ACCA F8 (INT) Audit & Assurance - 2010 - Study text - Emile Woolf Publishing
Подождите немного. Документ загружается.
Chapter 9: Tests of controls
© EWP Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides 195
An auditor should be aware of the control objectives for each of the transaction
cycles, and should assess the effectiveness of the controls that the client entity
has in place to achieve those objectives. (If there are obvious weaknesses in the
controls, the auditor should notify these to the client entity’s management).
If the auditor is satisfied that the controls seem adequate, he should devise tests
to establish whether they work in practice. The auditor therefore devises and
carries out tests of control.
Tests of control should therefore be seen within the context of:
Risks
Control objectives
Controls
Tests of those controls.
If you are required to suggest suitable tests of controls in answer to an exam
question, you should be able to explain why the control is needed and how the test
will establish the effectiveness of the control. It may help you to present tests of
controls in a tabular form in your answer, as follows:
Test of control Reason for the control
Paper F8: Audit and assurance (International)
196 Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides © EWP
The sales system
Elements of the sales system
Customer ordering
Despatch of goods and invoicing
Recording sales and accounting
2 The sales system
2.1 Elements of the sales system
Excluding the collection of payments from credit customers, the main elements of
the sales accounting system may be classified as follows:
Receiving orders from customers
Despatching the goods and invoicing customers
Recording sales and amounts receivable in the accounts
For each of these elements of the system, we can identify risks, control objectives,
design internal controls and devise ways of checking whether the controls are
applied in practice (tests of control).
2.2 Customer ordering
Risks
So what are the risks in a system of receiving and processing customer orders? The
following list is not complete, but contains some of the risks.
Orders may be accepted from new customers and new customers may be given
credit, without checking the customer’s references or without formal
authorisation of a credit account for the customer with a credit limit.
Orders may be accepted from existing customers that take them over their credit
limit.
Some orders are overlooked and are not processed. Some orders are processed
twice.
The customer is given a price discount without proper authorisation.
Control objectives
Suitable control objectives may therefore be as follows:
Giving credit to new customers and existing customers must be controlled, and
must be consistent with company policy.
All orders from customers are processed correctly. Orders should not be
processed if they would take the customer above his agreed credit limit.
Chapter 9: Tests of controls
© EWP Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides 197
Principal controls
Suitable controls may be as follows:
There should be a segregation of duties, and the individuals who process orders
from customers should not also carry out credit reference checks on new
customers or credit limit checks on existing customers. The latter could be done
manually by reference to a file of approved credit limits, or it could be a
programmed control whereby the system will only accept an order if the
customer will still be within his credit limit.
All new customer accounts, and their credit limit, should be authorised.
Orders should be recorded on sequentially-numbered documents or the system
should allocate sequential numbers to documents.
For every sales order, a despatch note should be produced (manually, or
generated by the system from the order details). Goods should not be
despatched to customers without a despatch note.
Tests of control
How might an auditor test whether these controls are actually applied in practice?
The client can assist the auditor by collecting evidence that the controls have been
applied. One way of doing this is to use the customer order document to record that
checks have been completed; for example, by providing space on the order form for
individuals to sign their name or write their initials as confirmation that they have
carried out a particular task.
Here are some suggested tests of control:
The auditor can establish which individuals take orders and process them, and
which individuals carry out credit reference checks on new customers and credit
limit checks on existing customers. The auditor could observe these individuals
to see if procedures are being properly followed. In an IT system he could use
test data to check that orders which would take a customer over his credit limit
would be rejected by the system.
Further evidence that credit checks have been carried out can be checked by
looking at the signatures or initials of credit checking staff on customer orders or
by using test data as described above.
Evidence that new customer accounts have been approved should be checked by
looking for the signature of the manager giving the authorisation on the
appropriate approval document.
The auditor can look at lists of customer orders, sequentially numbered, and
confirm that for every customer order there is a despatch note number.
Alternatively, for an integrated IT system, he can follow test data through from
order to despatch note and confirm that sequences are complete by viewing
documents on screen.
It is important to remember that this list of controls and tests of controls is not
complete, but it may help you to understand the process by which tests of control
are carried out, and the way in which they should give the auditor the evidence that
he needs for a systems-based approach to the audit. You need to take care in the
exam that the controls or tests of controls you suggest are appropriate to the system
Paper F8: Audit and assurance (International)
198 Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides © EWP
described, taking careful note of which parts of the system are manual and which
are IT-based. The control objectives will be the same for both types of systems – it is
the specific controls (and therefore also tests of controls) that will sometimes be
different.
2.3 Despatch of goods and invoicing
The same approach can be applied to the despatch of goods and invoicing.
Risks
Here are some of the risks in this part of the sales system:
For some customer orders, goods are not despatched, or the goods are
despatched twice.
Goods are despatched to customers who do not have sufficient credit (either
because no credit terms have been agreed, in the case of a new customer, or
because the order takes an existing customer above his credit limit).
Invoices are not produced for goods that have been despatched to some
customers.
