UNDERSTANDING OF INTERNAL CONTROL AND CONTROL , RISK ASSESSMENT
1 like1,078 views
The document provides an overview of internal controls related to the sales system of an entity. It discusses control objectives, control activities, and tests of controls for the order department, dispatch department, and invoicing/billing department of the sales system. The key control objectives covered are related to authorization of sales orders and credit limits, accuracy of order recording and invoicing, and segregation of duties. The document also provides examples of control activities and procedures that can be implemented to achieve the control objectives as well as examples of audit tests that can be performed to evaluate the operating effectiveness of the controls.
UNDERSTANDING OF INTERNAL CONTROL AND CONTROL , RISK ASSESSMENT
- 1. Auditing – Study Notes Chapter 11 Understanding of Controls and Control Risk Assessment CHAPTER ELEVEN UNDERSTANDING OF INTERNAL CONTORL AND CONTROL RISK ASSESSMENT LLOO ## LLEEAARRNNIINNGG OOBBJJCCTTIIVVEE IICCAAPP''SS SSTTUUDDYY TTEEXXTT RREEFFEERREENNCCEE** PPAARRTT AA –– UUNNDDEERRSSTTAANNDDIINNGG AANNDD TTEESSTTIINNGG OOFF IINNTTEERRNNAALL CCOONNTTRROOLLSS LLOO 11 ✯✯ DDEEFFIINNIITTIIOONN AANNDD LLIIMMIITTAATTIIOONNSS OOFF IINNTTEERRNNAALL CCOONNTTRROOLL 55..11..22,, 55..33..11 LLOO 22 ✯✯✯✯ OOBBTTAAIINNIINNGG UUNNDDEERRSSTTAANNDDIINNGG OOFF IINNTTEERRNNAALL CCOONNTTRROOLL 55..22..11,, 55..22..33,, 55..22..44,, 55..22..55,, 55..22..66,, 55..22..99 LLOO 33 ✯✯✯✯✯✯ CCOONNTTRROOLLSS OOVVEERR TTHHEE SSAALLEESS SSYYSSTTEEMM 77..22..11,, 77..22..22,, 77..22..33,, 77..22..44 LLOO 44 ✯✯✯✯✯✯ CCOONNTTRROOLLSS OOVVEERR TTHHEE PPUURRCCHHAASSEESS SSYYSSTTEEMM 77..33..11,, 77..33..22,, 77..33..33,, 77..33..44 LLOO 55 ✯✯✯✯✯✯ CCOONNTTRROOLLSS OOVVEERR TTHHEE PPAAYYRROOLLLL SSYYSSTTEEMM 77..44..11,, 77..44..22,, 77..44..33,, 77..44..44,, 77..44..55,, 77..44..66 LLOO 66 ✯✯✯✯✯✯ CCOONNTTRROOLLSS OOVVEERR BBAANNKK AANNDD CCAASSHH SSYYSSTTEEMM 77..55..11,, 77..55..22,, 77..55..33 LLOO 77 ✯✯✯✯✯✯ CCOONNTTRROOLLSS OOVVEERR IINNVVEENNTTOORRYY AANNDD NNOONN--CCUURRRREENNTT AASSSSEETTSS SSYYSSTTEEMM 77..66..11,, 77..66..22 PPAARRTT BB –– DDOOCCUUMMEENNTTAATTIIOONN OOFF UUNNDDEERRSSTTAANNDDIINNGG OOFF EENNTTIITTYY AANNDD IINNTTEERRNNAALL CCOONNTTRROOLL LLOO 88 ✯✯ MMEETTHHOODDSS OOFF DDOOCCUUMMEENNTTAATTIIOONN OOFF AA SSYYSSTTEEMM 66..11..11,, 66..11..22,, 66..11..33 LLOO 99 ✯✯ DDIIFFFFEERREENNCCEE BBEETTWWEEEENN IICCQQ AANNDD IICCEEQQ 66..11..33 LLOO 1100 ✯✯ CCHHEECCKKIINNGG TTHHEE AACCCCUURRAACCYY OOFF PPRREEVVIIOOUUSS YYEEAARR’’SS IICCQQ 66..11..33 PPAARRTT CC –– AADDDDIITTIIOONNAALL CCOONNCCEEPPTTSS LLOO 1111 ✯✯ MMAANNAAGGEEMMEENNTT LLEETTTTEERR AANNDD IITTSS CCOONNTTEENNTTSS 55..44..33 LLOO 1122 ✯✯ AAUUDDIITT CCOORRRREESSPPOONNDDEENNCCEE NN//AA *Explanation of Reference: First digit in Study Text’s Reference represents chapter number, second and third digits represents section and sub-section number. Contents in brackets (if any) represent part of the sub-section which is covered by the learning objective. 1
- 2. Auditing – Study Notes Chapter 11 Understanding of Controls and Control Risk Assessment Coverage from Question Bank: After completion of this chapter, you will be able to attempt following questions in ICAP's Question Bank: Question # in ICAP’s Question Bank Type of Question Question # in ICAP’s Question Bank Type of Question Q. # 35 (Controls) Concept Review Question Q. # 38 (Danish) Case Study Q. # 36a (Shahzad) Concept Review Question Q. # 39bi (Roses Anytime) – sales Case Study Q. # 39a (Roses Anytime) Concept Review Question Q. # 39bii (Roses Anytime) – cash Case Study Q. # 68a (Tahira Transporters) Concept Review Question Q. # 41a (Granger) – cash Case Study Q. # 71a (Bubbles) Concept Review Question Q. # 78a (Zeedin Co) – purchases Case Study Q. # 40 (Trade Receivables) Concept Review Question Q. # 78d (Zeedin Co) – inventory Case Study Q. # 79a (Sahito Co) Concept Review Question Q. # 79b (Sahito Co) – sales Case Study Q. # 36b(Shahzad) – inventory Case Study Q. # 80ab (Bashir Co) – payroll Case Study Q. # 37abc (Waheed Engine.) – payroll Case Study 2
- 3. Auditing – Study Notes Chapter 11 Understanding of Controls and Control Risk Assessment PART A – UNDERSTANDING OF INTERNAL CONTROL LLOO 11:: DDEEFFIINNIITTIIOONN AANNDD LLIIMMIITTAATTIIOONNSS OOFF IINNTTEERRNNAALL CCOONNTTRROOLL:: Definition of Internal Control: Internal Control means policies and procedures designed, implemented and operated by management and TCWG to provide reasonable assurance about achievement of entity’s objectives with regard to: Effectiveness and efficiency of its operations Compliance with applicable laws and regulations Reliability of the entity’s financial reporting Limitations of Internal Control: Internal Control system is never perfect. It cannot provide absolute assurance about achievement of objectives because of Inherent Limitations of Internal Control i.e. i. Breakdowns caused by human errors ii. Management override of controls. iii. Segregation of duties in smaller entities not possible. iv. Collusion i.e. internal control is circumvented intentionally through collusion among more than one person. v. Cost-benefit trade off may not justify a control vi. Often non-routine transactions are not subject to internal control. vii. Often Judgments are involved in risk assessment, and implementation of control which can be faulty CONCEPT REVIEW QUESTION State the responsibilities of external auditors and directors in relation to the design and operation of internal control systems. (06 marks) (ICAEW - 2006 December) Describe some inherent limitations of Internal Controls. (04 marks) (CA Inter -Spring 2001) LLOO 22:: OOBBTTAAIINNIINNGG UUNNDDEERRSSTTAANNDDIINNGG OOFF IINNTTEERRNNAALL CCOONNTTRROOLL:: Auditor is required to obtain understanding of internal control of entity. This understanding shall cover following elements: Control Environment: Auditor shall evaluate whether entity has a strong control environment. Control environment includes attitude, awareness and actions of TCWG and management regarding entity’s internal control and its importance in the entity. In evaluating the control environment, auditor considers the following matters: Audit committee and board of directors have significant influence in the organization and actively participate in business. Management actions and attitudes show character, integrity, and ethics. Management is committed towards Competence. 3
