Systems and controls

Effect of controls on the audit

 

This  considers the basic components of control systems and how the auditor fulfils their objectives for assessing control risk.

 

The auditor will ascertain the internal control system to assess whether it is likely to be reliable. If so, they will test the controls to ensure they are in place and working effectively.

 

Impact of tests of controls on the audit strategy and plan

 

The extent of substantive testing to be carried out will depend on the results of the tests of controls which will affect the auditor’s assessment of control risk.

 

 

If control risk is low

 

• The auditor can place more reliance on internal controls and evidence generated internally within the entity.

 

• This increases the appropriateness of interim audit testing and allows the auditor to reduce the quantity of detailed substantive procedures performed at the final audit stage.

 

• The audit strategy and plan will be updated to reflect that fewer substantive procedures may be required or smaller sample sizes can be tested at the final audit stage.

 

If control risk is high

 

• Increase the volume of procedures conducted at and after the year-end. [ISA 330, A2]

 

• Increase the level of substantive procedures, in particular, tests of detail. [ISA 330, A2]

 

• Increase the locations included in the audit scope. [ISA 330, A2]

 

• Place less reliance on analytical procedures as the information produced by the client’s systems is not reliable.

 

• Place less reliance on written representations from management if the control environment generally is considered to be weak.

 

• Obtain more evidence from external sources e.g. external confirmations from customers and suppliers.

 

• Update the audit strategy and plan to reflect the additional testing required at the final audit stage.

 

Limitations of internal controls

 

The auditor can never eliminate the need for substantive procedures entirely because there are inherent limitations to the reliance that can be placed on internal controls due to:

 

• Human error. [ISA 315, A54]

 

• Ineffective controls. [ISA 315, A54]

 

• Collusion of staff in circumventing controls. [ISA 315, A55]

 

• The abuse of power by those with ultimate controlling responsibility (i.e. management override). [ISA 315, A55]

 

• Use of management judgment on the nature and extent of controls it chooses to implement. [ISA 315, A56]

 

As a result, the auditor must always perform substantive testing on material balances in the financial statements. [ISA 330, 18]

 

2      Components of an internal control system

 

ISA 315 Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and its Environment, states that auditors need to understand an entity’s internal controls. To assist this process it identifies five components of an internal control system:

• The control environment

 

The control environment includes the governance and management function of an organisation.

 

It focuses largely on the attitude, awareness and actions of those responsible for designing, implementing and monitoring internal controls.

 

[ISA 315, A77]

 

Elements of the control environment that are relevant when the auditor obtains an understanding include the following:

 

• Communication and enforcement of integrity and ethical values

 

• Commitment to competence

 

• Participation by those charged with governance

 

• Management’s philosophy and operating style

 

• Organisational structure

 

• Assignment of authority and responsibility

 

• Human resource policies and practices.

 

[ISA 315, A78]

 

When assessing the control environment the auditor may also consider how management has responded to the findings and recommendations of the internal audit function regarding identified deficiencies in internal control relevant to the audit, including whether and how such responses have been implemented, and whether they have been subsequently evaluated by the internal audit function. [ISA 315, A80]

 

Evidence regarding the control environment is usually obtained through a mixture of enquiry and observation, although inspection of key internal documents (e.g. codes of conduct and organisation charts) is possible.

 

• The risk assessment process

 

The risk assessment process forms the basis for how management determines the business risks to be managed, i.e. threats to the achievement of ongoing business objectives. These processes will vary depending on the nature, size and complexity of the organisation. [ISA 315, A88]

 

Threats to business objectives can lead to misstatement in the financial statements, e.g. non -compliance with laws and regulations may lead to fines and penalties, which require disclosure or provision in the financial statements.

 

If the client has robust procedures for assessing the business risks it faces, the risk of misstatement overall will be lower.

 

(iii)    The information system

 

The information system refers to all of the business processes relevant to financial reporting and communication. It includes the procedures within both information technology and manual systems.

 

The information system includes all of the procedures and records which are designed to:

 

• Initiate, record, process and report transactions.

 

• Maintain accountability for assets, liabilities and equity.

 

• Resolve incorrect processing of transactions.

 

• Process and account for system overrides.

 

• Transfer information to the general/nominal ledger.

 

• Capture information relevant to financial reporting for other events and conditions.

 

• Ensure information required to be disclosed is appropriately reported. [ISA 315, A90]

 

(iv)  Control activities

 

The control activities include all policies and procedures designed to ensure that management directives are carried out throughout the organisation.

 

Examples of specific control activities include those relating to:

 

• Authorisation

 

• Performance review

 

• Information processing

 

• Physical controls

 

• Segregation of duties. [ISA 315, A99]

 

 Examples of control activities

 

Authorisation – approval of transactions prior to being processed

 

• A manager signing off an employee’s timesheet to confirm that the hours stated have been worked and can be paid. This should ensure the employee is not claiming for hours not worked.

 

• A manager signing a purchase order to confirm the order can be placed with the supplier. This should ensure that the goods are for a valid business use and the items are needed.

 

Performance review – to identify unusual differences between data

 

• Managers should compare actual spend against budgeted spend to detect unusual fluctuations. If actual spend is significantly higher than budget the department may have spent more than it should or it could indicate an error when processing the transactions.

 

• Management may compare the company’s results with those of competitors as a benchmark.

 

Information processing – to ensure completeness and accuracy of processing

 

• Preparation of a bank reconciliation to ensure cash transactions have been recorded completely and accurately.

 

• Batch totals used when inputting data to ensure items are not omitted.

 

Physical controls – to prevent unauthorised access

 

• Restrictions on access to assets such as keeping cash in a safe to prevent theft.

 

• Password restrictions to prevent unauthorised access to computer files.

 

Segregation of duties – Assigning the responsibility for recording transactions, authorising transactions and maintaining custody of assets to different employees to prevent the risk of fraud and error.

 

• Warehouse staff should not be responsible for the inventory count as this would not detect if goods were being stolen by staff throughout the year.

 

• Employees who authorise transactions should not be the ones who originate the transaction.

 

IT controls

 

IT affects the way in which control activities are implemented. It is important that auditors assess how controls over IT maintain the integrity and security of information held. Such controls are normally divided into application and general controls. [ISA 315, A107]

 

An effective IT system should include both application and general control procedures.

 

Application controls

 

Application controls are either manual or automated and typically operate at the business process level. Application controls relate to data integrity and ensure that only valid data is being processed and is being processed completely and accurately. [ISA 315, A109]

 

Examples include:

 

• Batch total checks (e.g. when entering invoices onto the system the system may give a batch total i.e. the number of invoices actually entered. The clerk entering the invoices can then double check that the correct number of invoices has been entered and none have been missed or entered twice).

 

• Sequence checks (to ensure the number sequence is complete and no items are missing).

 

• Matching master files to transaction records (e.g. sales invoice discounts to ensure the prices/discount levels being applied are correct).

 

• Arithmetic checks (to verify arithmetical accuracy).

 

• Range checks (to ensure that data stays within reasonable ranges).

 

• Existence checks (e.g. to check employees exist).

 

• Authorisation of transaction entries (to ensure the transaction is valid and should be processed).

 

• Exception reporting (the system may generate an exception report when something which isn’t usual has occurred e.g. changes to bank details of employees which wouldn’t be expected to change often).

 

General controls

 

General IT controls are policies and procedures that relate to many applications. They support the effective functioning of application controls by helping to ensure the continued proper operation of information systems.

 

E.g. controls over:

 

• Data centre and network operations e.g. not allowing non-company issued laptops to connect to the network.

 

• System software acquisition – tendering, testing, controls during installation, training.

 

• Program change and maintenance – testing, authorisation, restricted access.

 

• Access security – passwords, door locks, swipe cards.

 

• Business continuity/disaster recovery – back up procedures to enable data to be restored, backup power supply.

 

[ISA 315, A108]

 

• Monitoring of controls

 

This is the client’s process of assessing the effectiveness of controls over time and taking necessary remedial action. If a control is not implemented properly, or is simply considered ineffective, misstatements may pass undetected into the financial statements.

 

Monitoring can be either ongoing or performed on a separate evaluation basis (or a combination of both).

 

[ISA 315, A110]

 

Monitoring of internal controls is often the key role of internal auditors.

 

3         Ascertaining the systems

 

Procedures used to obtain evidence regarding the design and implementation of controls include:

 

• Enquiries of relevant personnel.

 

• Observing the application of controls.

 

• Tracing a transaction through the system to understand what happens (a walkthrough test).

 

• Inspecting documents, such as internal procedure manuals.

 

It should also be noted that enquiry alone is not sufficient to understand the nature and extent of controls.

 

Auditors can also use their knowledge of the client and the operation of the systems from prior years. However, the auditor cannot simply rely on their knowledge from the prior year audit as changes may have occurred. Systems knowledge must be updated and the systems tested once more.

 

4         Documenting client systems

 

The auditor must document the client’s control systems before evaluating whether the system is adequate and working effectively.

 

Possible ways of documenting systems include:

 

• Narrative notes – a written description of a system.

 

• Flowcharts – diagrammatical representation of the system.

 

• Organisation chart – diagram showing reporting lines, roles and

 

• Questionnaires – a prepared list of questions in relation to the clients control system. There are two types of questionnaire that can be used:

 

Internal Control Questionnaire (ICQ) – a list of controls is given to the client and they are asked whether or not those controls are in place.

 

Internal Control Evaluation Questionnaire (ICEQ) – the client is asked to describe the controls they have in place for a given control objective. A control objective identifies the risk that the entity needs to manage.

 

ICQ wording	ICEQ wording
Does a supervisor authorise all	How does the company ensure that
weekly timesheets?	only hours worked are recorded on
	timesheets?
Does the company perform a	How does the company try to
regular credit check on all	minimise the risk of irrecoverable
customers?	debts?
Does a manager or director	How does the company ensure
authorise purchase orders	goods are only purchased for a valid
before an order is place?	business use?
Is a bank reconciliation	How does the company ensure
performed regularly?	discrepancies in the cash book are
	identified and resolved?
Is a regular inventory count	How does the company ensure its
performed?	inventory system is up to date and
	discrepancies in the inventory
	records are identified?
Is a regular reconciliation	How does the company ensure the
performed between the physical	non-current asset register is up to
non-current assets and the non-	date and accurate?
current asset register?

