Internal Control – Assessing Control Risk & Tests of Control




Definition and components

ISA 315 defines internal control as the process designed and implemented by those charged with governance to provide reasonable assurance about the achievement of the entity’s objectives.

Internal control consists of the following components:

  • The control environment,
  • The entity’s risk assessment process,
  • The information system,
  • Control activities, Monitoring of controls.



The management team of a company is responsible for achieving an entity’s objectives such as:

  • The reliability of financial reporting,
  • The effectiveness and efficiency of operations and
  • Compliance with applicable laws and regulation.

Good corporate governance dictates the existence of a sound system of internal control.   It follows therefore that internal controls should be designed and implemented to address business risks that threaten the achievement of an entity’s objectives.

An entity’s systems collect and summarise data that are used to produce financial information.  An effective system of internal control will help management manage the business effectively, produce timely and accurate information, safeguard the assets of a company and prevent and detect fraud.

Responsibilities – Auditors

Control risk is an element of audit risk.  Control risk exists where the client’s controls fail to prevent, detect and/or correct material misstatements.

Therefore, auditors need to assess the controls put in place by management and ascertain whether they are effective and can be relied upon for the purposes of the audit.  The auditor’s primary consideration is whether a specific control prevents detects or corrects material misstatements. The auditor carries out tests to ensure that the systems operate as they are supposed to.  If the controls are ineffective, the control risk is high and it is likely that it will be necessary to undertake higher levels of substantive testing.

Gaining an understanding of internal control

ISA 315 states that the auditor should obtain an understanding of internal controls relevant to the audit.  The auditor uses this understanding to identify types of potential misstatements and to help design the nature, timing and extent of further audit procedures.

The way in which internal control is designed and implemented will vary with an entity’s size and complexity.  Smaller entities may use less formal means and simpler processes and procedures to achieve their objectives.

In obtaining an understanding of internal control, the auditor must gain an understanding of the:

  • Design of the internal control:

It should be capable of preventing, detecting or correcting material misstatements,;

  • Implementation of that control:

It should be operating correctly throughout the period in question.

Risk assessment procedures to obtain audit evidence about the design and implementation of relevant controls may include

  • Inquiring of personnel,
  • Observing the application of specific controls,
  • Inspecting documents and reports,
  • Tracing transactions through the information system.

Control environment

The control environment includes the governance and management functions and the attitudes, awareness and actions of those charged with governance and management concerning the entity’s internal control.  The control environment sets the tone of an organisation, influencing the control consciousness of its people.  It is the foundation for effective internal control, providing discipline and structure. The control environment is heavily influenced by management.

In evaluating the design of the control environment the auditor considers the following elements:

  • Communication and enforcement of integrity and ethical values — essential elements   which influence the effectiveness of the design, administration and monitoring of controls.
  • Commitment to competence — management’s consideration of the competence levels for particular jobs and how those levels translate into requisite skills and knowledge.
  • Participation by those charged with governance — independence from management, their experience and stature, the extent of their involvement and scrutiny of activities, the


information they receive the degree to which difficult questions are raised and pursued with management and their interaction with internal and external auditors.

  • Management’s philosophy and operating style — management’s approach to taking and managing business risks, and management’s attitudes and actions toward financial reporting, information processing and accounting functions and personnel.
  • Organisational structure — the framework within which an entity’s activities for achieving its objectives are planned, executed, controlled and reviewed.
  • Assignment of authority and responsibility — how authority and responsibility for operating activities are assigned and how reporting relationships and authorisation hierarchies are established.
  • Human resource policies and practices — recruitment, orientation, training, evaluating, counselling, promoting, compensating and remedial actions.

The existence of a satisfactory control environment can be a positive factor when the auditor assesses the risks of material misstatement and influences the nature, timing, and extent of the auditor’s further procedures. Conversely, weaknesses in the control environment may undermine the effectiveness of controls and, therefore, becomenegative factors in the auditor’s assessment of the risks of material misstatement, in particular in relation to fraud

The Entity’s Risk Assessment Process

The auditor should obtain an understanding of the entity’s process for identifying business risks relevant to financial reporting objectives and deciding about actions to address those risks, and the results thereof. The process forms the basis for how management determines the risks to be managed.