- 4. Auditing – Study Notes Chapter 11 Understanding of Controls and Control Risk Assessment No tolerance over code of conduct (e.g. petty theft) Management's operating style and philosophy is not aggressive towards financial reporting. Organizational structure is appropriate according to business. Management assigns authority and responsibility appropriately. Human resource policies emphasize on strong control environment. Information System Relevant to Financial Statements: Relevant Information system means processes by which entity obtains, process and records transactions to prepare financial statements e.g. Sales System, Purchases System. Auditor should consider following aspects of information system: Entity’s principal business transactions. How information system captures and records these transactions (including process to prepare financial statements). Related accounting records in support of transactions. Whether IT system is implemented. Entity’s Risk Assessment Process: Auditor shall evaluate whether entity has a good Risk Assessment Process. It means process to identify, assess and manage business risks. Identifying risk means recognizing existence of risk. Assessing risk means deciding whether risk is significant or not. Managing risk means designing and operating internal controls to minimize the risk. Risk can arise or change due to following circumstances: changes in the entity’s operating environment new personnel new or revamped information systems rapid growth new technology new business models, products or activities corporate restructurings expanded foreign operations new accounting pronouncements. Control Activities Relevant to Audit: Control activities are the policies and procedures (other than control environment) to ensure that entity’s objectives are achieved. Their objective is to stop errors from occurring in the first place (called Preventive Controls), identify errors which have occurred (called Detective Controls) and correct errors which have been detected (called Corrective Controls). Control activities could be Manual or IT/Automated/Programmed. In evaluating the control activates in an area, auditor considers the following categories: Authorization Controls (All significant transactions should be authorised/approved by an appropriate level of management.) Physical Controls (These are controls to prevent unauthorized access to tangible assets and computer programs/data files) Segregation of duties (It means assigning responsibilities of authorising transactions, recording transactions and custody of assets to different people. Thereby, error/fraud by a single person is detected by other persons). 4
- 5. Auditing – Study Notes Chapter 11 Understanding of Controls and Control Risk Assessment Controls over Information Processing (These are used to check accuracy, completeness and authorization of transactions.) Reconciliations (These include comparing data from one source with data from other source to confirm accuracy and completeness of data e.g. bank reconciliation, inventory reconciliation, debtors’ reconciliation etc.) Performance Reviews/ Management Controls (These are reviews/analysis of actual performance against budget, forecasts and prior period. These are usually performed by management to supervise subordinates.) Monitoring of Controls: Monitoring of control is a process to evaluate the internal control. It includes evaluation of whether internal control system is operating effectively and, if necessary, taking necessary remedial actions. CONCEPT REVIEW QUESTION International Standards on Auditing require an auditor to evaluate the control environment and assess its effectiveness. State the factors that the auditor should consider in evaluating the control environment. (04 marks) (CA Inter - Autumn 2015) Briefly explain the components of internal control as referred to in the International Standards on Auditing. (09 marks) (CA Inter - Spring 2010) LLOO 33:: TTHHEE SSAALLEESS SSYYSSTTEEMM –– OOBBJJEECCTTIIVVEESS,, AACCTTIIVVIITTIIEESS AANNDD TTEESSTTSS OOFF CCOONNTTRROOLLSS:: There should be segregation of duties between Sales Order (to prepare sales order), Despatch Department (to despatch goods and prepare GRN), Invoicing Department (to prepare invoice) and Accounts Department (to post invoices into Sales Journal & Ledgers). Order Department Control Objectives Control Activities Tests of Controls Orders are approved only when customer has authorized credit limit and order is within credit limit There should be segregation of duties between person who processes the sale order and person who approves credit limit. Auditor should observe whether segregation of duties exist between person who processes the sales order and person who approves credit limit. A separate credit department should set authorized credit limit for every customer. Select a sample of customers and inspect signature/initial of appropriate authority as evidence of approval of credit limits. Order department should check credit limit before approving order and order should be rejected if it exceeds credit limit. -Select a sample of customers and compare their outstanding balance with their credit limits. -Use "Test Data" to check that an order over authorized limit is rejected (if IT system is used). Orders are approved only when inventory is available Order department should check inventory limit before approving order and order should be rejected if inventory is not available. Auditor should observe whether inventory balance is checked before approving sales order. Orders are approved on the basis of authorized Rates and Discounts. A separate authority (e.g. CFO/BOD) should set rate list and discount policy for every product. Select a sample of products and inspect their authorized rate list approved by appropriate authority (e.g. CFO/BOD). Order department should approve sales order only at authorized rates and discounts. -Select a sample of sales orders and compare with authorized rate list and discounts. -Use "Test Data" to check that an order at unauthorized rate or discount is rejected (if IT system is used). 5
