Uploaded by Elle Engelbrecht

Auditing Course Material: Principles & Process

AUDITING 378
MADE BY TAKINGNOTES.CO.ZA (WWW.TAKINGNOTES.CO.ZA)
Auditing 288/388
The following topics will be dealt with in Audit 288/388:
- Introduction and background to auditing
- Internal control and cycles
- Ethics and auditor’s legal responsibility
- Audit process
Introduction and background to auditing:
(AF Ch. 1,3)
Foundational principles:
- Auditor
- Definition of an audit
- Purpose of an audit
- Auditing profession
- Types of audits
- Types of auditors
- Types of services
- Companies Act requirements
Learning outcomes:
- Describe the definition of an audit, and explain the duties and environment in which
the auditor works
- Describe the underlying principles of the audit profession
- Differentiate between types of audits, services and auditors
- Discuss the Companies Act requirements
- Discuss the link between the different subjects
- Fundamental principles in auditing – auditing postulates
Background:
Why the need for accounting records?
Used by management to:
- Record and keep track of transactions and economic activities
- Obtain relevant information in a timely manner so management can make informed
decisions
- Measure results and evaluate performance against goals and targets
- Prepare financial statements for reporting to external parties
Objective of financial statements:
To provide financial information about an entity that is useful to users in making economic
decisions.
Responsibilities w.r.t the financial statements:
Accounting department = day-to-day responsibilities of the financial function
Directors = Responsible for accounting records and financial statements
CFO = Overseeing and finalisation of the financial statements
Audit committee = Subcommittee of the directors, for assistance
What is an auditor?
- They are assurance givers who express a conclusion designed to enhance the degree of
confidence of the intended user
- Satisfy himself or herself as to the truth of the bookkeeping of others
- Independent
Why do we need auditors?
- Statutory audits – Required by statute
- Principal-Agent theory - Owners (Sh/h) and management are split:
• Owners delegate decision-making powers to the directors
• The directors have to act in the best interest of the owners
• Therefore, independent party (auditor) reports to the owners whether the
directors fairly present the financial effects of activities in the financial statements
Auditors reinforce trust
What is the definition of an audit?
- Systematic process
- To gather and evaluate evidence and information objectively
- To evaluate the assertions about economic actions and situations made by
management of the entity
- To determine the correlation with predefined criteria - quantitative and qualitative
- And communicate the results in writing
- To users
What is the purpose or objective of an audit?
- To express an opinion on the financial statements
- That they are free of material misstatements
- And that they are a fair representation in all material aspects
- Of the financial position and performance of the company/ entity
- In accordance with the appropriate financial reporting framework
The objective is to provide reasonable assurance. There are unavoidable risks due to the
inherent limitations of an audit.
The objective is NOT to:
- Guarantee the existence of the company
- Detect fraud
The auditors’ opinion enhances the credibility of the financial statements but does not
warrant the future feasibility of the company and does not warrant the capability and
effectiveness with which management manages the operations of the entity.
How does an external audit add value?
- Encourages good corporate governance
- Makes it safer to invest in an entity
- Improves legitimate tax collection, therefore reducing tax for all
- Improves the accuracy of information in financial statements
- Enhances credibility from the users’ perspective
- Leads to better decision-making
What are the inherent limitations of an audit?
1. The nature of financial reporting:
• Management use judgement in preparing financial statements when applying
IFRS and making estimates
2. The nature of audit procedures:
• Practical and legal limitations on audit
• Management provides documentation and explanation on which to base
conclusions, may be intentionally or unintentionally wrong (incorrect, incomplete
or misrepresented)
• Management may try to hide fraud
3. Timeliness of financial reporting and balance between benefit and cost
• Reliability of evidence versus cost
• Time and resources available – Use of sampling
It is impractical to verify or audit all information due to cost constraints on time and
resources available. Therefore samples are used and unavoidable risks arise due to
undetected errors
Auditing profession:
Types of auditors:
- External auditor: Independent auditor
- Internal auditor: Employee, renders a service to the entity
- Attorney General (Public auditor): Auditor General, SARS
- Forensic auditor: Investigates fraud
- Special purpose auditor: Whether particular provisions of a contractual agreement,
such as a loan agreement have been complied with.
What are the duties and responsibilities of an auditor?
- To communicate opinion
- To investigate annual financial statements
- To ensure that appropriate accounting records have been kept in accordance with
the company’s requirements
- To ensure that minute books and attendance registers in respect of company,
directors’ and managers’ meetings have been kept in the appropriate form as
required by the Companies Act
- To acquire all information and explanations, that to his/her knowledge and conviction
are necessary for the purpose of the performance of duties
- To ascertain that annual financial statements agree with the accounting records and
accounts
- To investigate the accounting records of company and to perform tests and other
audit procedures found necessary to ensure that annual financial statements:
• Reasonably reflect the financial position of the company
• The results of its operations are in accordance with generally accepted
accounting practice, applied on a basis that is compatible with that of the
previous year
- To ensure that the directors’ report does not conflict with, or distort the meaning of, a
reasonable interpretation of the annual financial statements and accompanying notes
- To adhere to any appropriate requirements of the Auditing Profession Act at all times
What are the characteristics of an auditor?
- Independence
- Integrity
- Objectivity
- Professional competence and due care
- Confidentiality
- Professional behaviour
Types of audits:
- Financial statement audit
- Compliance audit
- Operational or performance audit
Types of services:
- Assurance services
• Reasonable assurance – Audit
• Moderate assurance – Independent Review
- Non-assurance services
• Consultation services – Tech, International, Financial planning, Taxation
• Compilation
• Agreed upon procedures
What elements have to be present to have an assurance engagement?
- Three party relationship (Owner, Director, and Auditor)
- Appropriate subject matter
- Suitable criteria
- Evidence
- Assurance report
What is the difference between a private audit and a public sector audit?
Private audit:
- Audit of entities
- In terms of the Auditing Profession Act
- Audit of: Financial statements
Public Sector Audits:
- Audit of government
- In terms of The Public Audit Act
- Audit of:
• Financial statements
• Compliance with laws and regulations
• Performance in terms of predetermined criteria
What are the Companies Act requirements?
Directors/ Company:
- Fin YE date
- Accounting records
- Compile AFS
- Approve & AGM
Auditor:
- With inception - members or directors
- Otherwise Registrar
- Annual appointment
- Access to records, books, docs, info and explanations
- Report to members
- Other responsibilities (s90-93)
What are the postulates or assumptions on which the theory of auditing is based?
- The information subject to an audit is verifiable
- The information subjected to an audit must be compiled or prepared in accordance
with an identified set of criteria
- When an auditor investigates information with the purpose of expressing an opinion
about it, he/ she acts exclusively in his/ her capacity as auditor
- An audit must be performed by a person who is independent from the entity being
audited and who is able to make objective decisions and come to unbiased
conclusions
- The process of creating an opinion consists of the collection of persuasive audit
evidence in accordance with a risk approach
- The auditor’s opinion is expressed in the form of a report on the audited information
- The professional status of an independent auditor imposes commensurate
obligations
The auditing postulates are based on:
- Truth and fairness
- Independence
Internal control and introduction to cycles
(AF Ch. 4)
Underlying principles of internal control:
- Audit process
- Definition of internal control
- Inherent limitations of internal control
- Auditor’s duty
- Components of internal control
- Control objectives
Learning outcomes:
- Outline and discuss the definition of internal control (IC)
- Describe the inherent limitations of IC
- Outline the auditor’s responsibility in respect of IC
- Name, describe and practically apply the components of IC
- Formulate control objectives for different transactions (TO ENSURE THAT)
How does the audit process look?
International Standards on Auditing (ISAs) govern the audit process.
There are 4 stages of the audit process:
1. Pre-engagement
2. Planning
3. Obtaining evidence
4. Evaluation, conclusion and reporting
Covered in detail in the topic: Audit Process
Internal controls are part of the planning stage of the audit process. The auditor has to gain
an understanding of the accounting system and the internal controls of the company (client)
it is auditing. The planning stage consists of gaining knowledge of the business, risk
evaluation and materiality.
What is the definition of a system of IC?
The process designed and effected by management to provide reasonable assurance about
the achievement of entity’s objectives relating to:
- Reliability of financial reporting
- Effectiveness and efficiency of operations
- Compliance with laws and regulations
Discuss the definition of a system of IC:
- Process
• System of IC that involves a combination of systems, policies and procedures
• 5 Components of IC
- Responsibility
• IC executed by people/ computers. Board should acknowledge responsibility
- Objectives
• IC measures implemented are determined based on risks which threaten the
achievement of the entity’s objectives relating to reporting, operations and
compliance
- Reasonable assurance
• Due to the inherent limitations of a system of internal control.
What are the inherent limitations of IC?
IC can only provide reasonable assurance because:
- Cost vs Benefit: Implement cost-effective IC’s, not always the best
- Directed at routine, repetitive transactions
- Risk of human error: Judgement of employee can be incorrect (time constraints,
insufficient information)
- Collusion to circumvent controls
- Abuse of responsibility and override IC measures for own benefit
- IC becomes inadequate over time
What are the auditor’s duties and responsibilities in an audit?
For what should an auditor obtain an understanding of the client’s IC?
- Risk evaluation
• To identify types of potential material misstatements and
• Consider factors that influence material misstatements
- Response to controls as evaluated
• Influence nature, timing and extent of audit procedures
• Also consider other parties
Of what should the auditor gain an understanding?
The design and implementation of controls
- Properly developed and implemented
- Properly designed to detect and prevent mistakes
What does the auditor do?
1. Evaluate applicability/ risk (CR)
• Determine how it is addressed by management
2. Test/ measure
• Conduct tests of control
How does an auditor gain the necessary knowledge to perform his/ her duties?
- Prior experience and knowledge
- Discussions and enquiries with staff
- Reading manuals
- Inspect documentation and records
- Observation
- Walk through tests
What needs to be present in the documentation?
- System description
- Internal control questionnaire
• Yes: Sound IC
• No: Weakness in IC – potential risk
• Consider compensating control
- System flow charts
• Standardised symbols
• Flow of documents
• Sequence of events
• Duties and responsibilities of staff.
How do you design a system of internal control?
Identify risks > Formulate your control objective > Use components of IC to design
Internal Control Components:
What are the IC components?
Components used by management to design a suitable system of IC to mitigate risks
Five components:
1. Control environment
2. Risk assessment process
3. Information system for financial reporting and communication
4. Control activities
5. Monitoring
All five of these components have to be present for a sound system of IC.
Description of the components of a system of IC:
1. Control environment
The control environment is created by management and provides a favourable environment
in which the other components of IC could function.
Encompasses the attitude of management toward IC.
What are the characteristics of a sound system of IC?
Management can create and foster a positive attitude by implementing the characteristics.
- Integrity and ethical values
- Commitment to competence
- Board of Directors and Audit Committee
- Management’s philosophy and operating structure
- Organisational structure
- Assignment of authority and responsibility
- Human resource policies and procedures
Why does an auditor want to evaluate the control environment?
It is important for the auditor to evaluate the environment, because an effective system of IC
is not possible if a favourable control environment was not created. This helps us to assess
the risk of material misstatements of the financial statements.
2. Risk assessment process
What is the definition of risk assessment in a system of IC?
The risk assessment process is the way that management of an organisation:
- Identifies risks relevant to the business
- Estimates the significance and likelihood of the risk occurring (or assesses the risk)
- Decides on actions to respond to manage the risk = Risk management
What is risk management?
It is the identification and evaluation of actual and potential risks followed by a procedure of
adequate response.
Risk identification – Identify risks to which the entity is exposed using:
- Triple context: Economic, Environment and Society
- Capitals: Financial, Manufactured, Intellectual, Human, Social and
Relationship, and Natural.
Risk evaluation – Determine the significance of the risk.
- Consider impact and likelihood of materialisation
- Quantify, rank and prioritise the identified risks
After the risks are identified and evaluated – Decide on an appropriate risk response
On what does an appropriate risk response depend?
- Risk appetite
How much and which type of risk the entity is willing to accept
- Levels of risk tolerance (determined by Board)
Specific quantified limits of risk the entity can tolerate to achieve objectives
- Residual risk
Risk that remains after treating the risk with the most appropriate risk response
What types of risk responses are there?
- Tolerance or acceptance of the risk
• Only react if/ when risk occurs
• Insignificant risks, cost to recover < cost to plan
- Transferring the risk to a third party
• Moving risk to third party
• Not eliminating risk, you only have insurance for when the risk occurs
- Mitigation (treatment/ reduction) of identified risks
• Reduce the probability or impact of unacceptable risk
• Suitable system of IC
- Avoidance/ termination of activity or process that creates the risk
• Possibility of the risk occurring is eliminated
- Exploitation of the opportunity created by the risk
• Exploit the opportunity to entity’s benefit
• Take the action to ensure that risk occurs
• Thus, there is no uncertainty
- Combination or integration of all of the above
Keep a risk register of the relevant information regarding the identified risks.
It should be regularly updated and include the following:
- Key risks to which the entity is exposed
- Likelihood of them materialising
- Potential impact on business
- Management’s responses
3. Information system for financial reporting and communication
What is the information system?
It is the procedures and records established to initiate, record, process and report entity
transactions, events and conditions and to maintain accountability for related assets,
liabilities and equity
It consists of the following 4 stages:
- Initiate and execute – transaction
Physical activities relating to where transaction initiated (decision and approval) or
execution through performing activities to complete the transaction (implementation)
- Record – documentation/ records
Information applicable to the transaction is recorded on a source document (HC/ ET)
- Process – accounting records and FS closing process
Transaction is processed and corresponding entries are made in accounting records
Accounting records are records of initial accounting entries and supporting records
Includes general and subsidiary ledgers, journal entries and spreadsheets
- Report – financial statements
Stage where the transaction is included in the financial statements, which embody assertions
4. Control activities
What are control activities?
They are IC measures, policies and procedures implemented and designed by management
to ensure the objectives are achieved
There are six control activities (SCRRAM):
- Segregation of duties
- Access control
- Independent review and reconciliations
- Documentation and records
- Authorisation
- Monitoring (detective)
S – Segregation of duties
- Segregate incompatible functions
- Reduces the probability that one person can commit error or fraud and hide it
- Authorisation, execution, record, control and safeguarding should always be
segregated.
Guidelines to effect proper segregation of duties:
- No transaction is performed by the same person from beginning to end
- Optimally each irreconcilable function should be performed by different individuals
- The irreconcilable functions that should be separated are:
• Authorisation of transaction
• Execution of transaction
• Record-keeping of transaction
• Control over/ safekeeping of asset
- There should be identification of responsibility with regard to persons who have
completed the work (e.g. stamp/ signature)
- Person in charge of an asset should not also be in charge of its accounting records
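The segregation guidelines above can be tested mechanically against a transaction log. The following is an added example, not part of the original notes; the log layout, the function labels and the staff names are constructed for illustration.

```python
from collections import defaultdict

# The four incompatible functions named in the notes (labels are assumptions).
FUNCTIONS = ("authorise", "execute", "record", "custody")

# Constructed sample log: (transaction id, function performed, staff member).
SAMPLE_LOG = [
    ("INV-001", "authorise", "credit_manager"),
    ("INV-001", "execute", "storeman"),
    ("INV-001", "record", "accountant"),
    ("INV-001", "custody", "chief_storeman"),
    ("INV-002", "authorise", "order_clerk"),
    ("INV-002", "execute", "order_clerk"),
    ("INV-002", "record", "accountant"),
    ("INV-002", "custody", "storeman"),
    ("INV-003", "authorise", "storeman"),
    ("INV-003", "execute", "storeman"),
    ("INV-003", "record", "storeman"),
    ("INV-003", "custody", "storeman"),
    ("INV-004", "execute", "storeman"),
    ("INV-004", "record", "accountant"),
    ("INV-004", "custody", "accountant"),
]


def check_segregation(log):
    """Return {txn_id: [finding, ...]} for transactions that break the guidelines."""
    # txn id -> person -> set of functions that person performed
    per_txn = defaultdict(lambda: defaultdict(set))
    for txn_id, function, person in log:
        if function not in FUNCTIONS:
            raise ValueError(f"unknown function {function!r} in {txn_id}")
        per_txn[txn_id][person].add(function)

    findings = {}
    for txn_id, by_person in sorted(per_txn.items()):
        issues = []
        performed = set()
        for person, funcs in sorted(by_person.items()):
            performed |= funcs
            if funcs == set(FUNCTIONS):
                # Guideline: no transaction handled by one person from start to end.
                issues.append(f"{person} performed the transaction from beginning to end")
            elif len(funcs) > 1:
                # Guideline: each incompatible function done by a different individual.
                ordered = [f for f in FUNCTIONS if f in funcs]
                issues.append(f"{person} combined {' + '.join(ordered)}")
        # Guideline: responsibility must be identifiable for every function.
        missing = [f for f in FUNCTIONS if f not in performed]
        if missing:
            issues.append("no identified person for: " + ", ".join(missing))
        if issues:
            findings[txn_id] = issues
    return findings


if __name__ == "__main__":
    for txn_id, issues in check_segregation(SAMPLE_LOG).items():
        for issue in issues:
            print(f"{txn_id}: {issue}")
```
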
C – Access control
- Restricting physical access including control to protect assets, stationery, and
information
- Logical and physical access.
Rv – Independent review and reconciliations
- The work/ duties of one person independently reviewed/ checked by second person
- Evidence of review by signature, also assigns responsibility
Rc – Documentation and records
- Document design – pre-printed, pre-#, layout, initials, numerous copies
- Stationery control – safeguarded, sequential numbering, register
- Chart of accounts – list of general ledger accounts
A – Authorisation
- Different levels of approval for various classes of transactions/ values determined by
the company policy
- Before authorisation, review is allowed.
- Evidence of authorisation required – signature
M – Monitoring
- Comparison (actual vs recorded) and reconciliation (SL vs GL)
5. Monitoring of controls
What is monitoring?
- Evaluate effectiveness of IC and take corrective actions where needed
What are the control objectives?
Validity:
Control ensures that transaction/ event:
- Authorised AND
- Occurred
- During the period AND
- Supported by documentation
Completeness:
Control ensures that all the transactions that occurred during the period are:
- All recorded
- Recorded in a timely manner
- None omitted
Accuracy:
Control ensures that the transaction/ event accounted for:
- Correct amounts (quantity, calculations, price)
- Correctly classified
- Correctly summarised and posted to …
Very important.
When formulating a control objective remember to ask yourself: What do you want to do?
And start your answer with:
TO ENSURE THAT!
Remember when you formulate a control objective, there are NO PEOPLE, ACTIONS, OR
DOCUMENTS.
How do you formulate control objectives?
Ask the following:
- Which part of transaction?
- What is the specific control objective?
- What are the risks linked to that control objective?
- Then formulate: TO ENSURE THAT…
Cycles:
The following cycles will be covered in Audit 288/388:
- Revenue and receipt cycle
- Purchases and payment cycle
- Inventory and production cycle
- Bank and cash cycle
- Salaries and wage cycle
- Investment and financing cycle (Self-study)
How does a business work?
Framework of cycles:
- Transaction types and functions
- Risks
- Controls
- Recommendations
- Weaknesses
Learning outcomes for cycles:
- Describe the nature of various cycles including the application accounts and
transaction types and functions
- Describe the control objectives applicable in the cycle
- Explain what could go wrong (risks or weaknesses) in the cycle including the
consequences thereof
- Make recommendations to improve weaknesses
- Design a suitable internal control system
Remember: Consequences are always linked to a control objective
CASH SALES CYCLE
Stuvia.com - The Marketplace to Buy and Sell your Study Material
ACCEPT AND PROCESS ORDER
ORDER FORM
1. Customer orders goods
2. The order clerk must prepare a pre-numbered order form that includes the details of the purchaser, description & amount
• Prices as quoted to client
• Prices according to approved price lists
• The previous year sales levels to determine if the person qualifies for discount
3. The order must be sent to the credit manager:
• Check that all info is correct and if client is a member
• Ensures that clients fill credit form / authorizes credit
• Sign document
• Compare the prices with the approved prices
4. The copy that remains in the dept. must then be:
• Filed in # sequence & check
• Outstanding orders must be followed up on
5. Copies:
• Customer – as evidence that order is executed
• Acc dept. – as evidence that the order has been received
• Warehouse – order can be prepared
• Order clerk – for our own records and invoicing
WHEN THE GRANTING OF CREDIT OCCURS
ORDER FORM
1. New client
• There should be a credit application and approval
• Credit checks
• A credit limit should also be set
2. Existing client
• Available credit
• Additional credit
DISPATCHING OF GOODS
DELIVERY NOTE (INVENTORIES AVAILABLE)
1. In the warehouse:
• The order is sent to the WH
• The storeman then sends an email to the sales dept. to confirm receipt of the order
• The chief storeman then instructs the packers to pack the order
2. The delivery note must be & incl:
• Pre-numbered and prepared by one of the storemen
• Date of dispatch
• The purchaser and address
• The description and amount in fivefold
3. The delivery note must be authorised & signed by chief storeman
4. Before goods leave WH, the storeman must:
• Compare physical goods with delivery note
• Check QQD and ensure correct stock has been dispatched
• If differences → notify order clerk in writing
5. A list of undelivered items should be kept → once available the storeman should inform the order clerk
6. The # sequence of the delivery note must be checked and outstanding items must be followed up on
7. The delivery register must be reviewed regularly by the security guard
8. Copies:
• Two copies to client for QQD review
• One signed by the client and returned to delivery staff
• The order must be signed by delivery staff to ensure he is happy with the conditions of goods
• Sales dept. – as evidence that order was executed
• Remains at WH – as evidence that inventories have been dispatched
• Inventory clerk – so inventory records can be updated
Downloaded by: notesbyjana | janagrey1401@gmail.com
Distribution of this document is illegal
INVOICING AND RECORDING
SALES INVOICE
1. The signed delivery note is sent to the invoicing clerk who checks signature and a pre-numbered sales invoice is drawn up in duplicate:
• Info of purchaser
• Sales transaction & amount owing
• Payment conditions
2. The # sequence is checked by the accountant & outstanding orders must be followed up on
3. The invoicing clerk/accountant (SoD) must:
• Agree to info on invoice
• Check castings and VAT
• Compare price with the authorised price list
4. A suspense file for unsigned delivery notes must be kept and checked regularly by the accountant
5. The accountant will then post the invoice to the sales journal and then to debtors and general journal
6. The accountant must then perform a monthly recon and sign as proof
7. Copies:
• Customer – so that he can pay for the goods delivered
• Acc dept. – as evidence that the goods have been invoiced
8. Account/monthly statement
• Monitoring of control objectives
• A pre-numbered monthly statement must be created in twofold:
i. Customer – inform of account balance
ii. Acc dept – as a record of statements issued
• Details: Invoices issued, payments made, discounts allowed, returns & end balance
9. Payment advice slip – attached to the monthly statement indicating payment
CASH RECEIPTS CYCLE
RECEIVE MONEY
RECEIPT
1. Cash receipt
• Payment by cash, cheque and credit card,
together with the payment advice presented
via mail or in person
• To ensure good internal control, the mail
must be opened by 2 people and there
should be a mail register
2. The cash receipts must be kept safe & the accuracy
is checked and authorised by the manager and
signed
3. Copies:
• Once payment is received, a pre-numbered
cash receipt in twofold is issued.
• Details include: details of payee, the date and
amount.
• Customer – as proof of payment
• Acc dept. – for recording money received.
This can be done in either a receipt book or in
a cash register roll
DEPOSIT RECEIPTS
DEPOSIT SLIP
1. Segregation of duties
• Deposit cash daily
• CRJ posted to GL and DL by a different person
• Bank reconciliation
2. Deposit slip – this is a bank document filled in by
the business to record a deposit of payments
received from customers
3. Details include:
• Date of deposit
• Details of the cheque
• Amount of the cash and cheque
• Total amount received
4. The accuracy should be checked & authorised by
management and signed (SoD)
5. The depositing of cash should be done daily
6. The deposit slip is then used to complete the CRJ
which is posted to the GL & DL (SoD)
7. Monitoring
• Monthly recons must be conducted by the
accountant
• Bank recon
• Debtors’ recon
8. All these docs must be signed as evidence that they
have occurred
9. The recording and recons of deposit slips must be
done by separate people
10. Copies:
• Bank – for depositing of money received
• Acc dept. - so that the business can record
money deposited
RECORDING
1. CRJ
2. GL
3. DL
4. Reconciliations performed
RETURNS CYCLE & CREDIT LOSSES
RETURNS AND GRANTING OF CREDIT
CREDIT NOTE
1. Credit note – when goods are received back from customers, the clerk checks the returned goods (QQD) with proof of purchase (invoice)
2. A pre-numbered credit note is then issued
• Details on the person returning the goods
• Description of goods and amount
3. The credit note must be checked and authorised by the credit manager and signed
4. The credit note is then used to compile the sales return journal, which is then posted to the ledgers
5. The returned goods must then be sent to inventory dept. or WH. The goods are checked by the storeman with the credit note
6. The number sequence must be checked and then missing orders followed up on
7. The inventory records are then updated and include goods returned
ALLOWANCE FOR CL & WRITE-OFF OF BAD DEBTS
BAD DEBT AUTHORISATION FORM
1. Provision for bad debts
• Management must calculate a figure for P4BD by using a debtors’ age analysis
• Management must authorise the P4BD by issuing a signed notice
• The amount must equal a % of the debtors balance
• The amount may need to be adjusted at the end of the period
• The provision must be correctly recorded in the SFP and SCI
• Authorised → Calculated → Adjustment of the provision → recorded in the SFP & SCI
2. Write off debtor as a bad debt
• When the debtor is not paying & we have launched an investigation – a pre-numbered bad debt authorisation form must be compiled by a committee or minutes of meeting and presented in two-fold
• Details must include:
i. Info on the debtor
ii. The date
iii. The amount written off
• The debtors recording dept. will decrease the debtors account by the amount stipulated
• Own records of the committee authorising the write-off must be adjusted in order to have a history of debt written off
• The writing off of bad debts must be authorised by management after an independent staff member has checked whether the client can pay or not
• The write off must then be recorded in the SCI where the decrease of debtors and increase in bad debts occurs.
TEST OF CONTROLS
REVENUE & RECEIPTS CYCLE
FORMULATE CONTROL OBJECTIVES
CASH RECEIPTS
To ensure that
• cash receipts are authorised in terms of the company policy. – N/a
• cash receipts relate to actual cash that has been received during the current financial period.
• no cash receipts are stolen.
• cash receipts are supported by a receipt.
• all cash receipts recorded in the cash receipts journal and none were omitted.
• all cash receipts that occurred are recorded in a timely manner.
• cash receipts were recorded at the correct amounts in the cash receipts journal
• calculations on the receipts were performed accurately
• cash receipts are classified correctly/included in the correct general ledger accounts.
• cash receipts were correctly summarised and posted from the cash receipts journal to the general ledger
ORDERS FROM CUSTOMERS
To ensure that
• orders are from valid customers (real customers/not fictitious)
• orders are only accepted when there is inventory available to sell
• orders are only accepted from credit worthy customers
• credit is approved in terms of the company policy
INVOICING OF SALES TO CUSTOMERS
To ensure that
• the correct quantity and type of goods that were delivered to the customer are invoiced (accuracy)
• goods are only invoiced if they were ordered by & delivered to the customer (validity)
• goods are invoiced at the correct prices (accuracy)
• calculations on invoices are correct (accuracy)
INITIAL RECEIPT OF THE LONG TERM LOAN
To ensure that:
• The long term loan is appropriately authorised in accordance with company policy and if applicable is allowable in terms
of the requirements of the Companies Act
• The long term loan that has been recorded has occurred during the period (thus not be fictitious)
• The long term loan relates to funds actually received by the business during the current period.
• The long term loan is accounted for at the correct amount in the financial records.
• The long term loan is classified correctly in the accounting records.
FORMULATE CONTROL OBJECTIVES IN RESPECT OF VALIDITY AND ACCURACY FOR DELIVERY & INVOICING
To ensure that:
• Delivery only occurs to clients who actually ordered products (validity).
• Goods do not go missing during consignment (validity).
• Delivery occurs to the correct client (who ordered the products) (accuracy).
• The delivery of the correct quantity and type of products takes place (delivery corresponds to the order placed)
(accuracy).
• Invoicing only takes place for products that were ordered and delivered (validity).
• Invoicing is accurate (correct debtor, correct amount) (accuracy).
CONTROL OBJECTIVES FOR THE VALIDITY AND ACCURACY OF INVOICING
To ensure that:
• Invoicing only occurs for actual deliveries that have occurred. (1)
• Invoicing is to the correct customer. (1)
• Invoicing is based on the quantity, type and description of goods delivered. (1)
• Invoicing is based on the correct price (and VAT).
• Invoicing calculations are accurate.
INVOICING AND RECORDING IN THE SALES JOURNAL:
• One of the invoicing clerks should prepare a pre-printed, pre-numbered invoice in triplicate. The invoice should be based on the signed delivery note returned from the customer and the approved sales order form.
• The other invoicing clerk performs an independent review of the invoice as follows:
- re-performs the calculations on the invoice
- compares the prices on the invoice with the approved sales order form, approved price lists (if general) or, in the case of a contract, the contract prices
- compares the quantities and descriptions with the approved sales order form and delivery note and stamps both "invoiced"
- and then signs the invoice as evidence of doing so.
• On a monthly basis the accountant (Mr Ngobese) should prepare the sales journal from the invoices (in number sequence) and follow up on missing invoices.
• The sales journal should then be reviewed by Miss Fourie, the financial manager, by:
- recalculating the journal for accuracy and
- agreeing a sample of the sales entries signed by both invoicing clerks.
- she must sign as evidence of this review.
Select sample entries from the sales journal and trace them to the delivery notes received back from clients, picking slips and order forms to confirm that the journal entries are valid (validity). (1)
• Compare (re-perform) the quantity and description of inventory ordered according to the picking slips with the order forms (accuracy). (1)
• Inspect the delivery notes received back from clients for their signatures (validity). (1)
• Compare (re-perform) the entries in the sales journal with:
o The delivery notes signed by clients to confirm the quantities of each product sold (accuracy). (1)
o The approved price list to confirm the price of each product sold (accuracy). (1)
o Recalculate the quantities x price per item sold to confirm the accuracy of the journal entries (accuracy). (1)
Select a sample of order forms and trace them to the delivery notes received back from clients, picking slips and entries in the sales journal to confirm that the sales journal is complete (completeness). (1)
Attend the packaging and consignment process of inventory and:
• Observe and confirm that John Smith, the finished product foreman, compares the quantity, quality and description of the packaged items with the picking slips before the packaged goods leave the finished product warehouse (accuracy). (1)
• Compare (re-perform) a sample of packaged items yourself and ensure that the quantity, quality and description of the packaged inventory corresponds with the picking slips, before the inventory leaves the finished product warehouse (accuracy).
• By means of observation, confirm that the truck driver compares the quantity and description of the packaged items with the delivery notes before the packaged goods were loaded onto the truck (accuracy). (1)
• Compare (re-perform) a sample of packaged items loaded onto the truck yourself, to ensure that the quantity and description of the goods correspond with the relevant delivery notes (accuracy). (1)
Select a sample of sequentially filed order forms. Confirm, by means of inspection and re-performance, that the order forms were actually filed in number sequence and confirm that there are no order forms that are not paired with a delivery note. Follow up on any outstanding delivery notes with the sales manager (completeness). (1)
Confirm by means of observation and enquiry and studying the organisation charts, that proper segregation of duties exists between (validity, accuracy): (1)
• The receipt and processing of orders; (½)
• Consignment of goods; and (½)
• Recording of sales transaction (½)
Formulate the tests of controls you would perform to evaluate the company’s controls over consignment, invoicing
and recording the transaction
1. Confirm by means of observation, enquiry and studying the organogram and job descriptions that sufficient segregation of duties exists between incompatible functions.
2. Select a number of transactions from the sales journal to the supporting invoice and delivery note and confirm as follows: (validity)
a Inspect and compare the details with those on the invoice and the delivery note (accuracy)
b Re-perform the calculations and castings of the invoice. (accuracy)
c Inspect the delivery note for the signature of the client. (validity)
d Inspect the date on the delivery note and confirm that it was recorded in the correct accounting period. (cut-off)
e Compare the prices on the invoice with the official pricelist (accuracy)
validity
3. For goods ready to leave the premises:
a Inspect that there are two copies of the delivery note, that the number corresponds to the number written on the container and that it actually appears on the list of deliveries.
b Through observation inspect that the driver is present when the delivery vehicle is loaded and that he compares the delivery note number with the list of deliveries
4. Follow a few transactions through from the source documents via the audit trail to the sales journal.
5.
validity
accuracy
completeness
completeness
Select the daily list of deliveries for a few days
a Inspect for the signature of both the driver and the accounting clerk. (validity)
b Reperform the reconciliation (accuracy)
c Enquire regarding reconciling items (validity)
6. Select a number of weeks’ sales journals and
a Recalculate the castings and calculations in the sales journal and debtors ledger to ensure accuracy. (1) (accuracy)
b Follow the entry through to the debtors ledger and inspect that the entry was posted to the correct debtor. (classification)
Formulate the tests of control you would perform on the SALES AND RECEIPTS cycle
1.
a
b
c
d
e
Select a number of entries from the sales journal and follow it through to the invoice, delivery
note signed by the client, quote, credit application form and order form and compare the
unique debtors’ number on the respective documents
Inspect the credit application form for the signature of the financial accountant to ensure that the client’s
credit limit was actually approved.
validity
accuracy
Direct enquiries to the financial accountant to determine the criteria for the approval of credit limits to
ensure that the background checks were actually performed before credit limits were approved.
Compare (re-perform) the invoice with the following documents:
- Signed delivery note received back from the client: to confirm the quantity and
description of the goods delivered.
- Most recent quote: to confirm the cost of the design and manufacturing of the
furniture.
- Order form: to confirm the location of the client and consequently, the delivery
distance and
Recalculate the delivery cost by multiplying the distance in kilometres with R3. Compare the amount with
the cost of delivery on the invoice
Recalculate the total amount (design, manufacturing and delivery) on the invoice.
Inspect the delivery note received back from the client for the client’s signature.
2.
Select a number of approved quotes and follow it through along the audit trail to the sales
journal to ensure that all transactions were actually recorded
completeness
3.
Follow the details of the invoice through to the sales journal and debtors’ ledger to ensure
accurate recording of the transactions.
completeness
4.
Compare (re-perform) the outstanding amount per debtor in the debtors’ ledger with the debtor’s credit limit
according to the debtor’s approved credit application form to ensure that the credit limit was not exceeded.
5.
Inspect the debtors’ ledger for the signature of the debtors’ manager to ensure that he reviewed the age analysis
and credit limits.
6.
Observe the consignment process to ensure that the foreman of the consignment division actually compares the
delivery note with the physical goods to ensure that the description and quantity agrees.
4.
By means of re-performance, compare the delivery note with the furniture before consignment to ensure that
the description and quantity agree.
5.
Select a number of approved bad debt forms and follow it through to the collection register and
the age analysis and compare the unique debtors’ number on the various documents
validity
a
Inspect the bad debt form for the signature of the head of the collection division to ensure that the write-off of the balance was approved.
b Compare the amount according to the bad debt form with the amount that has been overdue for longer
than 30 days as per the age analysis
c Inspect the collection register to confirm that the debtor was actually contacted three times before the
balance was written off.
6.
Select a number of debtors, who have outstanding balances for more than 30 days according to
the age analysis, and follow it through to the collection register and the bad debt form to ensure
that all debtors’ balances that should have been written off, were indeed written off
7.
Confirm by means of observation and enquiry and studying the organisation charts, that proper
segregation of duties exists between:
• Setting credit limits;
a
• Consignment of furniture;
• Invoicing; and
• Write-off of bad debts.
completeness
Formulate the tests of controls you would perform on the SALES AND RECEIPTS system: rendering of services
1.
Select a sample of quotations throughout the financial year and follow to the performance or
job log, deposit invoice, final invoice & revenue journal and perform the following
completeness
Compare the rate used on the quotation to the rate contained in the approved pricelist and follow up on
any difference
accuracy
Inspect the performance log and compare the hours quoted to the hours indicated in the performance log
& follow up on any differences
validity
Recalculate the amount on the deposit invoice based on the quotation
accuracy
completeness
accuracy
completeness
completeness
Inspect the quotation and invoice for the signature of the manager as proof the documents were compared
Inspect the reconciliation of performance logs received back from the employees (at the end and
beginning of the day) for the manager’s signature
2.
Recalculate the amount on the final invoicing noting the following through inspection:
that the total hours on the final invoice agrees to the quotation
the rate used is the appropriate rate according to the quotation
accuracy
accuracy
the deposit invoice amount deducted agrees to the deposit invoice issued to the customer
accuracy
Inspect the performance log for the signature of the manager as proof of the reconciliation between the
performance log and invoice was performed
completeness
3.
Inspect the revenue journal and compare amounts, dates and customer details between
revenue journal & invoices
accuracy
completeness
4.
Inspect the invoices for the signature of the revenue clerk, indicating that the revenue journal
has been updated with the invoice
Reperform a sample of reconciliations between the invoice packs and jobs listed on the
performance logs and follow up on any differences
completeness
5.
completeness
Formulate the tests of controls you would perform on the SALES AND RECEIPTS system: cancellations & credit notes
1.
Select a sample of credit notes from the accounting records & follow through to the booking
cancellation logs to perform the following:
completeness
Inspect the booking cancellation logs to confirm that the booking orders were cancelled
validity
Inspect the booking form to confirm the time of cancellation was in line with the policy
accuracy
completeness
Formulate the tests of controls you would perform on the SALES system to ensure all sales transactions are accurate,
complete & valid using a system-based audit approach
1.
Select a number of entries from the sales journal and follow it through to the invoice, delivery note signed by the client, quote, credit application form and order form and compare the unique debtors’ number on the respective documents (validity)
Inspect the credit application form for the signature of the financial accountant to ensure that the client’s credit limit was
actually approved.
Direct enquiries to the financial accountant to determine the criteria for the approval of credit limits to ensure that the
background checks were actually performed before credit limits were approved.
Inspect the delivery note received back from the client for the client’s signature
Recalculate the total amount (design, manufacturing and delivery) on the invoice.
Compare (re-perform) the invoice with the following documents:
The delivery notes signed by clients to confirm the quantities of each product sold
The approved price list to confirm the price of each product sold
Most recent quote: to confirm the cost of the design and manufacturing of the furniture
Recalculate the quantities x price per item sold to confirm the accuracy of the journal entries
Recalculate the delivery cost by multiplying the distance in kilometres with R3. Compare the amount with the cost of delivery
on the invoice
2.
Select a sample of order forms and trace it to the delivery notes received back from clients, picking slips and entries in the sales journal to confirm that the sales journal is complete (completeness)
3.
Select a number of approved quotes and follow it through along the audit trail to the sales journal
to ensure that all transactions were actually recorded
completeness
4.
Follow the details of the invoice through to the sales journal and debtors’ ledger to ensure accurate
recording of the transactions
5.
Compare (re-perform) the outstanding amount per debtor in the debtors’ ledger with the debtor’s credit limit
according to the debtor’s approved credit application form to ensure that the credit limit was not exceeded.
6.
Inspect the debtors’ ledger for the signature of the debtors’ manager to ensure that he reviewed the age analysis
and credit limits
2.
Observe the consignment process to ensure that the foreman of the consignment division actually compares the
delivery note with the physical goods to ensure that the description and quantity agrees.
3.
By means of re-performance, compare the delivery note with the furniture before consignment to ensure that the
description and quantity agree.
4.
Select a number of approved bad debt forms and follow it through to the collection register and the age analysis and compare the unique debtors’ number on the various documents (validity)
Inspect the bad debt form for the signature of the head of the collection division to ensure that the write-off of the balance was
approved.
Compare the amount according to the bad debt form with the amount that has been overdue for longer than 30 days as per the
age analysis.
Inspect the collection register to confirm that the debtor was actually contacted three times before the balance was written off
5.
6.
Select a number of debtors, who have outstanding balances for more than 30 days according to the
age analysis, and follow it through to the collection register and the bad debt form to ensure that all
debtors’ balances that should have been written off, were indeed written off
Confirm by means of observation and enquiry and studying the organisation charts, that proper
segregation of duties exists between:
The receipt and processing of orders;
Consignment of goods; and
Recording of sales transaction
completeness
validity
accuracy
Formulate the tests of controls you would perform on the SALES system to ensure all sales transactions are accurate,
complete & valid using a system-based audit approach
1. Select sample entries from the sales journal and trace them to the delivery notes received back from clients, picking slips and order forms to confirm that the journal entries are valid (validity)
• Compare the quantity and description of inventory ordered according to the picking slips with the order forms (accuracy)
• Inspect the delivery notes received back from clients for their signatures (validity)
• Compare (re-perform) the entries in the sales journal with:
o The delivery notes signed by clients to confirm the quantities of each product sold (accuracy)
o The approved price list to confirm the price of each product sold (accuracy)
o Recalculate the quantities x price per item sold to confirm the accuracy of the journal entries (accuracy)
2. Select a sample of order forms and trace them to the delivery notes received back from clients, picking slips and entries in the sales journal to confirm that the sales journal is complete (completeness)
3. Attend the packaging and consignment process of inventory and:
• Observe and confirm that John Smith, the finished product foreman, compares the quantity, quality and description of the packaged items with the picking slips before the packaged goods leave the finished product warehouse (accuracy)
• Compare (re-perform) a sample of packaged items yourself and ensure that the quantity, quality and description of the packaged inventory corresponds with the picking slips, before the inventory leaves the finished product warehouse (accuracy)
• By means of observation, confirm that the truck driver compares the quantity and description of the packaged items with the delivery notes before the packaged goods were loaded onto the truck (accuracy)
• Compare (re-perform) a sample of packaged items loaded onto the truck yourself, to ensure that the quantity and description of the goods correspond with the relevant delivery notes (accuracy)
4. Select a sample of sequentially filed order forms. Confirm, by means of inspection and re-performance, that the order forms were actually filed in number sequence and confirm that there are no order forms that are not paired with a delivery note. Follow up on any outstanding delivery notes with the sales manager (completeness)
5. Confirm by means of observation and enquiry and studying the organisation charts, that proper segregation of duties exists between: (validity, accuracy)
• The receipt and processing of orders;
• Consignment of goods; and
• Recording of sales transaction
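The sales-journal tests listed above (tracing entries back to signed delivery notes and order forms, comparing with the approved price list, recalculating quantity x price, tracing order forms forward and checking number sequences) can be re-performed over exported records. The Python below is an added example, not part of the course notes; the record layout, document numbers, products and prices are constructed for illustration.

```python
from decimal import Decimal

# Constructed sample records; document numbers, products and prices are invented.
PRICE_LIST = {"CHAIR": Decimal("450.00"), "TABLE": Decimal("1200.00")}

ORDER_FORMS = {  # order no -> (product, quantity ordered); 104 is missing from the file
    101: ("CHAIR", 4), 102: ("TABLE", 1), 103: ("CHAIR", 2),
    105: ("TABLE", 3), 106: ("CHAIR", 6),
}

DELIVERY_NOTES = {  # delivery note no -> details, incl. whether the client signed it
    501: {"order": 101, "product": "CHAIR", "qty": 4, "signed": True},
    502: {"order": 102, "product": "TABLE", "qty": 1, "signed": False},
    503: {"order": 103, "product": "CHAIR", "qty": 2, "signed": True},
    504: {"order": 105, "product": "TABLE", "qty": 3, "signed": True},
}


def journal_line(invoice, dn, product, qty, price, amount):
    """Build one sales journal entry; money is held as Decimal, not float."""
    return {"invoice": invoice, "dn": dn, "product": product, "qty": qty,
            "price": Decimal(price), "amount": Decimal(amount)}


SALES_JOURNAL = [
    journal_line(9001, 501, "CHAIR", 4, "450.00", "1800.00"),
    journal_line(9002, 502, "TABLE", 1, "1200.00", "1200.00"),
    journal_line(9003, 503, "CHAIR", 3, "400.00", "1250.00"),
    journal_line(9005, 599, "TABLE", 1, "1200.00", "1200.00"),
]


def journal_exceptions(journal, delivery_notes, order_forms, price_list):
    """Trace each journal entry back to its source documents (validity, accuracy)."""
    findings = []
    for entry in journal:
        inv = entry["invoice"]
        dn = delivery_notes.get(entry["dn"])
        if dn is None:
            findings.append((inv, "validity", "no delivery note on file"))
        else:
            if not dn["signed"]:
                findings.append((inv, "validity", "delivery note not signed by client"))
            order = order_forms.get(dn["order"])
            if order is None:
                findings.append((inv, "validity", "delivery note has no order form"))
            elif order != (dn["product"], dn["qty"]):
                findings.append((inv, "accuracy", "delivery differs from order form"))
            if (dn["product"], dn["qty"]) != (entry["product"], entry["qty"]):
                findings.append((inv, "accuracy",
                                 "quantity/description differs from delivery note"))
        if price_list.get(entry["product"]) != entry["price"]:
            findings.append((inv, "accuracy", "price differs from approved price list"))
        if entry["qty"] * entry["price"] != entry["amount"]:
            findings.append((inv, "accuracy", "quantity x price does not equal amount"))
    return findings


def unrecorded_orders(order_forms, delivery_notes, journal):
    """Trace each order form forward to a delivery note and a journal entry (completeness)."""
    delivered = {dn["order"]: no for no, dn in delivery_notes.items()}
    journalised = {entry["dn"] for entry in journal}
    findings = []
    for order_no in sorted(order_forms):
        dn_no = delivered.get(order_no)
        if dn_no is None:
            findings.append((order_no, "no delivery note: follow up with sales manager"))
        elif dn_no not in journalised:
            findings.append((order_no, "delivered but not in sales journal"))
    return findings


def sequence_gaps(numbers):
    """Return the document numbers missing from a pre-numbered sequence."""
    present = set(numbers)
    if not present:
        return []
    return [n for n in range(min(present), max(present) + 1) if n not in present]


if __name__ == "__main__":
    for finding in journal_exceptions(SALES_JOURNAL, DELIVERY_NOTES, ORDER_FORMS, PRICE_LIST):
        print("journal:", finding)
    for finding in unrecorded_orders(ORDER_FORMS, DELIVERY_NOTES, SALES_JOURNAL):
        print("orders:", finding)
    print("missing order forms:", sequence_gaps(ORDER_FORMS))
    print("missing invoices:", sequence_gaps(e["invoice"] for e in SALES_JOURNAL))
```

Each finding is an exception to follow up with the client, not a conclusion; the observation and enquiry procedures (segregation of duties, attending the consignment process) still have to be performed in person.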
Formulate the tests of controls you would perform on the SALES AND RECEIPTS system: authorisation of sales orders
1.
2.
Confirm by means of observation and enquiry studying the organisation charts that there is
proper segregation of duties between:
- setting credit limits
- consignment of inventory
- invoicing
- writing off bad debts
For a sample of the debtor’s accounts:
Inspect the related credit application forms for evidence of a credit limit allocated to the customer
validity
validity
Inspect the supporting documentation attached to the application form as evidence of the credit check having taken place
Enquire about changes made to the system during the year
Observe staff performing a credit background check
Inspect the credit application for the review and signature of the credit manager
Recalculate the credit limits and inspect for the credit manager’s signature to ensure operating
effectiveness
ALSO: perform a similar TOC for existing debtors whose credit limits have changed during the year
Formulate the tests of controls you would perform on the SALES AND RECEIPTS system: dispatch of goods
1.
2.
For goods ready to leave the premises
Compare the details of the customer signed copy of the invoice with the details of the original invoice sent
to the customer
accuracy
Inspect that an approved order form and invoice exists
validity
3.
Observe & inspect that the driver is present when the delivery vehicle is loaded and that he compares the delivery note number with the list of deliveries
Reperform security checks by comparing the delivery notes to the goods leaving the premises
4.
Select the daily delivery list for a few days:
10.
validity
completeness
accuracy
Inspect the signature of the driver and accounting clerk
validity
Reperform the reconciliation
accuracy
Enquire about reconciling items
validity
Observe the consignment process to ensure the foreman and consignment division actually
compare the delivery note with the physical goods to ensure the description and quantity agree
validity
AUDIT PLAN OF TESTS OF CONTROL TO EVALUATE THE COMPANY’S CONTROLS OVER RESERVATIONS AND DEPOSITS AND CANCELLATIONS
• Inspect the approved tour schedules from a number of tours for the signature of the managing director as proof of his authorisation.
• Inspect the booking spreadsheets to ensure that they are properly written up, they contain all the suite numbers and that there is a separate sheet for each tour.
• Compare the tours on the tour schedule with the booking spreadsheets to ensure that each tour has a spreadsheet (completeness)
• Inspect the layout of booking forms and cancellation forms to ensure that they are pre-numbered and pre-printed.
• Inspect the file with used booking forms and check the numerical order/sequence of the booking forms.
• Investigate any missing or duplicate numbers and obtain explanations for the missing numbers
• Inspect the file with booking forms and ensure that each booking form has a cancellation form or proof of payment of the deposit attached to it
• Enquire from the senior booking agent about the process that is followed to identify and follow up outstanding deposits.
• Page through the filed booking forms to identify forms that contain notes (date, time and contact person) as proof that this function has been performed. (Note: these details will only appear on the booking forms if the customer has delayed payment of the deposit)
• Select a number of booking forms to which cancellation forms are attached and by examining it, verify that the booking details do not appear (are omitted) (are re-performed) on the printed booking spreadsheet.
• For cancelled bookings that have been refunded:
- Inspect the customer’s written request for cancellation.
- Inspect the copy of the cheque issued and compare the name of the customer and the amount of the cheque (deposit as paid) with the booking form.
- Compare the date of the cheque with the date of the request to cancel, to ensure that the customer was refunded in time.
- Inspect the cheque for the signature of the managing director, as proof of his approval.
- Inspect all supporting documentation for the initials of the managing director as proof of his review, and to prevent the documents from being used more than once for a refund.
- Ensure that the date of the request is more than one month prior to the date of arrival.
• Select a number of booking forms attached to proof of deposits and test the system and controls by inspecting and re-performing as follows:
- Inspect the booking form for the signature of the senior booking agent as proof of her verification.
- Compare the tariffs on the booking form with the authorised tariff schedule for the specific suite.
- Compare the tours as indicated on the booking form with the authorised tour schedule
- Recalculate the total costs on the booking form regarding the reservation;
- Trace the booking form through to the relevant month’s booking spreadsheet and;
- Inspect the spreadsheet to ensure that the correct suites have been booked as indicated on the booking form.
- Inspect the dates blocked out on the booking spreadsheet and compare them with the dates on the booking form.
- Compare the customer’s name on the booking form with the spreadsheet.
- Compare the tour(s) as indicated on the booking form with the spreadsheet
• Recalculate the deposit as 50% of the total tour income.
- Inspect the proof of receipt of the deposit and compare the amount with the calculated amount.
- Inspect the date of the proof of deposit and ensure that this date is within two weeks after the date on the booking form.
• Inspect the booking spreadsheets for the signature of the senior booking agent and date of the signature as proof of the weekly controls she did.
PURCHASES CYCLE
PLACE AN ORDER
PURCHASE REQUISITION (informs purchasing dept. of goods needed)
1. A pre-numbered purchase requisition made out by production/factory manager (when goods are needed) in twofold, approved and signed by the head store manager
2. It should contain details on: description of the items, amount, date and department
3. Copies:
• Purchasing division – in order to request the goods
• Own records – as a proof of goods requested
PURCHASE ORDER
(completed by purchasing dept. and addressed to supplier detailing goods requested)
1. A pre-numbered purchase order must be created in fivefold (purchasing clerk) when the requisition is received and has been signed and approved by the head store manager
2. Details include:
• Supplier info
• Date
• Description of items
• Quantity ordered
3. Purchase orders must be according to the approved suppliers list (policy), and the supplier must be contacted regarding quantity and price available
4. If no satisfactory supplier, purchasing clerk must get a number of quotations
5. The purchasing manager must approve the purchasing order after checking the details of above and he must sign
6. Purchasing orders exceeding a certain amount must be approved by the financial manager and signed
7. Outstanding orders must be kept in a suspense file by the purchasing division and followed
8. Copies:
• Supplier – in order to request the goods
• Acc dept. – in order to match the invoice when the payment is acquired
• Store manager – to inform that the order has been placed so that he can update the list of outstanding requisitions
• Receiving division – to match against the delivery note from the supplier and to ensure that goods ordered are accepted
• Purchasing dept. – in order to record the orders placed
RECEIVING OF GOODS
GOODS RECEIVED NOTE
1. Receiving division:
• There should be a separate area for receiving goods
• Two goods receiving clerks who check QQD and compare the purchase order and supplier’s delivery note
• The supplier delivery note must be signed after rejecting incorrect deliveries and shortages
2. Two receipt clerks must make pre-numbered GRNs in sixfold – must agree to supplier delivery note and physical goods received, and must sign
3. Details include: supplier info, description of goods and quality
4. Goods received must immediately be placed in safe keeping (access control)
5. GRNs must be pre-numbered and be in the correct number sequence that must be checked by the receipt clerks. All outstanding orders should be followed up on.
6. Inventory and production cycle:
• Inventory is transferred from the goods receiving dept. to the WH
• The inventory records are updated to include the new stock received
7. Copies:
• Supplier – proof of goods received
• Storeman – to check physical goods received
• Inventory records – updating inventory records
• Purchasing division – to match the purchase order and as proof of delivery and follow up on outstanding orders
• Accounting division – as agreement with invoice and purchase order
• Own records – as the goods are received
RECORDING
(Segregation of Duties)
1. Accounting division
• Recording in Acc dept.
• The accountant or invoicing clerk will receive the supplier’s invoice/monthly statement
2. The supplier’s invoice must be compared with:
• The purchase order
• Delivery note
• GRN
3. The accountant should check the invoice prices against the approved price list
4. The accountant should also check the accuracy of the calculations in order to ensure that quantities and descriptions agree
5. The clerk or accountant who does the above must sign the invoice as proof of performance
6. The monthly statements should be checked by an independent person
7. Monitoring (Reconciliation)
• The invoice received is used to compile the purchases journal by the clerk/accountant
• The journals are then posted to the ledgers
• There should be a number sequence check of the GRN to ensure all purchases are recorded, and outstanding orders should be followed up on
• At the end of the month:
i. Monthly recons of invoices and creditors ledger, Creditors control and CL
8. The accountant/credit manager must check and sign the recons
9. Regular inventory counts must be performed
PAYMENTS CYCLE
MAKE PAYMENT
CHEQUE REQUISITION & EFT REQUISITION
(completed by creditors’ section that a cheque be made out for a particular creditor)
1. When payment is required by the creditor, a pre-numbered cheque requisition must be prepared in twofold by the creditors clerk/payment clerk A.
2. The cheque requisition details: the cheque, the supplier, date, amount and reason for payment
3. The cheque requisition must be signed and compiled by the payment clerk A and must be approved by senior management (signed)
4. Copies:
• Cheque preparer – to use info to compile cheque
• Own records of credit section – as a record of cheques requested
CHEQUE
(the bill of exchange used to pay the supplier)
1. The payment clerk B must prepare a pre-numbered cheque in twofold
2. Should contain details on: the supplier, date, amount in words & figures
3. The details of the cheque must be:
• Checked against supporting documentation and
• Signed and authorised by two members of senior management, with reference to vouchers
4. The cheque must also be crossed to vouchers and cheques marked “non-negotiable”
5. The supporting documentation must then be cancelled in order to prevent duplication of payment (PAID stamp)
6. The accountant/senior management must check if supplier actually exists
7. The cheque book must be kept safe with a register to access (access control)
8. No cash cheques should be written out; rather use a petty-cash voucher
9. In order to ensure that the payment was made to the correct creditor, the cheque should not be returned to the person who wrote it but rather someone else e.g. secretary – in order to ensure that the person who wrote the cheque cannot change info on the cheque
10. Payment by cash:
• Done by either cashing a cheque or
• By issuing a petty cash voucher
RECORDING
1. The CPJ should be compiled by the cash book clerk (clerk C) based on the cheque counterfoil
2. This must then be posted to the GL and CL
3. The accountant must:
• Review that all cheques have been recorded in the relevant journals and the ledgers
• He must sign as evidence of doing so and he must follow up on all differences
4. At the end of the month, the following should occur:
• Reconciliations between the bank statement and the cash book must be conducted by the cash book clerk
• Reconciliations between the creditors’ ledger, the creditors’ control account and the invoice must be done by the creditor clerk
• The accountant must review the bank reconciliation and sign as evidence of doing so
• The accountant must also review the accuracy of the creditors’ reconciliations and sign as evidence of doing so
• Any differences should be followed up on
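Several of the payment controls described above can be checked over a payments listing: the requisition (clerk A), the cheque (clerk B) and the cash payments journal (clerk C) are handled by different people, two members of senior management sign, the supplier actually exists, the cheque agrees to the requisition, and a supporting invoice is not paid twice. The Python below is an added example, not part of the course notes; the record layout, supplier codes, staff names and amounts are constructed, and matching invoices on a normalised reference is an assumption about how duplicates would be spotted in data rather than by a PAID stamp.

```python
import re
from decimal import Decimal

# Constructed sample data; supplier codes, staff names and amounts are invented.
SUPPLIERS = {"S001": "Timber Traders", "S002": "Fabric World"}  # creditors that exist
SENIOR_MANAGEMENT = {"fm_fourie", "md_jacobs", "ops_naidoo"}


def payment(cheque, supplier, invoice, requested, paid, clerks, signed_by):
    """Build one payment record from the requisition, the cheque and the CPJ."""
    requisition_by, prepared_by, recorded_by = clerks
    return {"cheque": cheque, "supplier": supplier, "invoice": invoice,
            "requested": Decimal(requested), "paid": Decimal(paid),
            "requisition_by": requisition_by, "prepared_by": prepared_by,
            "recorded_by": recorded_by, "signed_by": list(signed_by)}


ABC = ("clerk_a", "clerk_b", "clerk_c")
PAYMENTS = [
    payment(3001, "S001", "INV-1045", "5200.00", "5200.00", ABC, ["fm_fourie", "md_jacobs"]),
    payment(3002, "S002", "INV-2210", "870.00", "780.00", ABC, ["fm_fourie"]),
    payment(3003, "S001", "inv 1045", "5200.00", "5200.00",
            ("clerk_a", "clerk_a", "clerk_c"), ["md_jacobs", "ops_naidoo"]),
    payment(3004, "S009", "INV-3300", "1500.00", "1500.00", ABC, ["fm_fourie", "md_jacobs"]),
]


def normalise_invoice_ref(ref):
    """Strip case, spaces and punctuation so 'INV-1045' and 'inv 1045' compare equal."""
    return re.sub(r"[^A-Z0-9]", "", ref.upper())


def payment_exceptions(payments, suppliers, senior_management):
    """Return (cheque number, exception) pairs for the controls described above."""
    findings = []
    already_paid = {}  # (supplier, normalised invoice ref) -> cheque that first paid it
    for p in payments:
        chq = p["cheque"]
        if p["supplier"] not in suppliers:
            findings.append((chq, "payee is not an existing supplier"))
        if p["paid"] != p["requested"]:
            findings.append((chq, "cheque amount differs from requisition"))
        if len(set(p["signed_by"]) & senior_management) < 2:
            findings.append((chq, "not signed by two members of senior management"))
        if len({p["requisition_by"], p["prepared_by"], p["recorded_by"]}) < 3:
            findings.append((chq, "requisition, cheque and cash payments journal "
                                  "not handled by three different clerks"))
        key = (p["supplier"], normalise_invoice_ref(p["invoice"]))
        if key in already_paid:
            findings.append((chq, f"supporting invoice already paid by cheque {already_paid[key]}"))
        else:
            already_paid[key] = chq
    return findings


if __name__ == "__main__":
    for cheque_no, exception in payment_exceptions(PAYMENTS, SUPPLIERS, SENIOR_MANAGEMENT):
        print(cheque_no, exception)
```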
PURCHASES & PAYMENTS CYCLE
FORMULATE CONTROL OBJECTIVES
PURCHASE AND PAYMENT SYSTEMS
To ensure that:
• Orders for stock are only placed when and according to the need that has been identified. (validity and accuracy)
• All orders placed have been authorized – no orders for private use. (validity)
• All orders placed are executed (delivered). (completeness)
• Stock delivered (receipts) agree with the relevant order. (accuracy)
• Stock is only accepted if it has been ordered. (validity)
• Suppliers are only paid if items have been ordered and delivered – no fictitious and unauthorized payments.
(validity)
• Suppliers are paid the correct amount. (accuracy)
• No duplicate payments are made to suppliers. (completeness and validity)
• All goods receipts and payments are recorded and recorded correctly
RAW MATERIAL ORDERS
To ensure that:
• raw material orders are approved in terms of the company policy (or unusual or excessive amounts are specifically
authorised). (V)
• raw material orders (and the amounts thereon) relate to valid purchase request/ need. (V)
• raw materials are always ordered when the need for it arises during the period. (V)
• all raw material orders are in fact executed (or delivered). (C)
• raw material orders are completed accurately and correctly (A)
• raw material orders are from approved suppliers. (V)
• raw material orders are at the approved price. (V)
EFT PAYMENTS
To ensure that:
• EFT payments are captured at the correct amount paid.
• All EFT payments are recorded in the accounting records.
• Unusual EFT amounts are specifically authorised.
• EFT payments are authorised in terms of the approved payment policy.
• EFT payments are for transactions that actually occurred and goods and services were received.
• EFT payments are to the correct suppliers.
• EFT payments are classified in the correct accounts in the financial records.
• EFT payments are correctly and accurately summarised and posted from the cash book to the general ledger.
PAYMENTS
To ensure that:
• invoices are not presented for payment more than once
• payment is made to the right creditor
• all payments are recorded
• payments have been posted correctly in the GL and CL
BAD DEBTS WRITTEN OFF
To ensure that:
• All bad debts written off are authorised.
• Only debts that are no longer recoverable are written off.
• All debts that are not recoverable are written off.
• Bad debts are classified correctly in the accounting records.
• Bad debt calculations are accurate (contain no errors).
Formulate the tests of controls for PAYMENTS TO CREDITORS if following a system-based audit approach
11. Select a sample of payments made from the cash-book: (validity)
• Inspect that an order, GRN, delivery note and invoice exist for each payment (Validity)
• Agree the name of the creditor and amount paid according to the cash-book with the details on the order, GRN and invoice (and amount on the invoice), delivery note and list of payments (Accuracy)
• Agree the prices on the invoice with the signed contract from the supplier (Accuracy)
• Agree the amount and name of the creditor that was paid according to the cash-book with: the list of creditor payments as prepared by Greg Nel with the bank statement
• Inspect that the supporting documents used to do the payment were actually stamped as “paid” (Accuracy)
12. Select a sample of payments according to the list of creditor payments and vouch with the order, invoice, GRN, bank statement and cash-book to ensure that all payments that were requested, were recorded (Validity, completeness)
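The payment tests above can also be run over every cash-book payment instead of a sample when the records are available electronically. The Python below is an added example, not part of the original notes; the record layout, field names and exception codes are assumptions, and all data is constructed.

```python
from collections import Counter, namedtuple

# All records are constructed sample data; field names are assumptions.
Payment = namedtuple("Payment", "ref creditor amount_cents invoice_no")

ORDERS = {  # order number -> supplier named on the order
    "PO-101": "Alpha Supplies",
    "PO-102": "Beta Traders",
    "PO-103": "Gamma Metals",
    "PO-104": "Delta Freight",
}
GRNS = {  # pre-numbered GRN -> order the goods were received against
    501: "PO-101", 502: "PO-102", 503: "PO-105", 505: "PO-104",
}
INVOICES = {
    "INV-9001": dict(creditor="Alpha Supplies", amount_cents=125000,
                     order_no="PO-101", grn_no=501, stamped_paid=True),
    "INV-9002": dict(creditor="Beta Traders", amount_cents=45000,
                     order_no="PO-102", grn_no=502, stamped_paid=True),
    "INV-9003": dict(creditor="Gamma Metals", amount_cents=30000,
                     order_no="PO-103", grn_no=504, stamped_paid=False),
    "INV-9004": dict(creditor="Delta Freight", amount_cents=9900,
                     order_no="PO-104", grn_no=505, stamped_paid=True),
}
PAYMENTS = [
    Payment("CB-001", "Alpha Supplies", 125000, "INV-9001"),
    Payment("CB-002", "Beta Traders", 48000, "INV-9002"),
    Payment("CB-003", "Gamma Metals", 30000, "INV-9003"),
    Payment("CB-004", "Beta Traders", 45000, "INV-9002"),
    Payment("CB-005", "Delta Freight (Pty)", 9900, "INV-9004"),
]


def payment_exceptions(payments, invoices, orders, grns):
    """Return {cash-book ref: [exception codes]} for payments failing a check."""
    times_paid = Counter(p.invoice_no for p in payments)
    findings = {}
    for p in payments:
        issues = []
        inv = invoices.get(p.invoice_no)
        if inv is None:
            issues.append("MISSING_INVOICE")
        else:
            # An order and a GRN must exist and refer to the same order.
            if inv["order_no"] not in orders:
                issues.append("MISSING_ORDER")
            if inv["grn_no"] not in grns:
                issues.append("MISSING_GRN")
            elif grns[inv["grn_no"]] != inv["order_no"]:
                issues.append("GRN_ORDER_MISMATCH")
            # Creditor name must agree across cash-book, invoice and order.
            names = {p.creditor, inv["creditor"],
                     orders.get(inv["order_no"], inv["creditor"])}
            if len(names) > 1:
                issues.append("CREDITOR_MISMATCH")
            # Amount paid must agree with the invoice.
            if p.amount_cents != inv["amount_cents"]:
                issues.append("AMOUNT_MISMATCH")
            # Supporting documents must be cancelled once paid.
            if not inv["stamped_paid"]:
                issues.append("NOT_STAMPED_PAID")
        # The same invoice presented for payment more than once.
        if times_paid[p.invoice_no] > 1:
            issues.append("DUPLICATE_INVOICE")
        if issues:
            findings[p.ref] = issues
    return findings


def sequence_gaps(numbers):
    """Missing numbers in a pre-numbered document series (e.g. GRNs)."""
    present = set(numbers)
    if not present:
        return []
    return [n for n in range(min(present), max(present) + 1) if n not in present]


if __name__ == "__main__":
    for ref, issues in payment_exceptions(PAYMENTS, INVOICES, ORDERS, GRNS).items():
        print(ref, ", ".join(issues))
    print("Missing GRN numbers:", sequence_gaps(GRNS))
```

Each exception is a starting point for follow-up with the responsible clerk, in the same way a missing number in a manual sequence check is.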
Formulate the tests of controls for CREDITORS RECONCILIATION if following a system-based audit approach
1. Select a sample of creditor reconciliations and:
• Recalculate the mathematical accuracy and check the logic of the creditors’ reconciliation (Accuracy)
• Follow up on the reconciled items with discussions with Greg Nel and supporting documentation (Validity)
• Agree the opening balance according to the reconciliation with the creditors’ statement received from the creditor
• Agree the closing balance with the creditors’ ledger (Accuracy)
• Inspect the creditors’ reconciliation for the signature of the office manager (Validity)
2. Select a sample of creditors from the creditors’ list and follow it through to the creditors’ reconciliations to ensure that creditors’ reconciliations exist for all the creditors (Accuracy, completeness)
Formulate the tests of controls you would perform on PURCHASES & RECEIPTS CYCLE
1. Reperform the numerical sequence of orders and goods received notes (GRNs) issued. Obtain explanations for any missing numbers. (accuracy)
2. Enquire of the purchasing manager to confirm that he does check the numerical sequences.
3. Inspect the orders and goods received notes (GRNs) to confirm that they are indeed prenumbered and pre-printed.
4. Reperform the sequence check of the orders and goods received notes (GRN) issued. Obtain explanations for any missing numbers.
5. Trace transactions from the inventory records to the underlying documents and confirm as follows:
GRN: inspect whether it has been signed by the storeman, and that it contains the number and condition of the items received.
Order:
- inspect for the signature of the purchasing manager.
- recalculate the purchase price in rand value as entered on the order (taking into account the details of the rate)
Requisition: inspect for the signature of the marketing manager.
Reperform and inspect that the forward-cover documentation is attached and effected on the date of the transaction.
Reperform and inspect that the details on the above underlying documents agree with those entered in the inventory records.
6. Compare the details on the above-mentioned underlying documents (GRN) with those that have been recorded in the inventory records.
7. Trace a number of transactions from the source documentation along the transaction trail as indicated above to the inventory records.
Reperform and ensure that transactions have been recorded, and that they have been recorded correctly (number and type).
Inspect the reconciliations of the inventory records and the ledger to confirm that these are done monthly.
Inspect the reconciliations for the signature of the ledger clerk
Reperform the logic of the reconciliations to ensure that they were performed accurately
8. Confirm by means of observation, enquiry and inspection of job descriptions that there is adequate separation of duties between the following functions:
- authorization for purchases (purchasing manager);
- receipt and storing of items (storeman);
- updating the inventory records (inventory clerk in accounting division).
3. Observe the storemen while they are receiving the inventory and confirm that the goods are checked properly with regard to accuracy and completeness of the delivery
Perform the receipt of inventory above yourself during receipts to confirm it.
4. Inspect that the stationery register, in which employees sign for receipt of stationery, is kept with regard to all stationery
Inspect and enquire that stationery is kept safely
8. Check the accuracy and test the logic of the reconciliations by reperforming the reconciliation. Investigate any unusual reconciling items.
INVENTORY & PRODUCTION CYCLE
1. PLACING OF ORDERS
PURCHASES & PAYMENTS CYCLE
PURCHASE REQUISITION
(informs the purchasing department what goods are needed)
• A pre-numbered purchase requisition made out by the
production/factory manager (when goods are needed) in
two-fold, approved & signed by the head store manager
• Details: description, amount, date & dept.
• Copies:
o Purchasing division- in order to request the goods
o Own records – as proof of goods requested
• A purchasing clerk must prepare purchasing orders on a
prenumbered purchasing order
• Only a purchasing clerk may prepare purchasing orders if
he has received a purchasing requisition, signed by the
head storeman
• Purchasing orders must be prepared according to a list
of approved suppliers
• If no satisfactory supplier, purchasing clerk must get
quotations before preparing the order
• The purchasing manager must approve the purchasing
order after he has agreed the details with the approved
requisition & suppliers & he must sign
• Purchasing orders exceeding a certain amount must also
be approved by the financial manager & signed
• 5 copies of purchasing orders should be made:
o Accounting division – agreement with the invoice
o Head storeman – to update list of outstanding
requisitions
o Receipts division – ensure that only goods that have
been ordered are accepted
o Supplier – to place the order
o Own records – As evidence that the order has
been placed
• Outstanding purchase orders must be kept in a suspense
file in the purchasing division & followed up regularly so that all
orders are finalised timely
2. RECEIPT OF GOODS (RMs)
PURCHASES & PAYMENTS CYCLE
3. STORING OF RMS
• There should be a separate demarcated area for
receiving goods
• Two receipt clerks must receive the delivered inventory
• The supplier’s delivery note must be signed after the
following have been done: (QQD)
o Details: on the delivery note from the supplier
must be compared with the delivered items & the
details on the purchasing order
o Goods that have not been ordered may not be
received
o Quality aspects of the goods must be reviewed
• The two receipt clerks must take out a prenumbered
goods-received note (GRN) of which the details must
agree with the supplier’s delivery note & the physical
goods received
• 6 Copies of the GRN should be generated:
o Accounting division - agreement with the invoice
& purchasing order
o Accompanies the goods to the inventory store
o Purchasing division – for comparison with
outstanding purchasing orders
o Inventory clerk – for updating the inventory
records
o Own records – file with purchasing order to show
that order has been received
o Supplier – if supplier has not provided a delivery
note
• Goods received must be placed in safekeeping
immediately
• The receipt clerks must perform sequence checks &
follow up on all outstanding orders
• The inventory records must then be updated to record
new stock (RMs)
• RMs must be stored & protected until required in
production
• Stock should be barcoded onto the perpetual inventory
system
o To ensure physical stock can be checked against
theoretical stock on a frequent basis (weekly) &
there is a tracking system
o The system should record: serial number, title,
director, description (for smaller items)
• All RMs purchased & received must be stored &
protected until needed in the production process, the
goods should be stored as follows:
o Stored in a separate isolated area
o Access to the material must be limited (only one
entrance from within the shop)
o Any doors or windows from the outside must be
secured
o The shop must have security gate at the entrance
so that it only opens with a press of a button
located at the cashier’s counter. It must also have
an alarm system
o The shop must be protected against fires & there
must be fire extinguishers & sprinklers on the
premises
o Authorised & signed documentation (requisition)
required for the movement of the RMs.
GOODS RECEIVED NOTE (GRN)
4. PRODUCTION CYCLE
a. Issuing Inventory from the central inventory WH to the branches:
• Branch managers/manufacturing clerk must place an order at the central inventory
WH by making use of a pre-printed standard RM requisition (order form)
• The RM requisition must be prepared in triplicate:
o RM WH – to prepare the correct quantity & type of product for dispatching &
to update their records regarding the movement of inventory
o Accounting department – to update inventory records
o Branch/ WH – as evidence of quantity & type of product requested
§ Must be pre-numbered, Contain the date of request, Authorised
signature of the branch manager, Indicate the branch name, Accurately
explicate the quantity & description of the product
• The WH assistant at the central WH prepares the items for issuing to the
branch/factory on the basis of the RM requisition & completes a RM transfer note
(issue note) for the materials/products that must be issued
• A RM transfer note should be prepared in triplicate:
o Branch/factory together with the items – branch can be sure of the quantity &
type of materials issued to them
o Held at central WH – evidence of quantity & type of … issued to the branch
o Accounting Dept – after delivery in order to update inventory records. Copy
also serves as proof of delivery
§ Contain dispatching date; Must be pre-numbered; Contain the
authorised signature of the WH reviewer after he compared it with the
order form received; Indicate branch name; QQD
• With dispatch, the security guard/head store manager must compare the items being
sent with the RM transfer note & must not allow any items to leave the premises
that do not appear on the documentation & sign as evidence of doing so
• Daily basis – the WH reviewer of the central WH must check that all RM transfer
notes refer to & are supported by a valid authorised RM requisition
• Branch/production managers must compare their duplicate RM requisition with the
RM transfer notes received with delivery on a daily basis
• The WH reviewer & the branch/production managers respectively must review the
number sequence of RM requisitions & RM transfer notes & follow up on missing
numbers
b. Receipt of inventory at branches
• The branch managers must be responsible for the receipt of the inventory items from
the central WH
• With receipt the branch manager must:
o Compare the quality & quantity of the items with the issue note & order form
o Initial/sign as evidence that it has been checked & corresponds
• If there are any deviations between the physical items & the documentation, it
must be recorded on the issue note & signed by both the deliverer & branch manager
• The branch manager must keep the issue note & file it with the order form
c. Physical control over the inventory at the branches
• The branch manager must keep records of the
inventory on hand. These records must be updated with
the issue note & sales invoice
• The branch manager & sales assistant must frequently
hold inventory counts on a sample basis & compare the
counted inventory per item with the quantity according
to the inventory records
• The internal auditor must perform inventory counts at
the branches on a surprise basis & must compare the
physical inventory with the inventory records. The
branch managers must be held liable for any shortages
• The storeroom of each branch must only have an
entrance from within the shop. Any doors or windows
must have security gates.
• Staff must have access to the storeroom, but it is very
important that staff make sure that no delivery people
go into the storeroom
• The shop must be protected against fires & have a
security gate with an alarm system
• Sales assistants must count the amount of items clients
want to buy & that they come out with the right
amount
• The layout of the shop must be designed so that clients
must walk past the cashier before they leave
• A security guard must be appointed & all clients’
purchases must be compared with the cash register slip
& sales invoice before they may leave the shop
• The staff’s packages must be examined when they leave
so that they do not walk out with inventory items
5. TRANSFER TO FINISHED GOODS STORE
a. Finished Goods Transfer Note
• Record transfer of manufactured goods from the production division to
the finished goods store
• A pre-numbered finished goods transfer note must be issued in 3 fold by one
of the production foremen & must be authorised & signed by the production
manager
• Details:
o The QQD
o Date
o Department sent to
• Copies:
o Finished goods store (whilst accompanying the goods) - can
match to the physical goods received
o Own records (factory) - proof that the goods have been transferred
o Accounting department - to update inventory records
b. Stock Records
• Inventory records should be updated to reflect the transfer by
independent accounting personnel (accountant)
o Finished goods should increase
o Work in Progress decreases
c. Cost System
• Unit costs determined by a variety of methods
o Process costing
o Job costing
o Standard costing
• Each method requires different ways of accumulating costs &
unit cost calculations
d. Determination & Calculation of production costs of finished goods
• Production reports (made up of the calculations within them)
provide information concerning amount of raw materials used in
production, labour required to produce goods, & allocation of
overheads
• Production cost will depend on the system in use
• Calculation of production costs must be checked &
authorised (signed) by management
e. Additional (for that of a perpetual system)
• The stock should be barcoded rather than maintaining A4 pieces
of paper
• The barcoded physical stock must be checked against the theoretical
stock on a frequent basis (Weekly) & have a tracking system, by the
sales assistant / branch managers
• There should be a designated accountant that should be
employed to keep record & update the perpetual system, when stock
is received, sold, destroyed, etc. This person should not have
access to the stock
• The re-order level should be put into the system so that stock can
be reordered when the levels are too low
• There should be frequent stock counts, this must be done in
conjunction with an independent person & shortages/surpluses
must be reported to the general manager for further investigation.
The GM must also perform regular surprise stock takes
6. SEND FINISHED GOODS TO CUSTOMERS
PICKING & DISPATCH OF ORDERS BEFORE THE GOODS ARE LOADED ONTO TRUCKS FOR DELIVERY BY THE DRIVER
1. The approved sales order form is sent to an access-controlled
demarcated area of the WH where the storemen pack boxes for
dispatch & one of the storemen then sends an email to the sales
department to confirm receipt of the order. The chief storeman
then instructs the packers to pack the order accordingly.
2. Pre-numbered, pre-printed delivery note is prepared by the
storeman responsible & then attached to the packed goods.
3. Delivery note details:
o Order #, Quantity, Product Code, Customer, Delivery Date,
Delivery Address, Storeman signed the delivery note as proof
that all is correct
4. The chief storeman then compares the physical goods to the
delivery note as well as the approved sales order form & checks
the QQD is correct; thereafter he signs the delivery note as
evidence of doing so
5. Delivery note is distributed as follows:
o 2 copies accompanying the goods to client – one must be
signed by the client & returned with the delivery staff. The
signed copy is then sent to the accounting dept. so that an
invoice can be prepared
o Sales dept. - as evidence that order has been executed
o Remains @ WH – evidence that inventories have been
dispatched & for number sequence check
o Inventory clerk – inventory records can be updated as evidence
that order has been executed
6. The number sequence of the delivery notes must be checked by
the chief storeman (independent person) on a regular basis &
outstanding items must be followed up.
7. DELIVERY
1. The driver then packs the goods into the delivery vehicle
ensuring the goods match the delivery note
2. He signs as evidence of doing this
3. Before the delivery vehicle leaves the premises, the gatekeeper
ensures that all the physical goods have been provided with
delivery notes that agree with the delivery note; this can be
documented on a gate register or the delivery note
4. The client must sign the delivery note as proof of receipt of the
physical goods, that the QQD match what was ordered & what
is on the delivery note
5. The client keeps one copy & the other copy is returned to the
invoicing department by the delivery vehicle
6. [insert name] must review the number sequence of the
delivery notes & investigate any missing numbers
Inventory count:
• Describe the inventory count procedures that you would recommend
Before count:
• [Insert name Ltd.] must inform all persons concerned of the date on which the
inventory count will take place by means of written instructions
• Inventory count has to take place as close as possible to year-end
• A planning meeting should be held with all persons concerned so that everybody can
know what their duties and responsibilities are (must take place well in advance of
the inventory count date)
• Based on the nature of the stock, the following staff must be appointed:
- 3 supervisors (one per store)
- 12 counters (two teams of two per store) or 6 counters (three teams of two
rotating)
- 1 coordinator
• Staff involved in the inventory count should not be responsible for the daily control
and recording of stock items
• The three stores must be neatly packed before the inventory count so that items can
be easily counted
• Make sure there are no open spaces on the shelves and that all items are
appropriately identifiable
• Stock should be marked in such a way that it can be identified during the inventory
count
• Access to the premises must be restricted to the counters, supervisors and the
coordinator
• If it is practically possible, there must be no movement of stock items during the
counting day
• If there is a movement of stock, it should be kept separately and documented
appropriately
• Two counting teams must be allocated per store
• The counting teams that have to follow up on differences must be appointed in
advance
During count:
• Prenumbered counting sheets must be issued to the counting teams by the
supervisors and the counters must sign for it
• Supervisors are responsible for all counting sheets (even unused ones) handed in by
the counters after counting has been concluded and all counters have signed as
confirmation of delivery
• A counting sheet register can be used for the purpose of recording which sheets
have been issued to which counting teams
• The counting sheets should have headings so that the following information can be
recorded:
- Description of the items
- Location of the items
- Count per item
- Space for signature of the counters
• All counting sheets must be completed in ink
• Unused lines must be crossed out
• Counters must make sure that they work through the store systematically so that all
items are counted
• After an item has been counted, it should be marked as counted to prevent it from
being counted twice (with a sticker)
• All stock items must be counted by the second team
After count:
• The supervisors receive the counting sheets and confirm that:
- All counting sheets have been received back (check number sequence)
- There are no errors or missing numbers
- That no unauthorised changes have been effected to the counting sheets
- That the counters have signed as confirmation
• After the supervisors have received all counting sheets, they sign the counting sheet
register and hand in the complete counting sheets over to the coordinator
• The coordinator confirms that all stores and items have been counted
• The coordinator reconciles the counting sheets of the two counting teams and if
there are any differences they should be counted again (by pre-identified counting
teams)
• No additional unauthorised changes may be made on the inventory sheets once
returned
• The inventory manager should compare the figures from the first and second count
to confirm that the two figures are the same
• Teams may not leave the premises until all differences between the first and second
counts have been resolved
• The quantities on the inventory system and the physical count sheet must be
compared
• If the quantities do not correspond:
- The inventory item must be returned
- The necessary corrections must be made on the system
• An independent person must review the comparison and the inventory corrections
• She/ he must sign as evidence of having performed the review
PRODUCTION CYCLE DOCUMENTS
Raw Material Requisition
Raw Material Transfer Note (RMT)
(RM)
Finished Goods Transfer Note (FGT)
1. #
•
Pre-numbered
•
Pre-numbered
•
Pre-numbered
2. Details
•
Date of request
•
Dispatch date (transfer)
•
Dispatch date (transfer)
•
•
3. Check
•
•
Quantity
•
Description of raw material
Production manager only authorises by
Cost of item
Description of order
•
•
2 storemen pick & prepare RMT & sign
•
The factory storeman must compare the
•
records w.r.t. the movement
2) Manufacturing – evidence of
5. Number Sequence
•
Signed by storeman & head storeman
•
as evidence. QQD
Signed by the factory supervisor & the
production manager
1) Finished goods WH – evidence of
2) Manufacturing – to be sure of quantity
2) Manufacturing – as evidence of the
quantity & type of RM issued
store
3) Accounting dept. – Update inventory
Production manager review number
Head storeman review number sequence of
missing/outstanding numbers
missing/outstanding numbers
sequence of RM requisitions & investigate
Compare it to the physical goods & sign
1) Raw material store – evidence of
3) Accounting dept. – Update inventory
records
& then;
prepared – (Raw Materials Foreman
& type of RM issued by raw materials
quantity/type of RM
RMTs quantity & description to the FGT
checks QQD)
•
quantity & type for dispatching & update
Match (compare) raw material
requisition to RMT & physical goods
been agreed to the production schedule
1) Raw material store – prepare right
Quantity
•
signing, after details on the RM have
4. Copies
•
Description of RMs dispatched
•
Manufacture clerk prepares & signs
Quantity
records
RMT (issue note) & investigate
quantity & type of finished goods issued
quantity & type of finished goods issued
3) Accounting dept. – Update inventory
records
Production manager must do a sequence
check for any missing/outstanding numbers
INVENTORY & PRODUCTION CYCLE
FORMULATE CONTROL OBJECTIVES
INVENTORY
To ensure that:
1. inventory is properly protected against damage (accuracy)
2. inventory is properly safeguarded against theft (validity)
3. accuracy, valuation & allocation of inventory
4. the factory has the correct & sufficient raw materials during the production process
5. only raw materials needed during the production process are requisitioned
6. only valid transfers of raw materials to production are needed
7. no theft of inventory takes place during manufacturing and spillage is minimised
TRANSFERING OF FINISHED GOODS TO THE FINISHED GOODS STORE:
To ensure that:
• only finished goods that have completed the production process and are transferred to the finished goods store. (Validity)
• finished goods transferred from production to the finished goods store are not damaged. (Validity)
• finished goods transfers accounted for in the inventory records actually occurred during the financial period and are
supported by a supporting documentation (transfer note). (Validity)
• all finished goods that have completed the production process are in fact transferred from production to the finished
goods store. (Completeness)
• all finished goods transferred from production are in fact received at the finished goods store. (Completeness)
• all finished goods transferred from production to the finished goods store are recorded in the inventory or accounting
records. (Completeness)
BANK & CASH CYCLE
1. GENERAL CONTROLS
1. There should be notices at a cashier counter or a policy (e.g. notice on insisting on
evidence/receipts)
2. Receipts/slips should be kept as a proof of purchase
a. Issued in triplicate:
i. Client – evidence of execution
ii. Own records – evidence of cash received
iii. Accounting dept – for bookkeeping
3. Regular number sequence checks of the receipts must be done (number sequence
should be automatically created by the cash register)
4. There should be reconciliations between accounting records: CRR & the physical
money in the cash register
a. Must be done by an independent accounting senior person
5. Cash should be cleared out of the cash register on a frequent basis & placed in a
drop safe with one key being held on-site & the other off, until cash-up time. (When
money is moved, it must be locked up)
6. The general manager should perform surprise inspections & cash counts to
determine if cashiers & office managers are doing their work
7. The manager should review: sales register, deposit slips, bank recon & follow up on
differences
8. The staff should be well trained & should receive additional training as the need arises
– staff should be rotated on a regular basis
9. Adequate segregation of duties:
a. Making the sale: cashier
b. Recording the receipt: bookkeeper
c. Making the bank deposit: general manager & security guard
d. Review the bank recon: accountant
e. Review of registers: general manager, etc.
2. RECEIPTS
a. CREDIT CARD RECEIPTS
1. Online sales by credit card should be processed online to the banks or the cashier
should review the credit card number against a list of invalid or stolen credit cards
to ensure that the customer is creditworthy & has sufficient funds.
Alternatively, the cashier could also request the client’s ID & review the signature &
details to the details on the credit card slip
2. The cashier could make an imprint or photocopy of the customer’s credit card thus
maintaining records of the customer’s details & the card’s security code
3. The cashier should review the:
a. Customer’s signature
b. Details such as the expiry date, name & signature & details on the credit card
slip
4. The credit card slips should be prenumbered & the manager should perform a
sequence review when the cash register is cashed up
5. The payment should be followed up with the bank until payment is received
b. CASH RECEIPTS
1. Cash registers should be used over cash drawers with the price & amount due being
displayed prominently, visible to the client.
2. Prices should not be rounded amounts, to force the cashier to open the cash register &
give the customer change
3. All sales on the cash register should be recorded on a CRR to which the cashier does
not have access
4. The cash register should be lockable, with the cash register being removed if the
cashier goes on a break. The till should only be opened when an amount is entered on
the till or if the manager opens the till with his key
b. CASH RECEIPTS CONTINUED
5. The till roll should be used to write up the accounting records, not the deposit slips
6. The manager should review the CRR for unusual amounts, or any altered transactions
7. The following should occur with the cash that is received:
a. Should be deposited into the bank daily/weekly
b. Safeguarded in the safe from the time of receipt until banking
c. There should be SoD between all the functions involving cash (same as that
of general controls)
c. RECEIPT OF CHEQUES BY POST
1. There should be at least 2 persons (1 independent) who open the post. They
should review the details:
a. Cheques are made out in the company’s name
b. Is crossed (non-transferable)
c. The date (post-dated cheques should not be accepted until payment is due)
d. Signatures on the cheque
e. Clients had been pre-approved by GM
2. A mail register should be kept & record the following details:
a. Date of receipt
b. Debtor’s name
c. Amount received
3. Both staff members who open the post should sign the mail register
4. They should hand the cheques received to the cashier & must sign as proof of receipt
5. The cheques should be inspected by 2 staff members for any amendments.
6. There should also be a company policy in place to reject amended cheques
7. The GM should have copies of all their clients’ IDs or proof of incorporations,
contact details & address & there should be pre-approval before cheques are accepted &
approval by the bank
DEPOSITS
a. DEPOSITING CASH RECEIPTS
1. Chief cashier completes duplicate bank deposit slip indicating total cash received
a. One copy goes to the bank – in order to deposit the money received
b. One copy remains in own records – as evidence of cash being deposited
2. Cash kept securely in safe
3. Security company collects cash daily & banked by guard
4. The cashbook clerk should file the stamped deposit slip & compare it to the
carbon copy & investigate any amendments. Must sign
5. Person independent from cashing up & banking: Reconcile bank-stamped deposit
slip with company’s copy of deposit slip & cashing up sheets (compiled by cashiers)
6. File deposit slip in date sequence & regularly review for unbanked cash
7. Update cash journal
8. Reconcile bank statement with cash journal
b. DIRECT DEPOSITS
1. The person responsible for funds received should provide the bookkeeper with
details of the deals/sponsorships negotiated in order to clear direct deposits
to the correct debtor account & to write up journal
2. A suspense account should be used for all uncleared/unknown direct deposits &
follow up
3. List of unidentified deposits must be prepared by the cashbook clerk
4. The accountant should regularly reconcile the list of unidentified deposits with
unusual (recurring items)
3. PAYMENTS
a. PAYMENT BY DIRECT BANK TRANSFER & EFT
• There should be segregation of duties between the person that prepares the details & the authorisation & the person who checks the details when sent.
• There should be strict access controls to the computer & its functions.
• There should be double authorisation
  o From a senior member of management
  o Passwords & pins
• The manager must check the details of the payment with the various documents & inspect all payment terms.
• Other controls applicable to documents still remain, such as cancelling all supporting documents.
• The underlying documents or the general ledger must be reconciled to the actual amount stated on the bank statement.
b. PAYMENTS BY CHEQUE
• There should be adequate stationery control over blank, pre-printed unused cheques.
• The cheque book should be locked away in safekeeping when not used.
• There should be an authorised cheque requisition for all cheques.
• The cheques should contain the following:
  o Beneficiaries name
  o Reasons should be clearly stipulated
  o Crossed (non-transferable)
• Cash cheques (except for wages) & cheques with open spaces & non-crossed cheques should be rejected.
• The cheque should be authorised by the payments manager & there should be segregation of duties among the following functions:
  o Preparing the cheque
  o Signing the cheque
  o Cheque should not be returned to the person requesting the cheque.
• The cheque should be signed by a senior member of management
  o It should be signed only after it has been clarified whether the cheque is authorised.
  o The cheque requisition has been checked.
  o The accuracy of the details of the cheque has been checked.
• All supporting documentation should be cancelled (cheque requisition).
• The payment terms should be inspected.
• There should be a review & investigation by the manager:
  o Number sequence check as well as following up on all missing numbers.
  o All returned cheques should be investigated:
    § Check number sequence
    § The amount on the cheque agrees with the amount of the counterfoil.
4. PETTY CASH
1. The responsibility of controlling the petty cash must be allocated to a single, competent, independent person.
2. Petty cash should be kept secured in a lockable box.
3. The cash in the petty cash must not be mixed with other funds or
activities of the enterprise, specifically customer receipts.
4. A policy must be determined regarding the maximum amount &
type of expenses which will be allowed to be compensated from
petty cash.
5. All cash expenses should be paid from the petty cash.
6. Petty cash receipts must be properly authorised (by referring to the
amount & the reason for the expense) & signed as proof of this.
7. The person in control of the petty cash must prepare a
reconciliation in which the cash in the petty cash is reconciled with
the amount of the petty cash advance, by adding the total amount
of the petty cash receipts issued (according to the petty cash
journal). This person must do the reconciliation once a month.
8. Surprise counts must be performed by the owner or independent
person who performs the reconciliation at that stage.
9. Any differences/errors/irregularities found by performing abovementioned reconciliation must immediately be investigated.
10. At the end of each month, the total amount of the petty cash
receipts issued (per petty cash journal) must be compensated from
the cashbook by means of cheque that is cashed
11. All petty cash slips already compensated must be cancelled to
prevent submission & compensation thereof
12. Petty cash slips must be pre-printed & pre-numbered & an
independent person should perform a number sequence check on a
regular basis & follow up missing petty cash slips
13. Supporting documentation:
a. The amount should be paid first & then the amount may be
claimed from the petty cash with a petty cash slip
b. Money could be requested; the change is then brought back &
given a slip
14. Petty cash slips should be issued for each expense paid (when
money is taken from petty cash journal, a pre-numbered petty cash
receipt must be issued):
a. Pre-numbered
b. Date, requester, purpose & proof
5. CASH COUNT
At the end of each shift & surprise occasions,
the cashier & general manager/supervisor (2
persons) should count the cash & the petty cash
doing the following:
• Keep the cash takings in a till bag with a lock
which should be sealed until it is counted.
• Calculate the sales for the day from the cash
register roll.
• Reconcile the cash received to the total
sales calculated & recorded in the general
ledger according to the cash register roll in
order to identify any shortages & surpluses.
• Enter the details on the sales return
form/reconciliation.
• The cash book clerk & the general
manager/supervisor should sign the sales
return form/reconciliation/count sheet/roll
as evidence of:
o Cash being taken custody of
o Reviewed
o Evidence of this being
accurately performed
6. BANK RECONCILIATION
What is it?
• Monitoring of differences between
balances in:
o company records
o cashbook & general ledger
o balance according to bank
Controls:
• The bank reconciliation must be drafted
on a monthly basis by an independent
person/cashbook clerk.
• An independent review (e.g. by the
accountant) must be performed & the
following must be tested:
o The logic of the reconciliation
o Ensure that the reconciling items
match the subsequent
documentation such as the bank
statements.
o Investigate long outstanding
items
7. OTHER NB CONSIDERATIONS: FRAUD
Cause
• Occurs due to time span between transaction date & date recorded.
• Purpose: to hide fraud or theft or to overstate bank.
Examples:
• Lapping
• Kiting
• Window dressing
Fraudulent financial reporting techniques
• Kiting
  o Company with > 1 bank account with different banks
  o Timespan to cash cheque & carry it over from one account to another
  o Manipulate transfers during y/e – to overstate the bank & cash balance in the AFS.
• Window dressing
  o Manipulate the ratio between current assets & liabilities
  o Write cheque out before y/e & give it to the creditor after y/e.
Misappropriation risk
• Rolling of cash / Lapping
  o Cashier takes cash paid by a debtor, covers the shortfall with a subsequent debtor's receipt.
  o Higher risk in companies where:
    § Cash & cheques are received from debtors;
    § Poor SOD between cashier & recording of receipts functions;
    § Lack of review over the abovementioned functions
• Theft of cash
• Dishonoured cheques
  o A cheque is made out by a client, but there are no funds available in the client's bank account.
• Fictitious deposits
  o Where clients can pay via direct deposit / EFT → Receive fictitious proof of payment from the client & consequently deliver the goods/service to them
5. CASH COUNT CALCULATION:
6. BANK RECONCILIATION CALCULATION
BANK RECONCILIATION AS AT 31 MARCH 2014
Balance according to cash book               XXX
Plus: outstanding cheques (payments)         + XX
Less: outstanding deposits                   - XX
Plus/Min: other reconciling items            +/- XX
Balance according to bank statement          XXX
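The reconciliation layout above, worked through in code together with two of the review controls from section 6 (reconciling items must agree with the bank statement; long-outstanding items are investigated). This is an added example, not part of the original notes; the `Entry` record, the `reconcile` function, the day thresholds and all figures are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class Entry:
    ref: str         # cheque number, deposit slip number or bank reference
    when: date       # date recorded (cash book) or processed (bank statement)
    amount: Decimal  # positive = deposit/receipt, negative = cheque/payment


def reconcile(cash_book, bank_statement, cash_book_balance, bank_balance,
              as_at, max_deposit_days=3, max_cheque_days=30):
    """Cash book balance + outstanding cheques - outstanding deposits
    +/- other reconciling items should equal the bank statement balance."""
    bank_by_ref = {e.ref: e for e in bank_statement}
    book_refs = {e.ref for e in cash_book}

    # In the cash book but not yet on the bank statement.
    outstanding = [e for e in cash_book if e.ref not in bank_by_ref]
    outstanding_cheques = sum((-e.amount for e in outstanding if e.amount < 0), Decimal(0))
    outstanding_deposits = sum((e.amount for e in outstanding if e.amount > 0), Decimal(0))

    # On the bank statement but not in the cash book (bank charges,
    # uncleared direct deposits): the "other reconciling items".
    other_items = sum((e.amount for e in bank_statement if e.ref not in book_refs), Decimal(0))

    expected_bank = (cash_book_balance + outstanding_cheques
                     - outstanding_deposits + other_items)

    # Same reference on both sides but a different amount: an altered
    # deposit slip or cheque, which the reviewer must follow up.
    mismatches = sorted(e.ref for e in cash_book
                        if e.ref in bank_by_ref and bank_by_ref[e.ref].amount != e.amount)

    def is_stale(e):
        # Deposits should reach the bank within days; cheques may take longer.
        limit = max_deposit_days if e.amount > 0 else max_cheque_days
        return (as_at - e.when).days > limit

    return {
        "outstanding_cheques": outstanding_cheques,
        "outstanding_deposits": outstanding_deposits,
        "other_items": other_items,
        "expected_bank": expected_bank,
        "unexplained": bank_balance - expected_bank,
        "amount_mismatches": mismatches,
        "long_outstanding": sorted(e.ref for e in outstanding if is_stale(e)),
    }


# Constructed sample data for March 2014 (opening balance 10 000 on both sides).
CASH_BOOK = [
    Entry("CHQ498", date(2014, 2, 10), Decimal("-450")),
    Entry("DS101", date(2014, 3, 3), Decimal("5000")),
    Entry("CHQ501", date(2014, 3, 10), Decimal("-1200")),
    Entry("DS102", date(2014, 3, 14), Decimal("3000")),   # never reached the bank
    Entry("CHQ502", date(2014, 3, 28), Decimal("-800")),
    Entry("DS103", date(2014, 3, 31), Decimal("2500")),
]
BANK_STATEMENT = [
    Entry("DS101", date(2014, 3, 4), Decimal("5000")),
    Entry("CHQ501", date(2014, 3, 12), Decimal("-1200")),
    Entry("DD-7731", date(2014, 3, 20), Decimal("900")),   # unidentified direct deposit
    Entry("FEE-MAR", date(2014, 3, 31), Decimal("-75")),   # bank charges
]

if __name__ == "__main__":
    result = reconcile(CASH_BOOK, BANK_STATEMENT, Decimal("18050"),
                       Decimal("14625"), date(2014, 3, 31))
    for key, value in result.items():
        print(f"{key:22} {value}")
```

A deposit such as DS102 that stays outstanding well past the banking interval is the pattern the notes associate with unbanked cash and lapping, so it appears under `long_outstanding` even though the reconciliation itself balances.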
BANK & CASH CYCLE
FORMULATE CONTROL OBJECTIVES
BANK & CASH
To ensure that:
1. payments are authorised in terms of the company policy
2. payments are made to the correct supplier
3. payments are calculated correctly
4. payments are for transactions that actually occurred & for which goods and services were received
5. payments are classified in the correct accounts in the financial records
6. all payments are recorded in the accounting records
RECEIPT OF CASH
To ensure that:
1. All receipts relate to genuine ticket sales or sponsorships and are therefore supported by underlying documents such as tickets, deposit slips, sponsorship agreements et cetera as evidence of having actually taken place.
2. All discounts and refunds (i.e. adjustments) of cash are either authorised specifically by management or general authorisation exists in terms of management policy.
3. All receipts are adequately safeguarded.
4. All receipts in cash, credit card or via direct deposits are recorded at the correct amount (not duplicated) actually received.
5. All receipts are correctly calculated net of discounts.
6. All direct deposits are recorded in the correct debtors or revenue account.
7. All receipts of cash are recorded to the correct sales account.
8. All receipts, discounts et cetera are correctly summarised, classified and posted to the correct accounts in the general ledger and annual financial statements according to nature.
9. All receipts (from for example ticket sales and direct deposits) are recorded in the accounting records and no receipts are misappropriated or omitted.
10. All receipts from ticket sales are banked.
11. All receipts of cash are recorded timely in the correct accounting period.
12. All receipts from ticket sales and sponsorships are banked timely.
CASH SALES PERFECT CYCLE
RECEIVING ORDERS FROM CUSTOMERS & APPROVAL:
• customer calls to place an order & order clerk prepares a pre-numbered sales order form
• pre-numbered sales form contains complete details:
  o product codes, quantity, approved price per price list, delivery date, address & name of customer
• a copy of the sales order form is sent to the customer & returned
• must be signed before sales order is approved = proof that they are happy with the order
• approved order form must be distributed in quadruplicate:
  1) to customer – evidence order has been placed
  2) to inventory store – to select goods for delivery
  3) to sales department – for sequence check & follow up of orders
  4) to accounting department – to match documents before invoicing
• an independent person must:
  o review the number sequence – to investigate missing numbers
  o agree approved delivery notes – follow up outstanding orders
SALES APPROVAL FOR CREDIT SALES:
- credit manager receives completed sales order form and checks:
  o credit limits, current outstanding balances, creditworthiness for new customers
- before the sales order form is approved, the credit manager must perform checks:
  o appropriate inventory in store
  o price agrees to approved price list
  o credit manager signs form – evidence client may purchase on credit
  o re-calculate invoice – for accuracy
PICKING & DISPATCHING OF ORDERS BEFORE GOODS ARE LOADED ONTO TRUCKS FOR DELIVERY BY DRIVER:
• approved sales order form is sent by email:
  1) to access controlled, demarcated area of warehouse where storeman packs boxes for dispatch
  2) receipt of order to sales department – to confirm receipt of order
• delivery note = pre-numbered, pre-printed, prepared by responsible storeman & attached to packed goods
• delivery note includes: order number, quantity, product code, customer, delivery date, delivery address
• delivery note signed by storeman – proof all inventory packed correctly & to assign responsibility
• delivery note copies:
  1) remains in warehouse – evidence inventories dispatched & for number sequence check
  2) to inventory clerk – to update inventory records
  3) 2 copies to customer – one copy signed by customer & returned to warehouse -> forwarded to accounting dep (invoice can be prepared)
  4) to sales department – evidence order is executed
• number sequence check of delivery notes by independent person (chief storeman) on a regular basis & follow up on outstanding items
DELIVERY:
• driver packs goods into delivery vehicle making sure goods match delivery note & signs as evidence
• before delivery vehicle leaves – gatekeeper ensures physical goods have been provided with delivery notes & that they agree with the delivery note, documented on gate register / delivery note
• client must sign delivery note – to confirm receipt of goods
• COPIES:
  1) client keeps one
  2) one returned to invoicing department by delivery vehicle
• independent person must review the number sequence on delivery note and investigate missing numbers
INVOICING / SENDING OUT OF MONTHLY STATEMENTS:
• one of the invoicing clerks prepares a pre-numbered invoice in triplicate based on the signed delivery note returned from the customer & the approved sales order form
• invoice contains:
  o order number, date, delivery note number, quantity, product code, price according to approved order, signature of preparer
• other invoicing clerk checks calculations on invoices & compares prices on invoices with approved sales order form & quantities and descriptions with the approved sales order form & delivery note – signs as evidence of doing so
• three invoices sent:
  1) CLIENT – to know the outstanding amount / amount payable
  2) SALES DEPARTMENT – filed as evidence of transaction and number sequence check
  3) ACCOUNTING DEPARTMENT – record sale in sales journal & debtor’s ledger
• on monthly basis an independent person (accountant) prepares prenumbered statements for credit clients
• contains:
  o starting balance, invoices purchased, interest, payments / returns, closing balance
• two copies prepared:
  1) ACCOUNTING DEPARTMENT – remains in accounting department for future reference
  2) CUSTOMER – remittance advice for payment & to assess details
CASH RECEIPTS PERFECT CYCLE
RECEIVING MONEY
• cash receipt = payment by cash
• contains: details of payee, date & amount
• mail opened by 2 people & a mail register
• pre-numbered cash receipt issued:
  1) CUSTOMER – proof of payment
  2) ACCOUNTING DEPARTMENT – money received (receipt book)
• cash kept safe, accuracy checked & authorised by manager + SIGNED
CMISS
DEPOSIT MONEY
• deposit slip = bank document filled in by the business to record a deposit of payments received from customers
  - details: date of deposit, details of cheque, amount of cash & cheque, total amount received
• copies:
  1) ACCOUNTING DEPARTMENT – record money deposited
  2) BANK – deposit money received
• monitoring:
  o monthly reconciliations by the accountant
  o bank reconciliation (cash book & bank statement)
  o debtor’s reconciliation (debtor’s control v debtor’s ledger balance)
• accuracy checked by management & signed
• depositing of cash daily
• deposit slip = used to complete the cash receipts journal which is posted to the GL and the DL
• recording & reconciliations done by separate people
• all documents signed as evidence of occurring
DRAB
MACRO
SALARIES & WAGES CYCLE
1. APPOINTMENT & AUTHORISATION
• Specific department/head of the personnel division requiring employees informs the personnel division of the position needing to be filled
• The personnel division will then do the following:
  o Advertise the position (with authorization from higher management)
  o Receive applications together with the CV (which should contain their qualifications)
  o Suitable candidates are then interviewed
    § The interview should be performed by the personnel division
    § Two employees (one from the personnel division & one from the division requiring employees) should conduct the interview
    § Aptitude tests must be performed
• The individual shall then be offered the job
• A pre-numbered appointment letter or contract of employment shall be authorized & signed by the personnel manager in two-fold:
  o One copy shall go to the new employee
  o One copy should be kept by the personnel division
• Appointment letter / contract of employment should contain details on the terms & conditions of the employment
• It must be signed by the employee accepting the job
• The hourly wage shall be determined by the wage form & be authorized & signed by the personnel wage manager
• Or factory foremen together with the personnel department must decide on a wage & this shall be authorized & signed by management
2. PERSONNEL RECORDS
a) Employee file (or permanent file)
• Information about every employee is kept in the personnel division with an employee file
o Each employee shall have their own file
o The file can be a physical paper file or a computerized file
• The following information should be kept in the files:
o Personal information, Employee number, Appointment date, Compensations, Fringe benefits, Deductions
• Any amendment in the wages must be recorded in the employee's personnel file by the personnel Department
b) Deduction authorisation form (NB: signing)
• A pre numbered deduction authorization form should be completed by the wage foreman giving permission to
the company to deduct certain amounts of the employee’s wage & to pay those amounts to third parties on his
behalf
• This should be signed by the employee as proof
• This form must be authorized & signed by the personnel manager & shall be issued in two-fold
o 1 is kept by the employee
o One should be kept by the personnel division
c) Compensation amendment form
• Any change in the following functions:
o Remuneration rate; Working conditions; Terms of employment
Must be recorded in this document
• A pre numbered compensation amendment form must be issued in two-fold & authorized & signed by the head of
the personnel division:
o One copy shall go to the employee in order to notify the employee of wage changes
o One copy should be kept by the personnel division
• Wage scale adjustment shall be authorized by the wage foreman
• Made out by two persons from the personnel division in writing
• The following party shall be notified in writing:
o The payment division / wages division
o The employee (compensation amendment form)
d) Termination of service form
• When either party decides to terminate the employment contract, this must occur in writing
• This form can be completed by either party:
o Employee upon resignation or employer through retrenchment or firing
• A pre numbered termination of service form must be completed by either one of the parties in two-fold & must be
authorized & signed by the head of the personnel division:
o One copy should be kept by the employee
o One copy should be kept by the personnel division
o Both parties must sign
3. TIMEKEEPING & CHECKING HOURS WORKED
a) Timecard/clock card/timesheet: record the hours which a wage earner has worked
• Clock cards / time sheets should be prenumbered & prepared by the personnel department using the employee list & must be authorized & signed by the foreman/supervisor
• Details include
  o Employee number, name, date, number of hours worked, overtime hours worked
• There should be control over the issue & receiving of clock cards, namely that there should be a register for cards issued & received back
• The issuing of the timecard shall be done by admin clerk A & the receiving of the card shall be done by admin clerk B of the personnel division (segregation of duties over issuing & receiving)
• The blank clock cards shall be kept secure in a safe
b) Clock card machine
• Location: entry/exit point (only in one location preferably)
• Protected by a turnstile mechanism – where employees must use their timecards to swipe in & swipe out
• There should be adequate supervision by a supervisor/foreman:
  o Only one clock card machine
  o Supervision during clocking in & out times to ensure that the employee only swipes their own card & to ensure the validity of information recorded
• All clock cards / timesheets must be collected at the end of the day & not left for a period of time
• Clock cards should be checked for errors & manipulation by the supervisor/foreman, which should be signed
• Overtime hours recorded on the clock card should be checked by an independent person & approved in terms of the company's policy
4. CALCULATION & PREPARATION OF PAYROLL
• The wages journal / payroll should be prepared with reference to the hours worked per the clock cards as well as with reference to the clock card machine
• The following details should be included in the wages journal/payroll:
  o Employee number, employee name, date, tariff, number of hours worked, overtime hours worked, gross wage, deductions
• The wage journal / payroll shall be checked & authorized by an independent person / manager of the wage department for validity (common weakness):
  o Recalculation
  o Checked with reference to the budget
  o Checked for unusual expenses
  o Check that hours indicated match the clock cards
  o Any difference should be investigated by the supervisor / wage foreman
Calculation:
Hours (clock card) x tariff (tariff form)
= gross wage
Less deductions
= net wage
5. PAYMENTS
• A cheque shall first be requested for total wages for the week from the personnel division & the wage journal / payroll should be sent as proof / supporting documentation (which has been signed & authorized). The supporting documentation should be cancelled to prevent double recording
• A cash cheque shall then be issued by the payments division with evidence of the money withdrawn such as a bank slip. The cheque is then cashed immediately; the cash should be kept in a safe until it is placed in the pay packets.
• The wage manager must compare the total of the wage journal with their cheques & cancel the wage journal in order to prevent double recording
a) Wage slip / wage record
• The wages for the employees are placed in a pay packet by the wage clerk:
  o Wage clerk must sign as evidence of receipt of the cash
  o The making up of the pay packet should be performed by two wage clerks from the payment division
  o The contents must be checked & authorized by the manager of the wage department
• A pre-numbered wage slip shall be issued by the payment wage clerk in two-fold, which indicates all the transactions applicable to the employee & total of their wages to date; these shall be approved & signed by the manager of the wages department:
  o One copy is sent to the employee and one is sent to the payments division
b) Wage payout
1. The payout must be attended by the accountant & the foreman (i.e. two persons).
2. Employees must identify themselves when they come to fetch their wages e.g. by means of a personnel card or identity document.
3. Employees must sign the wage journal as evidence that they received their wages.
4. The employee must immediately check the cash in the envelope under supervision of the accountant & foreman & any differences must be recorded immediately.
5. Wage envelopes must be handed to the employees in person only.
6. Wage envelopes, not fetched, must be taken back to the secretary who will keep it safe together with an unclaimed wage register. Wage must be recorded unpaid in wage journal
& entered in the unclaimed wage register.
7. The unclaimed wage register & the wage journal must be reconciled weekly.
8. Similar procedures must be in place as in 1-4 above, when the employee claims his/her wage envelope at a later stage. Entries then in unclaimed wage register only & not in wage
journal.
9. The unclaimed wages must be banked again within a reasonable period.
10. Long-outstanding wages must be checked by a senior member & reasons must be obtained.
c) Unclaimed wages
• The details of all unclaimed wage envelopes (employee name & number, date of payout & amount of wages) must immediately be recorded in a register of unclaimed wages & it must be indicated in the wage journal that the relevant wage was not paid out.
• The wage envelope, together with the register of unclaimed wages, must be handed over to the accountant who must sign the register as proof of receipt.
• Until it is claimed (or banked) unclaimed wages must be placed in, for example, a safe.
• If an employee comes to claim his/her wage:
  o the employee must be identified properly (by for example, an employee card or identity book); the employee must check his/her wage & sign the register as proof of receipt of his/her wage; & wage must be handed to the employee in person only.
• All envelopes which are not claimed in a reasonable time (3-5 days), must be handed to the cashiers, who must sign the register as proof of receipt of the money.
• The cash must then be deposited in the bank account of the company.
• The register of unclaimed wages must be reviewed by the managing director in order to identify & follow up on any long-outstanding wages or regular unclaimed wages.
SALARIES
Salaries are similar to wages but:
• There are no clock cards
• No unclaimed wages
a) Calculation and preparation of the payroll
Basic salary (tariff form)
+ fringe benefits
Less deductions
= net salary
b) Salary journal
• A pre-numbered salary journal must be prepared by the payments division with reference to the
employee list provided by the personnel division, which shall be authorised and signed by the head
of the personnel division.
• This shall be prepared a week before payment is made
• Details:
o Employee number
o Employee name
o Date
o Salary scale
o Net salary
o Fringe benefits
o Gross salary
o Deductions
• The salary journal shall be checked by the head of the personnel division and authorised and
signed:
o Recalculated
o Checked with reference to the budget
o Checked for the unusual expenses
o Any differences shall be investigated
c) Payslip
• A pre-numbered pay slip shall be issued in two-fold by the payments division in order that employees receive their correct amount
• Copies:
o Employee
o Personnel division
• Details:
o Employee number
o Employee name
o Basic salary
o Salary scale
o Net salary
o Fringe benefits
o Gross salary
o Deductions
d) Payments by cheque (refer to payments & purchases cycle)
• The cheque shall be requested with the necessary supporting documentation (cheque requisition)
• Supporting documentation shall be cancelled to prevent double recordings
• The cheque number shall be noted in the salary journal, to note if the cheque has already been paid
• The cheque shall be signed and authorised by 2 persons
• The cheque shall be made out in the employee’s name and crossed (non-transferrable)
• The cheque shall be compared with the salary journal to ensure the results are the same before the
cheque is signed
• A salary control account or separate bank account shall be used to pay the salaries
e) Payments by direct bank transfer and electronic funds transfer
• This shall be performed by the responsible individual
• Should prepare an EFT file and details shall be recorded in the file such as: salary, name & number
of the employee and banking details, etc.
• The manager of the payments division should review the file and compare it to the salary journal,
the file shall then be approved by a password being entered
• The actual paying of the salaries should occur from a separate bank account or a salary control
account
• Proof of payment must be printed out as evidence
• The head of the personnel division/accountant should check for fictitious employees
• There shall then be reconciliation between the separate salary control/bank account and the
transfer made by the accountant
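The review of the EFT file described in e) above (compare the file with the salary journal, check for fictitious employees), written out as an added example that is not part of the original notes. The record layouts, the issue codes and all data are constructed assumptions; the shared-account and duplicate-payee checks go slightly beyond the listed controls but serve the same fictitious-employee objective.

```python
from collections import Counter, defaultdict
from decimal import Decimal


def review_eft_batch(eft_lines, salary_journal, employees):
    """Compare an EFT file with the authorised salary journal and the
    personnel division's employee list before the batch is approved.

    eft_lines      : list of (employee_no, bank_account, amount)
    salary_journal : {employee_no: net salary per authorised journal}
    employees      : {employee_no: {"account": str, "active": bool}}
    Returns a sorted list of (employee_no, issue_code) findings.
    """
    findings = set()
    by_account = defaultdict(set)
    times_paid = Counter(emp_no for emp_no, _, _ in eft_lines)

    for emp_no, account, amount in eft_lines:
        by_account[account].add(emp_no)
        record = employees.get(emp_no)
        if record is None:
            # Payee unknown to the personnel division: possible fictitious employee.
            findings.add((emp_no, "NOT_ON_EMPLOYEE_LIST"))
        else:
            if not record["active"]:
                findings.add((emp_no, "TERMINATED"))
            if record["account"] != account:
                findings.add((emp_no, "ACCOUNT_DIFFERS"))
        if emp_no not in salary_journal:
            findings.add((emp_no, "NOT_IN_SALARY_JOURNAL"))
        elif salary_journal[emp_no] != amount:
            findings.add((emp_no, "AMOUNT_DIFFERS"))
        if times_paid[emp_no] > 1:
            findings.add((emp_no, "DUPLICATE_PAYEE"))

    # One bank account receiving more than one employee's salary.
    for emp_nos in by_account.values():
        if len(emp_nos) > 1:
            findings.update((e, "SHARED_ACCOUNT") for e in emp_nos)

    # Completeness: every employee in the journal must be paid.
    findings.update((e, "MISSING_FROM_EFT")
                    for e in salary_journal if e not in times_paid)

    # Control total: the batch must agree with the journal in total.
    eft_total = sum((amount for _, _, amount in eft_lines), Decimal(0))
    if eft_total != sum(salary_journal.values(), Decimal(0)):
        findings.add(("BATCH", "BATCH_TOTAL_DIFFERS"))

    return sorted(findings)


# Constructed sample data.
EMPLOYEES = {
    "E001": {"account": "1111", "active": True},
    "E002": {"account": "2222", "active": True},
    "E003": {"account": "3333", "active": False},   # resigned last month
    "E004": {"account": "4444", "active": True},
}
SALARY_JOURNAL = {
    "E001": Decimal("15000.00"),
    "E002": Decimal("18500.00"),
    "E004": Decimal("12000.00"),
}
EFT_LINES = [
    ("E001", "1111", Decimal("15000.00")),
    ("E002", "2222", Decimal("19500.00")),   # differs from the journal
    ("E003", "3333", Decimal("9000.00")),    # terminated, not in the journal
    ("E009", "1111", Decimal("7000.00")),    # unknown payee, shares E001's account
]

if __name__ == "__main__":
    for emp_no, issue in review_eft_batch(EFT_LINES, SALARY_JOURNAL, EMPLOYEES):
        print(emp_no, issue)
```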
f) Payments of deductions to third parties
I. IRP 5 FORM: deals with the income tax of the employee
• Must be pre-numbered
• Details on: payments received by the employee for the year and the corresponding tax deductions
• 2 Copies
  o Employee
  o Own records (accounting department)
• Other deductions included should be checked and authorised by the head of the payments division/accountant
II. Monthly return: all deductions of company in total
• Includes: tax, pension funds, medical aid fund, RAF, RSC, UIF (All these amounts must be checked against the company's own records)
• Shall be checked, authorised and signed by the accountant of the personnel division
  o Preparation and authorisation of the cheque (supporting documentation, supporting documentation cancelled, signed by 2 persons, etc.)
• The deductions shall then be paid over to the 3rd party after being authorised and signed
• Late payments will lead to the business being liable for fines and penalties
6. Account
• Preparation of the wage journal entries
• Processing of the wage journal entries to the general journal and general ledger
Additional theory to look at
List the controls that should be in place over the authorising and payout of bonuses
1. The directors’ resolution on the bonus issues (in detail per employee or per post level) must be
recorded in the minutes of the meeting.
2. Minutes must be approved and kept safe in a systematic manner.
3. A separate ledger account for bonuses must be opened, so that the bonus payout is easy to identify.
4. The financial accountant must:
a. Agree amount in ledger account with amount in minutes.
b. Select a sample of employees and ask the wage manager to provide him with the payslips and
IRP5 certificates of the relevant employees in order to check that bonus amount per individual
agrees with approved list.
5. The financial accountant must check the supporting documentation before he authorises the bonus
cheques.
6. The cheques must be approved by a member of management as second assignee.
Internal control objectives: Salary systems
To ensure that….
• Only authorised engagements of competent, qualified persons occur.
• Payments take place at authorised, approved scales or tariffs.
• All salary calculations are accurate.
• All deductions and fringe benefits/allowances are properly authorised.
• Payments to employees (salary cheques) are properly authorised.
• All salary changes/increases/adjustments are properly authorised.
• All dismissals are duly authorised.
• No fictitious employees exist in the salary system (or that payments only occur to valid employees).
• All salary transactions (salary expenses and payments) are properly (completely) recorded in the accounting records.
• All salary transactions are recorded accurately in the accounting records.
• Salary journals are correctly cast and all salary transactions are accurately posted to the correct general ledger account.
• All salary transactions are recorded in time and are classified correctly in the accounting records.
Internal control objectives: wages
To ensure that:
• All wage pay-outs are prepared according to actual hours worked as per authorised clock cards
• All wages calculated at authorised rates
• All changes to wage rates are correct and authorised
• All deductions and fringe benefits are authorised
• All payments of deductions are correctly calculated
• All deductions are paid to the correct organisation
• All wage payments are correctly calculated
• All wage payments are made to actual employees of the organisation
• All wage payments are made to the correct employee
• All wage workers are paid for services rendered
SALARIES & WAGES CYCLE
CONTROL OBJECTIVES:
VALIDITY
- appointments are authorised
- employees on system are actual employees of the business
- changes to salaries / wages are authorised i.t.o company policy
- dismissals are authorised
- employees who resign are removed from the journal
- payment of wages relates to services rendered in the period
- clock cards issued & collected are for actual employees only and only for actual hours worked
- cash is kept in safe custody
ACCURACY
- changes to salaries & wages are recorded accurately
- normal and overtime hours calculated correctly
- payment takes place at authorised rates
- calculations of salaries & wages done accurately
- correct wage amount is requested
- correct wages placed in wage envelope for each employee
- deductions & liabilities calculated correctly and paid over to the third party
COMPLETENESS
- all wage earning employees paid for their services
- all employees who worked are paid
- salaries are paid to all employees entitled to payment
SALARIES
To ensure that:
• only authorised engagements of competent, qualified persons occur.
• payments take place at authorised, approved scales or tariffs.
• all salary calculations are accurate.
• all deductions and fringe benefits/ allowances are properly authorised.
• payments to employees (salary cheques) are properly authorised.
• all salary changes/increases/adjustments are properly authorised.
• all dismissals are duly authorised.
• no fictitious employees exist in the salary system (or that payments only occur to valid employees).
• all salary transactions (salary expenses and payments) are properly (completely) recorded in the accounting records.
• all salary transactions are recorded accurately in the accounting records.
• salary journals are correctly cast and that all salary transactions are accurately posted to the correct general ledger
account.
• all salary transactions are recorded in time and are classified correctly in the accounting records.
WAGES
To ensure that:
• all wage pay-outs are prepared according to actual hours worked as per authorised clock cards.
• all wages are calculated at authorised rates.
• all changes to wage rates are correct and authorised.
• all deductions and fringe benefits are authorised.
• all payments of deductions are correctly calculated.
• all deductions are paid to the correct organisation.
WAGES: preparation and calculation - validity
Internal control objectives: VALIDITY: Wages calculation and preparation of wages & deductions in wage journal
To ensure that:
• Only authorised appointments occur.
• Payments of wages are only made for hours actually worked.
• Payment of wages takes place at authorised tariffs/rates.
• Deductions and fringe benefits/allowances are properly authorised.
• Dismissals are duly authorised.
• Wage payments are made only for authorised hours.
DESIGN A SYSTEM OF INTERNAL CONTROL : WAGE PAYOUT
1) There should be limited access to the wage pay out area
2) Each employee should only be allowed access to the wage pay out area if they show valid identification (identity
document/employee card).
3) Wage pay-outs must be attended by the wage clerk and the head of the human resources division.
4) Workers must identify themselves properly when they come to fetch their wages, e.g. by means of a personnel card or identity document.
5) No employee should be allowed to claim wages on behalf of any other employee.
6) Each employee should present their proof of identification (employee card) and:
7) Mr Moore should validate they have worked for him in the week and confirm they are the person on the photo,
8) Mr Moore and Miss Jackson must agree the employee number on their employee card to the corresponding pay packet.
9) Wage envelopes must be handed to the workers in person only.
10) The workers must immediately, under the supervision of the wage clerk and the head of the human resources division,
check the cash in the envelope and immediately record any differences in the wage journal.
11) Workers must sign the wage journal as evidence that they received their wages
12) The wage clerk and the head of the human resources division must record all unclaimed wages as ‘unpaid’ in the wage journal and then also record it in the unclaimed wage register.
13) Uncollected wage envelopes, together with the unclaimed wage register, must immediately be handed over to the
financial accountant for safekeeping (e.g. in a safe).
14) The financial accountant must reconcile the unclaimed wage register and the wage journal on a weekly basis.
15) Similar procedures must be in place as in 1-5 above, when the worker claims his/her wage envelope at a later stage.
16) The unclaimed wages not claimed after a reasonable time, must be deposited at the bank.
17) Long outstanding or regularly unclaimed wages must be checked by the financial director and reasons must be obtained.
TEST OF CONTROLS: WAGE PAYOUT
PASTE TAPE
P
Observe an interview to confirm that the HR manager, GM and foreman are present in the interview. If it is not possible to observe an interview, enquire from them if they are always present in every interview.
A
Select a sample of new appointments from the new appointment list and obtain the employee files to perform the following:
• Inspect the file:
   - contract signed by the manager and the employee
   - each employee is allocated a unique employee number
   - certified copy of the employee’s ID book
• Follow the employees to the applicable wage journal in the month of first payment based on the date on the contract.
• Inspect the contract for the normal and overtime wage rate included in the contract and agree it to the approved wage rate authorisation form on the date of employment.
S
Obtain the wage rate approval forms and inspect the form for the owner’s signature as well as normal and overtime rates.
T
• Select a sample of sequential timesheets and follow up any missing timesheets (re-performing the timesheet sequence check).
• Observe the handing out of timesheets to the employees, confirming that she agrees the employee number on their employee card to their timesheet and their photo to the person.
• Select a sample of timesheets from the weekly files and trace the timesheets through to the wage journal for the applicable month.
E
Inspect a sample of employee cards and confirm the detail to their employee file.
T
Select a sample of transactions from the wages account where the whole amount was not transferred out of the account in one batch (beneficiaries that were not loaded).
- Inspect that the wage journals themselves have been signed by the accountant.
- Recalculate the totals of the wage journals.
- Re-perform the reasonability check and enquire from the factory manager regarding any abnormalities identified in his comments to the reasonability check.
A
Inspect the access profile / authorization of the wages bank account to confirm that only the FD can add beneficiaries to the wages account.
P
Select a sample of wage payments from entries in the wage journal and perform the following:
- Agree (re-perform) the hours worked to the approved timesheet that has been signed by the employee as well as the factory manager.
- Inspect the timesheets for specific approval of overtime by the factory manager, note his signature.
- Recalculate the gross and net wage.
- Agree (re-perform) the workings from the wage journal to the wage slips.
- Inspect that the wage slips are signed by the accountant as evidence of the review.
E
Observe that employees’ employee cards are checked by the foreman at the beginning and end of a day.
Formulate the tests of controls you would perform on the WAGES system
1. Enquire of managers if all interviews are conducted by both the human resources manager and the factory manager and corroborate with new employees. (validity)
2. Select a sample of new appointments from the new appointment list and obtain the employee files to perform the following: (validity)
   • Inspect that the file contains a contract signed by the manager and the employee.
   • Inspect that each employee is allocated a unique employee number by reviewing that a sample of consecutive appointments’ employee numbers are not duplicated.
   • Inspect the personnel file for the certified copy of the employee’s identity book.
   • Follow the employees to the applicable wage journal in the month of first payment based on the date on the contract.
   • Inspect the contract for the normal and overtime wage rate included in the contract and agree it to the approved wage rate authorisation form on the date of employment.
3. Select a sample of new wage employee files and confirm (re-perform) that the employees were added to the new employee list on the appropriate date. (completeness)
4. Obtain the wage rate approval forms and inspect the form for the owner’s signature as well as normal and overtime rates.
5. Inspect a sample of employee cards and confirm the detail to their employee file.
6. Observe Mrs Jackson handing out the timesheets to the employees, confirming that she agrees the employee number on their employee card to their timesheet and their photo to the person.
7. Select a sample of sequential timesheets and follow up any missing timesheets (re-performing the timesheet sequence check).
8. Select a sample of wage payments from entries in the wage journal and perform the following: (validity)
   • Agree (re-perform) the hours worked to the approved timesheet that has been signed by the employee as well as the factory manager.
   • Inspect the timesheets for specific approval of overtime by the factory manager, note his signature.
   • Agree the wage rate to the appropriate quarterly wage approval form signed by the owner.
   • Recalculate the gross and net wage.
   • Agree (re-perform) the workings from the wage journal to the wage slips.
   • Inspect that the wage slips are signed by the accountant as evidence of the review.
9. Select a sample of timesheets from the weekly files and trace the timesheets through to the wage journal for the applicable month. (completeness)
10. Select a sample of months’ wage journals and perform the following: (validity)
   • Inspect that the wage journals themselves have been signed by Mr Ngobese.
   • Recalculate the totals of the wage journals.
   • Re-perform the reasonability check and enquire from the factory manager regarding any abnormalities identified in his comments to the reasonability check.
Formulate the tests of controls you would perform on the WAGES system
1. Observe an interview to confirm that the HR manager, GM and foreman are present. If not possible to observe an interview, enquire from them if they are always present in every interview.
2. Select a sample of appointments that were made in the year from list of appointments and follow through to employee files to perform the following: (validity)
   a. Inspect that the file contains an employment contract signed by the employee and the HR manager. (validity)
   b. Inspect the employee contract to confirm that each employee has been issued with a staff number and confirm by inspection that none of the staff numbers are the same. (validity)
   c. Inspect the copies of the ID, driver’s license and certified letter from the bank and compare details to employment contract.
3. Select a sample of payments from the wages bank account and follow through to the wage requisition, monthly wage calculation, weekly wage journals and logbooks and perform the following:
   • Reperform the comparison of the amounts on the wage requisition, current account bank statement and wage account bank statement and follow up any differences.
   • Inspect the wage requisition, current account bank statement and wage account bank statement for the signature of the FD.
   • Reperform the comparison of the wage requisition to the monthly wage calculation and follow up any differences.
   • Reperform the comparison of the monthly wage calculation to the total of weekly wage journals and follow up any differences.
   • Confirm by inspection that the foreman initialed next to any amendments in the weekly wage journal.
   • Reperform the wage calculation and follow up any differences.
   • Inspect the weekly wage journal for the foreman’s signature.
   • Reperform the comparison between the weekly wage journal and logbooks for the week.
   • Inspect the logbook for the foreman’s signature at the end of the day to confirm that he had checked the employee cards upon their return.
   • Inspect the logbook for the foreman and gardeners’ signatures to confirm that they were assigned to the particular truck on a day.
4. Observe that employees’ employee cards are checked by the foreman at the beginning and end of a day.
5. Inspect the access profile / authorization matrix of the wages bank account to confirm that only the FD can add beneficiaries to the wages account.
6. Select a sample of transactions from the wages account where the whole amount was not transferred out of the account in one batch (beneficiaries that were not loaded):
   a. For these transactions, confirm through inspection that the wage clerk sent an email to the FD requesting for the beneficiary to be loaded.
   b. Reperform the comparison of the bank details in the employee file to the bank details of the beneficiary loaded on the bank account.
Assertion labels whose row alignment was lost in extraction, in the order they appear: accuracy, validity, validity, accuracy, accuracy, accuracy, validity, accuracy, accuracy, accuracy, validity, accuracy, accuracy, validity, accuracy, validity, validity, validity, validity, validity, validity, validity, validity.
Formulate the tests of controls you would perform on the WAGES system
1. Observe an interview to confirm that the HR manager, GM and foreman are present. If not possible to observe an interview, enquire from them if they are always present in every interview.
2. Select a sample of appointments that were made in the year from list of appointments and follow through to employee files to perform the following: (validity)
   • Inspect that the file contains an employment contract signed by the employee and the HR manager. (validity)
   • Inspect the employee contract to confirm that each employee has been issued with a staff number and confirm by inspection that none of the staff numbers are the same. (validity)
   • Inspect the copies of the ID, driver’s license and certified letter from the bank and compare details to employment contract.
   • Inspect the contract for the normal and overtime wage rate included in the contract and agree it to the approved wage rate authorisation form on the date of employment.
3. Select a sample of new wage employee files (completeness) and confirm (re-perform) that the employees were added to the new employee list on the appropriate date.
4. Follow the employees to the applicable wage journal in the month of first payment based on the date on the contract.
5. Select a sample of sequential timesheets and follow up any missing timesheets (re-performing the timesheet sequence check).
7. Select a sample of wage payments from entries in the wage journal (validity) and perform the following:
   • Agree (re-perform) the hours worked to the approved timesheet that has been signed by the employee as well as Mr Moore.
   • Inspect the timesheets for specific approval of overtime by Mr Moore, note his signature.
   • Agree the wage rate to the appropriate quarterly wage approval form signed by Mrs Harris.
   • Recalculate the gross and net wage.
   • Agree (re-perform) the workings from the wage journal to the wage slips.
   • Inspect that the wage slips are signed by Mr Ngobese as evidence of the review. (1)
Select a sample of timesheets from the weekly files (completeness) and trace the timesheets through to the wage journal for the applicable month.
8. Select a sample of months’ wage journals and perform the following: (validity)
   • Recalculate the totals of the wage journals.
   • Inspect that the wage journals themselves have been signed by Mr Ngobese.
   • Re-perform the reasonability check and enquire from Mr Moore regarding any abnormalities identified in his comments to the reasonability check.
9. Observe that employees’ employee cards are checked by the foreman at the beginning and end of a day. (validity)
Assertion labels whose row alignment was lost in extraction, in the order they appear: accuracy, validity, accuracy, validity, validity, accuracy.
INVESTMENT & FINANCING CYCLE
FINANCING
Issue of shares (shares certificate)
Dividends
Raising a long-term loan
Finance charges & loan repayments
INVESTMENTS
Acquisition of PPE
Disposal of PPE
Depreciation & Net Asset Values
Property – title deed
Equipment – invoice
Market value – registered in your name
A. INITIATION
Authorisation:
• Company policy & directors’ resolution (minutes of directors’ meetings)
• Adhere to any limitations set out in the MOI
• Any requirements in the Companies Act (e.g. section 40 regarding the share price)
• Cash flow considerations, budget preparation & cash flow statements
• Liquidity & solvency must be considered
B. TRANSACTION TYPES
I. Investment transactions
• Acquisition & disposal of tangible non-current assets & financial instrument investments
• Acquisition, internal generation & disposal of intangible assets
• Receipt & accrual of interest income & dividends received on investments
• Accounting for the use of & changes in value of tangible & intangible assets through:
   i. Depreciation / amortization
   ii. Revaluation / other fair value adjustments
   iii. Impairments & write downs
   iv. Profits / losses on disposal
II. Financing transactions
• Issue and repurchase of shares
• Receipt of loan funding & payment thereof
• Issue of debentures & subsequent repayments
• Handling of accounting for the obligations that arise out of financing:
   i. Dividends declared & paid
   ii. Finance charges accrued & paid (on loans)
   iii. Finance charges & accounting adjustment in relation to debentures
Purpose of the transaction:
• Ensure that an entity invests funds in non-current assets to commence & operate a business & generate working capital that ultimately provides profits for the entity (directly or indirectly)
• Also invest funds into other investment assets to generate investment returns
• Ensure that the entity obtains sufficient financing in order to be able to commence & operate a business
C. CHARACTERISTICS OF THE CYCLE
• Magnitude of transactions in the cycle is usually material on FS
• Frequency of transactions is usually lower than for other cycles
• Transactions are not subject to routine IC.
• Since many transactions are done internally, they are often done without supporting external documentation
• Transactions are governed by statutory & governance requirements such as:
   o Companies Act 2007
   o MOI
D. FUNCTIONAL AREAS
i. FINANCING
Issue of shares
PURPOSE: To obtain cash flows by allowing potential or current shareholders to purchase an interest in the company
ACTIVITY:
• Approval of issue of additional shares by board of directors (approval must be had by parent company & resolution minuted)
• Above must be in accordance with S38, S39 & S40 of the Companies Act
• Shareholders agreement must be drawn up & entered into by new investors & the entity
• Investor pays for shares in terms of the agreement
• Share certificate issued
• Transaction recorded in accounting records
PEOPLE:
1. Board of directors
2. Company secretary
3. Accountant
Payment of dividends
PURPOSE: To provide returns for shareholders for their investment in the company
ACTIVITY:
• Dividend is authorised by a resolution of the board of directors (must comply with S46 of the Companies Act). Must be minuted.
• Settlement of dividend takes place in accordance with the decision of the board of directors.
• Dividend recorded in accounting records
PEOPLE:
1. Board of directors
2. Company secretary
3. Accountant
Raising a long term loan
PURPOSE: To obtain cash flows from a bank or lender for funding purposes
ACTIVITY:
• Directors decide on the best financial decision to acquire new PPE
• Obtain approval from board & reach agreement with lenders on details of loan & repayments
• Documented in a formal agreement
• Signing of loan agreement, funds advanced & general ledger accounts updated to reflect transaction
PEOPLE:
1. Board of directors (specifically financial director)
2. Accountant
Finance charges & loan repayment
PURPOSE: To account for finance charges & loan repayments in terms of agreement
ACTIVITY:
• Interest calculated by lender and added to loan account
• Statement sent to entity on a monthly basis to reflect monthly interest charge
• Payment of interest takes place automatically
• Accounting records updated monthly to reflect payment of interest
• Repayments have to be made in terms of agreement. Take the form of a monthly amount, usually automatically paid
• Updates to accounts in general ledger are made
PEOPLE:
1. Accountant
ii. INVESTMENTS
Acquisition of PPE
PURPOSE: To invest funds in non-current assets to commence and operate the business & to generate working capital that provides for profits for the entity
ACTIVITY:
• Gaining approval from board of directors for significant transactions
• Conducting feasibility studies
• Acquisition process ensues - invoice by suppliers processed
• Acquisition requisition document is completed for less significant acquisitions
• All new PPE are recorded on the fixed asset register and general ledger
PEOPLE:
1. BoD
2. Department head / person requesting asset
3. Relevant accounting personnel
Disposal of PPE
ACTIVITY:
• Significant transactions require approval by board of directors and have to be within the mandate of the MOI
• Once board of directors approved sales, asset is advertised for sale, buyers are identified, invoice for the sale price issued by the entity. Buyer settles the invoice and takes delivery of the asset
• Original cost and accumulated depreciation of asset must be removed from general ledger account after sale. Profit or loss must also be recorded
PEOPLE:
1. BoD
2. Accountant
3. Relevant accounting personnel
Accounting for use of assets & changes in asset values
PURPOSE: To account for the use of and changes in value of PPE over time
ACTIVITY:
• Depreciation is calculated according to useful life of the category class of PPE
• Accordingly, entity staff estimate useful lives and residual values
• Recorded on fixed asset register and GL
• Qualified member of staff considers the impairment of assets annually
• If no one is suitably qualified – expert in the field may be appointed by BoD
PEOPLE:
1. BoD
2. Production managers/directors
3. Accountant
4. Other relevant accounting personnel
E. DOCUMENTS AND RECORDS
I. Investment activities
• Ordering and acquisition of assets
   o Capital budget
   o MOI
   o Minutes of the board meeting
   o Asset requisition
   o Specific purchase agreements/contracts
• Receipt and custody of assets
   o Share certificate
   o Detailed fixed asset register
   o Master file amendments forms
   o Schedule calculations
II. Financing activities
• Receipt of debt or equity funds
   o Minutes of board meeting
   o MOI
   o Specific financing agreement/contract
• Holding of debt or equity funds
   o Securities register
   o Master file amendments forms
   o Schedules of financing calculations
F. RISKS IN THE CYCLE
I. Investing activities
• Fictitious or obsolete assets no longer used recorded in SFP
• Management manipulate asset values as IFRS estimates are subjective
• Inappropriate capitalisation of expense costs may occur
• Entity may record an asset it does not have rights to
• An asset may need to be impaired due to a loss in value owing to various internal and external (necessary write-down may be recorded incorrectly)
• Accounting of complex financial instrument investments may be incorrect
• Misappropriation risk may arise because of theft of tangible assets and personal use of assets by management
II. Financing activities
• Failure to recognise financial liabilities at reporting date
• Understatement of value of loans/debentures at reporting date
• Accounting of complex liabilities incorrectly
• Failing to account for accruals in relation to financing expenses (e.g. interest expense and dividends declared)
G. CONTROL
VALIDITY
• Investments:
   o Invalid purchases or capitalisation of assets
   o Overstatements of assets due to fictitious purchases
   o Invalid development costs being capitalised
• Financing:
   o Unauthorised financing obtained
   o Overstatement of owners’ equity and liabilities
   o Overstatement of expenditure due to invalid recording of finances
ACCURACY
• Investments:
   o Purchases or capitalisation of assets recorded inaccurately
   o Incorrect recording of investment revenue & expenditure
• Financing:
   o Inaccurate recording of equity and loan receipts / repayments
   o Over/understatement of OE
   o Overstatement of expenditure due to invalid recording of finances
COMPLETENESS
• Investments:
   o Assets purchased are omitted from recording = understatement of assets
   o Incorrect recording of investment revenue and expenditure
• Financing:
   o Incomplete equity and loan receipts or invalid recording of loan repayments = understatements of equity
   o Incomplete recording of financing expenditure
INVESTMENT & FINANCING CYCLE
FORMULATE CONTROL OBJECTIVES
INITIAL RECEIPT OF LONG-TERM LOAN
To ensure that:
• The long term loan is appropriately authorised and is allowed in terms of the Companies Act.
• The long term loan relates to funds actually received by the business during the current period.
• The long term loan is accounted for at the correct amount in the financial records.
• The long term loan is classified correctly in the accounting records.
• The long term loan is accounted for timeously in the accounting records.
INTERNAL CONTROLS
FOR THE LOAN FROM XXX BANK
• The approval must be given at a directors’ meeting and noted in the minutes of the meeting.
• Before the decision is authorised, the following must be considered:
   o Statutory requirements such as the Companies Act;
   o The company’s policy and Memorandum of Incorporation;
   o The estimated cash requirements of the company, supported by cash flow estimations and budgets.
   o Any other valid point.
• Legal advice should be obtained to consider any legal implications for the company.
• Contracts with all relevant terms and conditions must be signed by an authorised staff member of TGS (one of the directors), as well as a representative from the party advancing the loan.
Formulate the tests of controls you would perform on the LOAN FINANCING
11.
Inspect the financial statements to ensure the loan balances are correctly disclosed in terms of
IFRS
accuracy
completeness
12.
Recalculate the interest expense & agree it to the loan
accuracy
13.
Confirm the outstanding capital & interest amount with the party providing the loan
SIC
Formulate the tests of controls you would perform on INVESTMENT
1.
2.
3.
Select a sample of fixed asset purchases and inspect the supporting requisition
Enquire about the procedures in terms of purchasing fixed assets & the comparison of the
physical assets with the recorded assets
Inspect the signature of senior management as proof the comparisons were performed
Enquire about the policies in terms of purchases & disposals
validity
validity
completeness
Inspect supporting documentation and the minutes as proof of authorisation
4.
Inspect the requisitions for numerical sequences and proof the client’s signature
completeness
5.
Inspect the fixed asset register for proof of a senior management’s signature
completeness
6.
Select & compare a sample of purchases from records & compare to the invoice amount
accuracy
7.
Inspect for the reviewer’s signature as evidence
accuracy
8.
9.
Select purchases & disposals of fixed assets from the cash book & follow through to the source
documents, fixed asset register and entries in the ledger
must agree the date / amount / description and category
Inspect the reconciliation and agree it with the accounting records and source documents
Inspect the signature as evidence of review
10.
Verify the procedure by enquiry
11.
Select purchases & disposals from source documents and follow through to the ledger accounts
& fixed asset register to ensure all is recorded in the correct period
12.
Enquire about the company’s policy and inspect the application
accuracy
completeness
Audit Approach
ISA 300, 330
Learning outcomes:
• Explain the difference between a combined approach and a substantive approach
• Explain elements which must be included in an overall audit approach
• Formulate an overall audit approach for practical situations
• Distinguish between audit plan and overall audit approach
Overview of the Audit Process
Audit Approach background:
• Why?
Plan of action or work method on how to approach the audit to obtain sufficient
audit evidence to evaluate the fair representation of the financial statements as a
whole or per account
• What?
Audit procedures to be performed based on the nature, timing and extent
• Procedures?
1. Test of Controls (TOC) - test working of controls
2. Substantive procedures (SP) - Detailed tests - verify year end balances,
transactions
Reasons for the Audit Approach:
• Why do we formulate an Audit Approach?
- Co-ordinate the audit
- Limit audit risk
- Audit evidence in cost effective way
- Determine the nature/extent/timing of audit procedures
• Using what?
- Knowledge of the business and industry
- Planning materiality
- Risk evaluation
Overall Audit Approach:
ISA 330
Risk based Audit Approach: AR = IR x CR x DR
• Risk identified at financial statement level: determine the overall approach
   - Nature
   - Timing
   - Extent
• Risks identified at account/assertion level: specific audit procedures applied to respond to material misstatements of assertions
Nature, timing and extent of the Audit Approach:
Nature:
Refers to the purpose of the procedures that the auditor chooses to perform and to the types of procedures used for obtaining audit evidence
• Test of controls
• Substantive procedures
Timing:
Refers to when the audit procedure is performed
• The most common factor that affects timing of the audit procedures is the risk of
• Year-end stage: The higher the assessed risk is, the more likely auditors are to perform procedures at or after the end of the financial reporting period
• Interim period: The controls have proved effective in prior periods. Test up to year-end, in order to obtain evidence that the controls tested at the interim stage operated effectively for the entire year under review
Extent:
Refers to the quantity of the audit procedures to be performed, therefore often referring to the sample size used for an audit procedure
• Extensive
• Limited
• None
Two scenarios:
CR ↑: Substantive approach (therefore, substantive procedures)
• Nature: Substantive procedures
• Timing: Substantive procedures at year-end stage
• Extent: Substantive procedures, extensive
CR ↓: Combined audit approach
• Nature: Test of controls; substantive procedures
• Timing: Test of controls at year-end stage and interim period; substantive procedures at year-end stage
• Extent: Test of controls: CR ↓ extensive, CR ↑ limited; substantive procedures: limited
How to know what audit approach to follow:
• Can you rely on the Internal Controls?
• Yes = Combined approach
• No = Substantive approach
How to answer a question: CR ↑
• Control risk was previously evaluated as high, which means that there is no proper system of internal control in place
• No reliance can therefore be placed on the system of internal control, consequently no tests of control will be performed
• This will be achieved by following substantive based audit approach
• Extensive substantive procedures will be performed
• Extensive substantive procedures will be performed after year-end
Audit Materiality
ISA 320
Learning outcomes:
• Discuss the concept of materiality and apply in practical situations
• Describe the role that materiality plays in the different stages of the audit
• Calculate the materiality figure (with discussion of the factors which were evaluated)
• Describe the relationship of materiality with audit risk and apply practically
Introduction:
ISA 220:
Purpose of audit of FS – to enable the auditor to express an opinion as to whether the FS in
all material respects are prepared in accordance with the applicable financial reporting
framework
ISA 320:
Auditor should consider materiality and its relation to the audit risk whilst concluding an
audit
What is ‘material’?
Info is material if:
• omission thereof or misstatement thereof can influence the economic decisions of
users made on financial statements
Depends on:
• The size (rand value) of item/ mistake (quantitative) or
• Nature (qualitative)
• Judged in surrounding circumstances
• Professional judgement
Why is it necessary?
• Auditor does not provide 100% guarantee
• Only reasonable assurance
• That financial statements are free from material misstatements
• Planning: Determine acceptable materiality level
- For the detection of qualitative material misstatements
- Determining factor: extent of audit tests
What will cause the AFS to be materially misstated
Help determine which financial items to inspect, audit procedures
When?
Materiality needs to be considered during various stages of the audit process
• Planning (ISA 320):
- Materiality during planning of the audit
- Preliminary information
- Helps identify which FS items to investigate
- Determine audit procedures
• Review during audit (ISA 315):
- Re-evaluate
• Completion (ISA 320):
- Materiality during finalisation of the audit
- Audited figures
- More knowledge, circumstances can change
- Evaluate audit differences
How is it determined?
Apply professional judgement
• Quantitative indicator: calculate figure
- Follow framework
- Provide cut-off point/ threshold
• Qualitative considerations:
- Consider nature of item/ mistake
• Material account balance:
- Contains risk of material misstatement
- Based on size (quantitative) or qualitative characteristics
Materiality:
• Last phase of the planning process involves the auditor determining the level of
misstatement that will be acceptable to the users of the FS
• Planning materiality can only be properly determined once the auditor has:
- Fully understood the entity and its users
- Assessed the inherent and control risk at FS level to determine the detection risk at this level
- Considered the auditor’s response to this required level of detection risk
• Audit Risk (AR): want low = 0
• Detection Risk (DR) - auditor: want low = 0
• RMM (Risk of Material Misstatement) - business: want low = 0
Determination of IR and CR, DR WTA and materiality figure:
• IR and CR high: DR WTA low, low materiality figure – more audit evidence
• IR and CR medium: DR WTA medium, average materiality figure
• IR and CR low: DR WTA high, high materiality figure – less audit evidence
Types of materiality:
1. Planning materiality
2. Performance materiality
3. Final materiality
Planning materiality:
• For the overall financial statements
• 5 step materiality approach
1. Which financial information should be used
2. Bases available
3. Bases suitable for client, discuss:
- User
- Nature of business
- Stability of bases
4. Calculate range
5. Decide on materiality
Identify IR and CR level so that you can decide on DR
Performance materiality:
• Calculate for each individual account
• % of planning materiality
• Performance materiality may not be higher than planning or final materiality
Final materiality:
• Final check after any audit adjustments that materiality if calculated on the 5 step
approach is higher than materiality used to adjust
PLANNING MATERIALITY
Step 1: Which financial information is used?
CURRENT YEAR:
◦ The current year's figures are not available for the entire year and the turnover cannot be compared with the previous 9 months, therefore we cannot use it.
◦ The current year’s financial information (2018 actual) is available and there is no indication of any significant changes since the preparation of this information.
◦ The current year's figures are available and show the actual results for nine months. There is no indication of any significant changes since this information was compiled or indications that this information will change significantly.
◦ The current year’s figures are available and there is no indication that these figures will change significantly.
CURRENT YEAR BUDGET:
◦ The current year budgeted sales (revenue) show a significant decrease and are below actual figures for 2018 and consequently the budgeted figures are not appropriate.
◦ The current year's budget is available and the budget is higher than the actual results achieved and is not applicable to be used for materiality.
◦ It looks like the original budget will not be reached and therefore it cannot be used.
PREVIOUS YEAR:
◦ Figures of the previous financial year are available and have been audited, but cannot be used as the company’s financial situation has changed significantly from the previous year audit, mainly due to acquisition of new airplanes.
◦ Figures of the previous financial year are available and have been audited, but cannot be used as the company’s financial situation has changed considerably since the previous year’s audit.
◦ The previous financial year’s figures are available and were audited, but are not appropriate since the company’s business model changed since the previous year’s audit and the previous year's figures are no longer a reasonable account of the financial situation of OCC.
CONCLUSION:
◦ They say that the Financial Manager is known for his accurate budget preparations. The figures that would give the most accurate indication for planning purposes are the adjusted budgeted figures for 2010.
◦ The actual figures for 2018 are the most accurate indication of the company’s substance, because they reflect the change in the company’s operations best and will be used.
◦ The actual figures for 2019 are the most accurate reflection of the company’s operations for the financial year under review, if they are adjusted to represent the entire financial year (12 months, thus 12/9).
Step 2: Bases as given
• 0.5% to 1% of income
• 5% to 10% of net profit before tax
• 1% to 2% of total assets
Step 3: Which basis to use
Users:
• Owners:
◦ The company is not listed and is owned, in equal parts, by middle-aged brothers.
◦ They want to earn a good income from the company and want to expand to earn additional income. Therefore their dividends are their main focus and the statement of comprehensive income will be an appropriate basis.
Statement of Comprehensive Income
• Shareholders:
◦ The company is a listed company.
◦ The owners will mainly be interested in the firm’s profitability and dividend payable to them and capital growth.
Statement of Comprehensive Income
Statement of profit and loss
Statement of Comprehensive Income.
• SARS:
◦ The financial statements would also be of importance to the South African Revenue Service since the company has to pay tax on its taxable income
• Credit providers:
SHORT-TERM:
◦ The short-term credit providers consist of creditors and overdraft bank account and they will be interested in the profitability
Statement of Comprehensive Income.
LONG-TERM:
◦ The long-term credit providers will be interested in the firm’s profitability, which is needed to maintain interest rates and do capital repayments and which might have impact on the company’s ability to redeem the finance charges
Statement of Comprehensive Income
◦ The long-term credit providers will be interested in financial stability and the assets, that may be assessed when the company experiences financial problems
Statement of Financial Position.
◦ The bank (that provided the long term loan) is one of the main users of the financial statements. They are especially interested in two factors: assets, which are security for the loans and may be claimed if the company experiences financial problems (statement of financial position) and the firm's profitability which can have an impact on the company’s ability to redeem finance charges and capital
Statement of profit and loss
Statement of comprehensive income
Nature of the business:
MANUFACTURING COMPANY
◦ The company is a manufacturing company which manufactures furniture. As a result of the nature of the business the company owns inventory and assets that are used for the production of inventory (capital intensive). Without the assets the business will not survive.
Statement of Financial Position
DISTRIBUTION COMPANY
◦ The company is a producer and distributor of food products. As a result of the nature of the business the company owns inventory and assets that are applied for the production of inventory. Without the assets the business will not survive.
Statement of Financial Position
SALE OF GOODS
◦ The company’s main business is the selling of goods. Revenue is what drives the business. This is confirmed by the size of the revenue figures on the statement of profit and loss and other comprehensive income.
Statement of comprehensive income
Statement of comprehensive income
RENDERING SERVICES
◦ The business is also driven by income from rendering services and upgrades. This is supported by the size of income compared to the other elements of the financial statements.
Statement of Profit & Loss
Statement of comprehensive income
CAPITAL INTENSIVE BUSINESS
◦ The business is also capital intensive and requires airplanes to operate. The size of the assets in relation to the other elements of the financial statements is significant
Statement of Financial Position
NON-CURRENT ASSETS = KEY DRIVER
◦ With the change in the business model during the current year, expensive, specialised machinery is required for services and upgrading. Therefore the non-current assets are the key drivers of the business. This is supported by the size of the assets compared to the other elements of the current year's financial statements
Statement of Financial Position
Funding of the business:
◦ The expansion in the bank overdraft will be applied for the payment of salaries, for overtime and for the purchasing of generators.
◦ As a result of the high debt levels credit suppliers will focus on the stability of the Statement of Financial Position. Yet, they will not ignore the Statement of Comprehensive Income and will be interested in profit before tax.
Statement of Comprehensive Income
Statement of Financial Position
Stability:
Statement of Comprehensive Income:
• information is not very stable. Income decreased from R850 million in 2016 to R756 million in 2017 and then increased again, to R829 million in 2018.
• information is very volatile and therefore it cannot be used.
• With the change in business model, there was also an increase in the net profit before tax percentage (18% to 33%) as well as sales (41%, attributed to 12/9 months). The statement of comprehensive income is therefore not stable.
Statement of Financial Position:
• The statement of financial position figures are not stable due to the acquisition of the airplanes.
Net profit before tax:
• the company made a net loss → not a suitable measurement or an appropriate basis
• A loss is budgeted for the current year therefore profit before tax will not be an appropriate basis.
Total assets:
• There was a once-off classification error between work-in-progress and finished products, but it does not affect the total asset basis, since it is within the basis and can easily be corrected. It is only an allocation error and does not eliminate the basis.
• With the new business model and purchase of machinery, PPE also increased considerably during the current year and therefore the total assets are also not stable.
• not suitable - expect problems with the inventory count and doubts exist about inventory figure.
• the assets are fully depreciated even though they are still in use, indicating that the total asset base might not be appropriate.
• There might be uncertainty regarding when ownership transferred on the generator (as it was delivered on year end in an emergency), which might mean that assets are misstated – this eliminates this base.
Revenue:
• Revenue figures showed a steady increase, and are thus more stable
Income:
• A decrease in income is expected during the year therefore it does not show a steady growth pattern and will not be an appropriate basis.
Gross Profit:
• The gross profit percentage stays stable at 40%
Since all users are interested in the Statement of financial position of the company and since the value of the company is in its assets, total assets will be selected as basis.
Step 4: Calculations
5% to 10% of profit before tax of R1 200 000 x 12/9 = R1 600 000
= R80 000 to R160 000
1% to 2% of Total Assets: (R11 850 000* 1% - 2%)
R 118 500 - R 237 000
Step 5: Decide on materiality figure
Conclusion:
• Inherent risk was determined to be low and control risk is also low.
- Detection risk: Therefore detection risk should be estimated at a high level.
- Where: at the top of the margin
- Planning materiality: Therefore the planning materiality figure in the bracket (R 118 500 - R 237 000) for the 2010 audit of Bakersman Limited is R 237 000
• Inherent risk was determined to be medium and control risk is also medium.
- Detection risk: Detection risk is medium
- Where: a figure in the middle of two margins will be selected
- Planning materiality: The planning materiality figure is therefore R120 000. (R80 000 to R160 000)
• Inherent risk was evaluated high and control risk is also high.
- Detection risk: Therefore detection risk should be estimated at a lower level
- Where: at the bottom of the margin
- Planning materiality: Therefore the planning materiality figure for the audit of Supaspa Limited is R41 700 (R 41 700 - R 83 400)
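Steps 4 and 5 above, worked through as an added Python example (not part of the original notes). The function names are illustrative, and the code assumes whole-rand inputs and only the three IR/CR scenarios the notes work through; it rejects a loss-making base, as the stability discussion does for profit before tax.

```python
"""Planning materiality: Step 4 (calculate range) and Step 5 (decide on figure)."""

# Step 2 bases from the notes, as (low, high) in basis points (1 bp = 0.01%).
BASES_BP = {
    "income": (50, 100),               # 0.5% to 1% of income
    "profit_before_tax": (500, 1000),  # 5% to 10% of net profit before tax
    "total_assets": (100, 200),        # 1% to 2% of total assets
}

# Step 5 table: assessed IR/CR level -> (detection risk, position in the range).
POSITION_BY_RISK = {
    "low": ("high", "top"),
    "medium": ("medium", "middle"),
    "high": ("low", "bottom"),
}


def annualise(amount, months):
    """Scale a part-year figure to 12 months (the notes' 12/9 adjustment)."""
    if not 1 <= months <= 12:
        raise ValueError("months must be between 1 and 12")
    # Integer arithmetic, rounded to the nearest rand.
    return (amount * 12 + months // 2) // months


def materiality_range(basis, amount, months=12):
    """Step 4: return (low, high) in rand for the chosen basis."""
    if basis not in BASES_BP:
        raise ValueError(f"unknown basis: {basis}")
    full_year = annualise(amount, months)
    if full_year <= 0:
        # A net loss is "not a suitable measurement or an appropriate basis".
        raise ValueError(f"{basis} of {full_year} is not a suitable basis")
    low_bp, high_bp = BASES_BP[basis]
    return full_year * low_bp // 10_000, full_year * high_bp // 10_000


def select_materiality(rng, inherent_risk, control_risk):
    """Step 5: return (detection risk, materiality figure) for a range."""
    for level in (inherent_risk, control_risk):
        if level not in POSITION_BY_RISK:
            raise ValueError(f"unknown risk level: {level}")
    if inherent_risk != control_risk:
        # The notes only cover scenarios where IR and CR agree; anything
        # else is left to professional judgement rather than guessed here.
        raise ValueError("mixed IR/CR levels are not covered by the notes")
    detection_risk, position = POSITION_BY_RISK[inherent_risk]
    low, high = rng
    figure = {"top": high, "middle": (low + high) // 2, "bottom": low}[position]
    return detection_risk, figure


if __name__ == "__main__":
    # Figures taken from Step 4 of the notes.
    pbt = materiality_range("profit_before_tax", 1_200_000, months=9)
    assets = materiality_range("total_assets", 11_850_000)
    print("Profit before tax range:", pbt)
    print("Total assets range:", assets)
    print("Low IR/CR on total assets:", select_materiality(assets, "low", "low"))
    print("Medium IR/CR on PBT:", select_materiality(pbt, "medium", "medium"))
```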
Audit Risk
ISA 200, 315
Learning outcomes:
• Describe and evaluate audit risk
• Name and describe components of audit risk
• Identify the factors that influence the components of audit risk and apply practically
• Describe the relationship between audit risk and audit evidence
Risk Evaluation
Audit risk (as low as possible):
Risk that the auditor expresses an inappropriate opinion when the financial statements are materially misstated
AR = IR x CR x DR
• Inherent risk: Susceptibility to a misstatement that could be material, before any related controls
• Control risk: Risk that a misstatement that could be material, will not be prevented, detected and corrected, on a timely basis by the entity's internal control
• Detection risk: Risk that specific audit procedures performed will not detect a material misstatement. Use detection risk to reduce audit risk to an acceptable level
Evaluate risks on two levels:
• ROMM on financial level:
- Risk factors affecting the overall financial statements
• ROMM on account/ assertion level:
- It affects a specific account/ assertion
Business risk
Inherent risk: Absence of Internal Control
Each risk factor is followed by its impact (why?) and its link to the AFS.
• Staff competence and experience; new industry
- Impact (Why?): Staff does not have knowledge of the business system or know the risk profile of the industry which may lead to the team making errors
- Link to AFS: Increase errors in AFS
• Well established brand with good reputation
- Impact (Why?): This is due to good customer services/ quality products/ sustainable practices
- Link to AFS: Decrease going concern risk
• Complexity of transactions or unusual/ difficult transactions (forex; large assets; provisions for guarantees; contingent liabilities)
- Impact (Why?): Complex calculations or calculations for which staff is not qualified
- Link to AFS: Increase risk of errors in AFS
• Management/ staff incentives or aggressive financial targets (mgt cannot reach budgeted figures; business has suffered a loss)
- Impact (Why?): Overstated income or assets and understated liabilities and expenses
- Link to AFS: Increase risk to manipulate AFS
• New client
- Impact (Why?): Client may not be well established and may have a small market share. There is no proven track record of profits
- Link to AFS: Increase going concern risk and increase errors in AFS
• Established client
- Impact (Why?): Well established with proven track record = high probability of certainty of future cash flows. Founders have extensive experience in the industry which indicates that they are competent to perform the role of running the business. Continually made a profit having built a brand that has a proven track record of being profitable and sales continue to grow which indicates that the company has a proven track record
- Link to AFS: Decrease going concern risk
Types of products/ services:
• Luxury
- Impact (Why?): Limited market share. Impact on cash flow and profits as demand drops
- Link to AFS: Increase going concern risk
• Unique
- Impact (Why?): High demand for product and have competitive advantage
- Link to AFS: Decrease going concern risk
• Obsolete due to technology
- Impact (Why?): Write down inventory to NRV (complex) = overvalued and thus errors in AFS. Loss of revenue due to the inability to sell products
- Link to AFS: Increase going concern risk
• Manufacturing products
- Impact (Why?): Manufacturing of the products leads to complex calculations and the accounting treatment
- Link to AFS: This increases the risk of errors in FS with reference to the inventory balance and cost of sales
• Product is sold in a highly competitive industry
- Impact (Why?): Many businesses are selling the product it may lead to a decrease in the market share and an excess supply and a decrease in sales
- Link to AFS: Increase going concern risk
Location and geographical distribution:
• Products imported from overseas suppliers
- Impact (Why?): Forex exchange risks and delays due to an increase in complex calcs. Foreign sales may be subject to exchange rate fluctuations that may impact the company’s profit if negative
- Link to AFS: Increase going concern risk and increase errors in AFS
• Products are sold to poorer countries
- Impact (Why?): Decrease their market share and affect cash flow
- Link to AFS: Increase going concern risk
• Located in all main centres within SA
- Impact (Why?): Competitive advantage and therefore increase sales
- Link to AFS: Decrease going concern risk
• Widely distributed
- Impact (Why?): Difficult to implement and monitor IC = poor IC
- Link to AFS: Increase errors in AFS and increase control risk
• Distribute to both global and local markets
- Impact (Why?): Increases the available market which could increase sales
- Link to AFS: Decrease going concern risk
Other risk factors:
• Related party transactions
- Impact (Why?): Bias judgement calls and familiarity of the parties may result in manipulation of figures
• Cash flow issues
- Link to AFS: Increase going concern risk
• Poor quality equipment purchased (less popular; client submits claims; contingent liab; inventory val)
- Impact (Why?): Loss of market share (reputation) and thus cash flow issues. Complex calcs and valuations may be over or undervalued which may lead to errors
- Link to AFS: Increase going concern risk and increase errors in AFS
• Level of sophistication of information system
- Impact (Why?): High degree of computerisation and transactions via the internet allows for theft and fraud
- Link to AFS: Increase going concern risk and increase the risk of fraud in AFS
• Age of information system
- Impact (Why?): New systems may be new to staff and errors may occur or loss of data
- Link to AFS: Increase errors in AFS
• Cashflow challenges or financial position (business makes a loss)
- Link to AFS: Increase risk to manipulate AFS
• History of misstatements
- Impact (Why?): Impact the current year’s AFS if there are prior misstatements
- Link to AFS: Increase errors in AFS
• Transactions that require judgements/ estimates (inventory valuations)
- Impact (Why?): If there are poor quality goods, NRV may be estimated too high or too low
- Link to AFS: Increase errors in AFS
• False marketing
- Impact (Why?): Contravene the CPC and mgt integrity is questioned = indicates the possibility of the manipulation of the AFS and can damage the business’s reputation which may lead to loss of sales
- Link to AFS: Increase going concern risk and increase the risk of fraud in AFS
• Non-compliance with laws
- Impact (Why?): Must be in compliance with the regulations otherwise it will result in penalties and legal liabilities which result in cash outflow. This can also harm the business’s reputation
- Link to AFS: Increase going concern risk
• Compliance with laws
- Impact (Why?): This highlights mgt integrity and improves the brand’s reputation
- Link to AFS: Decrease the risk of fraud and errors in AFS
• Decrease in the availability of natural resources
- Impact (Why?): This affects the cost of raw material which may increase the cost of production and decrease the profits of the business
- Link to AFS: Increase going concern risk
• Delays due to bad weather
- Impact (Why?): A delay in the production may lead to a loss of market revenue
- Link to AFS: Increase going concern risk
• Not replacing machinery that has reached the end of its useful life
- Impact (Why?): This may lead to inferior quality products which could impact the sales of the products
- Link to AFS: Increase going concern risk
- Impact (Why?): This may also indicate that the incorrect useful life was determined for their fixed assets and that fixed assets are incorrectly valued
- Link to AFS: Increases the risk of errors in the AFS
• Specialised machinery
- Impact (Why?): May require complex calculations to determine the value of the machinery and the depreciation
- Link to AFS: Increase the risk of errors in AFS
• No remaining cash reserves to replace machinery
- Impact (Why?): Need to apply for a loan and this could negatively influence cash flows. Accumulating interest on loans resulting in cash flow issues
- Link to AFS: Increase going concern risk
• Management integrity (senior employee resigns; aggressive targets)
- Impact (Why?): Mgt may want to manipulate the FS for them to be more appealing for an investor to secure a loan
- Link to AFS: Increase the risk of fraud in the AFS
- Impact (Why?): Estimates require mgt to exert judgement and mgt might manipulate the machinery figure to assist in securing the bank loan
- Link to AFS: Increase the risk of fraud in the AFS
• Listed company
- Impact (Why?): Increases risk since the existing shareholders want to see the growth in the company’s earnings, which may give directors reason to fraudulently increase earnings
- Link to AFS: Increase the risk of fraud in the AFS
- Impact (Why?): May not meet the JSE or other listing requirements which can lead to penalties or errors in the FS
- Link to AFS: Increase the going concern risk and increases the risk of errors in AFS
• Client pays a deposit
- Impact (Why?): Record keeping of the deposit may be complex and subject to errors
- Link to AFS: Increase the risk of errors in AFS
- Impact (Why?): Non-refundable deposit will decrease the risk of clients not paying, thus decreasing the risk of bad debts
- Link to AFS: Decrease the going concern risk
• Recording of revenue takes place over year end
- Impact (Why?): The recording of revenue over year end may be complex with adjustments required which may result in errors
- Link to AFS: Increase the risk of errors in AFS
Imports:
• Reliability
- Impact (Why?): Reliability of foreign suppliers to provide products on time and of correct quantity and to render proper after-sales services which may result in delay of productions and sales (which leads to loss of market share)
- Link to AFS: Increase going concern risk
• Quality
- Impact (Why?): Quality of imported parts and equipment may be poor since it’s imported from overseas which may lead to manufacturing defects and a loss of market share
- Link to AFS: Increase going concern risk
• Impact on cash flow
- Impact (Why?): Imports are exposed to exchange rate fluctuations that can influence prices and profits negatively
- Link to AFS: Increase going concern risk
• Complexity of transactions
- Impact (Why?): Forex transactions are complex due to the different currencies and exchange rates which results in errors if the employee is not properly trained
- Link to AFS: Increase the risk of errors in the AFS
• Laws and regulations
- Impact (Why?): There will be regulations and tariffs which, if not complied with, may result in the products not being able to be imported which will affect sales and the reputation of the company
- Link to AFS: Increase going concern risk
Control risk: Absence of internal controls
Each risk factor is followed by its impact (why?) and its link to the AFS.
• New accounting system or internal control
- Impact (Why?): Complexity of implementation of new systems
- Link to AFS: Increases the risk of errors in the AFS
• New accounting personnel
- Impact (Why?): Staff does not know how to operate the system
- Link to AFS: Increase the risk of errors in the AFS
• Degree to which the duties are segregated
- Impact (Why?): Lack of SOD results in one person performing incompatible functions and higher chance of ROMM and incomplete accounting records
- Link to AFS: Increase the risk of errors in the AFS and increases the risk of theft and fraud
• Good internal control activities
- Impact (Why?): Improvements in IC due to positive attitude of mgt. Good internal control activities will prevent, detect and correct misstatements from reaching the AFS
- Link to AFS: Decrease risk of errors in AFS
• Weak internal control activities (new company = internal controls not well established; new accounting system)
- Impact (Why?): Weak internal control or lack of monitoring means there is never any improvement leading to many misstatements not being prevented and the business may not succeed
- Link to AFS: Increases risk of errors in the AFS. Increases going concern risk
• Good internal control environment
- Impact (Why?): Mgt places emphasis on sound internal control and staff members are aware and thus fewer misstatements
- Link to AFS: Decrease risk of fraud and errors in the AFS
• Weak internal control environment
- Impact (Why?): Mgt does not place emphasis on sound internal control and misstatements are generally overlooked by staff and likely to occur
- Link to AFS: Increase risk of fraud and errors in AFS
• Many mistakes
- Impact (Why?): May indicate similar mistakes in the AFS
- Link to AFS: Increase risk of errors in AFS
• Few mistakes
- Impact (Why?): Indicates that there will likely be limited mistakes on AFS
- Link to AFS: Decrease errors in AFS
Types of payments:
• Only cash sales permitted
- Impact (Why?): There are no receivables = simplified admin and thus no risk of bad debts
- Link to AFS: Decrease going concern risk
• Large amounts of cash
- Impact (Why?): Large amounts are held on the premises
- Link to AFS: Increase the risk of fraud and theft
• How is cash kept safe?
- Impact (Why?): Easy access to the safe and staff could easily steal
- Link to AFS: Increase the risk of fraud and theft
• How are transactions accounted for?
- Impact (Why?): Cash receipts only accounted for upon request of staff = incomplete AFS
- Link to AFS: Increase the risk of errors in AFS
- Impact (Why?): May indicate a bad attitude of mgt towards IC
- Link to AFS: Increase the risk of errors in AFS
Detection risk: Absence of internal control
Each risk factor is followed by its impact (why?) and its link to the AFS.
• Time pressure/ pressure on auditor
- Impact (Why?): Risk that there won’t be enough time to perform a proper audit – may influence independency and objectivity
- Link to AFS: Increase the risk of errors remaining undetected in the AFS
• Contact with previous auditor
- Impact (Why?): Could obtain needed information which will decrease ROMM in the RS will remain undetected
- Link to AFS: Decrease the risk of errors remaining undetected in the AFS
• New industry; new system; new client
- Impact (Why?): Don’t have enough knowledge of the business – relevant experience and don’t know the risk profile
- Link to AFS: Increase the risk of errors remaining undetected in the AFS
• Auditors have been auditing the company for many years
- Impact (Why?): Therefore, they will have the necessary knowledge and experience in order to perform the audit or risk of familiarity and fraud if there are no external reviews
- Link to AFS: Decrease the risk that misstatements in the AFS may not be detected by the audit procedures
• Auditor has extensive experience in the industry
- Impact (Why?): Therefore, has the appropriate knowledge to perform the audit
- Link to AFS: Decrease the risk that misstatements in the AFS may not be detected by the audit procedures
Evaluate audit risk on account and assertion level
Management assertions:
Claims made by the members of management regarding certain aspects of a business
Structure of test of controls
• Test of controls are used when control risk is evaluated as low (good internal controls are in place, meaning well designed and have been implemented)
• The auditor then chooses to rely on the internal controls and tests the operating efficiency thereof
• One cannot perform test of controls if there is no or insufficient internal controls in place
INHERENT RISKS ON AN ASSERTION LEVEL
Discuss:
the inherent risks at account/assertion level for the audit
the factors evident which will increase the risk of material misstatement on account/assertion level
For each risk: IDENTIFY THE RELEVANT TRANSACTION / BALANCE, then APPLY RELEVANT ASSERTIONS
SHIPPED FROM A DIFFERENT COUNTRY (IMPORTS)
• Inventory is sent free-on-board and some was still at sea on year-end. The risk exists that all inventory is not recorded in the financial records
- Transaction/ balance: Inventory
- Assertion: Completeness
• Inventory is imported which results in complicated foreign exchange transactions, which may increase errors during the conversion and recording in the accounts which could be affected by this
- Transaction/ balance: Inventory
- Assertion: Accuracy, valuation & allocation
• Inventory is imported which increases the risk regarding the right of ownership
- Transaction/ balance: Inventory
- Assertion: Rights & Obligations
• There are foreign creditors to be revalued at year-end to calculate the liability outstanding at the spot rate. Errors can be made with the re-valuation
- Transaction/ balance: Inventory Creditors
- Assertion: Accuracy, valuation & allocation
• Inventory is imported which results in complicated foreign exchange transactions, which may increase errors during the conversion and recording in the accounts which could be affected by this
- Transaction/ balance: Inventory Purchases; Exchange rate profit & loss
- Assertion: Accuracy; Accuracy
STANDARD COSTING SYSTEM IS USED
• Standard costing is a complex system & the inventory value may be incorrectly determined
- Transaction/ balance: Inventory
- Assertion: Accuracy, valuation & allocation
LUXURY PRODUCT
• Luxury market: due to the luxury nature, furniture may not sell under the current economic circumstances which increases the risk that adequate write-off to NRV is not made
- Transaction/ balance: Inventory
- Assertion: Accuracy, valuation & allocation
MANUFACTURING COMPANY
• Raw materials / WIP may be incorrectly classified or % completion may not be calculated accurately
- Transaction/ balance: Inventory
- Assertion: Classification
COMPANY OBTAINS A LOAN
• Interest on the loan may be capitalised rather than expensed
- Transaction/ balance: Loan
- Assertion: Accuracy, valuation & allocation
• Split between current & non-current liabilities may be incorrect
- Transaction/ balance: Loan
- Assertion: Accuracy, valuation & allocation
COMPANY EMPLOYS WAGE WORKERS
• Company employs many labourers & therefore can easily create fictitious hours for employees / record them
- Transaction/ balance: Wages
- Assertion: Occurrence
• Different rates are used for overtime / normal hours worked. Errors can occur with the calculation of wages if incorrect rates are used
- Transaction/ balance: Wages
- Assertion: Accuracy
• Wages can be incorrectly capitalised to inventory / incorrectly calculated due to standard costing
- Transaction/ balance: Wages
- Assertion: Accuracy
LABOUR INTENSIVE COMPANY
• Gardeners work without supervision and might attend to private jobs without bookings while receiving cash for these services.
- Assertion: Completeness
• Doubled its workforce in the last year which makes it harder to detect fictitious employees.
- Transaction/ balance: Wages
- Assertion: Occurrence
• The company employs many labourers, can therefore create fictitious employees or fictitious hours for employees & record them
- Transaction/ balance: Wages
- Assertion: Occurrence
• The company employs many labourers, and so they have to pay many employees so can therefore make mistakes easily when recording payroll
- Transaction/ balance: Wages
- Assertion: Accuracy
DISTRIBUTION TO MAJOR RETAILERS ACROSS THE COUNTRY
• Due to distribution throughout the country and shipping terms, there could be cut-off issues
- Transaction/ balance: Income
- Assertion: Cut-off
DIRECTORS ARE EXPECTING PERFORMANCE BONUSES
• A performance bonus is paid to directors, the risk is that no provision is created
- Transaction/ balance: Provision for bonus
- Assertion: Completeness
• A provision for bonus must be created in the financial statements which could be subjective. The risk is that the provision is calculated incorrectly
- Transaction/ balance: Provision for bonus
- Assertion: Accuracy, valuation & allocation
DEBTORS
• Since a significant part of the trade debtors are in Africa, it could be difficult to determine the provision for credit losses.
- Transaction/ balance: Provision for credit losses
- Assertion: Accuracy, valuation and allocation
• Debtors’ credit terms are exceeded by far. It increases the risk of bad debt. (If worked out and not just going by what the company told us)
- Transaction/ balance: Bad Debts / Debtors
- Assertion: Accuracy, valuation and allocation
• Risk of determining whether the debtors really belong to the company as a result of the acceptance of returns and free on board transaction terms of exported goods.
- Assertion: Rights and obligations
• Difficult to determine if the debtors in Africa really exist.
- Assertion: Existence
PPE
• A new generator was delivered in an emergency on year end. The risk exists that ownership did not transfer on the same day according to the purchase agreement.
- Transaction/ balance: PPE
- Assertion: Rights & Obligations
• Most of the property, plant and equipment are fully depreciated, yet they are still in service. This might indicate that the useful life estimation and consequently depreciation period of fixed assets are inadequate.
- Transaction/ balance: PPE
- Assertion: Accuracy, valuation and allocation
INVENTORY
Bakersman is a manufacturing enterprise. A risk exists that the overheads
can be allocated incorrectly.
Inventory
Accuracy, valuation and allocation
There were problems with the inventory system’s ability to determine the
stage of completion / will be determined incorrectly at year-end.
Inventory
Accuracy, valuation and allocation
A risk exists that all costs to bring the inventory to the current condition and
location (including labour and raw material costs) are not included in the
inventory balance.
Inventory
Accuracy, valuation and allocation
Inventory days on hand are much more than the prior year and for the
comparable company, this increases the risk that inventory might be spoilt /
overstated.
Inventory
Completeness
Accuracy, valuation and allocation
There is a risk that not all transport costs to bring inventory to current
condition and location (including labour and material costs) might be
accurately included in the value of inventory.
Raw
Materials
Purchases
Existence
Accuracy
Completeness
A risk exists that not all labour and material cost are allocated to inventory.
Completeness
Accuracy, valuation and allocation
Inventory can be overvalued since it quickly becomes obsolete and
because management possibly does not want to write off the inventory.
Accuracy, valuation and allocation
Inventory levels are increasing as sales decrease. This could be an indication
of obsolete inventory.
Accuracy, valuation and allocation
Invoicing is done at different rates and hours. This increases the complexity
of calculations and errors can be made.
Accuracy
The inventory is sold at lower than cost. This inventory must therefore be
written off to net realisable value. No provision was however created for
obsolete inventory in this regard, which means that inventory is overvalued.
Inventory
Accuracy, valuation and allocation
The risk of inventory gone bad is increased.
Inventory
Accuracy, valuation and allocation
The risk exists that the inventory items may have been stolen and no longer
exist in inventory.
Inventory
Existence
Revenue
Cut-off
Classification
TRANSACTIONS
Since deposits expire within 24 hours of the service delivery, there is a risk
at year end that not all deposits relating to the services that are scheduled
for the next day are reclassified to revenue.
Each job is invoiced in two different invoices. This increases the complexity
of calculations and errors can be made in final invoicing
Accuracy
MACHINERY
The manufacturing machine consists of various components, of which the
useful lives differ. It would be difficult to distinguish between the different
components and it can lead to complicated calculations, which can lead to
the incorrect valuation of this machine.
Accuracy, valuation and allocation
There is no indication that the useful life and residual value is reviewed
annually as required by IAS 16. It can lead to the incorrect valuation of
machines.
Accuracy, valuation and allocation
OTHER
Fraud risk in recognition of revenue (ISA 240)
Revenue
ALL ASSERTIONS
Owned by a family: Increases the risk that profits might be understated to
evade taxes.
Income
Completeness
Occurrence
Describe and motivate the audit approach
set inherent risk as ‘low’
• Inherent risk’s provisional evaluation is low and control risk’s evaluation is low, and therefore the auditor will be willing to accept a high detection risk.
• Extensive tests of control will therefore be performed, since the auditor will want to place reliance on the effective functioning of controls (to review CR as low).
• The auditor will follow a system based approach to the audit of the company.
• Tests of control will need to test the functioning of the controls for the entire year (timing).
• If the tests of control show that the internal controls are in working order, limited substantive procedures can be performed.
• Control risk for the audit has been provisionally evaluated as low, which indicates there is a good system of internal control in place.
• A combined or control based audit approach will be followed.
• Therefore reliance can be placed on the internal control system.
• Consequently extensive tests of the controls will be performed.
• These tests will be performed before year-end.
• Since the inherent risk has been evaluated as low, the detection risk the auditor will be willing to accept will be higher, in order to maintain the audit risk at an acceptably low level.
• Therefore, limited substantive procedures will be performed.
• Some of the substantive testing will be done before year-end with early verification and the rest done at or after year-end.
set inherent risk as ‘medium’
• Control risk is medium, which means that a moderate degree of reliance can be placed on the internal controls.
• A combined (or system-based) audit approach will be followed.
• A moderate amount of tests of control will be performed.
• Since the inherent risk was evaluated as medium, the auditor will be willing to accept a medium level of detection risk to keep the audit risk at an acceptable level.
• Therefore a moderate amount of substantive procedures will be performed.
• Tests of control will be performed before year-end and substantive procedures on or after year-end.
control & inherent risk evaluated as ‘high’
• Control risk for the audit has been provisionally evaluated as high, which indicates there is not a good system of internal control in place.
• Therefore no reliance can be placed on the internal control system and consequently no tests of the controls will be performed.
• Since inherent risk and control risk are both evaluated as high, the detection risk the auditor will be willing to accept to bring the audit risk to an acceptable level will be low.
• This will be achieved by following the substantive based audit approach by performing substantive procedures.
• Extensive substantive procedures will be performed.
• All audit procedures will be performed after year-end.
risk based audit approach
The International Auditing Standards currently applicable in South Africa are based on
a risk based approach to auditing.
This implies that the auditor:
• through a process of obtaining knowledge of the business and its environment (performs risk assessment
procedures);
• assesses the risk of misstatement in the financial statements; and then
• determines if the identified risks exist at financial statement level, or are risks which influence specific
assertions/accounts, and then
• responds to the risks in the design of an appropriate audit approach (the nature, extent and timing of audit
procedures) to the audit (more audit attention will be paid to risk areas),
• which will ultimately decrease the risk that material misstatement will not be detected, to an acceptable level.
audit risk at financial statement level
Inherent risk
• The accountants are focussed on takeover transaction under time pressure which increases the risk of errors in the
[recording of transactions due to carelessness] or [financial statements].
• The audited statements will be submitted to the acquiring company in order to calculate the value of Rafiki Limited,
which could lead to intentional errors in the financial statements to improve the company’s financial position.
• The results will be used to determine if performance bonuses should be paid out in the following financial year, which
could lead to intentional errors in the financial statements in order to improve the company’s financial position.
Detection risk
• I was recently appointed as the auditor of Rafiki Limited and therefore risk that [I do not have any previous knowledge or
experience of the client.] or [This might result in me not detecting some material misstatements.]
• The previous auditor immigrated to India. Problems may be experienced with contacting and communicating with him to
obtain information required to properly perform the audit.
• Rafiki Limited’s year-end falls with most of my other clients’ year-ends. As a result of work pressure I may be under a lot
of time pressure when the audit must be completed possibly resulting in misstatements not being detected.
risk assessment procedures: why they alone do not provide sufficient audit evidence to support the audit opinion
• Risk assessment procedures are the procedures that the external auditor performs to understand the entity and its
environment (including internal control) and identify and assess the risks of material misstatement at the financial
statement and assertion levels.
• Risk assessment procedures alone do not provide sufficient evidence to support the audit opinion as they merely
identify the risk of material misstatement but do not test if the misstatement is present in the financial statements
(or provide a basis for designing and implementing the response to the assessed risk of material misstatement).
risk assessment procedures: the external auditor can perform
As set out in ISA 315 par 6 – 10 the risk assessment procedures include:
• Inquiries of management, internal audit and others within the entity
• Analytical procedures
• Observation and inspection
• Consideration of the pre-engagement (acceptance and continuance) process
• Information from prior experience within the industry or the client
Explain during which stage of the audit planning process the auditors would use analytical procedures and for what
purpose.
1. Analytical procedures in the planning phase of the audit assist with:
• Obtaining an understanding of entity and environment
- Provides useful information on the short-term and long-term financial position of the client.
• Risk evaluation
- Early identification of potential risks
- Identify accounts which could contain potential misstatement
• Formulation of the audit approach
- In reaction to risks identified the nature, extent and timing of audit procedures can be determined.
Explain why performance materiality is calculated & which aspects of the audit are affected by it
• Performance materiality is determined to decrease the probability that the total of unadjusted audit differences in
the financial statements exceeds the materiality for the total of the financial statements or that it exceeds the class
of transactions, account balances and disclosure that are determined. (ISA 320.10)
• It will influence the number of items selected (extent), the nature and timing selected for testing, and the risk
assessment. (ISA 320.11)
Risk & reason why I would like to spend extra audit time
Account
Assertion
Mohair is made using the hair from the Angora goat. The goats’ hair is sheared, sorted into different quality fibres and after
being washed, these fibres are spun into mohair yarns
→ Manufacturing of products leads to complex calculations (e.g. apportionment of labour overheads / material) and accounting treatment.
This increases the risk of errors in the financial statements, with reference to the inventory balance & cost of sales
Moses Weave is a manufacturing enterprise. There is a risk that
overheads can be allocated incorrectly
Inventory
Accuracy, Valuation & allocation
A risk exists that not all labour and material cost are allocated to
labour
Inventory
Completeness
There has been a lower quality of goat feed (raw materials) which may impact on the quality of mohair produced
→ This may also impact on inventory valuation which increases the risk of errors in the financial statements
Inventory can be over-valued as inventory might be obsolete &
management might not want to write-off inventory
Inventory
Accuracy, Valuation & allocation
The machinery in use has reached the end of its useful life.
→ This may indicate that the incorrect useful life was determined for their fixed assets and that these are incorrectly valued and so may
increase the risk of errors in the financial statements
This may indicate that the incorrect useful life was determined
for their fixed assets and that these are incorrectly valued and
so may increase the risk of errors in the financial statements
Property, Plant &
Equipment
Accuracy, Valuation & allocation
Depreciation may be calculated incorrectly
Depreciation
Accuracy
The company farms Angora goats
→ The valuation of land & agricultural goods as well as the calculation of tax may be complex which may increase the risk of errors in the
financial statements
The valuation of biological assets may be complex and the
valuation may be wrong
Biological assets must be valued at fair value and the valuation
might be wrong
Valuation of agricultural land and equipment can be complex &
involves judgement, errors can be made
Biological assets
Accuracy, Valuation & allocation
Fair value adjustment
Accuracy
Property, Plant &
Equipment
Accuracy, Valuation & allocation
The machinery used by Moses Weave is specialised
→ The valuation of land & agricultural goods as well as the calculation of tax may be complex which may increase the risk of errors in the
financial statements
This may require complex calculations & increase the risk of
errors
Depreciation may be calculated incorrectly
re-valuation = complex transaction
calculate amount that is wrong
Balances
Property, Plant &
Equipment
Depreciation
Accuracy, Valuation & allocation
Accuracy
Accuracy
Accuracy
Accuracy, Valuation & allocation
Discuss:
the inherent risks at account/assertion level for the audit
the factors evident which will increase the risk of material misstatement on account/assertion level
RISK & MOTIVATION
ASSERTION
SHIPPED FROM A DIFFERENT COUNTRY (IMPORTS)
Inventory is sent free-on-board and some was still at sea on year-end. The risk exists that all
inventory is not recorded in the financial records
Completeness
Inventory is imported which results in complicated foreign exchange transactions, which may
increase errors during the conversion and recording in the accounts which could be affected
by this
Accuracy, valuation &
allocation
Inventory is imported which increases the risk regarding the right of ownership
Rights & Obligations
There are foreign creditors to be revalued at year-end to calculate the liability outstanding at
the spot rate. Errors can be made with the re-valuation
Accuracy, valuation &
allocation
Inventory is imported which results in complicated foreign exchange transactions, which may
increase errors during the conversion and recording in the accounts which could be affected
by this
STANDARD COSTING SYSTEM IS USED
Accuracy
Standard costing is a complex system & the inventory value may be incorrectly determined
Accuracy, valuation &
allocation
LUXURY PRODUCT
Luxury market: due to the luxury nature, furniture may not sell under the current economic
circumstances which increases the risk that adequate write-off to NRV is not made
Accuracy, valuation &
allocation
MANUFACTURING COMPANY
Raw materials / WIP may be incorrectly classified or % completion may not be calculated
accurately
Classification
COMPANY OBTAINS A LOAN
Interest on the loan may be capitalised rather than expensed
Split between current & non-current liabilities may be incorrect
Accuracy, valuation &
allocation
Accuracy, valuation &
allocation
COMPANY EMPLOYS WAGE WORKERS
Company employs many labourers & therefore can easily create fictitious hours for
employees / record them
Occurrence
Different rates are used for overtime / normal hours worked. Errors can occur with the
calculation of wages if incorrect rates are used
Accuracy
Wages can be incorrectly capitalised to inventory / incorrectly calculated due to standard
costing
Accuracy
LABOUR INTENSIVE COMPANY
The company employs many labourers, can therefore create fictitious employees or fictitious
hours for employees & record them
Occurrence
The company employs many labourers, and so they have to pay many employees so can
therefore make mistakes easily when recording payroll
Accuracy
DISTRIBUTION TO MAJOR RETAILERS ACROSS THE COUNTRY
Due to distribution throughout the country and the shipping terms, there could be cut-off issues
Cut-off
DIRECTORS ARE EXPECTING PERFORMANCE BONUSES
A performance bonus is paid to directors, the risk is that no provision is created
Completeness
A provision for bonus must be created in the financial statements which could be subjective.
The risk is that the provision is calculated incorrectly
Accuracy, valuation &
allocation
DEBTORS
Since a significant part of the trade debtors are in Africa, it could be difficult to determine
the provision for credit losses.
Accuracy, valuation and
allocation
Debtors’ credit terms are exceeded by far. It increases the risk of bad debt. (If worked
out and not just going by what the company told us)
Accuracy, valuation and
allocation
Risk of determining whether the debtors really belong to the company as a result of the
acceptance of returns and free on board transaction terms of exported goods.
Rights and obligations
Difficult to determine if the debtors in Africa really exist.
Existence
INVENTORY
Bakersman is a manufacturing enterprise. A risk exists that the overheads can be
allocated incorrectly.
Accuracy, valuation and
allocation
There were problems with the inventory system’s ability to determine the stage of
completion.
Accuracy, valuation and
allocation
Inventory can be overvalued since it quickly becomes obsolete and because
management possibly does not want to write off the inventory.
Accuracy, valuation and
allocation
Inventory levels are increasing as sales decrease. This could be an indication of obsolete
inventory.
Accuracy, valuation and
allocation
A risk exists that not all labour and material cost are allocated to inventory.
Completeness
Accuracy, valuation and
allocation
IDENTIFY SPECIFIC MANAGEMENT ASSERTIONS FROM WHICH EACH SPECIFIC AUDIT OBJECTIVE WAS DERIVED
All salary & wage transactions are included in the SFP and SCI
Test all operating expenses incurred in the financial year were actually recorded
Test if all clients who attended were included in the sales figure and all transactions
correctly recorded
All corrections made to salary & wage transactions in the period were recorded
All payments to creditors during the period were recorded
Completeness
Completeness
Completeness
Salary & wage transactions were carried over correctly from the source documents
Test all sales transactions were recorded with the correct quantities and amounts
Test sales relating to amounts still outstanding at year-end were only made to debtors
who were approved as being able to settle their debts
Accuracy
Accuracy
Accuracy, valuation and
allocation
Salary & wage transactions were recorded in the correct accounting period
Test all sales transactions were recorded in the correct financial period
Cut-off
Cut-off
Salary & wage transactions included in the SFP and SCI took place and relate to the
company under audit
Only salary & wage transactions were recorded in the account
Appropriate disclosures have been made concerning the director’s salaries
Debtors represent amounts receivable from valid customers in the SFP
Creditors in the SFP represent legal claims of the entity on customers for payment
Occurrence
Completeness
Completeness
Classification – proper account
Presentation
Existence
Rights / obligations
INTERNAL CONTROL
System of internal control
• The process designed and effected by management to provide reasonable assurance about
achievement of entity’s objectives relating to:
o Reliability of financial reporting
o Effectiveness and efficiency of operations
o Compliance with laws and regulations
Inherent limitations of a system of internal control
Internal control can provide only reasonable assurance
• Cost benefit consideration
• Ability to cope with non-routine transactions
• Human error or misunderstanding
• Management judgement
• Inappropriate management override of controls
• Measures may become inadequate over time
The five components of a company’s internal control
1. The control environment
• The control environment encompasses the attitude of management towards internal control
• Management can create and foster a positive attitude towards internal control by doing the
following
o Communicate and enforce integrity and ethical values throughout the entity to all
employees who are involved in the development, application and monitoring of internal
control
o Be committed to competence
o Ensure that those people charged with governance participate, and that they act
appropriately and support management in their internal control efforts
o Demonstrate good leadership and judgement
o Develop and put in place an organisational structure which clearly assigns authority
and responsibility and sets out clear reporting lines within the entity
2. The company’s risk assessment process
• An entity’s risk assessment process refers to the way in which the entity deals with governance of
risk
3. The information system, including the related business processes, relevant to financial reporting,
and communication
• The information system relevant to financial reporting creates the audit trail of each transaction
and event to which the entity is party, and includes all the processes and activities of the entity
involved in preparing the financial information
• The information system relevant to financial reporting
o Initiate/Execute
- This stage pertains to the physical activities relating to where the transaction is
initiated or the performing of activities relating to completing the initiated transaction
- Transaction
o Record
- This stage is where the information applicable to each activity is recorded
- Source document
o Process
- During this stage, the transaction is processed and corresponding entries are
made in the accounting records of the entity
- Accounting records and financial statement closing process
o Report
- This stage is where the transaction is included in the financial statements
- Financial statements
4. Control activities relevant to the audit
• Control activities refer to those internal control measures, policies and procedures that
management designs and implements to ensure that their objectives are achieved
Documentation and records
Document design
• Documents used in the accounting system should be pre-printed and designed
in a way to assist in the process of using them and to minimise the chances of
making mistakes in the completion and use thereof
Stationery controls
• Proper stationery controls include the sequential pre-numbering of documents
to facilitate the checking of the number sequence later on to ensure
completeness of recording and the cancellation of documents after use to
prevent them from being reused for fraudulent purposes
Chart of accounts
• To ensure proper control over the accounting records in which transactions are
recorded, a chart of accounts is necessary
Authorisation and approval
• Management should set different levels of authorisation and should assign
responsibility for the approval of transactions to suitable employees whose
duties are not incompatible
• Before authorising, the approver should review the supporting documents and
records to determine whether the transaction is allowed in terms of the entity’s
approval policy
Segregation of duties
• Transactions go through various stages in the accounting process
• Certain transactions are more susceptible to fraud and error when one
employee is responsible for handling the particular transaction from beginning
to end
Access control
• It is necessary to control access to the assets properly
5. Monitoring of controls
• It is important that management assesses the effectiveness of the design and operation of
internal control measures on an ongoing and timely basis, and takes the necessary corrective
actions
6. Independent checks and reconciliations
• It is necessary that the work of a person be independently checked or reviewed by a second
person
• Should be evidenced by a signature of the reviewer
Control objectives
• Validity
All transactions and events that are executed were properly authorised in
accordance with management’s policy, and
All transactions and events that are recorded
o Occurred (i.e. are not fictitious)
o During the period, and
o Are supported by sufficient documentation
• Completeness
All transactions and events that occurred during the period
o Are recorded,
o In a timely manner, and
o No transactions or events are omitted
• Accuracy
Transactions and events are recorded
o At the correct amounts (quantity, price, calculations)
o Are correctly classified in terms of the entity’s chart of accounts
o Are correctly summarised and posted to the entity’s accounting
records
BUSINESS CYCLES
Underlying Principles
• Risks (identify risks, weaknesses, consequences)
• Controls (identify the controls / lack of controls in place and make suggestions)
• Test of Controls (Test the identified controls)
Designing a System of Internal Control
What must be taken into consideration?
Internal Control Objectives:
• Validity
• Accuracy
• Completeness
Categories of Internal Control:
• Control Environment
• Risk Assessment Process
• Information Systems
• Control Activities (SCRRAM)
• Monitoring Controls
Be careful for:
Limitations in question
Or specific requirements
Suggested System of Internal Control
How do I formulate my answer?
Clear and specific for management
Answer must be executable for client
Answer must be understandable
How to answer a test of controls question
5. Remember control objectives (accuracy, validity and completeness)
6. Formulate the test of control:
a. Inspect (not often used)
b. Observe,
c. Enquire,
d. Reperform (often comparison of journals or other sources to supporting documents is done
by the auditor by means of reperformance),
e. Recalculate
7. What are you testing? Remember to include:
a. Person,
b. Price,
c. Amount,
d. Description,
e. Value,
f. Date
8. Reason or purpose of conducting the test:
a. “To obtain information that the IC are applied and to ensure that accuracy is obtained”
• When testing for completeness, select a sample of source documents and follow it to financial
statement level
• When testing for accuracy and validity, select a sample from the financial statements and trace
down to source document level
Salary and Wage Cycle
Personnel Division
• Control Objectives: Validity
• Confirmed by means of:
• Observation, inspection of organisational charts and enquiry that the following functions are
performed by different employees
o Appointment
o Maintenance of permanent files
o Safeguarding of clock cards & calculations
o Account
o Pay-out
Appointment Letter (A.L)
• Appointment, conditions and stipulations
• Two copies:
o Employee
o Personnel Division
• Control Objectives: Validity
• Inspect A.L for signature of employee and personnel manager to ensure that it was authorised
correctly
Personnel Records (P.R)
• Personal info, employee number, appointment date, compensation, fringe benefit, deductions
• Control Objectives: Validity, accuracy, completeness
• Compare P.R to A.L to ensure that details actually agree
Deduction Authorisation Form (D.A.F)
• Two copies:
o Employee
o Personnel division
• Control Objectives: Validity, accuracy, completeness
• Inspect D.A.F for signature of employee to ensure that he authorised the deduction
• Compare D.A.F to wage journal to ensure that deductions were taken into account in the wage
journal accurately
Tariff Authorisation Form (T.A.F)
• Two copies:
o Employee
o Personnel Division
• Control Objectives: validity, accuracy, completeness
• Inspect T.A.F for signature of head personnel division to ensure authorisation
• By means of reperformance compare T.A.F to wage journal to ensure that tariff is correctly
accounted for in wage journal
Termination of Service Form (T.S.F)
• Two copies:
o Employee
o Personnel division
• Control Objectives: Validity, Completeness
• Inspect T.S.F for signature to ensure authorisation
• Select a sample of termination of service forms and compare them to the wage journal for dates after
termination of service to ensure the employee is no longer in the wage journal
Clock Card
• Employee name, number, date, hours
• Control Objectives: Validity, accuracy, completeness
• By means of reperformance compare CC to the wage journal to ensure that hours worked are
recorded accurately
• Inspect CC for signature of supervisor to ensure that CC are authorised
• Observe clocking in/out process to ensure that supervisor is present and check that only one clock
card is used by each employee
• Recalculate the counting of hours
Wage Journal (W.J)
• Hours x Tariff = Gross Wage – Deductions = Net Wage
• Control Objectives: Validity, accuracy, completeness
• Recalculate wage calculations to ensure that they were calculated correctly
• Inspect for signature to ensure authorisation
• Take a sample of journal entries from the W.J and trace to supporting documentation to ensure
there are no fictitious entries
Wage Slip (W.S)
• Two Copies:
• Employee
• Payment division
• Control Objectives: accuracy, completeness
• Reperform calculations to ensure accuracy
• Inspect signing of the documents to ensure authorisation
• Ensure there are controls over the safe keeping of cash
Wage Payout
• Control Objectives: Validity, accuracy, completeness
• Observe the wage payout to ensure that
• Responsible person
• Two people hand out and the foreman
• Identification of employee must be present
• Sign the register on receipt of cash
• Only pay the employee in person (a friend may not collect)
• Count the money before signing the register
• Inspection of organisational charts, enquiry and observe that the following functions are performed
by different people:
• Preparation of wages
• Authorisation of wage cheque
• Payment of wages
Unclaimed Wages
• Control Objectives: Validity
• Ensure the following has taken place:
• Indicate on wage journal as unclaimed
• Immediately take the cash back to a responsible person
• Sign on receipt
• Keep in secure place
• Keep a register of unclaimed wages
• Date, employee number, amount
• Foreman signs
• Inspect for indication that wage was unclaimed
• Inspect register of unclaimed wages for signature of responsible person as proof of receipt
• Compare the amount on the unclaimed wage register to the amount indicated as unclaimed in the
wage journal
• If wages are claimed:
o Only pay to the employee in person
o Proof of identification must be present
o Employee must count money
o Sign as proof of receipt
• Monitoring:
o If cash is not claimed within a reasonable time, deposit in the bank
o Independent person must check and follow up on the register for:
o Long outstanding
o Regularly unclaimed wages
Salary Journal (S.J)
• Employee number, name, date, scale, allowances, deductions, gross and net salary
• Basic Salary + Allowances / Fringe Benefits – Deductions = Net Salary
• Control Objectives: Validity, accuracy, completeness
• Recalculate calculations to ensure accuracy (A)
• Select a sample from the salary journal and trace back to supporting documents to compare details (V)
• Compare salary calculations to salary journal (C)
Payslip
• Employee name, number, basic salary + allowances – deductions = net salary
• Inspect payslip for signature of authorised person (V)
• Recalculate, reperform and compare calculations to ensure accuracy (A)
IRP5 Form
• Payments received and tax deducted per employee for the year
• Control Objectives: Validity, accuracy, completeness
• Recalculate and reperform to ensure accuracy
• Take a sample of the letter of employment and trace through to IRP5 form to ensure completeness
• Take a sample of IRP5 forms and trace through to supporting documents
Returns
• Tax pension fund, medical aid, RAF
• Inspect for the signature of the accountant to ensure that returns are authorised
• Compare returns to supporting documents to ensure accuracy
SUBSTANTIVE PROCEDURES
UNDERLYING PRINCIPLES
Substantive procedures are procedures that the auditor performs in order to obtain audit evidence specifically designed to detect material misstatements at the assertion level. They are specially aimed at detecting material misstatements of amounts and disclosures
• Objective of TOC/SP distinguishes the two
o TOC: to test the operating effectiveness of controls when deciding to rely on internal controls → therefore support control risk
o SP: to obtain evidence of material misstatement in the financial statements to support or prove a series of actions conducted in a certain order or manner → reduce detection risk to an acceptable level
• Management responsibility for SP:
o Preparation and presentation of financial statements
o Design, implementation and maintenance of internal controls and systems
o Retain supporting documents to support financial events
COMBINED AUDIT APPROACH/SYSTEM BASED
• Reliance on internal control system
• Focus on tests of controls
• TOC results determine whether further SP should be performed
• SP always performed for all material balances
SUBSTANTIVE AUDIT APPROACH
• Little/no reliance on internal controls
• Extensive substantive procedures
TYPES OF SUBSTANTIVE PROCEDURES
GENERAL SUBSTANTIVE PROCEDURES
• Performed on every audit in so far as they are applicable
1. Agreeing opening balances for accounts in SFP with the prior year's audited AFS and the audit working papers
2. Agreeing closing balances of the GL accounts with the TB and then with the FS
3. Agreeing closing balances of GL accounts with underlying records
4. Casting, cross-casting and recalculating the underlying records
5. Examining GL accounts for provisions, reversals and adjustments
6. Examining GL accounts for unusual or suspicious transactions
7. Obtaining a written representation from management
8. Evaluating all disclosures in AFS in terms of IFRS
SUBSTANTIVE ANALYTICAL PROCEDURES
• Use comparisons and analyses of relationships among financial and non-financial data to assess whether account balances, totals and disclosures appear reasonable compared to the auditor's expectations
1. Month on month analysis of a class of transactions
2. Analysis of FS amounts as a percentage of other directly related FS items
Performing Substantive Analytical Procedures
• Key prerequisite is for the auditor to be able to develop an expectation that is precise enough in the circumstances to be able to detect unusual results as well as to define a limit beyond which fluctuations will have to be investigated further
• When to use? If risk of material misstatement is high → DR low → lower reliance on substantive analytical procedures
• Need to consider the audit evidence available directed towards the specific assertion
• Need to consider the reliability of the data which includes (1) source of data, (2) comparability of data, (3) controls applied over preparation of data, (4) ability of auditor to develop sufficiently precise expectations
Evaluating Results
• If the auditor does not believe that substantive analytical procedures have provided sufficient appropriate audit evidence for the assertion concerned, further audit procedures (tests of details) should be performed
SUBSTANTIVE TESTS OF DETAILS
• Drill down into the details of the transactions that make up a particular amount or disclosure in the FS, with the objective of obtaining audit evidence to support the amount or disclosure
• More accurate than substantive analytical procedures but takes more time
1. Inspection of relevant source documents or physical assets
Source Documents: Review for date (cut-off), name of entity (occurrence), amount of transaction
(accuracy, valuation), correct signatures (occurrence)
Asset: verify existence of asset and valuation
2. Reperformance of procedure
3. External confirmation from third parties (ISA 330 A48)
4. Recalculation to ensure accuracy of source documents is correct
5. Enquiry through discussions with internal parties (ie. management), and external parties
Substantive Tests of Details – classes of transactions
• Performed on all material classes of transactions for key business processes to verify all the assertions
• Auditor follows the following steps to develop the substantive tests of details:
Step 1: Identify all classes of transactions impacting the relevant account for which the substantive procedures are to be formulated (normally by drawing up a T account)
Step 2: Formulate the audit objectives that have to be verified by means of the substantive procedures for each class
Step 3: Identify all relevant documents and client personnel involved in each class
Step 4: Select the type of procedure to be performed to achieve the audit objective for each class
Substantive Tests of Details – disclosures in the FS
(follow same 4 step process as above)
AUDIT STRATEGY: PER ACCOUNT AND ASSERTION
NATURE (WHAT?):
• Detection risk high: Substantive analytical procedures; fewer tests of details; internal confirmation reliance
• Detection risk low: More tests of details (better source of evidence); external confirmation reliance
EXTENT (HOW MUCH?):
• Detection risk high: Fewer substantive procedures; smaller sample size
• Detection risk low: More substantive procedures; bigger sample size
TIMING (WHEN?):
• Detection risk high: At year-end and during year
• Detection risk low: At year-end (this takes more time but provides better evidence)
TRANSACTIONS WHICH ARE TESTED
• General substantive procedures: BALANCE SHEET ITEM – YES; INCOME STATEMENT ITEM – YES
• Substantive analytical procedures: BALANCE SHEET ITEM – YES; INCOME STATEMENT ITEM – YES
• Tests of details on transactions: BALANCE SHEET ITEM – YES; INCOME STATEMENT ITEM – YES
• Tests of details on balances at year-end: BALANCE SHEET ITEM – YES; INCOME STATEMENT ITEM – NO
Nature of audit procedures
Depends on the purpose and relates to the type of procedures. Determined by:
1. Necessity of placing reliance on internal controls
• The controls are operating effectively or
• Substantive procedures alone cannot provide sufficient appropriate audit evidence
• TOC-based approach may be chosen because of:
o The nature of the business and the effect of IT on the audit
o Client dependence on a computerized system (some data may only be available in electronic format)
o Tight audit deadline
o Complexity of the computerized system or a large volume of information processed
2. Possibility of placing reliance on internal controls
• The system of internal control needs to be sufficiently strong to justify reliance
• Entity has to allow the auditor access to the system for sufficient periods in order for adequate testing
• Computerized environment – IT systems of client and auditor need to be compatible
3. Desirability of placing reliance on internal controls
• Cost-effectiveness
• Experts could be required which can be costly
Dual purpose audit procedures
• Objectives and evidence obtained from TOC and SP differentiate the two. E.g. auditor reperforming bank reconciliation:
TESTS OF CONTROLS: Objective is to verify that the bank reconciliation has been properly performed (daily/weekly/monthly) and signed as evidence of review
SUBSTANTIVE PROCEDURES: Objective is to verify the YE bank balance by obtaining substantive audit evidence that the bank balance as included in the FS is free from material misstatement
DIFFERENCES BETWEEN TESTS OF CONTROLS AND SUBSTANTIVE PROCEDURES
• Tests of controls: Tests operating effectiveness of a control activity
  Substantive procedures: Tests the correctness of the rand value of balances or classes of transactions and whether disclosures in the FS are free from material misstatement
• Tests of controls: Results justify assessed level of control risk
  Substantive procedures: Results justify levels of detection risk being achieved
• Tests of controls: The result will be a YES/NO answer. “Is the control operating effectively – yes or no?” Does not enable the auditor to conclude on the rand value effect of misstatements in the account balance/class of transactions
  Substantive procedures: The result will always provide a measure of the rand value of misstatement that exists in an assertion relating to an account balance/class of transactions
• Tests of controls: The number of errors found does matter – rand value is irrelevant
  Substantive procedures: Number of misstatements does not matter – rand values are relevant
• Tests of controls: Results of TOC have an impact on the related SP
  Substantive procedures: Results of SP never have any impact on the amount of TOC to be performed. TOC are always performed prior to SP so that the level of control risk can be established → then the level of detection risk can be determined. The level of detection risk drives the nature, timing and extent of SP
• Tests of controls: One type of procedure: TOC
  Substantive procedures: General substantive procedures, substantive analytical procedures and substantive tests of details
Timing of audit procedures
When the audit procedure is performed, or the period or date to which the audit evidence applies.
Determinants of the timing of audit procedures
• Influenced by risk of material misstatements → higher risk, more likely that procedures will be performed on or after YE
• Influenced by practical factors:
o Involvement of other parties, such as internal auditors and experts
o Non-negotiable dates that the client has set (e.g. inventory count)
o Tight reporting deadline
o Availability of audit and client staff
Interim substantive procedures
• SP aim to provide direct evidence about the entity's YE balance → testing at an interim date can cause potential problems with the appropriateness of audit evidence gathered
• To address this, roll-forward procedures have to be performed (compare YE account balance with that at the interim date and then performing SP on the movement in the account balance)
Consider the following factors:
• Objective of SP → the more critical the objective is, the less likely that interim testing will be considered
• Assessed risk of material misstatement in the account → higher risk, more likely YE will be chosen
• Control environment and relevant controls → stronger control environment, more likely interim SP
• Nature of the class of transactions, account balance or disclosure and relevant assertion → more material, less likely interim SP
• Availability of the information at a later date
• Ability of the auditor to reduce the risk that misstatements existing at YE are not detected
If material misstatements are identified when SP are performed at an interim date, the auditor may need to:
1. Revise the assessed risk of material misstatement for the account balance, class of transaction or
disclosure
2. Revise the planned SP for remainder of period
3. Perform additional SP at YE
Relying on audit evidence obtained in prior audits
• Possible for the auditor to use evidence about the operating effectiveness of controls obtained in prior year audits but only after establishing its continuing relevance (i.e. that there has been no change in the design of the control)
• Cannot rely on prior year audit evidence for controls that address a significant risk
• It is a matter of professional judgement of the auditor to decide whether to rely on evidence for controls that have not changed and that do not mitigate a significant risk. Have to consider:
o Risk of material misstatement for the assertions affected by the control
o Effectiveness of the control environment
o Whether the control is automated or manual
• Auditor required to test controls in at least every third audit, and some controls have to be tested in every audit
Extent of audit procedures
Quantity of audit procedures → often refers to sample size (ISA 330)
• Extent of substantive tests of details increases as the risk of material misstatement increases
• Ways of selecting items for testing:
1. Selecting key or problem items
a. Audit judgement is used to select items that may include unusual items, high-value items, items prone to higher risk or items in which errors were identified in previous audits
2. Selecting all items over a certain rand amount
a. No conclusions can be drawn about the items not selected for testing, therefore the auditor should also consider using audit sampling
Audit sampling
Application of audit procedures to less than 100% of items in a class of transactions, account balance or
disclosure. The auditor should then be able to draw a reasonable conclusion concerning the whole
population from which the sample is drawn (ISA 530).
• The population is the entire set of data
  o The objective as well as the type of audit procedure is NB in identifying the population to be used
    - E.g. objective is to test existence of accounts receivable, the population could be the accounts receivable listing at YE
  o If a population is not homogenous (i.e. items in the population vary significantly), it may be stratified by grouping similar items together in smaller subpopulations
    - Usually based on factors such as monetary value or nature and characteristics
    - E.g. debtors balance consists of several large debtors as well as many small balances → two strata: high value accounts and low value accounts
• Sample sizes for substantive tests of details are directly affected by the level of detection risk
  o Lower risk, greater sample size and vice versa
• Auditor wants to draw a sample that is representative of the population to avoid bias and minimise the risk of drawing erroneous conclusions
  o When using sampling in performing substantive tests of details, the auditor is concerned with the expected rand amount of error in the population tested
• Sampling risk is the possibility that the auditor's conclusion, based on a sample, may be different from the conclusion reached if the entire population were subjected to the same audit procedure
  o For substantive tests of details, the auditor may erroneously conclude:
    - That a class of transactions is free from material misstatement when it does contain material misstatements or vice versa
• Methods used:
  o Statistical sampling: Random selection of a sample whereby all units have the same chance of selection and probability theory is used to evaluate sample results
  o Non-statistical sampling: Using judgemental reasoning, rather than probability theory concepts, for the determination of the sample size, the selection of the sample items, and/or evaluating sample results
To determine which sampling method should be used, the auditor considers:
• When auditors suspect serious error or manipulation in a class of transactions or YE balance, they will use their professional judgement to select a directed judgement sample as this will be more effective in addressing the assessed risk of material misstatement → non-statistical sampling
• In substantive tests of details, a statistical analysis and extrapolation of the projected error may be considered a more appropriate method to use, owing to the difficulty in projecting rand misstatements to the entire population → statistical sampling
• In tests of controls, identifying the nature and cause of errors may be more valuable than statistically analysing the presence or absence of a particular control
Audit objectives
• Auditor's objective with audit procedures is to gather sufficient appropriate evidence that each assertion made by management is true (free from material misstatement)
• “The auditor's objective is to test that …”
  o Formulate the audit objective for a particular class of transactions, account balances or disclosures so that it is directly derived from the applicable assertions
    - For example, “the auditor's objective is to test that … all purchases transactions have been completely recorded in the accounting records and none have been omitted” (completeness assertion)
    - The auditor can achieve this objective and, in doing so, gather the necessary audit evidence by performing
      o Tests on the operating effectiveness of controls over the completeness of purchases, but more evidence (substantive procedures) will be required, and/or
      o Substantive procedures on the completeness of purchases
        - The remainder of the audit evidence required (combined audit approach), or
        - All the audit evidence required (substantive approach)
Audit objectives
ASSERTION: AUDIT OBJECTIVE
• Occurrence: To test that all transactions that have been recorded in the accounting records actually took place
• Completeness: To test that transactions that took place have been completely recorded in the accounting records and none have been omitted
• Accuracy: To test that transactions have been recorded in the accounting records at the correct amounts and on the basis of correct calculations
• Classification: To test that transactions have been appropriately classified in the accounting records in accordance with their nature
• Cut-off: To test that transactions have been recorded in the accounting records in the accounting period to which they pertain
• Presentation: To test that all disclosures relating to the transactions that should have been included in the FS are appropriately presented and described
  o Financial and other information relating to is disclosed fairly and in the appropriate accounts
ASSERTION: AUDIT OBJECTIVE
• Existence: To test that all amounts included in the account balance at the end of the year actually exist
• Rights and obligations: To test that the entity is the legal owner of all amounts included in the account balance at the end of the year
• Completeness: To test that all amounts have been accounted for at the end of the year and nothing has been omitted
• Accuracy, valuation and allocation: To test that the account balance at the end of the year is correctly valued in terms of IFRS requirements
• Classification: To test that the account balances have been recorded in the proper accounts
• Presentation: To test that all disclosures relating to the account balances that should have been included in the FS are appropriately presented and described
  o Financial and other information relating to is disclosed fairly and in the appropriate accounts
What is the difference between a control objective and an audit objective?
Specific considerations
Wages: Attendance of wage payout
(1) Before the payout
• Take custody of all the pay packets and obtain the week's payroll printout in order to compare and agree the following:
o Payment details, such as the names of employees and wage amounts
o The total number of pay packets into which wages have been placed
• Select a sample of employees from the payroll for the week and:
o Compare and agree the details recorded on the payroll to the relevant employee details as recorded in the employee masterfile
o Inspect the employee's personnel records, such as their employment contract, UIF, medical aid and union details, to confirm their actual existence, and
o Inspect evidence that authorised clock cards, or employee ID cards that operate electronically, exist for the employees selected
• Select a sample of pay packets, open them, count the money in them, agree the amount with the employee payslips and the week's payroll printout and reseal the packets.
(2) During the payout
• Observe the identification of each employee
• Verify that the following occurs as the paymaster distributes the wages:
o Positive identification of each wage earner is inspected, and/or
o Biometric fingerprint authentication is used and appears to be operating effectively
(3) After the payout
• Observe whether pay packets that were not collected (i.e. unclaimed wages) are appropriately recorded on the payroll and in an unclaimed wage register
• Observe the unclaimed pay packets being delivered to the entity's cashier
• Inspect the unclaimed wages register for the period since the last payout for evidence of proof of collection during the period
• Identify whether any employee names appear regularly in the unclaimed wage register, and if so inspect employee personnel records to investigate and confirm their existence in order to identify possible fictitious employees
• Confirm that unclaimed wages are banked within a reasonable period of time, by inspection of the necessary entries in the unclaimed wages register, bank deposit slips and bank statements
• Inspect the signature of the persons responsible for paying out the wages on the payroll printout.
Bank and Cash
(1) Surprise cash counts
• All cash must be counted by staff simultaneously
• Cash count should be performed in the presence of the cashier
• Compare actual amounts to theoretical amounts per supporting documentation
(2) Interbank transfer schedule
• This shows the details of transfers between accounts around year end
• Investigate the transfer schedule to ensure that all transfers out of an account are matched by transfers into an account in the same year and that the transaction was timeously recorded
(3) Bank reconciliations
• Obtain external confirmation of bank account balances
• Inspect evidence that the reconciliation has been reviewed by management and any reconciling items have been investigated
• Investigate reasons for long outstanding items
• Agree bank statement balance on the reconciliation to the bank statement and the GL balance on the reconciliation with the bank account in the general ledger
• Reperform castings and calculations
• Review reconciling items for logic and reasonableness
• Review subsequent reconciliations to verify that reconciling items have since been resolved
• If reconciling items are significant, inspect supporting documentation (EFT payment documentation and proof of deposits)
• Ensure errors or omissions identified in reconciliation that relate to accounting records have been corrected
• Obtain cut-off bank statement (bank statement for 7-10 days after YE) in order to test reconciling items in reconciliation and clearing of these items
• Extend audit procedures to examine reconciling items in prior months' reconciliations and compare to current month
o Identify long-outstanding and suspicious items
BANK RECONCILIATION
COMPANY'S NAME AT 31 DECEMBER 2011
                                                  R
Closing balance as per cash book – 31/12/11       11,367
Add: Outstanding payments (C)                      3,150
   Cheques: Chq 564, Chq 581
   EFTs: 30/12, 31/12
Less: Outstanding Deposits (D)                    (5,230)
Balance as per Bank Statement – 31/12/11           9,287
Inventory - Attendance of inventory counts:
(1) Before the count
• Obtain and evaluate management's instructions, are they adequately designed?
o Have competent staff been assigned?
o Are the staff in teams of two or more people?
o Is there sufficient control over stationery?
o Are there procedures in place for marking of counted items?
• Understand the area, observe the area if possible, noting how inventory is packed and identifying items that may be difficult/impractical to count → discuss alternative arrangements with management
(2) During count
• Observe and evaluate the following count procedures to ensure that they are performed properly and in accordance with management's instructions:
o There is a correct issue of count sheets, signing of the teams and supervisors and recording thereof in the register
o Counters count in teams of two, one person counts and one records
o There is appropriate supervision and control, all changes are authorised and the supervisor's signature appears next to each change
o There is control over completed count sheets, and there are count and recount procedures in place
o There are controls over cut-off and movement of inventory
o All inventory items that are counted are then marked
• Perform test counts to corroborate effectiveness of controls:
o Trace a sample of items from the count records to floor and vice versa
• Look out for slow-moving items or obsolete/damaged items
(3) After count
• Obtain copies of count records, and avoid alteration thereof
o Perform subsequent procedures: ensure that the final inventory records reflect the correct amounts counted
• Document observations made during the count and report weaknesses to management
(4) Other considerations
• If there is inventory held in multiple locations:
o Audit strategy may state that it is necessary to visit other locations to perform counts, or other auditors must be appointed to attend these counts
• If the auditor cannot attend the count:
o If it is impractical to do so, alternative procedures should be in place to verify existence and valuation of inventory
  - Verify the sale of material inventory items
o If other procedures are not possible or do not provide sufficient appropriate evidence, consider the effect of this limitation on the audit report
Creditors reconciliations:
(1) General audit procedures
• Compare and inspect reconciling items of this month to that of the previous and following months to determine whether the items are repetitive in nature
• Agree creditors GL balance on the creditor's reconciliation to the creditors account in the GL
• Agree outstanding creditors balance on the reconciliation to the statement received from the creditor
• Recalculate the reconciliation (cast and extension)
• Obtain a management written representation confirming the reconciliations are accurate and complete
(2) If there is a debit balance per the GL
• Test for unrecorded purchase invoices and cut-off errors
• Inspect creditor's account for unusual entries/causes of the debit balance
• Inspect the financial statements to determine whether this balance is classified as a debtor (as required by IFRS)
• With the client's consent, obtain direct confirmation about the debit balance from the supplier
o If this is not possible, enquire from the supplier about the validity of the reconciling items that make up the debit balance
(3) If there are payments made that do not appear on the statement
• Agree the payment with:
o Deduction on the bank statement or cashed cheque
o Subsequent creditor's statement or receipt
• Inspect the creditor's statement and verify that the payment is not present
• Inspect the creditor's GL account and verify that the payment is present
(4) If there are goods returned that do not appear on the statement
• Agree the amount of the credit entry to:
o Subsequent month's statement received from creditor
o Journal entry, as a deduction or credit against the inventory account
o Debit notes
• Inspect return documentation: goods returned note or credit note
o Ensure that the note has been issued before year end and it has been signed
• Inspect the creditor's statement and verify that the goods are not present
• Inspect the creditor's GL account and verify that the goods returned are present
(5) Goods not received
• Inspect the subsequent statement and confirm the adjustment
• Obtain proof of delivery from the creditor
• Inspect GRN and confirm that a GRN is not made out for these goods
• Enquire from store personnel whether the inventory had arrived
• Inspect the creditor's GL account and verify that the goods are not included
(6) Goods received but no invoice received, therefore no recording
• Agree description and amount to the GRN or delivery note
• Inspect the outstanding invoice (if received) to confirm amount agrees with statement
• Inspect the following month's reconciliation to determine that the amount is no longer a reconciling item
• Inspect inventory (or sales records if sold) to confirm that goods have been received
• Inspect the GL to confirm that provision has been made for the receipt of goods
• Inspect the creditor's statement to confirm the invoice is present
• Inspect the creditor's GL account to confirm that the goods are not present
Substantive procedures
1. Objective (assertion)
2. Tool (documentation)
3. Action (audit procedure)
STEP 1: Identify applicable classes of transactions, account balances
STEP 2: Identify the relevant documents
STEP 3: Formulate audit objectives directly derived from assertions
STEP 4: Audit procedures to be used
• Inspection: Examining records or documents
• Observation cannot serve as a substantive procedure as it cannot provide audit evidence about an amount or disclosure
• External Confirmation: Audit evidence obtained by the auditor as a direct written response to the auditor from a third party
• Recalculation: Checking the mathematical accuracy only of documents already recorded or records
• Reperformance: Auditor's independent execution
• Inquiry: Seeking information of knowledgeable persons
STEP 5: Select the type of procedure to be performed
1. General procedures: These are substantive procedures that are performed on every audit in so far as they are applicable
2. Detail tests of transactions: These consist of inspection, external confirmation, recalculation, reperformance and inquiry
3. Detail tests of balances: These consist of inspection, external confirmation, recalculation, reperformance and inquiry
4. Analytical procedures: These involve evaluations of financial information through analysis of plausible relationships among both financial and non-financial data
1. General substantive procedures are the following:
1. Obtain a schedule, and recalculate it
2. Agreeing opening balances for the accounts in the SFP with the prior year's audited annual financial statements and auditing working papers
Also inspecting the notes to the prior year's financial statements for the accounting policies used to derive the opening balances, and comparing this to the corresponding current year's accounting policies
3. Agreeing closing balances of
• General ledger accounts with the trial balance and then with the financial statements;
• Closing balances of general ledger accounts with underlying records
  o These underlying records include subledgers (casting, cross-casting and recalculating the underlying records)
    - Casting: Adding up a column of figures
    - Cross-casting: Adding up the totals of a number of columns to see whether the total agrees with the grand total
      • For example, adding the totals of each column in the debtors age analysis, to see whether the totals agree with the total amount owing by debtors
• Other general ledger accounts: they could include schedules, analyses and calculations prepared by management
4. Examining general ledger accounts for unusual or suspicious transactions (duplicated transactions, negative amounts, journal entries processed very close to year-end) and transactions that fall outside the normal course of business and may therefore be indicative of fraud
5. Obtaining a written representation letter from management
6. Evaluating all disclosures in the annual financial statements in terms of accounting standards, IFRS and other relevant legislation
• Reviewing accounting policies in order to verify appropriateness, in accordance with IFRS and legislation as well as consistent with prior year
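The screen described in item 4 above (duplicated transactions, negative amounts, journal entries processed very close to year-end) can be run over a general ledger extract as follows. This is an added example, not part of the original notes; the field names, the 3-day year-end window and the sample entries are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Year-end used in the notes' bank reconciliation example.
YEAR_END = date(2011, 12, 31)

# Constructed sample general ledger extract (not real client data).
# Field names (id, date, account, ref, amount, type) are assumptions.
SAMPLE_GL = [
    {"id": "JE-1001", "date": date(2011, 11, 14), "account": "Purchases",
     "ref": "INV-778", "amount": Decimal("4200.00"), "type": "invoice"},
    {"id": "JE-1002", "date": date(2011, 11, 14), "account": "Purchases",
     "ref": "INV-778", "amount": Decimal("4200.00"), "type": "invoice"},
    {"id": "JE-1003", "date": date(2011, 12, 5), "account": "Sales",
     "ref": "INV-9001", "amount": Decimal("-1500.00"), "type": "invoice"},
    {"id": "JE-1004", "date": date(2011, 12, 30), "account": "Revenue",
     "ref": "ADJ-12", "amount": Decimal("25000.00"), "type": "journal"},
    {"id": "JE-1005", "date": date(2011, 10, 3), "account": "Wages",
     "ref": "PAY-40", "amount": Decimal("8000.00"), "type": "journal"},
    {"id": "JE-1006", "date": date(2011, 12, 31), "account": "Provisions",
     "ref": "ADJ-13", "amount": Decimal("-3000.00"), "type": "journal"},
]


def flag_unusual_entries(entries, year_end, window_days=3):
    """Return {entry id: [flags]} for entries hit by any of the three screens."""
    # Screen 1: more than one entry sharing account, reference and amount
    # is a possible duplicated transaction.
    groups = defaultdict(list)
    for entry in entries:
        key = (entry["account"], entry["ref"], entry["amount"])
        groups[key].append(entry["id"])
    duplicated = {eid for ids in groups.values() if len(ids) > 1 for eid in ids}

    flagged = {}
    for entry in entries:
        flags = []
        if entry["id"] in duplicated:
            flags.append("duplicate")
        # Screen 2: negative amounts.
        if entry["amount"] < 0:
            flags.append("negative_amount")
        # Screen 3: manual journals dated on, or within window_days before,
        # year-end. Entries dated after year-end belong to the next period.
        days_before = (year_end - entry["date"]).days
        if entry["type"] == "journal" and 0 <= days_before <= window_days:
            flags.append("journal_near_year_end")
        if flags:
            flagged[entry["id"]] = flags
    return flagged


if __name__ == "__main__":
    for entry_id, flags in flag_unusual_entries(SAMPLE_GL, YEAR_END).items():
        print(entry_id, ", ".join(flags))
```

A flag only selects an entry for inspection against its source documents; it is not itself evidence of misstatement.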
2 & 3. Substantive tests of details have the objective of obtaining audit evidence to support the amount or disclosure that makes up a particular amount or disclosure in the financial statements
1. Inspection of relevant source documents or physical assets
2. Reperformance whereby the auditor repeats the exact same procedure as that previously performed by the entity's staff or computer system
• Key objective is to verify that the amounts and classifications included in the financial statements are free from material misstatement
3. External confirmation by obtaining direct written confirmation from external (third) parties
4. Recalculation by verifying mathematical accuracy of source documents and accounting records is correct
5. Enquiry through discussions with internal parties and external parties related to the entity
TO BE PERFORMED FOR EACH OF THE CLASSES OF TRANSACTIONS
Occurrence
   - Verified by selecting from accounting records to source documents, and when inspecting these source documents, verifying they relate to the entity
      o By doing so, detect any transactions that are not valid (for which a valid source document does not exist) and thus been invalidly recorded in the accounting records, resulting in the class of transactions being overstated
Completeness
   - Verified by selecting from source documents (such as invoices, sales contracts and agreements of loans provided) to the accounting records
      o By doing so, detect any documents that have not been recorded
Accuracy
   - Verified by verifying that correct data (such as quantities, prices) has been used and that calculations have been performed correctly
      o Verify the amounts in the underlying source documents and the correctness of underlying calculations
Cut-off
   - Verified by selecting transactions around year-end (just before and after) from the accounting records and tracing them to the source documents
   - And also, from source documents to the accounting records, verifying that the transactions are recorded in the correct period based on the dates of the documentation inspected
      o Inspect documentation for dates
TO BE PERFORMED ON THE BALANCE OF THE ACCOUNT AT YEAR-END
Existence
   - Whether all the assets and liabilities recorded are valid and thus exist
   - Selecting balances from the accounting records and agreeing the balance to source documents, third parties or by physical inspection
      o By doing so, the auditor will detect any asset or liability recorded in the entity's records that is invalid (does not exist) and thus resulted in an overstatement of assets
Rights and obligations
   - Verified by confirming that the entity is the legal owner of the assets and is obliged to settle the liabilities recorded
      o Reviewing documents (title deeds, contracts) for assets owned by the entity
      o Enquiry of third parties and obtaining third party external confirmations from banks (e.g. for bank account balances), the entity's lawyers
      o Reviewing minutes of meetings of the entity for any possible discussions and decisions with regard to the entity not remaining the legal owner of any assets or not being liable for any of its liabilities
      o Review the terms, conditions and other information in contracts
         ▪ By doing so, verifies that the entity has the legal right to recorded assets (or obligation for recorded liabilities), thus detecting any account balances that have been incorrectly recorded in the accounting records and have thus resulted in the balance being overstated (assets) or understated (liabilities)
Completeness
   - Verified by auditing from source documents (such as invoices, bank statements, minutes of meetings, third party confirmations) to the accounting records, in order to test for an understatement
      o By doing so, detect any amounts that have not been recorded
Accuracy, valuation and allocation
   - Detailed testing of management's valuation or valuation methods to gain an understanding thereof, and evaluate the calculation for reasonableness based on any assumptions applied
      o Consider the possible use of an expert to review the reasonableness of the valuation or the valuation methods
4. Substantive analytical procedures are the following:
- Compare and inspect the following for:
   o Current year;
   o Budget;
   o Previous year(s)
- Reconcile data used in ratios with the general ledger
- Develop an expectation about the account using knowledge of the business
- Inspect the results of the analytical procedures, data and general ledger accounts for unusual items
   o And investigate and confirm significant deviations in management
Substantive analytical procedures are performed if:
- Control risk for the audit is provisionally evaluated as low, which means that the provisional evaluation of the internal control design appears to be appropriate.
- You will place reliance on the internal control system.
- If the inherent risk can be evaluated as low it means that you will be willing to accept a higher level of detection risk in order to get audit risk to an acceptable level.
- Therefore a system based audit strategy will be followed.
- Consequently extensive tests of control will be performed.
- Few detail tests will be performed,
Substantive procedures
Debtors

                              Debtors
Opening balance               | Bank (customer receipts)
Credit sales                  | Sales returns
                              | Discount allowed
                              | Bad debts
                              | Allowance for credit losses
                              | Closing balance

General substantive procedures
- Agreeing opening balances with the prior year's audited financial statements and audit working papers
   o (SP) Opening balance in the general ledger account is always compared to the prior year's financial statements and the audit working papers
- Agreeing closing balances of general ledger accounts with the trial balance and then with the financial statements
   o (SP) Agreeing closing balances of the
      ▪ Total of outstanding debtors' balances per the age analysis; to the debtors ledger
      ▪ Total of the balances in the debtors ledger; to general ledger
      ▪ Debtors control account balance in the ledger to the trial balance and then to the financial statements
- Examining general ledger accounts for unusual or suspicious transactions
- Obtaining a written representation from management
   o (SP) Regarding the existence of debtors
   o (SP) Regarding the reasonableness of the disclosed debtors figure and that it has not been overstated, therefore, valued correctly
- Evaluating all disclosures in terms of accounting standards, IFRS and other relevant legislation
   o (SP) Reviewing accounting policies in order to verify appropriateness, in accordance with IFRS and legislation as well as consistent with prior year
      ▪ It is disclosed as a current asset
      ▪ That the amount of bad debts has been deducted from debtors
Substantive analytical procedures
- Compare and inspect the following for:
   o Current year
   o Budget
   o Previous year
      ▪ Debtors balance
      ▪ Debtors payment term
      ▪ Current ratio
      ▪ Outstanding balances
      ▪ Quick-asset ratio
- Calculate the total outstanding per the different terms (30 days, 60 days)
   o Calculate it as % of the debtors figure and
   o Calculate it as % of sales for the relevant month
- And compare and inspect with previous year, budget and company policy
- Compare and inspect the total outstanding per category with the previous year
- Follow up any significant deviations through queries to management and further audit procedures
- Compare and inspect list of debtors with that of previous year to determine whether any are missing or have been added wrongly
Test of details to be performed on each class of transactions
- Select a sample of order forms and particularly take note of abnormalities
- Test the selected orders above as follows:
   o Inspect for the signature of the client and credit controller
   o Compare and inspect details with
      ▪ DN
      ▪ Dispatch documentation (registered postal slip)
      ▪ Invoice of which the details are checked as follows
         - Price lists and catalogues
         - Summations and calculations and
         - Entry in debtors ledger and sales journal
- Select a sample of credit notes and take note of abnormalities
- Test and inspect the credit notes against
   o Debit notes or correspondence (also checked like invoices)
   o Original invoices
   o Entry in SRJ and debtor's ledger
- Select a sample of payments received
- Inspect details against
   o Bank stamped deposit slip for
      ▪ Drawer, amount and date
      ▪ Entries on the bank statement
      ▪ Entry in the cash book and debtors ledger
- Reperform number sequence of the following
   o Invoices entered in the sales journal
   o Credit notes entered in SRJ
- Inspect the following suspense files for long outstanding items
   o Orders awaiting a DN
   o DN awaiting invoices
      ▪ And obtain explanations for all long-outstanding items
- Cut-off procedures:
   o Obtain last DN numbers from inventory records and check that no later document numbers have been entered in the records for the year
   o Select a number of DN around YE and trace to relevant documentation → verify that they have been recorded in the correct period
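The number-sequence and cut-off procedures above can be reperformed over an exported sales journal. The sketch below is an added example, not part of the original notes; the journal layout, the year-end date, the last DN number and all sample entries are constructed assumptions.

```python
from datetime import date

# Assumed for illustration: financial year-end and the last DN number issued
# before year-end, as obtained from the inventory records.
YEAR_END = date(2023, 12, 31)
LAST_DN_OF_YEAR = 503

# Constructed sales journal: (invoice_no, dn_no, dispatch_date, recorded_date)
SALES_JOURNAL = [
    (1001, 501, date(2023, 12, 28), date(2023, 12, 28)),
    (1002, 502, date(2023, 12, 30), date(2023, 12, 30)),
    (1004, 503, date(2023, 12, 31), date(2023, 12, 31)),  # 1003 is missing
    (1004, 503, date(2023, 12, 31), date(2023, 12, 31)),  # entered twice
    (1005, 504, date(2024, 1, 2), date(2023, 12, 31)),    # next year's sale
    (1006, 500, date(2023, 12, 27), date(2024, 1, 3)),    # this year's sale
]


def sequence_exceptions(numbers):
    """Reperform the number sequence: return (missing, duplicated) numbers."""
    seen, duplicated = set(), set()
    for n in numbers:
        if n in seen:
            duplicated.add(n)
        seen.add(n)
    missing = sorted(set(range(min(seen), max(seen) + 1)) - seen)
    return missing, sorted(duplicated)


def cutoff_exceptions(journal, year_end, last_dn_of_year):
    """Flag entries recorded in a period that the DN evidence does not support."""
    findings = []
    for invoice_no, dn_no, dispatched, recorded in journal:
        recorded_in_year = recorded <= year_end
        # No DN later than the last DN of the year may appear in this year's records.
        if recorded_in_year and dn_no > last_dn_of_year:
            findings.append((invoice_no, "DN later than last DN of the year"))
        # Overstatement risk: goods dispatched after year-end, sale recorded before.
        if recorded_in_year and dispatched > year_end:
            findings.append((invoice_no, "recorded before year-end, dispatched after"))
        # Understatement risk: goods dispatched before year-end, sale recorded after.
        if not recorded_in_year and dispatched <= year_end:
            findings.append((invoice_no, "dispatched before year-end, recorded after"))
    return findings


if __name__ == "__main__":
    print(sequence_exceptions([entry[0] for entry in SALES_JOURNAL]))
    for finding in cutoff_exceptions(SALES_JOURNAL, YEAR_END, LAST_DN_OF_YEAR):
        print(finding)
```

Each exception is a starting point for follow-up against the underlying documentation, not a conclusion in itself.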
Tests of details to be performed on account balances at year end
- Inspect the reconciliation between the debtor's ledger total and debtors control account balance
- All significant reconciling items must be followed up through enquiries and obtaining supporting evidence
- Obtain the age analysis and select a sample of debtors accounts
   (Circular starts)
   o Forward a debtors circular to each debtor. Ensure that the sample is representative and includes the following:
      ▪ High-worth accounts
      ▪ Credit balances
      ▪ Nil balances
      ▪ Normal accounts (more high-worth than low-worth)
   o High risk items must be circulated positively – off-shore accounts, balances > 1m and debtors more than 90 days outstanding
   o Select a sample from the remaining categories of debtors and circulate these accounts – either positive or negative according to judgement
   o Examine differences brought to your attention by the returned debtors circulars as follows:
      ▪ Unacknowledged invoices with OF, DN, dispatch documentation
      ▪ Unacknowledged returns with credit notes
      ▪ Any other differences through discussion with management
   o Follow up debtors who have not reacted to the circular as follows:
      ▪ Determine whether debtors have not directed their responses to the client by mistake
      ▪ Address a second circular to the debtors by registered post and request confirmation of balances
      ▪ Telephone, with the client's permission, the debtors and
         - Request confirmation of the balances
         - Perform tests of detail on the unpaid invoices
         - Test the summation of the account
      ▪ If the debtor still fails to react, or if the alternative procedures do not give sufficient assurance, consider the unsuccessful answers in the sample result
         - If an unsatisfactory result is obtained, the tests on debtors will be expanded
- Contact, with the client's permission, the company's legal representatives and enquire about any legal actions instituted against the debtors
- Review the debtor's creditworthiness documents to obtain assurance of their creditworthiness and ensure that the credit terms have not been exceeded
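Casting and cross-casting the debtors age analysis, and picking the accounts that must be circulated positively, can be reperformed as follows. This is an added example, not part of the original notes; the column names, debtor names, amounts and the client's stated totals are constructed assumptions, and the three high-risk criteria are the ones listed above.

```python
BUCKETS = ("current", "30_days", "60_days", "90_plus")


def row(debtor, current, d30, d60, d90, total, offshore=False):
    """Build one line of the age analysis (amounts in whole rand)."""
    return {"debtor": debtor, "current": current, "30_days": d30,
            "60_days": d60, "90_plus": d90, "total": total,
            "offshore": offshore}


# Constructed age analysis as prepared by the client.
AGE_ANALYSIS = [
    row("A Traders", 400_000, 100_000, 0, 0, 500_000),
    row("B Exports", 50_000, 30_000, 0, 0, 80_000, offshore=True),
    row("C Holdings", 900_000, 300_000, 0, 0, 1_200_000),
    row("D Stores", 10_000, 0, 5_000, 20_000, 35_000),
    row("E Supplies", -15_000, 0, 0, 0, -15_000),   # credit balance
    row("F Retail", 0, 0, 0, 0, 0),                 # nil balance
    row("G Motors", 60_000, 20_000, 0, 0, 90_000),  # line does not add across
]

# Constructed totals row as stated on the client's schedule.
STATED_TOTALS = {"current": 1_405_000, "30_days": 450_000, "60_days": 5_000,
                 "90_plus": 25_000, "total": 1_890_000}


def casting_exceptions(rows, stated):
    """Test the schedule horizontally and vertically.

    Returns (test, label, recalculated, stated) for every difference.
    """
    exceptions = []
    # Horizontal: each debtor's ageing buckets must add up to that debtor's total.
    for r in rows:
        across = sum(r[b] for b in BUCKETS)
        if across != r["total"]:
            exceptions.append(("cross-cast row", r["debtor"], across, r["total"]))
    # Vertical: each column must add up to the stated column total.
    for col in BUCKETS + ("total",):
        down = sum(r[col] for r in rows)
        if down != stated[col]:
            exceptions.append(("cast column", col, down, stated[col]))
    # Cross-cast: the stated column totals must add up to the stated grand total.
    across_totals = sum(stated[b] for b in BUCKETS)
    if across_totals != stated["total"]:
        exceptions.append(("cross-cast totals", "total", across_totals, stated["total"]))
    return exceptions


def circularisation_plan(rows, high_value=1_000_000):
    """Split debtors into mandatory positive circulars and the remaining pool."""
    positive, judgement = {}, {}
    for r in rows:
        reasons = []
        if r["offshore"]:
            reasons.append("off-shore account")
        if r["total"] > high_value:
            reasons.append("balance > 1m")
        if r["90_plus"] > 0:
            reasons.append("more than 90 days outstanding")
        if reasons:
            positive[r["debtor"]] = reasons
        elif r["total"] < 0:
            judgement[r["debtor"]] = "credit balance"
        elif r["total"] == 0:
            judgement[r["debtor"]] = "nil balance"
        else:
            judgement[r["debtor"]] = "normal account"
    return positive, judgement


if __name__ == "__main__":
    for exception in casting_exceptions(AGE_ANALYSIS, STATED_TOTALS):
        print(exception)
    print(circularisation_plan(AGE_ANALYSIS))
```

The remaining pool is tagged by category so that the sample drawn from it can still include credit balances, nil balances and normal accounts.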
Accounting Estimates and Presentation (allowance for credit losses or provisions)
General substantive procedures
- Enquire from management whether the same procedures and assumptions for the provisions of doubtful debts were used as in previous years and investigate changes
- Evaluate reasonableness of management's estimates by comparing previous years' estimates with actual bad debts written off in subsequent years
- Determine whether the data used in the estimate is reasonable and accurate by performing the following on the age analysis:
   o Test the mathematical accuracy horizontally and vertically
   o Agree the total on the age analysis and the provisions calculation with the ledger balance and the annual FS
   o Test the ageing of a number of amounts, as shown in the analysis by tracing them to the supporting documentation
- Obtain a management representation regarding the reasonableness of the provision for doubtful debts and that the debtors have been valued correctly
- Scrutinize the provision for doubtful debts account in the ledger for any unusual entries that must be followed up with queries to management
- Determine through reading the minutes of the board and management meetings whether any of the long-outstanding debtors have been liquidated
Tests of details to be performed on balances at year end (use the explanation in OneNote)
- Determine by means of the necessary routine investigations whether any of the long-outstanding debtors have perhaps not been liquidated
- Perform the following tests with regard to the collectability of long-outstanding debtors (by drawing a sample)
   o Follow up the posting register entries after YE with the payment advices and debtors account to determine whether the accounts have not been settled after YE
   o Inspect the posting register entries and compare to deposit slips to determine whether cash rolling took place
   o Inspect the correspondence with debtors according to their correspondence files to detect problems with collectability
   o Discuss the problem cases with the credit controller and enquire specifically about legal action taken, suspension of credit facilities and the existence of possible disputes
   o Examine the accounts and be alert to indications of non-collectability
      ▪ Debtors who pay off lump sums on their accounts
      ▪ Long-outstanding invoices
      ▪ Payment of later invoices while earlier ones are outstanding
   o Review payments received after YE against the debtors ledger accounts and the schedule
   o Examine any debtors who have been handed over to the attorneys
- Review the calculation of provision for bad debts by referring to the following
   o The investigations mentioned above
   o The debtors age analysis
   o The basis on which it was done the previous year
   o Post SFP events such as the sequestration or liquidation of a debtor
   o Discussions with management
Fixed assets

                         Fixed Assets
Opening balance          | Disposals
Additions                | Closing balance

                    Accumulated Depreciation
Closing balance          | Opening balance
                         | Depreciation

General substantive procedures
Fixed assets
- Agreeing opening balances with the prior year's audited financial statements and audit working papers
   o (SP) Agree the opening balance with the previous year's financial statements or working papers
- Agreeing closing balances of general ledger accounts with the trial balance and then with the financial statements
   o (SP) Agree the totals of the cost price, accumulated depreciation, depreciation (expense) and book value column as per the fixed asset register with the trial balance, general ledger and the financial statements
   o (SP) Cast and cross cast all calculations of the general ledger, fixed assets register and the financial statements
- Examining general ledger accounts for unusual or suspicious transactions
- Obtaining a written representation from management
   o (SP) Relating to the existence, valuation and presentation of property, plant and equipment
- Evaluating all disclosures in terms of accounting standards, IFRS and other relevant legislation
   o (SP) Reviewing accounting policies in order to verify appropriateness, in accordance with IFRS and legislation as well as consistent with prior year
Depreciation
- Agreeing opening balances with the prior year's audited financial statements and audit working papers
   o (SP) From the statement of comprehensive income, therefore there is no opening balance
- Agreeing closing balances of general ledger accounts with the trial balance and then with the financial statements
   o (SP) Agree the depreciation per class asset with the general ledger, trial balance and financial statements
- Examining general ledger accounts for unusual or suspicious transactions
   o (SP) Investigate depreciation account for any unusual entries and follow up with management
- Obtaining a written representation from management
   o (SP) Acquire a management representation regarding the accuracy and reasonability of the depreciation expense
- Evaluating all disclosures in terms of accounting standards, IFRS and other relevant legislation
   o (SP) Reviewing accounting policies in order to verify appropriateness, in accordance with IFRS and legislation as well as consistent with prior year
Substantive analytical procedures
- Develop expectations regarding fixed assets and depreciation based on knowledge of the client's business, experience of previous audits, etcetera.
- Compare the data used to calculate the ratio below with the financial information system.
- Calculate each of the ratios below and investigate any significant variances/fluctuations to obtain acceptable representations
   o Calculate the ratio of each class asset's depreciation expense as % of the total expense
   o Calculate the ratio of the depreciation expense, per class asset, as % of the class asset's total cost price.
- Inspect/evaluate the results of the ratio analysis as set out above and acquire reasons and corresponding explanatory documentation to confirm any unusual variances.
Test of details to be performed on each class of transactions
- Depreciation
   o Confirm, through enquiry, that the depreciation policy applied is consistent with prior years
   o Investigate the reasonability of any residual values used in the calculation of depreciation by comparing it with recent sale prices
   o Establish if the depreciation rates used are reasonable through
      ▪ Discussions with management
      ▪ Considering the useful life of equipment
      ▪ Comparing it to industry norms
   o Examine the previous year's working papers and financial statement to confirm the depreciation policy
   o Examine the client's fixed assets register and confirm that this policy was applied during the current year
   o Select a sample of individual assets, recalculate the current year's depreciation expenses and agree it with the fixed assets register
      ▪ Follow any differences up through enquiry with management
   o Obtain a sample of depreciation from the fixed assets register and re-calculate such an amount to determine the accuracy thereof
- Improvements
   o Follow the improvements from the fixed asset register through to the capital budget, minutes of board of directors for audit evidence of authorisation of the purchase
   o Physically inspect the improvements and cross reference to the descriptions in the contracts or purchase documentation
   o Inspect the purchase documentation (invoice, contract) to confirm that it has been made out to the client for the selected improvements and has been signed
   o Inspect bank statement and confirm that payment has been made for the improvements
   o For the improvements, inspect the cost schedules or correspondence and recalculate cost calculations to ensure correct treatment of
      ▪ Accurate cost price of material
      ▪ Accurate transport cost and insurance
   o Discuss the reasonableness of any other expenses included with the financial director
   o Inspect the dates on all documentation e.g. invoice to confirm that the transaction has been recorded in the correct accounting period (cut-off)
   o Follow the entries through from the source documents to the general ledger and fixed-asset register to confirm that the transaction has been recorded in the correct accounts and is complete
   o Inspect the ledger or the fixed asset register and confirm that no depreciation was written off on improvements
   o Inspect the fixed asset register to confirm that the improvements were divided in components according to IAS 16
   o By inspection of the purchase documentation and the general ledger account, ensure that the VAT has not been included in the cost
   o Acquire a schedule e.g. the fixed asset register containing all the assets, improvements, acquisitions and disposals, and recalculate the register and confirm with the general ledger (general)
   o Acquire a management representation letter that confirms that the improvements are not overstated and therefore have been accurately measured and valuated (general)
   o Inspect the asset account or improvements for unusual entries and examine these items (general)
   o Scrutinise the repair work account for any items which may need to be capitalised
Test of details to be performed on account balances at year-end
- Select balances from the accounting records and agree them to source documents or physical inspection
   o Select a sample of assets from the fixed asset register and vouch it to the physical asset
- Review documents (title deeds, contracts) and confirm all details
- Obtain external confirmation of assets from banks (if used as a security)
- Review minutes of meetings to confirm that the entity is the legal owner of the asset (perhaps the entity is no longer the legal owner)
- Select items from the floor and trace them to the fixed asset register
- Test management's valuations of the assets or valuation methods and evaluate the calculation for reasonableness
   o Consider the use of an expert to review the valuation
   o During inspection of assets, confirm that the value according to the register is reasonable
      ▪ Inspect for any indications of damages
Creditors

                         Creditors
Payments                 | Opening balance
Returns                  | Purchases
Discounts                |
Closing balance          |

General substantive procedures
- Obtain a creditors schedule and recalculate the schedule
- Agreeing opening balances with the prior year's audited financial statements and audit working papers
   o (SP) Agree the opening balance with the previous year's financial statements or working papers
- Agreeing closing balances of general ledger accounts with the trial balance and then with the financial statements
   o (SP) Compare the following
      ▪ Total of the list of creditors' balances
      ▪ Balance of the creditors' control account
      ▪ Creditors amount taken up in the financial statements and accompanying schedules
- Examining general ledger accounts for unusual or suspicious transactions
   o (SP) Scrutinise the creditors' ledger and creditors' control account for strange entries and test them against valid documentation
- Obtaining a written representation from management
   o (SP) Obtain a management representation with regard to the completeness of creditors and that the disclosure of creditors in the financial statements is appropriate
- Evaluating all disclosures in terms of accounting standards, IFRS and other relevant legislation
   o (SP) Reviewing accounting policies in order to verify appropriateness, in accordance with IFRS and legislation as well as consistent with prior year
   o (SP) Review the disclosure of creditors in the financial statements and ensure that
      ▪ It is disclosed as a current liability
      ▪ A note is made of all contingent liabilities
      ▪ Debit balances under creditors have been carried forward to current assets
Substantive analytical procedures
Sub analytical procedures for creditors in OneNote
Accrued expenses
- Develop an expectation regarding the expenses with reference to the prior year, budgeted figures, industry norm as well as knowledge obtained from the operations during the financial year under review
- Compare the following with the prior year's figures, expectations (budgets)
   o Accrued expenses balance (per annum or per month);
   o Accrued expenses as % of creditors;
   o Accrued expenses against actual expenses in the following financial year;
- Obtain explanations and supporting documentation for any significant fluctuations
- Compare the expenses figures with the budget where the actual amount is significantly lower than the budgeted figures
Tests of details on transactions
Accrued expenses
- Perform the following procedures to identify any possible omitted expenses for which provisions are still to be made:
   o Inspect the list of accrued expenses and enquire from management and staff about any other expenses for which provision should be made
   o Compare and inspect the schedule with that of the previous years for any items appearing on the previous year's list but not on the current year's
   o Select a sample of accrued expenses from supporting documentation and trace to ledger
   o Inspect the expense account for any missing expenses to confirm that 12 entries have been made for monthly expenses
   o Inspect all long-term contracts to ensure that a provision has been made where appropriate
   o Inspect the YE reconciliations from the creditors ledger to the monthly statements for any reconciling items that indicate invoices for which provision has yet to be made
   o Inspect the suspense file for expenses incurred for which the invoice has not been received and for which provision has not been made
   o Confirm the reasonableness of provisions by inspecting the cash book or bank statement for payments made during the first two weeks of the month following and trace these to the supporting documentation
Test of details on balances at year end
Creditors
- Verify that the entity is legally obliged to settle liabilities by:
   o External confirmation
   o Review of minutes of directors' meetings (perhaps something was disclosed about the entity not being liable)
   o Review of contracts
- Test for understatement:
   o Select a sample of creditors accounts in the GL and compare to monthly statement
   o Compare current year's creditor list with prior years to detect if any are missing
   o Draw a sample of order forms/goods received notes and test as follows:
      ▪ Follow through and compare details with goods received notes, delivery notes and invoices
      ▪ Verify the transaction has been accurately recorded in the purchase journal and creditors ledger
      ▪ Verify that the transaction has been accurately transferred from the purchase journal to the creditors GL account
   o Draw a sample of payments and follow through to the cash payments journal, creditor's ledger and creditors GL account
   o Check the number sequence of entries in the purchase journal to test for omissions/duplications
   o Check the following suspense files for long-awaiting items:
      ▪ Order form awaiting a goods received note
      ▪ Goods received note awaiting an invoice
      Obtain explanations for long-outstanding items
   o Inspect the cash book and bank statement after year end and test any large items, which could be relevant to transactions before year end and should perhaps be included in creditors
   o Inspect the debtor's ledger for debtors with credit balances, ensure they are included in creditors
   o Select a sample of delivery notes and inspect validity
Income
General substantive procedures
- Agreeing opening balances with the prior year's audited financial statements and audit working papers
   o (SP) From the statement of comprehensive income, therefore there is no opening balance
- Agreeing closing balances of general ledger accounts with the trial balance and then with the financial statements
   o (SP) From the statement of comprehensive income, therefore there is no closing balance, however, agree closing total of general ledger to the trial balance and then to the financial statements
- Examining general ledger accounts for unusual or suspicious transactions
- Obtaining a written representation from management
   o (SP) In respect of all assertions applicable to income, mainly completeness and accuracy
- Evaluating all disclosures in terms of accounting standards, IFRS and other relevant legislation
   o (SP) Reviewing accounting policies in order to verify appropriateness, in accordance with IFRS and legislation as well as consistent with prior year, of income
Substantive analytical procedures
- Develop an expectation for the income received based on your current knowledge of business, industry, etc.
- Compare the sales data used to calculate the ratio with the financial information system.
- Calculate the following ratios and compare with the previous year's bonuses (previous year's working papers), budgeted income figure, month-to-month income:
   o Income as % of total income;
   o Total income;
- Inspect/evaluate the results of the ratio analysis as set out above and acquire reasons and corresponding documentation to confirm any unusual variances
Test of details to be performed on each class of transactions
- Select a sample of transactions on the schedule for income received and:
   o Follow the transactions to the contract (if applicable) and confirm details
   o Recalculate the income in terms of the contract/approved selling price list and agree with the schedule
   o Confirm the income is correctly classified as income
   o Inspect the date of the invoice to see whether the transaction was accounted for in the correct period
   o Inspect the bank statement for receipt of the total income amount
- Select a sample of invoices before and after year end and follow through to the general ledger to ensure that the transaction is recorded in the correct period
Occurrence
   - Verified by selecting from accounting records to source documents, and when inspecting these source documents, verifying they relate to the entity
Completeness
   - Verified by selecting from source documents (such as invoices, sales contracts) to the accounting records
Accuracy
   - Verified by verifying that correct data (such as quantities, prices) has been used and that calculations have been performed correctly
Cut-off
   - Verified by selecting transactions around year-end (just before and after) from the accounting records and tracing them to the source documents
   - And also, from source documents to the accounting records, verifying that the transactions are recorded in the correct period based on the dates of the documentation inspected
      o (SP) Inspect documentation for dates
Expenses
General substantive procedures
- Agreeing opening balances with the prior year's audited financial statements and audit working papers
   o (SP) From the statement of comprehensive income, therefore there is no opening balance
- Agreeing closing balances of general ledger accounts with the trial balance and then with the financial statements
   o (SP) From the statement of comprehensive income, therefore there is no closing balance, however, agree closing total of general ledger to the trial balance and then to the financial statements
- Examining general ledger accounts for unusual or suspicious transactions
- Obtaining a written representation from management
   o (SP) In respect of all assertions applicable to expenses, mainly completeness and accuracy
- Evaluating all disclosures in terms of accounting standards, IFRS and other relevant legislation
   o (SP) Reviewing accounting policies in order to verify appropriateness, in accordance with IFRS and legislation as well as consistent with prior year, of expenses
Substantive analytical procedures
- Develop an expectation for the expense based on your current knowledge of the business, sales contract etc.
- Compare the sales data used to calculate the ratios with the financial information system.
- Calculate the following ratios and compare them with the prior year's expenses (prior year's workpapers), budgeted expenses figure, month-on-month expenses:
   o Gross and net profit percentage;
   o Total expenses;
- Inspect/evaluate the results of the ratio analysis above and obtain reasons and underlying documentation which corroborate any unusual fluctuations.
Test of details to be performed on each class of transactions
Wages
x
x
x
Select a number of employees from the salary journal and perform the following:
o Inspect that each employee has an appointment letter in their personnel file which is signed
o Inspect the personnel file and confirm that there are no letter of resignation or dismissal
o Physically inspect the employee and identity number to confirm existence
o Compare and inspect the gross salary per the salary journal with letter of appointment or
authorised salary increase letter
o Recalculate the income tax deducted according to the tables from SARS
o Compare and inspect amounts of medical aid contribution with tariffs
o Compare and inspect deductions – pensions and UIF – with personnel file and ensure they
meet the statutory requirements
o Recalculate the net salary payable and compare with the salary journal
o Compare and inspect the net amount on the salary journal per employee with the net
amount on the list sent to the bank
Select a number of personnel files for (1) new appointments, (2) dismissals or resignations and
(3) existing employees, and perform the following:
o Resignations/dismissals: ensure persons with these letters are removed from the salary
journal
o Appointments: ensure persons with these letters are added to the salary journal and that
they exist on the system
Select a fe months transactions from the salary journal and perform the following:
o Test casting and cross casting of the salary journal
o Follow a gross amount from the salary journal to the salary account in the GL
o Compare and inspect the total of net payment column in the salary journal with the signed
list of net payments sent to the bank
Inventory
[Diagram: inventory T-account. Labels: Purchasing inventory, Manufacturing inventory; Opening balance, Purchases (creditors), Costs, Sales (debtors), Provision for obsolete inventory, Closing balance]
General substantive procedures
Inventory
Agreeing opening balances with the prior year's audited annual financial statements and audit
working papers
o (SP) Confirm, through investigation, that the opening balance of the inventory general ledger
account agrees with prior year's audited annual financial statements and audit working
papers
o (SP) Compare and inspect the provision for obsolete inventory with that of the previous year
Agreeing closing balances of the underlying records with the general ledger accounts and figures
with the trial balance and then with the financial statements
o (SP) Compare and inspect the total of the inventory listing with
ƒ The inventory balance per the general ledger account, and
ƒ Figures per the trial balance and the financial statements
Examining general ledger accounts for unusual or suspicious transactions
o (SP) Scrutinise the inventory general ledger account for any unusual or suspicious
transactions that may affect the existence or valuation of inventory
Obtaining a written representation from management
o (SP) On the valuation of the inventory
Evaluating all disclosures in terms of accounting standards, IFRS and other relevant legislation
o (SP) Reviewing accounting policies in order to verify appropriateness, in accordance with
IFRS and legislation as well as consistent with prior year
ƒ Confirm that inventory is disclosed as a current asset
Substantive analytical procedures
Develop expectations regarding inventory based on knowledge of the client's business, experience
of previous audits, etcetera.
Compare the data used to calculate the ratio below with the financial information system.
Calculate each of the ratios below and investigate ANY significant variances/fluctuations to obtain
acceptable representations
o Calculate the ratio of inventory to total assets
o Total inventory on hand
Inspect/evaluate the results of the ratio analysis as set out above and acquire reasons and
corresponding explanatory documentation to confirm any unusual variances.
Test of details to be performed on account balances at year-end
Select items from the inventory list and physically inspect the inventory
Confirm ownership of inventory by referring to purchase invoices of inventory as per the inventory
listing
Test valuation methods and evaluate calculations for reasonableness:
o Reperform calculations of the value of inventory (quantity x price) and test summations and
cross summations on the inventory list
o Select a sample of inventory listing and perform the following:
ƒ Compare the cost price to the invoice
ƒ Confirm cost price as per the supplier price list
ƒ Imported inventory – confirm cost price to bank exchange rate slip
o Enquire of management and inspect previous year's annual financial statements and
working papers to confirm that the inventory valuation methods have been applied
consistently
o Consider use of expert to review methods
o Inspect minutes of meetings to ensure there is no change in valuation methods
o Investigate, through enquiries, and physical inspection of damaged/obsolete inventory that
proper provisions
o Obtain a sample of inventory from the inventory listing and ensure that the cost price is
greater than the net realisable value, and if not, ensure that adjustments have been made
Loans
[Diagram: loans T-account. Debit side: Bank (repayment of loan), Closing balance. Credit side: Opening balance, Interest]
General substantive procedures
Agreeing opening balances with the prior year's audited financial statements and audit working
papers
o (SP) Confirm, through investigation, that the opening balance of the loan general ledger
account agrees with prior year's audited annual financial statements and audit working
papers
Agreeing closing balances of general ledger accounts with the trial balance and then with the
financial statements
o (SP) Compare the closing balance of the loan in the general ledger, with the balance on the
trial balance and the financial statements
Examining general ledger accounts for unusual or suspicious transactions
o (SP) Inspect the general ledger to identify any unusual or suspicious transactions, and
enquire of management or inspect supporting documents to substantiate the transactions
Obtaining a written representation from management
o (SP) Obtain a management representation that loans are shown completely and at the
correct value in the financial statements
Evaluating all disclosures
o (SP) Inspect the financial statements and confirm in respect of the loan
ƒ That the long-term portion of the loan has been classified as non-current liability and
that the short-term portion is classified as a current liability
ƒ That all securities offered for the loan facility have been disclosed adequately
ƒ Other disclosures regarding financial instruments
Substantive analytical procedures
Develop expectations regarding the long-term loan based on knowledge of the client's business,
experience of previous audits, etcetera.
Compare the data used to calculate the ratio below with the financial information system.
Calculate each of the ratios below and investigate ANY significant variances/fluctuations to obtain
acceptable representations
o Calculate the ratio of long-term loan to total non-current liabilities
o Ratio of short-term portion of loan to current liabilities
Inspect/evaluate the results of the ratio analysis as set out above and acquire reasons and
corresponding explanatory documentation to confirm any unusual variances
Test of details to be performed on each class of transactions
Obtain a bank confirmation letter of the loan with client's approval
o Compare and inspect the balance outstanding on the letter with the GL loan balance
o Ensure that the letter agrees to the loan agreement
Inspect minutes of meetings to confirm that adequate authorisation was given for the loan
Inspect the memorandum of association to confirm that adequate authorisation is given
Inspect the bank statement or cash book to confirm that the loan amount has been received
Recalculate the interest expense and confirm that this has been provided for
Recalculate the short-term portion of the loan, and inspect the annual financial statements and
confirm that:
o Long-term portion of the loan is disclosed as a non-current liability and the short-term portion
of the loan is classified as a current liability
o Securities have been disclosed adequately
COMPUTER INFORMATION SYSTEMS
Introduction
Two or more computers are connected to form a network
o One location – local area network (LAN)
o Different geographical locations – wide area network (WAN)
o Virtual private network uses telecommunication infrastructure
Software: programme that gives the computer the infrastructure to perform tasks
o System software: runs in the background of computers and gives hardware instructions on
how to run a specific application. E.g.: Microsoft Windows 7
o Application software: performs specific functions required by users. E.g.: Pastel
Accounting and Microsoft Office
Database can consist of transaction details or cumulative balances stored in a master file
o Master files are used to store permanent information (such as client information) as well as
cumulative totals or balances of transactions from transaction files
o Transaction files record the transaction details of each transaction in real time and batch
processing systems
ƒ Real-time processing system: Masterfile is updated with the cumulative totals or
balances when the transactions occur
ƒ Batch processing system: details of transactions are stored in a transaction file
until the system processes the data, then the information is used to update the
master file
Each file is made up of rows and columns of data
o When data is captured, it is stored in a field
o Multiple fields that relate to a particular transaction are stored in a record
o The records of all transactions are saved in a file
o A collection of files that relate to a similar class of transactions or balance make up a
database
How has information technology evolved?
Mainframe computer → standalone personal computer → networked computers → online networks and virtual or extended enterprises → convergent systems
TRENDS THAT ARE CHANGING THE MODERN IT LANDSCAPE
Trend: Distributed networks
x Shift away from centralised computer centres towards decentralised end-user
computing over a network → processing and storage of information is done on the
user's device.
x Decentralised networks make it more difficult to restrict access and implement proper
segregation of duties
Trend: Mobility
x Mobility combined with the concentration of information that can be stored on a
mobile device increases risk of theft of hardware and any confidential information
stored thereon
Trend: Open source
x Open source software: software that can be changed and amended by any user,
because the underlying computer programming code (source code) is available to
anyone to review, change and redistribute
x Software distributed under an open source license has reduced costs of software and
improved functionality
x Increased risk of hackers; however, as the code is available to anyone, as soon as a
weakness is identified there are many programmers who work simultaneously to find
a solution
Trend: Image processing
x Most devices are image code input devices, have fingerprint scanners etc, therefore
reducing data input errors
Trend: Convergence
x Hardware devices are more integrated and have a lot of functionalities (hardware and
software functionalities – e.g.: computer + camera + communication device + data
storage device + digital scanner = iPad)
x This blends numerous risks into one device and increases risk of hacking and viruses
Trend: Cloud computing
x Store data online and run application using internet browser or application
x User's device contains only the user interface, all processing and storage takes place
on internet
x Disruption of business processes if data is not available due to slow connections and
increase of risk of interception or loss of data
How and why do companies have to govern their computer information systems?
The IT governance framework includes the human, financial, physical and informational aspects of
IT
Advantages when good IT governance
practices are implemented
Reputation of company is improved, trust of
internal and external parties enhanced
Align IT with business goals and processes →
makes business operations more efficient and
creates competitive advantage
Non-IT executives gain a better understanding of
IT and better decision-making processes are
possible (information is timely and is of quality)
Greater level of compliance with laws and
regulations
Risk management procedures are maximised
Risks when good IT governance practices are
not implemented
Problems in running operations
Loss of confidentiality
Systems become less available, less reliable and
function less effectively
Unauthorised use, access to and changes to IT
systems
What is the impact of upgrading a manual accounting system to an electronic accounting system?
Benefits of using a computerised system
x Apply predefined business rules and perform complex calculations
x Improve the timeliness, availability and accuracy of information
x Extensive analysis of large volumes of information
x Enhance the ability to monitor the performance of an entity
x Reduce the risk that controls will be circumvented by people
x Enhance the ability to achieve effective segregation of duties
Risks of using a computerised system
x Unwarranted reliance on systems that could be incorrectly processing data or processing
incorrect data
x Unauthorised access to data that could result in the manipulation of data
x IT personnel can gain access beyond what is allowed
x Unintentional amendments to data and systems
x Errors during input and the processing of transactions
x Inappropriate manual intervention
x Potential loss of data whilst it is being processed
x Output may contain duplicate or incomplete information
x Overreliance on IT
What are the key components of a computer information system?
A Computer Information System (CIS) exists when any IT equipment plays a part in or impacts on the
processing of financial information
Hardware: All the physical electronic equipment and parts that make up a CIS
Software: All programmes that reside on any or all components of hardware
People: Those who interact with the processing of transactions are part of a CIS
Data: Includes all forms of data stored on the hardware
How does a computerised accounting system operate?
Input and processing environments
Batch entry and batch processing
x Individual hard-copy source documents are collected for a period of time (a day) into
bundles (batches)
x Manual checks are performed on the batches
x Bundles are then captured onto the computer system and converted into a format
that the computer can read, checked and stored in a transaction file
x Master file is updated with the data in the transaction file at a later stage when
convenient
Advantages:
x All transactions in the batch are subject to the same activity, tasks
x Transactions are processed accurately
x Only valid transactions are processed
x All transactions are processed
Online entry, batch processing
x Transaction data is entered directly onto the system from a terminal as the
transaction occurs (create source documents)
x Checks are performed, and data is authorised and processed to a transaction file
x At a later stage (when convenient), the master file is updated with the transaction file
data
Online entry, real-time processing
x Transaction data is entered directly onto the system which is linked to the accounting
system
x The accounting system immediately performs checks, creates source documents and
processes the transaction to the master file
Advantages:
x Master file is always up to date (unlike above two)
Shadow processing
x A copy of the master file is used during the day and is updated continuously as
transaction data is captured
x System also simultaneously creates a batch file of the day's transactions and this file
is used to update the original master file at the end of the day
Advantages:
x If the system crashes during the day, the original file is not corrupted and also acts as
a backup
x The shadow copy of the master file allows users to have real-time information
available at any point in time
How are computer controls classified?
Controls in an IT environment
General controls
x Policies and procedures that relate to many applications and that support the
effective functioning of information systems
x Relate to the overall information processing environment
x Implemented before transactions can be processed and implemented
independently of transaction
Application controls
x Manual or automated procedures that typically operate at a business process or
application level
x They focus on the processing of a specific computer application, programme or system
as opposed to general controls that focus on the computer processing environment
x Application controls relating to the computer programs used in the various business
cycles may be different for each different application
x If general controls do not work, application controls do not serve much purpose as
they are overridden
x Have a direct effect on specific assertions
How are general controls classified?
(1) ORGANISATIONAL CONTROLS AND PERSONNEL PRACTICES
Controls about how the CIS department is structured (policies, procedures and operations) and staff
practices
(a) Introduction:
x Company must establish organizational framework that delegates responsibility → achieve
SOD, clear structure and reporting lines
o Work of EEs supervised and reviewed, and qualified staff must be hired
o Staff must be kept up to date with new trends
x Organizational structure not in place:
o Unauthorised transactions
o Collusion → theft or fraud
o Lack of SOD → unauthorised transactions
o Misstatement going undetected
o Incompetent persons being employed
x When implementing new organisational controls → Create ethical culture and control
environment
(b) Answering a question:
x Examples of Organisational Controls which should be implemented
o Computer steering committee and CIS director:
ƒ There should be a computer steering committee (CSC) (CIS manager and
representatives of all user departments) for communication between the CIS
department and users
ƒ The CSC should be responsible for:
x Long-term planning of the CIS department
x Setting system development and operational standards
x The approval of system development requests
ƒ The CIS department should report directly to top management and the CSC
ƒ The CIS director must be appointed who is solely responsible for the CIS, with no
other responsibilities
o Personnel practices:
ƒ The CIS should draft personnel practices and user manuals which should be freely
available and reviewed regularly
ƒ The enterprise should have a formal recruitment policy to ensure only honest
and competent staff are appointed
x Conducting interviews
x Obtaining proof of qualifications
x Contacting references
ƒ User manuals should include detailed guidelines which include:
x Job descriptions for all CIS staff
x Organisational structures and reporting guidelines
x Leave:
o Special procedures to be followed when a CIS member is on leave
o CIS staff should be encouraged to take leave regularly
ƒ There should be personnel scheduling – staff should be assigned to specific jobs
ƒ Continuous monitoring of compliance to procedures and scheduling by the CIS
staff (performed by independent individuals)
ƒ Duties and tasks should be rotated to prevent boredom and to allow for cross-training (SOD and knowledge must be considered)
ƒ Continuous training must be offered to staff members
ƒ Continuous evaluation of work performed by personnel
o CIS department:
ƒ The CIS department must be segregated
x Development
x Operational
x Data Control
x Security
ƒ Each CIS area should only perform the functions allocated to them
ƒ There must be a segregation between the user-department and CIS department
(c) Delegation of responsibility
x King III → ethical IT governance environment be created
o NB to communicate corporate culture
x The board of directors must take responsibility for IT and IT governance in a company by its
actions, leadership, management philosophy and style, as well as by the strategic objectives that
are set.
x Responsibility of IT governance can be delegated to computer steering committee →
responsible for managing IT and acts as communication channel between users and IT
department
o Consist of knowledgeable executive management with a business and IT background
x Day-to-day management of IT delegated to IT manager
x In delegating responsibility, it is NB to establish clear reporting lines and levels of authority
through which appropriate IT personnel can communicate with and report to the board of
directors on a regular basis, if necessary.
(d) Segregation of duties
x SOD between IT and user departments:
o IT department organizationally separate from user departments
o IT department should report directly to executive management
o IT personnel should not be able to initiate or authorize transactions or change the
transaction or master file data unless this has been requested and authorised by a user
department
o IT personnel should be able to gain access to a company's resources
o Once IT personnel have performed work, the user department should be responsible for
reviewing the work and underlying data, records and files
x SOD in IT department:
o Between development function, operation function and security function
o Initiation, authorization, processing, executing, custody of assets and reporting
x Disadvantages of computerising with regards to SOD:
o Concentration of knowledge – risk that someone can make unauthorised changes to a
system
o Concentration of processing:
ƒ Many functions which could be separated in a manual system are concentrated on
a computerised system
ƒ Computers now used for authorisation and initiation of transactions
o Fewer staff members are required (less SOD)
o Management and employees may have limited knowledge of a computerised system
(e) Reporting, supervision and review
x All work performed by IT staff must be initiated by staff in a user department
o Only initiated by IT staff under exceptional circumstances and with special authorization
x While work is performed, it should be supervised
x Once work is performed, it must be reviewed by the manager and user
x IT manager should perform frequent reviews of the CIS
(2) SYSTEM DEVELOPMENT AND CHANGE CONTROLS
(a) System development
General controls
System development and acquisition:
x System development: process followed
when new system developed in house
x System acquisition: process followed
when a new system is acquired from a
vendor
Programme changes:
x More frequent, lower cost and shorter
period of time
x May be required by users in order to
obtain new features
Application controls
Processing:
x CIS processes information in the computer
package or system
Masterfile changes:
x Masterfile contains standing data that is
frequently used by the accounting
package but need not be changed
frequently
x A master file change occurs when the
master file or standing data needs to be
updated, say, for a new record or the
details of a record are updated
i.
Request submission, needs assessment and selection
x Project should originate from either a written user request or genuine business need identified
by management
o All requests documented and presented to BOD or computer steering committee (CSC)
to investigate and approve
x Depending on the size of the project and risks involved, a feasibility study should be conducted
including:
o A comprehensive user needs assessment;
o An investigation into the resources required for the project;
o An investigation into various alternative solutions, considering the option to purchase an
established package or system, make changes to the existing package or system, or
develop a new package or system in-house;
o Cost-benefit analysis, detailing all the costs, as well as all financial and other benefits of
each option; and
o A time planner showing all the deadlines.
ii.
Planning and design
x A system analyst should perform the following tasks during the planning phase:
o Define and record the users' needs
o Control the requirements from the internal/external report
o Draw up a preliminary system design
ƒ The needs assessment and/or the system specification must be reviewed and
signed off by the heads of all user departments before programming can
commence
x CSC appoint project team to manage project
o Include IT personnel and personnel from user departments affected and should include
financial, operational and controls knowledge.
o IT personnel are responsible for the system development, user departments' personnel
advise
ƒ All work performed according to predefined standards and control frameworks
x Project team prepares project plan containing timeline, and tasks and highlights the milestones
and tasks to be completed by certain deadlines
o Tasks are allocated to appropriate IT staff members
o Plan used to monitor and evaluate progress which is reported back to CSC on regular
basis
x Multilevel approval is now required before programming can commence
iii.
System development and testing
a. Development area
x The development area is used to program and develop the system.
x Programmers code/write software independently of live system and data
x Work on various versions of programme
x Programmer must make changes to copy in development area
x Sufficient documentation should be kept
x There should be a distinction between application of the system and programming of the system
b. Test area
x Once programming is completed, the programme is tested using test data
x Testing should take place independently of live system and data, and results reviewed and
approved by the relevant manager
x Various tests can be performed on the operations and performance of the hardware and
software, including:
o Programme test: Tests processing logic to verify whether all situations are treated correctly
o String/series test: Tests linking to related programme, e.g. correctness of data transfer from one
program to another
o System test: Tests all programmes when used together as a single system → testing
integration
o Stress/tension test: Tests performance and capacity of the system when high volume of data used
c. Production area
x Once testing is complete, programme moved to live system
x Before system goes live, should be reviewed again by all affected personnel for final approval
x Test results should be presented to CSC for review
d. Implementation
x Controls need to be implemented relating to the conversion to new programme and transfer of
data from old program to the new program
x The process must be placed under supervision of senior experienced staff
x Once system has gone live, ensure that the entire development process is documented and
stored in safe location for further use
o Furthermore, documentation about the system and its operations, including training
material, should be updated.
System close off and data clean up
x A changeover date must be set (e.g. year end, interim stock take date)
x All financial transactions in the old system have to be closed off (e.g. record cost of
sales entry in a periodic inventory system)
x All data in the old system must be cleaned up and corrected and tests performed to
ensure that all data is complete (e.g. perform inventory count)
x All necessary control totals and financial balances should be calculated (e.g. total
inventory on hand, hash totals of inventory codes)
x Record counts should be performed (e.g. count number of inventory codes)
x Where possible, all data should be externally verified (e.g. perform inventory counts)
x Backup should be made of the old system
x Data on the old system must be signed off by all affected parties as accurate and
complete.
x Any discrepancies identified in performing the abovementioned steps and unusual items
must be investigated and resolved.
System conversion
x One of three methods of implementing the new system can be used:
o Parallel processing: The old and new systems run concurrently for a limited period of
time. Most resource intensive and staff find it difficult to maintain two systems at the
same time, as it increases the risk of misstatement.
o Direct shut down: The entire old system is shut down at once and the new system
launched immediately thereafter.
o Modular (phased) implementation: The old system is phased out in sections and the
new system takes its place according to a set time frame. Least risky, and most cost
effective.
Post-conversion review
x The old and new data and files should be compared (e.g. reconcile the inventory codes
between the two systems)
x All necessary control totals (e.g. hash total of inventory codes), financial balances (e.g.
total value of inventory per type) and record counts on the new system should be
calculated.
x The calculated control totals, financial balances and record counts on the old system
should be reconciled to the control totals, financial balances and record counts on the
new system.
x The data on the new system should be compared to the results of the external
confirmation (e.g. inventory count) (where applicable)
x Exception reports should be extracted from the new system on all files, noting unusual
data fields (e.g. damaged inventory identified, incorrect control totals, negative
quantities, alphabetic characters in quantity field).
x Any discrepancies must be investigated and resolved.
x A register or exception report of all discrepancies or unusual items identified should be
maintained and approved by the user, once resolved.
iv.
Post-implementation review
x Any errors that occur after the new system has become operational should be corrected and a
register of these maintained by IT
x A couple of months after the system has become operational, a post-implementation review of
the system should be conducted by the user department, IT personnel, internal (and external)
auditors and members of management to determine whether:
o The system meets the respective users' needs in terms of performance and functionality;
o The necessary controls have been implemented;
o Misstatements that were detected have been resolved;
o The system development process was effective; and
o The system documentation and training material is sufficient.
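The post-conversion review described above (record counts, hash totals, financial balances and an exception report), worked through as an added example that is not part of the original notes. The file layout (code, quantity, unit_cost), the function names and the sample records are assumptions constructed for illustration.

```python
import csv
import io
import re
from decimal import Decimal, InvalidOperation

FIELDS = ("code", "quantity", "unit_cost")

# Constructed sample extract from the old system (inventory code, quantity, unit cost).
OLD_SYSTEM = """code,quantity,unit_cost
1001,10,25.00
1002,4,110.50
1003,0,9.99
1004,7,40.00
"""
# Constructed extract from the new system: one code re-keyed (1004 -> 1005),
# one extra record, a negative quantity and a letter "O" typed into a quantity.
NEW_SYSTEM = """code,quantity,unit_cost
1001,10,25.00
1002,4,110.50
1003,-3,9.99
1005,7,40.00
1006,1O,5.00
"""

WHOLE_NUMBER = re.compile(r"-?[0-9]+")


def load(extract):
    """Parse a CSV extract into dicts; missing fields become empty strings."""
    reader = csv.DictReader(io.StringIO(extract))
    return [{f: (row.get(f) or "").strip() for f in FIELDS} for row in reader]


def parse_quantity(raw):
    """Return the quantity as an int, or None if it is not a whole number."""
    return int(raw) if WHOLE_NUMBER.fullmatch(raw) else None


def parse_cost(raw):
    """Return the unit cost as a Decimal, or None if it is not a finite number."""
    try:
        cost = Decimal(raw)
    except InvalidOperation:
        return None
    return cost if cost.is_finite() else None


def control_totals(rows):
    """Record count, hash total of codes and financial balance for one file."""
    hash_total = 0
    value_total = Decimal("0")
    for row in rows:
        code = row["code"]
        if code.isascii() and code.isdigit():
            hash_total += int(code)  # meaningless sum, used only for comparison
        qty, cost = parse_quantity(row["quantity"]), parse_cost(row["unit_cost"])
        if qty is not None and cost is not None:
            value_total += qty * cost
    return {"record_count": len(rows), "hash_total": hash_total,
            "value_total": value_total}


def exception_report(rows):
    """List (code, reason) for every unusual data field in the file."""
    report = []
    for row in rows:
        qty = parse_quantity(row["quantity"])
        if qty is None:
            report.append((row["code"], "non-numeric quantity"))
        elif qty < 0:
            report.append((row["code"], "negative quantity"))
        if parse_cost(row["unit_cost"]) is None:
            report.append((row["code"], "invalid unit cost"))
    return report


def reconcile(old_rows, new_rows):
    """Compare old and new control totals and list everything to investigate."""
    old_totals, new_totals = control_totals(old_rows), control_totals(new_rows)
    old_codes = {r["code"] for r in old_rows}
    new_codes = {r["code"] for r in new_rows}
    return {
        "mismatched_totals": {name: (old_totals[name], new_totals[name])
                              for name in old_totals
                              if old_totals[name] != new_totals[name]},
        "missing_in_new": sorted(old_codes - new_codes),
        "added_in_new": sorted(new_codes - old_codes),
        "exceptions": exception_report(new_rows),
    }


if __name__ == "__main__":
    for item, detail in reconcile(load(OLD_SYSTEM), load(NEW_SYSTEM)).items():
        print(item, detail)
```

Every entry the script returns would go into the register of discrepancies, to be investigated and signed off by the user once resolved.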
(b) Change controls
x Needs of users change; it is therefore necessary to make amendments to functionality of
programmes or to update the program to meet the user's needs.
x These are known as program changes
o Controlling the way program changes are made is NB, as a small error when making
program changes could have the same severe adverse consequences as making an error
during system development.
o The process is similar in principle to that of system development:
ƒ The 5 stages of the system development life cycle should be followed.
Answering a question:
x Because of the frequent nature of program change requests, users should be required to
complete written requests on pre-numbered, pre-printed standard forms.
o Each request should be logged in a request register for later review and investigation.
ƒ If feasible and justifiable, the program change request must be approved by the
relevant line manager
x Once a program change has been effected, it must be recorded in the
register.
x Periodically, management must follow up any requests not completed
within a reasonable period.
x The same steps should be followed (i to iv) as per the system development process,
outlined in summary below:
o A conversion must be planned with timetables for instructions of when different tasks
should be completed
o Data Conversion: the standing data of the previous manual system must be prepared in
electronic files
ƒ The data control group from the information system division must be made
responsible
ƒ A senior member of management should supervise the data-conversion project
o Training Users:
ƒ Sufficient training must be provided to ensure everyone is familiar with the new
system
ƒ User manuals must also be prepared
o System Documentation:
ƒ E.g. flow charts, descriptions, operator manuals etc must be provided
o Implementation
ƒ Take place under supervision of management
ƒ Approval of management required first
o When data-conversion is finished, tests should be run to identify any errors
x Risks involved when developing a new system
o Cost of the development may be too large
o The new design may not meet the requirements of users
o There may be errors in the new system
o Important accounting principles and calculations may be wrongly implemented
o The new system may not have adequate controls to ensure integrity of data
o The risk exists that it will be difficult to understand the new system and may not be user
friendly
(3) ACCESS CONTROL
Controls, physical or computerized, that are implemented to prevent unauthorised access, and also limit
the activities of authorised people to authorised areas.
x Focus shifted from physically securing access to securing information in system
x Management uses least privilege principle → personnel given access only to data and systems
that are necessary for them to perform their duties properly
x Company should develop security management policy → documents process used to identify
security risks and allocates responsibility to employees
Physical access controls
Developed to control access from the
outside into the company using a walkthrough methodology
Physical security measures implemented
around computers, files and hardware
x
x
x
Logical access controls
If an authorised person gains access to a
computer, access should be limited using
these
Username, password, firewalls etc
Logs and audit trails used
WWW.TAKINGNOTES.CO.ZA
a. Preventative controls
• Security management policy
   o A formal, written policy should be made stating that only authorised persons may use terminals and that strict action will be taken against unauthorised users of terminals
      ▪ Policy acknowledged by employees
• Physical access controls
   o High electrified fences should restrict physical access and movement
   o Access to the computer venue should be restricted through keys/magnetic card readers/security guard with a register
   o A security guard must be present at all entrances to the building to accompany visitors through the building
   o Doors to the venue must always be locked if the computer is not in use, as well as when staff leave the venue
   o The venue should be visible so that unauthorised persons gaining access thereto can be easily identified
   o Additional security gates must be installed at the computer venue's entrance and an alarm with motion sensors should be installed
   o Access to the CIS venue should be limited to business hours
      ▪ Access after-hours should be restricted as follows:
         • A security guard should be present
         • Security cameras should be installed
         • An alarm with motion sensors should be installed
   o Important hardware should be locked away in a library
• Logical access controls
   o Authorisation tables should be used to ensure that:
      ▪ Computers are given terminal codes
      ▪ The access each user has to data is restricted to that required for their respective function to be performed
         • Allows some users access to edit data whilst others may only read
   o Each user should have a unique username and password/biometric access should be installed
      ▪ Password control:
         • Unique and not obvious
         • Combination of letters, figures and symbols, containing both uppercase and lowercase letters
         • Changed frequently
         • Not be displayed on the screen (i.e. blocked by ******)
         • Electronic files in which passwords are stored should be encrypted to prevent unauthorised access
         • If a password is incorrectly entered three times, access should be blocked and only reinstated by management
         • If the system is inactive for a certain length of time, it should log the user out and thereafter only grant access on re-entering of the password
         • If the system detects a breach in security, it should automatically shut down and only be reactivated once the IT managers have investigated the breach
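The password controls above (block after three incorrect entries, reinstatement by management only, log-out after inactivity, protected password file) can be written as a small logon gate. This is an added example, not part of the original notes: the class and method names, the 15-minute inactivity limit and the sample credentials in the usage are assumptions, and a salted PBKDF2 hash stands in for the "encrypted" password file. Every unsuccessful attempt is also recorded, which is the raw material for a security violation report.

```python
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 3          # from the notes: blocked after three incorrect entries
INACTIVITY_LIMIT_SECONDS = 900   # assumption: the notes only say "a certain length of time"


class LogonControl:
    """Hypothetical logon gate illustrating the password controls in the notes."""

    def __init__(self):
        self._users = {}        # username -> (salt, password hash)
        self._failed = {}       # username -> consecutive failed attempts
        self._blocked = set()   # usernames awaiting reinstatement by management
        self._last_seen = {}    # username -> time of last activity in a live session
        self.violations = []    # (time, username, reason): input to a violation report

    @staticmethod
    def _hash(password, salt):
        # The password itself is never stored; only a salted PBKDF2 hash is kept.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))
        self._failed[username] = 0

    def login(self, username, password, now):
        """Return True on success; record every unsuccessful attempt."""
        if username in self._blocked:
            self.violations.append((now, username, "attempt on blocked account"))
            return False
        record = self._users.get(username)
        if record and hmac.compare_digest(record[1], self._hash(password, record[0])):
            self._failed[username] = 0
            self._last_seen[username] = now
            return True
        self.violations.append((now, username, "incorrect username or password"))
        if record:
            self._failed[username] += 1
            if self._failed[username] >= MAX_FAILED_ATTEMPTS:
                self._blocked.add(username)   # third incorrect entry blocks access
        return False

    def is_active(self, username, now):
        """True while the session is live; an idle session is logged out."""
        last = self._last_seen.get(username)
        if last is None:
            return False
        if now - last > INACTIVITY_LIMIT_SECONDS:
            del self._last_seen[username]     # password must be re-entered
            return False
        self._last_seen[username] = now
        return True

    def reinstate(self, username, approved_by_management):
        """Only management can lift a block; the failure counter restarts."""
        if not approved_by_management:
            return False
        self._blocked.discard(username)
        self._failed[username] = 0
        return True
```

Times are plain seconds passed in by the caller so the behaviour can be checked without waiting; a real system would use its own clock.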
b. Detective and corrective controls
• Logs, activity registers and security violation reports
   o The computers must keep a record of unsuccessful attempts to gain access to the terminal
      ▪ This should be printed daily and carefully investigated
   o Every computer should have a list/log of daily activities
      ▪ This should be checked by an independent person for any unauthorised use or changes, which should be investigated
         • Detection of unauthorised changes:
            o Backup copy of the system should be recovered and reconciled with the information in the updated system
            o The input documents should be reconciled with the system
            o Balance control totals with recovered control totals
   o A log of changes to passwords should be printed and reviewed
• Data librarian whose job is to do the following:
   o Ensure safe custody and maintenance of data files and documentation
   o Limit access to programmes and documentation to authorised staff
   o Monitor and control programme changes
   o Ensure correct versions of programmes are being used
   o Ensure regular backups are made
   o Internal control considerations:
      ▪ Independent from system development and programmers
      ▪ Access to the library of masterfiles, documents and programmes restricted to authorised staff
      ▪ Procedures to control transfer of programmes from test status to production status
      ▪ Periodic review of library activities
• Data communication
   o Electronic security measures such as the following should take place:
      ▪ Encryption: software converts or encodes data
      ▪ Firewalls:
         • Software that restricts the inflow and outflow of information into and out of a computer system
         • Monitors content of data transmitted → suspicious data may be rejected
         • Equipped with antivirus and antimalware programme
      ▪ A call-back facility: once a valid device has been connected to the system, the system disconnects the device and reconnects the device using an identification number stored on the computer system
      ▪ Antivirus and antimalware programmes: block viruses and malware from entering a system
      ▪ Assurance logos: certification logos are displayed on a website showing that the computer uses an encryption or security system
(4) BUSINESS CONTINUITY CONTROLS
Ensure the continuity of processing by preventing system interruptions or limiting the impact of
interruptions.
(1) Preventative controls
• Non-physical dangers
   o Unauthorised access → use physical and logical access controls
• Physical dangers
   The following controls can be implemented to protect the company against the elements:
   o Fire: fire alarms, extinguishers and smoke detectors
   o Construction and location: before a computer facility is planned, it should be located away from obvious hazards (rivers, high-traffic areas and production facilities). The construction should be solid and elevated if possible
   o Electricity: protect against power failures, use renewable energy suppliers
   o Water: cables must be protected against water damage (taps and pipes) and special cable protectors should be implemented
   o Environment: climate control, neat, dust-free
   o Time: regular maintenance to reduce chance of failure
(2) Detective and corrective controls
• Back-ups
   o Made frequently using formalised policy including:
      ▪ When and how backups must be made
      ▪ Which files, including all operating and financial information necessary for a business to recommence operations should a disaster occur
      ▪ Regular backups should be scheduled and made
      ▪ Backups should be stored in a secure location, offsite and fireproof
      ▪ Backups should be tested frequently
• Emergency recovery plan consisting of:
   o A written emergency recovery plan containing set procedures relating to the duties and responsibilities of each employee during a disaster
      ▪ This should be widely distributed
   o A list of data and programme files that are key to the operations of the business and that have to be recovered first in case of a disaster and which should be removed from the premises
   o An alternative processing facility should be in place at which the company's core operations can continue to operate
   o Provisions should be made for testing the emergency recovery plan
• Mitigating impact
   o Insurance cover should be in place that covers pertinent risks
Application controls
Overview of the key components of application controls
• Input could be point-of-sale input, through an interface of another application (electronic data interchange)
   o Input of a transaction = raw data
• Processing converts raw data into information
• Independent manual controls: user controls that are performed independently of the operations of the computer system
• IT-dependent manual controls: user controls that are dependent on output produced by the computer system
• Programmed controls: solely dependent on, and performed by, the computer system
INPUT CONTROLS
• Ensure that data entered and Masterfile amendments are valid, accurate and complete
• If objectives not addressed:
   o Unauthorised transactions
   o Data amended without authorisation
   o Errors occurring during creation of source documents
   o Errors going unnoticed
   o Not all data captured

Comparison between control activities in a manual and a computerised environment:

Record procedures
   Manual environment:
   • Multiple copies of pre-printed, prenumbered documents
   • Manual comparison performed to confirm the correctness of the data
   • Manual checks (such as number sequence checks on invoice numbers)
   Computerised environment:
   • Documents replaced with screen containing same data
   • Programme makes comparisons between data captured and the information already stored in the computer's memory
   • Automated checks (such as computer generating a report of missing invoice numbers)

Authorisation and approval
   Manual environment:
   • Approval of transactions granted by senior staff member signing a document after reviewing supporting documentation (such as the financial manager signing a creditor invoice for processing after reviewing the underlying GRN)
   Computerised environment:
   • Application programmed not to proceed with task if:
      o Conditions not met (algorithms and parameters – implied authorisation) (such as a credit sale cannot be made if a customer does not have a sufficient credit balance)
      o Approval not granted (explicit authorisation)
   • If authorisation is dependent on documents from another part of the transaction – the programme can perform matching

Segregation of duties
   Manual environment:
   • Incompatible functions assigned to different employees
   • Employees only have access to documents necessary for duties
   • Responsibility assigned with signatures
   Computerised environment:
   • Access rights controlled → least privilege basis
   • Responsibility assigned with usernames
   • Logs, records or audit trails used to track unauthorised access

Access control
   Manual environment:
   • Physical barriers
   Computerised environment:
   • Electronic access rights
   • Logs provide additional security

Reconciliations and independent review
   Manual environment:
   • Staff members perform comparisons between multiple sets of data
   Computerised environment:
   • Computer automatically performs → exceptions recorded in log which is reviewed by management
   • Reconciliations easier in this environment because of availability and accessibility of data
   • Reports of balances per the computerised system are compared with the physical assets

• Recording of data – inputting controls applied to:
   o Person capturing document and the hard copy document
   o Computer screen
   o Validity, accuracy and completeness of information
   o Management review of data
Users:
• Users receive training on functionalities of programme to reduce the number of errors
• Dedicated employees should act as capturing specialists
• Employees should be held accountable for data capturing using access profiles

Documentation:
Comply with document standards:
• Well designed and easy to understand
• Controls over custody of documents
• After input is entered, comparison to hard-copy document should be done

Review, reporting and exception monitoring:
Senior member of staff should extract logs, audit trails and registers to review activities and identify unusual transactions

Screen aids:
Features and procedures that are built into a programme and are reflected on the screen to assist the user to capture data with the least amount of effort and lowest probability of error.
• Screen layout should require minimum data to be captured
   o Using drop-down menus and look-up functions
• User should confirm details already displayed on screen to underlying documents
• Highlight errors, prompt users to enter missing data or confirm data is correct
• Use compulsory fields – field must be completed before the program allows the user to continue capturing further data
   o Either: error messages displayed when compulsory fields are not completed/the function to complete the transaction is disabled until the fields are completed
Ideal situation – majority of data obtained from underlying master files, and the input of data restricted to the data that would trigger the application to recall the underlying data

Logical programmed controls:
Application controls that test the input of data against predetermined rules that are programmed into the computer package with the purpose of validating the input
1. Validity test → confirms data against database or Masterfile (V)
2. Limit/range test → tests data against a threshold or predetermined benchmark (prompts an error message that requires further authorisation or override to proceed if the data does not meet the benchmark) (A)
3. Related data test/matching → matches to related data (such as matching an invoice number to a GRN number) (V) and (A)
4. Field length test/size check → limit on number of characters entered (A)
5. Completeness test/mandatory field test/missing data test → field must be completed before the transaction can be continued (C)
6. Alphabetic/alphanumeric/numeric character test → types of characters restricted (A)
7. Reasonableness test → tests input against a number of logical tests (example: a programme can be set up to keep record of all price discounts granted to clients that exceed 5% of the norm) (V) and (A)
8. Sign test → field must be either positive or negative (A)
• As soon as the programme detects errors/missing data, the transaction should be rejected by the computer and an error message should appear
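The eight logical programmed controls above, applied to the capture of one creditor invoice. This is an added example, not part of the original notes: the masterfile, GRN list, field names, limit and field size are constructed, and the reasonableness test is read here as "discount more than 5% above the creditor's normal discount", which is an assumption about what "5% of the norm" means.

```python
from decimal import Decimal, InvalidOperation

# Constructed master data (not from the notes).
CREDITOR_MASTER = {"CR001": {"name": "Acme Paper", "normal_discount_pct": Decimal("10")}}
OPEN_GRNS = {"GRN7001": "CR001"}   # GRN number -> creditor the goods were received from
MANDATORY = ("creditor", "invoice_no", "grn_no", "amount", "discount_pct")
AMOUNT_LIMIT = Decimal("50000")    # assumed threshold above which an override is needed
MAX_INVOICE_NO_LEN = 10            # assumed field size

# Constructed sample input: a record that should pass every test.
SAMPLE_INVOICE = {"creditor": "CR001", "invoice_no": "INV10023", "grn_no": "GRN7001",
                  "amount": "1250.00", "discount_pct": "10"}


def validate_invoice(rec, override_approved=False):
    """Return a list of (test, message) failures; an empty list means accept."""
    # 5. Completeness / mandatory field test: nothing else runs on an incomplete record
    missing = [f for f in MANDATORY if rec.get(f) is None or not str(rec[f]).strip()]
    if missing:
        return [("completeness", "missing: " + ", ".join(missing))]

    # 6. Character test: amount and discount numeric, invoice number alphanumeric
    try:
        amount = Decimal(str(rec["amount"]))
        discount = Decimal(str(rec["discount_pct"]))
    except InvalidOperation:
        return [("character", "amount and discount must be numeric")]
    if not (amount.is_finite() and discount.is_finite()):
        return [("character", "amount and discount must be numeric")]

    errors = []
    invoice_no = str(rec["invoice_no"])
    if not invoice_no.isalnum():
        errors.append(("character", "invoice number must be alphanumeric"))
    # 4. Field length test
    if len(invoice_no) > MAX_INVOICE_NO_LEN:
        errors.append(("field length", "invoice number too long"))
    # 8. Sign test
    if amount <= 0:
        errors.append(("sign", "amount must be positive"))
    # 1. Validity test against the masterfile
    creditor = CREDITOR_MASTER.get(rec["creditor"])
    if creditor is None:
        errors.append(("validity", "unknown creditor code"))
    # 3. Related data test: the GRN must exist and belong to the same creditor
    if OPEN_GRNS.get(rec["grn_no"]) != rec["creditor"]:
        errors.append(("related data", "no matching GRN for this creditor"))
    # 2. Limit test: above the threshold the capture needs further authorisation
    if amount > AMOUNT_LIMIT and not override_approved:
        errors.append(("limit", "amount exceeds limit; override required"))
    # 7. Reasonableness test (assumed reading of "exceeds 5% of the norm")
    if creditor and discount > creditor["normal_discount_pct"] * Decimal("1.05"):
        errors.append(("reasonableness", "discount exceeds 5% of the norm"))
    return errors


def capture(rec, override_approved=False):
    """Reject the transaction with its error messages, or accept it."""
    errors = validate_invoice(rec, override_approved)
    return ("rejected", errors) if errors else ("accepted", [])
```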
Review, reporting and exception monitoring:
On a periodic basis, a senior member of staff should extract logs, audit trails and registers to review activities and unusual transactions. Various reports can be extracted:
• Logs and registers of computer activity
• Exception reports of activities that are outside the norm or exceed a predetermined benchmark
• An audit trail, which shows the flow of financial information and controls
• Control reports reflecting, e.g., total amount invoiced for a particular period
• Error reports
• Additional controls for the input of information:
   o Computer should be programmed to check the sequential numbering and identify missing numbers
   o Descriptive data-echo tests: information entered is used by the system to retrieve descriptive information from the master file and to echo it back to the operator (display on the screen) so that the accuracy of the input field can be confirmed
• If batch system used, additional controls:

Input controls:
• Clerk should first review the sequential numbering of documents and then should place the documents into manageable batches or bundles (i.e. daily)
• Each batch receives a unique bundle number (staff member must review sequential numbers and calculate various control totals)

Control totals:
• Financial totals (total value of all sales transactions, for example), hash totals (total of the document numbers added together), record counts (number of documents included in batch)
• The programme should only authorise the transaction file for processing if the control totals agree

Batch-control sheets:
• Contains: batch number, all calculated totals and details of transaction
• Second staff member should review the batch, recalculate totals and sign as proof
   o Should also ensure that the batch contains transactions for only the period specified
• Print batch control report as proof totals have been compared, which should be filed with batch control sheet
   o If totals do not agree, entries should be reviewed for accuracy
   o Report with rejected transactions/errors should be generated and reviewed

Batch register:
• Contains information on batch and tracks movement of batch documents to be processed (initialled by staff)

Error correction process:
• Error made while capturing data:
   o Detected by logical programmed controls, transaction must be rejected by computer and error message displayed on screen
   o No further inputting must be allowed until error corrected
      ▪ If not possible, a register of errors must be maintained
• Error identified on original source document:
   o System must delete the rejected transaction and transfer it to an error suspense file
      ▪ Error-suspense file is reviewed by management on a regular basis
   o Report of rejected transactions must be generated
   o Person who captures entries must investigate rejected transactions, send source document back to person who prepared it to correct it, record returned documents in error register and take the rejected transactions into consideration for reconciliation of control totals
   o After the source document is corrected, it is returned to the person who captures entries
      ▪ The capturer makes the necessary corrections and then re-enters the corrected document (must be subjected to relevant input and validation controls)
• Control total on batch control sheet differs from control total calculated by the computer:
   o System should not process the transaction file
   o Once transactions have been corrected, a new batch control report is printed
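The batch controls and the last error-correction case above, as an added example that is not part of the original notes: the programme recalculates the financial total, hash total and record count, compares them with the batch control sheet, checks the period and the number sequence, and authorises the transaction file only if everything agrees. The batch sheet, document numbers, amounts and dates are constructed, and the function names are assumptions.

```python
from datetime import date
from decimal import Decimal

# Constructed batch control sheet prepared by the clerk for invoices 501-504.
BATCH_SHEET = {
    "batch_no": "B0107",
    "period_start": date(2024, 3, 4), "period_end": date(2024, 3, 4),
    "financial_total": Decimal("735.75"), "hash_total": 2010, "record_count": 4,
}
# Constructed capture with a transposition error on document 502 (250.50 -> 205.50).
CAPTURED = [
    {"doc_no": 501, "date": date(2024, 3, 4), "amount": Decimal("100.00")},
    {"doc_no": 502, "date": date(2024, 3, 4), "amount": Decimal("205.50")},
    {"doc_no": 503, "date": date(2024, 3, 4), "amount": Decimal("75.25")},
    {"doc_no": 504, "date": date(2024, 3, 4), "amount": Decimal("310.00")},
]


def control_totals(transactions):
    """Financial total, hash total (sum of document numbers) and record count."""
    return {
        "financial_total": sum((t["amount"] for t in transactions), Decimal("0")),
        "hash_total": sum(t["doc_no"] for t in transactions),
        "record_count": len(transactions),
    }


def missing_numbers(transactions):
    """Sequence check: document numbers absent between the lowest and highest."""
    present = {t["doc_no"] for t in transactions}
    if not present:
        return []
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def out_of_period(transactions, start, end):
    """Documents dated outside the period specified on the batch control sheet."""
    return [t["doc_no"] for t in transactions if not start <= t["date"] <= end]


def batch_control_report(sheet, captured):
    """Compare computed totals with the sheet; authorise only if all agree."""
    computed = control_totals(captured)
    differences = {
        name: {"sheet": sheet[name], "computed": value}
        for name, value in computed.items() if sheet[name] != value
    }
    wrong_period = out_of_period(captured, sheet["period_start"], sheet["period_end"])
    return {
        "batch_no": sheet["batch_no"],
        "computed": computed,
        "differences": differences,
        "missing_doc_nos": missing_numbers(captured),
        "out_of_period": wrong_period,
        # The transaction file is not processed while any difference remains.
        "authorised": not differences and not wrong_period,
    }
```

A hash total alone would not catch the constructed error: the document numbers are all present, so only the financial total disagrees.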
PROCESSING CONTROLS
• Risk of errors during processing increased as a result of the following:
   o Repetition of errors in processing as a result of incorrect programming
   o Duplication of errors
   o Loss of audit trail in computerised environment – audit trail less visible
   o Loss of SOD – increases the risk that incompatible functions will not be separated and → errors remain undetected
   o Errors during the conversion of data from the manual → computerised system
   o Data input errors due to inexperienced staff
   o Human judgement is lost → illogical processing can occur
   o Risk of unauthorised access and changes to the system

User-related controls:
Those mentioned earlier, particularly relating to access and isolation of responsibility

Correct programme and file:
• Backup should be made of data before processing
• Data librarian should ensure correct version being used
• Mitigate risk of incorrect or old data by having clear internal naming of files and external labels of files
• Processing schedule or register linking each production run with a specific date and time
   o Librarian can then record file names next to the appropriate date in the register

Computer control totals and reports:
• Financial fields, hash totals and record counts should be generated and should be compared before and after processing
• Control totals of Masterfile, which must be updated with transaction data, must be compared with updated total of actual Masterfile
   o Differences must be investigated
   o This is file/shadow balancing
   o Alternative is run-to-run totals which can be reviewed and calculated by system
• The console log of processing (automatically updated by the system) and other control reports
   o Checked by data control group to identify processing disruptions and investigated

Controls during processing:
• Computer should detect any missing transactions or data by performing:
   o File sequence investigation (programme investigates whether the first transaction's reference number follows on the last transaction's reference number)
   o Completeness test
• Validation tests to detect data errors and processing errors

Review, reporting and exception monitoring:
Refer to that above

Error correction process:
Refer to that above
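File/shadow balancing and the file sequence investigation described above, as an added example that is not part of the original notes. The masterfile balances, transactions and function names are constructed; `post_run` is a stand-in for the production update run, with a switch that simulates a programming error so that the balancing control has something to detect.

```python
from decimal import Decimal

# Constructed debtors masterfile balances before the run.
MASTER_BEFORE = {"D001": Decimal("1000.00"), "D002": Decimal("500.00")}
# Constructed transaction file; reference 1003 is absent and D003 is a new account.
TRANSACTIONS = [
    {"ref": 1001, "account": "D001", "amount": Decimal("200.00")},
    {"ref": 1002, "account": "D002", "amount": Decimal("-50.00")},
    {"ref": 1004, "account": "D003", "amount": Decimal("300.00")},
]


def post_run(master, transactions, drop_unknown_accounts=False):
    """Constructed update run: posts transactions to a copy of the masterfile.

    drop_unknown_accounts=True simulates a programming error that silently
    skips transactions for accounts that are not yet on the masterfile.
    """
    updated = dict(master)
    for t in transactions:
        if drop_unknown_accounts and t["account"] not in master:
            continue
        updated[t["account"]] = updated.get(t["account"], Decimal("0")) + t["amount"]
    return updated


def sequence_breaks(transactions, last_ref_previous_run):
    """File sequence investigation: each reference must follow on the one before,
    starting from the last reference processed in the previous run."""
    breaks = []
    expected = last_ref_previous_run + 1
    for ref in sorted(t["ref"] for t in transactions):
        if ref != expected:
            breaks.append({"expected": expected, "found": ref})
        expected = ref + 1
    return breaks


def balance_run(master_before, transactions, master_after):
    """Shadow balancing: opening total plus transaction total must equal the
    total of the updated masterfile; any difference must be investigated."""
    opening = sum(master_before.values(), Decimal("0"))
    movement = sum((t["amount"] for t in transactions), Decimal("0"))
    closing = sum(master_after.values(), Decimal("0"))
    expected = opening + movement
    return {
        "record_count": len(transactions),
        "expected_closing": expected,
        "actual_closing": closing,
        "difference": closing - expected,
        "balanced": closing == expected,
    }
```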
OUTPUT CONTROLS
Output – distribution of data from where it is stored in one location to where it is viewed or restored in an
electronic format.
User-related controls:
• Refer to those above
• Access controls over users and output itself

Controls over the distribution of output:
• There should be a written policy on how each type of output should be treated:
   o Distributed to all departments, and each department should be made responsible for developing a procedure for output (where, when, how and in which format the data must be transferred)
   o Policy should address how output should be treated at the following stages: generation, during distribution, on receipt and after use
• Dedicated person appointed to accept responsibility for distribution of output
• Names of persons authorised to receive the output documented in a register (manual or electronic)
   o If the output is paper based, a manual distribution register is maintained; if the output is electronic, access to the output can be restricted using authorisation matrices
   o If the person reviews the output, proof of this should be provided
   o A senior person should review the distribution register to detect any unauthorised distribution

Controls when receiving output:
Recipient should:
• Reconcile input to output and control totals
• Perform output count and review number sequence
• Check page numbers
• Match content of report with table of contents
• Check blank pages contain words such as “empty page”
There should be fixed procedures to prevent unauthorised persons obtaining outputs after their intended use (i.e. locked away or shredded after use)
MASTERFILE CHANGE CONTROLS
• Where standing data is changed or added to the system
• Distinct from processing, where the computer updates the data from transaction files to a master file – which is subject to processing controls
• A data error in the Masterfile could have a significant impact on an accounting system because the data is often captured once and then re-used by different programmes
• Controls over Masterfile amendments rely heavily on input controls

User-related controls:
• Same as those mentioned earlier relating to level of authorisation
• The person making the changes to the masterfile should be independent of users of the particular information in the masterfile
• Approval granted by management → designated members should be given access rights
• Any changes that could have a fundamental impact on the financial records should only be allowed to be made on a designated computer
• Backups of Masterfile made before changes occur

Request forms:
• All Masterfile amendment requests should be documented on a Masterfile change request form (meets acceptable document standards) → reviewed by senior member of staff

Input controls:
• Same as those mentioned above

Review, reporting and exception monitoring of logs and registers, and financial data:
• Each request logged should be recorded in a Masterfile amendment request register
   o Regularly be reconciled with automated register of completed requests
   o Read-only rights should be granted to specific staff members
• Both registers must be reviewed by a responsible senior staff member to ensure that:
   o All changes are supported by an authorised request form
   o Changes inputted agree with the request form
   o Only authorised staff members capture the Masterfile changes
   o There are no long-outstanding requests not dealt with to date
• Senior member should on a regular basis:
   o Review the master file, and compare to master file amendment form
   o Reconcile the total on the relevant master file to the balance of the relevant control account in the GL
Other controls
• Data communication: transmission of data from a sender to a receiver in electronic form
   o Control achieved by:
      ▪ Using controls like processing controls (check validity, accuracy and completeness)
      ▪ Implementing specialised software (encryption, firewalls and antimalware programmes)
      ▪ Implementing specialised communication management software (manages communication between sender and receiver, limits access and manages the communication network)
      ▪ Physical cable protection
• All the controls mentioned above that are implemented over the various stages of the transaction flows are relevant to advanced technologies
• Process to follow when implementing or evaluating controls over any forms of technology:
   1. Obtain an understanding of the technologies
   2. Identify relevant risks
   3. Identify and evaluate adequacy of existing controls
   4. Break technology down into components
   5. Match actual components against theoretical controls that should exist
   6. Evaluate impact of controls and risk on business
   7. Select controls to mitigate the remaining risk to an acceptable level
• Controls implemented over the following for electronic commerce, EFT and other data communication:
   o Capturing data
   o Restricting and authenticating the user
   o Transfer of data over the internet
   o Policies and procedures
   o Continuity
   o Logs and reviews
Service organizations, outsourcing and data warehousing
• Outsourcing: function normally performed by the company is outsourced to another company
• Data warehousing: a c m a da a i ed a he c m a e e f a m hl fee
   o Newest form: software as a service
• Controls that service organizations need to implement:
   o Restricting and authenticating the user
   o Transfer of data
   o Protecting company against losses (controls ensure continuity of operations)
   o Policies and procedures (regarding legal issues relating to ownership and privacy)
   o Continuity
   o Logs and reviews
THE AUDIT PROCESS IN A COMPUTER INFORMATION SYSTEM ENVIRONMENT (CIS)
Introduction
• Computer assisted audit techniques (CAATs) are computerised tools and functions that an auditor uses to assist in performing audit procedures, used for the purpose of gathering audit evidence
• CAATs may be applied when a client makes use of computers to record and process its data or manage aspects of its operations
• Characteristics of CIS:
   o Absence of input documents
   o No clear segregation of duties
   o Lack of a visible audit trail
   o Consistent processing
      ▪ Advantage: programmed internal controls
      ▪ Disadvantages: programming errors
   o High speed processing
   o Interdependence of controls
      ▪ Programmed application controls – dependent on integrity of programme (general controls)
      ▪ User control – dependent on programmed controls
Approaches to auditing in a CIS
Auditing around the computer
• An auditor does not consider the automated controls present in a computer application
   o Input to the system (hardcopy supporting documents) is compared to the system’s output
   o Example: auditor selects a sample of credit notes from the sales return journal (output) for inspection of the physical credit note and underlying goods returned voucher (input documents)
• Used in a combined or substantive audit approach
• Focus on substantive procedures
• Advantages:
   o Cost-effective where the client operates a single computer system with a strong audit trail (simplistic computer system)
   o Minimal risk of corrupting client’s computer data, as the auditor does not make use of hardware input or data extraction in relation to the client’s computer system
• Disadvantages:
   o Audit may be ineffective or become overly expensive where the client makes reasonable use of computer systems, as the auditor does not take full advantage of the efficiency of the computer
   o There is limited ability to isolate exact causes or risks of financial misstatements, if these are as a result of control failure of the computer
• Does not constitute CAATs as computer technology is not used to test internal controls or verify financial data
Auditing through the computer
• The auditor tests the operating effectiveness of automated controls present in the computer application to be able to rely on internal controls for audit purposes
   o Example: entering data (test data) into the system and comparing the results of the test (actual output) with expected output
   o If the automated control did not operate as expected, the auditor notes a deficiency in internal controls
• Forms part of system-oriented CAATs where the internal controls relating to input of information into the computer and the processing of information by the computer are tested
• Used in a combined audit approach
   o Relates specifically to TOC, therefore not applicable when a purely substantive audit approach is applied
• Test (1) general (2) application controls and (3) user controls
• Advantages:
   o Highly effective where a large volume of homogenous transactions are subject to the same controls – complex computer system
   o It can pinpoint causes or risks of financial misstatements where these are due to computer-related control weaknesses
• Disadvantages:
   o It may be expensive as it requires specific computer technology (hardware and software) as well as expertise
   o There is a risk of corrupting data on the client’s system or disrupting the client’s computer operations
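The test-data example above (enter test data, compare actual output with expected output, note a deficiency where they differ) as an added example that is not part of the original notes. `client_capture` is a constructed stand-in for the client's application with one deliberately missing control, `hardened_capture` is the same routine with the control in place, and the item codes and quantity limit are assumptions. The test deck is limited to one input control; a crash of the system under test is recorded as a result rather than stopping the run.

```python
VALID_ITEMS = {"INV-100", "INV-200"}   # constructed inventory masterfile
MAX_QUANTITY = 10_000                  # assumed limit programmed into the application


def client_capture(item_code, quantity):
    """Constructed system under test. Deliberate deficiency for the
    demonstration: negative quantities are not rejected."""
    if item_code not in VALID_ITEMS:
        return "rejected"
    if quantity == 0 or quantity > MAX_QUANTITY:
        return "rejected"
    return "accepted"


def hardened_capture(item_code, quantity):
    """The same routine with the sign test in place."""
    if item_code not in VALID_ITEMS:
        return "rejected"
    if not isinstance(quantity, int) or quantity <= 0 or quantity > MAX_QUANTITY:
        return "rejected"
    return "accepted"


# Auditor's test deck: valid and invalid codes, positive, negative and zero
# values, and an exceptionally high value, each with the expected outcome.
TEST_DECK = [
    ("valid item, positive quantity", "INV-100", 5, "accepted"),
    ("invalid item code", "INV-999", 5, "rejected"),
    ("negative quantity", "INV-100", -5, "rejected"),
    ("zero quantity", "INV-200", 0, "rejected"),
    ("exceptionally high quantity", "INV-200", 1_000_000, "rejected"),
]


def run_test_data(system, deck):
    """Process every test transaction and compare actual with expected output."""
    results = []
    for case, item_code, quantity, expected in deck:
        try:
            actual = system(item_code, quantity)
        except Exception as exc:          # the system may crash on test data
            actual = "error: " + type(exc).__name__
        results.append({"case": case, "expected": expected, "actual": actual,
                        "deficiency": actual != expected})
    return results


def deficiencies(results):
    """Cases where the automated control did not operate as expected."""
    return [r["case"] for r in results if r["deficiency"]]
```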
Auditing with the computer
• Can be used in addition to each of the above two
• The data stored on a client’s computer system is made available to the auditor in electronic form, and analysed for risks and exceptions
   o Auditor does not have to work through large volumes of output data manually
• Commonly used in a substantive audit approach but may be used in a combined audit approach
• Advantages:
   o Greater control over the auditing of the client’s system data as the auditor has direct access to it on his or her own computer
   o Potentially enables larger sample sizes to be drawn and the computer’s processing power can be put to use
   o Normally less expensive and more efficient than manually auditing client data
• Disadvantages:
   o Requires computer knowledge and expertise
   o Risk of corrupting data on the client’s system or disrupting the client’s computer operations
   o Expensive where advanced data manipulation by means of specialised audit software or CAAT experts is required
   o Risk of breach of confidentiality where the client’s data has been transferred into the auditor’s possession and computer system
• A combination of the above approaches is most likely to be applied on a particular audit
   o However, an around the computer approach is distinct and mutually exclusive from a through the computer approach
Relationship between CAATs and audit procedures
• Sometimes, the application of CAATs will lead to the acquisition of direct audit evidence,
but other times it does not lead to acquiring audit evidence itself but enables further audit
procedures to be performed to gather audit evidence
o ie: CAATs cannot physically inspect details on an invoice/bank statement for
the auditor, but it can help to select a sample which then allows the auditor to
manually check these underlying documents
Who performs CAATs?
• If CAATs entail basic computer functions, any auditor can perform them without requiring
advanced computer skills
o However, if complicated data analysis techniques are required, dedicated
audit software and the skills of an information systems auditor (IS auditor)
may be necessary
§ IS auditors are qualified in the auditing of computerised financial
systems, including automated controls
§ On larger audits, a qualified IS auditor would be required to test the
client’s general and application controls (using a through the
computer approach) and the analysis of a client’s financial data
(using a with the computer approach)
• The IS auditor will submit a report about the IT controls as well
as reports about the analysis of client’s data
§ The audit team sends the following to the IS auditor:
• Risks of material misstatement
• Purpose of the audit procedure (eg: detect duplicated bank
account numbers on the payroll system)
• Population to which CAATs should be applied
• Financial period to which the tests relate
• Date by which the team requires the CAAT’s results
• Format in which the results should be supplied
• Specifications of the data required
SYSTEM CAATs
• Testing of operating effectiveness of automated controls using data input techniques and computer software
• Requires auditor to audit through the computer in a combined audit approach
• Different methods that can be used:
Test data
• Auditor inputs dummy/fictitious data into an entity’s system to evaluate the output against predetermined expectations in order to assess whether particular controls are operating effectively
• Example: if the auditor expects the application to have an automated control that prevents a user from entering a negative inventory quantity, the auditor can attempt to process a quantity of -5 for example
o If the test data is accepted by the system, the auditor knows that the automated control is not operating effectively
• Example: if a dummy credit note is simply accepted by the computer and processed to the GL without any automated control requiring initial approval of the transaction, auditor will note a deficiency in internal control
• Test data is effective for testing an application’s input and processing controls
• When designing the information, the auditor has to test all transactions that could possibly be affected by the control in order to test the operating effectiveness in all instances
• Risk of using test data:
o Same programme/version of the programme must be used throughout the year
o Element of surprise must not be lost
o Corruption of live data (and risk of viruses) must be limited
o System may crash
o Unauthorised changes/overrides of system identified
o All possible situations and programmed controls need to be tested
o May be difficult to remove data from the system
• Should normally include: valid and invalid account numbers/codes (creditors, debtors, inventory), positive, negative and zero values, exceptionally high or low values
Integrated test facility (ITF)
• Creation, with the client’s permission, of dummy accounts in the live financial system of a client which becomes a test facility for audit purposes
o This can be incorporated into an application during the design and programming phase of a system, or during setup of financial information
• A human operator does not necessarily know of the existence of the dummy account
• Example: a dummy creditor account is included in the system
o Whenever actual transactions are recorded to the creditor’s ledger, simulated transactions would be created at the same time and posted to the dummy account
o The auditor then has this account at their disposal to test the effectiveness of automated controls that impact the test and corresponding live data concurrently, without having to interrogate the entity’s system to the extent of possibly corrupting live data
• An ITF can automatically identify deficiencies in a live computer system
• Audit resources must allow for the use of an ITF
Parallel simulation
• Auditor processes the same set of data on the client’s computer system and on their own which mirrors that of the client
o The auditor has the assurance that their own system operates effectively and contains the necessary pre-programmed controls
o If the results of the processing differ between the systems, the auditor can conclude that the client’s system is functioning ineffectively
• Objective: test the operating effectiveness of automated controls (TOC) and not the correctness of amounts (SP)
System control audit review file (SCARF)
• Embedding an audit module into a client’s computer application to become part of the software itself
• Reports of errors, exceptions or deviations from expectations are written to the SCAR file which can be reviewed and followed up by the auditor
• Suitable in large client computer systems with numerous automated controls
o Can focus audit attention on important transactions and events where risks of material misstatement are most likely
o Suitable in certain areas of systems which are particularly prone to inappropriate activity by users
Code analysis
• Auditor analyses the coding of the client’s software application to determine the effectiveness of the programmed automated controls
• Requires specific knowledge of computer coding language by the auditor
• Auditor will be concerned with the effectiveness of general controls that were in place during the design phase of the application
o Therefore suitable when an audit client makes use of customised software
• There is a risk that the client’s system may be corrupted during system CAATs or the test data may become incorporated with live data, distorting the actual financial information
DATA CAATs
• Performance of data analysis in a substantive audit approach
• Data is analysed by the auditor directly without consideration of automated controls which may have affected the data
• Data analysis: examination of electronic information previously generated by and stored on a client’s system
o Auditor first has to extract data from client’s system and import it to the auditor’s own data analysis software (auditing with the computer)
o The auditor then can manipulate the data using procedures:
1. Selection: organise data by discarding irrelevant data fields
2. Sorting and stratifying: sorting data in alphabetical or numerical order and stratifying (separating, grouping and listing) it by nature, category and type
3. Interrogating: audit software can examine the data to identify potential misstatements by searching for unusual items or anomalies
a. Selecting and generating samples
b. Reperforming calculations on amounts
• Instructions to carry out the above functions include having the audit software:
o Recalculate and cast data for mathematical accuracy
o Identify all items exceeding specified limit
o Isolate items in terms of the criteria set by the auditor
o Scan for missing fields or gaps in sequential numbering
o Compare sets of data to identify inconsistencies
o Perform statistical or ratio analysis
Tests of controls
• THROUGH
• General controls must be tested before internal controls
• SYSTEM CAATs to test computerised controls
Substantive procedures
• AROUND
• Analytical procedures, detail tests
• DATA CAATs to download data from a CIS to perform substantive procedures
Reasons for the use of CAATs in the audit process
Necessity
• Volume of electronic data: significant quantity is electronic, might have no choice but to perform CAATs as manual approach would be too time consuming
• Nature of audit trail: transactions may only be evidenced in electronic form without a supporting paper trail
• Extent of computerisation: client is dependent on computer system, might have no other choice
• Complexity of computerised system: very complex, more necessary to use CAATs – complexity affected by complexity of applications and whether there are complicated interactions between financial subsystems
Possibility / Desirability
• Cost implications: could be too expensive
• Availability of IS skills and resources
• Time considerations: CAATs can offer time savings
• Availability of client data: client and auditor’s system may be incompatible; electronic data could be lost or deleted
• Security implications and attitude of client towards CAATs: clients may not be in favour of CAATs due to confidential information being in possession of auditor or potential data corruption and concerns of integrity
Steps in planning and performing CAATs
(1) Planning steps:
(a) Formulate objective of CAATs and
the control or detection risks to be
addressed
(b) Define population to be tested
(c) Specify CAATs procedures that
have to be performed (sort, stratify
and recalculate)
(d) Define format of data required
(2) Performance steps:
(a) Obtain data from client
(b) Agree CAATs data with information
subject to audit - ensure data
received agrees with client’s data
(c) Organize data
(d) Execute CAATs demands
according to programmatic
instructions
(e) Reporting
Answering questions:
Test data: Steps to take during the development and utilisation of test data:
• (1) Define the objective of the test that would be performed and (1.2) specify the controls which are to be tested
o (1) For example: All sales are recorded and calculated accurately. All sales are made to authorised customers and the account details submitted are valid
o (2) For example: Validation controls: Alphanumeric test, field length test etc
• (2) Develop the test data, containing the following:
o The test data should include valid and invalid data using for example the following fields: customer number, inventory numbers et cetera
o The test data should include all types of data and possible transactions, for example an order should be entered twice
o The test data should be processed independently of the client’s system, so as to obtain a pre-determined correct processing result against which the results of the test data will be evaluated
• (3) Process the test data on the client’s system
• (4) Compare the results from the test data run on the client’s system with the pre-determined results
o For example, control totals of invoices, calculated totals on invoices
• (5) Remove the test data from the client’s system
• Note that the test data would either be processed correctly, or be rejected or reflected on exception reports (i.o.w. evaluate the outcome of the tests)
o For example, transaction logs of every sales order entry, breakdowns of backorders, order suspense accounts
• (6) Conclude on whether the controls within the client’s system operated effectively
• (7) Evaluate the general controls to ensure that the system you have tested functioned within a controlled environment and functioned without unauthorised amendment throughout the period under review
• (8) Report on the effective operations of the controls
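Steps (2) to (6) above as an added Python sketch, not part of the course notes: `ClientOrderSystem` is a hypothetical stand-in for the client's order entry application with deficiencies built in on purpose, and the test deck, customer numbers and order numbers are constructed.

```python
import re


class ClientOrderSystem:
    """Hypothetical stand-in for the client's sales order entry application."""

    CUSTOMERS = {"C0001", "C0002"}  # constructed customer master file

    def __init__(self):
        self.orders = {"S5001": ("C0001", "AB123", 2)}  # constructed live order
        self.exceptions = []  # exception report of rejected input

    def enter(self, order_no, customer, item, qty):
        reason = None
        if not re.fullmatch(r"[A-Z]\d{4}", customer):
            reason = "customer number format"  # alphanumeric and field length test
        elif customer not in self.CUSTOMERS:
            reason = "unknown customer"  # validity against the master file
        elif not re.fullmatch(r"[A-Z]{2}\d{3}", item):
            reason = "inventory number format"
        elif qty == 0:
            reason = "zero quantity"
        # Deficiencies built in for the demonstration: negative or very large
        # quantities and a repeated order number are not rejected.
        if reason:
            self.exceptions.append((order_no, reason))
            return False
        self.orders[order_no] = (customer, item, qty)
        return True


# Test deck (constructed): order no, customer, item, quantity, predetermined
# result (True = accepted), and the control the case is aimed at. The expected
# results are worked out independently of the client's system.
TEST_DECK = [
    ("T001", "C0001", "AB123", 5, True, "valid order"),
    ("T002", "C9999", "AB123", 5, False, "validity of customer number"),
    ("T003", "C00O1", "AB123", 5, False, "alphanumeric test"),
    ("T004", "C00011", "AB123", 5, False, "field length test"),
    ("T005", "C0002", "AB12", 5, False, "inventory number format"),
    ("T006", "C0002", "AB123", 0, False, "zero quantity"),
    ("T007", "C0002", "AB123", -5, False, "negative quantity"),
    ("T001", "C0001", "AB123", 5, False, "order entered twice"),
    ("T008", "C0002", "AB123", 999999, False, "exceptionally high quantity"),
]


def run_test_data(system, deck):
    """Steps 3 and 4: process the deck and compare with predetermined results."""
    deviations = []
    for order_no, customer, item, qty, expected, control in deck:
        actual = system.enter(order_no, customer, item, qty)
        if actual != expected:
            deviations.append((order_no, control))
    return deviations


def remove_test_data(system, deck):
    """Step 5: remove the test transactions; returns the orders left behind."""
    for order_no, *_ in deck:
        system.orders.pop(order_no, None)
    return len(system.orders)


def conclude(deviations):
    """Step 6: conclusion on the operating effectiveness of the controls."""
    if not deviations:
        return "controls operated effectively for the test data processed"
    failed = sorted({control for _, control in deviations})
    return "deficiencies noted: " + ", ".join(failed)


if __name__ == "__main__":
    client = ClientOrderSystem()
    found = run_test_data(client, TEST_DECK)
    for order_no, control in found:
        print("deviation:", order_no, control)
    print("exception report:", client.exceptions)
    print("orders left after clean-up:", remove_test_data(client, TEST_DECK))
    print(conclude(found))
```

The live order `S5001` surviving the clean-up is the check that test data was removed without touching live data.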
Data CAATs
• Data CAATs are used to assist in the performance of substantive procedures
o For almost every substantive procedure there is an equivalent data CAAT
o Example where this does not apply: Excel cannot inspect invoices but can be used to select a sample of invoices which must be manually checked by the auditor
§ Excel cannot physically inspect inventory but can make a sample of items for the auditor to inspect
• When formulating data CAATs, do not write “use vlookup and…”, use layman’s terms
rather and say “compare (using vlookup)…”
Manual substantive procedures
General procedures
Data CAATs
Extract standard reports
Recalculate, compare, exception reports
Analytical procedures
Prepare graphs and ratios on excel
Specific tests
Recalculate totals
Driven by the substantive procedures you
would have performed
Analytical procedures
Tests of details
(1) Determine input fields on screen/variables in calculations from various sources
(2) Identify nature of field: transaction/Masterfile
(3) Prepare accounting entries and assertions
(4) Plan audit/substantive procedures (normal)
(5) Formulate equivalent CAATs for each procedure:
a. List CAATs techniques
b. List fields available
c. Document procedures: GP, SAP, ToD
d. Add detail
• Techniques which can be used: S C O R E
Technique | Excel | Example
Select sample (S) | Filter |
Summarization/stratification/sorting of information | Data table | Per category (ie. age analysis), stratification of balances
• Summarise within the criteria in the data set
• Stratify- make the data set
Compare information (incl. analytical procedures) (C) | If, vlookup | Transaction date with current date, data in various files (CP vs NRV)
Calculations | Formula and graphs | Depreciation, analytical procedure
Recalculation of totals (R) | Formula | Totals or cross calculations
Exception report (E) | Filter, conditional format | Look for unusual items: negative, zero values, duplicate values, unusually high and low, blank fields, round amounts
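The recalculation, comparison and exception report techniques listed above, plus the scan for gaps in sequential numbering, as an added Python example that is not part of the course notes. Python stands in for Excel or audit software; the inventory extract, its field names and the 1000 high-value limit are constructed assumptions.

```python
from collections import Counter
from decimal import Decimal

# Constructed extract of an inventory master file (not client data):
# item code, quantity on hand, cost per unit, recorded total value,
# selling price per unit, last GRN number.
INVENTORY = [
    ("A100", 10, "25.00", "250.00", "40.00", 5001),
    ("A101", -5, "12.50", "-62.50", "20.00", 5002),  # negative quantity
    ("A102", 4, "99.99", "499.95", "150.00", 5004),  # total miscalculated
    ("A103", 0, "8.00", "0.00", "6.00", 5005),       # zero qty, cost > price
    ("A103", 7, "8.00", "56.00", "6.00", 5007),      # duplicate item code
    ("", 3, "1000.00", "3000.00", "1200.00", 5008),  # blank code, round amount
]
FIELDS = ("code", "qty", "cost", "total", "price", "grn")


def load(rows):
    """Selection: keep the named fields and convert amounts to Decimal."""
    records = []
    for row in rows:
        rec = dict(zip(FIELDS, row))
        for key in ("cost", "total", "price"):
            rec[key] = Decimal(rec[key])
        records.append(rec)
    return records


def recalculate(records):
    """R: recompute quantity x cost per item and cast the schedule."""
    differences = [r["code"] for r in records if r["qty"] * r["cost"] != r["total"]]
    recomputed = sum(r["qty"] * r["cost"] for r in records)
    recorded = sum(r["total"] for r in records)
    return differences, recomputed, recorded


def exception_report(records, high_value=Decimal("1000")):
    """E: flag unusual items, keyed by row number in the extract."""
    counts = Counter(r["code"] for r in records)
    report = {}
    for i, r in enumerate(records):
        flags = []
        if not r["code"].strip():
            flags.append("blank code")
        elif counts[r["code"]] > 1:
            flags.append("duplicate code")
        if r["qty"] < 0:
            flags.append("negative quantity")
        if r["qty"] == 0:
            flags.append("zero quantity")
        if r["total"] != 0 and r["total"] % 100 == 0:
            flags.append("round amount")
        if r["total"] >= high_value:
            flags.append("high value")
        if r["cost"] > r["price"]:
            flags.append("cost exceeds selling price")
        if flags:
            report[i] = flags
    return report


def sequence_gaps(numbers):
    """Scan for gaps in sequential numbering (completeness)."""
    present = set(numbers)
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def after_cutoff(records, last_grn_of_year):
    """C: compare each GRN number with the cut-off number."""
    return [r["code"] for r in records if r["grn"] > last_grn_of_year]


if __name__ == "__main__":
    recs = load(INVENTORY)
    diffs, recomputed, recorded = recalculate(recs)
    print("items where qty x cost differs from recorded total:", diffs)
    print("recomputed total:", recomputed, "recorded total:", recorded)
    for row, flags in exception_report(recs).items():
        print("row", row, recs[row]["code"] or "(blank)", flags)
    print("missing GRN numbers:", sequence_gaps([r["grn"] for r in recs]))
    print("GRNs after cut-off 5005:", after_cutoff(recs, 5005))
```

Each flagged row is only a starting point: the auditor still follows it up manually against the underlying documents.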
• Formulate the data CAATs as follows (example of TOD on inventory):
Assistance to the audit procedure | Technique (have to include this – 1 mark) | Field (excel column) (have to include this – 1 mark)
Recalculate the addition of the inventory schedule | Recalculate the total inventory value / and compare (reconcile) it with | By multiplying the costs per unit and amount on hand / The total value per item
Test the cut-off of purchases | Extract a report of selected inventory items according to the following criteria | GRN number after the cut-off point (last GRN per year)
Test the cut-off of sales | Select a sample of items with | Last date of purchases around year end (before and after)
Test the valuation of inventory costs | Select a sample of | High value items or costs per items in order to test the purchase price by comparing the price to the underlying documentation with the price list
And after doing the above, state what the auditor has to do thereafter (manually)
• Example for creditors:
o By using audit software, inspect the creditor master file for any entries with
GRN numbers or cheque numbers after the cut-off numbers
o Purchase transactions: Select by using audit software, a sample of GRNs
that have been recorded in the inventory master file 3 or 4 days before and
after year-end
§ Then, inspect the related delivery note (from supplier) and GRN
documents to verify when the goods have been received
§ Trace this through to the creditor master file to check that it has
been recorded in the correct financial period
o Payment transactions: Select, using audit software, a sample of cheque
payments that have been recorded in the cash book 3 or 4 days before and
after year-end
§ Then, inspect the related cheque returned from bank and all its
supporting documentation (for example cheque requisition) and
§ trace it to the creditor master file to check that it has been recorded
in the correct financial period
o Inspect, using audit software, the different suspense files for long-outstanding items that might indicate unrecorded transactions
§ Orders awaiting GRNs
§ GRNs awaiting an invoice
Considerations and process prior to making use of CAATS:
1. Determine if it is necessary, possible and desirable
2. Address a request to computer audit team to explain objectives
3. Agreement reached regarding method of reporting
4. Computer audit team will do the following:
a. Define objectives, transactions and necessary audit procedures
b. Prepare budget of time and costs and have it approved by auditor
c. Obtain client’s approval to use data for CAATS
d. Determine availability of client’s data needed for CAATS
e. Contact client and arrange for download of data
f. Reconcile data received with live production environment and information of
financial statements
g. Execute CAATS
h. Report accordingly to audit team
Information to appear on working papers:
• GENERAL INFORMATION:
o Name of client
o Year-end of client
o Working paper reference
o Explanation of audit marks
o Name and date of preparer and reviewer
• OBJECTIVE OF PROCEDURES PERFORMED (CAATS) AND TECHNICAL
PROCEDURES TO USE CAATS
• LAYOUT OF INVENTORY MASTERFILE OF CLIENT
• RESULTS OF CAATS (eg: number of exceptions identified and further procedures which were executed)
• CONCLUSION IN RESPECT OF PROCEDURES
Tips to answer data CAATS questions:
• General procedures, analytical procedures and test of details
• Extract report of invalid items (specify) and investigate
• Inventory:
o High low value items – confirm price to price list
o CP > SP – consider write down
o Recalculate total value per item
o Stratify according to locations – use in count
o Report of sample items to confirm in count
§ Report of inventory items according to ‘last date of sales’ to identify slow moving/obsolete inventory for write off
o Compare current year and prior year
o Check cut-off of transactions
o Recalculate totals and compare
o Compare to underlying documents
• Debtors:
o Recreate age analysis (used in evaluating appropriateness of provision for doubtful debt)
o Sequence check on debtor number or names (investigate errors which indicate incomplete recording)
INTRODUCTION TO COMPUTER CONTROLS
Computer Information System Environment (CIS)/(IS)
- Exists where there is a computer – no matter what type or size
- Plays a part in or impacts processing of financial information of the entity
- Irrespective of whether computer is operated by entity or third party
- Uses of a computer have an impact on
o Generation of transactions
o Processing thereof
o Storage and/or
o Communication of information
Impacts on accounting and system of internal control – factors specific to CIS
- Electronic accounting systems = can increase/decrease company’s risk profile
- Management implements controls to address/mitigate risks
Computerised systems introduce risks:
Input:
- Lack of input documentation – contributes to lack of visual audit trail
- Lack of visual proof of authorisation
Processing:
- Multiple functions = performed by single program: lack of segregation of duty
- Where systems are integrated – individual errors might affect different systems
- Uniform processing decreases risk of clerical errors – but where error exists within program → risk exists of creating a constant error
- As a result of high speed of processing – errors and volume of transactions might not get detected in time
- System generated transactions (less control & controls)
- Data may be wasted during processing and completeness of data is affected
- Unauthorised changes to transaction/master files
- Unauthorised access = result in input of unauthorised/fictitious transactions
- Uncontrolled access to programs might result in unauthorised changes to programs (affects processing)
- Wrong programs/reproductions are used during processing which might result in errors
Other risks
- Concentration of functions & information – risk of errors and irregularities
- Initiation & processing of transactions with/without CIS
- Internal controls are dependent on CIS
- Potential for increased management supervision
Key components of CIS
ISA 315 describes an information system as consisting of → infrastructure (physical & hardware), software, people, procedures, data
Hardware
- All physical electronic equipment & parts that make up a CIS – from input devices to output & storage devices
- Eg. Keyboards, printers, hard drives, flash discs, network infrastructure, ATM
Software
- All programs that reside on any or all components of hardware
- Eg. Android software, programming of ATM
People
- Those who interact with processing of transactions = considered part of CIS
- Includes procedures that govern behaviour of people
- Eg. Customer who uses ATM
Procedures
- Instructions used to collect, process and store data about the organisation’s activities throughout the four stages of the accounting system → initiate, record, process & report
- Eg. Strategies, policies & methods & rules to use the CIS
Data
- Includes all forms of data stored on the hardware
- Eg. Log of recent calls, transactions of an ATM
Underlying principles in ISA 315
• System of internal control (IC) - system designed & implemented by those charged with governance to provide reasonable assurance about the achievement of an entity’s objectives iro (i) reliability of financial reporting, (ii) effectiveness and efficiency of operations, and (iii) compliance with Laws & Reg.
• Control activity - policies and procedures established to achieve the control objectives of those charged with governance.
• IT environment - IT applications and supporting infrastructure, + processes and personnel, that support operations and strategies.
o IT processes - processes to manage access, manage program or other changes and manage operations.
o IT infrastructure - comprises the network, operating systems, databases and related hardware and software.
o IT application - set of programs that is used in initiation, processing, recording and reporting (incl data WH & report writers).
• General Information Technology Controls (GITC) - controls over IT processes that support the continued operations, including the effective functioning of information processing controls and ensuring the integrity (i.e. VAC) of information
• Information processing controls – controls relating to the processing of information in IT applications or manual information processes that ensure integrity (i.e. VAC) of information
• Direct controls - controls that can address risks of material misstatement at the assertion level (Control activities + Information system).
• Indirect controls - controls that support direct controls (Control environment, Risks assessment process & Monitoring controls).
• General controls – provides a framework of overriding control of IS-activities
§ Control environment, security policy & organisational controls
§ System development- and program change controls
§ Access controls
§ Business continuity
§ Operating and System maintenance controls
• Application controls – Manual controls & automated controls over transactions
§ To initiate, record → input
§ To process → processing
§ To report → output
§ As well as to change information → master file changes
How does a computerised system operate
The flow of transactions can be divided into 4 stages:
Input:
– Flow commences with data of a transaction being recorded onto source documents designed with a specific business cycle
– Source documents can then be input – manually or by means of a computerised reading device (eg. Barcode scanner)
Processing:
– Transaction data is processed into a computer readable format
– Computer system ensures integrity of data – performs checks, calculations and comparisons
– Data is stored until requested
Master File changes:
– Standing data in a master file can be changed by means of a master file amendment
Output:
– When data is distributed (eg. can be viewed on a screen, emailed, stored on a memory stick (electronic output) or printed and distributed (manual output))
Controls in computer information system
[Diagram: Accounting system – Computerised environment and Manual environment – General controls and Application controls]
GENERAL CONTROLS
• Policies and procedures that relate to many applications
• Framework for overall control
• To ensure that CIS is developed, implemented, maintained and operated adequately.
• Control environment, security policy & organised controls
• System development and program change controls
• Access controls
• Business continuity
• Operating & system maintenance controls
APPLICATION CONTROLS
• Control over a specific transaction/cycle
• Can be preventative, detective or corrective
• To ensure the validity, accuracy and completeness of transactions and data, incl. the maintenance of MF data
- Initiate, record → input
- Process → processing
- Report → output
- Change information → master file changes
QUESTION
Factors that increase the risk of errors & irregularities in a computerised information system as opposed to a manual system.
§ There is a lack of a decent audit trail or significant limitation thereon
§ It is more difficult to ensure there is a segregation of duties, seeing that tasks that were previously performed by more than one person are now performed by one person in a computer environment
§ The personnel that are available might not have the necessary skills that are required in a computer environment, and mistakes in this type of environment can have far more serious consequences than in a manual system
§ Persons may gain unauthorised access and make changes without there being evidence showing it
§ A decrease in human involvement decreases the possibility that errors and irregularities are located/identified
§ Errors in design of system may go undetected for a long period because users do not understand the system and it can be misused by people that know the system well.
§ As a result of the standard design of the computer system, errors that exist in the system will be repeated in all transactions.
QUESTION
Explain in your own words how computer controls fit into the general framework of internal control and what the difference is between
general controls and application controls
§ Computer controls form part of the overall framework of internal controls and serve as an addition to the controls of the manual system
§ The controls of a manual system and a computer system all work together to achieve the same control objectives (validation, completeness and accuracy).
§ General controls are controls that are applicable to the overall computer environment.
§ Application controls are applicable to specific transactions.
§ Application controls are only sufficient if good general controls are also in place.
IT GENERAL CONTROLS
FRAMEWORK OF GENERAL CONTROLS
Organisational controls and personnel
practices
1. Responsibility levels, corporate
structure and reporting lines
2. Segregation of duties
a. Between departments
b. Within IT department
3. Staff practices
4. Supervision & review
System development controls/change
controls
1. Request needs assessment and
authorisation
2. Project management
3. Planning and design
4. Developing and testing
5. Implementation
6. Post-implementation
Controls around how the CIS department is
structured.
How changes are made to CIS & the
acquisition/development of a new CIS
Business continuity
Preventative controls:
1. Operating controls
- Physical dangers, eg. Water, fire,
power interruptions, wear and tear.
- Non-physical dangers, eg.
Unauthorised access/changes.
Detective and corrective controls
2. Repair after disaster using
- Backups
- Disaster recovery plan
Should something happen to the system, a
process needs to be in place to ensure that
the company can resume operations in the
shortest possible time.
Access Control
Preventative controls
1. Security management and policy
2. Physical access controls
§ Facilities
§ System
§ Data
§ Terminal/computer
3. Logical access controls
§ Username and password
§ Firewalls
4. Library controls
Detective and corrective controls
5. Logs and reviews (monitoring)
6. Library controls (data communication)
To prevent/detect unauthorised access to an organisation’s data or performing unauthorised activities.
Operating Controls
1. Scheduling and production runs/processing
2. Operating activities and use of assets
3. Library controls
4. Logs and registers
5. Business continuity controls
Controls that must be implemented around the day-to-day running of the system/maintenance
This is the base of the perfect IT general controls – refer to the framework when doing questions.
GENERAL CONTROLS – WEAKNESSES
These frequently come up!!
SWITCHBOARDS MUSICAL PARK
S
Lack of segregation of duties: programming and systems analysis:
the programmer is responsible for systems analysis functions, namely the preparation of system specifications, writing and updating
manuals and program documentation.
Lack of segregation of duties: Control of data and documentation and programming: The librarian also acts as assistant
programmer.
W
I
T
C
H
B
O
A
Must be written authorisation for requests for program changes (cannot occur over whatsapp or telephone)
Independent investigation into necessity, impact and cost of the changes before conversion commenced
Adequate testing of the new system where all parties are involved, must take place before the implementation of the new system.
Changes are made directly on the live system (no test copy) and there is no control over the conversion process from the old to the
new system to ensure proper conversion.
Insufficient housekeeping controls in the computer room.
Regular back-up copies are made and kept safe.
Sustained segregation between the programming function and operation of the computer.
Admission to the EDP section is not appropriately controlled.
The controls which are in place are not functioning effectively.
R
The control clerk is not running procedures / tests / controls on the data received for import, processing process itself and the
results of processing (export documentation).
D
S
No clear distinction between system and application programming.
M
Multi-level involvement in the system development and change process where all parties can give inputs or submit needs or
specifications.
Detail specifications must be prepared.
The program amendment or system development is performed by unqualified programmers.
U
S
System specifications must be formally approved before development of the new system takes place.
Lack of a formal system development methodology with separated duties and responsibilities.
The programmer cannot both design and test new systems and perform programming changes
I
C
A
L
The company does not use internal file labels.
P
Project management including a project team who prepare the project plan of duties and responsibilities, deadlines & budgets to
monitor the project process
A
It appears that the library function occurs informally: the librarian walked through the entire section and collected all discs. There is a lack of formal authority and control over the issuing and receiving back of data files.
There is no formal recovery plan and procedures.
R
K
No control exists over the magnetic tapes, for example by keeping them safe in a library.
No formal approval takes place before implementation of the system/changes.
Lack of formal and proper appointment procedures.
It seems that the librarian only keeps data files and not the other software (application and system software) and system documentation
1 ORGANISATIONAL CONTROLS & PERSONNEL PRACTICES
RESPONSIBILITY LEVELS
CSC (Computer Steering Committee)
◦ Consists of IS manager and representatives of all user groups
Librarian (independent person)
◦ Safe custody of data files / documents
◦ Limit access to authorised personnel
◦ Monitor & control programme changes
◦ Version control
◦ Back-ups & recovery
SEGREGATION OF DUTIES
Separation between IS & user department:
– IS department may not authorise transactions
– IS department may not authorise master files
– IS department may not correct users’ errors
– Users’ department checks and reviews MF’s
– Financial manager must not be involved in the user department
Separate IS department
– Organisationally independent of users
– Report directly to top management
Separation within computer environment
– Segregation between initiation, authorisation, custody and the reporting functions
– The operating and development functions must be segregated
Separation within CIS department
Minimum segregation of duties required
- development/programming AND
- operations
Within: Initiation, authorisation, custody and reporting functions
Ideal:
Systems development
- Systems analyst
- Programmers
Operations
- Librarian
- Data control
- Data control clerk
- Database administrator
Minimum segregation:
– Development/programming; and
– Operations
SUPERVISION & REVIEW
– Regularly done
- by IS manager
- after all changes have been made
– NB Review every activity // change = compare it to document
GOOD STAFF PRACTICES
T – staff training - continuously
A – appointment:
◦ CV → interview → appointment
D – duties: rotation & segregation
◦ avoid fraud, collusion / boredom
P – employment policy in place & documented
O – policy outline:
◦ Interviews, aptitude, education, experience & references
L – forced leave at least once per year
E – evaluation of performance
S – schedule specific tasks
◦ which employee does what
2 SYSTEM DEVELOPMENT / CHANGE CONTROLS
Example: implementing new accounting/sales/debtors’ management software
Note that the users of the system need to drive the whole process; NB: they should be considered at every phase. If not = weakness in system
NEW SYSTEM DEVELOPMENT
request
• Request must be made on a pre-printed, pre-numbered written request form
• Feasibility study must be conducted
◦ the impact, cost and necessity of the proposed change
◦ timeline
◦ budget
◦ cost vs benefit analysis
◦ available hardware / software
• Multi-level approval from all users
IMPORTANT RISKS
• There is no pre-numbered, pre-printed and written request of program changes.
• And therefore no sequence check is performed and no documented approval can be made by management
• No register or log is maintained for all request forms. Therefore no follow up on program changes or investigations of unusual requests.
• Approval by ALL users: Program change requests are only evaluated and approved by the accountant and not also by (e.g.) the users department, IS manager and internal audit or CSC
• There is no formal approval from the users or management for the programme change
• No formal initialling (or signing) as proof of authorisation and approval of program changes (by users, IS staff etc).
• No optimal segregation of duties if estimated costs >R10,000 – since the financial director submits and approves the request
• The segregation of duties in this process is insufficient and there is no multi-level involvement in each stage of purchasing. Only the accountant is involved in each step of the implementation.
• The accountant is responsible for the decision and there is no strategic involvement of management
• The cost of program change requests plays an important role in the authorisation process while no investigation into the necessity and impact of the changes is done (cost is the most important consideration), and no needs assessment is performed
• There is no feasibility study performed for material changes to assess the user requirements, necessity, the costs, implications of the change etc.
• The competence of the service provider was not evaluated at all
planning
Project management
• Project teams:
  ◦ consisting of IS manager, representatives of all user departments & auditors
  ◦ must be a project plan with time and cost budgets
• Project plan:
  ◦ time and cost budgets
  ◦ tasks to be performed clearly defined
  ◦ tasks assigned to those responsible
  ◦ deadlines & time schedules for each task
  ◦ regular monitoring of progress to identify delay as early as possible
User needs:
– Must be documented and defined
– determined by systems analyst
– consider any ISA standards requirements
• Multi-level approval before conversion commences
  ◦ Preliminary system design
• Preliminary system design:
  ◦ System specifications
  ◦ Multilevel involvement
  ◦ Compliance with set procedures
  ◦ must be reviewed and approved by the heads of all user departments before programming can commence
IMPORTANT RISKS
• No program change standards are in place.
• No procedures to monitor the compliance thereof.
• The conversion was not planned beforehand and there is no timetable for when which departments will do the conversion. It was done on a weekend.
• Only the accountant drafts the requirement specifications (possibly may not have all the necessary technical knowledge).
• There is no multiple-level approval of the provisional design of the system/program change (in other words, before the development thereof).
• No project plan, which sets out the process of how and when the new package will be implemented, was compiled and approved.
• There is no investigation made to obtain the needs of all the users relating to the program changes.
Development & testing
Programming
Development Area
• Programmers → write the software
  ◦ No access to live data
  ◦ Users not involved in programming
Test area
• Review & system testing
  ◦ Use test data / simulated data
  ◦ Test entire system
• Types of tests
  ◦ Program test: test the processing logic of a single program to verify whether all situations/scenarios are treated correctly
  ◦ String/series test: test related programs, e.g. whether data is transferred correctly from one program to another
  ◦ System test: test all programs when used together as a single system
  ◦ Tension Test: test performance and capacity when subjected to high pressure and demand on resources
• Acceptance testing:
  ◦ Controls: internal / external audit
  ◦ Functionality: users
• Make adjustments – as required before implementation
• Final Approval
  ◦ Requirements: testing and correction of errors
  ◦ All results should be reviewed to ensure that errors and production problems are identified and sorted out
  ◦ By management, users, IS personnel
Production Area
IMPORTANT RISKS
• No testing is done on a test version of the program to ensure that the program changes can be implemented.
• Proper system testing does not take place; only the processing logic of the program is tested after the program changes.
• There is no reconciliation between program changes authorised and program changes made.
• Insufficient documentation of program changes is maintained. No copies of test data, data definitions, specifications, etc. are kept. It is necessary for the operation of the system and any future changes.
• There is no back-up made before implementation of the updated program.
• There is no written approval of the program after changes before implementation.
• There is no multi-level formal approval of changes before implementation.
• There is no independent person who supervises as librarian and no-one keeps record of the issue of programs and the copying thereof.
• Testing of the program changes is not performed by all parties involved / concerned, but only by the accountant and the programmer. (Increases risk that not all errors will be identified before implementation.)
• There are no pre-determined standards when performing program changes.
• By using the accountant’s password, the programmer gains access to all files on the server. (Risk of unauthorised access to confidential information and changes to files is high.)
• There are no access controls to ensure that program changes are made to a copy of the program and do not affect the live data or live program.
• The programmer makes the changes to a copy of the relevant program placed in the production area, thus not to a copy of the program stored in the test area (or development area) of the library. (Risks: wrong version of program is changed / changes are not made to the ‘current’ version.)
• Programmer also works after-hours (with full access) without supervision.
implementation
o Planning
  – Implementation must be scheduled
  – Conversion must be planned with timetables for when the tasks must be completed
  – Must not take place after-hours / on weekends
  – Must be communicated to all users
o Before conversion commences
  – Controls must be implemented to ensure the data on the old system remains complete, accurate & valid → this can be done by performing reconciliations & re-calculations
  – Staff training of the new system
  – User manuals created and widely available
  Control over data conversion
  – Data control group is made responsible
  – Supervision by: senior competent person
o Different methods of conversion
  – direct: shut down of old system and start up new system. DO NOT USE → most risky as data is easily lost
  – parallel: run 2 systems simultaneously for period of time. Risky, time consuming and expensive
  – modular: phase in new system while phase out old system according to a time frame. BEST METHOD TO USE
o Post conversion (data):
  Reconcile
  – Old & new file balance
  – Number of records
  – Control totals
  – Examine exception reports
  – Followed with approval by the users
o Training
  – Train user and IT staff how to use the new system
  – Compile user manuals: guide users with new system → communicate to all users
o Update system documentation
  – With the librarian
  – Flowcharts, operator manuals, etc.
o Review
  – Review by users, auditors, IS personnel
  – Assess performance
    o Consider if system achieves its aims
  – Review documentation and ensure everything is up to date
  – Staff are notified of changes, and trained to fully utilise improvements
IMPORTANT RISKS
Risks if controls are not in place (Consequences)
– Excessive costs
– Insufficient controls and non-compliance with standards
– Errors occur during the transfer of information
– System not understandable, unhappy users
• Users did not approve the package before implementation thereof.
• No formalised procedures to ensure back-up copies of the different versions of software are filed in the program library.
• There are no procedures according to which the program changes that are made – according to the version control list – are reviewed with the program request forms.
• No formal procedures to ensure all system and users documentation are properly updated.
• The system documentation is not updated to include the changes made to the existing program and no documentation is prepared to document the changes made.
• A unique password was not allocated to each programmer. By the use of CIS’s password the programmers gain access to all the files.
• Changes are not put into effect by programmers or the IT division but by the users of the system who have access to be able to make changes to the system.
• There is no training of system users after program changes have been implemented.
• No testing was done on Pastel after the conversion to ensure that the package: functions correctly, as expected and meets the needs of the users.
• Only direct implementation is carried out (because previous version of program is stopped immediately) which may not in all situations be the best implementation choice.
• Implementation is not planned and coordinated with the user departments.
• The program changes are implemented at a time when normal operations of the business could be disrupted.
• There are no controls in place to ensure that the manual balances were closed off properly. No controls were performed on the data of the manual system to ensure that the data is complete, accurate and valid before the conversion was done.
• There is no proper control over the conversion of data from a manual system to Pastel. The accountant simply transferred the balances from the manual system to Pastel with no supervision during the conversion.
Recommend additional controls or procedures to follow during the conversion to the new computerised cost management system
SYSTEM CONVERSION
• The conversion must be planned, with time tables for dates and times by which different tasks must be performed.
• Data conversion: the standing data of the previous manual system must be prepared in electronic files for the computerised costing system.
• The data control group from the information system division must take control of the conversion.
• A senior member of management must also be appointed to supervise the data conversion project.
• Before data conversion starts, controls must be performed to ensure that the data on the old system is complete, accurate and valid, e.g. by reconciliations and recalculations.
• Training users:
  ◦ Sufficient training must be provided to all users in order to ensure that everyone is familiar with the use of the new system.
  ◦ User manuals must also be prepared.
• Documentation: System documentation, e.g. flow charts, descriptions, operator manuals, must be prepared or updated.
• Implementation:
  ◦ Implementation must take place under the supervision of a senior responsible person.
  ◦ Implementation of the new system must be executed in an appropriate manner, for example parallel testing where the old and new systems run simultaneously and the results are compared.
reconciliation and review
§ Post implementation review performed by users, auditors, IS personnel
  o Assess performance of system
  o Consider if the system complies with needs
§ Review documentation – system documentation and training material
Controls to ensure appropriate system development process
CONTROLS TO ENSURE AN APPROPRIATE SYSTEM DEVELOPMENT PROCESS
• There must be written standard procedures set out within the system development methodology to cover the procedures concerning the planning, development and implementation of the systems.
• Project management must be implemented. A project team must be appointed to prepare a project plan. The project plan must inter alia contain the size of the project, the jobs and responsibilities of specific persons and a time budget. The project team is responsible to control and manage the project and to monitor the progress of the project.
• Agreement must be reached regarding the standards of programming, for example the terminology, abbreviations, symbols etc. that will be utilised during the system development process.
• Multi-level involvement of the users of the system, the CIS staff, management and the auditor in the system development process is necessary. Each of these parties has different and unique needs concerning the system and must draft the specifications for the system.
• The specifications for the system as mentioned above must before development be reviewed and approved by all parties concerned.
• After the development of the system but before implementation, the system must be properly tested in a test environment. It should be determined whether the system contains sufficient controls and complies with all the pre-determined specifications.
  There are 5 levels of testing, namely:
  ◦ program test: where the processing logic of each program is tested separately and it is tested whether the program will handle all situations correctly;
  ◦ string/series test: where the series of related programs is tested to ensure that data is correctly transferred from the one program to the next;
  ◦ system test/joint existence tests: test whether all the programs in the system are working jointly together by using simulated data;
  ◦ pilot test: where the actual transactions are processed through the new system and the results compared with those of the present system;
  ◦ parallel test: where the old and the new computer system are used for a period in parallel and the results after this period are compared with one another.
• After testing the system properly but before implementing it, all parties involved with the development process must approve the system finally in writing.
• Proper documentation concerning the proper operation of the system must be maintained.
Risks to consider with the development of a new system
• The cost of the development may become out of control.
• The new design of the system might not meet the needs & requirements of the users of the system.
• There may be errors (not compatible) in the new system that could make the day to day use of the system very difficult.
• Important accounting principles and calculations may be wrongly integrated into the new computer system.
• The new system could possibly not have enough controls in place to ensure the integrity of the data at all times.
• Risk exists that the new system could be difficult to understand and not user friendly and can lead to errors.
• Problems can arise with the integration between the new and the existing system.
• The risk exists that transfer of information between systems may result in data being lost, incorrectly transferred or duplicated.
• The risk exists that it will be difficult to understand for its users and not user friendly.
Advantages to purchasing software off the shelf compared to one developed in house
• When a package is purchased and installed the process normally progresses more quickly, since the system itself need not be written (which could be a time-consuming process).
• Packages normally have predetermined prices and costs, which means that the process can be less expensive.
• A company can consider different packages and decide which one would suit the company's needs best.
• Packages are normally properly tested and probably error free in respect of functioning.
• The supplier of the package normally builds all the necessary controls into the package.
• System documentation normally forms part of the package and the company therefore does not need to write it themselves.
• The supplier of the package usually provides the necessary training and support services in respect of the package.
• The supplier of the package generally provides updates and new versions of the package, as they become available.
SYSTEM CHANGE / MAINTENANCE
Change in an existing system: Example: Change in interest rate for debtors, changing salary payment scale.
request
o Written request is required
  – Pre-numbered, pre-printed, standard form
  – Record in request register (log) in order to ensure all requests are followed up on
o Inspect request and approve
  – Run the idea past users, auditors, IS personnel: sign as initial proof of authorisation of program changes
  – Only written authorised changes are implemented (programmers receive instructions from CSC only)
o Perform feasibility study for material changes
  – Investigate necessity, cost and impact
  – Maintain register (log) of program changes
planning / design
o Provisional system is approved
  – Follow coding standards
o Segregation of duties:
  – define programmers, system analysts: independent person determines program specifications for requested program and another person makes changes
o Programmers
  – Give programmer a project plan, costing budget and a time budget
  – Design a test version
  – Library: no access to live data (the risk is that the wrong version of the program is changed).
  – Obtain all the users’ approval
  – Change test version
  – Must only work during operational hours so that supervision of his work takes place
  – Independent person must supervise as librarian and keep record of the use of programs and copying thereof
  – Program change documentation must be maintained: copies of data / test data etc.
Development & testing
o Appropriate testing by
  – Information System personnel
  – Users
  – Auditors
o Final written approval by
  – Information System personnel
  – Users
  – Auditors
  – management
o Implementation
  – Librarian responsible for version change, and implementation of live data.
  – Program changes must be implemented during operational hours in order to be properly supervised
o Register of changes
  – Record
  – Review
  – Reconcile with request forms
• Back up old versions (formalised procedures must exist to ensure that back-up copies of the different versions of software are filed in the program library). These must be stored off-site (away from the company’s premises)
• Update system documentation with changes made
Post-Implementation & Training
– System is reviewed by users, auditors, IS personnel
– Assess performance
  o Consider if system achieves its aims
– Review documentation and ensure everything is up to date
– Staff are notified of changes, and trained to fully utilise improvements
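The register checks listed above (sequence check on pre-numbered request forms, multi-level written approval, segregation of duties, and reconciling the register of changes with the request forms) can be automated. The following is an added example, not part of the original notes; the record layout, field names, approver labels and sample data are constructed assumptions.

```python
"""Reconcile a program-change register against pre-numbered request forms."""
from dataclasses import dataclass, field
from typing import Optional

# Parties whose final written approval the notes require (labels are assumed).
REQUIRED_APPROVERS = frozenset({"users", "is_personnel", "auditors", "management"})


@dataclass
class RequestForm:
    number: int                       # pre-printed sequence number
    requested_by: str
    approvals: set = field(default_factory=set)


@dataclass
class ChangeRecord:
    program: str
    version: str
    request_number: Optional[int]     # form this change claims to implement
    implemented_by: str


def sequence_gaps(forms):
    """Sequence check: form numbers missing between the lowest and highest."""
    present = {f.number for f in forms}
    if not present:
        return []
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def reconcile(forms, changes):
    """Compare changes actually made with changes requested and approved."""
    by_number = {f.number: f for f in forms}
    findings = {
        "missing_form_numbers": sequence_gaps(forms),
        "changes_without_request": [],
        "changes_missing_approval": [],
        "requester_made_change": [],
        "requests_not_implemented": [],
    }
    implemented = set()
    for change in changes:
        form = by_number.get(change.request_number)
        if form is None:
            # A change in the library with no authorised request behind it.
            findings["changes_without_request"].append(
                (change.program, change.version))
            continue
        implemented.add(form.number)
        missing = REQUIRED_APPROVERS - form.approvals
        if missing:
            findings["changes_missing_approval"].append(
                (form.number, sorted(missing)))
        if form.requested_by == change.implemented_by:
            # Segregation of duties: requester and implementer must differ.
            findings["requester_made_change"].append(form.number)
    # Requests logged but never followed up on.
    findings["requests_not_implemented"] = sorted(set(by_number) - implemented)
    return findings


# Constructed sample register: form 103 is missing from the sequence.
ALL_PARTIES = set(REQUIRED_APPROVERS)
FORMS = [
    RequestForm(101, "debtors_clerk", set(ALL_PARTIES)),
    RequestForm(102, "accountant", {"management"}),
    RequestForm(104, "payroll_clerk", set(ALL_PARTIES)),
]
CHANGES = [
    ChangeRecord("debtors_interest", "2.1", 101, "programmer_a"),
    ChangeRecord("salary_scale", "5.0", 102, "accountant"),
    ChangeRecord("salary_scale", "5.1", None, "programmer_b"),
]

if __name__ == "__main__":
    for finding, items in reconcile(FORMS, CHANGES).items():
        print(f"{finding}: {items}")
```

Each non-empty finding corresponds to one of the weaknesses listed under IMPORTANT RISKS and should be followed up by someone independent of the programmer.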
3 BUSINESS CONTINUITY
PREVENTATIVE
PHYSICAL DANGERS
o Fire
  • Fire extinguishers
  • Safe located close to fire extinguishers
  • Smoke detectors
  • Fire alarms
o Water
  • Cable protection implemented to protect equipment from water damage
  • Do not use water fire extinguishers – use CO2
o Electricity
  • Uninterrupted power supply (UPS)
  • Back-up generators for emergencies
o Construction
  • Building should be well-built and solid
  • Long-lasting fireproof walls
o Alternative facility
  • An alternative processing facility should be considered in the event of a disaster so that operations can continue (an agreement could be entered into with a service provider.)
  • Provide alternative processing facilities (back-up facilities), for example service organizations, trade partners etc.
NON-PHYSICAL DANGERS
o Wear & tear
  – Machinery maintenance
  – Replacement policy
  – Regular inspection
  – Continues to meet needs of users
o Unauthorised access
  → Physical access controls
  – Anti-virus software/white hat hacker team
o Unauthorised changes by personnel
  – Avoid over-reliance on personnel
  – Training of backup staff
  – Documentation of duties
  – Rotation of staff
  Security policy (which employees must sign)
  – Specify use of hardware
  – Ban on illegal software
  – Internet usage policy
o Insurance
  • Contact insurer to revise and update insurance coverage so that it covers the following risks: fire, water, loss of production, et cetera.
  • Have insurance to mitigate the impact of the loss – profits and physical and logical assets
DETECTIVE
o Emergency Plan & Recovery Procedures
  Must be a written business continuity plan communicated to all users
  Must state which documents need to be recovered in any emergency
  PLAN
  • Plan and document an emergency recovery plan, with set procedures relating to the functions and responsibilities in case of disasters, including break-ins.
  • Test the emergency recovery plan to identify weaknesses and to set out responsibilities of persons involved.
  • Provision should be made to test the plan on a regular basis to identify weaknesses and ensure employees are aware of their responsibilities.
  DISASTER PLAN
  • A written business continuity/disaster recovery plan needs to be developed
  • It must be widely distributed among employees and specifically set out:
    ◦ List of data and program files that are key to operations that must be recovered.
    ◦ A list of documents to be removed from the premises in the event of a disaster.
  ALTERNATIVE FACILITY
  • An alternative processing facility should be considered in the event of a disaster so that operations can continue (an agreement could be entered into with a service provider.)
  • Provide alternative processing facilities (back-up facilities), for example service organizations, trade partners etc.
o Backups
  Regular back-ups must be made and stored safely on a different site
  • A formalised backup program must be in place to state how and when backups are to be made
  • Regular backups must be made frequently (daily)
  • At least three generations of backups should be maintained
  • The backup copies must be tested frequently
  • The back-up copies should be regularly tested to identify any weaknesses and to ensure that the back-up responsibilities are allocated to the correct people.
  • A manual back-up register must be maintained. This register must clearly state who needs to make back-up copies and where they must be saved. (Or an automated backup register must be maintained that links to the timing of the cloud back-ups)
  • Regular back-up copies must be scheduled (i.e. a fixed schedule should be set up) and made OR backups should be automatically done.
4 ACCESS CONTROLS
Risks that access controls address: (Consequences if not in place)
o Damage or theft of hardware
o Unauthorised viewing or editing of files and data
o Unauthorised transactions
o Users that are not security conscious
PREVENTATIVE
Security management & policy
▪ Identify risks
▪ Allocate responsibilities
o Written policy (NB)
  – Preparation and distribution of security policy
  – Confidentiality clause
  – Repercussions for breach of policy
Physical
Premises and facilities
• Security guards after hours, alarms
• Controlled arrangements for visitors
• CCTV
• Access card doors
• Maintain registers, logs, review
* security of a computer
User’s terminal / computer
• Control access to office
• Lockable terminal room or very open area
• Supervision over CCTV
• Activity register
• Computer must be safeguarded
Other assets (physical documents)
• Store in a safe
• File protection:
  ◦ Internal and external file labels
  ◦ Read-only permissions
• Register for insurance
• Logs and registers
Logical
Usernames
• unique to each employee
• allocated by the employer
• de-authorised on termination of employment
Identify users
• ID number / name
• Physical → access card / fingerprint / facial recognition
Firewall
Passwords:
• not shown on screen
• activity register of log-ins
• policy → keep it confidential
• sign out after inactivity
• lock-out after 3 failed attempts
• changed regularly
• at least 5 characters
• not a previously used password
• contain uppercase letters and numbers
Authorisation matrix
• user → username and passwords
• function rights → permissions e.g. read-only
QUESTION:
Explain how ‘authorisation matrixes’ could have been used to ensure that only valid and authorised changes could be made to the information on the main frame computer and consequently could have prevented Ms Possible from removing and changing information.
An access control matrix (programmed authorisation) can contribute in the following manners to ensure only valid changes to the information in the system are made:
• By way of a terminal code, only a specific terminal is permitted access to the program’s module that makes information changes possible, thereby restricting changes to a specific terminal.
• Log-in with user ID, authenticated by password, restricts:
  ◦ the access rights each user has to change information on the system (e.g. display, write);
  ◦ the possibility that an unauthorised person can make changes to the information on any computers, because they do not have the necessary rights to make the changes;
• in accordance with the allocated authorisation level, changes should only be allowed to be made on a predetermined day of the month;
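The layered checks in the answer above (authenticated user ID, terminal code, access right, predetermined day of the month) can be expressed as one deny-by-default lookup. This is an added example, not part of the original notes; the user names, terminal codes, file name and the chosen change day are constructed assumptions.

```python
"""Deny-by-default authorisation matrix for changes to a master file."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Grant:
    rights: frozenset                      # e.g. {"display", "write"}
    terminals: frozenset                   # terminal codes this user may use
    write_days: frozenset = frozenset()    # days of month on which writes are allowed


# Constructed matrix: (user ID, file) -> Grant. No entry means no access.
MATRIX = {
    ("payroll_admin", "salary_master"): Grant(
        rights=frozenset({"display", "write"}),
        terminals=frozenset({"T-PAY-01"}),
        write_days=frozenset({25}),
    ),
    ("hr_clerk", "salary_master"): Grant(
        rights=frozenset({"display"}),
        terminals=frozenset({"T-HR-01", "T-HR-02"}),
    ),
}

# Every refusal is recorded so it can appear on an exception report.
DENIALS = []


def check_access(user, authenticated, terminal, file, right, on_date):
    """Return (allowed, reason); each control is tested in turn."""
    def deny(reason):
        DENIALS.append((on_date.isoformat(), user, terminal, file, right, reason))
        return False, reason

    if not authenticated:
        return deny("user ID not authenticated by password")
    grant = MATRIX.get((user, file))
    if grant is None:
        return deny("no entry in authorisation matrix")
    if terminal not in grant.terminals:
        return deny("terminal not authorised for this file")
    if right not in grant.rights:
        return deny("right not granted to this user")
    if right == "write" and on_date.day not in grant.write_days:
        return deny("changes not allowed on this day of the month")
    return True, "permitted"


if __name__ == "__main__":
    attempts = [
        ("payroll_admin", True, "T-PAY-01", "write", date(2024, 3, 25)),
        ("payroll_admin", True, "T-PAY-01", "write", date(2024, 3, 12)),
        ("payroll_admin", True, "T-HR-01", "write", date(2024, 3, 25)),
        ("hr_clerk", True, "T-HR-01", "write", date(2024, 3, 25)),
        ("visitor", True, "T-HR-01", "display", date(2024, 3, 25)),
    ]
    for user, authed, terminal, right, day in attempts:
        print(user, terminal, right, day,
              check_access(user, authed, terminal, "salary_master", right, day))
```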
QUESTION:
Controls to ensure authorised use of salary master file on the mainframe computer only
PHYSICAL CONTROLS
A formal, written security policy should be distributed to all users stipulating:
  ◦ that only authorised persons may use the mainframe computer; and
  ◦ that strong action will be taken against its unauthorised usage.
Physical access control that should be active at mainframe room:
  ◦ Access to room should be restricted by keys/magnetic card readers
  ◦ Only authorised users must have access to keys for room and/or there should be proper control over registration of magnetic cards
  ◦ Doors should be closed at all times when computer is not in use,
  ◦ Also when IS personnel leave the room;
• Daily run schedules should be prepared for the use of the mainframe computer.
• The mainframe computer should also provide a daily activity register of the activities performed, which should be compared by a senior person with the run schedule to identify any unauthorised activities.
• Registration on the mainframe computer should only take place within fixed hours (or office hours) and
• Access outside these hours should be managed by the use of alarms, closed-circuit TV cameras and/or security guards supervising the use of this computer
LOGICAL CONTROLS
Authorisation tables must be used which ensure that:
  ◦ Access and rights (writing, reading, changing, deleting etc.) to certain files and programs should be restricted by linkage to usernames (and in doing so to the user’s job description);
  ◦ Access to certain programs and files may only be acquired from the mainframe computer and not from terminals as well.
Password control must be adjusted by requiring correct passwords to acquire access to the mainframe computer and the master file:
  ◦ Passwords should be unique.
  ◦ Persons should have passwords that are alphanumerical containing at least five characters.
  ◦ Persons should change passwords regularly.
  ◦ Password should not appear on the screen.
  ◦ The choice of passwords is important – it should not be obvious and linked to the user.
  ◦ The password of persons who resign should be removed from the file.
  ◦ Secrecy of passwords is essential.
• The terminal should disconnect after three unsuccessful attempts to access (input of wrong password).
• In the case of a security break the system should disconnect automatically.
• When the system has not been in use for quite a time, the user should be deregistered and access to the system should require re-entry of the password.
DETECTIVE
• Exception reports must be generated for all unauthorised users logging on / failed attempts
Logs & reviews
– Monitor audit trail and activity register and processing
– Sensitive transactions/activity
– Reviewed by senior personnel
o Mention a log:
  There must be a log
  Give example of data that should be in the log
  Must be reviewed
  Unusual entries must be followed up on
QUESTION:
Describe the controls with which unauthorised changes to information on the main frame computer can be detected
• The back-up copy must be recovered and the information must be reconciled with the information on the system. Any difference could highlight missing information.
• The input documents must be reconciled with the system.
• Balance the control totals (e.g. hash totals, record counts) with the recovered control totals.
• Obtain exception reports/audit trails/registers from the system to identify any information which was omitted or changed. The reports could, for example, contain the following:
  ◦ Audit trail of any changes;
  ◦ Empty fields in the information database;
  ◦ keep record of all attempts to gain access to the main frame computer system (successful and unsuccessful); and
  ◦ keep activity registers.
• Exception reports/audit trails/registers must be reviewed by a senior staff member to identify any unauthorised access or attempt to gain access, which must be investigated immediately.
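Both the post-conversion reconciliation (old and new file balance, number of records, control totals, exception reports) and the back-up reconciliation in the answer above come down to the same comparison of a trusted baseline with the live file. This is an added example, not part of the original notes; the CSV layout, account numbers and balances are constructed assumptions.

```python
"""Reconcile a baseline file (old system or restored back-up) with the live file."""
import csv
import io
from collections import Counter
from decimal import Decimal

# Constructed sample data: debtor balances before and after a conversion.
OLD_FILE = """account,name,balance
1001,Alpha Traders,1500.00
1002,Bravo Stores,250.50
1003,Charlie Ltd,0.00
1004,Delta CC,980.25
"""

# 1002 has transposed digits, 1003 was lost, 1004 was loaded twice.
NEW_FILE = """account,name,balance
1001,Alpha Traders,1500.00
1002,Bravo Stores,205.50
1004,Delta CC,980.25
1004,Delta CC,980.25
"""


def load(csv_text):
    """Parse a file into a list of (account number, balance) rows."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(int(row["account"]), Decimal(row["balance"])) for row in reader]


def totals(rows):
    """Record count, financial control total, and hash total of account numbers."""
    return {
        "record_count": len(rows),
        "control_total": sum((bal for _, bal in rows), Decimal("0")),
        # A hash total sums a field with no financial meaning; it only
        # exists to reveal that the set of records has changed.
        "hash_total": sum(acct for acct, _ in rows),
    }


def reconcile(old_rows, new_rows):
    """Compare file-level totals, then list record-level exceptions."""
    old_totals, new_totals = totals(old_rows), totals(new_rows)
    old, new = dict(old_rows), dict(new_rows)   # last copy wins on duplicates
    copies = Counter(acct for acct, _ in new_rows)
    exceptions = []
    for acct in sorted(old.keys() | new.keys()):
        if acct not in new:
            exceptions.append(("LOST", acct, old[acct], None))
        elif acct not in old:
            exceptions.append(("ADDED", acct, None, new[acct]))
        elif old[acct] != new[acct]:
            exceptions.append(("CHANGED", acct, old[acct], new[acct]))
        if copies[acct] > 1:
            exceptions.append(("DUPLICATED", acct, old.get(acct), new[acct]))
    return {
        "old_totals": old_totals,
        "new_totals": new_totals,
        "mismatched_totals": [k for k in old_totals if old_totals[k] != new_totals[k]],
        "exceptions": exceptions,
    }


if __name__ == "__main__":
    report = reconcile(load(OLD_FILE), load(NEW_FILE))
    print("old:", report["old_totals"])
    print("new:", report["new_totals"])
    print("totals that do not agree:", report["mismatched_totals"])
    for kind, acct, before, after in report["exceptions"]:
        print(f"EXCEPTION {kind}: account {acct} before={before} after={after}")
```

In the sample the record counts agree (4 and 4) even though one record was lost and another duplicated, which is why the control total and hash total are checked as well.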
CONTROLS TO PREVENT AND DETECT UNAUTHORISED ACCESS
PREVENTATIVE
• A formal, written policy that only authorized persons may use terminals and that strict action will be taken against unauthorized users of terminals. This policy should be given to all staff.
• There must be special security measures in place at the EDP department, and specifically Mr Westwood's office:
  ◦ the doors should always be closed when the computer is not in use and when Mr. Westwood leaves his office;
  ◦ only authorized users have access to keys to the offices;
  ◦ computer terminal itself must be closed when not in use (physical terminal locks);
  ◦ the terminal should be placed in a visible, conspicuous place where it is not hidden, so that an unauthorized person working on a computer can be easily spotted.
• There may only be access to the system within business hours. After-hours access must be limited by the use of alarms and/or security guards.
• Authorisation tables should be used to ensure that:
  ◦ data can only be imported from certain terminals;
  ◦ certain files can only be read, while others may be edited;
  ◦ no access to certain programs and files may be obtained from certain terminals
• Password control should be applied when access to a terminal and the system is obtained:
  ◦ the terminal should only be used if the correct password is used;
  ◦ there should be proper control over passwords: staff must be informed of the importance of secrecy of passwords;
  ◦ passwords should be chosen with care and not for the ease with which they can be remembered: for example, dates of birth and identity numbers may not be used;
  ◦ passwords may not be printed, written or pasted where unauthorized users can see;
  ◦ passwords should be changed regularly, especially after a change in personnel.
DETECTIVE
• The computers must keep a record of unsuccessful attempts to gain access to the terminal. Such lists should be printed daily and very carefully investigated by Mr. Westwood and followed up.
• The system must automatically sign out if a user has not been at a terminal for a while.
• When the system has not been used for a certain time, access to the system must be regained by re-entering the password.
• At the end of every day, every computer should print a list / log / register of daily activities. This should be checked by an independent person for any unauthorized use or changes. Any evidence of unauthorized activities must be investigated and followed up immediately.
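The daily review of access records described above can be prepared as an exception report, so that the reviewer sees only the entries that need follow-up. This is an added example, not part of the original notes; the log format, user IDs, terminal codes and the office hours of 08:00 to 17:00 on weekdays are constructed assumptions.

```python
"""Build a daily exception report from a log-in activity register."""
from collections import defaultdict
from datetime import datetime, time

BUSINESS_START, BUSINESS_END = time(8, 0), time(17, 0)   # assumed office hours
MAX_FAILED_ATTEMPTS = 3        # the notes require lock-out after three failures
KNOWN_USERS = {"clerk1", "clerk2"}                       # assumed user register

# Constructed activity register: date, time, terminal, user ID, event.
SAMPLE_LOG = """\
2024-03-04 08:15:02 T01 clerk1 LOGIN_OK
2024-03-04 09:01:10 T02 clerk2 LOGIN_FAIL
2024-03-04 09:01:25 T02 clerk2 LOGIN_FAIL
2024-03-04 09:01:41 T02 clerk2 LOGIN_FAIL
2024-03-04 09:02:03 T02 clerk2 LOGIN_OK
2024-03-04 11:30:00 T03 ghost LOGIN_FAIL
2024-03-04 22:47:19 T01 clerk1 LOGIN_OK
2024-03-09 10:05:00 T01 clerk1 LOGIN_OK
"""


def parse_line(line):
    """Split one register line into (timestamp, terminal, user, event)."""
    day, clock, terminal, user, event = line.split()
    stamp = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S")
    return stamp, terminal, user, event


def exception_report(log_text):
    """Return the entries a senior reviewer must investigate."""
    failures = defaultdict(int)     # consecutive failed attempts per user ID
    report = []

    def flag(rule, stamp, terminal, user):
        report.append({"rule": rule, "time": stamp.isoformat(sep=" "),
                       "terminal": terminal, "user": user})

    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, terminal, user, event = parse_line(line)
        if user not in KNOWN_USERS:
            flag("UNKNOWN_USER", stamp, terminal, user)
        weekend = stamp.weekday() >= 5
        if weekend or not (BUSINESS_START <= stamp.time() < BUSINESS_END):
            flag("AFTER_HOURS", stamp, terminal, user)
        if event == "LOGIN_FAIL":
            failures[user] += 1
            if failures[user] == MAX_FAILED_ATTEMPTS:
                flag("LOCKOUT_THRESHOLD", stamp, terminal, user)
        elif event == "LOGIN_OK":
            if failures[user] >= MAX_FAILED_ATTEMPTS:
                # The terminal should have disconnected; the control failed.
                flag("LOGIN_AFTER_LOCKOUT", stamp, terminal, user)
            failures[user] = 0
    return report


if __name__ == "__main__":
    for entry in exception_report(SAMPLE_LOG):
        print(entry)
```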
5 OPERATING CONTROLS
Objective:
to control the operations of the system; and
ensure that programmed procedures are applied correctly and consistently; set up standards for hardware/software so that communication and cooperation is possible
– Scheduling of jobs & processing tasks that should take place
– Validation tests (refer to processing notes)
– Error handling (refer to input notes)
o Operating activities, maintenance & use of assets
  – Maintenance of hardware: proper maintenance program must exist whereby hardware components are replaced timeously
  – Librarian controls (Refers to the data library as a place and the librarian as a person)
o Procedure manual
  – Data, file and program protection
  – Person has to supervise and keep record of programs issued in order to ensure they are issued to authorised personnel and the correct versions are issued.
o Logs & registers
  – Activity registers are reviewed and investigated on a day to day or weekly basis
  – Policy relating to personnel habits and neatness
o Disaster recovery plan & backup
  – Perform tests / procedures concerning the processing and output by the system, in order to ensure that it is complete and accurate
IT APPLICATION CONTROLS
Relate to input controls
For a specific transaction
-
To prevent, detect and correct errors arising in a transaction, throughout the various stages of the application control
Control objectives do not change, the basic principles and methods (SCRAMM) are still applicable
Application controls consist of:
1.
Independent user controls à no dependence on a CIS eg. Authorising a hardcopy purchase order
2.
IT dependent manual controls à user controls dependent on computerised information (eg. Review of access log)
3.
Programmed controls (automated controls) à dependent on CIS output and can operate without human interaction (eg. Validation
controls)
Applications can be subdivided into
o User controls
â—¦
Independent of computer, or
â—¦
Dependent on computer
o Programmed controls
o Computer only Capturing & documentation (Prevention)
MENTION:
• General controls (training, access controls, SOD) specific to capture
• Users should be trained to ensure they understand the importance of the data they must enter and how it should be inputted
• Manuals should be freely available to all persons responsible for data input.
Source document controls (Prevention)
Pre-numbering (with sequence check)
Efficient design
TYPES OF DATA ENTRY & PROCESSING
§ Batch entry and batch processing
o Transactions (source doc) are collected into bundles
o Entered and processed in bundles
o Masterfile is updated at a later stage
§ On-line entry, batch processing
o Data is entered directly onto the system via a terminal
o Authorise and process to transaction file
o Master file is updated later
§ On-line entry, real-time processing
o Data is entered directly, linked to accounting system
o Immediate processing to the Masterfile
o (MF always up to date)
INPUT CONTROLS:
Documentation and general controls; Screen
Computer or logical controls
Review:
- Identification
- Investigation
- Correction of errors
PREVENTION
• General controls (training, access controls, SoD) that are specific to the system
• Source documents: efficient design, pre-numbered
• Check sequential numbering
DETECTION
• Computer or logical controls
• Validation tests (VAC)
CORRECTION
• Identification
• Investigation
• Correction (Immediate/delayed)
ANSWERING AN INPUT CONTROL QUESTION:
Start with anything that isn’t a validation test
Mention the validation tests according to accuracy / validity / completeness
PREVENTION:
Screen:
• Standard, user-friendly
• Looks like source document
• Minimum data entered by user (use drop-down lists) to prevent human error
• Prompting
• Compulsory fields
  → Prompt the user to complete all the fields: shouldn’t be able to proceed if all the fields are not completed
• Descriptive data echo tests (“Are you sure?”)
• Visual verification
GENERAL (USER RELATED CONTROLS)
Trustworthy employees must be trained as capturing specialists
All employees must be properly trained on the functionality
Keep track of who is capturing the data by allocating responsibility
Access profiles
Each employee must have a username, password and profile indicating the user’s access rights and
functionalities they are capable to perform
Segregation of duties
Allocate override rights to senior manager or using an approval matrix which requires specific users to
approve the transaction before it is processed
SOURCE DOCUMENTS
The validity, accuracy and completeness of data on hard-copy documents is a prerequisite for the validity, accuracy and completeness of the
computer input
Document standards
To reduce errors, manual documentation must comply with the required standards and be easy to understand
Check sequential numbering
There must be controls over the custody of assets
Training
-
SCREEN AIDS
Features and procedures built into the program in order to assist the user to capture data with minimal effort and error
Screen Design
Must resemble the source document or hard-copy layout
Must be standard and user friendly (only enough space for required information)
Capturing of transactions (use of Masterfile)
Done by data control group (from source document) for user to view on-line (on the system)
Ensure minimum data entered – if possible extract information from other sources
Computer
To ensure minimum data is physically captured, use drop-down menus or lookup functions
Must ensure that no data can be left out by using compulsory fields
The information recalled by the system must then be confirmed by the user, known as data echo test or closed-loop verification
Visual verification
DETECTION:
Data input: Validation tests: (Detection)
Which test to use?
ACCURACY
– ALPHA-NUMERIC CHECKS
– FIELD LENGTH TEST
– SIGN TEST
– REASONABILITY TEST
– DATA-ECHO TEST
– RELATED DATA TEST
COMPLETENESS
– COMPLETENESS TEST
– COMPULSORY FIELDS
– CONTROL TOTALS
VALIDITY
– VALIDITY TEST
– LIMIT TEST
– DROP DOWN MENU TEST
Explanation of different tests
When answering a question, must provide: 1. name of the test. 2. what the test does; and 3. an example from scenario
NB VALIDATION TESTS are included in program code – in other words performed by computer (if, in an exam question, they don’t exclude validation tests in the required parts, leave space open under each test and complete it by applying it to the scenario given in the question)
Validity and authorisation
Validity tests:
Test that the information entered is valid
e.g. debtor account number vs. master-file data
Limit test:
If pre-determined maximum and minimum limits are exceeded, then additional authorisation is required
E.g. limit on the number of items you can order / limit on the price range
Accuracy
Alphabetic / alphanumeric / numeric character tests:
Alphabetic test – only alphabetic letters should be accepted
Alpha-numeric test – only a mix of alphabetic and numeric characters should be accepted
Numeric test – only numerical characters should be accepted
Sign test (+ or -):
All amounts
e.g. won’t allow negative inventory to be entered
Related data / matching tests:
The system automatically generates related data
e.g. enter an employee number and the employee’s ID number is generated by the system
Field length test / field size tests:
The correct number of characters in the field
e.g. cell phone number only has 10 characters
Reasonability test:
The entry is reasonable in the context
i.e. email address has @ or reasonable number of items ordered
Completeness
Field length test / field size tests:
The correct number of characters in the field
Completeness test:
All input fields are completed and filled in.
User not allowed to proceed unless all the required fields are filled in.
e.g. ID no
Review, investigate (Correction)
Identify and isolate errors:
o Error messages
o Register of rejected transactions
o Error register/log
Audit trail
Computer generated
o List of (1) accepted transactions and (2) rejected transactions (and relevant control/s)
o Transaction files and suspense files(rejected)
Manual (by hand)
o Control register
o Error “log” of rejected transactions sent back
o Review, investigate errors
▪ Input error
Immediate rejection and correction:
As soon as programmed validation tests detect errors/missing data the transaction should be rejected by the computer and an error message
should immediately appear on the screen. These should immediately be corrected – in other words further inputs will not be allowed until the
error has been corrected (accuracy).
A register should be kept of errors not corrected and followed up by management.
Delayed correction, transfer to suspense file, keep record of errors
Source document error
o Rejected to/ transfer to suspense file
o (i) error report/ register/ log and (ii) documentation is sent to user for correction and authorisation
o Investigate the cause and management follows up on the error
o Correct error
o Perform validation tests
o Return to transaction file for processing
Risks if input controls don’t work: Consequences
o Unauthorised data entry.
o Data may be added or amended.
o Errors during the creation of data.
o Errors during capturing/entering of data.
o Errors during correction or re-entry of previously rejected data.
o Data can be lost during capturing
INPUT CONTROLS IN RESPECT OF ACCURACY
M
A
P
P
E
R
Manuals must be available in order to provide users with the necessary information, which can specifically be consulted by the
users when they experience problems or have made errors.
The computer screen should contain required fields without accurate completion of which further processing cannot take place
(i.e. force the user to fill in certain fields).
As much as possible information on the screen should be echoed in order for the user to confirm the information.
Appropriate error handling procedures must exist, for example the system must not allow the input or processing to continue
until the error has been corrected
The computer system must display an error message as soon as the system detects an input error, and
After input the input should be displayed on the screen and the user must review the information captured by means of visual
verification
D
The staff must be guided through the input process by means of a computer dialog (prompting).
U
The screen layout of the input screens must be user-friendly, properly designed and similar to that of the contract from which
information is captured
The minimum information must be entered by for example using relevant selection lists, selection boxes etc
I
T
Staff must receive proper training for the tasks they will perform
CORRECTION:
IDENTIFICATION
Error messages, extract logs, audit trails and registers
A senior member must extract these documents from the system and unusual items must be investigated
Identify error messages and registers of rejected transactions and suspense files
NB: compare details of items vs invoice
Can also be detective: exception reports, registers & logs
Error register (log)
There must be an audit trail to show the flow of transactions
Computer generated:
• Logs and registers of all rejected and accepted transactions
• Exception reports of unusual transactions
• Transaction and suspense files
Manually generated:
• Control reports show total amount invoiced in period
• Error reports or logs of rejected transactions sent back
INVESTIGATION
Investigate causes of errors
Input errors
Errors on source documents
CORRECTION OF ERRORS
Management must determine whether the error exceeds the job authorisation of the employee to determine whether it was unethical behaviour
An error correction must require a high-level password
Adding new information
Input error
Immediate rejection:
The transaction and related data must be rejected
An error message must appear
No further inputting must be allowed until the error is corrected
Error on the original source document (return to source)
Delayed correction:
If immediate correction is not possible, the transaction must be transferred to the suspense file
A register of unattended to errors must be made
The register must be investigated by management
Correction during input or during later processing:
The system must delete the rejected transaction and send it to an error suspense file
An electronic report/register/log of the rejected transactions and all documentation must be generated
The data capturer must then:
Investigate the transactions and send the source document back to the preparer for correction and authorisation
Ensure the documents are recorded in the error register
Consider rejected transactions for reconciliations of control totals
Once the documents are corrected by the preparer and returned, the data capturer must:
Correct the transactions in the error suspense file
Re-enter the data (correct error)
Perform validation tests during correction
Error suspense file must be reviewed on a regular basis by management
ERROR HANDLING PROCEDURES:
CAPTURE ERRORS
1. As soon as a capture error has been made during capturing, the transaction must be rejected by the computer by immediately showing an error message on the screen.
2. Immediate correction of entry errors must be required – in other words, no further entries are allowed until the error is corrected.
3. A register of errors that were not immediately corrected must be maintained and discussed with management.
4. Certain errors relating to the exceeding of limits or job level should require a high-level password before any correction can take place.
INCORRECT SOURCE DATA
If a capture error cannot be corrected as a result of incorrect source data (e.g. the product code on the order form is incorrect):
1. The system must delete the rejected transaction and transfer it to an error suspense file.
2. An electronic report of all rejected transactions (together with the control report) must be generated by the computer.
3. After investigation of computer generated reports, the person who captures the entries:
– Must investigate all rejected transactions and then send the order form back to the individual who prepared it for correction of the error.
– Ensure that the returned documents are recorded in the error register, and
– Take the rejected transactions into consideration for reconciliation of control totals.
4. After the source document is corrected by the user, it is returned to the person who captures the entries. The capturer makes the necessary corrections on the order present on the error-suspense file.
5. The corrected document is then re-entered and must again be subjected to relevant input and validation controls.
6. The error-suspense file must be reviewed by management on a regular basis, to ensure that errors are investigated and corrected on a timely basis.
THE PERFECT SYSTEM – INPUT CONTROLS
-
Before input the responsible input official should check each input form for approval by the head of the salary department who signed the form
The input official needs to be trained properly
Input forms need to be properly developed and pre-numbered
Screen format
Standard format – and layout, the screen format should agree with the format of the input form
The screen must be user-friendly to simplify the input process and to reduce the risk of errors
When a personnel number is entered it should appear on the screen together with the information already in the master file so that the input
official can compare the existing information and changes entered (descriptive echo test/visual verification)
Minimum data must be captured and drop down menus are used
Compulsory fields to be completed before capturing can continue
Computer dialog (prompting)
Computer guides user through the input process
Sequential numbers
Programme computer to check sequential numbering and identify missing numbers and record it on error log
Data control group must also frequently review the numerical sequence of order form numbers as part of their review of transaction lists
Programmed validation tests:
Sign test: some fields may only be positive and not contain negative values (eg. Quantity entered must be positive)
Alpha numeric/alphabetic: to determine whether input field contain the correct combination of alphabetic and/or numeric characters eg. The
supplier code may only contain alphabetical characters and the inventory code, only numeric characters
Field size test (field length): To test whether each field consists of the correct number of characters
Limit test: Eg. A general/specific upper limit can be placed on the quantity field and therefore order size is only allowed between predetermined limits
Related data/matching test: Eg. When a product code is entered the system compares it with the reorder report to confirm that it did appear
on it
Validity test: eg. The inventory code entered, is compared with a pre-programmed list of inventory codes and approved suppliers
Reasonableness test: eg the reasonability of the quantity inventory order should be confirmed by the computer doing a calculation based on
the sales in the past and comparing it with the quantity that was entered. Only a predetermined percentage variance is allowed
Completeness test (compulsory fields): Eg. A test must be performed to ensure that all characters and fields are entered
Descriptive data-echo tests (visual verification)
The information that is entered by the input operator is used by the system to retrieve descriptive information from the master file and to echo
it back to the operator (display on screen) so that the accuracy of input field can be confirmed
Eg. When a supplier and inventory code is entered, the details of the supplier and description of inventory appear on the screen
An exception report of inventory items less than reorder level with no orders in a pending file must be pulled to identify any orders not entered
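The programmed validation tests listed above, written out as an added example (not part of the original notes). Every master-file code, field name, field length and limit below is an assumption made for the illustration; rejected records go to an error suspense file with an error log entry, as the error handling procedures describe.

```python
"""Programmed validation tests on a captured order line (constructed example)."""

# Constructed master-file data: every code, name and limit is an assumption.
SUPPLIERS = {"ABC": "Alpha Bearings CC", "XYZ": "Xylo Zinc (Pty) Ltd"}
INVENTORY = {"10001": "Bearing 6 mm", "10002": "Bearing 8 mm"}
REORDER_REPORT = {"10001", "10002"}   # items below reorder level
PAST_MONTHLY_SALES = {"10001": 200, "10002": 50}
QTY_LIMITS = (1, 1000)                # limit test: allowed order size
MAX_VARIANCE = 0.5                    # reasonableness: within 50% of past sales
COMPULSORY = ("order_no", "supplier", "item", "qty")


def validate(record):
    """Return (errors, echo). An empty error list means the record is accepted."""
    errors = []
    # Completeness test (compulsory fields): nothing else runs on a blank field.
    for name in COMPULSORY:
        value = record.get(name)
        if value is None or str(value).strip() == "":
            errors.append(f"completeness: {name} is blank")
    if errors:
        return errors, {}

    supplier = str(record["supplier"]).strip()
    item = str(record["item"]).strip()
    qty_text = str(record["qty"]).strip()

    # Alphabetic / numeric character tests.
    if not (supplier.isascii() and supplier.isalpha()):
        errors.append("alphabetic: supplier code must contain letters only")
    if not (item.isascii() and item.isdigit()):
        errors.append("numeric: inventory code must contain digits only")
    # Field length tests.
    if len(supplier) != 3:
        errors.append("field length: supplier code must be 3 characters")
    if len(item) != 5:
        errors.append("field length: inventory code must be 5 characters")

    # Sign test, then limit test, on the quantity.
    qty = None
    try:
        qty = int(qty_text)
    except ValueError:
        errors.append("numeric: quantity must be a whole number")
    if qty is not None:
        if qty <= 0:
            errors.append("sign: quantity must be positive")
        elif not QTY_LIMITS[0] <= qty <= QTY_LIMITS[1]:
            errors.append("limit: quantity outside the predetermined limits")

    # Validity tests against the master files.
    if supplier not in SUPPLIERS:
        errors.append("validity: supplier code not on the approved list")
    if item not in INVENTORY:
        errors.append("validity: inventory code not on the master file")
    else:
        # Related data / matching test against the reorder report.
        if item not in REORDER_REPORT:
            errors.append("related data: item is not on the reorder report")
        # Reasonableness test: compare the quantity with past sales.
        expected = PAST_MONTHLY_SALES[item]
        if qty is not None and qty > 0 and abs(qty - expected) > MAX_VARIANCE * expected:
            errors.append("reasonableness: quantity differs too much from past sales")

    if errors:
        return errors, {}
    # Descriptive data echo: master-file descriptions for visual verification.
    return [], {"supplier": SUPPLIERS[supplier], "item": INVENTORY[item], "qty": qty}


def capture(records):
    """Route records to the transaction file or the error suspense file."""
    transaction_file, suspense_file, error_log = [], [], []
    for record in records:
        errors, echo = validate(record)
        if errors:
            suspense_file.append(record)
            error_log.append({"order_no": record.get("order_no"), "errors": errors})
        else:
            transaction_file.append({**record, "echo": echo})
    return transaction_file, suspense_file, error_log


# Constructed input: one valid order and five that should be rejected.
SAMPLE = [
    {"order_no": "5001", "supplier": "ABC", "item": "10001", "qty": "180"},
    {"order_no": "5002", "supplier": "AB1", "item": "10001", "qty": "180"},
    {"order_no": "5003", "supplier": "ABC", "item": "1001", "qty": "-5"},
    {"order_no": "5004", "supplier": "ABC", "item": "10002", "qty": "900"},
    {"order_no": "5005", "supplier": "ABC", "item": "10001", "qty": ""},
    {"order_no": "5006", "supplier": "QQQ", "item": "10001", "qty": "5000"},
]

if __name__ == "__main__":
    accepted, suspended, log = capture(SAMPLE)
    print(len(accepted), "accepted;", len(suspended), "sent to suspense file")
    for entry in log:
        print(entry["order_no"], entry["errors"])
```

Each error message starts with the name of the test that failed, which is the audit trail a reviewer needs when following up the error log.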
PROCESSING CONTROLS:
General controls
– Access controls: authorisation through passwords and usernames
– Segregation of Duties
– Backup copies prior to processing
Correct versions of program & file
– Librarian: program (authority and responsibility)
– File labelling: internal & external
– Job scheduling
◦ Run-to-run checks: i.e. the closing of one column is opening balance of the next column
Control total reconciliation
– Control reports: computer: these are totals calculated after processing a range of data to ensure the total before processing took place agrees with the total after processing took place.
– The control totals calculated within the preparation of xxx register/document should be reconciled to control totals calculated after the processing thereof, inter alia:
Batch processing [NB!] [completeness]:
– Financial fields: the total of the financial field summed (give example based on scenario e.g., gross salaries)
– Hash totals: this is the total of (give example based on scenario e.g. bank account number)
– Record counts (give example based on scenario e.g. number of employees)
• Calculate the input and compare with processed totals
File balancing (shadow balances) [completeness]
– Balance (number of items) on captured, amended and stored in an independent file
– A control total of the master file should be maintained on an independent file and updated with the transaction data. After the processing cycle, it should be compared to the master file total.
Controls during processing
Identification of data errors
▪ Sequence test: sequential numbering of documents
▪ Comparisons: invoice will not be processed until a goods received note is received
Identification of processing errors
– Validation tests: refer to validation tests above: use one or two examples: ensure they are relevant to the scenario
– Mathematical accuracy tests
– Duplicate calculation
– Reversed multiplication and division
– Cross casting
– Reasonability tests (i.e. the limit test for items on hand)
– Log, review, investigate
Control reports
Error and exception reports
– Possible errors (incl. unusual items)
▪ Data controls – review of reports
– Batch processing controls: (Controls to process a batch of documents i.e. Invoices)
APPLICATION CONTROLS RELATING TO THE PROCESSING WHEN THE PDF INVOICES ARE GENERATED
The control totals (batch register totals) calculated during preparation of the batch register should be reconciled to control totals calculated after processing thereof, inter alia:
◦ Financial fields, such as total amount invoiced;
◦ ‘Hash totals’, such as debtors account numbers, reference numbers, cellphone numbers; and
◦ Record counts, such as number of debtors.
File balancing (shadow balances): A control total of the debtors’ master file should be maintained on an independent file and updated with the transaction data.
After the processing cycle it should be compared to the debtors’ master file’s total.
Run-to-run totals must be calculated and reviewed by the system.
Programmed edit/validation tests must be recorded by the system to:
detect data errors (e.g. sequence tests, pairing tests or record comparison tests).
detect processing errors (e.g. any valid examples of validation tests, mathematical accuracy tests or reasonableness test).
The software should detect any missing invoices by:
A file sequence investigation: where they investigate whether the invoice reference numbers of one transaction file follows on the previous file; and
perform a completeness tests during the processing of information to identify missing invoice reference numbers.
The console log should regularly be checked by the data control group (e.g. after each run) to identify any processing disruptions and should investigate it.
The reports and logs listed below, should timeously be reviewed and followed up by data control (e.g. for unusual or duplicated items).
Control reports (e.g. control register, total amount invoiced).
Exception reports (e.g. large fluctuations or declines in debtors balances, payments in excess of a predetermined amount) and
Error reports (e.g. debtors with credit balances, missing cellphone numbers, unusual cellphone numbers) generated by the system to identify any possible errors.
BATCH INPUT CONTROLS TABLE
The batch relates to a specified period (I.e. one week)
Fixed batch size
Unique batch number (For each period)
Control totals (see explanation above) → Financial total, Hash totals, Record count
Batch transmittal ticket (pre-printed, pre-numbered document, signed x2 – requesting that the batch be processed)
Batch register (Relevant details: Batch number; time period batch relates to; person who processed batch → Fill in every batch processed on the register = Audit trail)
Batch header record
Different methods of Batch processing
Batch entry and batch processing
▪ Transactions (source doc) are collected into bundles
▪ Entered and processed in bundles
▪ Master-file is updated at a later stage
On-line entry, batch processing
▪ Data is entered directly onto the system via a terminal
▪ Authorise and process to transaction file
▪ Master file is updated later
On-line entry, real-time processing
▪ Data is entered directly, linked to accounting system
ADDITIONAL BATCH INPUT CONTROLS
If a batch system is used while capturing data, the input controls discussed above apply but must be supplemented with additional
controls over the batching process
Input controls
After a period (eg. A day) all the transactions recorded on hardcopy must be placed into manageable
batches
Each batch must have a unique number
The sequential numbers must be reviewed and control total must be calculated
The batch can then be captured (input controls apply)
Control tables
Once grouped into batches, specific control tables must be calculated
Financial totals: Eg. Total value of all sales
Hash totals: Eg. Total of all documents included in batch
Record counts: Eg. Number of documents in the batch
These calculated totals will be compared to the totals generated by the system
The transaction will only be authorised if totals agree
Batch control sheets
After preparing a batch and control tables a batch control sheet is prepared
This contains a unique batch number, control totals and descriptions of all transactions
A second staff member must:
• Review the batch
• Recalculate the control total
• Ensure all transactions occur in the period
• Sign as proof
After capturing the batch, a batch control report is printed as proof that all totals were compared
Batch register
Contains information on the batch and tracks the movement of batch documents being processed
The preparer then gives the batches to the data capturer
A batch register is kept and initialled by person taking responsibility for the batch
A batch error report generated must be reviewed and corrected
THE PERFECT SYSTEM – BATCH CONTROLS
The debtor’s clerk should review the sequential numbers (unique batch numbers) of the delivery notes before creating a batch.
The batch should be reviewed to ensure that it only contains the two days’ transactions and no other days.
The debtor’s clerk should perform the following procedure with preparation of the batch:
› Calculate control totals, e.g. the total of all sales.
› Calculate hash totals, e.g. total of all the document numbers added.
› Calculate the number of documents which are included in the batch.
There should be a batch control sheet attached to the batch, which contains all the above mentioned information as well as a batch name/number.
A batch register should be kept up to date which contains all the information of the batch, as shown on the control sheet.
The debtors clerk should sign the batch control sheet and register as proof that the reconciliation has been done.
An independent person should often review and recalculate the totals and sign as proof that the control was indeed performed.
The control totals should be entered, in order for the computer to compare the totals that were entered with the totals it calculated.
The computer should then print out a batch control report as proof that the totals were compared; this is then filed with the batch control sheet.
If the totals do not agree, the entries should be reviewed for accuracy.
The system may only authorise the transaction file for processing if the control totals agree.
A report with rejected transactions / errors should be generated and reviewed in order to correct errors.
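The batch reconciliation described above, as an added example (not part of the original notes). The batch number, document numbers, dates and amounts are constructed; the cases show which keying error each control total catches, and the batch is authorised only when every check agrees.

```python
"""Batch control totals reconciled before a batch is authorised (constructed example)."""
from datetime import date
from decimal import Decimal


def control_totals(documents):
    """Financial total, hash total and record count for a list of documents."""
    return {
        "financial_total": sum((Decimal(d["amount"]) for d in documents), Decimal("0")),
        # Hash total: a sum with no financial meaning, here of the document numbers.
        "hash_total": sum(int(d["doc_no"]) for d in documents),
        "record_count": len(documents),
    }


def sequence_exceptions(documents):
    """Missing and duplicated document numbers within the captured range."""
    numbers = [int(d["doc_no"]) for d in documents]
    if not numbers:
        return [], []
    present = set(numbers)
    missing = [n for n in range(min(numbers), max(numbers) + 1) if n not in present]
    duplicated = sorted({n for n in numbers if numbers.count(n) > 1})
    return missing, duplicated


def reconcile_batch(control_sheet, captured):
    """Compare the control sheet with the captured batch; authorise only if all agree."""
    computed = control_totals(captured)
    differences = {
        name: {"control_sheet": control_sheet[name], "computed": value}
        for name, value in computed.items()
        if control_sheet[name] != value
    }
    missing, duplicated = sequence_exceptions(captured)
    out_of_period = [
        d["doc_no"] for d in captured
        if not control_sheet["period_start"]
        <= date.fromisoformat(d["date"])
        <= control_sheet["period_end"]
    ]
    return {
        "batch_no": control_sheet["batch_no"],
        "authorised": not (differences or missing or duplicated or out_of_period),
        "differences": differences,
        "missing_numbers": missing,
        "duplicated_numbers": duplicated,
        "out_of_period": out_of_period,
    }


# Constructed batch: four delivery notes for a two-day period.
SOURCE_DOCUMENTS = [
    {"doc_no": "1001", "date": "2024-03-04", "amount": "1250.00"},
    {"doc_no": "1002", "date": "2024-03-04", "amount": "310.50"},
    {"doc_no": "1003", "date": "2024-03-05", "amount": "99.95"},
    {"doc_no": "1004", "date": "2024-03-05", "amount": "2400.00"},
]
# The clerk's batch control sheet, prepared from the hard-copy documents.
CONTROL_SHEET = {
    "batch_no": "B-0042",
    "period_start": date(2024, 3, 4),
    "period_end": date(2024, 3, 5),
    **control_totals(SOURCE_DOCUMENTS),
}


def with_change(index, **changes):
    """Copy of the source documents with one record altered (simulated keying error)."""
    captured = [dict(d) for d in SOURCE_DOCUMENTS]
    captured[index].update(changes)
    return captured


if __name__ == "__main__":
    cases = {
        "captured correctly": SOURCE_DOCUMENTS,
        "amount transposed": with_change(0, amount="1520.00"),
        "document number mis-keyed": with_change(2, doc_no="1005"),
        "document left out": SOURCE_DOCUMENTS[:3],
        "document from another day": with_change(3, date="2024-03-06"),
    }
    for label, captured in cases.items():
        result = reconcile_batch(CONTROL_SHEET, captured)
        print(label, "->", "authorised" if result["authorised"] else "rejected",
              sorted(result["differences"]), result["missing_numbers"],
              result["out_of_period"])
```

A transposed amount changes only the financial total and a mis-keyed document number changes only the hash total, which is why the notes ask for all three totals rather than one.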
Test data to test application controls in “sales order system”
TEST DATA USED IN THE AUDIT OF THE SALES SYSTEM
STEPS TO TAKE DURING THE DEVELOPMENT AND UTILISATION OF TEST DATA
1. Define the objective of the test that would be performed and specify the controls which are to be tested.
For example: All sales are recorded and calculated accurately. All sales are made to authorised customers and the account details submitted are valid.
Alternatively, an understanding of the system must be obtained or the system must be documented.
For example: Validation controls: Alphanumeric test, field length test et cetera.
2. Develop the test data, containing the following:
• The test data should include valid and invalid data using, for example, the following fields: customer number, inventory numbers et cetera.
• The test data should include all types of data and possible transactions, for example an order should be entered twice.
• The test data should be processed independently of the client’s system, so as to obtain a pre-determined correct processing result, against which the results of the test data will be evaluated. For example, control totals of invoices, calculated totals on invoices.
3. Process the test data on the client’s system.
4. Compare the results from the test data run on the client’s system with the predetermined results.
For example, transaction logs of every sales order entry, breakdowns of back-orders, order suspense accounts.
→ Note that the test data would either be processed correctly, or be rejected or reflected on exception reports (i.o.w. evaluate the outcome of the tests).
Remove the test data from the client’s system.
5. Conclude on whether the controls within the client’s system operated effectively.
6. Evaluate the general controls to ensure that the system you have tested functioned within a controlled environment and functioned without unauthorised amendment throughout the period under review.
7. Report on the effective operations of the controls.
Risks associated with using test data
RISKS
• The same program or version of the program must be used throughout the year.
• The element of surprise must not be lost.
• Corruption of live data (and risk of viruses) must be limited.
• System may “crash”.
• Unauthorised changes to or overrides of the system must be identified.
• As far as possible, all possible situations and programmed controls need to be tested.
• It may be difficult to remove the data from the system.
Examples of specific types of test data to run on the client’s system.
Include orders for the following customer account numbers:
- alpha and numeric characters
- numeric data < 6 digits
- numeric data > 6 digits
- blank
- valid (correct and incorrect) account numbers
Include orders with the following quantities:
- alpha and numeric characters
- negative quantities
- excessive quantities exceeding a predetermined amount
- quantities where there is no inventory on hand
Include orders with the following inventory codes:
- alpha and numeric characters
- numeric data < 5 digits
- numeric data > 5 digits
- numeric data of 5 digits > 69999 and < 10000
- blank inventory numbers
- valid inventory numbers
Include orders where:
- the extension = R 10 000
- the extension is < R 10 000
- the extension is > R 10 000 and the release code is valid, negative, contains too few or too many digits, is inside and outside of the valid range.
Masterfile Changes
– Stores standing information and balance totals
– With master file amendments ensure only valid changes are made and that processing is complete and accurate
– Additional controls are required for validity, accuracy and completeness as these changes are outside the normal process
– The balancing of the master file must agree to the general ledger (file balancing)
NB The difference between Masterfile Changes and Program Changes:
- A program change falls under general controls and Masterfile changes fall under application controls
- Program change: a change within a specific program
- Master File change: a change to standing information that is part of the transaction cycle i.e. inventory prices, credit limits
Master File change: has NO effect on the IT system or the program.
Example:
Interest is levied on debtors outstanding for longer than 30 days
→ The Program must change to automatically levy interest on any debtor outstanding for longer than 30 days: Program Change
Early settlement discount for debtors who pay early
→ You would only know a debtor qualifies for early settlement discount once they pay early: therefore, the debtor’s master file must change once they paid: Masterfile Change
TRANSACTION FILE vs MASTERFILE
Transaction file
• A transaction file is used to store data in a batch processing system until such time that the system processes the data and then the information is used to update the masterfile.
Masterfile
• Is used to store permanent information (e.g. Name and address, codes, etc.)
• Masterfile also stores the information and cumulative totals of all transactions as it was entered and processed by the system from the transaction file.
TRANSACTION FILE
Information on individual transactions
Used to update master file
MASTERFILE
Store: standing information and balance totals
Eg. Inventory list – code, supplier, cost price, quantities…
UPDATING (ADDITION)
Updating transaction data from transaction files
(sales, payments, bad debts, credit notes)
Updating controls under processing
CHANGES (AMENDMENT)
Changes to existing data (new inventory items, addresses, telephone numbers)
Mostly changes to non-financial data but can also include financial data (credit limit)
Recommendations of controls to address the weakness regarding the updating of the creditors master file of Jambo (Pty) Ltd
UPDATING MASTER FILE
To detect errors during the update of the master file we recommend the following controls:
The control totals calculated after the update of the transaction data must be reconciled with control totals recalculated (by hand or by computer).
The control total of the master file, which must be updated with the transaction data on an independent file, must be compared with the updated total of the
(actual) master file. Differences must be investigated (file balancing).
The console log of processing (automatically updated by system) must be reviewed on a regular basis to identify any errors.
The user or operator must inspect the output and control reports for any errors or duplicated items.
Errors must be reported on an automatically generated exception report.
All the above-mentioned computer generated reports must be reviewed and investigated by a responsible person.
General controls
• Access controls: NB logical (username and password) and physical (only one person can access terminal to make changes)
• Levels of authorisation: only authorised person can make changes
• SOD: the person requesting the change is not the same person making the change
• Backup before processing (Relevant back-up controls)
• Written request by users
• List of requests must be kept
• Written authorisation by senior staff
• NB A Master File Amendment (MFA) form should be filled:
Details on the document:
– Pre-printed, pre-numbered
– User must clearly request the Masterfile change and sign
– Once Masterfile has been amended: the person who processed the change should indicate it has been performed on the MFA form
Input controls
• Validation tests: Refer to validation tests under input
- Important that validation tests relate to the scenario: name test; explain and give an example
Log, review, investigate
• Clear audit trail
Register of changes
Sequential numbers (sequence check)
Limited access to amend (read-only rights)
Review regularly
– Control report: summary of changes
– Exception report: unusual changes (NB the same rules that apply to a log apply to an exception report)
Management controls
– MF changes reconcile with MFA forms
– MF regularly reviewed
– Reconciliations: MF and general ledger balances
– Independent confirmation
Corrections
Always mention these for a Masterfile change:
REQUESTS
- P: Any amendment to the master file information must be requested in writing on a pre-numbered form.
- A: Any amendment (existing or additions) to the master file information must first be approved in writing by a manager
- N: The number sequence of the scans must be checked. A manual register of all changes should be maintained
- I: The amendments may only be made by a designated responsible person (who is independent of daily transactions such as for example the manager). The amendments may only be made by an independent responsible person such as for example the shift manager
- C: The input of amendments must be restricted to one/a specific computer that is safeguarded on a designated PC with a unique IP address
ACCESS
- S: The one/specific computer used for the changes should be stored securely at the home of the individual concerned.
- P: A password/PIN must be required before master file information may be amended.
- A: Otherwise an authorisation matrix may be used to restrict access to the module
REVIEW
- R: Control reports (or a summary of changes to the master file) must be reviewed regularly by the manager or owner in order to identify any unusual or unauthorised adjustments which must be investigated. The report must be reviewed by the manager or owner in order to identify any unauthorised adjustments. Any unusual or unauthorised changes must be investigated
- E: Exception reports of any unusual changes (e.g. changes to products in categories of inventory that are not considered essential) must be reviewed by the manager and investigated if necessary
- P: The manager should print a report of all amendments on a regular basis (or automatically by computer).
RECONCILIATION
- C: The report of changes to the master file (above) should also be compared with the authorised supporting amendments’ documentation (prenumbered form or manual register).
DEBTORS MASTER FILE CHANGES QUESTION FORMAT
- FORM: Master file change request forms must be used for all changes (new debtors, deletion of debtors, changes to debtor data)
  - Be pre-numbered
  - Must be approved and initialled by senior person (for example credit checker)
- SOD: Person inputting master file changes must be independent of the debtor department (users).
- ACCESS: Logical access controls must be used to restrict input of master file changes to authorised staff.
  - To combine authorising matrixes restricting rights by usernames, passwords and terminal IDs
- INPUT: Input controls, such as programmed validation tests and user-friendly screen format must be in use to prevent input errors.
- SYSTEM LOGS: System must automatically keep up a pre-numbered register of amendments made, including:
  - Details of changes
  - Username of person who inputted data
  - Date and time
- SYSTEM LOGS: Read only rights must be granted to the master file changes register and the rights must be restricted to management and senior staff
- SYSTEM LOGS: The register of changes must be reviewed on a regular basis by a senior responsible person, to ensure that:
  - All changes are supported by an authorised request form;
  - Changes entered agree with the request form
  - Authorised individuals only entered the master file changes.
- MANAGEMENT REVIEW: To identify any obvious errors made during capturing, or any unauthorised changes made, the following must be performed on a regular basis:
  - Senior staff (e.g. Credit manager) should review the debtor master file
  - The debtor master file total should (monthly) be reconciled to the balance of the debtor control account in general ledger
- Exception reports: (for example unusual changes or exceeding limits) should be generated and reviewed timely by a senior staff member
- Backup copies of master files must be made before updating the change requests
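The review of the register of changes described above can be automated as a set of programmed checks. The following is an added example, not part of the original notes: the record layouts, usernames and sample data are constructed for illustration, and the exception codes are hypothetical names.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RequestForm:
    """One pre-numbered master file change request form (hypothetical layout)."""
    form_no: int
    requested_by: str
    approved_by: Optional[str]   # None = never approved/initialled by a senior person
    field: str
    new_value: str


@dataclass(frozen=True)
class RegisterEntry:
    """One line of the system-kept register of amendments (hypothetical layout)."""
    seq_no: int
    form_no: Optional[int]       # None = no request form referenced
    username: str
    timestamp: str
    field: str
    new_value: str


def sequence_check(numbers):
    """Return (kind, number) for every duplicate and gap in a pre-numbered series."""
    found, seen = [], set()
    for n in numbers:
        if n in seen:
            found.append(("DUPLICATE", n))
        seen.add(n)
    if seen:
        found += [("GAP", n) for n in range(min(seen), max(seen) + 1) if n not in seen]
    return found


def review_register(register, forms, authorised_users):
    """Return the exceptions a senior reviewer must investigate, as (code, number)."""
    forms_by_no = {f.form_no: f for f in forms}
    exceptions = [("REGISTER_" + k, n) for k, n in sequence_check(e.seq_no for e in register)]
    exceptions += [("FORM_" + k, n) for k, n in sequence_check(f.form_no for f in forms)]
    for e in register:
        # Only authorised individuals may enter master file changes.
        if e.username not in authorised_users:
            exceptions.append(("UNAUTHORISED_USER", e.seq_no))
        form = forms_by_no.get(e.form_no)
        # Every change must be supported by a request form ...
        if form is None:
            exceptions.append(("NO_REQUEST_FORM", e.seq_no))
            continue
        # ... that was approved by a senior person ...
        if form.approved_by is None:
            exceptions.append(("FORM_NOT_APPROVED", e.seq_no))
        # ... requested by someone other than the person capturing it (SOD) ...
        if form.requested_by == e.username:
            exceptions.append(("SOD_REQUESTER_CAPTURED", e.seq_no))
        # ... and the change entered must agree with the form.
        if (form.field, form.new_value) != (e.field, e.new_value):
            exceptions.append(("DIFFERS_FROM_FORM", e.seq_no))
    processed = {e.form_no for e in register}
    exceptions += [("FORM_NOT_IN_REGISTER", f.form_no)
                   for f in forms if f.form_no not in processed]
    return exceptions


# Constructed sample data (not from the notes).
FORMS = [
    RequestForm(101, "clerk_a", "credit_mgr", "credit_limit", "50000"),
    RequestForm(102, "clerk_b", None, "address", "12 Oak St"),
    RequestForm(104, "capturer1", "credit_mgr", "credit_limit", "20000"),
]
REGISTER = [
    RegisterEntry(1, 101, "capturer1", "2024-03-01 09:10", "credit_limit", "50000"),
    RegisterEntry(2, 102, "capturer1", "2024-03-01 09:25", "address", "12 Oak St"),
    RegisterEntry(3, 104, "capturer1", "2024-03-02 16:40", "credit_limit", "200000"),
    RegisterEntry(5, None, "clerk_a", "2024-03-03 22:05", "bank_account", "000-111"),
]
AUTHORISED = {"capturer1"}

if __name__ == "__main__":
    for code, number in review_register(REGISTER, FORMS, AUTHORISED):
        print(f"{code:24} {number}")
```

Each exception maps to one line of the review above: the sequence check covers the pre-numbering, and the remaining codes cover support, approval, segregation of duties and agreement with the form.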
OUTPUT CONTROLS:
- Output refers to the distribution of data from where it is stored to where it is viewed or restored into an electronic format to be viewed
- Output must be prepared accurately and completely, in an appropriate format and only be distributed to specific individuals
General controls
- Allocate responsibility
- Access controls → On-screen viewing rights
- Policies must be written
  - Distribution schedule: which outputs must be printed, when, how often?
  - Distribution list: who is authorised to receive reports?
  - Receipt/distribution
- Data control group
  - Sign distribution ledger for receipt
  - User reviews output on receipt
- Log, review, investigate
  - Brief review before distribution
  - Reconcile output control totals with input
  - Sequential report numbers
  - Series test of page numbers
  - Messages such as “end of report”, “not applicable”
  - There should be no blank pages
  - Reconcile: distribution list and schedule
  - Allocate responsibility to someone in data control group
- Corrections
  - Error registers maintained
Risks:
- Distribution to unauthorised persons
- Output incomplete or inaccurate
- Does not agree with resulting processing
Relevant to all application controls
Input controls
- Manual controls (e.g., stationery), access controls
- V – Access ctrl, authorisation, SOD & staffing matters
- A – Validation, key checks & edit checks
- A – Screen & document design
- A – Automatic processing & generated transactions
- C – Recons, sequence checks, audit trails, hash totals & error correction
Processing controls
- V – Access ctrl, file labels, version control
- A – Validation & edit checks, ctrl totals, audit trails & break points
- C – Breakpoints, run-to-run totals, limited process runs & recons
Master file controls
- Input (above), librarian (NB) & conversion ctrl
Output controls
- VAC – Distribution, stationery & review
THE PERFECT SYSTEM – OUTPUT CONTROLS
Controls to ensure that printouts do not end up with unauthorised persons
- There should be clear written procedures within the entity on how all printouts should be handled, for example which may be printed and how often.
- A person should be appointed by head office to accept responsibility for the distribution of printouts.
- A written distribution list must be prepared to outline clearly who is authorised to receive printouts.
- The data control group must be responsible for the distribution of the reports and printouts.
- A distribution/dispatch register, outlining each person who receives a printout, must be maintained and must be signed as evidence of receipt.
- A senior person should regularly review and compare the signed distribution register and distribution list to detect any unauthorised distribution of printouts.
- Restricted or controlled access must be implemented over printers where the printouts are produced.
- There should be fixed procedures to prevent unauthorised persons obtaining the reports and other printouts after use.
- Management should for example lock it away in a cupboard or shred it after use.
THEORY QUESTIONS
Explain in your own words how computer controls fit into the general framework of internal control and what the difference is between general controls and application controls
- Computer controls form part of the overall framework of internal controls and serve as an addition to the controls of the manual system
- The controls of a manual system and a computer system all work together to achieve the same control objectives (validation, completeness and accuracy).
- General controls are controls that are applicable to the overall computer environment.
- Application controls are applicable to specific transactions.
- Application controls are only sufficient if good general controls are also in place.
additional organisational controls, as well as good staff practices that Tannie Rosi Ltd should implement within the CIS-department.
ORGANISATIONAL CONTROLS TO BE IMPLEMENTED
- There should be a Computer Steering Committee (CSC) that, amongst others, consists of CIS-manager and representatives of all user divisions (managers). The CSC must serve as communication channel between the CIS-department and users.
- The CSC is responsible for
  - long-term planning of CIS-department;
  - setting system development and operating standards; and approval of requests.
- The CIS-department (management) should directly report to top management and the CSC.
- A CIS-director must be appointed who is solely responsible for the CIS, with no other responsibilities.
- The CIS-manager (in conjunction with the CSC) should compile written personnel practices and manuals.
- Manuals should be freely available and practices should be reviewed regularly.
- Manuals must provide detailed guidelines, including:
  - formal job description for all IS staff; and
  - clear organisational structure and reporting guidelines.
- The CIS-department must be divided into 'areas and functions', with clear differentiation between the two, e.g. Development, Operation, Data control, Security.
- Each subsection ('area') must only perform the function assigned to them.
- There must be clear segregation between the user-department and CIS-department.
- Duties must be rotated frequently in order to allow for cross training and to prevent boredom, but segregation of duties and knowledge must however be kept in mind when rotation of duties takes place.
- Scheduling of personnel must take place. Persons must be allocated to specific tasks/projects.
- Continuous monitoring of compliance with prescribed procedures and scheduling by CIS personnel must be performed frequently and performed by persons independent from the CIS-department (e.g. internal audit).
- Continuous evaluation of work performed by personnel must take place, e.g. the volume and quality of work performed, etc.
- Ongoing training should be provided to personnel. They must attend appropriate courses, seminars, etc.
RISKS ARISING FROM LACK OF ORGANISATIONAL CONTROLS
- There is an increased risk of unauthorised transactions being initiated by unauthorised employees.
- Lack of segregation of duties may lead to unauthorised transactions being initiated and executed.
- Collusion between employees could lead to possible fraud and theft.
- Errors may go undetected due to a lack of sufficient independent review.
- Incompetent employees may be employed or, as a result of lack of training, employees may be unequipped to do their job, leading to fraud or errors.
FACTORS that increase the risk of errors & irregularities in a computer information system compared to a manual system
- There is a lack of a decent audit trail or a significant limitation thereon.
- It is more difficult to ensure that there is segregation of duties, seeing that tasks that were previously performed by more than one person are now performed by only one person in a computer environment.
- The personnel that are available might not have the necessary skills that are required in a computer environment, and mistakes can in this type of environment have far more serious consequences than in a manual system.
- Persons may gain unauthorised access and make changes, without there being any evidence showing it.
- A decrease in human involvement decreases the possibility that errors and irregularities can be located/identified.
- Errors in the design of the system may go undetected for a long period because users do not understand the system, and it can also be misused by people that know the system well.
- As a result of the standard design of the computer system, errors that exist in the system will be repeated in all transactions.
Difference between transaction file vs Masterfile
Transaction file
- A transaction file is used to store data in a batch processing system until such time that the system processes the data and then the information is used to update the masterfile.
Masterfile
- Is used to store permanent information (e.g. Name and address, codes, etc.)
- Masterfile also stores the information and cumulative totals of all transactions as it was entered and processed by the system from the transaction file.
GENERAL CONTROLS
GENERAL CONTROLS – WEAKNESSES
(WEAKNESSES are given as paragraphs; the MOTIVATION from the scenario follows as bullets.)
ACCESS TO EDP SECTION
Admission to the EDP section is not appropriately controlled. The controls which are in place are not functioning effectively.
- The tea lady is free to enter and leave the EDP section. She also allows other persons (myself) to enter; or
- During a weekend David and friends are allowed entrance into the EDP section and the system without Maxwell’s knowledge; and
- Maxwell makes his password available to others by means of a note on his door.
In addition to conducting interviews by the EDP manager, it would appear that there is a lack of formal and proper appointment procedures.
CHANGES TO SYSTEM
The necessity, impact and cost of the changes to the current system have not been investigated before the conversion commenced.
The program amendment or system development is performed by unqualified programmers.
It appears that no project management, which includes a project team preparing the project plan of duties and responsibilities, deadlines and budgets, etc., takes place. Project progress is not monitored either.
- Charles decides on his own that a new system must be implemented and commences with the process.
- David, who is currently busy studying, is responsible for the development of the new system.
- David is solely responsible for the development of the new system and Maxwell is not allowed to interfere and is to let David do his thing.
Requests for program changes occur telephonically - there is no written authorization or an independent investigation into the need, cost, etc. of such changes.
SYSTEM DEVELOPMENT
No multi-level involvement in the system development and change process where all parties can give inputs or submit needs or specifications. Detail specifications are not prepared.
- Charles decided on his own that a new inventory system must be designed and
- David only consults with Charles and a couple of members of the data-processing staff before he proceeds with the development of the new system, and
- David only makes short notes of the system requirements following his discussions.
The programmer designs and tests new systems and programming changes.
There is clearly a lack of a formal system development methodology which pins down separated duties and responsibilities.
System specifications are not formally approved before development of the new system takes place.
- David prepares the specifications and immediately commences with the design of the system.
There is no sustained segregation between the programming function and operation of the computer.
- David is involved in both programming and the operation of the computer, during the holidays.
It appears that adequate testing of the new system, where all parties have been involved, did not take place before the implementation of the new system.
The control clerk is not running procedures / tests / controls on the data received for import, the processing process itself and the results of processing (export documentation).
No formal approval takes place before implementation of the system/changes.
- David designs and implements a system that clearly does not work – information is lost and staff has no access to information.
- David decides, on his own, that the system is ready for implementation and implements the new system over a weekend without Maxwell’s knowledge.
Changes are made directly on the live system (no test copy) and there is no control over the conversion process from the old to the new system to ensure proper conversion.
- A large amount of data on the inventory files is lost during the conversion process and will have to be reconstructed, and users cannot obtain access to the inventory information.
PHYSICAL CONTROLS
No control exists over the magnetic tapes, for example by keeping them safe in a library.
- During a weekend, David and friends unknowingly obtained admission to it; or
- Magnetic tapes lie around in the computer room.
It appears that the library function occurs informally: the librarian walked through the entire section and collected all discs. There is a lack of formal authority and control over the issuing and receiving back of data files.
Insufficient housekeeping controls in the computer room.
- Magnetic tapes, tomato sauce, chips and bottles lie around in the computer room.
The company does not use internal file labels.
There is no formal recovery plan and procedures.
- External file labels have been taken away and problems arise when tapes have to be identified – a long and slow process is expected.
- System problems are experienced and staff members “have no idea what to do”.
BACK-UPS
It does not appear that regular back-up copies are made and kept safe.
- Maxwell feels that the reconstruction of lost data might take months and might even be impossible.
SEPARATION OF FUNCTIONS
Programming and systems analysis: Bud Spender, the programmer, is responsible for systems analysis functions, namely the preparation of system specifications, writing and updating manuals and program documentation.
There seems to be no clear distinction between system and application programming.
Control of data and documentation and programming: The librarian also acts as assistant programmer.
It seems that the librarian only keeps data files and not the other software (application and system software) and system documentation of Cowboys and Crooks.
It appears that the library function occurs informally: the librarian walked through the entire section and collected all discs. There is a lack of formal authority and control over the issuing and receiving back of data files.
Weakness: Program and data file security. No controls to ensure that only tested and approved versions of programs are executed against ‘live’ data files
Recommendation:
- An independent staff member must play the role of librarian and manage version control, e.g. numbering different versions.
- A register / logbook should be maintained by the librarian and all programs issued should also be recorded (with details) in it. (manual control)
- The librarian should be responsible to monitor the correct issuance and use of program versions.
- External and internal file labels should be made use of.
- The internal file label should be checked by the program (or the program should force operator to check it visually) to ensure that the correct version is running.
Weakness: Backup and Recovery controls. Lack of formalised backup procedures
Recommendation:
- Backup procedures should be formalised and clearly documented;
- including a schedule of backups to be made, by whom and how often etc.
- Overall responsibility should be assigned to a responsible and competent individual (e.g. the librarian).
- The backup copies should be kept in safe custody, preferably off site.
- Recovery from backup copy of data to be subjected to regular testing.
- Company should have access to alternative / backup processing facilities (hardware, power, etc) in the event of emergency.
PROGRAMME CHANGE
WEAKNESSES IN THE GENERAL CONTROLS SURROUNDING CHANGES TO APPLICATION SOFTWARE / PROGRAMME CHANGES
- Requests for program changes are not documented on pre-numbered, pre-printed change request forms.
- WhatsApp program change requests are received. There is no pre-numbered written request of program changes. And therefore no sequence check is performed and no documented approval can be made by management
- There is no written request from the users of the departments or accountant for the computer package.
- Furthermore, there is no written evidence reviewed by management regarding the investigation.
- No register or log is maintained for all request forms. Therefore no follow up on program changes or investigations of unusual requests. (therefore it is not possible to monitor that all requests are followed-up)
- There is no feasibility study performed for material changes to assess the user requirements, necessity, the costs, implications of the change etc.
- The cost of program change requests plays an important role in the authorisation process (/is the most important consideration), while no investigation into the necessity and impact of the changes is done and no needs assessment is performed
- Program change requests are only evaluated and approved by the accountant and not also by (e.g.) the users department, IS manager and internal audit or CSC
- The accountant is responsible for the decision and there is no strategic involvement of management
- There is no formal approval from the users or management for the purchasing of the new computer package.
- No formal initialling (or signing) as proof of authorisation and approval of program changes (by users, IS staff etc).
- No optimal segregation of duties if estimated costs >R10,000 – since the financial director submits and approves the request
- The segregation of duties in this process is insufficient and there is no multi-level involvement in each stage of purchasing. Only the accountant is involved in each step of the implementation.
- The competence of the service provider was not evaluated at all
- No project plan, which sets out the process of how and when the new package will be implemented, was compiled and approved
- The conversion was not planned beforehand and there is no timetable for when which departments will do the conversion. It was done on a weekend
- No program change standards are in place.
Request for authorisation
Planning
- No procedures to monitor the compliance thereof.
- Only the accountant drafts the requirement specifications (possibly may not have all the necessary technical knowledge) and there is no investigation made to obtain the needs of all the users relating to the program changes
- There is no multiple-level approval of the provisional design of the system/program change (in other words, before the development thereof).
- There is no written approval of the program after changes before implementation.
- There are no access controls to ensure that program changes are made to a copy of the program and do not affect the live data or live program.
- The programmer makes the changes to a copy of the relevant program placed in the production area – thus not to a copy of the program stored in the test (or development) area of the library. (risks: wrong version of program is changed / changes are not made to the ‘current’ version)
- There is no independent person who supervises as librarian and no-one keeps record of the issue of programs and the copying thereof.
- By using the accountant’s password, the programmer gains access to all files on the server. (risk of unauthorised access to confidential information and changes to files high).
- Programmer also works after-hours (with full access) without supervision.
Development
- Insufficient program change documentation is maintained. No copies of test data, data definitions, specifications, etc are kept. It is necessary for the operation of the system and any future changes.
- Proper system testing does not take place, only the processing logic of the program is tested after the program changes.
- No testing is done on a test version of the program to ensure that the program changes can be implemented.
- Testing of the program changes is not performed by all parties involved / concerned, but only by the accountant and the programmer. (Increases risk that not all errors will be identified before implementation.)
- There is no multi-level formal approval of changes before implementation thereof (users, independent IS staff and internal audit also do not give approval).
- There is no multi-level involvement or formal approval of the program changes.
  - Before development, based on feasibility study.
  - After testing, but before implementing the changes.
- There is no reconciliation between program changes authorised and program changes made.
- There are no pre-determined standards when performing program changes.
- There is no back-up made before implementation of the updated program.
- Only direct implementation is carried out (because previous version of program is stopped immediately) which may not in all situations be the best implementation choice.
- Implementation is not planned and coordinated with the user departments.
- The program changes are implemented at a time when normal operations of the business could be disrupted.
- There is no training of system users after program changes have been implemented.
- The system documentation is not updated to include the changes made to the existing program and no documentation is prepared to document the changes made.
- No formalised procedures to ensure back-up copies of the different versions of software are filed in the program library.
- No formal procedures to ensure all system and users documentation are properly updated.
Implementation
- There are no procedures according to which the program changes that are made – according to the version control list – are reviewed with the program request forms.
- A unique password was not allocated to each programmer. By the use of CIS’s password the programmers gain access to all the files
- There are no formalised procedures to ensure that a copy of the different versions of software is kept in the program library.
- Changes are not put into effect by programmers or the IT division but by the users of the system who have access to be able to make changes to the system.
- There is no proper control over the conversion of data from a manual system to Pastel. The accountant simply transferred the balances from the manual system to Pastel with no supervision during the conversion.
- There are no controls in place to ensure that the manual balances were closed off properly. No controls were performed on the data of the manual system to ensure that the data is complete, accurate and valid before the conversion was done:
  - Financial transactions were not closed off, e.g. the recording of cost of sales in a periodic inventory system
  - A stock take was not done to ensure that the value of the inventory according to the manual system was correct
  - The number of records in the manual system (accounts, inventory and debtors’ codes, etc.) was not counted
  - Data of various departments in the manual system was not signed off as accurate and complete
- The package was implemented directly (the manual system was stopped immediately) which was possibly not the correct method of conversion
- No testing was done on Pastel after the conversion to ensure that the package:
  - functions correctly, as expected and
  - meets the needs of the users.
- Users did not approve the package before implementation thereof.
Reconciliation after conversion
- After the conversion the processing continued on Pastel, without performing any of the following reconciliations between the manual system and the accounts on Pastel:
  - Reconciliation of balances was not done to ensure that they correspond
  - Reconciliation of number of records (accounts, inventory and debtors’ codes, etc.) was not done to ensure that all the balances were brought forward from the manual system to Pastel
- Reconciliation of balances and data on Pastel was not compared with external sources, e.g. the bank balance or the stock take
- Exception reports (e.g. incorrect balances, number of records, negative amounts) were not reviewed to solve and resolve problems picked up during reconciliation and testing.
Post-implementation reviews
- No post-implementation review is performed, e.g. over the processing of the changed system to ensure that all users’ requirements and needs are met and the program is operating as required.
Training
- Staff were not trained to use Pastel
Recommend additional controls or procedures to follow during the conversion to the new computerised cost management system
SYSTEM CONVERSION
- The conversion must be planned, with time tables for dates and times by which different tasks must be performed.
- Data conversion: the standing data of the previous manual system must be prepared in electronic files for the computerised costing system.
- The data control group from the information system division must take control of the conversion.
- A senior member of management must also be appointed to supervise the data conversion project.
- Before data conversion starts, controls must be performed to ensure that the data on the old system is complete, accurate and valid, e.g. by reconciliations and recalculations.
- Training users:
  - Sufficient training must be provided to all users in order to ensure that everyone is familiar with the use of the new system.
  - User manuals must also be prepared.
- Documentation: System documentation, e.g. flow charts, descriptions, operator manuals, must be prepared or updated.
- Implementation:
  - Implementation must take place under the supervision of a senior responsible person.
- Implementation of the new system must be executed in an appropriate manner, for example parallel testing where the old and new systems run simultaneously and the results are compared
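The reconciliations named in these notes for a conversion (number of records, balances, and an exception report of incorrect or negative amounts) can be sketched as follows. This is an added example, not part of the original notes: the account codes and balances are constructed, the exception codes are hypothetical names, and the hash total is taken as the sum of the numeric account codes.

```python
from collections import Counter
from decimal import Decimal


def file_totals(records):
    """Totals for one file; records are (account_code, balance_string) pairs."""
    records = list(records)
    return {
        "record_count": len(records),
        # Control total: sum of a meaningful amount field.
        "control_total": sum((Decimal(bal) for _, bal in records), Decimal("0")),
        # Hash total: sum of a field with no financial meaning (here the account code).
        "hash_total": sum(int(code) for code, _ in records),
    }


def reconcile_conversion(old, new):
    """Compare the old-system file with the converted file and list exceptions."""
    old, new = list(old), list(new)
    old_totals, new_totals = file_totals(old), file_totals(new)
    old_balance = {code: Decimal(bal) for code, bal in old}  # assumes unique old codes
    new_count = Counter(code for code, _ in new)
    exceptions = []
    for code in old_balance:
        if new_count[code] == 0:
            exceptions.append(("LOST", code))             # not transferred
    for code, n in new_count.items():
        if n > 1:
            exceptions.append(("DUPLICATED", code))       # transferred more than once
        if code not in old_balance:
            exceptions.append(("NOT_IN_OLD_FILE", code))  # appeared during conversion
    for code, bal in new:
        bal = Decimal(bal)
        if code in old_balance and bal != old_balance[code]:
            exceptions.append(("BALANCE_DIFFERS", code))  # incorrectly transferred
        if bal < 0:
            exceptions.append(("NEGATIVE_BALANCE", code))
    return {
        "old": old_totals,
        "new": new_totals,
        "totals_agree": {k: old_totals[k] == new_totals[k] for k in old_totals},
        "exceptions": exceptions,
    }


# Constructed sample files (not from the notes). Account 1003 is lost, 1004 is
# duplicated and the sign of 1002 is flipped, yet the record count still agrees.
OLD_FILE = [("1001", "1500.00"), ("1002", "320.50"), ("1003", "0.00"), ("1004", "75.25")]
NEW_FILE = [("1001", "1500.00"), ("1002", "-320.50"), ("1004", "75.25"), ("1004", "75.25")]

if __name__ == "__main__":
    report = reconcile_conversion(OLD_FILE, NEW_FILE)
    for name, agrees in report["totals_agree"].items():
        print(f"{name:14} old={report['old'][name]} new={report['new'][name]} agree={agrees}")
    for code, account in report["exceptions"]:
        print(f"EXCEPTION {code:18} account {account}")
```

The sample shows why a record count alone is not sufficient: a lost record and a duplicated record cancel out in the count, and only the control total, hash total and record-level comparison expose them.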
Controls to ensure appropriate system development process
CONTROLS TO ENSURE AN APPROPRIATE SYSTEM DEVELOPMENT PROCESS
- There must be written standard procedures set out within the system development methodology to cover the procedures concerning the planning, development and implementation of the systems.
- Project management must be implemented. A project team must be appointed to prepare a project plan. The project plan must inter alia contain the size of the project, the jobs and responsibilities of specific persons and a time budget. The project team is responsible to control and manage the project and to monitor the progress of the project
- Agreement must be reached regarding the standards of programming, for example the terminology, abbreviations, symbols etc that will be utilised during the system development process.
- Multi-level involvement of the users of the system, the CIS staff, management and the auditor in the system development process is necessary. Each of these parties has different and unique needs concerning the system and must draft the specifications for the system.
- The specifications for the system as mentioned above must before development be reviewed and approved by all parties concerned.
- After the development of the system but before implementation, the system must be properly tested in a test environment. It should be determined whether the system contains sufficient controls and complies with all the pre-determined specifications.
There are 5 levels of testing, namely:
- program test: where the processing logic of each program is tested separately and is tested whether the program will handle all situations correctly;
- string/series test: where the series of related programs is tested to ensure that data is correctly transferred from the one program to the next
- system test/joint existence tests: test whether all the programs in the system are working jointly together by using simulated data
- pilot test: where the actual transactions are processed through the new system and the results compared with those of the present system
- parallel test: where the old and the new computer system are used for a period in parallel and when the results after this period are compared with one another
After testing the system properly but before implementing it, all parties involved with the development process must approve the system finally in writing.
Proper documentation concerning the proper operation of the system must be maintained.
Risks to consider with the development of a new system
- The cost of the development may become out of control.
- The new design of the system might not meet the needs & requirements of the users of the system.
- There may be errors (not compatible) in the new system that could make the day to day use of the system very difficult.
- Important accounting principles and calculations may be wrongly integrated into the new computer system.
- The new system could possibly not have enough controls in place to ensure the integrity of the data at all times
- Risk exists that the new system could be difficult to understand and not user friendly and can lead to errors.
- Problems can arise with the integration between the new and the existing system.
- The risk exists that transfer of information between systems may result in data being lost, incorrectly transferred or duplicated.
- The risk exists that it will be difficult to understand for its users and not user friendly.
Advantages to purchasing software off the shelf compared to one developed in house
• When a package is purchased and installed the process normally progresses more quickly, since the system itself need not be written (which could be a time-consuming process).
• Packages normally have predetermined prices and costs, which means that the process can be less expensive.
• A company can consider different packages and decide which one would suit the company's needs best.
• Packages are normally properly tested and probably error free in respect of functioning.
• The supplier of the package normally builds all the necessary controls into the package.
• System documentation normally forms part of the package and the company therefore does not need to write it themselves.
• The supplier of the package usually provides the necessary training and support services in respect of the package.
• The supplier of the package generally provides updates and new versions of the package, as they become available.
Additional access controls that should have been implemented to prevent the break-in and to ensure that the main frame computer of ISpy can only be used for authorised purposes. Your answer must not address personnel matters, nor logical and monitoring controls.
ACCESS CONTROLS (EXCLUDING LOGICAL CONTROLS)
• There must be a formal documented security policy, distributed to all users, which determines that only authorised staff may have access to and utilise the mainframe computer; and
• that action will be taken against unauthorised use or access.
• This policy should be communicated to all staff members.
• Physical access controls that should be in place at the building and the mainframe computer room:
• access to the room must be restricted through keys/magnetic card readers/security guard with a register;
• a security guard must be present at the entrance of the building to accompany visitors (in other words, unauthorised people) through the building;
• doors to the venue must always be locked if the computer is not in use, as well as when staff leave the computer room;
• only authorised users must have access to keys for the room and/or there should be proper control over registration of magnetic cards;
• additional security gates must be installed at the computer room’s entrance;
• an alarm with motion sensors must be installed; and
• the hardware must be locked when it is not in use (in, for example, a server case) and
• there must be no place to insert media devices (such as memory sticks or DVDs).
• The terminal should be located in a highly visible area, where it cannot be hidden, so that unauthorised people who come close to the servers are seen.
• All staff should have uniforms and identification cards in order to be clearly identifiable when entering non-public areas (such as the server room).
• Staff should only be allowed to use the computer during operating hours and sign into the mainframe computer; otherwise the area must be locked. Alternatively, a daily work schedule must be prepared.
• Every computer must have a terminal code.
• Access to the computer room must only be possible during business hours. Access outside of business hours must be managed by the use of:
◦ alarms;
◦ security cameras and/or
◦ security guards who supervise the use of computers; and
◦ consent received beforehand.
ADDITIONAL PREVENTATIVE AND DETECTIVE BUSINESS CONTINUITY CONTROLS TO ENSURE CONTINUITY OF THE IT OPERATION
BUSINESS CONTINUITY FIRE, WATER, ELECTRICITY AND LOSS OF PRODUCTIVITY
Physical environments: Protection against elements:
Fire:
• Fire alarms, fire extinguishers, smoke detectors, etc.
• Fire alarms, extinguishers (CO2 - not water) and smoke detectors should be installed in the office and close to the safe.
Construction:
• Building’s construction must be solid and it must have long-lasting fireproof walls and floors (limit fires from spreading).
Electricity:
• Continuous power supply and emergency generators (stand-by battery).
• There should be an uninterrupted power supply (UPS) installed.
Water:
• Cable protection must be implemented, so that cable and equipment can be protected from water damage. CO2 fire extinguishers must be used.
Emergency plan and emergency recovery procedures
PLAN
• Plan and document an emergency recovery plan, with set procedures relating to the functions and responsibilities in case of disasters, including break-ins.
• Test the emergency recovery plan to identify weaknesses and to set out responsibilities of persons involved (or to set).
• Provision should be made to test the plan on a regular basis to identify weaknesses and ensure employees are aware of their responsibilities.
DISASTER PLAN
• A written business continuity/disaster recovery plan needs to be developed.
• It must be widely distributed among employees and specifically set out:
◦ a list of data and program files that are key to operations and must be recovered;
◦ a list of documents to be removed from the premises in the event of a disaster.
ALTERNATIVE FACILITY
• An alternative processing facility should be considered in the event of a disaster so that operations can continue (an agreement could be entered into with a service provider).
• Provide alternative processing facilities (back-up facilities), for example service organizations, trade partners etc.
Backup copies
◦ A formalised backup program must be in place to state how and when backups are to be made.
◦ The backup copies must be tested frequently.
◦ The back-up copies should be regularly tested to identify any weaknesses and to ensure that the back-up responsibilities are allocated to the correct people.
◦ Regular backups must be made.
◦ A manual back-up register must be maintained. This register must clearly state who needs to make back-up copies and where they must be saved. (Or an automated backup register must be maintained that links to the timing of the cloud back-ups.)
◦ Regular back-up copies must be scheduled (i.e. a fixed schedule should be set up) and made OR backups should be automatically done.
◦ At least three generations of backups should be maintained.
◦ Back-ups in this online business should be made more frequently than every 8 weeks, rather daily.
Other controls
Sufficient insurance:
• Contact the insurer to revise and update insurance coverage so that it covers the following risks: fire, water, loss of production, et cetera.
• Have insurance to mitigate the impact of the loss – profits and physical and logical assets.
Wear & Tear:
• Regular inspections and maintenance should take place on the computer system to reduce the risk of failure over time due to wear and tear.
Monitoring:
• Remote monitoring should be implemented.
APPLICATION CONTROLS
Validation tests
Input of goods received
VALIDITY & AUTHORISATION
Validity test:
• the purchase order number must be validated with reference to the approved orders in the system;
• the order form number must be validated with reference to the suspense file.
Limit test:
• quantities received (as recorded) may only differ within predetermined limits, for example 0% or 5%, from ordered amounts (to ensure that the majority of the approved order has been delivered).
Check digit:
• on the order form number to check validity.
ACCURACY
Alphabetic/alphanumeric test:
• (on the purchase order number and inventory code field) – only a combination of numerical and alphanumeric characters should be accepted;
• only a mix of numerical and alpha-numeric characters should be accepted (on the order-form field).
Numeric character tests:
• (on the quantity received field) - only numerical characters should be accepted.
Sign test:
• negative amounts should not be accepted.
COMPLETENESS
Field length test / field size tests (e.g. ID no):
• on the purchase order number and the inventory item (code), a certain number of characters must be inputted;
• on the order form number, a certain number of characters must be inputted.
Completeness test (all input fields are completed):
• the computer should require that the purchase order number, inventory code and counted amount be inputted each time goods received are recorded;
• the computer should require that the order-form number and counted amount be inputted each time goods received are recorded.
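The programmed edit checks listed above for the input of goods received, written out as an added Python example that is not part of the original notes. The field formats, the sample order data and the Luhn (mod 10) check-digit scheme, applied here to the purchase order number, are assumptions made for the illustration; the notes do not specify them.

```python
import re

# Constructed master data: approved purchase orders and quantity ordered per inventory code.
APPROVED_ORDERS = {"PO100016": {"INV00421": 100, "INV00733": 40}}
TOLERANCE_PERCENT = 5  # limit test: received may differ from ordered by at most 5%
REQUIRED = ("purchase_order", "inventory_code", "quantity")
# Assumed field formats (not from the notes): "PO" + 6 digits, "INV" + 5 digits.
FORMATS = {"purchase_order": (8, r"PO\d{6}"), "inventory_code": (8, r"INV\d{5}")}


def luhn_ok(digits):
    """Check-digit test. Luhn (mod 10) is an assumed scheme; the notes name none."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate_receipt(rec):
    """Return a list of (test, field) failures for one keyed goods-received record.

    All values arrive as strings, exactly as typed. An empty list means the
    record may be processed; anything else must be corrected first.
    """
    errors = []
    # Completeness test: every compulsory field must be filled in.
    for field in REQUIRED:
        if not str(rec.get(field, "")).strip():
            errors.append(("completeness", field))
    if errors:
        return errors

    # Field length test, then alphabetic/alphanumeric test, per coded field.
    for field, (length, pattern) in FORMATS.items():
        value = rec[field]
        if len(value) != length:
            errors.append(("field length", field))
        elif not re.fullmatch(pattern, value):
            errors.append(("alphanumeric", field))

    # Numeric character test, then sign test, on the quantity received.
    qty = rec["quantity"]
    if not re.fullmatch(r"-?\d+", qty):
        errors.append(("numeric", "quantity"))
    elif int(qty) < 0:
        errors.append(("sign", "quantity"))
    if errors:
        return errors

    po, code, received = rec["purchase_order"], rec["inventory_code"], int(qty)
    # Check digit: catches mistyped or transposed digits before any lookup.
    if not luhn_ok(po[2:]):
        return [("check digit", "purchase_order")]
    # Validity test: the order and the item on it must exist in the approved orders.
    ordered = APPROVED_ORDERS.get(po, {}).get(code)
    if ordered is None:
        return [("validity", "purchase_order/inventory_code")]
    # Limit test, in integer arithmetic to avoid rounding at the boundary.
    if abs(received - ordered) * 100 > ordered * TOLERANCE_PERCENT:
        return [("limit", "quantity")]
    return []


if __name__ == "__main__":
    sample = {"purchase_order": "PO100106", "inventory_code": "INV00421", "quantity": "97"}
    print(validate_receipt(sample))  # transposed digits in the order number
```

The checks run from cheapest to most expensive, so a record with a missing field or a mistyped order number is rejected before the approved-orders lookup is attempted.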
Input of inventory orders
VALIDITY & AUTHORISATION
Validity test:
• the inventory code entered is compared with a pre-programmed list of inventory codes and approved suppliers;
• validity tests:
◦ valid code test: by testing whether the code of the book ordered and captured is valid;
◦ valid character test: by testing whether the membership number captured consists of valid characters.
Limit test:
• e.g. a general/specific upper limit can be placed on the quantity field and therefore order size is only allowed between predetermined limits.
ACCURACY
Alphabetic/alphanumeric test:
• to determine whether input fields contain the correct combination of alphabetic and/or numeric characters, e.g. the supplier code may only contain alphabetical characters and the inventory code only numeric characters.
Numeric character tests:
• on the quantity of books ordered to ensure that a numerical number is inputted;
• on the membership number to test whether the number consists only of numerical figures.
Sign test:
• some fields may only be positive and not contain negative values, e.g. quantity entered must have positive values;
• this test must be performed on the quantity of books to ensure that the quantity is not negative.
Related data / matching tests (e.g. GRN no):
• when the product code is entered, the system compares it with the reorder report to confirm that it did appear on it.
Field length test / field size tests (# characters, e.g. date):
• to test whether each field consists of the correct number of characters, e.g. the supplier code must consist of six characters and the inventory code of only five;
• on the membership number and the code of the book ordered to ensure both consist of the correct number of characters.
Reasonability test:
• e.g. the reasonability of the quantity of the inventory order should be confirmed by the computer doing a calculation based on the sales in the past and comparing it with the quantity that was entered. Only a predetermined percentage variance is allowed.
Descriptive data echo tests:
• a member’s details are displayed on the screen as soon as a membership number is inputted;
• the name of a book is displayed on the screen as soon as the code of the book is inputted.
COMPLETENESS
Completeness test (all input fields are completed):
• a test must be performed to ensure that all characters and fields are entered, e.g. inventory codes, etc.
Expectation tests:
• if the system expects the inputting of a quantity of books or a specific code after the code of the book was inputted.
Input of bookings
VALIDITY & AUTHORISATION
Validity test:
• All inputs, for example video codes, must be compared with the master file by the computer.
Limit test:
• The computer should place a limit on certain fields, for example on the number of videos a member is allowed to take out per day, or the number of videos booked.
ACCURACY
Alphabetic/alphanumeric test and numeric character tests:
• on the number of videos booked to ensure that a numerical number is captured;
• on a membership number to ensure that it is made up of numbers and letters;
• on video code.
Sign test:
• the number of videos booked should not be a negative number.
Related data / matching tests (e.g. GRN no)
Field length test / field size tests (# characters, e.g. date):
• on the membership number;
• on other personal information such as ID number, telephone etc.;
• the code of the video must both include the correct number of characters.
Reasonability test:
• the reasonableness of the person’s age, by determining the member’s age from the ID number and comparing it with the age restriction on a captured video;
• input of the person’s ID number, address etc.;
• on the membership number, video code etc.
Descriptive data echo tests:
• a member’s details appear on the screen the moment a membership number is entered;
• the name of the video appears on the screen when a video’s code is inputted.
COMPLETENESS
Field length test / field size tests (e.g. ID no)
Completeness test (all input fields are completed):
• A test must be performed to ensure that all fields have been entered, for example the member’s address, ID number, contact information etc.
Expectation tests
Input into salary masterfile
VALIDITY & AUTHORISATION
Validity test:
• Valid code test - all codes, e.g. post level code (or personnel number), must agree with a list of valid codes for the salary application.
Limit test:
• pre-defined bottom and top limits can be specified for the value fields in general (gross salary and over-time tariff) in order to support validity. If limits are exceeded, a personnel manager needs to authorise it.
ACCURACY
Alphabetic/alphanumeric test:
• certain fields must consist of only a certain combination of alphabetical and numerical characters, e.g. all deduction codes consist of numerical characters only.
Sign test:
• value fields must either be positive or negative. In this case both gross salary and over-time tariff must be positive.
Field length test / field size tests (# characters, e.g. date):
• certain input fields must consist of a certain number of characters, e.g. all deduction codes must include 3 characters.
COMPLETENESS
Completeness test (all input fields are completed):
• All input fields need to be captured, thus all fields on the master file need to be captured.
OTHER INPUT CONTROLS:
Screen format:
• Standard design and layout for all inventory orders (and other transactions).
• Design must be user-friendly to simplify the input of information relating to the orders in order to reduce the risk of errors.
• Limit the amount of information that is entered to a minimum by making use of ‘drop-down menus’ and ‘look-up’ functions.
Computer dialog (prompting):
• The computer guides the user through the input process of orders.
• The responsible input officer must review each input form/order for approval before inputting.
• After the order is entered, the captured information is shown on the screen for the user to review and confirm its accuracy against the hard copy order form (visual verification).
Sequential numbers:
• Programme the computer to check sequential numbering, identify missing numbers and record them on an error log.
• The data control group must also frequently review the numerical sequence of order form numbers, as part of their review of the transaction lists.
Descriptive data-echo tests:
• The information that is entered by the input operator is used by the system to retrieve descriptive information from the master file and to echo it back to the operator (display on the screen), so that the accuracy of the input field can be confirmed, e.g. when the supplier and inventory code are entered, the details of the supplier and description of inventory appear on the screen.
• There are certain fields that must be entered as compulsory fields.
• An exception report of inventory items below reorder level with no orders in a pending file must be pulled to identify any orders that have not been entered.
INPUT CONTROLS: Accuracy
Always include these ones (M A P P E R D U I T):
• Manuals must be available in order to provide users with the necessary information, which can specifically be consulted by the users when they experience problems or have made errors.
• The computer screen should contain required fields without accurate completion of which further processing cannot take place (i.e. force the user to fill in certain fields).
• As much as possible information on the screen should be echoed in order for the user to confirm the information.
• Appropriate error handling procedures must exist, for example the system must not allow the input or processing to continue until the error has been corrected.
• The computer system must display an error message as soon as the system detects an input error.
• After input the input should be displayed on the screen and the user must review the information captured by means of visual verification.
• The staff must be guided through the input process by means of a computer dialog (prompting).
• The screen layout of the input screens must be user-friendly, properly designed and similar to that of the contract from which information is captured.
• The minimum information must be entered by for example using relevant selection lists, selection boxes etc.
• Staff must receive proper training for the tasks they will perform.
PART 1: INPUT CONTROLS IRO ACCURACY
• Partial orders or orders without a ‘purchase order number’ should automatically be rejected by the system and not be accepted.
• A policy should be implemented that the supplier documentation must contain the company’s ‘purchase order number’ and “Inventory code”.
• Where the supplier does not use the company ‘purchase order number’ and “Inventory code”, the receiving staff member should compare the details on the supplier documentation to that of the order information before the information can be captured.
• Manuals must be available in order to provide users with the necessary information, which can specifically be consulted by the users when they experience problems or have made errors.
• Staff must receive proper training for the tasks they will perform.
• The staff must be guided through the input process by means of a computer dialog (prompting), for example when moving to the next inventory item.
• The screen layout should be standardised and user friendly, and in this case the colours and text colour need to be more distinguishable to read the inputs.
• The computer screen should contain required/compulsory fields without accurate completion of which further processing cannot take place (i.e. force the user to fill in certain fields).
• The minimum information must be entered by for example using relevant selection lists, selection boxes etc.
• As much as possible information on the screen should be echoed in order for the user to confirm the information (in a different, more legible colour). The receiving person must also be required to tick a box that he compared the details on the screen to the physical inventory in the receiving area.
• The computer system must display an error message as soon as the system detects an input error (e.g. unmatched items), and
• appropriate error handling procedures must exist, for example the system must not allow the input or processing to continue until the error has been corrected.
• After input, all the data captured should be displayed on the screen and the user must review the information captured by means of visual verification.
• A photo of the supplier documentation could be taken and saved for later review.
Debtors captured onto system after contract signed
• Manuals must be available in order to provide users with the necessary information, which can specifically be consulted by the users when they experience problems or have made errors. (1)
• Staff must receive proper training for the tasks they will perform. (1)
• A designated person should be made responsible for the input of information. (1)
• The screen layout of the input screens must be user-friendly, properly designed and similar to that of the contract from which information is captured. (1)
• The staff must be guided through the input process by means of a computer dialog (prompting).
• The computer screen should contain required fields without accurate completion of which further processing cannot take place (i.e. force the user to fill in certain fields).
• The minimum information must be entered by for example using relevant selection lists, selection boxes etc.
• As much as possible information on the screen should be echoed in order for the user to confirm the information.
• The computer system must display an error message as soon as the system detects an input error, and
• Appropriate error handling procedures must exist, for example the system must not allow the input or processing to continue until the error has been corrected. (1)
• After input the input should be displayed on the screen and the user must review the information captured by means of visual verification. (1)
• Reports or registers of the specific input must be printed on a regular basis and reviewed by an independent person. (1)
• Any exceptions must be investigated and followed-up on immediately. (1)
• Increased management supervision and review must be applied. (1)
Internal controls should be in place to ensure the validity, completeness and accuracy of the input on the salary master file.
Input on the salary master file
Before input the responsible input official should check each input form for approval by the head of the salary department who signed the form.
The input official needs to be trained properly.
Input forms need to be properly developed and pre-numbered.
Screen format
Standard format and layout: the screen format should agree with the format of the input form.
The screen must be user-friendly to simplify the input process and to reduce the risk of errors.
When a personnel number is entered it should appear on the screen together with the information already in the master file, so that the input official can compare the existing information and the changes entered (descriptive echo test/visual verification).
Minimum data must be captured; drop-down menus can be used for this.
Compulsory fields need to be completed before capturing can continue.
The following logical tests must be performed on all input fields as applicable:
Valid-code test: all codes, e.g. post level code (or personnel number), must agree with a list of valid codes for the salary application.
Alphanumerical test: certain fields must consist of only a certain combination of alphabetical and numerical characters, e.g. all deduction codes consist of numerical characters only.
Sign test: value fields must either be positive or negative. In this case both gross salary and over-time tariff must be positive.
Field size test: certain input fields must consist of a certain number of characters, e.g. all deduction codes must include 3 characters.
Completeness test: all input fields need to be captured, thus all fields on the master file need to be captured.
Limit test: pre-defined bottom and top limits can be specified for the value fields in general (gross salary and over-time tariff) in order to support validity. If limits are exceeded, a personnel manager needs to authorise it.
Any other valid test
A control figure must be attached to each input field at point of input, which, at its receipt at the salary master file, is recalculated and
compared with the control figure originally attached to each field.
Programmed data combination tests and data approval tests that should be present:
• The number of the input field must logically follow on the number of the previous input form entered within the relevant series and should not be repeated;
• Fields actually entered (that change) should not precisely agree with those that initially were in the master file record;
• Changes to the post level code may not indicate a lower post level than the previous one (or an employee can’t receive a lower gross salary);
• The changed gross salary must, within definite limits, be in accordance with the employee’s post level code and also in the limits of the previous gross salary;
• The over-time tariff must be valid in accordance with the employee’s post level code;
• Deduction codes should also be logically related to defined post level codes, e.g. union codes for certain post level employees.
Any error identified by above tests must immediately be indicated by means of an error message. Handling errors:
• Errors must immediately be corrected or the relevant input must be cancelled. The system should not allow any further input until it’s been corrected.
• A register should be kept of errors not corrected and followed up by management.
• Certain errors relating to the exceeding of limits or post level should require a high-level password, before any correction can take place.
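The data combination tests and error handling described above, as an added Python example that is not part of the original notes. The post level codes, salary bands, tariffs, deduction codes, the 20% change limit and the `personnel_manager` override holder are all constructed values assumed for the illustration, and the high-level password is modelled simply as the name of the person authorising.

```python
# Constructed reference data; every code, amount and name here is an assumption.
POST_LEVELS = ["P1", "P2", "P3"]  # ordered from lowest to highest post level
BANDS = {  # post level -> (min gross, max gross, overtime tariff, allowed deduction codes)
    "P1": (8000, 15000, 90, {"101", "201"}),
    "P2": (14000, 26000, 140, {"101", "201", "305"}),
    "P3": (24000, 45000, 200, {"101", "305"}),
}
MAX_CHANGE_PERCENT = 20                      # new gross must stay within 20% of previous gross
OVERRIDERS = {"personnel_manager"}           # who holds the high-level password
OVERRIDABLE = {"post level", "gross limit"}  # failures a high-level override may release
FIELDS = ("post_level", "gross", "overtime_tariff", "deductions")


def check_amendment(master, change, last_form_no, authorised_by=None):
    """Return the names of the combination tests that a master file amendment fails.

    Assumes the field-level tests (valid code, sign, field size, ...) already passed.
    """
    failures = []
    # The form number must follow the previous one: no gaps and no repeats.
    if change["form_no"] != last_form_no + 1:
        failures.append("sequence")
    # An amendment that changes nothing is suspect (duplicate or wrong record).
    if all(change[f] == master[f] for f in FIELDS):
        failures.append("no change")
    # The post level may not be lowered.
    if POST_LEVELS.index(change["post_level"]) < POST_LEVELS.index(master["post_level"]):
        failures.append("post level")
    low, high, tariff, deductions = BANDS[change["post_level"]]
    gross, previous = change["gross"], master["gross"]
    # Gross salary must fit the band of the post level and the limits of the previous gross.
    within_band = low <= gross <= high
    within_change = previous <= gross and gross * 100 <= previous * (100 + MAX_CHANGE_PERCENT)
    if not (within_band and within_change):
        failures.append("gross limit")
    # Overtime tariff and deduction codes must belong to the post level.
    if change["overtime_tariff"] != tariff:
        failures.append("overtime tariff")
    if not change["deductions"] <= deductions:
        failures.append("deduction code")
    # Limit and post level failures can be released only by a high-level override.
    if authorised_by in OVERRIDERS:
        failures = [f for f in failures if f not in OVERRIDABLE]
    return failures


def process(master, change, last_form_no, error_register, authorised_by=None):
    """Apply the amendment only if every test passes; otherwise record it for follow-up."""
    failures = check_amendment(master, change, last_form_no, authorised_by)
    if failures:
        error_register.append((change["form_no"], change["personnel_no"], failures))
        return master  # master file record stays untouched until the error is corrected
    return {**master, **{f: change[f] for f in FIELDS}}


if __name__ == "__main__":
    record = {"personnel_no": "E0042", "post_level": "P1", "gross": 12000,
              "overtime_tariff": 90, "deductions": {"101"}}
    form = {"form_no": 5012, "personnel_no": "E0042", "post_level": "P2", "gross": 20000,
            "overtime_tariff": 140, "deductions": {"101", "305"}}
    register = []
    process(record, form, 5011, register)
    print(register)  # the 67% increase is held in the error register
```

The error register doubles as the management follow-up list: each entry names the form, the employee and the tests that failed.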
PREVENTATIVE & DETECTIVE LOGICAL ACCESS CONTROLS
ADDITIONAL PREVENTATIVE AND DETECTIVE LOGICAL ACCESS CONTROLS
LOGICAL CONTROLS – PREVENTATIVE
• Employees can only gain access to the server by using dedicated communication lines set up physically or via the Virtual Private Network or other encrypted method of communication (such as SSL; Trust services).
• In order to authenticate the user's access, JoCo can rely on authentication dongles, or limit access so that only computers with IP addresses issued and registered by J-Co can gain access to the server.
• Antivirus and anti-malware software should be kept updated.
• Firewalls should be implemented and tested.
• A staff member who is allowed to access the server should have his/her own username, linked to their password or PIN. Alternatively, a user is required to enter both the password and the username.
• To authenticate the user that logs onto the PC, they could rely on thumbprints or two-factor authentication via a log-on SMS.
• Authorisation tables should be used to ensure that:
◦ data can only be imported or accessed from company issued computers;
◦ certain files can only be read, while others may be edited based on the bi-weekly rotation level responsibilities;
◦ no access to certain programs and files may be obtained from certain company computers based on the bi-weekly rotation level responsibilities.
• Passwords should conform to the following criteria:
◦ Persons should have alphanumeric passwords with a minimum number of characters.
◦ Persons should regularly change their passwords.
◦ The password should not be shown on the screen.
◦ Secrecy of the password is imperative.
• The server should lock the user out after three unsuccessful attempts to access it. Access may only be reactivated by the IT manager after an investigation.
• The server should log the user out after a period of inactivity and require that the password be resubmitted.
• The server should only allow specific processes between 8am and 8pm as set up in the bi-weekly rotation schedule.
• If a user wishes to run an unusual process, additional authorisation from the IT manager is required (based on his username and profile in the authorisation matrix).
Registers and logs – Detective
The registers, logs and reports listed below should be reviewed by the IT manager and he should investigate and obtain reasons for unusual items.
– The system should keep an activity log as a record of who logged on, when and for how long (giving particular consideration to after-hours activity linked to the bi-weekly rotation schedule).
– The server should keep an activity log of who did what activity, as particular staff members are only authorised to perform specific functions per the bi-weekly rotation schedule.
– The server should keep an activity log of all authorised abnormal processes approved by the IT manager (giving particular attention to the type of activity that required additional authorisation).
– An exception report should be created of all unsuccessful attempts to log on to the server or attempts to access non-permitted functions (failed access attempts).
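The detective review described above, as an added Python example that is not part of the original notes: it reads an activity log and produces the exception report the IT manager would follow up. The log format, user names, function names and the `itmanager` account are constructed for the illustration; the three-attempt lockout and the 8am to 8pm window come from the controls listed above.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed authorisation table for one rotation period: user -> permitted functions.
ROTATION = {"alice": {"capture_orders"}, "bob": {"run_payroll", "capture_orders"}}
OPEN, CLOSE = time(8, 0), time(20, 0)  # processes are allowed between 8am and 8pm
MAX_FAILURES = 3                       # lock out after three unsuccessful attempts
IT_MANAGER = "itmanager"               # assumed account name of the only person who may unlock

# Constructed activity log: ISO timestamp, user, event, detail.
LOG = """\
2024-03-04T08:15:02 alice LOGIN_OK -
2024-03-04T08:20:40 alice RUN capture_orders
2024-03-04T09:01:11 alice RUN run_payroll
2024-03-04T10:30:00 carol LOGIN_FAIL -
2024-03-04T10:30:09 carol LOGIN_FAIL -
2024-03-04T10:30:21 carol LOGIN_FAIL -
2024-03-04T10:31:00 carol LOGIN_OK -
2024-03-04T21:47:30 bob LOGIN_OK -
2024-03-04T21:49:05 bob RUN run_payroll
"""


def review(log_text):
    """Return the exception report as a list of (timestamp, user, reason) tuples."""
    failures = defaultdict(int)  # consecutive failed logons per user
    locked = set()               # users locked out and not yet released
    exceptions = []
    for line in log_text.strip().splitlines():
        stamp, user, event, detail = line.split()
        after_hours = not (OPEN <= datetime.fromisoformat(stamp).time() < CLOSE)
        if event == "LOGIN_FAIL":
            failures[user] += 1
            exceptions.append((stamp, user, "FAILED_LOGON"))
            if failures[user] == MAX_FAILURES:
                locked.add(user)
                exceptions.append((stamp, user, "LOCKOUT"))
        elif event == "UNLOCK":
            if user == IT_MANAGER:
                locked.discard(detail)
                failures[detail] = 0
            else:
                exceptions.append((stamp, user, "UNAUTHORISED_UNLOCK"))
        elif event == "LOGIN_OK":
            if user in locked:
                # A successful logon without a release means the lockout control failed.
                exceptions.append((stamp, user, "LOGON_WHILE_LOCKED"))
            else:
                failures[user] = 0
            if after_hours:
                exceptions.append((stamp, user, "AFTER_HOURS"))
        elif event == "RUN":
            if detail not in ROTATION.get(user, set()):
                exceptions.append((stamp, user, "NON_PERMITTED_FUNCTION"))
            if after_hours:
                exceptions.append((stamp, user, "AFTER_HOURS"))
    return exceptions


if __name__ == "__main__":
    for stamp, user, reason in review(LOG):
        print(stamp, user, reason)
```

The `LOGON_WHILE_LOCKED` entry is the one that tests the preventative control itself: it shows a lockout that was never enforced or was released without the IT manager.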
Discuss the controls which could be introduced to prevent and detect unauthorised access to the computers, software and data
CONTROLS TO PREVENT AND DETECT UNAUTHORISED ACCESS
PREVENTATIVE
• A formal, written policy that only authorized persons may use terminals and that strict action will be taken against unauthorized users of terminals. This policy should be given to all staff.
• There must be special security measures in place at the EDP department, and specifically Mr Westwood's office:
◦ the doors should always be closed when the computer is not in use and when Mr. Westwood leaves his office;
◦ only authorized users have access to keys to the offices;
◦ the computer terminal itself must be locked when not in use (physical terminal locks);
◦ the terminal should be placed in a visible, conspicuous place where it is not hidden, so that an unauthorized person working on a computer can be easily spotted.
• There may only be access to the system within business hours. After-hours access must be limited by the use of alarms and/or security guards.
• Authorisation tables should be used to ensure that:
◦ data can only be imported from certain terminals;
◦ certain files can only be read, while others may be edited;
◦ no access to certain programs and files may be obtained from certain terminals.
• Password control should be applied when access to a terminal and the system is obtained:
◦ the terminal should only be usable if the correct password is used;
◦ there should be proper control over passwords: staff must be informed of the importance of secrecy of passwords;
◦ passwords should be chosen with care and not for the ease with which they can be remembered: for example, dates of birth and identity numbers may not be used;
◦ passwords may not be printed, written or pasted where unauthorized users can see them;
◦ passwords should be changed regularly, especially after a change in personnel.
DETECTIVE
• The computers must keep a record of unsuccessful attempts to gain access to the terminal. Such lists should be printed daily and very carefully investigated by Mr. Westwood and followed up.
• The system must automatically sign out if a user has not been at a terminal for a while.
• When the system has not been used for a certain time, access to the system must be regained by re-entering the password.
• At the end of every day, every computer should print a list / log / register of daily activities. This should be checked by an independent person for any unauthorized use or changes. Any evidence of unauthorized activities must be investigated and followed up immediately.
Controls to ensure authorised use of salary master file on the mainframe computer only
PHYSICAL CONTROLS
• A formal, written security policy should be distributed to all users stipulating that only authorised persons may use the mainframe computer and that strong action will be taken against its unauthorised usage.
• Physical access control that should be active at the mainframe room:
◦ Access to the room should be restricted by keys/magnetic card readers;
◦ Only authorised users must have access to keys for the room and/or there should be proper control over registration of magnetic cards;
◦ Doors should be closed at all times when the computer is not in use,
◦ and also when IS personnel leave the room.
• Daily run schedules should be prepared for the use of the mainframe computer.
• The mainframe computer should also provide a daily activity register of the activities performed, which should be compared by a senior person with the run schedule to identify any unauthorised activities.
• Registration on the mainframe computer should only take place within fixed hours (or office hours) and
• Access outside these hours should be managed by the use of alarms, closed-circuit TV cameras and/or security guards supervising the use of this computer.
LOGICAL CONTROLS
• Authorisation tables must be used which ensure that:
◦ Access and rights (writing, reading, changing, deleting etc) to certain files and programs are restricted by linkage to usernames (and in doing so to the user’s job description);
◦ Access to certain programs and files may only be acquired from the mainframe computer and not from terminals as well.
• Password control must be applied by requiring correct passwords to acquire access to the mainframe computer and the master file:
◦ Passwords should be unique.
◦ Persons should have passwords that are alphanumerical, containing at least five characters.
◦ Persons should change passwords regularly.
◦ Passwords should not appear on the screen.
◦ The choice of passwords is important – it should not be obvious and linked to the user.
◦ The passwords of persons who resign should be removed from the file.
◦ Secrecy of passwords is essential.
• The terminal should disconnect after three unsuccessful attempts to access (input of wrong password).
• In the case of a security breach the system should disconnect automatically.
• When the system has not been in use for some time, the user should be deregistered and access to the system should require re-entry of the password.
Preventative & detective controls: inputting of bookings of video’s or DVD’s
The membership number quoted by the member when a booking is made, must be confirmed:
◦ the shop assistant must confirm the client’s personal information (for example, name, address, telephone number etc) on the basis
of computer dialogue particularly when booked via telephone.
◦ by inspecting the video card.
◦ a computer password must be used.
The shop assistant enters the answers and the computer compares the answers automatically with the appropriate master file information.
If they do not agree, the system should reject the booking – an error message should be displayed on the screen and the system should not allow any further
input on the particular order.
The assistant must confirm the video information (e.g. name etc.) on the screen with the client or against the video.
The system should automatically check the following:
◦ whether any amounts or videos/DVD’s or fines are outstanding;
◦ whether the video is available.
◦ whether the person has sufficient prepaid credit (or units) available.
If not, the system should display an error message on the screen.
The screen format must be standard and contain all necessary fields in order to simplify the input process and
must have a simplified design for input. (Alternatively the screen must be user-friendly).
Where possible, the computer must look up the information from the masterfile, for example person’s address, video’s name etc. (Alternatively
“drop down” menus).
The computer must guide the assistant by computer dialogue (“prompting”).
The data, for example video name, client’s address should be echoed back to the user
Sign check:
the number of videos booked should not be a negative number.
Alpha-numeric tests:
on the number of videos booked to ensure that a numerical number is captured;
on a membership number to ensure that it is made up of numbers and letters;
on video code.
Field length tests:
on the membership number;
on other personal information such as ID number telephone etc.;
the code of the video must both include the correct number of characters.
Descriptive data echo tests:
a member’s details appear on the screen the moment when a membership number is entered;
the name of the video appears on the screen when a video’s code is inputted.
Limit test:
The computer should place a limit on certain fields, for example on the number of videos a member is allowed to take
out per day;
or the number of videos booked
Reasonableness test:
The reasonableness of the person’s age, by determining the member’s age from the id number and comparing it with
the age restriction on a captured video;
input of the person’s id number, address etc;
on the membership number, video code etc.
Completeness test (required fields):
A test must be performed to ensure that all fields have been entered for example the member’s address,
id number, contact information etc
Validation test:
All inputs, for example video codes must be compared with the master file by the computer
The system should only allow the input of the fields once the previous field or transaction has been entered in full and has been
accepted by the system (Alternatively compulsory fields).
Exception reports, registers and logs relating to, for example,
persons that attempt to hire videos with fines outstanding,
customer passwords that have been entered incorrectly,
the audit trail of accounting information
(any examples of valid inputs)
must be generated daily and reviewed and investigated by a shop manager.
The details of the videos can be compared with the invoices as prepared by the computer.
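The programmed input tests listed above, combined into one validation routine as an added Python example (not from the original notes). The field layouts, master-file records, daily limit and the assumption that the ID number starts with the birth date as YYMMDD are constructed for illustration.

```python
import re
from datetime import date

# Constructed master files: every number, code, limit and field layout is hypothetical.
MEMBERS = {
    "AB1234": {"id_number": "9001015009087", "fines_due": 0, "credit": 3},
    "CD5678": {"id_number": "1203150123084", "fines_due": 0, "credit": 1},
    "EF9012": {"id_number": "8507220045081", "fines_due": 25, "credit": 5},
}
VIDEOS = {
    "V00017": {"title": "Family Film", "age_limit": 0, "available": 2},
    "V00042": {"title": "Thriller", "age_limit": 16, "available": 1},
}
MAX_PER_DAY = 3
REQUIRED = ("member_no", "video_code", "quantity")
EXCEPTION_LOG = []  # rejected bookings, for the daily exception report


def _field(entry, name):
    value = entry.get(name)
    return "" if value is None else str(value).strip()


def age_from_id(id_number, today):
    """Age from an ID number assumed to start with the birth date as YYMMDD."""
    yy, mm, dd = int(id_number[:2]), int(id_number[2:4]), int(id_number[4:6])
    year = 2000 + yy if 2000 + yy <= today.year else 1900 + yy
    born = date(year, mm, dd)
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))


def validate_booking(entry, today):
    """Return the failed tests; an empty list means the booking may proceed."""
    # Completeness test (required fields): nothing else runs until all are present.
    missing = [f for f in REQUIRED if not _field(entry, f)]
    if missing:
        return ["completeness: missing " + ", ".join(missing)]
    member_no, code, qty = (_field(entry, f) for f in REQUIRED)
    errors = []
    # Field length tests, then alpha-numeric tests on the same fields.
    if len(member_no) != 6:
        errors.append("field length: membership number")
    elif not re.fullmatch(r"[A-Z]{2}[0-9]{4}", member_no):
        errors.append("alphanumeric: membership number")
    if len(code) != 6:
        errors.append("field length: video code")
    elif not re.fullmatch(r"V[0-9]{5}", code):
        errors.append("alphanumeric: video code")
    # Alpha-numeric test, sign check and limit test on the quantity.
    if not re.fullmatch(r"-?[0-9]+", qty):
        errors.append("alphanumeric: quantity is not a number")
    elif int(qty) < 0:
        errors.append("sign: quantity is negative")
    elif not 1 <= int(qty) <= MAX_PER_DAY:
        errors.append("limit: quantity must be between 1 and %d" % MAX_PER_DAY)
    if errors:
        return errors
    # Validation test: both codes must exist on the master files.
    member, video = MEMBERS.get(member_no), VIDEOS.get(code)
    if member is None:
        errors.append("validation: unknown membership number")
    if video is None:
        errors.append("validation: unknown video code")
    if errors:
        return errors
    # Automatic checks against master-file data, then the reasonableness test.
    if member["fines_due"] > 0:
        errors.append("fines: amounts outstanding")
    if video["available"] < int(qty):
        errors.append("availability: video not available")
    if member["credit"] < int(qty):
        errors.append("credit: insufficient prepaid credit")
    if age_from_id(member["id_number"], today) < video["age_limit"]:
        errors.append("reasonableness: member younger than age restriction")
    return errors


def book(entry, today):
    """Accept the booking, or reject it and log the failed tests for review."""
    errors = validate_booking(entry, today)
    if errors:
        EXCEPTION_LOG.append({"date": today.isoformat(), "entry": dict(entry), "errors": errors})
    return not errors
```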
Describe the controls with which unauthorised changes to information on the main frame computer by Ms Possible can be detected.
DETECTIVE MEASURES
• The back-up copy must be recovered and the information must be reconciled with the information on the system. Any difference could
highlight missing information.
• The input documents must be reconciled with the system.
• Balance the control totals (e.g. hash totals, record counts) with the recovered control totals.
• Obtain exception reports/audit trails/registers from the system to identify any information which was omitted or changed. The reports
could, for example, contain the following:
◦ Audit trail of any changes;
◦ Empty fields in the information database;
◦ keep record of all attempts to gain access to the main frame computer system (successful and unsuccessful); and
◦ keep activity registers.
• Exception reports/audit trails/registers must be reviewed by a senior staff member to identify any unauthorised access or attempt to gain
access, which must be investigated immediately.
Explain how ‘authorisation matrixes’ could have been used to ensure that only valid and authorised change could be made to the information
on the main frame computer and consequently could have prevented Ms Possible from removing and changing information.
An access control matrix (programmed authorisation) can contribute in the following manners to ensure only valid changes to the information
in the system are made:
• By way of a terminal code, only a specific terminal is permitted access to the program’s module that makes information changes possible,
thereby restricting changes to a specific terminal.
• Log-in with user ID, authenticated by password, restricts:
◦ the access rights each user has to change information on the system (e.g. display, write);
◦ the possibility that an unauthorised person can make changes to the information on any computers, because they do not have the necessary
rights to make the changes;
• in accordance with the allocated authorisation level, changes should only be allowed to be made on a predetermined day of the month;
• Ad hoc changes require two authorising passwords.
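The matrix described above, as an added sketch in Python (not part of the original notes). The user IDs, terminal codes, module name, change day and authoriser names are all hypothetical, and password checking is assumed to have happened before the call.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Grant:
    rights: frozenset                 # access rights, e.g. display, write
    terminals: frozenset              # terminal codes the module may be reached from
    change_day: Optional[int] = None  # predetermined day of the month for changes


# Constructed matrix: user IDs, terminal codes and the module name are hypothetical.
MATRIX = {
    ("clerk01", "salary_master"): Grant(frozenset({"display"}), frozenset({"T01", "T02"})),
    ("admin01", "salary_master"): Grant(frozenset({"display", "write"}),
                                        frozenset({"T09"}), change_day=25),
}
AUTHORISERS = frozenset({"fin_manager", "hr_manager"})  # may co-authorise ad hoc changes
ACCESS_LOG = []  # every attempt, successful or not, for review by a senior staff member


def _check(user, authenticated, terminal, module, action, on, approvers):
    if not authenticated:
        return False, "user ID not authenticated by password"
    grant = MATRIX.get((user, module))
    if grant is None:
        return False, "no matrix entry for this user and module"
    if terminal not in grant.terminals:
        return False, "terminal not permitted for this module"
    if action not in grant.rights:
        return False, "right not granted to this user"
    if action == "write" and on.day != grant.change_day:
        # Outside the predetermined day the change is ad hoc: two distinct
        # authorisers, neither of them the requesting user, must have approved.
        valid = (set(approvers) & AUTHORISERS) - {user}
        if len(valid) < 2:
            return False, "ad hoc change needs two authorising passwords"
        return True, "ad hoc change with dual authorisation"
    return True, "granted"


def request_access(user, authenticated, terminal, module, action, on, approvers=()):
    """Decide one request against the matrix and record it in the access log."""
    allowed, reason = _check(user, authenticated, terminal, module, action, on, approvers)
    ACCESS_LOG.append({"date": on.isoformat(), "user": user, "terminal": terminal,
                       "module": module, "action": action,
                       "allowed": allowed, "reason": reason})
    return allowed, reason


def denied_attempts():
    """Exception report: the unsuccessful attempts a reviewer must follow up."""
    return [entry for entry in ACCESS_LOG if not entry["allowed"]]
```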
preventative and detective application controls that will ensure completeness regarding the processing of salaries.
APPLICATION CONTROLS to ensure COMPLETENESS of PROCESSING
The control totals calculated with preparation of the payroll register, should be reconciled to control totals calculated after processing thereof,
inter alia:
Financial totals, such as gross salaries, medical fund deductions, etc;
Hash totals, such as bank account numbers, reference numbers; and
Record counts, such as number of employees.
File balancing (shadow balances):
A control total of the payroll master file should be maintained on an independent file and updated with the transaction data. After the
processing cycle it should be compared to the payroll master file’s total.
The software should detect any missing salaries by:
Follow-up testing, whereby it checks whether the salary reference numbers of one transaction file continues from the previous; and
A number order test during processing of information to identify any missing salary reference numbers.
The console log should regularly be checked by the data control group (e.g. after each run) to identify any processing disruptions and should
investigate it.
Control reports, exception reports (e.g. large fluctuations in salaries) and error reports (e.g. negative salary amounts, lack of bank account
number) should be generated by the system to notify of any possible errors.
The reports should timeously be reviewed and followed up by data control (e.g. for strange or duplicated items).
preventative and detective application controls that you would implement to ensure the completeness, validity and accuracy of the
processing of credit notes
PART 1: PROCESSING CONTROLS OF CREDIT NOTES
• There should be segregation of duties between the initiation, execution and authorisation of the processing of the credit notes OR logical
access controls must be implemented to restrict access to the functions on the accounting system for input of credit notes by the
receiving clerk and authorisation of the processing of the credit note to a senior person such as the store manager. (1)
• This can be done by means of unique user names and passwords, or a unique employee card or biometric access and an authorisation
matrix.
• The internal file label should be checked by the program (or the program should force operator to check it visually) to ensure that the
latest version of the transaction files are being accessed to process the credit notes and to ensure that correct program version is running. (1)
• Run-to-run totals of inventory masterfile and sales ledger must be calculated and reviewed by the system. (1)
• Shadow/file balancing should be performed where an independent file is used to update the masterfile balances with the transaction
data and the balances compared to the balance of the masterfiles after processing. (1)
• Programmed mathematical, reasonability and validation tests must be performed by the system:
◦ To detect data errors (e.g. invoice number validity tests, related data test between the invoice and the credit note or a matching test). (1)
◦ To detect mathematical accuracy errors (e.g. any negative values, incorrectly calculated return values, credit note amount exceeds invoice
amount). (1)
◦ To detect reasonability errors (e.g. the amount of returns for any one customer exceeds a set limit). (1)
• The software should detect any missing credit notes by:
◦ A file sequence test: where the system ensures that the credit note number of transaction file being processed follows on from the
previous file; and (1)
◦ A completeness test: during the processing of information to identify missing credit note numbers. (1)
• The system should generate the following reports to be reviewed and followed up by store management.
◦ A control report indicating the total amount of sales returns and list of all credit notes processed.
◦ An error report indicating any missing fields which would have affected correct calculation of the sales returns OR any credit notes not
linked to a sales invoice etc.
◦ An exception report indicating any sessions which expired, any large fluctuations of returns or number of returns for a specific customer.
◦ A console log of processing including any disruptions to processing of the returns. (max 3)
• (For completeness, the following manual control): The customer should sign a copy of the credit note to be filed together with a copy of
the invoice by the returns counter as evidence of the return which can be compared to the control report.
BATCH CONTROLS
The debtors clerk should review the sequential numbering of the delivery notes.
The batch should be reviewed to ensure that it only contains two days’ transactions and not transactions from other days.
The debtors clerk should perform the following procedure when preparing the batch:
Calculate financial control totals, e.g. the total of all sales.
Calculate hash totals, e.g. total of all the document numbers added together.
Calculate the number of documents which are included in the batch.
There should be a batch control sheet attached to the batch, which contains all the relevant information,
such as a unique batch number.
A batch register should be maintained up to date, which contains all the information of the batch as shown on the control sheet, as well as the
signature of the relevant person.
The debtors clerk should sign the batch control sheet and register as proof that the reconciliation has been performed.
An independent person should review and recalculate the totals (on a frequent basis) and sign it as proof that it has been reviewed.
The control totals should be entered, in order for the computer to compare the totals that were captured with the totals calculated by the
system.
The computer should then print out a batch control report as proof that the totals were compared. This must then be filed with the batch control
sheet.
If the totals do not agree, the entries should be reviewed for accuracy.
The system may only authorise the transaction file for processing if the control totals agree.
A report with rejected transactions / errors should be generated and reviewed in order to correct the errors.
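An added Python example (not from the original notes) of the comparison the computer performs between the batch control sheet and the captured transactions, together with the sequence test described earlier for detecting missing reference numbers in salary and credit note processing. The batch, document numbers and amounts are constructed.

```python
from decimal import Decimal

# Constructed batch: numbers and amounts are illustrative only.
BATCH_SHEET = {  # totals the clerk calculated by hand when preparing the batch
    "batch_no": "B-0042",
    "record_count": 5,
    "financial_total": Decimal("4150.00"),
    "hash_total": 50515,  # document numbers added together; meaningless in itself
}
CAPTURED = [  # records as keyed into the system
    {"doc_no": 10101, "amount": Decimal("1200.00")},
    {"doc_no": 10102, "amount": Decimal("350.50")},
    {"doc_no": 10103, "amount": Decimal("899.50")},
    {"doc_no": 10104, "amount": Decimal("700.00")},
    {"doc_no": 10105, "amount": Decimal("1000.00")},
]


def control_totals(records):
    """Recalculate the three control totals from what was actually captured."""
    return {
        "record_count": len(records),
        "financial_total": sum((r["amount"] for r in records), Decimal("0")),
        "hash_total": sum(r["doc_no"] for r in records),
    }


def sequence_exceptions(doc_nos, previous_last):
    """File sequence test: numbers must follow on from the previous file without gaps."""
    seen, duplicates = set(), set()
    for number in doc_nos:
        if number in seen:
            duplicates.add(number)
        seen.add(number)
    expected = set(range(previous_last + 1, max(seen) + 1)) if seen else set()
    return {
        "missing": sorted(expected - seen),
        "duplicates": sorted(duplicates),
        "already_processed": sorted(n for n in seen if n <= previous_last),
    }


def reconcile(sheet, records, previous_last):
    """Batch control report: the file is authorised only if every total agrees."""
    computed = control_totals(records)
    differences = {key: (sheet[key], computed[key])
                   for key in computed if sheet[key] != computed[key]}
    sequence = sequence_exceptions([r["doc_no"] for r in records], previous_last)
    return {
        "batch_no": sheet["batch_no"],
        "authorised": not differences and not any(sequence.values()),
        "differences": differences,  # (control sheet value, recalculated value)
        "sequence": sequence,
    }
```

A document omitted from the end of the batch leaves no gap for the sequence test to find, which is why the record count and hash total are compared as well.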
Good staff practice
The staff practices must be in writing and be included in a formal manual, which is freely available.
A formal employment policy must exist (and related implementation process) in order to ensure that only honest and competent staff are
appointed.
Proper dismissal procedures must be in place, such as for example, access to computer system must be cancelled when employee leaves the
service of the company.
Proper scheduling of staff must take place. Staff must be allocated to specific tasks/projects.
Staff must take leave on a regular basis. If staff take leave (irrespective of the nature) special arrangements should be made to ensure that the
staff member’s work can continue.
Duties should regularly be rotated to allow for cross-training and to prevent boredom.
Segregation of duties and knowledge must however be kept in mind when rotation of duties takes place.
There should be career planning for staff. Recognition must be given for good work. Staff must always feel motivated and successful. Staff
should be promoted based on their performance.
Continuous evaluation of work performed by staff should be performed, e.g. the volume and quality of work done, et cetera.
Continuous training should be provided to staff.
Management must cultivate a positive attitude towards internal control and governance, by:
implementing controls and training staff;
implementing management policies consistently; and
monitoring the functioning of controls.
Rules on private use of computer facilities and use of private programs and equipment must be a part of the staff’s employment contract.
MASTERFILE CHANGE CONTROLS
Always mention these
REQUESTS
Any amendment to the master file information must be requested in writing on a prenumbered form. (The responsible person
will have to complete the manual form and scan and send it to the appropriate person).
The number sequence of the scans must be checked. Alternatively, a manual register of all changes should be maintained
Any amendment (existing or additions) to the master file information must first be approved in writing by a manager
The amendments may only be made by a designated responsible person (who is independent of daily transactions such as for
example the manager)
The amendments may only be made by an independent responsible person such as for example the shift manager
The input of amendments must be restricted to one/ a specific computer that is safeguarded on a designated PC with a unique
IP address
ACCESS
The one/specific computer used for the changes should be stored securely at the home of the individual concerned.
A password/PIN must be required before master file information may be amended.
Otherwise an authorisation matrix may be used to restrict access to the module
REVIEW
Control reports (or a summary of changes to the master file) must be reviewed regularly by the manager or owner in order to
identify any unusual or unauthorised adjustments which must be investigated
The report must be reviewed by the manager or owner in order to identify any unauthorised adjustments. Any unusual or
unauthorised changes must be investigated
Exception reports of any unusual changes (e.g. changes to products in categories of inventory that are not considered essential)
must be reviewed by the manager and investigated if necessary
The manager should print a report of all amendments on a regular basis (or automatically by computer).
RECONCILIATION
The report of changes to the master file (above) should also be compared with the authorised supporting amendments’
documentation (prenumbered form or manual register).
MASTERFILE CHANGE CONTROLS FOR THE INVENTORY MASTER FILE FIELD
ADDITIONAL COMPUTER CONTROLS → VALIDITY, ACCURACY & COMPLETENESS
Request
Any requests for amendments to the master file information have to be done in writing on a pre-printed, pre-numbered
master file amendment form. (The responsible person will have to complete the manual form and scan and send it to the
appropriate person).
The number sequence of the scans must be checked. Alternatively, a manual register of all changes should be
maintained
Any amendment (changes to existing data or additions to the list of inventory items) to the master file information must
first be approved in writing by a manager after having compared the inventory item to the list of acceptable
products issued by the government
Any amendments to the “delivery allowed” field of an inventory item must be extracted from the Masterfile and agreed
to the list approved by the inventory manager. (Or the system can generate an email of any changes that are made to
the inventory Masterfile that are emailed directly to the responsible person to perform this review)
The amendments may only be made by a designated responsible person (who is independent of daily transactions such
as for example the manager)
The input of amendments must be restricted to one/ a specific computer on a designated PC with a unique IP address
Access
The one/specific computer used for the changes should be stored securely at the home of the individual concerned.
A password/PIN must be required before master file information may be amended.
Otherwise an authorisation matrix may be used to restrict access to the module
Back-up
The inventory master file must be backed up before any changes are made to the master file
Review
Control reports (or a summary of changes to the master file) must be reviewed by the manager or owner in order to
identify any unusual or unauthorised adjustments which must be investigated
Exception reports of any unusual changes (e.g. changes to products in categories of inventory that are not considered
essential) must be reviewed by the manager and investigated if necessary
The inventory master file (including the description and “delivery allowed”) should be reviewed by the manager
(responsible person) and unusual items should be investigated
Reconciliation
The report of changes to the master file (above) should also be compared with the authorised supporting amendments’
documentation that were scanned and sent to the responsible manager (pre-numbered forms).
INTERNAL CONTROLS FOR THE CHANGES TO SUPPLIER & PRODUCT INFORMATION
MASTER FILE AMENDMENT CONTROLS
Request
Any amendment to the master file information must be requested in writing on a prenumbered form. (The responsible
person will have to complete the manual form and scan and send it to the appropriate person).
The number sequence of the scans must be checked. Alternatively, a manual register of all changes should be
maintained
Any amendment (existing or additions) to the master file information must first be approved in writing by a manager
Before a supplier can be added to the system, the quality of the supplier’s equipment and prices must be evaluated
The amendments may only be made by a designated responsible person (who is independent of daily transactions such
as for example the manager)
The amendments may only be made by an independent responsible person such as for example the shift manager
The input of amendments must be restricted to one/ a specific computer that is safeguarded on a designated PC with a
unique IP address
Suppliers’ information may not be removed from the system if the supplier has an outstanding balance irrespective of
whether approval has been given
If a supplier has not been used for a long period of time (e.g. six months) the system should indicate it as inactive
Supplier information may not be removed from the system without the authorisation of the manager, possibly by using a
password
Access
The one/specific computer used for the changes should be stored securely at the home of the individual concerned.
A password/PIN must be required before master file information may be amended.
Otherwise an authorisation matrix may be used to restrict access to the module
Back-up
The inventory master file must be backed up before any changes are made to the master file
Review
The following logs, exception reports or activity registers must be maintained or generated
Control reports (or a summary of changes to the master file) must be reviewed regularly by the manager or owner in
order to identify any unusual or unauthorised adjustments which must be investigated
The report must be reviewed by the manager or owner in order to identify any unauthorised adjustments. Any unusual
or unauthorised changes must be investigated.
A report must be printed of, for example, all price adjustments of more than 5%.
The person responsible for the changes to the master file must have a personal identification code. The code must be
added to a register (log) by the computer
The manager should print a report of all amendments on a regular basis (or automatically by computer).
Exception reports of any unusual changes (e.g. changes to products in categories of inventory that are not considered
essential) must be reviewed by the manager and investigated if necessary
Reconciliation
The report of changes to the master file (above) should also be compared with the authorised supporting amendments’
documentation (prenumbered form or manual register).
The price and product list must be reconciled with the published price list and menu above the counter.
Recommendations of controls to address the weakness regarding the updating of the creditors master file of Jambo (Pty) Ltd
UPDATING MASTER FILE
To detect errors during the update of the master file we recommend the following controls:
The control totals calculated after the update of the transaction data must be reconciled with control totals recalculated (by hand or by
computer).
The control total of the master file, which must be updated with the transaction data on an independent file, must be compared with the
updated total of the (actual) master file. Differences must be investigated (file balancing).
The console log of processing (automatically updated by system) must be reviewed on a regular basis to identify any errors.
The user or operator must inspect the output and control reports for any errors or duplicated items.
Errors must be reported on an automatically generated exception report.
All the above-mentioned computer generated reports must be reviewed and investigated by a responsible person.
APPLICATION CONTROLS: completeness, accuracy and validity
For amendments to DEBTORS MASTERFILE
DEBTOR MASTER FILE CHANGES: APPLICATION CONTROLS
Request
Prenumbered master file changes forms must be used for all changes (new debtors, removal of debtors, changes to
debtor data)
The request form must be approved by senior person (for example credit controller) by initialling.
Person making the master file changes input should be independent of the debtor department (users).
Any amendment (existing or additions) to the master file information must first be approved in writing by a manager
Input controls must be used to prevent input errors, such as for example:
◦ programmed validation tests; and
◦ user-friendly screen format, computer dialogue (prompting), data-echo tests etc.
System should automatically maintain a prenumbered register of changes made, including:
◦ Details of changes
◦ User name of person who did the input
◦ Date and time
Access
Logical access controls must be implemented to restrict the input of master file changes to authorised personnel
Authorisation matrix, restricting rights by combining user names, passwords and terminal IDs
Read-only rights must be granted to the master file changes register and the rights must be restricted to management
and senior staff.
Back-up
Back-up copies of master files must be made BEFORE updating the change requests
Exception reports (for example unusual changes or exceeding limits) should be generated and reviewed timely by a senior staff
member.
The register of changes must be reviewed by a responsible senior person on a regular basis to ensure that:
◦ All changes are supported by an authorised request form;
◦ Changes inputted agree with the request form
◦ Only authorised individuals capture the master file changes.
◦ There are no long-outstanding requests not dealt with to date.
To identify any obvious errors made during the capturing, or any unauthorised changes made, the following must be
performed on a regular basis:
◦ senior staff (for example credit manager) should review the debtor master file;
◦ the debtor master file total should (for example monthly) be reconciled to the balance of the debtor control
account in general ledger.
ANOTHER EXAMPLE FOR DEBTORS MASTERFILE:
Request
Prenumbered master file changes forms must be used for all changes (new debtors, removal of debtors, changes to
debtor data)
The request form must be approved by senior person (for example credit controller) by initialling.
Person making the master file changes input should be independent of the debtor department (users).
Any amendment (existing or additions) to the master file information must first be approved in writing by a manager
Input controls must be used to prevent input errors, such as for example:
◦ programmed validation tests; and
◦ user-friendly screen format, computer dialogue (prompting), data-echo tests etc.
System should automatically maintain a prenumbered register of changes made, including:
◦ Details of changes
◦ User name of person who did the input
◦ Date and time
Access
Logical access controls must be implemented to restrict the input of master file changes to authorised personnel
Authorisation matrix, restricting rights by combining user names, passwords and terminal IDs
Read-only rights must be granted to the master file changes register and the rights must be restricted to management
and senior staff.
Back-up
Back-up copies of master files must be made BEFORE updating the change requests
Review
Exception reports (for example unusual changes or exceeding limits) should be generated and reviewed timely by a senior staff
member.
The register of changes must be reviewed by a responsible senior person on a regular basis to ensure that:
◦ All changes are supported by an authorised request form;
◦ Changes inputted agree with the request form
◦ Only authorised individuals capture the master file changes.
◦ There are no long-outstanding requests not dealt with to date.
Reconciliation
To identify any obvious errors made during the capturing, or any unauthorised changes made, the following must be
performed on a regular basis:
◦ senior staff (for example credit manager) should review the debtor master file;
◦ the debtor master file total should (for example monthly) be reconciled to the balance of the debtor control
account in general ledger.
Controls for the ordering system to ensure the validity, accuracy and completeness of the orders that are captured
VALIDITY
When placing an order, the member states the membership number that must be confirmed in the following manner:
◦ the order clerk confirms certain personal questions with the member based on computer dialogue, for example name, address,
telephone number etc.
◦ the order clerk inputs the answers to the abovementioned questions on the terminal and the computer compares the answers
automatically with the appropriate masterfile information.
If the abovementioned information agrees, the order is accepted and processed further.
If not, system must reject the order – an error message must appear on the screen and system must not allow any further input for this
specific order.
The system must check the validity of data input by performing the following validity tests:
valid code test: by testing whether the code of the book ordered and captured is valid
valid character test: by testing whether the membership number captured consists of valid characters
When an order is placed, the system must conduct data approval tests by controlling the following:
◦ if the previous invoice has been paid;
◦ if the specific book is in stock; and
◦ if the date of the order compares with the term’s date of deadline.
If the previous invoice has not yet been paid or the date of the order is after the deadline, the order must be rejected.
If the specific book is not in stock, the order must be placed on waiting list.
If the deadline has passed, the system must automatically reconcile the orders placed with the list of members; the particular term’s
prime book must be sent to all members who have not yet placed orders and their accounts must be invoiced.
ACCURACY
The screen format must be standardized for all orders and designed to facilitate the inputting of information and decrease the possibility of
errors. The computer must guide the operator by means of prompting through every step of the input process.
As the orders are inputted, the system must echo the details of the order back to the ordering clerk to control the accuracy of the inputted
information.
After the order has been fully completed, all information must be read back to the member to verify the accuracy of the information.
When capturing, the system must execute the following validation and logical tests to ensure the accuracy of the input
sign test: This test must be performed on the quantity of books to ensure that the quantity is
not negative;
alpha numerical tests:
◦ on the quantity of books ordered to ensure that a numerical number is inputted;
◦ on the membership number to test whether the number consists only of numerical
figures;
field size check: on the membership number and the code of the book ordered to ensure both consist
of the correct number of characters
descriptive data echo tests:
◦ a member’s details are displayed on the screen as soon as a membership number is
inputted;
◦ the name of a book is displayed on the screen as soon as the code of the book is
inputted
COMPLETENESS
The screen format must be standard for all orders. All fields which are inputted, must appear on the screen.
The system must only allow the inputting of a next field (or a new transaction) if the previous field or transaction is completely inputted and
accepted by the system.
The system must not allow the further inputting of order transactions to proceed if invalid data is captured in a field.
During the inputting process, the following validation tests must be performed to ensure that the clerks input the orders completely.
expectation tests:
the system expects the inputting of a quantity of books or a specific code after the
code of the book was inputted.
APPLICATION CONTROLS RELATING TO THE PROCESSING WHEN THE PDF INVOICES ARE GENERATED
The control totals (batch register totals) calculated during preparation of the batch register should be reconciled to control totals calculated
after processing thereof, inter alia:
◦ Financial fields, such as total amount invoiced;
◦ ‘Hash totals’, such as debtors account numbers, reference numbers, cellphone numbers; and
◦ Record counts, such as number of debtors.
File balancing (shadow balances): A control total of the debtors’ master file should be maintained on an independent file and updated with the
transaction data. After the processing cycle it should be compared to the debtors’ master file’s total.
Run-to-run totals must be calculated and reviewed by the system.
Programmed edit/validation tests must be recorded by the system to:
detect data errors (e.g. sequence tests, paring tests or record comparison tests).
detect processing errors (e.g. any valid examples of validation tests, mathematical accuracy tests or reasonableness test).
The software should detect any missing invoices by:
A file sequence investigation: where they investigate whether the invoice reference numbers of one transaction file follows on the previous
file; and
perform a completeness tests during the processing of information to identify missing invoice reference numbers.
The console log should regularly be checked by the data control group (e.g. after each run) to identify any processing disruptions and should
investigate it.
The reports and logs listed below, should timeously be reviewed and followed up by data control (e.g. for unusual or duplicated items).
Control reports (e.g. control register, total amount invoiced).
Exception reports (e.g. large fluctuations or declines in debtors balances, payments in excess of a predetermined amount) and
Error reports (e.g. debtors’ with credit balances, missing cellphone numbers, unusually cellphone numbers) generated by the system to
identify any possible errors.
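The control-total reconciliation and the missing-invoice sequence checks described above, sketched in Python. This is an added example and not part of the course notes; the record layout, the function names and the sample batch are constructed for illustration.

```python
from decimal import Decimal

# Constructed batch of invoice records: (invoice_ref, debtor_account, amount in rand).
BATCH_REGISTER = [
    (1001, 400123, Decimal("1500.00")),
    (1002, 400456, Decimal("250.50")),
    (1003, 400789, Decimal("99.90")),
    (1004, 400123, Decimal("4200.00")),
]


def control_totals(records):
    """The three control totals named in the notes, for one batch."""
    return {
        "record_count": len(records),
        "financial_total": sum((amount for _, _, amount in records), Decimal("0")),
        # A hash total has no business meaning; it only reveals that a field changed.
        "hash_total": sum(account for _, account, _ in records),
    }


def reconcile(before, after):
    """Names of the control totals that no longer agree after processing."""
    return sorted(name for name in before if before[name] != after.get(name))


def sequence_exceptions(refs, last_ref_previous_file=None):
    """Missing and duplicated invoice reference numbers in one transaction file.

    When last_ref_previous_file is given, the file sequence check also requires
    this file to follow on directly from the previous one.
    """
    seen, duplicates = set(), set()
    for ref in refs:
        if ref in seen:
            duplicates.add(ref)
        seen.add(ref)
    if not seen:
        return {"missing": [], "duplicates": []}
    first_expected = min(seen) if last_ref_previous_file is None else last_ref_previous_file + 1
    missing = [r for r in range(first_expected, max(seen) + 1) if r not in seen]
    return {"missing": missing, "duplicates": sorted(duplicates)}


def check_run(register, processed, last_ref_previous_file=None):
    """All processing checks for one run, in the form data control would review."""
    return {
        "totals_out_of_balance": reconcile(control_totals(register), control_totals(processed)),
        **sequence_exceptions([ref for ref, _, _ in processed], last_ref_previous_file),
    }


# Constructed processing outputs.
DROPPED = [r for r in BATCH_REGISTER if r[0] != 1003]        # invoice 1003 lost in processing
MISPOSTED = [(ref, 400465 if ref == 1002 else account, amount)  # two account digits transposed
             for ref, account, amount in BATCH_REGISTER]

if __name__ == "__main__":
    for label, output in (("clean", BATCH_REGISTER), ("dropped", DROPPED), ("misposted", MISPOSTED)):
        print(label, check_run(BATCH_REGISTER, output, last_ref_previous_file=1000))
```

The misposted run shows why the hash total is kept alongside the financial total: the record count and the rand total still balance, and only the hash of the account numbers exposes the change.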
TEST DATA
Test data to test application controls in sales order system
The steps taken when developing and using the test data to test the controls.
TEST DATA USED IN THE AUDIT OF THE SALES SYSTEM
STEPS TO TAKE DURING THE DEVELOPMENT AND UTILISATION OF TEST DATA
1. Define the objective of the test that would be performed and specify the controls which are to be tested.
   For example: All sales are recorded and calculated accurately. All sales are made to authorised customers and the account details submitted are valid.
   Alternatively, an understanding of the system must be obtained or the system must be documented.
   For example: Validation controls: Alphanumeric test, field length test et cetera.
2. Develop the test data, containing the following:
   • The test data should include valid and invalid data using, for example, the following fields: customer number, inventory numbers et cetera.
   • The test data should include all types of data and possible transactions, for example an order should be entered twice.
   • The test data should be processed independently of the client’s system, so as to obtain a pre-determined correct processing result, against which the results of the test data will be evaluated.
3. Process the test data on the client’s system.
   For example, control totals of invoices, calculated totals on invoices.
4. Compare the results from the test data run on the client’s system with the pre-determined results.
   Remove the test data from the client’s system.
   → Note that the test data would either be processed correctly, or be rejected, or be reflected on exception reports (i.o.w. evaluate the outcome of the tests).
5. Conclude on whether the controls within the client’s system operated effectively.
6. Evaluate the general controls to ensure that the system you have tested functioned within a controlled environment and functioned without unauthorised amendment throughout the period under review.
7. Report on the effective operations of the controls.
Risks associated with using test data
RISKS
• The same program or version of the program must be used throughout the year.
• The element of surprise must not be lost.
• Corruption of live data (and risk of viruses) must be limited.
• System may “crash”.
• Unauthorised changes to or overrides of the system must be identified.
• As far as possible, all possible situations and programmed controls need to be tested.
• It may be difficult to remove the data from the system.
For example, transaction logs of every sales order entry, breakdowns of back-orders, order suspense accounts
Examples of specific types of test data to run on the client’s system.
EXAMPLES OF TEST DATA
Note: Marks are allocated for giving the criteria which would be used to set the test data. Marks are also given for providing an example.
Criteria, which should be used, in creating the test data.
Include orders for the following customer account numbers:
• alpha and numeric characters
• numeric data < 6 digits
• numeric data > 6 digits
• blank
• valid (correct and incorrect) account numbers
Include orders with the following inventory codes:
• alpha and numeric characters
• numeric data < 5 digits
• numeric data > 5 digits
• numeric data of 5 digits > 69999 and < 10000
• blank inventory numbers
• valid inventory numbers
Include orders with the following quantities:
• alpha and numeric characters
• negative quantities
• excessive quantities exceeding a predetermined amount
• quantities where there is no inventory on hand
Include orders where:
• the extension = R 10 000
• the extension is < R 10 000
• the extension is > R 10 000 and the release code is valid, negative, contains too few or too many digits, is inside and outside of the valid range.
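The test data criteria above, run as a harness against a stand-in for the client's order-entry edits and compared with results determined in advance. This is an added example and not part of the course notes: the validator, its two seeded defects, the account list, stock table, quantity limit and release-code range are all constructed assumptions.

```python
import re

# All values are constructed for illustration; none is client data.
AUTHORISED_ACCOUNTS = {"123456", "654321"}          # 6-digit customer accounts on the master file
STOCK = {"10000": (60, 250), "35000": (0, 100), "69999": (900, 20)}  # code -> (on hand, unit price R)
MAX_QTY = 500                  # assumed "predetermined amount" for excessive quantities
RELEASE_LIMIT = 10_000         # extensions above this need a release code
RELEASE_CODES = range(1000, 5000)   # assumed valid release codes: 4 digits, 1000 to 4999


def client_validate(order):
    """Stand-in for the client's order-entry edits (the system under test).

    Returns "ACCEPT" or "REJECT:<field>". Two defects are seeded on purpose so
    that the test data has something to find.
    """
    account, code, qty, release = (order[k] for k in ("account", "code", "qty", "release"))
    # Seeded defect 1: the format is tested, authorisation on the master file is not.
    if not re.fullmatch(r"[0-9]{6}", account):
        return "REJECT:account"
    if not re.fullmatch(r"[0-9]{5}", code) or not 10000 <= int(code) <= 69999 or code not in STOCK:
        return "REJECT:code"
    if not re.fullmatch(r"[0-9]+", qty) or not 0 < int(qty) <= MAX_QTY:
        return "REJECT:qty"
    on_hand, unit_price = STOCK[code]
    if int(qty) > on_hand:
        return "REJECT:qty"
    if int(qty) * unit_price > RELEASE_LIMIT:
        # Seeded defect 2: only the lower bound of the release-code range is tested.
        if not re.fullmatch(r"[0-9]{4}", release) or int(release) < RELEASE_CODES.start:
            return "REJECT:release"
    return "ACCEPT"


BASE = {"account": "123456", "code": "69999", "qty": "100", "release": ""}   # R2 000 extension
OVER = {"code": "10000", "qty": "41"}                                        # 41 x R250 = R10 250

# (case, fields changed from BASE, result pre-determined independently of the client system)
TEST_DATA = [
    ("valid order, extension < R10 000", {}, "ACCEPT"),
    ("account: alpha and numeric", {"account": "12A456"}, "REJECT:account"),
    ("account: < 6 digits", {"account": "12345"}, "REJECT:account"),
    ("account: > 6 digits", {"account": "1234567"}, "REJECT:account"),
    ("account: blank", {"account": ""}, "REJECT:account"),
    ("account: well-formed but not authorised", {"account": "999999"}, "REJECT:account"),
    ("code: alpha and numeric", {"code": "1000A"}, "REJECT:code"),
    ("code: < 5 digits", {"code": "9999"}, "REJECT:code"),
    ("code: > 5 digits", {"code": "100000"}, "REJECT:code"),
    ("code: 5 digits > 69999", {"code": "70000"}, "REJECT:code"),
    ("code: 5 digits < 10000", {"code": "09999"}, "REJECT:code"),
    ("code: blank", {"code": ""}, "REJECT:code"),
    ("qty: alpha and numeric", {"qty": "1O"}, "REJECT:qty"),
    ("qty: negative", {"qty": "-5"}, "REJECT:qty"),
    ("qty: excessive", {"qty": "501"}, "REJECT:qty"),
    ("qty: no inventory on hand", {"code": "35000", "qty": "1"}, "REJECT:qty"),
    ("extension = R10 000, no release code", {"qty": "500"}, "ACCEPT"),
    ("extension > R10 000, valid release code", {**OVER, "release": "2500"}, "ACCEPT"),
    ("release: missing", OVER, "REJECT:release"),
    ("release: negative", {**OVER, "release": "-2500"}, "REJECT:release"),
    ("release: too few digits", {**OVER, "release": "250"}, "REJECT:release"),
    ("release: too many digits", {**OVER, "release": "25000"}, "REJECT:release"),
    ("release: below valid range", {**OVER, "release": "0999"}, "REJECT:release"),
    ("release: above valid range", {**OVER, "release": "5000"}, "REJECT:release"),
]


def run_test_data(system, test_data=TEST_DATA):
    """Process every case on `system`; return (case, expected, actual) for each deviation."""
    deviations = []
    for case, changes, expected in test_data:
        actual = system({**BASE, **changes})
        if actual != expected:
            deviations.append((case, expected, actual))
    return deviations


if __name__ == "__main__":
    for case, expected, actual in run_test_data(client_validate):
        print(f"DEVIATION  {case}: expected {expected}, got {actual}")
```

Only the boundary and "well-formed but wrong" cases expose the seeded defects, which is why the criteria list asks for values just inside and just outside each valid range and not only for obviously malformed input.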
USING CAATS
SYSTEM VS DATA COMPUTER ASSISTED AUDIT TECHNIQUES
System CAATs
• are used to test computerised controls.
• are therefore used to perform tests of control.
Data-CAATs
• are used to withdraw data from a computerised information system and for the performance of substantive procedures.
CONSIDERATIONS AND PROCESS OF USING CAATS
Consider the following factors:
◦ availability of computer knowledge
◦ weighing the cost of CAATS against the benefit derived by its use
◦ the availability of the necessary facilities (hardware, software, time) in order to use CAATS
◦ the availability of client’s data
◦ compatibility / adaptability of the auditor’s system with that of the client
◦ whether there are any suitable CAATS that will satisfy the objectives of the auditor
The auditor considers the following factors:
• availability of the necessary computer skills;
• weigh the cost of the CAATs against the benefit derived from using it and prepare a cost budget that the client must approve;
• the availability of the necessary facilities (hardware, software) in order to use CAATs;
• also obtain the client’s permission to use their data in the CAATS and arrange to download the data;
• the compatibility of the auditor’s software with the client’s system;
• whether there is any appropriate CAAT that can be used to achieve the objectives of the auditor.
Address a request to the computer audit team to clearly explain the objectives of the process
Agreement must be reached regarding the method of reporting
The computer audit team will then do the following:
◦ Define the objectives, transactions and the necessary audit procedures required
◦ Prepare a budget of the time and costs and have it approved by the auditor
◦ Obtain the client’s approval to use their data for the CAATS
◦ Determine the availability of the client’s data necessary for CAATS;
◦ Contact the client and arrange for a download of the data
◦ Reconcile the data received with the live production environment and the information of the financial statement
◦ Execute CAATS
◦ Report accordingly to the audit team
General information that should be present on the audit working papers, with reference to the CAAT you have performed
WORK PAPER
The following general information must appear on the work paper:
▫ Name of the client;
▫ Year-end of the client;
▫ Work paper reference;
▫ Explanation of audit marks;
▫ Name of the person who prepared the work paper and the date on which it was prepared;
▫ Name of the reviewer of the work paper and the date on which it was reviewed.
• The objective of the procedures performed (CAATS) and the technical procedures written to use CAATS;
• The layout of the inventory masterfile of the client;
• The results of CAATS for example the number of exceptions identified as well as which further procedures thereof were executed.
• The conclusion that was made because of the procedures that were performed.
DATA CAATS: income received in advance
Print the following exception reports from the system for revenue received in advance accounts:
• Empty fields – containing for example no period, zero balance, missing fields
• Duplicate membership numbers or identity numbers.
• Identity numbers of people over the age of 100 or invalid identity numbers (unborn persons).
• Expiry dates prior to year-end.
• Date of payment exceeding 12 months prior to year-end.
• Unusually high outstanding balances (more than 12 months fees) or unusually high amounts of sessions.
• Period of membership not equal to 12 or 1 months.
• All amount (outstanding/still in advance) fields which are debit/negative balances (classification).
Recalculate the casting and cross casting of the revenue received in advance general ledger account and compare it to the balance in the trial balance and financial statements
Select a statistical sample of any membership numbers (on a random basis) from the income received in advance account.
Use CAATs to extract the information of date of payment and amount received to be traced to the bank statement for receipt of payment. (occurrence and accuracy)
Use CAATs to extract the details of the terms of the revenue such as membership type, period of membership or number of sessions to be traced to the contract with the client. (occurrence and accuracy)
Stratify the account by membership type and date of payment and for each membership type:
• For monthly and annual members: Use the date of payment, the outstanding balance and the year-end date to recalculate the income received in advance balance at year-end. (accuracy)
• For type 3 members: Use the date of payment, expiry date and number of sessions available to recalculate the income received in advance at year end. (accuracy)
Select a sample of members based on date of payment surrounding year end to be traced to the bank statement to ensure that the income received in advance was recorded in the correct period. (cut-off)
DATA CAATS: valuation, accuracy & allocation of inventory
The following can be performed by using CAATS:
◦ Recalculate the total value per inventory item by multiplying the quantities with the cost per item and compare it with the total value per item on the inventory masterfile and print a report of any differences existing between the two values.
◦ Extract a report from the system which recalculates the total value of inventory per category.
◦ Compare the total value of inventory according to the inventory masterfile with that shown in the trial balance and financial statements.
Recalculate the following ratios to identify any unusual deviations which may indicate errors in valuation, accuracy and allocation:
◦ Inventory turnover days
◦ Current ratio
◦ Total asset turnover ratio
◦ Return on assets ratio
Select a sample of inventory purchases on a random basis for price testing, to be agreed to supporting documentation such as purchase invoices.
Select a sample of inventory items on a random basis using the available quantity field and branch field for each of the branches for: inspection of the inventory items at the stock count to test the quantity (existence) and condition of a sample of inventory items.
Compare cost price per item with sales price per item and print a report of all cases where the costs exceed the sales price (for net realisable value testing).
Stratify the inventory items according to the last date of sale and select the items which have not been sold recently (for inventory aging testing) OR recalculate the aging of inventory based on date of purchase in order to identify slow moving stock
Recalculate slow moving inventory provision according to company policy and compare to the slow moving inventory provision.
DATA CAATS: confirmation of inventory balance
The following can be performed by using CAATS and any exceptions on the reports must be further investigated:
Exception reports for example:
◦ on missing field on the inventory masterfile
◦ report on items with negative quantities
◦ report on items with negative costs per unit
◦ report on items with negative total values
◦ compare costs per unit with sales price and print a report of all cases where the costs exceed the sales price
◦ recalculate the total value per item by multiplying the quantities with the cost per item and compare it with the total value per item on the inventory masterfile and print a report of any differences existing between the two values
Compare the total value according to the inventory masterfile with that shown in the financial statements
Sort the items in order of total values to determine which items make up the largest value of the inventory – these items may be specifically confirmed in the inventory count
Print a list of items according to the latest sales date and review the quantity at hand for which there has not recently been a sales transaction - It could indicate outdated inventory that might have to be written-off.
Select a sample of items for test count during inventory count – the report could specify the inventory code, description of item, quantity at hand, store room and position indicated therein.
DATA CAATS: debtor’s master file
PERFORM CAATs ON THE DEBTOR MASTER FILE AND USE THE RESULTS AS FOLLOWS
Analyse the master data for exceptions such as debtors with:
◦ nil balances
◦ negative balances
◦ equal monthly payments;
◦ duplicate debtor numbers and/or names
◦ no credit terms; or
◦ exceeding credit terms etc.
Analyse for numbers of debtors or invoices not found while performing the sequence test OR any empty name/debtor number field where an amount is due in the total column
Recreating age analysis of debtors
Stratification of debtor balances according to monetary value of age of unpaid invoices
Re-perform the additions and cross-casting of debtor master file and debtor control
Use CAATs to perform analytical review procedures:
◦ Compare total debtors with previous periods;
◦ compare the number of debtor accounts with previous periods
◦ compare the debtor payment period with previous periods.
SAMPLING
• When designing audit procedures, the auditor should determine appropriate means for selecting items for testing so as to gather sufficient appropriate audit evidence to meet the objectives of the audit procedures
• Audit sampling: (Sampling) involves the application of audit procedures to less than 100% of items within a class of transactions or account balance such that all sampling units have a chance of selection. This will enable the auditor to obtain and evaluate audit evidence about some characteristic of the items selected in order to form or assist in forming a conclusion concerning the population from which the sample is drawn
• Error: Means either control deviations, when performing tests of controls, or misstatements, when performing tests of details
• Anomalous error: Means an error that arises from an isolated event that has not recurred other than on specifically identifiable occasions and is therefore not representative of errors in the population
• Tolerable error: Means the maximum error in a population that the auditor is willing to accept
• Population: Means the entire set of data from which a sample is selected and about which the auditor wishes to draw conclusions
• Sampling unit: Means the individual items constituting a population
• Sampling risk: Arises from the possibility that the auditor’s conclusion, based on a sample may be different from the conclusion reached if the entire population were subjected to the same audit procedure
• Non-sampling risk: Arises from factors that cause the auditor to reach an erroneous conclusion for any reason not related to the size of the sample
BENEFITS OF SAMPLING:
• More cost-effective audit
• Time saving when performing audit
• More representative being performed
• More focused test being performed
STEP 1) DESIGN OF THE SAMPLE
• (1) When designing an audit sample, the auditor should consider the objectives of the audit procedure and the attributes of the population from which the sample will be drawn
  o For example, in a test of details relating to the existence of accounts receivable, such as confirmation, payments made by the customer before the confirmation date but received shortly after that date by the client are not considered an error
  o When performing tests of controls, the auditor generally makes an assessment of the rate of error the auditor expects to find in the population to be tested
    § Similarly, for tests of details, the auditor generally makes an assessment of the expected amount of error in the population
  o Judgement used:
    § Determine sampling unit method
    § Acceptable error percentage
    § Expected error
    § Definition of the error
    § Confidence level
    § Systematic sampling: first selection + interval;
• (2) POPULATION
  o It is important for the auditor to ensure that the population is
    § Appropriate to the objective of the audit procedure, which will include consideration of the direction of testing
      • For example, if the auditor’s objective is to test for overstatement of accounts payable, the population could be defined as the accounts payable listing
    § Complete
      • For example, if the auditor intends to select payment vouchers from a file, conclusions cannot be drawn about all vouchers for the period unless the auditor is satisfied that all vouchers have in fact been filed
• (3) SAMPLING UNIT
  o Means the individual items constituting a population
• (4) ERROR
  o “Error” means either control deviations, when performing tests of controls, or misstatements, when performing tests of details
• (5) STRATIFICATION
  o Audit efficiency may be improved if the auditor stratifies a population by dividing it into discrete sub-populations which have an identifying characteristic
• (6) VALUE WEIGHTED SELECTION
  o It will often be efficient in performing tests of details, particularly when testing for overstatements, to identify the sampling unit as the individual monetary units (for example, dollars) that make up a class of transactions or account balance
    § All items in the population have a chance of selection
CLASS QUESTION
• Use monetary unit sampling to calculate the sample size for the debtors circularisation if the maximum tolerable error is R73 600

Debtor   Balance   Cumulative balance
A         50 000    50 000
B         85 000   135 000
C         35 000   170 000
D         11 000   181 000
E         17 000   198 000
F         35 000   233 000
G         25 000   258 000
H         25 000   283 000
I         60 000   343 000
J         25 000   368 000
Total    368 000

§ (1) Need a population
  • That is divided into monetary units
§ (2) Sampling unit “R”
§ (3) Audit procedure
§ (4) Cumulative balance
§ (5) Sample size is 5
  = Total population / Maximum tolerable error
  = 368 000 / 73 600
Monetary unit sampling:
• Population divided into monetary units (rand units the total account balance
consists of)
• A sample unit is identified as an individual monetary unit (a rand)
• After the rand value has been selected, it is traced to the physical item (invoice/
account) that contains the particular monetary unit.
• By means of a column with accumulated values of the relevant individual account
balances/ transactions
o Focuses on high value items: bigger probability of material misstatements → smaller sample sizes and increased effectiveness.
CLASS QUESTION
• Want to select 5 debtors
  o USING, for example, systematic selection
    § In which the number of sampling units in the population is divided by the sample size to give a sampling interval, for example 50, and having determined a starting point within the first 50, each 50th sampling unit thereafter is selected

Debtor   Balance   Cumulative balance
A         50 000    50 000
B         85 000   135 000
C         35 000   170 000
D         11 000   181 000
E         17 000   198 000
F         35 000   233 000
G         25 000   258 000
H         25 000   283 000
I         60 000   343 000
J         25 000   368 000
Total    368 000

  o (1) Determine interval
    § Total population / 5
      • = 368 000 / 5
      • = 73 600
  o (2) Make use of professional judgement to determine a starting point
    § Start at 0
      • But the auditor does not have to start at 0, but if the auditor chooses not to start at 0
        o The auditor needs to explain why they are not starting at 0
  o (3) Select a debtor
    § (1) Starting point is 0 + 73 600 (interval) = 73 600
      • Therefore, select B
        o As the cumulative balance of A is 50 000 which is less than the interval of 73 600
    § (2) For the next interval, the starting point is 73 600 + 73 600 = 147 200
      • Therefore, select C
    § (3) For the next interval, the starting point is 147 200 + 73 600 = 220 800
      • Therefore, select F
    § (4) For the next interval, the starting point is 220 800 + 73 600 = 294 400
      • Therefore, select I
    § (5) For the next interval, the starting point is 294 400 + 73 600 = 368 000
      • Therefore, select J
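The two class questions above (sample size, then systematic selection over the cumulative balance column) as one Python routine. This is an added example and not part of the course notes; the function names are hypothetical, rounding the sample size up is an assumption (the class figures divide exactly), and the optional first selection point generalises the notes' start at 0.

```python
from bisect import bisect_left
from fractions import Fraction
from itertools import accumulate

# Debtors' balances from the class question (rand).
DEBTORS = [("A", 50_000), ("B", 85_000), ("C", 35_000), ("D", 11_000), ("E", 17_000),
           ("F", 35_000), ("G", 25_000), ("H", 25_000), ("I", 60_000), ("J", 25_000)]


def sample_size(population_total, tolerable_error):
    """Total population / maximum tolerable error, rounded up (rounding is an assumption)."""
    return -(-population_total // tolerable_error)


def mus_hits(items, n, first_point=None):
    """Systematic monetary-unit selection over (name, balance) items.

    The interval is total / n and n selection points are taken one interval apart.
    The notes start at 0 and add one interval, so the first point defaults to the
    interval itself; any other first point must lie in (0, interval].
    Each point is traced to the item whose cumulative balance first reaches it.
    Returns a list of (selection_point, item_name).
    """
    if n < 1 or not items:
        raise ValueError("need a non-empty population and n >= 1")
    if any(balance <= 0 for _, balance in items):
        raise ValueError("zero or negative balances cannot be selected by monetary unit")
    cumulative = list(accumulate(balance for _, balance in items))
    interval = Fraction(cumulative[-1], n)      # exact, no float rounding at the last point
    first = interval if first_point is None else Fraction(first_point)
    if not 0 < first <= interval:
        raise ValueError("first selection point must lie in (0, interval]")
    hits = []
    for k in range(n):
        point = first + k * interval
        hits.append((point, items[bisect_left(cumulative, point)][0]))
    return hits


def selected(hits):
    """Distinct items to test, in selection order (a large item can be hit twice)."""
    return list(dict.fromkeys(name for _, name in hits))


if __name__ == "__main__":
    n = sample_size(368_000, 73_600)
    print(n, selected(mus_hits(DEBTORS, n)))                      # class question, start at 0
    print(selected(mus_hits(DEBTORS, n, first_point=50_001)))     # B exceeds the interval
```

With a first point of 50 001, debtor B (85 000, larger than the interval) absorbs two selection points, so five selections yield only four distinct debtors.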
• (7) SAMPLE SIZE
Examples of Factors Influencing Sample Size for Tests of Controls (Appendix 2)
FACTOR and EFFECT ON SAMPLE SIZE
• An increase in the extent to which the risk of material misstatement is reduced by the operating effectiveness of controls
  o The more assurance the auditor intends to obtain from the operating effectiveness of controls,
  o The lower the auditor’s assessment of the risk of material misstatement will be,
    § And the larger the sample size will need to be
  Effect on sample size: Increase
• An increase in the rate of deviation from the prescribed control activity that the auditor is willing to accept (tolerable error)
  o The lower the rate of deviation that the auditor is willing to accept,
    § The larger the sample size needs to be
  Effect on sample size: Decrease
  Note: Tolerable error should be more than the rate of deviation the auditor expects
• An increase in the rate of deviation from the prescribed control activity that the auditor expects to find in the population
  o The higher the rate of deviation that the auditor expects,
    § The larger the sample size needs to be
  Effect on sample size: Increase
• An increase in the auditor’s required confidence level (or conversely, a decrease in the risk that the auditor will conclude that the risk of material misstatement is lower than the actual risk of material misstatement in the population)
  o The greater the degree of confidence that the auditor requires that the results of the sample are in fact indicative of the actual incidence of error in the population,
    § The larger the sample size needs to be
  Effect on sample size: Increase
• An increase in the number of sampling units in the population
  o For large populations, the actual size of the population has little, if any, effect on sample size
  o For small populations however, audit sampling is often not as efficient as alternative means of obtaining sufficient appropriate audit evidence
  Effect on sample size: Negligible effect
• Decrease in control risk
  o Place more reliance on internal control → higher detection risk, or can place less reliance on substantive procedures and can use a smaller sample.
  Effect on sample size: Decrease
Examples of Factors Influencing Sample Size for Tests of Details (Appendix 2)
FACTOR and EFFECT ON SAMPLE SIZE
• An increase in the auditor’s assessment of the risk of material misstatement
  o The higher the auditor’s assessment of the risk of material misstatement
    § The larger the sample size needs to be
  Effect on sample size: Increase
• An increase in the use of other substantive procedures directed at the same assertion
  o The more the auditor is relying on other substantive procedures (tests of details or substantive analytical procedures) to reduce to an acceptable level the detection risk regarding a particular class of transactions or account balance
    § The less assurance the auditor will require from sampling and,
      • Therefore, the smaller the sample size can be
  Effect on sample size: Decrease
• An increase in the auditor’s required confidence level (or conversely, a decrease in the risk that the auditor will conclude that a material error does not exist, when in fact it does exist)
  o The greater the degree of confidence that the auditor requires
    § The larger the sample size needs to be
  Effect on sample size: Increase
• An increase in the total error that the auditor is willing to accept (tolerable error)
  o The lower the total error that the auditor is willing to accept,
    § The larger the sample size needs to be
  Effect on sample size: Decrease
• An increase in the amount of error the auditor expects to find in the population
    § The greater the amount of error the auditor expects to find in the population,
      • The larger the sample size needs to be in order to make a reasonable estimate of the actual amount of error in the population
  Effect on sample size: Increase
• Stratification of the population when appropriate
  o When there is a wide range (variability) in the monetary size of items in the population
  o Useful to group items of similar size into separate sub-populations or strata
    § The aggregate of the sample sizes from the strata generally will be less than the sample size
  Effect on sample size: Decrease
• The number of sampling units in the population
  o For large populations, the actual size of the population has little, if any, effect on sample size
  o For small populations however, audit sampling is often not as efficient as alternative means of obtaining sufficient appropriate audit evidence
  Effect on sample size: Negligible effect
STEP 2) SAMPLE SELECTION METHODS
The principal methods of selecting samples are as follows:
• (a) Use of a computerised random number generator (through CAATs) or
random number tables
• (b) Systematic selection,
o In which the number of sampling units in the population is divided by
the sample size to give a sampling interval, for example 50, and having
determined a starting point within the first 50, each 50th sampling unit
thereafter is selected
o Although the starting point may be determined haphazardly, the
sample is more likely to be truly random if it is determined by use of a
computerised random number generator or random number tables
o When using systematic selection, the auditor would need to determine
that sampling units within the population are not structured in such a
way that the sampling interval corresponds with a particular pattern in
the population
• (c) Haphazard selection,
o In which the auditor selects the sample without following a structured
technique
o Auditor would nonetheless avoid any conscious bias or predictability
(for example, avoiding difficult to locate items, or always choosing or
avoiding the first or last entries on a page) and thus attempt to ensure
that all items in the population have a chance of selection
o Haphazard selection is not appropriate when using statistical sampling
STEP 3) EVALUATING THE SAMPLE RESULTS
• In the case of TESTS OF CONTROLS,
o an unexpectedly high sample error rate may lead to an increase in the
assessed risk of material misstatement, unless further audit evidence
substantiating the initial assessment is obtained
• In the case of TESTS OF DETAILS,
o an unexpectedly high error amount in a sample may cause the auditor
to believe that a class of transactions or account balance is materially
misstated, in the absence of further audit evidence that no material
misstatement exists
CLASS QUESTION: TOC
• Debtors
  o You can assume that final materiality was set as R 450 000 and performance materiality for debtors was R 60 000
  o You have already substantiated the debtors of Suzelle with inter alia a positive debtors' circularisation
  o Debtors are divided into two strata, namely South Africa and Tanzania

                                     South Africa   Tanzania   TOTAL
Debtors’ balance (before deducting
any allowance for credit losses)     R980 000       R310 000   1 290 000
% Circulated                         80%            70%
Understatement found                 R30 200        R20 510

REQUIRED
• Formulate a conclusion for the debtors' balance of Suzelle Proprietary Limited based on the sample debtors circulated
• Assume a 95% confidence level and a precision interval of R1 234
• Assume performance materiality is R60 000
CONCLUSION FOR DEBTORS’ BALANCE
Calculation (EXTRAPOLATE):
= (30 200 / 80%) + (20 510 / 70%)
= 67 050
Link to CONFIDENCE and PRECISION
• CONFIDENCE: We as auditors are 95% certain that the debtors balance of R1 290 000
• PRECISION: Was shown with R67 050 +/- R1234 short (understated)
Link to acceptable error
• The projected error (R67 050) is larger than the maximum acceptable error (R60 000) and therefore the population cannot be accepted
Assertions
• The assertions relating to the existence, accuracy, valuation and allocation of debtors are, in material respects, incorrect
COMPLETION OF THE AUDIT
FRAMEWORK
• (1) Sufficiency of audit evidence (ISA 500)
  o The auditor shall design and perform audit procedures that are appropriate in the circumstances for the purpose of obtaining sufficient appropriate audit evidence
  o When designing and performing audit procedures, the auditor shall consider the relevance and reliability of the information to be used as audit evidence
• (2) Evaluating audit differences (ISA 320)
  o Basic example,
    § Amount in financial statements (for example PPE) = R100
    § Auditor performs procedures and concludes the correct valuation = R80
      • Therefore, there is an audit difference = R20 (100 – 80)
        o DR Impairment (P/L) 20
          CR PPE (SFP) 20
  o Step 1) Determine final materiality
    § Misstatements, including omissions, are considered to be material if they could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements;
    § If during the audit it appears as though actual financial results are likely to be substantially different from the anticipated period-end financial results that were used initially to determine materiality for the financial statements as a whole, the auditor revises that materiality (same calculation)
  o Step 2) Consider audit differences
    § The audit difference is R20 (from the above basic example)
    § To assist the auditor in evaluating the effect of misstatements accumulated during the audit, it may be useful to distinguish between factual misstatements, judgmental misstatements and projected misstatements
      • Factual misstatements are misstatements about which there is no doubt
      • Judgmental misstatements are differences arising from the judgments of management concerning accounting estimates that the auditor considers unreasonable, or the selection or application of accounting policies that the auditor considers inappropriate
      • Projected misstatements are the auditor’s best estimate of misstatements in populations, involving the projection of misstatements identified in audit samples to the entire populations from which the samples were drawn
  o Step 3) Consider materiality of differences
    § Refer to the following class example (3)
    § (1) Quantitative
      • (2) Qualitative
        o There is no reason to regard it as qualitatively material, if it is quantitatively material
(3) CLASS EXAMPLE
• Briefly discuss whether the audit differences as in item (a) to (c), in your opinion,
individually, or cumulatively, would have a material effect on the fair presentation of
the financial statements
• Show your workings clearly
• Assume final materiality is R 50 000 (quantitative)
• You are busy with the completion of the audit for your audit client, Alexandri
(Proprietary) Limited
• The company has experienced a strong growth tendency for the past 5 years
• For the audit concerned you evaluated inherent risk as high and control risk as
medium
• The notes below refer to notes that you have already made on your working papers
for audit purposes
o Net PBT: 4 450
o Turnover: 444 511
o PPE: 280 000
o Current assets: 561 921
§ Inventory: 303 174
§ Debtors: 226 396
§ Cash and cash equivalents: 32 351
• LIST OF AUDIT DIFFERENCES DETECTED DURING THE AUDIT
o (a) The tax calculation of the company is incorrect, due to the fact that an
inadmissible deduction of R140,534 was claimed.
§ Incorrect tax calculation
• The impact was R39 350 (28% x 140 534)
o DR Income tax expense 39 350
CR SARS 39 350
• Which is less than R50 000
o The error is therefore not quantitatively material
o (b) The inventory in one of the inventory warehouses was not included in
the stock take. The value of this inventory amounted to R56,223. Annual
problems are experienced during the audit of the company’s inventory figure
and stock take. As a result the previous year’s audit report was modified.
§ Inventory is not complete
• The impact was R56 223
o DR Inventory 56 223 (SFP)
CR COS 56 223 (P/L)
• This exceeds R50 000
o The error is therefore quantitatively material
§ However, the error is qualitatively material
o (c) No provision for credit losses was made for the current year. The
accounting policy of Alexandri (Proprietary) Limited is to provide for 7,5% of
the outstanding debtors as provision for credit losses every year
§ No provision for credit losses was made for the current year
• Breaching IFRS
• The impact was R16 980 (226 396 x 7.5%)
o DR Allowance for credit losses movement 16 980 (P/L)
CR Allowance for credit losses 16 980 (SFP)
• Which is less than R50 000
o The error is therefore quantitatively material
• (4) Going concern considerations (ISA 570)
o Under the going concern assumption, an entity is viewed as continuing in
business for the foreseeable future
o Responsibilities of management
§ The preparation of the financial statements requires management to
assess the entity’s ability to continue as a going concern even if the
financial reporting framework does not include an explicit requirement to
do so
o Responsibilities of the auditor
§ The auditor’s responsibility is to obtain sufficient appropriate audit
evidence about the appropriateness of management’s use of the going
concern assumption in the preparation of the financial statements
§ To conclude whether there is a MATERIAL UNCERTAINTY about the
entity’s ability to continue as a going concern
o Refer to the following class example (4)
Influence of going concern issue on audit report:
1. Where there is material uncertainty regarding going concern, the auditor must consider
whether the financial statements properly describe this matter and also mention that
material uncertainty regarding going concern exists
2. If the company disclosed the going concern problem, and the company’s future plans are
sufficient, and the auditors deem the plans reasonable, audit report
3. Since no evidence exists that the financial statements are reasonably presented as a
whole
4. The auditor will state the details of the matter in the going concern paragraph in the new
audit report
5. If the company did not properly disclose the going concern problem, audit report
qualified
6. Adverse opinion expressed if the problem has a material impact on the reasonable
presentation of the financial statements and the financial statements are misleading as
a result
7. If the auditor came to the conclusion that the going concern basis is not appropriate,
then the financial statements must be prepared according to the liquidity basis rather
than going concern. If the financial statements were prepared on the going concern
basis, an adverse opinion must be expressed as the financial statements cannot be used
and are meaningless
8. If there is a constraint on the audit of the going concern problem, the auditor will refrain
from giving an opinion
(4) CLASS EXAMPLE
• Evaluate the appropriateness of the going concern assumption underlying the
financial information of Voertuig Limited as at 31 October 2015
• The abridged balance sheet of Voertuig Limited as at 31 December 2015 is below:

Fixed assets            50 000
Debtors                 40 000
Creditors              (70 000)
Bank overdraft         (24 000)
                        (4 000)

Share capital              300
Accumulated loss       (10 000)
Shareholders loan        5 970
                        (4 000)

• Take a look at quantitative factors
o Accumulated loss
§ Negative impact on going concern
o Assets < Liabilities
§ Difference is actually R9 970 (4 000 + 5 970)
• As there is a SHs loan
o Negative impact on going concern
o Current assets < Current liabilities
§ Cannot meet short-term liabilities
• Negative impact on going concern
“From the actual figures for year ended, it appears as if the company’s liabilities will
exceed its assets at year-end (technical insolvency)”
• Take a look at qualitative factors
o During the current year, Mr Zet, the engineer involved in the design of alloy
wheels resigned because of differences of opinion with the rest of
management. Efforts to get hold of a replacement for Mr Zet on short notice
were unsuccessful. Management was compelled to make a decision to sell the
alloy-wheel segment. At year-end a plan was already in place to sell the
segment as well as an active programme to find a purchaser for the segment.
§ Loss of key personnel that cannot be replaced
• Negative impact on going concern
o The alloy-wheel segment’s assets were revalued (excluding the bank
account) and marketed at R20 million.
§ Selling a major part of my business
• Negative impact on going concern
o Indicate
• Positive impact on going concern
o Will receive R20 million
§ BUT, if you compare the R20 million to the bank
overdraft (R24 million), it will not cover the bank
overdraft
o From 31 August 2015 to 31 October 2015 no new orders for airbags were
received. WBM, a well-known motor manufacturer, cancelled its orders for the
year. WBM’s business with Voertuig Limited comprises 40% of Voertuig
Limited’s annual sales. Management is concerned about the matter and
marketing agents were approached to assist with the marketing of airbags
§ No new orders
• Negative impact on going concern
§ Loss of key customers
• Negative impact on going concern
§ Marketing agents to assist with sales in the future
• Positive impact on going concern
o THEREFORE, IN CONCLUSION!!!
§ BASED ON THE FOLLOWING, THERE IS A MATERIAL UNCERTAINTY OF THE
COMPANY’S ABILITY TO CONTINUE AS A GOING CONCERN
• (5) Consider subsequent events (ISA 560)
o Financial statements may be affected by certain events that occur after the date
of the financial statements
o The auditor shall perform the PROCEDURES required by paragraph 6
so that they cover the period from the date of the financial statements to the date
of the auditor’s report, or as near as practicable thereto
§ (Ref: Para. 6) Audit procedures designed to obtain sufficient
appropriate audit evidence that all events occurring between the date
of the financial statements and the date of the auditor’s report that
require adjustment of, or disclosure in, the financial statements have
been identified
o The auditor shall take into account the auditor’s risk assessment in determining
the nature and extent of such audit procedures, which shall include the following:
(Ref: Para. A7–A8)
§ (a) Obtaining an understanding of any procedures management has
established to ensure that subsequent events are identified.
§ (b) Inquiring of management and, where appropriate, those charged
with governance as to whether any subsequent events have occurred
which might affect the financial statements. (Ref: Para. A9)
§ (c) Reading minutes, if any, of the meetings of the entity’s owners,
management and those charged with governance that have been held
after the date of the financial statements and inquiring about matters
discussed at any such meetings for which minutes are not yet available.
(Ref: Para. A10)
§ (d) Reading the entity’s latest subsequent interim
financial statements,
(5.1) CLASS EXAMPLE
Year end          31 July 2018
After year end    23 August 2018    A fire destroyed inventory in one of the warehouses

• The fire has occurred after the year ended
• Therefore, does not refer to a situation that existed at the reporting date
• Therefore, the AFS need not be adjusted
• As the fire would have a material effect on the business, it should have been brought
to the attention of the users by means of a note to the financial statements
• It will therefore qualify as a material audit difference and the audit report will have
to be qualified accordingly (‘except for’)
• Step 1) IAS 10
o Adjusting
§ An event after the reporting period that provides further evidence of
conditions that existed at the end of the reporting period, including an
event that indicates that the going concern assumption in relation to
the whole or part of the enterprise is not appropriate
• Adjust financial statements
o Non-adjusting
§ An event after the reporting period that is indicative of a condition that
arose after the end of the reporting period
• Material event?
o Therefore, disclose in a note to the financial
statements
• Step 2) What is the timing?
• Step 3) Do we have to inform the users?
o If the event would have a material effect on the business, it should have
been brought to the attention of the users
• Step 4) Effect on audit report
o Qualified accordingly (‘except for’)
(5.2) CLASS EXAMPLE
• The following important dates in the year-end conclusion process of the audit:
Financial year-end: 30 September 2014
Date of the audit report: 31 October 2014
Handing over of the audit report to client: 31 October 2014
Auditor receives report from financial director to read: 5 November 2014
Posting annual reports to shareholders: 15 November 2014
• Final materiality is R 2 500 000
• Management has already indicated that they are not willing to adjust the financial
statements for the legal claim
• Legal claims
o You read the following in the paper during the weekend of 26 October 2014:
§ Legal claim made against Jimmy Shoe Limited
• Mrs. Wondershoe made a legal claim, amounting to R3
million, against Jimmy Shoe Limited after she was seriously
injured when she fell down a flight of stairs on 27 September
2014. She was wearing her 15cm high-heel Jimmy Shoes and
one of the heels broke

Before year end    27 September 2014    Legal claim made
Year end           31 September 2014
After year end     26 October 2014      You read the article in the paper
After year end     31 October 2014      Audit report
After year end     5 November 2014      Auditor receives report from financial director
After year end     15 November 2014     Posting annual reports to shareholders

• Take a look at quantitative factors
o The event is quantitatively material since the provision of R3 000 000
exceeds the materiality figure of R2 500 000
• Take a look at qualitative factors
o There is no reason to regard it as qualitatively material, if it is quantitatively
material
• Step 1) IAS 10
o Adjusting
§ The event provides information regarding a condition which existed on
the reporting date and therefore an adjustment must be considered in
the financial statements
• Step 2) What is the timing?
o The legal claim (events after reporting date), occurred between the date of
the financial statements and the date of the issuing of the audit report and we
must consider whether the event has an effect on our audit report
• Step 3) Do we have to inform the users?
o If it is probable that the claim will succeed, a provision must be created in the
financial statements, otherwise it must be disclosed as a contingent liability in
the financial statements. Management already indicated that they will make
no changes
o Discuss the probability that the claim will succeed with management and the
company’s legal advisors
• Step 4) Effect on audit report
o It is a matter that affects the audit opinion
o It is a disagreement with management
o It can be explained briefly and easily to users in the auditors’ report (or not
misleading users)
o It is therefore not pervasive to the financial statements
o The audit report must therefore contain a qualified audit opinion regarding
contingent liability
• (6) Conclusion and reporting
o OVERALL OBJECTIVES OF THE INDEPENDENT AUDITOR (ISA 200)
§ In conducting an audit of financial statements, the overall objectives of the
auditor are:
• (a) To obtain reasonable assurance about whether the financial
statements as a whole are free from material misstatement,
whether due to fraud or error, thereby enabling the auditor to
express an opinion on whether the financial statements are
prepared, in all material respects, in accordance with an applicable
financial reporting framework; and
• (b) To report on the financial statements, and communicate as
required by the ISAs, in accordance with the auditor’s findings
o Illustrated audit reports pg 758
o Title
o Address the users
o Opinion
§ (1) Unmodified opinion
• The opinion expressed by the auditor when the auditor concludes
that the financial statements are prepared, in all material respects,
in accordance with the applicable financial reporting framework
• In our opinion, the financial statements give a true and fair view in
all material respects
§ (2) Modified opinion (ISA 705)
• The auditor shall modify the opinion in the auditor’s report when:
o (Q1) The auditor concludes that, based on the audit
evidence obtained, the financial statements as a whole are
not free from material misstatement; or
o (And then Q2) The auditor is unable to obtain sufficient
appropriate audit evidence to conclude that the financial
statements as
Determining the Type of Modification to the Auditor’s Opinion
• (1) Qualified opinion (‘except for’)
o The auditor shall express a qualified opinion when:
§ (1) The auditor, having obtained sufficient
appropriate audit evidence, concludes that
misstatements, individually or in the aggregate, are
material, but not pervasive, to the financial
statements; or
• Pervasive
o A term used, in the context of
misstatements, to describe the
effects on the financial statements of
misstatements or the possible effects
on the financial statements of
misstatements, if any, that are
undetected due to an inability to
obtain sufficient appropriate audit
evidence
§ (2) The auditor is unable to obtain sufficient
appropriate audit evidence on which to base the
opinion, but the auditor concludes that the possible
effects on the financial statements of undetected
misstatements, if any, could be material but not
pervasive
• (2) Adverse opinion
o The auditor shall express an adverse opinion when the
auditor, having obtained sufficient appropriate audit
evidence, concludes that misstatements, individually or in
the aggregate, are both material and pervasive to the
financial statements
• (3) Disclaimer opinion
o The auditor shall disclaim an opinion when the auditor is
unable to obtain sufficient appropriate audit evidence on
which to base the opinion, and the auditor concludes that
the possible effects on the financial statements of
undetected misstatements, if any, could be both material
and pervasive
LIMITATION OF SCOPE AND DIFFERENCE OF OPINION
Q1) Is the matter material?
• Qualified opinion (‘except for’)
LIMITATION OF SCOPE
Q2) Is the effect on the financial statements also pervasive?
• Disclaimer opinion
DIFFERENCE OF OPINION
Q2) Is the effect on the financial statements also pervasive?
• Adverse opinion
o Effect is so material that a qualified opinion will not be enough to disclose the
misstatement
Matter / Opinion
Provision for bad debt insufficient
• Modified
o Except for Qualified opinion
Do not comply with IFRS but disclose it
• Matter of emphasis
o Unqualified opinion
Do not comply with IFRS and didn’t disclose it
• Modified opinion
o “Except for”
No Inventory count: current year
• Modified opinion
o Except for qualification (if not that material &
fundamental, otherwise disclaimer of opinion)
Accounting system failure
• Modified opinion
o Disclaimer of opinion
Going concern inappropriate & no disclosure of the facts
• Modified opinion
o Adverse opinion
Statements preparation on going concern assumption
No uncertainty going concern assumption: Unqualified
Material uncertainty, properly disclosed: Separate paragraph in report
Material uncertainty, not properly disclosed: Qualify
Management limits investigating: Disclaimer
Disagreement: Adverse
Financial statements prepared on liquidation basis
No uncertainty about appropriateness of liquidation basis: Unmodified EoM
Difference of opinion: Adverse
Unqualified with emphasis of matter paragraph:
• Opinion not influenced by the errors but there is a significant item that should be
noted in the audit report.
Qualified opinion:
• Financial statement as a whole still a fair presentation “except for” certain material
misrepresentations that are not pervasive/ fundamental.
Disclaimer of opinion:
• Not able to gather sufficient audit evidence to give an opinion about the fairness of
the financial statement, because limitation on scope of work of audit procedures.
Adverse opinion:
• Certain that financial statement not a fair presentation of company’s results
o Pervasive/ fundamental difference gives rise to such an opinion.
o Basis of opinion
§ Simply states the auditor's opinion on the financial statements and
whether they are in accordance with generally accepted accounting
principles
§ Emphasis of matter (Page 847)
• A paragraph included in the auditor’s report that refers to a
matter appropriately presented or disclosed in the financial
statements that, in the auditor’s judgment, is of such importance
that it is fundamental to users’ understanding of the financial
statements
o Key audit matters (ISA 701)
§ Those matters that, in the auditor’s professional judgment, were of most
significance in the audit of the financial statements of the current
period
§ Key audit matters are selected from matters communicated with those
charged with governance
o Other matters
o Other information (ISA 720)
§ Financial and non-financial information (other than the financial
statements and the auditor’s report thereon) which is included, either by
law, regulation or custom, in a document containing audited financial
statements and the auditor’s report thereon
o Management’s Responsibility for the Financial Statements (ISA 700)
§ Management is responsible for the preparation and fair presentation of
these financial statements in accordance with International Financial
Reporting Standards, and for such internal control as management
determines is necessary to enable the preparation of financial statements
that are free from material misstatement, whether due to fraud or error
o Auditor’s Responsibility (ISA 700)
§ Our responsibility is to express an opinion on these financial statements
based on our audit
(6.1) CLASS EXAMPLE
• Give the impact on the audit report separately in each case
• Steps
o (1) Disagreement with management or limitation of scope?
o (2) Material or pervasive?
o (3) Impact on audit report and audit opinion

CASE
• A register of the interests of directors and officials in
contracts with the company, as required by section 240 of
the Companies Act in South Africa has not been
maintained
OPINION
• No disagreement with management or limitation of scope
• Unmodified opinion
o Legal & regulatory paragraph

CASE
• During the year the company granted long term credit of
R15 000 to one of its clients
• Ezron Proprietary Limited shows the amount as a current
asset and refuses to rectify it
• The materiality figure is R100 000
OPINION
• No disagreement with management or limitation of scope
• Not material
• Unmodified opinion

CASE
• The company has not performed the physical stock count
of its export raw material stock that is shown in the
financial statements at R500 000
• Materiality R100 000
OPINION
• Limitation of scope
• Material
• Modified opinion
o Qualified opinion (‘except for’)

CASE
• Ezron Proprietary Limited has not recognised a liability for
deferred tax
• In accordance with the South African Statements on
Income Tax a deferred tax liability should be recognised
for all taxable temporary differences, unless that
Statement indicates otherwise
OPINION
• Modified opinion
o Qualified opinion (‘except for’)

CASE
• The company is a defendant in litigation on an alleged
contravention of certain patent rights and the claim for
royalties and punitive damages
• The company has brought a counterclaim and preliminary
hearings and discovery proceedings with regard to both
actions are in progress
• Currently the outcome of the case cannot be determined
and therefore no provision for any liability that may result
from the case has been made in the financial statements
• Note disclosure has been made of the contingent liability
in the financial statements
OPINION
• No disagreement with management or limitation of scope
• Unmodified opinion
o With emphasis of matter paragraph

(6.2) CLASS EXAMPLE (Consider subsequent events, and then conclude and report)
• The following important dates in the year-end conclusion process of the audit:
Financial year-end: 30 September 2014
Date of the audit report: 31 October 2014
Handing over of the audit report to client: 31 October 2014
Auditor receives report from financial director to read: 5 November 2014
Posting annual reports to shareholders: 15 November 2014
• Final materiality is R 2 500 000
• Management has already indicated that they are not willing to adjust the financial
statements for the legal claim
• Legal claims
o You read the following in the paper during the weekend of 26 October 2014:
§ Legal claim made against Jimmy Shoe Limited
• Mrs. Wondershoe made a legal claim, amounting to R3
million, against Jimmy Shoe Limited after she was seriously
injured when she fell down a flight of stairs on 27 September
2014. She was wearing her 15cm high-heel Jimmy Shoes and
one of the heels broke
• Take a look at quantitative factors
o The event is quantitatively material since the provision of R3 000 000
exceeds the materiality figure of R2 500 000
• Take a look at qualitative factors
o There is no reason to regard it as qualitatively material, if it is quantitatively
material
• Effect on audit report (Consider subsequent events)
o It is a matter that affects the audit opinion
o It is a disagreement with management
o It can be explained briefly and easily to users in the auditors’ report (or not
misleading users)
o It is therefore not pervasive to the financial statements
o The audit report must therefore contain a qualified audit opinion regarding
contingent liability
• DISCUSS THE IMPACT ON AUDIT OPINION (Conclude and report)
Affects the audit opinion?
o It is a matter that affects the audit opinion
Why? (Disagreement with management / Limitation of scope)
o It is a disagreement with management
Material?
o The event is quantitatively material since the provision of
R3 000 000 exceeds the materiality figure of R2 500 000
Pervasive? (Affects multiple accounts / Easy to explain to users)
o It can be explained briefly and easily to users in the
auditor’s report (or not misleading)
o It is therefore not pervasive to the financial statements
Report
o The audit report must therefore contain a qualified audit
opinion regarding contingent liability