 

The method adopted is a matter of auditor judgment.

 

	Documentation	Advantages		Disadvantages
	Method
	Narrative notes	•	Simple to record	•	May be time consuming
		•	Facilitate		and cumbersome if the
					system is complex
			understanding by all
			audit staff	•	May be more difficult to
					identify missing controls
	Flow charts	•	Easy to view the	•	May be difficult to amend
			whole system in one		as the whole diagram may
			diagram		need to be re-drawn
		•	Easy to spot	•	There is still a need for
			missing controls due		narrative notes to
			to the use of		accompany the flow chart
			standard symbols		increasing the time
					involved to document the
					system fully
	Internal control	•	Quick to prepare	•	Controls may be
	questionnaires	•	Can ensure all		overstated as the client
	(ICQs)				knows the answer the
			controls are present
					auditor is looking for is
					‘yes’
				•	Unusual controls are
					unlikely to be included on
					a standard questionnaire
					and may not be identified
				•	May contain a number of
					irrelevant controls
	Internal control	•	The client has to	•	The client may still
	evaluations		respond with the		overstate controls as they
	(ICEs)		control they have in		may say a control is in
			place rather than a		place for the control
			yes/no answer		objective even if it is not
			which should mean	•	The checklist may contain
			controls are less
					control objectives not
			likely to be
					relevant to the client
			overstated
				•	Unusual risks and
		•	Quick to prepare as
					therefore objectives may
			a list of control
					not be identified
			objectives can be
			compiled and the
			client is asked what
			controls they have
			in place to address
			them

 

5      Testing the system

 

A test of control involves the auditor obtaining evidence that the client has implemented the controls they say they have, and that they have worked effectively, during the period.

 

Typical methods of controls testing include:

 

• Observation of control activities, e.g. observing the inventory count to ensure it is conducted effectively and in accordance with the count instructions.

 

• Inspection of documents recording performance of the control, e.g. inspecting an order for evidence of authorisation.

 

• Computer assisted audit techniques (such as test data to ensure the programmed controls are working effectively. See the ‘Evidence’ ).

 

 

Designing valid tests of controls

 

To design a test of control the auditor must first identify the controls they want to test.

 

A control is an activity applied in addition to the normal processing of the system to ensure that the system has operated as it should.

 

Just because errors have not been made does not mean that controls have worked effectively. The person performing the processing may not have made any errors. There may have been no controls in place.

A control would be an additional activity to ensure the person has not made any errors.

 

For example if the client claims to perform bank reconciliations the auditor should look at the file containing the reconciliations to verify that they are done and then re-perform the reconciliation to ensure it has been done properly to test the effectiveness of the control. Simply performing the reconciliation and finding that it reconciles does not prove that the client has done the reconciliation themselves. Therefore, re-performance of the reconciliation on its own is not a valid test of control.

 

Similarly, performing a sequence check on a set of documents does not mean the client has performed a sequence check. It may just mean that no documents have gone missing. A sequence check is the control to ensure that no documents have gone missing.

 

6         Communicating control deficiencies

 

ISA 265 Communicating Deficiencies in Internal Control to Those Charged with

Governance and Management requires the auditor to:

 

• Communicate any deficiencies that are of sufficient importance to merit management’s attention to management, and

 

• Communicate significant deficiencies to those charged with governance. [ISA 265, 9 & 10]

 

Deficiencies occur when:

 

• A control is designed, implemented or operated in such a way that it is unable to prevent, or detect and correct misstatements in the financial statements on a timely basis, or

 

• A control necessary to prevent, or detect and correct, misstatements in the financial statements on a timely basis is missing.

 

[ISA 265, 6a]

 

Significant deficiencies are those which merit the attention of those charged with governance. [ISA 265, 6b]

 

Examples of matters the external auditor should consider in determining whether a deficiency in internal controls is significant include:

 

• The likelihood of the deficiencies leading to material misstatements in the financial statements in the future.

 

• The susceptibility to loss or fraud of the related asset or liability.

 

• The subjectivity and complexity of determining estimated amounts.

 

• The financial statement amounts exposed to the deficiencies.

 

• The volume of activity that has occurred or could occur in the account balance or class of transactions exposed to the deficiency or deficiencies.

 

• The importance of the controls to the financial reporting process.

 

• The cause and frequency of the exceptions detected as a result of the deficiencies in the controls.

 

• The interaction of the deficiency with other deficiencies in internal control. [ISA 265, A6]

 

The auditor communicates the deficiencies in a management letter or report to management. It is usually sent at the end of the audit process.

 

In the exam you may be required to prepare extracts for inclusion in a report to management. This requires you to identify and explain the deficiencies within the control system described in a scenario. You will have to suggest a recommendation to overcome each deficiency.

 

Deficiency                              A clear description of what is wrong.

 

Consequence                       What could happen if the deficiency is not corrected?

 

Focus on what matters to the client – the risk of lost profits, stolen assets, extra costs, errors in the accounts.

 

Recommendation             This must deal with the specific deficiency you have

 

observed. It must also provide greater benefits than the cost of implementation.

 

Try to specify exactly how the recommended control would operate including suggesting who should carry out the control procedures, and how frequently it should be performed.

 

When the auditor reports deficiencies, it should be made clear that:

 

• The report is not a comprehensive list of deficiencies, but only those that have come to light during normal audit procedures.

 

• The report is for the sole use of the company.

 

• No disclosure should be made to a third party without the written agreement of the auditor.

 

• No responsibility is assumed to any other parties.

 

If you are asked for a covering letter in the exam, you should include the above matters within it.

 

 

Management letter extract

 

Deficiency	Consequence	Recommendation
Purchase invoices	There is a possibility	All invoices should be
were missing from	that purchases and	sequentially filed on
the sequentially	liabilities are not	receipt by the
numbered invoice	completely recorded.	accounts department.
file.	This could result in	Regular sequence
	late payment of	checks should be
	invoices which could	performed to ensure
	cause damage to the	completeness. Any
	company’s	missing items should
	relationship with the	be investigated and
	supplier resulting in	copies requested if
	removal of credit	necessary.
	terms or discounts.

 

Objectives

 

The objectives of controls in the sales system are to ensure that:

 

Stage	Objective
Ordering	•	Goods are only supplied to customers who pay
		promptly and in full.
	•	All orders are processed.
Despatch	•	Orders are despatched promptly and in full to
		the correct customer.
	•	All orders are despatched.
Invoicing	•	All goods despatched are invoiced.
	•	Invoices are raised accurately.

 

Recording	•	Only valid sales are recorded.
	•	All sales and related receivables are recorded
		and in the correct accounts.
	•	Revenue is recorded in the period to which it
		relates.
	•	Sales are recorded accurately and related
		receivables are recorded at an appropriate
		value.
Cash received	•	Cash received is allocated against the correct
		customer and invoices to minimise disputes.
	•	Overdue debts are followed up on a timely
		basis.
	•	Irrecoverable debts identified and written off
		appropriately.

 

 



Test your understanding 1

 

Murray case study: Sales cycle

 

Ordering

 

For all new customers, a sales manager completes a credit application which is checked with a credit agency and a credit limit is entered onto the sales system by the credit controller. The sales system prompts sales managers to complete an annual credit check for existing customers, and the credit controller amends or approves existing credit limits for these customers. Approved customers are assigned with a unique customer account number.

 

Orders are placed with the sales team. The orders are entered onto the sales system by a sales assistant. The system automatically checks that the goods are available and that the order will not take the customer over their credit limit. The system generates two order confirmations, one of which is sent to the customer by mail/email confirming the goods ordered and likely despatch date, the other is retained on file.

 

Goods despatch

 

The warehouse receives the order electronically and goods despatch notes (GDNs) are generated automatically. A member of the warehouse team packs the goods from the GDN and a second member of the team double checks the goods packed to the GDN, signing the GDN to evidence the check.

 

Two copies of the GDN are sent with the goods ordered. One copy is retained by the customer and the other is signed by the customer and returned to Murray Co to confirm receipt of the goods and retained by the warehouse.

 

A copy of the GDN is sent to the sales team who update the system, confirming despatch of the goods. A weekly report is sent automatically to the sales manager who follows up on any incomplete orders with the warehouse manager.

 

Invoicing

 

Once despatched, a copy of the GDN is sent to the accounts team at head office and a sequentially numbered sales invoice is raised from the GDN. Periodically a computer sequence check is performed for any missing sales invoice numbers.

 

When the invoice is sent to the customer, the system GDN is marked as “invoiced”. A system report is reviewed by the senior accountant on a fortnightly basis for any GDNs that have not been invoiced. The report is printed and signed as evidence of review.

 

The system generates customer invoices using the company price list, which is updated quarterly. Discounts must be requested by a sales manager and authorised by the sales director to allow the accounts team to raise an invoice.

 

Recording transaction

 

The receivables ledger is reviewed for credit balances by the senior accountant on a monthly basis and the receivables ledger is reconciled with the receivables ledger control account on a monthly basis by the sales ledger manager and reviewed by the company accountant.

 

Monthly customer statements are sent to customers.

 

Cash receipt

 

Receipts are counted by the office assistant, recorded by the cashier in the cash book, and the sales ledger clerk is notified of the receipt. The sales ledger clerk agrees the amount received to the amount invoiced and marks the invoice as paid.

 

The credit controller reviews the aged receivables analysis on a fortnightly basis and investigates any old balances. Overdue debts are chased with a telephone call initially, followed by a copy invoice, and then a warning letter before the debt is passed to a debt collection agency.

 

Required:

 

Identify and explain the controls in Murray Co’s sales system and suggest how the auditor would test those controls.