- 6. Auditing – Study Notes Chapter 11 Understanding of Controls and Control Risk Assessment Orders are correctly recorded (regarding quantity, item and customer details) Sales orders should be in writing. Auditor should observe whether oral sales orders are accepted. All orders from customers are processed. No order is processed twice. Sales orders should be sequentially pre- numbered. -Auditor should inspect numerical sequence of sales orders. -Use test data to check that a sales order is allocated next number in the sequence. Despatch Department Control Objectives Control Activities Tests of Controls -Goods are despatched for all sales orders. -Goods are not despatched twice, for the same sales order. Sequentially prenumbered GDNs are prepared and are matched with sequentially prenumbered Sales Orders. Auditor should inspect numerical sequence of GDNs. If there is any non-sequential numbering of GDN, it should be investigated to explain reason. Goods are despatched with right specification to right customer Goods should be cross-checked with sales orders before despatch. A GDN should be accordingly prepared and signed by authorized member of despatch department. -Observe the despatch process to assess whether goods are despatched as per sales order and GDN is prepared as per goods despatched. Customer should acknowledge receipt of goods. Customer should sign a copy of GDN and should return it as acknowledgement of receipt. -Select a sample of GDN and inspect for signature of customer as acknowledgement of receipt. Invoicing/Billing Department Control Objectives Control Activities Tests of Controls Invoice is prepared for all goods despatched Sequentially prenumbered sales invoices are prepared and are matched with sequentially prenumbered GDN. -inspect numerical sequence of sales invoices. There should be segregation of duties between person who despatches goods and person who prepares sales invoices. Observe whether segregation of duties exist between person despatching goods and person preparing sales invoices. Invoices are correctly prepared (using correct quantity, price and discount) Each sales invoice should be linked to GDN and authorized Sales Order (to be used in preparing sales invoices) -Select a sample of sales invoices and check whether it includes reference to relevant GDN and authorized Sales Order. -Sales invoices should be rechecked by an independent person. -Alternatively, there should be strong IT controls over accuracy of invoices, if IT system is used. -Auditor should select a sample of sales invoices and inspect evidence for rechecking of accuracy. -Auditor should test controls over IT system to ensure accuracy of invoices, if IT system is used. For goods returned by customers, there must be an authorized credit note. -A Credit Note should be issued only by authorized staff member. -Credit note should be sequentially prenumbered and should contain reference of relevant sales invoice. Select a sample of credit notes and inspect for numerical sequence, authorization and cross reference to relevant sales invoice. 6
- 7. Auditing – Study Notes Chapter 11 Understanding of Controls and Control Risk Assessment Accounting Department Control Objectives Control Activities Tests of Controls -Sales invoices (and credit notes) are correctly and completely recorded in Sales Journal. -Sales invoices (and credit notes) are correctly posted in relevant customers' account. "Transaction Counts" and "Control Totals" of source documents should be compared with recorded transactions. Select documentary evidence on sample basis and inspect whether Transaction Counts and Control Totals of source documents have been performed on recorded transactions. -Accounts statements are sent to customers monthly and exceptions are followed up. Select a sample of Account statements sent to customers and inspect evidence of its preparation, review and follow-up of exceptions. -Debtors' Control Account and Sales Ledger are reconciled monthly. Select a sample of Reconciliation statements between Debtors' Control Account and Sales Ledger; and inspect evidence of its preparation, review and follow-up of exceptions. Bad debts are written off only when authorized. A list of overdue debts should be prepared and followed up. -Select exception reports of overdue debts, and inspect evidence of its preparation, review and follow-up. An appropriate authority should give approval for write-off of receivables. -Select a sample of write-offs during the year and inspect approval for write-off by appropriate authority. Sales are recorded promptly in books of accounts. All GDNs and Sales invoices are processed and posted in accounts daily. Select a sample of sales recorded in Sales Daybook and compare date of recording with date of GDN. CONCEPT REVIEW QUESTION Being the auditor of M/s. XYZ Limited, describe to the management about the necessary internal control that should be in place to strengthen the sales system of the company over the receipt, processing and recording of orders. (07 marks) (ICMAP - 2015 August) State internal control procedures in respect of the following functions: - Dispatches and invoice preparation for sales (05 marks) (CA Inter -Autumn 2004) LLOO 44:: TTHHEE PPUURRCCHHAASSEESS SSYYSSTTEEMM –– OOBBJJEECCTTIIVVEESS,, AACCTTIIVVIITTIIEESS AANNDD TTEESSTTSS OOFF CCOONNTTRROOLLSS:: There should be segregation of duties between Purchase Order Department, Despatch Department, Invoicing Department and Accounts Department. Order Department Control Objectives Control Activities Tests of Controls All Purchase Orders must be properly authorized Purchase Orders should be sequentially prenumbered. -Inspect numerical sequence of purchase orders. -Use test data to check that a purchase order is allocated next number in the sequence. There should be segregation of duties between individuals who make requisition and individuals who place order with supplier. Auditor should observe whether segregation of duties exist between the person who made requisition and person placing the order. All purchase orders must be authorized by head of purchase department. -select a sample of large purchase orders and inspect for approval by appropriate authority. 7