Customers may claim that they did not receive the goods that have actually been
delivered to them.
Returns from customers are not properly recorded, so that the client company
does not know the correct figure for sales net of sales returns.
Control objectives
Control objectives may therefore be as follows:
Goods should be despatched for every authorised customer order.
Goods should not be despatched twice, for the same sales order.
Customers should acknowledge the receipt of goods.
For every despatch note, there must be an invoice.
Invoices should be for the correct amount.
For all goods returned by customers, there must be an authorised credit note.
Principal controls
Suitable controls may be as follows:
Despatch notes or Goods Delivery Notes (GDNs) should be numbered
sequentially, and should be attached to a copy of a specific customer order. The
GDN should be signed by an authorised member of the despatch staff.
Sequential numbering of GDNs allows a check to be made that all deliveries can
be accounted for.
Customers should sign a delivery note for the receipt of goods, as confirmation
of receipt.
The signed delivery note should be attached to a copy of the despatch note and
customer order. Copies of these documents should be transferred to the accounts
department after despatch, so that a sales invoice can be produced.
Chapter 9: Tests of controls
© EWP Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides 199
Each sales invoice should be linked to a copy of the despatch note and customer
order or produced automatically from them.
Sales invoices should be sequentially numbered or the system should allocate
sequential numbers to documents.
There should be a segregation of duties, and the individuals who despatch
goods should not be the same as those who prepare sales invoices or process the
customer orders.
Credit notes should be sequentially numbered and authorised.
There should be periodic checks by someone in the accounts staff on the
accuracy of invoices or strong IT controls to ensure the accuracy of invoices.
Tests of control
The auditor needs to test whether these controls operate properly. Here are some
suggested tests of control:
Some delivery notes should be checked to confirm that customers do sign them.
The auditor can check that the segregation of duties does exist.
There should be a check to ensure that all GDNs have been sequentially
numbered, and that if there is any non-sequential numbering of GDNs an error
report has been produced by the system to explain the reason for the error.
The auditor should check that (sequential) lists of invoices show a customer
order number and a despatch note number.
The auditor should check a list of credit notes to make sure that they cross-refer
to a sales invoice number.
Credit notes should be checked to make sure that they contain the authorisation
signature of the appropriate manager or have been raised, on the computer, only
by a member of staff with authority to do so.
The auditor can observe the despatch process in operation.
There should be documentary evidence that a member of the accounts staff has
carried out arithmetical checks on the accuracy of invoices. Alternatively, the
auditor may prove that there are strong IT controls which will ensure the
accuracy of invoices by checking the calculations himself.
Remember that for each test of control, there should be a purpose. In other words,
what control is being tested and how does the test succeed in doing this? For
example:
Test of control Reason for the control
Review error reports on non-
numerical sequencing of GDNs
and ask about action taken to
investigate or deal with the error.
Test to ensure that all GDNs have been in
numerical sequence, and if not that errors
can be satisfactorily explained.
Test a sample of GDNs for the
customer’s signature
To ensure that the customer did receive the
goods and has acknowledged receipt.
Paper F8: Audit and assurance (International)
200 Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides © EWP
Test of control Reason for the control
Observe the despatch process
To check that goods are despatched only
where a GDN exists and that the goods
actually despatched correspond with the
details on the GDN.
Observe the credit checking
process
To ensure that authorisation is not given for
the despatch of goods if this would take the
customer over his credit limit.
2.4 Recording sales and accounting
Again, a similar approach can be taken in identifying tests of control for the
recording of sales in the accounting system.
Risks and control objectives
Here are some of the risks and control objectives in this part of the sales system:
There is a risk that invoices and credit notes may not be recorded in the
accounting system. A control objective is to ensure that they are all recorded.
There is a risk that invoices and credit notes are recorded in the wrong customer
accounts. A control objective is to prevent this from happening, or to detect
errors when they do occur.
There is a risk that debts may be written off as uncollectable (‘bad’) without
proper consideration. A control objective is to make sure that this does not
happen.
Principal controls
Suitable controls may be as follows:
Invoices and credit notes should be sequentially numbered.
Regular statements should be sent to customers.
Control account reconciliations should be carried out on trade receivables.
Bad debts must be authorised.
There are procedures for identification and follow-up of overdue accounts and
unpaid invoices.
Tests of control
Here are some suggested tests of control:
Lists of invoices and credit notes can be checked to make sure that there is
sequential numbering or documents can be viewed on screen.
There should be a segregation of duties between the individuals who prepare
and send out invoices, and individuals who collect payments, and individuals
who follow up late payments.
Chapter 9: Tests of controls
© EWP Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides 201
The auditor can check that statements are produced and despatched to
customers.
The auditor can look for documentary evidence that control total checks have
been made.
There should be documentary evidence that proper authorisation is given for a
debt to be written off as bad.
There should be individuals responsible for collecting overdue debts, and
evidence of their work. Alternatively the auditor might check that an exception
report is regularly produced by the system, listing all overdue debts, and look
for evidence that this is followed up.