In evaluating the design and implementation of the entity’s risk assessment process, the auditor determines how management:

  • Identifies business risks relevant to financial reporting,
  • Estimates the significance of the risks,
  • Assesses the likelihood of their occurrence and
  • Decides upon actions to manage them.

If the entity’s risk assessment process is appropriate to the circumstances, it assists the auditor in identifying risks of material misstatement.

Information Systems, Including the Related Business Processes, Relevant to Financial Reporting and Communication

The information system relevant to financial reporting objectives, which includes the accounting system, consists of the procedures and records established to initiate, record,  process, and report entity transactions (as well as events and conditions) and to maintain accountability for the related assets, liabilities, and equity.

The auditor should obtain an understanding of the information system, including the following areas:

The classes of transactions in the entity’s operations that are significant to the financial statements.

The procedures, within both IT and manual systems, by which those transactions are initiated, recorded, processed and reported in the financial statements.

The related accounting records, whether electronic or manual, supporting information,   and specific accounts in the financial statements, in respect of initiating, recording, processing and reporting transactions.

How the information system captures events and conditions, other than classes of transactions that are significant to the financial statements.

The financial reporting process used to prepare the entity’s financial statements, including significant accounting estimates and disclosures.

Control Activities

The auditor should obtain a sufficient understanding of control activities to assess the risks of material misstatement at the assertion level and to design further audit procedures responsive to assessed risks. Control activities are the policies and procedures that help ensure that management directives are carried out.

Examples of specific control activities include those relating to the following:


Performance reviews, supervision.

Information processing.

Physical controls.

Segregation of duties.

Specific examples of controls would include:

  • Approval and control of documents through signing off or pre-numbering,
  • Checking the arithmetical accuracy of records,
  • Reviewing control accounts for large or unusual items,
  • Reconciling figures,
  • Matching figures or documents,
  • Limiting physical access to assets and records,
  • Matching physical existence to book records and other external data,
  • Segregating duties such as custody of assets from initiation of transactions to recording of transactions to review of transactions.


Monitoring of Controls

The auditor should obtain an understanding of the major types of activities that the entity uses to monitor internal control over financial reporting, including those related to those control activities relevant to the audit, and how the entity initiates corrective actions to its controls.

Monitoring of controls is a process to assess the effectiveness of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions modified for changes in conditions. Management accomplishes monitoring of controls through ongoing activities, separate evaluations, or a combination of the two. Ongoing monitoring activities are often built into the normal recurring activities of an entity and include regular management and supervisory activities.

In many entities monitoring generally falls on the internal audit department.  The external auditor may make use of the work of internal audit when carrying out their own work.

Limitations of Internal Control


Internal control, no matter how well designed and operated, can provide an entity with only reasonable assurance about achieving the entity’s financial reporting objectives. The likelihood of achievement is affected by limitations inherent to internal control. These include:


  • The realities that human judgment in decision-making can be faulty and that breakdown in internal control can occur because of human failures, such as simple errors or mistakes.
  • Additionally, controls can be circumvented by the collusion of two or more people or inappropriate override by management of internal control.
  • Smaller entities often have fewer employees which may limit the extent to which segregation of duties is practicable. However, for key areas, even in a very small entity, it can be practicable to implement some degree of segregation of duties or other form of unsophisticated but effective controls.
  • The potential for override of controls by the owner-manager depends to a great extent on the control environment and in particular, the owner-manager’s attitudes about the importance of internal control.
  • The costs of control may outweigh their benefits.
  • Many controls are designed to deal with routine transactions and as such may fail to detect non-routine transactions.


The existence of these limitations is the reason why the auditor just doesn’t check the system of internal control.  Irrespective of the assessed risk of material misstatements, the auditor should design and perform substantive tests for each material class of transaction, account balance and disclosure.   An auditor’s assessment of risk is judgemental and there are inherent limitations to internal control.

Small companies

Due to the size of small companies, many of the controls that would be relevant may not exist or be even practical.  In addition, their cost may severely outweigh their benefit.  These means many small companies rely on the close involvement of the owner/managers.  This can be a good thing.  However, it also gives rise to the risk of override of existing controls and the omission of transactions.

Lack of operating controls and insufficient records can cause the auditor great difficulty in carrying out an audit.

Specific controls such as segregation of duties are likely to suffer in small companies.

Auditors will be faced with additional difficulties in the event that a small company is managed by a person other than the owner.  It would be important to assess the controls exercised by the owner over the management of the company.