- 8. Auditing – Study Notes Chapter 11 Understanding of Controls and Control Risk Assessment Orders are given to approved suppliers only. -Company should have standard operating procedures to approve a supplier and should maintain a list of approved suppliers. Access rights to this list should be restricted (in IT system). -Purchase Orders should include "approved supplier reference number" to ensure that orders are given only to suppliers on approved list. -Select a sample of approved suppliers and inspect documentation to ensure that standard operating procedures to approve a supplier operate as intended. -Test controls over master file of approved suppliers. -Select a sample of purchase orders, inspect approved reference number and compare with list of approved suppliers. -Use test data to check orders to unauthorized suppliers are rejected (in IT system) Orders are made at competitive rates. -Quotations/Bids should be obtained for all purchase orders. Select a sample of purchase orders and inspect documentary evidence to ensure quotations were called and order is given to lowest quotation. Receiving Department Control Objectives Control Activities Tests of Controls Goods are received against all purchase orders Sequentially prenumbered GRNs are prepared for every receipt of goods; and are matched with sequentially prenumbered Purchase Orders. Auditor should inspect numerical sequence of GRNs. Any break (identified by auditor or produced by system) should be investigated to explain reason. Goods are received in accordance with valid purchase orders -Quantity and specification of goods received should be physically inspected and checked with purchase order before acceptance. -Observe the receiving process to assess whether goods are cross-checked with purchase order before acceptance. -A GRN is signed for every receipt of goods by an authorized officer of receiving department. -Select a sample of GRN and inspect signature of receiving staff. Invoicing/Billing Department Control Objectives Control Activities Tests of Controls Suppliers' invoices are processed only if goods are received from them. Suppliers' invoices should be compared with sequentially prenumbered GRN and purchase orders. -Select a sample of suppliers' invoices and inspect for evidence that they are matched with relevant GRN and Purchase Orders. Suppliers' Invoices are checked for accuracy (of quantity, price and discount) -Suppliers' invoices should be rechecked by invoicing department to ensure correct quantity, rate and applicable discounts are used by supplier. -Auditor should select A sample of suppliers' invoices and inspect evidence for rechecking of invoice for accuracy. For goods returned to suppliers, credit must be taken. A Debit Note should be issued for all purchases returns, which should be sequentially prenumbered and matched with suppliers' credit note when it is received. Select a sample of credit notes and inspect for numerical sequence, and cross reference to suppliers' credit note. 8
- 9. Auditing – Study Notes Chapter 11 Understanding of Controls and Control Risk Assessment Accounts Department Control Objectives Control Activities Tests of Controls -Purchase invoices (and debit notes) are correctly and completely recorded in Purchase Journal. -Purchase invoices (and debit notes) are correctly posted in relevant suppliers' account. Before recording in accounts, purchase invoices must be checked against purchase order, and purchase order # should be printed on purchase invoice . Select a sample of purchase invoices and inspect for relevant purchase order # on invoice, and signature of individual who checked with purchase order. "Transaction Counts" and "Control Totals" of source documents should be compared with recorded transactions. Select documentary evidence on sample basis and inspect whether Transaction Counts and Control Totals of source documents have been performed on recorded transactions. -Accounts statements are sent to suppliers monthly and exceptions are followed up. Select a sample of Account statements sent to suppliers and inspect evidence of its preparation, review and follow-up of exceptions. -Creditors' Control Account and Purchase Ledger are reconciled monthly. Select a sample of Reconciliation statements between Creditors' Control Account and Purchase Ledger; and inspect evidence of its preparation, review and follow-up of exceptions. Purchases are recorded promptly in books of accounts. All GRNs and Purchase invoices are processed and posted in accounts daily. Select a sample of purchases recorded in Purchases Daybook and compare date of recording with date of GRN. Supplier’s Statement: A supplier’s statement is a printed statement, received at regular intervals from a supplier (usually each month), showing details of transactions between the supplier and its customer (purchases, purchase returns and payments) since the previous statement, and the amount owing as at the date of the statement. CONCEPT REVIEW QUESTION You have been assigned to plan the test of controls in respect of receiving of goods and invoices from suppliers of Bhurban Limited. In this regard, you are required to identify the following: (a) The related risks (b) Controls that you expect to see to address the above risks (c) Audit procedures that you need to perform to test the controls (10 marks) (CA Inter -Spring 2015) Your senior has asked you to carry out an internal control review of the purchasing department of a manufacturing company. What control procedures would you expect in the following functions of the department: a) Ordering of goods (05 marks) b) Receipts of goods (05 marks) c) Payment for goods (05 marks) (CA Inter -Autumn 2000) State FOUR objectives of the internal controls that should be exercised over the purchases and trade payables system of Country Co. (04 marks) (CAT - December 2009) 9
- 10. Auditing – Study Notes Chapter 11 Understanding of Controls and Control Risk Assessment LLOO 55:: TTHHEE PPAAYYRROOLLLL SSYYSSTTEEMM –– OOBBJJEECCTTIIVVEESS,, AACCTTIIVVIITTIIEESS AANNDD TTEESSTTSS OOFF CCOONNTTRROOLLSS:: Calculation of Gross Wages and Salaries Control Objectives Control Activities Tests of Controls Payroll is calculated only for real employees. (i.e. no payment to former or phantom employee) -New employees in payroll should be authorized by HRD. -Employees who resigned should be promptly communicated to Payroll Department. -Select a sample of joiners during the year and check documentation for authorization of new employees. -Select a sample of leavers during the year and check that they do not exist on payroll after the month they left. -Select a sample of workers from payroll sheet and check whether they are physically present. Wages are calculated only for work done by employees. (i.e. no overtime if employees did not work) Supervisor should maintain sequentially prenumbered "Time Sheets" for each employee