Paper F8: Audit and assurance (International)
202 Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides © EWP
The purchases and expenses system
Elements of the purchases and expenses system
Placing orders
Receiving goods and invoices
Recording and accounting for purchases and expenses
3 The purchases and expenses system
3.1 Elements of the purchases and expenses system
Excluding the procedures for making payments to suppliers, the main elements of
the accounting system for purchases and other expenses may be classified as
follows:
Placing orders
Receiving goods (or services) and receiving invoices
Recording and accounting for purchases and expenses.
The same basic approach to devising tests of control can be taken as for the sales
system. The risks, control objectives, controls and tests of control listed here are not
comprehensive. They are intended to show you the approach that can be taken.
Again, the control objectives will be the same for all systems, but the controls and
therefore tests of controls, are likely to differ to some extent between manual and IT
systems.
3.2 Placing orders
Risks
So what are the risks in a system of ordering goods or services from suppliers? The
following list is not complete, but contains some of the risks:
Orders for goods or services are made without approval or authorisation.
Orders may be placed with suppliers who are not on the ‘approved list’.
For large orders, suppliers are not asked to submit tenders. When suppliers are
asked to tender, the order might not be given to the supplier quoting the lowest
price.
Control objectives
Suitable control objectives may therefore be as follows:
All purchase orders must be properly authorised.
Orders should not be placed with ‘non-approved’ suppliers.
Competitive price quotations should be obtained for all large orders.
Chapter 9: Tests of controls
© EWP Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides 203
Principal controls
Suitable controls may be as follows:
There should be a segregation of duties. Individuals who make a requisition for
new supplies of inventory should not be the individuals who place the order
with the supplier.
Purchase orders should be sequentially numbered.
There should be a procedure for placing suppliers on the ‘approved list’. In an IT
system, physical controls must exist over access to the master file of approved
suppliers.
All orders must be placed with suppliers on an approved list. The purchase
order may include an ‘approved supplier reference number’. In an IT system the
system must only be able to address orders to approved suppliers as on the
master file.
Orders above a certain value must be authorised by a senior manager, who
should confirm that competitive tenders have been obtained from suppliers.
Tests of control
Here are some suggested tests of control:
The auditor can check that the segregation of duties does exist.
The auditor can look at lists of sequentially-numbered purchase orders or view
documents on screen. Alternatively, he could submit test data in the form of an
order and check it is allocated the next number in the sequence.
The auditor should ask management to provide documentary evidence that the
procedure for placing suppliers on the approved list operates as intended. In an
IT system, the controls over the master file of approved suppliers will need to be
tested.
Purchase orders can be checked to make sure that they contain an approved
supplier reference number.
Large orders can be checked for management authorisation.
3.3 Receiving goods and invoices
Risks and control objectives
Here are some risks and control objectives for this part of the purchases transaction
cycle:
There is a risk that goods may be accepted from a supplier without having been
ordered. Or suppliers may claim to have delivered goods, but may actually not
have done so. A control objective is therefore to make sure that all receipts of
goods are recorded and checked against a purchase order.
There is a risk that the company may fail to claim discounts from suppliers for
orders above a certain size, or as regular customers of the supplier. A control
objective should be that discounts are given by suppliers where these are
available.
Paper F8: Audit and assurance (International)
204 Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides © EWP
There is a risk that suppliers may invoice for goods that have not actually been
provided. A control objective is to prevent this from happening, or detect when
it does happen.
Principal controls
In this area there is little difference between manual and IT systems as this part of
an IT system will be dependent on controls over the physical receipt of goods and
invoices, which will be carried out by employees as opposed to by a computer
program. Suitable controls may be as follows:
A copy of all delivery notes should be retained, with a signature of the member
of staff who took receipt and checked the goods.
Goods received notes should be produced for each delivery, from the delivery
note or after a physical count of the items received.
A member of the accounts staff or purchasing staff must be responsible for
checking discounts allowed by suppliers.
There should be a segregation of duties between the individuals who take
delivery of goods, those who place the orders and those who record the
purchase invoices in the accounting system.
All purchase invoices should be checked against a purchase order and a goods
received note.
Tests of control
Here are some suggested tests of control:
The auditor should check that delivery notes, goods received notes and purchase
invoices are matched with each other. There should be evidence that they have
been checked against each other; for example, the person making the check
should sign or initial the purchase invoice.
The auditor should look for any evidence that invoices, purchase orders or
goods received notes cannot be properly matched (indicating that the controls
are not working in practice and a control objective is not being achieved).
The auditor should look for documentary evidence that discounts are checked
and claimed from suppliers when available.
The auditor should check that the segregation of duties does exist.
3.4 Recording and accounting for purchases and expenses
Risks and control objectives
Here are some risks and control objectives for this part of the purchases transaction
cycle:
There is a risk that purchase invoices will be recorded for goods or services that
were not provided. A control objective is to make sure that this does not happen.