The auditor is required to assess the risk of material misstatements.  Misstatements can arise through inherent risks and control risks.

So the auditor is concerned with assessing policies and procedures of the entity which are relevant to the financial statements.  The auditor should:

  • Assess the accounting information system as to its adequacy in producing a set of accounts for the entity,
  • Seek to identify any potential misstatements that could occur,
  • Consider all factors that might affect the risk of misstatements,
  • Design appropriate audit procedures whose nature, timing and extent are responsive to the risks.

The assessment of controls will have a big impact on risk assessment.

Where good controls are identified, the auditors should perform work in that area to provide the necessary audit evidence.

Where there are weak controls identified the auditor needs to consider:

  • What errors could be possible,
  • Could such errors be material to the accounts,
  • What substantive procedures will enable such errors to be detected and quantified?


The existence of a satisfactory control environment can be a positive factor when the auditor assesses the risks of material misstatement and influences the nature, timing, and extent of the auditor’s further procedures. In particular, it may help reduce the risk of fraud, although a satisfactory control environment is not an absolute deterrent to fraud.

Conversely, weaknesses in the control environment may undermine the effectiveness of controls and therefore become negative factors in the auditor’s assessment of the risks of material misstatement, in particular in relation to fraud.

In some extreme cases, the control environment may be so poor as to raise questions as to whether the accounts are capable of being audited.  The control risk may be so high that audit risk cannot be reduced to an acceptable level.

Where substantive procedures alone do not provide the auditor with sufficient evidence and risks remain, the auditor should evaluate the design and determine the operational effectiveness of controls.  This is particularly important where systems are highly computerised with little or no manual intervention.


When the auditor’s assessment of risks of material misstatement includes an expectation that controls are operating effectively, the auditor should perform tests of controls to obtain sufficient appropriate audit evidence that the controls were operating effectively at relevant times during the period under audit.


Tests of controls may include the following:

  • Inspection of documents such as: have transactions been authorised,
  • Inquiries as to who carried out the controls rather than who is supposed to carry out the control,
  • Re-performance of controls such as reconciling a bank account as distinct from reviewing the bank reconciliation prepared by someone else,
  • Examination of evidence such as minutes of meetings of management team or board of directors,
  • Observation of controls in action.

When assessing the evidence, the auditors need to consider:

  • How the controls were applied,
  • The consistency with which they were applied throughout the period,
  • By whom they were applied.

The use of computer assisted auditing techniques (CAATs) may be appropriate particularly where there is a huge amount of data or complex computer systems in use by the entity. Assessment of Control Risk 

Poor controls or non-existent controls relevant to the financial statement assertions could lead to a higher degree of control risk.  The auditor will need to consider how to respond to this.

Furthermore, the auditors may find that the evidence they obtain suggests that controls did not operate as expected.  If the evidence contradicts the original risk assessment the auditors will have to amend the further audit procedures they had planned to carry out.  In particular, if control testing reveals that controls have not operated effectively throughout the period the auditor may have to extend his substantive testing.

Management Letter Reporting

At the “gaining an understanding” stage of the audit you could draw up a letter to management recommending any improvements you consider from your findings, even at this early stage.  Perhaps you have noted weaknesses in the design of a control or the actual absent of a vital control.  In addition, what you have learned here may influence the type of further audit testing you may carry out later on.

Furthermore, during your test of the operating effectiveness of controls you may uncover significant weaknesses in internal controls and these should also be communicated in writing to those charged with governance.



An effective internal control system may allow an auditor to have more confidence in the reliability of audit evidence generated internally within the entity. If there are weaknesses in the control environment, the auditor needs to:

  • conduct more procedures as of the period end rather than an interim date,
  • seek more extensive audit evidence from substantive procedures,
  • modify the nature of procedures to obtain more persuasive audit evidence.


The evaluation of the control environment will help the auditor determine whether there should be a substantive or a combined approach (tests of controls and substantive procedures).

In designing further audit procedures, the auditor should consider:

  • the significance of the risk,
  • the likelihood that a material misstatement will occur,
  • the characteristics of the class of transactions or account balances,
  • the nature of specific controls and whether they are manual or automated,
  • the evidence gathered in determining if controls are effective in preventing, or detecting and correcting material misstatements.