working on hourly based; and should authorize all time sheets. Select a sample of time sheets, and inspect for signature/initial of supervisor as evidence of approval of hours worked. Alternatively, Clock-card system should be maintained and monitored. -Observe whether clocking-in process is being monitored so that a worker cannot clock-in for multiple workers. All overtimes and bonuses should be approved by appropriate authority. Select a sample of overtime/bonus payments, and inspect that they are properly calculated and authorized. Payroll should be calculated correctly. -Payroll Preparation department should use Authorized Time Sheet and Approved Rates of Pay. Select a sample of employees from payroll and inspect that hours worked and rates of pay are in accordance with Time-sheet and approved rates. A senior member should ensure that payroll expense is not excessive, and should approve payroll sheet. Select a sample of payroll sheets and inspect signature/initial of appropriate authority as evidence of approval of payroll. If an IT system is used, an exception report should be produced for wages beyond pre- set limits, and it should be followed up by an independent person. -Use Test data to check that exception report is generated for wages beyond pre-set limits. -Inspect exception reports (of salaries & wages beyond pre-set limits) as evidence of preparation and follow-up. Calculation of tax and other deductions Control Objectives Control Activities Tests of Controls -Statutory deductions from pay (e.g. Tax) should be calculated correctly. -Voluntary deductions from pay (e.g. pension contributions) should be authorized by employee. -Payroll procedures should provide deduction of tax using up-to-date rates of tax. -Auditor should review manual procedures to ensure that tax deduction is correctly made. -Use Test-data for calculation of tax and compare results with independently calculated amount (if IT system is used). All voluntary deductions must be authorized by employee in writing; and this consent should be kept in file of employee. -Select a sample of employees and inspect written consent of employee regarding voluntary deductions and their amounts. A senior member should check that amount of total deductions is reasonable, and should approve it. Select a sample of payroll sheet and inspect signature/initial of appropriate authority as evidence of approval of deductions. 10
- 11. Auditing – Study Notes Chapter 11 Understanding of Controls and Control Risk Assessment Payment of wages and salaries Control Objectives Control Activities Tests of Controls The correct amounts of net pay should be paid to employees. -Cheques and bank transfer list should be prepared and authorized by appropriate authority. -Cheque and bank transfer list should be compared with payroll to ensure correct amount is paid. -Inspect cheque and bank transfer list for evidence of authorization. -Inspect documentary evidence for comparison of list with payroll. The correct amount of deductions is paid to the appropriate authority (for example, the tax authority). There should be formal procedures and timetable for payment of deductions. Auditor should inspect whether formal procedures and timetable for payment of deductions are being followed. Wages are paid only to genuine employee. -There should be segregation of duties between person who prepares payroll and person who distributes payroll. Auditor should observe whether segregation of duties exist between the person who prepares payroll and person who distributes payroll. Payroll distributor should confirm identity of employee before making payment. Observe payroll distribution process to ensure whether identification of employee if confirmed before making payment. Recording wages and salaries payable in the accounts Control Objectives Control Activities Tests of Controls Gross pay, deductions and net pay should be properly and accurately recorded in the accounts. Payroll file should be reconciled with accounts in general ledger. Review reconciliation of payroll file to general ledger. Confirm whether discrepancies are followed-up and resolved. Payroll should be accounted for within a strict deadline. Review whether payroll is being recorded within timescale. Authorized payroll should be used to record wages in accounts. Auditor should inspect whether authorized payroll has been used to record wages in accounts. CONCEPT REVIEW QUESTION You have been assigned to plan the test of controls in respect of salaries and wages. In this regard you are required to identify the following: (a) Possible control weaknesses in overtime payments (b) Principal controls over payment of overtime (07 marks) (CA Inter - Autumn 2015) State FIVE objectives of the internal controls that should be exercised over a wages system. (05 marks) (CAT - June 2008) Discuss any four (04) audit procedures for M/s. Farooq Enterprise for the test of control of Payroll. (04 marks) (ICMAP - 2014 May ) 11
- 12. Auditing – Study Notes Chapter 11 Understanding of Controls and Control Risk Assessment LLOO 66:: BBAANNKK AANNDD CCAASSHH SSYYSSTTEEMM –– OOBBJJEECCTTIIVVEESS,, AACCTTIIVVIITTIIEESS AANNDD TTEESSTTSS OOFF CCOONNTTRROOLLSS:: Cash Receiving Control Objectives Control Activities Tests of Controls All money received is recorded. Controls over cash received through Post: -Process of opening the mail should be monitored. -A listing should be prepared by independent person for all cash and cheques received through mail. -Observe whether mail-opening process is being monitored. -Check amount received from customers (as appearing in listed) with remittance advices sent by customers (confirming amount paid). Controls over Cash received at counter: -There should be segregation of duties between Receiving, Recording and Reconciliation functions. -Only a restricted number of employees should be authorised to receive cash. -Cash should be kept in locked-boxes and in secured area until it is deposited. -Till-Roll (or sequentially prenumbered cash-receipts) should be used to record cash sales; and a copy should be retained. -At day end, till roll totals (or cash-receipts totals) should be balanced with cash received, by an independent person. -Surprise cash counts are conducted by persons independent of custodian of cash. -Observe whether segregation of duties exist between receiving, recording and reconciliation. -Observe whether authority to receive cash