 

Illustration 1: Murray Co goods despatch note

 

The key document in the sales cycle is the goods despatch note:

 

Murray Co				Goods Despatch Note
“Supplying Equipment to the Sporting Nation”				Ref: AB123456MC
		www.murraysports.com
				Murray Company
				1 Murray Mound,
				Wimbledon, London
				WN1 2LN
Destination
Customer Ref: W004				Order Number:
Customer Name: Winners Co				ZY987654WS
Customer Address: 2 Edinburgh St,
Dunblaine, Scotland DL2 2ES
Line  Product		Description	Quantity Quantity
Number				Quality and
				quantity of
				goods checked
				and agreed

 

 

001	4378493729	Tennis racket	24
002	3257845743	Tennis balls	6
		(packs of 6)

 

Yes

 

Yes

 

 

003	4357849574	Tennis court net	3
004	3473895789	Tennis	3
		scoreboard

 

Yes

 

Yes

 

 

005	4574895743	Winner’s trophy	1
006	3457435437	Runner-up	1
		trophy
007	4830998543	Participant’s	24
		medal

 

Signed:

 

Yes

 

Yes

 

Yes

A Warehouse Packer

Objectives

 

The objectives of controls in the purchases system are to ensure that:

 

Stage	Objective
Ordering	•	All purchases are made with suppliers who
		have been checked for quality, reliability and
		pricing.
	•	Purchases are only made for a valid business
		use.
	•	Orders are placed taking consideration of
		delivery lead times to avoid disruption to the
		business.
Goods received	•	Only goods ordered by the company are
		accepted.
	•	Goods received are recorded promptly.

 

Invoice received	•	Invoices received relate to goods actually
		received.
	•	Invoices received relate to the company.
	•	Invoices received are correct in terms of
		quantities, prices, discounts.
Recording	•	All purchases and related payables are
		recorded.
	•	Purchases are recorded accurately and related
		payables are recorded at an appropriate value.
	•	Purchases are recorded in the period to which
		they relate.
	•	Purchases and payables are recorded in the
		correct accounts.
Cash payments	•	Payments are only made for goods received.
	•	Payments are only made once.
	•	All payments are made on time.

 

 

Test your understanding 2

 

Murray case study: Purchases cycle

 

Ordering

 

Goods or services are obtained by placing a purchase requisition with the centralised purchasing department. Requisitions are sequentially pre-numbered and a weekly sequence check is performed. All requisitions must be authorised by an appropriate manager.

 

On receipt of a purchase requisition, a purchase officer agrees the manager’s signature to the signatory list held on file and checks inventory levels where appropriate. Orders are placed with suppliers using sequentially pre-numbered purchase orders.

 

Orders can only be placed with suppliers from the approved supplier list. Suppliers can only be added to the approved suppliers list by the procurement team once the terms of the contract have been agreed, and references obtained. Written confirmation is requested for all orders placed, and the purchase officer agrees the quoted price against the agreed price list and ensures any bulk discounts to which Murray Co is entitled, have been honoured.

 

Goods receipt

 

Goods are received into the central warehouse. Goods are inspected for condition and quantity by a warehouse operative, and agreed to the purchase order before the supplier’s delivery note is signed to accept the goods.

 

A sequentially pre-numbered goods received note (GRN) is prepared by the warehouse team manager, and grid-stamped. The grid stamp is signed by the warehouse operative to confirm that the goods have been inspected for condition and quantity and agreed to the purchase order.

 

The warehouse manager updates the inventory system on a daily basis from the prepared GRNs. The warehouse manager checks the sequence of purchase orders received on a weekly basis and informs the purchasing department of any missing orders so that they can be followed up.

 

Invoicing

 

On receipt of an invoice by the head office accounts team, the invoice is matched to and filed with the relevant GRN, using the purchase order number marked on the invoice (if there is no purchase order number marked on the invoice, this must be obtained from the supplier). The invoice number is noted on the GRN grid stamp. The invoice is also checked to the original purchase order to ensure the agreed prices and discounts have been honoured.

 

A monthly check of GRNs is made by the purchases ledger manager, to identify any GRNs for which no invoice has been received.

 

Recording transaction

 

The purchases ledger clerk enters invoices into the system in batches. A batch control sheet is used, which details the number of invoices and the total value. These details are checked to the system batch report.

 

Each invoice is stamped as “recorded” once the details have been entered onto the system. The purchase ledger manager inspects the file of invoices on a monthly basis to ensure that all invoices have been recorded.

 

Suppliers are required to submit monthly supplier statements, which are reconciled to the supplier’s ledger account by the purchases ledger manager. The purchase ledger is reconciled to the purchase ledger control account on a monthly basis by the purchase ledger manager, and reviewed by the company accountant.

 

Cash payment

 

The list of payments is sent to the company accountant, who agrees the details of each payment to the relevant invoice and signs each invoice to authorise payment and evidence the check. The list of payments is signed by the accountant once all invoices have been checked, and sent to the cashier’s office for payment.

 

If any individual payment is for more than $25,000 or total payments are for more than $250,000 a second signatory is required. These payments must also be checked and signed by either the financial controller, or finance director.

 

Payments are made by the cashier’s office by bank transfer. Invoices are stamped as “paid”, and returned to the purchases ledger team who record the payment and file the invoices (separately from invoices not yet paid).

 

The purchase ledger manager checks GRNs on a monthly basis to ensure that invoices have been received and paid on a timely basis.

 

Required:

 

Identify and explain the controls in Murray Co’s purchases system and suggest how the auditor would test those controls.

 

 

Illustration 2: Murray Co goods received note

 

The key document in the purchases cycle is the goods received note:

 

Murray Co			Goods Received Note
Quality of goods checked			A2012/123478
Purchase Order number:
MC/34324832809/RC
Date of receipt: 31st August 20X4
Time of receipt: 12:48pm
Description	Quantity	Quantity	Quality of goods
	ordered	received	checked
Vectran	75kg	75kg	Yes

 

 

Sign to confirm

 

quantity and quality of

goods checked:       Warehouse Operative

 

Inv

Problems with fraud

 

Fraud is specifically designed to mislead people. Consider the following example:

 

• A company only deals with suppliers on a list authorised by the finance director (FD).

 

• Payments to suppliers are made after the purchases clerk identifies the monthly payments to be made and prepares the cheques.

 

• The cheques are signed by the FD, who confirms the amounts paid and supplier names to supporting documentation.

 

• The cheques are countersigned by the managing director, who does not check the details but has a good knowledge of who the suppliers are.

 

• This appears like a sensible combination of authorisation controls and segregation of duties. The auditor would place reliance on the control system and reduce substantive testing of purchases.

 

However, now consider the implication if one of the suppliers is actually controlled by the FD. The supplier regularly overcharges the company and the purchases clerk is being bribed by the FD in return for their silence.

 

It is for this reason that the auditor must always perform some substantive procedures and must always maintain an attitude of professional scepticism.

 

 

Non-current assets

 

Expenditure on non -current assets should be controlled in a similar way to other purchases. However, because of the significant amounts involved, additional controls should be in place.

 

Control objectives:

 

• Assets are only purchased if there is a business need.

 

• Assets are purchased at an appropriate price.

 

• The company can afford the capital expenditure proposed.

 

• Capital expenditure is appropriately treated in the accounting records.

 

• Capital expenditure is completely and accurately recorded in the accounting records.

 

• Assets are covered by adequate insurance to prevent loss to the company.

 

• Documents relating to assets are safeguarded from theft or damage.

Control	Test of control
Requisitions for capital	Inspect the requisition for the
expenditure should be made by	signature of the person
an appropriate person.	requisitioning the assets.
	Ensure this is a person of
	suitable authority by agreeing
	the name to a list of people
	authorised to make such
	requisitions.
Authorisation for purchases of	Inspect the purchase order for
non-current assets should be at	signature of appropriate senior
a more senior level.	person(s).
Several quotations should be	Inspect the purchase
obtained before purchase in	requisition for the quotations to
order to obtain the best price.	ensure they have been
	obtained.
An annual capital expenditure	Inspect the annual budget to
budget for each department	ensure it has been prepared.
should be prepared and	Inspect board minutes to
authorisation should only be
	confirm the budget has been
given for purchases which have
	approved by the board.
been budgeted.
	Inspect orders for capital
	expenditure items to ensure
	they have been authorised by
	a responsible official.
Regular review of revenue	Inspect management
expenditure should be	accounts/revenue expenditure
performed to ensure items of a	lists for evidence of review.
capital nature have not been	Enquire of management how
written off in error.	discrepancies are dealt with.
A regular reconciliation of the	Inspect the reconciliation of the
asset register to the physical	asset register and evidence of
assets held should be	approval by a senior person to
performed.	ensure the reconciliation has
	been performed correctly.

 

	An asset register should be	Inspect the asset register to
	maintained which includes cost,	ensure details expected to be
	depreciation, location,	recorded have been recorded
	responsible employee,	to ensure good control is
	insurance details, etc.	maintained over assets.
	Adequate insurance cover	Inspect insurance policies to
	should be purchased.	ensure they are in place.
		Review the policies to
		ascertain the level of cover in
		place and compare this with
		the value of assets to ensure it
		is sufficient.
	Documentation such as title	Inspect the storage facilities for
	deeds, vehicle registration	important documentation to
	documents, insurance policies,	ensure it is appropriately
	etc. should be stored in a	secure and adequate back ups
	secure, fire-proof location.	have been maintained in case
		of a fire or flood.

Objectives

 

The objectives of controls in the payroll system are to ensure that:

 

Stage	Objective
Clock cards (or timesheets)	•	Employees are only paid for work
submitted.		actually done.
Payroll calculation	•	Only genuine employees are paid.
	•	Employees are paid at the correct
		rates of pay.
	•	Gross pay is calculated and
		recorded accurately.
	•	Net pay is calculated and
		recorded accurately.
Standing data amendments	•	Standing data is kept up to date.
	•	Access to standing data is
		restricted to prevent fraud or error
		occurring.
Recording	•	All payroll amounts are recorded.
	•	Payroll amounts are recorded
		accurately.
	•	Payroll costs are recorded in the
		period to which they relate.
Payments to employees and tax	•	Correct amounts are paid to the
authorities		employees and taxation
		authorities.
	•	Payments are made on time.
	•	Payments are only made to valid
		employees.