There are several techniques for recording the assessment of control risk.  One or more may be used depending on the complexity of the system.

1. Narrative notes


These are written descriptions of the processes and procedures.  They are easy to prepare but can become longwinded and timeconsuming.


2. Flowcharts


Diagrams setting out the flow of the process and the procedures.Great visually but can be difficult to prepare.


3. Questionnaires



Internal Control Questionnaire or

Internal Control Evaluation Questionnaire

4. Checklists  


Whatever method is used the data should be retained on the permanent audit file and updated each year where relevant.


ICQs  (Internal control questionnaires)

They comprise a list of questions designed to determine whether desirable controls are present within an entity.  They are designed to ensure that each of the major transaction cycles is covered.  Their primary purpose is to evaluate the system rather than describe it.  Therefore, a yes/no answer will suffice.

Advantages Disadvantages
They can ensure that all controls are considered Client may be able to overstate controls


Quick to prepare May be a large number of irrelevant controls


Easy to use and control


May not include unusual controls


  Can give impression that all controls are of equal weight


ICEQs (Internal control evaluation questionnaires)

These are used to determine whether there are controls which prevent or detect specified errors or omissions.  These are more concerned with assessing whether specific errors are possible rather than establishing whether certain desirable controls are present.  These questions concentrate on significant errors or omissions that could occur at each phase of a cycle if controls were weak





Queries            objectives        rather   than             specific controls Can be drafted vaguely, hence misunderstood  
Can identify key controls to be tested


Important control may not be identified


Can highlight areas of weakness




ICQ example- Goods inwards

    YES NO
1. Are goods examined on arrival, checking quantity and quality?    
2. Are these checks evidenced by appropriate person?    
3. Is the receipt recorded on a goods received note/docket?    
4. Are GRNs prepared by a person other than someone who ordered the goods and/or processes the invoice?    
5. Are the records controlled to ensure that all receipts are matched to invoices?    
6. Are records followed up for exceptions?    
7. Are these records reviewed by a responsible person?    


ICEQ example-Purchases cycle

        Is there reasonable assurance that: Answer Comment if yes
1. Goods or services could not be received without a liability being recorded?    
2. Receipt of goods is required in order to establish a liability?    
3. A liability is recorded only for authorised items and the proper amount?    
4. All payments are properly authorised?    
5. All credits due from suppliers are received?    
6. All transactions are properly accounted for?    
7. At the period end liabilities are neither overstated nor understated by the system?    
8. The balance at the bank is properly recorded at all times?    
9. Unauthorised cash payments could not be made and that the balance of petty cash is correctly recorded at all times?    




Control Objectives

1. Ordering and granting of credit Goods and services should only be given to customers with good credit background.
    Customers should be encouraged to pay promptly.
    All orders are recorded correctly.
    All orders are filled.


2. Dispatch and invoicing of goods

All despatches are recorded.

All goods and services are invoiced correctly.

    All invoices raised relate to goods and services supplied.
    Credit notes are only raised for valid reasons.


3. Transactions processing and credit control All invoices, credit notes and payments received are recorded in sales ledger and nominal ledger.
  All transactions are recorded in the correct sales ledger account.
  Cut-off is applied correctly.
  Potential bad debts are identified.


Control Activities

1. Ordering and credit approval

Segregation of duties

Authorisation of credit terms and other data

    Review of credit terms
    Document numbering
    Examination of correct pricing
    Matching of orders with despatches
    Dealing with customer queries


2. Dispatch and invoicing Authorisation of despatches
    Examination of despatches – quantity & condition
    Matching of despatches to orders and invoices and review of unmatched items
    Checking number sequence on documents
    Checking conditions of returns
    Signatures on delivery notes
    Checking pricing, quantity and details on invoices
    Checking update of stock records


3. Transactions processing and credit control

Segregation of duties

Review sequence of invoices

    Match receipts to invoices
    Review customer remittance advices
    Cut-off procedures
    Regular customer statements sent out
    Review of customer statements
    Authorisation of any adjustments to accounts
    Reconcile sales ledger to debtors control account
    Review of margins




Tests of controls

Ordering and granting of credit
1.Check that for all new customers credit references are obtained.

2. Check that authorisation by senior staff has been obtained for all new accounts.

3. Check that all new orders are only accepted for those customers adhering to the credit terms and within agreed credit limits.

