €15,000
  • To report suspicious circumstances (according to the established procedures)
  • Not to alert persons who are or might be investigated for money laundering
  • To keep records of all transactions for five years

6.7 The costs of compliance

None of the activities listed above comes cheaply, especially if policies and procedures are being established for the first time. In addition, regulations in the UK state that all accountants in public practice must be supervised and monitored in their compliance and registered with a supervisory body.

ACCA is one of the supervisory bodies and is responsible for monitoring its own members. Such supervision comes at a cost, however, and monitored firms are expected to pay a fee for this service.

6.8 Financial Action Task Force (FATF)

The Financial Action Task Force (FATF) is an inter-governmental body which develops and promotes policies, at national and international levels, to combat money laundering and terrorist financing. FATF currently has over 30 member states, including the UK, many EU states, Turkey, India, China, Japan, New Zealand, the US, Brazil and Argentina.

FATF members are committed to implementing FATF standards and having their anti-money laundering (AML)/counter-terrorist financing (CTF) systems mutually assessed. A country needs to do the following in order to implement FATF’s recommendations effectively.

  • Successfully investigate and prosecute money laundering and terrorist financing
  • Deprive criminals of their criminal proceeds and the resources needed to finance their illicit activities
  • Require financial institutions and other businesses and professions to implement effective measures to detect and prevent money laundering and terrorist financing
  • Ensure that financial institutions and other businesses and professions comply with AML/CTF requirements
  • Enhance the transparency of legal persons and arrangements
  • Implement mechanisms to facilitate co-operation and co-ordination of AML/CTF efforts at the international and domestic level

6.9 International Monetary Fund (IMF)

The IMF is increasingly involved in addressing the risks of money laundering.

It promotes itself as a natural forum for sharing information, developing common approaches to issues and promoting desirable policies and standards in order to fight money laundering and the financing of terrorism.


  • The practical aspects of fraud (where it might actually occur, how it can be detected) are the most likely topics to be examined.
  • Common frauds include payroll frauds, conspiracy with other parties and stealing assets. More subtle measures include teeming and lading and manipulation of bank reconciliations and cashbooks to conceal theft.
  • There are three broad prerequisites or ‘preconditions’ that must exist in order to make fraud a possibility: dishonesty, motivation and opportunity.
  • Signs of high fraud risk include indications of lack of integrity, excessive pressures, poor control systems, unusual transactions and lack of audit evidence.
  • A number of factors tend to crop up frequently as indicators of potential fraud situations; these can be categorised under business and personnel risks.
  • In order to prevent fraud, managers must be aware of the risks and signs of fraud.
  • Prevention policies include emphasis on ethics and personnel and training procedures. Controls within particular business areas, such as segregation of duties and documentation requirements, are also significant.
  • Controls must be developed in a structured manner, taking account of the whole spectrum of risk and focusing on the key risks identified in each area of the business.
  • Managers and staff should be aware of their responsibilities to help in detecting fraud. Fraud detection is also helped by having information readily available and allowing whistleblowing.
  • Organisations should establish a fraud response plan, setting out how the method and extent of the fraud and possible suspects should be investigated.
  • It is the responsibility of the directors to take such steps as are reasonably open to them to prevent and detect fraud.
  • The growth of globalisation has created more opportunities for money laundering which governments and international bodies are trying to combat with legislation.
  • In the UK, there are various offences relating to money laundering, including tipping off a money launderer (or suspected money launderer) and failing to report reasonable suspicions.


  1 Applying incorrect rates to understate depreciation will result in a higher profit, giving a more favourable impression of financial health. Is this true or false?
  2 True or false?
    • Computers increase the risk of fraud
    • Motivation is a prerequisite for fraud
  3 Who has the primary responsibility for preventing and detecting fraud?
    A The external auditors
    B The internal auditors
    C The directors
    D The shareholders
  4 List five examples of internal controls (not computer related).
  5 What are the main factors that might prevent controls operating properly?
  6 What are the main personnel controls that can be used to limit the risk of fraud?

  1 Depreciation does not have any actual cash flow which means it is easy to tamper with.
  2 True, true. Computers tend to increase exposure to fraud because they are frequently the vehicles through which fraudulent activities are carried out.
  3 C The directors are responsible for taking steps to prevent and detect fraud.
  4 Examples include physical controls, segregation of duties, authorisation policies, using words rather than numbers and enforcing holiday policy.
  5
    • Lack of emphasis on compliance
    • Lack of understanding of why controls are required
    • Staff problems
    • Changes in senior personnel
    • Excessive emphasis on the authority of line management
  6
    • Rigorous recruitment procedures including interviews and references
    • Appraisals
    • Procedures to deal with grievances











Now try …
Attempt the questions below from the Practice Question Bank