 

Test your understanding 3

 

Murray case study: Payroll cycle

 

Clock cards submitted and input

 

Murray Co employs a total of 300 people, 200 of these being workers who are paid weekly in cash. Weekly paid workers are required to record their times of arrival and departure at the factory using a clock card which is inserted in a time recording clock. Use of the time recording clock is supervised by the relevant factory manager.

 

On a weekly basis the cards are collected and passed to the works office where the clerk totals up the hours worked on each card and lists the total hours worked (a ‘hash’ total). The cards and the total hours list are then passed to the wages clerk who enters the hours worked into the payroll system and agrees the total entered.

 

Gross pay, deductions and net pay calculated

 

The payroll system calculates the gross and net pay and a payroll report is generated by the payroll manager. The payroll manager recalculates a sample of employee wages and compares his figures to the amounts calculated by the payroll system. He passes the payroll report to the wages clerk who creates a payment list detailing the payments to be made to the monthly paid employees and the taxation authority.

 

The payroll report and payment list are passed to the company accountant. The company accountant reviews the payment list for any unusual amounts and compares each employee’s net pay on the payroll report to the payment list. He also compares the totals with the previous week as a reasonableness check. Once all of these procedures are complete, the company accountant signs both documents and raises a cheque requisition for the weekly paid workers. The signed payroll report is returned to the payroll clerk who generates the payslips from the payroll system. The payslips, cheque requisition and signed payment list are then passed to the cashier’s department for processing.

 

Payments to employees and tax authorities

 

The cashier draws a cheque for the net amount of the payroll which is then signed by two directors. The cheque is given to a secure cash transit company who draw the money from the bank and deliver it under guard to the cashier. The cashier then puts the money into pay envelopes along with a pay slip for weekly paid workers.

 

The sealed envelopes and relevant clock cards are then used for payouts. Each worker obtains their money once they have identified themselves and signed their clock card. Unclaimed wages are held for three weeks before being banked.

 

Monthly paid workers and the tax authorities are paid by bank transfer on the last day of each month, as per the payment list authorised by the company accountant.

 

Payroll costs and payments recorded

 

A copy of the payroll list is sent to the head office accounts team who record the payroll expense and payments made. Any unclaimed wages are notified by the wages office to the head office team on an anomalies list completed once all of the clock cards have been returned. The head office accounts team check the bank statements to ensure that this money has been banked.

 

Standing data and other amendments

 

Leaver and joiner forms must be completed and authorised by the employee’s immediate manager and the finance director at least one month before the amendment is required to the payroll. Other amendments to standing data, e.g. pay rises and hourly rates, are completed on a specific form for this purpose, and authorised in the same way. A monthly report of amendments to standing data is sent to the finance director for review and authorisation. Standing data files are sent to departmental managers on a quarterly basis for review.

 

Required:

 

Identify and explain the controls in Murray Co’s payroll system and suggest how the auditor would test those controls.

Objectives

 

The objectives of controls in the inventory system are to ensure that:

 

• Inventory levels meet the needs of production (raw materials and components) and customer demand (finished goods).

 

• Inventory levels are not excessive, preventing obsolescence and unnecessary storage costs.

 

• Inventory is safeguarded from theft, loss or damage.

 

• Inventory received and despatched is recorded on a timely basis.

 

• All inventory is recorded.

 

• Inventory should be recorded at the appropriate value.

 

• Only inventory owned by the company is recorded.

 

The following controls over inventory relate to the period after purchase and before sale i.e. when the goods are being stored in the warehouse.

 

Control	Test of control
Inventory should be maintained at	Use test data to place an order to
an appropriate level through the use	reduce inventory of an item to below the
of automatic ordering systems when	reorder level and trace through the
inventory reaches a certain level or	system to see if an order is
by checking inventory levels before	automatically generated.
orders are placed.	Observe the ordering clerk checking
	inventory levels before placing an order.
Inventory should be kept in a	Visit the warehouse and attempt to
warehouse with access restricted to	enter. Ensure that doors are kept closed
warehouse staff by the use of swipe	requiring the swipe card or code to gain
card or keypad access.	access.
CCTV should be in place to monitor	Inspect the warehouse area to see the
people around the entrance to the	CCTV in place and visit the location of
warehouse to ensure people don’t	the camera feed to ensure the cameras
follow other people into the	are monitored.
warehouse to avoid the need for a
code/swipe card.
Inventory should be kept in	Visit the warehouse and inspect the
appropriate conditions e.g.	conditions of storage. Inspect evidence
temperature controlled environment	of monitoring the conditions on a regular
for perishable items.	basis such as temperature logs.
Fire/smoke/heat detectors and	Inspect the warehouse to see the
sprinkler systems should be in place	detectors and sprinkler systems are in
to reduce the risk of damage	place.
caused by fire.	Inspect certificates confirming they have
	been checked and tested on a regular
	basis.
Inventory should be insured in case	Inspect insurance policies to ensure
of theft or damage.	they cover inventory, that adequate
	cover is in place by comparing against
	inventory value and that the policy has
	not lapsed.
Inventory movements should be	Inspect the GRNs and GDNs to see
recorded in the system promptly	they have been stamped as entered into
using the GRNs and GDNs. The	the system.
GRNs and GDNs should be	Compare the date on the stamp to the
stamped to confirm they have been
	date on the GRN/GDN to ensure they
input to ensure the system is up to
	have been entered promptly.
date.

 

Inventory counts should take place	Obtain inventory counting instructions
on a regular basis so that physical	and review to ensure the count will be
inventory quantities can be	appropriately organised and controlled.
reconciled with the accounting	Attend the inventory count to ensure the
system on a regular basis to ensure
	count is carried out in accordance with
the records are accurate and up to
	the instructions and perform test counts
date.
	to ensure the client’s counts are carried
	out accurately.
Inventory should be reviewed during	During the count review the inventory to
the count for damage or	ensure damaged or obsolete items are
obsolescence and valued	separately identified.
separately from the other inventory
by making an allowance to write the
inventory down to NRV.

 

See the ‘Procedures’  for detailed controls over inventory counts.

Objectives

 

The objectives of controls in the cash cycle are to ensure that:

 

• Petty cash levels are kept to a minimum, preventing theft.

 

• Payments can only be made for legitimate business expenditure.

 

• Cash can only be withdrawn for business purposes.

 

• Cash is safeguarded to prevent theft.

 

• Receipts are banked on a timely basis to prevent theft.

 

• Cash movements are recorded on a timely basis.

 

The following controls over cash relate to the period after receipt from a customer and before being used to pay for expenses. In addition, there should be adequate controls over access to cash and bank records.

 

Control	Test of control
An imprest system of petty cash	In the presence of the client, count the
should be used for items of	petty cash to ascertain that the level is
expenditure less than $x. All other	at the limit set. Inspect the petty cash
reimbursements should be made	vouchers to ensure amounts reimbursed
through an expense claim and	are below the limit stated.
processed as a bank payment.
Petty cash reimbursements must be	Inspect the petty cash reimbursements
supported by an invoice to confirm	for the supporting invoice and the
the expenditure was incurred and is	signature of the person authorising the
business related before being	reimbursement.
authorised and paid.
Cash withdrawals must be	Inspect the withdrawal request for
authorised by a manager.	evidence of the manager’s signature
	authorising that the money can be taken
	out of the bank.
Cash and cheque books/stationery	In the presence of the client, inspect
should be stored in a locked safe	where the cash and cheque books are
with restricted access.	stored to ensure they are secure e.g.
	within a safe.
	Enquire of management who has
	access to the safe to ensure this is
	restricted to people with suitable
	seniority.

 

Controls over bank transfers and	Enquire of management who has
online banking should be in place,	access to the online banking system.
e.g. secure passwords and PINs.	Inspect transactions in the banking
	system for the username of the person
	initiating and authorising transactions to
	ensure this corroborates what has been
	said. Assess whether the person
	authorising the transactions is of
	suitable seniority.
Cash and cheques received should	Inspect the paying in books or bank
be banked frequently.	statements to identify how frequently
	deposits are paid in to ensure this is
	adequate.
Regular bank reconciliations	Inspect the file of bank reconciliations to
prepared and then reviewed by	ensure they are performed regularly.
personnel of appropriate seniority.	Inspect the reconciliation for a
	manager’s signature as evidence it has
	been reviewed and approved.
	Reperform the reconciliation to ensure it
	has been carried out effectively.

 

 

Exam question approach

 

The exam will regularly feature a requirement asking for identification and explanation of control deficiencies from a scenario and recommendations to overcome the deficiencies identified.

 

Identification and explanation

 

Identification of the deficiencies is usually quite straightforward. You should look for information which indicates:

 

• Controls are missing e.g. Sales orders are not sequentially numbered.

 

• Controls are not effective e.g. Bank reconciliations are supposed to be performed but often don’t get done due to lack of time.

 

Work with the information provided. Do not assume that because something isn’t mentioned it isn’t happening.

 

Explanation of the deficiency requires you to give a business risk or a risk of misstatement in the accounting records. It is not an explanation if you only say this should not be done or this should be done. You must explain what the control would achieve if it was in place and working effectively. The explanation needs to be sufficiently detailed. If you only explain the deficiency in part you will not earn the explanation marks.

 

Recommendation

 

The recommendation also needs to be sufficiently detailed. Try and recommend which person within the company should perform the control and how frequently. Sometimes a control requires more than one element to be effective therefore make sure you suggest everything that needs to happen to make the control effective.