is limited. -Check whether cash is kept in locked boxes in secured area. -Check for evidence that till roll totals (or cash- receipts totals) are checked against cash received by an independent person. Controls over Cash received through Boxes (e.g. in donation): -Boxes should be numerically sequenced. -Boxes should be appropriately sealed so that opening prior to recording is apparent. -There should be process for regular collection and recording of cash boxes. -Process of opening boxes should be monitored. -Inspect a sample of boxes for numerical sequence and appropriate sealing. -Observe the process of collection, opening box and recording. All money received is banked. -Cash should be immediately recorded and promptly banked. -Inquire frequency of deposit into bank. -Compare amounts and dates of cash received and cash deposited into bank. Total of listing of cash should be matched with cash book and deposit slip. Check whether total of till-roll matches with deposit slip, entry in cash book and in bank statement. 12
- 13. Auditing – Study Notes Chapter 11 Understanding of Controls and Control Risk Assessment Cash Payments Control Objectives Control Activities Tests of Controls All payments should be properly authorised, made to the correct person and are properly recorded All payments (except petty expenses) should be made through cross cheque and should be backed by supporting documents. -Select a sample of paid cheques and inspect: (a) supporting documents are available and (b) supporting documents are duly cancelled. (c) signatories are authorized. (d) entry into accounting record, bank statements and creditors' account. Supporting documents should be cancelled once cheque is prepared (to avoid duplicate payment). There should be established authority levels for cheque signing (usually two signatures required for cheques above a certain amount) Payments must be recorded promptly. Cash Balance Control Objectives Control Activities Tests of Controls All money held as cheques, notes and coins is properly safeguarded Controls over Bank Balance: -New bank accounts should be opened only in accordance with established procedures. -Responsibility for holding of cheque book and preparation of cheques should be given to restricted person. -There should be safe custody of cheque book and cheques should not be pre-signed. -Confirm that new bank accounts have only been opened under established procedures. -Observe which people are involved in holding of cheque book and preparation of cheques. -Inquire as to custody of cheque book and inspect whether any cheque is pre-signed (i.e. blank cheque). Controls over Cash in hand: Cash and coins should be kept in a heavy locked box in secured place. Access to cash should be restricted to authorized employee. -Observe cash custody procedures. PETTY CASH Control Objectives Control Activities To avoid or reduce the risk of petty cash being stolen. Maximum Limit for petty cash should be one month's petty cash spending. Petty cash should be kept in a locked cash box or drawer. There should be 'occasional checks' of petty cash by a senior person. To ensure that all spending out of petty cash is properly authorized All Petty cash expenses should be authorized in advance by a properly authorized person. All withdrawals of petty cash should be recorded on a sequentially prenumbered Petty Cash Voucher. Supporting documents should be attached with the petty cash voucher. To ensure that only correct amount of cash are withdrawn from bank to go into Petty Cash. When petty cash is 'topped up', the amount of withdrawal from bank should be equal to total of petty cash vouchers. To ensure that all spending out of petty cash is accounted for. Petty cash expenses should be periodically recorded and each entry in petty cash book should include voucher number, to ensure all expenses are recorded. 13
- 14. Auditing – Study Notes Chapter 11 Understanding of Controls and Control Risk Assessment CONCEPT REVIEW QUESTION List six key controls over cash sales and cash handling. (06 marks) (CA Inter - Spring 2016) Describe and explain the purpose of the internal controls you might expect to see in the sales system at audit client over the collection of cash. (10 marks) F8 (ACCA - December 2002) Discuss any four (04) audit procedures for M/s. Farooq Enterprise for the test of control of Cash payment. (04 marks) (ICMAP - 2014 May) LLOO 77:: IINNVVEENNTTOORRYY AANNDD NNOONN--CCUURRRREENNTT AASSSSEETTSS SSYYSSTTEEMM –– OOBBJJEECCTTIIVVEESS,, AACCTTIIVVIITTIIEESS AANNDD TTEESSTTSS OOFF CCOONNTTRROOLLSS:: INVENTORY Control Objectives Control Activities Tests of Controls -Inventory records should be accurate and complete. There should be segregation of duties between Ordering, Recording and Custody of inventory. Auditor should observe whether segregation of duties exists. Appropriate inventory records should be properly maintained. Auditor should inspect inventory records of inventory. All inventory movements should be recorded and authorized. -Every receipt of inventory should be recorded in Inventory ledger Card and should be supported by approved GRN. -Auditor should select a sample of GRN and should inspect correct quantity is entered in Inventory Ledger Card. -Every issue of inventory should be recorded in Inventory ledger Card and should be supported by approved GDN or Inventory Requisition. -Auditor should select a sample of inventory issues from Inventory Ledger Card and should inspect relevant GDN or authorized Inventory Requisition as supporting evidence. Inventory is protected against theft and damage. -Access to secure storage areas should be restricted (e.g. through locked ware-house, CCTV Camera). -Auditor should check compliance with access restrictions. -Regular inventory counts (i.e. Stock-take) should be performed using appropriate procedures; and physical balance should be reconciled with book balance, differences should be followed up. -Auditor should check for evidence that periodic inventory counts are performed, and any difference between physical balance and book balance is identified. Inventory should be correctly valued at lower of Cost and NRV in accordance with IAS - 2. -Standard Costs should be developed by management which should be compared with actual cost and variances should be appropriately adjusted. Review and test entity's procedures for determination of standard cost and disposal of variance. -There should be procedures for identification of obsolete and slow moving items e.g. aging report of inventory items, or separation of damaged inventory during stock count. -Auditor should check that procedures are in place for identification of obsolete items. Auditor should monitor these procedures. 14