4. Check that orders match production and despatch notes.

Despatches and invoicing
1. Match despatch notes with sales invoices.  Check quantity, price, calculations, VAT, posting to sales ledger and if appropriate analysis details.

2. Match sales items with inventory movement records.

3.Check non-routine sales have appropriate authorisation, supporting evidence and entry to fixed asset registers in the case of plant disposals.

4. Verify credit notes for approval, backup documentation, and entry in stock, entry in goods returned records, calculations, entry in daybook and posting to sales ledger.

5.Review sequence of despatch notes and enquire about missing numbers.

6. Review sequence of invoices and credits and enquire about missing numbers.

7.Review sequence of orders and enquire about missing numbers.

8.Review any items free of charge and check for authorisation.

Processing sales
1. Check entries in daybooks and match to invoices and credit notes.

2. Check down totals and cross totals of daybooks.

3 Check totals of daybooks match debtors control account.

4. Check individual transactions from daybooks to sales ledger accounts.

5. Check a sample of entries in sales ledger accounts back to daybooks.

6. Check calculations in sales ledger accounts.

7. Check that debtors control account is reconciled to a list of balances from the sales ledger.

8. Review and enquire about contra entries in sales ledger accounts.

9.  Examine specific sales ledger accounts to see if credit terms and limits are been adhered to.

10. Enquire and examine evidence as the follow up on overdue accounts.

11.  Check for authorisation re any write offs on an account.



Control Objectives

1. Ordering All orders are authorised, received and are actually for the entity.
    All orders are to authorised suppliers.
    Orders are at a fair price.


2. Receipts and invoices All receipts are for the entity and not for personal use.
    Receipts are only accepted if proper authorised orders exist.
    All receipts are recorded accurately.
    Liabilities are recognised for all receipts.
    All credits due are claimed and received.
3. Accounting All invoices are for orders received.
    All invoices are authorised.
    All invoices are recorded in appropriate ledgers and daybooks.
    All credits are recorded in appropriate ledgers and daybooks.
    All entries are in the correct purchase ledger account.
    Cut-off is applied correctly.



Control Activities

1. Ordering Segregation of duties
    Evidence of re-order quantities and levels
    Orders prepared from pre-numbered requisitions
    Orders authorised
    Pre-numbered order books and safe custody of such books
    Review orders not received
    Regular monitoring of supplier terms and conditions


2. Receipts and invoices Examine goods received. Checking quality and quantity
    Record receipt in goods inwards records
    Match receipts with order details
    Appropriate referencing of invoices
    Examine invoice and check price, quantity and calculations. Match to receipts and order documents
    Record all goods returned and ensure credit is claimed


3. Accounting Segregation of duties
    Record all purchases and returns in daybooks and appropriate ledgers
    Review purchase ledger and reconcile accounts to supplier statements
    Payments should be authorised only after all checking procedures complete
    Reconcile creditors control account to a list of purchase ledger accounts
    Cut-off is appropriate




Tests of controls

1.   Check that all new suppliers are authorised.

2.     Check that authorisation by senior staff has been obtained for all new orders and is within limits set.

3.   Review order books for orders not completed and enquire of same.

Receipts and invoicing
1.   Check invoices are supported by a goods received note and order, are entered in stock records, priced correctly, calculations are checked and are appropriately referenced.

2.   Check all returns are matched to a received credit note and this credit note should be traced to the stock records.

3.   Check all invoices and credit notes have been entered to the purchase ledger and the appropriate daybooks.

4.  Check all credit notes received for relevant supporting documentation.

5.    Review numerical sequence of order books, goods received notes and goods returned books and enquire of unmatched numbers or missing numbers.

6.    Enquire of supplier invoices not matched with goods received notes or orders.


Processing purchases
1.   Check all invoices and credit notes in the daybooks are evidenced as having been checked re prices, calculations, matched to orders and goods received notes and authorised for payment.

2. Check down totals and cross totals in the daybooks.

3.   Match totals in the daybooks to the control accounts.

4.    Check postings from the daybook to the appropriate purchase ledger accounts.

5.  Check a sample of purchase ledger accounts and agree transactions back to the appropriate daybooks. Check the totals of the balances.