 

	Control deficiency	Recommendation
Poor	Sales orders are not	Orders should be
answer	sequentially numbered.	sequentially
	Deficiency is not explained.	numbered.
	Why does it matter if the sales	Recommendation is
	orders are not sequentially	not sufficiently
	numbered?	detailed. How does the
		client know the
		sequence is complete?
Better	Sales orders are not	Orders should be
answer	sequentially numbered.	sequentially
	Orders will be difficult to trace	numbered.
	and orders may not be	A sequence check
	fulfilled.	should be performed
	Deficiency is still not fully	and any breaks in the
		sequence investigated
	explained.
		and resolved.
	What are the consequences to
	the company if they have	Recommendation is
	unfulfilled orders?	now sufficiently
		detailed.
Good	Sales orders are not	Orders should be
answer	sequentially numbered.	sequentially
	Orders will be difficult to trace	numbered.
	and orders may not be	A sequence check
	fulfilled.	should be performed
	Customers will be dissatisfied	and any breaks in the
		sequence investigated
	if orders are not fulfilled
		and resolved.
	resulting in complaint and loss
		Recommendation is
	of future revenue.
	Deficiency is now fully	sufficiently detailed.
	explained as a business risk.

 

		Control deficiency	Recommendation
	Poor	Bank reconciliations are	Bank reconciliations
	answer	supposed to be performed but	should be performed.
		often don’t get done due to	Recommendation is
		lack of time.
			not sufficiently
		Deficiency is not explained.	detailed. Who should
		Why does it matter if the bank	perform the bank
		reconciliation does not get	reconciliation?
		performed?	How often should it be
			performed?
			How does
			management know it
			has actually been
			done?
	Better	Bank reconciliations are	Bank reconciliations
	answer	supposed to be performed but	should be performed
		often don’t get done due to	weekly.
		lack of time.	Recommendation is
		Errors could occur.	slightly better but is still
		Deficiency is still not fully	not sufficiently
			detailed.
		explained.
		Errors in what?
	Good	Bank reconciliations are	Bank reconciliations
	answer	supposed to be performed but	should be performed
		often don’t get done due to	on a weekly basis by
		lack of time.	someone independent
		Errors could occur.	of maintaining the cash
			book and the
		The cash book may be
			reconciliation should
		incorrect resulting in	be reviewed by a
		misstatement of the bank and	responsible official.
		cash figure in the financial	Recommendation is
		statements.
			now sufficiently
		Deficiency is now fully
			detailed.
		explained as a risk to the
		accounting records.

 

Test your understanding 4

 

Rhapsody Co supplies a wide range of garden and agricultural products to trade and domestic customers. The company has 11 divisions, with each division specialising in the sale of specific products, for example, seeds, garden furniture, and agricultural fertilizers. The company has an internal audit department which provides reports to the audit committee on each division on a rotational basis.

 

Products in the seed division are offered for sale to domestic customers via an Internet site. Customers review the product list on the Internet and place orders for packets of seeds using specific product codes, along with their credit card details, onto Rhapsody Co’s secure server. Order quantities are normally between one and three packets for each type of seed. Order details are transferred manually onto the company’s internal inventory control and sales system and a two part packing list is printed in the seed warehouse. Each order and packing list is given a random alphabetical code based on the name of the employee inputting the order, the date and the products being ordered.

 

In the seed warehouse, the packets of seeds for each order are taken from specific bins and despatched to the customer with one copy of the packing list. The second copy of the packing list is sent to the accounts department where the inventory and sales computer is updated to show that the order has been despatched. The customer’s credit card is then charged by the inventory control and sales computer. Bad debts in Rhapsody are currently 3% of the total sales.

 

Finally, the computer system checks that for each charge made to a customer’s credit card account, the order details are on file to prove that the charge was made correctly.

 

Required:

 

In respect of sales in the seeds division of Rhapsody Co:

 

• Explain FOUR deficiencies in the sales system, and

 

• For each deficiency provide a recommendation to overcome that deficiency.

 

(8 marks)

 

Test your understanding 5

 

Whilst performing tests of controls, many control deviations were found. The auditor has therefore concluded that reliance cannot be placed on the internal controls.

 

Required:

 

Explain THREE actions that the auditor may now take in response to this problem.

 

(3 marks)

 

 

Test your understanding 6

 

• Define ‘tests of control’ and explain the importance of tests of control in the audit of a company.

 

(2 marks)

 

• You are an audit senior working at a medium sized firm of auditors. One of your clients is an exclusive hotel called ‘Numero Uno’ situated in the centre of Big City. As part of your audit procedures you are assessing the controls surrounding payroll. You have read last year’s audit file and have obtained the following information:

 

The hotel employs both full and part time staff. Due to the nature of the business most of the work is done in shifts. All staff are paid on a monthly basis.

 

New members of staff are given an electronic photo identification card on the day they join by the personnel department. This card is used to ‘clock in’ and ‘clock out’ at the start and end of the shift to record the hours worked.

 

At the end of each week the information recorded on the system is sent automatically to the payroll department and also to the head of each of the three main operating divisions: Rooms, Food & Beverage and Corporate Events. Each division head must reply back to the payroll department by email to authorise the hours worked by their staff.

 

The payroll clerk collates all the authorised information and then inputs the hours worked into a standardised computerised payroll package. This system is password protected using an alphanumerical password that only the payroll clerk and the finance manager know.

 

Once the hours have been entered, the calculations of gross pay and taxation are calculated automatically along with any other statutory deductions. At the end of the calculations a payroll report is produced and printed. The finance manager reviews the report and compares the data to last month to identify and follow up any unusual variances. When he is satisfied with the information he authorises the payroll run by signing the payroll report and the payroll clerk submits the data.

 

Payslips are sent to the home address of each employee and payment is made by bank transfer.

 

Required:

 

With reference to the scenario:

 

• Identify and explain FOUR STRENGTHS within the hotel’s internal control system in respect of payroll.

 

(4 marks)

 

• For each of the identified strengths, state a test of control the auditor could perform to assess if the controls are operating effectively.

 

(4 marks)

 

 

Test your understanding 7

 

You are testing the controls over the payroll system of Bunbury Co. You have confirmed that the following controls have operated throughout the year:

 

• Sample check of payroll calculations by a payroll manager.

 

• Review of the payroll listing once prepared before details are entered into the banking system.

 

• Segregation of duties between calculation of monthly payroll and responsibility for changes to standing data.

 

• Each department manager receives a list of employees in their department for them to sign to confirm those employees should be paid.

 

• Which of the following is the main reason for the control of segregation of duties between calculation of payroll and responsibility for changes to standing data?

 

A Changes to standing data must be performed by a manager whereas payroll calculations can be performed by a payroll clerk

 

B If one person was responsible for both they would be more likely to make errors due to a high workload

 

C If one person was responsible for both they could increase their salary and make fraudulent payments to themselves

 

D Each individual role within an organisation must be carried out by different people

 

• Which of the following procedures would provide the most reliable evidence that the first control, payroll calculations are checked by a payroll manager, is working effectively?

 

A Enquiry with the payroll clerk performing the payroll calculation B Enquiry with the payroll manager performing the check

C  Recalculation of the payroll amounts by the auditor

 

D Inspection of the payroll report for evidence that a sample of payroll amounts are checked

 

• Which of the following is NOT a test of control?

 

A Inspection of employee contracts to confirm the salary the employee should be paid

 

B Inspection of payroll reports for evidence of authorisation by the manager

 

C Inspection of the list of employees for each department for evidence of the department manager’s review

 

D Observation of the payroll function to confirm segregation of duties is in place

 

• Which of the following is a control objective relevant to the control that each department manager reviews the list of employees?

 

A To ensure payroll is accurately calculated B To ensure only valid employees are paid

C To ensure employees are paid for the correct hours D To ensure employees are paid at the correct salary

 

• Which of the following could be used by Bunbury Co to monitor the effectiveness of the company’s controls? A Internal audit assignments

 

B Performing bank reconciliations C Authorisation of payments

D  Segregation of duties

 

 

Test your understanding 8

 

You are performing the risk assessment for the audit of Kununurra Co, a client your firm has audited for the past two years. From your review of last year’s audit file you have found that no significant control deficiencies were identified. The systems are documented on the permanent audit file in the form of flow charts and narrative notes.

 

• Which of the following best describes the requirement of the auditor in respect of the controls documentation?

 

A The auditor must document the systems this year as they may have changed since last year

 

B The auditor may enquire whether the systems have changed since last year and if not no further work is necessary

 

C The auditor must perform procedures to ensure the systems work as documented on file e.g. by performing walkthrough tests

 

D No work is necessary on systems documentation unless the client informs the auditor that changes have occurred

 

• Which of the following best describes the auditor’s approach in respect of reliance on internal controls?

 

A Tests of controls must be performed over material areas of the financial statements

 

B Tests of controls must be performed each year over the areas where the auditor is hoping to place reliance on the controls

 

C Tests of controls are not necessary this year as no deficiencies were identified last year

 

D Tests of controls must be performed over all areas irrespective of whether the auditor is planning to place reliance on those controls

 

• Which of the following would NOT be included in an internal control evaluation questionnaire?

 

A How does the company ensure sales are only made to creditworthy customers?

 

B How does the company ensure that purchases are only made for a valid business use?

 

C How does the company ensure that all purchases are recorded?

 

D Is access to the warehouse restricted to authorised personnel only?

 

• Internal controls should be monitored on an ongoing basis to ensure they are adequate, relevant and working effectively. Which of the following will NOT monitor the internal controls of a company?

 

A External auditor B Management

C Consultancy firm hired by management D Internal auditor

 

• Match the description to the appropriate method of documenting a control system.