- 15. Auditing – Study Notes Chapter 11 Understanding of Controls and Control Risk Assessment Appropriate levels of inventory should be held at all times. There should be maximum and minimum inventory levels for all inventory items. -Auditor should check whether inventory balances are below minimum level or above maximum level. -Use test data to check whether exception report is generated if inventory balance is above maximum level or below minimum level. -Auditor should check frequency of out of stock situations. CONTROLS OVER INVENTORY COUNT Control Objectives Control Activities Closing balance of inventory must be counted correctly. 1. Movements of inventory should be stopped during inventory counts. 2. Inventory counting sheets should be pre-printed with a description of the goods, but the quantities as per the records should not be pre-recorded. 3. Count-teams should be independent of warehouse department and should be sufficiently experienced and permanent employees of company. 4. Count-teams should consist of two members. One should count items, other should record item quantity. 5. Clear instructions should be given to all teams as to which area of warehouse is to be counted by which team to avoid omission or duplication of counting of items. 6. Count-sheets are signed by each staff member to determine accountability. 7. Counted inventory should be marked/tagged to indicate that it has been counted. 8. All inventory sheets should be prenumbered. 9. Damaged inventory should be separately identified. NON-CURRENT ASSETS Control Objectives Control Activities Tests of Controls All purchases and disposal of non- current assets are properly authorized and correctly recorded in accounting system. There should be proper authorization for purchase and disposal of fixed asset. Select a sample of fixed assets purchased/disposed during the year and inspect for evidence of authorization. Suppliers' Invoice should be approved by the person who authorized the purchase and should be marked with appropriate Account Code. Select a sample of suppliers' invoices and inspect for approval and correct account code. Purchases of fixed assets are included in and disposal of fixed assets are excluded from Fixed Assets' Register. Select a sample of fixed assets purchased/disposed during the year and trace their inclusion in /exclusion from Fixed Assets' Register. Fixed Assets' Register is periodically reconciled to General Ledger. Inspect reconciliation between Fixed Assets' Register and General Ledger as an evidence of its preparation, review and follow-up of discrepancies. All expenditures are properly analyzed as capital or revenue. Invoices must be bifurcated between capital expenditure and revenue expenditures and should be marked with appropriate Account Code. Select a sample of invoices and inspect for capital/revenue analysis of invoice and correct account code. All capital expenditures should be properly recorded. Management should review the classification between capital and revenue item to ensure compliance with standard accounting practice. Auditor should check that entries for capital expenditures are made in non-current asset register. 15
- 16. Auditing – Study Notes Chapter 11 Understanding of Controls and Control Risk Assessment CONCEPT REVIEW QUESTION List six key controls to reduce possibility of misappropriation of inventory. (06 marks) (CA Inter - Spring 2016) State FOUR objectives of the internal controls that should be exercised over non-current assets. (04 marks) (CAT - June 2005) List and explain the reason for the audit procedures used in obtaining evidence in relation to the inventory count of inventory held in the shops. (10 marks) F8 (ACCA - December 2005) List the internal controls that a small printing company with office equipment, motor vehicles and plant and machinery should have in place to achieve the objectives described above. (10 marks) F8 (ACCA - June 2003) PART B – DOCUMENTATION OF UNDERSTANDING OF ENTITY AND INTERNAL CONTROL LLOO 88:: MMEETTHHOODDSS OOFF DDOOCCUUMMEENNTTAATTIIOONN OOFF AA SSYYSSTTEEMM:: There are three methods of documentation of a system/internal control system i.e. 1. Narrative Notes 2. Questionnaires 3. Flowcharts Narrative Notes Questionnaires Flowcharts Definition Narrative notes consist of a written description of the system; they would detail what occurs in the system at each stage and would include any controls which operate at each stage. Questionnaires contain a list of questions used to assess about existence and effectiveness of controls. Flowcharts are a graphic illustration of showing how a system (e.g. sales system) is processed in different steps. Lines usually demonstrate the sequence of events and standard symbols are used to signify controls or documents. Advantages – They are simple to record; discussions with client are easily written up as notes. – easily understandable for all team members specially for junior team members who find other methods too complex. – Questionnaires are quick to prepare. – As they emphasize on controls; hence missing controls or deficiencies are easily highlighted by the team. – It is easy to view entire system as all is presented together in one diagram. – Due to the use of standard symbols for controls, they are easy to spot as are any missing controls. Exam Tips In exam if a concept review question is set from “Controls”, you may be required to: 1. State control objectives for whole system or for a specific department. 2. State control activities for a specific department (sometimes, you may also be required to state reason of each control activity. If so, control objective is reason). 3. State tests of controls for a specific department (sometimes, you may also be required to state reason of each test of control. If so, control objective is reason). 4. State risks in each department. If so, not meeting objective is risk. Remember that Control Activities are performed by management; and Tests of Controls are performed by auditor. State them accordingly. 16