6.  Review purchase ledger accounts for contras and enquire of same.

7.  Review supplier reconciliations and trace balances and reconciling items to the appropriate books.

8.  Confirm creditors control account agrees to list of balances of purchase ledger accounts.

9. Review creditors control for unusual transactions.



Control Objectives

1. Setting of wages and salaries

Employees only paid for work they have done

Gross pay calculated correctly and properly authorised


2. Recording Gross pay, net pay and all deductions are recorded correctly
    Payments are recorded correctly in the bank account
    Full cost is recorded in the nominal ledger


3. Payment Employees are paid exactly what they are owed


4. Deductions All deductions correctly calculated and appropriately authorised
    Revenue get paid what they are owed




Control Activities

1. Setting of wages and salaries

Segregation of duties

Personnel records should be maintained with proper employment letters etc.

    Authorisation of rates of pay, deductions
    Maintain details of holiday entitlement, advance of pay etc.
    Procedures for dealing with queries


2. Recording Records maintained of timesheets, clock cards etc.
    Review of hours worked
    Review of wages cost against budgets
    Review by senior staff of data input and calculation work by other staff including checking procedures
    Appropriate analysis codes
    Maintenance and reconciliation of wages bank account


3. Payment Custody of cash procedures
    Segregation of duties
    Verification of identity
    Preparation of pay packets, cash, cheque, payslip etc.
    Records of amounts distributed
    Authorisation of cheques and bank transfers
    Dealing with queries


4. Deductions Maintenance of separate records for each employee
    Review deductions as between differing periods
    Review control accounts for deductions




Tests of controls

Setting of wages and salaries
1.  Check that wages summary is approved for payment.

2. Review details for changes from previous period and check for authorisation for differences.

3.   Check letters of employment exist for all new employees and relevant forms are prepared for all leavers.

4.    Check calculation of gross pay and agree rate of pay to authorised pay, hours worked etc.

5.    Check a sample of names on payroll lists to phone records, floor plans etc.


1.   Reconcile wages to previous weeks payroll, timesheets, changes in pay rates etc., looking for unusual or explained variances.

2.  Re-perform key calculations and seek evidence of controls checking.

3.  Check down totals and cross totals on payroll sheets and trace to the appropriate ledger accounts.

4.   Review all payroll control accounts.

5.   Enquire as to payroll queries from staff.


1.   If cash payments made, attend such an event and note procedures.

2.  Compare pay packets with list of payments to be made.

3.    Ensure signatures for all packets collected and enquire about uncollected packets.

4.    Review list of cheques/ bank transfer list and agree back to payroll details.


1.  Check calculations on payroll details and that authorisation does exist.

2.   Check down totals on payroll summaries and match to entries in appropriate ledger accounts.

3.  Examine third party documentation.

4. Review the deduction control accounts and compare against previous periods.




Control Objectives

1. All monies received are recorded, processed to the appropriate ledger accounts and banked where necessary
2. Cash and cheques are safeguarded from loss through theft or otherwise
3. All payments are authorised, properly recorded and made to the correct person
4. Duplicate payments are avoided


Completeness of income (recording of all cash receipts) is extremely important.  If there are inadequate controls, these may cause limitations in the scope of your audit.

Segregation of duties is vital when dealing with cash.  The receiving, recording, banking and reconciling functions should ideally be done by separate persons within an entity.

Control Activities

1. Cash at bank and in hand- receipts

Segregation of duties

Post opening procedures. Safeguards over security, supervision, listing of items when opened, cheques crossed, remittance stamped.

  Policy over who can receive cash, pre-numbered company receipts books.  Ensure safe custody.
  Regular clearance of cash registers and matching to till rolls.
  Reconcile cash collection with sales records.
  Investigation of shortages/surpluses.
  Prompt recording of receipts in daybooks and ledger accounts.
  Daily bankings, matching cash records with bank lodgement receipt slip.
  Authorisation to open bank accounts.
  Set limits on cash floats. Regular review and authorisation.
  Restrictions on payment out of cash receipts.
  Access controls over cash.
  Surprise cash counts.
  Bank reconciliation process. Follow up of un-reconciled transactions.


2. Payments – cash and cheques Custody over supply and issue of cheques, especially ones with printed signatures.
  Restrictions on issue of incomplete cheques or signing blank cheques.
  Cheque requisitions with appropriate supporting documentation and approval.
  Authority limits to sign cheques.  Keep separate from approval process. No signatures without full documentation.
  Prompt despatch of signed cheques and recording in daybooks and ledgers.
  Authorisation and suitable backup documentation for cash payments.
  Separate cashier listing payments to person recording in daybooks and ledgers.
  Limits on cash disbursements.