 

                                                                 ICQ/ICE                     Flowchart                        Narrative

 

notes

 

A diagram depicting the

controls in place at each stage

of a process

 

A disadvantage of this method

may be that controls are

overstated

 

An advantage of this method

is that they are easy to

prepare in advance and

therefore efficient

 

For larger systems this

method may be time

consuming and it may be

difficult to identify missing

controls

Test your understanding 1

 

Ordering

 

Control	Test of control
Credit checks, setting of credit	Inspect a sample of new and
limits, and checks that an order	existing customer files to ensure a
will not take a customer over their	recent, satisfactory credit check
credit limit: ensures that sales are	has been obtained.
only made to customers that are	Review the customer’s file and
likely to make a full and prompt
	ensure that credit reports are
payment, reducing the risk of
	obtained on a regular basis by
irrecoverable debts. Irrecoverable
	looking at the dates on the reports.
debts will reduce profit and cash
	Inspect the customer’s account to
inflows.
	ensure that credit limits have been
	put in place.
	Try to enter an order into the
	system that will take the customer
	over their credit limit. The system
	should reject it.
Checking that the goods are	With the client’s permission,
available: ensures that orders can	attempt to enter an order for goods
be fulfilled and despatched	that are known to be out of stock.
promptly. Goods not despatched	The system should reject the
promptly can result in complaints	order.
from customers resulting in a loss	Where orders are taken when the
of customer goodwill.
	goods are out of stock, review the
	unfulfilled orders file for evidence
	of review such as a log in the file
	detailing when it was last
	reviewed. This ensures it is
	checked frequently so that orders
	are fulfilled as soon as possible.
Written confirmation of the order:	Select a sample of sales made and
ensures that orders are recorded	inspect a copy of the written order
accurately and that customers	retained on file to ensure the order
receive the goods they ordered.	was confirmed in writing to
Incorrect orders will result in	minimise the risk of discrepancies.
dissatisfied customers and a loss
of customer goodwill.

 

Approved customers are assigned a unique customer account number: to ensure that sales are only made to customers that have been approved for credit, therefore minimising irrecoverable debts. Irrecoverable debts will reduce profit and cash inflows.

 

With the client’s permission, attempt to enter an order for a fictitious customer account number. The system should reject the order.

 

 

Goods despatch

 

Control	Test of control
Order received electronically by	Input a fictitious order into the
warehouse and automatic	system and trace it through to the
generation of GDN: eliminates risk	despatch system to ensure the
of human error/oversight ensuring	GDN is automatically generated.
that all orders are fulfilled.
Unfulfilled orders can result in
dissatisfied customers resulting in
a loss of customer goodwill.
Second member of warehouse	Visit a warehouse and observe the
team checks the goods packed,	goods despatch process to assess
signing the GDN to evidence the	whether all goods are double
check: segregation of duties	checked against the GDN prior to
reduces the risk of	signing and sending out.
misappropriation of assets which	Inspect the GDN for evidence of
results in loss for the company.
	the signature to confirm the
	physical goods have been checked
	to the GDN and the GDN has been
	checked against the order prior to
	despatch.
Customers sign the GDN and	Inspect a sample of GDNs retained
return it to Murray Co: helps to	by the warehouse to ensure they
ensure that customers pay in full	are signed by customers to confirm
as proof of delivery and	receipt of goods and to confirm
acceptance of goods is obtained.	they are retained in the warehouse
This reduces the risk of disputes	in case of disputes.
with customers which can result in
a loss of customer goodwill or
goods being sent again to a
customer which results in loss for
the company.

 

	Weekly report to sales manager:	Inspect the weekly sales report for
	monitors despatch of goods to	the sales manager’s signature as
	ensure that all orders are fulfilled.	evidence of his review. Enquire of
	Unfulfilled orders can result in	the manager what actions are
	dissatisfied customers resulting in	taken where orders have not been
	a loss of customer goodwill.	fulfilled.
	Invoicing
	Control	Test of control
	The invoice is checked to the GDN:	Inspect the GDNs for evidence of
	the invoice is raised from the GDN	being matched to invoices. Agree
	and not the original order, ensuring	the details on both to ensure the
	the invoice is sent for the correct	control has been effective.
	quantity of goods despatched. This
	reduces the risk of the customer
	being invoiced incorrectly for goods
	not received which could cause
	customer dissatisfaction and a loss
	of customer goodwill.
	Sequentially numbered sales	Review the last system generated
	invoice and computer sequence	sequence check of sales invoices
	check: to ensure that all invoices	to identify any omissions.
	are processed – if any invoice in	Review the report produced by the
	the sequence is missing it can be
		system and inspect for evidence of
	traced. Goods which have not been
		a manager’s review to confirm the
	invoiced will result in lost revenue	sequence is complete and the
	and profit for the company.
		report has been reviewed.
	System GDN marked as	Inspect the GDNs to make sure
	“invoiced” to prevent the customer	they have been marked ‘invoiced’.
	being invoiced twice. If a customer
	is invoiced twice this could cause
	customer dissatisfaction and a
	loss of customer goodwill.
	System report reviewed by the	Inspect the file of GDNs with no
	senior accountant: to ensure that	invoice system reports for
	all goods are invoiced. Goods	evidence of completion on a
	which have not been invoiced will	fortnightly basis such as a
	result in lost revenue and profit for	manager’s signature.
	the company.
	Company price list: to ensure that	Inspect the price list for approval
	customers are charged the correct	by the directors.
	price. This reduces the risk of the	Obtain a copy of the current price
	customer being invoiced
		list and agree for a sample of
	incorrectly which could cause
		invoices that relevant/current
	customer dissatisfaction and a
		prices have been used.
	loss of customer goodwill.

 

		Agree the prices in the system to
		the approved price list.
		Enquire of management who has
		authority to amend standing data
		such as prices in the system to
		ensure only persons of suitable
		authority have access. Try to input
		a change to the prices in the
		system using a user ID of a clerk
		to ensure that the system does not
		allow access to this standing data.
	Discounts must be requested by a	With the client’s permission,
	sales manager and authorised by	attempt to process an invoice with
	the sales director: segregation of	a sales discount without
	duties and authorisation prevents	authorisation from the sales
	fraud and unauthorised discounts	director. The system should reject
	which will result in loss of revenue	the invoice.
	for the company.	Inspect sales orders with discounts
		given for evidence of the sales
		director’s signature authorising the
		discount.
	Recording transactions
	Control	Test of control
	Review of receivables ledger for	Inspect the receivables ledger for
	credit balances: identifies	evidence of monthly review for
	overpayments which may be	credit balances such as a
	caused by goods invoiced where	manager’s signature.
	no sale was recorded. This helps
	to identify errors in the accounting
	records which can then be
	corrected.
	Receivables ledger reconciliation:	Inspect the receivables ledger
	ensures that debts and receipts	reconciliations for evidence of
	recorded in individual customer	performance on a monthly basis.
	ledgers have also been recorded	Inspect the reconciliations for the
	in the accounts (and vice versa).
		company accountant’s signature
	Segregation of duties monitors	as evidence of review.
	performance of controls and	Reperform the reconciliation to
	prevents fraud which could cause
		ensure it has been carried out
	loss for the company.
		effectively.

 

Monthly customer statements sent to customers: enables customers to identify errors in invoices and receipts and notify the company. Statements may also act as a reminder of payment and reduce the risk of irrecoverable debts. Irrecoverable debts will reduce profit and cash inflows.

 

For a sample of customers with outstanding balances, inspect copies of monthly statements sent out to confirm statements are in fact issued.

 

 

Cash receipt

 

Control	Test of control
Receipts are counted by the office	Observe the cash receipt process
assistant, recorded by the cashier,	to assess the adequacy of
and the sales ledger clerk agrees	segregation of duties.
the amount received to the
amount invoiced: Segregation of
duties prevents fraud which could
cause loss for the company.
The invoice is marked as paid:	For a sample of cash receipts,
ensures that customers are not	inspect the relevant invoice to
chased for debts they have paid	ensure it has been marked as
which could result in dissatisfied	paid.
customers and a loss of customer
goodwill.
The credit controller reviews the	Inspect the aged receivables
aged receivables to identify old	analysis for evidence of fortnightly
balances which require	review such as a manager’s
investigation. This reduces the	signature.
risk of irrecoverable debts which
will reduce profit and cash inflows.
Credit control procedures are then	Inspect records of contact made
followed: to ensure full and prompt	with customers who have overdue
payment by customers. This	debts, to ensure compliance with
reduces the risk of irrecoverable	credit control procedures.
debts which will reduce profit and	E.g. notes of telephone calls,
cash inflows.	copies of letters sent.

 

		Test your understanding 2
		Ordering
		Control	Test of control
		Centralised purchasing	Inspect organisation chart to verify
		department: ensures that	that a centralised purchasing
		purchasing is cost effective and	department is in place.
		only necessary goods and	Enquire of the purchasing director
		services are procured reducing
			whether all purchases must go
		the risk of loss to the company
			through the department or if some
		and unnecessary cash outflow.
			purchases are made within
			individual departments to assess
			the effectiveness of the control.
			Inspect a sample of purchase
			orders to ensure they have been
			generated by the central
			purchasing department.
		Sequentially pre-numbered	Enquire of the staff responsible for
		requisitions and sequence check	the sequence check what they do
		performed by the purchasing	to evidence the control e.g. a log in
		department: ensures that all	the file with a signature to confirm
		requisitions are fulfilled,	the sequence check has been
		preventing stock outs/	performed for that week.
		manufacturing delays.	Inspect the log and ensure it is
		Delays will result in dissatisfied	completed weekly and is up to
		customers which will reduce	date.
		customer goodwill.	Inspect the log for a signature to
			confirm the check has been
			performed.
		Requisitions are authorised and	Inspect a sample of requisitions for
		manager’s signature agreed:	the signature of an appropriate
		ensures only necessary goods	manager.
		and services are procured
		reducing the risk of loss to the
		company and unnecessary cash
		outflow.
		Inventory levels are checked prior	Inspect a sample of requisitions for
		to ordering: ensures only	evidence of inventory levels having
		necessary goods and services are	been checked first, such as a
		procured reducing the risk of loss	signature.
		to the company and unnecessary	Observe the ordering process to
		cash outflow.
			see the ordering clerk checking
			inventory levels first.