- 17. Auditing – Study Notes Chapter 11 Understanding of Controls and Control Risk Assessment Disadvantages – Narrative notes may prove to be too lengthy and time consuming. – This method can make it more difficult to identify missing internal controls as the notes record the detail but do not identify control weaknesses clearly. – It can be easy for client to overstate the level of the controls. – A standard list of questions may miss out unusual controls of client. – They can sometimes be difficult to amend, as any amendments may require the whole flowchart to be redrawn. – There is still the need for narrative notes to accompany the flowchart and hence it can be a time consuming method. –It can be complex for junior team members. CONCEPT REVIEW QUESTION Auditors are required to document their understanding of the client’s internal controls. There are various options available for recording the internal control system. Two of these options are narrative notes and internal control questionnaires. Required: Describe the advantages and disadvantages to the auditor of narrative notes and internal control questionnaires as methods for documenting the system. (06 marks) F8 (ACCA - June 2011) LLOO 99:: DDIIFFFFEERREENNCCEE BBEETTWWEEEENN IICCQQ AANNDD IICCEEQQ:: Internal Control Questionnaires (ICQs) Internal Control Evaluation Questionnaires (ICEQs) ICQs are used to check whether a particular control exists or not. ICEQs are used to check whether a certain existing control is operating effectively or not. ICQs are used to evaluate design of controls. ICEQs are used to evaluate operating effectiveness of controls. ICQs are developed by auditor as part of risk assessment procedures (after obtaining understanding of entity). ICEQs are developed by auditor as part of tests of controls (after obtaining understanding of entity and its Internal Control) CONCEPT REVIEW QUESTION (a) State THREE methods by which your firm may record the internal control system of Palm Co. (03 marks) (b) Explain how an Internal Control Questionnaire (ICQ) differs in nature and design from an Internal Control Evaluation Questionnaire (ICEQ). (06 marks) (CAT - June 2007) LLOO 1100:: CCHHEECCKKIINNGG TTHHEE AACCCCUURRAACCYY OOFF PPRREEVVIIOOUUSS YYEEAARR’’SS IICCQQ:: Following are the necessary steps to check the accuracy of the previous year’s internal control questionnaires. 1. Inspect last year’s audit working papers: Review the last year’s audit file for indications of weaknesses in the system (e.g. sales system) and note these for investigation this year. 2. Inspect current year’s system documentation of client: Obtain system documentation from the client. Review this to identify any changes since last year. 3. Inquire client: Interview client staff to ascertain whether systems have changed this year and to ensure that the internal control questionnaires produced last year are correct and relevant. 17
- 18. Auditing – Study Notes Chapter 11 Understanding of Controls and Control Risk Assessment 4. Perform walk-through tests. During walk-through checks, ensure that the controls documented in the system notes are actually working, for example, verifying that documents are signed as indicated in the notes. CONCEPT REVIEW QUESTION Explain the steps necessary to check the accuracy of the previous year’s internal control questionnaires. (04 marks) F8 (ACCA - June 2008) PART C – ADDITIONAL CONCEPTS LLOO 1111:: AAUUDDIITTOORR’’SS CCOOUURRSSEE OOFF AACCTTIIOONN IIFF HHEE IIDDEENNTTIIFFIIEESS AA WWEEAAKKNNEESSSS IINN IINNTTEERRNNAALL CCOONNTTRROOLL:: Auditor’s course of Action if he identifies a weakness/deficiency in internal control: 1. Auditor shall increase risk of material misstatement. 2. Auditor may decide not to rely on internal controls, if weaknesses in internal control are unacceptably high. 3. Auditor should communicate deficiency in internal control to management on timely basis. 4. If deficiency is significant, auditor shall also communicate it to those charged with governance in writing. Management Letter and its Contents: Management Letter is a document prepared by auditor to communicate deficiencies in internal control to management and those charged with governance. Management Letter contains following elements: Description of internal control weakness Explanation of potential affect of control weakness Suggestions by auditor on how to remove control weaknesses Requirement of Listing Regulations: In case of a listed company, auditors are required to submit Management Letter to its board of directors within 45 days of the date of audit report. However, significant matters shall be communicated to board of directors before approval of audited accounts by directors. CONCEPT REVIEW QUESTION After performing tests of controls, the auditor is of the opinion that audit evidence is not sufficient to support the audit opinion; in other words many control errors were found. Required: Explain THREE actions that the auditor may now take in response to this problem. (03 marks) F8 (ACCA - June 2008) What is a Management Letter? What is the most appropriate time for issuing a Management Letter? (05 marks) (CA Inter -Autumn 2000) 18
- 19. Auditing – Study Notes Chapter 11 Understanding of Controls and Control Risk Assessment LLOO 1122:: AAUUDDIITT CCOORRRREESSPPOONNDDEENNCCEE:: Type of Letter By To Timing Brief Description Professional Clearance Letter Auditor Predecessor Auditor Before Acceptance of audit client To discuss whether there is any professional reason because of which engagement should not be accepted. Engagement Letter Auditor Management At start of the engagement Engagement Letter confirms acceptance and appointment of auditor Confirmation Letter Auditor External Parties During Audit To obtain information about entity from outside parties. Representation Letter Management Auditor Near the end of the audit It reminds management about their responsibility for preparation of financial statements and for completeness of information provided to auditor. Audit Report Auditor Members (or TCWG) At the end of the audit The audit report expresses opinion on financial statements. Management Letter/ Letter of weakness Auditor Management After the Audit Report It includes: –identified weaknesses in internal control, –risks because of weakness in internal control, and –recommendations to improve internal control. CONCEPT REVIEW QUESTION State the difference between an “Engagement Letter” and a “Professional Clearance Letter”. (03 marks) (ICAP – CA Inter, Autumn 2002) 19