Tests of controls

Receipts received by post
1.Observe that post opening procedures are followed.

2.  Observe that all cheques received are crossed for protection.

3.  Trace items in the rough cash list to the cash book and appropriate ledgers.

4.   Verify amounts received agree with remittances advices.


Cash sales
1. Verify takings against till rolls.

2. Check takings to bank slip when lodged.


1.Trace amounts to cash book from appropriate collection sheets.

2.  Verify goods sent for collection have matching receipts.

3. Review numerical sequence of collection books.


Cash receipts book
1. Check a sample of entries in the daybook back to till rolls, collection sheets or rough cash sheets.

2.  Check entries in daybook to bank statement to ensure daily lodging.

3.   Check down totals and cross totals of daybook and trace totals to the nominal ledger.

4. Check transactions in daybooks to appropriate sales ledger accounts.

5.  Review the daybook and check for large or unusual items.


Cash payments book
  • Check a sample of payments recorded to supporting documentation. Suppliers’ statements, copy paid cheques.
  •  Ensure cheque amounts are within authority limits for signing.
  •  Check that invoices to be paid have been verified and passed for payment and that a “paid” stamp is inserted on such invoices.
  • Check the numerical sequence of cheque numbers and enquire as to missing numbers.
  • Trace transfers to other bank accounts, cash records etc.
  • Check additions and trace totals to the nominal ledger.
  • Check transactions in daybooks to appropriate purchase ledger accounts.
  • Review the daybook and check for large or unusual items.
  • Review bank reconciliations. Check balances and un-reconciled items against daybooks and other supporting information. Check done on a regular basis and review for any unusual items.


Petty Cash
  • Check a sample of payments to supporting documentation and appropriate approval.
  •  Ensure vouchers have been marked and signed off to prevent re-use.
  •  Trace a sample of amounts received to cash books and to relevant ledgers.
  •  Check additions of petty cash book and trace summary totals to the nominal ledger.




Control Objectives

1. Recording of stock All movements are recorded and authorised
  Record only items that belong to entity
  Records show all inventory that exists and is in stock
  All quantities are recorded correctly
  Proper cut-off procedures apply


2. Safeguarding of stock Loss, theft or damage is guarded against
3. Valuation of stock Stock is priced correctly


4. Holding of stock Levels of stock are reasonable



Control Activities

1. Recording of stock Segregation of duties between custody and recording of stock
  Checking receipt and recording of goods received
  Checking appropriate documentation of movement
  Maintenance of stock records. Ledger cards, bin cards etc.


2. Protection of stock Access rights to stock
  Controls over environment
  Security over third party stock on-site and stock on third party property
  Stock takes – Procedures, supervision, control, cut-off, recording.
  Reconciliation of book stock to physical.


3. Valuation of stock Checking calculations
  Compliance with accounting standards, company law etc.
  Examine condition of stock and provide for slow moving, obsolete or damaged stock
  Authorisation for any write offs and appropriate accounting for such


4. Holding of stock Agreed levels, regular review
  Max/min levels and re-order levels



Tests of controls

Recording movement of stock
1.     Select a sample of stock movements and trace back to either goods received notes or despatch notes.

2.     Confirm all movements were authorised.

3.     Select a sample of items from the goods received notes and the despatches and agree to the stock movement records.

4.     Check the sequence of records and enquire about potential missing items.


Safeguarding of stock
1.     Test check counts carried out and ascertain whether all discrepancies between book stock and actual physical stock levels have been investigated.

2.     All variances should be signed off by a senior member of staff.

3.     Slow moving, obsolete or damaged stock should be marked as such and should be written down in value. Trace a sample of these items through to the stock valuation reports.

4.     Note the security arrangements.


Valuation of stock
1. Tests are generally of a substantive nature rather than testing controls but you should review stock sheets prepared at stock take, taking note of slow moving, obsolete items etc.


Holding of stock
1. Examine stock records to check whether max/min levels are observed and whether reorder levels are applied.



(Visited 37 times, 1 visits today)
Share this:

Written by 

Leave a Reply

Your email address will not be published. Required fields are marked *