 

	Sequentially pre-numbered	Review the purchase orders for
	purchase orders and weekly	evidence of the warehouse
	check by warehouse manager: to	manager’s weekly sequence check
	ensure that all goods and services	such as a signature to confirm it
	ordered are received so any	has been performed.
	missing purchase orders can be
	followed up. This reduces the risk
	of production delays which will
	result in dis-satisfied customers
	and a loss of customer goodwill.
	Approved supplier list: gives	For a sample of purchase orders
	assurance about the quality of	placed, agree the supplier name to
	goods and services and reliability	the approved supplier list.
	of the suppliers. Poor quality	Attempt to place an order with an
	supplies will affect the quality of
		unapproved supplier. The system
	the product sold resulting in
		should not allow it to proceed.
	complaints from customers and
	damage to the company’s
	reputation reducing future sales.
	Written confirmation for all orders:	For a sample of purchase
	ensures all and only necessary	requisitions, inspect the purchase
	goods and services are received.	order and written confirmation from
	This reduces the risk of disputes	the supplier.
	with suppliers which could cause
	production delays resulting in
	dissatisfied customers and a loss
	of customer goodwill.
	Price agreed to price list and	Inspect a sample of purchase
	discounts checked: ensures that	orders for evidence of prices
	the correct prices are being	having been agreed to price list
	charged by the supplier and	such as a signature of the person
	discounts are being obtained. This	checking.
	ensures the correct amounts will	Select a sample of orders and
	be paid reducing the risk of loss to
		agree to the authorised price list to
	the company and unnecessary	test the effectiveness of the
	cash outflow.
		control.

 

		Good receipt
		Control	Test of control
		Goods received into the central	Visit a warehouse and inspect the
		warehouse. Having one, secure	delivery area for security of goods
		delivery area prevents goods	e.g. locked area, security guard,
		received being lost or stolen	CCTV.
		reducing the risk of loss to the
		company.
		Goods are inspected for condition	Observe the goods receipt process
		and quantity and agreed to the	to ensure goods are inspected for
		purchase order. This prevents	condition and quantity before the
		Murray Co from having to pay for	supplier’s delivery note is signed.
		unnecessary, or poor quality	Inspect the delivery note for a
		goods which would result in loss
			signature confirming the goods
		for the company and unnecessary
			have been checked on arrival.
		cash outflow.
		Sequentially pre-numbered goods	Inspect evidence of the sequence
		received note (GRN) prepared by	check being performed such as a
		the warehouse team manager and	signature of the warehouse
		a sequence check performed by	manager.
		the purchase ledger manager.
		This ensures that all goods
		received are recorded which will
		reduce disputes with suppliers
		over payment for goods.
		Grid stamp: a grid stamp is a grid	Inspect a sample of GRNs to
		that can be ink-stamped onto any	ensure grid-stamped and signed
		document, with boxes for	by the warehouse operative to
		recording different information	confirm the goods have been
		such as confirmation the goods	inspected and agreed to the PO.
		have been inspected for condition
		and agreed to the PO. This
		prevents Murray Co from having
		to pay for unnecessary or poor
		quality goods reducing the risk of
		loss to the company and
		unnecessary cash outflow.

 

	Inventory system updated on a	Inspect a sample of GRNs for the
	daily basis by the warehouse	previous day to ensure the
	manager: prevents unnecessary	inventory system has been
	goods being ordered, ensures	updated for them.
	inventory levels are up-to-date
	when checked before acceptance
	of customer orders. This reduces
	the risk of not being able to fulfil
	customer orders which could
	result in dissatisfied customers
	and a loss of customer goodwill.
	Invoicing
	Control	Test of control
	The invoice is matched to the	Inspect a sample of invoices and
	GRN: by matching the invoice to	ensure filed with the relevant GRN,
	the GRN and not the original order	and the invoice number is written
	it ensures that only goods that	on the GRN.
	have been received are paid for
	reducing the risk of loss to the
	company and unnecessary cash
	outflow.
	Using the purchase order number	Inspect a sample of invoices for
	marked on the invoice: when	the PO number and that it is
	placing an order, the supplier will	matched to the relating GRN and
	be given the purchase order	requisition.
	number. This allows the purchase
	to be matched to the relevant
	GRN and requisition and the
	company can efficiently trace the
	relevant documentation in case of
	queries.
	The invoice number is noted on	Review the GRN for the grid
	the GRN grid stamp, and a	stamp.
	monthly check of GRNs with no	Inspect evidence of signature to
	invoice: this prevents the goods
		confirm the monthly check has
	received being invoiced twice
		been carried out by the purchase
	which would cause loss to the
		ledger manager.
	company.

 

		Recording transaction
		Control	Test of control
		Batch controls: the system will	Inspect a sample of batch control
		notify the clerk inputting the data	sheets for evidence of completion
		of how many invoices has been	and agreement to the batch
		input. This will be checked to the	system report.
		physical number of invoices and
		will highlight if too many or too few
		invoices have been entered. This
		ensures accuracy of the
		purchases and payables figures in
		the accounting records enabling
		invoices to be paid on time
		reducing the risk of disputes with
		suppliers.
		Invoice stamped as “recorded”	Select a sample of invoices
		and checks to ensure all invoices	recorded on the system and
		recorded: Prevents under or	inspect them to ensure they are
		overstatement of trade payables	marked as “recorded”.
		reducing the risk of disputes with
		or late payments to suppliers.
		Supplier statement reconciliations:	For a sample of suppliers, inspect
		enables mis-recorded purchases,	the monthly supplier statements
		payments and liabilities to be	received for evidence of the
		identified and corrected. This	reconciliation being performed.
		reduces the risk of disputes with	Reperform the reconciliation to
		suppliers and ensures accuracy of	confirm it has been reconciled
		the accounting system relating to	correctly to test the effectiveness
		purchases and payables.	of the control.
		Control account reconciliation:	Inspect the purchase ledger
		ensures that credits and payments	reconciliations for evidence of
		recorded in individual supplier	performance and review on a
		ledgers have also been recorded	monthly basis. Reperform the
		in the accounts (and vice versa).	reconciliation to ensure it has been
		Segregation of duties monitors	carried out effectively.
		performance of controls and
		ensures accuracy of the
		accounting system in relation to
		purchases and payables.

 

Cash payment

 

Control	Test of control
The company accountant checks	For a sample of payments made,
and authorises payments:	inspect the payment list for
payments should only be	evidence of the company
authorised by a senior member of	accountant’s review and
the finance department to prevent	authorisation.
error or fraud which could result in
loss for the company.
Individual payments of more than	Inspect a sample of invoices
$25,000 or total payments of more	> $25,000 for evidence of a second
than $250,000 require a second	signatory and agree that the
signatory: a second signatory	signature is of someone with
prevents fraud on unusual	authority to authorise such
transactions which could result in	amounts.
loss for the company. The	Inspect the invoices for the
additional check by the financial
	additional signature of the financial
controller or finance director
	controller or finance director.
further enhances this control.
Payments are made by the	Observe the process of payments
cashier’s office and recorded by	from the cashier’s office to ensure
the purchase ledger team:	segregation of duties is in place.
segregation of duties prevents
fraud which could result in loss for
the company.
Invoices are stamped as “paid”	Inspect the file of paid invoices and
and filed separately from invoices	ensure kept separate from invoices
not yet paid: this prevents invoices	not yet paid. Inspect them stamped
being paid twice which could	as ‘Paid’.
result in loss for the company and
unnecessary cash outflow.
GRNs are checked on a monthly	Review evidence of the purchase
basis: to ensure that suppliers are	ledger manager’s monthly invoice
paid on a timely basis, which	review such as a signature.
ensures that early settlement
discounts available are obtained,
and supplier goodwill is
maintained.

 

		Test your understanding 3
		Clock cards submitted and input
		Control	Test of control
		Clock card to record time and	Observe the use and
		supervision of clock card use:	supervision of clocking in and
		ensures that only genuine	out procedures to ensure that
		employees are paid for work done.	employees are not able to clock
		This reduces the risk of unnecessary	in for other people.
		additional expense for the company
		which reduces profit.
		Hash total and agreement of the	Observe the process of the
		total: segregation of duties by	works office clerk totalling the
		performing and checking the	hours and passing the list to the
		procedure reduces the risk of human	wages clerk to confirm
		error and therefore the risk of	segregation of duties is in place.
		incorrect payments being made	Inspect a sample of payroll
		which will affect profit.
			sheets for the wages clerk’s
			signature as evidence they have
			checked the total hours list.
		Payroll calculation and payment list created
		Control	Test of control
		Payroll is calculated automatically by	Review a sample of the
		the payroll system and the payroll	calculations performed by the
		manager recalculates a sample of	payroll manager.
		wages: Calculation by the system is
		less vulnerable to error and a
		sample check by the payroll
		manager ensures the system
		calculates the wages accurately,
		minimising the risk of incorrect
		payments being made.
		The company accountant’s review of	Inspect the payroll report and
		payroll: ensures that any anomalies	payment list for the signature of
		can be identified and resolved. Payroll	the company accountant
		is a significant cost for most	confirming the reports have
		companies and it is important that a	been checked to each other and
		responsible individual, independent of	a review has been performed.
		preparation of payroll undertakes this
		role. This reduces the risk of
		payments being made to ghost
		employees or incorrect amounts being
		paid which would cause unnecessary
		expense and reduce profit.

 

	Payroll is calculated by the payroll	Inspect the monthly payment list
	department. The company	and payroll report for the company
	accountant raises the cheque	accountant’s signature.
	requisition and authorises the	For a sample of cheques raised for
	payment list. The cashie’s
		wages, inspect the cheque
	department makes the relevant
		requisition to ensure it has been
	payments: segregation of duties
		completed by the company
	prevents fraud and error which
		accountant.
	could result in loss for the
	company.
	Payments to employees and tax authorities
	Control	Test of control
	Payroll cheque is signed by two	Inspect the bank mandate to
	directors: this is likely to be a large	ensure it requires the signature of
	amount of money and therefore	two directors for large cheques.
	requires authorisation by two
	senior personnel to prevent fraud
	and error which could result in
	loss to the company.
	Cash is delivered by a secure	Observe the cash being delivered
	transit company, under guard: due	by the security firm.
	to the amount of cash likely to be	Inspect invoices for services of the
	needed to pay the weekly paid
		security firm to ensure the service
	workers, it would not be
		is provided weekly.
	appropriate for Murray Co staff to
	go to the bank to get the money
	themselves as this would threaten
	their personal safety.
	Workers must identify themselves	Observe payment of weekly wages
	and sign their clock cards before	to confirm identification is checked.
	receiving their money. This	Inspect a sample of clock cards to
	ensures that only genuine
		ensure they have been signed by
	employees are paid, reducing the
		the worker.
	risk of unnecessary additional
	expense for the company which
	reduces profit.

 

Payroll costs and payments recorded

 

Control	Test of control
The head office accounts team	Inspect the anomalies list to see it
record the payroll expense and	has been prepared.
payments and the wages office	Enquire of the wages office and
notify the team of unclaimed
	the head office team that this
wages: segregation of duties
	notification occurs on a weekly
prevents fraud and error which
	basis to corroborate the control
could result in loss for the
	works effectively.
company.
Bank statements are checked for	Inspect the anomalies list or bank
deposit of unclaimed wages:	statements for evidence that the
prevents misappropriation which	bank statements are checked to
would result in loss for the	ensure any unclaimed wages have
company.	been banked.
Standing data and other amendments

 

Control	Test of control
Completion and authorisation of	Select a sample of employees with
standing data forms: ensures that	pay rises or other amendments
only genuine employees are paid	from human resources records and
and at authorised rates of pay.	inspect the system details to
This reduces the risk of payments	ensure that the relevant payroll
being made to ghost employees	form has been completed and
or incorrect amounts being paid	authorised on a timely basis.
which would cause unnecessary
expense and reduce profit.
Use of specific forms such as for	Select a sample of leavers and
starters and leavers: prevents	joiners from human resources
errors in processing information.	records and trace the changes to
This reduces the risk of incorrect	the system to ensure that payroll
	forms have been completed and
payments being made which
	authorised on a timely basis.
would result in employee
dissatisfaction or payments being
made to people no longer working
for the company which would
result in loss to the company.

 

	Monthly review of standing data	Select a sample of amendments
	amendments and quarterly review	made to standing data and trace to
	of standing data files: ensures that	the monthly report authorised by
	any unauthorised amendments to	the finance director, and the
	standing data are identified and	relevant amendment form.
	resolved. This reduces the risk of	Inspect the standing data files sent
	payments being made to ghost
		to departmental managers for
	employees or incorrect amounts
		evidence of review.
	being paid which would cause
		For any anomalies identified by
	unnecessary expense and reduce
	profit.	departmental managers, enquire of
		and corroborate the reasons for
		the anomaly and what action was
		taken to resolve the issue.
	Test your understanding 4
	Deficiency and effect	Recommendation
	Recording of orders
	Orders placed on the Internet site	The computer system should be
	are transferred manually into the	upgraded so that order details are
	inventory and sales system.	transferred directly between the
	Manual transfer may result in	two computer systems. This will
	error, for example in recording	remove manual transfer of details
	order quantities or product codes.	limiting the possibility of human
	Customers will be sent incorrect	error.
	goods resulting in increased
	customer complaints and a loss of
	customer goodwill.
	Control over orders and
	packing lists
	Each order/packing list is given a	Orders/packing lists should be
	random alphabetical code. This	controlled with a numeric
	type of code makes it difficult to	sequence.
	check completeness of orders.	At the end of each day, a
	Packing lists can be lost resulting	sequence check should be
	in goods not being despatched to	performed and any gaps in the
	the customer which will result in a	sequence should be investigated.
	loss of customer goodwill. The
	order may be sent but the
	customer’s credit card may not be
	charged which would result in loss
	for Rhapsody.

 

 

Obtaining payment

 

The customer’s credit card is charged after despatch of goods to the customer, meaning that goods are already sent to the customer before payment is authorised.

 

Rhapsody Co will not be paid for the goods despatched where the credit company rejects the payment request. Given that customers are unlikely to return seeds, Rhapsody Co will automatically incur an irrecoverable debt which reduces profit and cash inflow.

 

Completeness of orders

 

There is no overall check that all orders recorded on the inventory and sales system have actually been invoiced and the customer’s credit card charged.

 

Orders despatched may not have been invoiced resulting in understatement of revenue and profit. If the credit card has not been charged the company will experience a reduction in cash flow.

 

 

Authorisation to charge the customer’s credit card should be obtained prior to despatch of goods and the card should be charged on despatch to ensure Rhapsody Co is paid for all goods sent to customers.

 

An exception report should be generated each week of orders not invoiced. Orders where there is no corresponding invoice should be investigated.

 

Test your understanding 5

 

The auditor could expand the amount of controls testing in that audit area.

 

This may indicate that the control deficiency was not as bad as initially thought.

 

The problem could be raised with those charged with governance to ensure that they are aware of the problem.

 

The auditor could perform additional substantive procedures on the audit area. If controls have not worked effectively in this area there is a greater risk of misstatement. Substantive procedures will be used to quantify the misstatement.

 

If the matter is not resolved, then the auditor will also need to consider a modification to the auditor’s report.

 

Test your understanding 6

 

• Tests of control

 

A test of control tests the operating effectiveness of controls in preventing, detecting or correcting material misstatements.

 

It is important for the external auditor to test controls to ensure their initial understanding obtained when assessing the control environment and internal controls is appropriate.

 

This will allow the auditor to identify and assess the risks of material misstatements in the financial statements and to determine to what extent to rely on the internal control system during the audit.

 

The auditor will then be able to design sufficient and appropriate substantive audit procedures to reduce detection risk, and therefore audit risk, to an acceptable level.

 

• Payroll system strengths and tests of control

 

Strengths in the control system at the hotel in respect of payroll are set out below including the test of control to be performed by the auditor.

 

Strength (i)	Test of control (ii)
All staff are assigned a unique ID	Ask a sample of employees to
card by the personnel department	confirm who provided them with
to record hours worked.	their unique ID card on joining the
Segregation of duties between	business.
allocating the cards and	Inspect the ID cards for existence.
processing payroll will reduce the	Agree the employee details to HR
risk of the creation of ‘ghost’	records.
employees by the payroll
department which would result in
additional cost for the company
and a reduction in profit.
Hours worked are authorised by	Inspect the email sent by the
divisional heads.	divisional head for a sample of
There is a reduced risk that hours	months and agree to the
	employee’s hours recorded on the
are overstated as the divisional
	payroll system.
head is more likely to identify
errors or anomalies. This reduces
the risk of incorrect payments
being made which will affect profit.

 

		The payroll system is password	The auditor should use test data
		protected with an alphanumerical	and enter a ‘dummy’ password
		password known only to the payroll	into the payroll system to ensure
		clerk and finance manager.	that access is not granted.
		The password is difficult to guess
		and therefore will limit the risk of
		unauthorised access which could
		lead to payroll data being
		manipulated. This reduces the risk of
		fraud and loss to the company.
		Payroll calculations are automatically	The auditor should recalculate a
		calculated by the standardised	sample of employee’s monthly
		payroll software.	pay from across the year and
		There is a reduced risk of human	compare to the calculations on
		error as the calculations are	the payroll report for those
		automatically generated using a	months.
		standardised software package.
		This reduces the risk of incorrect
		payments being made to employees
		which could result in unnecessary
		expense for the company or
		dissatisfied employees.
		The finance manager reviews the	For a sample of months, inspect
		payroll report and compares to last	the payroll reports for evidence
		month before the final payroll is	of the finance manager’s
		processed.	signature confirming that the
		The comparison of data to the prior	review has been performed.
		month should highlight any unusual
		movements that could be errors
		before the payroll is processed. This
		reduces the risk of incorrect payments
		being made to employees which could
		result in unnecessary expense for the
		company or dissatisfied employees.
		Payslips are sent to the home	Ask a sample of employees to
		address of each employee.	confirm they receive their
		This should reduce the risk that	monthly payslips via post to
		payslips are misplaced or	their home address.
		manipulated. It would also reduce
		the risk of a confidentiality breach.
		Payments are sent by bank transfer	Inspect the bank statements to
		to each employee.	identify payments made to a
		This will reduce the risk of payments	sample of employees on the
		being stolen or handed to the wrong	payroll report for a selection of
		employee which could result in loss	months.
		for the company.

 

Test your understanding 7

 

(1)	C	Segregation of duties helps to prevent fraud.
(2)	D	Enquiry is not the most reliable form of evidence as the
		clerk or the manager could say what they think the
		auditor wants to hear. Recalculation of payroll by the
		auditor is a substantive test and does not confirm the
		manager has performed the necessary checks.
(3)	A	Inspection of employee contracts to confirm salary
		details is a substantive procedure.
(4)	B	The department manager would identify if any fictitious
		employees or employees who had left the company
		were included on the list and could notify the payroll
		department before any invalid payments were made.
(5)	A	Internal audit can monitor the effectiveness of controls
		by regularly testing them. B, C and D are all examples
		of control activities that would be tested for
		effectiveness.

 

Test your understanding 8

 

• CThe auditor must ensure the systems documentation held on file is still correct. This can be achieved through a combination of enquiry and walkthrough tests but enquiry alone is not sufficient appropriate evidence.

 

• BTests of controls are only performed when the auditor is planning to place reliance on those controls. If the auditor has decided that substantive testing is more efficient for a specific balance it is not necessary to test the controls over that area. Reliance cannot be placed on the results of tests of controls performed in previous years as the auditor would need to confirm they had worked effectively in the current year.

 

• DAn internal control evaluation questionnaire asks the client to respond with the control in place that addresses the risk. Restricted access as given in answer D is a control. This question would be included in an internal control questionnaire rather than an internal control evaluation questionnaire.

 

• AThe external auditor should not monitor the controls as this requires ongoing involvement in the company on a regular basis. Whilst the external auditor may test the controls and identify deficiencies, this does not constitute monitoring. Management are ultimately responsible for the internal controls including assessing whether they are effective and whether any improvements are required. They may utilise an external consultant or internal audit function to help them fulfil this responsibility.

 

(5)

 

	ICQ/ICE	Flowchart	Narrative
			notes
A diagram depicting the controls in		ü
place at each stage of a process
A disadvantage of this method may	ü
be that controls are overstated
An advantage of this method is that	ü
they are easy to prepare in advance
and therefore efficient
For larger systems this method may			ü
be time consuming and it may be
difficult to identify missing controls