[SECOND EDITION]
AUDITING FUNDAMENTALS in a South African Context

Frans Prinsloo (editor)
Pieter Von Wielligh (editor)
Gerrit Penning | Rika Butler | Dana Nathan (Josset)
Graeme O’Reilly | Rolien Kunz | Vincent Motholo
Riaan Rudman | Henriette Scholtz

Oxford University Press is a department of the University of Oxford. It furthers the University’s objective of excellence in research, scholarship, and education by publishing worldwide. Oxford is a registered trade mark of Oxford University Press in the UK and in certain other countries.

Published in South Africa by Oxford University Press Southern Africa (Pty) Limited
Vasco Boulevard, Goodwood, N1 City, Cape Town, South Africa, 7460
PO Box 12119, N1 City, Cape Town, South Africa, 7463

© Oxford University Press Southern Africa (Pty) Ltd 2018

The moral rights of the author have been asserted.

First published 2014
Second edition published in 2018

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, without the prior permission in writing of Oxford University Press Southern Africa (Pty) Ltd, or as expressly permitted by law, by licence, or under terms agreed with the appropriate reprographic rights organisation, DALRO, The Dramatic, Artistic and Literary Rights Organisation at dalro@dalro.co.za. Enquiries concerning reproduction outside the scope of the above should be sent to the Rights Department, Oxford University Press Southern Africa (Pty) Ltd, at the above address.

You must not circulate this work in any other form and you must impose this same condition on any acquirer.
Auditing Fundamentals in a South African Context (second edition)
ISBN 978 0 19 074904 0
eBook ISBN 978 0 19 075422 8
Typeset in Utopia Std Regular 10.5pt on 13pt

Acknowledgements
Publisher: Penny Lane
Development editor: Edward Ndiloseph
Project manager: Lindsay-Jane Lücks
Copy editor: Allison Lamb
Proofreader: Patricia Myers Smith
Indexer: Michel Cozien
Designer: Yaseen Baker
Typesetter: Mark Standley Design (Pty) Ltd
Reproduction by: Name Surname
Cover reproduction by: Judith Cross XYZ Printing Company

The authors and publisher gratefully acknowledge permission to reproduce copyright material in this book. Every effort has been made to trace copyright holders, but if any copyright infringements have been made, the publisher would be grateful for information that would enable any omissions or errors to be corrected in subsequent impressions.

Links to third party websites are provided by Oxford in good faith and for information only. Oxford disclaims any responsibility for the materials contained in any third party website referenced in this work.
Contents in brief

PART A: THE CONTEXT WITHIN WHICH THE EXTERNAL AUDITOR OPERATES
Chapter 1 Introduction
Chapter 2 Ethics
Chapter 3 Legal responsibilities of the auditor

PART B: THE AUDITEE’S RESPONSIBILITY FOR FINANCIAL INFORMATION
Chapter 4 Basic concepts of governance and internal control
Chapter 5 Introduction to risks and internal controls in a computerised environment
Chapter 6 Revenue and receipts cycle
Chapter 7 Purchases and payments cycle
Chapter 8 Inventory and production cycle
Chapter 9 Human resources cycle
Chapter 10 Investment and financing cycle

PART C: THE EXTERNAL AUDIT PROCESS
Chapter 11 Overview of the audit process
Chapter 12 Pre-engagement and planning activities
Chapter 13 Audit procedures: Essential concepts
Chapter 14 Audit procedures: Specific considerations
Chapter 15 Completion of the audit
Chapter 16 The independent review

Appendix: Examples of cycle documentation related to the business cycles
Bibliography
Index

Contents

Acknowledgements
Preface
List of authors
About the book
Ntsimbi Piping (Pty) Ltd Company Profile

PART A: THE CONTEXT WITHIN WHICH THE EXTERNAL AUDITOR OPERATES

CHAPTER 1 Introduction
Learning outcomes
Reference list
1.1 Background
1.2 What is the purpose of and need for accounting records?
1.2.1 Purpose of accounting records
1.2.2 Examples of accounting records
1.3 What is the objective of and need for financial statements?
1.3.1 The objective of financial statements
1.3.2 Responsibility for accounting records and financial statements
1.3.3 The assertions made by the preparers of the financial statements
1.3.4 Companies Act requirements for accounting records and financial statements
1.4 Why are external auditors needed and what is the purpose of an external audit?
1.4.1 The need for external auditors
1.4.2 The history of auditing
1.4.3 The history of the external auditing profession in South Africa
1.4.4 The purpose of an external (financial statement) audit
1.4.5 Providing assurance
1.4.6 The definition of an external audit
1.4.7 Auditing postulates
1.4.8 Types of auditors
1.5 What are examples of major corporate accounting scandals in recent years?
1.5.1 International corporate accounting scandals
1.5.2 South African corporate accounting standards
1.6 What are the structures of the accounting and auditing professions?
1.6.1 Professional bodies
1.6.2 International accounting bodies
1.6.3 Structure of the accounting and auditing professions in South Africa
Assessment questions

CHAPTER 2 Ethics
Learning outcomes
Reference list
2.1 What is the nature of ethics?
2.2 Why do professions have codes of ethics?
2.2.1 Background to codes of ethics of professions
2.2.2 Rules-based versus principles-based codes of ethics
2.2.3 Examples of ethical misconduct by auditors
2.3 What are the ethical codes and rules applicable to external auditors in South Africa?
2.4 What constitutes prohibited actions for the external auditor?
2.4.1 IRBA Rules Regarding Improper Conduct
2.4.2 SAICA’s punishable offences
2.5 How do the SAICA and IRBA disciplinary processes work?
2.5.1 SAICA disciplinary process
2.5.2 IRBA disciplinary process
2.5.3 Examples of SAICA and IRBA disciplinary processes
2.6 What is the content of the SAICA and IRBA Codes of Professional Conduct?
2.6.1 Background to the SAICA and IRBA Codes of Professional Conduct
2.6.2 Differences between SAICA and IRBA Codes of Professional Conduct
2.6.3 The SAICA Code of Professional Conduct (CPC)
2.6.4 Part 1: Complying with the code: Conceptual framework approach
2.6.5 Part 2: Professional accountants in business
2.6.6 Part 3: Professional accountants in public practice
2.6.7 International Independence Standards (Part 4)
2.7 How does ethics fit into the audit process?
Assessment questions

CHAPTER 3 Legal responsibilities of the auditor
Learning outcomes
Reference list
3.1 Introduction
3.1.1 Legislation and regulations governing the audit function
3.1.2 Legislation and regulations with which the auditor has to be familiar
3.2 What are the statutory and regulatory requirements for an audit?
3.2.1 Companies that have to be audited
3.2.2 What if a company does not have to be audited?
3.3 How does the statutory appointment, removal and rotation of the auditor work and what are his or her rights?
3.3.1 Requirements to be met by the auditor in order to be appointed
3.3.2 Appointment of the auditor
3.3.3 Resignation of the auditor
3.3.4 Dismissal of the auditor
3.3.5 Appointment of a replacement auditor
3.3.6 Rotation of auditors
3.3.7 Statutory rights of the auditor
3.4 What are the statutory requirements to practise as an auditor?
3.4.1 The requirements to become a Registered Auditor
3.4.2 Firms as Registered Auditors
3.4.3 Limitations on what an auditor may do
3.4.4 Statutory duties of auditors
3.4.5 Inspections of auditors
3.4.6 Liability of auditors for losses suffered by the client and/or third parties
3.5 What does the auditor’s statutory responsibility to identify and respond to Reportable Irregularities entail?
3.5.1 Definition of a Reportable Irregularity
3.5.2 The auditor’s reporting duties with regard to Reportable Irregularities
3.5.3 The implications of a Reportable Irregularity for the auditee
3.6 How is auditing in the public sector different from auditing in the private sector?
3.6.1 Background to auditing in the public sector
3.6.2 Who performs public sector audits?
3.6.3 To what standards are these public sector audits conducted?
3.7 What other legislation or regulations may impact on the scope of the audit function?
3.7.1 The JSE Listings Requirements
3.7.2 What special qualifications are required to audit a company listed on the JSE?
3.7.3 What are the specific responsibilities of auditing firms and individual auditors conducting audits of companies listed on the JSE?
3.7.4 The Sarbanes–Oxley Act of 2002
3.8 What role can the auditor play to aid good corporate governance?
3.8.1 The combined assurance model
3.8.2 The concept of combined assurance
3.8.3 The role of the audit committee with regard to the external audit function
Assessment questions

PART B: THE AUDITEE’S RESPONSIBILITY FOR FINANCIAL INFORMATION

CHAPTER 4 Basic concepts of governance and internal control
Learning outcomes
Reference list
4.1 What is governance?
4.2 What is the relationship between governance and internal control?
4.2.1 Risks in a business
4.2.2 Risk management
4.3 What is internal control?
4.3.1 A system of internal control
4.3.2 Components of a system of internal control
4.3.3 Inherent limitations of a system of internal control
4.3.4 Impact when the system of internal control does not operate as intended
4.4 How does one design a system of internal control?
4.4.1 Step 1: Identify the risks
4.4.2 Step 2: Formulate control objectives
4.4.3 Step 3: Design a system of appropriate internal controls
Assessment questions

CHAPTER 5 Introduction to risks and internal controls in a computerised environment
Learning outcomes
5.1 Introduction
5.2 How has information technology evolved?
5.3 How and why do companies have to govern their computer information systems?
5.4 What is the impact of upgrading a manual accounting system to an electronic accounting system?
5.5 What are the key components of a computer information system?
5.6 How does a computerised accounting system operate?
5.7 How are computer controls classified?
5.8 How are general controls classified?
5.8.1 Organisational controls and personnel practices
5.8.2 System development and change controls
5.8.3 Access controls
5.8.4 Business continuity controls
5.8.5 Operating controls and system maintenance controls
5.9 Which controls relate to the computerised processing of business transactions?
5.9.1 Background
5.9.2 Manual versus computer controls
5.9.3 Overview of application controls
5.10 How are controls identified in advanced technologies?
5.10.1 Electronic commerce, electronic funds transfers and other data communication
5.10.2 Service organisations, outsourcing and data warehousing
Assessment questions
Appendix: Electronic funds transfer controls
Appendix: Accounting information systems

CHAPTER 6 Revenue and receipts cycle
Learning outcomes
Reference list
6.1 What are the nature, purpose and accounting implications of the cycle?
6.1.1 The nature and purpose of the cycle
6.1.2 Forms of revenue from sale of goods and rendering of services
6.1.3 The varied nature of the cycle
6.1.4 How transactions in the cycle are triggered (initiated)
6.1.5 Major accounts affected by the cycle
6.1.6 IFRS 15 and the treatment of revenue for financial reporting purposes
6.2 What functional areas occur in the cycle?
6.2.1 Description of the functional areas
6.2.2 Summary of functional areas by department
6.3 What information system is used in the cycle?
6.3.1 Accounting for revenue and receipt transactions
6.3.2 Supporting documents, journals and ledgers
6.3.3 Databases and master files (computerised systems only)
6.3.4 Reports
6.3.5 Reconciliations
6.3.6 Illustration: Transaction flow in the revenue and receipts cycle
6.4 What could go wrong (risks) in the cycle?
6.4.1 Financial reporting risks
6.4.2 Misappropriation risks
6.5 What computer technologies are used in the cycle?
6.5.1 Point-of-sale systems and barcode scanning
6.5.2 Electronic funds transfer
6.5.3 Online sales (internet-based)
6.6 What are the control objectives in the cycle?
6.6.1 Control objectives in the cycle
6.6.2 Achievement of the control objectives in the cycle
6.6.3 Link between the control objectives in the cycle and management’s assertions
6.7 What are the controls in the cycle (manual and computerised)?
6.7.1 Internal control activities in the cycle
6.7.2 Internal control tables
6.8 Cycle illustration: The revenue and receipts cycle at Ntsimbi Piping
6.8.1 Credit management
6.8.2 Receiving orders from customers
6.8.3 Authorisation of sales orders
6.8.4 Picking of goods from warehouse
6.8.5 Despatch and delivery of goods to customers
6.8.6 Invoicing
6.8.7 Recording of sales in the accounting records
6.8.8 Receipt of cash from customers
6.8.9 Recording of receipts in the accounting records
6.8.10 Processing and recording of returns and other sales adjustments
Assessment questions

CHAPTER 7 Purchases and payments cycle
Learning outcomes
7.1 What are the nature, purpose and accounting implications of the cycle?
7.1.1 The nature and purpose of the cycle
7.1.2 Forms of purchases
7.1.3 The varied nature of the cycle
7.1.4 How transactions in the cycle are triggered (initiated)
7.1.5 Example of a typical transaction in the purchases and payments cycle
7.1.6 Major accounts affected by the cycle
7.1.7 Accounting treatment of certain specific transactions in the cycle
7.2 What functional areas occur in the cycle?
7.2.1 Description of functional areas
7.2.2 Summary of functional areas by department
7.3 What information system is used in the cycle?
7.3.1 Accounting for purchases and payments transactions
7.3.2 Supporting documents, journals and ledgers
7.3.3 Databases and master files (computerised systems only)
7.3.4 Reports
7.3.5 Reconciliations
7.3.6 Illustration: Transaction flow in the purchases and payments cycle
7.4 What could go wrong (risks) in the cycle?
7.4.1 Financial reporting risks
7.4.2 Misappropriation risks
7.5 What computer technologies are used in the cycle?
7.5.1 Electronic funds transfer (EFT)
7.5.2 Electronic data interchange (EDI)
7.6 What are the control objectives in the cycle?
7.6.1 Control objectives in the cycle
7.6.2 Achievement of the control objectives in the cycle
7.6.3 Link between the control objectives in the cycle and management’s assertions
7.7 What are the controls in the cycle (manual and computerised)?
7.7.1 Internal control activities in the cycle
7.7.2 Internal control tables
7.8 Cycle illustration: The purchases and payments cycle at Ntsimbi Piping
7.8.1 Purchase requisition
7.8.2 Ordering goods from suppliers
7.8.3 Receiving goods from suppliers
7.8.4 Recording of purchases
7.8.5 Payment preparation
7.8.6 Paying the supplier
7.8.7 Recording of payment
7.8.8 Returning goods and recording a purchase return
Assessment questions

CHAPTER 8 Inventory and production cycle
Learning outcomes
Reference list
8.1 What are the nature, purpose and accounting implications of the cycle?
8.1.1 The nature and purpose of the cycle
8.1.2 Types of inventory and production
8.1.3 The varied nature of the cycle
8.1.4 The link between this cycle and the other cycles
8.1.5 How transactions in the cycle are triggered (initiated)
8.1.6 Example of a typical transaction in the inventory and production cycle
8.1.7 Major accounts affected by the cycle
8.1.8 IAS 2 and the treatment of inventory for financial reporting purposes
8.2 What functional areas occur in the cycle?
8.2.1 Description of the functional areas
8.2.2 Summary of functional areas by department
8.3 What information system is used in the cycle?
8.3.1 Accounting for inventory and production transactions
8.3.2 Supporting documents, journals and ledgers
8.3.3 Databases and master files (computerised systems only)
8.3.4 Reports
8.3.5 Reconciliations
8.3.6 Illustration: Transaction flow in the inventory and production cycle
8.4 What could go wrong (risks) in the cycle?
8.5 What computer technologies are used in the cycle?
8.6 What are the control objectives in the cycle?
8.6.1 Control objectives in the cycle
8.6.2 Achievement of the control objectives in the cycle
8.6.3 Link between the control objectives in the cycle and management’s assertions
8.7 What are the controls in the cycle (manual and computerised)?
8.7.1 Internal control activities in the cycle
8.7.2 Internal control tables
8.7.3 Controls relating to the conducting of inventory counts
8.8 Cycle illustration: The inventory and production cycle at Ntsimbi Piping
8.8.1 Background to inventory and production
8.8.2 Storage of raw material
8.8.3 Production planning
8.8.4 Transfer raw materials to production
8.8.5 Production
8.8.6 Transfer finished goods to finished goods warehouse
8.8.7 Storage of finished goods
8.8.8 Update of costing records
8.8.9 Inventory counts
8.8.10 Maintenance of inventory records
Assessment questions

CHAPTER 9 Human resources cycle
Learning outcomes
9.1 What are the nature, purpose and accounting implications of the cycle?
9.1.1 The nature and purpose of the cycle
9.1.2 Relationship with other cycles
9.1.3 The varied nature of the cycle
9.1.4 How transactions in the cycle are triggered (initiated)
9.1.5 Major accounts affected by the cycle
9.1.6 Applicable accounting standards, legislation, listings requirements and corporate governance principles
9.1.7 Executive remuneration
9.1.8 Deductions from employees’ remuneration
9.2 What functional areas occur in the cycle?
9.2.1 Description of the functional areas in the cycle
9.2.2 Summary of functional areas by department
9.3 What information system is used in this cycle?
9.3.1 Accounting for salaries, wages and related transactions
9.3.2 Supporting documents, journals and ledgers
9.3.3 Databases and master files (computerised systems only)
9.3.4 Reports
9.3.5 Reconciliations
9.3.6 Illustration: Transaction flow in the human resources cycle
9.4 What could go wrong (risks) in the cycle?
9.4.1 Financial reporting risks
9.4.2 Misappropriation risks
9.5 What computer technologies are used in the cycle?
9.5.1 Access control systems
9.5.2 Payroll software
9.5.3 Electronic funds transfer (EFT)
9.6 What are the control objectives in the cycle?
9.6.1 Control objectives in the cycle
9.6.2 Achievement of the control objectives in the cycle
9.6.3 Link between the control objectives in the cycle and management’s assertions
9.7 What are the controls in the cycle (manual and computerised)?
9.7.1 Internal control activities in the cycle
9.7.2 Internal control tables
9.8 Cycle illustration: The human resources cycle at Ntsimbi Piping
9.8.1 Background to the human resources cycle of Ntsimbi Piping
9.8.2 Appointment of employees and personnel records
9.8.3 Time keeping – wage-earning employees
9.8.4 Calculation and recording of salaries and wages
9.8.5 Payment preparation and payment of wages and salaries
9.8.6 Payment of deductions
9.8.7 Recording the salary and wage transactions in the accounting records
Assessment questions

CHAPTER 10 Investment and financing cycle
Learning outcomes
Reference list
10.1 What are the nature, purpose and accounting implications of the cycle?
10.1.1 The nature and purpose of the cycle
10.1.2 Forms of transactions and major accounts affected by the cycle
10.1.3 Characteristics of the investment and financing cycle
10.1.4 Relevant accounting standards
10.1.5 How transactions in the cycle are triggered (initiated)
10.2 What functional areas occur in the cycle?
10.2.1 Financing
10.2.2 Investments
10.3 What information system is used in the cycle?
10.3.1 Accounting for investment and financing transactions
10.3.2 Supporting documents and journals
10.3.3 Illustration: Transaction flow in the investment and financing cycle
10.4 What could go wrong (risks) in the cycle?
10.4.1 Financial statement level risks
10.4.2 Assertion level risks
10.5 What computer technologies are used in the cycle?
10.6 What are the control objectives in the cycle?
10.6.1 Control objectives in the cycle
10.6.2 Achievement of the control objectives in the cycle
10.6.3 Link between the control objectives in the cycle and management’s assertions
10.7 What are the controls in the cycle (manual and computerised)?
10.8 Cycle illustration: The investment and financing cycle at Ntsimbi Piping
Assessment questions

PART C: THE EXTERNAL AUDIT PROCESS

CHAPTER 11 Overview of the audit process
Learning outcomes
Reference list
11.1 Introduction
11.2 What terminology is used by the auditor when performing an audit?
11.3 What are the objectives of an audit?
11.4 What are the International Standards on Auditing (ISAs)?
11.5 How is the audit and audit evidence documented?
11.5.1 Characteristics of audit evidence
11.6 What are the stages in the audit process?
11.6.1 What are pre-engagement activities?
11.6.2 What are planning activities?
11.6.3 Obtaining audit evidence
11.6.4 Evaluating, concluding and reporting
11.7 How do computerised environments impact on the audit process?
11.8 Is there a link between the stages of the audit process and the ISAs?
Assessment questions

CHAPTER 12 Pre-engagement and planning activities
Learning outcomes
Reference list
12.1 Introduction
12.1.1 The concepts of overall audit strategy, audit plan and audit approach
12.2 How does the auditor perform pre-engagement activities?
12.2.1 Requirements
12.2.2 Application in practice
12.3 How are the terms of the engagement documented?
12.3.1 Importance of documenting the terms
12.3.2 Contents of the engagement letter
12.4 How does the auditor obtain an understanding of the entity?
12.4.1 Aspects of the entity to be understood
12.4.2 Method of obtaining the understanding
12.5 How does the auditor assess the risk of material misstatement?
12.5.1 Conceptual aspects of risk assessment
12.5.2 The need to consider risk arising from going concern issues
12.5.3 The need to consider risk arising of fraud
12.5.4 Identification of risks that require special audit consideration (significant risks)
12.5.5 Risks for which substantive procedures alone do not provide sufficient audit evidence
12.6 How can the auditor respond to identified risks of material misstatement?
12.6.1 Responding to detection risk at the financial statement level
12.6.2 What options are available to the auditor to achieve desired changes to the level of detection risk at the financial statement level?
12.6.3 Responding to detection risk at the account balance/class of transactions/disclosure level
12.6.4 The implications of combined testing versus substantive testing
12.6.5 Updating the audit approach and plan throughout the audit
12.7 What is materiality and how is it calculated?
12.7.1 Definition
12.7.2 Calculating materiality
12.8 Attending to the logistics of the audit
Assessment questions

CHAPTER 13 Audit procedures: Essential concepts
Learning outcomes
Reference list
13.1 Where do audit procedures fit into the audit process?
13.2 What are audit objectives?
13.3 What is the nature of further audit procedures?
13.3.1 Determinants of the nature of the further audit procedures
13.3.2 Tests of controls
13.3.3 Substantive procedures
13.3.4 Dual purpose audit procedures
13.3.5 Revision
13.4 What is the timing of further audit procedures?
13.4.1 Determinants of the timing of further audit procedures
13.4.2 Interim tests of controls
13.4.3 Interim substantive procedures
13.4.4 Relying on audit evidence obtained in prior audits
13.5 What is the extent of further audit procedures?
13.5.1 Audit sampling
Assessment questions
Appendix

CHAPTER 14 Audit procedures: Specific considerations
Learning outcomes
Reference list
14.1 Introduction
14.2 How do we formulate the nature of further audit procedures for specific classes of transactions or account balances?
14.2.1 Wages: Attendance of a wage payout
14.2.2 Cash and bank
14.2.3 Inventory: Attendance of inventory counts
14.2.4 Creditors reconciliations
14.3 What are the requirements of International Standards on Auditing for dealing with specific complexities that may be encountered when performing audit procedures?
14.3.1 External confirmations
14.3.2 Management’s written representations
14.3.3 Accounting estimates
14.3.4 Use of other parties in the audit
14.4 What are computer-assisted audit techniques (CAATs)?
14.4.1 The basics of CAATs
14.4.2 The auditor’s use of computer software to assist in the audit
14.4.3 Reasons for the use of CAATs in the audit process
14.4.4 Application of CAATs in the audit process
14.4.5 Steps in planning and performing CAATs
Assessment questions
Appendix: CAATs example

CHAPTER 15 Completion of the audit
Learning outcomes
Reference list
15.1 Introduction
15.2 What is the auditor’s responsibility regarding subsequent events?
15.2.1 Introduction
15.2.2 Various periods pertaining to subsequent events
15.2.3 Auditor’s responsibility
15.3 What is the auditor’s responsibility regarding the going concern basis of accounting?
15.3.1 Introduction
15.3.2 Management’s responsibility
15.3.3 Auditor’s responsibility
15.3.4 Business rescue and its impact on the audit
15.4 How does the auditor deal with uncorrected misstatements in the financial statements?
15.4.1 Misstatements identified during the audit
15.4.2 Final materiality
15.4.3 Evaluating the materiality of uncorrected misstatements
15.4.4 Impact of uncorrected misstatements on the financial statements and auditor’s report
15.5 How does the auditor draft the auditor’s report?
15.5.1 Introduction
15.5.2 Contents of the auditor’s report
15.5.3 Types of audit opinions
15.5.4 Other sections in the auditor’s report
15.5.5 Impact of the auditee’s going concern ability on the auditor’s report
Assessment questions

CHAPTER 16 The independent review
Learning outcomes
Reference list
16.1 What is an independent review?
16.1.1 The nature of an independent review
16.1.2 Differences between independent reviews and audits
16.2 What are the statutory and regulatory requirements surrounding an independent review?
16.2.1 Applicability of independent reviews
16.2.2 Persons eligible to perform independent reviews
16.2.3 Reportable Irregularities discovered during an independent review
16.2.4 The scope of an independent review
16.3 How does one conduct an independent review?
16.3.1 Activities prior to, and during, the acceptance of the engagement
16.3.2 Planning the engagement
16.3.3 Performing the engagement
16.3.4 Finalising the engagement
16.3.5 Reporting on the engagement
16.3.6 Documenting the engagement
Assessment questions

Appendix: Examples of cycle documentation related to the business cycles
Bibliography
Index

Acknowledgements

The publisher, editors and authors appreciate the valuable collaboration and support kindly provided by the auditing, forensics, advisory and tax firm Nolands, during the process of developing and updating this text. In addition, the publisher and editors express sincere appreciation to Gretha Steenkamp, MAcc (Computer Auditing), CA(SA) for her valued support in updating the annual financial statements of Ntsimbi Piping Proprietary Limited used within this text.

Preface

Throughout the development of this text, from conceptualisation to finalisation, the focus of the author-team was on meeting the learning needs of undergraduate auditing students at South African universities who are introduced to the subject for the first time. The many decades of collective experience of the editors and authors (who have lectured auditing at both undergraduate and postgraduate levels at a number of South African universities, and who have gained an in-depth understanding of the difficulties that students experience with auditing as a subject) was used to develop a text specifically tailored to undergraduate auditing students, recognising the unique South African context.
Every attempt has been made to keep the language used in the text as straightforward as possible and to ‘tell auditing as a story’. The text follows a conceptual, principles-based approach throughout. This approach has been designed to encourage a proper understanding of the subject matter and to discourage memorisation or ‘rote-learning’, which is often the result of a lack of understanding.

In order to address the confusion that students often experience in relation to the roles of management and the external auditor, the text is organised into three distinct parts, namely:
1. The context within which the external auditor operates (Chapters 1 to 3);
2. The auditee’s responsibility for financial information (Chapters 4 to 10); and
3. The external audit process (Chapters 11 to 15).

The final chapter (Chapter 16) deals with a very topical type of assurance engagement in the South African context, namely the independent review, which is explained and contrasted with the external audit.

Each chapter identifies detailed learning outcomes that the reader should achieve through engagement with the chapter. The assessment questions at the end of each chapter are linked directly to the learning outcomes and allow the reader to assess the extent to which the learning outcomes have been achieved. Various features, such as ‘what if’, ‘why’ and ‘critical thinking’ features, are used to entice readers to engage further with the learning material and to ‘make it their own’, instead of merely memorising it.

Other key features used in the text are:
• The running case study: The reader is introduced to the Ntsimbi Piping case study at the start of the text. This case study was inspired by an actual company (although the names used are fictitious). Every key aspect covered in the text is thoroughly illustrated by this case study to assist the reader in understanding the practical consequences of the topic.
• The Audit Process Overview diagram: In the third part of the text (which covers the external audit process), the Audit Process Overview diagram is referred to throughout to assist the reader to understand what aspect of the audit process is covered and how it links to the rest of the process.
• Use of real-life examples: Each chapter is introduced with recent relevant media coverage to contextualise its content and ‘make it real’. For the business cycle chapters (Chapters 6 to 10), comprehensive ‘real-life’ examples of all documentation used by Ntsimbi Piping are available to the reader (in an Appendix at the end of the text).
• The use of control tables: The chapters on business cycles include comprehensive control tables that directly link risks, control objectives and the related controls in both manual and computerised environments, and also link these to assertions. These are included also to assist the reader to maintain a ‘big picture’ focus.

In contrast to many other texts, the chapters on audit procedures (Chapters 13 and 14) do not include multiple ‘lists’ of typical substantive procedures for various classes of transactions and events and account balances. The approach taken to these procedures is rather entirely a conceptual one, which encourages students to formulate audit procedures using the approaches outlined in Chapter 13, and constitutes another novel feature of this text. However, in this second edition, one comprehensive worked example of substantive procedures has been included to complement the conceptual approach taken in the text.

Although the text is comprehensive, it is not designed to be used in isolation. Rather, it should be read with the relevant reference materials that include legislation, auditing and other assurance-related standards and other pronouncements. To facilitate this, each chapter includes a reference list of the most relevant pronouncements.
The second edition has also been updated to incorporate the requirements of relevant legislation, standards and codes in issue at the date of publication. Major revisions from the first edition include a discussion of the new SAICA/IRBA Code of Professional Conduct (based on the revised IFAC International Code of Ethics for Professional Accountants), and the updating of the terminology for the financial statement assertions. While these were addressed in later impressions of the first edition, the second edition gives due coverage to the recently issued auditor reporting standards and the King IV™ Report on Corporate Governance.

All names of people, places and business entities in the text are entirely fictitious unless indicated otherwise, and any resemblance to real people, places or business entities is purely coincidental.

The editors welcome any constructive comments, particularly from students using the text, to improve future editions. We trust that this text will serve to make auditing as an undergraduate university course less daunting and more interesting to its readers.

Frans Prinsloo
Pieter von Wielligh
July 2018

List of authors

Pieter von Wielligh (Editor)
BAcc Honours (cum laude), MAcc, PhD (Accounting) (Stellenbosch), CA(SA)

Pieter von Wielligh is Professor and Division Head of Auditing and Deputy Director of Learning and Teaching in the School of Accountancy at Stellenbosch University. He spent many years in practice as a Chartered Accountant, specialising in financial services and, in particular, the audits of long-term insurers. Thereafter, he moved into academia, where he lectured auditing at undergraduate and postgraduate levels. He has published various articles in accredited and popular journals and has delivered a number of papers at conferences on various aspects of auditing and auditing education. He also supervises master’s and doctoral students in the field of auditing.
Pieter also serves on the editorial panel of an accredited journal, as well as on the central Finance Committee of the Stellenbosch University.

Frans Prinsloo (Editor)
BCom (Accounting) (cum laude), BCom Honours (Accounting) (cum laude), MCom (Accounting) (cum laude) (Port Elizabeth), CA(SA)
Frans Prinsloo is Professor and Division Head of Auditing in the School of Accounting at the Nelson Mandela University in Port Elizabeth, and served as the Director of this School from 2007 to 2016. He is the key CTA Auditing lecturer at Nelson Mandela University, and is further responsible for postgraduate research supervision. Frans was a member of the Independent Regulatory Board for Auditors’ (IRBA’s) Committee for Auditing Standards from 1999 to 2012. Over the last two decades, he has further actively participated in the professional education activities of the South African Institute of Chartered Accountants (SAICA) and the IRBA, and is currently a member of SAICA’s APC Examination Committee. Frans is part of the panel of experts who developed and updates the Competency Framework for entry-level Chartered Accountants of SAICA. Frans has been chairperson of a number of audit committees in the public sector, and currently serves as a member of the governing bodies of two NGOs.

Rika Butler
BCom Honours (Accounting) (Pretoria), CTA (Pretoria), MAcc (Computer Auditing) (Stellenbosch), CA(SA)
Rika Butler is an Associate Professor in Auditing at the School of Accountancy at Stellenbosch University. After qualifying as a Chartered Accountant, Rika started her academic career at the University of Pretoria. When her family moved to Stellenbosch, she joined Stellenbosch University. She has extensive experience in lecturing auditing at both undergraduate and postgraduate level.
Rika has written and published articles in various academic accredited journals, both local and international, mostly on matters relating to information technology (IT), internal control, IT governance (ITG) and the auditing of computer systems. Her research has also been presented at conferences. Rika has served on the question-setting team for the Public Practice Examination (PPE) of the IRBA and serves as an ad hoc reviewer for various accredited professional journals. She also provides supervision to students studying towards a master’s degree in Computer Auditing at Stellenbosch University.

Rolien Kunz
BCompt (UNISA), BCompt Honours (UNISA), Postgraduate Certificate in Higher Education (cum laude) (Pretoria), MCom (Auditing) (Pretoria), CA(SA)
Rolien Kunz is a Senior Lecturer in the Department of Auditing at the University of Pretoria where she lectures at both undergraduate and postgraduate levels. Her research area of interest is accounting education and her master’s degree dealt with the work readiness of first-year trainee accountants. Rolien has presented numerous research papers at local and international conferences and published peer-reviewed articles in a number of accredited journals. In addition, she has been actively involved in the professional education activities of SAICA and the Regulatory Board for Auditors for many years and is currently part of the CA 2025 project team, developing revised competency frameworks for both SAICA and the IRBA.

Vincent Motholo
BCom (Accounting Sciences) (Pretoria), BCom Honours (Accounting) & CTA (Natal), CA(SA)
Vincent Motholo is a Director in the Assurance Division of SNG Grant Thornton. His role as a Director includes amongst others, heading the Learning and Development Centre of SNG Grant Thornton, leading and servicing an audit client portfolio and the mentoring and development of middle-management staff.
Prior to joining SNG Grant Thornton, Vincent was a Senior Lecturer at the University of South Africa (UNISA) and lectured auditing at a postgraduate level. Whilst at UNISA, he was recognised with a number of awards for his contribution to excellence in teaching, student support and quality control. He has served on a number of audit committees. Vincent actively participates in the professional education activities of SAICA and is the deputy chairperson of SAICA’s Pretoria district region.

Dana Nathan (Josset)
BCom (Wits), BAcc (Wits), MCom (Accounting) (Wits), CA(SA)
Dana Nathan is the Subject Coordinator for Auditing at the Institute of Accounting Science, a private provider of postgraduate accountancy studies. Dana also runs a private academic support programme providing additional assistance to undergraduate and postgraduate students and SAICA candidates seeking to become Chartered Accountants. Prior to this, she spent 12 years in academia, in the School of Accountancy at the University of the Witwatersrand, as a Senior Lecturer in Auditing. Dana has a keen interest in the education assessment activities of the South African Chartered Accountancy profession and has, for over a decade, actively participated in the qualifying assessment activities of the SAICA and IRBA professional bodies, and currently the SAICA ITC and APC examinations. Dana has published, and reviewed for accredited professional journals, in the field of professional ethics.

Graeme O’Reilly
BCom (Natal, Durban), HDipp Acc (Natal, Durban), CA(SA)
Graeme O’Reilly is a Director of NSOA Learning (Pty) Ltd. He has been lecturing auditing to both UKZN and UNISA students at a postgraduate level since 1997 and currently runs several academic support programmes assisting postgraduate UNISA CTA students seeking to become Chartered Accountants.
He also presents workshops that teach practical auditing to trainee accountants, helping them bridge the gap between the theory of auditing and its more practical application in the workplace. Graeme is currently chairman of the Accreditation and Monitoring Sub-committee of SAICA’s Training Requirements Committee, of which he is currently vice-chairman.

Gerrit Penning
BAcc Honours & CTA (Free State), (Accounting Sciences) (Pretoria), CA(SA)
Gerrit Penning is a Senior Lecturer in the Department of Auditing at the University of Pretoria and teaches auditing to postgraduate students. He has served for two years on the question-setting team of the Public Practice Examination (PPE) of the IRBA. His past audit experience focused on private sector audits in South Africa and abroad, and on audits of local and provincial-level entities in the South African government sphere. He serves as a subcommittee representative on the Pretoria District Association of SAICA. Gerrit is currently studying towards a doctoral degree in auditing and has a keen interest in research relating to professional ethics for accountants, and especially how organisational culture within audit firms influences the ethical behaviour and decision making of audit professionals.

Riaan J Rudman
BBusSc Honours (Cape Town), PGDA (Cape Town), MBusSc (Cape Town), MAcc (cum laude) (Stellenbosch), CA(SA)
Riaan Rudman is an Associate Professor at Stellenbosch University. He lectures auditing as well as information systems at an undergraduate and postgraduate level and specialised in financial institutions before joining academia. He serves on various committees and is very involved in the accounting profession, as well as with professional training. He is a well-published author and presents on a wide variety of topics both locally and internationally. His areas of interest lie in business management and acceptable corporate behaviour in an electronic environment and new technologies.
Henriëtte Scholtz
BCom Honours (RAU), MCom & Adv tax cert (UNISA), CA(SA)
Henriëtte Scholtz is a Senior Lecturer at Stellenbosch University and lectures auditing at undergraduate and postgraduate levels. She worked as a general manager in the internal auditing division of a big banking group before joining academia. Henriëtte publishes articles and presents papers at international conferences. Her areas of interest lie in corporate governance and ethics. She is a member of the SAICA ethics committee.

About the book

Auditing Fundamentals in a South African Context is a practical, applied and engaging introductory textbook that supports students throughout the undergraduate level of the Auditing curriculum. The text is designed to enhance learning by supporting holistic understanding: theory is presented within the framework of the real-world business environment, assisting students to apply principles and standards with an understanding of their context. Auditing Fundamentals in a South African Context is designed to complement the structure and approach of the online question bank Auditing Fundamentals: Graded Questions, making these ideal companions.

Brief description of features

Audit Process Overview diagram: A diagrammatic representation of the audit process, contained at the beginning of Chapters 1, 11, 12, 13, 14 and 15. This diagram is designed to orientate students by providing a clear and visual overview of the audit process. It is incorporated to maintain the orientation of the reader, and to answer the question, ‘Where does this fit into the audit process?’

Learning outcomes: The learning outcomes serve as a guide to the content and are practical, clear and contextualised.

Running case study: The book starts with an introduction to, and an annual report of, a medium-sized manufacturing company called Ntsimbi Piping (Pty) Ltd. Each chapter contains references to this case study, and integrates its elements into the chapter content.
The case study provides students with hands-on experience, and allows them to gain a better understanding of how the audit client’s business and the audit process are integrated in the audit.

News articles: Many of the chapters include news articles, audit working papers, and company documents. This feature shows the relevance, practical application, and real-life nature of the concepts in the chapter. It also creates context, provides insights and interest, and builds a broader understanding and awareness of the dynamic business environment.

‘Why?’ feature: This feature introduces reasons and rationales underlying concepts. The purpose of this feature is to go behind the auditing standards and other pronouncements and discover/provide context, relevance, a big-picture understanding, and an understanding of the underlying philosophy of auditing.

‘What if?’ feature: This feature is used to encourage students to think independently, so that they can see beyond the text and contemplate alternative scenarios, thereby applying the theory to a variety of practical scenarios.

Source documents: An appendix to the text provides examples of actual company records and documents, reports, letters, and other documents stemming from the running case study. These source documents assist students to visualise and understand their real function, their interrelationship, and their use within the audit process. Source documents are cross-referenced to their relevant chapters in the book.

Definitions: The most important terms and concepts particular to the field of auditing, essential to understanding the subject matter, are identified and explained in each chapter. This assists students to comprehend the material clearly and effectively. Students are also referred to the standards and the IAASB Glossary of Terms to familiarise themselves with unfamiliar words/terms/concepts.

Diagrams, pictures and tables: These are included throughout for visual representation of concepts.
Assessment questions: Each chapter concludes with questions enabling readers to test their understanding of the key concepts. These questions incorporate a mixture of question types, including multiple-choice questions; true/false questions; and open-ended questions. All questions are referenced to the learning outcomes stated at the beginning of each chapter. They test understanding and insight.

Ntsimbi Piping (Pty) Ltd Company Profile

1. Company history and principal business
Ntsimbi Piping (Pty) Ltd is an unlisted South African company that was incorporated in 2000. It is one of South Africa’s leading manufacturers of polyvinyl chloride (PVC) (plastic) products. Ntsimbi Piping manufactures a wide range of products of which the principal products are PVC pipes and mouldings. Ntsimbi Piping operates primarily in South Africa, but it also has standing arrangements with various business partners to which it sells its products to on-sell to markets throughout Africa. In this way, the company strives to meet the pipe and moulding needs of a wide range of customers drawn from the complete spectrum of industry sectors, including the mining, civil engineering, irrigation, industrial, telecommunications and building sectors. Approximately 70% of the raw materials for the production process are sourced from various overseas countries (predominantly Australia and New Zealand), with the remainder sourced locally. An extract from the Ntsimbi Piping’s product brochure appears below.

2. The PVC product market in South Africa
Although demand from the construction industry has declined in recent years, the overall market for PVC products is still maintaining growth. The market is also affected by government spending and will therefore be positively influenced by the adoption of the National Infrastructure Plan by the South African government. The market is not very competitive as it is capital intensive.
In order to operate profitably, companies in this market have to be large to achieve economies of scale. All products that enter the market are monitored by the South African Bureau of Standards. In terms of exports, South African plastic pipe manufacturers export their products mainly into the rest of Africa for use in the mining sector.

3. Company details
Ntsimbi Piping’s head office and manufacturing plant are on adjacent premises in Cape Town and the company employs approximately 80 staff. Ntsimbi Piping is one of a number of subsidiaries in the Ntsimbi Piping Investments Proprietary Limited Group. Seventy per cent of the issued shares of Ntsimbi Piping is held by Ntsimbi Piping Investments Proprietary Limited, and each of the three executive directors (refer to section 6 below) holds 10% of the issued shares. In addition to providing equity funding to Ntsimbi Piping, the parent also provides funding in the form of a shareholder loan. Nolands Inc. has held the appointment as registered auditor of Ntsimbi Piping since the incorporation of the company.

4. Ntsimbi Piping’s strategies
Ntsimbi Piping’s goal is to be the pre-eminent supplier of PVC products to the South African market. In pursuit of this goal, the company’s strategies include the following:
• Producing the highest quality PVC products in the most cost-effective and sustainable way;
• Making the best possible use of the latest technology in the production process;
• Procuring the best quality raw materials from well-established, sustainable suppliers at the best prices;
• Pricing products competitively; and
• Providing excellent after-sales support to customers.

5. Company structure
Ntsimbi Piping has the following main operating divisions, all based at its premises in Cape Town: 1. Marketing and Sales; 2. Purchasing; and 3. Manufacturing. The above-mentioned operating divisions are supported by the following support divisions, all based at the head office: 1. Accounting and Finance; 2.
Information technology; and 3. Human resources. A diagram of the company structure is presented in Figure 1.

Figure 1: Company structure of Ntsimbi Piping

6. Management and staff
Seven directors serve on Ntsimbi Piping’s board of directors. The names of these directors appear in note 6 on page 5 of the directors’ report in Ntsimbi Piping’s financial statements. The details of the three executive directors are set out in Table 1.

Table 1: Executive directors

| Name | Directorship | Qualifications | Age | Shareholding |
|---|---|---|---|---|
| Bongani Arnott | Managing director | PhD | 50 | 10% |
| Lee-Ann Losper | Financial director | MCom; CA(SA) | 38 | 10% |
| Saul Mkhize | Operations director | BEng; PrIng | 35 | 10% |

The board of directors meets every two months. You will also be introduced to the following staff members of Ntsimbi Piping in this text:

Figure 2: Ntsimbi Piping organogram

7. The manufacturing process
Ntsimbi Piping buys raw materials, such as PVC resin (which is supplied in powder form) and various additives and pigments, from its suppliers, and stores these in the raw materials warehouse until they are required in the manufacturing process. Once they are required in the manufacturing process, they are transferred to the manufacturing plant. The PVC product manufacturing process is demonstrated in Figure 3.

Figure 3: PVC product manufacturing process

Finished products are transferred from the manufacturing plant to the finished goods warehouse located on the same property.

8. Accounting systems
All accounting processes (recording, processing and reporting of transactions) take place centrally at Ntsimbi Piping’s head office. Ntsimbi Piping has been using the PVCACC off-the-shelf accounting package since the company’s incorporation. PVCACC was properly implemented and all teething problems that were experienced shortly after implementation have been resolved. Users of PVCACC receive proper training in the use of the system and any changes thereto.
Ntsimbi Piping uses, among other things, the following modules of the PVCACC system:
• General ledger;
• Sales, debtors and receipts (all sales take place on credit);
• Purchases, creditors and payments;
• Inventory (a process costing system is used for the costing of inventory);
• Payroll; and
• Fixed assets.

All computers in the head office and manufacturing plant are connected by means of a local area network. As Ntsimbi Piping has no branch network, no off-site access to the accounting system is required. The PVCACC package runs on a local server securely located in the head office building and connected to the local area network. Ntsimbi Piping pays its suppliers, other creditors and all staff by means of electronic funds transfers. You will learn much more about the business cycles of Ntsimbi Piping, including the embedded accounting processes and controls, when you read Chapters 6 to 10.

Figure 4: Ntsimbi Piping factory floor plan

9. Operational overview

9.1 The 20X1 financial year
Sales volumes in the PVC consumables market, which are traditionally linked to demand in the construction industry, continued to be under pressure. Nevertheless, Ntsimbi Piping managed to achieve a 31% growth in sales during 20X1, resulting in sales revenue of R128 million – a record for Ntsimbi Piping. This growth is backed not only by the demand arising from infrastructure and civil construction, but also a regional population that is characterised by the rapid growth of a middle class. This has created a demand for all products offered by Ntsimbi Piping. However, notwithstanding the strong growth in sales revenue, both operating profit and profit before tax only increased marginally from 20X0, primarily as a direct result of increased pressure on cost prices, resulting in a reduced gross profit margin.
Ntsimbi Piping continued its programme to invest in manufacturing plant modernisation, additional capacity and efficiency enhancements and in 20X1 invested in plant and machinery assets costing R7,2 million (20X0: R1,3 million). In real terms, the 20X1 financial year presented Ntsimbi Piping with major challenges arising from a broad base of economic and operational conditions. At the foundation of these lay depressed global and local economic conditions. These challenges are the following:
• Growth prospects for the South African economy remain uncertain and sales volumes are therefore likely to remain at their 20X1 levels for the foreseeable future;
• Increased competitor threats from new entrants into the market (although the market is still not very competitive);
• Increasing demands from customers for improved customer service levels;
• Industrial action;
• Operating in ever-changing emerging markets; and
• Health and safety of the workforce (toxic by-products are unavoidably created and additives are added in the PVC manufacturing process).

Management maintains a risk register in which all risks facing Ntsimbi Piping are described and classified on the basis of their potential impact on the business. The register also indicates the policies, procedures, controls and actions that management have in place to address each risk. An extract from this register appears in Figure 4.1 of Chapter 4.

9.2 Outlook
Many of the internal factors that restrained growth during 20X1 have been resolved, clearing the way for an incremental return to operational and financial strength, barring unforeseen events. Continued low economic growth, which impacts on manufacturing and civil construction spend in South Africa, remains a real concern and, as a result, the directors’ outlook remains cautiously optimistic. The directors are actively pursuing opportunities to expand into Africa and other international markets.

10.
Financial statements
Refer to the pages 1 to 24 of the financial statements that follow (on pages xxxii to lv).

The reports and statements set out below comprise the annual financial statements presented to the shareholders:

Index
Report of the Independent Auditors
Directors’ Responsibilities and Approval
Directors’ Report
Statement of Financial Position
Statement of Comprehensive Income
Statement of Changes in Equity
Statement of Cash Flows
Notes to the Annual Financial Statements

The following supplementary information does not form part of the annual financial statements and is unaudited:
Detailed Income Statement

The annual financial statements for the year ended 31 December 20X1 have been prepared under the supervision of Ms L Losper, the financial director of the company. The annual financial statements of Ntsimbi Piping Proprietary Limited have been audited in compliance with S30 of the Companies Act.

Page 1

Noland House | River Park River Lane | Mowbray Cape Town 7700 | South Africa T (+27) 21 658 6600 F (+27) 86 532 2556 www.nolands.co.za P O Box 2881 | Cape Town | 8000 South Africa

INDEPENDENT AUDITOR’S REPORT
To the shareholders of Ntsimbi Piping Proprietary Limited

Opinion
We have audited the financial statements of Ntsimbi Piping Proprietary Limited set out on pages 7 to 24, which comprise the Statement of Financial Position as at 31 December 20X1, and the Statement of Comprehensive Income, Statement of Changes in Equity and Statement of Cash Flows for the year then ended, and notes to the financial statements, including a summary of significant accounting policies. In our opinion, the accompanying financial statements present fairly, in all material respects, the financial position of Ntsimbi Piping Proprietary Limited as at 31 December 20X1, and its financial performance and its cash flows for the year then ended in accordance with International Financial Reporting Standards (IFRSs) and the requirements of the Companies Act of South Africa.
Basis for Opinion
We conducted our audit in accordance with International Standards on Auditing (ISAs). Our responsibilities under those standards are further described in the Auditor’s Responsibilities for the Audit of the Financial Statements section of our report. We are independent of the company in accordance with the Independent Regulatory Board for Auditors Code of Professional Conduct for Registered Auditors (IRBA Code), together with the ethical requirements that are relevant to our audit of the financial statements in South Africa. We have fulfilled our other ethical responsibilities in accordance with these requirements and the IRBA Code. The IRBA Code is consistent with the International Ethics Standards Board for Accountants Code of Ethics for Professional Accountants (Parts A and B). We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our opinion.

Other Information
The directors are responsible for the other information. The other information comprises the Directors’ Responsibilities and Approval on page 4, the Directors’ Report as required by the Companies Act of South Africa on pages 5–6, and the Detailed Income Statement on pages 25 to 26. The other information does not include the financial statements and our auditor’s report thereon. Our opinion on the financial statements does not cover the other information and we do not express an audit opinion or any form of assurance conclusion thereon. In connection with our audit of the financial statements, our responsibility is to read the other information and, in doing so, consider whether the other information is materially inconsistent with the financial statements or our knowledge obtained in the audit or otherwise appears to be materially misstated. If, based on the work we have performed, we conclude that there is a material misstatement of this other information, we are required to report the fact. We have nothing to report in this regard.
Responsibilities of the Directors for the Financial Statements
The company’s directors are responsible for the preparation and fair presentation of the financial statements in accordance with IFRSs and the requirements of the Companies Act of South Africa, and for such internal control as the directors determine is necessary to enable the preparation of financial statements that are free from material misstatement, whether due to fraud or error. In preparing the financial statements, the directors are responsible for assessing the company’s ability to continue as a going concern, disclosing, as applicable, matters related to going concern and using the going concern basis of accounting unless the directors either intend to liquidate the company or to cease operations, or have no realistic alternative but to do so.

Page 2

Auditor’s Responsibilities for the Audit of the Financial Statements
Our objectives are to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, and to issue an auditor’s report that includes our opinion. Reasonable assurance is a high level of assurance, but is not a guarantee that an audit conducted in accordance with ISAs will always detect a material misstatement when it exists. Misstatements can arise from fraud or error and are considered material if, individually or in the aggregate, they could reasonably be expected to influence the economic decisions of users taken on the basis of these financial statements. As part of an audit in accordance with ISAs, we exercise professional judgement and maintain professional scepticism throughout the audit. We also:
• Identify and assess the risks of material misstatement of the financial statements, whether due to fraud or error, design and perform audit procedures responsive to those risks, and obtain audit evidence that is sufficient and appropriate to provide a basis for our opinion.
The risk of not detecting a material misstatement resulting from fraud is higher than for one resulting from error, as fraud may involve collusion, forgery, intentional omissions, misrepresentations, or the override of internal control.
• Obtain an understanding of internal control relevant to the audit in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the company’s internal control.
• Evaluate the appropriateness of accounting policies used and the reasonableness of accounting estimates and related disclosures made by management.
• Conclude on the appropriateness of directors’ use of the going concern basis of accounting and, based on the audit evidence obtained, whether a material uncertainty exists related to events or conditions that may cast significant doubt on the company’s ability to continue as a going concern. If we conclude that a material uncertainty exists, we are required to draw attention in our auditor’s report to the related disclosures in the financial statements or, if such disclosures are inadequate, to modify our opinion. Our conclusions are based on the audit evidence obtained up to the date of our auditor’s report. However, future events or conditions may cause the company to cease to continue as a going concern.
• Evaluate the overall presentation, structure and content of the financial statements, including the disclosures, and whether the financial statements represent the underlying transactions and events in a manner that achieves fair presentation.

We communicate with the directors, among other matters, the planned scope and timing of the audit and significant audit findings, including any significant deficiencies in internal control that we identify during our audit.
We also provide the directors with a statement that we have complied with relevant ethical requirements regarding independence, and to communicate with them all relationships and other matters that may reasonably be thought to bear on our independence, and where applicable, related safeguards.

The engagement partner on the audit resulting in this independent auditor’s report is Craig Stansfield.

Nolands Inc.
Practice number 900583e
Craig Stansfield CA(SA), RA
Director
26 June 20X2
Cape Town

Page 3

Director’s Responsibilities and Approval
The directors are required by the Companies Act of South Africa to maintain adequate accounting records and are responsible for the content and integrity of the annual financial statements and related financial information included in this report. It is their responsibility to ensure that the annual financial statements fairly present the state of affairs of the company as at the end of the financial year and the results of its operations and cash flows for the period then ended, in conformity with International Financial Reporting Standards and the Companies Act of South Africa. The external auditors are engaged to express an independent opinion on the annual financial statements. The annual financial statements are prepared in accordance with International Financial Reporting Standards and the Companies Act of South Africa and are based upon appropriate accounting policies consistently applied and supported by reasonable and prudent judgements and estimates. The directors acknowledge that they are ultimately responsible for the system of internal financial control established by the company and place considerable importance on maintaining a strong control environment. To enable the directors to meet these responsibilities, the directors set standards for internal control aimed at reducing the risk of error or loss in a cost-effective manner.
Those standards include the proper delegation of responsibilities within a clearly defined framework, effective accounting procedures and adequate segregation of duties to ensure an acceptable level of risk. These controls are monitored throughout the company and all employees are required to maintain the highest ethical standards in ensuring the company’s business is conducted in a manner that in all reasonable circumstances is above reproach. The focus of risk management in the company is on identifying, assessing, managing and monitoring all known forms of risk across the company. While operating risk cannot be fully eliminated, the company endeavours to minimise it by ensuring that the appropriate infrastructure, controls, systems and ethical behaviour are applied and managed within predetermined procedures and constraints. The directors are of the opinion, based on the information and explanations given by management, that the system of internal control provides reasonable assurance that the financial records may be relied on for the preparation of the annual financial statements. However, any system of internal financial control can provide only reasonable, and not absolute, assurance against material misstatement or loss. The external auditors are responsible for independently auditing and reporting on the company’s annual financial statements. The annual financial statements have been examined by the company’s external auditors and their report is presented on pages 2 and 3. The annual financial statements set out on pages 5 to 24, which have been prepared on the going concern basis, were approved by the directors and were signed on their behalf by:

B Arnott
Managing Director
Cape Town
26 June 20X2

Page 4

NTSIMBI PIPING PROPRIETARY LIMITED
ANNUAL FINANCIAL STATEMENTS FOR THE YEAR ENDED 31 DECEMBER 20X1

DIRECTORS’ REPORT
The directors submit their report for the year ended 31 December 20X1.

1.
Main business and operations The company is engaged in the manufacturing of PVC products of all descriptions. The operating results and state of affairs of the company are fully set out in the attached annual nancial statements and do not in the directors’ opinion require any further comment. 2. Going concern The annual nancial statements have been prepared on the basis of accounting policies applicable to a going concern. This basis presumes that funds will be available to nance future operations and that the realisation of assets and settlement of liabilities, contingent obligations and commitments will occur in the ordinary course of business. 3. Events subsequent to the reporting date The directors are not aware of any matter or circumstance of a material nature arising since the end of the nancial year. 4. Authorised and issued share capital There were no changes in the authorised or issued share capital of the company during the year under review. 5. Dividends No dividends were declared or paid to the shareholders during the year. 6. Directors The directors of the company during the year and at the date of this report are as follows: Name B Arnott CA(SA) (executive) M McDonald CA(SA) K Khaudi L Losper (executive) S Mkhize (executive) A Mehra D Gcina 7. Auditors Nolands Inc. will continue in of ce in accordance with section 90 of the Companies Act. 8. Parent The company’s parent is Ntsimbi Piping Investments Proprietary Limited, which is incorporated in South Africa. 9. Property, plant and equipment There have been no major changes in the property, plant and equipment of the company during the year under review, other than those re ected in the attached annual nancial statements. Page 5 10. Domicile and registered address Ntsimbi Piping Proprietary Limited is a company domiciled and incorporated in South Africa. The company’s registered address is 14 Acacia Way, Epping Industria, Cape Town, 7400. 
Page 6

NTSIMBI PIPING PROPRIETARY LIMITED
ANNUAL FINANCIAL STATEMENTS FOR THE YEAR ENDED 31 DECEMBER 20X1
STATEMENT OF FINANCIAL POSITION AT 31 DECEMBER 20X1

| Figures in Rand | Note(s) | 20X1 | 20X0 |
|---|---|---|---|
| ASSETS | | | |
| NON-CURRENT ASSETS | | | |
| Property, plant and equipment | 2 | 43,169,987 | 38,095,119 |
| Intangible assets | 3 | 28,608 | 48,768 |
| TOTAL NON-CURRENT ASSETS | | 43,198,595 | 38,143,887 |
| CURRENT ASSETS | | | |
| Inventories | 4 | 9,326,597 | 9,806,864 |
| Trade and other receivables | 5 | 17,241,701 | 14,862,673 |
| Loans receivable | 6 | 31,439 | 31,439 |
| Cash and cash equivalents | 7 | 21,583 | 1,549,097 |
| TOTAL CURRENT ASSETS | | 26,621,320 | 26,250,073 |
| TOTAL ASSETS | | 69,819,915 | 64,393,960 |
| EQUITY AND LIABILITIES | | | |
| EQUITY | | | |
| Share capital | 8 | 100 | 100 |
| Retained earnings | | 37,157,694 | 35,017,452 |
| TOTAL EQUITY | | 37,157,794 | 35,017,552 |
| LIABILITIES | | | |
| NON-CURRENT LIABILITIES | | | |
| Lease liabilities | 9 | 1,395,944 | 428,876 |
| Deferred taxation | 10 | 3,924,488 | 3,343,928 |
| TOTAL NON-CURRENT LIABILITIES | | 5,320,432 | 3,772,804 |
| CURRENT LIABILITIES | | | |
| Trade and other payables | 11 | 13,381,893 | 7,610,462 |
| Current tax payable | | 48,741 | – |
| Amounts owing to parent | 12 | 9,888,715 | 17,918,445 |
| Bank overdraft | 7 | 4,022,340 | 74,697 |
| TOTAL CURRENT LIABILITIES | | 27,341,689 | 25,603,604 |
| TOTAL LIABILITIES | | 32,662,121 | 29,376,408 |
| TOTAL EQUITY AND LIABILITIES | | 69,819,915 | 64,393,960 |

Page 7

NTSIMBI PIPING PROPRIETARY LIMITED
ANNUAL FINANCIAL STATEMENTS FOR THE YEAR ENDED 31 DECEMBER 20X1
STATEMENT OF COMPREHENSIVE INCOME FOR THE YEAR ENDED 31 DECEMBER 20X1

| Figures in Rand | Note(s) | 20X1 | 20X0 |
|---|---|---|---|
| Revenue | 13 | 128,320,126 | 97,802,148 |
| Cost of sales | | (105,274,615) | (76,863,054) |
| Gross profit | | 23,045,511 | 20,939,094 |
| Other income | | 500,395 | 279,079 |
| Operating expenses | | (20,333,439) | (17,735,073) |
| Operating profit | 14 | 3,212,467 | 3,483,100 |
| Investment income | 15 | 214,580 | 16,358 |
| Finance costs | 16 | (505,737) | (509,033) |
| Profit before taxation | | 2,921,310 | 2,990,425 |
| Taxation | 17 | (781,068) | (949,171) |
| Profit for the year | | 2,140,242 | 2,041,254 |
| Other comprehensive income | | – | – |
| Total comprehensive income for the year | | 2,140,242 | 2,041,254 |

Page 8

NTSIMBI PIPING PROPRIETARY LIMITED
ANNUAL FINANCIAL STATEMENTS FOR THE YEAR ENDED 31 DECEMBER 20X1
STATEMENT OF CHANGES IN EQUITY FOR THE YEAR ENDED 31 DECEMBER 20X1

| Figures in Rand | Share capital | Retained earnings | Total equity |
|---|---|---|---|
| Balance at 01 January 20X0 | 100 | 32,976,198 | 32,976,298 |
| Total comprehensive income for the year | | | |
| Profit or loss | – | 2,041,254 | 2,041,254 |
| Other comprehensive income | – | – | – |
| Balance at 01 January 20X1 | 100 | 35,017,452 | 35,017,552 |
| Total comprehensive income for the year | | | |
| Profit or loss | – | 2,140,242 | 2,140,242 |
| Other comprehensive income | – | – | – |
| Balance at 31 December 20X1 | 100 | 37,157,694 | 37,157,794 |

Page 9

NTSIMBI PIPING PROPRIETARY LIMITED
ANNUAL FINANCIAL STATEMENTS FOR THE YEAR ENDED 31 DECEMBER 20X1
STATEMENT OF CASH FLOWS FOR THE YEAR ENDED 31 DECEMBER 20X1

| Figures in Rand | Note(s) | 20X1 | 20X0 |
|---|---|---|---|
| Cash flows from operating activities | | | |
| Cash receipts from customers | | 125,892,357 | 95,802,148 |
| Cash paid to suppliers and employees | | (116,937,468) | (96,947,175) |
| Cash generated from/(used in) operations | | 8,954,889 | (1,145,027) |
| Interest income received | | 214,580 | 16,358 |
| Finance costs paid | | (505,737) | (509,033) |
| Taxation paid | | (151,767) | – |
| Net cash from operating activities | | 8,511,965 | (1,637,702) |
| Cash flows from investing activities | | | |
| Additions to property, plant and equipment | 2 | (4,398,237) | (1,553,810) |
| Proceeds on disposal of property, plant and equipment | 2 | 23,059 | – |
| Additions to intangible assets | 3 | – | (60,478) |
| Net cash from investing activities | | (4,375,178) | (1,614,288) |
| Cash flows from financing activities | | | |
| Repayment of lease liabilities | | (1,582,214) | (901,635) |
| Net movement in amounts owing to parent | | (8,029,730) | 4,730,935 |
| Net cash from financing activities | | (9,611,944) | 3,829,300 |
| Net cash movement for the year | | (5,475,157) | 577,310 |
| Cash and cash equivalents at the beginning of the year | | 1,474,400 | 897,090 |
| Total cash and cash equivalents at the end of the year | 7 | (4,000,757) | 1,474,400 |

Page 10

NTSIMBI PIPING PROPRIETARY LIMITED
ANNUAL FINANCIAL STATEMENTS FOR THE YEAR ENDED 31 DECEMBER 20X1
NOTES TO THE ANNUAL FINANCIAL STATEMENTS FOR THE YEAR ENDED 31 DECEMBER 20X1

1. Presentation of Annual Financial Statements and Accounting Policies

The annual financial statements have been prepared in accordance with International Financial Reporting Standards and the Companies Act of South Africa. The functional and presentation currency of the company is RSA Rands. The annual financial statements have been prepared on the historical cost basis and incorporate the principal accounting policies set out below. These accounting policies are consistent with the previous period.

1.1 Significant judgements and sources of estimation uncertainty

The key assumptions concerning the future and other key sources of information uncertainty at the reporting date that have significant risk of causing a material adjustment to the carrying amount of assets and liabilities within the next financial period are set out as follows:

Useful lives of property, plant and equipment
As detailed in accounting policy note 1.3, the useful lives of property, plant and equipment are reviewed on an annual basis. During the current year, the useful lives of certain assets were revised as they are to be in active use for a period longer/shorter than originally estimated. The financial effect of this reassessment is immaterial.

Recognition of deferred tax assets
As detailed in accounting policy note 1.6, deferred tax assets are only recognised to the extent that it is probable that taxable profit will be available against which the deductible temporary difference can be used. At both 31 December 20X0 and 20X1, based on projections done, it was estimated that future taxable profit will be available and therefore all deferred tax assets were recognised.

Contingent liabilities
As detailed in note 23, a contingent liability exists at year-end. Uncertainty as to whether a present obligation exists was taken into account in its accounting treatment.
Net realisable value of inventory
As detailed in note 4, the net realisable value of inventory was management’s best estimate of this amount, and was based on historic sales trends, as well as the quality and volume of inventory at hand at year-end.

Impairment of financial assets
As detailed in accounting policy note 1.5, financial assets carried at amortised cost are reviewed for possible impairment using the expected loss model in IFRS 9. This entails significant judgements and uncertainties regarding whether there has been a significant increase in credit risk, and the expected future cash flows to be received. The company bases its estimates in this regard on historic trends and forward-looking information.

1.2 Adoption of new Standards

Standards and Interpretations affecting amounts reported in the current period and/or prior periods
The following Standards and Interpretations were applied for the first time in the annual financial statements for the year ended 31 December 20X1:
IFRS X (Company provides description of IFRS and its effect on current annual financial statements)

Standards and Interpretations in issue but not yet effective
The following Standards and Interpretations have been issued but are not yet effective as at 31 December 20X1:
IFRS X (Company provides description of IFRS and its expected effect on future annual financial statements).

Page 11

1.3 Property, plant and equipment

Property, plant and equipment is initially measured at cost. Cost includes costs incurred initially to acquire or construct an item of property, plant and equipment and costs incurred subsequently to add to, replace part of, or service it. If a replacement cost is recognised in the carrying amount of an item of property, plant and equipment, the carrying amount of the replaced part is derecognised.

Apart from land, property, plant and equipment are depreciated on the straight-line basis over their expected useful lives to their estimated residual value. Land is not depreciated.
Each part of an item of property, plant and equipment with a cost that is significant in relation to the total cost of the item is depreciated separately. The depreciation charge for each period is recognised in profit or loss unless it is included in the carrying amount of another asset. Property, plant and equipment are carried at cost less accumulated depreciation and any impairment losses.

The useful lives of items of property, plant and equipment have been assessed as follows:

| Item | Average useful life |
|---|---|
| Land | Indefinite |
| Buildings | 20–50 years |
| Plant and machinery | 5–20 years |
| Furniture and fittings | 6 years |
| Motor vehicles | 3–5 years |
| Office equipment | 5 years |
| Computer equipment | 3 years |

The residual value, useful life and depreciation method of each asset are reviewed at the end of each reporting period. If the expectations differ from previous estimates, the change is accounted for as a change in accounting estimate.

The gain or loss arising from the derecognition of an item of property, plant and equipment is included in profit or loss when the item is derecognised. The gain or loss arising from the derecognition of an item of property, plant and equipment is determined as the difference between the net disposal proceeds, if any, and the carrying amount of the item.

1.4 Intangible assets

Intangible assets are initially recognised at cost. Intangible assets are carried at cost less any accumulated amortisation and any impairment losses. An intangible asset is regarded as having an indefinite useful life when, based on all relevant factors, there is no foreseeable limit to the period over which the asset is expected to generate net cash inflows. Amortisation is not provided for these intangible assets. For all other intangible assets, amortisation is provided on a straight-line basis over their useful life. The amortisation period and the amortisation method for intangible assets are reviewed every period-end.
Amortisation is provided to write down the intangible assets, on a straight-line basis, to their residual values as follows:

| Item | Useful life |
|---|---|
| Computer software | 3 years |

Page 12

1.5 Financial instruments

Initial recognition
The company classifies financial instruments, or their component parts, on initial recognition as a financial asset, a financial liability or an equity instrument in accordance with the substance of the contractual arrangement. Financial assets and financial liabilities are recognised on the company’s Statement of Financial Position when the company becomes party to the contractual provisions of the instrument. All financial assets and liabilities are initially recognised at fair value (with transaction costs capitalised if the instrument is subsequently carried at amortised cost). All financial assets and liabilities in the books of Ntsimbi Piping are subsequently carried at amortised cost.

Financial assets carried at amortised cost
Financial assets held within a business model to collect the contractual cash flows associated with them, and of which the contractual cash flows are only interest and capital repayments, are carried at amortised cost. Such assets include trade and other receivables, loans receivable as well as cash and cash equivalents (if assets). Loans that are interest-free and have no fixed date of repayment are seen as repayable on demand and are thus measured subsequently at the amount repayable on demand (undiscounted).

All financial assets carried at amortised cost are tested for impairment annually using the expected loss model in IFRS 9. The company provides an allowance for credit losses equal to the present value of the lifetime expected credit losses when an asset has experienced a significant increase in credit risk since initial recognition, or equal to only the next 12 months’ expected credit losses when there has not been a significant increase in credit risk.
Trade receivables, which generally have 30-day settlement terms, are subject to a simplified method of calculating the allowance, and the company thus always provides for lifetime expected credit losses. The carrying amount of the asset is reduced through the use of an allowance account, and the net movement in the account is recognised in profit or loss for the period. Bad debts are written off in the profit or loss when it is considered that the company will be unable to recover the debt. Subsequent recoveries of amounts previously written off are credited to a bad debts recovered account.

Financial liabilities carried at amortised cost
Such items include lease liabilities, trade and other payables and amounts owing to the parent. Trade payables are primarily settled on 30-day terms. Liabilities that are interest-free and have no fixed date of repayment are seen as repayable on demand and are thus measured subsequently at the amount repayable on demand (undiscounted).

1.6 Taxation

Current tax assets and liabilities
Current tax for current and prior periods is, to the extent unpaid, recognised as a liability. If the amount already paid in respect of current and prior periods exceeds the amount due for those periods, the excess is recognised as an asset. Current tax liabilities and assets for the current and prior periods are measured at the amount expected to be paid to or recovered from the tax authorities, using the taxation rates that have been enacted or substantively enacted by the reporting date.

Deferred tax assets and liabilities
A deferred taxation asset/liability is recognised for all taxable temporary differences, except to the extent that the deferred tax asset/liability arises from the initial recognition of an asset or liability in a transaction that at the time of the transaction affects neither accounting profit nor taxable profit/loss.
Page 13

A deferred tax asset is recognised for all deductible temporary differences to the extent that it is probable that taxable profit will be available and against which the deductible temporary difference can be used. Deferred tax assets and liabilities are measured at the tax rates that are expected to apply to the period when the asset is realised or the liability is settled, based on tax rates that have been enacted or substantively enacted by the reporting date.

Tax expenses
Current and deferred taxes are recognised as income or an expense and included in profit or loss for the period, except to the extent that the tax arises from:
• A transaction or event that is recognised in the same or different period from other comprehensive income;
• A transaction or event that is recognised, in the same or a different period, directly in equity; or
• A business combination.

1.7 Leases

A lease (in which the company is the lessee) is accounted for under the general approach specified in IFRS 16. The right-of-use asset is capitalised with an accompanying lease liability being recognised. The right-of-use asset is disclosed and accounted for together with the class of property, plant and equipment to which it pertains (refer note 1.3), while the lease liability is carried at amortised cost.

1.8 Inventories

Inventories are measured at the lower of average cost and net realisable value. Net realisable value is the estimated selling price in the ordinary course of business less the estimated costs of completion and the estimated costs necessary to make the sale. The cost of inventories comprises all costs of purchase, costs of conversion and other costs incurred in bringing the inventories to their present location and condition. When inventories are sold, the carrying amount of those inventories is recognised as an expense in the period in which the related revenue is recognised.
The amount of any write-down of inventories to net realisable value and all losses of inventories are recognised as an expense in the period in which the write-down or loss occurs.

1.9 Impairment of assets

At each reporting date an assessment is made whether there is any indication that a non-financial asset may be impaired. If any such indication exists, the company estimates the recoverable amount of the asset. If there is any indication that an asset may be impaired, the recoverable amount is estimated for the individual asset. If it is not possible to estimate the recoverable amount of the individual asset, the recoverable amount of the cash-generating unit to which the asset belongs is determined. The recoverable amount of an asset or a cash-generating unit is the higher of its fair value less costs to sell and its value in use. If the recoverable amount of an asset is less than its carrying amount, the carrying amount of the asset is reduced to its recoverable amount. Such reduction is recognised as an impairment loss.

1.10 Share capital and equity

An equity instrument is any contract that evidences a residual interest in the assets of an entity after deducting all of its liabilities.

Page 14

1.11 Revenue

Revenue from the sale of goods is recognised (under IFRS 15) when the performance obligations relating to the sale (i.e. delivery and accompanying transferral of control of the goods) have been satisfied. Revenue is measured at the fair value of the consideration received or receivable and represents the amounts receivable for goods and services provided in the normal course of business, net of trade discounts and volume rebates, and value-added tax.

1.12 Borrowing costs

Borrowing costs are recognised as an expense in the period in which they are incurred.

Figures in Rand

2. Property, plant and equipment

| | 20X1 Cost | 20X1 Accumulated depreciation | 20X1 Carrying value | 20X0 Cost | 20X0 Accumulated depreciation | 20X0 Carrying value |
|---|---|---|---|---|---|---|
| Land and buildings | 22,440,000 | (960,000) | 21,480,000 | 22,440,000 | (710,000) | 21,730,000 |
| Plant and machinery: Owned | 22,046,529 | (6,423,354) | 15,623,175 | 17,994,280 | (5,335,606) | 12,658,674 |
| Plant and machinery: Right-of-use assets | 7,350,000 | (2,492,037) | 4,857,963 | 4,464,011 | (2,066,202) | 2,397,809 |
| Furniture and fittings | 124,761 | (78,532) | 46,229 | 99,758 | (63,965) | 35,793 |
| Motor vehicles | 1,752,284 | (685,325) | 1,066,959 | 1,752,284 | (598,658) | 1,153,626 |
| Office equipment | 125,550 | (99,069) | 26,481 | 125,550 | (82,167) | 43,383 |
| Computer equipment | 316,174 | (246,994) | 69,180 | 249,928 | (174,094) | 75,834 |
| Total | 54,155,298 | (10,985,311) | 43,169,987 | 47,125,811 | (9,030,692) | 38,095,119 |

Reconciliation of property, plant and equipment – 20X1

| | Opening balance | Additions | Disposals | Depreciation | Closing balance |
|---|---|---|---|---|---|
| Land and buildings | 21,730,000 | – | – | (250,000) | 21,480,000 |
| Plant and machinery: Owned | 12,658,674 | 4,306,989 | (64,985) | (1,277,503) | 15,623,175 |
| Plant and machinery: Right-of-use assets | 2,397,809 | 2,885,989 | – | (425,835) | 4,857,963 |
| Furniture and fittings | 35,793 | 25,002 | – | (14,566) | 46,229 |
| Motor vehicles | 1,153,626 | – | – | (86,667) | 1,066,959 |
| Office equipment | 43,383 | – | – | (16,902) | 26,481 |
| Computer equipment | 75,834 | 66,246 | – | (72,900) | 69,180 |
| | 38,095,119 | 7,284,226 | (64,985) | (2,144,373) | 43,169,987 |

Page 15

Reconciliation of property, plant and equipment – 20X0

| | Opening balance | Additions | Depreciation | Closing balance |
|---|---|---|---|---|
| Land and buildings | 21,980,000 | – | (250,000) | 21,730,000 |
| Plant and machinery: Owned | 12,317,854 | 1,311,065 | (970,245) | 12,658,674 |
| Plant and machinery: Right-of-use assets | 2,559,516 | – | (161,707) | 2,397,809 |
| Furniture and fittings | 39,312 | 8,524 | (12,043) | 35,793 |
| Motor vehicles | 1,095,378 | 196,591 | (138,343) | 1,153,626 |
| Office equipment | 33,547 | 26,695 | (16,859) | 43,383 |
| Computer equipment | 127,676 | 10,935 | (62,777) | 75,834 |
| | 38,153,283 | 1,553,810 | (1,611,974) | 38,095,119 |

Carrying value of assets pledged as security (refer to note 9):

| | 20X1 | 20X0 |
|---|---|---|
| Plant and machinery | 4,857,963 | 2,397,809 |

3. Intangible assets

| | 20X1 Cost | 20X1 Accumulated amortisation | 20X1 Carrying value | 20X0 Cost | 20X0 Accumulated amortisation | 20X0 Carrying value |
|---|---|---|---|---|---|---|
| Computer software | 76,249 | (47,641) | 28,608 | 76,249 | (27,481) | 48,768 |

Reconciliation of intangible assets – 20X1

| | Opening balance | Amortisation | Total |
|---|---|---|---|
| Computer software | 48,768 | (20,160) | 28,608 |

Reconciliation of intangible assets – 20X0

| | Opening balance | Additions | Amortisation | Total |
|---|---|---|---|---|
| Computer software | 7,885 | 60,478 | (19,595) | 48,768 |

4. Inventories

| | 20X1 | 20X0 |
|---|---|---|
| Raw materials | 1,479,780 | 4,972,000 |
| Finished goods | 7,846,817 | 4,834,864 |
| | 9,326,597 | 9,806,864 |

Page 16

5. Trade and other receivables

| | 20X1 | 20X0 |
|---|---|---|
| Trade receivables (after allowance for credit losses) | 17,203,023 | 14,855,273 |
| Other receivables (no allowance for credit losses) | 38,678 | 7,400 |
| | 17,241,701 | 14,862,673 |
| Trade receivables | | |
| Gross trade receivables | 18,722,865 | 15,264,073 |
| Allowance for credit losses | (1,519,842) | (408,800) |
| Net trade receivables | 17,203,023 | 14,855,273 |
| Movement in the allowance for credit losses: lifetime expected credit losses for trade receivables without significant financing components | | |
| Opening balance | 408,800 | 253,359 |
| Net movement in allowance for credit losses | 1,111,042 | 155,441 |
| Closing balance | 1,519,842 | 408,800 |

Interest is charged on outstanding accounts at the South African prime lending rate. Interest on outstanding accounts is waived at the discretion of the directors.
Analysis of the credit rating grades of the trade receivables, showing their ageing (based on gross carrying values)

| 20X1 | Total | Not yet due | Between 0 and 30 days overdue | Between 31 and 90 days overdue | More than 90 days overdue |
|---|---|---|---|---|---|
| AA-rated | 16,622,851 | 12,420,663 | 3,494,256 | 552,959 | 154,973 |
| BB-rated | 2,100,014 | 850,879 | 520,562 | 420,570 | 308,003 |
| | 18,722,865 | 13,271,542 | 4,014,818 | 973,529 | 462,976 |

| 20X0 | Total | Not yet due | Between 0 and 30 days overdue | Between 30 and 90 days overdue | More than 90 days overdue |
|---|---|---|---|---|---|
| AA-rated | 13,278,255 | 10,576,877 | 2,500,714 | 171,664 | 29,000 |
| BB-rated | 1,985,818 | 1,143,702 | 511,000 | 171,665 | 159,451 |
| | 15,264,073 | 11,720,579 | 3,011,714 | 343,329 | 188,451 |

6. Loans receivable

| | 20X1 | 20X0 |
|---|---|---|
| Unsecured loan | 31,439 | 31,439 |

The loan is interest free and has no fixed date of repayment. It is therefore treated as repayable on demand. No allowance for credit losses was created.

Page 17

7. Cash and cash equivalents

| | 20X1 | 20X0 |
|---|---|---|
| Cash and cash equivalents consist of: | | |
| Cash on hand | 10,216 | 5,862 |
| Bank balances | 11,367 | 1,543,235 |
| Bank overdraft | (4,022,340) | (74,697) |
| | (4,000,757) | 1,474,400 |
| Current assets | 21,583 | 1,549,097 |
| Current liabilities | (4,022,340) | (74,697) |
| | (4,000,757) | 1,474,400 |

The banking facilities of the company are secured as follows:
• Limited letter of suretyship amounting to R4,500,000 by the parent.
• Cession of the company’s book debts.
• Cession of certain of the company’s debtor insurance policies.

8. Share capital

| | 20X1 | 20X0 |
|---|---|---|
| Authorised | | |
| 1,000 Ordinary shares | 1,000 | 1,000 |
| Issued | | |
| 100 Ordinary shares | 100 | 100 |

All the unissued shares are under the control of the directors until the forthcoming annual general meeting. Each of the three executive directors (Bongani Arnott, Lee-Ann Losper and Saul Mkhize) holds 10 of the issued ordinary shares.

9. Lease liabilities

| | 20X1 | 20X0 |
|---|---|---|
| Lease liabilities under instalment sale agreements bear interest at varying rates and are repayable in monthly instalments of R187,851 (20X0: R94,833), inclusive of interest. Secured by the right-of-use assets disclosed in note 2. The interest expense relating to the lease liabilities is disclosed in note 16. | 3,478,157 | 2,174,382 |
| Less: Current portion included in trade and other payables | (2,082,213) | (1,745,506) |
| | 1,395,944 | 428,876 |
| Maturity analysis of undiscounted cash flows due relating to the instalment sale agreements | | |
| Payable within one year | 2,112,225 | 1,885,621 |
| Payable between one and five years | 1,859,326 | 568,741 |
| Total amounts payable in future (undiscounted) | 3,971,551 | 2,454,362 |
| Cash flows associated with leases | | |
| Presented under financing activities | | |
| Cash payments for capital portion of lease liability | 1,582,214 | 901,635 |
| Presented under operating activities | | |
| Cash payments for interest portion of lease liability | 306,814 | 237,257 |

Page 18

10. Deferred taxation

| | 20X1 | 20X0 |
|---|---|---|
| Deferred tax asset/(liability) related to the following temporary differences: | | |
| Trade and other receivables | 356,525 | 30,290 |
| Property, plant and equipment | (4,281,013) | (3,584,845) |
| Tax losses | – | 210,627 |
| Net deferred tax liability shown on statement of financial position | (3,924,488) | (3,343,928) |
| Reconciliation of deferred tax liability | | |
| Opening balance | (3,343,928) | (2,394,757) |
| Recognised in profit or loss | (580,560) | (949,171) |
| Closing balance | (3,924,488) | (3,343,928) |

11. Trade and other payables

| | 20X1 | 20X0 |
|---|---|---|
| Trade payables | 10,108,207 | 4,767,293 |
| Current portion of lease liabilities | 2,082,213 | 1,745,506 |
| Other payables | 1,191,473 | 1,097,663 |
| | 13,381,893 | 7,610,462 |

12. Amounts owing to parent

| | 20X1 | 20X0 |
|---|---|---|
| Amount owed to parent on loan account | 4,309,058 | 3,290,319 |
| Amounts owed to parent on current account | 5,579,657 | 14,628,126 |
| | 9,888,715 | 17,918,445 |

The loan is unsecured, bears interest at varying rates and has no fixed date of repayment (it is deemed to be repayable on demand). The current account is interest free and is repayable on demand.

13. Revenue

| | 20X1 | 20X0 |
|---|---|---|
| Sale of PVC goods: wholesale in South Africa | 108,120,100 | 80,800,108 |
| Sale of PVC goods: through business partners to African market | 20,200,026 | 17,002,040 |
| | 128,320,126 | 97,802,148 |

14. Operating profit

Operating profit for the year is stated after accounting for the following:

| | 20X1 | 20X0 |
|---|---|---|
| Administration fees paid | 416,979 | 189,141 |
| Amortisation of intangible assets | 20,160 | 19,595 |
| Depreciation on property, plant and equipment | 2,144,373 | 1,611,974 |
| Electricity and water | 2,671,303 | 1,874,252 |
| Employee costs | 7,392,144 | 6,672,819 |
| Increase in allowance for credit losses | 1,111,042 | 155,441 |
| Inventory write-downs | 1,210,557 | 792,317 |
| Legal expenses | 196,780 | 403,640 |
| Loss on disposal of property, plant and equipment | 41,926 | – |
| Motor vehicle and travelling expenses | 700,106 | 624,262 |
| Repairs and maintenance | 1,766,620 | 2,268,055 |

Page 19

15. Investment income

| | 20X1 | 20X0 |
|---|---|---|
| Interest received | | |
| Bank balances | 11,357 | 1,881 |
| Trade receivables | 191,476 | – |
| Other | 11,747 | 14,477 |
| | 214,580 | 16,358 |

16. Finance costs

| | 20X1 | 20X0 |
|---|---|---|
| Bank overdraft | 198,495 | 261,976 |
| Lease liabilities | 306,814 | 237,257 |
| Other | 428 | 9,800 |
| | 505,737 | 509,033 |

17. Taxation

| | 20X1 | 20X0 |
|---|---|---|
| Major components of the tax expense | | |
| Current | | |
| Local income tax - current period | 200,508 | – |
| Deferred | | |
| Movement in profit or loss | 580,560 | 949,171 |
| | 781,068 | 949,171 |
| Reconciliation between applicable tax rate and average effective tax rate | | |
| Applicable statutory tax rate | 28.00% | 28.00% |
| Non-deductible expenses | – | 3.74% |
| Exempt income | (1.26)% | – |
| Effective tax rate | 26.74% | 31.74% |

18. Auditors’ remuneration

| | 20X1 | 20X0 |
|---|---|---|
| Audit fees | 117,700 | 100,000 |
| Underprovision – prior years | 23,950 | 90,250 |
| | 141,650 | 190,250 |

19. Commitments

The company has provided a limited letter of suretyship amounting to R6,000,000 in favour of First National Bank for the obligations of its parent.

Page 20

20. Directors’ emoluments

| Short-term benefits | Salary | Contribution to pension fund | Total |
|---|---|---|---|
| 20X1 | | | |
| Bongani Arnott | 500,000 | 50,000 | 550,000 |
| Lee-Ann Losper | 450,000 | 45,000 | 495,000 |
| Saul Mkhize | 420,000 | 42,000 | 462,000 |
| Total | 1,370,000 | 137,000 | 1,507,000 |
| 20X0 | | | |
| Bongani Arnott | 480,000 | 48,000 | 528,000 |
| Lee-Ann Losper | 430,000 | 43,000 | 473,000 |
| Saul Mkhize | 400,000 | 40,000 | 440,000 |
| Total | 1,310,000 | 131,000 | 1,441,000 |

21. Related parties

The following are the transactions with related parties:

| | 20X1 | 20X0 |
|---|---|---|
| Administration fees paid | | |
| Parent | 48,000 | 48,000 |
| Purchases of goods and services | | |
| Parent | 46,815,311 | 29,660,359 |
| Fellow subsidiaries | 3,121,592 | 23,622 |
| Sales of goods and services | | |
| Parent | 7,382,846 | 6,469,229 |
| Fellow subsidiaries | 26,087,482 | 4,971,278 |

Further related party details are as follows:
Amounts owing to parent – refer note 12.
The only key management personnel are the executive directors. For their directors’ emoluments – refer note 20.

22. Risk management

Liquidity risk
The directors constantly monitor the liquidity of the company and actively manage the company’s cash resources so as to maintain sufficient working capital requirements. Liquidity risk is managed through the ongoing review of future commitments, credit facilities and cash resources.

The table on the following page analyses the company’s financial liabilities into relevant maturity groupings based on the remaining period at the reporting date to the contractual maturity date. The trade and other payables, current tax payable as well as bank overdraft are short-term and shown at their carrying amount, as the impact of discounting is not material. The lease liabilities are shown at their undiscounted (future cash flow) amounts. The amounts owing to parent are repayable on demand, and therefore shown as short-term, and at their carrying amount, as the impact of discounting is not material.
Page 21

| At 31 December 20X1 | Less than 1 year | Greater than 1 year but less than 5 years |
|---|---|---|
| Trade and other payables (excluding current portion of lease liabilities) | 11,299,680 | – |
| Current tax payable | 48,741 | – |
| Lease liabilities | 2,112,225 | 1,859,326 |
| Bank overdraft | 4,022,340 | – |
| Amounts owing to parent | 9,888,715 | – |

| At 31 December 20X0 | Less than 1 year | Greater than 1 year |
|---|---|---|
| Trade and other payables (excluding current portion of lease liabilities) | 5,864,956 | – |
| Lease liabilities | 1,885,621 | 568,741 |
| Bank overdraft | 74,697 | – |
| Amounts owing to parent | 17,918,445 | – |

Capital risk management
The company’s objective of capital management is to maximise shareholder value and maintain healthy capital ratios in order to sustain its business. There were no changes made in the objectives, policies or processes from the prior year. The company is not subject to any externally imposed capital requirements.

Interest rate risk
The company’s interest rate risk arises primarily from cash and cash equivalents and lease liabilities, which bear interest at variable rates and expose the company to cash flow interest rate risk. The company’s cash and cash equivalents are reviewed on a periodic basis to ensure that the best possible return is being obtained. If interest rates had been 1% lower/higher during the year under review, and all other variables remained constant, the company’s pre-tax profit for the year would have been R32,351 (20X0: R78,301) lower/higher.

Foreign exchange risk
The company imports some of its raw materials, which are invoiced in Australian dollar and New Zealand dollar. All purchases in foreign currency are settled immediately to minimise exposure to changes in exchange rates. (All sales are invoiced in South African Rands.) The company monitors the Rand/Dollar exchange rates and hedges itself by taking out over-the-counter forward contracts if necessary. No such contracts were entered into during the current or prior financial year.
If exchange rates had been 10% lower/higher during the year under review, and all other variables remained constant, the company’s pre-tax profit for the year would have been R182,351 (20X0: R201,301) lower/higher.

Credit risk
Credit risk is concentrated principally in trade receivables as well as cash and cash equivalents.

Page 22

Trade receivables
Managing credit risk on trade receivables: Before accepting any new credit customer, the company uses an external party to assess the potential customer’s credit quality (only AA- and BB-rated clients are accepted) and defines credit limits for each customer. Limits are reviewed periodically in accordance with the requirements of the National Credit Act and upon request by a customer. Overall credit limits are approved by the board of directors. This process minimises the exposure to credit losses and affects the calculation of expected credit losses. Certain trade receivables are insured through an external party depending on the level of exposure to the company. The maximum exposure in respect of trade debtors is the balances (carrying amounts) disclosed in note 5. Accounting policies regarding the impairment testing and calculation of expected credit losses are provided in note 1.5. A trade receivable is deemed to be credit impaired, once it is more than 90 days overdue. To estimate the expected credit losses, historical information is used and adjusted for forward-looking information (such as the current depressed state of the local economy, which has caused an increase in the allowance compared to the prior financial year).

Cash and cash equivalents
The company deposits short-term cash surpluses only with major banks of high quality credit standing. The maximum exposure in respect of cash and cash equivalents is the debit-balances (carrying amounts) disclosed in note 7.

23. Contingent liability
Litigation is in process against the company relating to a dispute with the Competition Commission, which alleges that the company has been involved in price fixing in the industry. The information usually required by IAS 37 Provisions, Contingent Liabilities and Contingent Assets is not disclosed on the grounds that it can be perceived to be prejudicial to the outcome of the litigation. The directors are of the opinion that the claim can be successfully defended by the company.

24. Financial assets by category
The accounting policies for financial instruments have been applied to the line items below:

20X1 | Amortised cost | Total
Trade and other receivables | 17,241,701 | 17,241,701
Loans receivable | 31,439 | 31,439
Cash and cash equivalents | 21,583 | 21,583
| 17,294,723 | 17,294,723

20X0 | Amortised cost | Total
Trade and other receivables | 14,862,673 | 14,862,673
Loans receivable | 31,439 | 31,439
Cash and cash equivalents | 1,549,097 | 1,549,097
| 16,443,209 | 16,443,209

Page 23

25. Financial liabilities by category
The accounting policies for financial instruments have been applied to the line items below:

20X1 | Amortised cost | Total
Lease liabilities | 1,395,944 | 1,395,944
Amounts owing to parent | 9,888,715 | 9,888,715
Trade and other payables | 13,381,893 | 13,381,893
Bank overdraft | 4,022,340 | 4,022,340
| 28,688,892 | 28,688,892

20X0 | Amortised cost | Total
Lease liabilities | 428,876 | 428,876
Amounts owing to parent | 17,918,445 | 17,918,445
Trade and other payables | 7,610,462 | 7,610,462
Bank overdraft | 74,697 | 74,697
| 26,032,480 | 26,032,480

Page 24

DETAILED INCOME STATEMENT
Figures in Rand | Note(s) | 20X1 | 20X0
Revenue | | |
Sale of goods | | 128,320,126 | 97,802,148
Cost of sales | | |
Opening inventory | | (9,806,864) | (9,998,626)
Purchases | | (104,794,348) | (76,671,292)
Closing inventory | | 9,326,597 | 9,806,864
| | (105,274,615) | (76,863,054)
Gross profit | | 23,045,511 | 20,939,094
Other income | | |
Bad debts recovered | | 10,000 | –
Discount received | | 339,198 | 127,027
Interest received | 15 | 214,580 | 16,358
Sundry income | | 151,197 | 152,052
| | 714,975 | 295,437
Expenses (Refer to page 26) | | (20,333,439) | (17,735,073)
Operating profit | 14 | 3,427,047 | 3,499,458
Finance costs | 16 | (505,737) | (509,033)
Profit before taxation | | 2,921,310 | 2,990,425
Taxation | 17 | (781,068) | (949,171)
Profit for the year | | 2,140,242 | 2,041,254

Page 25

Operating expenses | Note(s) | 20X1 | 20X0
Administration fees paid | | 416,979 | 189,141
Advertising, entertainment and sales promotion | | 81,839 | 95,469
Auditors’ remuneration | 18 | 141,650 | 190,250
Bad debts | | 5,406 | 516,830
Bank charges | | 29,017 | 40,140
Computer expenses | | 144,505 | 205,606
Consulting and professional fees | | 206,470 | 117,115
Consumables | | 321,333 | 370,246
Credit checks | | 212,060 | 140,017
Depreciation and amortisation | | 2,164,533 | 1,631,569
Discount allowed | | 1,507,935 | 1,188,091
Electricity and water | | 2,671,303 | 1,874,252
Employee costs | | 7,392,144 | 6,672,819
General expenses | | 424,424 | 341,497
Increase in allowance for credit losses | | 1,111,042 | 155,441
Insurance | | 250,615 | 244,011
Legal expenses | | 196,780 | 403,640
Loss on disposal of property, plant and equipment | | 41,926 | –
Motor vehicle and travelling expenses | | 700,106 | 624,262
Printing and stationery | | 105,631 | 58,558
Repairs and maintenance | | 1,766,620 | 2,268,055
Subscriptions | | 208,151 | 147,409
Telephone and fax | | 232,970 | 196,567
Travel – overseas | | – | 64,088
| | 20,333,439 | 17,735,073

Page 26

Extracts from Ntsimbi Piping Trial Balance and Lead Schedules

Final Trial Balance at 31 December 20X1

NTSIMBI PIPING PROPRIETARY LIMITED
FINAL TRIAL BALANCE AT 31 DECEMBER 20X1

ACCOUNT | 20X1
10101-COFR - “Sales - Covers & Frames” | (58,567.00)
10151-DRAI - “Sales - Drainage Pipe” | (1,698,070.13)
10201-DROP - “Sales - Droppers” | (478,143.60)
10251-DUCT - “Sales - Ducting Pipe A” | (746,282.20)
10301-DUCT - “Sales - Ducting Pipe B” | (1,200,839.79)
10351-ELEC - “Sales - Electrical Fittings” | (533,798.10)
10401-FABF - “Sales - Fabricated Fittings A” | (75,761.00)
10451-FABF - “Sales - Fabricated Fittings B” | (188,979.48)
10501-GUTF - “Sales - Gutter Fittings” | (1,264,086.10)
10551-HDPE - “Sales - HDPE Pipe” | (9,169.95)
10601-LDPE - “Sales - LDPE Pipe” | (2,552,385.30)
10651-NYLN - “Sales - Nylon Fittings” | (4,792,770.34)
10701-PLUM - “Sales - Plumb Pipe” | (9,037,423.00)
10751-PRES - “Sales - Pressure Pipe” | (75,718,198.38)
10851-RAWM - “Sales - Raw Material A” | (3,211,859.55)
10901-RAWM - “Sales - Raw Material B” | (28,000.00)
10951-RIGR - “Sales - Rigid Risers” | (64,039.81)
10955-ADMN - “Sales - Price Queries” | 4,357.83
11001-SVFI - “Sales - S/V Fittings” | (2,601,882.18)
11051-SVPI - “Sales - S/V Pipe” | (5,003,717.62)
11101-SEWF - “Sales - Sewer Fittings” | (5,733,858.70)
11151-SEWP - “Sales - Sewer Pipe” | (14,223,441.20)
11201-SPSA - “Sales - Sewer Pipe non SABS” | 57,001.75
19000-ADMN - “Sales Buyouts/Other Stock Purchases” | 839,787.94
30006-INCO - “Income - Profit/Loss on Disposal of Assets” | 41,925.68
40071-EXPS - “Expense Depreciation on Motor Vehicles” | 86,666.64
40072-EXPS - “Expense Depreciation on Equipment” | 16,901.79
40073-EXPS - “Expense Depreciation on Furniture & Fittings” | 14,567.24
40074-EXPS - “Expense - Depreciation on Plant & Machinery” | 1,668,311.75
40076-EXPS - “Expense Depreciation on Computer equipment” | 72,899.53
40077-EXPS - “Expense Depreciation on Factory setup cost” | 35,026.12
40078-EXPS - “Expense Depreciation on Buildings” | 250,000.00
60011-PPAE - “Motor Vehicles @ Cost” | 1,752,284.10
60012-PPAE - “Motor Vehicles Accumulated Depreciation” | (685,324.56)
60017-PPAE - “Plant & Machinery @ Cost” | 28,976,012.79
60018-PPAE - “Plant & Machinery Accumulated Depreciation” | (8,530,318.17)
60019-PPAE - “Furniture & Fittings Accumulated Depreciation” | (78,532.46)
60020-PPAE - “Furniture & Fittings @ Cost” | 124,761.20
60021-PPAE - “Office Equipment Accumulated Depreciation” | (99,069.19)
60022-PPAE - “Office Equipment @ Cost” | 125,549.98
60023-PPAE - “Computer Equipment Accumulated Depreciation” | (246,993.55)
60024-PPAE - “Computer Equipment @ Cost” | 316,173.93
60025-PPAE - “Factory Setup @ Cost” | 420,516.19
60026-PPAE - “Factory Setup Accumulated Depreciation” | (385,073.21)
60027-PPAE - “Land & Buildings @ Cost” | 22,440,000.00
60028-PPAE - “Buildings Accumulated Depreciation” | (960,000.00)

Property, Plant and Equipment Lead Schedule

NTSIMBI PIPING PROPRIETARY LIMITED
PROPERTY, PLANT AND EQUIPMENT AT 31 DECEMBER 20X1
Prepared by: IB 20X2/03/06
Reviewed by: CS 20X2/03/30

ACCOUNT | 20X1
20.20.10.001 Property, plant and equipment | 54,155,298.19
60011-PPAE - Motor Vehicles @ Cost | 1,752,284.10
60017-PPAE - Plant & Machinery @ Cost | 28,976,012.79
60020-PPAE - Furniture & Fittings @ Cost | 124,761.20
60022-PPAE - Office Equipment @ Cost | 125,549.98
60024-PPAE - Computer Equipment @ Cost | 316,173.93
60025-PPAE - Factory Setup Cost @ Cost | 420,516.19
60027-PPAE - Land & Buildings Cost @ Cost | 22,440,000.00
20.20.10.005 Property, plant and equipment: Accumulated depreciation | (10,985,311.14)
60012-PPAE - Motor Vehicles Accumulated Depreciation | (685,324.56)
60018-PPAE - Plant & Machinery Accumulated Depreciation | (8,530,318.17)
60019-PPAE - Furniture & Fittings Accumulated Depreciation | (78,532.46)
60021-PPAE - Office Equipment Accumulated Depreciation | (99,069.19)
60023-PPAE - Computer Equipment Accumulated Depreciation | (246,993.55)
60026-PPAE - Factory Setup Accumulated Depreciation | (385,073.21)
60028-PPAE - Buildings - Accumulated Depreciation | (960,000.00)
| 43,169,987.05

Depreciation and Impairment Lead Schedule

NTSIMBI PIPING PROPRIETARY LIMITED
DEPRECIATION AND IMPAIRMENTS: PROPERTY, PLANT AND EQUIPMENT FOR THE YEAR ENDED 31 DECEMBER 20X1
Prepared by: IB 20X2/03/06
Reviewed by: CS 20X2/03/30

ACCOUNT | 20X1
20.35.00.00 Depreciation and amortisation: PPE | 2,144,373.07
40071-EXPS - Expense - Depreciation on Motor Vehicles | 86,666.64
40072-EXPS - Expense - Depreciation on Equipment | 16,901.79
40073-EXPS - Expense - Depreciation on Furniture & Fittings | 14,567.24
40074-EXPS - Expense - Depreciation on Plant & Machinery | 1,668,311.75
40076-EXPS - Expense - Depreciation on Computer equipment | 72,899.53
40077-EXPS - Expense - Depreciation Factory setup cost | 35,026.12
40078-EXPS - Expense - Depreciation on Buildings | 250,000.00
| 2,144,373.07

Profit and Loss on Disposal of Property, Plant and Equipment Lead Schedule

NTSIMBI PIPING PROPRIETARY LIMITED
PROFIT AND LOSS ON DISPOSAL OF PROPERTY, PLANT AND EQUIPMENT LEAD SCHEDULE
Prepared by: IB 20X2/03/06
Reviewed by: CS 20X2/03/30

ACCOUNT | 20X1
20.36 P&L: PPE | 41,925.68
30006-INCO - Income - Profit/Loss on Disposal of Assets | 41,925.68
| 41,925.68

PART A
THE CONTEXT WITHIN WHICH THE EXTERNAL AUDITOR OPERATES
CHAPTER 1 Introduction
CHAPTER 2 Ethics
CHAPTER 3 Legal responsibilities of the auditor

CHAPTER 1
Introduction
Henriëtte Scholtz

CHAPTER CONTENTS
Learning outcomes
Reference list
1.1 Background
1.2 What is the purpose of and need for accounting records?
1.3 What is the objective of and need for financial statements?
1.4 Why are external auditors needed and what is the purpose of an external audit?
1.5 What are examples of major corporate accounting scandals in recent years?
1.6 What are the structures of the accounting and auditing professions?
Assessment questions

LEARNING OUTCOMES
1. Describe the purpose of and requirements for accounting records.
2. Describe the Companies Act requirements relating to accounting records and financial statements.
3. Describe the assertions contained in financial statements.
4. Identify and formulate the assertions applicable to the account balances, classes of transactions and disclosures contained in financial statements.
5. Define an external audit.
6. Explain the need for an external audit.
7. Contrast the external auditor’s responsibility in relation to the financial statements with that of a company’s directors.
8. Provide an overview of the steps in the audit process.
9. Describe the inherent limitations of an audit.
10. Differentiate between the types of assurance and non-assurance engagements and types of auditors.
11. Understand the history of auditing and major events in its history.
12. State and describe the postulates in auditing.
13. Briefly describe the structure of the auditing profession locally and internationally.
REFERENCE LIST
Companies Act 71 of 2008, sections 24, 28–31.
Companies Regulations 2011, regulation 25.
International Auditing and Assurance Standards Board (IAASB) (April 2007) International Standard on Auditing (ISA) 200 Overall Objective of the Independent Auditor and the Conduct of an Audit in Accordance with International Standards on Auditing, para A45–A52.
International Auditing and Assurance Standards Board (IAASB) (Dec 2013) International Standard on Auditing (ISA) 315 (Revised) Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment, para A123–A124.

IN THE NEWS

Audits could be perfect – but that would come at a cost1
There is no conceptual reason why audits should not be perfect. Auditors could check every transaction from third-party documentation, and mirror every aspect of the company’s accounting and governance all the way from bookkeeper to board level, in a separate independent structure, paid for by an independent body. It would, of course, be ridiculously expensive. So there needs to be a trade-off in society between risk and reward. There also has to be a sufficient risk/reward for the audit firms – if the risk is too great for the rewards they simply will not undertake audits and certainly will not be willing to increase their work to cover society’s expanding obligations.

No more cooked blocks – mainstream auditors enter the fray2
Auditing firms have long kept businesses and financial institutions in check with thorough investigations of company accounts. The process ensures that everyone plays by the rules, which protects both employees, investors and customers from being burned by dodgy accounting practices. There is a distinct difference between blockchain and an accounting ledger, according to Cointelegraph contributor and international tax attorney Selva Ozelli: Blockchain is a ledger system that keeps track of cryptocurrency or other digitally transferred information.
But Blockchain technology is not an accounting system and there is a distinction between the two. Auditors have the knowledge to verify financial information prepared by a computer system, and Blockchain is a ledger system. However, auditors will need to come up to speed on the nuances of each Blockchain design, to be able to properly audit and verify the information it produces. In the future, as Blockchain is widely adopted and laws regarding auditing financial statements prepared using information produced by Blockchain systems are amended, the function of auditors vis-à-vis verifying financial information prepared by Blockchains may change.

1.1 Background

During the Industrial Revolution, businesses grew from entities owned and managed by the same person into large corporations in which the owners (shareholders) and management (executive directors) were separate parties. As can be seen in Figure 1.1, the shareholders appoint the directors of the company to manage their investment in the company. This is known as the principal-agent theory, where the shareholders are the principals and the directors are the agents. The agency theory implies that if the principals do not trust the agents to provide them with reliable and relevant information, they will appoint external experts (called auditors), who are independent of the agents, to review the credibility of the information presented to them.

Today this manifests as follows: The board of directors of a company is responsible for, among other things, the preparation of financial statements (and other reports) for external users (including shareholders) to account for their stewardship of the company.
An external audit of financial statements is performed in order to enhance the credibility of the financial statements from the users’ perspective and to reduce the risks that incorrect or misleading information is conveyed in the financial statements – as this may lead to incorrect economic decision making by the users of the financial statements.

What enhances the credibility of audited financial statements is the auditor’s report that accompanies the financial statements (refer to page 2 of Ntsimbi Piping’s financial statements). This is prepared and issued by the external auditor after the audit team has completed a process known as the audit process (refer to section 1.4.5.3.1 of this chapter and to Chapter 11 for more details). In this auditor’s report, the auditor expresses a high level of assurance (comfort) on whether the financial statements fairly present the financial position, performance and cash flows of the company.3

CRITICAL THINKING
What can shareholders do if they are not satisfied with the way in which directors are using the company’s assets and resources in which their funds are invested?
Shareholders appoint the directors and they can vote at a shareholders’ meeting to remove the directors.

Figure 1.1: Shareholders – directors – auditor relationship

1.2 What is the purpose of and need for accounting records?

1.2.1 The purpose of accounting records

1.2.1.1 The nature of accounting records

Accounting records are an entity’s manual or computerised records of its assets and liabilities, revenues and expenses, equity and other monetary transactions. These records consist of various journals (books of prime entry), general and subsidiary ledgers, and supporting documents (such as agreements, invoices, expense vouchers), which an entity is required to retain for a certain number of years.4

1.2.1.2 The need for accounting records

Accounting records are needed for an effective financial management system in an entity.
They are used by management to:
• Record and keep track of transactions and other economic activities;
• Obtain relevant information in a timely fashion so management can make decisions such as the pricing of the entity’s products, the funding requirements and the strategic direction of the entity;
• Measure results and evaluate the performance of the business against the goals and targets set by them; and
• Enable them to prepare financial statements for reporting to external parties, including shareholders.

Businesses as well as individuals should have accounting records. Individuals need accounting records when submitting income tax returns, as they may, for example, be asked to provide evidence of the income declared and expenses claimed on income tax returns.

CRITICAL THINKING
Why do sole proprietors need accounting records?
Sole proprietors need accounting records when they apply for finance, for completing tax returns, and to enable a potential buyer or investor to look at the records if a sole proprietor is selling or expanding the business.

In South Africa, legislation requires companies to keep proper accounting records. Refer to section 1.3.4 of this chapter for the Companies Act 71 of 2008 requirements relating to accounting records.
1.2.2 Examples of accounting records

The following are examples of accounting records that may be used to keep track of sales transactions entered into by Ntsimbi Piping with its customers (refer to documents in section 1 of the appendix at the end of the book):
• An internal sales order is issued to keep track of an order received from a customer;
• A delivery note is issued when pipes are delivered to the customer as proof of delivery;
• A sales invoice is issued to inform the customer of the amount that is due for the goods supplied;
• The transaction is recorded in the sales journal and debtors ledger from the sales invoice;
• The total of all the sales invoices recorded in the sales journal is posted (or transferred) to the general ledger;
• The general ledger balances and totals are transferred to the trial balance; and
• The trial balance is used as a basis to prepare the company’s financial statements.

Figure 1.2: Sales transaction

CRITICAL THINKING
What documentation would be created for a purchases transaction?
For a purchases transaction the following documentation would be present:
• Purchase order
• Supplier delivery note
• Goods received note
• Supplier purchase invoice
• Purchases journal and creditors ledger
• Supplier statement
• General ledger
• Trial balance
• Financial statements

Refer to Chapters 6 to 10 for many more examples of accounting records that are used by Ntsimbi Piping.

1.3 What is the objective of and need for financial statements?

Turn to the financial statements of Ntsimbi Piping at the beginning of the book and scan all 24 pages of these statements. Consider the various notes that provide additional information about various line items on the Statement of Financial Position, Statement of Comprehensive Income and Statement of Cash Flows. As you are looking through the financial statements, think about how readers of Ntsimbi Piping’s financial statements may use the various types of information disclosed.
1.3.1 The objective of financial statements

According to the Conceptual Framework for the Financial Statements (IFRS standards), the objective of financial statements is to provide financial information about the reporting entity that is useful to a wide range of users in making economic decisions. The economic decisions involve buying, selling or holding equity and debt instruments, and providing or requiring the settling of loans and other forms of credit.5 Financial statements prepared for this purpose meet the common needs of most users. However, financial statements do not provide all the information users may need to make economic decisions, since they largely portray the financial effects of past events and contain limited forward-looking information.

As was discussed in section 1.1 of this chapter, according to the principal-agent theory, it is necessary that there is a communication line between owners and managers. The financial statements of Ntsimbi Piping create this line and provide the management of Ntsimbi Piping with the opportunity to show the results of their stewardship of the money entrusted to them (the accountability of management for resources entrusted to them) by the owners of the business.

1.3.2 Responsibility for accounting records and financial statements

The board of directors of a company (i.e. those charged with the governance of the company) has the responsibility to ensure that proper accounting records are kept and to prepare and approve financial statements before publication. The day-to-day responsibility of the finance function of the company can be delegated to the accounting function of the company but the board of directors remains ultimately responsible for the accounting records and financial statements.
According to International Accounting Standard (IAS) 1, the financial statements of a company consist of:
• A statement of financial position as at the end of a period;
• A statement of profit and loss and other comprehensive income for the period;
• A statement of changes in equity for the period;
• A statement of cash flows for the period;
• Notes consisting of a summary of significant accounting policies and other explanatory information;
• Comparative information in respect of the preceding period; and
• A statement of financial position as at the beginning of the preceding period when an entity applies an accounting policy retrospectively or makes a retrospective restatement of items in its financial statements or when it reclassifies items in its financial statements.6

The chief financial officer (CFO) (sometimes referred to as the financial director) is normally responsible for overseeing the compilation and finalisation of the financial statements, which have to be considered and approved by the board of directors before publication. The board of directors is responsible for ensuring that transactions and events that took place during the year are fairly presented in the financial statements. Directors who knowingly misrepresent information in financial statements are in contravention of section 29 of the Companies Act and are guilty of a criminal offence. The audit committee, if it exists (refer to Chapter 4 for details), is a subcommittee of the board of directors and has, among other things, an oversight function over the financial statements, thereby assisting the board in discharging its responsibilities.

CRITICAL THINKING
Who is ultimately responsible for financial statements?
According to the Conceptual Framework for the Financial Statements, management (in South Africa for companies, this is the board of directors as per the Companies Act) is ultimately responsible for the preparation and presentation of financial statements.
1.3.3 The assertions made by the preparers of the financial statements

When issuing financial statements, the preparers of these statements (management/directors) are effectively making many representations (statements) about, among other things, the financial position, financial performance and cash flows of the entity. These representations made by management are called assertions (refer to the IAASB Glossary of Terms). ISA 315.A129 classifies the assertions as follows:
• Assertions relating to classes of transactions, events and related disclosures; and
• Assertions relating to account balances and related disclosures.

To understand the assertions, we first have to understand the concepts of classes of transactions, account balances and disclosures. The trade receivables control account of Ntsimbi Piping (Pty) Ltd is set out below:

TRADE RECEIVABLES CONTROL ACCOUNT
Opening balance (1/1/20X1) 13,587,696
Bank (receipts from debtors) xxx xxx xxx
Credit sales xxx xxx xxx
Sales returns x xxx
Allowance for credit losses adjustment x xxx
Closing balance (31/12/20X1) 16,584,187

You will notice that the account consists of the following elements:
• An opening balance;
• Various types of debit and credit entries; and
• A closing balance.

Note the types of debit and credit entries that appear in the account, such as credit sales entries on the debit side and sales returns entries on the credit side. Each of these types of debit and credit entries represents a class of transactions impacting the account. The closing balance is the account balance, whereas the note to the financial statements where additional information about trade receivables is provided (note 5 on page 17 of the Ntsimbi Piping (Pty) Ltd financial statements) is the disclosure.

Now look at Table 1.1 that provides descriptions of the various assertions and also indicates which assertions apply to which of the three elements explained above.
Table 1.1: Assertions

ASSERTIONS | CLASSES OF TRANSACTIONS, EVENTS AND RELATED DISCLOSURES | ACCOUNT BALANCES AND RELATED DISCLOSURES
Existence: Assets, liabilities and equity that appear in the financial statements exist at the date of the financial statements. | | X
Occurrence: Transactions and events that have been recorded in the financial statements have actually occurred during the financial period and relate to the entity. | X |
Accuracy, valuation and allocation: Assets, liabilities and equity are included in the financial statements at the correct amounts and any adjustments to the valuation or allocation have been appropriately recorded and disclosures have been appropriately measured and described. | | X
Accuracy: Amounts and other data relating to recorded transactions have been recorded appropriately (e.g. in the correct amounts) and appropriate disclosures have been appropriately measured and described. | X |
Rights and obligations: The entity holds or controls the rights to the assets reflected in the financial statements, and liabilities reflected are the obligations of the company. | | X
Cut-off: Transactions and events have been recorded in the correct accounting period. | X |
Completeness: All transactions, events, assets, liabilities, equity and disclosures that should have been recorded and included in the financial statements have been recorded and included. | X | X
Classification: Assets, liabilities, equity, transactions and events have been recorded in the proper accounts. | X | X
Presentation: Financial information is appropriately presented and described, and disclosures are clearly expressed. | X | X

Ntsimbi Piping Example: Property Plant and Equipment (PPE) with a carrying amount of R43,169,987 in the Statement of Financial Position of Ntsimbi Piping at 31 December 20X1

The directors of Ntsimbi Piping have made the following assertions by reflecting the PPE balance on page 7 of the Statement of Financial Position:
Existence: PPE of R43,169,987 actually exists at 31 December 20X1;
Accuracy, valuation and allocation: The PPE reflected in the Statement of Financial Position at R43,169,987 is measured at the appropriate carrying amount (meaning the assets were appropriately measured at recognition; as well as continue to be appropriately measured after recognition – i.e. taking into account adjustments for impairments, depreciation, etc.) and disclosures have been appropriately made (e.g. gross carrying amount and accumulated depreciation at the beginning and end of the year);
Rights: Ntsimbi Piping holds the rights to the PPE of R43,169,987 at 31 December 20X1;
Completeness: All PPE assets of Ntsimbi Piping that should have been recorded are recorded in the account balance reflected in the Statement of Financial Position at 31 December 20X1;
Classification: All PPE assets of Ntsimbi Piping have been recorded in the proper accounts (e.g. the PPE assets have been recorded as PPE and not as intangible assets); and
Presentation: All PPE assets of Ntsimbi Piping have been appropriately presented and disclosures are clearly expressed (e.g. the depreciation method, depreciation rate and useful lives have been disclosed, as well as reconciliation of carrying amount from beginning of the year to the end of the year, showing additions to PPE, disposals of PPE, revaluations of PPE, depreciation and any other movements).

WHY?
Why is the ‘obligations’ assertion not an applicable assertion for PPE?
PPE are assets and a company normally holds or controls the rights to these assets.
Liabilities are obligations of the company.

CRITICAL THINKING
How should cryptocurrency be accounted for?7
There are currently no existing accounting requirements to account for cryptocurrency. Accounting at fair value with movements reflected in profit or loss would provide the most useful information to investors.8

1.3.4 Companies Act requirements for accounting records and financial statements

The Companies Act 71 of 2008 (hereinafter referred to as the ‘Companies Act’) requires every South African company to keep accurate and complete accounting records in one of the official languages at the company’s registered office (section 28). The accounting records have to be sufficient to enable the company to prepare financial statements and, if applicable, to enable the auditors of the company to audit the financial statements.

Regulation 25(3) of the Companies Regulations 2011 sets out what is required to be included in the accounting records of a company. Examples of this include:
• A record of the company’s assets and liabilities;
• Records of any property held by the company in a fiduciary capacity;
• A record of inventory to enable the valuation of inventory at year-end (if the company trades in goods); and
• Records of the company’s revenue and expenditure, including daily records of all money received or paid out and daily records of goods purchased and sold on credit.

Section 24 of the Companies Act requires a company to keep all documents, accounts, books, writing or other information in written format, or electronic or other form, for a minimum period of seven years. Section 28 of the Companies Act states that it is an offence for a company to fail to keep accounting records or to keep accounting records in a format other than the prescribed format. Look up the Companies Regulations to find the complete list of accounting records that companies have to keep.

The Companies Act has a number of requirements with regard to financial statements.
Section 29(1) requires that any financial statements prepared and issued by a company must:
• Satisfy any prescribed financial reporting standards applicable to the company (e.g. International Financial Reporting Standards (IFRS); for details of the applicable financial reporting frameworks refer to Chapter 2 and the discussion of regulation 27) as to the format and content of the financial statements;
• Fairly present the affairs of the company and explain the financial position of the company;
• Show the company’s assets, liabilities, equity, income and expenses and any other prescribed information;
• Set out the date on which the financial statements were produced and the accounting period to which they relate; and
• On the first page of the financial statements, contain a note stating whether the financial statements have been audited or independently reviewed. The name and professional designation of the person who prepared or supervised the preparation of the financial statements must also be included.

Section 29(2) requires that if a company provides any financial statements to any person for any reason, these financial statements may not be false or misleading in any material respect, or incomplete. Section 29(6) adds that it is an offence for any person to prepare, approve, disseminate or publish any financial statements knowing that these financial statements are false, incomplete, misleading or if they do not comply with the requirements of section 29(1) above.

Section 30 of the Companies Act requires a company to prepare financial statements within six months after the year-end of the company. The financial statements must:
• Include an auditor’s report;
• Include a director’s report;
• Be approved by the board and signed by an authorised director; and
• Be presented at the first shareholders’ meeting after the financial statements have been approved.
Disclosures about directors’ remuneration must be included in the financial statements for companies that have to be audited (for details refer to section 30 of the Companies Act covered in Chapter 2). Section 31 provides that shareholders are entitled to receive a copy of the financial statements. Judgement creditors and trade unions can apply to the company or to the Commissioner of Companies to receive a copy of the financial statements. It is an offence for a company to refuse access to the financial statements to any of these parties.

1.4 Why are external auditors needed and what is the purpose of an external audit?

1.4.1 The need for external auditors

A perception may exist that external auditors are needed because legislation requires companies’ financial statements to be audited (these audits are sometimes referred to as statutory audits, as they are required by statute). However, the need for external auditors arose long before company audits became a legal requirement in certain countries.

As was discussed in section 1.1 of this chapter, according to the principal-agent theory, the ownership and management of a company is split. The owners (or shareholders) in such situations delegate some decision-making powers relating to the functioning of the company to the board of directors, thereby entrusting the directors to act in the best interests of the company. The owners and directors could have different motives and there could also be a lack of trust that the agents will act in the best interests of the principals. The agents are normally influenced by factors such as financial rewards (salaries and bonuses), labour market opportunities and relationships with other parties not relevant to the principals and may therefore misrepresent their entity’s financial statements. Certain mechanisms are therefore put in place to reinforce the trust that the shareholders place in directors. One of these mechanisms is the audit of the financial statements of a company.
On the basis of the audit, an independent party (the auditor) reports to the owners on whether the directors have fairly presented the financial effects of their activities to the owners in the financial statements.

1.4.1.1 The external audit can add value

1.4.1.1.1 It encourages good corporate governance in a company

The external auditor provides a check on the information aspects of the corporate governance system. The external auditor’s primary role in corporate governance is to ensure that the financial information given to the shareholders (i.e. users of the financial statements) is fairly presented (i.e. free from material misstatements). Refer to Chapter 4 for detailed information about the governance of companies.9

1.4.1.1.2 It makes it easier and safer to invest in wealth-creating businesses

As part of the audit, the auditor collects audit evidence to express an opinion whether or not the financial statements are free of material misstatement. The auditor also evaluates management’s view on whether the company will be able to continue as a going concern in the foreseeable future. Through the audit process, the auditor adds credibility to the financial statements prepared by management. This allows investors and providers of credit finance to use the financial statements with greater confidence in making equity investments and loan advances.10

1.4.1.1.3 It improves legitimate tax collection, thereby reducing taxes for all

Government agencies (such as SARS) are able to take comfort from the fact that an independent, external auditor has examined the financial records of a company. This reduces the need for specific and detailed inspections by government employees or agents. This, in turn, means that the cost of compliance is borne by all those required to comply, rather than adding to the tax burden of taxpayers generally. As a result, an audit adds value for all taxpayers by ensuring that companies carry their proper share of the burden of taxation.
1.4.1.1.4 It improves the accuracy of the information contained in financial statements

Even if the auditor’s report indicates that the financial statements ‘present fairly’, it does not mean that this would have been the case without the audit. During the course of the audit, a number of material misstatements may be detected by the audit team and reported to management. If corrected by management (which is often the case), the audit will therefore improve the integrity of the data contained in the financial statements.11

1.4.2 The history of auditing

Auditors have been around since the early times of accounting. With the development of economies, it came about that one person was entrusted with the property of another person (the agency principle introduced in section 1.1 of this chapter). This created the need for accounting and for some sort of checking on whether the property was managed properly.

The first recorded auditors were the spies of King Darius of Persia (552 to 486 BC). These auditors acted as the king’s ears, checking on the governors of the provinces in Persia. The word ‘auditor’ originates from the Latin word ‘audire’ which means ‘to hear’. In ancient times, auditors used to listen to oral reports from the officials (or stewards) to the owners. The auditors needed to confirm the accuracy of these reports. In time, the role of the auditor evolved from verifying oral reports to checking the accuracy of written reports.

Prior to 1500 AD, nearly all accounting systems were concerned with accounting for the activities of government and the only form of auditing or checking was that separate records had to be kept by two different scribes. The purpose of these records was mainly to detect fraud, to minimise errors and to ensure that the custodians of resources were honest. Internal controls did not exist (refer to Chapter 4 for details of internal control systems).
In 1494, Luca Pacioli, a Franciscan friar, first codified the double-entry system in his mathematics textbook Summa de arithmetica, geometria, proportioni et proportionalità. The debit/credit system, explained in this text, forms the basis for all modern accounting systems.

The Industrial Revolution (1750–1850) was a period of economic growth. One feature of this era was that the management of the business passed from owners to professional managers. The demand for auditors, independent from management, increased during the period 1850 to 1905. The demand for auditors was not only in relation to the need to detect clerical errors, but also to manage fraud. During this period, auditors began to report to the owners of an entity on the work they performed, and the independent auditor’s report emerged.

The British Parliament passed the Joint Stock Companies Act in 1844. This Act required that the directors should report to the shareholders on the financial affairs of the company by way of an audited balance sheet. In 1900, the first statutory requirement for an independent audit was written into the British Companies Act.

During the late 1800s, the concept of selective testing was developed, whereby the auditors selected only a sample of transactions where it was not economically feasible to examine all transactions. By 1940, the use of testing was the rule and detailed checking the exception. During this period, it was also recognised that the adequacy of internal controls could reduce the extent of substantive testing required from auditors. The relevance of effective internal controls is today recognised by auditors as an important factor in determining the timing, nature and extent of audit procedures.

In the period 1905 to 1950, the objective of an audit in the United States of America (USA) changed from detecting fraud to reporting on the reported financial condition of the company.
During the period 1933–1940, the wording of the auditor’s report in the USA changed from ‘present a true and fair view’ to ‘present fairly’ the state of affairs of a company. Today, ISA 700 allows both of these alternative wordings to be used in the auditor’s report.12

1.4.3 The history of the external auditing profession in South Africa

The British colonial services performed elementary audit functions in South Africa from the late 18th century. Mr Barlow was appointed as the first auditor-general of the Cape Colony in 1788.

The discovery of minerals in South Africa led to booming economies. The need for information about companies and reliable accounting services increased. The first stock exchange law in South Africa was passed in 1864, namely the Natal Joint Stock Exchange Limited Liability Law, followed by the Cape Companies’ and Associations’ Trustee Act in 1873 and the Cape Companies’ Act in 1892. This led to the statutory recognition of auditors in South Africa.

Soon, British accountants flocked to the Zuid-Afrikaanse Republiek (ZAR) and established professional accounting associations. The first Institute of Accountants and Auditors in South Africa was formed in 1894 in the then Transvaal province (with 65 members), followed by the Institute of Accountants in Natal. The Free State and the Cape Societies were voluntarily formed.

In 1904 the Cape Colony’s Legislative Council passed an ordinance incorporating the Transvaal Society of Accountants. It was the first law to regulate the accounting profession and required a register of all public accountants to be kept. Members could use the designation ‘Registered Public Accountant (Transvaal)’. With the formation of the Union in 1911, the four bodies attempted to amalgamate but it was not until 1945 that the Joint Council of Chartered Accountants was created.
In 1921, the provincial bodies established the South African Accountants Societies General Examination Board (GEB) which provided uniform conditions for admission, examinations and regulation of articles.

The Joint Council of Chartered Accountants played a critical role in the drafting and approval of the Public Accountants and Auditors Act of 1951. This Act provided for the establishment of a register of public accountants and auditors who engaged in public practice and who called themselves ‘Registered Accountants and Auditors’. The Act provided for the establishment of the Public Accountants and Auditors Board (PAAB), the registration and control of articled clerks and the conduct of examinations. The Chartered Accountants Designation (Private) Act was passed in 1927 and allowed members the right to the use of the designation ‘Chartered Accountant (SA)’.

International and local corporate failures increased the need for the regulation of auditors to be tightened worldwide, and for governments to play a role in this. The Auditing Profession Act 26 of 2005 was promulgated and became effective in April 2006, replacing the PAAB with the Independent Regulatory Board for Auditors (IRBA). The latter, a public entity in terms of the Public Finance Management Act 1 of 1999, for the first time saw the external auditing profession in South Africa regulated by a board of whom the majority of members are non-auditors.13

1.4.4 The purpose of an external (financial statement) audit

Financial statements are used for a variety of purposes and decisions. Some of the uses of the financial statements include: the shareholders of a company use them to evaluate management’s stewardship; investors use them to decide whether to invest in a company or to sell their investment; and banks use them to decide whether or not to grant a loan to the company. As discussed in section 1.3.3 of this chapter, financial statements are representations made by management about the entity.
The user of the financial statements must recognise that the preparation of the financial statements requires management to make significant accounting estimates and judgements and to determine which of the accounting principles and methods are most appropriate to apply to the entity. On the other hand, the auditor’s responsibility is to express an opinion on whether management has fairly presented the information in terms of the stated financial reporting framework (e.g. IFRS).

In an audit, the financial information is evaluated by the auditor who is knowledgeable about auditing, accounting and financial reporting matters. This enhances the degree of confidence of intended users in the financial statements.

During the audit, the auditor collects evidence to obtain reasonable assurance that the amounts and disclosures in the financial statements are free from material misstatement. Refer to section 1.4.5.2 for the reasons why the auditor can only provide reasonable assurance and cannot identify every error or irregularity in the company being audited. The term reasonable assurance refers to a high level of assurance. It is achieved when the auditor has obtained sufficient and appropriate audit evidence to reduce the risk of expressing an incorrect opinion on the financial statements (we call this risk, audit risk) to an acceptably low level. Audit risk is discussed in more detail in Chapter 11.

The auditor also evaluates whether the audit evidence obtained provides evidence that the company will be able to carry on its business (continue as a going concern) in the foreseeable future. However, neither the auditor nor management can guarantee the future success of the business, as the future is uncertain.

When auditing the financial statements, the auditor follows a process that is called the audit process (refer to Chapter 11 in this regard).
The audit process has to comply with International Standards on Auditing (ISAs).14

Now read through the auditor’s report on page 2 of the Ntsimbi Piping financial statements again. Note in particular the wording of the opinion of the auditor.

WHAT IF?
What if the financial statements are not prepared in accordance with the relevant financial reporting framework?
Then a modified auditor’s report will be issued (Refer to ISA 705). The opinion paragraph may look like this:
In our opinion, because of the significance of the matter discussed in the basis for adverse opinion paragraph, the financial statements do not present fairly the financial position of Ntsimbi Piping (Pty) Ltd as at 31 December 20X1 and its financial performance and cash flows for the year ended then in accordance with the International Financial Reporting Standards, and the requirements of the Companies Act of South Africa.

Note: In addition to the external (financial statement) audit, other types of audits also exist. These are described in section 1.4.5.3 of this chapter.

1.4.5 Providing assurance

1.4.5.1 Assurance provided by an external audit

By expressing an audit opinion on the financial statements, the independent auditor provides assurance to the users of the financial statements. The auditor cannot provide absolute assurance that the financial statements are free from material misstatement due to fraud and error. An audit can only provide reasonable assurance on the financial statements for a number of important reasons as explained in the next section. There is thus an unavoidable risk that some material misstatements may not be detected when performing an audit. This is due to the inherent limitations of an audit.

1.4.5.2 Inherent limitations of an external audit (ISA 200.A45–A52)

1.4.5.2.1 The nature of financial reporting

Judgement is used by management when preparing financial statements. Management has to apply judgement when applying the requirements of the relevant financial reporting framework (e.g.
IFRS or IFRS for SMEs – refer to Companies Regulations, 2011, specifically regulation 27) to the specific facts and circumstances of the entity. Moreover, management has to make many estimates in preparing the financial statements, among other things, about the useful lives of property, plant and equipment, the allowance for credit losses (impairment of debtors) and allowance for obsolete inventory (write-downs to net realisable value).

1.4.5.2.2 The nature of audit procedures

There are practical and legal limitations on the auditor’s ability to obtain audit evidence supporting management’s assertions in the financial statements:
• During the audit, the directors of the company provide documentation and explanations to the auditor. The auditor uses these to come to conclusions about the transactions, balances and disclosures being audited. Therefore, this information persuades the auditor to draw a conclusion on whether the financial statements are indeed a fair presentation. However, the information supplied by directors could be (intentionally or unintentionally) incorrect or incomplete and could also be misrepresented to the auditor.
• Fraud committed by management may involve clever schemes to hide the fraud. The auditor is not expected to be an expert in the authentication of supporting documents if fraud is involved.

1.4.5.2.3 Timeliness of financial reporting and balance between benefit and cost

• There is an expectation by the users of the financial statements that the auditor will complete the audit within a reasonable time frame and at a reasonable cost. It is not only impractical to audit all the information available, but the relevance of the audit opinion to users of financial statements is diminished if an extended period of time elapses between the entity’s year-end and the date on which the auditor’s report is issued. This time pressure impacts on the amount of audit work that can be performed by the auditor.
• In planning an audit, the reliability of audit evidence and the cost involved in obtaining it should be balanced. The reliability of audit evidence is influenced by its source and by its nature and is dependent on the individual circumstances under which it is obtained. The auditor needs to consider what it will cost to obtain the audit evidence compared to the benefit the auditor will derive from it. For example, if the auditor is unable to reach a debtor when attempting to obtain a written confirmation of the debtor’s balance outstanding (the debtor may reside in a rural area), the auditor has to consider whether there are other ways to confirm the existence of the debtor.
• Due to constraints on time and resources available to perform the audit and also the cost involved, the auditor cannot verify every single transaction that occurred in the company being audited. Therefore, the auditor selects a sample of transactions and events that occurred during the financial year and conducts audit procedures on the selected sample. The fact that the entire population is not investigated by the auditor creates the risk that fraud or errors could go undetected.

CRITICAL THINKING
Can an auditor guarantee that the financial statements are 100% accurate?
No, an audit can only provide reasonable assurance for reasons listed in 1.4.5.2 above.

1.4.5.3 Assurance and non-assurance engagements

1.4.5.3.1 Assurance engagements (International Framework for Assurance Engagements)

An assurance engagement is an engagement in which the auditor expresses a conclusion designed to enhance the degree of confidence of intended users (other than the party responsible for preparing the information being evaluated) about the outcome of the evaluation or measurement of the information against predetermined criteria. (The IAASB Glossary of Terms contains a more comprehensive definition.)
According to the International Framework for Assurance Engagements, the following five elements have to be present for an assurance engagement to exist:
1. Three-party relationship
• A practitioner appointed by the shareholders (refer to Figure 1.1) who could be a practitioner performing audits (e.g. the external auditor) or a practitioner performing review engagements;
• A responsible party, such as management responsible for the preparation of the financial statements; and
• Intended users, such as shareholders and investors.
2. Appropriate subject matter, examples of which include:
• Financial performance or conditions (e.g. financial statements);
• Non-financial performance or conditions (e.g. number of units sold/manufactured);
• Physical characteristics (e.g. capacity of a facility);
• Systems and processes (e.g. internal control); and
• Behaviour (e.g. corporate governance).
3. Suitable criteria
• Benchmarks used to evaluate or measure the subject matter against, for example, IFRS or internal control frameworks.
4. Evidence
• An assurance engagement has to be planned and performed to obtain sufficient appropriate evidence to support the opinion that the practitioner expresses.
5. Assurance report
• The practitioner has to provide a written report containing a conclusion that conveys the assurance obtained.

The International Framework for Assurance Engagements identifies two types of assurance engagements a practitioner is permitted to perform, namely reasonable assurance engagements and limited assurance engagements. Assurance engagements include, among other things, financial statement audits (an example of a reasonable assurance engagement) and review engagements (an example of a limited assurance engagement).15

Reasonable assurance engagements

As mentioned above, an example of a reasonable assurance engagement is a financial statement audit.
Management fulfils its obligations to the shareholders of a company by reporting the company’s financial performance, financial position and cash flow position in the form of financial statements compliant with IFRS. In the financial statements, the assets, liabilities, equity and classes of transactions and events are recognised, measured, presented and disclosed according to the requirements of IFRS. The external auditor is appointed by the shareholders of the company to express an opinion on the fair presentation of management’s financial statements in terms of the requirements of, say, IFRS. Figure 1.3 illustrates how the audit process links to financial statements and the auditor’s opinion.

In order to form an opinion that conveys reasonable assurance on the client’s financial statements, the auditor applies a process (a series of activities and procedures) that is prescribed by the ISAs. This process is called the audit process and is discussed in Chapter 11. The audit process involves the following four phases:
1. Pre-engagement activities, which aim to establish whether the auditor can and wants to accept the engagement as auditor of the client, and if so, includes establishing the terms of the engagement.
2. Audit planning, during which the auditor determines how the audit should be performed in an efficient and effective manner. Planning includes the design of specific audit procedures to be performed by the auditor, taking into account an understanding of the engagement circumstances and risks.
3. Performing the planned audit procedures in order to obtain sufficient appropriate audit evidence to determine (and then support) the auditor’s conclusion and opinion on the financial statements.
4. Evaluating the audit evidence gathered, forming the audit opinion on the basis thereof and expressing this opinion in the auditor’s report.
Limited assurance engagements

Limited assurance engagements are also engagements in which the auditor draws a conclusion and expresses an opinion in terms of suitable criteria, for example, a financial reporting framework (like IFRS). However, the procedures performed by the practitioner in this type of engagement, and consequently the assurance provided, are more limited than in the case of a reasonable assurance engagement. An example of a limited assurance engagement includes the independent review required by the Companies Act for certain types of companies (refer to Chapter 3). The practitioner applies a process that is prescribed by the International Standards on Review Engagements (ISREs) in order to form an opinion, which conveys only limited assurance, on the subject matter being reviewed (such as financial statements or internal controls). The process to perform an independent review of financial information is discussed more fully in Chapter 16.

Figure 1.3: Audit process link to financial statements and the auditor’s opinion

1.4.5.3.2 Non-assurance engagements

Practitioners sometimes perform engagements where no opinion is expressed and consequently no assurance is provided. These engagements are sometimes referred to as non-assurance engagements. Examples are compiling (preparing) financial statements, consulting, business advisory services and estate planning services.

CRITICAL THINKING
What kind of engagement (assurance or non-assurance) is the preparation of an income tax return by a practitioner? And expressing an opinion on the fair presentation of a SARS creditor balance in the Statement of Financial Position?
Preparation of the tax return is a non-assurance engagement, whereas expressing an opinion on the fair presentation of the SARS creditor balance is an assurance engagement.
1.4.6 The definition of an external audit

External auditing is a systematic process of obtaining and considering evidence and information objectively regarding assertions about economic actions and events (contained in the auditee’s financial statements) to evaluate the degree of correlation between those assertions and predefined criteria and to communicate the results in writing to the users of the financial statements.16

Some of the elements of this definition are elaborated on below:
• Systematic process
An audit entails the auditor following an organised and logical process. This process is referred to as ‘the audit process’ and is prescribed by the ISAs. Refer to Chapter 11 for more details on this.
• Obtaining and considering evidence and information
The auditor has to gather sufficient and appropriate audit evidence about management’s assertions on the account balances, classes of transactions and disclosures in the financial statements and consider this evidence to determine the nature of the audit opinion to be expressed.
• Objectively
‘Objectively’ implies that the auditor has no significant personal interest in or ties with the entity that is being audited. This allows an objective, professional approach to the work to be performed and to formulating the opinion to be expressed.
• Evidence regarding the assertions about economic actions and events
The auditor has to obtain sufficient appropriate audit evidence about the assertions that management made in the financial statements (refer to 1.3.3 in this chapter) to ensure that these assertions are free from material misstatement (whether due to fraud or error). This is achieved by performing audit procedures. Using Ntsimbi Piping’s PPE as an example, the applicable assertions are valuation and allocation, existence, completeness and rights. (The presentation and disclosure assertions have been omitted in this example.)
The auditor has to evaluate whether he or she has gathered sufficient appropriate audit evidence to ensure that R43,169,987 of PPE actually exist (to support the existence assertion) as at 31 December 20X1, that the appropriate carrying amount of the PPE is actually R43,169,987 (to support the valuation assertion), that all the PPE have been included in the R43,169,987 shown on the Statement of Financial Position (to support the completeness assertion) and that Ntsimbi Piping has the right of use of the PPE (to support the rights assertion).
• Evaluate correlation [of assertions] with predefined criteria
The auditor has to evaluate whether the financial statements comply with predetermined criteria. An example of the predetermined criteria for financial statements is the IFRS. The auditor has to ensure that, for instance, the PPE as recognised, measured, presented and disclosed in the financial statements is consistent with the IFRS requirements relating to property, plant and equipment (as contained in IAS 16 on Property, Plant and Equipment).
• Communicate results
The auditor has to communicate the results of the audit process. The results are reported, in writing, in the auditor’s report (refer to page 2 of the financial statements of Ntsimbi Piping). The ISAs prescribe various types of auditor’s reports to be issued in various circumstances. These are discussed in Chapter 15.
• To users
The users of the financial statements are any stakeholders that would use the auditor’s report, and may include the shareholders, employees, investors and providers of debt finance. For audits of South African companies, the users specifically identified in the auditor’s report are the company’s shareholders.

1.4.7 Auditing postulates

To postulate is defined by the Webster online dictionary as: To assume or claim as true, existent, or necessary.17

Mautz and Sharaf documented the auditing postulates in the Philosophy of Auditing, which was published by the American Accounting Association in 1961.
These postulates provide the outline for the theory of auditing. They also form the basis of the IFAC International Code of Ethics for Professional Accountants, which was adopted (with a few modifications) by The South African Institute of Chartered Accountants and in part by the Independent Regulatory Board for Auditors in South Africa. (These bodies are discussed in section 1.6 of this chapter, whereas the codes of professional conduct are discussed in Chapter 2).

The postulates (‘assumed truths’) can be summarised as follows:
• Truth and fairness
  • Financial statements and financial data are verifiable.
    • This postulate refers to the fact that it is possible to verify the client’s financial statements. This is necessary to make it possible to perform an audit, as the auditor verifies whether the financial statements are true and fair or not.
  • The financial statements and other information submitted for verification are free from collusive and other irregularities.
    • When starting the audit, the auditor can assume that management has taken the necessary steps to ensure that there has been no deliberate attempt to misstate the financial statements.
  • Consistent application of generally accepted accounting principles results in the fair presentation of financial position and the results of operations.
    • This assumes that if the client applies one of the financial accounting frameworks (e.g. IFRS), fair financial presentation will occur.
  • In the absence of clear evidence to the contrary, what has held true in the past for the enterprise under examination will hold true in the future.
    • If no evidence is found to the contrary, the auditor assumes that the integrity of the management of the company will stay the same in future years.
• Independence
  • There is no conflict of interest between the auditors and the management of the enterprise under audit.
    • This assumes that the management of the company and the auditor of the company share the same goal, namely that the financial statements provide a fair presentation.
  • The professional status of the independent auditor imposes commensurate professional obligations.
    • The professional status of the auditor brings the responsibility of professional behaviour, professional competence and due care, objectivity, confidentiality and integrity. This also assumes that he or she has the knowledge and capabilities to perform the audit.
  • When examining financial data for the purpose of expressing an independent opinion thereon, the auditors act exclusively in the capacity of auditor.
    • In order for the audit opinion to be reliable, the auditor needs to be, and be seen to be, objective. The focus of the auditor should be to express an opinion on the financial statements and not on other services he or she can provide to the audit client.18

1.4.8 Types of auditors

1.4.8.1 External auditor

This type of auditor works for an external auditing firm and is not an employee of the entity under audit. These auditors express an independent opinion on the fair presentation of the financial statements of the auditee. The external audit therefore provides third parties with assurance about the auditee’s financial statements. This increases the level of confidence of third-party users in the reliability of the financial statements, and increases their willingness to use them as a basis for taking economic decisions. Refer to Chapter 3 for the Companies Act requirements relating to external auditors.

1.4.8.2 Internal auditor

The internal auditor is an employee (or outsourced provider) who provides to the employer independent, objective assurance and consulting services designed to add value to and improve the employer’s operations.
This assists the management of an organisation to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, internal control and governance processes. It includes a review of the adequacy and effectiveness of the internal controls of the organisation. To ensure the independence of the internal auditor, the internal audit department reports to the audit committee, which comprises exclusively independent non-executive directors.19

1.4.8.3 Government auditor
The government auditor is an auditor who objectively performs investigations of local and national government departments and issues reports to the government. These audits aim to increase the confidence of stakeholders (including the public) in government departments’ functioning and reporting. The government auditor in South Africa is called the Auditor-General.

1.4.8.4 Forensic auditor
The forensic auditor performs an independent investigation into fraud or fraudulent activities. On completion of the engagement, the forensic auditor usually issues a report to the party that appointed him or her and this report is often used in a court of law.

1.5 What are examples of major corporate accounting scandals in recent years?
A corporate accounting scandal usually involves unethical behaviour by people relating to a company’s financial statements. A few examples of well-known recent international and local corporate accounting scandals are summarised below.

1.5.1 International corporate accounting scandals

Enron

Why is the Enron scandal important?
• Enron was one of the largest energy companies in the USA, and at one time was the seventh-largest Fortune 500 Company and the sixth-largest energy company in the world.
• Enron was considered to be one of the top ten admired companies in the USA and one of the most desired places to work for.
• At the time the Enron scandal occurred, it was one of the largest bankruptcies in the history of the USA.
Shareholders lost nearly $11 billion when the share price plummeted from a high of $90 to $1 by the end of November 2001. Nearly 5 600 Enron employees lost their jobs.
• The Enron employees suffered significant losses, as about 63% of their assets were held in Enron shares.
• The Enron directors, including Kenneth Lay, Jeffrey Skilling and Andrew Fastow, earned enormous sums of money from salaries and share options. Many believe that this was done at the expense of other employees and investors.
• Few people foresaw the collapse. A week before the Enron collapse, share analysts rated the share as a share to consider investing in.

What went wrong at Enron?
• The Enron management team did not comply with some of the cornerstones of sound corporate governance practices, namely transparency and accountability.
• The Enron executive management employed special purpose entities, accounting loopholes and poor financial reporting practices to hide billions of dollars of debt from failed projects (i.e., the debt was housed in special purpose entities which were not reflected in the consolidated financial statements).
• The executive management misled the audit committee, shareholders and other stakeholders with these fraudulent accounting practices.
• They also pressured the auditing firm responsible for the external audit of Enron, Arthur Andersen, to overlook these inappropriate accounting issues.

How was the fraud discovered at Enron?
• On 15 August 2001, Sherron Watkins, the vice president for corporate development at Enron, wrote a letter to Kenneth Lay, the chief executive officer (CEO) of Enron. In the letter, she expressed her concerns about Enron’s accounting practices utilised in preparing the financial statements.
• On 16 October 2001, Enron announced that restatements of the financial statements for the 1997 to 2000 financial years were necessary to correct inappropriate accounting practices.
The restatements reduced the earnings of Enron by $613 million, increased liabilities by $628 million and reduced equity by $1,2 billion.
• On 22 October 2001, the Securities and Exchange Commission (SEC) in the USA began an investigation into the accounting practices of Enron.
• On 2 December 2001, Enron Corporation applied for bankruptcy.
• A number of Enron executives were subsequently found guilty on a variety of charges and were sentenced to imprisonment.

What did the auditing firm (Arthur Andersen) do?
• Arthur Andersen had conflicts of interest with Enron because the firm received excessive consulting fees from Enron, creating threats to its independence as Enron’s external auditor. During 2000, Arthur Andersen earned $25 million in audit fees and $27 million in consulting fees from Enron. This also represented 27% of the audit fees for public clients of Arthur Andersen’s Houston office.
• Many of Andersen and Enron’s management went on annual golf holidays together, accompanied each other to ski outings and lunch, and played games against each other, which clearly could influence the perceived independence of Andersen.

This resulted in the following:
• Arthur Andersen accepting Enron’s accounting policies and the deferral of the recognition of expenses from special purpose entities in the group.
• The lead audit partner assigned to the Enron audit knew of the irregularities that existed at Enron and brought it to the attention of Arthur Andersen’s professional standards board, yet decided not to qualify the auditor’s report.
• On 12 October 2001, Arthur Andersen’s partner in charge of the Enron audit informed the audit managers to comply with Andersen’s document retention policy by only keeping documentation for a certain period. This partner felt that if documents were destroyed in the course of normal business policy and litigation was filed the next day, then it could be argued that the policy had been followed.
He observed the audit team members shredding documents and deleting computer files related to the Enron audit. On 29 November 2001, the SEC started investigating Arthur Andersen.
• On 31 August 2002, Arthur Andersen voluntarily surrendered its licences to practise as Certified Public Accountants (the equivalent of the Registered Auditor qualification in South Africa), after being found guilty of criminal charges relating to the firm’s audit of Enron. The verdict was later overturned by the Supreme Court, but the damage done to Andersen’s reputation made it difficult for it to return as a viable business. Today, Arthur Andersen no longer exists.20

WorldCom

Why is the WorldCom scandal important?
• WorldCom was the second-largest long-distance telecommunications and data-services provider company in the USA.
• WorldCom was once the fifth most widely held company in the USA and was rated first for the best return to shareholders over a ten-year period.
• Scott Sullivan, the CFO of WorldCom, was once the highest-paid CFO in the USA and was well regarded by Wall Street. In the late 1990s, he received the CFO Excellence Award from the CFO Magazine for work done in regard to mergers and acquisitions.
• WorldCom made corporate history when it acquired MCI, a company three times its own size. The acquisition was financed by debt.
• The WorldCom bankruptcy was the largest bankruptcy in the history of the USA at the time (21 July 2002). It was twice as large as Enron’s record-setting bankruptcy filed in December 2001.

What went wrong at WorldCom?

Abuse of power 1: Company loans granted to CEO
• The CEO of WorldCom, Bernard Ebbers, owned WorldCom shares and became wealthy because of the rising share price of WorldCom shares.
• In 2000, the telecommunications industry experienced losses and WorldCom’s share price began to drop.
• Bernard Ebbers financed personal investments in farms and plantations with loans secured by his WorldCom shares.
When the loan balances exceeded the value of the security provided (in the form of WorldCom shares) because of the drop in the share price, the banks forced Ebbers to pay back the loans.
• Bernard Ebbers convinced the board of directors to provide him with loans and guarantees in excess of $400 million to cover these loans. These loans were provided to Ebbers at a very low interest rate.

Abuse of power 2: Inappropriate accounting practices
Under the direction of Bernard Ebbers, Scott Sullivan (CFO) and senior accounting staff used fraudulent accounting practices to conceal WorldCom’s declining earnings in order to stabilise or increase the share price. Simplistically, the fraudulent accounting practices involved the classification of expenses in the amount of $3,8 billion as capital expenditures (assets) contrary to the requirements of Generally Accepted Accounting Principles (GAAP). This concealed WorldCom’s losses because capital expenditures reduce profit (in the form of depreciation/amortisation) over a long period of time, whereas expenses must be deducted from profits in the period when incurred.

How was the fraud discovered at WorldCom?
In 2002, the WorldCom internal audit division received an anonymous tip-off about the fraud. A small team of WorldCom internal auditors worked together, often at night and in secret, to investigate. They discovered $3,8 billion worth of fraud.
• WorldCom’s audit committee and board of directors were notified of the fraud.
• Scott Sullivan (CFO) was fired and David Myers, the comptroller (chief accountant), resigned.
• Arthur Andersen withdrew its audit opinion expressed on the 2001 financial statements.
• The SEC launched an investigation into these matters on 26 June 2002.
• On 21 July 2002, WorldCom applied for bankruptcy. By the end of 2003, it was estimated that the company’s total assets had been inflated by around $11 billion.

What were the effects of the WorldCom scandal?
The WorldCom scandal had the following effects:
• WorldCom shares became worthless.
• Lenders suffered losses on their loans.
• Some 17 000 employees lost their jobs at WorldCom.
• Bernard Ebbers and other WorldCom directors and accounting officers were arrested for accounting manipulations. On 15 March 2005, Ebbers was found guilty of fraud, conspiracy and submitting false documents to the regulators. He was sentenced to 25 years’ imprisonment. The other former WorldCom officials were fined with criminal penalties for the financial misstatements.

What went wrong with the WorldCom audit?
The external auditor of WorldCom was also Arthur Andersen. The SEC in their investigations found that there were the following flaws in the way Arthur Andersen conducted the audit:
• The audit focused on identifying risks and assessing whether adequate internal controls were in place to address these risks. Arthur Andersen, however, failed to identify significant risks and relied too heavily on the company’s controls, without establishing whether they were reliable. The WorldCom accounting personnel processed huge round-figure journal entries and reversals of entries without any supporting documentation. In performing their audit, Arthur Andersen relied heavily on WorldCom’s senior management for explanations of these entries.
• Arthur Andersen conducted analytical procedures and found only small variances in the financial statements, while the business environment was highly volatile. As a result, Arthur Andersen conducted very limited audit procedures in the area where accounting irregularities existed.
• The WorldCom personnel also refused Arthur Andersen access to certain accounting information or senior management altered certain information before it was provided to Andersen. These limitations were never reported to the audit committee.21

Parmalat

Why is the Parmalat scandal important?
• In the wake of the Enron and WorldCom scandals, Europe’s CFOs insisted that a financial statement fraud of this magnitude could not occur in Europe.
• Parmalat was the largest Italian food company and the fourth-largest food company in Europe.
• When it occurred, Parmalat was the largest bankruptcy case in European history, representing 1.5% of Italy’s gross national product – proportionally larger than the ratio of the combined Enron and WorldCom bankruptcies to the US gross national product.

What went wrong at Parmalat?
• In 1997, Parmalat financed several acquisitions using debt. Parmalat borrowed money from global banks and justified those loans by inflating revenues through fictitious sales to retailers.
• By 2001, many of the new acquisitions showed losses and the company financing shifted to the use of derivatives.
• Parmalat’s top management, an outside lawyer and two auditors from Grant Thornton in Italy, Mr Penca and Mr Bianchi, designed an illegal vehicle to hide Parmalat’s debt and thereby transferred debt to offshore shell companies.
• A fictitious supplier in Singapore was created and supposedly supplied 300 000 tons of milk powder to Bonlat, a Cayman Island subsidiary of Parmalat.
• Fictitious assets of $4,9 billion were shown on the financial statements of Parmalat as being held at the Bank of America in the Cayman Islands, while no such bank account in fact existed.

How was the fraud discovered at Parmalat?
• In February 2003, the then CFO of Parmalat, Fausto Tonna, announced a new bond issue of €500 million. This came as a surprise to the markets and the CEO, Calisto Tanzi. Tonna was forced to resign and was replaced by Alberto Ferraris. Ferraris was surprised that he did not have access to some of Parmalat’s accounting records. He got suspicious and started an enquiry as he suspected that the company’s debt amounted to more than double that shown on the company’s financial statements.
The plans for the funding were dropped in September 2003 and the company’s shares depreciated significantly after publicly raised concerns about certain transactions.
• There was a change in Italian legislation requiring companies to rotate auditing firms every nine years. Deloitte & Touche replaced Grant Thornton as auditors.
• Deloitte & Touche inquired about the Cayman Island bank account in December 2002. In March 2003, the auditing firm received a letter on a Bank of America letterhead confirming the existence of the account. The letter was later found to be a forgery by someone in Parmalat’s head office.
• On 19 December 2003, the Bank of America confirmed that the bank confirmation was a forgery.
• On 20 December 2003, the Italian Prime Minister, Silvio Berlusconi, started a fraud investigation.

What happened to Parmalat?
• On 24 December 2003, Parmalat filed for bankruptcy.
• During the bankruptcy investigations in 2004, Parmalat’s debts were reported to be €14,3 billion, eight times what the company had admitted. After initial denials, Luca Sala, Bank of America’s former chief of corporate finances in Italy, admitted to participating in a kickback scheme with Parmalat. In October 2004 Parmalat’s creditors sued the former bankers, Bank of America Citigroup, and former auditors, Deloitte & Touche and Grant Thornton, for $10 billion in damages each.
• Two years after the accounting scandal, in 2005, Parmalat was ready to return with a streamlined global structure, a focus on core brands and a range of new products on supermarket shelves. Tighter internal controls were introduced.
• The founder and former CEO of Parmalat was sentenced to eight years’ imprisonment and was ordered with the other convicted managers of Parmalat to pay €2 billion to the new Parmalat.

What went wrong with the Parmalat audit?
• Grant Thornton served as the external auditors for Parmalat Finanziaria Spa, the parent company of the Parmalat group, from 1990 to 1998.
This was a long time and gave rise to the following:
  • Contrary to the spirit of the law, Grant Thornton, through Mr Penca and Mr Bianchi, remained the auditors of the Cayman Island-based Bonlat Financing Corporation (‘Bonlat’), a wholly owned subsidiary of Parmalat. The fictitious Bank of America account was held in this subsidiary. Grant Thornton established Bonlat and it is alleged that the Grant Thornton partners knew about the fraud and were concerned about Deloitte & Touche taking over the external audit.
  • Mr Penca and Mr Bianchi, the two Grant Thornton partners, assisted Parmalat’s management in setting up fictitious companies and structuring fake transactions. They were later arrested for fraud.
Deloitte & Touche, responsible for the audit of the Parmalat parent company, was accused of not performing sufficient audit procedures earlier and agreed to pay Parmalat compensation amounting to $149 million.22

1.5.2 South African corporate accounting scandals

Steinhoff International Holdings N.V. (Steinhoff)

Why is the Steinhoff scandal important?23
• Steinhoff is the holding company of a furniture and household goods group and operates in Europe, Africa, Asia and the United States. Steinhoff was originally founded in Germany and later acquired 35% of the South African based company Gomma-Gomma, after which it moved its headquarters to South Africa. It listed on the Johannesburg Stock Exchange (JSE). In December 2015, Steinhoff International moved its primary listing to the Frankfurt Stock Exchange, but remained dual listed on the JSE. The group founded a new Dutch holding company based in Amsterdam. The group seemingly went from strength to strength. Market analysts encouraged investors to invest in the group.
• Shares in Steinhoff International have lost over 85% of their value since the announcement of the scandal described below.
Investors lost billions of rands as the market capitalisation of the company decreased from R200bn at the start of December 2017 to R20bn on 5 December 2017. Many South African civil servants, whose pensions were invested in Steinhoff, have lost billions of rands. Ahead of the crisis, Steinhoff was one of the 15 largest companies listed on the JSE.24

What went wrong at Steinhoff?
Allegations against Steinhoff suggest that it used off-balance-sheet vehicles to inflate accounting earnings. These allegations include the following:25
• Steinhoff issued loans for the purchase of loss-making subsidiaries. They recognised interest revenue on these loans as part of income from subsidiaries.
• Loans were issued to companies in which current and previous board members of Steinhoff had interests and these were not accounted for as related party transactions.
• Two loss-making subsidiaries, JD Consumer Finance and Capfin, were moved to off-balance-sheet entities. Steinhoff recently only purchased the profitable portions of these two companies to enable them to recognise revenue and keep the non-performing loans off the financial statements.

It should be noted that at the time of writing, these allegations have not yet been proven – as the forensic investigation (undertaken by PwC) is still in progress. However, what is known is that there are material misstatements in the 2015 and 2016 annual financial statements, as the company has publicly announced that these can ‘no longer be relied upon’.26

How was the fraud discovered at Steinhoff?27
• In 2015, German authorities launched an investigation into possible accounting fraud. Rumours of accounting fraud and financial irregularities had been made for years, but many investors dismissed these allegations. An article published in August 2017 by Manager, a German magazine, suggested that CEO Markus Jooste, amongst others, was suspected of financial irregularities.
In reaction to this article the directors issued a statement that they were confident that they would be able to defend the actions successfully.
• The Steinhoff auditors, Deloitte, raised issues in September 2017 for management to resolve. On 5 December 2017, confirmation of accounting irregularities was received by Steve Booysen, the chairman of the audit committee, from Markus Jooste. Deloitte refused to sign off on the 2017 audit. Steinhoff’s board requested the then CEO Markus Jooste to explain the accounting entries and cash flows of certain transactions, but he never arrived and then resigned the same evening, followed by the resignation of the company’s CFO, Ben la Grange.28

What happened to Steinhoff?
Following the public announcement of the CEO’s resignation, and the surrounding circumstances, the company’s share price immediately dropped more than 60% (from a closing price on the JSE of R45,65 on 5 December 2017 to a closing price of R17,61 on 6 December 2017). On 7 December 2017, the credit rating agency Moody’s downgraded Steinhoff’s credit rating from an investment grade blue-chip share to junk status. On 8 December 2017, the share plummeted a further 41% to R5,83 per share: a total plunge of 90% in a few days.

At the time of writing, Steinhoff continues to trade in more than 30 countries.29 But what is evident is that the company is facing significant liquidity problems, and has had to sell some of its investments (e.g. in JSE-listed company, PSG) in order to support the group’s liquidity position. The professional services firm PwC was also appointed by the board of directors to undertake an investigation into the accounting irregularities, and at the time of writing this investigation is still in progress. The Financial Services Board further confirmed that it is investigating cases of possible insider trading in Steinhoff shares between August 2017 and December 2017.

What did the auditing firm do?
At the time of writing, the Independent Regulatory Board for Auditors (IRBA) is in the process of reviewing the conduct of Deloitte South Africa in relation to the audit of Steinhoff’s (and its subsidiaries’) financial statements. The former CEO of Steinhoff, Markus Jooste, insisted that the audits of the European operations were conducted by a number of smaller German and Austrian auditing firms and the European operation’s figures were then consolidated by Commercial Treuhand, a German consultant company, a huge responsibility for a firm of its size and possibly easy to convince to not consolidate some of the operations.30

The Dutch Authority for Financial Markets is also investigating the Dutch branch of Deloitte in relation to the alleged accounting irregularities at Steinhoff. This branch of Deloitte audited Steinhoff’s financial statements from 2016 onwards and issued unmodified audit opinions on both the 2015 and 2016 financial statements. After Steinhoff’s announcement that the 2016 financial statements need to be restated, Deloitte withdrew its approval to use their audit opinion.31

Since Steinhoff’s holding company is registered in the Netherlands, the Dutch law firm BarentsKrans instituted legal proceedings against Steinhoff and Deloitte on behalf of shareholders of Steinhoff. The legal proceedings will be conducted in the Netherlands, but Steinhoff’s shareholders from across the world are eligible to participate.32

1.6 What are the structures of the accounting and auditing professions?

1.6.1 Professional bodies
A profession can be defined as an occupation that involves the attainment and the application of specialised training and education and which also has a set of strict ethical standards that need to be complied with.
Each profession has a coordinating body called a professional body, which performs a number of functions, including the following:
• Sets and assesses professional examinations in order to determine who may become a member of the professional body;
• Provides support for continuing professional development through learning opportunities and tools for recording and planning;
• Publishes professional journals or magazines;
• Provides networks for professionals to meet and discuss their field of expertise;
• Issues a code of conduct to guide professional and ethical behaviour; and
• Deals with complaints against professionals and implements disciplinary procedures.33

CRITICAL THINKING
What professions are you aware of?
Professions include the following:
• Doctors
• Lawyers
• Auditors
• Engineers
• Accountants
• Nurses

1.6.2 International accounting bodies

1.6.2.1 International Federation of Accountants (IFAC)
IFAC is the global organisation for the accountancy profession and its mission is to serve the public by strengthening the worldwide accountancy profession and contributing to the development of strong international economies by:
• Establishing and promoting adherence to high-quality professional standards;
• Furthering the international convergence of such standards; and
• Speaking out on public interest issues where the profession’s voice is most relevant.

High-quality international accounting and auditing standards enable investors and others to compare enterprises in a transparent way and, therefore, make more informed investing decisions, while also increasing investor confidence.
This in turn strengthens global markets and trade by:
• Promoting more efficient markets;
• Reducing economic uncertainty;
• Enhancing international financial stability;
• Strengthening economic growth and development in emerging economies;
• Increasing foreign direct investment; and
• Promoting the growth and development of small and medium-sized entities, which are key drivers of economic growth.

IFAC’s standard-setting committees have been established to develop international standards and guidance and to focus on specific sectors of the profession. These committees include the following:
• International Auditing and Assurance Standards Board (IAASB)
The IAASB is an independent standard-setting body that aims to set high-quality international standards for auditing, assurance and related services and facilitates the convergence of international and national auditing and assurance standards. In doing so, the IAASB enhances the quality and consistency of audit and assurance practices throughout the world and strengthens public confidence in the global auditing and assurance profession.
• International Ethics Standards Board for Accountants (IESBA)
The IESBA sets high-quality ethical standards for professional accountants and facilitates the convergence of international and national ethical standards, including auditor independence requirements, through the development of a robust, internationally appropriate code of ethics.
• International Accounting Education Standards Board (IAESB)
The IAESB is an independent standard-setting body that serves the public interest by strengthening the worldwide accountancy profession through the development and enhancement of accountancy education, which encompasses professional knowledge, skills, values, ethics and attitudes.
Through its activities the IAESB enhances education by developing and implementing International Education Standards, which aims to ensure certain minimum competence requirements for the global accountancy profession.34

1.6.2.2 The International Accounting Standards Board (IASB)
The IASB is the independent standard-setting body of the International Financial Reporting Standards (IFRS) Foundation. Its members (currently 15 full-time members) are responsible for the development and publication of IFRS (including the IFRS for small and medium-sized enterprises) and for approving Interpretations of IFRS as developed by the IFRS Interpretations Committee (formerly called the IFRIC). The IASB believes in transparency in the standard-setting process. To ensure that this happens, all meetings of the IASB are held in public and are webcast. In fulfilling its standard-setting duties, the IASB follows a thorough, open and transparent due process of which the publication of consultative documents, such as discussion papers and exposure drafts, for public comment is an important component. The IASB engages closely with stakeholders around the world, including investors, analysts, regulators, business leaders, accounting standard-setters and the accountancy profession.35

1.6.3 Structure of the accounting and auditing professions in South Africa

1.6.3.1 Professional bodies related to the accounting profession in South Africa
A number of professional accountancy bodies operate in South Africa. These include the following:
• The South African Institute of Chartered Accountants (SAICA)
SAICA, established in 1980, is a body registered with IFAC and protects the interests of its members (i.e. Chartered Accountants (SA)). SAICA is a non-profit, voluntary body that provides a wide range of services to its members and associates.
SAICA’s mission is to serve the interests of the chartered accountancy profession and society by upholding professional standards and integrity, and the pre-eminence of South African chartered accountants nationally and internationally.36
• Certified Institute of Management Accountants (CIMA)
CIMA is a United Kingdom-based professional body that offers training and qualification in management accountancy and related subjects, focused on accounting for business. CIMA is the largest management accounting body in the world. CIMA is also a member of IFAC. CIMA’s purpose is to develop the management accounting profession worldwide. CIMA has established a position as a leading professional body in areas of, among other things, product costing, budgeting, management accounting, investment appraisal and business decision making.37
• Association of Chartered Certified Accountants (ACCA)
ACCA is the global body for professional accountants offering the Chartered Certified Accountant qualification. ACCA’s aim is to provide a professional qualification in areas of accountancy, finance and management. ACCA is a member of IFAC.38
• South African Institute for Professional Accountants (SAIPA)
SAIPA was formerly known as the Institute of Certified Public Accountants of South Africa. Members of this body, known as Professional Accountants (SA), ordinarily perform accounting and tax work, but may not perform audit engagements. The qualification provides valuable services to small- and medium-sized companies, for example, by making sure that there is proper record keeping and compliance with legislation (including tax legislation).
SAIPA is also a member of IFAC.39
• Institute of Internal Auditors (IIA)
Established in 1941, the Institute of Internal Auditors (IIA) performs the following roles for the internal audit profession:
  • Acts as the internal audit profession’s global voice;
  • Researches and disseminates knowledge concerning internal auditing and its role in control, risk management, and governance;
  • Advocates and promotes the value that internal audit professionals add to their organisations; and
  • Provides educational and development opportunities to its members.
The professional body’s global membership of more than 180 000 works primarily in internal auditing, risk management, governance, internal control, information technology audit, education, and security.40
• Southern African Institute of Government Auditors (SAIGA)
Founded in 1988, this professional body aims to promote and advance accountability and auditing, not only in the public (government) sector, but also in the private sector. The Institute further specifically administers a public register of its members who are entitled to the designation ‘Registered Government Auditor (RGA)’. (The RGA is recognised as the highest qualification in public sector auditing in Southern Africa.)41

Visit the websites of these bodies to learn more about them.

1.6.3.2 Regulator of the auditing profession in South Africa
In South Africa, registration with the Independent Regulatory Board for Auditors (IRBA) is required to be able to practise as a Registered Auditor (e.g. to perform external audits of company financial statements). To register with the IRBA as a Registered Auditor, one must comply with the prescribed education, training, competency and continuous professional development requirements of the IRBA. The IRBA is the statutory body regulating the auditing profession in South Africa. The IRBA is established by the Auditing Profession Act 26 of 2005.
The mission of the IRBA is to protect the financial interests of the South African public and international investors in South Africa through the effective regulation of audits conducted by Registered Auditors, and in accordance with internationally recognised standards and processes. The IRBA oversees the registration of Registered Auditors in South Africa and ensures that services are delivered in accordance with the ISAs and ethical standards. The IRBA:
• Sets and applies the education, training and professional development requirements for registration as a Registered Auditor;
• Is involved in the setting and maintaining of auditing and ethics standards, based on international standards;
• Performs inspections of the audit work undertaken by Registered Auditors in South Africa to ensure that they comply with standards; and
• Provides procedures for disciplinary processes against Registered Auditors in respect of improper conduct.42

Assessment questions
For questions 1 to 4, select the correct answer:
1. The purpose of accounting records is/are: (More than one option is possible.) (LO 1)
   a) To ensure that records of transactions are kept
   b) To ensure an effective financial management system
   c) To ensure that management has evidence of transactions and balances
   d) To ensure that financial statements can be audited
2. Who is responsible for the financial statements that are published by a company? (Only one option is possible.) (LO 1 & 7)
   a) The auditors of the company
   b) The directors of the company
   c) The shareholders of the company
   d) The directors and the auditors of the company
3. The setting of auditing standards in South Africa is the responsibility of the: (LO 13)
   a) International Auditing and Assurance Standards Board
   b) International Ethics Standards Board for Accountants
   c) International Accounting Standards Board
   d) Institute of Chartered Accountants
   e) Independent Regulatory Board for Auditors
4. IASB is the abbreviation for: (LO 13)
   a) Internal Accounting Standards Board
   b) Internal Auditing Standards Board
   c) International Auditing Standards Board
   d) International Accounting Standards Board
5. Describe the assertions contained in the financial statements. (LO 3)
6. What assertions does management make in relation to sales revenue? (LO 4)
7. What requirements are prescribed by the Companies Act for financial statements prepared and issued by companies in South Africa? (LO 2)
8. Explain the need for external auditors. (LO 6)
9. What were the driving forces that led to the establishment of company audits in South Africa? (LO 11)
10. What is the main purpose of an audit? (LO 5 & 6)
11. Explain the difference between assurance and non-assurance engagements. (LO 10)
12. What types of services can an auditor provide? (LO 10)
13. Explain why an auditor can only provide reasonable assurance and not absolute assurance. (LO 9)
14. What is the definition of an audit? (LO 5)
15. What are the postulates of auditing? (LO 12)
16. Name four types of auditors. (LO 10)
17. Discuss one major event that affected the auditing profession (i) locally and (ii) internationally and give a reason why you think it affected the auditing profession. (LO 11)
18. What is a profession? (LO 11)
19. List the four major stages in the audit process. (LO 8)

For questions 20 to 24, indicate whether the statement is true or false:
20. The IRBA is the regulator responsible for the auditing profession in South Africa. (LO 13)
21. Conflicts of interest can occur between the shareholders of a company and the management of a company. (LO 11)
22. The auditor has to test all the transactions that occurred during a reporting period of the auditee and thereby provide reasonable assurance to users. (LO 5)
23. The objective of financial statements is to provide all information about the reporting entity. (LO 5 & 9)
24. The external audit can add value by encouraging good corporate governance in a company. (LO 6)

1 Bacchus, M. [Online]. Available: https://www.ft.com/content/235e3dc2-2c31-11e8-9b4bbc4b9f08f381 [Accessed 23 March 2018].
2 Jenkinson, G. [Online]. Available: https://cointelegraph.com/news/no-more-cookedblocks-mainstream-auditors-enter-the-fray [Accessed 23 March 2018].
3 ICAEW. [Online]. Available: http://www.icaew.com/~/media/Files/Technical/Audit-andassurance/audit-quality/audit-quality-forum/agency-theory-and-the-role-of-audit.pdf [Accessed 14 February 2013].
4 [Online]. Available: http://www.businessdictionary.com/definition/accountingrecords.html#ixzz1yKiqUi7m
5 ICAEW. [Online]. Available: http://www.icaew.com/~/media/Files/Technical/Audit-andassurance/audit-quality/audit-quality-forum/agency-theory-and-the-role-of-audit.pdf [Accessed 14 February 2013].
6 IFRS. [Online]. Available: http://www.ifrs.org/Current-Projects/IASB-Projects/FinancialStatement-Presentation/Phase-B-OCI/IAS-1-Presentation-of-FinancialStatements/Pages/IAS-1-Presentation-of-Financial-Statements.aspx [Accessed 14 February 2013].
7 A cryptocurrency is a medium of exchange much like the US dollar. Like the US dollar, cryptocurrency has no intrinsic value in that it is not redeemable for another commodity, such as gold. Unlike the US dollar, however, cryptocurrency has no physical form, is not legal tender, and is not currently backed by any government or legal entity.
8 PWC. Accounting for cryptocurrency. [Online]. Available at: http://pwc.blogs.com/ifrs/2017/11/accounting-for-cryptocurrency.html [Accessed 23 March 2018].
9 [Online]. Available: http://www.oecd.org/corporate/ca/corporategovernanceofstateownedenterprises/37178451.pdf [Accessed 19 February 2013].
10 [Online]. Available: www.charteredaccountants.com.au.%2F~%2Fmedia%2FFiles%2FStudents%2FEducators%2FThe%2520role%2520and%2520function%2520of%2520external%2520auditors.ashx&ei=eBMjUbjTK8yb1AWi3oCwBw&usg=AFQjCNGL86jSGUdvW4M0jB38Ucnn8Z8v5g&sig2=7VmVOhzWnipJHBNCdzmB_g [Accessed 19 February 2013].
11 SAICA’s guide on the value of an audit, available from SAICA.
12 Arjarquah YK. [Online]. Available: http://repository.regentghana.net:8080/jspui/bitstream/123456789/86/1/yaw%20takyi%20arjarquah.pdf [Accessed 21 February 2013].
13 Verhoef G. Economic integration through knowledge integration. The impact of IFRS on the globalisation of accounting firms and corporate business in South Africa. [Online]. Available: http://apebh2012.files.wordpress.com/2011/05/verhoef-economic-integrationthrough-knowledge-integration.pdf [Accessed 3 September 2012]. SAICA, SAICA History. [Online]. Available: https://www.saica.co.za/About/SAICAHistory/tabid/70/language/enZA/Default.aspx [Accessed 3 September 2012]. Hoosain, K. 2006. Accountancy SA. [Online]. Available: http://www.accountancysa.org.za/resources/ShowItemArticle.asp?Article=The+end+marks+the+beginning&ArticleId=784&Issue=543 [Accessed 3 September 2012].
14 Institute of Chartered Accountants in Australia. [Online]. Available: www.charteredaccountants.com.au%2F~%2Fmedia%2FFiles%2FStudents%2FEducators%2FThe%2520role%2520and%2520function%2520of%2520external%2520auditors.ashx&ei=FxwnUfOVD8a_0QWKtYD4Ag&usg=AFQjCNGL86jSGUdvW4M0jB38Ucnn8Z8v5g&sig2=Ww6MneRZr8MaIMMrLkZErg [Accessed 22 February 2013].
15 SAICA Handbook, International Framework for Assurance Engagements, LexisNexis, Framework: 1–16.
16 [Online]. Available: http://www.accountingconcern.com/accounting-dictionary/auditing/
17 By permission. From Merriam-Webster.com (c) 2018 by Merriam-Webster, Inc. Merriam-Webster dictionary. [Online]. Available: http://www.merriamwebster.com/dictionary/postulate [Accessed June 2018].
18 What is auditing? [Online]. Available: http://www.goldsmithibs.com/freedownloads/Auditing/WhatisAuditing.pdf [Accessed May 2012].
19 Institute of Internal Audit. [Online]. Available: http://www.iiasa.org.za/about-us/about-theprofession/role-of-internal-audit.html [Accessed 28 February 2013].
20 [Online]. Available: http://writ.news.findlaw.com/aronson/20020124.html, http://faculty.mckendree.edu/scholars/2004/stinson.htm, http://www.sec.gov/rules/proposed/s71903/rwisethesis.pdf; Brennan, D.M. 2003. Enron and Failed Futures: Policy and Corporate Governance in the Wake of Enron’s Collapse, Social text 77, Vol 21 nr 4: 35–50. [Online]. Available: http://muse.jhu.edu/login?auth=0&type=summary&url=/journals/social_text/v021/21.4brennan.html [Accessed 10 September 2012]; SSRN. [Online]. Available: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=303181; Accountancy SA. [Online]. Available: http://www.accountancysa.org.za/archives/2004/2004Apr/features/02_Ethics.htm [Accessed April 2012]; Chicago Tribune, Ties to Enron blinded Andersen, 2002. [Online]. Available: http://www.chicagotribune.com/news/chi-0209030210sep03,0,7490166.stor [Accessed 11 September 2012].
21 SEC. [Online]. Available: ethics/dialogue/candc/cases/worldcom-update.html [Accessed 12 April 2012]; [Online]. Available: http://www.sec.gov/rules/proposed/s71903/rwisethesis.pdf, http://www.scu.edu/ethics/dialogue/candc/cases/worldcom-update.html; University of Mexico, 2011, WorldCom’s bankruptcy crises. 22[Online]. Available: http://danielsethics.mgt.unm.edu/pdf/WorldCom%20Case.pdf [Accessed 10 September 2012].
22 WSWS. [Online]. Available: http://www.wsws.org/articles/2004/jan2004/parm-j06.shtml; Larouchepub. [Online]. Available: http://www.larouchepub.com/other/2004/3102parmalat_invest.html [Accessed April 2012]; Ferrarini, G., Giudici, P. Financial scandals and the role of private enforcement: The Parmalat case. [Online]. Available: http://web.efzg.hr/dok/pra/hhorak/Ferrarini,Guidici%20The%20Parmalat%20case.pdf [Accessed 10 September 2012]; WSWS. [Online]. Available: http://www.wsws.org/articles/2004/jan2004/parm-j06.shtml; Larouchepub. [Online]. Available: http://www.larouchepub.com/other/2004/3102parmalat_invest.html [Accessed April 2012].
23 Cronje, J. [Online]. Available: https://www.fin24.com/Companies/Retail/a-steinhoff-guidefor-dummies-20171208 [Accessed May 2018].
24 Cowan, K & Crotty A. [Online]. Available: https://www.businesslive.co.za/rdm/business/2017-12-08-how-did-markus-jooste-losehis-billions/
25 Viceroy Research. [Online]. Available: https://viceroyresearch.files.wordpress.com/2017/12/steinhoff-article-viceroy2.pdf [Accessed March 2018].
26 Business Report. [Online]. Available: https://www.iol.co.za/business-report/steinhoff-sayswill-have-to-restate-2015-financial-statements-12607365 [Accessed May 2018].
27 Daehee & Co. [Online]. Available: https://daehee.com/steinhoff-scandal [Accessed March 2018].
28 Ensor, L. [Online] Available: https://www.businesslive.co.za/bd/companies/retail-andconsumer/2018-01-31-steinhoff-director-spills-the-beans-about-accounting-irregularitiesand-joostes-disappearing-act/ [Accessed March 2018].
29 Steinhoff Quarterly update. [Online]. Available: http://www.steinhoffinternational.com/downloads/2018/latestresults/Steinhoff%20trading%20update%20Q1%202018.pdf [Accessed March 2018].
30 Hogg, A. [Online] Available: https://www.biznews.com/undictated/2018/03/01/deloitte-sasteinhoff-worms-german-auditors [Accessed May 2018].
31 Ensor L. [Online]. Available: https://www.businesslive.co.za/bd/world/2017-12-22-dutchfinancial-authority-to-investigate-deloittes-audits-of-steinhoff [Accessed March 2018].
32 AccountancyAge. [Online]. Available: https://www.accountancyage.com/2018/02/02/shareholders-bring-lawsuit-againststeinhoff-and-deloitte [Accessed March 2018].
33 Total professions. [Online]. Available: http://www.totalprofessions.com/more-aboutprofessions/role-of-professional-bodies [Accessed April 2012].
34 IFAC. [Online]. Available: http://www.ifac.org [Accessed May 2012].
35 IFRS. [Online]. Available: http://www.ifrs.org/The+organisation/IASCF+and+IASB.htm [Accessed May 2012].
36 SAICA. [Online]. Available: https://www.saica.co.za [Accessed April 2012].
37 CIMA. [Online]. Available: http://www.cimaglobal.com [Accessed 7 March 2013].
38 CIMA. [Online]. Available: http://www.cimaglobal.com [Accessed 7 March 2013].
39 SAIPA. [Online]. Available: http://www.saipa.co.za [Accessed 7 March 2013].
40 IIA. [Online]. Available: https://na.theiia.org/about-us/Pages/About-The-Institute-ofInternal-Auditors.aspx [Accessed 25 January 2014].
41 SAIGA. [Online]. Available: http://www.saiga.co.za/mission.htm [Accessed 25 January 2014].
42 IRBA. [Online]. Available: http://www.irba.co.za [Accessed April 2012].

Ethics
CHAPTER 2
Henriëtte Scholtz

CHAPTER CONTENTS
Learning outcomes
Reference list
2.1 What is the nature of ethics?
2.2 Why do professions have codes of ethics?
2.3 What are the ethical codes and rules applicable to external auditors in South Africa?
2.4 What constitutes prohibited actions for the external auditor?
2.5 How do the SAICA and IRBA disciplinary processes work?
2.6 What is the content of the SAICA and IRBA Codes of Professional Conduct?
2.7 How does ethics fit into the audit process?
Assessment questions

LEARNING OUTCOMES
1. Explain what ethics are and why professions have codes of ethics.
2. Explain where in the audit process ethical requirements are considered.
3. Contrast the principles-based approach to ethics with a rules-based approach.
4. Explain which ethical codes and rules are applicable to Registered Auditors in South Africa and what constitutes prohibited actions.
5. Briefly outline the disciplinary processes of the IRBA and SAICA.
6. Describe and apply the conceptual approach to ethics adopted in the IFAC/SAICA/IRBA Codes of Professional Conduct.
7. Describe the guidance contained in the Codes of Professional Conduct and apply this to practical situations.
8. Describe what constitutes improper conduct in terms of the IRBA’s Rules Regarding Improper Conduct and apply these Rules to practical situations.

REFERENCE LIST
South African Institute of Chartered Accountants (2018) (Revised) Code of Professional Conduct for Chartered Accountants.
South African Institute of Chartered Accountants (Sept 2016) By-law 34 Punishable Offences.
Independent Regulatory Board for Auditors (IRBA) (2018) (Revised) Rules Regarding Improper Conduct and Code of Professional Conduct for Registered Auditors.
International Ethics Standards Board for Accountants (IFAC) (April 2018) (Revised) International Code of Ethics for Professional Accountants (including International Independence Standards).

IN THE NEWS

EY fined $9m for improper auditor relationships
The U.S. Securities and Exchange Commission (SEC) said one member of the audit team maintained an ‘improperly close’ friendship with the CFO of a New York-based public company. The relationship between the audit member and the CEO comprised personal emails, voice and text messages, sport events tickets and gifts. On another audit, a member of the engagement team auditing the firm had a romantic relationship with the chief accounting officer of the company being audited. The supervisor on the audit ‘became aware of facts suggesting the improper relationship yet failed to perform a reasonable inquiry or raise concerns internally.’ SEC rules forbid auditors from misrepresenting they are independent.
‘The individuals at the centre of these matters violated multiple EY policies, hid their conduct and behaved in a way that was antithetical to EY’s Global Code of Conduct, culture, values, policies, and training.’1

Registration of KPMG auditors at risk over Gupta audit
The KPMG partners responsible for the audit of Gupta-owned Linkway Trading (‘Linkway’) risk losing their designation as registered auditors if an investigation by the profession’s regulator finds improper conduct on their part. The Independent Regulatory Board for Auditors may, in terms of the Auditing Profession Act and following a disciplinary hearing, impose a warning, or fine, or cancel an audit practitioner’s registration where improper conduct is found. The board is now investigating KPMG’s 2014 audit of Linkway, which paid for the R30m Gupta wedding at Sun City in 2013, using money meant to develop Free State farmers. The amaBhungane Centre for Investigative Journalism reported that leaked Gupta emails revealed how money from the Free State provincial government had flowed via the Estina company to the Gupta-owned company Accurate Investments in Dubai and then on to Linkway.2 Linkway, supposedly a project management company in the Gupta-owned Oakbay Group, used the money to pay for a Gupta family wedding. By classifying it as a business expense, it paid no tax on the income. KPMG, which resigned as Oakbay auditor in April 2016, said it was standard procedure for entities such as Linkway to ‘receive and disburse funds against a specific event’. KPMG said it was not auditors of any offshore entities and therefore could not comment on the flow of funds from the Free State dairy project. ‘We have acted with integrity in our dealing with the Oakbay Group’, Moses Kgosana, previous CEO at KPMG commented. Yet, during the time of the audit of Linkway he attended the Gupta wedding and has since elected to withdraw as future chairman of Alexander Forbes.
Kgosana, who served on the company’s board for two years, was due to become chairman of Alexander Forbes on 31 August 2017. He felt that time spent dealing with these allegations would compromise what he was able to deliver as chairman. The South African Institute of Chartered Accountants (SAICA) said it would await the outcome of the audit regulator’s investigation before deciding whether to take any disciplinary action in terms of its own code of conduct.2

Inside IRBA’s Deloitte disciplinary hearings
A lot is at stake for the Independent Regulatory Board for Auditors (IRBA), as the audit regulator is leading the disciplinary hearing of Deloitte – the biggest case it has handled since its 2006 inception. The disciplinary hearing could either entrench perceptions that the IRBA has neither bark nor bite at a time when audit firms are caught in accounting scandals, or prove sceptics wrong. The IRBA charge sheet against two senior executives of Deloitte contains ten charges of misconduct. In these hearings Deloitte have to explain why unqualified auditor’s reports were issued and why questions were not raised about the going concern status of African Bank, and its then-parent company African Bank Investments Limited (Abil). According to the IRBA, African Bank failed to comply with the international accounting standards on the recognition of financial instruments. The audited financial statements of African Bank for the year ended September 2014 showed a restatement relating to differences between impairment models and the impairment provisions recognised in the 2013 financial statements. The impact of this restatement on September 2013 was a R656 million downward adjustment of African Bank’s income pre-tax. African Bank’s management at the time identified loan collection initiatives that could collect but Deloitte’s Jordan allegedly accepted this without considering its validity.
Jordan faces charges relating to African Bank’s misstatement of loan impairments, which resulted in impairments that were understated by R1.1 billion.3

Reserve Bank continues to meet with KPMG following VBS scandal
Since VBS was placed into curatorship and its financial records investigated it has emerged that some R900 million of its supposed deposits could not be traced. There seems to be extensive evidence that the VBS financial statements – signed off by its auditors – were in a terrible state, possibly a case of the auditors not applying sufficient professional competence and due care while performing the audit. It turned out that VBS had accidentally paid that money out ‘due to internal control failures in a branch’. There had been ‘inept risk management functions and practices’ the Reserve Bank said.4 The Reserve Bank says its interest in KPMG stems from a public policy perspective arising from its mandate to ensure the soundness and stability of South Africa’s financial system. In a statement, the Reserve Bank said: ‘Auditors play an important role in fostering market confidence in the financial statements of financial institutions. The robustness and integrity of audits depend to a large extent on the strength of governance and the depth of an ethical culture within a financial institution. These are issues that we monitor constantly.’5

2.1 What is the nature of ethics?
Ethics can be defined as a set of principles of right conduct and a theory or a system of moral values such as not to steal, not to commit fraud and not to murder. The word ‘ethics’ is derived from the Greek word ‘ethos’, which means custom, habit or character. A general assumption about being ethical is that it is linked to how a person feels about something (i.e. does it feel right or wrong?). But being ethical is not just about following someone’s feelings. Feelings often differ from what is ethical or morally correct. What is ethical for one person may not be ethical for the next.
For example, someone may feel that it is unethical to use poison on plants, as it can harm birds and insects, while for the next person it will not be unethical to use the poison. Being ethical is also not just about following regulations. Regulations often incorporate ethical standards, but regulations can sometimes deviate from what is ethical. An example of something that might be legal but unethical is companies in certain countries using child labour to manufacture goods. This may not be illegal in these countries, but many would consider this to be unethical in terms of their value systems.

The difference between morality and ethics is that morality defines personal character and is the differentiation of intentions, decisions, and actions between those that are ‘good’ (or right) and those that are ‘bad’ (or wrong), whereas ethics refer to the social system in which these morals are applied. Ethics are therefore the rules of conduct recognised for a particular class of human actions or a particular group or culture that is expected from the society in which the individual lives.6

2.2 Why do professions have codes of ethics?

2.2.1 Background to codes of ethics of professions
One of the distinguishing characteristics of a profession is the existence of a code of ethics for its members. The first code of professional ethics may be traced back to the duties of the physician as contained in the Oath of Hippocrates. Codes of ethics for professional bodies become the terms of reference for ethical conduct and are often the founding documents for professions.7 A code of ethics is important for a profession as it establishes the ethical expectations from existing members for those joining the profession.
A code of ethics is intended to be:
• A central guide and reference for members in support of day-to-day decision making;
• A tool to encourage discussions of ethics and to improve how members deal with the ethical dilemmas, prejudices and grey areas that are encountered in everyday work; and
• Complementary to relevant standards, policies and rules – not a substitute for them.8

The difference between a code of ethics and a code of conduct is that a code of ethics expresses fundamental principles that provide guidance in cases where no specific rule is in place or where matters are genuinely unclear. A well-drafted code of conduct will be consistent with the primary code of ethics; however, it will provide much more specific guidance in dealing with ethical challenges. The SAICA and IRBA codes of conduct expand the IFAC code somewhat by providing a local application of some sections of the code. An example of this is the definition of the fundamental principle of professional behaviour, which, in the SAICA code of conduct, contains additional guidelines for multiple firms, and signing convention for reports or certificates.9 It is important to note that a code of conduct establishes the minimum ethical requirements that are expected from the profession’s membership, and does not represent an unattainable dream.

CRITICAL THINKING
To what risks and challenges would a profession be exposed without a code of ethics?
The risks a profession could be faced with include, among other things:
• No communication of ethical expectations of the members of a profession would exist. Ethical decision making by professionals would be difficult which would lead to varying standards of behaviour;
• It will be difficult to hold the profession accountable for actions if no ethical principles exist; and
• The public trust and the profession’s reputation could be damaged if members act unethically and if no disciplinary process exists to correct the unethical behaviour.
2.2.2 Rules-based versus principles-based codes of ethics
Ethical codes may take different forms, ranging from detailed rules and emphasis on compliance with those rules, to broad positively stated principles with an emphasis on ‘doing the right thing’. Simply stated, principles-based ethics provide a conceptual basis to follow instead of a list of detailed rules. Under a principles-based approach, key objectives of sound ethical values are set out, followed by guidance explaining the objectives and reference to some common examples. Professionals often face ethical dilemmas while carrying out their professional duties. It is difficult to anticipate all situations that might result in unethical behaviour in a code of ethics – hence a principles-based approach is often preferred.

The IFAC International Code of Ethics for Professional Accountants moved from containing detailed rules and emphasis on compliance with those rules, to broad positively stated principles with an emphasis on ‘doing the right thing’, and is a principles-based code. The IFAC International Code of Ethics for Professional Accountants has been accepted as its ethical code by SAICA (fully accepted with minor differences) and the IRBA (accepted Parts 1, 3 and 4 of the IFAC code). Upon being granted membership of SAICA, a member has to sign a declaration that he or she will act ethically and assumes an obligation of self-discipline.

2.2.3 Examples of ethical misconduct by auditors

International examples

Enron
The Enron case is discussed in more detail in Chapter 1. Arthur Andersen earned $25 million in audit fees and another $27 million in fees for non-audit services from Enron in 2000.
Arthur Andersen had been Enron’s auditor for 16 years and also performed internal audit and consulting services, clearly causing ethical independence threats.10

SMSF Auditors
Australia requires a registered auditor to conduct a financial and compliance audit on self-managed super funds, which is an annuity trust structure that provides benefits to its members on retirement. Several cases of breaches of independence of the code of ethics by auditors were reported. In two of these cases, the auditors were found guilty of auditing funds in which they and close family members were invested and of funds where they were directors or trustees.11

KPMG using confidential information
Six former KPMG employees in the USA have been arrested and charged with the misuse of confidential information. These charges stem from Public Company Accounting Oversight Board (PCAOB) inspection information that was leaked by a former employee of the PCAOB, who started working for KPMG. This individual disclosed the confidential details of the KPMG clients that the PCAOB was planning to inspect to his new employer (KPMG). Using this information (which the firm would otherwise not have had access to), the KPMG national partner for audit quality, the national partner for inspections, along with a banking and capital markets partner, worked together to review the audit work papers for at least seven banks that they had learnt the PCAOB would inspect (in anticipation of the PCAOB inspection).12

South African examples

KPMG and Gupta-linked companies
During the provision of services to the Gupta-linked companies, KPMG staff received potentially questionable invitations to events hosted by the Gupta family. These included offers of tickets to 2010 soccer world cup matches, and invitations to the launch of the New Age newspaper and to family weddings and celebrations.
In some cases, communication between KPMG staff and the Gupta family and their representatives appear to have gone beyond the provision of professional services. These instances suggest significant familiarity threats to objectivity and independence. KPMG also provided extensive advisory services to the Gupta group of companies, which could amount to further threats to objectivity and independence. SAICA announced that it will look into the audit files of KPMG to ensure that the conclusions arrived at are consistent with the evidence contained in the files.13 The IRBA also said it is looking into reporting irregularities that were not reported (in accordance with the requirements of the Auditing Profession Act 26 of 2005), such as blatant money laundering.14

KPMG and SARS rogue unit report
In 2014, newly appointed SARS Commissioner, Tom Moyane, hired KPMG South Africa to conduct a forensic investigation into an intelligence unit within the revenue service that between 2010 and 2014 had started investigating high-profile tax offenders, including prominent politicians and politically-connected business people. The report KPMG produced suggested that the unit was breaking the law by using illegal methods and was therefore ‘rogue in nature’. It also suggested that Mr Pravin Gordhan, as SARS commissioner at the time, was aware of the unit’s alleged illegal activities. Then deputy commissioner of SARS, Ivan Pillay, head of investigations, Johann van Loggerenberg, and others were suspended as a result, and criminal charges were eventually also laid against Gordhan. The report was instrumental in removing Mr Gordhan from his position as finance minister.15 On 15 September 2017, KPMG International made an unexpected and far-reaching announcement that it was withdrawing the findings and conclusions of the report KPMG SA Forensic had completed for SARS at a cost of R23-million.
KPMG International in a statement said that ‘quality controls associated with the version of the report [SARS] dated 3 September 2015 were not performed to the standard we expect. Specifically, in this instance, our standards require a second partner to review the work done; however, the final deliverable of this work was not subjected to second partner review’. KPMG International also stated that ‘the SARS report refers to legal opinions and legal conclusions as if they are opinions of KPMG South Africa. However, providing legal advice and expressing legal opinions was outside the mandate of KPMG South Africa and outside the professional expertise of those working on the engagement.’16

KPMG and VBS bank
KPMG announced that two partners tendered their resignations with immediate effect when faced with disciplinary charges against them. KPMG issued the following media statement: ‘Both cases are conduct charges connected to VBS [Mutual] Bank and include, but are not limited to, failure by the partners to comply with the firm’s policies and procedures regarding the disclosure of relevant financial interests,’ it said.17 KPMG South Africa further announced what is referred to as an ‘unprecedented’ review of all the work done by its partners in the past 18 months. Chairperson of KPMG, Wiseman Nkuhlu, told a media briefing on Sunday that the review was part of reforms instituted by the firm to help regain public trust and improve the quality of its work.18

Nkonki Inc
Sindi Zilwa, born Nkonki, was the second black woman in South Africa to qualify as a Chartered Accountant (SA), in 1990. Two years later she started her own accounting firm, a precursor to Nkonki Inc. In 1996, a merger took place to form Nkonki Sizwe Ntsaluba, the first national black accounting firm in South Africa. In 2013, Transnet outsourced its internal audit function to three firms including Nkonki. Income from the transport utility soon dwarfed that from Nkonki’s other clients.
In 2015, Transnet accounted for 45% of Nkonki’s R161m revenue, internal records show, which could impose a self-interest threat to independence. But in 2016, income from Transnet fell sharply. In the cash-flow crunch that followed, millions of rands in employee tax deductions were not paid over to the South African Revenue Service, exposing Nkonki to penalties and reputational risk. Mitesh Patel offered a way out of Nkonki’s financial troubles. Eric Wood, the CEO of Trillian Capital, a Gupta-linked company, approached Patel with an offer to buy Nkonki on behalf of a black CA. The deal was funded by a loan from Trillian Capital, which Patel claimed he did not know about. After the buy-out, Nkonki instantly landed new work from Eskom, the state utility whose board and executive were allegedly under Gupta influence. Nkonki was potentially also going to earn hundreds of millions in consulting fees from Eskom.19 Mitesh Patel, the CEO of Nkonki, resigned in April 2018. The Auditor General terminated its contract with Nkonki, due to concerns about the independence and adequacy of risk management practices of Nkonki and also whether all shareholders were registered auditors.
‘One of the key elements of independence for auditors is embedded in the Auditor Professions Act, which stipulates that the only firms that may be registered auditors are partnerships where all individuals are registered auditors, sole proprietorship where the owner is a registered auditor, or companies which are registered by the Independent Regulatory Board of Auditors (IRBA)’, Auditor General Kimi Makwetu said.20 A week after the Auditor General announced the termination of public auditing contracts with KPMG and Nkonki Inc., the latter firm announced it has taken the ‘very painful and difficult’ decision to be placed in voluntary liquidation.21

Masterbond
In the early 1990s, following the liquidation of the group of companies, the name ‘Masterbond’ was associated in South Africa with pensioners who invested in the group struggling for survival on dog food and the kindness of others after losing their life savings. The Nel Commission’s report on its investigation of the Masterbond case provided proof of auditor dishonesty, collusion of auditors with management, and lack of auditor independence because of non-audit services provided to auditees. The then-Public Accountants and Auditors Board (the predecessor of the IRBA) found the auditor involved guilty of improper conduct (as discussed in section 2.4.1 of this chapter). The auditor was sanctioned by a fine of R10 000 (being the maximum fine at the time) and suspension from practice for two years, suspended for three years on condition that the accused was not found guilty of contravening the Disciplinary Rules (the predecessor of the Rules Regarding Improper Conduct) during that period.22

2.3 What are the ethical codes and rules applicable to external auditors in South Africa?
Ethics in the external auditing profession are of the utmost importance to the profession and for the people relying on the services of Registered Auditors (RAs).
The users of the services of RAs, especially decision makers using financial statements, expect RAs to be highly competent, honest, reliable and objective. If the RA rendering the external audit does not exhibit these qualities, the external audit would serve no value to the user of the auditor’s report. A profession’s good reputation, which is dependent on the ethical conduct of its members, is indeed one of its most important assets.

Many RAs in South Africa are also members of SAICA (i.e. Chartered Accountants (SA)). Both these bodies have codes of professional conduct to which members must adhere. These codes are principles-based, are largely based on the IFAC International Code of Ethics for Professional Accountants, and provide general guidelines that RAs or professional accountants should follow. In addition, the IRBA has Rules Regarding Improper Conduct and SAICA has Punishable Offences which (together with the Code of Professional Conduct) serve as a basis for evaluating whether specific allegations made against RAs or professional accountants are such that disciplinary action must be taken. Figure 2.1 illustrates the differences between the nature of these bodies, their missions, to whom their respective ethical codes are applicable, and the respective ethical codes and rules that are applicable.

Figure 2.1: Differences between the IRBA and SAICA

2.4 What constitutes prohibited actions for the external auditor?

2.4.1 IRBA Rules Regarding Improper Conduct

Actions that RAs are prohibited from taking are set out in the IRBA’s Rules Regarding Improper Conduct. Refer to Figure 2.2 on the next page.

EXAMPLE

Manufacture Limited, a client of the firm of registered auditors, Nel and Associates (Nel), wants to take over another business and requires a loan from the bank to finance the takeover. The bank requires a profit forecast in order to approve the loan.
Manufacture Limited completes the profit forecast and engages Nel and Associates, the company’s external auditors for the past year, to review and sign the profit forecast as being ‘correct’. Mr Nel, the partner in charge of the audit of Manufacture Limited, signs the profit forecast. By signing the profit forecast, Mr Nel has contravened the Rules Regarding Improper Conduct by allowing his name to be used in connection with an estimate of earnings that is dependent on future transactions. It may be perceived by the bank that he vouches for the accuracy of the profit forecast.

2.4.2 SAICA’s punishable offences

The SAICA punishable offences are contained in the SAICA by-laws. The punishable offences applicable to professional accountants and trainee accountants are set out in Part B paragraph 34 of the by-laws. There are also punishable offences applicable to associate general accountants (AGAs) and accounting technicians (AATs) and students who are associated with SAICA in Parts C, D and E respectively of the by-laws. Only the punishable offences applicable to professional accountants are discussed in this text. Refer to Figure 2.3 opposite.

EXAMPLE

Remind yourself of the facts regarding the example involving Mr Nel in section 2.4.1. Now assume that Mr Nel is also a Chartered Accountant (SA). Can he be found guilty of a punishable offence by SAICA? In by-law 34 of SAICA, there is no equivalent to Rule 2.9 of IRBA. However, given that one cannot guarantee the reasonableness of a profit forecast, Mr Nel clearly also acted without professional competence. Accordingly, he can be found guilty by SAICA of a punishable offence in terms of the following by-laws: by-law 34.1; 34.2; 34.3; and/or 34.10 (as professional competence and due care is a fundamental principle of the SAICA Code).

Figure 2.2: Summary of the IRBA Rules Regarding Improper Conduct applicable to RAs

Figure 2.3: Summary of SAICA punishable offences (by-law 34)

2.5 How do the SAICA and IRBA disciplinary processes work?
2.5.1 SAICA disciplinary process

The disciplinary process of SAICA applies to any person registered or previously registered with SAICA, whether as a CA [CA(SA) (member)], or Associate General Accountant [AGA(SA) (Associate)]. In terms of the SAICA by-laws, the SAICA Board annually appoints a Professional Conduct Committee and a Disciplinary Committee.

The process followed when a complaint is received is as follows:
• If the accused is registered with the IRBA, the complaint is referred to the IRBA.
• If the accused is not registered with the IRBA, the following process is followed:
  • Upon receipt of a complaint, the Professional Conduct Committee may, where there is a prima facie case for improper conduct on the part of the accused (based on the evidence presented by the complainant), advise the accused in writing of the details of the complaint and ask the accused to provide a written answer within 21 days of the issue of the notice.
  • The Professional Conduct Committee can call for a meeting to discuss the matter at a specified date and time, with no representation present.
  • If the Professional Conduct Committee is satisfied that the accused has provided a reasonable explanation or that the act did not constitute improper conduct, the Professional Conduct Committee may decide that it is not going to proceed further with the matter. The Professional Conduct Committee shall then advise the complainant and accused in writing of the decision.
  • If the Professional Conduct Committee is not satisfied with the explanation or no explanation is received, the Professional Conduct Committee has the power to caution or reprimand the accused, or to impose a fine that is not more than half the maximum amount that the Disciplinary Committee may impose, or to lodge a formal complaint against the accused and refer the case to the Disciplinary Committee.
  • If the accused has been cautioned or reprimanded by the Professional Conduct Committee, the accused can within 21 days demand that the matter be referred to the Disciplinary Committee.

The following steps are followed by the Disciplinary Committee:
• Written notice is given to the accused of the Committee’s intention to consider the complaint and of the time and place of the enquiry. The accused is allowed representation.
• If the accused fails to attend the enquiry, the Disciplinary Committee may proceed with the matter without the accused present.
• The Disciplinary Committee may inspect any books or documents and may call witnesses.
• If the accused is found guilty, the accused may be:
  • Cautioned;
  • Reprimanded;
  • Fined up to a maximum amount to be determined by the SAICA Board from time to time;
  • Suspended from membership, associateship or registration as a trainee accountant for a period not exceeding five years;
  • Excluded from membership, associateship, or from registration as a trainee accountant; or
  • Disqualified from applying for SAICA membership permanently or for such period as the Disciplinary Committee may determine.
• If the accused is found guilty, the Disciplinary Committee can order that the name of the accused be published.
• If the accused is found not guilty, the name of the accused is not published, unless the accused has requested otherwise.23

2.5.2 IRBA disciplinary process

The IRBA’s disciplinary process applies to RAs registered with the IRBA. Any member of the public, an association or organisation may lodge a complaint against an RA if they believe that the RA is guilty of improper conduct. The IRBA will then investigate the alleged improper conduct. A member of the public who wishes to submit a complaint should do so by submitting an affidavit (a sworn statement signed in the presence of a Commissioner of Oaths).
According to section 48 of the Auditing Profession Act, the Board must refer the complaint to an investigation committee if it believes it to be justified.
• The investigation committee investigates the matter and obtains evidence.
• The RA has the right to be assisted or represented by another person.
• The investigation committee can require the RA to provide any working papers, statements, books or other documentation and inspect these documents.
• After concluding its investigation, the investigation committee must submit a report to the Board of the IRBA stating its recommendations.
• If the Board believes that sufficient grounds exist for the RA to be charged with improper conduct, it then issues a charge sheet to the RA by hand or registered mail. The RA may then submit a written explanation regarding the improper conduct within a reasonable time not exceeding 60 days.
• The charge sheet and any written explanation received from the RA are then referred to the disciplinary committee.
• The disciplinary committee will hold a meeting according to the procedures set out in section 50 of the Auditing Profession Act.
• If the disciplinary committee finds the RA guilty or the RA has admitted guilt (in which case the RA is considered to be found guilty as charged) the disciplinary committee must:
  • Caution or reprimand the RA; or
  • Impose a fine not exceeding a specified amount; or
  • Suspend the right to practise as an RA for a specific period; or
  • Cancel the registration and remove the RA’s name from the register of auditors.
• The Board may publish the finding and sanction imposed on the RA.24

2.5.3 Examples of SAICA and IRBA disciplinary processes

EXAMPLE

Outcome of SAICA disciplinary process
An Associate General Accountant (registered as an AGA with SAICA) was found guilty as he sent out a misleading letter to a client pretending to be an RA. He failed to respond to correspondence and did not attend the hearing.
He was permanently excluded from associate membership, a previous suspended fine of R25 000 became payable and he had to contribute to the legal costs of R20 000.25

Outcome of IRBA disciplinary process
The respondents’ audit firm prepared the annual financial statements or performed accounting services for clients where the respondents were the audit engagement partners. In so doing, the respondents contravened section 90(2) of the Companies Act. The respondents were each sentenced to a fine of R80 000, of which R40 000 has been suspended for three years (on condition that the respondents are not found guilty of unprofessional conduct committed during the period of suspension), a cost order of R5 000, and publication by the IRBA of the details of the case in general terms.26

Outcome of IRBA disciplinary process
The respondent was appointed as executor of a deceased estate. Despite the client making numerous requests for various copies of documentation, the respondent failed to provide the client with the documentation. The respondent was sentenced to a fine of R50 000, of which R20 000 was suspended for three years (on condition that the respondent is not found guilty of unprofessional conduct committed during the period of suspension), no costs order and publication of the details of the case by the IRBA in general terms.27

Outcome of IRBA disciplinary process
An audit team member was a beneficiary in a trust that held a significant interest in an audit client. The respondent failed to identify and respond to this independence threat for which no safeguards exist.
The respondent was sentenced to a fine of R80 000, of which R40 000 has been suspended for three years (on condition that the respondent is not found guilty of unprofessional conduct committed during the period of suspension), no costs order and publication by the IRBA of the details of the case in general terms.28

IN THE NEWS

Auditor ethics

Enron, Parmalat, WorldCom and Steinhoff – these corporate reporting and accounting scandals have shaken the foundations of investor confidence in the transparency, integrity and accountability of corporations and capital markets. There has also been public disquiet about the role professional auditors and auditing firms have played in these corporate scandals. For the audit profession, these highlighted the gaps between public expectations and the reality of the role of the auditor. The biggest challenge for auditors ahead is to identify how ethical behaviour can be – and be seen to be – restored, as it is this that will be the basis for the reconstruction of public trust in the profession and in the practice of auditing. The revised IFAC International Code of Ethics for Professional Accountants, issued in 2018, strengthened independence provisions contained in the Code to raise public trust in the accounting profession.29

2.6 What is the content of the SAICA and IRBA Codes of Professional Conduct?

2.6.1 Background to the SAICA and IRBA Codes of Professional Conduct

Global corporate financial reporting scandals, such as those involving Enron, WorldCom and Steinhoff, negatively affected the standing of the auditing profession and questions arose about auditor ethics (e.g. auditors not avoiding situations where their independence is compromised). Due to the nature of the work carried out by auditors, ethics are of the utmost importance – auditors should be ethical at all times and in all circumstances.
Various stakeholders rely on the outcome of the work performed by the auditor as conveyed in the opinion section of the auditor’s report. Owing to the nature of the auditor’s report, it is very difficult to gauge the exact nature of the work performed by the auditor. Hence the stakeholder has to rely on the auditor to do a proper job. Any deficiency in the auditor’s professional conduct or any improper conduct in their personal life places the integrity of the auditor in question, and may raise doubts about the reliability of the auditor’s report (and specifically the audit opinion). The adoption and application of a code of ethics for auditors promotes stakeholders’ trust and confidence in auditors and their work.30

As discussed in Chapter 1, IFAC is responsible for the establishment and promotion of standards, including ethical codes. IFAC’s International Ethics Standards Board for Accountants (IESBA) maintains the International Code of Ethics for Professional Accountants to serve as a model for all codes of ethics developed and used by national accountancy organisations (including SAICA). In 2001, IFAC for the first time adopted a conceptual framework approach for a section of the code of ethics dealing with independence. In 2003, the IFAC ethics committee issued a revised code of ethics in order to restore the standing of the auditing profession after the global corporate collapses. This 2003 code contained a conceptual framework for the entire code whereby threats to the fundamental principles had to be identified, their significance evaluated and safeguards implemented. Most recently in 2018, the IESBA completed a restructuring of its code of professional ethics to make the code more understandable and easier to use, but also to be more robust with substantial improvements in many areas, including auditor independence.
SAICA formally adopted the 2003 version of the IFAC International Code of Ethics for Professional Accountants with effect from 30 June 2006, but added an additional part (called Part D or section 400), which specifically focused on professional accountants in South Africa. The adoption of the IFAC Code was done to improve confidence in the local accounting profession. From November 2010, the Board of SAICA resolved to accept the IFAC Code issued on 1 April 2006 in its entirety, but added limited additional guidance in Part A to assist with the local application of certain requirements applicable to all professional accountants in SA. Part D (or section 400) of the SAICA Code was removed in the 2010 version of the SAICA Code. At the time of writing, all indications are that the IFAC restructured code issued in 2018 will also be accepted by SAICA, with certain South African amendments, and will be applicable from 15 June 2019. A South African work group is adapting the IFAC Code for South African circumstances.

After careful consideration and a mapping exercise between the IRBA Code of Professional Conduct in issue at the time and the IFAC International Code of Ethics for Professional Accountants, the IRBA decided to adopt Parts A and B of the IFAC International Code of Ethics for Professional Accountants (issued 1 April 2006). The then-IRBA Code of Professional Conduct was repealed and replaced by a new IRBA Code of Professional Conduct based on the IFAC International Code of Ethics for Professional Accountants with effect from 1 January 2011. At the time of writing, all indications are that the IFAC restructured code issued in 2018 will also be accepted by IRBA, with some South African amendments, which will be effective from 15 June 2019.
2.6.2 Differences between SAICA and IRBA Codes of Professional Conduct

At the time of writing, all indications are that SAICA will adopt the IFAC International Code of Ethics for Professional Accountants (issued on 1 April 2018) in its entirety (i.e. Parts 1, 2, 3 and 4), with a few changes to accommodate matters for South African circumstances. All the modifications to the IFAC Code are indicated via underlined and italicised text in the SAICA Code of Professional Conduct.

At the time of writing all indications are also that IRBA will adopt Parts 1, 3 and 4 of the IFAC International Code of Ethics for Professional Accountants (issued on 1 April 2018), and all adaptations are indicated by way of underlined and italicised text. The IRBA proposes to modify this code for the South African environment by, for example, replacing the IFAC term ‘professional accountant’ with the more relevant term ‘registered auditor’. Part 2 of the IFAC Code applies to professional accountants working in business (commerce) and is also now applicable to individual professional accountants in public practice when performing professional activities pursuant to their relationship with the firm. This Part will, however, only be contained in the SAICA Code of Professional Conduct and not in the IRBA version.

From the foregoing, it can rightly be concluded that there is little difference between the SAICA Code of Professional Conduct (CPC) and the IRBA Code of Professional Conduct. In the next section, the SAICA CPC is explained as it is applicable to ‘professional accountants’ – i.e. Chartered Accountants (SA), and Associate General Accountants (AGAs). However, given the similarity of the content of these two pronouncements, in virtually all instances the content is equally applicable to RAs. Accordingly, the chapter does not contain a detailed exposition of the IRBA Code of Professional Conduct.
Table 2.1: Differences between the IFAC International Code of Ethics for Professional Accountants, the IRBA Code of Professional Conduct and the SAICA Code of Professional Conduct

Columns, in order: IFAC; IRBA31; SAICA32

Refers to Professional Accountants
Refers to Registered Auditors
Refers to Professional Accountants (which includes CAs, AGAs and trainee accountants)

Contains:
• Part 1 General application of the code;
• Part 2 Professional Accountants in business;
• Part 3 Professional Accountants in public practice;
• Part 4A Independence for audit and review engagements;
• Part 4B Independence for assurance engagements other than audit and review engagements.
Contains:
• Part 1 Complying with the code, fundamental principles and conceptual framework;
• Part 3 Registered auditors performing professional services;
• Part 4A Independence for audit and review engagements;
• Part 4B Independence for assurance engagements other than audit and review engagements.
Contains:
• Part 1 Complying with the code, fundamental principles and conceptual framework;
• Part 2 Professional Accountants in business;
• Part 3 Professional Accountants in public practice;
• Part 4A Independence for audit and review engagements;
• Part 4B Independence for assurance engagements other than audit and review engagements.

Section 115: Fundamental principle of professional behaviour
Section 115: The fundamental principle of professional behaviour was expanded to include additional guidance for the local application of the code. The following additional matters were included in Part 1 under ‘professional behaviour’:
• Multiple firms and assisted holding out
Section 115: The fundamental principle of professional behaviour was expanded to include the following additional matters in Part 1 under professional behaviour:
• Multiple firms and assisted holding out
• Signing convention for reports and certificates

Section 320: Professional appointment
Section 320 provides additional guidance regarding communication from a proposed, existing or predecessor accountant including confidential information as well as when the client refuses to give permission to contact the existing accountant.

Section 330 Fees and other types of remuneration
Section 330 provides additional guidance regarding the charging of contingent fees when preparing tax returns. Additional safeguards, i.e. obtaining advance agreement upfront and in writing from the client for commission or referral arrangements, were also added.

Section 350: Custody of client assets
Section 350: Custody of client assets was expanded to include additional guidance for the local application of the code. The following additional matters were included:
• Section 350.4a SA: Guidance on what to do when it is believed that money was received from illegal activities.
• Section 350.6 SA: Specific instructions regarding what to do with client monies received.
• Section 350.7a SA: Specific instructions regarding what to do with client assets other than monies received.
• Section 350.8A1 SA: Specific instructions regarding possible measures of protection (of client assets).
• Section 350.9 SA: Specific instructions regarding custody of client assets for audit or other assurance clients.

Section 400.8: Public interest entities
Section 400.8 was updated to expand the definition of public interest entities in a South African context.

Section 540.5: Long association
Section 540.5a SA was added to include guidance that the professional accountant might need to consider threats relating to non-assurance services when considering the association with clients.

2.6.3 The SAICA Code of Professional Conduct (CPC)

2.6.3.1 Guide to the code

A non-authoritative guide precedes the code to explain the purpose of the code, how the code is structured, and how the code is to be used. The guide sets out that the purpose of the code is to set out the fundamental principles to the code, which reflects the public interest responsibility of the accounting profession. The guide also explains that the code provides a conceptual framework that needs to be applied to identify, evaluate and address threats to the fundamental principles. Before working through the code, it is useful to work through this guide.

Throughout the code, reference is made to the fact that it applies to ‘professional accountants’. According to the definitions contained in the code, this term means (for purposes of the SAICA code):

Serves as a generic term in this Code to refer to a chartered accountant … or an associate … as required by the context of its use in a requirement or application material of this Code, and taking into account that this Code is applicable to all chartered accountants and associates in terms of the SAICA By-laws.

2.6.3.2 Part 1: Complying with the code (section 100): Fundamental principles

A characteristic of the accountancy profession is its acceptance of the responsibility to act in the public interest. Therefore, the professional accountant has a responsibility not only to satisfy the needs of the individual client or employer. In doing so, professional accountants shall comply with the SAICA CPC.
The code contains requirements marked with an ‘R’ (which are obligations that need to be complied with) as well as application material marked with an ‘A’ (which provides context, explanations and suggestions for action) to enable professional accountants to meet their responsibility to act in the public interest. If a professional accountant is prohibited by law or regulation from complying with certain parts of the code, the professional accountant shall comply with all other parts of the code. The principle of professional behaviour requires that professional accountants comply with relevant laws and regulations. Some jurisdictions may have provisions that differ from or go beyond the code. Professional accountants in those jurisdictions need to be aware of the differences and comply with the more stringent provisions. If a professional accountant identifies a breach of the code, the professional accountant should evaluate its significance, take steps to address the consequences of the breach and report it to relevant parties if necessary.

Part 1 of the CPC contains fundamental principles applicable to all professional accountants and provides a conceptual framework for applying these principles. The five fundamental principles, applicable to all professional accountants, contained in Part 1 of the Code are discussed in this section.

Integrity (section 111)

Integrity has to do with honesty and truthfulness. A professional accountant may not knowingly be associated with any statement, account or return that:
• Contains a materially false or misleading statement;
• Is issued recklessly; or
• Omits or obscures information.

Objectivity (section 112)

Professional accountants may not compromise their professional or business judgement because of bias, conflict of interest or undue influences.
Professional competence and due care (section 113)

• The professional accountant should maintain sufficient professional knowledge and skill to ensure that clients receive competent professional service. This includes any new technical and business developments. SAICA (and the IRBA) have specific continuing professional development requirements that require their members to spend a minimum number of hours per year on professional development activities aimed at maintaining professional competence.
• The professional accountant should apply technical and professional standards and act diligently when providing professional services to a client.
• The professional accountant should ensure that those working under his or her authority have received the appropriate training and supervision.
• Professional accountants should not undertake any professional work for which they are not competent, unless they obtain the necessary advice and assistance from other parties and make clients aware of any limitations.

Confidentiality (section 114)

• Confidentiality of an existing, prospective or previous client or employer’s information should be maintained at all times in order to serve the public interest.
• The professional accountant should ensure that information acquired in a professional capacity is kept confidential in:
  • A social environment;
  • Amongst business associates;
  • Amongst immediate family; and
  • Within a firm or organisation.
• The professional accountant and his or her staff should specifically refrain from:
  • Disclosing confidential information without specific authority, unless:
    • Permitted by law and authorised by the client or employer; or
    • Required by law for legal proceedings or disclosure of infringements of law; or
    • A professional duty or right to disclose exists (when not prohibited by law), for example, (1) to comply with the quality review of IRBA or SAICA, (2) to respond to an enquiry or investigation by IRBA or SAICA or (3) to protect professional interests in legal proceedings, or (4) to comply with technical and professional standards, including ethics requirements such as non-compliance with rules and regulations (NOCLAR) as discussed later in this chapter.
  • Using confidential information for own personal advantage or the advantage of third parties.
• In deciding whether to disclose confidential information, the professional accountant should consider:
  • If the interest of all parties (including third parties) could be harmed if the client consents to the disclosure of information;
  • If all information is known and can be substantiated; and
  • The type of communication, to whom it will be addressed, and if they are appropriate recipients.

EXAMPLE

Susan Smith, a registered auditor, is the audit partner assigned to the audit of Seagull Limited, a listed company. Susan advises her friend to purchase shares in Seagull as the company will take over another company after the release of its financial results and it is expected that the share price will increase substantially. Did Susan Smith act unethically?

Yes, confidential information may not be used for personal advantage or advantage of third parties. (Note: Susan Smith is also likely to be guilty of an insider trading offence in terms of the Financial Markets Act 19 of 2012 – and as such in breach of the principle of professional behaviour).

WHAT IF?
What if a member of the audit team becomes aware of fraud in which the directors of an auditee are involved? Can this be disclosed?

This fraud can (and has to) be disclosed to the IRBA if the requirements of section 45 of the Auditing Profession Act are met – as the auditor will have a professional duty to report this information (refer to Chapter 3 for a detailed discussion of the relevant requirements of this Act). If the fraud has an impact on the fair presentation of the financial statements, this will also be disclosed in the auditor’s report.

Professional behaviour (section 115)

• The professional accountant should comply with relevant rules and regulations.
• The professional accountant should avoid actions that may bring the profession into discredit, which a reasonable informed third party would be likely to conclude adversely affects the good reputation of the profession.
• The professional accountant should not knowingly engage in any business, occupation or activity that may impair integrity, objectivity or good reputation of the profession.

Multiple firms and assisted holding out

• A professional accountant may be associated with more than one auditing or professional services firm. Such association shall not cause confusion and a clear distinction between different firms is needed.
• A professional accountant may practise under different firm names for different offices, but this must not be misleading.
• A clear distinction should be made if firms have members who are not registered auditors, in order not to contravene section 41(2) of the Auditing Profession Act. Refer to Chapter 3 for a detailed discussion of the relevant requirements of this Act.

Signing convention for reports or certificates

• A professional accountant shall not delegate the power to sign audit, review or other assurance reports or certificates to any person who is not a partner or fellow director.
• This prohibition may be relaxed when emergencies of sufficient gravity arise, in which case, the full circumstances for the need to delegate should be reported to the client and the IRBA.
• Any audit, review or other assurance report or certificate should contain:
  • The individual professional accountant’s full name;
  • The capacity in which the person is signing if not as sole proprietor (for example, partner or director);
  • The designation, for example ‘Chartered Accountant (SA),’ underneath the professional’s name;
  • The name of the professional accountant’s firm if the report is not issued on the letterhead of the firm.

Figure 2.4: Conceptual framework

2.6.4 Part 1: Complying with the code: Conceptual framework approach

As illustrated in Figure 2.4, this conceptual approach requires the professional accountant to (paragraphs 120.1–120.13A2.):
• Identify threats to the five fundamental principles;
• Evaluate the threats identified; and
• Address the threats by eliminating or reducing them to an acceptable level.

The professional accountant shall consider the context in which the issue has arisen.

2.6.4.1 When applying the conceptual framework the professional accountant shall:

• Exercise professional judgement
  This involves the application of relevant training, professional knowledge, skill and experience applied to the facts to make informed decisions about the courses of action to take. The professional accountant should consider the following:
  • Whether relevant information might be missing from the facts;
  • Whether there are inconsistencies between the facts and circumstances;
  • Whether experience and expertise are sufficient in reaching a conclusion;
  • The need to consult with others;
  • Whether information provides a reasonable basis to reach a conclusion;
  • The professional accountant’s own perception or bias; and
  • Other reasonable conclusions from available information.
• Remain alert for new information and changes to facts and circumstances
• Use the reasonable informed third-party test
  This involves:
  • The consideration of whether the same conclusion will be reached by another person who possesses the relevant knowledge and experience to understand;
  • An evaluation of the professional accountant’s conclusions; and
  • The weighing up of all the relevant facts and circumstances that the professional accountant knows or is expected to know.
2.6.4.2 Identifying threats (paragraph 120.6)
When a relationship or circumstances may compromise, or could be perceived by third parties to compromise, a professional accountant’s compliance with the fundamental principles, a threat(s) is/are created. Threats fall into one of the following categories:
• Self-interest threat
  Threat arises from financial or other interests of the professional accountant that could inappropriately influence his or her judgement or behaviour.
• Intimidation threat
  Threat arises when the professional accountant is deterred from acting objectively by pressures, actual or perceived.
• Self-review threat
  Threat arises when a previous judgement needs to be re-evaluated by the professional accountant responsible for making the judgement and that this may therefore not be appropriately evaluated.
• Advocacy threat
  Threat arises when a position or opinion is promoted by the professional accountant to the point that subsequent objectivity is compromised.
• Familiarity threat
  Threat arises because of a close relationship with the client when the professional accountant becomes too sympathetic to the client’s interests.
2.6.4.3 Evaluating threats (paragraph 120.7)
• When the professional accountant identifies threats to fundamental principles, he or she needs to evaluate whether the threats are at an acceptable level using the reasonable informed third-party test (as referred to above) to conclude that he or she complies with fundamental principles.
• Factors relevant in evaluating the level of threats:
  • Qualitative and quantitative factors need to be considered; and
  • Available policies and procedures, e.g.:
    • corporate governance requirements;
    • educational, training and experience requirements;
    • effective compliance systems which enable the professional accountant and the general public to draw attention to unethical behaviour (such as SAICA and IRBA disciplinary processes);
    • an explicit duty to report breaches; and
    • professional or regulatory monitoring.
• The professional accountant needs to remain alert throughout the professional activity to determine whether new information has emerged, or existing information has changed, which leads to the identification of a new threat or impacts the level of the threat or affects the accountant’s conclusions about the safeguards applied.
2.6.4.4 Addressing threats (paragraph 120.10)
If the professional accountant determines that the identified threats to fundamental principles are not at an acceptable level, the professional accountant shall address the threat by:
• Eliminating circumstances, interests or relationships creating the threats;
• Applying safeguards (actions or measures) to reduce the threat to an acceptable level;
• Declining or ending the professional activity.
2.6.4.4.1 Considerations of significant judgements made and overall conclusions reached (paragraphs 120.11-12)
The professional accountant shall form an overall conclusion whether the actions to address the threats will eliminate or reduce threats to an acceptable level by reviewing significant judgements made or conclusions reached and by using the reasonable and informed third-party test.
2.6.4.4.2 Considerations for audits, reviews and other assurance engagements:
2.6.4.4.2.1 Independence
The professional accountant in public practice is required by International Independence Standards to be independent when conducting these engagements.
Independence is linked to fundamental principles of objectivity and integrity, and includes independence in mind and in appearance. The IAASB Glossary of Terms defines these terms as follows (SAICA Handbook Vol 2):
• Independence in mind: A state of mind that permits the provision of an opinion without being affected by influences that compromise professional judgement, allowing an individual to act with integrity and exercise objectivity and professional scepticism.
• Independence in appearance: The avoidance of facts and circumstances that are so significant that a reasonable informed third party, having knowledge of all relevant information, including safeguards applied, would reasonably conclude that a firm’s or a member of the assurance team’s integrity, objectivity or professional scepticism has been compromised.
2.6.4.4.2.2 Professional scepticism
Professional accountants in public practice are required to apply professional scepticism when planning and performing audits, reviews and other assurance engagements. Professional scepticism is inter-related with these fundamental principles:
• Integrity
  Being straightforward and honest in raising concerns at a client and pursuing enquiries about inconsistent information and seeking further audit evidence about false or misleading statements.
• Objectivity
  Recognising relationships such as familiarity that may compromise professional judgement and considering the impact of such circumstances on the accountant’s judgement when evaluating the sufficiency and appropriateness of audit evidence.
• Professional competence and due care
  Applying knowledge to the client’s industry, designing and performing appropriate audit procedures, and applying relevant knowledge when assessing whether audit evidence is sufficient and appropriate.
2.6.5 Part 2: Professional accountants in business
This section is applicable to professional accountants who are employees, contractors, partners, or directors and who are salaried employees or directors in an employing organisation and who may be involved in preparing financial statements. An individual who is a professional accountant in public practice, when performing professional activities relating to his or her relationship with the accounting firm, now also falls under section 200. Investors, creditors and employing organisations might rely on the work of professional accountants in business. As discussed in Chapter 1, the financial statements form the basis for the audit and it is therefore important that if professional accountants are involved in the preparation of financial statements, they also comply with the CPC. Part 2 of the CPC contains examples of situations that may create threats for professional accountants in business – refer to Figure 2.5 and Table 2.2. Note that the examples are not intended to be a complete list of all circumstances that may exist for the professional accountant in business. In order to reduce threats to an acceptable level, the professional accountant in business can apply certain safeguards. Examples of safeguards are included in Figure 2.6.
Figure 2.5: Examples of situations for professional accountants in business
Table 2.2: Examples of threats for professional accountants in business
SELF-INTEREST THREAT
• Holding shares in the employing company;
• Loans from the employing company;
• Guarantees from the employer;
• Participating in incentive compensation arrangements;
• Inappropriate personal use of corporate assets;
• Gifts or special treatment from suppliers.
SELF-REVIEW THREAT
• Determining the accounting treatment after performing the feasibility study (e.g. performing the feasibility study on a new joint venture and then deciding on the accounting treatment of the joint venture).
ADVOCACY THREAT
• Opportunity to manipulate information in a prospectus in order to obtain favourable financing.
INTIMIDATION THREAT
• Dominant personality who tries to influence decision-making process (e.g. awarding of contracts);
• Professional accountant or immediate or close family member facing threat of dismissal or replacement arising from a disagreement about the application of an accounting principle or how financial information is reported (e.g. threat of dismissal when a disagreement exists about when revenue is to be recognised).
FAMILIARITY THREAT
• Responsible for financial reporting if family member is responsible for decisions regarding the financial reporting (e.g. financial director is married to the financial manager);
• Long association with business contacts influencing business decisions.
Figure 2.6: Examples of safeguards in the business environment
2.6.5.1 Conflicts of interest (section 210)
Conflicts may exist between the professional accountant and the parties to whom the professional accountant is providing professional services. These parties may include the employing organisation, vendors, customers, lenders, shareholders and others. Professional accountants shall not allow conflicts of interests to compromise their professional or business judgement. A professional accountant should remain alert to changes over time that might create conflicts.
Examples of circumstances that might create conflict of interest include:
• Serving in a management or governance position for two companies and acquiring confidential information from one company that might be used by the professional accountant for the advantage or disadvantage of the other company;
• Assisting both partners in a partnership to dissolve the partnership;
• Preparing financial information for management of an employer who are seeking a management buy-out;
• Selecting a vendor for an employer where a family member of the professional accountant might gain financially from the transaction; and
• Serving in a governance capacity at an employer that is responsible for approving investments which will increase the investment portfolio of the professional accountant or an immediate family member.
Steps to identify conflicts:
• Identifying the nature of the interests and relationships between the involved parties; and
• Identifying the activity and its implications for relevant parties.
Steps to address the conflicts:
• Withdrawing from the decision making process;
• Restructuring or segregating certain responsibilities;
• Obtaining appropriate oversight, e.g. a non-executive director oversees the process;
• Disclosing the nature of the conflict and threats created to all relevant parties, and obtaining consent from the relevant parties;
• Documenting the nature of circumstances, safeguards applied and consent obtained; and
• Obtaining guidance from within the employing organisation, or from the professional body, legal counsel or another professional accountant.
2.6.5.2 Preparation and presentation of information (section 220)
Preparing and presenting information (including recording, maintaining and approving information) could create self-interest or intimidation threats to compliance with the fundamental principles.
Professional accountants at all levels are involved in the preparation and presentation of information for management, those charged with governance, investors, lenders or other creditors and regulatory bodies. This information (e.g. operating and performance reports, budgets and forecasts, tax returns, general and special purpose financial statements) might assist shareholders in understanding and evaluating the employers’ state of affairs and include financial and non-financial information.
When preparing or presenting information a professional accountant shall prepare and present information:
• In accordance with the applicable financial reporting framework (e.g. IFRS);
• In a manner that is not intended to mislead or influence contractual or regulatory outcomes inappropriately;
• Exercising professional judgement to:
  • Represent facts accurately and completely in all material respects;
  • Describe clearly the true nature of transactions; and
  • Classify and record information timely and in a proper manner;
• Not omit anything in order to make the information misleading or to influence outcomes inappropriately; and
• Exercise discretion in making professional judgements in:
  • Determining estimates (e.g. fair value estimates);
  • Selecting or changing accounting policies;
  • Determining the timing of transactions (e.g. timing of the sale of an asset near the financial year-end);
  • Determining the structuring of transactions; and
  • Selecting disclosures.
A professional accountant shall exercise professional judgement to identify and consider:
• The purpose of the information;
• The context within which it is given; and
• The audience to whom it is addressed.
A professional accountant who intends to rely on the work of others (whether internal or external from the employer) shall take steps to ensure that he or she complies with the requirements of preparation and presentation of information and consider:
• The reputation, expertise and resources available to the other individual; and
• Whether the other individual is subject to professional and ethical standards.
When a professional accountant knows or has reason to believe that the information that the professional accountant is associated with is misleading, the professional accountant shall take appropriate actions such as:
• Discussing these concerns with a superior, management or those charged with governance of the employer and request that appropriate action is taken such as:
  • Having the information corrected;
  • Informing users and correcting information if already disclosed to users; and
• Consulting the policies and procedures within the employer (such as ethics and whistle-blowing policies).
If appropriate actions have not been taken by the employer, and the professional accountant believes that the information is misleading, the professional accountant, while remaining cognisant of the principle of confidentiality, might consider:
• Consulting with a relevant professional body;
• Consulting with the internal and external auditor;
• Legal counsel;
• Determining whether any requirements exist to communicate with:
  • Third parties including users;
  • Regulatory or oversight bodies; and
• If after exhausting all feasible options, the professional accountant shall refuse to be associated with the information in which case it might be appropriate to resign.
The professional accountant is encouraged to document the facts, the accounting principles or standards involved, the communications with parties, the courses of actions considered, and how the professional accountant attempted to address the matter.
EXAMPLE
Viwe Khumalo CA(SA) is the financial manager of Furniture Limited (‘Furniture’). She is responsible for the preparation of the financial statements of Furniture. The chief executive officer (CEO) of Furniture expects Viwe to not consolidate all subsidiaries and only include those that are profit-making (and not those that are loss-making) – in order to make earnings appear better than they actually are. Discuss this with reference to the CPC.
If Viwe only includes profit-making subsidiaries, and not those that are loss-making, self-interest and intimidation threats to integrity, objectivity, professional competence and due care, and professional behaviour will be created. The threats will be significant, as she is expected to act contrary to the Companies Act and IFRS by fraudulently misrepresenting information and not consolidating subsidiaries fully.
Safeguards include the following:
• Refuse to selectively consolidate the subsidiaries’ financial information, and explain the reasons why she cannot do so. If the CEO still insists that this be done, she should obtain advice from the audit committee or independent directors of Furniture (if any), or seek advice from an independent professional or SAICA;
• Use the formal dispute resolution process or whistle-blowing process in operation in Furniture (if applicable); and/or
• Seek legal advice.
If these safeguards fail to yield a satisfactory outcome, she should resign and provide her reasons to the board of directors of Furniture.
2.6.5.3 Acting with sufficient expertise (section 230)
The employing organisation shall not be intentionally misled concerning the level of expertise or experience that the professional accountant possesses. The principle of professional competence and due care requires the professional accountant to only undertake significant services for which the professional accountant has or can obtain sufficient training or expertise.
For example, accepting a position as tax consultant without sufficient expertise and training could create a self-interest threat to professional competence and due care. A self-interest threat to professional competence and due care could be created when the professional accountant has:
• Insufficient time for performing or completing tasks;
• Incomplete, restricted or inadequate information when performing duties;
• Insufficient expertise, training or education; or
• Inadequate resources for performance of duties.
Factors that are relevant in evaluating the level of such a threat will depend on the:
• Extent of working with others (e.g. whether there are superiors or peers available to ask advice or help);
• Seniority of the individual; and
• Level of supervision and review.
Potential actions that might be safeguards include:
• Obtaining appropriate training and assistance from someone with the necessary expertise;
• Ensuring that sufficient time is available to complete the relevant duties; and
• If the threat cannot be addressed at an appropriate level, a professional accountant shall consider declining to perform the duties and communicate the reasons.
EXAMPLE
Isak Tenene recently qualified as a CA(SA). He has been offered a position as a financial manager at Goto Bank (‘Goto’). Isak has never worked in the financial services industry before. Discuss this with reference to the CPC.
A self-interest threat to professional competence and due care could arise if Isak Tenene accepts this appointment. The threat will be significant, as Isak has never been employed in the financial services industry before and thus has no knowledge of the laws and regulations, financial management practices, and financial reporting standards applicable to this industry.
Safeguards that can be implemented are:
• Obtaining appropriate training in the laws and regulations, financial management practices, and financial reporting standards applicable to the financial services industry;
• Obtaining advice and assistance when preparing the financial statements from superiors within Goto;
• Ensuring that sufficient time is available to complete tasks, including the financial statements; and
• Consultation with independent experts with financial services industry experience or SAICA.
2.6.5.4 Financial interests, compensation and incentives linked to financial reporting and decision making (section 240)
If the professional accountant in business or his or her close family members hold financial interests (e.g. shares) in the employing company, self-interest threats to objectivity and confidentiality may arise, as the knowledge he or she possesses regarding, for example, the company’s poor financial performance (which is not public knowledge) could lead to the decision to sell his or her shares in the company based on this ‘inside information’. This could also amount to insider trading, a contravention of the Financial Markets Act 19 of 2012.
Threats may also be created by:
• Explicit or implicit pressure from superiors or colleagues to manipulate financial information on which bonuses or share rights are based; and
• The professional accountant having a motive or opportunity to manipulate price sensitive information (e.g. due to profit-related bonuses, share rights or share options and compensation arrangements providing incentives to achieve targets), in order to gain financially.
Factors relevant in evaluating the level of the threat include:
• Magnitude of the financial interest taking into account personal circumstances and materiality of the interest;
• Policies and procedures for a committee independent of management (e.g. a remuneration committee) to determine the level and form of management remuneration;
• Disclosure to those charged with governance of all relevant interests and the employee’s plans to trade in the entity’s shares; and
• Internal and external audit procedures (e.g. where internal auditors audit the awarding of performance-related elements of remuneration and external auditors audit the financial statements that reflect the profit figure used to compute the performance-related bonuses).
EXAMPLE
Karin Booth CA(SA), the financial manager of Zeelight Limited (‘Zeelight’), is responsible for the preparation of the financial statements of Zeelight. She will receive an incentive bonus based on the company’s reported profit after tax for the 20X1 financial year. She therefore wants to present the best possible financial results for Zeelight. Discuss this matter with reference to the CPC.
If Karin Booth receives a performance-related bonus, it will create a self-interest threat for objectivity. The threat will be significant as the incentive bonus is based on the profit after tax figure. Safeguards that could be implemented are internal and external audit procedures on the appropriateness of the profit after tax figure for the 20X1 financial year and the awarding of bonuses.
2.6.5.5 Inducements including gifts and hospitality (section 250)
A professional accountant in business, or his or her close family members could be offered an inducement (such as a bribe not to disclose information). Refer to Figure 2.7 for the definition of an inducement. A professional accountant in business may also be in a situation where he or she is expected or is under pressure to offer an inducement. This could create self-interest, familiarity or intimidation threats to integrity, objectivity, professional behaviour and possibly confidentiality.
A professional accountant shall not offer or accept or encourage others to offer or accept any inducement from which the professional accountant or an informed third party would be likely to conclude that it is made to improperly influence the behaviour of the recipient or other individual. The professional accountant shall obtain an understanding of relevant laws and regulations prohibiting the offering and acceptance of inducements and comply with them when necessary. The factors contained in Figure 2.8 have to be considered to determine the actual or perceived intent behind the inducement. Figure 2.9 includes actions that might be regarded as safeguards.
Figure 2.7: Definition and examples of inducements
Figure 2.8: Factors to consider when determining whether there is an actual or perceived intent to influence behaviour
Figure 2.9: Examples of actions that might be safeguards
Inducements made with no intent to improperly influence behaviour can still create threats to the fundamental principles. Self-interest threats can be created where the professional accountant is offered part-time employment by a vendor. Familiarity threats may be created if a professional accountant regularly takes a vendor or a supplier to sporting events. Intimidation threats may be created if the professional accountant accepts hospitality which could be perceived to be inappropriate were it to be publicly disclosed. If the inducement is trivial and inconsequential the threats will be at an acceptable level.
EXAMPLE
Mr Ricardo is a professional accountant working as an internal auditor at Nala Limited (‘Nala’). During the performance of an internal audit of the sales division of Nala, he detected fraud committed by the sales clerk. The sales clerk offered to pay a substantial amount into Mr Ricardo’s bank account in return for not disclosing this fraud. Discuss this matter with reference to the CPC.
A self-interest threat and an intimidation threat to integrity, objectivity and professional behaviour will be created if the amount is accepted. The threat will be significant, as it is an amount offered not to disclose fraud, which is an illegal act. The safeguards will be:
• Not to accept the amount offered; and
• Informing higher levels of management of Nala Limited or those charged with governance (e.g. the audit committee chairman) about the offer.
2.6.5.6 Responding to non-compliance with laws and regulations (NOCLAR) (section 260)
Refer to Figure 2.10 for the definition of NOCLAR.
Figure 2.10: NOCLAR definition
NOCLAR is applicable to:
• Laws and regulations generally recognised to have an effect on the determination of material amounts and disclosures in the employer’s financial statements; and
• Other laws and regulations that may be fundamental to the operating aspects of the employer’s business or its ability to continue in business or to avoid material penalties.
Non-compliance might result in fines, litigation or other consequences for the employing organisation, potentially materially affecting its financial statements, and may have wider public interest implications of potential harm to investors, creditors, employees or the general public (e.g. breaches of environmental laws and regulations endangering health and safety of employees or the public). NOCLAR can be committed by the employing organisation, those charged with governance, management or other individuals working for or under the direction of the employing organisation. If a professional accountant becomes aware of NOCLAR in the course of carrying out professional activities, a self-interest or intimidation threat is created to integrity and professional behaviour. Refer to Figure 2.11 for examples of laws and regulations that could be transgressed which will trigger NOCLAR responsibilities for the professional accountant. Refer to Figure 2.12 for actions required.
In exceptional circumstances, immediate disclosure to the appropriate authority may be required. A distinguishing mark of the accounting profession is the acceptance of the responsibility to act in the public interest. When responding to NOCLAR the objectives of the professional accountant are:
• To comply with the principles of integrity and professional behaviour;
• By alerting management or those charged with governance to seek to:
  • Enable them to rectify, remediate or mitigate the consequences of NOCLAR; or
  • Deter the NOCLAR if it has not yet occurred.
• To take such further action as appropriate in the public interest.
The code distinguishes between responsibilities of senior professional accountants and other professional accountants. Senior professional accountants in business follow the process as indicated in Figure 2.12. Other accountants in business follow points 1–3 in Figure 2.12 and then inform an immediate superior or higher level of authority if the immediate superior is involved. In exceptional circumstances, the other professional accountant may disclose it to an appropriate authority. The other professional accountant should also document the process as indicated in point 9 in Figure 2.12.
Figure 2.11: Examples of laws and regulations that could be transgressed for NOCLAR
Figure 2.12: Actions required for NOCLAR
EXAMPLE
Ricardo January is a CA(SA) working as the head of internal audit at Siesa Proprietary Limited (‘Siesa’), a waste water management facility. During the performance of an internal audit, Ricardo detected that Siesa released polluted water into the Vaal River which exceeded the permitted pollution levels by 50 times. Discuss whether there are any actions that Ricardo January should take with reference to the CPC.
• If a NOCLAR exists, a self-interest or intimidation threat is created to integrity and professional behaviour.
• Ricardo January must consider whether the pollution constitutes a possible NOCLAR:
  • It is an action;
  • By the management of Siesa; and
  • It is contradictory with Health and Safety Acts (e.g. Waste Act 59 of 2008).
  Therefore, it does constitute a possible NOCLAR.
• Ricardo January must investigate the matter further to obtain a better understanding thereof.
• Ricardo January must discuss the matter with management and those charged with governance of Siesa.
• If the pollution has taken place, Ricardo January must inform management that it constitutes a NOCLAR and that the matter should be rectified and reported.
• If pollution has taken place and management does not do anything about it:
  • Ricardo January should discuss the matter with the external audit firm’s engagement partner;
  • Ricardo January could consider getting legal advice;
  • Ricardo January should consider reporting the matter to the relevant authority (in this case the Department of Water Affairs and Sanitation); and
  • Ricardo January could consider resigning.
• Ricardo January must document the following:
  • The NOCLAR matter;
  • Significant judgement and conclusions made;
  • Discussions with management and how they reacted; and
  • Further actions to consider and decisions made by Ricardo January.
2.6.5.7 Pressure to breach fundamental principles
Pressure to breach the fundamental principles in the CPC from a colleague, superior, vendor, customer, lender or targets might create an intimidation threat or other threats to the fundamental principles. A professional accountant shall not allow pressure from others to result in a breach of compliance with fundamental principles or place pressure on others to breach the code.
Factors that should be considered in evaluating the level of threats include:
• The intent of the individual who is exerting the pressure;
• The application of laws, regulations and professional standards;
• The culture and leadership of the employing organisation which emphasise ethical behaviour; and
• Policies and procedures that the employing organisation has established to address pressures.
Steps that could be taken by the professional accountant:
• Discussing the circumstances creating the pressure and consulting with others to evaluate the level of the threat:
  • Discussing with the individual who is exerting the pressure;
  • Discussing with the professional accountant’s superior;
  • Escalating the matter, when appropriate, to:
    • Higher levels of management;
    • Internal or external auditors; and
    • Those charged with governance.
  • Disclosing the matter in line with policies;
  • Consulting with:
    • A colleague, a superior, HR personnel or another professional accountant;
    • Relevant professional body (e.g. SAICA); or
    • Legal counsel; and
• Documenting the facts, communications with parties with whom it was discussed, the courses of action and how the matter was addressed.
2.6.6 Part 3: Professional accountants in public practice
Public practice is defined in the CPC as: ‘the practice of a professional accountant who places professional services at the disposal of the public for reward.’ The definition of a professional accountant in public practice includes a professional accountant who provides any professional service, including accounting, auditing, taxation, management consulting and financial management services. Therefore, a professional accountant registered with the IRBA as an RA will also fall within this definition, as these professional accountants provide auditing services.
Figure 2.13: Examples of situations for professional accountants in public practice
Part 3 of the CPC contains examples of situations that may create threats to ethical behaviour for the professional accountant in public practice – refer to Figure 2.13 and to Table 2.3. Note that the examples are not intended to be a complete list of all circumstances that may arise for the professional accountant in public practice. In order to reduce these threats to an acceptable level, the professional accountant can apply certain safeguards – refer to Figure 2.14 for factors which may influence the evaluation of threats, and to Figure 2.15 for safeguards that can be applied. To determine if safeguards are still appropriate consideration should be given to changes at the client (expansion of scope of professional service or if the client becomes a listed entity) or new information that comes to the attention of the professional accountant.
Some of the safeguards are incorporated into the quality control system implemented in the professional services (auditing) firm. For example, International Standard on Quality Control 1 (ISQC 1) paragraph 20 requires the firm to abide by ethical principles for all professional services it renders to the public, including the external audit. In order to ensure that this is achieved, the firm will have to establish policies and procedures to ensure that the firm and its staff adhere to the fundamental principles contained in the Codes of Professional Conduct. Such policies and procedures (e.g. requiring staff training to ensure that they know the requirements of, say, the SAICA/IRBA CPC and implementing structures to monitor staff’s adherence to the fundamental ethical principles) will create an environment in which these principles are adhered to, thereby mitigating the significance of threats.
Table 2.3: Examples of ethical threats to professional accountants in public practice

SELF-INTEREST THREAT
• Direct financial interest in a client (e.g. shares in a client);
• Quoting a low fee to obtain a new engagement (e.g. so low that it is difficult to perform the professional service in accordance with professional standards);
• Close business relationship with a client;
• Having access to confidential information that might be used for personal gain; and
• Discovering a significant error when evaluating the results of a previous professional service performed.

INTIMIDATION THREAT
• Being threatened with dismissal or replacement (e.g. the client threatens to replace auditor if he or she does not issue an unmodified auditor’s report);
• Feeling pressured to agree with judgement of the client, because client has more expertise;
• Being informed that planned promotion will not occur unless the professional accountant agrees with inappropriate accounting treatment; and
• Having accepted a significant gift from a client and being threatened that the acceptance of the gift will be made public.

SELF-REVIEW THREAT
• Reporting on the operation of financial systems after being involved in implementation of the system (e.g. IT division of the auditing firm was responsible for the design and implementation of client’s new accounting system; the IT division must now provide a report on the working of this system to a supplier); and
• Reporting on records when responsible for the preparation of the original data used to generate the records (e.g. senior audit trainee was responsible for the preparation of the accounting records and she is now on the audit team auditing these records).

ADVOCACY THREAT
• Promoting shares in a listed entity when entity is an audit client (e.g. selling shares on behalf of a client);
• Acting as advocate on behalf of assurance clients in litigation or disputes with third parties (e.g. testifies on behalf of a client in a court case); and
• Lobbying in favour of legislation on behalf of a client.

FAMILIARITY THREAT
• Member of assurance team has a close or immediate family member who is a director or officer at the client (e.g. the audit senior’s wife is the financial director at the client);
• A director or officer or an employee in a position to exert direct or significant influence over the subject matter of the engagement have served as the engagement partner (e.g. the previous audit engagement partner is now the financial director at the client); and
• Long association of senior personnel with client (e.g. the audit partner has been the partner assigned to the audit for the past 10 years).

Figure 2.14: Factors which may influence the evaluation of the threats: (paragraphs 300.7A1-300.7A5)

Figure 2.15: Examples of safeguards (paragraph 300.8A2)

2.6.6.1 Conflicts of interest (section 310)

Conflicts of interest could create threats to objectivity and other fundamental principles and can arise:
• Where the professional accountant’s interest and the client’s interest in a matter are in conflict (e.g. advising a client to invest in a business where the spouse of the professional accountant has a financial interest or advising a client on acquiring a business in which the firm is also interested in acquiring); and
• From the provision of services to clients whose interests are in conflict (e.g. acting for two clients who operate as competitors in the same industry or providing services to a seller and a buyer in the same transaction).

Before accepting a new client, an engagement or a business relationship, the professional accountant shall take reasonable steps to identify conflicts of interest. The nature of interests and relationships as well as the service and its implications for relevant parties need to be identified.
Factors such as the nature of service provided, size and structure of the firm and size and nature of client base need to be taken into account when identifying conflicts of interests. The professional accountant should also remain alert for changes in circumstances that may create conflicts of interests.

The level of the threats should be evaluated. Relevant factors include measures in place to prevent unauthorised disclosure of confidential information such as:
• Separate practice areas within a professional services firm;
• Implementing procedures to prevent one engagement team from gaining access to the working papers of the other engagement team in the firm;
• Entering into confidentiality agreements with the engagement teams; and
• Separation of confidential information physically (e.g. by keeping client files separate).

Appropriate safeguards include:
• Using different engagement teams for the clients whose interests are in conflict; and
• A senior individual not involved in the engagement reviewing the key judgements and conclusions reached to ensure that they are appropriate.

A professional accountant should evaluate whether it is necessary to disclose the conflict of interest, and obtain explicit consent in order to address the resulting threat. Factors such as the circumstances creating the conflict, the parties involved and the nature of the conflict of interest should be evaluated. Disclosure and consent may take different forms such as:
• General disclosure to clients that a professional accountant cannot provide professional services exclusively for one client;
• Specific disclosure to affected clients of the conflict of interest and how threats will be addressed – thereby enabling the client to make an informed decision; and
• Implied consent by the client’s conduct after a detailed presentation of the circumstances has been made to the client and if they do not raise an objection to the existence of the conflict.
If the client refuses to give consent, the professional accountant shall end or decline to perform the specific engagement, or terminate conflicting relationships or dispose of interests. The professional accountant shall remain alert to the fundamental principle of confidentiality when making disclosures to clients.

When making disclosures for obtaining specific consent from the client and this would breach the fundamental principle of confidentiality, and such consent cannot be obtained, the firm shall only accept or continue the engagement if:
• The firm does not act in an advocacy role for one client against another client in the same matter;
• Specific measures are in place to prevent disclosure of information between engagement teams of two clients; and
• The firm applies the reasonable and informed third-party test, and concludes that it is appropriate to accept or continue with the engagement.

The professional accountant should document the nature of the conflict of interest, the safeguards applied, consent obtained, specific measures in place to prevent disclosure of information, if applicable, and why it is appropriate to accept the engagement.

EXAMPLE

Books Limited, a publishing company, is a major external audit client of Henn and Associates. Publish Limited, another publishing company, also approached Henn and Associates with the request to act as its external auditors. Can Henn and Associates accept the external audit of Publish Limited?

A self-interest threat for objectivity and confidentiality could be created if Henn and Associates acts as external auditors for Books Limited and Publish Limited. The threat will be significant, as important confidential information could ‘leak’ between the audit teams of Books Limited and Publish Limited, both of which are in the same industry.
Additional steps that Henn and Associates could implement to mitigate these threats are:
• Preventing access to information of the two companies through, for example, physical separation of teams and secure filing of client information;
• Providing policies and procedures to members of the engagement teams about security and confidentiality;
• Entering into confidentiality agreements with the engagement team members;
• Notifying Books Limited that Henn and Associates has been approached by Publish Limited to act as its external auditor;
• Notifying Publish Limited that Henn and Associates already acts as external auditor of Books Limited;
• Notifying Books Limited and Publish Limited that a professional accountant cannot act exclusively for one client;
• Obtaining consent from Books Limited and Publish Limited;
• Using separate engagement teams to conduct the audits of the two companies in the same sector; and
• Reviewing the key judgements and conclusions to ensure that they are appropriate by a senior individual not involved in the engagement.

Unless the threat can be eliminated or reduced sufficiently, Henn and Associates should not accept the engagement of performing the external audit for Publish Limited.

Note: In all the examples in section 2.6.6, it is assumed that the persons rendering external audit services are not only RAs, but also professional accountants. As such, the SAICA Code of Professional Conduct will apply to them (in addition to the IRBA Code of Professional Conduct).

2.6.6.2 Professional appointment: Client and engagement acceptance (section 320, paragraphs 320.3A1–320.3A5)

In addition to carefully evaluating whether a new client can be accepted (i.e. whether this creates threats to the fundamental principles), existing clients should be reviewed at least annually to determine whether the relationship should be continued.
Where a client or potential client is involved in, for example, illegal activities, dishonesty or questionable reporting practices (identified by a professional accountant during a client evaluation), this could create threats to the professional accountant’s compliance with the fundamental principles of professional behaviour and integrity. Factors relevant in evaluating the level of the threat include:
• Normal pre-engagement activities, including obtaining/updating knowledge and understanding of the potential client (refer to Chapter 12); and
• Securing the client’s commitment to improve corporate governance practices and internal controls within the entity (refer to Chapter 4).

EXAMPLE

Coffee Limited (‘Coffee’) contacted Temba and Associates (‘Temba’) with a request to act as its external auditors. As part of the pre-engagement activities, Temba obtained the following information about Coffee:
• The Competition Tribunal is currently investigating a price-fixing charge in relation to one of the divisions of Coffee. The charge has to do with the application of a pricing formula and the exchange of information relating to the pricing of a product with a competitor.
• Coffee is currently involved in court cases with the SA Revenue Service.
• In addition, there are allegations that Coffee is involved in illegal activities.

Will threats to the fundamental principles arise if this client is accepted?

If the allegations about the illegal activities, as well as the other investigations and court cases, are true and the client is accepted, this will create self-interest threats in respect of the integrity and professional competence and due care principles. The threat to integrity arises because the auditor could be associated with false information. The threat to professional competence and due care arises because the auditor may find it very difficult, if not impossible, to comply with the requirements of the auditing standards (e.g. should management lack integrity).
The significance of these threats must therefore be evaluated (e.g. are the staff who were involved in alleged price-fixing still in the employ of the company, and what is their role in the management of the company?).

Safeguards that could be implemented are:
• Obtain a more detailed knowledge and understanding of Coffee’s business to ascertain if the allegations are true;
• Obtain the management of Coffee’s commitment to implementing effective corporate governance and sound internal controls; and
• Decline the audit engagement if it is found that the allegations are true or if the probability is high that the allegations are true.

Having accepted the client, a self-interest threat to professional competence and due care could arise when a professional accountant is not competent or experienced enough to provide the service contracted or does not have enough time or resources to complete the engagement timeously. Factors relevant to evaluate the level of the threat include:
• Acquiring knowledge and understanding of the client’s business, complexity of operations and the requirements of the engagement (i.e. the purpose, nature and scope of the work to be performed);
• Knowledge of relevant industries and experience of relevant regulatory or reporting requirements;
• The existence of quality control policies and procedures when accepting engagements.

Safeguards that might be implemented:
• Assigning sufficient staff with the necessary competencies;
• Using experts (particularly relevant in today’s increasingly complex environment); and
• Agreeing on a realistic time frame for completing the engagement.

EXAMPLE

Media Proprietary Limited approached Sandiswa and Associates (‘Sandiswa’) to provide a review engagement (refer to Chapter 16 for a detailed description of this type of engagement). No one in Sandiswa is up-to-date on the requirements of this type of engagement. Discuss whether Sandiswa can accept the engagement.
The acceptance of an engagement without the necessary knowledge creates a self-interest threat to professional competence and due care. The threat will be significant, since nobody in the firm is aware of what a review engagement entails – the risk of it being performed inadequately is high.

Safeguards that can be implemented to bring the threat to an acceptable level are:
• Inform Media Proprietary Limited that Sandiswa does not have knowledge to perform the engagement and decline the engagement;
• Use an expert from outside of the firm who has the knowledge of how to conduct review engagements; and
• Assign one or more staff time to gain an understanding of the requirements for a review engagement.

2.6.6.3 Professional appointment: Changes in professional appointment (section 320, paragraphs 320.4–320.8)

A professional accountant shall determine whether there are any reasons, professional or otherwise, not to accept the engagement when he or she:
• has been asked to replace an existing (current) professional accountant;
• considers tendering for an engagement; or
• considers providing complementary work.

If a professional accountant were to accept an engagement before contacting the current professional accountant and obtaining all the pertinent facts, this could create a self-interest threat to professional competence and due care. Examples of actions that might be safeguards include:
• Discussions with the current professional accountant to evaluate the significance of any threat(s) and also identify suitable safeguards; and
• Obtaining information from other sources, such as inquiries of third parties and background investigations of senior management.

The fundamental principle of confidentiality should, however, still be honoured when changes in appointments occur and any information provided should be treated in the strictest confidence.
The incoming professional accountant will need the client’s permission, preferably in writing, to initiate discussions with the current professional accountant. All legal and other regulations should be complied with when communicating with the current professional accountant. Also, the professional accountant who receives requests to communicate information to the incoming professional accountant should consider whether the client’s permission has been obtained and the legal and ethical requirements related to such communication have been met.

If the client refuses permission for the incoming professional accountant to contact the current professional accountant, the incoming professional accountant should decline the appointment, unless there are exceptional circumstances. When providing information, this should be done honestly and unambiguously.

If it is not possible to contact the current professional accountant, information can also be obtained by other means, including enquiries from third parties and performing background checks on the proposed client. However, the CPC stipulates that if the professional accountant cannot reduce the threats to professional competence and due care to an acceptable level, the engagement shall be declined.

When a professional accountant replies to the request of an entity to submit a tender relating to services to be rendered by the professional accountant, permission to contact the existing professional accountant should be requested from the entity.

For recurring client engagements, the professional accountant shall periodically review whether to continue with the engagement.

When a professional accountant intends to use the work of an expert, the professional accountant shall determine whether the use is warranted and needs to consider reputation and experience of the expert, resources available to the expert and professional and ethical standards applicable to the expert.
This information may be gained from prior association or by consulting with others.

EXAMPLE

Health Limited (‘Health’) had a disagreement with its current external auditors, Stan and Associates, over the accounting treatment relating to the purchase of a new subsidiary. Health asked Sisulu and Associates to take over the audit of Health and not to contact Stan and Associates. Can Sisulu and Associates accept the engagement?

A self-interest threat to professional competence and due care may be created if Stan and Associates are not contacted. The threat will be significant, as Health asked Sisulu and Associates not to contact Stan and Associates and it will therefore be impossible to obtain all the important information needed to make the decision about accepting the engagement.

Safeguards that can be implemented are:
• Sisulu and Associates should obtain Health’s permission, preferably in writing, to contact Stan and Associates;
• Stan and Associates should obtain Health’s permission, preferably in writing, to provide relevant information to Sisulu and Associates;
• If Health gives permission, Sisulu and Associates have to enquire from Stan and Associates whether there are any reasons, professional or otherwise, why the firm should not accept the engagement; and
• If Health does not want to give permission to contact Stan and Associates, then Sisulu and Associates should decline the engagement.

2.6.6.4 Second opinions (section 321)

A professional accountant could be asked to provide a second opinion on the application of accounting, auditing, reporting or other standards or principles to a specific set of circumstances or transactions for an entity that is not an existing client. The professional accountant should evaluate whether it is appropriate to provide the second opinion given that this engagement could create a self-interest threat to professional competence and due care and to professional behaviour.
When evaluating the level of the threat, the circumstances surrounding the request and the available facts and assumptions relevant to the expression of professional judgement need to be considered. Examples of actions that may be safeguards to address threats include:
• Contacting the existing professional accountant (with the client’s permission) to obtain material information on the area on which the second opinion is to be provided;
• Informing the client of the limitations under which this second opinion is given; and
• Providing the existing professional accountant with a copy of the opinion.

If the professional accountant who is to provide the second opinion is not granted permission by the client to contact the current professional accountant, the possibility of providing the second opinion should be carefully considered.

EXAMPLE

Furnishings Group Limited (‘FG’) approached Kunene and Associates to provide a second opinion on whether a material subsidiary should be consolidated or not. The current external auditors of FG are of the opinion that the subsidiary should be consolidated, whereas FG feels that consolidation is not necessary. May Kunene and Associates accept this engagement and are there any steps they can implement if they decide to accept the engagement?

The provision of a second opinion about the need to consolidate the subsidiary can create a self-interest threat to professional competence and due care if it is not based on the same facts as available to the current auditor in arriving at his or her opinion. The threat will be significant since a second opinion on the consolidation of a material subsidiary is requested, which could possibly not be based on the same facts as the first opinion. This could result in the second opinion being factually incorrect.
Steps that could be taken are:
• Obtain consent from FG to contact the current auditor to obtain material information about the subsidiary;
• Contact the current auditor of FG and discuss all material information regarding the subsidiary;
• Provide a copy of the second opinion to the current auditor of FG;
• Discuss any limitations regarding the opinion with the management team of FG; and
• If FG refuses to allow its current auditor to be contacted, consider whether it is appropriate to provide a second opinion on the consolidation of the subsidiary.

2.6.6.5 Fees and other types of remuneration (section 330)

The level and nature of fees and other remuneration arrangements might create a self-interest threat to one or more fundamental principles.

2.6.6.5.1 Level of fees (section 330.3)

The level of fees quoted may impact the professional accountant’s ability to perform the professional services in accordance with professional standards. The fact that a professional accountant quotes a lower fee than another professional accountant is not in itself unethical. However, the level of quoted fees creates a self-interest threat to professional competence and due care if it would be difficult to perform the engagement at the appropriate technical and professional standards given the available budget.

Factors relevant in evaluating the level of such threat include:
• Whether the client is aware of the terms of the engagement and the basis on which the fees are charged and which services are covered; and
• Whether the level of the fee is set by a third party such as a regulatory body.

Examples of actions that might be safeguards to address the self-interest threat include:
• Adjusting the level of the fees or scope of the engagement; and
• Having an appropriate reviewer to review the work performed.

EXAMPLE

The auditing firm, Anton and Associates, was recently founded.
In order to obtain audit clients, Anton and Associates quotes fees that are 50% lower than those charged by other auditing firms. Is this permissible and, if not, can any steps be taken to ensure the permissibility?

A self-interest threat for professional competence and due care will be created if the quote is so low that it will be difficult to perform the audit according to the requirements of the International Standards on Auditing. The threat will be significant, as a fee that is 50% lower than other auditing firms’ fees is markedly lower, which may make it difficult to perform the audit in accordance with auditing standards.

Safeguards that can be implemented are:
• Making the client aware of the terms of the engagement, the basis on which fees are calculated and which services are covered;
• Adjusting the level of the fees; and
• Having an appropriate reviewer to review the work performed.

If the above-mentioned safeguards cannot be implemented, the engagement should not be accepted.

2.6.6.5.2 Contingent fees (paragraphs 330.4; 410.9 A1-410.12 A3)

Contingent fees are widely used for certain non-assurance engagements. Self-interest threats to objectivity may be created in certain circumstances. Factors relevant in evaluating the level of the threats may depend on:
• The nature of the engagement;
• The range of possible fee amounts;
• The basis for determining fees;
• Disclosure to intended users of the work performed by the professional accountant and basis of remuneration;
• Quality control procedures;
• Whether the outcome of the transaction is to be reviewed by an independent third party; and
• Whether the level of the fee is set by an independent third party.

Examples of actions that might be safeguards to address the self-interest threat:
• Having an independent third party review the work performed; and
• Obtaining advance written agreement with the client on the basis of remuneration.
Under no circumstances may contingent fees be charged for the preparation of an original or amended tax return, owing to the unacceptable self-interest threat to objectivity that arises in such situations.

EXAMPLE

Alwyn and Associates, a firm of professional accountants, provides a wide range of services to its clients. Auditing services are provided to five clients. The audit fees are calculated as 5% of the clients’ profit before tax for the year. This basis is applicable to all clients. Is the basis on which these fees are determined allowed?
• This type of fee is not allowed for assurance clients as it creates a self-interest threat to objectivity.
• The threat will be significant, since the contingent fees are levied for assurance engagements (audits).
• The threat is so significant that no safeguards will reduce the threat to an acceptable level.
• The fee that is levied for the audit services must be calculated taking into account, among other things, the time and experience of the persons working on the audit.

2.6.6.5.3 Referral fees or commissions (paragraph 330.5)

If a professional accountant receives or pays a commission or a referral fee relating to services offered to clients, this may give rise to self-interest threats to objectivity and professional competence and due care. Such referral fees may include a fee paid to another professional accountant for obtaining a new client, a fee received for referring a client to another professional accountant or other expert, or a commission received from a third party (e.g. software vendor) for the sale of goods or services to the client.

Examples of actions that might be safeguards to address such self-interest threat include:
• Obtaining prior agreement in writing from the client for the commission arrangements; and
• Disclosing any referral fees or commission arrangements paid to or received from another professional accountant or third party to the client and obtaining written approval in advance.
2.6.6.5.4 Purchase or sale of a firm (paragraph 330.6)

A professional accountant may purchase all or part of another firm on the basis that payments will be made to the individuals formerly owning the firm. Such payments are not considered to be referral fees or commission.

EXAMPLE

Gumede and Associates (‘Gumede’) does not provide taxation services. Gumede refers its clients requiring taxation services to Tiaan and Associates (‘Tiaan’). For this referral, Tiaan pays 7.5% commission of the total fees charged for taxation services provided for Gumede’s clients to Gumede. Is this allowed according to the CPC?

The payment of commission to Gumede for taxation services provided creates a self-interest threat to objectivity, professional competence and due care. The threat will be significant, as it is a significant amount of remuneration (commission) that will be received for the work referred.

The safeguards that can be implemented are:
• Obtaining advance agreement from the client for the commission arrangement; and
• Disclosing to the client in advance, in writing, any arrangements to pay commission for the work referred.

2.6.6.6 Inducements including gifts and hospitality (section 340)

Where a professional accountant in public practice (or his or her immediate family) is offered gifts or hospitality by a client, a self-interest or familiarity threat to integrity, objectivity and professional behaviour is created. An intimidation threat to objectivity is created when the client threatens to make these offers public.

A professional accountant shall not offer or accept or encourage others to offer or accept any inducement from which the professional accountant or an informed third party would be likely to conclude that it is made to improperly influence the behaviour of the recipient or other individual.
The professional accountant shall obtain an understanding of relevant laws and regulations prohibiting the offering and acceptance of inducements and comply with them when necessary. Refer to Figure 2.8 for the definition of an inducement. The factors contained in Figure 2.9 have to be considered to determine the actual or perceived intent behind the inducement.

Inducements made with no intent to improperly influence behaviour can still create threats to the fundamental principles. Self-interest threats can be created where the professional accountant is offered hospitality from a prospective acquirer of a client, while providing corporate finance advisory services. Familiarity threats may be created if a professional accountant regularly takes an existing or prospective client to sporting events. Intimidation threats may be created if the professional accountant accepts hospitality which could be perceived to be inappropriate were it to be publicly disclosed. If the inducement is trivial and inconsequential the threats will be at an acceptable level.

EXAMPLE

The financial director of KL Limited (‘KL’) invited the lead engagement partner on the external audit of KL and his wife to his exclusive game farm in Botswana for a week-long stay. The financial director also mentioned that the audit partner would be allowed to hunt free of charge on the farm. May the lead engagement partner accept this offer?

No, he may not accept the offer. A self-interest threat and familiarity threat to independence will be created if the offer is accepted. The threat will be significant, as it will be a gift of significant value. Safeguards that can be implemented include that the partner should tactfully decline the offer.

2.6.6.7 Custody of client assets (section 350)

A self-interest threat to professional behaviour and objectivity may arise from holding clients’ assets, while providing other professional services.
A professional accountant should only accept custody of clients’ assets if this is in terms of applicable laws, such as the Financial Intelligence Centre Act 38 of 2001 (FICA), which may require the client to provide proof of residence and identification before client assets are accepted into custody of the firm. If the source of the asset is unknown, appropriate enquiries should be made about the source of such assets. Inquiries about the source of the assets might reveal that the assets were derived from illegal activities such as money laundering. The professional accountant shall not accept or hold the asset and the provisions of section 360 would apply.

2.6.6.7.1 Before taking custody

A professional accountant should not assume custody of client monies or other assets, unless permitted to do so by law and, if so, should comply with any additional legal duties imposed on him or her. As part of client engagement acceptance procedures to take custody of a client’s assets the professional accountant shall:
• Make inquiries into the source of the assets; and
• Consider related legal and regulatory requirements such as the Financial Intelligence Centre Act 38 of 2001 (FICA), which may require the client to provide proof of residence and identification before client assets are accepted into custody of the firm.

2.6.6.7.2 After taking custody

A professional accountant entrusted with money or other assets shall:
• Comply with the laws and regulations relevant to holding and accounting on assets (e.g. FICA);
• Keep the assets separate from personal and firm assets;
• Use the assets only for the purpose intended; and
• Be ready at all times to account for the assets and any income, dividends or gains generated to any entity or individuals entitled to that information.
For all client monies which the professional accountant controls or is liable to account for:
• The professional accountant shall not refer to such monies as being ‘in trust’ or in a ‘trust account’ as this could be misleading;
• Separate bank accounts have to be opened at an institution that is registered in terms of the Banks Act 74 of 1990;
• The accounts have to be appropriately named to distinguish them from the firm’s normal business accounts or a specific account named and operated per relevant client (e.g. ABC’s Client Account or John Smith account);
• The client’s monies have to be deposited into the appropriate bank account without delay;
• The professional accountant shall maintain such records to ensure that the money can be readily identified as the property of the client (e.g. detailed bookkeeping to supply client with analysis of the account);
• The professional accountant shall perform a reconciliation between the designated bank account and the client’s monies ledger accounts; and
• Client monies should not be held indefinitely unless specifically allowed by regulations.

For property other than money in his or her custody the professional accountant should:
• Not refer to such assets as being ‘in trust’ or in a ‘trust account’ as this could be misleading.
• Maintain such records to ensure that the client’s assets can be readily identified as the property of the client; and
• For documents of title, the professional accountant should make arrangements to safeguard the documents against unauthorised use.

The professional accountant should take appropriate measures to protect the client’s assets.
Examples of such measures include:
• Utilising umbrella accounts with sub-accounts for each client;
• Opening separate accounts with power of attorney if client monies are kept for a long period;
• Consider if the firm’s indemnity and fidelity insurance is sufficient; and
• Where a formal engagement letter is entered into, the risks and responsibilities should be addressed in the engagement letter.

For audit or assurance clients, a professional accountant may not accept custody of these client’s assets, unless the threat to independence can be eliminated or reduced to an acceptable level.

EXAMPLE
Opera Limited (‘Opera’) handed a cheque in the amount of R500 000 to Xolani and Associates (‘Xolani’), a firm of professional accountants, to purchase a property on Opera’s behalf. Xolani deposited the money into Xolani’s money-market account. Is the way the money was treated acceptable according to the CPC? If not, list any steps that could be taken to make it appropriate.
No it is not appropriate, as a self-interest threat to objectivity and professional behaviour will be created if the client’s cheque is accepted and deposited into the money-market account of Xolani. The threat will be significant, as the cheque is not treated in the manner required by the CPC. Safeguards that can be implemented:
• The cheque must be deposited without delay:
• In an account that is recognised in terms of the Banks Act;
• The account must be separate from Xolani’s business account; and
• The account must be appropriately named (e.g. Opera Limited Account).
• Xolani must be ready to account for the income earned on the account at any time;
• All laws and regulations must be met in terms of the money received; and
• The money must always be used only for the purpose for which it was intended (the purchase of a property).

2.6.6.8 Responding to non-compliance with laws and regulations (NOCLAR) (section 360)
Refer to Figure 2.10 for the definition of NOCLAR.
If a professional accountant becomes aware of NOCLAR when providing professional services, a self-interest or intimidation threat is created to integrity and professional behaviour. NOCLAR is applicable to laws and regulations generally recognised to have an effect on the determination of material amounts and disclosures in the client’s financial statements, as well as other laws and regulations which may be fundamental to the operating aspects of the employer’s business, its ability to continue business or to avoid material penalties. NOCLAR can be committed by a client, those charged with governance at the client, management of the client or other individuals working for or under the direction of the client. Refer to Figure 2.11 for examples of laws and regulations that could be transgressed.

Non-compliance might result in fines, litigation or other consequences for the client, could potentially materially affect its financial statements, and may have wider public interest implications of potential harm to investors, creditors, employees or the general public. Examples include fraud resulting in substantial financial losses, breaches of environmental laws and regulations endangering health and safety of employees or the public. Refer to Figure 2.12 for actions required. In exceptional circumstances immediate disclosure to the appropriate authority may be required.

A distinguishing mark of the accounting profession is the acceptance of the responsibility to act in the public interest. When responding to NOCLAR the objectives of the professional accountant are:
• To comply with the principles of integrity and professional behaviour;
• By alerting management or those charged with governance of the client to seek to:
• Enable them to rectify, remediate or mitigate the consequences of NOCLAR; or
• Deter the NOCLAR if it has not yet occurred; and
• To take such further action as appropriate in the public interest.
EXAMPLE
Riaan Ernst is a professional accountant (SA) working as a tax practitioner. He was approached by Fil Proprietary Limited (‘Fil’) to help to get their tax affairs in order. While performing his duties, he noted that certain of the tax returns filed with the SA Revenue Service (SARS) were incorrectly completed (resulting in an understatement of the company’s tax liabilities). This resulted in Fil still owing SARS more than R2 million (additional to the taxes already paid). Discuss whether there are any actions that Riaan Ernst should take with reference to the CPC.
• Riaan Ernst must consider whether the inaccurate tax returns constitute a possible NOCLAR.
• It is an action
• By the management of Fil
• It is contradictory with the Income Tax Act 58 of 1962
• It does constitute a possible NOCLAR.
• Riaan Ernst must investigate the matter further to obtain a better understanding of the matter.
• Riaan Ernst must discuss the matter with management and those charged with governance of Fil.
• If the tax act transgressions have taken place, Riaan Ernst must inform management that it constitutes a NOCLAR and that the matter should be rectified and reported.
• If a NOCLAR exists, a self-interest or intimidation threat is created to integrity and professional behaviour.
• If tax act transgressions have taken place and management does not do anything about it:
• Riaan Ernst should discuss the matter with the audit firm’s engagement partner;
• Riaan Ernst could consider getting legal advice;
• Riaan Ernst should consider reporting the matter to the relevant authority (in this case the SA Revenue Service); and
• Riaan Ernst could consider resigning.
• Riaan Ernst must document the following:
• The NOCLAR matter;
• Significant judgement and conclusions made;
• Discussions with management and how they reacted; and
• Further actions to consider and decisions made by Riaan Ernst.
2.6.7 International Independence Standards (Part 4)
When providing professional services, the professional accountant in public practice must determine whether there are any threats to the accountant’s independence. Independence is linked to the principles of objectivity and integrity, and comprises independence in mind and independence in appearance.

2.6.7.1 Independence
The section on independence in the CPC is divided into two areas:
• Section 4A: Independence – Audit and Review Engagements; and
• Section 4B: Independence: Other Assurance Engagements.

Both independence sections are divided into various subsections and there are certain considerations that the professional accountant has to take into account when determining the significance of threats. Note that this text includes only selected examples from section 4A of the CPC. Readers are encouraged to read these thoroughly themselves to gain an understanding of the whole range of examples included in the CPC.

The CPC also imposes additional requirements for audit clients that are public interest entities (e.g. listed companies), which result in even stricter independence requirements for the audits of such entities. This approach is followed in the CPC because the audited financial statements of public interest entities have a greater public interest, and because of the greater adverse repercussions if the audit opinion expressed on a public interest entity’s financial statements is inappropriate. For more on this, read paragraphs 400.8 of the CPC, as well as all those paragraphs in section 4A headed by ‘Audit Clients that are Public Interest Entities’.

2.6.7.2 Breaches of independence
Breaches relate to breaches to the code that have already occurred as opposed to implementing safeguards to prevent the breach from occurring. An example of this is when a professional accountant has already accepted a significant gift from the client. Refer to Figure 2.16 for actions required when breaches of independence occur.
Figure 2.16: Actions required for breaches of independence

2.6.7.3 Relative size of fees (paragraph 410.3)
Self-interest and intimidation threats to independence are created if the fees from an audit client represent a large portion of the revenues of the auditing firm or the individual partner or one office. When determining the significance of the threats, the following should be considered:
• The operating structure of the firm, for example the number of partners or directors in the auditing firm;
• Whether the firm is new or established; and
• The significance and extent of the client’s fees in relation to the firm’s total revenues.

Examples of actions that might be safeguards include:
• Reducing the dependency on the particular audit client by increasing the client base; and
• Engagement quality control reviews on audit work. The reviews should be undertaken by a firm that is not performing the audit.

EXAMPLE
Mnunu Auditors (‘Mnunu’) is a medium-sized auditing firm. The audit fee of one of the firm’s clients, Loophole Proprietary Limited (‘Loophole’), constitutes a large portion of the current year’s fees generated by one of the partners of Mnunu. Discuss the resulting threats in terms of the CPC.
If the audit fee of one of the audit clients constitutes a material part of the audit fees earned by one partner, it will create a self-interest and intimidation threat to independence (paragraph 410.3A4). The threat will be significant as the partner could be over-reliant on the fees of that client. Actions to take as safeguards to implement include:
• Reducing the dependency on the fees of Loophole by accepting more audit clients; and
• Performing an engagement quality control review on the audit work undertaken for Loophole.

2.6.7.4 Overdue fees (paragraph 410.7)
Self-interest threats to independence could be created if fees that are due by an audit client are not settled before the auditor’s report for the following year is issued.
The auditing firm should determine whether the overdue fees should not be regarded as a loan to the client (refer to section 2.6.7.8 of this chapter, where loans between auditors and clients are discussed). Examples of actions that might be safeguards are:
• Obtaining partial payment of overdue fees; and
• Having an additional professional accountant who was not on the audit team review the audit work performed.

2.6.7.5 Gifts and hospitality (section 420)
Accepting gifts and hospitality from an audit client might create a self-interest, familiarity or intimidation threat. A firm, network firm or audit team member shall not accept gifts and hospitality from an audit client, unless the value is trivial and inconsequential.

2.6.7.6 Actual or threatened litigation (section 430)
Self-interest and intimidation threats to independence could be created if litigation takes place between the auditing firm or a member of the audit team and the audit client. Factors that are relevant in evaluating the level of such threat include:
• The materiality of the litigation; and
• Whether the litigation relates to a prior audit engagement.

An example of an action that might be a safeguard is having a quality control review on the audit work performed.

2.6.7.7 Financial interests in clients (section 510)
Financial interests may include direct or material indirect financial interest in the client held by a member of the audit team, immediate family members of audit team members, or the auditing firm. Financial interests include the owning of shares and collective investments (e.g. unit trusts) invested in audit clients. The holding of financial interests in clients may create a self-interest threat to independence. When determining the level of the threats, the professional accountant should consider:
• The role of the person holding the interest;
• Whether it is a direct or indirect interest; and
• The materiality of the interest.
Examples of actions that might eliminate the threat are:
• Selling of the direct financial interest or selling a sufficient portion of the material indirect financial interest to make it immaterial to the professional accountant or his or her close or immediate family members;
• Having another professional accountant review the work performed by the professional accountant with the interest; and
• Removing the individual who is faced with self-interest threats from the audit team.

EXAMPLE
Ria Limited (‘Ria’) appointed Funeka and Associates as its external auditor. The audit engagement partner assigned is Ms Funeka. She has a material shareholding in Ria Limited. Is it appropriate that Ms Funeka is the audit engagement partner?
The direct financial interest in Ria creates a self-interest threat to independence. The threat is significant, as the holding is material. Actions that could be taken to eliminate the threat are the following:
• Ms Funeka will only be allowed to be the audit engagement partner if she sells her shareholding in Ria; or
• Ms Funeka must be removed from the audit of Ria and another engagement partner appointed.

2.6.7.8 Loans and guarantees (section 511)
No threat to independence arises from a loan or a guarantee that is made to a member of the assurance team under the normal lending terms and conditions from an audit client that is a financial institution. A loan from an audit client that is a financial institution to an auditing firm that is made under the normal lending terms and conditions, but which is material to either the audit client or the auditing firm, will create a threat, but it will be possible to apply safeguards.
The following will create significant self-interest threats to independence for which no safeguards will be able to reduce the threat to an acceptable level:
• When an auditing firm, or member of the audit team or his or her immediate family member, accepts a loan or a borrowing guarantee from an audit client that is not a financial institution.
• When the auditing firm, or member of the audit team or his or her immediate family member, makes or guarantees a loan to an audit client or any director or officer of the audit client.

An auditing firm, or member of the audit team or his or her immediate family member, may only accept (make) a loan or guarantee by (to) an audit client that is not a bank if the loan or guarantee is immaterial to the auditing firm or to the client.

EXAMPLE
Best Bank (‘Best’) is an external audit client of Sarah and Associates. Mrs Sarah, the engagement partner assigned to the audit of Best, obtained a home loan from Best under the normal lending terms offered to all of the bank’s clients. Will the loan provided create a threat to Mrs Sarah’s independence?
No threat will be created as the loan is made under the normal lending terms offered to all clients of Best, which is a financial institution.

EXAMPLE
Marketing Limited (‘Marketing’) is an external audit client of Jonono and Associates (‘Jonono’). Jonono agreed to provide a sizeable loan to Marketing to finance the company’s expansion. Interest at market-related rates will be charged on this loan. Is Jonono allowed to provide this loan?
Jonono cannot provide this loan, as it will create a self-interest threat to the firm’s independence. The threat will be significant, because the auditing firm is providing a material loan to an audit client. The threat will be so significant that no safeguards will reduce the threat to an acceptable level. The way forward: The loan should not be provided to Marketing, or Jonono should resign as Marketing’s external auditors.
2.6.7.9 Business relationships with clients (section 520)
Unless a business relationship is insignificant to the firm and the client, the self-interest and intimidation threats to independence created will be significant. The relationship should not be entered into or should be reduced to an insignificant level. If this cannot be achieved, it should be terminated or the audit team member involved should be removed from the audit team.

EXAMPLE
Mr Peter is an audit partner at Peter & Smit and Associates (‘Peter & Smit’). Mr Peter wants to start marketing the accounting software package developed by Up Proprietary Limited, one of the firm’s audit clients, to the firm’s other clients in exchange for a fee. Will Mr Peter be allowed to start to market the accounting software?
No, Mr Peter will not be allowed to market the accounting software to other clients. If Mr Peter markets the products of the audit client of Peter & Smit, a significant self-interest threat to independence will be created. The threat will be so significant that no safeguard will reduce the threat to an acceptable level. Therefore, this marketing initiative should not be undertaken.

2.6.7.10 Family or personal relationships with clients (section 521)
Family and personal relationships between a member of the audit team and a director, officer or certain employees at the client may create self-interest, familiarity and intimidation threats to independence. Factors that are relevant in evaluating the level of the threat include:
• Position of person at client; and
• Role of the member in the audit team.

Examples of actions that might be safeguards that can be implemented include:
• Removing the individual with the relationship from the audit team; or
• Structuring the responsibilities of the audit team such that the member of the team with the relationship does not deal with matters that are the responsibility of the related staff member at the client.
EXAMPLE
Darnell and Associates (‘Darnell’) is the external auditor of Malik Proprietary Limited (‘Malik’). Mr Tyron is a first-year trainee accountant at Darnell. Mr Tyron’s father is the financial director of Malik. Can Mr Tyron be assigned as a member of the external audit team of Malik?
No, Mr Tyron cannot be on the external audit team of Malik. If he is on the audit team, it will create self-interest and familiarity threats to independence. The threats will be significant, as Malik is an audit client of Darnell and Mr Tyron’s father is the client’s financial director responsible for the preparation of the financial statements subject to audit by the audit team.

2.6.7.11 Recent service with an audit client (section 522)
Self-interest, self-review and familiarity threats to independence could arise if a member of the audit team recently worked as a director, officer or employee of an audit client and exerted significant influence in areas related to the financial statements. When determining the significance of the threat, the following should be considered:
• The position that the person held at the client;
• The length of time that has elapsed since the person left the employ of the client; and
• The role of the person in the audit team.

Actions that may be regarded as safeguards include:
• Removing the individual from the audit team; and
• Reviewing the work performed by that individual as a member of the audit team.

EXAMPLE
Ms Lindelwa joined the auditing firm Natasha and Associates (‘Natasha’) four months ago. Natasha wants to assign Ms Lindelwa as the audit engagement partner of Reya Limited (‘Reya’). Ms Lindelwa is highly competent and very knowledgeable of Reya’s affairs, as she was the financial manager at Reya before joining Natasha. Discuss whether the assignment of Ms Lindelwa will be in accordance with the CPC.
Self-interest, self-review and familiarity threats to independence will arise if Ms Lindelwa is allowed to be the engagement partner on Natasha’s audit.
The threat will be significant, as she was the financial manager at Natasha previously (until joining Natasha four months ago) and will now be the engagement partner on the audit of Natasha, in which position she may have to review information that she prepared as financial manager. A safeguard that could be implemented is to not assign Ms Lindelwa as the engagement partner responsible for the audit of Natasha.

2.6.7.12 Serving as director or officer of an audit client (section 523)
Serving as a director or officer of an audit client creates self-interest and self-review threats. The Code forbids an employee or partner of an auditing firm from acting as an officer or director of an audit client. An employee or partner of an auditing firm shall not serve as company secretary for an audit client of the firm, unless management makes all the decisions and duties are limited to routine and administrative tasks.

2.6.7.13 Employment with an audit client (section 524)

Former partner or member of the audit team joins an audit client
Familiarity and intimidation threats to independence could be created if a member of the audit team or a partner at the firm joins the client as a director, officer or employee who can exert significant influence over the financial statements. When determining the significance of the threats, the following factors should be considered:
• The position of the former audit firm employee at the client;
• The former position of the employee on the audit team;
• The involvement of the former audit firm employee with the audit team; and
• The length of time that has elapsed since the former audit firm employee left the employ of the firm.

Examples of actions that might be safeguards include:
• Modifying the audit plan for the audit;
• Assigning individuals with sufficient expertise to the audit team; and
• Having an appropriate reviewer review the work of the former member of the auditing team.
EXAMPLE
Maurice and Associates (‘Maurice’) is the external auditor of Xavier Limited (‘Xavier’). Mrs Alexus, previously a partner of Maurice, accepted a position as financial director of Xavier six months ago. Will Maurice still be allowed to be the external auditor of Xavier?
If Maurice were to continue as the external auditor of Xavier, it would create familiarity and possible intimidation threats to independence. The threats will be significant, as a former partner of Maurice is the financial director at Xavier and will be involved in the audit process of Xavier. It has only been six months since she joined Xavier. Safeguards that can be implemented are having an engagement quality control review performed on the audit and assigning individuals to the team with sufficient expertise. Moreover, Mrs Alexus should also no longer be involved with any activities of Maurice.

An audit team member enters into employment negotiations with audit client
A self-interest threat to independence could be created if a member of the audit team participates in the audit engagement while knowing that he or she might join the client in the foreseeable future. Firm policies should be implemented that require the member of the audit team to notify the firm when he or she enters into employment negotiations with an audit client. An action that might be a safeguard is removing the individual from the audit team.

EXAMPLE
Ms Jasmin is a third-year trainee accountant working at the auditing firm of Allison and Associates (‘Allison’). She is currently assigned to the audit of Precious Proprietary Limited (‘Precious’). Precious approached Ms Jasmin to become the financial manager at Precious after completion of the audit. What steps must Ms Jasmin and Allison take?
A self-interest threat to independence would be created.
The threat will be significant, as Ms Jasmin, a member of the audit team, is being offered a position as the financial manager at Precious and would therefore be under pressure not to act in a way that could jeopardise the offer. Ms Jasmin should inform Allison when entering serious employment negotiations. Allison, upon being notified of this, should remove Ms Jasmin from the audit team.

2.6.7.14 Temporary staff assignments (section 525)
The secondment of staff by an auditing firm to an audit client may create self-review, advocacy or familiarity threats to independence. It may be acceptable if the secondment is only for a short period of time and if the staff of the auditing firm is not involved in management activities or non-assurance services to the audit client that would be otherwise prohibited. Circumstances may arise in such secondments that the firm becomes too closely aligned with the audit client, and it would be preferable not to provide the secondment at all. Examples of actions that might be safeguards include:
• Additional review of the work performed by the seconded staff;
• Not giving the seconded staff member audit responsibility for any function performed by him or her during the secondment; and
• Not including the seconded staff on the audit team.

EXAMPLE
Mr Scott is a third-year trainee accountant at Bradley and Associates (‘Bradley’). He assisted George Proprietary Limited (‘George’), an external audit client of Bradley, for one month of the current financial year by standing in for the financial manager while she was in hospital. Can Mr Scott be assigned to the team to audit George? What safeguards must be implemented by Bradley while Mr Scott is seconded to George?
No, Mr Scott cannot be on the audit team of George. This will create self-review, familiarity and possible advocacy threats to independence.
Additional safeguards will be that Mr Scott during his assignment cannot be involved in any management activities and must not take any management decisions at George.

2.6.7.15 Long association of senior personnel with an audit client (section 540)
A familiarity threat to independence could be created if the same person has been on the audit team of a client for a long period of time, thereby becoming too familiar with senior management of the client or with the financial statements on which the firm will express an opinion, or the financial information forming the basis of the financial statements. A self-interest threat may be created as a result of the audit team member’s concern about losing the longstanding client or the team member’s interest in maintaining a close relationship with a member of senior management at the client. Such a threat might influence the judgement of the audit team member unduly. The factors that are relevant in evaluating the level of the threats include:
• The length of time that the individual has been on the team;
• The role of the individual on the team;
• The extent to which the individual’s work is directed, reviewed or supervised;
• The extent to which the individual can influence the outcome of the audit;
• The closeness and nature, frequency and extent of the personal relationship with senior management;
• The nature of complexity of the client’s accounting and financial reporting issues; and
• Any recent changes in senior management or structure at the client.

Actions that might be safeguards are:
• To rotate senior staff off the engagement team (the Companies Act (section 92) requires that the engagement partner rotates off after five years);
• Changing the role of the individual on the audit team;
• Having a professional accountant who is not on the engagement team review the work of the senior personnel; and
• Regular independent internal or external quality reviews of the engagement.
For audits of public interest entities an individual may not act in the following roles for more than seven cumulative years:
• Engagement partner;
• Individual responsible for quality control on the engagement; and
• Any other key audit partner role.

EXAMPLE
Mr Eon has worked as an audit partner at Ananas and Associates, a small auditing firm, for the past 20 years. He has been the lead engagement partner on the audits of some of his clients for more than 10 years. Discuss this in terms of the CPC.
Since Mr Eon has been the lead engagement partner on the audits of some clients for a significant period of time (longer than 10 years), the threat would be significant. A familiarity threat to independence may result in Mr Eon being loath to engage with the management of clients about issues identified during their audit for fear of jeopardising the friendships that have developed over the years. Moreover, he may have become too close to the clients to be able to view misstatements in the financial statements objectively (i.e. with an open-minded perspective). The following safeguards can be considered to reduce the threats to an acceptable level:
• The audit of those clients must be rotated to another engagement partner; and
• Regular independent internal or external quality reviews should be performed.

2.6.7.16 Provision of non-assurance services to audit clients (section 600)
Threats to independence could be created when non-assurance services are provided to audit clients. There is a wide range of non-assurance services that could be provided to audit clients. While sections 601–610 of the CPC provide a detailed discussion of these, this text only deals with the general (overall) provisions. Readers should thus consult the sections of the CPC identified above for the details of the threats and safeguards regarding specific non-assurance services.
The factors that are relevant to assessing the level of the threats created include:
• Type of client (whether it is an audit client or not and whether the client is a public interest entity);
• Type of non-assurance service to be provided to the client (e.g. taxation services);
• Who provides the non-assurance service (whether the person is on the audit team or not);
• The extent to which the non-assurance service impacts on the accounting system, internal control system or financial statements (e.g. valuation services will have a direct influence on the figures reflected in the financial statements); and
• The level of expertise of the client’s employees with respect to the service provided (e.g. the client’s staff may have no expertise in relation to IT systems and IT consulting services are provided).

If an auditing firm provides non-assurance services that involve assuming management responsibilities at an audit client, the self-interest and self-review threats to independence created would be so significant that no safeguards can reduce them to an acceptable level and only one of the engagements (i.e. the audit or the non-assurance service) should be accepted (or continued) by the auditing firm.

Actions that might be considered as safeguards include:
• Excluding the person performing the non-assurance services from the audit team; and
• If the person is on the audit team, a senior staff member with appropriate experience and who is not on the audit team should review the work of that person.

In considering the acceptability of rendering non-assurance services concurrently with the audit, it is important to note the requirements of section 90(2) of the Companies Act, which prohibits certain non-assurance services (e.g. bookkeeping and certain company secretarial services) being rendered if the audit is required by statute (i.e. in terms of the Companies Act, Companies Regulations or the company’s Memorandum of Incorporation).
REFLECTION
After reading section 90(2) of the Companies Act, answer the following question: Are any other non-assurance services prohibited for statutory audit clients?

In determining the acceptability of rendering non-assurance services with the audit, especially for public interest entities that have an audit committee, the requirements of section 94 of the Companies Act must also be taken into account. The audit committee (if it exists) must:
• Determine the nature and extent of any non-audit services that the auditor may or must provide to the company; and
• Pre-approve any proposed agreement with the auditor for the provision of non-audit services.

This means that even though it may be legal to provide a particular non-assurance service to a client, and the auditor does not identify any unacceptable threats to independence, the rendering of this service may still be disallowed by the audit committee as the independent directors serving on this committee believe that it will jeopardise the independence of the auditor in fact or in appearance.

EXAMPLE
Small auditing firms are often in the situation where they provide a comprehensive range of accounting and auditing services to sole proprietors and partnerships. Are they allowed to render these services?

Rendering a comprehensive range of accounting and auditing services to these audit clients will create a self-review and threat, threat to independence (section 601). Rendering accounting services to these audit clients will create a significant threat, as accounting information that is vital to the audit is being prepared by the firm auditing this information. Since the audit clients are not companies, safeguards can be implemented to reduce the threats to an acceptable level. (Had they been companies, section 90(2)(b) of the Companies Act would prohibit the rendering of the accounting service concurrently with the audit – unless the audits were undertaken voluntarily, i.e.
undertaken in terms of a resolution of the shareholders or directors.)

Safeguards include:
• Staff members who render the accounting services must not be assigned to the audit team;
• Having policies and procedures in the firm that prohibit such staff members from making management decisions on behalf of the client; and
• The client should approve journal entries or any changes made to the financial statements by the auditing firm staff.

2.7 How does ethics fit into the audit process?
According to ISA 200.14, when conducting an audit of financial statements, the auditor shall comply with relevant ethical requirements, including those relating to independence. This means that ethical requirements, such as those embodied in the CPC, have to be adhered to by the audit team throughout the audit process.

The Audit Process Overview Diagram was introduced in Chapter 1. During the pre-engagement activities stage, for instance, the auditor has to identify and evaluate threats to objectivity (independence) in deciding whether or not to accept the client and audit engagement. Throughout the audit process, any information that could create threats to the fundamental ethical principles has to be taken into consideration and acted upon. This is because ISA 220.9 specifically imposes an obligation on the audit engagement partner to remain alert for evidence of non-compliance with the ethical requirements by the members of the audit team. If such actions are identified, the engagement partner must ensure that appropriate action is taken. Refer to Figure 2.17.

Figure 2.17: Ethics in the audit process

Assessment questions
1. Define and explain the concept of ethics. (LO 1)
2. State where in the audit process the ethical requirements have to be considered. (LO 2)
3. Explain why professions have codes of ethics. (LO 1)
4. What is the difference between a principles-based approach to ethics and a rules-based approach to ethics? Which is preferable, and why? (LO 3)
5.
What ethical codes and rules are applicable to external auditors in South Africa? (LO 4)
6. Which actions constitute prohibited actions for an external auditor in South Africa? (LO 4)
7. Briefly describe the disciplinary processes of the IRBA and SAICA. (LO 5)
8. Identify and describe the steps to be followed in the conceptual framework approach to ethics. (LO 6)
9. List the five fundamental principles of the SAICA Code of Professional Conduct that should be adhered to by professional accountants. (LO 6)
10. Explain the fundamental principle of confidentiality. (LO 6)
11. Below are three columns that contain information regarding situations the professional accountant may encounter. The situations are listed in column A. The threats that these situations may cause are listed in column B. The fundamental principles that could be threatened are listed in column C. Link the three columns with each other by writing for each situation in column A, the letter of the corresponding threat from column B and the number of the relevant fundamental principle from column C. (LO 6 & 7)

COLUMN A
11.1 Susan Human is the financial manager of Cumalu Limited. She has resigned after being offered a position as audit manager at Botha Inc., an auditing firm. Botha Inc. has recently been appointed as the external auditor of Cumalu Limited. Susan will be assigned to this audit owing to her knowledge of Cumalu Limited.
11.2 Smit and Goosen, an auditing firm, has recently been appointed as the external auditor of Bealer Steel Limited. The financial director of Bealer Steel Limited is very aggressive and dismissive of the auditing function.
11.3 Shani King, a partner in an auditing firm, has recently been appointed as the partner responsible for the external audit of Accuracy Limited. Shani’s husband, Joseph, owns 20% of the shares of Accuracy Limited.
11.4 The financial manager of Peer Limited was so impressed with the speed with which the external audit was conducted that he offered an all-expenses paid trip to the Kruger National Park for all audit team members and their spouses.
11.5 Autotel Limited, an external audit client of Le Roux and Jordaan, offered Sebastiaan Joubert a job after the conclusion of the current year’s audit. Sebastiaan is the audit manager on the Autotel Limited audit.
11.6 Zolani Xulu, a senior trainee accountant at Audit Inc., prepared the 20X1 financial statements for OPP Limited. Zolani Xulu will be the senior on the audit team during the 20X1 audit of OPP Limited.

COLUMN B
a) Self-interest threat
b) Familiarity threat
c) Intimidation threat
d) Self-review threat
e) Advocacy threat

COLUMN C
1. Professional competence and due care
2. Objectivity
3. Confidentiality
4. Professional behaviour
5. Integrity

For questions 12 to 14, select the correct answer:
12. A professional accountant who fails to perform professional duties in accordance with relevant standards is acting contrary to which one of the following fundamental principles? (LO 6)
a) Professional competence and due care
b) Integrity
c) Objectivity
d) Confidentiality
e) Professional behaviour
13. Which of the following will create a threat to integrity: (LO 7)
a) Performing both assurance and non-assurance services at a client
b) Disclosing information which was obtained from a client to a third party
c) Completing a tax return knowing that the information used to complete the tax form contains false information
d) Receiving a fully paid holiday from a client
14. Which of the following will create a familiarity threat? (Only one option is possible.) (LO 7)
a) Owning shares in the audit client
b) Receiving sporting event tickets from a client
c) Having a family member working at the client
d) Performing auditing and accounting work for a client

For questions 15 to 19, indicate whether the statement is true or false:
15.
The following would all create threats to independence: (LO 7)
a) Establishing a business relationship with an audit client
b) Accepting a fully paid holiday from an audit client
c) Owning shares in an audit client
d) Receiving a loan from an audit client, which is a bank, at an interest rate lower than that offered to the general public
16. The following would all create a self-review threat: (LO 7)
a) Testifying in a court case on behalf of an audit client
b) Selling shares on behalf of an audit client
c) An audit client threatens you with litigation
d) Implementing a new accounting system for a client and performing the audit of the client
17. Mr Wilson is the audit manager in charge of the audit of Tuscany Limited and his wife is a material shareholder of Tuscany Limited. Mr Wilson will be allowed to be the audit manager on Tuscany Limited if his wife sells her shares in Tuscany Limited. (LO 7)
18. The IRBA has its own Code of Professional Conduct. (LO 8)
19. The SAICA Code of Professional Conduct promotes a conceptual framework to which professional accountants must adhere. (LO 6)

CHAPTER 3
Legal responsibilities of the auditor
Graeme O’Reilly

CHAPTER CONTENTS
Learning outcomes
Reference list
3.1 Introduction
3.2 What are the statutory and regulatory requirements for an audit?
3.3 How does the statutory appointment, removal and rotation of the auditor work and what are his or her rights?
3.4 What are the statutory requirements to practise as an auditor?
3.5 What does the auditor’s statutory responsibility to identify and respond to Reportable Irregularities entail?
3.6 How is auditing in the public sector different from auditing in the private sector?
3.7 What other legislation and regulations may impact on the scope of the audit function?
3.8 What role can the auditor play to aid good corporate governance?
Assessment questions

LEARNING OUTCOMES
1. Identify the legislation that governs the appointment, duties, and regulation of auditors.
2. Describe, and be able to identify, the conditions that give rise to the statutory requirements for an audit.
3. Describe the alternatives for a company that does not specifically have to be audited in terms of the legislation (voluntary audits, independent reviews, or neither of these).
4. Describe the conditions that need to be met in order for a person, or firm, to be eligible for appointment as the auditor of a company.
5. Describe how a company appoints or replaces its auditor.
6. Describe the statutory rights and functions of a company’s auditor.
7. Describe how the conduct of auditors is regulated and to what extent auditors can be held accountable for their actions.
8. Describe the auditor’s reporting responsibilities regarding Reportable Irregularities and identify the circumstances leading to a Reportable Irregularity.
9. Describe the unique requirements that govern auditing in the public sector.
10. Describe the additional requirements that apply specifically to the audit of JSE listed entities.
11. Describe the impact of the Sarbanes-Oxley Act on the audit of a South African subsidiary of an American holding company.
12. Describe the King IV™ recommendations relating to the external audit function and explain the need for combined assurance.

REFERENCE LIST
Companies Act 71 of 2008, sections 30, and 90 to 94.
Companies Regulations 2011, regulations 26, 28 and 29.
Auditing Profession Act 26 of 2005.
Institute of Directors Southern Africa (2016) King IV™ Report on Corporate Governance for South Africa 2016.

IN THE NEWS
2001 Accounting scandal
In 2001, after a series of revelations involving irregular accounting procedures bordering on fraud perpetrated throughout the 1990s involving Enron and its accounting firm Arthur Andersen, Enron suffered the largest Chapter 11 bankruptcy in history (since surpassed by those of WorldCom in 2002 and Lehman Brothers in 2008). As the scandal unravelled, Enron shares dropped from over $90.00 in the summer of 2000 to just cents. Enron had been considered a blue chip stock, so this was an unprecedented event in the financial world. Enron’s plunge occurred after the revelation that much of its profit and revenue were the result of deals with special purpose entities (limited partnerships which it controlled). This meant that many of Enron’s debts and the losses that it suffered were not reported in its financial statements. Enron filed for bankruptcy on 2 December 2001.
In addition, the scandal caused the dissolution of Arthur Andersen, which at the time was one of the world’s top accounting firms. The firm was found guilty of obstruction of justice in 2002 for destroying documents related to the Enron audit. Since the Securities and Exchange Commission (SEC) is not allowed to accept audits from convicted felons, Andersen was forced to stop auditing public companies. Although the conviction was thrown out in 2005 by the Supreme Court, the damage to the Andersen name prevented it from returning as a viable business even on a limited scale.

Oakbay/SARS scandals
KPMG (one of the ‘big four’ audit firms in South Africa – along with Deloitte, Ernst & Young and PwC) has a heritage in South Africa dating back to 1895, and the firm has been part of the international KPMG organisation since its formation in 1979. During 2017, KPMG South Africa became embroiled in scandals involving the notorious Gupta family, which has led to the closure of several of its offices and resulting (at the time of writing) in considerable uncertainty about its continued operations in South Africa.

In June 2017, the amaBhungane Centre for Investigative Journalism revealed some fascinating correspondence between KPMG and Oakbay Resources and Energy (a Gupta-owned entity in the mining sector). KPMG had been the auditors of the Oakbay group for 15 years prior to the revelations of corruption and collusion, at which point KPMG then resigned. One of the more controversial transactions to emerge was the financing of a R30m wedding for one of the Gupta daughters, allegedly using funding earmarked by the Free State government to a dairy farm. It appears that funds were redirected from this project via related party entities (Linkway Trading and Accurate Investments) to finance the wedding. KPMG’s chief executive and KPMG’s lead engagement partner for the audit of Oakbay were both guests at the wedding.
To make matters even worse for KPMG, they also issued a controversial report in 2015 implicating former Finance Minister Pravin Gordhan in the creation of an illegal rogue intelligence gathering unit of the South African Revenue Service (SARS). This report was seen by many to be part of a wider Gupta-linked state capture conspiracy, with the aim of forcing Gordhan out of his post. The report was withdrawn by KPMG in September 2017 creating large-scale public backlash.

These scandals ultimately resulted in the resignation of several partners within KPMG’s senior leadership in South Africa, including its chairman, its chief executive officer and its chief operating officer. Numerous large South African companies dismissed KPMG as their auditors in the immediate aftermath of the scandal, including the Auditor General of South Africa and ABSA Group Limited. Many of their other clients will no doubt be seriously reconsidering their continued relationship with KPMG. At the time of writing, KPMG is still under investigation by the IRBA in relation to their conduct.

3.1 Introduction
Given the vital role that auditors play in providing assurance to people and organisations that rely on financial statement information to make economic decisions, it is not surprising to see the significant extent to which the profession is regulated. The Enron and KPMG scandals referred to in the newspaper articles above paint a clear picture of what can happen when auditors do not fulfil their responsibilities properly or are perceived not to have done so.

Despite their knowledge of the serious flaws in the financial statements of Enron, the auditors (Arthur Andersen) continued to issue an unmodified (or ‘clean’) opinion on the financial statements. This resulted ultimately in both investors and lenders suffering huge losses, and led to a lawsuit against the auditor from which it could not recover.
It is worth noting from the Enron article that the SEC (to an extent the equivalent of South Africa’s JSE) has a regulation prohibiting auditing firms that have been found guilty of performing audits in contravention of legislation from continuing to audit publicly listed companies. The loss of credibility associated with a conviction of this nature would no doubt have a large impact on the level of assurance third parties can take from an audit opinion issued by the convicted auditor. This event (along with several others around the same time) led to a widespread loss of public confidence in the opinions being expressed by auditors on financial statements.

CRITICAL THINKING
Just how prevalent are scandals that involve auditing firms?
Do an internet search for ‘scandals involving audit firms’ and see what comes up …

In order for the public to retain high levels of confidence in the opinions expressed by auditors on financial statements, it is vital that the auditing profession be properly monitored and regulated. In South Africa, the Independent Regulatory Board for Auditors (IRBA) was created in 2005 to do just that. (Note that its predecessor was the Public Accountants and Auditors Board – refer to Chapter 1 for the history of the auditing profession.)

DID YOU KNOW?
Prior to its 2017/2018 Global Competitiveness Report, the World Economic Forum Survey placed South Africa, for the previous seven reports, as the world leader in terms of strength of auditing and reporting standards regarding company financial performance. In the 2017/18 report, South Africa dropped to 30th place! This was largely due to a significant deterioration in the level of global confidence in South Africa’s financial markets as a result of levels of corruption, crime, downgrades, and perceptions about financial institutions. The decline in ranking was also influenced by a change in the manner in which the survey was conducted. The full survey can be downloaded at https://www.weforum.org/reports/.
Regulation of the auditing profession means that there are numerous statutory requirements that need to be met regarding the appointment and conduct of an auditor. This chapter examines these requirements in detail. Given the technical nature of this chapter and the ease with which one can become disoriented, it is appropriate to start with a high-level overview of this chapter’s overall structure and flow:
• We start with an introduction in section 3.1 of this chapter to the two pieces of legislation that form the basis for the bulk of the content of this chapter – the Companies Act 71 of 2008 and the Auditing Profession Act 26 of 2005.
• In section 3.2, we turn our attention to the statutory requirements for an audit as established by the Companies Act. Not all companies need to be audited. Consequently, before considering the legislation governing the auditor, you need first to be clear as to when auditors are required. Section 3.2 also explains what happens if a company does not have to be audited.
• Having established when the need for an audit arises, section 3.3 then considers the requirements that need to be met by companies when appointing their auditor and what they need to do should they wish to reappoint, or even remove, the auditor.
• Section 3.4 considers who is able to act as an auditor, as well as the regulations that govern the scope, duties and conduct of the auditor.
• Section 3.5 discusses Reportable Irregularities, including what they are and what the auditor’s responsibilities are with regard to them.
• Sections 3.6 and 3.7 contain a brief look at some of the other environments in which audits might take place and the related additional requirements that may arise. These environments include auditing in the public sector, auditing companies listed on the JSE, and auditing South African subsidiaries of American holding companies.
• The final section considers the impact of good corporate governance on the audit function.
(Corporate governance is covered in detail in Chapter 4.)

3.1.1 Legislation and regulations governing the audit function
There are two pieces of legislation that govern the audit function directly – the Companies Act, to be read together with the related Companies Regulations of 2011, and the Auditing Profession Act.

The Companies Act provides for the incorporation, registration, organisation and management of South African companies. It contains specific sections dealing with, among other things, when an audit is required, who may perform an audit and a company’s relationship with its auditors. In addition to the Companies Act, the Companies Regulations contain several regulations relating to the administration of companies. These regulations took effect at the same time as the Companies Act, and supplement the Companies Act.

The Auditing Profession Act (‘APA’) provides for the establishment of the IRBA and for the education, registration and regulation of Registered Auditors (RAs).

A summary of the major sections and/or regulations in each Act that specifically govern the audit function follows in Table 3.1. This chapter explores many of these sections and regulations in more detail.

3.1.2 Legislation and regulations with which the auditor has to be familiar
In addition to being familiar with the laws and regulations that specifically govern the audit function, the RA also has to be familiar with other laws and regulations affecting the auditee. ISA 250 Consideration of Laws and Regulations in an Audit of Financial Statements requires that an auditor understands and gathers sufficient appropriate audit evidence about the auditee’s compliance with laws and regulations that directly affect the financial statements.
Examples of such laws and regulations include:
• The Companies Act (which governs the actions and decision-making processes of companies, the consequences of which are reflected in the financial statements);
• The Income Tax Act 58 of 1962 (which governs the determination and payment of income taxes that have to be recognised and measured in the financial statements);
• The Value-Added Tax Act 89 of 1991 (which governs the determination and payment of VAT for almost every transaction that is entered into and which has to be appropriately recognised and measured in the auditee’s financial records);
• The National Credit Act 34 of 2005 (which will be particularly important, for example, to auditees who provide credit facilities to consumers);
• The Financial Intelligence Centre Act 38 of 2011 and the Financial Intelligence Centre Amendment Act 1 of 2017 (which governs money laundering and terrorism financing); and
• The Protection of Personal Information Act 4 of 2013 (which governs the protection of personal information by public and private bodies).

There may well be several more, depending on the nature of the company being audited and the industry in which it operates.

CRITICAL THINKING
What other legislation may directly affect the financial statements of Ntsimbi Piping?
Ntsimbi Piping distributes its products throughout Africa and imports approximately 70% of its raw materials, predominantly from Australia and New Zealand. It would therefore be important for the auditor to have an understanding of export and import regulations, and exchange control regulations to the extent that these affect the revenue, purchases, and inventory figures contained in the financial statements.

Table 3.1: Summary of Acts and Regulations governing the audit function

| Legislation governing the audit function | Specific aspects relating to the audit function that are governed by this legislation | Section/regulation reference |
| --- | --- | --- |
| Companies Act | The requirement for certain companies to be audited. | Section 30 |
| Companies Act | The requirement that certain companies appoint an auditor and the conditions which have to be met to fill this position. | Section 90 |
| Companies Act | The requirements relating to the resignation of an auditor and the resulting vacancy that arises. | Section 91 |
| Companies Act | The requirement to rotate auditors every five consecutive financial years. | Section 92 |
| Companies Act | The rights and restricted functions of auditors. | Section 93 |
| Companies Regulations | The requirement for every company to calculate its public interest score at the end of each financial year (which determines whether that company needs to be audited or not). | Regulation 26(2) |
| Companies Regulations | The categories of companies that are required to be audited (read in conjunction with section 30 of the Companies Act and regulation 26(2) above). | Regulation 28 |
| Companies Regulations | The requirements relating to the independent review (for companies that do not need to be audited). | Regulation 29 |
| Auditing Profession Act | The establishment, functions, powers, governance, committees, financial management and national government oversight of the IRBA. | Sections 3–31 |
| Auditing Profession Act | The accreditation of professional bodies to educate and train RAs. | Sections 32–36 |
| Auditing Profession Act | The registration of individual auditors and firms as RAs. | Sections 37–40 |
| Auditing Profession Act | The conduct by, and liability of, RAs including: duties in relation to the audit; | Section 44 |
| Auditing Profession Act | duty to report on irregularities; and | Section 45 |
| Auditing Profession Act | the limitation of the auditor’s liability. | Section 46 |
| Auditing Profession Act | Improper conduct and disciplinary procedures. | Sections 47–51 |
| Auditing Profession Act | Offences (including those associated with Reportable Irregularities). | Sections 52–54 |

3.2 What are the statutory and regulatory requirements for an audit?
Having become acquainted with the legislation governing the audit function, we turn our attention to understanding when an audit is required in terms of this legislation. It is important to note that not all companies need to be audited and therefore not all companies need to be concerned with the appointment of auditors.

3.2.1 Companies that have to be audited
The Companies Act (section 30(2)) requires that the following companies must be audited (i.e. they have no choice in the matter):
1. Any public company; or
2. In the case of any other profit or non-profit company:
a) If so required by the Companies Regulations; or
b) If so chosen by that company, and the requirement is incorporated in its Memorandum of Incorporation.

Section 1 of the Companies Act defines a public company as being ‘a profit company that is not a state-owned company, a private company, or a personal liability company’. To understand this definition, it is necessary to ‘unpack’ it:

EXAMPLE
Profit company (section 1): A company incorporated for the purpose of financial gain for its shareholders.
State-owned company (section 1): An enterprise that is registered in terms of the Companies Act as a company and is either listed as a public entity in the Public Finance Management Act 1 of 1999 (PFMA), or is owned by a municipality (as contemplated in the Local Government: Municipal Systems Act 32 of 2000) and is otherwise similar to the enterprises listed in the PFMA.
Private company (sections 1 and 8)
A profit company that is not a state-owned company and in terms of its Memorandum of Incorporation is prohibited from offering any of its securities to the public and is restricted when it comes to the transferability of its securities.

Personal liability company (sections 1 and 8)
A private company where its Memorandum of Incorporation specifically states that it is a personal liability company. Section 19 then provides that where a company is a personal liability company, the directors and past directors are jointly and severally liable, together with the company, for any debts and liabilities of the company.

The text above has unpacked the definition of a public company; any company meeting this definition is required to be audited in terms of the Companies Act. To understand which of the other categories of companies are required to be audited, section 30(7) of the Companies Act directs one to the Companies Regulations. Regulation 28 requires that the following categories of companies must be audited:
1. Public companies (repeating the Companies Act requirements);
2. State-owned companies (defined in section 1 of the Companies Act); and
3. Profit or non-profit companies (defined in section 1 of the Companies Act) that, in the ordinary course of their primary activities, hold assets in a fiduciary capacity for persons who are not related to the company and if at any time during the financial year the aggregate value of these assets exceeded R5 million.

CRITICAL THINKING
Think of examples of companies that might fall into this third category.
1. Estate agent companies that hold deposits in trust.
2. Investment companies that hold investor funds in trust.
3. Incorporated attorney practices that via their trust accounts hold client monies.

4. Non-profit companies:
   a) Incorporated directly or indirectly by the State, an international entity, a foreign state entity, or a foreign company;
   b) Incorporated primarily to perform a statutory or regulatory function in terms of any legislation;
   c) Incorporated to carry out a public function at the direct or indirect initiation or direction of the State, an international entity, a foreign state entity, or a foreign company; and
   d) Incorporated for a purpose ancillary to items b) or c) above.

CRITICAL THINKING
Does the IRBA need to be audited?
Yes it does. It is incorporated primarily to perform a regulatory function in terms of the Auditing Profession Act of 2005.

5. Any other company (profit or non-profit) whose public interest score in that financial year:
   a) Is equal to, or exceeds, 350; or
   b) Falls in the range of 100 to 349 if its annual financial statements were internally compiled (i.e. compiled by staff of the company without the use of an independent professional accountant).

WHAT IF?
What if a private company that does not hold assets in a fiduciary capacity as its main business and has a public interest score of greater than 100 (but less than 350) has its financial statements independently compiled and reported on (as opposed to internally compiled as referred to in point 5 above). Will this company’s financial statements have to be audited?
No, the company’s financial statements will not have to be audited because it does not meet any of the requirements listed previously. Have a look at the definitions in regulation 26 to understand what it means to have a set of financial statements independently compiled and reported on. Also, refer to section 3.2.2 below to ascertain whether any form of assurance on the company’s financial statements is required.

Clearly, a non-public and non-state-owned company’s public interest score is an important determinant as to whether it will be required to be audited or not.
Logic dictates that a company in whose activities and financial statements the public has a greater degree of interest will have a higher public interest score. Because of the greater levels of public interest in such a company (and given the purpose of the audit to provide reasonable assurance), there will then be a greater need to have that company’s financial statements audited. Table 3.2 illustrates how to calculate a public interest score in accordance with regulation 26(2).

Table 3.2: Calculating a public interest score

Component of public interest: Employment
This component takes into account the size of the workforce.
Calculation: ‘a number of points equal to the average number of employees of the company during the financial year.’ This includes both salaried employees and wage earners and may include certain temporary staff in addition to the permanent staff complement.

Component of public interest: Third-party liability
This component takes the creditors of the company into account.
Calculation: ‘one point for every R1 million (or portion thereof) in third-party liability of the company, at the financial year-end.’ Third-party liability is regarded as amounts owing to parties external to the entity. This would therefore include amounts owing in respect of trade creditors or bank overdrafts and loans but would exclude amounts owing to employees or shareholders.

Component of public interest: Turnover
This component takes into account the extent to which the company has an effect in the market place.
Calculation: ‘one point for every R1 million (or portion thereof) in turnover during the financial year.’

Component of public interest: Shareholders/Members
This component takes into account the interest of the investors or members of the company.
Calculation: ‘in the case of a profit company, one point for every individual who at the end of the financial year is known by the company to have, directly or indirectly, a beneficial interest in any of the company’s issued securities.’ ‘in the case of a non-profit company, one point for every individual who at the end of the financial year is known by the company to be a member of the company or a member of an association that is a member of the company.’ Take note of the reference to individuals and the reference to both direct and indirect holdings. A subsidiary would therefore need to look to the number of individuals holding securities in the company’s holding company to determine its public interest score (i.e. take into account the indirect beneficial interest holders). Based on this, any company with more than 350 individual shareholders (directly or indirectly) will have to be audited.
Note: There is an alternative school of thought that the individual shareholders of the holding company should not be taken into account in the calculation as these shareholders do not have an entitlement/right to the distributions of the subsidiary or to direct the voting at the subsidiary’s shareholder meetings. As such, the individual shareholders of the holding company cannot be seen as the holders of the beneficial interest in the subsidiary company. But, for purposes of this text, this alternative school of thought will not be explored further.

WHY?
Why did regulation 26 include these four components of public interest in the calculation of a public interest score?

Employment: Employees receive payments and other benefits from their employers. They have a significant interest in the ability of their employer to be able to continue to employ them.

Liability: Organisations or individuals that are owed money by the company want to know that the company is financially sound enough to be able to repay what is due to them.
Turnover: A company’s turnover provides an indication of the relative size of the company and the degree to which it interacts with its investors, funders, customers and suppliers. The larger the volume of trading is, the wider the impact of that company is and the greater the degree of interest is in that company’s sustainability.

Shareholders/Members: Shareholders or members have a direct financial interest in the company in which they have invested their money. They want to know the degree to which their investment remains secure and/or viable. The more investors there are, the greater the interest is in the company’s performance.

EXAMPLE
A practical example of the calculation of a company’s public interest score

Consider the following information about Stratus (Pty) Ltd, a profit company with a June financial year-end that is involved in the manufacture and retail of designer gumboots:
• 51% of the shares in Stratus are held by another company, Big Brother (Pty) Ltd; 25% are held by Mr Smith, and the remaining 24% are held by Mrs Doe.
• Big Brother has 12 shareholders, all of whom are individuals.
• Mr Smith and Mrs Doe are both directors of Stratus (Pty) Ltd.
• The company’s annual turnover for the current financial year is R37,439,021.
• Liabilities as at year-end comprised the following amounts owing:
   • Trade Payables (to non-related companies) – R2,367,210
   • Loan owing to Mr Smith – R1,239,000
   • Loan owing to Big Brother (Pty) Ltd – R4,367,996
• The company had 15 salaried employees and 36 wage-earning employees on its payroll at the end of their financial year. During the year, four new wage-earning employees were appointed. There were no resignations or dismissals.
• The company prepares its own annual financial statements.

Calculate Stratus (Pty) Ltd’s public interest score and decide whether it needs to be audited or not. Attempt the calculation on your own before reviewing your attempt against the suggested solution in Table 3.3.
Table 3.3: Suggested solution to the calculation of Stratus (Pty) Ltd’s public interest score

PIS component: Employment
Calculation: 49
Justification: The total number of employees at the end of the year was 51 (15 salaried and 36 wage-earning). There were 4 new wage-earning employees appointed during the year. Therefore, the number of employees at the beginning of the year was 47 (51 less the 4 new employees). The average number of employees was therefore (47 + 51) / 2 = 49 and therefore 49 points will be allocated to employment.

PIS component: Third-party liability
Calculation: 3
Justification: Third-party debt relates to the creditors of the company – it is money owing to persons or companies external to the company. The loans to Mr Smith and Big Brother (Pty) Ltd are both loans to shareholders and are thus not external to the company. It is therefore only the trade payables of R2,367,210 that will count in the determination of public interest and the score is 1 point per R1m or part thereof and therefore 3 points will be allocated for third-party liability.

PIS component: Turnover
Calculation: 38
Justification: 1 point for every R1m or part thereof – turnover is R37,4m and therefore 38 points will be allocated for turnover.

PIS component: Shareholders/Members
Calculation: 14
Justification: 1 point is awarded for every individual who has a direct or indirect beneficial interest in the company’s issued securities. Direct interest: There are only 2 individuals with a direct interest (Mr Smith and Mrs Doe) – therefore 2 points. Indirect interest: Big Brother (Pty) Ltd has a direct interest but is not an individual. The shareholders of Big Brother have an indirect interest in Stratus by virtue of their company’s interest in Stratus. Big Brother has 12 shareholders – all of whom are individuals – and therefore a further 12 public interest points will be allocated for this component. Total score for this component is therefore 2 + 12 = 14.

Total score: 104

Stratus (Pty) Ltd is clearly not a public or state-owned company, nor is it a non-profit company. Moreover, it does not hold assets in a fiduciary capacity as a main part of its business. The only determinant in terms of whether it would need to be audited or not would therefore come from its public interest score. To be audited, its PIS must either be above 350 (regardless of who prepares its financial statements) – which is not the case here – or its PIS must be from 100 to 349 and it must prepare its own financial statements – which is the case. Because Stratus (Pty) Ltd prepares its own financial statements, its financial statements must therefore be audited.

CRITICAL THINKING
Do the financial statements of Ntsimbi Piping have to be audited?
Given that Ntsimbi Piping prepares its own financial statements, like Stratus (Pty) Ltd in the example above, it would need a PIS of greater than 100 for it to have to be audited. Given that Ntsimbi Piping employs approximately 80 staff and its revenue for the current year is R128,3 million, its PIS already exceeds 200 before even considering the other public interest components. Therefore, its financial statements will have to be audited.

3.2.2 What if a company does not have to be audited?

If a company does not meet any of the preceding requirements for it to be audited, then in terms of section 30(2) of the Companies Act, it must be either:
1. Voluntarily audited, applicable where this is required by the Memorandum of Incorporation, or a shareholders resolution, or a resolution of the board of directors; or
2. Independently reviewed, in terms of the requirements contained in the Companies Regulations; except when every person who is a holder of (or who has a beneficial interest in) any securities issued by the company is also a director of that company (section 30(2A) of the Companies Act), in other words, a company that is managed by all its owners.
In this case, legislation does not require the company to be independently reviewed or audited. This exception for owner-managed entities is present because of the limited extent of public interest in these entities. However, should this type of company have external parties with an interest in the company (banks or potential investors, for example), its directors would be wise to consider voluntarily electing to be audited, or at least independently reviewed, so as to provide some assurance to these parties that are likely to place reliance on the financial statements in making their decisions. The independent review is covered in more depth in Chapter 16.

3.3 How does the statutory appointment, removal and rotation of the auditor work and what are his or her rights?

Having understood which companies have to be audited, let us now turn our attention to the appointment of the auditor and any subsequent changes to the status of that appointment, whether through resignation or dismissal. We will first consider who can be appointed as an auditor and will then work through the appointment process itself.

3.3.1 Requirements to be met by the auditor in order to be appointed

Section 90(2) of the Companies Act sets out a number of requirements that must be met by a person or firm in order to be appointed as auditor to a company. (If a firm of auditors is appointed, as opposed to an individual person, then the person in that firm who will be in charge of the audit also has to meet these requirements.) It is worth noting that the requirements of section 90(2) only apply to mandatory audits (i.e. where the company has no choice in whether it will be audited or not) or where this decision is the result of a requirement in the company’s MOI. A company that elects to be audited voluntarily by way of a resolution of the shareholders or board of directors, however, does not need to comply with the requirements of section 90(2).

The requirements can be summarised as follows:
1. They must be RAs.
This requires that they are registered with the IRBA which is the only way to obtain the designation of RA. The IRBA requirements that must be met to become an RA are discussed in section 3.4.1 of this chapter.
2. They must not be directors or prescribed officers of the company. Auditors have to be independent of the company that they are auditing. A person who is responsible for a senior management role in a company cannot be seen to be suitably independent, and therefore suitably objective, when it comes to expressing an opinion on that company’s financial statements.

CRITICAL THINKING
Who is a prescribed officer?
In terms of regulation 38 of the Companies Regulations, a prescribed officer is defined as being a person who, despite not being a director, nonetheless exercises, or regularly participates to a material degree in the exercising of, general executive control over the management of the business. A person cannot therefore avoid statutory responsibilities just by not being a director in a formal capacity.

3. They must not be an employee or consultant of the company who has been engaged by that company for more than one year in maintaining or preparing any of the company’s financial records or statements. Similar to point 2, this is required in order to ensure that the auditor remains suitably independent, in fact and in appearance.
4. They must not be directors, officers or employees of a person appointed as company secretary in terms of the Companies Act (refer to sections 86–89 of the Companies Act for details of the company secretary). Note that company secretaries can be either individual persons or juristic bodies (e.g. companies).

CRITICAL THINKING
Can a person who has been the company secretary of a company be appointed as their auditor?
Strictly speaking, point 4 above refers only to directors, officers or employees of a person appointed as company secretary and not the actual person themselves. Now have a look at the next prohibition!

5. They must not be persons who, alone or with a partner or employees, habitually or regularly perform the duties of accountant or bookkeeper, or perform related secretarial work, for the company. So, in response to the previous critical thinking question, here is our answer. The company secretary performs related secretarial work for the company and therefore cannot become the auditor of the company.
6. They must not be persons who at any time during the five financial years immediately preceding the date of appointment (as auditor), were persons contemplated in points 2 to 5 above.

CRITICAL THINKING
Why is it necessary to include point number 6?
If you are, for example, a current director (or employee, officer, etc.) of a company, then you could have resigned from that position and immediately become its auditor were it not for point number 6. This section now sets a time period (a ‘cooling off period’, if you like) during which you must not have been engaged in any of the capacities referred to in the previous four points should you wish to be considered for appointment as that company’s auditor. This ensures that the auditor will be sufficiently independent.

7. Where a company has an audit committee (either because the company has to have one or because it has chosen to do so), the proposed auditor must be acceptable to the company’s audit committee as being sufficiently independent of the company, having regard to the matters set out in section 94(8) of the Companies Act.
These matters require that the audit committee considers:
   a) That the proposed auditor does not receive any remuneration for services rendered to the company other than the fee for the audit or fees for non-audit services that were previously approved by the audit committee;
   b) The degree to which the proposed auditor’s independence may have been compromised as a result of any prior appointments as auditor or any consulting work done by the proposed auditor for the company; and
   c) The degree to which the proposed auditor complies with any other criterion related to independence as prescribed by the IRBA (which effectively therefore includes compliance with the IRBA Code of Professional Conduct (CPC)).

3.3.2 Appointment of the auditor

Having considered the requirements to act as auditor, let us now have a look at how companies should go about appointing an auditor. Every company that must be audited (in terms of section 30 of the Companies Act and/or regulation 28 of the Companies Regulations) or that has voluntarily elected to be audited (section 30(2) of the Companies Act) must appoint an auditor in terms of section 90 of the Companies Act.

The statutory deadlines for the appointment of the auditor are as follows:
1. If an auditor is not appointed by the company on incorporation, the directors have 40 business days from the date of incorporation to appoint the first auditor.
2. The first auditor always holds office until the conclusion of the first annual general meeting of the company.
3. An auditor is automatically reappointed at an annual general meeting without any specific resolution needing to be passed, unless:
   a) The auditor no longer qualifies to act as auditor (refer to section 3.3.1 of this chapter);
   b) The auditor no longer wishes to act as auditor (refer to section 3.3.3 of this chapter);
   c) The auditor is no longer allowed to serve as auditor because of the requirements for rotation of the auditor every five years (refer to section 3.3.6 of this chapter);
   d) The audit committee objects to the reappointment of the auditor; or
   e) The shareholders at the annual general meeting have chosen to appoint another auditor.

CRITICAL THINKING
With reference to the news item at the beginning of this chapter, what would have been the processes followed by those companies who wished to terminate their relationship with KPMG?
The board of directors would have recommended the appointment of another auditor in the place of KPMG (or the audit committee may have objected to the re-appointment of KPMG) and this would then have needed to be approved by shareholders at the annual general meeting. Refer to section 3.3.4 below.

4. If an auditor is not appointed or reappointed at the annual general meeting, the directors have 40 business days after the date of the meeting to appoint an auditor.

3.3.3 Resignation of the auditor

Auditors may choose to resign from their position of auditor of a company at any time. Once they are appointed as auditors, there is no statutory requirement that they serve out any term of office with the company. Resignation of an auditor is effective from the date that notice of the resignation is filed with the Companies and Intellectual Property Commission (the ‘Commission’), as established by section 185 of the Companies Act.

CRITICAL THINKING
Why might an auditor choose to resign from an audit appointment?
1. The auditor no longer has the required knowledge, skills or capacity to audit the company.
2. The auditor no longer wants to be associated with the company or with the individuals who manage or own the company.
3. The audit is not economically viable (the audit fee does not recover the amount of time required for performing the audit).
4. An ethical conflict has arisen that creates a situation where the auditor can no longer maintain the required level of objectivity.

If a firm is appointed as auditor of a company and there is a change in the composition of that firm whereby fewer than 50% of the original members remain, then this is to be regarded as a resignation of that firm and a vacancy arises.

3.3.4 Dismissal of the auditor

A company is perfectly entitled to dismiss (or remove from office) its auditor if it so wishes. In this case, the directors are required to give notice of their intention to dismiss and replace the auditor for consideration and resolution by the shareholders at the annual general meeting. In other words, the dismissal cannot happen at any time, thereby affording the auditor a measure of protection in the performance of his or her duties. In addition, in terms of section 89, which applies to both the removal of the company secretary and the auditor through section 91(6), if an auditor is removed from office by the board of directors, the auditor may require the directors to include a statement in the annual financial statements in the directors’ report setting out the auditor’s contentions surrounding the circumstances resulting in the dismissal. In order to exercise this right, the auditor has to give the appropriate notice to the company.

3.3.5 Appointment of a replacement auditor

Should a vacancy arise, the directors need to appoint a replacement auditor within 40 business days of the effective date of resignation of the previous auditor.
If the company has an audit committee, the board of directors has to provide this committee with the name of at least one registered auditor to replace the outgoing auditor within 15 business days of the vacancy arising. The board may then appoint a registered auditor from the names it has provided to the audit committee unless it receives written notice from the audit committee rejecting the proposed auditor within five business days of having received the name of the proposed replacement. If the company does not have an audit committee, it falls to the board of directors alone to appoint the replacement auditor.

3.3.6 Rotation of auditors

Section 92 requires that the same individual may not serve as auditor of a company for a period longer than five years. This section has been introduced to contribute to the need for auditors to remain objective during their appointment. The judgement of an auditor who has been appointed in this capacity by the same company for too many years may become clouded as he or she becomes more and more familiar with the management team of that company. The longer the time period together, the bigger the risk is that the relationship between auditor and management starts to swing from an independent professional relationship to a friendship that lacks objectivity.

Other considerations include:
1. If an individual auditor has been the RA of a company for two or more consecutive years and then ceases to be the RA of the company, that individual may not be reappointed as auditor of that company for at least a further two consecutive financial years; and
2. If a company has joint auditors, the company must manage the rotation so that both auditors never end their rotation at the same time so that they both need to be replaced in the same financial year.

It is important to note that section 92 of the Companies Act requires that only the individual auditor (the individual ultimately responsible for the audit) rotates and not the auditing firm as a whole.
It is therefore quite possible that the same auditing firm may continue to audit a company for many years provided that the lead partner/director responsible for the particular audit engagement rotates at least every five years.

DID YOU KNOW?
On 5 June 2017, the IRBA’s ‘Rule on Mandatory Audit Firm Rotation’ (MAFR) was gazetted. This rule effectively prohibits an audit firm from acting as auditors to a public interest entity (as defined in the IRBA Code of Professional Conduct for Registered Auditors) for more than 10 consecutive years. A period of five years would need to pass before that audit firm could again be considered for appointment as auditor of that entity. This rule becomes effective as of 1 April 2023 – i.e. for financial years commencing after 1 April 2023, the auditor of that public interest entity must not have been the auditor for the preceding 10, or more, years.

3.3.7 Statutory rights of the auditor

Auditors have certain statutory rights of access to information to obtain the necessary evidence to express an opinion on the fair presentation of the auditee’s financial statements. Section 93(1) of the Companies Act provides auditors with the following statutory rights:
1. The right of access at all times to the accounting records and all books and documents of the company;
2. The right to require any information and explanations necessary for the performance of their duties from the directors or prescribed officers of the company;
3. In the case of an auditor of a holding company:
   a) The right of access is to all current and former financial statements of any subsidiary of that company; and
   b) The right to require any information and explanations necessary for the performance of their duties from the directors or prescribed officers of the company or of the subsidiary;

REFLECTION
Did you notice the following point?
Auditors of the holding company do not have immediate right of access to the subsidiary’s accounting records and need to direct any information requirements through the directors or prescribed officers of the holding company or subsidiary.

   c) The right to attend any general shareholders’ meeting;
   d) The right to receive all notices of and communications relating to any general shareholders’ meeting; and
   e) The right to be heard at any general shareholders’ meeting on any part of the business of that meeting that might concern the auditor’s duties or functions.

WHAT IF?
What happens if a company refuses to co-operate with their auditors in terms of granting them access to their records or providing them with the necessary information or documents in response to their enquiries?
Section 93(2) of the Companies Act enables an auditor to apply to the courts if necessary to enforce their rights of access as described above. Companies may not restrict their auditors in terms of exercising any of these rights and auditors can apply to have any restrictions removed. It is also an offence for a director wilfully and knowingly to frustrate, or attempt to frustrate, the performance of the auditor’s functions.

CRITICAL THINKING
Are there any services (other than the audit) that an auditor is not permitted to perform for the auditee in terms of the Companies Act?
We have already seen that in terms of section 90(2) the auditors may not also act as bookkeeper, accountant or company secretary to the company. In addition to this, section 93(3) states that an auditor may not perform any services for a company if:
1. The performance of those services would create a conflict of interest for the auditors (this is supported by section 44(6) of the Auditing Profession Act whereby an auditor may not conduct an audit of an entity if they have, or had, a conflict of interest); or
2. The audit committee (if the company has one) has determined that the auditors may not perform those services.
3.4 What are the statutory requirements to practise as an auditor?

Having become familiar with the Companies Act requirements pertaining to the appointment, dismissal, replacement and rotation of auditors as well as their statutory rights, let us now have a look at the Auditing Profession Act (APA) requirements that pertain to RAs.

3.4.1 The requirements to become a Registered Auditor

We have already seen that the Companies Act requires that a person needs to be an RA to be appointed as the auditor of a company. Section 37 of the APA prescribes the conditions that must be met for a person to apply to the IRBA for registration.

CRITICAL THINKING
Why does the IRBA have to be satisfied regarding an auditor’s eligibility to practise? Why not simply let companies evaluate the auditors they wish to appoint?
Companies do not always have the resources or ability to evaluate for themselves the credibility or competence of a potential auditor. Having a regulatory board consider the suitability of an auditor establishes a common benchmark for the evaluation of all auditors in terms of suitable criteria. It is the role of the IRBA to protect the public interest in financial statements of companies. This must necessitate a quality check on the auditors who are expressing opinions on the financial information on which the public is then placing their reliance.

The IRBA must be satisfied as to the following before they will register an applicant:
1. The applicant must have complied with the prescribed education, training and competency requirements for RAs (i.e. he or she should possess the requisite competence to practise as an auditor).

CRITICAL THINKING
What are the prescribed education, training and competency requirements?
Currently, the only professional qualification that meets the IRBA education, training and competency requirements is the Chartered Accountant (SA). So, generally, you cannot become an RA unless you have met the requirements to be a CA(SA).
Note that this does not mean you have to be a member of SAICA but only that you must have met their requirements for qualification, in other words that you are eligible to become a CA(SA). In addition to the requirement to be a CA(SA), the IRBA introduced an additional requirement from 1 January 2015 that qualified CAs will also need to complete at least an 18-month post-qualification period of ‘apprenticeship’ – known as the ‘Audit Development Programme’ (ADP) – under the guidance and supervision of an RA, who will serve as their mentor. During this ‘apprenticeship’, a prescribed number of hours on audit-related matters will have to be completed at a level more senior than that experienced during the three-year SAICA training contract. In so doing, the CA(SA) will effectively become a specialist in auditing.

2. The applicant must have arranged for his or her continuing professional development (CPD) if he or she is not a member of an accredited professional body. Currently, SAICA is the only accredited professional body that can train RAs on behalf of the IRBA. SAICA already has an established CPD policy and members are monitored against this policy. Therefore, for members of SAICA (and therefore CAs), SAICA will effectively arrange their CPD and will ensure that they meet their IRBA CPD requirements. However, those applicants who have chosen not to be members of SAICA will be required to arrange for their own CPD.
3. The applicant must be resident in South Africa.
4. The applicant must be seen to be a fit and proper person to practise in the profession (i.e. he or she should possess integrity and other related characteristics to practise).
5. The applicant must meet any additional requirements for registration (if any) that may be prescribed by the IRBA.

In addition to the above requirements having to be met, section 37 also includes reference to certain circumstances under which the IRBA may not register an individual (even if the above-mentioned conditions have been met).
These circumstances include the following:

1. If the applicant has been removed from an office of trust because of misconduct related to a discharge of their duties in respect of that office;
2. If the applicant has been convicted (whether in South Africa or elsewhere although, if committed elsewhere, the IRBA is entitled to consider the prevailing circumstances in the foreign country) of:
• Theft;
• Fraud;
• Forgery;
• Uttering a forged document;
• Perjury;
• An offence under the Prevention and Combating of Corrupt Activities Act 12 of 2004 (PRECCA); or
• Any offence involving dishonesty (other than theft, fraud or forgery committed prior to 27 April 1994 associated with political objectives); and
• has been sentenced to imprisonment without the option of a fine; or
• has been fined an amount that exceeds that which has been prescribed by the Minister of Finance;
3. If the applicant has been declared by a court to be of unsound mind, or unable to manage his or her own affairs; and
4. If the applicant is disqualified from being registered under a sanction imposed under the APA.

CRITICAL THINKING
What about unrehabilitated insolvents?
Section 37(5) directs that the IRBA may (not must, like the four points before) decline to register an individual who:
• Is an unrehabilitated insolvent;
• Has entered into a compromise arrangement with their creditors; or
• Has been provisionally sequestrated.

3.4.2 Firms as Registered Auditors

A firm can register to become an RA. Section 38 of the APA regulates the circumstances under which a firm can apply for registration with the IRBA. The only firms that may register are the following:

1. Partnerships of which all partners are themselves RAs in their individual capacities;
2. Sole proprietors where the proprietor is an RA;
3. Companies with the following characteristics:
a) They are personal liability companies as defined by sections 1, 8 and 19 of the Companies Act.
Remember that this means that all directors (past and current) are, together with the company, jointly liable for any debts and liabilities contracted during their period of office;
b) All shareholders are individuals who are RAs; and
c) Every shareholder of the company is also a director and every director is a shareholder.

3.4.3 Limitations on what an auditor may do

In addition to the need to act in accordance with the IRBA’s CPC and its Rules Regarding Improper Conduct (which are covered in Chapter 2, section 2.4), section 41(6) of the APA specifically prohibits auditors from doing any of the following:

1. They may not practise under a firm name or title unless on every letterhead bearing the firm name or title appears:
a) The RA’s name and surname; or
b) In the case of a partnership, at least the name(s) and surname(s) of the managing or active partners; or
c) In the case of a company, the names of the directors.
2. They may not sign any account, statement, report or other document that purports to represent an audit performed by them unless:
a) The audit was performed by them, or under their supervision and direction; and
b) The audit was performed in accordance with the prescribed auditing standards (i.e. the ISAs).
3. They may not perform audits unless adequate risk management practices and procedures are in place.
4. They may not engage in public practice (i.e. perform audits) during any period in which they have been suspended from public practice.
5. They may not share any profits derived from performing an audit with any person who is not also an RA.

3.4.4 Statutory duties of auditors

Section 44 of the APA requires that the auditor must be satisfied that certain criteria relating to the audit have been met prior to expressing an opinion (without qualification) that the company’s financial statements fairly present the financial position and results of its operations and cash flows in accordance with the applicable financial reporting framework. These criteria include the following:

1. That the audit has been conducted free of any restrictions whatsoever and in compliance with auditing pronouncements (which include the ISAs);
2. That the auditor is satisfied as to the existence of all assets and liabilities shown on the financial statements;
3. That proper accounting records have been maintained in at least one of the official languages of South Africa and that these reflect and explain all transactions and record all assets and liabilities correctly and adequately;
4. That the auditor has obtained all information, vouchers and other documentation which in his or her opinion were necessary to properly perform his or her duties;
5. That the auditor has not had cause to report to the IRBA in terms of section 45 of the APA (Reportable Irregularities), or, if he or she did have cause so to report, that a second report has subsequently been sent to the IRBA indicating that there was in fact no Reportable Irregularity (refer to section 3.5 of this chapter for a discussion of Reportable Irregularities);
6. That the auditor has complied with all laws relating to the audit of that company; and
7. That the auditor is satisfied as far as is reasonably practicable as to the fairness of the financial statements.

(It is worth noting that a number of the above criteria are superfluous, as compliance with the ISAs (required by criterion 1) automatically ensures that criteria 2, 4, 6, and 7 are met.)

3.4.5 Inspections of auditors

In terms of section 47 of the APA, the IRBA may at any time inspect or review the practice of an RA. The purpose of these inspections is to establish that audits are being conducted in accordance with relevant auditing standards and within relevant accounting frameworks. As a minimum, auditors of public companies (given the degree of public interest in these entities) must be inspected or reviewed by the IRBA at least once every three years.
In addition to the inspection or review of an audit practice by the IRBA, the IRBA must also investigate any matter referred to it where it appears justified that an RA may be guilty of improper conduct (refer to Chapter 2 of this book).

3.4.6 Liability of auditors for losses suffered by the client and/or third parties

Now that we have worked through the statutory and regulatory aspects relating to the auditor’s appointment and duties, let us turn our attention to what happens if the auditor expresses the wrong opinion on the client’s financial statements! It might be a good idea to turn back to the newspaper feature at the beginning of this chapter to revisit the Enron collapse and the auditor’s role therein. Was it appropriate that the auditors were found liable for the loss suffered by parties who had placed reliance on their audit opinion?

The mere fact that the auditor expressed the wrong opinion on a client’s financial statements does not mean that the auditor did not do his or her job properly. The wrong opinion could be a function of the inherent limitations of the audit – refer to section 1.4.5.2 in Chapter 1. In Chapter 1, it was also explained that the auditor expresses reasonable, not absolute, assurance on whether the financial statement presents fairly. Hence, there is always a risk that the audit opinion will be wrong even if the auditor performed the work with professional competence and due care. However, if the wrong opinion was the result of the auditor not performing the audit properly (i.e. not adhering to the applicable audit and ethical standards), then the auditor must be prepared to face the consequences.

Section 46 of the APA sets out the conditions under which an auditor may be found liable for loss suffered by clients or by third parties who relied on an inappropriate audit opinion.
Section 46(1)(b) makes it quite clear that this section, dealing with the liability of auditors, applies equally to the individual RA (appointed by the firm to lead the audit) and the firm itself. There is therefore no distance between the individual auditor and the firm. If the individual is found to be liable, the firm immediately becomes liable too.

DID YOU KNOW?
Most auditing firms are insured for public liability. This public indemnity cover, in most cases, enables partners in an auditing firm to settle claims arising from legal action taken against the firm for issuing an inappropriate opinion.

In terms of section 46(2), no loss will be suffered by the auditor (i.e. they cannot be held liable for any loss suffered by clients or by third parties) unless it is proved that the opinion was expressed:
• Maliciously (done with the intent to cause harm);
• Fraudulently (done with the intent to deceive); or
• Negligently (done unintentionally through human error or oversight, but nonetheless arising as a result of not having exercised due care in performing the audit).

There are some additional aspects that have to be considered that are specific to the auditor’s liability toward their client and toward third parties (who rely on the opinion expressed by the auditor about their client’s financial statements).

3.4.6.1 Aspects of auditor liability relating specifically to engagement clients

By virtue of having signed an engagement letter, the auditor and company have entered into a contractual arrangement regarding each party’s responsibilities. If an auditor fails to meet these responsibilities through negligence on his or her part and the company suffers loss as a result, the auditor can be sued by the company for breach of contract (contractual liability). An example of this is where an auditor, by performing audit procedures required in terms of the ISAs, detected fraudulent activity in preparing the company’s financial statements that resulted in financial losses for the company.
Should an auditor have been negligent in terms of conducting these audit procedures and thus have failed to detect the fraud, the company may argue that it suffered financial loss as a result of the auditor not conducting the audit in the manner he or she should have.

In addition to any contractual liability that may arise, the South African law of delict may also apply to a situation where the auditor has, through his or her actions or omissions, caused loss to the client. The law of delict is part of common law in South Africa and applies where one party suffers loss because of another party’s actions or omissions, regardless of whether there are any contractual arrangements between the parties or not.

3.4.6.2 Aspects of auditor liability relating specifically to third parties

Further to the requirements of section 46(2), section 46(3) goes on to require that for an auditor who has been found to be negligent (note that this only applies to negligence and not to malice or fraud), to be held liable by a third party:
• The auditor must have known (or have been expected to know, within reason) at the time that the negligence occurred that the opinion would either be used by the client to induce a third party to act (or refrain from acting) or would be relied on by a third party for purposes of a decision made in relation to the client’s financial statements; or
• The auditor represented to a third party, after expressing their opinion, that the opinion was correct, while at the time knowing (or being expected to know, within reason) that the third party would rely on the opinion.

Since it is unlikely that audit opinions will be expressed maliciously or fraudulently, the most common occasions leading to auditors being found liable are those where it can be proved that the auditors have been negligent in the performance of their duties while knowing (or reasonably being expected to know) that third parties would place reliance on the auditors’ opinions.
CRITICAL THINKING
How can it be proved that an auditor was negligent?
Audits are required to be conducted in terms of the ISAs. These standards prescribe how auditors must conduct their audits and will be the first things that are looked at to establish negligence. ‘Did the auditors conduct the audit in terms of the requirements laid out in the ISAs?’ If not, the auditors are likely to be found to have been negligent in the performance of their duties.

Although not directly relevant to auditor liability to clients and third parties, it is worth remembering that an RA may also be investigated by the IRBA for improper conduct (e.g. failing to adhere to the requirements of the ISAs) and, if found guilty, sanctioned. Details of the disciplinary process of the IRBA appear in section 2.5.2 of Chapter 2.

FURTHER READING
The following constitutes important case law regarding an auditor’s legal liabilities for work performed:
• Cape Empowerment Trust Ltd v Fisher Hoffman Sithole1
• International Shipping Co (Pty) Ltd v Bentley2
• Thoroughbred Breeders Association of South Africa v Price Waterhouse3
• Caparo Industries plc v Dickman4
• Scott Group Ltd v McFarlane5

3.5 What does the auditor’s statutory responsibility to identify and respond to Reportable Irregularities entail?

There is much literature to support the argument that whistle-blowing plays an important role in enhancing transparency and accountability. In addition to the duties imposed by the IRBA’s Code of Professional Conduct regarding the reporting of instances of non-compliance with laws and regulations (see section 2.6.5.6 in Chapter 2), the APA recognises that the external auditors of a company play a unique role and can serve the public interest by blowing the whistle on wrongdoings perpetrated by those in the governance structures of companies. This is because they are independent from the companies that they audit, and are, for example, not dependent on any one auditee for their livelihood.
The duty of external auditors to report wrongdoings or ‘Reportable Irregularities’ is contained in section 45 of the APA.

3.5.1 Definition of a Reportable Irregularity

In terms of section 45 of the APA, an auditor has a duty to send a written report to the IRBA containing details about any Reportable Irregularities that he or she is satisfied, or has reason to believe, have happened or are happening. Section 1 of the APA defines a Reportable Irregularity. The definition has to be explored in a fair amount of detail to appreciate fully all the conditions that need to be present for something to be regarded as a Reportable Irregularity.

FURTHER READING
If you want to explore Reportable Irregularities in more depth: Given the limited guidance in the APA on Reportable Irregularities and the auditor’s statutory duty to report them, the IRBA published a guideline document on Reportable Irregularities in 2006. This document contains detailed guidance on the determination of Reportable Irregularities, together with practical examples to aid with understanding. This guide was then revised in May 2015.

The definition of a Reportable Irregularity as described in section 1 of the Act is analysed in Table 3.4.

Table 3.4: Reportable Irregularities as defined in section 1 of the APA

DEFINITION: Any unlawful act or omission …
EXPLANATION: The starting point is that there must have been a contravention of an act of legislation or accepted common-law principle (either through doing something that should not have been done – an ‘unlawful act’ – or by omitting to do something that should have been done – an ‘unlawful omission’). This contravention can be of any act, including the Companies Act and the Income Tax Act, for example.

DEFINITION: … committed by any person responsible for the management of an entity …
EXPLANATION: Persons responsible for the management of an entity are typically persons who make decisions affecting strategic matters relating to the entity and typically comprise the board of directors and other prescribed officers. This part of the definition excludes the financial accountant or any other junior management or other employee positions unless they are committing the unlawful act or omission with the consent or knowledge of persons responsible for management of the entity. In this case, persons responsible for management are deemed to have committed the unlawful act or omission themselves.

DEFINITION: … which …
EXPLANATION: The definition then goes on to state three possible consequences of this unlawful act or omission that has been committed by those responsible for managing the company. Any one of these three consequences will result in a Reportable Irregularity – it is not necessary that they all be present for a Reportable Irregularity to arise.

DEFINITION: a) has caused, or is likely to cause, material financial loss to the entity or to any partner, member, shareholder, creditor, or investor of the entity; OR
EXPLANATION: Notice that there is no reference to the concept of materiality in this part of the definition. This suggests that the nature of the act itself, and not the value involved, is the concern that triggers the need to report. Also note that the materiality of the loss is not a reference to audit materiality, but rather a reference to what would be regarded as material by the party suffering the loss.

DEFINITION: b) Is fraudulent or amounts to theft; OR
EXPLANATION: Fraud concerns acts committed with the intent to deceive another person and theft concerns the unlawful taking of something that belongs to another. Notice that there is no reference to the concept of materiality in this part of the definition. This suggests that the nature of the act itself, and not the value involved, is the concern that triggers the need to report.

DEFINITION: c) Represents a material breach of fiduciary duty owed by such person to the entity or any partner, member, shareholder, creditor, or investor of the entity.
EXPLANATION: Fiduciary duty refers to the need to act with the best interests of the entity and its stakeholders at heart. Actions (or inactions) of the directors should not result in compromising the entity and its stakeholders in any way. Note that reference is again made here to the concept of materiality suggesting that some minor and inconsequential breaches of fiduciary duty may not be reportable.

3.5.2 The auditor’s reporting duties with regard to Reportable Irregularities

Section 45 of the APA spells out the duties of the auditor when it comes to reporting Reportable Irregularities to the IRBA. These duties can best be summarised as a series of steps in a process:

Step 1: When an auditor is satisfied or has reason to believe that a Reportable Irregularity has taken place, or is taking place, they are required to send a written report to the IRBA advising the regulatory body of this without delay. Note the following:
• The duty to report arises even where the auditor only has ‘reason to believe’. It is not necessary that the auditor become ‘satisfied’ before reporting.
• The report needs to be sent ‘without delay’. Auditors cannot therefore spend excessive time corroborating their findings or suspicions before reporting. While it is reasonable to expect that auditors will take care to ensure that there is as reasonable a basis for their belief as possible, this cannot result in any significant delay in the reporting process.
• The report should contain sufficient detail regarding the particulars of the Reportable Irregularity and must include any additional information regarding the matter that the auditor feels is necessary.
• When determining whether a Reportable Irregularity has taken place or not, the auditor is required to take into consideration information from any source.
• The auditor reports the irregularity to the IRBA only and not to any other party, such as the CIPC, the police, or SARS. The IRBA will then decide whether it should report the matter to any other parties (refer to section 3.5.3 for details).

Step 2: Within three days of sending the report to the IRBA, the auditor must notify the members of the management board of the entity, in writing, of the fact that the report has been submitted. This notice should include a copy of the report and must make reference to section 45 of the APA and the auditor’s resultant duties in respect of the reporting of possible Reportable Irregularities to the IRBA.

Step 3: As soon as is reasonably possible (but no later than 30 days from the date that the report was sent to the IRBA), the auditor must take all reasonable measures to discuss the report with management, including providing management with an opportunity to make their own representations regarding the contents of the report. The purpose of this third step is to afford management an opportunity to put across their perspective of the Reportable Irregularity and thus potentially provide the auditors with further information or evidence regarding the irregularity. As a result of these discussions and any further information provided by management, the auditor will then need to reach one of three possible conclusions regarding the matter that has already been reported to the IRBA:

1. No Reportable Irregularity had taken place or is taking place (i.e. the auditor was wrong to have thought that the matter was a Reportable Irregularity); or
2. The suspected Reportable Irregularity is no longer taking place and management have taken adequate steps to prevent any further loss and/or recover any possible loss that may have arisen from the matter, if relevant (i.e. the auditor was correct to have reported the matter but, having discussed it with management, management saw where they were wrong and have taken adequate steps to remedy the situation); or
3. The suspected Reportable Irregularity is continuing (i.e. the auditor was correct to have reported the matter and, having discussed it with management, management have done nothing, or have taken inadequate steps, to remedy the situation).

Following their discussion with management in step 3 and having determined which of the three possibilities mentioned above represents the true state of affairs, the auditor will move into the final step in the reporting process.

Step 4: Having discussed the report with management, the auditor will now send a second report to the IRBA advising it of the results of the discussion and the status of the Reportable Irregularity (i.e. which of the three possibilities mentioned previously represents the current position). The auditors will provide the IRBA with any additional supporting information to back up their statement regarding the current status of the Reportable Irregularity.

On receipt of this second report, the IRBA will consider the evidence presented by the auditor and, in the event that the matter was in fact a Reportable Irregularity, will take any action that it believes may be necessary in terms of advising (in writing) the appropriate regulator of the Act that has been contravened, as well as providing full particulars of the matter.

3.5.3 The implications of a Reportable Irregularity for the auditee

The primary responsibility for the preparation of the financial statements rests with persons responsible for management of the entity (e.g. the board of directors). Where a company is being mismanaged, this casts doubt over the reliability of the financial statement information.
Third-party users of the financial statement information presented by a company have a right to be informed in situations where the entity in which they have a financial interest is being mismanaged. Section 44(2) and (3)(e) of the APA specifically prohibits the auditor from indicating in their auditor’s report, without any appropriate qualification, that the annual financial statements are fairly presented if a Reportable Irregularity has been identified and reported to the IRBA. (Auditor’s reports and opinions are discussed in section 15.5 of Chapter 15.)

Given the prevalence of corruption and the role of the independent auditor, it is not difficult to understand why auditors are given this additional responsibility to assist further with the protection of the public interest. In addition to this, the APA’s requirement that the auditor communicate irregularities perpetrated by the management of the auditee to the IRBA ensures that management’s actions will not go unnoticed. The IRBA is entitled to communicate any Reportable Irregularity that it is informed about to any appropriate statutory/regulatory body. So, if management evades tax, for example, and this is detected by the auditor and reported to the IRBA, the IRBA has the right to inform the SA Revenue Service of the contravention. In this way, the appropriate regulatory authority or the SA Police Services can become aware of the irregularities being perpetrated and take the appropriate action (including holding those involved to account).

CRITICAL THINKING
What happens if the auditor does not detect a Reportable Irregularity that did actually exist?
There is no requirement that auditors design specific procedures to identify possible Reportable Irregularities. Rather, should the auditor become aware of them or have reason to believe that they exist, the duty to report them arises.
Having said that, if an auditor does not detect a Reportable Irregularity that they should have become aware of through the normal course of their audit procedures, section 46(7) of the APA holds that auditor potentially liable to any party suffering loss as a result of the auditor’s non-reporting of the irregularity. Should an auditor be found guilty of improper conduct in this respect, in addition to the settlement of any loss incurred by a party arising from the auditor’s failure to detect and report the irregularity (through a civil claim against the auditor), the IRBA might also take the following action in terms of section 51 of the APA:

1. Issue a caution or reprimand to the auditing firm; and/or
2. Fine the auditor an amount not exceeding the equivalent of a five-year jail term; and/or
3. Suspend the right of that auditor to practise for a specified period of time; and/or
4. Cancel the registration of that auditor, which would prevent the auditor from conducting audits.

In addition to the above, section 52 specifically states that should an auditor fail to report an irregularity in terms of section 45, the auditor is regarded as being guilty of committing an offence and, should he or she be convicted in a court of law under this section, the auditor may be liable to a fine or to imprisonment for a term not exceeding 10 years or to both a fine and such imprisonment.

3.6 How is auditing in the public sector different from auditing in the private sector?

3.6.1 Background to auditing in the public sector

Chapter 9 of the Constitution of the Republic of South Africa, 1996, establishes the Auditor-General of South Africa as one of the state institutions supporting constitutional democracy. The Constitution recognises the importance of the Auditor-General and guarantees its independence, stating that the Auditor-General must be impartial and must exercise its powers and perform its functions without fear, favour or prejudice.
The functions of the Auditor-General are described in the Constitution and are further regulated in the Public Audit Act 25 of 2004 (PAA), which mandates the Auditor-General to perform constitutional and other functions. Constitutional functions are those that the Auditor-General performs to comply with the broader mandate described in the Constitution and include the mandatory audit of:
• All national and provincial state departments and administrations;
• All constitutional institutions;
• The administration of Parliament and of each provincial legislature;
• All municipalities and municipal entities; and
• Any other entity required by legislation to be audited by the Auditor-General.

DID YOU KNOW?
The IRBA’s external auditors are the Auditor-General of South Africa.

In addition to these functions, the Auditor-General is also required to audit and report on the consolidated financial statements of:
• National and provincial government in terms of the Public Finance Management Act 1 of 1999 (PFMA); and
• Parent municipalities in terms of the Municipal Finance Management Act 56 of 2003.

The Auditor-General may also audit and report on public entities listed in the PFMA such as Eskom, SAA, and the SABC.

3.6.2 Who performs public sector audits?

Section 12 of the PAA requires that these audits be performed by either:
• A member of the staff of the Office of the Auditor-General; or
• A private practitioner who is an RA or someone who has the requisite qualifications, competence and experience.

Where auditors in private practice are engaged to perform public sector audits, their engagement and discharge is regulated through the PAA with the Auditor-General assuming primary responsibility for the appointment and dismissal of these auditors.

3.6.3 To what standards are these public sector audits conducted?

In terms of sections 12 and 13 of the PAA, the Auditor-General is responsible for determining the standards, nature and scope of public sector audits.
This needs to be done taking into account best auditing practices both locally and internationally. As a result, these audits are conducted largely in accordance with the International Standards on Auditing. There are, however, adaptations made to these standards, where necessary, to tailor the procedures to meet the Auditor-General’s reporting requirements in terms of the various legislation that guides the scope of the work they need to perform.

FURTHER READING
The Auditor-General in collaboration with the IRBA issued a guide in 2012 entitled ‘Guidance for auditing in the public sector’. This guide provides an overview of the public sector environment within which public sector audits are conducted, and is essential reading for anyone wishing to gain insights into the nature of auditing in the public sector. The guide can be accessed on the website of the IRBA as follows:
https://www.irba.co.za/guidance-to-ras/technical-guidance-forauditors/public-sector
In addition to this, the IRBA published two further guidelines in August 2015 that may also be of interest. They can also be found at the link above.

3.7 What other legislation or regulations may impact on the scope of the audit function?

3.7.1 The JSE Listings Requirements

Section 22 of the JSE Listings Requirements stipulates certain requirements that need to be met by auditors of companies listed on the JSE in order to help the JSE uphold the integrity of the markets in which the JSE operates.

3.7.2 What special qualifications are required to audit a company listed on the JSE?
The JSE requires the following from auditors of listed companies:
• The auditing firm and at least three individual auditors from that firm must be accredited on the ‘JSE list of auditors and their advisors’;
• Where these auditors are registered with the IRBA, at least three individual auditors must have had a file review/inspection done by the IRBA and must only be subject to their next inspection in the next IRBA inspection cycle; and
• The auditing firm must have at least one IFRS advisor (either internal or external to the firm) that is accredited on the ‘JSE list of auditors and their advisors’.

3.7.3 What are the specific responsibilities of auditing firms and individual auditors conducting audits of companies listed on the JSE?

Section 22.5 of the JSE ‘Listings Requirements’ contains a number of specific responsibilities for auditors of JSE-listed companies. These responsibilities result in audits of JSE-listed entities being significantly more onerous than those of unlisted entities. This is, however, because of the much greater degree of public interest in these entities and the consequent need for greater protection for those placing reliance on financial statements from these entities.

3.7.4 The Sarbanes–Oxley Act of 2002

The Sarbanes-Oxley Act (SOX) is a United States federal law that established new or enhanced standards for all USA public companies’ boards, management and public accounting firms. The bill was enacted in response to a number of major corporate and accounting scandals including those involving Enron (refer to the news article at the beginning of this chapter). This Act has implications for South African auditors where they are engaged to perform audits of South African companies that are subsidiaries of public companies incorporated in the USA (and therefore need to comply with SOX). SOX contains 11 sections (or titles), ranging from additional corporate board responsibilities to criminal penalties.
It also facilitates the establishment of a new, quasi-public agency, the Public Company Accounting Oversight Board (PCAOB), charged with overseeing, regulating, inspecting and disciplining accounting firms in their capacity as auditors of public companies. Doesn’t this sound similar to our South African IRBA established as part of the APA? SOX also covers issues such as auditor independence, corporate governance, internal control assessment, and enhanced financial disclosure. A few of the more relevant titles to South African auditors are discussed below.

3.7.4.1 Title II – Auditor independence
Title II consists of nine sections and establishes standards for external auditor independence to limit conflicts of interest. It also addresses auditor approval requirements, audit partner rotation requirements, and auditor reporting requirements. It limits auditing firms from providing non-audit services (e.g. consulting) to audit clients. Notice the close similarity to what is addressed in South Africa through our Companies Act and King IV™ (the latter is addressed in more detail in Chapter 4).

3.7.4.2 Title III – Corporate responsibility
Title III consists of eight sections and mandates that senior executives of companies take individual responsibility for the accuracy and completeness of their corporate financial reports. It defines the interaction of external auditors and corporate audit committees, and specifies the responsibility of corporate officers for the accuracy and validity of corporate financial reports. Again, a lot of this content is addressed by our own Companies Act and King IV™ (the latter is addressed in more detail in Chapter 4).
3.7.4.3 Title IV – Enhanced financial disclosures
Section 404 of SOX requires that companies file with the SEC annual reports that report on management’s responsibilities to establish and maintain adequate internal control over the company’s financial reporting process, as well as management’s assessment of the effectiveness of those controls. In addition, the company’s external auditors are required to report on management’s assessment, as well as on the effectiveness of the company’s controls.

So, while SOX might create additional considerations for South African auditors of American subsidiaries, in essence many of these requirements, with the notable exception of the additional external audit requirements imposed by section 404, have been incorporated into South African company law and corporate governance principles in recent years.

3.8 What role can the auditor play to aid good corporate governance?
The King IV™ Report on Corporate Governance for South Africa 2016 (King IV™) was published on 1 November 2016. King IV™ is effective in respect of financial years starting on or after 1 April 2017 but immediate transition was encouraged. King IV™ makes recommendations regarding good governance practices for all South African organisations. The recommended practices in King IV™ are not mandatory but organisations should adopt an ‘apply and explain’ approach to their implementation of these recommendations.

Given the responsibilities of auditors to report on the fair presentation of financial statements, which enhances the integrity of external reporting (and facilitates holding the governing body/directors accountable for their actions), it is not surprising to find recommendations in King IV™ concerning the role of the auditor (both external and internal) in assisting an organisation to establish good governance practices. King IV™ comprises 17 core principles of good corporate governance, each of which then incorporates recommended practices to assist in achieving the principle.
Principle 15 deals specifically with ‘assurance’ and requires that ‘[t]he governing body should ensure that assurance services and functions enable an effective control environment, and that these support the integrity of information for internal decision-making and of the organisation’s external reports’. With external auditors providing external assurance services to the organisation, this principle includes recommended practices with regard to the external audit function.

3.8.1 The combined assurance model
Recommended practice 41 of principle 15 of King IV™ states that ‘the governing body should satisfy itself that a combined assurance model is applied which incorporates and optimises the various assurance services and functions so that, taken as a whole, these support the objectives for assurance’. Recommended practice 42 goes on to describe the various assurance service providers and functions that should be combined to achieve this combined assurance model. They include:
• The organisation’s internal line functions that own and manage risks;
• The organisation’s specialist functions that facilitate and oversee risk management and compliance;
• Internal auditors, internal forensic investigators and auditors, safety and process assessors, and statutory actuaries;
• Independent external assurance providers such as external auditors;
• Other external assurance providers such as sustainability and environmental auditors, external actuaries, and external forensic fraud examiners and auditors; and
• Regulatory inspectors.
All of these different providers and functions should be co-ordinated in a manner whereby they work together towards achieving the objectives of the principle of assurance.

3.8.2 The concept of combined assurance
So, rather than have these various assurance providers and internal functions all working at cross purposes, this concept has them all working together toward the same common goal.
This would reduce inefficiencies and would provide stronger levels of overall comfort (or assurance) for the company.

3.8.3 The role of the audit committee with regard to the external audit function
Principle 8 of King IV™ provides recommended practices in respect of the organisation’s committees of its governing body. One of these committees is the Audit Committee and recommended practices 51 to 59 provide specific guidance about the composition and functioning of this committee.

Recommended practice 51 recommends that the audit committee plays a pivotal role in the organisation’s management of its assurance functions and services, with a particular focus on its combined assurance arrangements, which will include its dealings with its external auditors. Moreover, recommended practice 54 states that the audit committee’s role is to oversee how financial and other risks that affect external reports issued by the organisation (such as financial statements and integrated reports) are managed.

As the audit committee should only comprise independent non-executive members (in the case of a company, these members will be its directors) and have an independent non-executive chair, there is a vital ‘distance’ between management of the entity and the external auditors. As such, the committee, in the execution of its roles/duties, can play an important role in ensuring that the external auditor is objective, is independent, and renders a competent service in providing reasonable assurance on the fair presentation of the organisation’s financial statements.

WHAT IF?
What if an entity has no audit committee (remember that only public and state-owned companies are mandated to have audit committees)? Will management appoint, remove and negotiate the fee with their external auditors? Is this desirable when it comes to preserving the auditor’s independence? What about the possibility of management dismissing the auditors if they do anything contrary to management’s wishes?
Might this have a negative influence on the auditor’s independence? What about a situation where management refuses to pay the full audit fee or disputes the fees charged? How likely is it that the auditors will oppose this, given that it may lead to their not being reappointed in the following year?
In the absence of an audit committee to oversee these aspects, there are a few mitigating factors that should help to retain the appropriate levels of auditor objectivity and independence:
1. The appointment of the auditor still needs to be approved at the annual general meeting by the shareholders of the company (and auditors are entitled to make representation to these shareholders if they are inappropriately or unfairly dismissed by management).
2. The auditor is required to adhere to the IRBA’s Code of Professional Conduct, which requires the auditor to continuously identify and adequately safeguard any significant threats to his or her objectivity and independence.

King IV™ (recommended practice 58) recommends that the audit committee should meet annually with the external auditors, without management being present, to facilitate an exchange of views and concerns that may not be appropriate for discussion in an open forum.

Furthermore, King IV™ (recommended practice 59) recommends that the following matters in respect of the audit committee’s role, with regard to the external auditor specifically, be disclosed:
1. Whether the audit committee is satisfied that the external auditor is independent of the organisation, including reference to:
   a) Policies and controls over the provision of non-audit services by the external auditor;
   b) The tenure of the external audit firm (the length of the relationship between the external auditor and the organisation);
   c) The rotation of the designated external audit partner; and
   d) Whether significant changes in the management of the organisation may mitigate the risk of familiarity between the external auditor and management.
2. Significant matters that the committee has considered in relation to the annual financial statements, and how these were addressed.
3. The committee’s views on the quality of the external audit, with reference to findings contained in any inspection reports issued by the external audit regulators on the external auditor.
4. The arrangements put in place for combined assurance and their view on how effective these are.

Assessment questions

For questions 1 to 6, indicate whether the statement is true or false:
1. The Companies Act 71 of 2008, together with the Auditing Profession Act 26 of 2005, prescribes and governs the appointment of an external auditor for a public company. (LO 1)
2. A person who was the prescribed officer of the company four years ago cannot be appointed as the auditor of that company. (LO 4)
3. Unrehabilitated insolvents can never become Registered Auditors. (LO 4)
4. The external auditor of a holding company, who is not also the external auditor of the subsidiaries, has the right of access to all accounting records, books and documents of all companies in the group. (LO 6)
5. An auditor can be sued by the company he or she audits for breach of contract if the auditor is negligent in the performance of his or her duties. (LO 7)
6. After having reported a matter to the IRBA as a Reportable Irregularity, the auditors have to inform management of the auditee of the contents of the report as soon as is reasonably possible but not later than 30 days from the date of the report. (LO 8)

For questions 7 to 14, select the correct answer/s. More than one answer is possible:
7. Which of the following statements is/are true for a company that does not have a statutory requirement to be audited? (LO 3)
   a) They might have to be independently reviewed as a statutory requirement.
   b) Their directors might voluntarily choose to have the company audited even if it does not need to be.
   c) The company’s Memorandum of Incorporation might require it to be audited even if it does not need to be.
   d) The company might not even have to be independently reviewed.
8. Which of the following statements is/are false? (LO 5)
   a) Auditors cannot resign themselves. They can only be removed by the shareholders.
   b) Auditors are allowed to resign if their audit fees are outstanding and overdue.
   c) An auditor should consider resigning if a significant ethical conflict arises in their appointment.
   d) In terms of the Companies Act 71 of 2008, a company should change its auditing firm every five years.
   e) A company’s auditor has the right to attend any general shareholders’ meeting of the company.
9. Which of the following courses of action might the IRBA take should a Registered Auditor be found guilty of improper conduct following a disciplinary hearing? (LO 7)
   a) They can deregister the auditor from the IRBA.
   b) They can suspend the auditor’s right to practise as an auditor for a specified time period.
   c) They can fine the auditor.
   d) They can imprison the auditor for a period of up to five years.
10. Which of the following conditions are not likely to result in a matter being regarded as a Reportable Irregularity? (LO 8)
   a) An unlawful omission has taken place (i.e. the directors have neglected to do something that they should have done in terms of a statutory requirement).
   b) An unlawful act was committed by a sales representative of the company.
   c) An unlawful act is only likely to cause potential loss (i.e. no actual loss suffered yet).
   d) An unlawful act amounts to theft but is an immaterial amount.
   e) An unlawful act that constitutes a breach of fiduciary duty through a relatively minor single infringement of the Companies Act.
11. Which of the following options might be communicated by an auditor to the IRBA in their second (follow-up) report? (LO 8)
   a) The matter has been discussed with management and no Reportable Irregularity has actually taken place.
   b) The matter has not yet been discussed with management despite reasonable attempts on the part of the auditor to do so.
   c) The matter has been discussed with management who have subsequently taken steps to recover any loss and/or prevent any further or future loss.
   d) Although the matter has been discussed with management, they have not yet taken steps to address the matter.
12. Which of the following statements is/are false? (LO 9, 10 & 11)
   a) The audits of municipalities are regulated by the Public Audit Act 25 of 2004 and not by the Auditing Profession Act 26 of 2005.
   b) The Auditor-General is required to audit entities listed in the Public Finance Management Act (such as Eskom or the SABC, for example).
   c) The Auditor-General is accountable to the IRBA and is subject to the same IRBA disciplinary process as any registered auditing firm.
   d) Mandatory audits conducted by the Auditor-General in terms of the Public Audit Act may only be carried out by staff who are registered with the IRBA as Registered Auditors.
   e) South African subsidiaries of American publicly listed companies need to comply with the requirements of the Sarbanes-Oxley Act, even though these subsidiaries are not registered in the USA.
   f) The JSE Listings Requirements create additional responsibilities for auditors of companies listed on the JSE.
13. Which of the following responsibilities does the audit committee have with regard to the external audit function in terms of the recommendations in King IV™? (LO 12)
   a) They review the quality of the external audit.
   b) They consider the degree to which the external auditor is sufficiently independent of the organisation.
   c) They consider the degree to which the external auditor can provide non-audit related services to the company.
   d) They review the overall effectiveness of the external audit process as a part of combined assurance for the organisation.
14. Which of the following entities do not need to be audited?
(LO 2)
   a) State-owned companies
   b) Non-profit companies incorporated by an international entity
   c) Profit companies that do not hold assets in a fiduciary capacity on behalf of third parties but that have a public interest score of at least 100 (but less than 350) and have their financial statements independently compiled and reported on
   d) Close corporations with a public interest score of more than 350.
15. Why is it acceptable that a profit company (that does not hold assets in a fiduciary capacity for third parties) with a public interest score of less than 100 is not required to be audited? (LO 2)
16. What does a company need to do if it wants to replace its auditors? (LO 5)
17. Describe the combined assurance model as recommended by King IV™. (LO 12)

1 (200/11) [2013] ZASCA 16 (20 March 2013).
2 (138/89) [1989] ZASCA 138; [1990] 1 All SA 498 (A) (10 October 1989).
3 (416/99) [2001] ZASCA 82 (1 June 2001).
4 [1990] 1 UKHL 2 (08 February 1990).
5 [1978] 1 NZLR 553.

PART B
THE AUDITEE’S RESPONSIBILITY FOR FINANCIAL INFORMATION

CHAPTER 4 Basic concepts of governance and internal control
CHAPTER 5 Introduction to risks and internal controls in a computerised environment
CHAPTER 6 Revenue and receipts cycle
CHAPTER 7 Purchases and payments cycle
CHAPTER 8 Inventory and production cycle
CHAPTER 9 Human resources cycle
CHAPTER 10 Investment and financing cycle

CHAPTER 4
Basic concepts of governance and internal control
Rika Butler

CHAPTER CONTENTS
Learning outcomes
Reference list
4.1 What is governance?
4.2 What is the relationship between governance and internal control?
4.3 What is internal control?
4.4 How does one design a system of internal control?
Assessment questions

LEARNING OUTCOMES
1. Describe the need for and the purpose of governance and internal control.
2. Explain who is responsible for governance and the implementation of a sound system of internal control.
3. List and briefly explain the components of a system of internal control.
4. Describe the process that should be followed to ensure that proper risk management takes place.
5. List and briefly explain the various risk responses available to management to address risk.
6. Describe the various control activities (internal control measures) that can be implemented to ensure that risk is mitigated appropriately.
7. Explain why a system of internal control can only provide reasonable assurance about the achievement of the entity’s control objectives.
8. List and explain the generic control objectives.
9. Describe the relationship between control objectives and assertions.
10. Briefly explain the process that should be followed to design a proper system of internal control.
11. Link risks to control objectives.
12. Describe the relationship between control objectives and internal control.
13. Explain the need for both preventative and detective and corrective controls in a system of internal control.
14. Distinguish key controls from compensating controls.
15. Name and briefly describe the various business cycles within an entity.

REFERENCE LIST
Institute of Directors Southern Africa (2016) King IV™ Report on Corporate Governance for South Africa 2016.
International Auditing and Assurance Standards Board (IAASB) (Dec 2013) International Standard on Auditing (ISA) 315 (Revised) Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment. Appendix 1.

4.1 What is governance?
In Chapter 1, we learnt that when the first businesses were formed, the owners of the businesses also acted as the managers of these businesses. However, as businesses grew larger, it became increasingly more common that the owners (shareholders) of businesses no longer necessarily acted as the directors or managers of the businesses. This situation necessitated that the shareholders obtain an independent opinion from the external auditor on the fair presentation of financial statements prepared by the directors.
It also became necessary to develop guidelines for how the directors and managers of a company (or the governing body of an organisation, if not a company) should act to protect and manage (govern) the interests of the shareholders and other stakeholders appropriately. This led to the introduction of the concept of corporate governance worldwide.

Various countries began developing such guidelines for directors. Internationally, the Treadway Report was issued in the United States of America (USA) and the Cadbury Report in the United Kingdom (UK). Ultimately, this led to the appointment of the King Committee in South Africa in 1992, which issued the first King Report on Corporate Governance (King I) in South Africa in November 1994. Since then, three more reports have been issued by the King Committee, namely, the second King Report on Corporate Governance (King II) in 2002, the third King Report on Corporate Governance (King III) in September 2009, and the fourth King Report on Corporate Governance (King IV™) in November 2016.

According to King I, corporate governance is ‘the system by which companies are directed and controlled’ to ensure transparency, accountability, responsibility and fairness to all the stakeholders of the company. The board of directors (or governing body) should take responsibility for sound corporate governance and create the necessary structures and processes to ensure that the entity complies with the principles of King IV™. King IV™ also supports the delegation of certain functions to well-structured committees that assist the board of directors (or governing body) in the execution of its responsibilities in respect of governance.

4.2 What is the relationship between governance and internal control?

4.2.1 Risks in a business
Risks are an integral part of any business striving to achieve its objectives.
King IV™ defines risk as:

… uncertain events, including the likelihood of such events occurring and their effect, that could influence, both in a negative and a positive manner, the achievement of the company’s objectives. It includes uncertain events with a potential positive effect on the organisation (i.e. an opportunity) not being captured or not materializing.

Risk can, for example, arise from the type of business or industry in which an entity operates, the appointment of new employees, changes in business models, changes to processes and product ranges, complex transactions and complicated calculations. The level of involvement and the sophistication of a computerised system used by an entity may also affect risk.

Anything that threatens the achievement of the objectives of the entity is regarded as a business risk. According to ISA 315.04(b), a business risk is ‘(a) risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect the entity’s ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies’. ISA 315.A38 states that business risk may be attributed to change or complexity, or failure to adapt to change.

According to King IV™, risk includes a combination of the probability (likelihood) of an event occurring and its consequences (impact on an entity’s ability to achieve its objectives). The event that gives rise to the risk may be the occurrence of a particular set of circumstances, which may be certain or uncertain, and may be a single event or a series of occurrences. The consequence(s) of a risk refers to either the positive or negative impact of the risk, and the magnitude thereof, for the entity. Examples of negative consequences include theft of goods, irrecoverable debts, fraud, financial loss, dissatisfied customers, inaccurate or incomplete financial recording and reporting, and fines for not complying with relevant legislation.
Positive consequences include additional revenue and improved customer satisfaction.

4.2.2 Risk management
It is essential that the risks that an entity faces be managed (governed). Principle 11 of King IV™ deals with the governance of risk, which is called risk management. Risk management includes the identification and evaluation of actual and potential risk areas as they pertain to the company as a total entity, followed by a process of responding adequately to the risks identified and evaluated.

Risk identification refers to the process of identifying the risks to which the entity is exposed. It is essential that all types of risks to which the entity is exposed be identified. King IV™ suggests that, in order to achieve proper risk management, the risks and opportunities emanating from the triple context in which the entity operates (the economy, society and environment) as well as the capitals that the entity uses and affects (financial, manufactured, intellectual, human, social and relationship and natural capital) should be considered.

The process to determine the significance of a risk is known as risk evaluation. It involves considering the potential impact of the risk on the entity and the likelihood that the particular risk may materialise, and then quantifying (if possible), ranking and prioritising the identified risks.

After the processes of risk identification and risk evaluation, the entity should decide on an appropriate risk response for each of the identified risks. The appropriate risk response will depend on the risk evaluation, in other words, the probability that the risk will materialise, the consequences if the risk materialises, as well as the risk tolerance levels determined by the board and the risk appetite of the entity. An entity’s risk appetite refers to the entity’s propensity to accept risk in the achievement of its objectives (e.g. how much and what types of risks the entity is willing to accept).
The levels of risk tolerance are the specific quantified limits of the risk that the entity is able to tolerate in its endeavours to achieve its objectives. Risks exceeding the risk tolerance levels would be unacceptable, whereas risks below the risk tolerance levels would be acceptable. The risk that remains after treating the risk with the most appropriate risk response is known as residual risk.

REFLECTION
When would an entity regard a particular risk as ‘unacceptable’?

Risk responses available to management include the following:
• Tolerance or acceptance of the risk: A risk is tolerated or accepted because the combination of the probability of the risk being realised and its possible impact is lower than the risk tolerance levels that were set by the board. Choosing this response means that an entity will only react to a particular risk when and if it occurs. This will most likely be the response to insignificant risks, or risks where the cost to recover from negative consequences is less than the cost associated with investigating and planning for the risk.
• Transferring the risk to a third party: This means that the risk is not eliminated but that the entity merely moves the responsibility for the risk to someone else outside the entity (a third party). Acquiring adequate insurance is one way in which to transfer the negative consequences associated with a particular risk to a third party. The insurance premium paid to the insurer is usually much lower than the cost that would be incurred if the risk did materialise, which makes transferring the risk a viable risk response.
• Mitigation (treatment or reduction) of identified risks: This type of response means that the entity implements some kind of treatment or measure that will reduce the probability and/or impact of an unacceptable risk (i.e. a risk that exceeds the risk tolerance levels) to a level that falls below the maximum risk tolerance levels of the entity.
Designing, implementing and maintaining a suitable system of internal control represents one way in which risks can be mitigated. This type of response is discussed in section 4.3 of this chapter.
• Avoidance or termination of the activity or process that creates the risk: This means that the possibility of the risk occurring is eliminated altogether by, for example, adding more resources or time, avoiding unfamiliar and high-risk conditions or activities, or acquiring the assistance of an expert.
• Exploitation of the opportunity created by the risk: When the risk presents an opportunity that an entity can exploit for its own benefit, the entity can take the necessary action to ensure that the event that gives rise to the risk does occur, thereby eliminating the uncertainty associated with risk events.
• A combination or integration of any of the above-mentioned risk responses.

According to Principle 11 of King IV™, the overall responsibility to ensure that proper risk governance takes place lies with the board of directors of a company, which may be assisted by board committees (such as the risk governance committee). The risk appetite and risk tolerance levels for the entity are determined by the board. The board of directors should delegate to management the responsibility to implement and execute effective risk management. A documented risk management policy and plan should be compiled by management for approval by the board. The operational level of management is responsible for the risk assessment, as well as for implementing the systems and processes necessary to execute the risk management plan of the entity in its day-to-day activities.

A risk register, documenting relevant information about the identified risks, should be compiled and regularly updated.
Aspects to be documented in the risk register include the key risks to which the entity is exposed, the likelihood that these risks may materialise, the potential impact on the business should the risks materialise, as well as management’s responses to each of these risks.

Figure 4.1: Risk register

The extract from the risk register of Ntsimbi Piping above is merely an extract from a much larger document that contains all the risks to which Ntsimbi Piping is exposed. The extract above shows only four risks taken from one specific type of risk, namely the ‘Operational risk’ section of the risk register. Note that the probability and impact of each risk is noted, and then a risk score is calculated for each risk as a way in which to rank and prioritise the risks before the implementation of the risk responses. Appropriate risk responses should be determined for each of the risks noted in the risk register. In the extract in Figure 4.1 only the risk response for risk number 1 is provided as an example. The responses implemented should be sufficient to reduce the residual risk to within the board’s risk tolerance level.

REFLECTION
On which of the risks contained in the extract of the risk register of Ntsimbi Piping in Figure 4.1 should the management focus first?

The board should perform ongoing oversight of the risk management process applied within the entity. Internal audit also has a role to play in risk management in that it provides assurance to the board, by way of a written assessment, on the effectiveness of risk management systems and related controls in the entity (i.e. monitoring the effectiveness of the risk management systems and controls in the entity).

Furthermore, the board should ensure that adequate processes are in place to enable complete, timely, relevant, accurate and accessible risk disclosure to all stakeholders of the entity.
The board should disclose in the integrated report aspects such as the entity’s risk tolerance levels, the key risks the entity faces as well as any unexpected or unusual risks that the entity was confronted with during the reporting period. Refer to note 22 in the notes to the annual financial statements of Ntsimbi Piping for risk management disclosure (although these are limited to financial risks – disclosure of which is required by the International Financial Reporting Standards). Most JSE-listed companies today report on their risk management practices more holistically in their integrated reports.

4.3 What is internal control?

4.3.1 A system of internal control
As explained in the previous section, mitigating risk through the implementation of the necessary measures, such as systems, policies and procedures, is one of the risk responses that may be implemented to ensure that the risks to which an entity is exposed are properly addressed. These systems, policies and procedures are referred to as the system of internal control of the entity.

Internal control is defined in the IAASB Glossary of Terms as:

The process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of the entity’s objectives with regard to the reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.

The following important aspects emerge from the definition of internal control above:
• Internal control is a process that is designed, implemented and maintained to achieve the entity’s objectives. This necessitates a system of internal control that involves a combination of the necessary systems, policies and procedures. A system of internal control consists of five components. These components are discussed in section 4.3.2 of this chapter.
• The responsibility for designing, implementing and maintaining the system of internal control resides with those charged with governance of the company (i.e. the board of directors), management and other personnel. Internal controls are executed by people, or, to a certain extent, by computers in computerised environments. The board should acknowledge its responsibility in respect of internal control in the integrated report. Refer to page 4 of the annual financial statements of Ntsimbi Piping where the board clearly sets out its responsibilities in this regard.
• As recommended in Principle 11 of King IV™ the board is required to evaluate the need for them to receive periodic independent assurance regarding the effectiveness of risk management and to report to the shareholders on the effectiveness of the entity’s system of internal control. In meeting these responsibilities, the board would take assurance from written assurance reports prepared by the internal audit function, which assesses the effectiveness of the entity’s system of internal control (refer to Chapter 1 section 1.4.8.2). In addition, internal audit should also provide a written assessment of the internal financial controls to the audit committee, one of the subcommittees of the board.
• The system of internal control has to be suitably designed, implemented and maintained to achieve the particular objectives of the entity (ISA 315.A52). The appropriate internal control measures that need to be implemented in a particular situation are determined based on the risks that the particular entity faces and which threaten the achievement of the entity’s objectives in respect of the following areas:
  • The reliability of the entity’s financial reporting;
  • The effectiveness and efficiency of its operations; and
  • Compliance with applicable laws and regulations.
One could therefore say that internal controls can have three types of objectives, namely, financial reporting objectives, operational objectives and compliance objectives. As the financial reporting objectives and the controls necessary to ensure reliable financial reporting are the responsibility of the accounting department and the financial director, and are closely related to the audit process, this constitutes the focus of this text.
• The system of internal control can only provide reasonable assurance that the numerous risks that threaten the entity’s objectives are addressed. This is due to the inherent limitations of any system of internal control. These limitations are discussed in section 4.3.3 of this chapter.

REFLECTION
Does this mean that the same system of internal control will be appropriate and adequate for different entities?

The way in which the system of internal control is designed, implemented and maintained varies with the size and complexity of the entity concerned, as well as with the risks faced by the particular entity. In addition, computers may form part of a system of internal control to varying degrees, depending on the nature and extent of computerisation of the entity’s financial system. Computer controls are discussed in Chapter 5.

4.3.2 Components of a system of internal control

The previous section explained that the system of internal control consists of a process that involves a combination of the necessary systems, policies and procedures. A system of internal control consists of five components. Management will use a combination of these components to design a suitable system of internal control for a particular entity in order to mitigate appropriately the risks faced by that particular entity. It is important to note that although the risks to which an entity is exposed may differ from entity to entity, all five of the components discussed below have to be present in order to have a sound system of internal control.
The five components of internal control are (refer to ISA 315.A59):
1. Control environment;
2. Entity’s risk assessment process;
3. Information system, including the business processes relevant to financial reporting, and communication;
4. Control activities; and
5. Monitoring of controls.

Each of the components is discussed in the sections that follow.

4.3.2.1 Control environment (refer to ISA 315.A77–A78 and ISA 315 Appendix 1 paragraph 2)

The control environment encompasses the attitude of management (including the board and senior management) towards internal control. If management does not feel positive towards internal control and does not design, implement and maintain a sound system of internal control, the employees who are supposed to execute the internal control measures will not realise the importance of internal control and may tend not to apply the internal control measures properly, as they know that management is not control-conscious. Management’s attitude and the example that they set provide the control environment in which the other components of a proper system of internal control can function. For this reason, the control environment is one of the most important components of an internal control system.

According to ISA 315, management can create and foster a positive attitude towards internal control by doing the following:
• Communicate and enforce integrity and ethical values throughout the entity to all employees who are involved in the development, application and monitoring of internal control. This may be accomplished by preparing and enforcing a code of ethical conduct (e.g. as recommended by King IV™).
• Be committed to competence. Management must ensure that all employees have the necessary skills, knowledge and competence to perform their duties properly. Proper human resources policies and practices should be enforced to ensure that employees are competent to perform their duties (including performing internal control procedures).
To achieve this, activities such as following a proper hiring and appointment process, providing proper training and evaluation, performing personnel assessments, and offering promotion opportunities and adequate remuneration for employees may be required.
• Ensure that those people charged with governance (e.g. the audit committee) participate and that they act appropriately and support management in their internal control efforts.
• Support their commitment to effective risk management and internal control as well as adherence to the ethical values for which the entity strives through its philosophy and operating style.
• Demonstrate good leadership and judgement.
• Develop and put in place an organisational structure that clearly assigns authority and responsibility and sets out clear reporting lines within the entity.

4.3.2.2 Entity’s risk assessment process (refer to ISA 315.A88 and ISA 315 Appendix 1 paragraphs 3–4)

An entity’s risk assessment process refers to the way in which the entity deals with the governance of risk as set out in Principle 11 of King IV™. The process of risk management was discussed in section 4.2.2 of this chapter. Risk assessment is referred to as the overall process of risk identification, risk quantification and risk evaluation in order to identify potential opportunities and minimise loss. It is important that management identifies and responds appropriately to all relevant risks that threaten the achievement of the business objectives, including (and specifically important for this section) the risks that relate to financial reporting that could affect the fair presentation of the financial statements. Although a systematic, documented, formal risk assessment should be conducted at least once a year, risk assessments should continually be reviewed, updated and applied.
4.3.2.3 Information system, including the business processes relevant to financial reporting, and communication (refer to ISA 315.A90–A91, A93–A95, A97 and ISA 315 Appendix 1 paragraphs 5–8)

The information system relevant to financial reporting creates the audit trail of each transaction and event to which the entity is party, and includes all the processes and activities of the entity involved in preparing the financial information. The information system may be computerised to varying degrees and, if so, will consist of the hardware, software, people, procedures and data necessary to produce the financial information. The information system relevant to financial reporting includes the accounting system and consists of the procedures and records created as a transaction flows through the accounting system, as well as the business processes of the entity that relate to the particular transaction.

Information and reports generated by the information system relevant to financial reporting have to be communicated internally to relevant employees and management, as well as to relevant external parties such as the shareholders. To enable this, financial reporting roles and responsibilities in the entity have to be clearly determined and communicated. The personnel involved in financial reporting also have to understand how internal control over financial reporting relates to their individual roles and responsibilities and how it affects the work of others. Any exception found must be reported to a responsible person to ensure it is addressed appropriately. To enable proper financial reporting, adequate communication relating to all aspects of the information system is essential.

4.3.2.3.1 The information system relevant to financial reporting

Each day numerous transactions with financial implications occur and are processed by an entity, for example, transactions when the entity sells goods, buys raw materials to use in the manufacturing process, and pays salaries and wages to employees.
Various procedures and records keep track of the transaction as it is processed by the entity and its staff. According to ISA 315.A90 the information system relevant to financial reporting includes the procedures and records designed and established to:
• Initiate, record, process and report the transactions (as well as events and conditions) of the entity and to maintain accountability for the related assets, liabilities and equity;
• Process both standard journal entries and non-standard journal entries to record non-recurring, unusual transactions or adjustments (e.g. consolidation adjustments and estimates for the impairment of assets);
• Resolve incorrect processing of transactions on a timely basis;
• Process and account for system overrides or bypasses of controls;
• Transfer information from transaction processing systems to the general ledger;
• Capture information relevant to financial reporting for events and conditions other than transactions; and
• Ensure the information required to be disclosed by the applicable financial reporting framework is accumulated, recorded, processed, summarised and appropriately reported in the financial statements.

The accounting system documents the path that each transaction follows in the entity from where the transaction is initiated to its ultimate inclusion in an amount or disclosure that appears in the financial statements. The accounting system includes the procedures and records relevant to financial reporting, which is the third component of the system of internal control. It provides a system whereby the information relating to financial transactions is collected, recorded, classified, summarised, analysed and interpreted.

Although the accounting system through which a transaction flows differs according to the class of transaction, every transaction typically goes through the following four stages in the accounting system:
1. Initiate or execute: This stage pertains to the physical activities relating to where the transaction is initiated (e.g. when a customer places an order) or the performing of activities to complete the initiated transaction (e.g. picking the goods to fill approved orders or delivering goods to customers).
2. Record: This stage is where the information applicable to each activity is recorded. This stage may include recording the transaction on a hard-copy source document, such as preparing an order form when receiving an order from a customer, or preparing an electronic source document in a computerised system. In certain computerised systems, such as real-time systems, no source documents may be prepared, as transactions are captured (and processed) immediately by the computer system.
3. Process: During this stage, the transaction is processed and corresponding entries are made in the accounting records of the entity. For example, a delivery note and invoice are prepared and the sales transaction is recorded in the sales journal and posted to the general ledger and debtors ledger. The IAASB Glossary of Terms defines accounting records as the records of initial accounting entries and supporting records. It includes the general and subsidiary ledgers, journal entries, and records such as work sheets and spreadsheets supporting cost allocations, computations, reconciliations and disclosures. The Companies Act requirements in respect of these accounting records were discussed in Chapter 1 section 1.3.4.
4. Report: This stage is where the transaction is included in the financial statements. The transactions that flow through the accounting system all eventually end up in the financial statements, either included in an amount that appears in the financial statements or otherwise disclosed in the notes to the financial statements. The financial statements embody the representations made by management, explicitly or otherwise, regarding the entity (also known as assertions).
Refer to Chapter 1 section 1.3.3 for a discussion of assertions.

REFLECTION
How will the use of a computerised system by an entity influence the above-mentioned stages that a transaction goes through?

Figure 4.2 presents the accounting system in a diagram.

Figure 4.2: The accounting system

Various people and procedures are involved in the flow of a transaction through the accounting system at different levels in the entity. In addition, computers may be involved in the accounting system of an entity to a greater or lesser extent.

4.3.2.3.2 The business processes

From their initiation to their inclusion in the financial statements, transactions flow through various business processes in the entity. According to ISA 315.A95, an entity’s business processes are the activities in the entity designed to:
• Develop, purchase, produce, sell and distribute the entity’s products and/or services;
• Ensure compliance with applicable laws and regulations; and
• Record information, including accounting and financial reporting information.

From the above, it is clear that the business processes of an entity should be designed to support the entity’s objectives (i.e. the operational objectives, compliance objectives, and financial reporting objectives identified in section 4.3.1). Although the business processes should support all three of these objectives, the focus of this text is mainly on the financial reporting objectives and the business processes and controls necessary to ensure reliable financial reporting.

Transactions with financial implications are initiated, recorded, processed and reported by the information system within these business processes. As discussed in the previous section, the accounting system that different classes of transactions follow from their initiation to their inclusion in the financial statements will differ for different classes of transactions.
However, each class of transactions is likely to follow the same or a similar path and can be grouped together into various business cycles in the entity. The following business cycles can be identified:
• Revenue and receipts cycle: This cycle deals with selling the entity’s goods or rendering services to customers as well as the collection and receipt of payment for the goods delivered or services rendered (refer to Chapter 6).
• Purchases and payments cycle: This cycle deals with the entity ordering and receiving goods or services from suppliers and making payments for the goods or services received (refer to Chapter 7).
• Inventory and production cycle: This cycle deals with the manufacturing of goods and the safekeeping of inventory, including the recording of costs associated with the manufacturing process (refer to Chapter 8).
• Human resources cycle: This cycle deals with the appointment and dismissal of employees, keeping records of the hours they work, and the remuneration of these employees for the work done by means of either salaries or wages (refer to Chapter 9).
• Investment and financing cycle: This cycle deals with the entity’s acquisition of non-current assets, as well as the raising of funds (through owner’s equity and long-term debt), and the subsequent repayment thereof. It also includes accounting for related investment income and financing expenditure (refer to Chapter 10).

The typical business cycles in an entity and their interaction are represented in Figure 4.3.

Figure 4.3: Business cycles

4.3.2.4 Control activities (refer to ISA 315.A99, A107–A109 and ISA 315 Appendix 1 paragraphs 9–10)

Control activities refer to those internal control measures, policies and procedures that management designs and implements to ensure that their objectives are achieved.
In other words, control activities ensure that the identified risks do not materialise (in other words, are prevented) or, should they materialise, that they are timeously detected and appropriately addressed. Various categories of control activities or internal controls exist that management may apply in combination at various organisational and functional levels in the entity to respond adequately to the risk associated with a particular transaction or class of transactions.

Various control activities that are available to management to address risks relating to transactions that flow through the information system relevant to financial reporting are discussed below. These control activities form the building blocks that management can use when designing specific control activities to be applied to mitigate specific risks in the business cycles. Refer to Chapters 6 to 10 for the control activities as they are applied in the various business cycles.

a) Documentation and records

Three controls that are important in respect of the stationery, documents and records used in the entity’s accounting system are document design, stationery control and the use of a chart of accounts.

i) Document design

Documents used in the accounting system for the recording and processing of transactions (such as orders, goods received notes and invoices) should be preprinted and designed in a way to assist in the process of using them and to minimise the chances of making mistakes in the completion and use thereof. In this manner, the design of the documents will assist in ensuring the accurate and complete recording of the relevant information relating to the transaction.
Examples of controls that assist in achieving this include:
• Having multi-copied source documents that are distributed to the various departments or persons within or outside the entity who need them for processing the particular transaction further along in the accounting process;
• The use of different coloured documents to distinguish between the types of document and/or the purpose of the particular copy of the document; and
• The design of the document facilitating the complete and accurate completion thereof by, for example, having certain information preprinted on the document, the use of dotted lines, columns, and spaces where information has to be inserted.

ii) Stationery controls

Proper stationery controls include the sequential prenumbering of documents to facilitate the checking of the number sequence later on to ensure completeness of recording; and the cancellation of documents after use to prevent them from being reused by accident or deliberately for fraudulent purposes. Also refer to d) below where the use of a stationery register to keep track of the issue and use of stationery is addressed.

iii) Chart of accounts

To ensure proper control over the accounting records in which transactions are recorded, a chart of accounts is necessary. A chart of accounts provides a list and description of all the general ledger accounts used by an entity and can be useful for accounting staff to identify the account to which a particular transaction should be posted.

b) Authorisation and approval

Depending on the class of transaction and/or the value of the transaction involved, management should set different levels of authorisation and should assign responsibility for the approval of transactions to suitable employees whose duties are not incompatible (refer to c) below).
Before authorising a particular transaction, the approver should review the supporting documents and records to determine whether the transaction is allowed in terms of the entity’s approval policy and whether the transaction should be authorised. Evidence of approval of transactions should be added to the document or records by way of the signature of the approver. Having the responsible employee sign the relevant documents and records serves as both evidence of the approval of the transaction and evidence that a particular process or activity of control (for example, comparison with supporting documentation) has been performed. In addition, the signature also pinpoints a particular employee which means that he or she can be held accountable. Additional computerised controls can be used to facilitate proper authorisation and approval in a computerised environment – refer to Chapter 5 section 5.8.3.1.3 relating to logical access controls.

c) Segregation of duties

Transactions go through various stages in the accounting process, each with its own activities and procedures that employees must perform. Certain transactions are more susceptible to fraud and error when one employee is responsible for handling the particular transaction from beginning to end. If this were allowed to happen, it would be possible for an employee to make mistakes and/or conceal errors or irregularities without anybody detecting them. Incompatible duties are regarded as those duties that would put a person in a position to commit fraud or make mistakes without anybody noticing. In such instances, it is necessary to have more than one employee involved in the execution of the transaction, where each employee is responsible only for certain duties associated with the transaction. Having two or more employees performing these incompatible duties is referred to as segregation of duties.
Critical duties regarding any transaction that should be segregated by having different employees perform these functions are:
• Initiation of the transaction;
• Authorising the transaction;
• Executing the transaction;
• Recording the transaction; and
• Control over (safeguarding of) the assets involved, where applicable.

Note: There are additional duties that should be segregated in a computerised environment – refer to Chapter 5 section 5.9.2.

For example, when one employee is responsible for ordering and receiving goods, and making the payment for the purchase, these incompatible functions might lead to this employee being in a position to order, receive and pay for goods for his or her private use. Using this example, adequate segregation of duties would involve having one employee (such as the storeman) identifying the need for goods and preparing an order, the purchasing manager authorising the order, a receiving clerk receiving the goods, and the accounting department making the payment once all the relevant documentation is received and matched. In this way, none of these employees can misappropriate the goods for fraudulent purposes.

REFLECTION
Think of other examples of incompatible duties in an entity that should be divided by having two or more employees involved in the execution of that particular transaction.

WHAT IF?
What should happen in entities where there is an insufficient number of employees to segregate adequately the duties referred to above?
Determine what the minimum segregation of duties is that is required in the particular situation. Make sure that at least those duties are segregated. If this is still not possible, consider implementing suitable compensating controls (e.g. independent checks and/or monitoring controls). Refer to section 4.4.3.2 for more details about key controls and compensating controls.
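The segregation-of-duties test described above can be automated over a log of who performed which duty on each transaction. The following is an added illustration, not part of the textbook: the event format, the duty labels, the `independent_check` label for a compensating control and all sample data are assumptions made for the example.

```python
from collections import defaultdict

# The five critical duties the text says different employees should perform.
CRITICAL_DUTIES = ("initiate", "authorise", "execute", "record", "custody")

# Constructed sample data (not from the book): one row per duty performed,
# as (transaction id, duty, employee). "independent_check" is an assumed
# label for a compensating control evidenced on the transaction.
SAMPLE_EVENTS = [
    # Fully segregated purchase, following the storeman example in the text.
    ("PO-1001", "initiate", "storeman"),
    ("PO-1001", "authorise", "purchasing_manager"),
    ("PO-1001", "execute", "receiving_clerk"),
    ("PO-1001", "record", "creditors_clerk"),
    ("PO-1001", "custody", "warehouse_supervisor"),
    # One employee handles the purchase from beginning to end.
    ("PO-1002", "initiate", "clerk_x"),
    ("PO-1002", "authorise", "clerk_x"),
    ("PO-1002", "execute", "clerk_x"),
    ("PO-1002", "record", "clerk_x"),
    # Small entity: duties overlap, but a second person reviewed the work.
    ("PO-1003", "initiate", "bookkeeper"),
    ("PO-1003", "authorise", "owner"),
    ("PO-1003", "execute", "storeman"),
    ("PO-1003", "record", "bookkeeper"),
    ("PO-1003", "independent_check", "owner"),
    # The "check" was signed by the same person who holds the duties.
    ("PO-1004", "initiate", "bookkeeper"),
    ("PO-1004", "authorise", "bookkeeper"),
    ("PO-1004", "record", "bookkeeper"),
    ("PO-1004", "independent_check", "bookkeeper"),
]


def review_segregation(events):
    """Classify each transaction as 'segregated', 'compensated' or 'conflict'.

    A conflict exists when one employee performed more than one critical
    duty on the same transaction. It counts as compensated only when an
    independent check was performed by someone who does not hold any of
    the conflicting duties.
    """
    # transaction -> duty -> set of employees who performed it
    by_txn = defaultdict(lambda: defaultdict(set))
    for txn, duty, employee in events:
        by_txn[txn][duty].add(employee)

    findings = {}
    for txn, duties in by_txn.items():
        # Invert to employee -> critical duties held on this transaction.
        held = defaultdict(set)
        for duty in CRITICAL_DUTIES:
            for employee in duties.get(duty, ()):
                held[employee].add(duty)

        conflicts = {e: sorted(d) for e, d in held.items() if len(d) > 1}
        # Duties with no evidence of who performed them (custody may be
        # legitimately absent, since it applies only where assets are involved).
        unassigned = [d for d in CRITICAL_DUTIES if d not in duties]
        independent = duties.get("independent_check", set()) - set(conflicts)

        if not conflicts:
            status = "segregated"
        elif independent:
            status = "compensated"
        else:
            status = "conflict"
        findings[txn] = {
            "status": status,
            "conflicts": conflicts,
            "unassigned": unassigned,
        }
    return findings


if __name__ == "__main__":
    for txn, result in sorted(review_segregation(SAMPLE_EVENTS).items()):
        print(txn, result["status"], result["conflicts"], result["unassigned"])
```

A "compensated" result still deserves follow-up: the compensating control reduces the risk only if the reviewer actually performs the check each time.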
d) Access control

Where assets such as inventory and cash are involved in the execution of a transaction, it is necessary to control access to the assets properly. However, properly protecting assets involves more than merely restricting physical access to assets. Proper access control includes controls to protect the entity’s assets, stationery (documents and records, including the entity’s financial records) and information that might be sensitive against, among other things, loss, damage, theft and unauthorised access or use. Keeping these assets behind locked doors (e.g. keeping inventory in a warehouse), locking assets (such as cash) away in a safe and using security guards to control access to and protect the assets are examples of access controls. The issue and use of documentation and records can be controlled through the use of a stationery register. Additional computerised controls can be used to facilitate proper access control in a computerised environment – refer to Chapter 5 section 5.8.3.

e) Independent checks and reconciliations

Especially in a non-computerised environment, it is necessary that the work of a person be independently checked or reviewed by a second person. For example, a second employee checks the clerical accuracy of an invoice prepared by another employee, or the foreman checks the hours computed and recorded on the clock card by the factory administrative clerk. In addition, it is important that a second independent employee review all reconciliations performed in the entity. Performance of the review should be evidenced by a signature of the reviewer. Having the reviewer sign or at least initial documents or records after the review or reconciliation was performed serves as both evidence that the particular process or activity of review was performed and pinpoints responsibility.
Regular reconciliations between physical and recorded assets, as well as between two different sets of recorded information, have to be performed to identify any differences for investigation and resolution. Examples of reconciliations include comparing the physical inventory counts with the theoretical inventory recorded in the accounting records after an inventory count, performing a bank reconciliation where the cash book is compared to bank statements, and performing a debtors reconciliation by comparing the debtors ledger to the debtors control account in the general ledger.

4.3.2.5 Monitoring of controls (refer to ISA 315.A110–A111 and ISA 315 Appendix 1 paragraphs 11–13)

Although a system of internal control might have been properly designed, it is the actual implementation and application of the internal control measures that will ultimately determine whether the system of internal control is effective in preventing risks from materialising, or detecting and correcting the effects thereof. It is therefore important that management assesses the effectiveness of the design and operation of internal control measures on an ongoing and timely basis, and takes the necessary corrective actions where applicable. Monitoring may be done by supervisors, by management or any other party charged with governance, depending on the circumstances. As mentioned in section 4.3.1, the internal audit function is responsible for performing assessments of the effectiveness of the system of internal control and internal financial controls, and for providing assurance reports to the board and the audit committee.
Other examples of monitoring controls designed to assess the effectiveness of controls include management monitoring the amount of bad debts written off over time, to assess whether the internal controls to address the risk of bad debts being incurred are effective, or monitoring the number of customer complaints about mistakes on their statements to monitor the effectiveness of controls surrounding sales invoicing and recording.

4.3.2.6 Diagrammatic representation of the system of internal control

Figure 4.4 represents the five components of internal control described above. The five components of internal control are interlinked. It is important to note that all five of these components must be present in order to present a sound system of internal control that adequately addresses the risks to which an entity’s financial reporting is exposed. It is also important to notice that the control environment extends right around the whole system, which implies that, without a sound control environment, a proper system of internal control cannot exist.

Figure 4.4: The system of internal control

4.3.3 Inherent limitations of a system of internal control (refer to ISA 315.A54–A56)

Despite the best intentions about the design and implementation of a proper system of internal control, even the best system of internal control can provide only reasonable assurance that the control objectives set by management are achieved and that all the risks that were identified are being addressed. This is due to the inherent limitations of systems of internal control. The inherent limitations of any system of internal control are the following:
• Management can and will only implement internal controls that are cost-effective for the entity as a whole (and based on their assessment of the related risks). In other words, they will not implement all the internal controls that might be available.
• The internal controls that are implemented are usually directed at routine transactions and not at out-of-the-ordinary transactions (exceptions). The exceptions are therefore more susceptible to error and fraud.
• As internal controls are executed by the employees of an entity, there is always the risk of mistakes being made through human error or the fact that the employee misunderstood a certain internal control measure or did not fully comprehend the purpose of the internal control measure. For controls that are fully computerised (i.e. no human involvement), this would not be the case.
• The judgement that has to be exercised by an employee in applying an internal control measure may be incorrect for a number of reasons, including time constraints and insufficient information being available.
• Despite the fact that a system of internal control may have been designed with the intention of proper segregation of duties, two or more employees, or an employee and a person outside the entity (such as a supplier) may collude to override the internal control measures.
• A member of management or employee in charge of executing an internal control measure may abuse his or her responsibility and override internal control measures for his or her own benefit.
• Internal control measures may become inadequate over time owing to changes within the entity or changes in the risks to which the entity is exposed, without the required amendment of the internal control system to address properly the changes in risks.

These inherent limitations can never be eliminated. These limitations give rise to an ever-present risk that management’s control objectives will not be achieved.
4.3.4 Impact when the system of internal control does not operate as intended

When an inadequate system of internal control is designed, or a system of internal control that was properly designed is operating ineffectively, or in situations where internal controls fail due to the inherent limitations of internal control discussed in section 4.3.3, there is a high probability that the risk that the internal control measures were originally designed to prevent, or detect and correct, could materialise. Therefore, it is essential that the system of internal control be monitored continuously to ensure that weaknesses in internal control are identified and addressed timeously. The consequences of weaknesses in internal control could include unauthorised transactions, fraud, inaccurate financial information, incorrect decisions and sizeable financial losses to the entity.

WHAT IF?
What should management do when a weakness in internal control is identified?
Effective risk management is a continuous process and the system of internal control should continuously be monitored and maintained. When weaknesses in internal control are detected, management should take immediate action to address the matter, as such weaknesses could result in fraud and error. Management should investigate the weakness(es) (e.g. determine why and where the weakness occurred, for how long it has been happening and what consequences have been suffered as a result of the weaknesses) and make sure that the necessary steps are taken to prevent it from happening again. Refer to section 4.4 for the steps that management should follow to ensure that a suitable system of internal control is in place.

4.4 How does one design a system of internal control?
Sections 4.2 and 4.3 of this chapter explained that, in order to ensure that risks in an entity are adequately addressed, a system of internal control has to be designed, implemented and maintained by the management of the entity as part of an effective risk management process. In order to design a suitable system of internal control, management should go through three steps, namely:

Step 1: Identify the risks associated with a particular transaction or class of transactions (things that could go wrong), from where it is initiated to its ultimate inclusion as an amount or disclosure in the financial statements.
Step 2: Formulate the control objectives for the particular transaction or class of transactions (what the system is required to ensure or achieve in respect of the particular transaction).
Step 3: Use the five components of a system of internal control (refer to section 4.3.2) to design a proper system of internal control to address the risks (and achieve the control objectives) for that particular transaction or class of transactions.

The system of internal control as designed should then be implemented, maintained, and monitored.

4.4.1 Step 1: Identify the risks

As discussed in section 4.2.1, every entity is faced with various risks to which it should respond in order to prevent the consequences associated with the risk being realised. In addition, every business transaction that an entity enters into has certain risks associated with it, from where it is initiated to its ultimate inclusion as an amount or disclosure in the financial statements. Sections 4.2.2 and 4.3.2.2 explained that in order to ensure that management responds adequately to these risks, a proper risk assessment and risk management system should be in place.
The first step in the process of designing a suitable system of internal control would therefore be to determine the risks associated with each class of transactions that flows through the accounting system, in other words things that could go wrong in the execution of the particular transaction or class of transactions along the path that it follows in the accounting system.

REFLECTION
Think of the risks associated with a credit sales transaction. If you struggle to identify risks, ask yourself: What could go wrong?

In order to formulate a properly described risk, both the indicator and the consequence of the risk for the entity should be included. For example, when entering into a credit sales transaction, there is a risk that a credit sale is made to a customer who is not creditworthy (indicator), resulting in irrecoverable debts and losses to the entity (consequence). Examples of risks relating to a credit sales transaction are listed below (note that this is not intended to be a complete list).
There is a risk that:
• Sales are made to customers who are not creditworthy and cannot pay their debt, resulting in irrecoverable debts and financial losses;
• Orders placed and authorised are not all executed and the goods not all delivered to the customer, leading to dissatisfied customers and potentially lost revenue;
• The goods delivered to the customer do not agree with what was originally ordered by the customer (quantity and/or type of goods), resulting in dissatisfied customers, problems with invoicing, unsettled debts and financial losses to the entity;
• Goods leave the premises although no authorised order was received (goods are stolen/theft of goods), resulting in financial losses to the entity;
• The goods leaving the premises do not actually reach (are not delivered to) the customer (theft of goods on the way to the customer), resulting in financial losses to the entity and dissatisfied customers;
• The customer is not invoiced for the goods delivered to him or her, resulting in unrecorded sales and financial losses to the entity;
• The details of the invoice do not agree with the goods that were delivered to the customer (quantity and/or type of goods), resulting in financial losses to the entity (if under-invoiced) or dissatisfied customers (if over-invoiced);
• Goods are invoiced although they were not ordered by and delivered to the customer;
• The prices at which goods are invoiced do not agree with the authorised price list, resulting in financial losses to the entity (if under-invoiced) or dissatisfied customers (if over-invoiced);
• The calculations on the invoice (quantity x price and VAT) are incorrect, resulting in financial losses to the entity (if under-invoiced) or dissatisfied customers (if over-invoiced);
• The customer denies having received the goods and does not want to pay for the goods delivered, resulting in financial losses to the entity;
• The goods delivered and invoiced are not all paid for by the customers, resulting in financial losses to the entity;
• All sales transactions are not recorded in the accounting records (omission), resulting in an understatement of sales (and debtors) in the financial statements;
• A sales transaction is recorded although a sales transaction did not actually take place, resulting in an overstatement of sales (and debtors) in the financial statements; and
• Sales transactions are not recorded accurately, resulting in sales (and debtors) not being accurately reflected in the financial statements.

REFLECTION
List the risks (things that could go wrong) when an entity orders goods from suppliers, receives the goods and pays for the goods received. Formulate a proper risk by:
• Including both the indicator and the consequence of the risk; and
• Starting your sentence with: ‘There is a risk that/of ...’

The use of a computerised accounting system by an entity may also introduce additional risks for the entity (e.g. the risk of unauthorised access to the computer system which may result in access to information that may be sensitive or unauthorised changes to information) that would need to be addressed. Risks in a computerised environment are addressed in Chapter 5. The risks that arise for each of the different classes of transactions that occur in the various business cycles are discussed in more detail in Chapters 6 to 10.
4.4.2 Step 2: Formulate control objectives

4.4.2.1 Introduction

As was discussed in the previous section, each class of transactions that flows through the accounting system of an entity carries with it certain risks, in other words things that could go wrong in the execution of that particular class of transactions. In order to address these risks, management and those charged with governance should formulate objectives that they want to achieve for each class of transactions. This will prevent the risks associated with that particular class of transactions from materialising, and, if they do materialise, will detect them and initiate corrective action to mitigate the resulting negative consequences. These objectives are called control objectives.

4.4.2.2 The generic control objectives

In order to ensure the reliability of financial reporting, the generic control objectives listed in Table 4.1 must be achieved for every class of transactions that flows through the accounting system.

Table 4.1: Generic control objectives

| CONTROL OBJECTIVE | GENERIC DEFINITION OR MEANING |
|---|---|
| Validity | • All transactions and events that are executed were properly authorised in accordance with management’s policy; and |
| | • All transactions and events that are recorded: occurred (i.e. are not fictitious); during the period; and are supported by sufficient and appropriate documentation. |
| Completeness | • All transactions and events that occurred during the period: are recorded; in a timely manner; and |
| | • No transactions or events are omitted. |
| Accuracy | • Transactions and events: are recorded at the correct amounts (correct quantity, prices and calculations); are correctly classified in terms of the entity’s chart of accounts; and are correctly summarised and posted to the entity’s accounting records. |
REFLECTION
Are all the control objectives equally important for every transaction, or are certain control objectives more important for certain classes of transactions?

The control objectives are the objectives to be achieved in order to address the risks associated with a particular class of transactions. However, not all classes of transactions are susceptible to the same risks. Therefore, it follows that although all the control objectives are relevant and should be achieved for every class of transaction, certain control objectives are of greater (or lesser) significance when there is a higher (or lower) intrinsic risk associated with that particular class of transactions. For example, purchasing transactions are more susceptible to unauthorised purchases and purchases made by employees for private use. As a result, the validity control objective would be more important for purchases transactions than, say, for cash sales transactions. However, when dealing with a credit sales transaction, validity would, in fact, also be an important objective as it would be essential to ensure that credit sales are made only to customers who are creditworthy, therefore preventing irrecoverable debts and losses to the entity.

In order to ensure that these control objectives are met for every class of transactions that flows through the entity’s accounting system, management must design, implement and maintain a suitable system of internal control.

4.4.2.3 Formulating control objectives

When designing a system of internal control, the first step is to formulate control objectives (what the entity wants the system to achieve or ensure) for each class of transactions or part of the accounting system, from where the classes of transactions are initiated, through to where they are recorded and processed, and to where they are included in the accounting records and financial statements.
Using the risks associated with a credit sales transaction identified in section 4.4.1, Table 4.2 sets out the control objectives that can be formulated for a credit sales transaction. The generic control objective being applied appears in brackets after the properly described control objective relating to a credit sales transaction. Note that in certain instances more than one control objective is applicable to ensure that a specific risk does not materialise or its effects are detected and corrected in case it has materialised. Also note the proper formulation of the control objectives: ‘Management’s objective is to ensure that … .’

Table 4.2: Risks and control objectives for the credit sales transaction

CREDIT SALES TRANSACTION

| Risks (Things that could go wrong) | Control objective (What management wants the system to achieve/ensure) |
|---|---|
| Sales are made to customers who are not creditworthy and cannot pay their debt, resulting in irrecoverable debts and financial losses. | To ensure that credit sales are made only to customers who are creditworthy (validity). |
| Orders placed and authorised are not all executed and the goods not all delivered to the customer, leading to dissatisfied customers and potential lost revenue. | To ensure that all authorised orders are executed and the goods are delivered to the customer in a timely manner (completeness). |
| The goods delivered to the customer do not agree with what was originally ordered by the customer (quantity and/or type of goods), resulting in dissatisfied customers, problems with invoicing, unsettled debts and financial losses to the entity. | To ensure that the goods delivered to a customer agree with what was originally ordered (quantity and/or type of goods) (accuracy). |
| Goods leave the premises although no authorised order was received (goods are stolen/theft of goods), resulting in financial losses to the entity. | To ensure that goods are only despatched when an authorised order has been received (no theft of goods) (validity). |
| The goods leaving the premises do not actually reach (are not delivered to) the customer (theft of goods on the way to the customer), resulting in financial losses to the entity and dissatisfied customers. | To ensure that all goods that leave the premises are delivered to the customer (no theft of goods) (completeness and validity). |
| The details of the invoice do not agree with the goods that were delivered to the customer (quantity and/or type of goods), resulting in financial losses to the entity (if under-invoiced) or dissatisfied customers (if over-invoiced). | To ensure that the invoice details agree with the goods that are delivered (quantity and/or type of goods) (accuracy). |
| Goods are invoiced although they were not ordered by and delivered to the customer. | To ensure that goods are only invoiced if they were ordered by and delivered to the customer (validity). |
| The prices at which goods are invoiced do not agree with the authorised price list, resulting in financial losses to the entity (if under-invoiced) or dissatisfied customers (if over-invoiced). | To ensure that goods are invoiced at the correct prices (accuracy). |
| The calculations on the invoice (quantity x price and VAT) are incorrect, resulting in financial losses to the entity (if under-invoiced) or dissatisfied customers (if over-invoiced). | To ensure that calculations on invoices are correct (accuracy). |
| The customer denies having received the goods and does not want to pay for the goods delivered, resulting in financial losses to the entity. | To ensure that customers acknowledge the receipt of goods and cannot deny having received the goods (validity). |
| The goods delivered and invoiced are not all paid for by the customers, resulting in financial losses to the entity. | To ensure that all orders delivered and invoiced are paid for (completeness). |
| All sales transactions are not recorded in the accounting records (omission), resulting in an understatement of sales (and debtors) in the financial statements. | To ensure that all sales transactions are recorded in the accounting records (completeness). |
| A sales transaction is recorded although a sales transaction did not actually take place, resulting in an overstatement of sales (and debtors) in the financial statements. | To ensure that only sales transactions that actually took place are recorded (validity). |
| Sales transactions are not recorded accurately, resulting in sales (and debtors) not being accurately reflected in the financial statements. | To ensure that sales transactions are recorded accurately (accuracy). |

It is clear from the formulation of the control objectives in the table that a control objective (what management wants to achieve or ensure) is simply a different formulation of the risk (things that could go wrong). It is also important to note that a particular control objective may be relevant to more than one risk. In the example above the validity control objective (identified in column 2) related to more than one of the risks (identified in column 1). In the table, the validity control objective relates to the risks of selling to customers who are not creditworthy, goods leaving the premises and being delivered when no order was placed, goods being stolen and as a result not reaching the customer, the customer being invoiced although no goods were delivered, and the customer denying placing an order/receiving goods.

REFLECTION
List management’s control objectives for goods ordered from suppliers, received and paid for by the company. When formulating control objectives, ask yourself: What does management want the system to achieve/ensure in respect of the particular class of transactions?
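The three generic control objectives can also be expressed as automated checks over recorded credit sales. The following is an added example, not part of the original text: it reviews a few constructed invoices against delivery notes, authorised orders and a price list, and labels each exception with the control objective it relates to. All names, records and the 15% VAT rate are assumptions made for the illustration.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

VAT_RATE = Decimal("0.15")  # assumed rate for the constructed data

# Constructed sample records (hypothetical, for illustration only).
PRICE_LIST = {"WIDGET": Decimal("100.00"), "GADGET": Decimal("250.00")}
# Authorised customer orders: order number -> (item, quantity)
ORDERS = {"SO-1": ("WIDGET", 10), "SO-2": ("GADGET", 4), "SO-3": ("WIDGET", 5)}
# Delivery notes signed by the customer: note number -> (order, item, quantity)
DELIVERIES = {
    "DN-1": ("SO-1", "WIDGET", 10),
    "DN-2": ("SO-2", "GADGET", 4),
    "DN-3": ("SO-3", "WIDGET", 5),
}


@dataclass(frozen=True)
class Invoice:
    number: int          # prenumbered invoice stationery
    delivery_note: str
    item: str
    quantity: int
    unit_price: Decimal
    vat: Decimal
    total: Decimal


INVOICES = [
    Invoice(1001, "DN-1", "WIDGET", 10, Decimal("100.00"), Decimal("150.00"), Decimal("1150.00")),
    # Invoiced below the authorised list price of 250.00.
    Invoice(1002, "DN-2", "GADGET", 4, Decimal("205.00"), Decimal("123.00"), Decimal("943.00")),
    # Refers to a delivery note that does not exist; number 1003 is also missing.
    Invoice(1004, "DN-9", "WIDGET", 3, Decimal("100.00"), Decimal("45.00"), Decimal("345.00")),
]


def review_credit_sales(invoices, deliveries, orders, price_list):
    """Return (objective, reference, finding) for every exception found."""
    findings = []
    invoiced_notes = set()
    for inv in invoices:
        note = deliveries.get(inv.delivery_note)
        if note is None or note[0] not in orders:
            # Validity: a recorded sale must be supported by a delivery note
            # that links back to an authorised order.
            findings.append(("validity", inv.number,
                             "no delivery note linked to an authorised order"))
        else:
            invoiced_notes.add(inv.delivery_note)
            if (inv.item, inv.quantity) != (note[1], note[2]):
                findings.append(("accuracy", inv.number,
                                 "item or quantity differs from delivery note"))
        # Accuracy: price agrees with the authorised price list.
        if price_list.get(inv.item) != inv.unit_price:
            findings.append(("accuracy", inv.number,
                             "price differs from authorised price list"))
        # Accuracy: recompute quantity x price and VAT.
        net = inv.unit_price * inv.quantity
        vat = (net * VAT_RATE).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)
        if inv.vat != vat or inv.total != net + vat:
            findings.append(("accuracy", inv.number, "VAT or total is miscalculated"))
    # Completeness: every delivery must have been invoiced.
    for ref in sorted(set(deliveries) - invoiced_notes):
        findings.append(("completeness", ref, "goods delivered but not invoiced"))
    # Completeness: no gaps in the prenumbered invoice sequence.
    numbers = sorted(inv.number for inv in invoices)
    if numbers:
        expected = set(range(numbers[0], numbers[-1] + 1))
        for missing in sorted(expected - set(numbers)):
            findings.append(("completeness", missing,
                             "gap in prenumbered invoice sequence"))
    return findings


if __name__ == "__main__":
    for objective, reference, finding in review_credit_sales(
            INVOICES, DELIVERIES, ORDERS, PRICE_LIST):
        print(f"{objective:<12} {reference!s:<6} {finding}")
```

Each finding corresponds to a row of Table 4.2; a check of this kind only detects the exception, and someone still has to investigate and correct it.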
4.4.2.4 Relationship between control objectives and assertions

The transactions that flow through the accounting system are all eventually included in the financial statements as totals (for classes of transactions), account balances and/or disclosures. The financial statements are the board’s report of the company’s financial position at the reporting date, and the results of its operations and cash flows for the period then ending. The representations that the board makes, implicitly or explicitly, in the financial statements are referred to as assertions. The IAASB Glossary of Terms defines assertions as the representations made by the board of directors in the financial statements to the users of the financial statements about the company’s classes of transactions and events, and assets, liabilities and equity, including presentation and disclosure. ISA 315 identifies three categories of assertions, namely assertions about classes of transactions and events for the period under review, assertions about account balances at year-end, and assertions about presentation and disclosure. Refer to Chapter 1 section 1.3.3 for a discussion of the assertions.

To enable the board to make the assertions about the classes of transactions and events, balances and disclosures that appear in the financial statements, the board needs to ensure that there is a proper system of internal control in place to ensure that they can rely on the information regarding financial transactions that is produced by the accounting system and used to prepare the financial statements. This means that there is a relationship between the control objectives (that management wants the accounting system to achieve) and the assertions (representations) that the board makes in the financial statements, which are in relation to information generated by the accounting and internal control system.
For example, if adequate access controls are not in place to ensure that the validity control objective is achieved, this may result in theft of assets. As a result, the board will have problems making representations regarding the ‘existence of assets’ assertion in the financial statements, as there will be a high risk that the assets included in the financial statements are not on hand and available to the company. The board of directors would therefore often not be able to make their representations (or assertions) in the financial statements if a sound system of internal control for all the classes of transactions that flowed through the accounting system were not in place. It also means that if proper controls are in place and the control objectives are achieved, the board should be in a position to make the related assertions in the financial statements.

REFLECTION
Which assertion will be affected if controls to ensure that calculations on invoices are correct, are not in place?

4.4.3 Step 3: Design a system of appropriate internal controls

Once the risks have been identified and the control objectives for every class of transactions have been formulated, the next step is to design a system of appropriate policies and procedures – a system of internal control – to ensure that each control objective is achieved and the related risk associated with the transaction is addressed. While the control objective indicates what management wants to achieve in order to address the risk, the internal control is how management intends to achieve the control objective.

Management will use the five components of internal control discussed in section 4.3.2 to design a system of internal control that will suit the unique situation of the entity – in other words address the risks and achieve the control objectives formulated by the management of that particular entity.
Besides establishing and fostering a positive control environment (refer to section 4.3.2.1), a proper risk assessment process should be in place (refer to section 4.3.2.2). A combination of the control activities (or internal control measures) discussed in section 4.3.2.4 will be used to design a suitable system of internal control that will address the risks, while also taking into account the entity’s information system, accounting system, business processes, procedures and records (refer to section 4.3.2.3). In addition, continuous monitoring of the system of internal control should take place (refer to section 4.3.2.5).

Referring to the risks and related control objectives formulated regarding a credit sales transaction as an example, the following internal controls in Table 4.3 would be appropriate to address the first risk identified earlier.

Table 4.3: Internal controls to address a risk in a credit sales transaction

CREDIT SALES TRANSACTION

| Risks (Things that could go wrong) | Control objective (What management wants the system to achieve/ensure) | Internal controls (How management would address the risk or achieve the control objective) |
|---|---|---|
| Sales are made to customers who are not creditworthy (i.e. who cannot pay their incurred debt in the future). | To ensure that credit sales are made only to customers who are creditworthy and would therefore be able to settle the debts they incur. (Validity) | Customer completes a credit application form and submits trade references. |
| | | Credit controller performs background checks on customer’s trade references and confirms credit status with credit bureaus. |
| | | Credit controller sets a credit limit on the amount of debt a customer may incur and records it on the credit application form. |
| | | The financial manager authorises, if appropriate, the credit limit – having reviewed the supporting documentation submitted by the credit controller. |
| | | Before an order is authorised, the customer’s available credit is checked. |
| | | Debtors ledger is reviewed by financial director on a regular basis to identify long outstanding debts for follow-up (this could point to deficiencies in the credit review and approval system). |

REFLECTION
Identify which of the control activities in section 4.3.2.4 have been utilised to design the internal controls to respond to the risk identified.

It is important to note that in order to provide reasonable assurance that one risk (or one control objective) is addressed sufficiently, more than one internal control measure (or type of control activity as discussed in section 4.3.2.4) may be necessary to work in combination with one another. In the example above, a combination of documentation and records procedures, authorisation, segregation of duties and independent checks is used to address the risk of selling to customers who are not creditworthy (or to achieve the control objective of ensuring that credit sales are only made to customers who are creditworthy).

Although the principles of the system of internal control, and in particular the control activities discussed in section 4.3.2.4, are all also applicable in a computerised environment, the use of a computerised system by an entity may influence the type of control measures necessary, as well as the way in which the internal control measures are applied in the entity. As the level of computerisation of the information system differs from entity to entity, so would the degree to which internal control activities are computerised. Controls in a computerised environment are addressed in Chapter 5.

4.4.3.1 Preventative versus detective and corrective controls

Controls fall into one of two categories: preventative controls that aim to prevent the undesirable effects of a risk from materialising, and detective and corrective controls, which aim to detect the effects of a risk that has materialised and ensure that the necessary corrective action is taken to fix these undesirable effects.
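The two categories can be seen side by side in the credit controls of Table 4.3. The following is an added example, not part of the original text: the order authorisation check acts before the sale takes place (preventative), while the debtors ledger review finds long outstanding debts afterwards so that they can be followed up (detective and corrective). The class and function names, the 90-day threshold and all records are assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal
from typing import Optional


@dataclass
class CreditAccount:
    customer: str
    limit: Decimal
    limit_set_by: str                    # e.g. the credit controller
    limit_authorised_by: Optional[str]   # e.g. the financial manager; None = not yet authorised
    open_invoices: list = field(default_factory=list)  # (invoice_date, amount)

    def balance(self) -> Decimal:
        return sum((amount for _, amount in self.open_invoices), Decimal("0"))


def authorise_order(account: CreditAccount, order_value: Decimal):
    """Preventative control: runs before the order is accepted."""
    if account.limit_authorised_by is None:
        return False, "credit limit not authorised"
    if account.limit_authorised_by == account.limit_set_by:
        # Segregation of duties: the person setting the limit may not approve it.
        return False, "limit set and authorised by the same person"
    available = account.limit - account.balance()
    if order_value > available:
        return False, f"order exceeds available credit of {available}"
    return True, "within available credit"


def long_outstanding(accounts, as_at: date, max_age_days: int = 90):
    """Detective control: periodic review of the debtors ledger.

    Returns (customer, amount, age in days), oldest first, for follow-up.
    """
    flagged = []
    for account in accounts:
        for invoice_date, amount in account.open_invoices:
            age = (as_at - invoice_date).days
            if age > max_age_days:
                flagged.append((account.customer, amount, age))
    return sorted(flagged, key=lambda row: row[2], reverse=True)


# Constructed sample accounts (hypothetical).
ACME = CreditAccount("Acme", Decimal("10000.00"), "credit.controller", "financial.manager",
                     [(date(2018, 1, 10), Decimal("4000.00")),
                      (date(2018, 5, 2), Decimal("3000.00"))])
BETA = CreditAccount("Beta", Decimal("5000.00"), "credit.controller", None)
GAMMA = CreditAccount("Gamma", Decimal("8000.00"), "credit.controller", "credit.controller",
                      [(date(2018, 2, 1), Decimal("2500.00"))])
ACCOUNTS = [ACME, BETA, GAMMA]

if __name__ == "__main__":
    for account, value in [(ACME, "2500.00"), (ACME, "3500.00"), (BETA, "100.00"), (GAMMA, "100.00")]:
        print(account.customer, value, authorise_order(account, Decimal(value)))
    for row in long_outstanding(ACCOUNTS, as_at=date(2018, 6, 30)):
        print("follow up:", row)
```

The review also flags Gamma, whose limit was never independently authorised, which is the kind of deficiency in the credit approval process that Table 4.3 says such a review could point to.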
A combination of both types of controls (preventative as well as detective and corrective controls) is essential for an effective system of internal control that will ensure that risk is adequately addressed. While it is better to prevent risks from materialising (as the resources required to recover from the undesirable effects of a risk that did materialise often exceed the effort needed to prevent the risk from materialising), any errors detected should be corrected. Detection controls on their own are of little value if adequate controls to ensure correction of these errors are not in place.

REFLECTION
Identify which of the control activities listed in section 4.3.2.4 are preventative and which are detective and corrective controls.

REFLECTION
Consider whether the internal controls listed in Table 4.3 to address the risk of selling to new customers who are not creditworthy are preventative, or detective and corrective controls.

4.4.3.2 Key controls, operational controls and compensating controls

Some of the internal control measures that an entity implements will be more important from a financial reporting perspective than others. The reason for this is that management has to achieve control objectives far broader than only those relating to the accounting system and financial reporting (even though this has been the focus of this chapter). As discussed in section 4.3.1, the objectives of a system of internal control include ensuring reliable financial reporting (financial reporting objectives), effective and efficient operations (operational objectives) and compliance with applicable laws and regulations (compliance objectives).

Key controls for the purpose of this text are those strong internal controls that provide reasonable assurance that material misstatements in the financial statements (whether due to fraud or error) will be prevented, or detected and corrected, before the finalisation of the entity’s financial statements.
It follows from this definition that key controls are those that respond to risks that could result in material misstatements in the financial statements. In other words, these key controls address the financial reporting objectives of internal control. This means that if a key control fails, there is a reasonable likelihood that material misstatement (due to error or fraud) may be present in the financial statements.

REFLECTION
What is the relationship between control objectives, key controls and assertions?

Because entities operate in different business environments and use different systems and procedures, it is not possible to provide a complete list of key controls. Controls such as the credit controller setting credit limits and performing credit checks to confirm the continued creditworthiness of customers, and having an independent employee at senior management level authorising payments (signing cheques, for example) after comparing the details of the payment to supporting documentation, would be regarded as key controls. This is because they affect the financial statements and directly contribute to addressing a specific control objective (the validity control objective in this case) and reduce the risk of material misstatement in the financial statements.

REFLECTION
Can you think of internal controls that would generally not be regarded as key controls?

In addition to the key controls that entities implement to ensure that the financial statements are free from material misstatements (these controls have financial reporting objectives), they also implement internal controls that have operational objectives. These operational controls control the operations of the entity, such as the efficiency of the cleaning of its office space, the effectiveness of the production process in the factory (to ensure good quality, saleable products), but have no direct impact on the financial statements.
Therefore, operational controls would never be regarded as key controls – they do not prevent, or detect and correct, material misstatements in the financial statements.

Certain financial controls that are not regarded as the key controls to address a specific control objective, but nonetheless still mitigate risk to some extent, are known as compensating controls. These controls must be considered where a key control that should otherwise have been implemented to address the risk is not cost-effective, or where the key control, for whatever reason, did not function for a period of time. Although compensating controls are less desirable than key controls, there are instances where, owing to, for example, a lack of the necessary resources, entities are unable to implement the proper key control to address a particular risk. In such instances, entities are forced to implement control measures to compensate for the lack of the key control.

For example, where an entity does not have a sufficient number of employees to ensure adequate segregation of duties, its management may implement other control measures to compensate for the risk involved. Controls to compensate for the lack of segregation of duties may involve periodic independent checks of the work performed by the employee with incompatible functions to ensure that no fraud or error has occurred. Compensating controls are less desirable than the key control (in this example segregation of duties) because they generally occur after the transaction is complete. Also, it takes more resources to investigate and correct errors and to recover losses than it does to prevent the errors in the first place. However, in some circumstances, entities do not have the staff resources to establish adequate segregation of duties. In these instances, it is important for management to implement internal controls that compensate for the increased risk.

Refer to Chapters 6 to 10 for internal controls in each of the business cycles.
Assessment questions

Questions 1 to 5 are multiple-choice questions. Select the appropriate answer(s). (More than one answer is possible):

1. The system that documents the procedures and records that a transaction follows from where it is initiated to where it is included in the financial statements is known as the: (LO 3)
a) Internal control system
b) Corporate governance system
c) Accounting system
d) Risk management system
e) Control environment

2. The purpose of the system of internal control is to ensure that: (LO 1)
a) Operations take place effectively and efficiently
b) All transactions follow the accounting system
c) Employees know how the system works
d) Financial statements are reliable
e) Applicable laws and regulations are complied with

3. Which of the following aspects would a company’s board of directors take into account when deciding on an appropriate risk response? (LO 4)
a) The assertions made by the board of directors in the financial statements
b) The level of risk the company is willing to tolerate
c) The consequences should the risk materialise
d) The flow of the transactions through the accounting system of the company
e) The likelihood that the risk may materialise

4. The various business cycles that can be identified in an entity: (LO 15)
a) Are used to describe the records and documents that are associated with a class of transactions
b) Must be defined in order to address risk properly
c) Include validity, completeness and accuracy
d) Are one of the five components of a proper system of internal control
e) Include purchase and payments, sales and receipts, inventory and production, human resources and investment and financing
It is essential that the following be present in order to ensure a suitable system of internal control: (LO 13 & 14) a) Only key controls b) All the components of a system of internal control c) Only preventative controls d) Only detective and corrective controls e) Only compensating controls Indicate whether each of the following statements is true or false. a) Management is responsible for implementing an effective system of internal control. (LO 2) b) e objective of corporate governance guidelines is to protect the management of an entity. (LO 1) c) e most likely risk response for insigni cant risks is to mitigate the risk through the implementation of a system of internal control. (LO 5) d) e board of directors can only make assertions in a company’s nancial statements if the control objectives for the various classes of transactions are achieved. (LO 9) e) e assertions are used as a guideline to determine which objectives the system of internal control should achieve. (LO 9 & 12) f) It is essential that management implements both key controls and compensating controls in order to achieve a proper system of internal control. (LO 14) 7. Properly formulate the control objective(s) relating to each of the following risks: (LO 8 & 11) a) Selling goods to a customer who is not creditworthy b) A sales transaction is omitted from (not recorded in) the sales journal c) A sales transaction that did not actually take place ( ctitious) is recorded in the sales journal d) An addition (casting) error occurred on an invoice e) e goods delivered to the customer do not agree with the order placed by the customer 8. List and brie y explain the risk response options that management has available to address appropriately the risks they identi ed. (LO 5) 9. List the ve components of a system of internal control and brie y describe each component. (LO 3) Below is a table that contains descriptions of internal controls 10. 
within a system of internal control (Column A) and the control activities that can be used to design internal controls (Column B). Link each control activity in Column B to the internal control in Column A where the activity was applied. (LO 6)

Column A
10.1 Using preprinted and prenumbered stationery
10.2 Keeping inventory in a locked warehouse
10.3 Having one person placing an order and another person receiving the goods
10.4 The debtors manager signs the order after determining whether the customer has sufficient credit available

Column B
a) Adequate segregation of duties
b) Properly authorised transactions
c) Proper documentation and record procedures
d) Access control

11. Explain the relationship between the control objectives and management’s assertions. (LO 9)

12. Describe the three steps that an entity should follow in order to design a suitable system of internal control. (LO 10)

13. Explain why a system of internal control can only provide reasonable assurance that the entity’s control objectives are achieved. (LO 7)

14. Distinguish between key controls and compensating controls. (LO 14)

CHAPTER 5
Introduction to risks and internal controls in a computerised environment
Riaan Rudman

CHAPTER CONTENTS
Learning outcomes
5.1 Introduction
5.2 How has information technology evolved?
5.3 How and why do companies have to govern their computer information systems?
5.4 What is the impact of upgrading a manual accounting system to an electronic accounting system?
5.5 What are the key components of a computer information system?
5.6 How does a computerised accounting system operate?
5.7 How are computer controls classified?
5.8 How are general controls classified?
5.9 Which controls relate to the computerised processing of business transactions?
5.10 How are controls identified in advanced technologies?
Assessment questions
Appendix: Electronic funds transfer controls
Appendix: Accounting information systems

LEARNING OUTCOMES
1. Briefly explain the concept of information technology governance.
2. Explain the concepts of a financial information system, and the differences between a computerised information system and a manual system.
3. Identify and describe the risks in a computerised environment.
4. Explain the need for controls in a computerised information system.
5. Describe the consequences of weaknesses in internal control in a computerised environment.
6. Identify and describe the general and application computer controls contained in a computerised system.
7. Identify and describe the computer controls appropriate to address the risks in a computerised system.

5.1 Introduction

Information and communication technology (ICT) has become an integral part of modern business. Hardly any business enterprise operates in the modern business world without using at least some elements of information technology (IT) and communication technology (CT). IT is no longer seen as simply a mechanism for processing information, but rather as a strategic resource. It impacts on how companies do business, how they interact with clients, and how businesses control their operations and financial reporting processes, to list but a few examples. It also has an impact on various aspects of the audit process that was briefly introduced in Chapter 1. The IT infrastructure may take many forms, from a desktop connected to a cash register to an integrated enterprise resource planning (ERP) system, and it changes with the needs of a business. Irrespective of the nature of the system, the general risks, related internal controls and principles outlined in this chapter remain applicable and must be implemented by all companies that use IT.

The following sections provide a basic background to IT and the key aspects underlying IT used in a financial information system. IT is a specialist subject area. Therefore, this chapter focuses only on entry-level technology and the principles that every manager and owner should be aware of.
The application of these controls is illustrated using the business cycles of Ntsimbi Piping in Chapters 6 to 10. To make the most of the topics covered in this chapter, you should first revise a couple of key concepts from your Information Systems courses or from a detailed text that explains basic IT concepts. These concepts are highlighted in bold print and discussed in the paragraphs that follow.

FURTHER READING
Google the terms and technologies in this chapter that are unknown to you or visit the following website: www.howstuffworks.com.

Two or more computers can be connected to form a network in either one location or multiple locations. When computers are connected in one location, they form a local area network (LAN). They can also be connected between different geographical locations to form a wide area network (WAN). Networks are formed by means of, for example, cabling, wireless connections, or over the internet. A virtual private network, which uses telecommunication infrastructure to form a network between various locations, can be set up.

Each computer in the network consists of hardware and software. There are two types of software: system software and application software. Software is the program that gives the computer the instruction to perform tasks. Microsoft Windows and Linux are examples of system software (i.e. operating systems) that run the computer, whereas Pastel Accounting and Microsoft Office (including MS Word, Outlook and Excel) are application software. System software runs in the background of the computer and is designed to give the hardware instructions on how to run a specific application. Application software performs specific functions required by the users. The user is not aware of the activities and operations that the system software performs. Accounting packages, as an example, are application software that maintains data, files and transaction details in databases.
A database can consist of transaction details or cumulative balances stored in transaction files or master files respectively. Master files are used to store permanent information or standing data such as a customer’s full name and contact details and inventory descriptions. Master files are also used to store the information and cumulative totals or balances of all transactions that were entered into and processed by the system from transaction files. Transaction files are used to record the transaction details of each individual transaction in both real-time and batch processing systems. In a real-time system, the master file is updated with the cumulative totals or balances of all transactions recorded as and when the transactions occur. In contrast, in a batch processing system, the details of each individual transaction are stored in a transaction file until such time as the system processes the data, at which time the information in the transaction file is used to update the master file. Batch processing and real-time systems are discussed in section 5.6.

Each file is made up of rows and columns of data. Data stored electronically is represented by fields, records and files stored in a database. When data is captured, it is stored in a field (e.g. amount, price, quantity or date). Multiple fields that relate to a particular transaction are stored in a record (e.g. all the fields relating to a debtor or transaction). The records of all related transactions (e.g. debtors) are saved in a file. A collection of files or data that relate to a similar class of transactions or balance makes up a database. This database can be used and shared among multiple applications. Figure 5.1 presents the relationship between fields, records, files and databases using Ntsimbi Piping’s debtors as an example. A more detailed discussion is contained in an appendix to this chapter.

Figure 5.1: Data structure of debtors database

5.2 How has information technology evolved?
Computers were initially used by companies as mainframe computers situated in centralised computer departments. When personal computers were first introduced to the business world, they were used on a standalone basis (i.e. not connected to each other) as a processing medium. All documents were printed and controls were implemented by the user on and around the printed documents. IT has evolved significantly since then (see Figure 5.2). Networking technology allowed computers between departments housed within one location (LAN) or over various locations (WAN) to be connected via a network. This meant that many of the controls performed by the user could be replaced by fully automated controls. For example, networking allowed users in different departments to capture information on a terminal. The system used this information to update its records and to perform automatic matching with information from other departments. This reduced the need for multiple copies of documents and manual comparison between documents from different departments.

The internet opened up opportunities for businesses to transact online and also to interact directly with suppliers’ and customers’ computer systems, giving rise to virtual and extended enterprises. With the evolution of the internet, new business models arose and new technologies and trends such as social media, cloud computing, mobility and the convergence of IT with cellular technology (convergent systems) have come to the forefront. The newest area of development is around artificial intelligence and machine learning algorithms, which introduce an element of autonomy and independent decision making into IT, where machines are able to make decisions based on prior learning and experiences. More and more devices, other than computer applications, are also being connected to the internet, with these devices being able to produce a wide variety of data (such as horizontal and vertical GPS location, sensor data, and temperature data).
This trend is commonly referred to as the Internet of Things.

Each stage of the evolution gave rise to new risks and required new controls to address these risks. Advances in computerisation decentralised the information-processing function from a centralised computer area into the hands of individuals such as sales staff, accountants, and directors. With standalone personal computers, the greatest risks were physical threats. In a connected environment, however, electronic intrusion (where unauthorised third parties, also known as hackers, obtain virtual access to a computer or electronic device) poses the greatest risk. Consequently, controls have also evolved with a shift in focus from physical controls around a company’s premises (and computer area) and access controls to limit access to specific computers in the network or a department, to implementing electronic access controls and controls programmed into the computer system (such as the use of usernames and passwords, firewalls, and encryption – discussed in more detail in later sections). Many manual controls, which in many instances placed significant reliance on documentation and required human user interaction, have nowadays given way to automated controls performed almost entirely by the computer system.

Figure 5.2: Key stages in IT development

Trends that are changing the modern IT landscape include the following:

• Distributed networks: The improvement in technology and the increase in the processing and storage capacity of computers have made desktop computers more powerful and cost-effective. As a consequence, there has been a shift away from centralised computer centres towards decentralised end-user computing over a network, where much of the processing and storage of information are done on the user’s computer or electronic device. The decentralised nature of modern networks has made it more difficult to restrict access and implement proper segregation of duties.
• Mobility: Computers and related telecommunication devices (such as laptops, tablets and other mobile devices) have become smaller, lighter, more flexible and easier to carry around. Many of these devices have advanced communication technology such as Wi-Fi, Bluetooth and LTE. This mobility, combined with the concentration of information that could potentially be stored on a mobile device, has resulted in the risk of theft of hardware (and any confidential information on it) gaining prominence again. Also, the risks associated with confidential information being transmitted electronically to unauthorised persons (e.g. competitors) have taken on increased importance.

• Open source: Open source software is software that can be changed and amended by any user, because the underlying computer programming code (also known as source code) is available to anyone to review, change and redistribute. Software that is distributed under an open source licence has reduced the costs of software and has improved functionality for companies that use open source software. However, many argue that because the source code is freely available, there is an increased risk of hackers identifying areas to exploit. Others argue that because the source code is available, the risk is reduced, because as soon as a weakness in the source code is identified, there are many programmers around the world who work simultaneously on a solution to the weakness.

• Image processing: Barcodes have become a universal tool to capture information, but they have the limitation that a company requires barcode scanners to read them. With the advancement in image processing technology and the fact that almost all portable devices today are sold with some form of camera device, technology has made it possible for almost any device to become an image code input device, fingerprint scanner and so on, thereby having the potential to reduce data input errors.
• Convergence: Hardware devices have become more integrated and contain various wide-ranging functionalities (for example tablets, such as the iPad, that integrate, among other things, a computer, a camera, a communication device (using applications such as Skype), a data storage device and a digital scanner). It is not only hardware that has become more integrated. Various devices today also have integrated online and web services such as Facebook and Twitter pre-installed. Another example includes electronic payment systems such as the mPesa system, which allows airtime credit to be transferred between cellphones that can be used as a method of payment for goods or services received. The following analogy explains it best. Not many years ago, someone would purchase a cellphone with the main purpose of making phone calls. The phone was selected based on its ability to make calls. The features were an added benefit. Today, customers select a phone based on functionality and features, such as the number of pixels the camera has and the ability to receive Facebook updates, rather than the ability to make phone calls. Today, the ability to make calls is the added bonus. This multifunctionality has resulted in the blending of numerous risks in one device. For example, an iPhone is not only exposed to risks similar to those of any telephone, but also to risks similar to those to which a desktop computer is exposed, such as hacking and viruses.

• Cloud computing: This is a trend where companies store their data online or operate applications that are situated on the internet. The company then runs the application using an internet browser interface or by using a lightweight application that can be downloaded onto the device or computer, with the underlying data being stored online rather than on the device or computer. The device contains only the user interface, while all processing and storage takes place on the internet. Cloud computing involves a number of risks.
The following are just two examples. Storing data on the internet could expose a company to risks such as a disruption to operations if data is not available due to a slow internet connection. It also increases the chances that data can be intercepted or lost during communication.

The world is entering what is commonly referred to as the ‘Fourth Industrial Revolution’, which is characterised by emerging technology breakthroughs in a number of fields, including robotics, artificial intelligence, nanotechnology, quantum computing, and biotechnology, amongst others. The Fourth Industrial Revolution builds on the digital revolution, representing new ways in which technology becomes embedded within societies and even the human body. This Fourth Industrial Revolution is fundamentally different from the previous three, which were characterised mainly by advances in technology. Examples of future technologies that are going to impact society and business in the years to come include the following:

• Artificial intelligence and machine learning: Artificial intelligence (also known as AI) describes computers with the ability to mimic or duplicate the functions of a human brain and to recognise complex patterns. Another element to consider is machine learning, where computer hardware and software have capabilities that allow them to change how they function, respond and react based on prior learning, past experience and patterns they identify from past feedback.

• Blockchain technology: The blockchain is an incorruptible digital ledger of economic transactions that can be programmed to record not just financial transactions, but virtually everything of value. A blockchain is a continuously growing list of records, called blocks, which are linked and secured using cryptography. Each block typically contains a cryptographic hash of the previous block, a timestamp and transaction data and, as a result, each new block of data is linked to the previous block.
Once recorded, the data in the block cannot be altered retrospectively without changing all subsequent blocks. It forms a distributed ledger that can record transactions between two parties efficiently and in a verifiable and permanent manner. The decentralised nature makes blockchain suitable for the recording of events and other records, such as identity management, transaction processing and documenting origin.

• Big data and the advancement of data analytics: Big data represents data sets that are larger and more complex than traditional data sets and are beyond the ability of commonly used data processing application software. Big data represents the information assets characterised by a high volume (i.e. quantity of generated and stored data), velocity (i.e. speed at which the data is generated and processed) and variety (i.e. type and nature of the data) to require specific technology and analytical methods to transform it into decision-useful information. As a result, big data tends to place reliance on the use of predictive analytics, user behaviour analytics, or other advanced data analytics methods that extract value from unstructured, semi-structured and structured data. Big data applications are able to extract usable unstructured data from text, images, audio, and video, while also being able to complete missing data through data fusion. Big data requires technologies with new forms of integration to reveal insights from datasets that are diverse, complex and of a massive scale. Data must be processed with advanced tools (analytics and algorithms) to reveal meaningful information.

• Robotics and autonomous vehicles: Robotics involves developing mechanical or computer devices that are able to perform tasks that require a high degree of precision, are repetitive in nature or could be hazardous to humans, in essence mechanising tasks which are typically performed by humans.
Robots can be programmed to perform repetitive tasks, or their programming can be adaptive, with the ability to analyse data, make decisions and respond accordingly. Autonomous vehicles are robotic vehicles such as cars, drones, etc. with the ability to use the data about their environment derived from input sensors to make decisions on how to navigate without human input.

These technologies are not being developed in isolation: robotics, for example, is being developed in conjunction with artificial intelligence capabilities that rely on big data datasets for data inputs.

As technology advanced, the manner of operating a business and processing financial information also evolved, but this evolution did not alter the basic need for proper governance and systems of internal control in a company, as introduced in Chapter 4.

5.3 How and why do companies have to govern their computer information systems?

Technology and information governance is one of the principles in King IV™. King IV™ takes cognisance of the advantages of IT and the profound impact it has on businesses, with Principle 12 being designed to strengthen processes that help to anticipate technological changes. According to King IV™ (discussed in Chapter 4), the governing body of an organisation (which, in the case of a company, is the board of directors) should set the direction for how technology and information should be approached by approving a policy which forms the foundation for the development of an IT governance framework that should support the effective and efficient management of IT resources – including the implementation of a sound risk management system and internal controls – based on the company’s specific requirements, to ensure that a company achieves its strategic objectives. The policy should include the technological (i.e.
human, financial and physical) and informational aspects of IT. This represents a change from previous versions of the King reports, which simply addressed information technology. King IV™ makes a clear distinction between technology and information. The policy must integrate into the entire organisation and must be designed to improve business processes. It is no longer sufficient merely to rely on controls implemented in an ad hoc manner to mitigate risks. In today’s advanced technology environment, IT has become the centre of any business activity and has an impact at both operational and strategic levels in a business.

The following advantages can be expected when good IT governance practices are implemented:
• A company’s reputation is improved, and the trust of internal parties (such as employees) and external parties (such as customers, suppliers and investors) is enhanced.
• Strategically aligning IT with business goals and processes makes business operations more efficient and creates a competitive advantage.
• Non-IT executives gain a better understanding of IT, and better decision-making processes are possible due to timely and quality information being available.
• A greater level of compliance with laws and regulations is possible.
• Risk management procedures are maximised by implementing sound IT controls.

Not implementing good IT governance practices increases, among others, the following risks:
• The company may encounter problems in running its operations, machines and production lines, which results in the company not operating efficiently and effectively.
• There may be a loss of confidentiality.
• Systems become less available, less reliable and function less effectively.
• Unauthorised use, access to and changes to IT systems may take place.

It has therefore become critical for boards of directors to familiarise themselves with their roles and responsibilities in respect of King IV™’s IT governance principles.
They are responsible for overseeing the management of IT and ensuring that IT delivers proper integration of people, technology, information, and processes in order to deliver value, while at the same time establishing a resilient system which can mitigate risks arising internally and at third-party service providers as well as risks of cyber attacks. Emphasis is also placed on being responsible leaders by ensuring ethical and responsible use and disposal of technology, as well as compliance with legislation. Consideration is also given to monitoring effectiveness and efficiency, with emphasis being placed on considering the need for the board to obtain independent assurance on the company’s IT-related arrangements. Disclosure relating to IT governance is forward focused and objective driven, providing an overview of governance and management arrangements, key focus areas, the monitoring of actions taken, as well as remedial actions taken resulting from incidents.

King IV™ recognises that IT poses a significant risk to modern businesses and that it is important for a business to have a sound system of internal control. The five components of internal control were introduced in Chapter 4. We shall now see that they remain relevant when IT is introduced. The board of directors is responsible for creating a sound control environment and can discharge its duties for effective corporate governance by, among other things, implementing a process of internal control, as was introduced in Chapter 4. It is responsible for overseeing the implementation of proper governance around the information system and business processes used to initiate, record, process, and report financial information by creating an appropriate control environment. The introduction of computerised systems and the potential consequences of inadequate controls to address the related risks require that management has a high regard for, and awareness of, the need for controls (manual and computerised).
King IV™ requires that ethical governance principles should be cultivated and promoted within the company. The board of directors should ensure that a company’s general ethical governance principles align with a company’s IT governance principles, and this matter has therefore been included in the recommendations under Principle 12.

The board of directors can assign part of its responsibility with regard to controls to the risk governance committee and/or a computer steering committee, part of whose responsibility it is to assess IT risks and trends continuously. Part of this responsibility can also be assigned to other members of the board of directors and most frequently this responsibility is assigned to the chief information officer (CIO). The CIO is responsible for going through a strategic evaluation and risk assessment process, the result of which is strategies and policies to control the information system and business processes (relating to financial reporting) with a specific focus on computer controls. IT management and staff are tasked with formulating control activities that enforce and support these policies and strategies. These control activities must be implemented in and around the information system and business process. Two levels of control activities are considered, namely, those that impact the entire computer system (i.e. general controls) and those specific to a particular application (i.e. application controls). These controls in combination impact the manner in which financial information and transactions are initiated, recorded, processed, and reported. These controls consist of a combination of manual controls and computer controls. However, in a computerised environment, manual controls can be either dependent on or independent of IT (refer to section 5.9.2 for examples).

The board of directors also has a responsibility to assess whether their policies, procedures and control activities meet their strategic and financial objectives.
In order to meet all relevant objectives, the board of directors must implement mechanisms to monitor and evaluate all components of a system of internal control. This can be done by, for example, the internal audit department, risk governance committee or external consultants. Various frameworks are available that can be used to evaluate IT governance, such as COBIT 5 (Control Objectives for Information and Related Technology) (available from www.ISACA.org) that was first recommended in King III. Although King IV™ recommends the use of an IT governance framework, King IV™ does not recommend which specific framework should be used. The board of directors should select a framework based on their requirements, business context, computer infrastructure, and needs. The five components of internal control, as adapted for use on computerised systems, are depicted in Figure 5.3 on the next page. All these elements are influenced by IT.

Figure 5.3: Key elements of a computerised system of internal control

5.4 What is the impact of upgrading a manual accounting system to an electronic accounting system?

The introduction of electronic accounting systems has had a far-reaching impact on the manner in which modern companies are operated and controlled. In some instances, it has increased a company’s risk profile and in others it has reduced the risk profile. It is not practicable to discuss all risks relating to all technologies in a text of this nature. However, some of the risks that arise in an IT environment are highlighted in this section.

Risks arise because of the environment in which an entity operates and how it operates (as discussed in Chapter 4). Therefore, risks exist irrespective of whether management implements controls or not. In an attempt to address or mitigate the risks, management may implement controls. If controls are not implemented or the implemented controls are only partially effective, some risk will still remain, known as residual risk.
This residual risk then has to be considered by management in their decision either to accept it, or to further reduce or eliminate it by means of implementing additional (or mitigating) controls.

REFLECTION
What can go wrong (i.e. which risks arise) should management not implement controls to address each of the control objectives of validity, accuracy and completeness?

Broadly speaking, there are three principles to remember when identifying risks in a computer environment, namely:
1. By virtue of its nature and characteristics, IT gives rise to risks because information technologies introduce complexities into a system that do not exist in a manual environment (refer to ISA 315.A61–A66).
2. As was noted in section 5.3, management has various objectives. Risks may result in management objectives not being achieved. In identifying risks, it may therefore be useful to consider each of management’s objectives and consider factors that may undermine the achievement of each objective.
3. Controls are implemented in response to the risks identified in order to achieve management’s control objectives. Each control might be implemented to address one or more risks. However, although controls are implemented, they may not always mitigate and address all the risks, because, for example, a control is not implemented appropriately or operating properly, or the risk was not appropriately identified in the first place.

As we noted above, once these risks have been identified, management must evaluate the likelihood of occurrence and the impact thereof.

Introducing a computerised system into a business environment has various benefits, but also introduces risks that do not exist in a manual environment, as well as risks that are unique to each type of computer system. Some general benefits and risks are contained in International Standard on Auditing (ISA) 315.A62–A63.
Since computers are programmed to follow predefined coding derived from rules and set parameters, they perform all calculations and processes in a consistent and uniform manner. This uniform processing of information, irrespective of form, ensures that timely and accurate information is available as and when needed. Advanced analytics built into computers facilitate analysis of larger volumes of data than ever before. Availability of timely and accurate information enhances the users’ ability to monitor the performance of the entity’s activities and its policies and procedures, which in turn reduces the risk that controls are breached. The introduction of computers into a cycle gave rise to new preventative, corrective and detective controls in a system. It also enhanced the efficacy of traditional manual controls. For example, computers can be configured in various forms and network structures, which enables effective segregation of duties by implementing security and other controls. This reduces the risk that controls can be circumvented by users.

Due to the complexity of computers and the low level of understanding required by users of computers, IT has also introduced new risks. One such risk is the overreliance by users on systems or programs that could process data incorrectly due to a flaw in their programming, or that could process data that was captured inaccurately. The ease of access to data by unauthorised users may result in destruction or manipulation (completeness, validity and accuracy) of data, as well as the recording of unauthorised or fictitious (validity) transactions. Unintentional amendments to data can also occur by accident. Unauthorised changes are not only limited to changes to data; computers have made it easier for unauthorised changes to files, systems or programs to go unnoticed. Authorised users also now pose a risk, with IT personnel gaining access to data and systems beyond what is necessary to perform their work.
This could also result in loss of privacy, with private information being accessed. IT personnel might also fail to make necessary changes to systems or programs. The most common user error occurs during the input and the processing of transactions, with either erroneous or incomplete information being captured and processed. Users may intervene manually in an inappropriate manner or override automated and other controls. A lack of understanding of how computers process information (i.e. loss of data while data is being processed or transmitted) and how they produce output may result in duplicate or incomplete information being produced by a computer and used in decision making. This overreliance on IT could result in incorrect decision making and the inability to continue operating a business during an IT failure. If these risks are not properly managed, they could have severe consequences and have, among other things, financial and reputational risk implications, as has been demonstrated by cyber attacks, such as the 2017 WannaCry ransomware attack and the recent hacking of some social media platforms.

REFLECTION
What other benefits and disadvantages do you think can be derived from the introduction of computer processing facilities into a manual system?

IN THE NEWS
Hacking in the news
WannaCry was a 2017 ransomware attack that took over infected computers, encrypted the contents of the users’ hard drives and demanded a payment in Bitcoin from the user in order to decrypt the content on the computer and allow the user access to his or her data. The malware had a severe impact on facilities run by the United Kingdom’s National Health Service. The financial impact included the cost of paying the ransom, loss of productive time during the attack, as well as, in instances where the data was backed up, the loss of time reperforming work since the last back-up was made.
Money is also at risk: an amount of $39,4 million in Ether, a cryptocurrency, was stolen from the Ethereum app platform in two instances in 2017. At the height of the social media era, the media reported various instances of hacking of high-profile companies. The first was LinkedIn, a social media networking site that connects business professionals. A Russian user claimed in a public news forum to have downloaded 6.5 million LinkedIn user passwords. Another highly publicised hacking incident occurred when Facebook founder Mark Zuckerberg fell victim to a hacking attack on his personal Facebook page. The attack highlighted the vulnerability of many websites that use only a login and password over HTTP connections to protect accounts. Zuckerberg was not the only high-profile Facebook user who was hacked. Former French president Nicolas Sarkozy’s Facebook page displayed a message with poor grammar stating that he would not run for reelection in 2012. The post was later removed.

Any computer system can be described by certain general characteristics. These characteristics are highlighted in bold in this and the next paragraph. It is easy for a user to access data or programs from multiple locations, even remotely. This is because the data and functions in an IT system are concentrated around one package or database, which also results in a breakdown in segregation of duties. There is often a lack of a clear documentation trail, partially attributed to the fact that in a computer environment there are sometimes very few hardcopy input and output documents. The computer also has the ability to initiate and process transactions automatically without user intervention (i.e. system-generated transactions). These characteristics give rise to the risk of errors, omissions and fraud (hereafter referred to as misstatements).
However, using a computer system could also reduce the risk of misstatements because transactions are processed in a uniform manner, updating multiple files and programs consistently, with minimal opportunity for user manipulation. Computers also have the ability to analyse and present large volumes of information in various ways and to recombine information in a useful manner for the business. This can be used by management not only to make better business decisions, but also to improve management monitoring and supervision.

REFLECTION
How would the characteristics of an accounting system of a business change with the introduction of computer processing facilities into the manual system currently in use?

5.5 What are the key components of a computer information system?

A computer information system (CIS) exists where any IT equipment, irrespective of its nature or size, plays a part in or impacts on the processing of financial information of an entity, irrespective of whether the IT equipment/software is operated or owned by the entity or a third party. ISA 315 describes an information system as consisting of infrastructure (physical and hardware components), software, people, procedures and data.

Hardware consists of all physical electronic equipment and parts that make up a CIS and ranges from input devices to output and storage devices, to name but a few. These devices include keyboards, scanners, printers, monitors, portable hard drives and flash discs, and network infrastructure. In modern businesses, it is difficult to group a particular form of technology into a particular type of device. For example, a bank automated teller machine (ATM) and a cellphone are a combination of an input, storage, communication and output device. In recent years, there has been a convergence of technology into this type of multidevice.

Software includes all programs that reside on any or all components of hardware.
This includes the software used on computers in a bank, Android software installed on a client’s cellphone, as well as the programming on an ATM.

All people who interact with the processing of transactions are considered part of the CIS. Therefore, this includes a customer who uses an ATM. The procedures that govern their behaviour are also included as part of the system. Manual and automated procedures are the instructions used to collect, process and store data about the organisation’s activities throughout the four stages of the accounting system (outlined in Chapter 4 section 4.3.2.3). They also include strategies, policies, methods and rules for how, when and by whom the CIS is to be used.

Data includes all forms of data stored on the hardware, irrespective of its nature. For example, the data underlying the log (or list) of recent calls on a cellphone or recent transactions of an ATM is considered relevant data in a system.

Organisations use CIS to computerise accounting information and the accounting system. An accounting information system (AIS) is a system that transforms data (by collecting, recording, storing and processing data) to produce decision-useful information that can be used in an organisation (i.e. the user) to make business decisions.

5.6 How does a computerised accounting system operate?

The accounting system discussed in Chapter 4 can be expanded to include the stages in the flow of transactions in a computerised environment as indicated in Figure 5.4. The flow of transactions can be divided into four stages: (1) input, (2) processing, (3) output and (4) master file changes. These stages are further discussed in sections to follow. It is first necessary to discuss the process that data would typically follow.
Figure 5.4: Accounting system in the context of a computerised environment

The flow of transactions in a computerised accounting system typically commences with the data underlying the transactions being recorded (or captured) onto source documents designed with a specific business cycle, such as sales or salaries, in mind. Manual controls should be in place over this capturing process. These source documents can then be input into the computer system either manually or by means of a computerised reading device, such as a barcode scanner (also known as inputting).

Once input, the transaction data is processed into a computer-readable format. The computer system performs computerised checks, calculations and comparisons to ensure the integrity of the data. The data is stored until it is used or requested by the user or the program. The totals of the transaction data are stored in a master file, while the underlying transaction detail is stored in a transaction file. This is known as processing.

The standing data in a master file can be changed by means of a master file amendment (referred to as master file changes).

When the data is to be distributed, it may be viewed on-screen, emailed, stored on a magnetic medium, such as a DVD or memory stick (electronic output), or printed and distributed (manual output). This is also known as output.

As mentioned earlier, in a modern business the distinction between the various stages during which a transaction is processed is not clear cut. Various input and processing environments exist. Some examples include the following:
• Batch entry and batch processing: Individual hard-copy source documents are collected for a period of time (e.g. for a day) into bundles (batches), after which manual checks are performed on the bundles. At a predetermined later point in time, the bundles are then captured onto the computer system, converted to a format that the computer system can read, check, and store in a transaction file.
The master file is then updated with the transaction data in the transaction file at a predetermined later stage (for example, the end of the day) when it is convenient to do so. Batching ensures that all transactions in the batch are subject to the same activity, tasks or controls, that they are processed accurately, that only valid transactions are processed, that all transactions are processed and that none are omitted.
• Online entry, batch processing: Transaction data is entered directly onto the system from a terminal as the transaction occurs (to create source documents). The necessary checks are performed and the data is authorised and processed to a transaction file. At a predetermined later stage (for example, the end of the day) when it is convenient to do so, the master file is updated with the transaction data in the transaction file.
• Online entry, real-time processing: Transaction data is entered directly onto the system, which is linked to the accounting system. The latter immediately performs the necessary programmed checks, creates source documents, and processes the transactions to the master file. As a consequence, the master file is always up to date, in contrast to the above two methods where the master file is often temporarily out of date with the latest transactions due to batching and therefore delayed processing.
• Shadow processing: A copy of the master file is used during the day and is updated continuously as transaction data is captured. The system also simultaneously creates a batch file of the day’s transactions and this file is updated to the original master file at the end of each day. This process repeats daily. This is done to ensure that should the system crash during the day, the original master file is not corrupted and also acts as a backup. Furthermore, the shadow copy of the master file allows users to have real-time information available at any point in time (e.g. debtors balances and inventory levels).
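The difference between these processing environments can be seen by running the same day's transactions through each of them. The sketch below is an added example, not taken from the textbook: the class and function names, the account names and the amounts (in cents) are constructed, and rebuilding the shadow copy from the batch file after a crash assumes the batch file itself survived.

```python
"""Added illustration: batch, real-time and shadow updating of a master file."""


class Ledger:
    def __init__(self, master):
        self.master = dict(master)      # master file: running balance per account
        self.transaction_file = []      # captured detail not yet posted

    @staticmethod
    def _post(balances, txn):
        """Programmed validity check, then update of one balance."""
        account, amount = txn
        if account not in balances:
            raise ValueError(f"unknown account: {account}")
        balances[account] += amount

    def capture(self, txn):
        """Online entry, batch processing: check and store now, post later."""
        if txn[0] not in self.master:
            raise ValueError(f"unknown account: {txn[0]}")
        self.transaction_file.append(txn)

    def post_real_time(self, txn):
        """Online entry, real-time processing: master file updated at once."""
        self._post(self.master, txn)

    def run_batch(self):
        """Post the whole transaction file to the master file, all or nothing."""
        working = dict(self.master)
        for txn in self.transaction_file:
            self._post(working, txn)
        self.master = working           # swapped in only after every posting worked
        posted, self.transaction_file = len(self.transaction_file), []
        return posted


class ShadowLedger(Ledger):
    def __init__(self, master):
        super().__init__(master)
        self.shadow = dict(self.master)     # copy used during the day

    def capture(self, txn):
        self._post(self.shadow, txn)        # shadow copy is always current
        self.transaction_file.append(txn)   # batch file of the day's transactions

    def rebuild_shadow(self):
        """After a crash: untouched master file plus batch file (assumed intact)."""
        self.shadow = dict(self.master)
        for txn in self.transaction_file:
            self._post(self.shadow, txn)
        return self.shadow

    def end_of_day(self):
        expected = dict(self.shadow)
        posted = self.run_batch()
        if self.master != expected:         # reconcile the two copies
            raise RuntimeError("master file and shadow copy disagree")
        self.shadow = dict(self.master)
        return posted


def demo():
    opening = {"debtors": 100_000, "inventory": 50_000}   # constructed data
    day = [("debtors", 25_000), ("inventory", -10_000)]

    batch = Ledger(opening)
    for txn in day:
        batch.capture(txn)
    batch_before = dict(batch.master)       # still out of date
    batch.run_batch()

    real_time = Ledger(opening)
    real_time.post_real_time(day[0])        # current after a single entry

    shadow = ShadowLedger(opening)
    for txn in day:
        shadow.capture(txn)
    midday_master, midday_shadow = dict(shadow.master), dict(shadow.shadow)
    shadow.shadow = {}                      # simulated crash of the working copy
    rebuilt = shadow.rebuild_shadow()
    shadow.end_of_day()
    return {"batch_before": batch_before, "batch_after": batch.master,
            "real_time": real_time.master, "midday_master": midday_master,
            "midday_shadow": midday_shadow, "rebuilt": dict(rebuilt),
            "final_master": shadow.master}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```
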
At each stage of the transaction, errors can occur and fraud can be committed. As discussed in Chapter 4, management implements controls over the accounting system to address risks (i.e. to achieve control objectives) in both manual and IT environments. They must implement controls to respond to the risks (i.e. to achieve control objectives) in both environments. It follows that when formulating the controls, management has the same control objectives (introduced in Chapter 4) in mind in both environments. In light of the fact that the two environments are different, the control measures in a manual environment will differ from those in an IT environment. The following sections introduce controls in IT environments in general terms.

5.7 How are computer controls classified?

In a business, the accounting system consists of a manual environment (involving activities performed without IT) and a computerised environment (involving the use of IT). Computer controls can be categorised in various ways according to nature and function. Two broad categories of controls can be implemented in an IT environment, namely:
• General controls, defined as policies and procedures that relate to many applications and that support the effective functioning of application controls (see below) by helping to ensure the continued proper operation of information systems by ensuring that the control environment is stable and well managed. General IT controls commonly include controls over:
  • Data centre and network operations;
  • System software acquisition, change and maintenance;
  • Application system acquisition, development, and maintenance; and
  • Access security.
  The implication of this definition is that general controls form the framework of overall control around the CIS. They relate to the overall information processing environment, as they impact on all areas of operations and systems of the computer system, and therefore the entire control environment.
  General controls support the appropriate functioning of application controls (see below). Therefore, they are implemented before transactions can be processed and are implemented independently of the processing of transactions.
• Application controls, defined as manual or automated procedures that typically operate at a business process or application level. Application controls can be preventative, or detective and corrective, in nature and are designed to ensure the integrity of the accounting records in an application, thereby ensuring the data in the system is free from fraud or errors. Accordingly, application controls relate to procedures that are used to initiate, record, process and report transactions or other financial data.
  This means that application controls are the manual and/or automated controls over the process through which transactions are initiated, recorded, processed and reported, as well as through which changes are made to standing data (master file data) in the computer system. Application controls are implemented in respect of specific types of transactions in a business cycle, computer program or system. They focus on the processing of a specific computer application, program or system, in contrast to general controls that focus on the computer processing environment. The application controls relating to the computer programs used in the various business cycles (e.g. sales or purchases) may be different for each different application.

Whereas general controls are pervasive, thus affecting the computer environment in general, application controls are specific to types of transactions in an application or cycle. Due to the pervasive nature of general controls, these controls impact on all applications. Therefore, if the general controls do not work, the application controls do not serve much purpose, as they are overridden by the general controls.
Note also that general controls do not relate to specific management assertions, but will have a pervasive effect on all assertions. Application controls, however, relate to the business transactions and, as such, will have a direct effect on specific assertions.

Figure 5.5 highlights the interaction between general and application controls. The general controls affect all cycles’ application controls. The implication of these categories of IT controls is that if, for example, Ntsimbi Piping uses the general ledger module of PVCACC to record all financial transactions and the payroll module of PVCACC for its payroll, the general controls in the company’s IT system are the same for both modules. However, each module has its own unique application controls. Therefore, faulty general controls have an impact on the entire computer system, whereas faulty application controls have an impact only on a specific type of transactions in an application and therefore a specific business cycle, but not on the entire system, other applications or types of transactions. For example, the business continuity policies and procedures (i.e. general controls) are the same for all business areas and processes. However, the application controls applicable to the recording of an invoice, or making of a salary payment, are unique to the particular business cycle or program.

Certain control measures can be classified as either general controls or application controls, depending on their purpose. For example, access controls implemented to limit access to a company’s network (e.g. Novell network username and password) impact all application programs on the network in the same way. These access controls are regarded as general controls. Application programs on the network may also have their own access controls in place to limit access to the specific application (e.g. each Pastel user has a unique username and password distinct from their PeopleSoft username and password).
Access controls that limit access to the application are regarded as application controls.

Figure 5.5: Interaction between general and application controls

Both general and application controls can be further classified according to their purpose. Controls can be preventative, or detective and corrective (also referred to as remedial) controls:
• Preventative controls are controls that prevent either the user or the system from making errors or committing fraud (i.e. before they happen). Examples include passwords, drop-down menus and validation tests.
• Detective and corrective controls, however, detect errors and fraud after a transaction has been processed, report the misstatement and take corrective action. These controls identify a misstatement, correct it, investigate the cause and initiate steps to minimise the effect of the misstatement. Examples include management review of audit trails, transaction logs or pop-up error messages.

5.8 How are general controls classified?

General controls are generally categorised in groupings of related controls in order to provide a framework that can be used to identify controls and highlight weaknesses in a structured manner. This ensures that when controls are implemented, they address all the significant risk areas. It is inappropriate for a company to mitigate risks applicable to only one of the risk areas and neglect other risk areas. In order to mitigate risks to an acceptable level, a structured framework is required and all areas need to be addressed.

Various textbooks and governance frameworks classify general controls in different ways. In this text, general controls have been classified into the groupings contained in Figure 5.6. Note that each category of general controls is not mutually exclusive and does not operate in isolation. When designing a system of control for a company, it is important that only general controls that are relevant and applicable to the nature and size of the company be considered.
The general controls implemented by, for example, a large multinational company will therefore differ from those of a small one-person operation.

Figure 5.6: Six categories of general controls used in this text

Each of the categories of general controls in Figure 5.6 is briefly described below and then discussed in more detail in the following sections.

Controls around how the CIS department is structured (in terms of its policies, procedures and operations, as well as the staff practices employed in the company and CIS department) are commonly referred to as organisational controls and personnel practices.

Key areas that have to be controlled are how changes are made to the CIS and the acquisition or development of a new CIS. Because acquiring or developing a new system is a costly process, system development controls need to be implemented around the various stages of system development and implementation of a new system. Where a feature or part of a software package is amended or added, change controls are needed.

Controls must be implemented to protect the system against damage from physical threats, such as fire and water, and also cyber threats, such as viruses. Should something happen to the system, a process needs to be in place to ensure that the company can resume operations in the shortest possible time. These controls are commonly referred to as business continuity controls.

Operating controls are the controls that must be implemented around the day-to-day running of the hardware and the software of the CIS to ensure that they are operating effectively. Operating controls include system maintenance controls.
In order to prevent and/or detect unauthorised individuals from obtaining access to an organisation’s data or performing unauthorised activities, access controls should be implemented around the company’s premises and the CIS.¹

Each of the six general control categories in Figure 5.6 can be further divided into subareas that must be addressed in the implementation of controls, as shown in Figure 5.7. Note that the systems development controls and the change controls have been combined because they cover similar subareas.

Figure 5.7: Overview of the subareas of general controls

The following sections provide a high-level overview of the key types of general controls that a business should implement.

5.8.1 Organisational controls and personnel practices

Organisational controls deal with how the CIS department is structured and its activities managed. They include IT staff practices. Organisational controls should aim to develop an organisational culture that promotes integrity, commitment to ethical values and competence.

A company must establish an organisational framework within which it can manage its IT function and activities. The company must ensure that a clear organisational structure is in place and that it delegates responsibility to the appropriate people in a manner that facilitates the achievement of segregation of duties. Because responsibilities are distributed among many people and departments, it is also important to establish clear reporting lines. This necessitates a process in which all work is supervised and reviewed by a senior staff member. Part of establishing an organisational structure is establishing proper staff practices in order to ensure qualified staff are employed and that staff remain qualified and up to date with new trends in IT.
Should a proper organisational structure not be in place, it could result in, for example:
• Unauthorised transactions and activities being initiated by unauthorised persons;
• Collusion that could result in theft and fraud;
• Multiple functions that were previously performed by separate individuals now being performed by a single application, resulting in unauthorised transactions being initiated and executed because of a lack of segregation of duties;
• Misstatements going undetected because there is not sufficient supervision and review in place; and
• Untrustworthy or incompetent persons being employed because of poor staff practices, resulting in errors and fraud, and also negatively affecting staff morale.

When implementing new or evaluating existing organisational controls, management should follow a top-down approach. This starts with creating an ethical culture and control environment (as was discussed in section 5.3). The controls discussed in the following sections should be implemented in this regard.

5.8.1.1 Delegation of responsibility

King IV™ requires that an ethical IT governance environment be created. The board of directors must take responsibility for IT and IT governance in a company by its actions, leadership, management philosophy and style, as well as by the strategic objectives that are set. It is important to communicate the corporate culture to the company’s employees by means of policies and procedures. All employees, including management, should comply with the policies and procedures, and action should be taken against any and all employees who do not comply.

Part of the responsibility for IT governance can be assigned to a computer steering committee, which is responsible for managing IT and acts as a communication channel between the users of IT and the IT department. The steering committee should consist of knowledgeable executive management with a business and IT background to which matters can be delegated for resolution.
A company should also appoint a chief information officer (CIO) who takes responsibility for the direction of IT and communicates with the board and its committees such as the computer steering committee and the audit committee about such matters. The day-to-day management of IT can be delegated to an IT manager who is responsible for managing the staff in the IT department who are responsible for individual operational tasks, such as the programmers, database administrators and help desk operators. The IT staff often have the technical knowledge of the operation of IT, but limited business experience.

In delegating responsibility, it is important to establish clear reporting lines and levels of authority through which appropriate IT personnel can communicate with and report to the board of directors on a regular basis, if necessary. The delegation of responsibility will give rise to an organisational structure in the company and the IT department.

5.8.1.2 Segregation of duties

In establishing an organisational structure, the general principle behind segregation of duties, namely, that no one staff member should be able to perform incompatible functions, should be kept in mind. As is the case in any operational department in a company, initiation, authorisation, execution, recording and asset control should be segregated (refer to Chapter 4, section 4.3.2.4(c)). At minimum, by segregating the authorisation, recording and custodial functions, an organisation could mitigate the risk of:
• Staff authorising fictitious or inaccurate transactions in order to conceal theft of assets;
• Staff adjusting records in order to cover up inaccurate or falsified entries that were improperly authorised; and
• Staff falsifying records in order to conceal theft of assets.

All incompatible duties should further be segregated in the IT department and between the IT and the user departments.
The segregation of duties between IT and user departments involves the following:
• The IT department should be organisationally separate from user departments.
• The IT department should report directly to executive management.
• IT personnel should not be able to initiate or authorise transactions or change transaction or master file data.
• IT personnel should not be able to gain access to company resources, physical assets such as physical inventory, documentation (such as invoices and receipts) or non-physical assets such as the debtors or creditors master file data.
• IT personnel should not be able to initiate work or correct user errors unless this has been requested and authorised by a user department.
• Once IT personnel have performed work, the user department should be responsible for reviewing the work and underlying data, records and files.

The segregation of duties in the IT department involves the following:
• Ideally, all job functions should be segregated but, at a minimum, segregation of duties is required in IT between the development function, the operations function and the security function.
• There should be segregation between initiation, authorisation, processing, executing, custody and the reporting functions in IT.

The organisational structure of a company is dependent on the nature and size of its operations. Figure 5.8 depicts a generalised organisational structure of a large company with the focus on the organisational structure of its IT department. For this reason, the operational departments have been grouped together. The figure shows lines of delegation, segregation of duties between job functions and departments, and reporting lines. The descriptions of the job functions fall outside the scope of this text and should be revised from your Information Systems courses or from a detailed text on basic IT concepts.

Figure 5.8: Organisational structure of an IT department in a large company

Google the job titles reflected in Figure 5.8.
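The segregation rules listed above for IT and user departments can be tested against a list of staff access rights and a log of work done by IT. The following is an added example, not part of the textbook: the role catalogue, staff names, request and change records are all hypothetical, constructed data, and the duty labels are simply short names for the functions the text mentions.

```python
"""Added example: segregation-of-duties checks on access rights and IT work."""

# Functions the text says must be separated at a minimum.
BUSINESS_MINIMUM = {"authorise", "record", "custody"}
IT_MINIMUM = {"development", "operations", "security"}
# Things IT personnel should not be able to do on their own.
IT_PROHIBITED = {"initiate", "authorise", "custody",
                 "change_transaction_data", "change_master_file"}

# Hypothetical role catalogue: role name -> duties it grants.
ROLES = {
    "debtors_clerk": {"record"},
    "credit_manager": {"authorise"},
    "programmer": {"development"},
    "operator": {"operations"},
    "dba_full": {"operations", "change_master_file"},
}

# Constructed staff list: a person may hold several roles.
STAFF = {
    "thandi": {"department": "Debtors", "roles": ["debtors_clerk"]},
    "pieter": {"department": "Debtors", "roles": ["debtors_clerk", "credit_manager"]},
    "lerato": {"department": "IT", "roles": ["programmer", "operator"]},
    "sipho": {"department": "IT", "roles": ["dba_full"]},
}

# Constructed work requests and the changes IT made against them.
REQUESTS = {
    "R1": {"department": "Debtors", "authorised_by": "pieter"},
    "R2": {"department": "IT", "authorised_by": "lerato"},
}
CHANGES = [
    {"id": "C1", "by": "sipho", "request": "R1", "reviewed_by": "thandi"},
    {"id": "C2", "by": "sipho", "request": "R1", "reviewed_by": None},
    {"id": "C3", "by": "lerato", "request": "R2", "reviewed_by": "sipho"},
    {"id": "C4", "by": "sipho", "request": None, "reviewed_by": "thandi"},
]


def effective_duties(role_names, roles=ROLES):
    """Union of duties over all roles held; conflicts often arise only in combination."""
    duties = set()
    for name in role_names:
        duties |= roles[name]
    return duties


def entitlement_findings(staff, roles=ROLES):
    """Preventative check: who holds incompatible duties? Returns (user, rule, duties)."""
    findings = []
    for user in sorted(staff):
        duties = effective_duties(staff[user]["roles"], roles)
        for rule, group in (("business-minimum", BUSINESS_MINIMUM),
                            ("it-functions", IT_MINIMUM)):
            held = duties & group
            if len(held) > 1:
                findings.append((user, rule, sorted(held)))
        if staff[user]["department"] == "IT":
            held = duties & IT_PROHIBITED
            if held:
                findings.append((user, "it-vs-user", sorted(held)))
    return findings


def unauthorised_it_work(changes, requests, staff):
    """Detective check: IT work lacking a user-department request or user review."""
    flagged = []
    for change in changes:
        if staff[change["by"]]["department"] != "IT":
            continue
        request = requests.get(change["request"])
        if (request is None or request["department"] == "IT"
                or not request["authorised_by"]):
            flagged.append((change["id"], "no authorised user request"))
            continue
        reviewer_dept = staff.get(change["reviewed_by"], {}).get("department")
        if reviewer_dept != request["department"]:
            flagged.append((change["id"], "not reviewed by requesting department"))
    return flagged


if __name__ == "__main__":
    for finding in entitlement_findings(STAFF):
        print("entitlement:", finding)
    for finding in unauthorised_it_work(CHANGES, REQUESTS, STAFF):
        print("activity:", finding)
```
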
Note: The organisational structure presented in Figure 5.8 would be less complex in a smaller business such as Ntsimbi Piping.

5.8.1.3 Reporting, supervision and review

All work that is performed by IT staff must be initiated by staff in a user department. The user department ultimately remains responsible for the information contained in its records. Users can perform various checks to ensure the integrity of the data. These include:
• High-level review: where management reviews the financial performance of the organisation on a periodic basis, evaluating the performance compared to an expectation derived from budgets, forecasts, past performance or an industry benchmark.
• Analytical reviews and ratios: where the underlying relationships between various sets of data are analysed and any unusual deviations are investigated.
• Reconciliation of data on the system with data from independent or external sources: where financial information is confirmed with another set of data on another system (for example, a bank reconciliation) or where information is confirmed with physical evidence (such as during a stock count).
• Independent review of logs, registers and detailed transaction trails: where any unusual transaction is identified for further investigation.

Work on the computer information system may only be initiated by the IT staff under exceptional circumstances and with special authorisation. While the work is being performed, it should be supervised by a suitably qualified senior member of staff from the IT department who is available to give guidance and advice. Once the work, irrespective of its nature, has been completed, it must be reviewed by a knowledgeable, experienced manager, as well as the user from the user department responsible for initiating the request. The IT manager should also perform frequent reviews of the CIS.
System-generated activity logs and registers should be extracted from the system and should be reviewed by a senior member of the IT department. Any discrepancies should be investigated and resolved.

5.8.1.4 Personnel practices

Similar to any other department in a company, written policies and procedures should be developed to ensure that competent IT staff are hired, that staff receive the necessary training to remain competent and that their performance is reviewed frequently, so that corrective measures can be taken if required. Policies and procedures should be in place around the following:
• The process of employing staff;
• Acceptable professional and personal behaviour and use of company resources such as utility programs;
• Leave policies relating to compulsory leave and sick leave, taking into account the need for continuity of operations and completion of work;
• Staff scheduling and rotation of duties;
• Ongoing training of staff;
• Continuous evaluation of staff; and
• Dismissal and resignation of staff.

These policies, as well as all job functions and descriptions, and levels of authority of IT staff should be documented. In developing these policies, the principles of segregation of duties, security, continuity of operations, overreliance on staff and staff development should be kept in mind. For more information about acceptable personnel practices, refer to Chapter 9.

REFLECTION
What are the risks for a business (things that could go wrong) should each of the controls listed in sections 5.8.1.1 to 5.8.1.4 not be present?

5.8.2 System development and change controls

System development and change controls are the controls that must be implemented when a new computer program is developed or acquired and where a significant change is made to a computer program or its functionality. It is important to make a distinction between system development and acquisition and a program change.
• System development refers to the process that is followed when a new system is developed in-house, whereas system acquisition refers to the process followed when a new system is acquired from a vendor. Both system development and system acquisition imply that the system has not been used by the company before and, therefore, these tend to be large projects with high costs. For example, a company may implement a new management system, or automate its production systems by implementing a new enterprise resource management (ERM) system. Generally, such changes do not occur on a frequent basis. The main risks arise from the fact that it is a new system that has not been used by the company before. To respond to these risks, stringent controls have to be implemented around the selection of the system and the approval of the project, and its development and testing. Special consideration must also be given to the changeover from the old to the new system, including the transfer of data between systems.
• Program changes, also known as program maintenance, refer to changes or amendments to an existing program, for example, adding a new module to a program or updating or adding features to a program. Generally, these occur on a more frequent basis than system development and acquisition. For example, a company that is using an accounting package would like to change the accounting package to include an automatic backup system, or a debtors clerk might require a new age analysis report of debtors per location, which is not an existing feature of the accounting package. Program changes may then be requested by users in order to obtain these new features. These program changes ordinarily can be implemented at a low cost and within a short period of time.

However, irrespective of the distinction, any request for a change or amendment to a computer system, and the development of a new system, must go through the five stages of the system development life cycle (SDLC), which are:
1. Request submission, needs assessment and selection;
2. Planning and design;
3. System development and testing;
4. Implementation; and
5. Post-implementation review and training.

REFLECTION
How is this process of system development similar to and different from that of building a house?

The objectives of system development and change controls are to ensure that the new system or a change made to the system is effected to meet users’ needs and is cost-efficient (i.e. remains within budget). To achieve this, controls must be implemented in each of these stages in the system development life cycle. If proper controls are not in place, it could result in system errors, incorrect or fraudulent processing, cost overruns and non-compliance with development and quality standards, reporting requirements and legislation. Errors made in the development process result in errors during the development of the system and the transfer of information during the initiation of the system. These errors could also have an ongoing impact for the entire time that the new system is in operation as they expose the entire system to the consequences mentioned previously.

System development and acquisition controls, and program change controls, are discussed below in sections 5.8.2.1 and 5.8.2.2, respectively. The nature of the controls around system development and acquisition, and program changes, is the same in principle. However, the exact details of the controls implemented over these two processes can differ, as the risks for system development and acquisition are higher than for program changes. For example, with system development and acquisition, key risk areas include risks relating to a detailed needs assessment and program selection and approval, whereas for a program change, these risks are not as high. Similarly, the implementation and conversion from one system to another system carries greater risk than adding a new functionality to an existing package or system.
The controls must be customised according to the risks.

5.8.2.1 System development and acquisition

As noted earlier, when implementing controls, management should follow a system development life cycle approach. A company can decide either to develop a package or system in-house or acquire a package or system from a vendor. Each of these two approaches has its own advantages and disadvantages. A discussion of these falls outside the scope of this text and should be revised from your Information Systems courses or from a detailed text on basic IT concepts. A combination of these approaches could also be used.

The process of developing a new system is similar in principle to the process of purchasing a new system. However, the controls relating to the development of the system’s requirements and the programming of the system are not applicable to purchasing a new system. In the case of a purchased package or system, the purchaser must use the features that come standard with the system (assuming they cannot be changed by the purchaser and that the features of the system meet the needs of the users) and the programming has already been done by the software vendor. The controls applicable to developing a computer program in-house are discussed in the sections below. Irrespective of whether the package or system is developed in-house or is acquired from a third-party vendor, the controls listed below should be implemented.

5.8.2.1.1 Request submission, needs assessment and selection

Projects should originate from either a written user request or a genuine business need identified by management in order to achieve a strategic imperative. All requests should be documented and presented to the board of directors or delegated committee such as the computer steering committee to investigate and approve.
Depending on the size of the project and the risks involved, a feasibility study should be conducted including:
• A comprehensive user needs assessment;
• An investigation into the resources required for the project;
• An investigation into various alternative solutions, considering the option to purchase an established package or system, make changes to the existing package or system, or develop a new package or system in-house;
• Cost-benefit analysis, detailing all the costs, as well as all financial and other benefits of each option; and
• A time planner showing all the deadlines.

The purpose of the feasibility study is to produce a recommended course of action. Once the project has been approved in principle by all affected role-players and senior management, the planning commences.

5.8.2.1.2 Planning and design

The computer steering committee should appoint a project team to manage the project. The project team should include not only IT personnel, but also appropriate personnel from the user departments affected by the project and should include financial, operational and controls knowledge. The IT personnel are responsible for the system development, whereas the other personnel act in an advisory capacity. All work performed by this project team (including system development, programming and documentation) should be conducted in accordance with predefined generally accepted programming standards and control frameworks. Various standards can be used, for example, components of the ISO 9000 series or PRINCE2 control frameworks on project management. It is important that the system development is conducted in terms of international standards in order to ensure that the program and programming is understood and can be updated relatively easily in later years.

The project team prepares a project plan, which contains the timeline for the project and highlights the milestones and tasks to be completed by certain deadlines.
These tasks are allocated to the appropriate IT staff member. The project plan is used to monitor and evaluate the progress of the project, which is reported back to the computer steering committee on a regular basis. The project plan can also be used to measure a project’s performance. Poor monitoring could result in the costs of the project increasing uncontrollably, as was the case in National Treasury’s Integrated Financial Management System project (refer to the ‘In the News’ box on the next page).

Once the project plan is set, a business analyst must perform a detailed investigation into the user needs. The analyst must undertake an investigation to understand all affected users’ requirements, including those of internal and external auditors. This needs assessment forms the basis of the preliminary system specification, which is used by the programmers to develop the system. The needs assessment and/or the system specification must be reviewed and signed off by the heads of all user departments before programming can commence.

IN THE NEWS
10 years of expenditure yielding no results
The National Treasury initiated the Integrated Financial Management System (IFMS) project and spent R1 billion on the first phase. Another R1,2 billion was spent during the second phase of the project. IFMS was never implemented. IFMS was supposed to modernise the government’s IT system across departments. The failure was due to the internal controls of National Treasury not identifying problems in the project. Project costing was prepared informally, with consultants monitoring themselves and ineffective internal monitoring controls.

5.8.2.1.3 System development and testing

System development and programming should be divided into three areas, each with its own purpose:
• Development area: The development area is used to program and develop the system. The programmers should code/write the software independently of the live system and data.
They work on various versions of the program, and having a program library, a librarian (who keeps track of the use of data, programs and documentation) and proper version control are therefore important.
• Test area: Once the programming has been completed, the program is tested in the test area using, for example, test data. Again, testing should take place completely independently of the live system and data, and the results reviewed and approved by the relevant line manager. Various tests can be performed on the operations and performance of the hardware and software, including a:
  • Program test, which tests the processing logic of a single program to verify whether all situations are treated correctly.
  • String/series test, which tests the linking to a related program, for example the correctness of data transfer from one program to another.
  • System test, which tests all programs when used together as a single system, thereby ensuring the individual programs integrate properly.
  • Stress/Tension test, which tests the performance and capacity of the system when it is subjected to a high volume of processing and is experiencing demand on its resources.
  • User acceptance testing phase, where the users, including management, test the program’s functionality. Also, the internal (and external, if applicable) auditors should test the appropriateness of the controls in the system. If necessary, adjustments should be made to the system based on the feedback received.
• Production area: Once the testing is complete, the program should be moved to the production area or live system. However, before the system goes live, the system should be reviewed again by all affected personnel for final approval.

The test results should be presented to the computer steering committee for review.
In instances where testing is not performed properly, it could result in performance problems that could be costly, such as with the implementation of the eNaTIS system by South African traffic departments, which is demonstrated in the news article following Table 5.1.

5.8.2.1.4 Implementation

When implementing the new program, controls need to be implemented in relation to the conversion to the new program, as well as in relation to the transfer of the data from the old program to the new program. The implementation process is a project in its own right and it should be run as a mini-project with its own project team and/or data control group (i.e. a dedicated group of personnel). The process must be placed under the supervision of senior experienced staff members. The conversion process takes place in the three stages set out in Table 5.1. Appropriate examples relating to an inventory system have been included in the table.

Once the system has gone live, it is necessary to ensure the entire development process is documented and stored in a safe location for future use. Furthermore, documentation about the system and its operations, including training material, should be updated. All users should receive appropriate training on the operations of the system that relate to their job function.

Table 5.1: Stages in the conversion process

SYSTEM CLOSE-OFF AND DATA CLEAN UP
• A changeover date must be set (e.g. year-end, interim stocktake date).
• All financial transactions in the old system have to be closed off (e.g. record cost of sales entry in a periodic inventory system).
• All data in the old system must be cleaned up and corrected and tests performed to ensure that all data is complete (e.g. perform inventory count).
• All necessary control totals and financial balances should be calculated (e.g. total inventory on hand, hash totals of inventory codes).
• Record counts should be performed (e.g. count number of inventory codes).
• Where possible, all data should be externally verified (e.g. perform inventory counts).
• Backup should be made of the old system.
• Data on the old system must be signed off by all affected parties as accurate and complete.

SYSTEM CONVERSION
One of three methods of implementing the new system can be used:
• Parallel processing: The old and new systems run concurrently for a limited period of time.
• Direct shut down: The entire old system is shut down at once and the new system launched immediately thereafter.
• Modular (phased) implementation: The old system is phased out in sections and the new system takes its place according to a set time frame.
Each of these methods has its own advantages and disadvantages. Modular implementation is considered the least risky and the most cost-effective. Parallel implementation is the most resource intensive, although it could be considered safe because of the control totals that can be reconciled between the two systems running concurrently. However, in practice, staff find it difficult to maintain two systems at the same time, as it increases the risk of misstatements.

POST-CONVERSION REVIEW
• The old and new data and files should be compared (e.g. reconcile the inventory codes between the two systems).
• All necessary control totals (e.g. hash total of inventory codes), financial balances (e.g. total value of inventory per type) and record counts on the new system should be calculated.
• The calculated control totals, financial balances and record counts on the old system should be reconciled to the control totals, financial balances and record counts on the new system.
• The data on the new system should be compared to the results of the external confirmations (e.g. inventory count) (where applicable).
• Exception reports should be extracted from the new system on all files, noting unusual data fields (e.g. damaged inventory identified, incorrect control totals, negative quantities, alphabetic characters in quantity field).
• Any discrepancies identified in performing the above-mentioned steps and unusual items must be investigated and resolved.
• A register or exception report of all discrepancies or unusual items identified should be maintained for investigation and approval by the users, once resolved.
• Any discrepancies must be investigated and resolved.

IN THE NEWS
eNaTIS and Aarto fail to impress
A good example of project failure is the Electronic National Administration Traffic Information System (eNaTIS), South Africa’s upgraded transport information system, used, among other things, to issue and manage drivers’ licences. The system, which cost R408 million, was doomed to failure before it was introduced. The Auditor-General stated in the final report that he was 80% sure that the system was going to fail. The Auditor-General’s investigation examined 24 aspects of eNaTIS and found 19 of them to be ‘high risk’. But despite this warning, the government still went ahead with the implementation of the system. There were also many errors in the Aarto driving licence system. Prior to the launch of the system, assessment reports of two pilot projects highlighted the nightmare it proved to be for drivers and municipalities. The report shows that the driver demerit system led to various problems in training traffic police in how to implement the system, but more importantly it was found that 60% of the addresses of motorists stored on eNaTIS were incorrect. eNaTIS is the register for all vehicles, driving licences, contraventions and accident data.
This meant that drivers could be unaware of the fact that they might have incurred demerit points because the notification of offences would be sent to an incorrect mailing address. Companies employing drivers complained they would have to incur costs in monitoring the status of their drivers. Should a driver lose his or her licence, it would have labour law implications for a company. Municipalities received a lot of correspondence and complaints from drivers and incurred high costs due to the incorrect addressing of letters of offence, as all letters had to be sent by registered mail.

5.8.2.1.5 Post-implementation review

Any errors that occur after the new system has become operational should be corrected and a register of these maintained by IT. A couple of months after the system has become operational, a post-implementation review of the system should be conducted by the user department, IT personnel, internal (and external, if applicable) auditors and members of management to determine whether:
• The system meets the respective users’ needs in terms of performance and functionality;
• The necessary controls have been implemented;
• Misstatements that were detected have been resolved;
• The system development process was effective; and
• The system documentation and training material is sufficient.

5.8.2.2 Change controls

As mentioned earlier in this chapter, system development is viewed as a significant change to the system, which requires a significant investment in time and resources, hence requiring many controls around authorisation, development, programming, implementation and post-implementation review. As the needs of users change, it is also necessary to make less significant amendments to the functionality of a program or simply to update the program to meet users’ needs. These are known as program changes. The objectives of program change controls are to ensure that all changes are effected accurately in the most efficient manner and that they meet user needs.
Controlling the manner in which program changes are made is just as important as controlling system development, as a small error when making program changes could have the same severe adverse consequences as making an error during system development.

The process that should be followed during program changes is similar in principle to that of system development. The five stages of the system development life cycle (section 5.8.2) should be followed. However, program changes are less resource intensive in terms of work to be performed, time needed to implement the change and levels of approval required. Also, more consideration is given to maintaining documentation to keep track of requests for a program change, given the high volume of requests that may be received in any given period.

Because of the frequent nature of program change requests, users should be required to complete written requests on prenumbered, preprinted standard forms. Each request should be logged in a request register for later review and investigation. If feasible and justifiable, the program change request must be approved by the relevant line manager. Once a program change has been effected, it must be recorded in the register. Periodically, management must follow up any requests not completed within a reasonable time period.

Another difference with a program change request is that because it is not an entirely new system that is implemented, there is no need to have such stringent controls around confirming the accuracy, completeness and validity of the data on the system before implementing the change. However, if a request for a program change is expected to have a significant impact on the system, the full suite of system development controls should be followed in order to mitigate the risks.

REFLECTION
What controls should be in place for a program maintenance request?
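The data-transfer controls set out in Table 5.1 (record counts, hash totals of inventory codes, financial balances and an exception report on the new system) can be sketched as follows. This is an added illustration in Python, not part of the original text; the inventory records, the three-field layout and all function names are constructed for the example.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample extracts: (inventory code, quantity on hand, unit cost).
OLD_SYSTEM = [
    ("1001", "40", "12.50"),
    ("1002", "15", "99.00"),
    ("1003", "0", "7.25"),
    ("1004", "8", "250.00"),
]
NEW_SYSTEM = [
    ("1001", "40", "12.50"),
    ("1002", "-15", "99.00"),  # sign flipped during the transfer
    ("1003", "O", "7.25"),     # letter O captured instead of zero
    # code 1004 was dropped by the conversion job
]


def parse_quantity(raw):
    """Return the quantity as a Decimal, or None if the field is not numeric."""
    try:
        quantity = Decimal(raw)
    except InvalidOperation:
        return None
    return quantity if quantity.is_finite() else None


def control_totals(records):
    """Record count, hash total of the codes and total inventory value."""
    count, hash_total, value = 0, 0, Decimal("0")
    for code, qty, cost in records:
        count += 1
        hash_total += int(code)  # a sum with no meaning, used only to compare
        quantity = parse_quantity(qty)
        if quantity is not None:  # invalid fields are left to the exception report
            value += quantity * Decimal(cost)
    return {"record_count": count, "hash_total": hash_total, "total_value": value}


def exception_report(records):
    """List unusual data fields: negative or alphabetic quantities."""
    report = []
    for code, qty, _cost in records:
        quantity = parse_quantity(qty)
        if quantity is None:
            report.append((code, "non-numeric quantity"))
        elif quantity < 0:
            report.append((code, "negative quantity"))
    return report


def reconcile(old, new):
    """Compare old and new control totals and list every discrepancy."""
    old_totals, new_totals = control_totals(old), control_totals(new)
    differences = {
        name: (old_totals[name], new_totals[name])
        for name in old_totals
        if old_totals[name] != new_totals[name]
    }
    old_codes = {record[0] for record in old}
    new_codes = {record[0] for record in new}
    return {
        "differences": differences,
        "missing_in_new": sorted(old_codes - new_codes),
        "unexpected_in_new": sorted(new_codes - old_codes),
        "exceptions": exception_report(new),
    }


if __name__ == "__main__":
    for key, value in reconcile(OLD_SYSTEM, NEW_SYSTEM).items():
        print(key, value)
```

Every entry in the result would go into the register of discrepancies for investigation and sign-off by the users.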

5.8.3 Access controls

One of the areas that in recent times has probably received the greatest media exposure is access controls and information security (or the lack thereof). Information has become one of a company’s greatest assets and must therefore be protected against unauthorised access and use by, for example, hackers. This could result not only in theft of or damage to company assets, but also in a loss of information, which could impact on the integrity of the system. With the advancement of technology, the focus has shifted from physically securing access to, for example, a company’s premises and physical assets, to securing information and data in the computer system.

Access controls are controls, physical or computerised, that are implemented to prevent unauthorised persons from gaining access, and also to limit the activities of authorised persons to authorised areas. When management implements access controls, they should attempt to use the least privilege principle, in terms of which personnel should be given access only to data and systems that are necessary for them to perform their duties properly. In today’s connected world, detecting unauthorised access has become as important as preventing unauthorised access.

In order to protect all the company’s assets, including information, a company should use a comprehensive strategy that follows a systematic process that prevents and detects unauthorised access. This starts by limiting access from the outside of the company and then works towards controlling access on the inside of the company. A company should therefore develop a comprehensive security management policy that documents the process used to identify security risks, allocates responsibility to employees to act in a security-conscious manner, and holds them accountable for their actions.
Physical access controls should be developed to control access from the outside into the company, using a walk-through methodology in which you imagine yourself walking through a company’s premises. The outside premises of the company should be secured, with limited access points. Inside the company, movement should be restricted between various areas within the company, and physical access to computers should be limited. Physical security measures should also be implemented around computers, files and any other relevant hardware. Physical access controls include locked gates and doors, security guards and cameras.

Should an unauthorised person nevertheless manage to gain physical access to a computer or gain electronic access via the internet or by other means, access should be limited by logical access controls. These are electronic measures such as usernames, passwords and advanced technologies such as encryption and firewalls. Logs and audit trails are good tools that can be used by management to identify unauthorised access, activities and use of computer resources.

Given the significance of the risks posed by unauthorised access, a company should implement a multi-level security strategy, comprising both preventative and detective controls, to prevent and detect unauthorised access.

5.8.3.1 Preventative controls

5.8.3.1.1 Security management policy

Management should drive a culture of security awareness. This can be achieved by implementing a risk management process in which a company continuously evaluates its processes in order to identify security risks and threats and then acts accordingly.
It is necessary to develop a security management policy that is widely distributed to all employees, who acknowledge that they have agreed to comply with the policy (by means of, for example, including a clause in an employee’s employment contract or having an employee indicate in a tick box that he or she agrees to the company’s internet policy before he or she can access the internet). The policy should be driven by principles (rather than details) and if these principles are not adhered to, appropriate action should be taken against guilty employees.

DID YOU KNOW?
The Protection of Personal Information Act 4 of 2013 makes it a legal requirement to report all incidents where personal information is compromised, and introduces civil as well as criminal liability for non-compliance.

5.8.3.1.2 Physical access controls

Every company’s IT department is structured differently, and, as discussed earlier in this chapter, the specific controls that are implemented depend on the needs of the company. This principle also holds true for access controls. If we use a company with a separate IT department and a server room as an example, this type of company should restrict physical access as follows:
• To the company’s premises;
• To the IT facilities/department;
• To any areas in the IT facilities that contain sensitive information or high-value hardware, such as a server room or backup facilities;
• To the use of computer terminals; and
• To any sensitive information such as important files, documents or programs.

Access to the premises and IT department

In order to limit access to its premises or within its premises, a company can use the following physical access controls:
• Restricting physical access and movement by means of high electrified fences around the company’s premises;
• Installing security gates and magnetic doors, which open by means of an electronic tag, pin pad or biometric identification (such as fingerprint or retina scanning) and which close after use;
• The presence of security guards at all entrances and exits, as well as at key security points inside the company’s premises at all times of the day. The number of potential entry and exit points should also be limited to a minimum;
• A process by which visitors must sign a register at reception or security before gaining access to the premises. They should also be clearly identifiable by displaying a visitor tag. If possible, special arrangements should be made for visitors so that they (1) are not able to visit the premises without a scheduled appointment, and (2) are not able to move around the premises unaccompanied;
• Doors should remain locked at all times and should only be opened by a special key, magnetic card or a biometric system;
• The premises should be monitored by closed-circuit TV monitors;
• Important hardware should be locked away in a dedicated room, cupboard or safe. This also applies to important documents, data and programs; and
• Physical logs or registers should be maintained of all visitors to the premises, as well as an electronic log of the movement of visitors and personnel within the company’s premises. These logs and registers should be frequently reviewed and any unusual movement or activities (such as frequent late-night access by a particular employee) should be investigated by a senior security member or a senior staff member of the IT department.

REFLECTION
Go to the computer laboratory that you use at your university.
As you walk to and enter the laboratory, what physical access controls to the premises can you identify?

Access to computer terminals

It is not always possible to limit computer terminals to a specific location in the company. Therefore, it is important to implement controls around terminals. In order to limit access to terminals, a company can use the following physical access controls:
• The computer terminal should preferably be located in an office or dedicated, lockable room with only one secure access point, or otherwise in a highly visible area away from general access. It is also important that all staff members should have a way of identifying themselves as being authorised to have access to computer resources or to move around the IT department (such as a photo identity staff card). Levels of authorisation and access could also be displayed.
• If practically possible, a member of management should supervise the activities on the computers.
• Access to computers should be limited to office hours, either physically, by locking the premises after hours, or electronically, by means of the job scheduling function in a computer package, which only allows an application to be opened during specific hours of the day. Any work performed after office hours should be authorised.
• Access to the computer can be limited using either a terminal lock or a biometric thumbprint scanner.
• The computer or any hardware should be securely fastened to the table or desk so that it cannot be stolen or removed. This can be done either by a cable (such as a Kensington lock) or by encasing it in a metal box mounted to the wall or floor.
• Logs or activity registers should be maintained of all work performed on the computer. These should be reviewed on a frequent basis and any unusual activity should be investigated.

Access to other sensitive information

Access to sensitive files, programs, documentation, and hardware devices should be limited by the implementation of the following physical access controls:
• Safely storing the devices in a separate place, either in a separate room or locked cupboard or safe; and
• Where sensitive files, programs, documentation and portable hardware devices are issued for use, the company should employ a data librarian whose job it is to keep track of the use of these items. This can be done by maintaining a register, which must be signed when an item is issued and returned.

5.8.3.1.3 Logical access controls

It is not always possible or practical to keep IT systems and data in isolation and away from physical contact and threats because computers are used in all aspects of companies’ operations and it would hinder operations if all physical access were restricted. Moreover, a company’s IT resources are threatened not only by physical threats, but also from electronic sources such as hackers, viruses and malware (also known as malicious software – software specifically written to damage computer systems). Another threat is authorised personnel performing unauthorised activities (such as an IT technician attempting to access the payroll system or a debtors clerk attempting to access bank accounts and cash).

Logical access controls are computerised access controls that are implemented within the system and which limit access to terminals, networks, data and functionality (read, write, delete and change). These controls are not initiated by a user, but are written into the computer system itself. Logical access controls assign proper access rights to personnel to ensure that only authorised personnel have access to terminals, networks, data and functionality on a least privilege basis (as explained earlier in this chapter).
Logical access controls electronically prevent unauthorised personnel from gaining access and help to detect unauthorised access where this has occurred. Logical access controls assist in the identification, authentication and authorisation of users and electronic devices and resources (such as computer terminals or other systems) that might request access to the system. Where logical access controls control access to the system as a whole, they are classified as general controls. Access controls that control access to specific application programs are classified as application controls.

Identification

Users requesting access to the computer system can be identified by means of, among other things:
• User identification number or username;
• Magnetic cards; and
• Biometric techniques, such as thumbprint or retina scans.

Electronic resources and devices requesting access to the computer system can be identified by means of, among other things, identification numbers or tag names, such as a computer’s terminal name, or an internet protocol (IP) address.

Authentication

For the above-mentioned identification mechanisms to work effectively, they should be linked to some mechanisms to authenticate (i.e. verify the identity of) the user or electronic resource or device requesting access to the system.
This is done by an access table which links each username or device identification number to some method of authentication, such as:
• A unique password (for sensitive transactions such as payments in excess of a particular amount, multiple passwords could be required);
• A specific question as defined by the user to which only that user would know the answer, such as the user’s favourite primary school teacher’s name or his or her pet’s birthday;
• An electronic key, magnetic card or USB device (called a dongle) that contains authentication-related information unique to the user;
• A physical attribute unique to the user such as a fingerprint or face scan; and
• An additional password sent to the user’s cellphone or email account to be entered once the account has activated to gain final access.
In order to limit the risk of automated breaches of the system by bots and to confirm that it is a human who logs into the system, an organisation could make use of picture mapping, where the user must either re-enter a combination of characters represented graphically or identify blocks in an image that meet pre-set criteria. If the username and the authentication provided do not match, the user is not granted access to the system.
The most common form of authentication is a password. For a password to be effective, it must meet the following minimum criteria and controls:
1. It must be unique to each user and should not be obvious or easy to guess.
2. It should remain confidential.
3. It should have a minimum length, for example, at least five characters.
4. The password should consist of a combination of letters, figures and symbols (%$#*&) and contain both upper and lower case letters.
5. New users should change their initial password the first time they log on to the system.
6. Passwords should be changed frequently, for example, once every three months, and may not be reused.
7. The password should not be displayed on the screen, printed in a report or maintained in a transaction log, and should rather be reflected as: ‘*****’. Users should also be prohibited from disclosing or sharing passwords.
8. Usernames and passwords should be disabled if someone resigns or moves to another department.
9. Electronic files in which passwords are stored by the system should be encrypted to prevent unauthorised access to password details.
10. The system should maintain an activity register that records the time when staff log on and off and the nature of the activities performed.
11. If a password is unsuccessfully entered, say three times, the user’s access should be blocked and only reinstated by management after a detailed investigation.
12. If the system is inactive for a predetermined period of time, the system should either log off the user or initiate a screensaver password.
13. If the system detects a breach in security, the system should automatically shut down and only be reactivated once the IT managers have investigated the breach.

REFLECTION
Have you changed your password for your Facebook or Twitter account recently? If so, what password controls were present?

Authorisation
Once the user or device is authenticated, access to the system (or parts thereof) and data files, as well as the functionality (read, write, delete or change) that the user has access to must be limited to those computer resources that are required for the user to perform his or her work. A package can use an access table to define the access rights of each staff level at both a systems level (general control) and to a particular application program (application control). Access rights are set up once a new user is added onto the system. Users could be granted general authorisation rights given to, for example, a category of staff relating to a category of transactions or functions.
A user might also require specific authorisation for higher risk transactions, which would require, for example, a second staff member to authorise a transaction.

5.8.3.2 Detective and corrective controls
5.8.3.2.1 Logs, activity registers and security violation reports
Logs, activity registers and security violation reports should be maintained in respect of, for example:
• All visitors to the premises, as well as an electronic log of the movement of personnel within the company’s premises;
• All sign-off and sign-on details;
• Changes to usernames and passwords; and
• Work performed on the computer, as well as use of equipment.
These logs, registers and reports should be reviewed by management on a regular basis and any unusual movement or activities should be investigated by a senior security member or a senior member of the IT department.

5.8.3.3 Other important security controls
5.8.3.3.1 Library function
A library function should be created in terms of which a designated employee, a data librarian, is made responsible for securing and managing data, files, documentation, programs and user rights. The data librarian maintains the library in a manner similar to the running of a public library. This function should not only address electronic data, files, documentation, programs and user rights, but also physical data, files, documentation and programs. A data librarian is the custodian of these data, files, documentation and programs and is responsible for maintaining records of the use of these assets, and for implementing security controls, thereby ensuring the integrity of the data, files, documentation and programs. The data librarian also limits the rights of and manner in which users use utility programs and gain administrator user access.
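The access table, password criteria, lockout and activity register described in sections 5.8.3.1.3 and 5.8.3.2.1 can be expressed in code as follows. This is an added example, not code from the book: the class and method names and the sample rights are assumptions, and a salted PBKDF2 hash is used to protect the stored password file in place of the encryption the text mentions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# The chapter's own example thresholds, kept as parameters.
MIN_LENGTH, MAX_FAILED_ATTEMPTS, MAX_PASSWORD_AGE = 5, 3, timedelta(days=90)


def meets_policy(password, username):
    """Criteria 1, 3 and 4: not the username, minimum length, mixed character classes."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return (len(password) >= MIN_LENGTH and password.lower() != username.lower()
            and all(any(t(c) for c in password) for t in tests))


def derive(password, salt):
    # Assumption: a salted one-way PBKDF2 hash protects the stored password file.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    rights: dict                      # resource -> set of read/write/delete/change
    salt: bytes = b""
    pw_hash: bytes = b""
    history: list = field(default_factory=list)   # every (salt, hash) ever used
    changed_at: datetime = None
    must_change: bool = True          # criterion 5: the initial password is temporary
    failed: int = 0
    locked: bool = False


class AccessTable:
    def __init__(self):
        self.accounts, self.sessions, self.register = {}, set(), []

    def _log(self, now, user, event):
        self.register.append((now, user, event))  # activity register; never holds passwords
        return event

    def _matches(self, acct, password):
        return hmac.compare_digest(derive(password, acct.salt), acct.pw_hash)

    def _store(self, acct, password, now):
        acct.salt = os.urandom(16)
        acct.pw_hash = derive(password, acct.salt)
        acct.history.append((acct.salt, acct.pw_hash))
        acct.changed_at = now

    def add_user(self, user, initial_password, rights, now):
        self.accounts[user] = Account(rights)
        self._store(self.accounts[user], initial_password, now)
        self._log(now, user, "created")

    def change_password(self, user, old, new, now):
        acct = self.accounts[user]
        reused = any(hmac.compare_digest(derive(new, s), h) for s, h in acct.history)
        if acct.locked or not self._matches(acct, old) or reused or not meets_policy(new, user):
            self._log(now, user, "password change rejected")
            return False
        self._store(acct, new, now)
        acct.must_change = False
        self._log(now, user, "password changed")
        return True

    def log_on(self, user, password, now):
        acct = self.accounts.get(user)
        if acct is None or acct.locked:
            return self._log(now, user, "refused")
        if not self._matches(acct, password):
            acct.failed += 1
            acct.locked = acct.failed >= MAX_FAILED_ATTEMPTS      # criterion 11
            return self._log(now, user, "locked" if acct.locked else "refused")
        acct.failed = 0
        if acct.must_change or now - acct.changed_at > MAX_PASSWORD_AGE:
            return self._log(now, user, "change_required")        # criteria 5 and 6
        self.sessions.add(user)
        return self._log(now, user, "ok")

    def authorised(self, user, resource, function, now):
        acct = self.accounts.get(user)
        ok = (user in self.sessions and acct is not None and not acct.locked
              and function in acct.rights.get(resource, set()))
        self._log(now, user, f"{'allowed' if ok else 'violation'}: {function} {resource}")
        return ok

    def reinstate(self, user, manager, now):
        # Only a logged-on manager holding the (assumed) access_table right lifts a lockout.
        if not self.authorised(manager, "access_table", "change", now):
            return False
        self.accounts[user].locked, self.accounts[user].failed = False, 0
        self._log(now, manager, f"reinstated {user}")
        return True

    def violation_report(self):
        flagged = ("refused", "locked", "violation", "password change rejected")
        return [e for e in self.register if e[2].startswith(flagged)]
```

The list returned by `violation_report()` is the extract that management would review under section 5.8.3.2.1.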
5.8.3.3.2 Data communication
When communicating information between two sources, electronic security measures such as the following should be in place:
• Encryption is software that converts or encodes data in code that cannot be read unless the necessary encryption key is available.
• Firewalls are software that restricts the inflow of information to, and outflow of information from, a computer system. A firewall is implemented between the computer and the internet connection and monitors the content of data transmitted between the computer and the recipient via the internet. Data considered suspicious may be rejected by the firewall. In most cases, the firewall is equipped with an antivirus program, as well as an antimalware program to detect unwanted intrusion.
• A call-back facility is an authentication mechanism. Once a valid device (for example computer or mobile device) has been identified, authenticated, authorised and connected to the computer system (for example, network or server), the system disconnects the device and reconnects with the device using an identification number (such as a dial-up phone number) stored on the computer system.
• Antivirus and malware programs are software that blocks viruses and malware from infecting a computer.
• Assurance logos are certification logos, such as ‘Thawte’ or ‘Webtrust’, that are displayed on a website showing that the company uses a reliable, trustworthy and well-known encryption or security system. This system gives a potential user assurance that he or she can transact safely and securely with the company. Companies can also engage independent security or IT consultants to perform tests and procedures on the integrity of the company’s website in an attempt to obtain credible certification and assurance to be displayed on the website.
The above-mentioned electronic security measures should be evaluated and updated on a frequent basis in order for them to remain current and reliable (e.g. the latest patches should be loaded as they become available).
South Africa has seen an increase in cyber attacks. These attacks have become more frequent as increasingly data is stored online and more devices are connected to the internet.

IN THE NEWS
Increase in cyber attacks
South Africa’s formal business sector and much of society are already highly dependent on digital platforms, with a strong emphasis on mobile technology, as is common in developing economies. According to computer forensics company Cyanre, the US Federal Bureau of Investigation (FBI) has ranked South Africa sixth and seventh on the cybercrime predator list in 2017, which means that there is an increasing incidence of fraud being perpetrated from the country. South Africa was the twenty-third highest attacked country in terms of hacking and cybercrime. The year 2017 was characterised by four main cyber-crime trends: massive malware attacks, attacks against crypto-currency exchanges, major data breaches and widespread use of hacking tools.
There have been a number of well-published cyber attacks. One example is phishing attacks. It is estimated that one out of 14 emails sent in South Africa is a scam, with 79% of all online phishing victims losing money. The estimated loss per incident in South Africa amounts to, on average, $476. While calculating the direct cost of a breach is difficult enough, it can also have indirect costs. Other examples include the WannaCry ransomware attack that affected at least 200 000 organisations globally, and NotPetya and Bad Rabbit. In these attacks, users’ access to their own data was restricted.
Major data breaches also occurred in 2017. LinkedIn, Dropbox and Yahoo were global victims. Locally, the personal records of around half the South African population were found on the Dark Web thanks to a hack of the Deeds Office and, in September, the South African branch of web hosting company Hetzner was hacked, compromising client data.
Cyber attacks, although illegal, can also facilitate social reform. Internationally, the Panama Papers leaked emails identified corrupt practices in the private and public sector, implicating well-known public figures. In South Africa, the Gupta email leaks disclosed public sector corruption and untoward personal relationships between public figures.

5.8.4 Business continuity controls
Business continuity controls ensure the continuity of processing (and operations). In other words, they either prevent system interruptions or they limit the impact of interruptions from acts of nature or damage caused by users. System interruptions may manifest themselves as physical damage to the computer system, such as water or fire damage, financial or information losses (e.g. from persons taking part in unauthorised activities and actions), or stoppage of operations due to faulty computer equipment. In order to limit the impact of interruptions on the business, a process should be implemented to assist a company to resume operations as quickly as possible, by means of the use of backup copies and a disaster recovery plan.

5.8.4.1 Preventative controls
Controls should be implemented to protect a company against non-physical dangers (such as unauthorised users) and physical dangers (such as natural and environmental hazards like water, fire, power interruption and wear and tear over time).

5.8.4.1.1 Non-physical dangers
As non-physical dangers relate to access to the computer system by (authorised or unauthorised) users, the controls to address these dangers are physical and logical access controls (refer to section 5.8.3).

5.8.4.1.2 Physical dangers
The following controls can be implemented to protect a company against the elements:
• Fire: Fire alarms, fire extinguishers and smoke detectors should be installed. CO2 fire extinguishers rather than water extinguishers should be used to avoid damage.
If possible, air conditioning should be used to keep temperature at a suitable level for the effective functioning of the computer hardware (i.e. preventing overheating).
• Construction and location: Before a computer facility is planned, consideration must be given to locating the facility away from obvious hazards, such as rivers, high traffic areas and production facilities. The building’s construction must be solid, also elevated if possible, and it must have durable fireproof walls and floors. Fire doors with automatic locks can also be used.
• Electricity: A mechanism should be installed to protect the company against power failures (such as continuous power supply, emergency generators and stand-by batteries), as well as power surges (such as surge protectors on all electronic equipment). Consideration should also be given to installing renewable energy supplies, such as solar panels.
• Water: Cables can be protected against water damage simply by situating them away from taps and water pipes. Special cable protection must, however, be implemented around important cables, such as main power cables and fibre optic cables.
• Environment: An environment should be created in the IT department that allows the computer hardware to operate at its optimal level. The computer area should not have windows that can be opened. The computer area should be climate controlled by means of air-conditioning and temperature control. It should also be kept neat, tidy and dust-free.
• Time: It is also important that regular maintenance is performed in order to reduce the chance of failure over time due to wear and tear.
• Theft: Unauthorised removal of IT infrastructure poses a significant risk to the continuation of an organisation’s business. Measures must be implemented to limit access.
5.8.4.2 Detective and corrective controls
In order to limit losses if business is interrupted, a company should have backup copies available and an emergency plan that can be executed during a disaster, as well as emergency recovery procedures to help it recommence operations soon after a disaster.

5.8.4.2.1 Backups
A business should maintain suitable backups of all source documents and records. Backups can take many forms, including having backup staff, using redundant or duplicate systems as backup processing facilities, saving data in multiple locations and making backup copies of data and programs. Backup copies of data and programs should be made frequently using the following guidelines:
• A formalised backup policy that states when and how backups are to be made must be in place.
• The policy should state which files should be backed up and it should include all operating and financial information necessary for a business to recommence operations should a disaster occur.
• Regular backups must be scheduled and made. At least three generations of backups should be maintained. This includes weekly backups of all data, monthly backups of all operational and financial files and quarterly backups of the entire system (including all devices).
• Backups should be stored in a secure location off-site, preferably in a fireproof facility. The viability of cloud services should also be considered.
• The backup copies must be tested frequently.
In today’s business environment, it is also possible to back up data and resources to a third party (also known as a service organisation, which is a company that specialises in rendering a backup service to its clients). This can, however, be costly. For smaller businesses, there are cost-effective backup alternatives available online, such as Dropbox.

5.8.4.2.2 Emergency recovery plan
Having backups is not sufficient if not supported by a comprehensive plan that outlines how a business should act during and after a disaster.
This plan should have the following characteristics:
• A written emergency recovery plan/strategy document should be in place, containing set procedures relating to the duties and responsibilities of each employee during a disaster, including break-ins. This emergency recovery plan/strategy document must be widely distributed.
• A list of data and program files that are key to the operations of the business and that have to be recovered in case of disaster must be prepared. This list highlights the data and programs that should be recovered first by staff during a disaster, as well as all the necessary documents that must be removed from the premises.
• An alternative processing facility should be in place at which the company’s core operations can continue to operate. An agreement should be concluded with, for example, a service organisation or trade partners that have backup facilities available.
• Provision should be made for testing the emergency recovery plan to identify weaknesses, to set out the responsibilities of the persons involved and to test their awareness of the plan.

5.8.4.2.3 Mitigating the impact
Not all companies can afford expensive backup facilities and have a comprehensive plan to continue operations after a disaster. Therefore, companies must ensure that they have sufficient and appropriate insurance cover in place that covers all pertinent risks, including losses of profits arising from a loss of business due to a disaster. A company should also avoid over-reliance on staff and should ensure that there are sufficient qualified staff members that can act as backup personnel. Refer to section 5.8.1.4 for a detailed discussion about personnel practices.

5.8.5 Operating controls and system maintenance controls
In order to ensure the smooth running of a company’s operations and that the computer system operates in a correct and consistent manner, it is necessary to implement operating controls and system maintenance controls.
Operating controls and system maintenance controls deal specifically with the technical manner in which the CIS operates, rather than with internal controls around information. They set standards on how to manage the IT resources by:
• Scheduling when production runs and processing take place to ensure IT resources are used effectively;
• Setting standards for the operating activities, maintenance and use of assets. This includes ensuring that the necessary computer checks and tests are in place (these are technical in nature and therefore fall outside the scope of this text);
• Ensuring that library controls are in place to keep track of and secure data, files, programs and documentation. The librarian is responsible for maintaining a sound management system for data, files, programs and documentation;
• Maintaining logs and activity registers of the use of software and hardware, as well as related problems (e.g. attempts at unauthorised access and virus infections), and review of these by management with follow-up if required; and
• Implementing policies about acceptable user behaviour and best practices to ensure the effective operations of the hardware and the software, such as policies regarding frequency of backups, disaster recovery procedures, personnel habits and reviews of logs and registers. These policies should also include the operating procedures of the IT department.
The IT manager should be responsible for formulating, setting up and implementing these standards. Given the technical knowledge required to set up and operate the operating and systems software and implement the controls, IT technicians are mainly responsible for implementing and maintaining these controls.

5.9 Which controls relate to the computerised processing of business transactions?
5.9.1 Background
An application is a program that performs a task for the user of the CIS.
Application controls are the manual controls (performed by humans) and automated controls (performed by the computer system) in a particular application (e.g. sales and debtors) through which a transaction is initiated, recorded, processed and reported. There are also application controls in the process by which changes are made to standing data used by the application. Specific internal application controls are in place over the use of a particular application to provide reasonable assurance that transactions have occurred, have been authorised (i.e. are valid transactions) and are recorded, processed and reported completely and accurately. They include controls over the maintenance of the relevant master file data.
The primary objective of application controls is to prevent, or detect and correct, misstatements from arising when a transaction is input to, or processed by, an application program or output is generated by the application. Application controls are implemented in respect of a specific computer program or system. These controls therefore impact on the various types of transactions handled by a specific computer application, program or system (such as sales, purchases or payroll). Application controls are implemented with respect to the capturing of information, recording of information, processing of data in the CIS and distributing the output.
Application controls can be implemented in the sequence in which a transaction is handled by the entity and its computer systems as depicted in Figure 5.9. The individual application controls in the various stages of processing of a transaction (namely input, processing, output and, where applicable, master file changes) are discussed in the following sections. It is easiest to understand when imagining yourself sitting in front of a computer processing data through the system.
The input of a transaction relates to the capturing or initiation thereof on a specific application such as Pastel or Peoplesoft.
This input could be through manual input of data by a user, for example, batch inputting of hard-copy documentation (e.g. orders); or point-of-sale data input (i.e. scanning of barcodes); or through an interface from another application, for example electronic data interchange. The input part of the transaction flow can be referred to as raw data.

Figure 5.9: Overview of the key components of application controls

Once the transaction has been input into the application, the application will process the transaction to ensure that the individual components of the transaction are recorded correctly into various files and databases, including the accounting records. Processing also includes calculations being performed on the transaction (e.g. where a transaction that includes VAT is processed, the processing could include automatically calculating the VAT). Processing therefore includes a number of functions performed automatically by the application based on preset commands. The complexity of the processing that occurs behind the scenes will depend on the company’s specific requirements, as well as the programming of the application being used. Once a transaction has been processed, the raw data is converted into information that the company can use.
The output of information is the final form in which data is used. The output of information can occur in numerous formats, depending on the purpose or use of the information. If the information is to be printed, this hard-copy document will be an output. However, the information could simply be viewed on the screen by a specific user – this on-screen viewing is also a form of output.
Where data of a semi-permanent nature (e.g. a debtor’s address or sales prices of inventory items) on the system is changed, master file changes are made.

5.9.2 Manual versus computer controls
Application controls consist of manual and computerised (automated) controls that integrate to form an important critical component of transaction processing.
Three types of controls exist:
• Independent manual controls consist of user controls that are performed independently of the operations of the computer system and are in no way dependent on information produced by the computer system. For example, authorisation of hard-copy purchase orders and maintaining custody over assets operate independently of the computer system.
• IT-dependent manual controls consist of user controls that are dependent on output produced by the computer system. An example is the review by a manager of an access log or a register extracted from the computer system.
• Programmed controls (also known as automated controls) are solely dependent on and performed by the computer system and operate without any human interaction. Examples include authentication tables granting access to the system, validation controls (such as sign tests and field length tests) in which the computer checks all data captured against preprogrammed criteria, and computer prompting.
Table 5.2 contains some basic examples comparing the controls in a manual environment to those in a computerised environment. Much more detail about how the manual control environment and the computerised environment interact appears in Chapters 6 to 10. Note that although the nature of the control activities in an IT environment differs from those in a manual environment, they strive to achieve the same control objectives set by management.

5.9.3 Overview of application controls
The following section gives a high-level overview of the elements that make up application controls. The sections take the approach of first highlighting the key areas that need to be addressed, followed by a more detailed discussion of the controls. Chapters 6 to 10 illustrate in detail the practical implementation of application controls relevant to each stage of the various business cycles.
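The programmed controls named in section 5.9.2 (sign tests, field length tests, prompting for missing data) can be combined with two of the automated checks that Table 5.2 gives as examples, the credit limit check against the debtors master file and the report of missing invoice numbers. The following is an added example, not code from the book; the master file contents, field names and debtor number format are constructed for illustration.

```python
from decimal import Decimal, InvalidOperation

# Constructed debtors master file (standing data): debtor number -> record.
DEBTORS_MASTER = {
    "D1001": {"credit_limit": Decimal("5000.00"), "balance": Decimal("4200.00")},
    "D1002": {"credit_limit": Decimal("10000.00"), "balance": Decimal("0.00")},
}
COMPULSORY = ("invoice_no", "debtor_no", "amount")
DEBTOR_NO_LENGTH = 5   # assumed format: "D" followed by four digits


def validate_sale(entry, master=DEBTORS_MASTER):
    """Return the error messages for one captured credit sale (empty list = accepted)."""
    errors = [f"{name}: compulsory field is empty" for name in COMPULSORY
              if not str(entry.get(name, "")).strip()]
    if errors:
        return errors                                   # prompt before testing further
    invoice_no = str(entry["invoice_no"]).strip()
    debtor_no = str(entry["debtor_no"]).strip()
    if not invoice_no.isdigit():
        errors.append("invoice_no: must be numeric")
    if len(debtor_no) != DEBTOR_NO_LENGTH:              # field length test
        errors.append("debtor_no: wrong field length")
    try:
        amount = Decimal(str(entry["amount"]).strip())
        if not amount.is_finite():
            raise InvalidOperation
    except InvalidOperation:
        return errors + ["amount: not numeric"]
    if amount <= 0:                                     # sign test
        errors.append("amount: must be positive")
    debtor = master.get(debtor_no)
    if debtor is None:                                  # validity against the master file
        errors.append("debtor_no: not on debtors master file")
    elif amount > 0 and debtor["balance"] + amount > debtor["credit_limit"]:
        errors.append("amount: exceeds available credit")   # implied authorisation
    return errors


def capture_batch(entries, master=DEBTORS_MASTER):
    """Validate a batch; rejected inputs go to an exception list for follow-up."""
    working = {no: dict(rec) for no, rec in master.items()}   # master file stays untouched
    accepted, exceptions, seen = [], [], set()
    for entry in entries:
        errors = validate_sale(entry, working)
        invoice_no = str(entry.get("invoice_no", "")).strip()
        if not errors and invoice_no in seen:
            errors.append("invoice_no: duplicate of an earlier entry")
        if errors:
            exceptions.append((entry, errors))
            continue
        seen.add(invoice_no)
        working[str(entry["debtor_no"]).strip()]["balance"] += Decimal(str(entry["amount"]).strip())
        accepted.append(entry)
    return accepted, exceptions


def missing_invoice_numbers(accepted):
    """Sequence check: invoice numbers absent between the lowest and highest accepted."""
    captured = {int(e["invoice_no"]) for e in accepted}
    if not captured:
        return []
    return [n for n in range(min(captured), max(captured) + 1) if n not in captured]


# Constructed batch of captured credit sales.
SAMPLE_BATCH = [
    {"invoice_no": "1001", "debtor_no": "D1001", "amount": "500.00"},
    {"invoice_no": "1002", "debtor_no": "D1001", "amount": "400.00"},
    {"invoice_no": "1004", "debtor_no": "D1002", "amount": "-50"},
    {"invoice_no": "1005", "debtor_no": "D100", "amount": "10"},
    {"invoice_no": "1001", "debtor_no": "D1002", "amount": "20"},
    {"invoice_no": "1006", "debtor_no": "", "amount": "20"},
    {"invoice_no": "1007", "debtor_no": "D1002", "amount": "75.50"},
]
```

Because rejected entries are left out of the accepted set, their invoice numbers appear in the missing-number report until they are corrected and re-entered.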
Before discussing input, processing, output and master file change controls, note again that application controls cannot be viewed in isolation from general controls, as application controls are dependent on general controls that provide the control environment within which they function.

5.9.3.1 Input controls
Input controls are designed to ensure that data entered and master file amendments captured are valid, accurate and complete. Input controls should be implemented to ensure that all transactions are recorded and are recorded correctly, and that transactions are neither duplicated nor fictitious/invalid transactions. Controls are also implemented to ensure that rejected inputs are identified, investigated and corrected or re-entered. If these objectives are not addressed, or the input process is not effectively managed, or the controls are not implemented effectively, it could result in, among other things:
• Unauthorised transactions being entered onto the system;
• Data already in the system being added to, deleted, or amended without authorisation;
• Errors occurring during the creation of data on the source document, or during the capturing of data onto the computer application;
• Further errors being made while correcting other errors;
• Errors previously made going uncorrected; and
• Data being lost during capturing or data not being captured at all.

Table 5.2: Comparison between control activities in manual and computerised environments

Record procedures
Manual environment: Multiple copies of preprinted, prenumbered documents are used (to record transactions, check details of the transactions etc.) to comply with acceptable documentation standards.
Computerised environment: Each manual document is replaced with a specific screen that contains the same data and is laid out in the same way as the manual document.
Manual environment: Manual comparisons are performed to confirm the correctness of the details on each document.
Computerised environment: The program makes the comparisons between the data captured and the information already stored in the computer’s memory. For example, data captured on the goods received screen can be matched to the stored data relating to the underlying order form, before allowing the user to save the data relating to the goods received.
Manual environment: Manual checks, such as number sequence checks on invoice numbers, are performed.
Computerised environment: Manual checks are replaced with automated checks that achieve the same objective, such as the computer generating a report of missing invoice numbers (to be investigated by a staff member).

Authorisation and approval
Manual environment: Approval of a transaction is granted by a senior staff member signing a document after having reviewed the supporting documentation (e.g. the financial manager signing a creditor invoice for processing after having reviewed the underlying goods received note evidencing the receipt of inventory from the creditor). This comparison is possible because a company uses multiple copies of documents that are distributed to various people and departments as the transaction progresses.
Computerised environment: An application is programmed not to proceed with a task or function if:
• Specific algorithms and conditions or preset parameters have not been met (implied authorisation). For example, credit sales cannot be made if a customer does not have a sufficient credit balance as shown on the debtors master file; or
• Approval has not been granted by a senior staff member by capturing some form of approval, such as a username and a password or pin (explicit authorisation).
If authorisation is dependent on other documents or details from another part of the transaction, the program can perform matching between the data on, for example, the details stored in memory relating to the captured goods received note with data captured from an invoice before allowing the invoice to be processed.

Segregation of duties
Manual environment: Incompatible functions are assigned to different personnel at each stage of the transaction flow. Employees only have access to documentation necessary for them to perform their jobs. Staff could also be segregated using physical barriers.
Computerised environment: The access rights an employee has are controlled and the functions limited that he or she can perform on the application according to the employee’s responsibilities. Access controls should be applied to the data underlying a transaction on a least-privilege basis.
Manual environment: Isolation of responsibility is achieved by making a specific employee responsible for a specific task or function and, after having completed the task or function, having the employee sign a document indicating that the task has been completed.
Computerised environment: Isolation of responsibility is achieved by giving each employee a unique username or magnetic card that identifies the employee. Logs, records or audit trails of the tasks or functions performed by employees are maintained of all employee activities, together with the related usernames. This is extracted and reviewed and any unusual activities that are not within normal responsibilities of employees are investigated.

Access control (including custody over assets)
Manual environment: Access is controlled by means of physical barriers such as closed doors and safes, and keeping assets and records under lock and key. Also refer to segregation of duties above.
Computerised environment: In a computer environment, physical access barriers and asset verification are still important. However, electronic access rights and logs provide additional security to prevent and detect unauthorised access to records. Also refer to segregation of duties above.

Reconciliations and independent review
Manual environment: Staff members perform comparisons between multiple sets of data, records, documents and physical assets.
Computerised environment: The computer automatically performs comparisons (or matching) between different fields of data sets contained in different master files and/or transaction files. Any exceptions are recorded in a log, which is reviewed and investigated by senior management. (Performing reconciliations is made easier in a computerised environment because of the availability and increased accessibility of financial and non-financial data in electronic format.)
Manual environment: Individual manual records are compared with physical assets.
Computerised environment: Reports of balances per the computerised system are compared with physical assets.

5.9.3.1.1 Recording of data
When recording data onto a computer (inputting), controls should be applied to the following:
• The person capturing the document or data and, if applicable, the hard-copy document that is captured onto the system;
• The computer screen that aids the person capturing the document (known as screen aids);
• Checking the validity, accuracy and completeness of the data that was captured by means of controls programmed into the software (known as logical programmed controls); and
• Management review of the data that was captured in order to identify and correct any errors timeously.
These input controls are explained in more detail in Table 5.3.

Table 5.3: Input controls

User-related controls²
Users should receive specific training on the functionalities of the programs that are necessary for them to perform their job function to reduce the number of errors.
Dedicated employees should perform specific job functions and act as capturing specialists (i.e. using data control groups).
For example, the debtors clerk is a specialist in capturing debtors transactions and the salaries clerk is a specialist capturer of time sheets. Performing repetitive tasks should mitigate the risk of error.
Employees responsible for capturing data should be held accountable. This is partly facilitated by implementing access controls and segregation of duties by setting up access profiles with each user receiving a unique username linked to an authentication mechanism such as a password (refer to section 5.8 for further details). In setting up a profile, each user’s access rights should be set up on an access table that contains the user’s rights to access programs and data and the functionalities he or she can perform. Segregation of duties could further be enforced by allocating override rights to a senior employee or through programming an approval matrix on the application that requires a transaction to be initiated by certain users and approved by a more senior user before processing can take place.

Documentation
In order to reduce the possibility of misstatements, it is necessary to ensure that the manual documentation complies with acceptable document standards and is well designed and easy to understand. Controls should also be in place over the custody of the documents (refer to Chapter 4, section 4.3.2.4). (Note that the validity, accuracy and completeness of the data on the hard-copy documents used as the basis for the input into the computer system is a prerequisite for the validity, accuracy and completeness of the input.)

Screen aids
Screen aids are all the features and procedures that are built into the program and are reflected on the screen to assist the user to capture data with the least amount of effort and lowest probability of error. When data is captured directly onto the application, the screen layout should assist in ensuring that the user inputs all data that is required.
If possible, the hard-copy document layout should appear similar to that of the screen. The screen layout should be standard and user friendly and require the minimum data to be captured by using, for example, dropdown menus or a look-up function. The ideal situation is that the majority of data be obtained from underlying master files, and the input of data should thus be restricted to the data (such as a debtor number) that would trigger the application to recall the underlying data (such as the full details of the debtor, credit limit and available credit). These full details would then be displayed on the screen for the user to confirm (also referred to as a data echo test or closed-loop verification).
The computer should prompt the user to enter data where data is missing. Prompting or computer dialogue could also be used to highlight errors. A user could also be prompted to confirm whether the details captured on the screen are correct after having visually verified the data or having compared it to a hard-copy document.
When capturing data, a user could further be directed by the use of compulsory fields, which require that a field must be completed before the program allows the user to continue capturing further data. This could include the situation where error messages occur should the compulsory field not be completed, or alternatively, the function to complete the transaction might be disabled until such time as these fields are completed. Furthermore, if a user is not authorised to perform a function, the button or tab on the screen triggering the function could be shaded and made inactive.

Logical programmed controls
Logical programmed controls are application controls that test the input of data against predetermined rules that are programmed into the computer package, with the purpose of validating the input.
A short description (including examples) of these types of logical controls (also known as validation tests) is as follows:
• Validity test: Confirms the data entered on the system against a database or master file to ensure the validity of data entered, e.g. a debtor account number is entered and is compared to the underlying debtor master file.
• Limit test (also known as a range check): Tests the data entered against a threshold or predetermined benchmark. For example, should a transaction to be captured cause the outstanding balance of the debtor to exceed his or her credit limit per the master file, a limit test will prompt an error message that could require further authorisation or override to be able to process the transaction.
• Related data test (matching): The control operates like the validity test. The computer matches one set of data captured to other related data. For example, if a company uses goods received notes (GRN) as well as invoices (INV), the system could match each INV number to a GRN number. Matching the INV to the open GRN would thus not require further authorisation. Once an INV has been matched to a GRN, no further INV can be matched to the same GRN.
• Field length test (also known as a size check): Places a specific limit on the number of characters that can be entered into a field. This ensures that the computer identifies data that is missing a digit or has had a digit added. For example, a field requiring a cell phone number would be 10 digits long whereas an ID number field would have a 13-character limit.
• Completeness test (also known as a mandatory field or missing data test): The completeness test requires that a field must be completed before being able to continue.
• Alphabetic/alphanumeric/numeric character tests: It is possible to set controls on a field whereby the type of characters entered will be restricted or the user prompted if incorrect characters are entered, thus either to allow only alphabetic characters or only numeric characters or a combination thereof. Examples are an ID number field that should contain only numeric characters, whereas a debtor number field might require a combination of letters and numbers (unique identifier) (for example RUDMAN003) to be captured.
• Reasonability/reasonableness test: A program could contain a number of logical tests against which an input can be tested. For example, a program can be set to keep record of all price discounts granted to clients that exceed 5% of the norm.
• Sign test: A sign test requires the field entered to be either positive or negative. For example, a program would report an error if a negative inventory quantity is entered.
• Check digit verifications: A check digit is automatically generated by the system and is added to the end of the code captured or used. The code and the check digit combination must match the result of an algorithm. It is used, for example, in identifying transposition of number errors.

Review, reporting and exception monitoring
On a periodic basis, a senior member of staff should extract logs, audit trails and registers from the computer to review activities and any unusual transactions. Any unusual items should be investigated and corrective action taken. Various reports can be extracted, such as:
• Logs and registers of all computer activity and transactions;
• Exception reports of activities that are outside the norm or exceed a predetermined benchmark;
• An audit trail, which shows the flow of financial information and controls, including listings of transactions and summaries;
• Control reports reflecting, for example, total amount invoiced for a particular period; and
• Error reports.
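The logical programmed controls (validation tests) listed in Table 5.3, as an added example that is not part of the textbook. The field names, the master file values, the sample sale and the use of the Luhn mod 10 algorithm for the check digit are assumptions made for illustration.

```python
import re

# Constructed debtors master file (illustrative values, not from the textbook).
DEBTOR_MASTER = {
    "RUDMAN003": {"credit_limit": 10000.00, "balance": 7500.00},
    "PENNIN001": {"credit_limit": 50000.00, "balance": 0.00},
}
REQUIRED = ("debtor_no", "cell_no", "quantity", "amount", "doc_code")

# Constructed capture that passes every test.
SAMPLE_SALE = {"debtor_no": "RUDMAN003", "cell_no": "0821234567",
               "quantity": 2, "amount": 1000.00, "doc_code": "79927398713"}


def luhn_check_digit(payload):
    """Check digit for a numeric payload, using Luhn mod 10 (assumed algorithm)."""
    total = 0
    for position, char in enumerate(reversed(payload)):
        digit = int(char)
        if position % 2 == 0:        # double every second digit from the right
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return str((10 - total % 10) % 10)


def validate_sale(rec):
    """Apply the input tests to one captured credit sale; return the failed tests."""
    missing = [f for f in REQUIRED
               if rec.get(f) is None or str(rec[f]).strip() == ""]
    if missing:                                      # completeness test
        return ["completeness:" + f for f in missing]
    errors = []
    if not re.fullmatch(r"[A-Z]+[0-9]+", rec["debtor_no"]):
        errors.append("character:debtor_no")         # letters followed by digits
    if not re.fullmatch(r"[0-9]+", rec["cell_no"]):
        errors.append("character:cell_no")           # numeric characters only
    if len(rec["cell_no"]) != 10:
        errors.append("field_length:cell_no")        # size check: exactly 10 digits
    if rec["quantity"] <= 0:
        errors.append("sign:quantity")               # sign test
    debtor = DEBTOR_MASTER.get(rec["debtor_no"])
    if debtor is None:
        errors.append("validity:debtor_no")          # not on the master file
    elif debtor["balance"] + rec["amount"] > debtor["credit_limit"]:
        errors.append("limit:credit_limit")          # needs authorisation or override
    code = rec["doc_code"]
    if not (re.fullmatch(r"[0-9]{2,}", code)
            and luhn_check_digit(code[:-1]) == code[-1]):
        errors.append("check_digit:doc_code")        # e.g. two digits transposed
    return errors


class GrnMatcher:
    """Related data test: an invoice must match an open GRN, and only once."""

    def __init__(self, open_grns):
        self.open_grns = set(open_grns)
        self.matched = {}                            # GRN number -> invoice number

    def match(self, inv_no, grn_no):
        """Return None when the match is accepted, otherwise the reason for rejection."""
        if grn_no in self.matched:
            return "related_data: %s already matched to %s" % (grn_no, self.matched[grn_no])
        if grn_no not in self.open_grns:
            return "related_data: %s is not an open GRN" % grn_no
        self.open_grns.remove(grn_no)
        self.matched[grn_no] = inv_no
        return None


if __name__ == "__main__":
    print(validate_sale(SAMPLE_SALE))
    print(validate_sale({**SAMPLE_SALE, "amount": 3000.00}))
    matcher = GrnMatcher(["GRN1001"])
    print(matcher.match("INV0001", "GRN1001"))
    print(matcher.match("INV0002", "GRN1001"))
```

Each failed test is returned by name, so rejected captures can be written to an error report or exception log for the review described above.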
Examples of reports specific to the various business cycles are contained in Chapters 6 to 10.

If a batch system (refer to section 5.6 regarding the differences between real-time and batch systems) is used during the capturing of data, the input controls discussed in Table 5.3 apply, but they have to be supplemented with additional controls over the batching process. These controls are discussed in Table 5.4. (Note that the controls contained in Table 5.4 do not necessarily follow the detailed sequence of events when recording batch transactions.) A company such as Ntsimbi Piping would probably use batch systems in its manufacturing operations.

Table 5.4: Additional batch input controls
CONTROLS

Input controls
Once the class of transactions has been recorded on hard-copy documents for a period of time (e.g. a day), a staff member should place the documents into manageable batches or bundles. Each batch must receive a unique bundle number. The staff member should review the sequential numbers of the documents and calculate various control totals (discussed below) before creating a batch. Thereafter, the batch can be captured, during which the input controls as discussed in Table 5.4 remain relevant.

Control totals
Once the documents have been grouped into batches, the following control totals should be calculated by the user:
• Financial totals, for example the total value of all sales transactions;
• Hash totals, for example the total of all the document numbers added together; and
• Record counts, for example the number of documents included in the batch.
These control totals should be entered onto the computer which will compare the totals that were entered with the totals calculated by the system after input. The program should only authorise the transaction file for processing if the control totals agree.

Batch control
Once the batch has been prepared and control totals sheets calculated, a batch control sheet, attached to the batch, is prepared.
It should contain at a minimum the following data:
• A unique batch number;
• All calculated control totals; and
• A description of the transaction and related details.
The batch control sheet should also comply with the acceptable document standards contained in Chapter 4, section 4.3.2.4. A second staff member should review the batch and recalculate the totals and sign the batch control sheet as proof that the controls have been performed. He or she should also review the batch to ensure that it contains transactions for only the period specified on the batch control sheet. After capturing of the batch, the computer should print a batch control report as proof that the totals have been compared. This is filed with the batch control sheet.

Batch register
A batch register should be maintained that contains information on the batch (as shown on the control sheet) and tracks the movement of the batch documents to be processed. As the batches are handed to the data capturer by the preparer of the batch, they must be recorded in a batch register, which must be initialled by the person taking responsibility for the batch (to isolate responsibility for the batch).
A report with rejected transactions and errors should be generated and reviewed. If necessary, errors should be investigated and corrected.

5.9.3.1.2 Error correction process
Should an error have occurred, a process should be in place to highlight the error and correct it. Depending on the cause of the error, a different process should be followed to correct the error:
• Error made while capturing data: As soon as a capturing error is detected by the logical programmed controls, the entire transaction and related data must be rejected by the computer and an error message displayed on the screen. Ordinarily, immediate correction of the errors must be required. In other words, no further inputting must be allowed until the error has been corrected.
However, if a requirement for immediate correction is not feasible, a register of errors that have not been corrected immediately must be maintained and investigated by management. Capturing errors that appear to exceed limits or job authorisation levels should require an investigation to determine whether the error is a genuine error or possibly indicative of fraud. Before any correction can be made, a high-level password is required.
• Error identified on the original source document: When an error is identified on the source document while it is being captured, the system must delete the rejected transaction (i.e. the data relating to the document already captured) and transfer it to an error suspense/temporary file. An electronic report of all rejected transactions (together with the input control report) must be generated by the computer. After the computer-generated reports have been investigated, the person who captures the entries must:
  • Investigate all rejected transactions and send the source document back to the person who prepared it for correction of the error. (If required, the necessary authorisation should be obtained);
  • Ensure that the returned documents are recorded in the error register; and
  • Take the rejected transactions into consideration for reconciliation of control totals.
  After the source document has been corrected by the user, the document should be returned to the person who captures the documents (i.e. capturer). The capturer makes the necessary corrections on the document contained in the error suspense file. The corrected document is then re-entered and must again be subjected to relevant input controls. The error suspense file must be reviewed by management on a regular basis to ensure that errors are investigated and corrected on a timely basis.
• Control total on batch control sheet differs from control total calculated by the computer (evidenced on the batch control report): You will recall from Table 5.4 that the computer system should not process the transaction file to which the data capturing took place if the control totals do not agree. This indicates that one or more of the transactions were captured incorrectly by the data capturer. The data capturer has to review each transaction captured to the transaction file (either on-screen or by printing the transaction file) to identify the transaction(s) incorrectly captured and correct them. Once they have been corrected, a new batch control report is printed. The control totals on this report should now agree with those on the batch control sheet.

5.9.3.2 Processing controls
Processing occurs when the computer system processes (i.e. performs actions on) information in the computer package or system. In layman’s terms, this happens when the computer package is ‘thinking’, storing data, and recalculating data. Processing occurs in the computer with little or no user interaction. Logical processing controls are designed to ensure the integrity of data when it is being processed. Examples of processing include saving a document, updating a master file from other transaction files³ and generating a report using data from various files in the computer.
If processing is not managed effectively, or if the controls are not implemented effectively, it could result in:
• Data being lost, corrupted or inadvertently changed during processing;
• Existing data being duplicated;
• Invalid data being added during processing;
• Calculation or accounting errors occurring;
• Logical and rounding errors occurring; or
• The incorrect version of the program or data file being used.

REFLECTION
Can you think of the types of controls that should address these risks?
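The batch control totals of Table 5.4 and the mismatch case in section 5.9.3.1.2, as an added example that is not part of the textbook. The batch, its amounts (in cents) and the first document number recorded on the control sheet are constructed assumptions; the divisible-by-9 hint for transposed digits is a general bookkeeping heuristic, not a control the text describes.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class BatchControlSheet:
    batch_no: str
    first_doc_no: int      # assumed to be recorded under "related details"
    financial_total: int   # total value of all documents in the batch, in cents
    hash_total: int        # all document numbers added together
    record_count: int      # number of documents in the batch


# Constructed hard-copy documents of one day's sales (amounts in cents).
SOURCE_DOCS = [
    {"doc_no": 5001, "amount": 120000},
    {"doc_no": 5002, "amount": 45050},
    {"doc_no": 5003, "amount": 9900},
    {"doc_no": 5004, "amount": 230000},
    {"doc_no": 5005, "amount": 7575},
]
# Totals calculated by the preparer and recalculated by a second staff member.
SHEET = BatchControlSheet("B-001", 5001, 412525, 25015, 5)


def compute_totals(captured):
    """Control totals the system calculates from the captured transaction file."""
    return {
        "financial_total": sum(t["amount"] for t in captured),
        "hash_total": sum(t["doc_no"] for t in captured),
        "record_count": len(captured),
    }


def reconcile_batch(sheet, captured):
    """Compare the batch control sheet with the captured file.

    The file is authorised for processing only when all control totals agree;
    the other fields help the data capturer find the incorrect transaction.
    """
    computed = compute_totals(captured)
    mismatched = [name for name, value in computed.items()
                  if value != getattr(sheet, name)]
    expected = range(sheet.first_doc_no, sheet.first_doc_no + sheet.record_count)
    seen = Counter(t["doc_no"] for t in captured)
    fin_diff = computed["financial_total"] - sheet.financial_total
    return {
        "authorised": not mismatched,
        "mismatched": mismatched,
        "missing_docs": [n for n in expected if n not in seen],
        "duplicate_docs": sorted(n for n, count in seen.items() if count > 1),
        "unexpected_docs": sorted(n for n in seen if n not in expected),
        # Swapping two adjacent digits changes a number by a multiple of 9.
        "possible_transposition": fin_diff != 0 and fin_diff % 9 == 0,
    }


if __name__ == "__main__":
    # Document 5003 was skipped and document 5004 captured twice, so the
    # record count still agrees but the hash and financial totals do not.
    captured = [t for t in SOURCE_DOCS if t["doc_no"] != 5003] + [SOURCE_DOCS[3]]
    for key, value in reconcile_batch(SHEET, captured).items():
        print(key, value)
```

The demonstration case shows why a record count alone is not sufficient: a skipped document and a duplicated one cancel out in the count and are only exposed by the hash total and the sequence review.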
Controls have to be implemented over the following:
• Access to the programs and the data stored on the computer system;
• Assigning responsibility for processing, file management and maintenance;
• Ensuring the validity of the programs and the files being used before processing can take place;
• Control totals being calculated and control reports generated and checked;
• Actively testing and identifying data and processing errors while transactions are being processed; and
• Maintenance, review and investigation of audit trails and reports.
These are further discussed in Table 5.5.

Table 5.5: Controls over the processing of data in a computer system
CONTROLS

User-related controls⁴
The user-related controls were discussed in section 5.9.3.1, particularly those relating to access and isolation of responsibility.

Correct program and file
Before processing can commence, a backup should be made of the data. A data librarian (refer to section 5.8.3.3) should be appointed to ensure that the correct version of the program and data files are used. The risk of using incorrect or old data can be mitigated by having clear internal naming of files (for example payroll 31_Jan_12.xls; price data v1_8.doc), as well as by means of using external labels on files. It is also advisable to have a processing schedule or register linking each production run with a specific date and time. The librarian can then record file names next to the appropriate date in the register.

Computer control totals and reports
Various control totals (similar to batch totals discussed in Table 5.4) must be calculated while preparing the data. These should be reconciled to control totals calculated automatically by the computer after the data has been processed.
The three most notable types of control totals are:
• Financial fields, which sum all financial data, such as total amount invoiced;
• Hash totals, which sum the total of any field that contains numeric values such as debtors account numbers, reference numbers and cell phone numbers; and
• Record counts, which count the number of data items, such as number of invoices.
The control totals of the master file, which must be updated with the transaction data on an independent transaction file, must be compared with the updated total of the (actual) master file. Differences must be investigated. This is known as file balancing or shadow balancing. A variation on this is run-to-run totals, which can be calculated and reviewed by the system itself.
The console log of processing (automatically updated by system) and other control reports must be reviewed on a regular basis to identify any errors. Any unusual items/errors should be investigated.

Controls during processing
Various controls should be programmed into the computer program. These program controls should detect any missing transactions or data by performing:
• A file sequence investigation, where the program investigates whether the first transaction’s reference number in the current transaction file follows on the last transaction’s reference number in the previous transaction file; and
• A completeness test during the processing of data to identify missing reference numbers.
Other programmed validation tests must be performed by the system to detect data errors (for example sequence tests, matching tests and record comparison tests) and processing errors (for example, validation tests, mathematical accuracy tests or reasonableness tests) and exception reports generated and investigated.

Review, reporting and exception monitoring
These controls were discussed in section 5.9.3.1.1.

Error correction process
These controls were discussed in section 5.9.3.1.2.

5.9.3.3 Output controls
Output refers to the distribution of data from where it is stored in one location to where it is viewed or restored in an electronic format to be viewed. Examples include a hard-copy document, email format or a display of information on a screen. Output is a product of the processing activities. The objective of output controls is to ensure output is valid and prepared accurately and completely, irrespective of the nature of the output, is in an appropriate format and is only distributed to specific authorised persons.
If the process around output is not managed effectively or if the controls are not implemented effectively, it could result in:
• Output being distributed to unauthorised persons;
• Output being incomplete or inaccurate, which can result in incorrect management decisions; or
• Output not agreeing with the underlying data from the system.
When implementing controls over output, it is important to note that irrespective of the nature of the output, the entire distribution process from when the output process is started until it reaches its intended user must be controlled. At each stage of the distribution process, it is important to implement controls that ensure that the output contains information that is valid, accurate and complete. Such controls have to be implemented over the following:
• Limiting access to the output. Responsibility should be assigned for distribution of the output from where it is generated;
• Ensuring the content of the output is appropriate and correct;
• The (1) generation of output; (2) distribution of output and (3) receipt of output; and
• Review of the distributed output and the distribution process.
These are further discussed in Table 5.6.

REFLECTION
Can you list the controls that should be in place to secure a memory stick with confidential information?
5.9.3.4 Master file change controls
As mentioned earlier in this chapter, a master file contains standing data that is frequently used by the accounting package, but need not be changed frequently. Master file changes are where the master file or standing data is changed, updated or added to the system. For example, a debtors master file has to be updated when a client updates his or her home address or telephone number, and the price master file is changed when the new authorised price list is loaded onto the computer system. In general terms, master file amendments are initiated by a user or the instruction arises from an external source. This is distinct from processing, where the computer updates the data from transaction files to a master file, which is subject to processing controls (discussed in section 5.9.3.2), but not to master file change controls.
Master file changes tend to happen less frequently, tend to be high risk because the data being changed may be re-used in various calculations, and do not occur during the normal business operating cycles. Master file data (such as debtors’ details and price lists) is often captured once into a program and then re-used by various programs and applications when transactions are captured or being processed. For example, when a program calculates the total cost of an inventory item being purchased, it multiplies the quantity captured by the user with the selling price from the price list master file. As a consequence, a data error in the master file could have a significant impact on an accounting system, because one error will influence all transactions that rely on that master file. Therefore, controls over approving master file amendments and the review performed after an amendment has been processed are paramount. Controls over master file amendments also rely heavily on input controls.
If the master file amendment process is not managed effectively or if the controls are not implemented effectively, it could result in:
• Unauthorised amendments;
• Not all authorised amendments being updated on master files;
• Errors in capturing amendments, which result in all financial information that is dependent on the master file being processed incorrectly; and
• Errors contained in the master file data going undetected.

Table 5.6: Controls over the distribution of information, documentation and output generated from a computer system
CONTROLS

User-related controls⁵
The user-related controls were discussed in section 5.9.3.1. Access controls should, however, not only be over the device producing the output (such as the printer or the screen), but also over the output itself (for example, reports should be marked confidential and placed in a sealed envelope; confidential emails should be encrypted).

Controls over the distribution of output
There should be a clear, written policy in the entity on how each type of output and confidential information should be treated. The policy should be distributed to all departments and each department should be made responsible for developing a procedure for all confidential output of the specific department, stating which output may be distributed, to whom, when, how and in which format or medium. The policy should address how outputs should be treated at the following stages:
• At generation;
• During distribution;
• On receipt; and
• After use.
Depending on the nature and content of the output, a dedicated person should be appointed to accept responsibility for the distribution of output. Control should be maintained over who the intended recipients of the output are and who is authorised to receive the output. The names of these persons should be documented in a register, either manual or electronic.
If the output is paper based, a manual distribution register could be maintained, whereas if the output is electronic, access to the output can be restricted using authorisation matrices. Should the recipient receive the output or review the contents, they should give an indication that they have received or reviewed the output. A senior person should regularly review the distribution register to detect any unauthorised distribution of outputs.

Controls applicable when receiving output
On receipt of output, irrespective of whether the output is electronic or manual, the recipient should:
• Reconcile the input to the output, as well as major control totals (if possible);
• Perform an output count and review the number sequence of the reports;
• Check the page numbers;
• Match the content of the report with the table of contents and the cover page; and
• Check that blank pages contain words such as ‘empty page’ and that the end of the report contains words such as ‘end of report’.
There should be fixed procedures to prevent unauthorised persons obtaining outputs after their intended use. Confidential output should, for example, be locked away in a cupboard or shredded after use.

Review, reporting and exception monitoring
These controls were discussed in section 5.9.3.1.1. An additional control is that management reviews the distribution register.

Error correction process
These controls were discussed in section 5.9.3.1.2.

In order to mitigate these and other risks, controls need to be implemented over the following:
• The person who is authorised to make amendments and the allocation of responsibility for checking/authorising the amendments to particular staff;
• Documenting and recording requests for master file amendments (master file amendment form);
• Capturing of the master file amendment; and
• Review of logs and registers to confirm the validity, accuracy and completeness of the master file amendment and its impact on the accounting records and financial data.
These are further discussed in Table 5.7.

Table 5.7: Controls implemented over changes to master file information
CONTROLS

User-related controls⁶
The user-related controls were discussed in section 5.9.3.1, particularly those relating to including an additional level of authorisation either manually or electronically. Approval for master file amendments should be granted by a senior member of staff and only specific, designated staff members should be given the access rights to update master file information. Any changes that could have a fundamental impact on the financial records should only be allowed to be made on a designated computer. If practically possible, backups should be made of the master file information before changes are made.

Request forms
All master file amendment requests should be documented on a hard-copy master file change request form. This form should meet the acceptable document standards discussed in Chapter 4, section 4.3.2.4. A senior member of staff should approve the master file change electronically and manually.

Input controls
The capturing of master file changes should be viewed in a similar light to any other capturing of data. Therefore, all the input controls that were discussed in section 5.9.3.1.1 are applicable.

Review, reporting and exception monitoring of logs and registers, and financial data
These controls were discussed in section 5.9.3.1.1 (Table 5.4 in particular). Given the significant impact that an incorrect change to the master file could have, particular consideration should be given to the types of logs and registers that have to be maintained, as well as the checks that are performed after the master file amendment has been made.
Each request logged should be recorded in a master file amendment request register. This register could be either manual or electronic. It should regularly be reconciled with the automated register of completed requests.
Only read-only rights should be granted to the master file changes register and these rights must be restricted to management and senior staff. Both these registers must be reviewed by a responsible senior staff member on a regular basis to ensure that:
• All changes are supported by an authorised request form;
• Changes inputted agree with the request form;
• Only authorised staff members capture the master file changes; and
• There are no long-outstanding requests not dealt with to date.
In order to identify any obvious errors made during the capturing of master file amendments, or any unauthorised changes made, a senior member of staff should on a regular basis:
• Review the relevant master file. If practically possible, a senior staff member should also compare the master file information to the master file amendment request form; and
• Reconcile the total on the relevant master file (e.g. debtors master file) to the balance of the relevant control account (e.g. debtors control account) in the general ledger.

5.9.3.5 Other controls
Although there are also various specialised application controls that can be implemented, they fall outside the scope of the undergraduate audience for whom this text is intended. However, one specialised type of technology control that does deserve to be mentioned is data communication control. Data communication relates to the transmission of data from a sender to a receiver in electronic form. Irrespective of the method used to transmit data, be it via fixed line, wireless (Wi-Fi and Bluetooth), 3G or other methods, such as a virtual private network (refer to section 5.1), the same principles apply.
When communicating data, control is achieved by:
• Using controls similar to processing controls that check the validity, accuracy and completeness of the data being transferred;
• Implementing specialised software, such as encryption, firewalls and anti-malware programs;
• Implementing specialised communication management software that manages the communication between the sender and the receiver, limits access and manages the communication network;
• As far as practically possible, using physical cable protection to ensure the lines are not tampered with; and
• Using advanced communication technologies such as setting up a virtual private network (refer to section 5.1).

5.10 How are controls identified in advanced technologies?
The controls that should be implemented over the various stages of the transaction flows were discussed in general terms in the previous sections. These controls remain relevant when advanced technologies are considered. All technologies, irrespective of their nature, are made up of different combinations of input, processing, output, master file change and communication controls. The specific type of technology that achieves the principle behind the control might change, but the substance of the control remains the same. For example, a company transacting over the internet might use Internet Protocol Security (IPSec) while another might use Secure Shell (SSH), but both of these are forms of encryption. These and other specific controls are of a technical nature and fall outside the scope of this textbook. Google these advanced technologies.
The following process can be followed when implementing or evaluating controls over any form of technology:
• Obtain an understanding of the technologies being considered or used.
• Use understanding of the technologies and control objectives to identify relevant risks.
• Identify and evaluate adequacy of existing controls already in place.
• Break the technology down into its components, for example security, custody, input, processing, logs and reviews, as well as programmed controls.
• Map actual components of technologies against the theoretical controls that should underlie these components.
• Evaluate the impact of the existing controls and the risks identified on the business.
• Select suitable controls to mitigate the remaining risks to an acceptable level.
The majority, if not all, of the key controls can be identified using this process. This is shown below by way of two examples.

5.10.1 Electronic commerce, electronic funds transfers and other data communication
Electronic commerce is the process of buying and selling products or services over the internet or another electronic platform. Online trading in South Africa is governed by the Electronic Communications and Transactions Act 25 of 2002. In conducting business over the internet, a company can use networks or electronic data interchange services. The biggest risks relate to authenticating users (thereby avoiding later repudiation of transactions), the correct and accurate capturing of data on the internet or system, and the communication between the internet service provider and the company.
In order to address these significant potential risks, controls have to be implemented over the following:
• Capturing data: Input controls;
• Restricting and authenticating the user: Access controls around the application being used and during the transmission of data, and authentication controls around the identity of the user (note that high-risk transactions, such as credit card transactions, would require special authorisation and authentication controls);
• Transfer of data over the internet: Communication controls using controls similar to those of processing controls implemented over the transfer of data and encryption;
• Policies and procedures: Controls over legal matters relating to ownership and privacy;
• Continuity: If a service organisation is used, ensuring that the service organisation implements the same controls as it would implement for its own data in terms of storage, system development, and so on;
• Logs and reviews: Extracting and reviewing available computer logs, registers and reports and investigating unusual items; and
• Other specialised controls: Such as assurance logos.

Controls can be identified in any advanced technology by simply identifying detailed controls underlying the areas listed above. The appendix to this chapter shows how following the process described in section 5.10 and the areas listed above can assist in identifying controls in an electronic funds transfer system.

5.10.2 Service organisations, outsourcing and data warehousing

Outsourcing is where a function that is normally performed by a company (e.g. preparation of payroll) is outsourced to another (third party) company. Data warehousing is where a company’s data is stored on another company’s server for a monthly fee. The newest form of this technology is called software as a service.
The most important issues to address are how information or data is going to be transferred to and from the service organisation, how the data is secured and protected by the service organisation, data ownership issues (since the data is stored on a third party’s infrastructure) and protecting the company against potential losses:
• Restricting and authenticating the user: Access controls at general and application controls level at the third party and during the transmission of data;
• Transfer of data: Communication controls using controls similar to those of processing controls implemented over the transfer of data and encryption;
• Protecting company against losses: Controls to ensure continuity of operations;
• Policies and procedures: Controls over legal issues relating to ownership and privacy;
• Continuity: A service organisation should implement the same controls as an entity would implement around its own data in terms of storage, system development, and so on. This can be achieved by concluding a service level agreement between the entity and the service organisation and ongoing monitoring of the effectiveness of the controls. The ongoing monitoring can be achieved by considering, and if appropriate, placing reliance on the assurance report issued by the service organisation’s auditor. ISAE 3402 sets out the process that an auditor should follow to obtain reasonable assurance about the operating effectiveness of the controls at a service organisation. However, a discussion of this standard falls outside the scope of this text;
• Logs and reviews: Reviewing available computer logs, registers and reports and investigating unusual items; and
• Other specialised controls: Such as assurance logos.

REFLECTION
Can you identify the controls required should ‘Dropbox’ be used by an entity to store data?
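As an illustration of the communication controls listed above (processing-type checks over the transferred data, combined with a cryptographic control), the following Python example is added here and is not from the textbook: it attaches a record count, control total and hash total to a batch before transfer and verifies them on receipt. It uses an HMAC for integrity rather than encryption (confidentiality would be layered on separately), and the field names, key and records are constructed for the example.

```python
import copy
import hashlib
import hmac
import json
from decimal import Decimal

# Constructed demonstration key; a real key is agreed out of band and kept secret.
SHARED_KEY = b"constructed-demo-key"

# Constructed sample records (account numbers, payees and amounts are made up).
SAMPLE_RECORDS = [
    {"account": "1002003001", "payee": "Supplier A", "amount": "1500.00"},
    {"account": "1002003002", "payee": "Supplier B", "amount": "2750.50"},
    {"account": "1002003003", "payee": "Supplier C", "amount": "500.00"},
]


def _totals(records):
    """Batch controls: record count, financial control total, hash total."""
    return {
        "record_count": len(records),
        "control_total": str(sum(Decimal(r["amount"]) for r in records)),
        # Hash total: sum of a non-financial field, meaningful only as a check.
        "hash_total": sum(int(r["account"]) for r in records),
    }


def _mac(header, records, key):
    """HMAC-SHA256 over a deterministic serialisation of header and records."""
    payload = json.dumps({"header": header, "records": records},
                         sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def build_batch(records, key=SHARED_KEY):
    """Sender side: compute the batch controls and authenticate the whole batch."""
    records = copy.deepcopy(records)
    header = _totals(records)
    return {"header": header, "records": records, "mac": _mac(header, records, key)}


def verify_batch(batch, key=SHARED_KEY):
    """Receiver side: return the names of failed controls (empty list = accept)."""
    failures = []
    header, records = batch["header"], batch["records"]
    if not hmac.compare_digest(_mac(header, records, key), batch.get("mac", "")):
        failures.append("mac")
    actual = _totals(records)
    for field in ("record_count", "control_total", "hash_total"):
        if str(header.get(field)) != str(actual[field]):
            failures.append(field)
    return failures


def demo():
    """Run three constructed scenarios and return the failed controls for each."""
    clean = build_batch(SAMPLE_RECORDS)

    # Two account numbers changed by +1 and -1 in transit: the count and both
    # totals still agree, so only the MAC reveals the change.
    offsetting = copy.deepcopy(clean)
    first, last = offsetting["records"][0], offsetting["records"][-1]
    first["account"] = str(int(first["account"]) + 1)
    last["account"] = str(int(last["account"]) - 1)

    # A record lost in transit: every control fails.
    dropped = copy.deepcopy(clean)
    dropped["records"].pop()

    return {
        "clean": verify_batch(clean),
        "offsetting_edit": verify_batch(offsetting),
        "dropped_record": verify_batch(dropped),
    }


if __name__ == "__main__":
    for scenario, failed in demo().items():
        print(scenario, failed or "accepted")
```

The offsetting case is why totals alone are treated as completeness and accuracy checks against error, while a keyed check is needed against deliberate alteration.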
In designing a system of internal control, it is necessary to understand the technology and the related risks and to bear in mind that although the technology might change, the controls and principles do not.

Assessment questions

For questions 1 to 5, indicate whether the statement is true or false:
1. The board of directors can fully delegate their responsibility for implementing internal controls to the chief information system officer. (LO 1)
2. A financial information system is able to operate effectively without appropriate control activities being present. (LO 2)
3. Application controls have an impact on general controls. (LO 4)
4. Processing controls are implemented over the process in which data is stored, transferred and updated to the master file at the end of the processing run. (LO 6)
5. It is important that operating controls and system maintenance controls are correctly set up. (LO 6)

For questions 6 to 8, select the correct answer: (Only one answer is possible.)
6. If processing of data is not managed effectively or if the controls are not implemented effectively when data is being processed, it could result in: (LO 5)
a) Data being lost, corrupted or changed during processing or duplicated
b) Invalid data being added during processing
c) Calculation or accounting errors, including logical and rounding errors being avoided
d) All of the above
7. When a file is busy downloading, it is considered: (LO 6)
a) Input
b) Processing
c) Output
d) Master file change
8. Which of the following is not considered to be one of the steps in the process that can be followed when implementing or evaluating controls: (LO 7)
a) Use understanding of the technology and control objectives to identify relevant risks.
b) Identify and evaluate adequacy of controls already in place in the system.
c) Map actual components of technologies against the theoretical controls that should underlie these components.
d) Evaluate the impact of the existing controls and the risks identified on the financial statements.
e) Select suitable controls to mitigate the remaining risks to an acceptable level.
9. Explain why it is important to govern information technology. (LO 1)
10. Explain how the control environment changes with the introduction of a computer. (LO 2)
11. Explain the difference between system development and program change. (LO 3)
12. Discuss how the concept of authorisation changes in a computerised environment. (LO 3)
13. Which is more important: general controls or application controls? (LO 4)
14. Describe the potential consequences to an entity of not planning the implementation of a new computer package properly. (LO 5)
15. Explain why it is important to differentiate between general and application controls. (LO 6)
16. Describe the access controls that you would implement around a point-of-sale cash point in a restaurant. (LO 7)
17. Describe the key input controls you would implement around a computerised cash register. (LO 7)
18. Describe how you would protect yourself against having your identity stolen in situations where your personal data may be accessible via the internet. (LO 7)

Appendix: Electronic Funds Transfer Controls

This appendix uses electronic funds transfers to illustrate how controls can be designed for an advanced technology using the steps outlined in section 5.10 of this chapter.

Step 1: Obtain an understanding of technology

Electronic funds transfer (EFT) is a system that is used to transfer money electronically from a company’s bank account to make direct payments to parties that can include suppliers and employees (where salaries or wages are paid in this way). The controls relating to electronic funds transfer payments differ among banks and depend on the controls implemented by the bank and written into the EFT software.
However, irrespective of the specific controls, they address the same risks (and therefore control objectives) and contain the same principles. EFT payments can be made via a web interface or by using a custom-written program supplied and installed by the bank. The transfer of funds is effected by a direct transfer from the paying company’s terminal or by means of a data file that is sent from the paying company’s terminal to the bank, which then makes the payment. Controls have to be implemented in relation to the loading of beneficiaries and the making of payments. The same controls are applicable irrespective of the nature of the payment.

Step 2: Use understanding of the technology and control objectives to identify relevant risks
Step 3: Identify and evaluate adequacy of existing controls already in place
Step 4: Break the technology down into its components
Step 5: Map actual components of technologies against the theoretical controls that should underlie these components

Table 5.8: Controls in an EFT system

COMPONENT: Capturing of data
RISKS: Incorrect amount and incorrect payees are paid. Not all payees receive payment.
CONTROL OBJECTIVES: Payment-related data is loaded accurately and completely.
CONTROLS: Staff have to be well trained in the system. The following input controls should be implemented in relation to the loading of beneficiaries and the making of payments:
• User-friendly screen design;
• On-screen instructions and prompting, as well as compulsory fields;
• Minimum input required by means of drop-down menus and tick boxes;
• Beneficiary details loaded upfront and recalled from the bank’s database as needed (data echo test);
• Validation tests must be in place, such as a limit test, which limits the daily allowable transfer amount; and
• On-screen data is visually verified against the supporting documentation.
Transaction report/payment vouchers should be printed (from the data captured onto the system) and compared with supporting documentation before being signed and captured onto the EFT system.

COMPONENT: Restricting access of users and authenticating users
RISKS: Unauthorised persons make payments. Authorised persons make unauthorised payments. Fictitious payments are made.
CONTROL OBJECTIVES: All payments that are made have been authorised and are made by authorised staff members.
CONTROLS: EFT service is only activated after the bank has authenticated the company (as the owner of the bank account) and the computer that is to be used to effect EFTs.
The following access controls should be implemented over the EFT system:
• Limit the physical access to the terminal that contains the EFT software.
• Limit number of terminals and authorised users that can make EFT payments.
• Rely on least-privilege rights of users to the various functionalities in the EFT system.
The following controls could be used to authenticate users of the EFT system:
• Physical authentication could be established by means of a dongle inserted into the computer USB port or by using a random number generator device. Normal physical access (i.e. custody) controls around these devices apply.
• Authenticate users to the service by using a username linked to a password.
• Password must comply with the normal password controls.
• Processing of transactions requires the user to capture the bank pin before gaining access to the system.
• High-value payments require multiple user authorisations by means of usernames and passwords.

COMPONENT: Transfer of data over the internet
RISKS: Fictitious payments could be made. Payment data is intercepted and payment details changed.
CONTROL OBJECTIVES: Only authorised payments are made. All payment data is received accurately and completely by the bank and is not changed while being transferred over the internet.
CONTROLS: Limit the ability to make payments to a dedicated computer using the computer’s terminal identity pin. Rely on a call-back facility to avoid active tapping and call interception. Payment instructions to make payments are encrypted when they are sent to the bank. EFT payments are made from a clearing account at the bank which requires that the total amount to be paid is first loaded into the bank account before payments can be made. The control total on the EFT terminal is compared to the movement on the clearing account and any reconciling items are investigated.

COMPONENT: Protecting against losses
RISKS: Cash could be stolen. Not all payments are made.
CONTROL OBJECTIVES: Company assets (i.e. cash) are safeguarded. All payments are made.
CONTROLS: Obtain insurance cover against fraud. Maintain an audit trail of all processed transactions (containing all data relating to the payments) as a backup. Bank implements business continuity controls by, for example, keeping backups, emergency power, redundancy servers and up-to-date firewalls.

COMPONENT: Policies and procedures
RISKS: Fictitious payments could be made.
CONTROL OBJECTIVES: Company assets (i.e. cash) are safeguarded.
CONTROLS: Company policy requires that all pins and passwords remain confidential. EFT payments are made from a clearing account at the bank which requires that the total amount to be paid is first loaded into the bank account before payments can be made.

COMPONENT: Logs and reviews
RISKS: Incorrect amounts or beneficiaries could be paid. Unauthorised payments (including fictitious payments) are made. Duplicate payments are made. Not all authorised payments are made.
CONTROL OBJECTIVES: All payments are made accurately. No unauthorised payments are made. Payments are not duplicated. All payments that should be made are made.
CONTROLS: Transaction reports/payment vouchers (which comply with normal documentation standards) are printed and reconciled with the underlying documentation. Transaction reports/payment vouchers must be signed and filed sequentially. All necessary logs and available registers should be reviewed and investigated. These include:
• Bank statements;
• Daily transaction listings; and
• Access violation logs.
Bank reconciliations (refer to section 4.3.2.4 of Chapter 4 and to Chapter 10) are performed on a monthly basis.

COMPONENT: Other specialised controls
RISKS: Fictitious payments could be made.
CONTROL OBJECTIVES: All payments made are from genuine origin.
CONTROLS: Specialised bank written program from the bank could be installed on a dedicated terminal. An SMS or email is sent to a designated company employee after each transaction confirming payments, as well as special transaction notification, for example, when a new beneficiary is loaded and details are amended.

Note: Table 5.8 contains only the controls over making EFT payments. It does not address all controls to ensure that the payment is valid, accurate and complete (e.g. in a salaries and wages application that the amount of net wages computed for employees is valid, accurate and complete). These are addressed in Chapters 7 and 9 in relation to payments to creditors and salary-related payments.

Step 6: Evaluate the impact of the existing controls and the risks identified on the business
Step 7: Select suitable controls to mitigate the remaining risks to an acceptable level

An evaluation must be performed of the manual controls and the computerised controls in order to make a risk assessment. Based on the combination of risk assessment and proposed controls, management must decide which controls would mitigate their risk to an acceptable level.

Appendix: Accounting Information Systems

1. What is an accounting information system?
A computer information system (CIS) exists where any IT equipment, irrespective of its nature or size, plays a part in or impacts on the processing of financial and non-financial information of an entity, irrespective of whether the IT equipment/software is operated or owned by the entity or a third party. Many companies use a CIS to computerise their accounting systems and accounting information. An accounting information system (AIS) is a system that transforms data (by collecting, recording, storing and processing data) to produce decision-useful financial information that can be used by users in a company to make business decisions. Ntsimbi Piping uses the PVCACC accounting package as its AIS.

Data is facts that are collected, recorded, stored, and processed by an AIS. The data, represented by observations recorded about the transaction (such as person, price, quantity, description and date that appear on, for example, an order form or invoice) and observations recorded about business activities (such as time of transaction and staff number of sales person) when executing the transaction, is organised and processed by the AIS to provide meaningful information to a user. The output of the AIS is information. This information can then be used by the users in the company for decision making and control purposes in order to create value for the company.

AIS impacts every aspect of a business and the supply chain, whether it be part of a company’s primary activities, such as operational logistics or marketing, or support activities, such as human resource management and finance. Having an AIS adds value to a company by enhancing the speed at which decisions are made and improving the quality of decisions. An AIS also increases the sharing of knowledge, which promotes an environment of collaboration and shared purpose in finding ways to achieve the company’s business objectives.
In the long term, AIS also improves the efficiency and effectiveness of a company’s operations within the business and throughout a company’s entire supply chain. From a governance perspective, AIS can also assist in making systems of internal control more efficient and effective (refer to Chapter 4 section 4.3.2.6).

2. What determines the value of information?

The value of information is the benefit derived from the use of the information, less the cost of producing it. The challenge is, however, to quantify the value of the information and the costs to obtain the data, before it is collected. Having decision-useful information reduces future uncertainty about the outcome of projects or initiatives, enhances planning and scheduling of business activities and ensures more timely decision making.

Having too much information, on the other hand, could have negative consequences. Information overload occurs when the amount of information that is available exceeds the capacity of an AIS to effectively process, and of users to absorb, when making a decision. This negatively impacts the quality of decision making. This problem typically exists in small- and medium-sized AIS with limited capabilities. Modern AIS overcome this problem through the use of artificial intelligence, big data analytic algorithms and machine-learning systems with cognitive abilities that are able to process high-volume, high-velocity information in many forms. These systems are, however, only effective if the underlying data and relationships between data are properly defined to produce decision-useful information that addresses a business problem.

Decision-useful information has the following characteristics:
• It is relevant to the decision at hand in that it can be used to address a business problem, thereby reducing the uncertainty about the outcome of the decision.
• It is useful in assisting a company to achieve its business objectives and can be used to achieve a company’s business strategies.
The information produced is at the correct level of detail, summarised appropriately, etc.
• It is easily accessible and available to users and produced in a timely manner, so as to be available before a decision is made and when required by a user.
• It is complete (i.e. without any omissions); reliable, being free from error or bias to the extent that two independent users who use the same information would make similar decisions using the same data. Therefore, the information must be verifiable.
• It is presented in an understandable, useful format that will facilitate decision making. The information must be in the format required by a user.

Information will only have these characteristics if it is based on data that is valid, accurate and complete and derived from an AIS that contains the appropriate internal control measures.

Consideration must be given to the cost (time and resources) invested in collecting, processing and storing data. One cost that has declined significantly recently is data storage and communication costs per megabyte or even gigabyte. However, the exponential increase in the amount of available data has increased the overall cost of providing information, whether it be:
• Statutory information, such as employee statistics or tax information, required by governmental and regulatory entities (i.e. mandatory information);
• Information required by business partners (i.e. essential information), which would allow businesses to conduct business using a shared platform over, for example, the internet; or
• Discretionary information required by internal users to make business decisions.

Costs are not limited to quantitative measures: Matters such as the need for regulatory compliance, non-compliance with industry best practices, as well as opportunity costs of not having the relevant information, must also be taken into account.

3. Which AIS should be implemented?

All business decisions should be driven by the objectives and strategies of a company.
This also applies when deciding which AIS should be implemented. When deciding on the implementation of an AIS it is important to ensure the following principles are kept in mind:
• Strategic alignment should exist between investment in an AIS and its use thereof. It should support the strategic performance and sustainability objectives of the company and deliver on business needs.
• Value delivery should occur through the AIS in the form of timely and quality information, ensuring that the AIS delivers the expected benefits in line with the company’s strategy in a cost-effective manner.
• The AIS should be considered to be an integral part of the enterprise’s risk management strategy and processes, thereby ensuring that its IT assets are safeguarded, operate as intended and that disaster recovery procedures are in place.
• Responsibility for the implementation of AIS and the related system of internal control and the day-to-day management of the AIS should be assigned, thereby ensuring accountability.
• The performance and functioning of IT investments should be monitored, measured and assessed.
• Focus should be placed on prioritising the management of all IT resources (including the AIS). IT investment should be optimised, and efficiency maximised by allocating resources based on business needs.

To determine which AIS should be implemented, one needs to evaluate the company’s business activities (or processes), the decisions that would need to be made when performing the activity (or when in this process) and the information required to make key decisions. For example, in the purchases and payments business cycle, the payment clerk would need to decide which supplier should be paid, by when, how much, etc. In order to make a decision the payment clerk might require the supplier statement, accounts payable records, payment terms, etc.
An AIS must be able to keep record of all this information and integrate data from both internal and external sources, so as to ensure the information is readily available once payment is to be made.

Each business cycle (Chapter 4 Figure 4.3) must record, store and process data specific to each cycle in order to produce decision-useful information. In Chapters 6 to 10, the functional areas that exist, as well as the information system used, in each cycle are outlined. The major activities, documents used, data and information recorded are outlined for each cycle. A number of key concepts relating to recording and processing in a computerised environment are discussed in section 4 below in the context of the revenue and receipts cycle.

4. How are transactions recorded and processed?

The AIS is responsible for the effective and efficient processing of data. In a manual environment, data is recorded in journals and maintained in the company’s ledgers (defined in Chapter 6 section 6.3.2.2). In a computerised environment this process is automated and, as discussed in Chapter 5 section 5.9.1, the computerised processing of business transactions takes place in various stages. The operations performed by the AIS, which converts data into decision-useful information, are referred to collectively as the data processing cycle or the transaction processing cycle. The cycle consists of four stages, namely (i) data input (which includes the entering or capturing of data relating to a transaction or activity into the AIS), (ii) data processing (where data is converted into information), (iii) data storage and (iv) information output, which is used by the user. The information output can be in the form of financial statements, or cycle specific, such as a debtors age analysis.

4.1 Data input

An activity initiates a transaction. The details relating to a transaction are recorded on source documentation such as an order form (Chapter 6 section 6.3.2.1), which contains data specific to the transaction.
While data relating to the transaction is obtained from the source documentation for input purposes, the AIS also automatically records the data relating to the participants in the transaction (Chapter 6 section 6.2.1) and the resources affected by the transaction (Chapter 6 section 6.2.2). In the case of the revenue and receipts cycle, the following data might be recorded relating to the:
• Transaction: customer details; price; quantity, description of item sold, etc.;
• Participants: details of the employee that made the sale, approved credit, etc.; and
• Resources: point-of-sale (POS) device asset number, etc.

In the event that a transaction is recorded in an online environment, the transaction data is recorded directly into the system when the transaction takes place. Once data has been recorded, it can be processed in real-time or stored to be processed at a later time (Chapter 5 section 5.6).

4.2 Data storage

In the same way that a manual system stores data recorded using general or special journals in ledgers (Chapter 6 section 6.3.2.2), in a computerised environment data relating to transactions is stored in files (Chapter 6 section 6.3.3). The general ledger contains summary level data for all accounts, while the subsidiary ledgers record the detailed data for every transaction contained in the general ledger. Therefore, the sum of all individual balances in the subsidiary ledgers adds up to the amount in the general ledger, and should these not agree, it would indicate an error. The computerised equivalent of the subsidiary ledger is a transaction file, and for the general ledger it is a master file. Files may, however, contain more information than simply the financial information, as discussed in Chapter 5 section 5.1. The master file also contains standing data that is used frequently by the AIS. Similarly, the transaction file may also contain data relating to the participants in the transaction and the resources involved.
In order to find data relating to a transaction in an easy and efficient manner, AIS uses coding techniques to organise data in a logical manner. Coding is the systematic assignment of numbers or letters to data to classify and organise it. There are three types of coding:
1. Sequence codes: where, for example, transactions are numbered consecutively to ensure that there are no gaps in the sequence and no numbers are repeated. Examples include the sequential numbers of order forms (ORD0001; ORD0002), or invoices (INV0001; INV0002).
2. Block codes: where blocks of numbers in a particular numerical sequential range are reserved for a category of items or activities. An example is a store room in which all pipes have a product code between ‘20001 – 29999’ and polymers have a product code between ‘70000 – 79999’. Using this method allows the AIS to record additional information about the item or activity. A storeman would know that ‘204387’ refers to a particular pipe, which in this case is ‘Pipe SABS 200mm x 6m Class 340SOE’.
3. Group codes: where each digit in the code or digit positioning has a particular meaning. For example, a customer number such as ‘RDMRIA002’ used for ‘Riaan Rudman’ would mean that the first group of three digits is used as an identifier for the customer’s surname (RDM) and the second group of three digits is used to identify the customer’s name (RIA). This method of coding uses two or more subgroups of digits for an item and is often used in conjunction with block codes.

An example of coding which is used globally by financial accountants is the chart of accounts (being a list of all the general ledger accounts used by a company), in which each general ledger account is assigned a specific accounting number and the positioning of the account number refers to different classes of transactions or different transactions classified by nature.
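The three coding types described above can each be checked automatically; the following Python example is added here and is not from the textbook. The block ranges and code formats come from the examples in the text, while the function names, the four-digit sequence width and the reading of the last three digits of a group code as a serial number are assumptions.

```python
import re
from collections import Counter

# Block ranges from the store-room example in the text.
BLOCKS = {"pipes": range(20001, 30000), "polymers": range(70000, 80000)}

# Group code layout from the customer-number example: three letters for the
# surname and three for the name. The trailing three digits are assumed to be
# a serial number (the text does not say what they mean).
GROUP_CODE = re.compile(r"([A-Z]{3})([A-Z]{3})([0-9]{3})")


def check_sequence(doc_numbers, prefix, width=4):
    """Sequence codes: report gaps, repeats and numbers that do not fit the format."""
    pattern = re.compile(re.escape(prefix) + r"([0-9]{%d})" % width)
    seen, malformed = [], []
    for doc in doc_numbers:
        match = pattern.fullmatch(doc)
        if match:
            seen.append(int(match.group(1)))
        else:
            malformed.append(doc)

    counts = Counter(seen)
    duplicated = sorted(n for n, c in counts.items() if c > 1)
    missing = []
    if seen:
        # A gap is any number between the lowest and highest seen that never appears.
        missing = sorted(set(range(min(seen), max(seen) + 1)) - set(seen))

    def label(number):
        return f"{prefix}{number:0{width}d}"

    return {
        "missing": [label(n) for n in missing],
        "duplicated": [label(n) for n in duplicated],
        "malformed": malformed,
    }


def classify_block(code):
    """Block codes: return the category whose reserved range holds the code, else None."""
    if not (code.isascii() and code.isdigit()):
        return None
    number = int(code)
    for category, block in BLOCKS.items():
        if number in block:
            return category
    return None


def parse_group_code(code):
    """Group codes: split a customer number into its positional subgroups."""
    match = GROUP_CODE.fullmatch(code)
    if match is None:
        raise ValueError(f"not a valid group code: {code!r}")
    return {
        "surname_id": match.group(1),
        "name_id": match.group(2),
        "serial": int(match.group(3)),
    }


if __name__ == "__main__":
    # Constructed sample: one gap pair, one repeat and one stray invoice number.
    orders = ["ORD0001", "ORD0002", "ORD0004", "ORD0004", "INV0003", "ORD0006"]
    print(check_sequence(orders, "ORD"))
    print(classify_block("20438"), classify_block("70000"), classify_block("30000"))
    print(parse_group_code("RDMRIA002"))
```

A non-empty "missing" or "duplicated" list is the kind of unusual item that the logs and reviews controls earlier in the chapter would follow up.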
The coding of the accounts assists with the preparation of the financial statements (as similar accounts are grouped together). Having a consistent methodology to assign codes to transactional or other data has the benefit of facilitating the provision of information to users at a low data storage cost. In deciding on the coding system to be used, the following should be taken into account: it must be easy to implement, easy to understand, codes must have a consistent meaning throughout a company, and it must allow for flexibility to modify the codes. It should also allow a user to link data between files and databases.

4.3 Data processing

The coding of information allows for the processing or manipulation of data into information. There are four basic activities which occur during processing:
• Reading existing data.
• Creating or adding new data, such as where a new customer is added to the debtors master file.
• Updating data which is contained in a database or a master file because it has changed. Examples include the updating of the debtors master file when a debtor changes his or her address, and adding sales of items to the sales transaction file. Data can be updated periodically using a batch processing system, or as each transaction occurs in an online real-time processing environment (Chapter 5 section 5.6).
• Deleting or removing of data.

4.4 Information output

Financial or other information may be required to be used for a specific purpose. Operational information provides good insight into the activities of the company. The purpose for which the information is produced defines its value. Financial statements can be used to evaluate historic transactions, while budgets and forecasts can be used to evaluate future strategies. Information contained in performance reports can be used to monitor a company’s performance against set targets and contribute to a company selecting the most appropriate strategy for its future.
Information can be presented to the user in three forms, namely in:
• Document form, which presents the details of the activity or transaction, whether it is recording the information of the transaction or information of another party to the transaction, for example a sales invoice or deposit slip. The document can be a hardcopy document or it may be in electronic format. The document generated at the end of a transaction that reflects the information of the transaction that has been processed is commonly referred to as an operational document, as opposed to a source document which is used to initiate a transaction.
• Report form, which reports information contained in the system, generally in summary format. These reports can be used to provide a historic review of activities in the company. The information contained in them can also be used to manage operational activities, make business decisions and design strategies. The frequency of the reports is determined by the purpose and relevance of the information to decisions which must be made.
• Queries form, in response to a specific request by users for pieces of information, based on predetermined criteria or business problems for which historic information is required. The advances in big data and flexible reporting have made query form reporting the most common form of output used in business today.

Output is not limited to hard copy information: it can also be extracted on a computer monitor in electronic format.

5. How has the role of the AIS changed over time?

Traditionally, AIS were used to record, store and process financial information and transactions. Modern CIS also record various types of non-financial information, which provides insight into the operations and operational effectiveness of a company. In many instances all this data is recorded by one system.
Enterprise resource planning (ERP) systems are designed to integrate all aspects of a company’s operations, recording of financial and non-financial information relating to a transaction as the transaction occurs and updating all related systems. Big data systems not only record structured financial and operational data, but they also record, store and process unstructured external data, to provide users with data-rich information in which relationships between multiple types of data have been considered.

1 Each computer application must also have its own application-specific access controls that restrict access to data, files, functions and features. However, as these access controls relate only to a particular application, they are classified as application controls and not as general controls.
2 The user-related controls include controls that were discussed in the section on general controls. The reason they are included in this section on application controls is that they contribute directly to the validity, accuracy and completeness of the recording of a particular type of transaction in a specific application.
3 Refer to section 5.1 for an explanation of the difference between the two types of files.
4 The user-related controls include controls that were discussed in the section on general controls. The reason they are included in this section on application controls is that they contribute directly to the validity, accuracy and completeness of the recording of a particular type of transaction in a specific application.
5 The user-related controls include controls that were discussed in the section on general controls. The reason they are included in this section on application controls is that they contribute directly to the validity, accuracy and completeness of the recording of a particular type of transaction in a specific application.
6 The user-related controls include controls that were discussed in the section on general controls. The reason they are included in this section on application controls is that they contribute to the validity, accuracy and completeness of master file changes in a specific application.

Revenue and receipts cycle
CHAPTER 6
Gerrit Penning

CHAPTER CONTENTS
Learning outcomes
Reference list
6.1 What are the nature, purpose and accounting implications of the cycle?
6.2 What functional areas occur in the cycle?
6.3 What information system is used in the cycle?
6.4 What could go wrong (risks) in the cycle?
6.5 What computer technologies are used in the cycle?
6.6 What are the control objectives in the cycle?
6.7 What are the controls in the cycle (manual and computerised)?
6.8 Cycle illustration: The revenue and receipts cycle at Ntsimbi Piping
Assessment questions

LEARNING OUTCOMES
1. Explain the nature and purpose of the cycle.
2. Identify and describe the major general ledger accounts affected by the cycle.
3. Explain the accounting treatment required for the recording of revenue.
4. Identify and explain the cycle’s functional areas.
5. Describe the flow of transactions in the cycle through the information system, including its relation to source documents and accounting records and its relation to classes of transactions and events, and balances.
6. Identify and describe the documents and records, both manual and computerised, utilised in the cycle and describe the purpose of each.
7. Identify and describe the risks of misstatement affecting account balances, classes of transactions and events in the financial statements.
8. Describe the computer technologies typically applied in the cycle.
9. Formulate control objectives for the cycle.
10. Describe how internal controls may assist in achieving the control objectives in the cycle and how these control objectives relate to management’s assertions in the financial statements.
11. Critically analyse internal control systems in order to identify and explain weaknesses in the control system and recommend improvements by describing the required internal controls.
12. Design a system of internal controls, both manual and computerised, that will achieve the cycle’s control objectives.

REFERENCE LIST
International Financial Reporting Standard (IFRS) 15 – Revenue from Contracts with Customers

IN THE NEWS
SEC charges energy services company and executives with accounting fraud¹
Washington D.C., Oct. 17, 2016
The Securities and Exchange Commission today charged an energy services provider and four executives for their roles in an accounting fraud in which the company recognised revenue earlier than allowed in order to meet internal targets. Lime Energy Co. agreed to pay $1 million to settle the charges, and its four now-former executives also agreed to settlements.
The SEC’s complaint alleges that Lime Energy improperly recognised $20 million in revenue from at least 2010 to 2012. Two then-executives in the company’s utilities division, vice president of operations Joaquin Alberto Dos Santos Almeida and director of operations Karan Raina, developed procedures to enable the company to recognise revenue on newly signed contracts based on documentation received before year-end 2010. But when documentation did not arrive in time, they allegedly went ahead and booked the revenue anyway.
According to the SEC’s complaint, Almeida and Raina became even more aggressive in 2011 and 2012 as they further recognised revenue earlier than allowed by accounting principles as they faced increasing pressure to produce results. They eventually went so far as to direct internal accountants to book revenue on jobs that didn’t exist.
The SEC further alleges that Lime Energy’s then-corporate controller Julianne M. Chandler accepted new accounting entries to book millions of dollars in additional 2011 revenue well after the year-end close.
And in February 2012 when Lime Energy still needed $500,000 to meet its 2011 revenue target, the company’s then-executive vice president James G. Smith suddenly sent Chandler new entries that provided the company with even more additional revenue to improperly recognise.
‘Lime Energy and its then-executives engaged in a wide array of wrongdoing, including the improper reporting of a significant amount of fake revenue,’ said Scott W. Friestad, Associate Director of the SEC’s Division of Enforcement. ‘The desire to meet earnings or revenue targets cannot override corporate officers’ responsibilities to public shareholders to assure that the company’s accounting reflects financial reality.’

CRITICAL THINKING
Can you think of reasons for an entity to want to overstate or understate its reported revenue? In addition, what personal interest do you think a director of an entity may have in manipulating revenue? Such incentives to misstate revenues may give rise to risks relating to the company’s financial information not being fairly presented.

6.1 What are the nature, purpose and accounting implications of the cycle?

6.1.1 The nature and purpose of the cycle

The revenue and receipts cycle relates to an entity’s activities of selling goods or rendering services and receiving cash from customers in exchange. Without sufficient revenue from sales or services, an entity may not be a viable going concern. Failure to collect cash from customers for sales or services will place significant strain on an entity’s cash flow. This may lead to eventual bankruptcy if an entity cannot pay its debts as they become due. However, the cycle is not just about the business function of making sales and receiving cash. It is also about the accounting function where transactions associated with those sales and receipts are accounted for (recorded) in an entity’s accounting records.
The purpose of the revenue and receipts cycle is to:
• Execute the sale of goods and rendering of services to customers;
• Record the associated revenue earned from these transactions in the accounting records;
• Collect and record the payments received from customers relating to these transactions; and
• Address any related activity, such as sales adjustments and the writing off of bad debts, including the recording thereof.

In terms of the accounting function, sales and services rendered are recorded as revenue in an entity’s accounting records. It is imperative that all sales and services transactions are recorded, otherwise the financial reports will reflect a distorted view of the true financial position and performance of the entity.

REFLECTION
What are the implications for the owners and employees of an entity and for the tax authorities should an entity not record all its sales or services transactions?
When an entity manipulates its revenue, it is important to consider the negative consequences to the entity’s stakeholders – not only from an economic perspective, but also from an ethical perspective. Shareholders might make wrong investment decisions based on incorrect accounting information, employees might be told that they have to forfeit the salary increase they could otherwise have been awarded, and the tax authorities could be defrauded if the entity does not declare all of its taxable income.

Sales made or services rendered to customers can be either on credit or for cash. If for cash, the entity will immediately receive cash physically in banknotes and coins or through an electronic credit or debit card transaction, or through an electronic funds transfer (EFT). If sales are on credit, the goods are provided (or the service rendered) to the customer, but the customer is allowed to pay the outstanding amount at a later date (i.e. the customer buys ‘on account’).

WHY?
Why would an entity allow its customers to buy from it on credit given the possibility that they will not settle their debts to the entity? What are the benefits and what are the risks?
By allowing credit facilities, including favourable credit terms, an entity can encourage customers to purchase goods or services from it. Remember that some customers might not be able to pay for the goods or services immediately (e.g. in the context of a wholesaler, its customers may not have cash until they have resold the products). The major risk, however, is that customers might not settle their accounts in time or not settle them at all, causing financial losses to the entity that provided the credit facilities.

6.1.2 Forms of revenue from sale of goods and rendering of services

Although entities are involved in various forms of sales and services, the purpose of the cycle applies to all entities. Examples of various forms of sales and services include:
• A retail entity (retailer) selling goods directly to the public (e.g. clothing);
• A wholesale entity selling goods to retailers (e.g. bulk food products);
• A manufacturing entity selling goods it has produced to wholesalers or retailers (e.g. a manufacturer of wooden furniture);
• A resource entity selling minerals it has mined to a metallurgical refinery (e.g. an iron ore mine);
• A services entity rendering its service to other entities or to members of the public (e.g. a furniture removal company); and
• A municipality providing utilities to town residents, such as water and electricity.

A business has to implement proper internal controls in its revenue and receipts cycle to enable the proper handling and recording of its sales/services and the subsequent collection of the amount due from customers. No matter the type of a business entity or the nature of its revenue, if a product is sold or a service is rendered to a customer, revenue will flow to the entity and cash should subsequently be received.
6.1.3 The varied nature of the cycle

It would be rare to find two entities whose revenue and receipts cycles operate in exactly the same way. In fact, although the cycle operates in the same way for all entities in principle, each entity will apply these principles in a different way and to varying degrees. As a result, one is likely to find variations in the source documents, accounting records and internal controls used in the cycle among different entities. Also, each entity will implement its own particular controls and will have its own methods of initiating, recording, processing and reporting transactions in the cycle. However, the purpose of the cycle and the objectives of the internal controls in the cycle will remain the same for all entities. Therefore, a proper understanding of the purpose of the cycle and the typical risks an entity faces when selling goods or rendering services is crucial.

REFLECTION
How would the risks for a company whose customers all pay in cash at its business premises when buying goods differ from those for a business whose customers pay by means of EFT only?
The answer relates to the risks due to theft from the holding of physical cash versus the risks of unauthorised access being obtained to the entity’s bank account.

When selling goods and rendering services to consumers, remember the Consumer Protection Act.
The Consumer Protection Act applies to the majority of businesses in South Africa that sell goods and render services to the public. The Act mainly aims to protect the end-consumer against abuse and malpractices by businesses. If the Act applies to a business or particular transaction, the seller should comply with the requirements of the Act, or the seller might face fines and penalties. Accordingly, a business’s information system, including internal controls, should make provision for ensuring compliance with the Act.
6.1.4 How transactions in the cycle are triggered (initiated)

These are the triggers for the cycle:
• For a revenue transaction to commence, an order should be received from a customer.
• For a receipt transaction to commence, payment should be received from a customer.

As soon as one of the above triggers occurs, the revenue and receipts cycle will ‘go into action’ and the internal controls in the cycle will need to be applied.

When does the cycle end?
• When a sales or service transaction has been recorded in the sales journal and it has been posted to the general ledger, the revenue part of the cycle is complete.
• When the receipt of cash has been recorded in the cash book (cash receipts journal), the cash has been deposited in the entity’s bank account and the transaction has been posted to the general ledger, the receipts part of the cycle is complete.

The cycle will repeat itself each time a new transaction is initiated.

CRITICAL THINKING
How is a sales or service transaction recorded in the accounting records?
A sales or service transaction is ordinarily documented on an invoice and recorded in the sales or service journal, the total of which is periodically posted to the revenue account in the general ledger. If the sales or service transaction is on credit, it is also recorded in the customer’s account in the debtors ledger. In a manual system, these activities would generally be separate actions (writing out an invoice and posting the sale to the accounting records). In a computerised system, the generation of an electronic invoice and the processing of a sale to the accounting records (sales transaction file, general ledger accounts and debtors master file) may happen at the same time without any manual intervention.

6.1.4.1 A typical transaction in the revenue and receipts cycle

6.1.4.1.1 Wholesalers selling on credit

A typical sales transaction in the revenue and receipts cycle for a wholesale entity selling on credit originates from a customer order.
By this time, a credit background check would already have been performed to ensure the customer’s creditworthiness before any sale is made. The customer may phone or email the entity to place an order for goods, or if the entity sells its goods over the internet, the customer could order goods on the entity’s website. If the goods are available in the warehouse, the sales department will instruct the warehouse to pick the goods and pack them for despatch. The despatch function ensures the goods are delivered to the customer, whereupon the invoice is prepared by the accounting department. When the due date for payment arrives, the customer makes a payment to the entity and the entity issues a receipt to the customer.

Figure 6.1: A typical transaction in the revenue and receipts cycle

WHAT IF?
What if an entity neglects to follow up on a customer order it has received? What will the consequences for the entity be? Are there any implications on the fair presentation of the financial statements?
The entity might lose a sale and forgo any resulting profits that could have been earned from the transaction. It might also lose the customer to a competitor, should the customer deem the entity’s level of service to be unacceptable. However, there is no impact on the fair presentation of the financial statements as no sales transaction would have taken place and therefore there is no misstatement in the revenue line item in the Statement of Comprehensive Income.

6.1.4.1.2 Retailers selling for cash

How would the flow of a sales transaction appear in a retailer, such as a grocery store, selling to customers on a cash basis? The process would be simplified as fewer supporting documents are required and fewer control procedures need to be performed. A sales order does not apply in such an environment and no credit background check is required, as the customer does not buy on credit. Rather, the receipt of the cash is in effect the authorisation of the transaction.
Goods are not delivered to the customer: the customer simply selects his or her desired goods from the shelves and proceeds to a cash till point. To pay for the goods, the customer hands cash to the cashier and the cashier in turn issues the customer with a receipt. The receipt serves as proof of payment and reflects the goods that were bought.

CRITICAL THINKING
Keep in mind that, even though the transactions might happen at the same time, the recording of a sale as revenue is a separate transaction from the recording of cash received as a receipt. Each is subject to financial reporting risks, while cash (as an asset) received is also at risk of misappropriation. Revenue should be recorded when goods are sold or services are rendered and a receipt should be recorded when the cash for these goods/services is received.

6.1.5 Major accounts affected by the cycle

Transactions in the revenue and receipts cycle must all be recorded in the accounting records of the entity and must be allocated to a particular general ledger account. Understanding which account is affected by a specific transaction will enable better understanding of the risks involved in the flow of the transaction through the cycle. The following accounts are affected by the revenue and receipts cycle:
1. Statement of Comprehensive Income
• Revenue (income from sales/services)
Refer to the Statement of Comprehensive Income of Ntsimbi Piping (page 8) and note the line item ‘Revenue’. Also refer to its Detailed Income Statement in the supplementary information (page 25) and note the item ‘Revenue’.
• Sales adjustments (decrease in revenue)
• Bad debts written off.
2. Statement of Financial Position
• Cash and cash equivalents
• Accounts receivable (including trade debtors)
Refer to the Statement of Financial Position of Ntsimbi Piping (page 7) and note the line items ‘Cash and cash equivalents’, ‘Bank overdraft’ and ‘Trade and other receivables’.
REFLECTION
Which accounts in the accounting records of an entity will be affected should a debtor fail to pay its debt?
The debtors balance (an asset) will be affected, either due to the debtor’s balance having to be written off or being included in an allowance for credit losses. These entries will also affect expense accounts such as ‘bad debts’ and ‘increase/decrease in allowance for credit losses’. Note that, despite the fact that the entity never receives any money for the goods sold or services rendered, the revenue that was recorded would not be reversed. It remains revenue in the accounting records and is reported as such. The bank account is not affected as no cash is received.

Although some forms of income, such as those listed below, are generally categorised under other cycles (such as the investment and financing cycle (refer to Chapter 10)), they may be subject to similar risks and controls as identified in the revenue and receipts cycle (e.g. when the amounts from these forms of income are physically received in cash or deposited into an entity’s bank account):
• Dividend income;
• Rental income;
• Interest income;
• Royalty income;
• Commission income; and
• Income from the disposal of assets.

6.1.6 IFRS 15 and the treatment of revenue for financial reporting purposes

IFRS 15: Revenue from Contracts with Customers specifies the principles an entity should apply in accounting for revenue in its financial statements. Essentially, IFRS 15 deals with:
• What a ‘contract with a customer’ is. Take note that a ‘contract’ can be as varied as a cash sale transaction lasting only a few minutes to goods provided or services rendered to the customer over an extended period of time. A contract also does not have to be formal and written: it could be informal, verbal and implicit to the nature of the business dealing;
• How an entity should recognise revenue to account for the transfer of goods or services to customers;
• How to determine the amount that the entity expects to receive in exchange for those goods or services; and
• When to recognise the amount relating to the transaction.

IFRS 15 stipulates that an entity should recognise revenue as and when control over the goods/services transfers from the entity to the customer, either over time or at a particular point in time depending on the nature of the contract with the customer. It would therefore not be appropriate for an entity to recognise revenue upfront in cases where the goods or service are provided to the customer over a period of time. For extended periods, the entity will need to determine the appropriate method of allocating the transaction amount over the period of the provision of the goods or rendering of the service to the customer.

Should an entity not comply with the requirements of IFRS 15, it runs the risk of having material misstatements in its financial statements, which will result in a modified opinion in the auditor’s report and possibly adverse consequences for the entity.

Other accounting standards that may be applicable to the revenue and receipts cycle (but fall outside the scope of this text) include:
• IFRS 16, Leases (i.e. specifically relating to entities that are lessors); and
• IAS 20, Accounting for Government Grants and Disclosure of Government Assistance.

WHAT IF?
What if the management of an entity were to misinterpret the requirements of IFRS 15 or decide to deliberately misapply the principles? Consider the following example involving the inappropriate timing for recognising revenue: A security firm was contracted by another entity to render security services to it for a 24-month period.
Instead of recognising the revenue over the course of the performance of the service (i.e. evenly over the 24 months), the security firm inappropriately recognises the total of all revenue it expects to receive at the end of the first month. What are the implications on fair presentation of the financial statements because of such accounting treatment?

6.2 What functional areas occur in the cycle?

6.2.1 Description of the functional areas

In order to identify and manage the risks in the business cycles it is useful to divide each cycle into functional areas. A functional area is a separate stage within the cycle where similar or related activities applicable to a transaction occur. From the moment a transaction in the cycle is triggered (i.e. a customer’s order is received) to the time that the payment from the customer is recorded and banked, many actions take place to ensure that the transaction is executed properly and that it is properly recorded in the accounting records.

For a typical wholesaler selling on credit to customers (debtors), the cycle can be divided into the following functional areas:
1. Credit management;
2. Receiving orders from customers;
3. Authorisation of sales orders;
4. Picking of goods from warehouse;
5. Despatch and delivery of goods to customers;
6. Invoicing;
7. Recording of sales in the accounting records;
8. Receipt of cash from customers;
9. Recording of receipts in the accounting records; and
10. Processing and recording of returns and other sales adjustments.

A brief summary of each functional area in a wholesaler that sells goods to customers on credit follows.

1. Credit management
Purpose: To grant credit to creditworthy customers who do not immediately pay cash when receiving goods.
Main activities: Receiving credit application from customer; setting credit limits in terms of customer’s creditworthiness; ongoing review of customer’s creditworthiness; handling account queries from customers; collecting outstanding debts; handing over uncollectable debts to attorneys; recommending to management debtor balances that should be written off as uncollectable.
Persons involved in this area: Credit controller, financial accountant/financial manager.

WHY?
Why is the responsibility for approving new customers and setting credit limits assigned to a credit controller and not to the sales order clerk who receives orders from the customers?
Consider the importance of segregation of duties when answering this question and the risks that arise should these duties be carried out by the same person. For example, what do you think the consequence might be if a sales order clerk were to receive a sales order from a friend who is not able to pay for the goods ordered, but the clerk was able to set the credit limit on the friend’s account? The clerk could supply the goods to the friend without any problems, but the entity would probably never receive any payment for the goods.

2. Receiving orders from customers
Purpose: To ensure that orders received from customers are acted on.
Main activities: Receiving orders from customers; checking inventory levels (i.e. whether goods are in stock); creating backorders (i.e. pending sales orders for goods out of stock and awaiting delivery of these goods from the entity’s suppliers).
Persons involved in this area: Sales order clerk.

WHAT IF?
What if the customer is not granted the opportunity to place goods on backorder? What might the financial implications for the entity be?
Customers might choose to rather make use of the entity’s competitors in the event of the unavailability of goods. Its clientele might even be lost permanently, translating into lost sales for the entity and therefore lower profits.
If the entity is a wholesaler, its customers might be business entities themselves, with a responsibility to promptly satisfy the demands of their own customers’ needs for goods or services!

3. Authorisation of sales orders
Purpose: To ensure that sales are made only to approved customers and only to those who will be able to settle their debts when due.
Main activities: Manual and/or computerised authorisation of sales.
Persons involved in this area: Sales order clerk, credit controller.

4. Picking of goods from warehouse
Purpose: To select or pick goods from the warehouse (or from the finished goods store) in a timely manner in accordance with those ordered by the customer.
Main activities: Picking goods from the warehouse.
Persons involved in this area: Storeman, warehouse supervisor/manager.

WHY?
Why are the warehouse and despatch staff responsible for the picking of goods from the stores and despatch thereof (respectively), and not the sales order clerk?
If there is a lack of segregation of duties, the sales order clerk could create a fake order and take the goods for himself or herself, or have a friend’s sales order ‘disappear’ after the goods were delivered. The risk is even greater if the sales order clerk can also create customer accounts.

5. Despatch and delivery of goods to customers
Purpose: To ensure that all goods ordered and picked are despatched and delivered intact to the customer.
Main activities: Packaging goods for despatch; safely storing goods until despatched; loading packaged goods onto delivery vehicle; security checks on goods leaving entity’s premises; transporting goods; delivery of goods to customer.
Persons involved in this area: Despatch clerk, gate security guard, driver.

REFLECTION
What purpose (from a revenue recognition perspective) is served by having a customer sign a copy of the delivery note as proof of receiving the goods?
In order to record a sale in the accounting records, there must be proof that a transaction occurred between the entity and another party (i.e. that goods were sold or a service was rendered). The customer’s signature serves as evidence that another party acknowledged its willing participation in the transaction and that it took control of the goods/services.

6. Invoicing
Purpose: To create and issue an invoice to customers notifying them of their obligation to pay for goods received.
Main activities: Creating a customer invoice and sending it to the customer.
Persons involved in this area: Invoicing clerk.

REFLECTION
What are the consequences for an entity should a sale take place and goods are delivered to a customer, but an invoice is never created nor sent to the customer? Consider both the accounting implications of such a mistake as well as the implications for the entity’s cash flows.
From an accounting perspective, as sales are typically recorded in the entity’s accounting records from the delivery note and the invoice that is created, revenue might be understated. From a cash flow perspective, the invoice serves as documentary proof of the amount that the customer has to pay for the goods or services. Failure to create an invoice may result in the entity/customer ‘forgetting’ that the amount due still has to be paid, resulting in the cash never being received at all or not received in a timely manner.

7. Recording of sales in the accounting records
Purpose: To record sales transactions in the accounting records; to send out monthly statements to debtors.
Main activities: Posting a sale to the sales journal and to the debtor’s account in the debtors ledger; updating the general ledger; performing debtors reconciliations; sending monthly statements to debtors.
Persons involved in this area: Accounts receivable bookkeeper, senior bookkeeper/financial accountant.

8. Receipt of cash from customers
Purpose: To receive and promptly bank cash from customers.
Main activities: Receiving cash from customers; recording (issuing) a receipt; depositing cash in the entity’s bank account.
Persons involved in this area: Mail-opening staff, cashier, chief cashier (reviewer), security guard (depositing).

WHY?
Why should the accounts receivable bookkeeper, responsible for creating invoices and posting the invoices to the debtors ledger, not also receive cash from debtors or record receipts in the cashbook?
Under conditions of weak segregation of duties, the accounts receivable bookkeeper could decide not to post the invoice to the debtor’s account, but still send the invoice to the debtor. When the debtor pays the accounts receivable bookkeeper, he or she can take the money for himself or herself without posting a receipt to the debtors account. Alternatively, and under certain conditions, the bookkeeper might even be able to post a credit note to the account in order to ‘cancel’ the debt, making it appear as if the debtor did not have to pay, thereby concealing his or her misappropriation of the cash received.

9. Recording of receipts in the accounting records
Purpose: To ensure all receipts from customers are accurately accounted for in the accounting records.
Main activities: Posting receipts to the cashbook (and general ledger) and to customers’ accounts in the debtors ledger; performing bank reconciliation.
Persons involved in this area: Cash book clerk (bookkeeping), senior bookkeeper/financial accountant/financial manager (reviewing).

Be sure to distinguish between operational activities and financial recording activities (bookkeeping). Many actions in the cycle are not performed by accounting/bookkeeping staff. A business is primarily about selling goods or rendering services, and not about the accounting behind it.
However, the accounting function is crucial as it evidences the history of the transaction from its origin all the way through to when it is recorded in the accounting records (to eventually form part of the entity’s financial statements).

10. Processing and recording of returns and other sales adjustments
Purpose: To ensure that only authorised credits to debtors accounts are granted and recorded.
Main activities: Receiving returned goods from customers; authorising sales returns; granting discount and other adjustments (e.g. for previously incorrect charges) to customers; recording sales returns and adjustments.
Persons involved in this area: Storeman (taking custody of returned goods), sales manager and/or credit controller (approval), sales returns clerk (recording), senior bookkeeper/financial accountant/financial manager (reviewing).

6.2.2 Summary of functional areas by department
Table 6.1 provides a summary of the functional areas by department.

Table 6.1: Functional areas by department

SALES AND CREDIT DEPARTMENT
1. Credit management
2. Receiving orders from customers
3. Authorisation of sales orders
10. Processing returns and other sales adjustments (including authorising of returns and adjustments)

WAREHOUSE
4. Picking of goods from warehouse
5. Despatch and delivery of goods to customers
10. Processing returns and other sales adjustments (including handling goods returned)

ACCOUNTING DEPARTMENT
6. Invoicing
7. Recording of sales in the accounting records
8. Receipt of cash from customers
9. Recording of receipts in the accounting records
10. Recording of returns and other sales adjustments

6.3 What information system is used in the cycle?

6.3.1 Accounting for revenue and receipt transactions
Sales or service transactions form part of the revenue figure in the financial statements.
Sales made to customers and services rendered on credit, for which no payment has yet been received, increase the trade receivables balance (a current asset in the Statement of Financial Position). Cash received from customers increases the bank and cash balance in the financial statements and, if it relates to cash received from debtors, reduces the trade receivables balance. Figure 6.2 illustrates for a credit sales system the recording of supporting documentation in the books of primary entry and subledger up to its inclusion in the financial statements.

Figure 6.2: The recording of supporting documentation in the financial records

Proper record keeping of transactions on source documents (such as an invoice), in journals (such as the sales journal) and in ledgers (debtors and general ledgers) is therefore critically important for reliable financial reporting. Should the information system (including the accounting system) fail to ensure proper record keeping of revenue and receipt transactions, together with the resultant accountability for the related assets, an entity’s revenue total and its accounts receivable and cash balances might be materially misstated. This may possibly render the financial statements unreliable, misleading or even meaningless.

6.3.1.1 The use of general journals
The revenue and receipts cycle also includes the use of recurring standard general journal entries on a periodic basis, such as entries to account for the write-off of bad debts every month, or the annual adjustment of the allowance for credit losses. Non-standard general journal entries may be used to account for special credits granted to debtors (e.g. a large discount on bulk purchases in addition to the standard discount contractually arranged). Additional internal controls are required for general journals as there is an increased risk of accounting staff and/or management using them to commit fraud.

WHY?
Why should the same staff member not be allowed to create a general journal and approve it? Consider the role of segregation of duties in answering this question.
The person who initiates or executes the transaction (i.e. the general journal entry) must not also be able to approve it. This is to prevent a person creating a fictitious or erroneous transaction without the knowledge of anyone else. The segregation of duties achieved by a second person reviewing the journal entry will facilitate the detection of the fraud or error.

6.3.2 Supporting documents, journals and ledgers
As a sales or receipt transaction is processed by (flows through) the information system of an entity, source documents will be created in each functional area (refer to section 6.2 for an explanation of the functional areas). These source documents are used when the transaction has to be recorded in the accounting records, such as journals and ledgers. The following sections describe the supporting documents, records, reports and reconciliations that may be used in the revenue and receipts cycle.

6.3.2.1 Supporting documents

1. Credit application form
This form is to be completed by a new customer wishing to buy from the entity on credit. Full particulars of the customer have to be provided, including trade references for follow-up.
Example: Refer to document 1I in the appendix at the end of the book.

2. Master file amendment form (computerised systems only)
A master file amendment form is completed in a computerised system each time a debtor’s details are to be changed on the debtors master file (the debtors master file is a debtors ledger in a computerised system), or if a debtor is to be added to or deleted from the master file. For example, if a new customer is accepted, the credit application form will be attached to the master file amendment form as a supporting document for the amendment to the master file (in other words, the creation of the new debtor).
Example: Refer to document 1D in the appendix at the end of the book.

3. Customer order form
An order is received from a customer by various means, such as email, telephone, fax, post, or in person. If received verbally, there will not be any physical evidence of the customer order and thus the entity will have to document the order by its own means.
Example: Refer to document 1A in the appendix at the end of the book.

4. Internal sales order
Because customer orders are received from various customers, they will not be sequentially numbered and may not contain all the information necessary to process the order. Also, in the case of a verbal (such as telephonic) order, there will not be any evidence of the order if not subsequently recorded on paper or computer. For this reason, a sequentially numbered internal sales order (ISO) is created (or generated on the computer) to record the details of the customer and what he or she has ordered.
Example: Refer to document 1B in the appendix at the end of the book.

5. Backorder note
Backorder notes are created for items ordered by a customer, but which are not available in stock. These out-of-stock items are recorded on a backorder note for follow-up by the purchasing department that will order the goods from the entity’s suppliers.

6. Picking slip
The picking slip is created from the internal sales order. It serves as an instruction for the goods to be picked from the store or warehouse for eventual delivery to the customer. Sales prices are usually not displayed on the picking slip, but rather only item codes, descriptions, quantities and store location of goods to be picked. The picking slip is sometimes referred to as the stores requisition.
Example: Refer to document 1C (internal sales order which also serves as the picking slip) in the appendix at the end of the book.

7. Delivery note
The delivery note is created from the actual goods being packed for despatch to the customer and should agree with the items being despatched.
Prices are usually not displayed on the delivery note: only item codes, descriptions and quantities.
Example: Refer to document 1E in the appendix at the end of the book.

WHY?
Why are item prices not usually displayed on a delivery note?
The entity would not want its despatch or delivery staff to see the value of the goods that were purchased by the customer. This is in order to reduce the chance of those staff stealing goods that are seen to be of particularly high value. It also assists in preventing the delivery note from being confused with other documents that do contain prices.

8. Sales invoice
The sales invoice is prepared for those goods or services that have been accepted by the customer and for which the customer is liable to pay. It contains, among other things, proper descriptions and quantities of the goods sold or services rendered, the prices of all items, and the total amount due.
Example: Refer to document 1F in the appendix at the end of the book.

In many computerised systems it is not necessary for a computer user to input product quantities and prices for the purpose of generating an electronic sales invoice: item codes, descriptions and quantities can be programmatically retrieved (i.e. by the computer) from the delivery note previously generated in the warehouse, and prices can be obtained from the sales order already stored on the computer system (if the sales order contained prices; alternatively, they can be automatically retrieved from the price list master file). The sales invoice is therefore ‘generated’ using data that already exists on the system, thereby avoiding data capturing errors.

9. Debtors statement
The debtors statement represents a summary of all the transactions (invoices, receipts and adjustments) relating to a debtor, usually over a period of a month.
At the end of a month, a debtors clerk (manual system) or a computer (computerised system) prepares a statement from each debtor’s account in the debtors ledger to indicate clearly to the customer what the customer still owes (i.e. what the customer’s outstanding debt is). The outstanding balance per the debtors statement should agree with the outstanding balance per the debtor’s account in the debtors ledger.

10. Customer receipt
When payment is received from a customer, a receipt is made out to the customer, showing the payee and amount received.
Example: Refer to document 1G in the appendix at the end of the book.

11. Remittance advice and proof of payment
A remittance advice is sent to the entity by a debtor together with payment to indicate which invoices the debtor is settling with a particular payment. When a debtor settles the amount outstanding via EFT, the debtor has to submit a proof of payment document to the entity after payment, typically by fax or email. (It may, however, not indicate the breakdown of the balance being settled as with a remittance advice.)

12. Mail register
A mail register is used by an entity to record incoming payments from debtors, such as cheques or cash placed in an envelope and posted by the customer to the entity. However, due to the risk of payments getting lost in the mail, sending money through the post is the exception rather than the norm. Whenever payments are received by post, each payment is recorded in the mail register (in numerical sequence) to serve as a record of money received.

13. Deposit slip
Should money from debtors have been received in cash or by cheque, a deposit slip will be prepared by the entity’s staff to indicate the total cash and cheques received for the period (e.g. daily, weekly) and taken to the bank, together with the cash and/or cheques to be deposited.
Example: Refer to document 1H in the appendix at the end of the book.

14.
Goods returned voucher
A goods returned voucher is an internal document which is prepared when goods are returned by a customer. The goods returned voucher serves as proof of goods being returned, enabling a credit note to be issued.
Example: Refer to document 1J in the appendix at the end of the book.

15. Credit note
A credit note is prepared when the debtor’s account has to be credited for any reason. If, for example, the debtor returned faulty goods to the entity after having been invoiced, the entity will have to write back the amount associated with the faulty goods by making out a credit note on the basis of a goods returned voucher.
Example: Refer to document 1K in the appendix at the end of the book.

EXAMPLE
Source documents in the cycle serve as a transaction trail. They are also used to create other source documents as a transaction flows through the cycle. For example, a customer order will be used to create an internal sales order (and backorder note if applicable). Further examples:

6.3.2.2 Journals and ledgers

1. Sales (or services) journal
The sales journal is used to record all sales or service transactions (invoices) with customers. Credit sales or services are posted to the debtors’ accounts in the debtors ledger and the debtors control account in the general ledger.
Example: Refer to document 1M in the appendix at the end of the book.

REFLECTION
What is the sales journal called in a computerised system?
In a computerised system, the sales journal may also be referred to as the ‘sales transaction file’.

2. Sales adjustments journal
The sales adjustments journal contains all transactions relating to sales returns (i.e. where a credit note has been issued to a customer for the return of goods purchased from the entity) and other adjustments (e.g. where a credit note has been issued to correct pricing or other errors on invoices issued).
In all such cases, an entry is made in the sales adjustments journal to record the amount for which the credit was granted or for which the adjustment was made.

3. Cash book (cash receipts journal)
The cash book contains all transactions relating to amounts received from customers. If the amount is received from a debtor, the receipt is also posted to the debtors ledger.

4. General journal
The general journal contains a record of all non-routine transactions and events not posted to the sales, sales adjustments or cash receipts journals, such as the write-off of bad debts or when management creates an allowance for credit losses.

5. Debtors ledger
The debtors ledger contains a detailed record of all transactions (invoices, receipts, returns and adjustments) applicable to all debtors. Each debtor has its own account in the debtors ledger. The closing balance of each debtor in the debtors ledger constitutes the outstanding debt payable by the debtor to the entity.

6. General ledger
The general ledger contains accounts drawn from all journals to serve as a collection point for all transactions that occurred in the various business cycles of an entity. The general ledger facilitates the compilation of a trial balance and the financial statements. It further enables a double-entry bookkeeping function that ‘controls’ the recording of transactions in an accounting system. For example, a credit to the sales account will always be matched to a debit to the debtors control account.

REFLECTION
What type of transactions might a person who attempts to fraudulently reduce a debtor’s outstanding balance post to a debtor’s account in the subsidiary ledger?
Such transactions could include fictitious credit notes (for returns) or receipts for amounts that were never in fact received. It could also involve any fictitious sales adjustments that would decrease the debtors’ outstanding balance.

6.3.3 Databases and master files (computerised systems only)

1.
Debtors master file
Manual system equivalent: Debtors ledger and/or Debtors list
The debtors master file is a database in an entity’s computer system that contains all permanent (standing) data relating to the entity’s debtors, including their outstanding balances and credit limits. The standing data further includes data fields such as a debtor’s name, address, contact details and outstanding balance. If, for example, a person opens a credit account at a clothing store, his or her personal details on the application form will be entered into the computer system and stored in the entity’s debtors master file.

Example: Extract of records from a debtors master file

| Debtor account code | Debtor name | Debtor’s address | Contact number | Outstanding balance | Credit limit |
| DEB007 | AJS Trading (Pty) Ltd | 22 Green Avenue, Westville | 023 123 4567 | R15,610 | R20,000 |
| DEB024 | Kopanong Electric | 50 Blue Lane, Eastburgh | 033 7654 321 | R7,500 | R10,000 |
| DEB033 | Sunrise Stationary | 14 Yellow Drive, Northton | 034 456 7123 | R27,866 | R35,000 |

2. Price list master file
Manual system equivalent: Price list
The price list master file contains the entity’s authorised prices applicable to the sale of items or rendering of services to customers. You may have noticed that when you buy groceries at the supermarket for instance, the cashier scans the items with a barcode scanner and a price appears on the till screen. The price that appears on the screen would have been automatically retrieved from the authorised price list master file that is stored in the computer system.

3. Inventory master file
Manual system equivalent: Inventory list
The inventory master file is a database containing, among other things, the inventory codes, the description of each item, together with the cost per unit, the unit selling price, and the quantities of goods available for sale for each item of inventory.

6.3.4 Reports

1.
Debtors listing (summary list of all debtors) (computerised systems only)
In a computerised system, the debtors listing is printed from the debtors master file. A computer application typically allows a user to choose which information (data fields) to include in the list, for example debtor’s code, debtor’s name, credit limit and balance due. The total outstanding balances when adding all individual debtors’ balances on the list should agree with the total balance according to the debtors master file.

2. Debtors age analysis (manual and computerised systems)
The debtors age analysis is more comprehensive than the debtors listing as it also contains a breakdown of the debtor’s outstanding balance in terms of its ageing, for example current balance, 30 days, 60 days and 90 days. This report can, among other functions, assist an accountant in his or her decision about what a reasonable allowance for credit losses should be. Many accounting software applications allow the printing of a debtors list, but with the option of also showing the ageing of the debtors’ balances.
Example: Refer to document 1L in the appendix at the end of the book.

6.3.5 Reconciliations

1. Debtors reconciliation
A debtors reconciliation takes place between the total of all the individual debtor accounts in the debtors ledger and the total balance per the debtors control account in the general ledger at a specific point in time (for example, at month end). In this way, an accountant can identify posting errors, such as where a receipt from a debtor was recorded in the debtor’s account (debtors ledger), but was not recorded in the debtors control account in the general ledger.

2. Bank reconciliation
A bank reconciliation is performed between the bank balance as per the bank statement (external balance per the entity’s bankers) and the balance as per the cashbook (internal balance as per the entity’s accounting records) at a specific point in time (for example, at month end).
If these two balances are not the same, reconciling items will exist. Such reconciling items may include, for example, deposits (or payments) that have been recorded in the entity’s cash book, but which have not yet been processed by the entity’s banker and would therefore not yet appear on the bank statement (or vice versa where the transaction has been processed by the banker, but not yet recorded in the entity’s cash book).

6.3.6 Illustration: Transaction flow in the revenue and receipts cycle
The following diagrams in Figure 6.3 show the typical flow of a sales and a receipt transaction through the cycle. The entity illustrated sells goods to customers on credit and delivers these to customers using its own staff (i.e. it does not use a third-party courier to transport the goods). You should expect to encounter scenarios where the flow of the transactions, names, types and numbers of copies of documents and application of the internal controls differ from the one illustrated. Any revenue and receipt system should, however, address the risks facing the cycle in order to achieve the control objectives of validity, accuracy and completeness of financial information relating to this cycle.

Figure 6.3: Transaction flow

6.4 What could go wrong (risks) in the cycle?

6.4.1 Financial reporting risks
Owing to its significance as a line item in the financial statements, revenue is particularly prone to error and fraudulent financial reporting. In addition, revenue is an important indicator of an entity’s size and market share. Changes in the revenue figure are a key focus for investors and other stakeholders in assessing an entity’s growth and even future viability. The revenue figure may also have a significant effect on the entity’s profit and can be regarded as a key indicator of an entity’s financial performance.

6.4.1.1 Major reporting risks affecting revenue
The following are typical risks affecting reported revenue in financial statements:
• Fictitious sales are recorded.
In other words, sales transactions that never in fact occurred are recognised as revenue in the financial statements. Revenue will thus be overstated. Fictitious sales may also give rise to non-existent assets, such as fictitious debtor accounts or bank balances.
• Sales transactions are recorded in the incorrect financial period. Management could thus manipulate the timing of revenue by:
  • not deferring revenue over the period when it is earned (e.g. revenue is inappropriately recognised upfront in financial period one when the sales contract is concluded and/or cash is received for the delivery of goods or rendering of a service over the span of future financial periods two, three etc.). This will lead to an overstatement of revenue in financial period one; and
  • not accruing revenue at the point when it is earned (e.g. goods were sold or services were rendered on credit in financial period one, but recognised only when the cash is received in financial period two). This will lead to an understatement of revenue in financial period one.
• Revenue is understated by not recording all sales transactions that occurred. Profits (as well as taxable income) will, in turn, be understated. Net assets may also be understated, such as where unrecorded credit sales have resulted in the exclusion of a trade debtor balance. Management may want to understate an entity’s revenue in order to avoid paying taxes in a particular financial year. They may even understate sales to deliberately downplay the true performance of the entity in order to avoid scrutiny from stakeholders such as employees. If staff did not receive increases in salaries and wages, but the entity made a significant profit, the employees may accuse management of unfair distribution of the entity’s wealth.
• Revenue is not recognised in terms of the applicable financial reporting standards.
6.4.1.2 Major reporting risks affecting cash and cash equivalents
The following risks may affect cash balances reported in financial statements:
• Bank and cash balances are overstated owing to fictitious receipts having been recorded in the financial records (which may also be related to fictitious sales).
• The non-recording of cash receipts or deposits where sales which were made for cash are not recorded in the cash book as receipts (e.g. due to theft of the cash by the entity’s staff before it was banked), resulting in a decrease in the bank and cash and possibly also the revenue figures.

REFLECTION
How does the presence of a high volume of cash sales in an entity affect the risk of fraud in terms of revenue recognition?
Keep in mind that in a cash sales system, cash is received at the same time as when the goods are delivered (think of a grocery store) or the service is rendered. Because the timing of revenue recognition and recording of the cash receipt is the same, the risk of fraud resulting from the manipulation of timing differences is reduced. However, there is a risk that cash is received from customers, but that neither the receipt nor the revenue is recorded (in order to, for instance, evade the entity’s income tax obligations).

6.4.1.3 Specific fraudulent financial reporting techniques

6.4.1.3.1 Revenue recognition
A risk exists that an entity may abuse the principles underlying revenue recognition and thereby falsely overstate or understate its revenue (as explained under section 6.4.1.1). The following example, involving the company Leisurenet Ltd, illustrates the possible consequences of an entity misapplying the revenue recognition requirements:

CASE STUDY
A South African corporate collapse2
What if an entity were to immediately recognise the full revenue from the rendering of a service that is worth say R9 600 per customer, but the service to the customer is provided over a period of two years (24 x R400 per month)?
Ignoring the time value of money for this example, IFRS 15 requires that the R9 600 should not be recognised as revenue in the accounting records immediately, even if the customer signed a two-year contract on day one promising to pay R400 per month for a period of two years. As the entity will incur expenses each month for as long as the contract is in operation, the recognition of the revenue should be ‘spread’ over the period over which expenses will be incurred. The practice of recognising revenue in advance, instead of deferring it, will significantly distort the true nature of the entity’s ability to cover its future expenses. Should the full revenue from such a long-term contract be recorded all at once (‘upfront’), the entity may be inclined to pay out the revenue as dividends soon thereafter, leaving little to cover future expenses that the entity is obliged to incur as it continues to render the service over the period of the contract.

The inappropriate recognition of revenue in advance contributed to one of the largest corporate collapses in South African history. The case involved Leisurenet Ltd, a company that was listed on the JSE. Leisurenet operated a chain of gyms and offered, among other things, long-term gym memberships to customers. The company did not in all instances recognise revenue from membership fees over the duration of the membership contracts, but instead did so upfront when a contract was signed. In 1999, Leisurenet’s revenue recognition policies included a statement reading as follows:

Revenue from long-term membership fees is spread over the period of the contract based on the estimated usage of the facilities by members.
A statistical analysis is performed so as to establish the average percentages of users and non-users and the trends established are used in the calculation of the income deferred.3

Deferring gym membership fees only for those members who regularly utilised Leisurenet’s gym facilities and not also for the large percentage of members who did not regularly attend gym, resulted in a distorted view of the actual financial performance of Leisurenet. The distortion was evidenced by the restatements to the financial statements that were required when the company implemented its new (‘correct’) accounting policy for revenue recognition. It came to light that much of the revenue that was recorded for many years up to that point was in fact fictitious. As a result, an annual profit of R109,5 million turned into a loss of R46,8 million and shareholders’ funds of R610 million were reduced to about R157 million. The collapse and ultimate demise of the company finally happened in October 2000 when the company was liquidated. This was followed by many years of litigation against the directors of Leisurenet and even against the company’s auditor.

HOW?
How does an understanding of the appropriate accounting treatment for revenue assist an auditor?
The auditor will be able to identify and assess more comprehensively the risks relating to material misstatements in the annual financial statements, both in terms of errors and fraud.

6.4.1.3.2 Boosting sales through round-trip deals
A round-trip deal is an artificial sales transaction, usually initiated between related parties, where one party sells goods or services to the other, only to purchase them back from the other immediately or soon thereafter. Such round-trip dealing can occur for several transactions, perhaps even hundreds or thousands of transactions, amounting to millions of rands.
In this way, both parties’ sales increase considerably and, although their expenses (purchases) increase proportionately, a false reflection of market share and sales growth is portrayed when revenue is reported in the financial statements.

6.4.1.3.3 Channel-stuffing business partners with excessive inventory to increase sales
Channel-stuffing is a technique used by some companies to increase their revenue by unethical means. In channel-stuffing, a company forces its commercial customers (such as wholesalers) to purchase much more of the company’s inventory than the customer would usually require. Bear in mind that some corporations wield considerable bargaining power over their commercial customers (e.g. the corporation is the customer’s major or sole supplier) and may be in a position to force the latter’s behaviour accordingly. By channel-stuffing excess inventory off its records, sales are recorded as revenue (inventory has been sold), even though the customers did not require the goods at that time. In effect, an illusion of increased sales activity is created.

6.4.1.3.4 Kiting with bank transfers
Kiting with bank transfers is a fraudulent technique whereby an entity which has bank accounts with two or more banks exploits the time it takes to clear (settle) bank transfers between different banks. Clearing of transfers between banks does not take place instantly. Therefore, should an entity use its online banking system with Bank Y to request funds to be transferred into the bank account it holds with Bank Y from the bank account it holds with Bank Z, the deposit will immediately be reflected in the entity’s bank account it holds with Bank Y, but the withdrawal will only appear in the bank account held at Bank Z a few days later.
This delay provides the entity with an opportunity to inappropriately ‘double-count’ the transferred amount in an entity’s financial records as follows: The deposit in the entity’s bank account of Bank Y is recorded on the day of the transfer, whilst the withdrawal from the bank account with Bank Z is not recorded until a few days later (normally in the next financial reporting period). An entity might therefore apply ‘kiting’ to (fraudulently) overstate the bank and cash balance in its financial statements and, by doing so, will convey a more favourable net asset position. This practice of ‘kiting’ can also occur between entities in the same group of companies (which hold bank accounts across different banks) in order to (fraudulently) ‘improve’ the group’s apparent cash/net asset position. Note that kiting can also occur with cheque payments. Kiting poses the greatest risk for fraudulent financial reporting around the end of a financial year.

EXAMPLE
Consider two entities A (Pty) Ltd and B (Pty) Ltd in the same group of companies utilising different banks, but they each have the ability to request transfers from the other company’s bank accounts using their online banking platforms.
Before kiting was applied, the cash positions of the two entities reflected the following:
A (Pty) Ltd bank balance at 31 December 20X1: R8 million
B (Pty) Ltd bank balance at 31 December 20X1: R3 million
Group’s total cash position: R11 million

Assuming a transfer request of R2 million was made by B (Pty) Ltd from the bank account of A (Pty) Ltd and assuming the group engages in the practice of kiting, the cash position of the entities in their respective general ledgers and the group’s net position will appear as follows:
A (Pty) Ltd bank balance at 31 December 20X1: R8 million (outflow of funds not yet recorded)
B (Pty) Ltd bank balance at 31 December 20X1: R5 million (inflow of funds has been recorded)
Group’s total cash position: R13 million (overstated by R2 million)

The recipient of the transfer, B (Pty) Ltd, records the R2 million received in its financial records as a deposit (as soon as the funds are requested) and this deposit will actually show on the bank statement before year-end as such. The entity which has to settle the transfer, A (Pty) Ltd, however, refrains from making any accounting entry relating to the disbursement until after year-end. In other words, A (Pty) Ltd does not record an outflow, due to the funds still ‘appearing’ in its bank account. Accordingly, A (Pty) Ltd abuses the time it takes for A (Pty) Ltd’s bank to process the transfer, leading to a situation where both A (Pty) Ltd and B (Pty) Ltd account for the very same funds (i.e. overall, the group double-counts for the funds).

To address the risk of kiting, auditors prepare transfer schedules whereby they list all the transfers that occurred (usually close to year-end and shortly thereafter) in bank account 1 as well as those in bank account 2. They then reconcile the amounts to ensure that for every deposit recorded in the financial records prior to year-end, a corresponding disbursement has also been recorded in the same financial period.
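The transfer schedule described above can be prepared from the two cash books as data. The following Python sketch is an added illustration, not material from the book: it pairs the deposit and disbursement legs of each interbank transfer and flags any deposit recorded before year-end whose disbursement was not recorded in the same period. The record layout, the transfer references, the calendar dates (2021 stands in for 20X1) and transfers T-1002 and T-1003 are constructed assumptions; T-1001 is the book's R2 million example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

YEAR_END = date(2021, 12, 31)      # constructed stand-in for 31 December 20X1
RECORDED_GROUP_CASH = 13_000_000   # group cash per the ledgers in the book's example


@dataclass(frozen=True)
class CashBookEntry:
    """One leg of an interbank transfer as recorded in an entity's cash book."""
    entity: str
    ref: str         # transfer reference shared by both legs (assumed field)
    direction: str   # "in" = deposit recorded, "out" = disbursement recorded
    amount: int      # rand
    recorded: date   # date the entry was made in the cash book


@dataclass(frozen=True)
class ScheduleRow:
    ref: str
    amount: int
    receipt_recorded: Optional[date]
    disbursement_recorded: Optional[date]
    finding: str


def build_transfer_schedule(entries, year_end=YEAR_END):
    """Pair the two legs of each transfer and test that both fall in one period."""
    legs = defaultdict(dict)
    for e in entries:
        if e.direction not in ("in", "out"):
            raise ValueError(f"unknown direction {e.direction!r} on {e.ref}")
        if e.direction in legs[e.ref]:
            raise ValueError(f"duplicate {e.direction!r} leg for {e.ref}")
        legs[e.ref][e.direction] = e

    def before_year_end(d):
        return d is not None and d <= year_end

    rows = []
    for ref in sorted(legs):
        dep, wd = legs[ref].get("in"), legs[ref].get("out")
        dep_date = dep.recorded if dep else None
        wd_date = wd.recorded if wd else None
        if dep and wd and dep.amount != wd.amount:
            finding = "AMOUNT_MISMATCH"
        elif before_year_end(dep_date) and not before_year_end(wd_date):
            # Deposit counted this year, withdrawal next year or never:
            # the same funds sit in two bank balances at year-end.
            finding = "RECEIPT_WITHOUT_DISBURSEMENT"
        elif before_year_end(wd_date) and not before_year_end(dep_date):
            finding = "DISBURSEMENT_WITHOUT_RECEIPT"
        else:
            finding = "SAME_PERIOD"
        rows.append(ScheduleRow(ref, (dep or wd).amount, dep_date, wd_date, finding))
    return rows


def cash_overstatement(rows):
    """Total of deposits recognised before year-end with no matching outflow."""
    return sum(r.amount for r in rows if r.finding == "RECEIPT_WITHOUT_DISBURSEMENT")


# Constructed sample cash book entries around year-end.
SAMPLE_ENTRIES = [
    CashBookEntry("B (Pty) Ltd", "T-1001", "in", 2_000_000, date(2021, 12, 30)),
    CashBookEntry("A (Pty) Ltd", "T-1001", "out", 2_000_000, date(2022, 1, 4)),
    CashBookEntry("A (Pty) Ltd", "T-1002", "in", 500_000, date(2021, 12, 15)),
    CashBookEntry("B (Pty) Ltd", "T-1002", "out", 500_000, date(2021, 12, 15)),
    CashBookEntry("B (Pty) Ltd", "T-1003", "in", 750_000, date(2022, 1, 5)),
    CashBookEntry("A (Pty) Ltd", "T-1003", "out", 750_000, date(2022, 1, 5)),
]

if __name__ == "__main__":
    schedule = build_transfer_schedule(SAMPLE_ENTRIES)
    for row in schedule:
        print(row.ref, row.amount, row.receipt_recorded,
              row.disbursement_recorded, row.finding)
    over = cash_overstatement(schedule)
    print("Overstatement:", over, "Corrected group cash:", RECORDED_GROUP_CASH - over)
```

A transfer whose disbursement leg is missing from the cash books altogether is reported with the same finding as one recorded after year-end, since both leave the funds counted twice at the reporting date.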
6.4.2 Misappropriation risks
The following risks apply to the misappropriation of the entity’s assets relating to the revenue and receipts cycle.

6.4.2.1 Theft of cash
A common risk pertaining to the cycle is that of cash theft, considering that the cycle addresses the receipt of cash from other parties. Typical risks include the following:
• Cash is misappropriated (stolen) by employees working for the entity on receipt of the cash from customers.
• Cash is stolen from the premises of the entity while kept in custody (e.g. from the till or from a safe).
• Cash is stolen from the entity while the cash is on its way to the bank to be deposited.
• Cash is stolen from the entity’s bank account through electronic means (e.g. if a person should obtain the access details of the entity’s online banking profile and transfer funds out of the account).

6.4.2.2 Specific misappropriation techniques

6.4.2.2.1 Lapping (rolling of cash)
Lapping occurs where a cashier takes cash paid by one of the entity’s debtors, and covers up the shortfall using a subsequent debtor’s cash or cheque receipt. Also called cash rolling, lapping is a higher risk in companies where:
• Cash and cheques are received from debtors;
• There is weak segregation of duties and especially where cashiers also record transactions to the debtors ledger and handle queries from debtors;
• There is a lack of supervisory or review controls.

EXAMPLE
Debtor A pays the cashier R1 000 to settle his account. The cashier misappropriates the money by taking it without the debtor knowing. Even though a receipt might have been issued to the debtor, the money is not banked.
The cash-up results for the day would appear as follows:
Total cash received (per receipt issued): R1 000
Total cash banked: R0
Shortfall: R1 000 (cash misappropriated by cashier)

If the cashier does not engage in cash lapping by rolling the misappropriated funds, Debtor A will become suspicious at the end of the month (on receiving a debtors statement) when his or her balance still shows an outstanding amount of R1 000. (Note: The receipt would not have been recorded to the debtors account/cash book, as no money was deposited in the bank in order to justify the recording thereof.)

In order to avoid scrutiny from Debtor A, the cashier will have to apply a subsequent debtor’s cash/cheque receipt (e.g. Debtor B’s) or part thereof (i.e. at least R1 000) to Debtor A’s outstanding account balance in order to make it appear as if the money had been received from Debtor A:
Total cash received (receipt): R2 000 (received from Debtor B)
Total cash banked: R2 000 (of which R1 000 is allocated to Debtor A’s account and R1 000 is allocated to Debtor B’s account)
Shortfall: R0 (the original shortfall of R1 000 is being lapped)

On the last day of the month, by which time Debtor C’s money might be lapped to make up for the shortfall in Debtor B’s account, it is practical for the cashier simply to tell Debtor C (on enquiry and if the cashier handles debtor queries) that the reason for Debtor C’s statement showing a balance of R1 000 (instead of R0) is due to ‘an error on the part of the entity, which will be corrected by the next statement date’ (or some similar excuse). The theft of the original R1 000 cash, however, has been concealed using lapping.

Note that Debtor C’s account will show R1 000 as outstanding at the end of the month despite Debtor C having paid, because an amount of R1 000 from Debtor A was misappropriated by the cashier and subsequently lapped. A system of lapping can continue into perpetuity if not detected by management.
Besides being caught out, the perpetrator involved can also end the lapping by returning the shortfall from his or her ‘personal’ funds before debtors or management become suspicious. This will restore all balances to the correct amounts.

A lapping ‘system’ can become highly complex and difficult to detect. For this reason, it is imperative that cashiers should:
• Not deal with the bookkeeping function (they should especially not be allowed to post credit adjustments to debtors’ accounts, otherwise they might easily conceal theft);
• Not handle debtor queries/complaints; and
• Be compelled to go on leave for extended periods of time during which lapping systems may become exposed if the cashier is not present to cover up and manage his or her system of cash lapping.

6.4.2.2.2 Dishonoured cheques (applies only to cheque payments)
A dishonoured or bounced cheque occurs where a customer pays for a cash sale by cheque, but does not have sufficient funds in his or her bank account to honour the cheque. When the entity that received the cheque banks it, the entity may soon find that the bank cannot transfer the funds from the drawer’s bank account, resulting in the cheque being dishonoured. It might not be easy (or even possible) to get hold of the customer to demand repayment, resulting in a financial loss for the entity.

6.4.2.2.3 Fictitious deposits (EFTs and direct deposits only)
When a customer makes an EFT or a direct deposit into an entity’s bank account, the bank’s system generates an electronic proof of payment document for the customer, which the customer can submit to the entity as proof of having made the deposit. However, these documents are easily manipulated and forged. A common act of fraud present in systems where EFTs and direct deposits occur consists of such a ‘customer’ buying goods from an entity and supplying the entity with a forged proof of payment document in return.
The fake proof of payment appears to show that money has been deposited in the entity’s bank account in exchange for the goods, but no deposit was in actual fact made. Should the entity simply accept the proof of payment, incorrectly believing that the money has been deposited into its bank account and without confirming whether a deposit has indeed been cleared by its bank, financial losses may result if the goods cannot be recovered. Losses may be incurred in the same way where services are rendered based on a fake proof of payment.

A variation on the above act of fraud involves the fraudster informing the entity that he or she (the fraudster) has accidentally deposited an amount into the entity’s bank account that was intended for a different recipient. The fraudster may make up an elaborate excuse as to why it is urgent that the entity repay the funds as soon as possible, for example needing the money to pay employees their weekly wages. Should the entity accept the claim in good faith without ensuring that a deposit has indeed been credited to its bank account and cleared by the bank (it may take several days for a deposit to clear), the entity may suffer financial loss as a result.

Such naïve acceptance of a proof of payment or claim of deposit may lead to sizeable financial losses for an entity, as banks do not necessarily compensate their banking customers if it is found that the customer was negligent. It is therefore in the best interests of an entity to ensure deposits have been cleared by its own bank before acting on any requests to repay a deposit.

6.4.2.2.4 Phishing scams (EFT systems only)
In order to gain access to its online banking account (profile), an entity’s staff member responsible for online banking is required (by the bank’s online system) to furnish a username and password first (some banks’ websites may require an additional PIN). The staff member may, if he or she is not careful, however, fall victim to a ‘phishing scam’.
In a phishing scam, a fraudster sends an email or SMS to the staff member which purports to have been sent from the entity’s banker. The email may even contain the bank’s logo (falsely included). In the email the fraudster would use trickery to convince the staff member to send his or her online banking username and password via email (back to the fraudster). Reasons given by the fraudster could, for example, be ‘security purposes’ or ‘account verification’. The fraudster may go to great lengths to convince the staff member to provide this information – including threatening the staff member that he or she will ‘forever lose all access to the entity’s online bank account’ or will ‘lose funds from the account’ if the information is not provided urgently. Should the staff member submit these details, the fraudster is likely to log onto the entity’s bank account and steal funds. It should be noted that banks would never ask for a customer’s online banking username or password – even in so-called ‘special circumstances’ or ‘emergencies’.

6.5 What computer technologies are used in the cycle?
Various computer technologies may be applied in the revenue and receipts cycle. Some examples of such technologies follow.

6.5.1 Point-of-sale systems and barcode scanning
A point-of-sale (POS) system (also referred to as a checkout system) typically consists of an electronic cash register (either a till or a computer, or a till connected to a computer), a barcode scanner connected to the cash register and a software application loaded on the till/computer. Many shops (such as supermarkets) use POS systems with barcode scanning functionality. A cashier scans the barcode of a customer’s selected items at the till with either a handheld or a fixed barcode scanning device. The till is linked to the price list master file in the store’s computer system in order to display the price of the product on the till screen.
The scanner is also linked to the inventory master file in order to display the product’s description. In this way, a receipt with the product’s price and description can be printed for the customer, and the transaction recorded in the correct amount.

Fraud involving revenue suppression software
The tax authorities frequently rely on the tax-compliant nature of software used by businesses to record revenue transactions. Revenue suppression software is a specialised computer application used by unscrupulous businesses to evade taxes. A company will collude with the developer of a software application to code the software in such a way that the application does not record all transactions (or only part thereof) that pass through the computer system, leading to a reduced taxable income for the company.

6.5.2 Electronic funds transfer
An EFT transaction involves the transfer of money from one bank account to another by means of a computer and a network linking those computers (such as a wide area network or the internet) (refer to Chapter 5 for details). Some customers will pay an entity by means of an EFT and not physically in cash. The entity might request that the customer email or fax the entity a proof of payment slip or printout after the EFT has been made.

6.5.3 Online sales (internet-based)
Some entities sell their goods via the internet. A customer can visit the entity’s website and select the products he or she wishes to purchase. The customer is asked to enter his or her credit card particulars on a secure web page, after which the customer’s bank will pay the consideration over to the entity’s bank. This web-based sales system of the entity is linked to its inventory and price list master files. An internal sales order and picking slip is automatically generated by the sales system for the entity to process the sale and to pick the goods from its warehouse and to despatch them to the customer.

6.6 What are the control objectives in the cycle?
6.6.1 Control objectives in the cycle
An entity faces various risks in virtually all of its financial operations, some more significant than others. This also applies to the entity’s revenue and receipts cycle. Should an entity not be able to avoid these risks, the revenue and receipts transactions recorded in its accounting records might be invalid, inaccurate or incomplete, leading to eventual misstatements in its financial statements. Accordingly, management implements application controls (refer to Chapter 5, section 5.9) to ensure that revenue and receipt transactions (including any adjustments) are valid, and are completely and accurately recorded and processed.

6.6.1.1 The aim of the control objectives in the cycle
Validity, accuracy and completeness of revenue and receipt information comprise the control objectives that management aims to achieve to address the major risks present in the cycle.

To ensure that revenue transactions are valid, they should be genuine (i.e. the sale of goods/rendering of a service did happen and relates to a transaction between the entity and a willing, creditworthy customer). Furthermore, any required authorisation for the transaction should have been granted by the entity’s management. The transactions in the cycle should also have been recorded in the financial period to which they pertain. Lastly, the transactions should be supported by sufficient documentation.

Similarly, with the validity control objective, management aims to ensure that revenue adjustments (such as those relating to credit notes for the return of goods) and receipt transactions are genuine and that the requisite authorisation for the transactions has been obtained. They would further aim to ensure that revenue adjustments and receipts are recorded in the correct accounting period (i.e. the period to which they pertain) and that sufficient supporting documentation exists for the transactions.
To ensure that revenue transactions are accurate, a transaction should be recorded at the appropriate amount. The amount on the sales invoice should therefore have been calculated correctly (e.g. in terms of the correct quantity and unit price for a particular item) and the price should be in terms of the authorised price list of the entity. They should also be correctly classified as sales transactions in terms of the entity’s chart of accounts and correctly summarised and posted to the accounting records. In the same way, any revenue adjustments should be accurately calculated and recorded correctly in the financial records. Receipt transactions should also be recorded correctly in terms of the amount of cash that was actually received from a customer.

To ensure that revenue transactions are complete, all revenue transactions (including applicable adjustments to revenue) that took place in a given period should have been recorded in the accounting records and this recording should be done in a timely manner. In other words, no authorised revenue transaction that occurred should be omitted from the entity’s accounting records.

6.6.1.2 Consequences if the control objectives in the cycle are not achieved
Table 6.2 summarises the consequences if the control objectives for revenue (sales/services transactions) are not achieved.

Table 6.2: Consequences if control objectives are not achieved for revenue (sales/services) transactions
CONTROL OBJECTIVE | CONSEQUENCE IF CONTROL OBJECTIVE IS NOT ACHIEVED
Validity | Overstatement of revenue and/or debtor accounts
Accuracy | Over or understatement of revenue and/or debtor accounts
Completeness | Understatement of revenue and/or debtor accounts

Example: If fictitious sales transactions are recorded in the financial records, the control objective of validity, which should have prevented such transactions from being recorded, would not have been achieved. Revenue would thus be overstated in the Statement of Comprehensive Income.
Table 6.3 summarises the consequences if the control objectives for revenue adjustment (e.g. sales returns) transactions are not achieved.

Table 6.3: Consequences if control objectives are not achieved for revenue adjustment (e.g. sales returns) transactions
CONTROL OBJECTIVE | CONSEQUENCE IF CONTROL OBJECTIVE IS NOT ACHIEVED
Validity | Understatement of revenue and/or debtor accounts
Accuracy | Over or understatement of revenue and/or debtor accounts
Completeness | Overstatement of revenue and/or debtor accounts

Example: If all transactions relating to sales returns are not included in the financial records, the control objective of completeness of financial information would not have been achieved. This would lead to an overstatement of revenue, since sales returns would decrease sales in the Statement of Comprehensive Income.

Table 6.4 summarises the consequences if the control objectives for cash receipt transactions from debtors (as opposed to those relating to cash sales) are not achieved.

Table 6.4: Consequences if control objectives are not achieved for cash receipt transactions from debtors (as opposed to those relating to cash sales)
CONTROL OBJECTIVE | CONSEQUENCE IF CONTROL OBJECTIVE IS NOT ACHIEVED
Validity | Overstatement of the bank account and understatement of debtor accounts
Accuracy | Over or understatement of the bank account and under or overstatement of debtor accounts
Completeness | Understatement of the bank account and overstatement of debtor accounts

Example: If a receipt transaction is recorded in the financial records which did not in fact take place (i.e. the validity control objective was not achieved), the receipts recorded in the cash book would be overstated, and therefore also the bank account in the general ledger. Should the transaction have been (evidently) received from a debtor, the debtors balance would be understated, as the debtor’s account would have been wrongfully credited with a receipt.
6.6.2 Achievement of the control objectives in the cycle
The control objectives in the cycle are achieved through the proper implementation and operation of an information system, including an accounting system and related internal controls, in an entity. Note that the control objectives can either be achieved manually (a person performs the internal control) or by automated means (a computer performs the control).

The following examples serve to illustrate in broad terms several ways in which the control objectives can be achieved in the cycle. Note that these examples are not a reflection of the detailed control activities required to achieve the control objectives.

Validity of revenue and receipts:
• Selling only to those credit customers who have been approved, are creditworthy and can pay their debt in the near future;
• Sales orders being approved, by either manual or automated means;
• Picking of goods from the warehouse based on an authorised sales order only;
• Obtaining a customer’s signature (customer acknowledgement) of the sales transaction on delivery of goods or rendering of services. The customer acknowledgement serves as an indication that a sales transaction has taken place and that a sale can therefore be recorded in the accounting records;
• Recording revenue transactions in the accounting records that relate to actual sales (i.e. transactions that are not fictitious) that are supported by genuine supporting documentation; and
• Recording receipts that relate to genuine cash transactions where cash was actually received and was received from a customer who transacted with the entity.
Accuracy of revenue and receipts:
• Recording correct quantities on supporting documentation (such as on the internal sales order, delivery note and invoice);
• Recording correct amounts on supporting documentation (such as on the invoice and receipt);
• Ensuring the mathematical correctness of calculations for quantities as well as sales, receipt and tax amounts on supporting documentation and in the accounting records;
• Performing regular reconciliations between the debtors ledger and the general ledger control account; and
• Performing regular reconciliations between the balance in the cash book and the balance according to the bank statement.

Completeness of revenue and receipts:
• Ensuring that for every delivery note, there is a corresponding sales invoice recorded in the accounting records;
• Ensuring that there are no gaps in the sequential numbering (recording) of sales invoices or receipts in the accounting records;
• Depositing all cash receipts from customers in the entity’s bank account and recording them in the cash book; and
• Performing reconciliations as noted under accuracy above.

Details of control objectives and controls in the cycle appear in section 6.7 of this chapter.

6.6.3 Link between the control objectives in the cycle and management’s assertions
Transactions that are not valid, accurate and complete (caused by the control objectives not having been achieved) will result in revenue and receipts (and related account balances) being misstated in the accounting records, which will in turn result in the financial statements being misstated. The process of recording a transaction in the financial records and thus for it to be included in the financial statements, is as follows:

During a transaction’s flow through an entity’s information system, it will be subject to numerous internal controls that help ensure that the control objectives are achieved.
The transaction will only reach its end point appropriately if it ends up in the financial statements in a manner that achieves the control objectives. Thus, if management wishes to ensure proper financial recording (and fairly presented financial statements), they need to implement and maintain a proper information system, including an accounting system and related internal controls. In this way, the control objectives contribute to the appropriateness of the assertions made by management in the financial statements and will indirectly result in the latter being free from material misstatement.

CYCLE CASE STUDY
Application of the assertions to Ntsimbi Piping
The following assertions are made by the management of Ntsimbi Piping, either implicitly or explicitly, as communicated to users of the financial statements.

Account balances and related disclosures
Refer to the Statement of Financial Position in the financial statements of Ntsimbi Piping (page 7). Note the line item ‘Trade and other receivables’ with a balance of R17,241,701. Also refer to the Notes to the Annual Financial Statements of Ntsimbi Piping – specifically note 5 (Trade and other receivables) (page 17).
• In relation to existence, trade debtors and other receivables making up the balance exist (i.e. the underlying assets are not fictitious).
• In relation to rights, Ntsimbi Piping is the entity that holds or controls the underlying assets making up the balance (rights). The assets do not belong to another entity.
• In relation to accuracy, valuation and allocation, the balance of R17,241,701 is considered an appropriate amount as the balance reflects the appropriate value of the underlying amounts receivable in the future. Further, any adjustments as to the value or allocation of the underlying assets have been recorded appropriately, and the related disclosures have been appropriately measured and described.
• In relation to completeness, all assets deemed trade and other receivables and which are assets of Ntsimbi Piping, have been recognised as such in the financial statements (notwithstanding the measurement thereof, which is dealt with separately under the accuracy, valuation and allocation assertion). In addition, all disclosures relating to ‘Trade and other receivables’ that should have been made in the notes to the financial statements, have been made.
• In relation to classification, the amounts making up the balance of R17,241,701 have been recorded in the proper accounts constituting ‘Trade and other receivables’.
• In relation to presentation, trade debtors and other receivables have been appropriately aggregated/disaggregated and are clearly described in the financial statements, while the disclosures pertaining to the account balance have been made in a relevant and understandable manner. For instance, no debtors with credit balances have been included in trade receivables, and vague descriptions (such as ‘provisions’ without indicating what they are for) have been avoided.

Transactions and events and related disclosures
Refer to the Statement of Comprehensive Income in the financial statements of Ntsimbi Piping (page 8). Note the item ‘Revenue’ in the amount of R128,320,126. Also note from note 13 to the Annual Financial Statements of Ntsimbi Piping (Revenue) (page 19) that this item consists entirely of the sale of goods.
• In relation to the occurrence assertion, sales transactions amounting to R128,320,126 did in fact take place (they occurred and are not fictitious) and also pertain to Ntsimbi Piping.
• In relation to accuracy, the sales transactions making up the total have been recorded in the correct amounts (e.g. in terms of the correct item quantities delivered to customers and prices agreed with (or proposed to) customers). Moreover, the related disclosures in the financial statements have been appropriately measured and described.
• In relation to completeness, all sales transactions that took place during the financial year and which pertain to Ntsimbi Piping have been recorded and included under ‘Revenue’. Moreover, all related disclosures regarding ‘Revenue’ that should have been included in the financial statements have been included.
• In relation to cut-off, all the sales included in ‘Revenue’ relate to transactions that took place within the financial year (i.e. the transactions concerned relate only to deliveries of goods to customers between the first and last day of the financial year (inclusive of both days)).
• In relation to classification, all transactions constituting the total of R128,320,126 are appropriately classified as sales and do not relate to, for instance, interest income.
• In relation to the presentation assertion, revenue has been appropriately aggregated/disaggregated and clearly described, while the related disclosures pertaining to revenue have been made in a relevant and understandable manner.

The assertions for revenue (including sales adjustments) and accounts receivable are linked to the control objectives in the cycle as shown in Table 6.5.

Table 6.5: Assertions for revenue and accounts receivable

CONTROL OBJECTIVE: Validity
Classes of transactions and events and related disclosures: Revenue (including sales returns)
Assertions: Occurrence and Cut-off
A control achieving the validity objective for a sales transaction will ensure that the recorded transaction was authorised, actually took place and pertains to the entity (occurrence) and will further ensure that it has been recorded in the financial period to which the transaction relates (cut-off).
Account balances and related disclosures: Accounts receivable
Assertions: Existence and Rights
Sales transactions that were authorised, actually took place and pertain to the entity will result in the raising of a debtor balance that is approved, genuine and is rightfully the asset of the entity (existence and rights).

CONTROL OBJECTIVE: Accuracy
Classes of transactions and events and related disclosures: Revenue (including sales returns)
Assertions: Accuracy and Classification
A control achieving the accuracy objective for a sales transaction will ensure that the transaction is recorded at the correct amount, including quantities, prices and correct calculations (accuracy). It will further ensure the transaction has been correctly classified and posted to the correct account in the financial records in accordance with its nature (classification).
Account balances and related disclosures: Accounts receivable
Assertions: Accuracy, valuation and allocation and Classification
If a sales transaction making up a debtor’s balance can be confirmed for the accuracy assertion, the gross amount of the asset will be appropriate. Furthermore, any transaction resulting in a valuation or allocation adjustment to the gross amount will be appropriate if the adjustment can be confirmed for accuracy (e.g. adjustments pertaining to impairments/allowances for credit losses or debt write-offs). Controls achieving accuracy will also ensure the asset is appropriately classified.

CONTROL OBJECTIVE: Completeness
Classes of transactions and events and related disclosures: Revenue (including sales returns)
Assertions: Completeness
A control achieving the completeness objective for a sales transaction will ensure that all transactions that took place during the financial period being considered are recorded (completeness).
Account balances and related disclosures: Accounts receivable
Assertions: Completeness
Should all sales transactions that took place with debtors be recorded, all accounts receivable that should be created would be recorded as a result (completeness) and the asset balance would be complete in terms of the underlying sales transactions (completeness).

Note: Controls that achieve the control objectives of validity, accuracy and completeness collectively contribute to management being able to properly present both classes of transactions and events and the related disclosures, and account balances and the related disclosures in the financial statements. Consequently, the Presentation assertion is not included explicitly in Table 6.5 above.

The assertions for cash receipts are linked to the control objectives in the cycle as shown in Table 6.6.

Table 6.6: Assertions for cash receipts
Classes of transactions and events and related disclosures: Receipts (recorded in the cash book)

CONTROL OBJECTIVE: Validity
Assertions: Occurrence and Cut-off
A control achieving the validity objective for a receipt transaction will ensure that the receipt pertains to the entity and actually took place (occurrence) and will further ensure that it has been recorded in the financial period to which the payment relates (cut-off).

CONTROL OBJECTIVE: Accuracy
Assertions: Accuracy and Classification
A control achieving the accuracy objective for a receipt transaction will ensure that the receipt is recorded at the correct amount (accuracy). It will further ensure the receipt has been correctly classified, summarised and posted to the correct account in the financial records in accordance with its nature (classification).

CONTROL OBJECTIVE: Completeness
Assertions: Completeness and Cut-off
A control achieving the completeness objective for a receipt transaction will ensure that all receipts during the financial period are recorded as such (completeness) in a timely manner (cut-off).

6.7 What are the controls in the cycle (manual and computerised)?
6.7.1 Internal control activities in the cycle
In order to address the risks of an entity not achieving the control objectives of validity, accuracy and completeness in the revenue and receipts cycle, proper control activities have to be implemented over the flow of information through the entity’s information system. Examples of the major control activities specific to the revenue and receipts cycle, established either manually (by people) or programmatically (by a computer system) depending on the circumstances involved, are summarised below.

6.7.1.1 Documentation and records
All the documentation relating to the cycle should be:
• Properly designed;
• Placed under proper stationery control; and
• Used in conjunction with a proper chart of accounts for transactions related to the purchases and payments cycle.
Refer to Chapter 4, section 4.3.2.4 for details of the above-mentioned types of controls.

6.7.1.2 Authorisation or approval
Authorisation or approval is required each time before:
• A customer is awarded the right to purchase on credit from the entity, including the awarding or increase of a credit limit for the customer;
• A sales order is processed (for sales to credit customers); and
• A credit adjustment is made to a customer’s account, such as for a sales return.
Authorisation and approval can be made either manually (written) or electronically (computer-based).

6.7.1.3 Segregation of duties
The following activities should be performed by different staff or departments in the cycle:
• Initiation of a transaction;
• Execution of the transaction;
• Approval of the transaction;
• Custody of the asset underlying the transaction; and
• Recording of the transaction.
Typical duties that should be segregated and performed by different persons in the revenue and receipts cycle include those shown in Figure 6.4 below. Each block represents an activity performed by a person and should be segregated from the functions performed in any other block.
In this table, blocks are grouped together in terms of the functional areas.

Figure 6.4: Overview of segregation of duties in the revenue and receipts cycle

6.7.1.4 Access controls

Assets in the cycle include inventory and cash. Access controls to protect against misappropriation of assets (or damage to goods) should apply whenever:
• The entity picks goods for despatch from the warehouse and despatches the goods to a customer;
• Goods are returned from customers; and
• Cash is received from a customer and kept secure until banked.

6.7.1.5 Independent checks and reconciliations

Examples of verification checks (the checking of work initially performed by someone else) in the revenue and receipts cycle include:
• Checking the quantities and descriptions of goods on sales orders and on picking slips for accuracy and completeness;
• Checking physical goods being despatched to customers to supporting documentation;
• Checking the sequential number order of supporting documentation (e.g. delivery notes) to determine whether all transactions (e.g. sales) have been recorded; and
• Matching of source documents with each other, such as an invoice and a delivery note.

The cycle includes the performance of the following reconciliations:
• Between the total of the debtors balance per the debtors ledger and the balance on the debtors control account in the general ledger (debtors reconciliation) (refer to section 6.3.5); and
• Between the balance per the cash book and the balance per the bank statement (bank reconciliation).

Reconciliations are usually performed by a clerk and must be reviewed by a senior staff member. In the event that the person who is responsible for recording transactions in the accounting records also performs a reconciliation on recorded information (typically of smaller entities), strong and thorough review controls should be in place over the reconciliation.
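The sequence check, the matching of invoices to delivery notes and the debtors reconciliation from section 6.7.1.5 can each be run programmatically over exported records. The Python below is an added example, not taken from the book; the record layouts, document numbers, customer codes, amounts and all function names are constructed assumptions.

```python
"""Added illustration of the 6.7.1.5 checks; all data below is constructed."""
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class DeliveryNote:
    number: int      # preprinted sequential number
    customer: str
    quantity: int    # quantity the customer signed for


@dataclass(frozen=True)
class Invoice:
    number: int
    delivery_note: int   # cross-reference to the supporting delivery note
    customer: str
    quantity: int
    amount: Decimal


def sequence_exceptions(numbers):
    """Sequence check: return (missing, duplicated) document numbers."""
    counts = Counter(numbers)
    if not counts:
        return [], []
    missing = [n for n in range(min(counts), max(counts) + 1) if n not in counts]
    duplicated = sorted(n for n, c in counts.items() if c > 1)
    return missing, duplicated


def match_documents(delivery_notes, invoices):
    """Match each invoice to its delivery note and report what does not agree."""
    notes = {note.number: note for note in delivery_notes}
    invoiced = set()
    result = {"uninvoiced_delivery": [], "invoice_without_delivery": [],
              "detail_mismatch": []}
    for inv in sorted(invoices, key=lambda i: i.number):
        note = notes.get(inv.delivery_note)
        if note is None:
            # No signed delivery note supports the invoice (occurrence).
            result["invoice_without_delivery"].append(inv.number)
            continue
        invoiced.add(note.number)
        if (note.customer, note.quantity) != (inv.customer, inv.quantity):
            # Invoice does not agree with what was delivered (accuracy).
            result["detail_mismatch"].append(inv.number)
    # Deliveries that never produced an invoice (completeness).
    result["uninvoiced_delivery"] = sorted(set(notes) - invoiced)
    return result


def debtors_reconciliation(ledger_balances, control_account_balance):
    """Return debtors ledger total minus the control account balance (0 = agrees)."""
    return sum(ledger_balances.values(), Decimal("0")) - control_account_balance


# Constructed sample records (not taken from the book).
SAMPLE_DELIVERY_NOTES = [
    DeliveryNote(1001, "C001", 10),
    DeliveryNote(1002, "C002", 5),
    DeliveryNote(1004, "C001", 8),    # 1003 is absent from the file
    DeliveryNote(1005, "C003", 20),
]
SAMPLE_INVOICES = [
    Invoice(501, 1001, "C001", 10, Decimal("1500.00")),
    Invoice(502, 1002, "C002", 7, Decimal("1050.00")),   # quantity differs
    Invoice(503, 1005, "C003", 20, Decimal("2400.00")),
    Invoice(504, 1009, "C004", 3, Decimal("450.00")),    # no such delivery note
]
SAMPLE_LEDGER = {"C001": Decimal("1500.00"), "C002": Decimal("1050.00"),
                 "C003": Decimal("2400.00")}
SAMPLE_CONTROL_BALANCE = Decimal("5400.00")   # general ledger control account


def run_checks():
    """Run all three checks over the constructed sample data."""
    return {
        "sequence": sequence_exceptions(n.number for n in SAMPLE_DELIVERY_NOTES),
        "matching": match_documents(SAMPLE_DELIVERY_NOTES, SAMPLE_INVOICES),
        "reconciliation_difference": debtors_reconciliation(
            SAMPLE_LEDGER, SAMPLE_CONTROL_BALANCE),
    }


if __name__ == "__main__":
    for check, outcome in run_checks().items():
        print(check, outcome)
```

Each exception list is a follow-up queue for the reviewer, and a non-zero reconciliation difference is a reconciling item to be explained before debtors statements go out.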
6.7.2 Internal control tables

The following tables include the most common activities and related internal controls for the revenue and receipts cycle to address the risks associated with each activity. The control tables clearly demonstrate the link between what could go wrong/risks, control objectives, assertions and internal controls (both manual and computerised) that were discussed in section 4.4 of Chapter 4. This link is demonstrated by means of a numbering system.

Have a look at the control table on the next page. You will notice that each ‘what could go wrong/risk’ is related to a control objective in the column to its right. The control objective is numbered (e.g. ‘A’). The assertion(s) affected by the ‘what could go wrong/risk’ (and impacted by the related control objective) is indicated in the next column. In the next two columns you will find the control(s) that address the control objective (linked to the control objective by means of a letter (e.g. ‘A’)). (It follows that these controls then address the related ‘what could go wrong/risk’.) The additional numbering that you will see in the controls columns (e.g. ‘1.1’) relates each control to the activity where it belongs.

Note that the controls in a manual system are described in full, whereas only controls additional to those controls in a manual system and alternative controls to those in a manual system that are required in a computerised environment are included in the right-hand column. Therefore, to form a complete picture of all controls in a computerised environment, the columns headed ‘Manual controls’ and ‘Alternative and additional controls in a computerised environment’ should be read together.

The difference between internal controls with financial reporting objectives and those with operational objectives was discussed in section 4.4.3.2 of Chapter 4.
Note that where a control is indicated in the control tables as being ‘operational’, the risk underlying the control would not have any accounting implications (i.e. no effect on the assertions in the financial statements). However, where a financial control is indicated (i.e. the related control objective is validity, accuracy or completeness), an assertion would be affected by the underlying risk.

The tables that follow are for a manufacturing entity producing goods and selling to customers on credit. Any reference to ‘warehouse’ involves the finished goods warehouse. The entity delivers the goods using its own staff (i.e. it does not use an external courier). The specific activities performed, and hence the internal controls, will vary from entity to entity, but the overall control objectives remain the same for all entities. Furthermore, controls similar to those that apply to sales apply to services rendered to clients.

Table 6.7: Credit management

1 CREDIT MANAGEMENT | CREDIT DEPARTMENT | Activity Responsible party Documents and records; master files What could go wrong/risks Control objective Account/ assertion affected Manual c New customers who are not creditworthy (i.e. who cannot pay their incurred debt in the future) are accepted and provided with credit. A New customers are creditworthy and would therefore be able to settle the debts they incur. (Validity) Accuracy, valuation and allocation of trade debtors 1.1A Cus complete applicati submits referenc Allowance for credit losses and bad debt write-offs 1.1 New customers wishing to order entity’s goods apply for credit. Credit controller Data capture clerk Financial accountant/ Financial manager Credit application form Master file amendment form Log of master file amendments Debtors ledger (referred to as a debtors master file in Credit co performs backgrou on custo referenc confirms status w bureaus 1 CREDIT MANAGEMENT | CREDIT DEPARTMENT | a computerised system). Credit co a credit amount custome and reco credit ap form.
Debtors reviewed accounta manager basis fo debtors to applic 1 CREDIT MANAGEMENT | CREDIT DEPARTMENT | 1.2 The creditworthiness of existing customers changes over time. Existing customers fail to pay their debt, leading to uncollectable debt and nancial losses for the company. B Existing customers are retained only if they remain creditworthy. (Validity) Accuracy, valuation and allocation of trade debtors 1.3 Customers request changes to their credit limits. Unauthorised changes to credit limits are made to debtors’ records/the debtors master le. C Changes to credit limits are authorised. (Validity) Accuracy, valuation and allocation of trade debtors 1.3C All changes limits or particula approved controlle performi similar t above. Company fails to collect outstanding D All cash that can be received from defaulting N/A: Assuming the debts were written off, 1.4D Cre controlle recomme nancial 1.4 Management evaluates the collectability of Credit controller Financial accountant/ Debtors master le (debtors ledger) 1.2B Cre controlle follow-up checks a existing con rm t continuin creditwo reviews analysis long-outs balances indicate risk of n 1 CREDIT MANAGEMENT | CREDIT DEPARTMENT | outstanding Financial debt (some may manager require inclusion in an allowance for credit losses). Credit controller attempts to collect overdue amounts from debtors who have not settled their outstanding accounts timeously. Debtors age analysis (compiled or generated from debtors ledger) General journal debt from defaulting debtors as collection procedures not followed promptly. debtors is collected. (Operational control) Allowance for E Allowance for credit losses credit losses is misstated. (impairment adjustment) is reasonable in terms of the requirements of the nancial reporting standards and correctly calculated. (Accuracy) then no further accounting implications (assertions therefore not affected). accounta for appro overdue collected submits debtors or credit agency i manner. 
Accuracy, valuation and allocation of trade debtors. 1.4E Reg monitori ageing o outstand balances and follo debtors non-paym which an should b Financia approves created account policies policies. 1 CREDIT MANAGEMENT | CREDIT 1.5 DebtorDEPARTMENT | balances become uncollectable (bad debts to be written off). Unauthorised bad debts that are in fact collectable, are written off from customer accounts. F All bad debts written off are authorised by senior management in terms of company policy. (Validity) Completeness of trade debtors. Occurrence of bad debts written off. 1.5F Bad offs are recomme credit co submitte managem supporti documen decision to write debts. Debts that have become uncollectable are not written off. G All debts that should be written off, are written off. (Completeness) Accuracy, valuation and allocation of trade debtors. Completeness of bad debts written off. 1.5G Reg monitori ageing o outstand balances and follo debtors be writte Table 6.8: Receiving orders from customers 2 RECEIVING ORDERS FROM CUSTOMERS | SALES DEPARTMENT | Activity Responsible party 2.1 An order for goods is received from a customer. Sales order Customer order clerk Internal sales Manual order (ISO) system only: Supervisory staff member in sales order department Documents and records; master les Picking slip What could go wrong/risks Control objective Account/ assertion affected Manual contro Order is received from customer, but not acted on (or not acted on timeously), leading to lost sales or unfavourable A All orders accepted are processed timeously. (Operational control) N/A: Operational measure without accounting implications: Should an order not lead to a sale, it would be inappropriate to 2.1A A prepr sequentially internal sale (ISO) on whic details of cu order are rec made out by order clerk. When goods picked in wa warehouse s 2 RECEIVING ORDERS FROM CUSTOMERS | SALES DEPARTMENT | customer relations. record a transaction in the nancial records. 
a copy of the slip to the sa department 4.1) for matc the ISO. This indicate that customer ord been proces despatch. ISO le is ch supervisor in order depart Long-outstan orders (i.e. I without a ma picking slip), followed up w warehouse a reason for de picking; Sequential n to ensure all accounted fo are obtained cancelled IS sequence if unclear or un Backorder note Order is 2 RECEIVING ORDERS FROM CUSTOMERS accepted | SALES DEPARTMENT | Inventory without there listing/Inventory being master le suf cient inventory in stock to despatch to customer, leading to delays in delivery and possible negative customer relations. B Items and quantities ordered are in stock, or are promptly put on backorder if not available, which will thus not unnecessarily delay the processing of the customer’s order. N/A: Operational measure without accounting implications. Accuracy of revenue: The undercharging of customers would lead to an understatement in revenue if error not detected before nal invoicing. 2.1B Sales o requests wa perform inve availability a check, or co inventory list which clerk h access. If items are stock, clerk with custome goods can b backorder an a backorder customer ag (Note: Copy o backorder no to buying dep for purchase from supplier (Operational control) Regular follo outstanding notes by sale department department/ until the goo been receive Sales order c informs custo goods are rec ready for des Customer quote Product Authorised price prices included on list/Pricelist ISO are not master le those agreed with customer (e.g. quoted) and approved by management, leading to customers being undercharged and a resulting C Sales amounts of products on ISO are those quoted to customers and are authorised in terms of management approved prices. (Accuracy) To the extent that the customer realises it, overcharging would lead to overstatement of revenue until such time as the customer complains and the error is corrected. 
This may fall over a nancial yearend (Note: If overcharging is 2.1C Before processed fu is checked b supervisory member in s department that authoris have been se from the ma approved pri If ISO is bas quote made customer, th are as per q terms of ma approved pri 2 RECEIVING ORDERS FROM CUSTOMERS | SALES DEPARTMENT | nancial loss (assuming error is not detected before invoicing), or overcharged, resulting in incorrect accounting records until such time as the customer complains and the error is corrected (assuming error is not detected before invoicing). corrected prior to year-end on the basis of customer complaints, the overcharging of customers would constitute an operational issue affecting customer relations and not the accounting amounts). For telephon preceding co the above in clerk reading details on th the custome concluding th ensure all de as per custo request. Table 6.9: Authorisation of sales orders 3 AUTHORISATION OF SALES ORDERS | CREDIT AND SALES ORDER DEPARTMENT | Activity Responsible party Documents What could go and wrong/risks records; master les Control objective Account/ assertion affected Manual controls 3.1 Approval of customer: Sales order clerk A person/business places a sales order with the entity. Credit controller (authorisation and approval) Customer Order is order accepted from a nonDebtors approved master customer, le (Debtors leading to possible ledger) uncollectable debt in future and nancial losses for entity. A All orders received are from approved customers only. (Validity) Accuracy, valuation and allocation of trade debtors. 3.1A Order clerk accepts order only from a customer who is able to provide an account number and who is on the authorised customer list Existence of trade debtors. If the customer is not on the customer list the customer is referred to the credit controller to commence credit application process (see activity 1.1). 
Sales order clerk requests customer to provide pertinent details (such as ID number address, contact details etc.) to con rm customer is genuine (i.e. the person requesting the order is 3 AUTHORISATION OF SALES ORDERS | CREDIT AND SALES ORDER DEPARTMENT | the actual customer associated with the customer number). Management to review debtors ledger for evidence of possible ctitious debtor accounts as sales order clerk is not allowed to create accounts. 3.2 Approval of sales transaction: A sales order is received from an approved customer. Sales order clerk Credit controller (authorisation and approval) Internal sales order (ISO) Debtors master le (Computerised (debtors system: ledger) programmatic authorisation of sale in terms of preauthorised credit limit set by credit controller.) An order is accepted from an approved customer who will exceed his credit limit should the sale be accepted, which may give rise to irrecoverable debts. B Credit sales are only made to debtors who are creditworthy, i.e. who will still be within their credit limits after the sale is accepted. (Validity) Accuracy, valuation and allocation of trade debtors 3.2B All ISOs are submitted to the credit controller for approval (with attached picking slip – refer to 3.3C below). Order only approved (by the credit controller signing the ISO) if the customer is still within his or her credit limit, with reference to the preapproved credit limit on the authorised customer list 3 AUTHORISATION OF SALES ORDERS | CREDIT AND SALES ORDER DEPARTMENT | (list compiled from debtors ledger). Only credit controller is allowed to increase credit limit of customer (i.e override the limit) should order exceed credit limit, and after investigating the client’s current nancial position. 3 AUTHORISATION OF SALES ORDERS | CREDIT AND SALES ORDER DEPARTMENT | 3.3 Instruction to pick (select) goods from warehouse is created. 
Sales order clerk Credit controller or second administrative clerk Picking slip Unauthorised pickings slips are created, leading to goods being removed from the warehouse for despatch to a customer who signs for the goods (takes custody thereof) but who will not be able to settle his or her debt. C Only valid picking slips are created based on approved ISOs. (Validity) Accuracy, valuation and allocation of trade debtors. 3.3C Picking slips are preprinted and crossreferenced to the corresponding ISO and attached to the ISO for submission for approval of order as per 3.2B above. 3 AUTHORISATION OF SALES ORDERS | CREDIT AND SALES ORDER DEPARTMENT | Picking slip details (e.g. item code, quantity) are incorrect (i.e. the risk exists that details on picking slip do not agree with the authorised details on the ISO). D Picking too few items for delivery may negatively affect customer relations, whereas picking too many items may result in the return of the items (where customer signs for and accepts only those items ordered). (Operational control) N/A: Operational measure without accounting implications. 3.3D Second staff member in sales order department (or approver as per 3.2B Revenue is above) not affected checks as a sale will accuracy of be recorded item codes based on and actual quantities on number of picking slip items back to the delivered ISO before and as picking slip is signed for by sent to customer. warehouse. Account/ assertion affected Manual controls Table 6.10: Picking of goods from warehouse 4 PICKING OF GOODS FROM WAREHOUSE | WAREHOUSE | Activity Responsible party Documents What could and go records; wrong/risks master les Control objective Alternative and additional controls in a computerised environment 4 PICKING OF GOODS FROM WAREHOUSE | WAREHOUSE | 4.1 Goods Storeman Picking are picked Warehouse slip from the supervisor warehouse with reference to an authorised picking slip. 
Goods are erroneously picked from warehouse that have not been ordered by the customer, i.e. are not in terms of an approved ISO, leading to short or overdeliveries and the resultant negative customer relations. A Goods are picked from warehouse in terms of the authorised ISO and picking slip. (Operational control) N/A: Operational measure without accounting implications (customers are only charged for what they sign for on delivery of goods). 4.1A Supervisory staff member in warehouse checks the goods picked back to the picking slip to confirm all goods correctly picked by picker before goods are sent to despatch and signs the picking slip as evidence of the check. 4.1A Computer system does not allow warehouse staff to create picking slips or make additions o changes to on-screen picking slips (i.e. they have read-only access to picking slips based on the access tables that grant access to the system on a least privilege basis). 4 PICKING OF GOODS FROM WAREHOUSE | WAREHOUSE | Delays in picking or no picking of items at all results in negative customer relations. B Items are promptly picked from the warehouse on receipt of a picking slip from the sales order department. (Operational control) N/A: Operational measure without accounting implications. 4.1B Supervisor in warehouse regularly checks file of sequentially numbered picking slips for any that have not been acted on. (Picking slips would have been received from sales order department in duplicate by means of a carbon copy document.) When goods have been picked, one copy of the picking slip is returned to the sales order department to indicate that picking of goods has taken place (refer to 2.1A). Refer to 5.2B for controls applicable to the completeness control objective.
Table 6.11: Despatch and delivery of goods to customers 5 DESPATCH AND DELIVERY OF GOODS TO CUSTOMERS | WAREHOUSE | 4.1B When goods have been picked, warehouse staff changes the status of the onscreen picking slip to ‘Picked’ on the computer system. Warehouse supervisor prints a report of picking slips without status ‘Picked’ (i.e. those still pending) on the computer system for follow-up. 5 DESPATCH AND DELIVERY OF GOODS TO CUSTOMERS | WAREHOUSE | Activity Responsible party 5.1 Picked Despatch goods are clerk transferred from the warehouse to the despatch bay. Documents What could go and wrong/risks records; master les Control objective Account/ Manual assertion affected controls Picking slip A Only those quantities of goods in accordance with a supporting picking slip are transferred to the despatch bay. (Operational control relating to the custody and safeguarding of assets) N/A: Operational measure. However, existence of inventory affected where goods go missing on transfer to despatch bay and are never found, yet included in inventory balance. Quantities on authorised picking slip are not those transferred to the despatch bay (i.e. more or fewer items are transferred). This risk may lead to possible misappropriation of inventory before despatch to customer takes place. 5.1A A despatch exists, consisting a wellde ned, separate area of th warehous fenced off with physi access controls, such as a locking mechanis for the ga and keys allocated only to the despatch clerk. When goo are transferre from warehous to despat bay, the despatch clerk physically inspects t quantities and descriptio of all item back to th attached picking sl Despatch clerk does not accep any of the 5 DESPATCH AND DELIVERY OF GOODS TO CUSTOMERS | WAREHOUSE | physical items that are not indicated the pickin slip and follows up any missi items. Despatch clerk sign the pickin slip as pro of having taken custody o the items that were accepted. 
5.2 Goods are loaded onto delivery vehicle, which then exits business premises. Despatch Delivery clerk and note other despatch staff Gate security guard Driver Goods leaving premises are not recorded on a supporting document, leading to delivery without charge to the customer (where goods are not returned) or to theft of the goods before reaching the customer. B All goods loaded into the delivery truck for despatch have been recorded on a delivery note. (Completeness) Completeness of revenue. (If ordered goods are not recorded on delivery note, it might not be invoiced to customer despite customer taking custody thereof or if the goods are misappropriated en route.) Existence of inventory. 5.2B Despatch clerk crea numerical sequence delivery notes for goods bei despatche Driver checks goods loaded on trucks bac to delivery note and signs as evidence taking custody o goods. To ensure goods leaving premises have been recorded o a delivery note, security 5 DESPATCH AND DELIVERY OF GOODS TO CUSTOMERS | WAREHOUSE | guard at e gate inspects delivery n and performs: • Check numbe boxes truck; a • Spot checks conten where possib by agreein boxes and/or conten back to deliver note, depend on the nature the goo sold. 5.3 Goods are delivered to customer. Driver/delivery Delivery personnel note Customer denies having received goods (leading to a sale inappro‐ priately recorded for a transaction that may not have occurred). C Proof of delivery is obtained for every delivery. (Validity) Occurrence of revenue. 5.3C Customer required t sign (and/ stamp) a copy of th delivery n to acknowled acceptanc of goods. Table 6.12: Invoicing 6 INVOICING | ACCOUNTING DEPARTMENT | Activity Responsible party Documents What could go Control objective and records; wrong/risks master les Account/ assertion affected Manual co 6 INVOICING | ACCOUNTING DEPARTMENT | 6.1 Customersigned copy of delivery note is received by accounting department, initiating the creation of a customer invoice. 
Invoicing clerk (invoicing) Customer invoice Goods are delivered to customer, Senior/supervisory Sales but debtors clerk journal customer is (recording) (Sales never transaction invoiced for le) those Debtors goods. ledger (Debtors master le) Price list (Price list master le) A All deliveries Completeness 6.1A A co give rise to a of revenue. the custo corresponding signed de invoice. note (refe (Completeness) 5.3C) is r from driv returning delivery a in a pend in seque order by t invoicing For each note rece the invoic clerk pre sequenti numbere invoice a copy is the correspo delivery n (Note: int sales ord received sales ord departme would als led with delivery n invoice.) 6 INVOICING | ACCOUNTING DEPARTMENT | Supervis member bookkeep of ce rev pending delivery n identify: • Any m delive (gaps seque follow the de bay on delive not ye place; • Delive for wh invoice yet be record the sa journa 6 INVOICING | ACCOUNTING DEPARTMENT | Deliveries are not invoiced timeously, resulting in sales possibly being recorded in an incorrect accounting period. Invoices are created when no goods were in fact delivered to the customer (i.e. leading to ctitious sales revenue if recorded in the sales journal). B Sales are recorded in the period to which the transaction relates. (Validity) C Sales invoices are only for actual sales transactions with bona de customers. (Validity) Cut-off of revenue. Occurrence of revenue 6.1B Dur review of delivery n as per 6. above, superviso member that the d the invoic correspo the nan period in the delive made (as date on d note). 6.1C Invo cross-refe and attac original authorise internal s order and delivery n invoice is created o authorise and cust signed de note exis Second/ staff mem checks th invoice is supporte custome delivery n an appro internal s order. 6 INVOICING | ACCOUNTING DEPARTMENT | Incorrect quantities and prices on invoice leads to under- or overcharging of customer. 
D All invoices are created with accurate quantities, prices and calculations thereon. (Accuracy) Accuracy of revenue. 6.1D Pric quantitie included invoice w reference (quoted p and deliv (delivered quantity) Second s member prices on to of cia company list and quantitie delivery n (Prices s however, to quoted a quote i applicabl The abov second s member checks c and calcu on the in con rm a before in sent to custome to the sa journal. Table 6.13: Recording of sales 7 RECORDING OF SALES IN THE ACCOUNTING RECORDS | ACCOUNTING DEPARTMENT | Activity Responsible party 7.1 Sales invoice is posted to the sales journal and debtors account in the debtors ledger. Accounts Sales receivable journal clerk/Bookkeeper (Sales Financial transaction manager/ le) Sales are posted from the sales journal to the trade receivables control account in the general ledger. Financial accountant Documents What could and records; go master les wrong/risks Posting to the sales journal, debtors ledger and control Debtors account ledger and (Debtors revenue master le) account in the general General ledger may ledger: be Revenue incomplete, and trade inaccurate receivables or invalid. control accounts Debtors statement Control objective Account/ assertion affected A Only valid invoices are posted to the sales journal, debtors ledger and general ledger. (Validity) Occurrence, accuracy and completeness of revenue. B Details of sales transactions are correctly posted from the invoice to the sales journal, debtors ledger and general ledger. (Accuracy) C All sales invoices are posted to the sales journal, debtors ledger and general ledger. (Completeness) Manual contro 7.1A Second bookkeeping checks the recorded invo in the sales Existence, journal by accuracy, agreeing the valuation and entries to th allocation supporting and invoices to completeness con rm that of trade valid invoice receivables. exists for ea recorded sal transaction. 
(Occurrence) Invoices wer accurately po by agreeing amounts (Accuracy); a All invoices w posted by checking the numerical sequence of entries. (Completene 7.1BC Secon bookkeeping also checks posting of invoices from invoice to the sales journa the debtors ledger to con 7.1ABC Debt reconciliation performed by supervisor in bookkeeping 7 RECORDING OF SALES IN THE ACCOUNTING RECORDS | ACCOUNTING DEPARTMENT | section to reconcile the of all accoun the debtors ledger to the balance as p the trade receivables control acco the general ledger. Financial manager/ n accountant reviews the debtors reconciliation follows up on reconciling it before mont statements a prepared for mailing to debtors. A person independent the recording receipt of ca functions fol up on all deb queries, e.g. where debto complain abo errors on the invoices. Table 6.14: Receipt of cash 8 RECEIPT OF CASH FROM CUSTOMERS | ACCOUNTING DEPARTMENT | Activity Responsible Documents What could go party and wrong/risks records; master les Control objective Account/ assertion affected 8.1 Receipt of cash from Mail opening staff A All cash received is deposited in Completeness 8.1A For mon of bank and received in th post: Mail register For money received by post and in person: Manual controls Cashier 8 RECEIPT OF CASH FROM Receipt CUSTOMERS Money is received from | ACCOUNTING Chief DEPARTMENT | Cashingcustomer, cashier up sheet customers entity’s bank cash • but is not by: account. balances. Security Bank deposited (Completeness) company deposit • Postal into entity’s guards slip mail bank (cheques); account. • In person Instances where at cash can be cashiers misappropriated (cash or between receipt cheques). from customer and banking of cash include: • Theft of monies in mail-opening stage where cheques are received in the post and stolen by mail openers. 
• Theft of monies paid in person by recipient preparing ctitious receipt or no receipt at all (theft cannot be picked up timeously as no record of receipt exists). (Risk also applies to unauthorised or fake handwritten receipts used in a computerised environment to unaware customer.) At least tw persons, o which at le • one independe of the bank depositing and record functions, open mail. • Mail regist is maintain in which da of receipt, debtor nam and amoun received is recorded. • Both staff members s register (isolation o responsibi When mon and mail register is transferred cashiers, cashiers count mon received in the presen of mail openers an sign regist as proof of accepting custody of cash. For monies received by cashiers (cheques from mail openers cash/cheques from walk-in customers): • Adequate security arrangeme 8 RECEIPT OF CASH FROM CUSTOMERS | ACCOUNTING DEPARTMENT | to be made (e.g. appointme of security company; installation and monitoring cash regist by CCTV). • Notice stat that custom should ins on a receip from cashi • Cashier creates a numerically sequenced multicopied receipt for money received. • Theft of cash from till by cashier and loss not identi ed due to insuf cient cashing-up and review procedures. • Theft of cash from facilities where cash is stored before being taken to the bank. • Theft of cash while in transit to bank. • Cashier counts cheques a cash at en shift and reconciles with total o receipts issued. • Chief cash reviews all cash-up results of cashiers to con rm an shortages surpluses identi ed a reported, a signs as evidence o this review and for tak custody of cash. 8 RECEIPT OF CASH FROM CUSTOMERS | ACCOUNTING DEPARTMENT | • Chief cash completes bank depo slip indicat total cash received. • Cash is ke in a secure reproof dr safe (a saf with a sma dedicated opening fo cash bag) until collec for banking • Drop safe able to unl with two se of keys, on set carried manageme and one se by security company. 
• Security company collects ca (e.g. during the next business d for banking • Bank-stam deposit sli returned to company fo reconciliati with company’s copy of deposit sli and the tot of cashingsheets for cashiers of the previou day. (Contr performed person independe 8 RECEIPT OF CASH FROM CUSTOMERS | ACCOUNTING DEPARTMENT | of cashing and bankin process.) • Bank depo slip is led date sequence regularly reviewed b staff memb independe of the cash and bank function fo missing deposit da indicating possible unbanked cash for a particular d Table 6.15: Recording receipts 9 RECORDING RECEIPTS IN THE ACCOUNTING RECORDS | ACCOUNTING DEPARTMENT | Activity Responsible party Documents and records; master les What could go Control objective wrong/risks Account/ assertion affected Manual controls 9 RECORDING RECEIPTS IN THE ACCOUNTING RECORDS | ACCOUNTING DEPARTMENT | 9.1 Receipt from debtor is posted to the cash book (cash receipts journal) and the debtor’s account in the debtors ledger. Cash book clerk Financial manager/ Cash book (cash receipts journal) Debtors Financial ledger accountant (debtors master le) General ledger: Bank and cash control accounts and debtors control account Bank statement List/report of unidenti ed deposits. Fictitious cash receipts are recorded in cash book and in customer’s account in debtors ledger. A Cash receipts recorded relate to actual cash received, i.e. each entry in cash book is supported by cash deposited/received in bank account. (Validity) Occurrence of cash receipts. 9.1ABC Debtors reconciliation is performed on a monthly basis to Completeness ensure correct and accuracy, posting of valuation and receipts to the allocation of debtors ledger trade and general receivables. ledger control account (refer to functional area 7 above for detaile controls). 
What could go wrong/risks (B): Receipts are not posted accurately to the cash book or to the debtor’s account in the debtors ledger (incorrect amounts or incorrect debtor account).
Control objective (B): Cash deposited is posted in the correct amounts to the cash book and posted to correct debtor account in debtors ledger. (Accuracy) Cash book (cash receipts journal) totals are posted to general ledger bank and cash control account and debtors control account in the correct amounts. (Accuracy)
Account/assertion affected (B): Accuracy of cash receipts. Accuracy, valuation and allocation of trade receivables.
Manual controls (9.1ABC): Bank reconciliation is performed by a staff member independent of the cash and bank function on a regular (e.g. monthly) basis by reconciling balance per cash book to balance per bank-supplied bank statement. Fictitious entries in cash book will be identified as these receipts would not have been processed by the bank. Any deposits not recorded in cash book or recorded erroneously will be identified in the same way. Deposits made into bank account, but which have not been recorded in cash book, will also be identified.
What could go wrong/risks (C): Not all cash receipts are posted to the cash book or to debtors accounts in the debtors ledger.
Control objective (C): All cash receipts that occurred are recorded in the cash book and posted to the bank and cash control account/debtors control account in the general ledger. (Completeness)
Account/assertion affected (C): Completeness of cash receipts. Existence and accuracy, valuation and allocation of trade receivables.
Manual controls (9.1C): Reconciling items are reflected on bank reconciliation and the reasons noted (e.g. outstanding deposits and cheques, referenced to supporting documentation). Bank reconciliations are reviewed, including for unusual or long-outstanding reconciling items by financial manager/financial accountant and signed as evidence of review.
Manual controls (continued): Second bookkeeping clerk checks posting of receipts from receipts to cash book and to debtors ledger for accuracy and correct allocation to debtors’ accounts.
For direct deposits and EFTs:
What could go wrong/risks (D): Deposits in bank account that cannot be identified by the cash book clerk as having been deposited by a known party/debtor are not adequately recorded, leading to misappropriated cash or unrecorded credits to customer accounts.
Control objective (D): All unidentified deposits made into bank account are appropriately recorded in accounting records. (Completeness)
Account/assertion affected (D): Completeness of cash receipts.
Manual controls (9.1D): An unidentified deposit suspense account in the general ledger is created to which all unidentified deposits are credited (i.e. debit entry to cash and bank account and credit to suspense account). A list of unidentified deposits is prepared by cash book clerk with full details of each deposit received. The list is reconciled to suspense account on regular basis by financial accountant and any unusual or recurring entries followed up.
Table 6.16: Processing and recording of returns and other sales adjustments
10 PROCESSING AND RECORDING OF RETURNS AND OTHER SALES ADJUSTMENTS | WAREHOUSE, SALES AND ACCOUNTING DEPARTMENT |
Columns: Activity | Responsible party | Documents and records; master files | What could go wrong/risks | Control objective | Account/assertion affected
Activity: 10.1 Customer returns goods to entity for credit and/or requests credit to account for matters such as inferior or damaged goods delivered, other overcharges or errors in the customer’s account requiring correction.
Responsible party: Goods receiving clerk/storeman (warehouse); Sales returns clerk; Bookkeeper (accounts receivable); Financial manager/accountant; Sales manager and/or credit controller (approval of discounts)
Documents and records; master files: Goods returned voucher; Credit note (internally generated) and debit note (received from debtor); Sales adjustments journal; General journal; Debtors ledger; General ledger
What could go wrong/risks (A): Unauthorised (invalid) credit is granted to customer accounts, e.g. credit granted for goods that were not returned.
Control objective (A): Credit adjustments to customer accounts are authorised in terms of company policy. (Validity)
Account/assertion affected (A): Occurrence of sales adjustments. Completeness of revenue. Completeness of trade receivables.
What could go wrong/risks (B): Sales returns are not recorded at the correct quantities or amounts.
Control objective (B): Sales returns are recorded at the correct amounts. (Accuracy)
Account/assertion affected (B): Accuracy of sales returns/revenue. Accuracy, valuation and allocation of trade receivables.
What could go wrong/risks (C): Not all credit granted to customers is recorded in the accounting records.
Control objective (C): All credit notes issued are timeously issued and posted to debtors’ accounts. (Completeness)
Account/assertion affected (C): Completeness of sales adjustments/Occurrence of revenue. Existence of trade receivables.
Activity: 10.2 Settlement or other discount is provided to a customer.
Account/assertion affected: Accuracy, valuation and allocation of trade receivables.
What could go wrong/risks (D): Unauthorised (invalid) discount is provided on sales to customer.
Control objective (D): Discounts provided to customers are authorised in terms of the discount policy of the company. (Accuracy)
Account/assertion affected (D): Accuracy of sales discounts/Accuracy of revenue. Accuracy, valuation and allocation of trade receivables.
Note: The underlying transaction remains valid, despite the unauthorised discount amounts.
What could go wrong/risks (E): Discounts to customers are not accurately recorded.
Control objective (E): Discount is calculated in terms of the authorised discount percentage and correctly recorded on the invoice. (Accuracy)
Account/assertion affected (E): Accuracy of sales discounts. Accuracy, valuation and allocation of trade receivables.
6.8 Cycle illustration: The revenue and receipts cycle at Ntsimbi Piping
Cycle background: All sales to customers are made on credit and Ntsimbi Piping is also responsible for making its own deliveries to its customers. The company operates a large finished goods store (subsequently referred to as warehouse) located adjacent to its factory, from where finished goods are despatched to customers.
6.8.1 Credit management
• This function is the ultimate responsibility of Ntsimbi Piping’s accounting and finance division, although some aspects of the function are carried out by staff in other divisions. Note that certain functions have been outsourced to an external service provider.
• Persons involved in function:
  • Mike Milton (credit controller in the credit section of the marketing and sales division)
  • Janice Fourie (data capturer in operations)
  • James Khumalo (financial manager in the accounting and finance division).
6.8.1.1 Application for credit
A potential new customer who wishes to buy products from Ntsimbi Piping is referred to the credit controller, Mike Milton. Mike asks the customer to complete a credit application form (in triplicate), on which the customer must disclose its business particulars, including the contact details of several trade references. A copy of the customer’s latest financial statements is also requested.
Mike submits the credit application with supporting documentation to an external service provider, DebtACheck (Pty) Ltd, who assesses the customer’s credit quality by performing a credit background check on the customer as follows:
• Following up with the customer’s trade references (to confirm whether the customer is in good standing with its suppliers and other business associates);
• Querying credit bureaus to confirm the customer has a favourable credit history (i.e. the customer’s credit rating is not impaired); and
• Analysing the financial information provided by the customer (such as audited financial statements) to confirm customer has a healthy cash and liquidity position.
The check usually takes one day to complete. Only customers who are rated as ‘AA’ or ‘BB’ quality by DebtACheck (Pty) Ltd are advanced credit by Ntsimbi Piping. Should the credit assessment be successful (i.e. for AA and BB-rated customers) DebtACheck (Pty) Ltd recommends a credit limit for the customer’s account by indicating the limit on the customer’s application form. Credit limits may only be recommended within the overall parameters previously approved by Ntsimbi Piping’s board of directors. Unsuccessful applicants are indicated on the application form as such.
When the finalised application form with supporting documentation is received back from DebtACheck (Pty) Ltd, Mike Milton first reviews and approves the credit limits recommended by DebtACheck (Pty) Ltd. His review involves ensuring that proper supporting documentation (such as evidence of the credit background check) is attached and that the credit limit is reasonable given the information obtained by DebtACheck (Pty) Ltd in making its decision on the customer’s credit limit.
The three copies of the application form are distributed as follows:
• The original is retained by Mike and filed in numerical sequence;
• The first copy is given to the customer for the customer’s records; and
• The final copy is sent to Janice Fourie, the data capture clerk, for capturing onto the computer system, in a batch together with a master file amendment form.
6.8.1.2 Amendments to the debtors master file
Company policy only allows for changes to master files on the computer system to be captured if the changes are made on the basis of an authorised master file amendment form (MAF). Whenever Mike sends debtors master file amendment requests to the data capturer, they are accompanied by an MAF, which also serves as a batch cover sheet. The MAF contains the reference numbers of all the attached supporting documentation (e.g. customer application form number) and the type of change required such as:
• New customer;
• Change to an existing customer account;
• Account correction; and
• Account removal.
To initiate capturing, Janice Fourie accesses the customer master file module on the company’s computerised accounting application (PVCACC) with her unique username and password and selects the ‘Amend debtor details’ function. Working her way down the master file amendment form, she enters all the particulars of the new customers as they appear on the attached application forms. The system automatically allocates a unique sequential account number (customer code) to each new customer account as Janice captures the information. PVCACC does not allow Janice to choose or furnish an account number herself for new customers.
6.8.1.3 Changes to credit limits
Should an existing customer wish to increase its credit limit, Mike Milton must evaluate the request based on the customer’s credit history with Ntsimbi Piping or other information supporting the customer’s request to increase their credit facilities.
All other existing customers’ credit limits are reviewed periodically by Mike in accordance with the requirements of the National Credit Act. He ensures that all debtors with long-outstanding balances are considered for a reduction in credit limit or a possible hold on their account, freezing the customers’ ability to order goods in the future. Changes to the credit limit on Ntsimbi Piping’s accounting system take place through the official master file amendment procedures as described above.
6.8.1.4 Review of modifications to customer master file
On a weekly basis, James Khumalo accesses the debtors master file module on PVCACC (by means of read-only access with his unique username and password) and prints a log of all master file amendments. He matches all amendments on the log with the following:
• Corresponding master file amendment form; or
• Attached credit application form/other attached supporting documentation.
He also reviews the log for any unusual modifications such as possible duplications or exorbitant credit limits captured. Any exceptions are followed up with Janice or Mike and resolved. James signs the log as evidence of having performed the review.
6.8.1.5 Write-off of bad debts
At the end of each month, Mike Milton prints a debtors age analysis from the debtors master file (i.e. debtors ledger), to which he has read-only access. The age analysis displays the number of days for which each debtor’s balance has been outstanding since the dates of invoicing. In consultation with James Khumalo, a decision is made about which debtors must be handed over to Ntsimbi Piping’s attorneys for collection (typically debt that is outstanding for longer than 120 days), but only after Mike can provide proof that the debtor has been contacted several times to request payment. A list of bad debts to be written off is created, signed by both Mike and James and then transferred to the accounting and finance division for processing to the debtors’ accounts and general ledger.
Neither Mike nor James has write-access to journals on the system: they can only approve hard-copy journals for capturing by a clerk in the accounting and finance division.
6.8.1.6 Allowance for credit losses
As part of the accounting activities at the end of each financial year, Mike and James re-evaluate the ability of Ntsimbi Piping to collect debtors with long-outstanding balances at year-end. As per the company’s accounting policy, a trade receivable is deemed to be ‘credit impaired’ once it has aged to more than 90 days overdue. To estimate the expected credit losses, Mike and James consider historic debtor information, including the ageing of debtors’ accounts, and adjust it for forward-looking information (such as the state of the local economy). They then compute an ‘Allowance for credit losses’ supported by their reasoning. A hard-copy general journal is created by James and captured on the system by an accounting clerk after the journal has been approved by Lee-Ann Losper.
6.8.2 Receiving orders from customers
• Function performed by the sales order office, a section in Ntsimbi Piping’s marketing and sales division.
• Person involved in function:
  • Curtis Lesley (sales order clerk in sales order office).
6.8.2.1 Receiving sales orders and creating an internal sales order
All sales to customers are on credit. When a customer wishes to order products from Ntsimbi Piping, they can do so by submitting a sales order either verbally by telephone or in writing by fax or email. Curtis Lesley, the sales order clerk, is responsible for receiving all orders. He accesses the sales order module on PVCACC by entering his unique username and password (which gives him write-access to creating sales orders according to his user access profile). For telephone orders, Curtis requests that the customer provide his or her account number and selects the number from a drop-down list on the ‘Enter new sales order’ screen.
Without a customer account number, the accounting system will not allow Curtis to continue creating an order. Should the person wishing to place an order not have an account number, he or she is referred to Mike Milton, who initiates the credit application process. Once the computer system finds the account number in the customer master file (verification check), all details of the customer appear on screen, including any warnings for Curtis’ attention. Such warnings may, for instance, include a warning that the debtor has already exceeded its credit limit or that the customer’s account has been frozen by the credit controller (usually due to problems experienced with collectability of the customer’s debt). Should such a message appear, Curtis will not be able to proceed with the sales order and the credit controller (Mike Milton) will have to be called (refer to 6.8.3.1 below).
Curtis asks pertinent questions from the customer, such as business address and contact details, to confirm the authenticity of the person phoning. He compares the customer-supplied information to the standing data displayed on-screen to ensure the customer is valid. If a customer is allowed to proceed to place an order, Curtis creates an on-screen sequentially numbered internal sales order (ISO). The customer then proceeds to provide Curtis with the item codes and quantities of goods he or she wishes to order. (Ntsimbi Piping emails an updated electronic product catalogue to all its customers at the beginning of each month, which the customer uses to order goods.) Curtis is only required to enter the stock code number of the item being ordered and the computer system automatically performs a product verification and availability check on the inventory master file. The price of the item is automatically allocated to the internal sales order with reference to the official product prices stored in the price list master file (which agrees with the latest product catalogue sent to customers).
Before concluding the order, Curtis first reads back the order details to the customer to confirm the accuracy of the product descriptions and quantities ordered, as well as the prices appearing on the internal sales order.
For email and fax orders, Curtis captures the orders directly onto the ‘Enter new sales order’ screen. As with telephone orders, the same computerised verification and limit checks apply to email and fax orders being captured. After an email or fax order has been captured, Curtis either phones or emails the customer to confirm the total price of the order and to inform the customer that the order is being processed. A second staff member in the sales department checks the accuracy of the capturing performed by Curtis by comparing the results of the capturing (as contained on a printed ‘pending ISO report’) back to the email or fax.
WHY?
Why are telephone orders not checked for accuracy by the second staff member? Recall that Curtis captured the order directly from his conversation with the customer, leaving no paper trail for a second person to check. However, Curtis did read back the details on the on-screen ISO to the customer, which in effect served as the accuracy check.
6.8.2.2 Following up on ISOs
On a regular basis, Curtis prints a report titled ‘ISOs not yet picked’ from PVCACC, which lists all ISOs for which the status indicates ‘Awaiting picking’ on the computer. As long as the warehouse staff have not yet changed the status of the ISO to ‘Picked’ (refer to 6.8.4.2 below), the ISO remains on this report. Curtis follows up with the warehouse staff for reasons for a delay in the picking of the goods on the ISO.
6.8.2.3 Backorders
Should there not be sufficient quantities of an item on hand at the time of the order, Curtis informs the customer accordingly and, should the customer wish to proceed, Curtis flags the item on the ISO for transfer by the computer to the backorder system.
The computer sends an electronic backorder note to Ntsimbi Piping’s purchasing division for acquisition from suppliers. Curtis regularly reviews the list of backorders on the computer for long-outstanding backorders and follows up with the purchasing division about delays.
6.8.2.4 Distribution of source documents (ISOs)
The electronic ISO remains on PVCACC and is sequentially stored in a sales order transaction file accessible for query purposes through read-only access by the stores supervisor (refer to 6.8.4.1 below) and the invoicing clerk in the accounting and finance division (refer to 6.8.6.1 below). No physical copy of the ISO is printed.
6.8.3 Authorisation of sales orders
• Function primarily performed by the sales order office (a section in the marketing and sales division).
• Persons involved in function:
  • Curtis Lesley (sales order clerk in the sales order office of the marketing and sales division)
  • Leanne Ford (sales manager in the marketing and sales division)
  • Mike Milton (credit controller in the credit section of the marketing and sales division).
6.8.3.1 System authorisation of sales
Authorisation of an ISO is automatically granted by the computer system if the order does not result in the customer’s pre-authorised credit limit being exceeded. Should the credit limit be exceeded, Curtis Lesley calls Mike Milton to ask him to consider an override of the system restriction. Mike has to enter his username and password and approve the sale should he deem the customer sufficiently creditworthy to order over and above his credit limit. Mike must enter a reason as justification on the computer. Curtis’ user access on PVCACC does not allow him to continue with sales orders where the credit limit of the customer will be exceeded after the sale and if the credit controller has not granted approval for the excess.
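The system authorisation described in 6.8.3.1, sketched as an added Python example (it is not PVCACC's code and does not come from the textbook): an order within the credit limit is authorised automatically, while an order over the limit is blocked unless a different user holding the credit-controller role approves it with a recorded reason, and each override is written to an append-only override report. The class, role and field names, and the `open_orders` exposure figure, are assumptions made for the sketch.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from decimal import Decimal
from typing import List, Optional, Tuple

# Role names are assumptions; the text names job titles, not system roles.
SALES_ORDER_CLERK = "sales_order_clerk"
CREDIT_CONTROLLER = "credit_controller"


class OrderBlocked(Exception):
    """The order may not proceed; no ISO is created and nothing is logged."""


@dataclass(frozen=True)
class User:
    """An already-authenticated session (the login step is out of scope)."""
    username: str
    role: str


@dataclass
class Customer:
    account_no: str
    credit_limit: Decimal
    balance: Decimal                      # invoiced and unpaid
    open_orders: Decimal = Decimal("0")   # authorised, not yet invoiced (assumption)


@dataclass(frozen=True)
class Override:
    """One entry of the credit limit override report (immutable once written)."""
    iso_no: int
    account_no: str
    excess: Decimal
    captured_by: str
    approved_by: str
    reason: str
    approved_at: datetime


@dataclass(frozen=True)
class InternalSalesOrder:
    iso_no: int
    account_no: str
    total: Decimal
    override: Optional[Override]


@dataclass
class SalesOrderModule:
    _next_iso_no: int = 1
    _overrides: List[Override] = field(default_factory=list)

    def override_report(self) -> Tuple[Override, ...]:
        """Read-only copy for the sales manager's review."""
        return tuple(self._overrides)

    def authorise(self, clerk: User, customer: Customer, total: Decimal,
                  approver: Optional[User] = None,
                  reason: str = "") -> InternalSalesOrder:
        if clerk.role != SALES_ORDER_CLERK:
            raise OrderBlocked("only a sales order clerk may capture orders")
        if total <= 0:
            raise OrderBlocked("order total must be positive")

        exposure = customer.balance + customer.open_orders + total
        excess = exposure - customer.credit_limit
        override = None
        if excess > 0:
            # Every override condition is checked before an ISO number is
            # used, so a refused order leaves no gap in the ISO sequence.
            if approver is None:
                raise OrderBlocked("credit limit exceeded; approval required")
            if approver.role != CREDIT_CONTROLLER:
                raise OrderBlocked("approver is not a credit controller")
            if approver.username == clerk.username:
                raise OrderBlocked("capturer may not approve own order")
            if not reason.strip():
                raise OrderBlocked("override needs a recorded reason")
            override = Override(self._next_iso_no, customer.account_no, excess,
                                clerk.username, approver.username,
                                reason.strip(), datetime.now(timezone.utc))
            self._overrides.append(override)

        iso = InternalSalesOrder(self._next_iso_no, customer.account_no,
                                 total, override)
        self._next_iso_no += 1
        customer.open_orders += total
        return iso


if __name__ == "__main__":
    # Constructed sample data, not taken from the textbook.
    module = SalesOrderModule()
    curtis = User("curtis", SALES_ORDER_CLERK)
    mike = User("mike", CREDIT_CONTROLLER)
    debtor = Customer("C0001", Decimal("10000"), Decimal("9000"))
    print(module.authorise(curtis, debtor, Decimal("2500"), mike, "Paid-up history"))
    print(module.override_report())
```

Counting authorised but uninvoiced orders in the exposure keeps a customer from staying under the limit by splitting one large order into several small ones.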
6.8.3.2 Management review of orders
Manual approval of an order where the customer will still be within his or her credit limit after the sale is not required, owing to the system authorisation described in 6.8.3.1 above. However, at regular intervals, Leanne Ford (sales manager) accesses the sales order module with her unique username and password and asks the system to print a summary list of all new sales orders from the sales order transaction file (e.g. name of customer and total amount ordered). She scrutinises this list for any unusual sales, such as possible duplications, unexpected significant order amounts and orders with notifications and warnings printed next to the order, and follows up any queries she has with Curtis Lesley or Mike Milton. She also reviews the ‘credit limit override report’ for reasonability and unusual entries. This report lists all instances where Mike Milton authorised a sale that led to a customer’s credit limit being exceeded. She signs both the sales order list and credit limit override report as proof of review and files them in her office. No staff member, including managers, has the ability to make any changes to the summary list of orders or the credit limit override report.
6.8.3.3 Creating a picking slip
After an ISO has been authorised, the system automatically generates a sequentially numbered picking slip. The computer application has been designed in such a way that stand-alone picking slips (i.e. picking slips without a supporting ISO) cannot be generated. The picking slip contains the following information about the items ordered: item code, item description, storage location of item in warehouse and quantity required. Prices are not indicated on the picking slip. The picking slip serves as an instruction to the storeman in the warehouse to pick the goods from the warehouse for eventual delivery to the customer.
No staff member in any section has the logical ability to change the details on the computerised picking slip, or to generate a picking slip without there being a pre-existing ISO on the system.
6.8.3.4 Distribution of source document (picking slip)
A hard copy of the picking slip is printed by Curtis Lesley and submitted to James Price, a supervisor in the warehouse, for further follow up. An electronic version of the picking slip is retained on the system.
6.8.4 Picking of goods from warehouse
• Function performed by Ntsimbi Piping’s finished goods warehouse in the manufacturing division.
• Persons involved in function:
  • James Price (a warehouse supervisor in finished goods warehouse)
  • Raymond Harris (production manager in the factory).
6.8.4.1 Selecting of goods from warehouse
On receipt of the hard copy of the picking slip, James Price instructs his picking staff to pick the ordered goods from the warehouse’s storage area. They securely pack all goods into containers or fasten piping with dedicated packing materials. James ticks the goods off the picking slip as his staff packs each item, and, once all picked, he signs the picking slip as proof of having checked the goods picked.
6.8.4.2 Finalising picking
When the goods on the picking slip have been picked and checked, James changes the status of the related ISO on PVCACC to ‘Picked’ (the ISO’s number is referenced on the hard-copy picking slip for query purposes). By default, the computer assigns a status description of ‘Awaiting picking’ for all ISOs not yet addressed by the warehouse. This action of updating the ISO’s status removes the ISO from the report of ‘ISOs not yet picked’ printed for follow up by Curtis Lesley in the sales order office (refer to 6.8.2.2 above).
6.8.4.3 Further distribution of source document (picking slip)
The hard-copy picking slip accompanies the packed goods to the despatch area for the despatch staff to check the quantity and descriptions of goods as they take custody of them.
6.8.5 Despatch and delivery of goods to customers
• Function performed by the despatch area of the finished goods warehouse in the manufacturing division.
• Persons involved in function:
  • Simon Peters (despatch supervisor in the despatch area)
  • Delivery truck drivers
  • Security guards at gate.
6.8.5.1 Preparing goods for despatch
On receipt of the picking slip and packed goods from the warehouse, Simon Peters inspects the contents of the containers and piping fastened together with dedicated packing materials with reference to the picking slip and signs the picking slip as evidence of having received all goods from James Price. The signed picking slip is filed in numerical sequence for record-keeping purposes. Simon accesses the despatch module on the inventory module of PVCACC and enters the picking slip number. Details of the corresponding ISO appear on-screen, including the ISO number and customer details for delivery (such as name, address and contact number). A sequentially numbered multicopy delivery note is created and printed using the ISO data stored on the computer, indicating item codes, item descriptions and quantity of items to be delivered. No item prices are indicated on the delivery note.
6.8.5.2 Delivery of goods to customers
After the goods have been loaded onto the delivery vehicle, the delivery truck driver proceeds to the exit gate where security guards first perform a check on the contents of the delivery vehicle by agreeing the number and description of items in the truck to the product details indicated on the delivery note. The security guards also perform a random spot check on the contents of some deliveries leaving the premises.
6.8.5.3 Distribution of source document (delivery note)
The delivery note is distributed as follows:
• An electronic copy is retained on PVCACC; and
• Three printed carbon copies are signed by the customer and distributed as follows:
  • Copy one is retained by the customer;
  • Copy two is returned to Simon Peters in the finished goods warehouse, and he updates the status of the delivery on PVCACC to ‘Delivered’; and
  • Copy three is submitted directly to Mary Carlson in the invoicing section for the purpose of invoicing the customer.
6.8.6 Invoicing
• Function performed by the bookkeeping office (a section in the accounting and finance division).
• Persons involved in function:
  • Mary Carlson (the invoicing clerk and bookkeeper responsible for accounts receivable)
  • Jason Naidoo (senior bookkeeper in the bookkeeping office).
Mary Carlson is responsible for creating and emailing invoices to customers. As and when a customer-signed delivery note is received from the driver (see distribution of delivery notes in 6.8.5.3 above), Mary files it sequentially in a ‘pending invoice file’.
6.8.6.1 Creating an invoice
Each day, Mary accesses the ‘Customer invoicing’ menu option in the debtors module of PVCACC to create customer invoices. The computer application first shows her a list containing all deliveries that have been filled (refer to 6.8.5.3), together with the delivery note number. Mary then checks that a customer-signed delivery note exists (as received from the driver, refer to 6.8.5.3) for each delivery note on the computer list. For each completed delivery transaction, she selects the ‘create invoice’ button next to each delivery in order to generate an on-screen invoice. Customer details and item prices on the invoice are automatically retrieved from the supporting internal sales order (ISO) data previously stored on the system, whereas item codes, product descriptions and item quantities are retrieved from the delivery note data stored on the system.
The computer automatically allocates the delivery note and ISO numbers to the invoice created (for the purpose of cross-referencing). Once the invoice is created, Mary agrees the quantities on the on-screen invoice with the customer-signed delivery note to ensure the customer is only invoiced for those goods that appear on the delivery note. The system does not allow Mary to make changes to the quantities or prices on the on-screen invoice. Should changes be necessary, standard credit note procedures should be followed (see section 6.8.10).
All invoices are generated by the system in sequential number order and only if a flagged delivery note (filled order) is stored in its database. It is therefore not possible to create a duplicate invoice for the same delivery note or an invoice for which no delivery note and ISO exists. The computer application performs a range of programmed edit checks on the invoice:
• ‘Matching check’ with delivery note and ISO as explained above;
• ‘Sequential numbering check’ to ensure invoices are generated in sequence; and
• ‘Missing data check’ to ensure that all information has been included on the invoice from the other supporting documents, as well as full customer details such as name, address, VAT number and cross-referencing to delivery note and ISO.
6.8.6.2 Following up on outstanding invoices
On a routine basis, the senior bookkeeper, Jason Naidoo, prints a report from the debtors module of PVCACC which shows completed deliveries for which no invoice has yet been generated. He follows up any such instances with Mary. This review procedure by Jason ensures that customers are always promptly invoiced for any goods delivered and that sales transactions are processed in the financial period to which they relate.
6.8.6.3 Distribution of source document (invoice)
The electronic version of the invoice is retained on PVCACC while an electronic copy is emailed to the customer.
Mary performs emailing of invoices on a daily basis and this is checked by Jason to a system-generated ‘Daily emailing report’ to ensure that all invoices have been emailed.
6.8.7 Recording of sales in the accounting records
• Function performed by the bookkeeping office (a section in the accounting and finance division).
• Persons involved in function:
  • Mary Carlson (bookkeeper responsible for accounts receivable)
  • Jason Naidoo (senior bookkeeper).
6.8.7.1 Posting of sale
The posting of sales transactions to the sales transaction file (sales journal) takes place after Mary Carlson has generated an invoice on PVCACC (i.e. when an invoice has been finalised). After having generated all invoices from the delivery notes as described above, she selects the ‘Post invoices’ button on-screen, which automatically initiates batch processing by the computer to the sales transaction file. At the same time, the transactions are also automatically posted to the debtors master file and the general ledger. The system does not allow any person to make changes to the sales transaction file, debtors master file or general ledger other than by following the steps described above.
6.8.7.2 Reviewing of posted sales transactions
On a routine basis (usually once a week), Jason Naidoo (senior bookkeeper) prints a log (list) of all sales transactions posted to the sales transaction file. He reviews the postings for any unusual items and for missing invoice numbers (these are usually due to cancellations). He follows up on any queries he may have with Mary Carlson for resolution. He signs the list as proof of having reviewed the sales transaction file and files the transaction log in his office.
6.8.7.3 Debtors reconciliations
At the end of each month, Mary Carlson performs a debtors reconciliation between the grand total of outstanding debtors balances in the debtors master file (computerised debtors listing) and the balance of the trade debtors control account in the general ledger.
Any reconciling items are followed up and resolved by Mary. The reconciliation is printed and handed to Jason Naidoo for him to review and sign.
6.8.7.4 Debtors statements
After Mary has successfully completed the debtors reconciliation, she instructs the system to generate a debtors statement (in electronic format) for each debtor. These reflect the outstanding balance of the debtor brought forward (if any), all transactions with the debtor during the past month (including invoices, receipts and adjustments) and the outstanding balance payable by the debtor at statement date, with ageing of the balance. She emails each debtor statement to the applicable debtor.
6.8.8 Receipt of cash from customers
• Function performed by the cashiers (a section in the accounting and finance division).
• Persons involved in function:
  • Tracy Lee (cashier)
  • Jason Naidoo (senior bookkeeper).
Customers pay their outstanding debtors balances mostly by making EFTs (using their internet banking facility) directly into Ntsimbi Piping’s bank account. A minority of customers pay in cash at the company’s head office where the cashier is located, or they make direct deposits into the company’s bank account by depositing money in person at a branch of Ntsimbi Piping’s bank.
6.8.8.1 Cash received by cashier
Tracy Lee is responsible for receiving cash from debtors. When arriving at the cashier, the debtor provides his or her customer account number to Tracy, who then accesses the ‘Receipts module’ in PVCACC. She is asked by the computer system to enter the debtor’s account number before she is allowed to process a receipt. When the customer hands the cash to Tracy, she keys in the amount into the computer, which then opens the drawer of a cash register connected to the computer. She hands any applicable change to the customer, while the computer records the amount received and prints a sequentially numbered receipt slip.
6.8.8.2 Distribution of the receipt

• A printout of the receipt slip is handed to the customer.
• It is not necessary for Tracy to print a receipt for filing due to the automatic updating of the cash receipts transaction file, debtors master file and general ledger when the receipt is generated by the system. However, an electronic receipt is stored on the computer system for record purposes.

6.8.8.3 Cashing up

At the end of each day, Tracy prints a ‘daily cash-up report’ from PVCACC, which shows the total receipts recorded by the computer for the day. She counts the physical cash received and reconciles it to the total of the daily cash-up report. Although it rarely occurs that there is a surplus or shortage of cash takings, she has to inform Jason Naidoo (senior bookkeeper) of any discrepancy should it arise. Tracy proceeds to complete a bank deposit slip in triplicate, indicating the total cash that should be banked for the day. This is ordinarily equal to the total of the daily cash-up report.

6.8.8.4 Security over cash

Tracy puts the cash in a bank bag and attaches a tamper-proof zip seal to the bag. (Should there be tampering with the bag, a plastic tag on the zip will tear and cannot be repaired.) She inserts the bank bag with the deposit slip into a secure fireproof drop safe in the accounting office for safekeeping overnight. Only the financial manager and Ntsimbi Piping’s external security company have keys to the safe, and both keys have to be used simultaneously to open the safe.

6.8.8.5 Banking of cash

The next morning, guards of the security company contracted by Ntsimbi Piping pick up the bank bag after signing a ‘handing-over register’ as proof of taking custody of the bank bag. They transport the bank bag to the bank, deposit it and return a bank-stamped copy of the deposit slip to Sibongile Mathlabe, the cash book clerk.

6.8.8.6 Reviewing of deposits

Once a week, Jason Naidoo reviews the sequence of deposit slips and ensures no gaps (i.e. missing deposits) exist.
He also confirms that each deposit slip contains a bank stamp and that the total amount deposited agrees with the attached ‘daily cash-up report’.

6.8.9 Recording of receipts in the accounting records

• Function performed by the bookkeeping office (a section in the accounting and finance division).
• Persons involved in function:
  • Sibongile Mathlabe (cash book clerk)
  • Jason Naidoo (senior bookkeeper).

6.8.9.1 Posting of receipts to cash book and debtors master file (computer system activity)

When Tracy Lee issues a receipt to a customer, the receipt is automatically posted to the cash receipts transaction file (cash book) and general ledger by the computerised accounting application. In addition, the receipt is also automatically posted to the applicable debtor’s account in the debtors master file, crediting the debtor’s account. It is not possible for a user to make changes to the cash receipts transaction file, debtors master file or general ledger other than by following the steps described above.

6.8.9.2 Allocating deposits other than cash receipts by the cashier to debtor accounts

On a daily basis, Sibongile Mathlabe posts receipts that were received by EFTs and direct bank deposit to the accounting records. Customers are required to quote their customer account number as banking reference when effecting an EFT or making a direct deposit. This practice enables Sibongile to identify which deposit belongs to which debtor. He is able to download the company’s bank statements electronically using Ntsimbi Piping’s online banking facility. In order to allocate deposits to debtor accounts, Sibongile first accesses the ‘Record receipts’ function on PVCACC with his unique username and password. He also accesses the online banking facility using read-only access and prints a hard copy of the bank statement. He then ticks off each deposit that appears on the bank statement as he posts it to a debtor’s account in the computer application.
The crediting of the debtor’s account in the debtors master file takes place automatically at the same time that a receipt is posted by Sibongile to the cash receipts transaction file. This automated posting is possible as Sibongile has entered the debtor’s account number before posting the deposit, enabling the system to identify the account to which the receipt should be allocated.

6.8.9.3 Unidentified deposits

It does on occasion happen that Sibongile finds a deposit on the bank statement that does not have any customer account number as banking reference, or the number is not recognisable as a customer number belonging to a debtor of Ntsimbi Piping. In such cases, Sibongile compiles a ‘list of unidentified deposits’, which in turn becomes a reconciling item on the bank reconciliation (i.e. money has been received in the bank, but not yet recorded). In most cases, these deposits are resolved after the debtor statements have been sent out, when debtors query why their accounts have not yet been credited with deposits. Sibongile then requests the debtor to send him a ‘proof of payment’, after which he can identify the deposit on the bank statement, should it exist. Only then can he clear the list of unidentified deposits of that particular amount and allocate the receipt to the relevant debtor’s account.

6.8.9.4 Performing a bank reconciliation

At the beginning of each month, Sibongile performs a bank reconciliation for the previous month between the month-end bank statement received from Ntsimbi Piping’s bank and the cash balance as per the company’s cash book on the computer system. He performs the bank reconciliation using the facility provided by PVCACC. The bank reconciliation identifies, among others, any deposits and cheques that have been recorded in the cash book, but which have not been processed by the bank yet, and vice versa.
After completing the bank reconciliation and making sure there are proper reasons for all reconciling items, Sibongile prints the reconciliation, signs it as proof of performance and hands it to Jason Khumalo for review. Jason carefully agrees the bank statement and cash book balances with the supporting evidence attached and also agrees the reconciling items with attached supporting documentation (such as deposit slips for deposits not yet processed by the bank and the unidentified deposits with the list of unidentified deposits). In addition, James scrutinises the cash book and list of unidentified deposits on the computer for any unusual items and follows up with Sibongile and/or Tracy (cashier) as to reasons for these.

6.8.10 Processing and recording of returns and other sales adjustments

• Function performed by the warehouse in the manufacturing division, marketing and sales division and accounting and finance division.
• Persons involved in function:
  • Abdul Paruk (goods receiving supervisor in the warehouse)
  • James Price (supervisor of the finished goods warehouse)
  • Mary Carlson (invoicing clerk in invoicing section of the accounting and finance division)
  • Leanne Ford (sales manager in the marketing and sales division).

It occasionally happens that customers are justifiably not satisfied with goods delivered or that goods are damaged in transit. In such cases, a customer sends the goods back to Ntsimbi Piping for a credit to his or her account. Strict controls are in place over the issue of sales credits due to the high risk of fraud in this area.

6.8.10.1 Receiving returned goods from customers

Should a customer return goods to Ntsimbi Piping, they are received by Abdul Paruk in the receiving area of the warehouse. Abdul accesses the ‘Create goods returned voucher’ (GRV) option in PVCACC and must first provide an invoice reference number, as quoted by the customer, before the system allows him to proceed.
Should the system find a matching invoice, Abdul enters the item codes and quantities of all goods that are being returned and the system matches it to the product descriptions on the original invoice for validity. He then prints a sequentially numbered GRV, which is handed to James Price. James performs an additional check on the goods (e.g. to ensure that the goods are in fact damaged as claimed by the customer) and authorises the GRV. The goods are then transferred to a separate area in the finished goods warehouse from where they will be repaired or written off.

6.8.10.2 Distribution of source document (goods returned voucher)

• One copy of the GRV is filed by Abdul in the warehouse for record purposes.
• The second copy is given to the customer as proof of having returned the goods.
• A third copy is sent to the invoicing clerk (Mary Carlson).

6.8.10.3 Creating a credit note

When Mary Carlson receives an approved GRV from the warehouse, she accesses the ‘Create credit note’ function in PVCACC with her unique username and password. She is asked to input a GRV number as well as an invoice number relating to the goods returned, before she can continue creating the credit note. The accounting application automatically furnishes the transaction details on the credit note (item code, description and quantity), retrieved from the GRV data previously captured by Abdul in the warehouse and stored on the computer system. It also matches the credit note to the corresponding invoice data stored on the system in order to retrieve the prices that were originally charged to the customer, and for which credit is being granted. When generated, credit notes are written by the computer to a pending credit notes transaction file to await approval.

6.8.10.4 Approval of credit notes

Leanne Ford (the sales manager) must log in to PVCACC using her unique username and password in order to approve pending credit notes.
She electronically approves the credit notes with reference to the supporting documentation submitted to her by Mary (including GRV and original invoice). Leanne cannot create or make changes to any credit note on the system, as she has read-only access to view credit notes and only has write-access to approve them.

Note: Where credit being granted to a customer is not based on returned goods, but is related to other adjustments, such as account corrections, Leanne Ford must first authorise the adjustment. Mary Carlson would generate a preliminary credit note on the accounting application (e.g. to correct a debtor account that was overcharged) and submit any documentation supporting the adjustment to Leanne. Such documentation may, for instance, consist of a debit note from the debtor and a print-out of the erroneous invoice. Leanne authorises the credit note on-screen after confirming that a valid reason exists for the adjustment with reference to the supporting documentation.

Upon on-screen approval, the credit note is processed automatically to the sales adjustments transaction file and debtors master file without further action by Mary. Leanne Ford prints a monthly report of all credit notes generated by the system for review. She scrutinises this report for any unusual credit transactions or large transaction amounts and performs a month-to-month comparison of total credit granted to investigate months with unexpectedly large totals.

6.8.10.5 Distribution of source document (credit note)

• PVCACC retains an electronic version of the credit note.
• Once approved by Leanne Ford, an electronic copy of the credit note is emailed to the customer by Mary Carlson.

Assessment questions

For questions 1 to 3, select the most appropriate answer(s) from the options provided:

1.
A sale to a customer can ordinarily be recognised in the accounting records as revenue once: (LO 3 & 5)
a) A sales order has been received from the customer
b) The sales order received from the customer has been approved
c) Ordered goods have been delivered to the customer
d) An invoice has been sent to the customer to demand payment

2. A reason for making out an internal sales order (ISO) despite the fact that a written customer order has been received is that: (LO 6)
a) The entity requires customer orders to be sequentially numbered, while those received from various customers are not in sequential number order
b) The entity requires an ISO in order to prove the validity of the future sales transaction, without which a sale cannot be recorded as revenue
c) An internal sales order is necessary for the proper approval of an order
d) An internal sales order is necessary to create a picking slip

3. A customer is required to sign the entity’s delivery note on delivery of goods or rendering of a service because the signature: (LO 8)
a) Proves that the correct sales prices were originally quoted to the customer
b) Serves as an indication that a sales transaction can be recorded in the accounting records
c) Removes the possibility that delivery staff might misappropriate goods en route to the customer
d) Prevents collusion between the customer and delivery staff

For questions 4 to 9, indicate whether the statement is true or false and explain your answer:

4. A picking slip is an essential document needed for a sale to be recorded in the accounting records and for an invoice to be created. (LO 5 & 6)

5. If an entity renders a service to a customer over a 24-month period, but the customer paid all 24 months’ fees up front (i.e. on the day the contract was signed), the entity can record the total contract value (24 months’ worth of services) in the initial financial year if the customer agrees to this. (LO 3)

6.
Only staff members at managerial level (and accordingly, not clerks) should be allowed to perform reconciliations, such as a bank and debtors reconciliation. (LO 10)

7. For proper segregation of duties to occur, the staff member who receives and processes customer orders should not be allowed also to post sales transactions to debtors’ accounts in the accounting records. (LO 10)

8. It is possible for a computer program to approve a credit note without any manual intervention from a staff member. (LO 10)

9. A point-of-sales system is linked to the inventory master file in the company’s computer system to enable it to retrieve the selling prices of items being sold. (LO 8)

10. Briefly explain the purpose of the revenue and receipts cycle. (LO 1)

11. State the major general ledger accounts that are affected by the revenue and receipts cycle. Provide your answer in terms of the double-entry bookkeeping system, i.e. also state the contra-accounts affected. (LO 4)

12. State the general ledger accounts most likely affected when the following activities occur: (LO 4)
a) An order is received from a customer.
b) An invoice is made out to a credit customer.
c) Money is received from a credit customer to settle his or her account.
d) A customer returns faulty goods to an entity and a credit note is approved.

13. Briefly explain the main purpose of each of the following functional areas present in the revenue and receipts cycle: (LO 4)
a) Credit management
b) Invoicing
c) Recording of sales in the accounting records
d) Processing and recording of returns and other sales adjustments

14. Describe the purpose of each of the following documents/accounting records used in the revenue and receipts cycle: (LO 6)
a) Internal sales order
b) Delivery note
c) Invoice
d) Credit note
e) Sales journal
f) Cash receipts journal
g) Debtors master file

15.
State the source documents used in order to record the following in the cash receipts journal (cash book): (LO 5 & 6)
a) A deposit is received from a customer via an electronic funds transfer.
b) A deposit is received from a customer via a direct deposit made at a branch of the company’s bank.
c) Physical cash is received from a debtor who settled his or her account.
d) A cheque is received from a customer through postal mail.

16. For each of the following risks, state whether the risk will result in an overstatement or an understatement of revenue in the financial statements and also state the revenue-related assertion affected by each risk: (LO 7)
a) Fictitious sales are recorded in the sales journal.
b) A clerk incorrectly used a sales price of R22 for a particular item and not the official price of R30 when preparing an invoice for a customer.
c) A customer order is accepted and processed from a customer who has exceeded their credit limit, without management approval.
d) Sales invoices were destroyed in a fire and could not be recorded in the sales journal.
e) Sales transactions are deliberately omitted from the accounting records in order fraudulently to reduce an entity’s tax liability.

17. For each of the following risks, state whether the risk results in an overstatement or an understatement in the accounts receivable account balance and also state the accounts receivable-related assertion affected by each risk: (LO 7)
a) Trade debtors become uncollectable, but are carried at their original (gross) values in the financial statements.
b) An entity delivers goods to a customer, but neglects to record a sale or create an account for the debtor in the debtors master file.
c) The entity sold its debtors to a debt collection agency, but still shows the debtors in its financial statements.
d) A fictitious sale is recorded in the sales journal.

18. Formulate the control objectives of validity, accuracy and completeness in the context of a sales transaction. (LO 10)

19.
For each of the following risks: (LO 10)
• State the control objective that best relates to the risk;
• Describe the internal control(s) that should be in place to prevent and/or detect the risk; and
• State the assertion(s) affected.
Assume that physical products are sold and that no computerisation applies:
a) An invoice is recorded as a sale in the sales journal without the goods relating to the sale having been delivered to the customer.
b) Not all sales transactions (invoices) are recorded in the financial records.
c) A credit note is issued to a debtor who has not requested an adjustment to his or her account.
d) A sales transaction is incorrectly posted to a debtor’s account in the debtors ledger from the sales journal through a transposition error (e.g. incorrectly as R1 240 and not correctly as R1 420). The general ledger entries are, however, correct.
e) A cashier receives money from a debtor, but misappropriates the money for personal gain and writes off the customer’s debt in the debtors ledger to conceal the theft.

20. Consider the following scenario: (LO 11)
In recent weeks, customers of Brickalot (Pty) Ltd have complained that their orders are not always acted on and that short-deliveries are a general occurrence. Because of the resulting major customer dissatisfaction, the company has started losing customers. On investigation by internal auditors contracted by the company to resolve problems in its system of internal controls, it was found that:
a) Although internal sales orders (ISOs) are made out in sequential number order and are approved, delivery notes are not always made out for all ISOs.
b) Goods are picked from the warehouse shelves and are loaded directly onto delivery vans that park next to the shelves. At this stage, a delivery note is prepared by the warehouse staff member who picked the goods.
Required: Identify and state the weaknesses in internal controls in the above scenario that may have led to the customer dissatisfaction and describe the internal controls that should be implemented to prevent the problems from recurring.

1 Source: US Securities and Exchange Commission news release. [Online]. Available: https://www.sec.gov/news/pressrelease/2016-218.html
2 Based on information found at: http://www.accountancysa.org.za/resources/ShowItemArticle.asp?ArticleId=625&Issue=449.
3 Information obtained and prepared from: ‘Non-audit services: How it affects the independence of the auditor’; Deon Basson, 2004. [Online]. Available: http://reference.sabinet.co.za/webx/access/journal_archive/10289003/28.pdf Reprinted by permission of The Southern African Institute of Government Auditors (SAIGA).

Purchases and payments cycle
CHAPTER 7
Gerrit Penning

CHAPTER CONTENTS
Learning outcomes
7.1 What are the nature, purpose and accounting implications of the cycle?
7.2 What functional areas occur in the cycle?
7.3 What information system is used in the cycle?
7.4 What could go wrong (risks) in the cycle?
7.5 What computer technologies are used in the cycle?
7.6 What are the control objectives in the cycle?
7.7 What are the controls in the cycle (manual and computerised)?
7.8 Cycle illustration: The purchase and payments cycle at Ntsimbi Piping
Assessment questions

LEARNING OUTCOMES
1. Explain the nature and purpose of the cycle.
2. Identify and describe the major general ledger accounts affected by the cycle.
3. Explain the accounting treatment required for the transactions in the cycle.
4. Identify and explain the cycle’s functional areas.
5. Describe the flow of transactions in the cycle through the information system, including its relation to source documents and accounting records and its relation to classes of transactions and events, and balances.
6.
Identify and describe the documents and records, both manual and computerised, utilised in the cycle and describe the purpose of each.
7. Identify and describe the risks of material misstatement in the cycle affecting account balances, classes of transactions and events in the financial statements.
8. Describe the computer technologies typically used in the cycle.
9. Formulate control objectives for the cycle.
10. Describe how internal controls may assist in achieving the control objectives in the cycle and how these control objectives relate to management’s assertions in the financial statements.
11. Critically analyse internal control systems in order to identify and explain weaknesses in the control system and recommend improvements by describing the required internal controls.
12. Design a system of internal controls, both manual and computerised, that will achieve the cycle’s control objectives.

IN THE NEWS

SEC charges Bankrate and former executives with accounting fraud¹

Extract from a securities² fraud³ complaint submitted to the Securities and Exchange Commission, United States of America

8 September 2015

The Securities and Exchange Commission today announced that Bankrate Inc. has agreed to pay $15 million to settle accounting fraud charges. Three former executives are charged in the case that involves fraudulent manipulation of the company’s financial results to meet analyst expectations.⁴

The SEC alleges that Bankrate’s then-CFO Edward DiMaria, then-director of accounting Matthew Gamsey, and then-vice president of finance Hyunjin Lerner, engaged in a scheme to fabricate revenues and avoid booking certain expenses to meet analyst estimates for a key financial metric: adjusted earnings before interest, taxes, depreciation, and amortisation (EBITDA). Bankrate consequently overstated its second quarter 2012 net income.
Bankrate’s [securities] rose when the company announced the inflated financial results, and DiMaria allegedly proceeded to sell more than $2 million in company [securities]. Lerner agreed to pay more than $180,000 to settle the SEC’s charges. The litigation continues against DiMaria and Gamsey.

‘We allege that at the highest levels of its accounting department, Bankrate improperly inflated its financial performance to avoid falling short of Wall Street’s expectations,’ said Andrew J. Ceresney, Director of the SEC’s Division of Enforcement. ‘Bankrate manipulated its financial results through numerous small accounting entries in order to meet analyst estimates on a key metric.’

According to the SEC’s complaint filed in federal court in Manhattan: [extract of some complaints only]
• After learning that Bankrate’s preliminary financial results for the second quarter of 2012 fell short of analyst estimates, DiMaria arbitrarily decided to increase the company’s revenue after the end of the quarter.
• In addition to booking improper revenue, Bankrate, through the accounting executives, improperly reduced certain expenses or failed to book them at all in order to meet analyst estimates.
• One of the expense accounts and related accrual account manipulated by Bankrate had been used as a ‘cushion’⁵ account to manipulate the company’s financial results for at least a year.
• DiMaria, Gamsey, and Lerner lied to the company’s auditor regarding the improper accounting entries.

Lerner also agreed to be barred from serving as an officer or director at a public company for five years and from public company accounting for at least five years.

REFLECTION

What incentives do you think an entity might have to fraudulently overstate its profits by artificially understating its expenditure? Which of the entity’s stakeholders would you say could be affected by such fraudulent manipulation of the financial information?
On the other hand, do you think an entity might have an incentive to overstate its expenses in order to understate its profits? Which stakeholders would be affected if this were the case?

7.1 What are the nature, purpose and accounting implications of the cycle?

7.1.1 The nature and purpose of the cycle

The purchases and payments cycle relates to an entity’s acquisition of goods and services from suppliers, and payment to the suppliers in exchange. It is also sometimes referred to as the ‘acquisitions and payments’ or ‘requisitions to cheque’ cycle. The cycle does not deal with the purchase of capital assets (such as investments, property, plant and equipment), which is dealt with separately in the investment and financing cycle in Chapter 10.

The main purposes of the cycle are to ensure that:
• Sufficient products and services are purchased at a competitive price in order to satisfy the demand from customers;
• The purchase is promptly and appropriately recorded in the financial records; and
• Suppliers are paid in a timely manner for only those goods and services actually purchased.

An entity needs to acquire goods and services from other entities in order to enable sales to its own customers. Failure to acquire goods on time, or failure to acquire goods at all, may render an entity unable to engage in further business activities. Similarly, an inability to pay suppliers in a timely manner may lead to suppliers withdrawing their commercial ties with the entity.

WHAT IF?

What if an entity fails to provide goods to its customers within a reasonable time due to a failure to acquire goods in time or if it fails to provide goods at all? What could the economic implications be for the entity?

Establishing good business relations with suppliers is an important component of an entity’s ability to remain competitive.
Not only can it result in reduced purchase costs, but will also contribute to an uninterrupted supply chain of goods and services from the supplier to the entity and on towards the entity’s customers. To maintain favourable supplier relations, an entity should, among other things, strictly adhere to the payment terms as negotiated with suppliers, for example payment of all purchases within 30 days from date of receiving the supplier’s invoice, in order to qualify for a purchase discount.

A supply chain is the process whereby products or services are transferred from a supplier to a customer. Ensuring a continuous, unbroken supply chain may add to an entity’s ability to remain a viable business concern. It is typical of a successful business always to attempt to increase the efficiency, effectiveness and economy of its supply chain activities. A business may seek to automate (computerise) the bulk of its purchases and payments cycle in order to gain further supply chain efficiencies and maintain control over increasing volumes of business information and transaction data.

7.1.2 Forms of purchases

Purchases may take a variety of forms, depending on the type of entity and the industry within which it operates. Examples of different forms of purchases include:
• A construction entity purchasing raw materials such as cement, bricks and other materials for the construction of a building;
• A manufacturing entity purchasing raw materials from a mine, a refinery or a farm for use in a manufacturing process to produce finished goods;
• A wholesale entity purchasing manufactured goods for bulk sale to retailers;
• A retail business purchasing goods from a wholesale entity for sale to the general public; and
• Any entity acquiring various items such as fuel, stationery, maintenance and repair services for internal use in the conduction of its business (i.e. not for resale).

7.1.3 The varied nature of the cycle

The specific internal controls in the cycle can vary from entity to entity.
There is no set recipe of controls that can be applied to each and every business scenario. The risks facing individual entities will be a determining factor in the internal controls that an entity will implement in the cycle. For example, some entities may be heavily reliant on a small number of suppliers, which can lead to delays in production or even the entity’s demise, should it not be able to obtain the necessary goods and services from these suppliers. For this purpose, such an entity will implement additional measures beyond the standard procurement controls addressed in this chapter in order to enhance its procurement process.

However, regardless of the type of entity making the purchase, the industry in which it operates, or the type of goods or services it purchases, the purpose of the cycle and the objectives of the internal controls in the cycle will remain the same. Accordingly, it is crucial to have a proper understanding of the nature and purpose of the cycle and the typical risks an entity faces in the cycle.

7.1.4 How transactions in the cycle are triggered (initiated)

The cycle makes specific provision for routine purchase and payment transactions:
• For a purchase transaction to commence, an internal purchase requisition should be issued by the department in the entity that requires the goods or services. This action will in turn lead to an order being submitted to a supplier.
• For a payments transaction to commence, an invoice should become payable within the agreed payment terms.

A transaction in the cycle will come to an end once the goods or services purchased have been received or rendered respectively, payment to the supplier has been made, and the purchase and payment transaction has been appropriately recorded in the financial records. The cycle will repeat itself each time a purchase or payment transaction is initiated.
Figure 7.1: The purchases and payments cycle

7.1.5 Example of a typical transaction in the purchases and payments cycle

A routine transaction in the cycle will originate from an internal requisition. Should the warehouse (or raw materials stores) for instance, identify a product with a low inventory level, the warehouse staff may request that the entity’s procurement department initiate an order with a supplier. With the necessary approval, the procurement department will order the goods from the supplier. The supplier will deliver the goods ordered to the entity’s warehouse and request payment by sending the entity an invoice. The entity will record a purchase in its financial records and, at a specified time, pay the supplier, followed by the recording of the payment. Sometimes services are ordered instead of goods, for instance repairs to plant. The cycle operates in a similar way for this type of transaction.

In some computerised systems it is possible to programme the computer to identify low inventory levels. The software would trigger an alert or send a notification to the appropriate staff member in the entity when a particular item of inventory has fallen to a certain minimum theoretical quantity. Such automation may allow for faster identification of low-running inventory and can optimise the purchase process accordingly. Automation however, does not change the need for an internal requisition: it should still be generated in order to document the need for the item.

7.1.6 Major accounts affected by the cycle

Transactions in the cycle have to be recorded in the entity’s financial records and posted to specific general ledger accounts. The following accounts are affected by the cycle:

1.
Statement of Comprehensive Income (classes of transactions and events) Purchases of goods (periodic inventory systems) • Cost of sales (perpetual inventory systems, and periodic inventory systems when purchases are reversed at period end) Refer to the Statement of Comprehensive Income of Ntsimbi Piping (page 8) and note the line item ‘Cost of Sales’. Also refer to its Detailed Income Statement in the supplementary information (page 25) and note the item ‘Purchases’ under ‘Cost of Sales’. • Period costs allocated to various expense accounts, including those accounts affected when services are purchased (e.g. water and electricity charges, rental fees and security expenses). Refer to the Detailed Income Statement in the supplementary information to Ntsimbi Piping’s nancial statements (page 26) and note the detailed list of operating expenses (period costs). 2. Statement of Financial Position (account balances) • Current assets: • Cash and cash equivalents (including cash in bank accounts and cash on hand) • Inventory (including raw materials, work-in-progress and nished goods) • Current liabilities: • Trade and other payables (including trade creditors, accruals and other payables). Refer to the Statement of Financial Position of Ntsimbi Piping (page 7) for above line items. 7.1.7 Accounting treatment of certain speci c transactions in the cycle 7.1.7.1 Purchases or cost of sales? Entities that operate a periodic inventory system record acquisitions as purchases in their nancial records. After performing an inventory count at period end, the purchase entries will be reversed against inventory (assets on hand remaining after the period’s sales) and cost of sales (expenditure relating to the sales). An entity that operates a perpetual inventory system will record acquisitions as inventory (current assets acquired) in its nancial records. Immediately on the sale of the inventory to customers, an expense in the form of cost of sales is raised. 
There is no purchases account in a perpetual inventory system.

REFLECTION
By referring to the financial statements of Ntsimbi Piping, can you determine the type of the inventory system operated by the company?

In both the above-mentioned systems, accounts payable in the form of trade creditors are raised on acquiring inventory on credit. The journal entries will comprise the following:

i. Buy 1 000 items of inventory from supplier costing R2 000 in total (R2 per item)
   Perpetual system: Dr Inventory R2 000; Cr Trade creditors R2 000
   Periodic system: Dr Purchases R2 000; Cr Trade creditors R2 000

ii. Sell 750 items to customer for a total of R2 250 (R3 per item)
   Perpetual system: Dr Trade debtors R2 250; Cr Sales R2 250; Dr Cost of sales R1 500; Cr Inventory R1 500
   Periodic system: Dr Trade debtors R2 250; Cr Sales R2 250; no entry for cost of sales or inventory

iii. End-of-period inventory adjustment
   Perpetual system: No entry. (Remaining 250 inventory items already up to date in inventory records due to perpetual recording after each transaction.)
   Periodic system: Dr Inventory R500; Dr Cost of sales R1 500; Cr Purchases R2 000. (Remaining inventory items recorded as inventory balance, reversing purchases and recognising the difference as cost of sales.)

7.1.7.2 Credit purchases

Purchases made on credit will lead to the creation of trade creditor accounts in the financial records. Transactions with trade creditors are typically recorded in the creditors subsidiary ledger, and allocated to the trade creditors control account in the general ledger. The entity’s bank account will be used when creditors are paid, affecting cash and cash equivalents.

An entity will arrange with each supplier what the supplier’s payment terms are for payment of outstanding debt. A supplier may require that all its invoices be paid within 30 days of invoice (or statement) date should the entity want to make use of a payment discount. Suppliers may also charge interest for late payments beyond an allowed period.
It is in an entity’s best interest to ensure optimal cash flow is derived from favourable payment terms.

REFLECTION
Refer to document 2E (supplier statement) in the appendix at the end of the book. Can you determine the date on which the balance on the statement is due for payment?

7.1.7.3 Accruals

Accruals are a form of liability recorded in the statement of financial position at the year-end. They relate to existing liabilities that have not yet been paid at year-end and which have not yet been included in accounts payable. Accruals may, for example, relate to water and electricity services received from the municipality, but which have not been paid for at the year-end, as no invoice has yet been received from the municipality. An accrual will be raised at year-end to record an outstanding liability payable to the municipality. In the subsequent period, the accrual is reversed against the relevant expense account. Refer to Figure 7.2 for a municipal bill that was subsequently received and which will reverse the accrual previously created for the bill.

Figure 7.2: Municipal bill

Other expenses that may result in the need to accrue for liabilities include:
• Telephone accounts for which invoices are only received in the period following the month in which the calls were made (refer to Figure 7.3 for an example of a telephone account);
• Contractual expenses paid only in the period subsequent to the month in which the goods were received or a service was rendered to the entity; and
• Salaries and wages or any other expenses incurred before year-end, but which are only paid after year-end and are not normally included in trade creditors or other liability accounts.

WHAT IF?
What if an entity has received goods from a supplier before the financial year-end, but the supplier has not invoiced the entity yet? Will accruals be affected? What would the effect on net profit for the financial year be if the entity neglects to accrue for the outstanding invoice?
Figure 7.3: Telephone account

7.1.7.4 Expenditure or capitalisation?

It is important to distinguish between transactions that relate to the acquisition of items that are of a capital nature (resulting in the creation of an asset balance in the Statement of Financial Position) and transactions that relate to expenditure (reflected in the Statement of Comprehensive Income). The Conceptual Framework for Financial Reporting makes an explicit distinction between an asset (an item of capital nature written down over its useful life) and an expense (an item expensed in the year in which it was incurred).

Certain items, such as repairs and maintenance expenses, cannot be capitalised (i.e. recognised as an asset), as they do not meet the recognition criteria of an asset and should therefore be expensed. Other expense items, however, may sometimes meet the definition of an asset and should then be capitalised. These items include certain types of interest, development costs and lease payments.

WHAT IF?
What if an entity were to purchase consumables for its office (such as cleaning materials, small kitchen utensils and stationery) and, instead of expensing them, the entity capitalises the items as assets? What would the effect on the entity’s total assets in the financial statements be? And on its net profit? Which accounts will be over- or understated as a result?

7.1.7.5 Other expenditure and payment transactions

Transactions that are generally classified under other business cycles (e.g. the investment and financing cycle) may be affected by risks and controls in the purchases and payments cycle. When interest on loans, for example, is paid in cash, or when cash dividends are distributed to shareholders, the transaction will result in a cash outflow for the entity and will be affected by this cycle’s controls relating to payments.
Refer to the ‘Detailed Income Statement’ in the supplementary information to Ntsimbi Piping’s financial statements (page 25) for examples of specific transactions and events relating to types of expenditure other than purchases and cost of sales.

7.1.7.6 Acquisitions from foreign suppliers

The financial record keeping for acquisitions from foreign suppliers is complex and falls mostly outside the scope of this text. Only the conversion of transactions and balances between local and foreign currency is explained here.

7.1.7.6.1 Date of acquisition

Should acquisitions be made from foreign suppliers, it is important that the entity establishes the exact time at which control of the goods purchased is transferred to the entity. This point in time will determine the date on which the entity has to record the transaction in its financial records.

7.1.7.6.2 Currency exchange rates

On the date when control of the acquired goods is transferred, a transaction with a foreign supplier has to be recorded at the spot rate. The spot rate is the currency exchange rate ruling on date of the purchase transaction. In addition, according to IAS 21, the liability should be recalculated at the closing rate at each subsequent reporting date. In other words, if the amount owing to the supplier is still outstanding at reporting date (i.e. year-end), the entity will have to recalculate the outstanding liability with reference to the period end (closing) exchange rate. Any exchange difference resulting from the application of the spot rate and closing rate to the liability has to be recorded as a foreign exchange gain/loss to profit or loss.

Terms that one will encounter when importing goods
• Free on board (FOB): The seller delivers when the goods pass the ship’s rail at the named port of shipment. This means that the buyer has to bear all costs and risk of loss of or damage to the goods from the port of shipment to the final destination. The FOB term requires the seller to clear the goods for export.
• CIF (Cost, insurance, freight): The risks of ownership are transferred to the buyer once the goods are loaded on the vessel (pass the rail of the ship) and apply to transport by sea/inland waterways only. However, the seller must pay the costs and freight necessary to bring the goods to the named port of destination and is responsible for a minimum insurance coverage against the buyer’s risk of loss or damage to the goods.

7.2 What functional areas occur in the cycle?

7.2.1 Description of functional areas

For a typical retail entity purchasing goods from suppliers on credit, the following functional areas in the purchases and payments cycle will apply:
1. Purchase requisition (requesting of goods and services);
2. Ordering goods and services;
3. Receiving goods and services;
4. Recording of purchases;
5. Payment preparation;
6. Paying the supplier;
7. Recording payments; and
8. Returning goods and recording a purchase adjustment.

A brief summary of each functional area follows.

1. Purchase requisition
Purpose: To ensure that an entity’s operational and sales requirements are met timeously.
Main activities: Determining anticipated sales levels using sales forecasts and budgets; identifying inventory that is at low levels and needs replenishment, or services that are required; preparing a requisition and obtaining authorisation therefor; requesting the procurement department to obtain goods (including raw materials for the production process – refer to Chapter 8) from suppliers.
Persons involved: Depends on department in the entity that initiates the requisition, such as the sales department, warehouse or factory.

2. Ordering goods and services from suppliers
Purpose: To ensure that purchases are made from reliable suppliers in a cost-effective and timely manner, based on approved requisitions.
Main activities: Identifying the most suitable suppliers; obtaining quotes; negotiating competitive prices; ordering goods and services from suppliers; following up on long-outstanding orders.
Persons involved: Buying staff in procurement department.

3. Receiving goods and services from suppliers
Purpose: To ensure that all goods and services ordered from suppliers are received in accordance with an approved purchase order.
Main activities: Receiving and accepting delivery of goods from suppliers at receiving bay; checking quantity and quality of goods received; transferring goods into warehouse; recording inventory received in inventory system; receiving services from suppliers and ensuring that a service has been sufficiently rendered by the supplier at the required quality.
Persons involved: Goods receiving clerk in warehouse/factory stores; designated staff member signing off as proof of a service having been rendered to the entity.

CRITICAL THINKING
Why do you think the ordering and the receiving of goods and services are two separate functions? What are the risks involved in relation to the possible misappropriation of the purchased goods or services should the staff member ordering the goods or services also receive them and take custody of them?

4. Recording of purchases
Purpose: To ensure that all valid purchases made are accurately accounted for in the entity’s financial records, and in a timely manner.
Main activities: Recording purchases, cost of sales and other expenses and related creditors (liabilities) in the financial records; performing creditors reconciliations.
Persons involved: Accounts payable clerk and senior bookkeeping clerk (accounting department).

5. Payment preparation
Purpose: To prepare payment timeously for purchases that are payable to suppliers.
Main activities: Performing reconciliations of the supplier’s account in the entity’s records to the supplier’s statement; preparing payment documentation based on valid supporting documents.
Persons involved: Accounts payable clerk and senior accounting staff (accounting department).

6. Paying the supplier
Purpose: To pay suppliers based on valid payment documentation.
Main activities: Approval of payment to suppliers; paying suppliers by cheque, cash, direct deposit or EFT.
Persons involved: Management staff authorised to approve payments.

CRITICAL THINKING
Why do you think senior staff members, usually at management level, are responsible for the payment of suppliers, rather than the clerks responsible for the recording of purchases? Consider for instance the risk that exists from a bookkeeping clerk creating a creditor account and posting a purchase invoice to the account and subsequently paying that creditor a certain amount to settle the apparent debt.

7. Recording payments
Purpose: To record properly all payments made to suppliers in the entity’s accounting records.
Main activities: Recording of payments in the books of primary entry and posting the payment to the subsidiary and general ledgers.
Persons involved: Cash book clerk (accounting department).

8. Returning goods and recording a purchase adjustment
Purpose: To return unsatisfactory (e.g. damaged or faulty) goods previously purchased and to record the transaction as a purchase return; to record other adjustments to supplier accounts, such as where incorrect prices or item quantities have been invoiced by a supplier.
Main activities: Returning goods to suppliers; updating the inventory system with the returned goods; initiating and recording a debit note.
Persons involved: Warehouse staff (return of goods); accounts payable clerk (recording); senior financial and accounting staff (authorisation and review).

7.2.2 Summary of functional areas by department

Table 7.1 provides a summary of the functional areas by department.

Table 7.1: Functional areas by department

Various originating departments:
1. The requisition of goods and services will originate from various departments in the entity, where approval for the purchase will also be granted, usually by the departmental/warehouse manager.

Procurement department:
2. Ordering goods and services from suppliers

Warehouse (Stores):
3. Receiving goods from suppliers
8. Returning goods to suppliers

Accounting department:
4. Recording of purchase
5. Payment preparation
6. Paying the supplier
7. Recording of payment
8. Recording of purchase returns

7.3 What information system is used in the cycle?

7.3.1 Accounting for purchases and payments transactions

The purchases and payments cycle forms part of an entity’s information system, which includes the accounting system. The information system aims to achieve management’s control objectives of validity, accuracy and completeness of financial information. This information eventually forms part of the entity’s financial statements.

7.3.1.1 Routine transactions and the use of specific journals in the cycle

The documents shown in Figure 7.4 will ordinarily be used to enter routine purchases (and related returns) and payment transactions into specific books of primary entry (journals) in the accounting system, should goods be purchased from suppliers on credit.

Figure 7.4: Documents in the purchases and payments cycle

7.3.1.2 Non-routine transactions and the use of general journals in the cycle

On occasion, a non-routine transaction or event, including adjusting entries, may occur. These will not be recorded on standard documentation or in a specific journal. In such instances, a general journal voucher will be used to record the transaction or event in the general journal. An example of non-routine transactions in the cycle is the raising of accruals (refer to section 7.1.7.3).
7.3.2 Supporting documents, journals and ledgers

As a purchase or payment transaction flows through the information system of an entity, source documents will be created in each functional area to document and track the transaction, among other things. A list of supporting documents, records, reports and reconciliations that may be found in the purchases and payments cycle is discussed below.

7.3.2.1 Supporting documents

1. Master file amendment form (computerised systems)
A master file amendment form is completed in a computerised system each time a creditor’s (supplier’s) details are to be changed on the creditor master file (the creditor master file represents the creditors ledger in a computerised system), or if a creditor is to be added to or removed from the master file. For example, if a new supplier has been selected to provide goods or services to the entity, a document approving the supplier will be attached to the master file amendment form to support the amendment to the master file.
Example: Refer to document 2C in the appendix at the end of the book.

2. Purchase requisition
A purchase requisition is created when a need for goods or services is identified in the entity. A requisition may originate from various sources in the entity, including the warehouse or factory (e.g. when low inventory levels are identified), the sales department (e.g. based on customer orders received for out-of-stock items) or any department requiring items or services for use in the entity (e.g. the administrative offices requiring stationery such as printer cartridges or paper). A purchase requisition has to be authorised by the relevant departmental supervisor or manager (including the warehouse manager if the requisition originates from the stores), depending on the approval structure in the entity. A purchase requisition is usually not sent to the supplier – it remains an internal document used only by the entity to initiate the purchasing process.
Example: Refer to document 2H in the appendix at the end of the book.

3. Quotation
The department requisitioning the goods or services, or the procurement department, may have to obtain quotations from one or more suppliers (depending on the procurement policy of the entity). A quotation stipulates the best price of the goods or services offered by the supplier. Quotations from different suppliers can then be compared and the best quotation (based on a combination of factors such as price and quality) can be accepted. Obtaining quotations can further ensure that the entity receives relevant or appropriate goods and services to meet its requirements at a cost-effective price and that the entity is not biased towards a certain supplier for unacceptable reasons.

WHAT IF?
What if an entity was to allow its buying department to order goods or services from any supplier without obtaining quotations? Consider the possible financial consequences for the entity and the effect that this leniency may have on the business relationships between the entity and its customers.

4. Purchase order
A purchase order is an internally created, sequentially numbered document that is sent to the supplier indicating the goods or services needed by the entity. It contains the quantity, description and, in some cases, the price of the items required. A purchase order will typically be based on the approved internal requisition and will be referenced to a quotation if a quotation was received from the supplier. The purchase order will further stipulate the delivery address to which the supplier must deliver the ordered goods or services.
Example: Refer to document 2A in the appendix at the end of the book.

5. Supplier delivery note
The supplier delivery note (prepared by the supplier) is a document that specifies the details of the goods delivered to the entity.
When a supplier delivers goods to the entity, the supplier will provide the entity with a copy of the delivery note, which the receiving staff member signs as proof of acceptance of the delivery. This external document serves as proof that goods have been delivered by the supplier and that the goods have been accepted by the entity. It contains the quantities and descriptions of items delivered, but may not contain item prices. Similarly, for services rendered, a delivery note (or appropriately named equivalent document such as a job card) will be provided to the entity by a supplier to serve as proof of the service having been rendered.

6. Goods received note (also referred to as a goods receipt)
A goods received note (GRN), a written record created by the entity’s staff on taking custody of inventory from suppliers, indicates the quantities and descriptions of goods received and serves as documentary proof that the entity did receive the ordered goods. The GRN also indicates the date on which the goods were received, prompting the accounting department to record the purchase in the financial records with reference to the amounts on the supplier invoice.
Example: Refer to document 2B in the appendix at the end of the book.

Note that for services rendered, a GRN will not apply as no goods are delivered. The supplier would typically request the entity to sign the supplier invoice or a job card as proof that the services stipulated on the document have been rendered. A job card sets out the details of the work done by the supplier.

WHAT IF?
What if a GRN is not created for goods received and only the supplier’s delivery note is signed and used as evidence of the goods having been received? What could the potential effect be on an entity’s inventory records and accounts payable records as a result of this shortcoming in its purchases cycle?

7. Supplier invoice
An invoice is a supplier’s documented instruction to the entity that the entity owes it compensation for goods delivered or services rendered. The invoice contains the quantity and description of goods delivered/service rendered, as well as the amounts charged for the goods/services. The invoice may further indicate payment terms and conditions (e.g. the payment due date or discount eligibility, if applicable). In most instances, a separate invoice will be generated for each purchase transaction.
Example: Refer to document 2D in the appendix at the end of the book.

CRITICAL THINKING
Can you think of possible financial consequences for an entity if it was to pay a supplier upon receipt of an invoice for goods sold by the supplier, without first ensuring that a goods received note has been created by the warehouse staff who took custody of the goods?

8. Supplier statement
A supplier statement is received from a supplier at periodic intervals (e.g. once a month). It indicates the entity’s outstanding balance with the supplier, made up as follows:
• Balance carried forward from the previous period’s statement (if unpaid);
• All amounts invoiced since the previous statement date;
• Any subsequent adjustments made to the entity’s account by the supplier (such as credit notes granted for goods returned);
• Payments received from the entity since the previous statement date;
• Any payment discounts for which the entity qualified; and
• The ageing of the entity’s outstanding balance (current, 30 days, 60 days, etc.).
Example: Refer to document 2E in the appendix at the end of the book.

9. Remittance advice and proof of payment
A remittance advice is sent by the entity to the supplier to accompany a payment and indicates which invoice(s) the payment relates to. In addition, a proof of payment document may be sent to the supplier after payment has been made to inform the supplier of the payment having been made.
With EFT systems, such as through internet payment facilities, the entity can request via the EFT system that the bank automatically notify the supplier of the payment made, whether through fax, SMS or email.
Example: Refer to document 2F and document 2G in the appendix at the end of the book.

10. Goods returned to supplier voucher
A goods returned to supplier voucher (GRSV) is a document indicating the quantities and descriptions of goods that are returned to a supplier. Several reasons may result in an entity returning goods previously purchased, for example unsatisfactory or defective goods received from the supplier and broken/damaged goods sent back by customers (which should be returned to the supplier if they are still under warranty).
Example: Refer to document 2I in the appendix at the end of the book.

11. Debit note
A debit note is a documentary request to a supplier to debit the entity’s account, in other words to reduce the outstanding debt owing by the entity to the supplier. A debit note may, for instance, be created due to a purchase return (see goods returned to supplier voucher above). The debit note indicates the quantity and description of goods being returned and the amount of the debit requested (usually equal to the price of the goods involved as per the supplier’s invoice). The entity records a debit entry in its creditors ledger, reducing the outstanding balance it owes to the supplier, after recording a debit note in the purchase returns (or credit adjustments) journal.
Example: Refer to document 2J in the appendix at the end of the book.

7.3.2.2 Journals and ledgers

1. Purchase journal
The purchase journal is a book of primary entry in which routine purchase transactions are recorded. Cash purchases are not recorded in the purchase journals, only credit purchases. (Cash purchases are posted to the purchases account in the general ledger from the cash book.) Purchase transactions are commonly recorded in the number sequence of GRNs.
Daily purchase totals are posted from the purchase journal to the purchases account and the creditors control account in the general ledger.
Example: Refer to document 2K in the appendix at the end of the book.

In order to record a purchase in the purchase journal (and, resultantly, a trade creditor in the creditors ledger), a bookkeeper will require the following documents (for the purpose noted in brackets):
• Purchase order (proof of authorisation of the purchase);
• Supplier delivery note (supplier name and proof that goods were delivered);
• GRN (further proof that goods were delivered and actual quantity of goods accepted from supplier and classification of the expense); and
• Supplier invoice (supplier name and prices invoiced).

Once these documents are matched, it makes sense to record purchases in the purchases journal in GRN number sequence, as this will facilitate the identification of goods received (for which the entity is liable to pay the supplier), but which have not been recorded (i.e. ensuring the completeness of recording of purchases).

WHY?
Why would purchase transactions be recorded in GRN number sequence in the purchase journal and not in the sequence in which or on the date when supplier invoices are received? Consider the timing difference between the receipt of goods and the receipt of invoices from suppliers and the risk involved for proper cut-off of the purchase transaction: a supplier might not necessarily supply an invoice with the delivered goods. And goods could be received a few days before the entity’s financial year-end, while the invoice from the supplier is only received several days after year-end.

WHAT IF?
What would the purchase journal look like if the entity uses a computerised system? The purchase journal may be referred to as the ‘purchases transaction file’.
If one could download the purchases transaction file from the computer system and open it on a computer screen, it would resemble a spreadsheet or set of data, consisting of the same columns one would find in a typical purchase journal (called ‘data fields’ in the computerised system) and numerous rows (‘records’ of individual purchase transactions).

2. Cash payments journal (cash book)
The cash payments journal is a book of primary entry in which all payment transactions are recorded. Such payments may relate to cash expenses (including cash purchases) and payments made to suppliers for goods/services previously acquired on credit. Should a cash payment be made to a creditor, the payment will be posted from the cash book to the creditor’s account in the creditors ledger (and, as part of a total, to the creditors control account in the general ledger).

3. Purchase returns journal (or credit adjustments journal)
The purchase returns journal is another book of primary entry, used for the recording of debit notes. It contains a summary of all transactions involving the return of goods to suppliers (purchase returns) and other debits obtained from a supplier (e.g. adjustments in item quantities or unit prices incorrectly invoiced by a supplier and subsequently corrected). In order to record a purchase return in the purchase returns journal, the following will be needed:
• Original supplier invoice to which the return relates (description and price of goods returned);
• Goods return voucher (GRV) (authorisation for the return; contains the description and quantity of goods returned and supplier name); and
• Debit note (approval for the recording of the return; contains description, price and quantity of goods returned to supplier).

4. General journal
The general journal, also a book of primary entry, contains a record of all non-routine transactions and events and adjusting entries not allocated to the above specialised books of primary entry.
Example: Refer to document 2L in the appendix at the end of the book.

5. Creditors ledger (a subsidiary ledger to the general ledger)
The creditors ledger contains a detailed record of all transactions (invoices, payments, purchase returns and adjustments) applicable to creditors. Each creditor has its own account in the creditors ledger. The closing balance per the creditors ledger should represent the outstanding debt payable by the entity to the supplier according to the entity’s records and should be the same as the balance on the creditors control account in the general ledger, unless reconciling items exist (refer to section 7.3.5 below).

6. General ledger
The general ledger contains accounts drawn from all books of primary entry affected by the cycle to serve as a collection point for transactions that occurred in the cycle. The general ledger facilitates the preparation of a trial balance and the financial statements. The use of a creditors control account in the general ledger further facilitates the validity, accuracy and completeness of the accounting records, as the balance on this control account can be compared to the total of the subsidiary ledger (creditors ledger) on a monthly basis.

7.3.3 Databases and master files (computerised systems only)

1. Creditors master file
Manual system equivalent: Creditors ledger
The creditors master file is a database on an entity’s computer system containing all permanent (standing) data relating to the entity’s trade creditors. Standing data includes data fields such as the creditor’s name, address, contact details and any applicable payment terms. In addition, the creditors master file serves as the creditors ledger in a computerised system, implying that it contains the transactions that were undertaken with a supplier, as well as the outstanding balance owing.

2. Inventory master file
Manual system equivalent: Inventory listing or Inventory register
The inventory master file is a database containing the quantities of inventory on hand, together with standing data pertaining to the inventory, for example inventory code, description and location.

7.3.4 Reports

1. Creditors list
A creditors list is printed from the creditors master file (computerised systems), or can be manually prepared using the balances due to each supplier in the creditors ledger (manual systems). A computer application will commonly allow a user to choose which information (data fields) to include in the list, for example creditor’s code, name and balance due. The total outstanding balances when adding all individual creditor’s balances should agree with the grand total due to all creditors according to the creditors ledger (as well as the creditors control account in the general ledger).

2. Creditors age analysis
The creditors age analysis is an extended creditors listing that also contains a breakdown of the balance owing to each creditor in terms of the balance’s ageing, for example current balance, 30 days, 60 days and 90 days, etc.

Example: Refer to document 2M in the appendix at the end of the book.

7.3.5 Reconciliations

1. Supplier statement reconciliation
A supplier statement reconciliation is made between the outstanding balance owing to a creditor as per the creditors (subsidiary) ledger (internal accounting information) and the balance owing as reflected on the statement received from the creditor/supplier (external information). It is an internal reconciliation performed by the entity’s staff. The reconciliation reflects all reconciling items that cause the balances not to agree. A reconciling item may exist due to the entity having recorded a transaction with the supplier, but which the supplier has not yet recorded in its financial records, or vice versa. Reconciling items may also exist due to disputes with suppliers (e.g. when one party records an amount which is different from the other party’s amount). It is important that the reconciling items not include amounts that are in fact errors in the entity’s own records – these should be corrected by way of an appropriate adjustment to the entity’s records. A supplier statement reconciliation is a critical accounting function, particularly where payments to suppliers are based on the supplier statements and not on supplier invoices.

Example: Refer to document 2N in the appendix at the end of the book.

WHAT IF?
What if an entity does not perform a supplier statement reconciliation before it pays a supplier ‘on statement’ – what are the risks associated with the disbursement? In considering this matter, ask yourself whether the supplier could have made a mistake on its statement. Do you think the entity’s accounts payable staff could perhaps have made a mistake in the entity’s internal records? How would a reconciliation benefit the accounting process in such a case?

Pay on invoice or on statement?
An entity can pay its suppliers based either on invoices or on monthly statements received from the supplier. Paying on invoice implies that the payment being made to a supplier is based on individual invoices. For each invoice received, a corresponding payment will be made. Paying on invoice may thus simplify record keeping in relation to trade creditors as each invoice received is simply matched to supporting documentation and then paid. However, an entity may run the risk of an invalid payment being made:
• Should the supplier accidentally send the same invoice twice;
• Should the supplier send an inaccurate invoice;
• Should an adjustment relating to the invoice have been processed subsequent to the invoice being received; or
• If a false invoice is received from an unauthorised party.
These risks apply especially to entities where controls over payments are weak, such as where supporting documentation is not properly kept or reviewed before payment, or where supporting documentation is not cancelled after payment and can therefore be resubmitted for a future payment. The risks are lower where an invoice received is matched to both a purchase order and GRN before payment to reduce the likelihood of an invalid payment being made.

Paying on statement implies the payment of an amount determined with reference to the outstanding balance reflected on a supplier’s statement, which is usually received on a monthly basis. Paying on statement requires that a supplier statement reconciliation be prepared before payment is made, ensuring that the amount to be paid reconciles with the outstanding supplier balance in the entity’s creditors ledger. Although paying on statement will require more detailed record keeping of transactions with suppliers, it can assist in avoiding invalid, double or overpayments, as the entity will not pay an outstanding balance if not adequately supported by detailed purchase transactions in its own accounting records.

2. Creditors reconciliation
A creditors reconciliation reconciles the creditors control account in the general ledger with the creditors (subsidiary) ledger. When adding all creditors’ balances in the subledger, the total outstanding balance owing to all creditors should agree with the outstanding balance per the creditors control account. Such a reconciliation will identify purchase, payment or purchase return transactions recorded in the primary journals and posted to the general ledger, but which have not been posted to the subsidiary ledger. It can also identify double or other inaccurate postings to the subsidiary ledger.
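The pay-on-invoice risks listed above (the same invoice sent twice, an inaccurate invoice, a false invoice from an unauthorised party) can be tested programmatically before a payment is released. The following is an added example, not taken from the book: the supplier names, document numbers, record layouts and function names are all constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Line:
    item: str
    qty: int
    unit_price: Decimal


@dataclass(frozen=True)
class Invoice:
    supplier: str
    number: str
    po_number: str
    lines: tuple


def invoice_key(inv):
    """Normalise the invoice number so a re-typed copy still matches the original."""
    return (inv.supplier, inv.number.strip().upper())


def check_invoice(inv, paid, approved, orders, grns):
    """Match an invoice to the purchase order and GRN; return a list of exceptions.

    paid:     set of invoice keys already settled (the 'cancelled' documents)
    approved: set of approved supplier names
    orders:   {po_number: {item: (qty ordered, agreed unit price)}}
    grns:     {po_number: {item: qty received}}
    """
    exceptions = []
    if inv.supplier not in approved:
        exceptions.append("supplier not on approved list")
    if invoice_key(inv) in paid:
        exceptions.append("invoice already paid")
    order = orders.get(inv.po_number)
    if order is None:
        exceptions.append(f"no purchase order {inv.po_number}")
        return exceptions
    received = grns.get(inv.po_number, {})
    for line in inv.lines:
        if line.item not in order:
            exceptions.append(f"{line.item}: not on purchase order")
            continue
        agreed_price = order[line.item][1]
        if line.unit_price != agreed_price:
            exceptions.append(
                f"{line.item}: price {line.unit_price} differs from order price {agreed_price}")
        got = received.get(line.item, 0)
        if line.qty > got:
            exceptions.append(f"{line.item}: invoiced {line.qty}, received {got}")
    return exceptions


def pay(inv, paid, approved, orders, grns):
    """Release payment only for a clean invoice, then record it as paid so that
    the same document cannot be resubmitted for a future payment."""
    exceptions = check_invoice(inv, paid, approved, orders, grns)
    if not exceptions:
        paid.add(invoice_key(inv))
    return exceptions


# Constructed sample data (not from the book).
APPROVED = {"Steel Supplies"}
ORDERS = {"PO-501": {"pipe-A": (10, Decimal("230.00"))}}
GRNS = {"PO-501": {"pipe-A": 10}}

INV_OK = Invoice("Steel Supplies", "INV-9001", "PO-501",
                 (Line("pipe-A", 10, Decimal("230.00")),))
INV_RESENT = Invoice("Steel Supplies", " inv-9001 ", "PO-501",
                     (Line("pipe-A", 10, Decimal("230.00")),))
INV_WRONG = Invoice("Steel Supplies", "INV-9002", "PO-501",
                    (Line("pipe-A", 12, Decimal("320.00")),))
INV_FALSE = Invoice("Quick Pipes", "QP-1", "PO-777",
                    (Line("pipe-A", 5, Decimal("230.00")),))

if __name__ == "__main__":
    paid = set()
    for inv in (INV_OK, INV_RESENT, INV_WRONG, INV_FALSE):
        print(inv.number.strip(), pay(inv, paid, APPROVED, ORDERS, GRNS) or "paid")
```
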
7.3.6 Illustration: Transaction flow in the purchases and payments cycle
The following diagrams in Figure 7.5 show the typical flow of a purchase (and related returns) and payment transaction through the cycle. The diagram depicts an entity that purchases goods from suppliers on credit. Note that entities differ regarding the exact nature of the flow of the purchase and payments transactions, the names, types and numbers of copies of documents and the application of the internal controls. Any purchases and payments cycle should, however, address the risks facing the entity relating to purchases and payments in order to achieve the control objectives of validity, accuracy and completeness of financial information relating to this cycle.

Figure 7.5: Transaction flow diagram

7.4 What could go wrong (risks) in the cycle?
There are various risks of misstatement relating to the financial information produced in the purchases and payments cycle. Should a misstatement be material and it is not corrected, the financial statements will not be fairly presented. The following risks of misstatement, whether due to fraud or error, apply to the cycle.

7.4.1 Financial reporting risks
Financial reporting risks may result from the fraudulent manipulation or the erroneous recording or omission of financial information.

7.4.1.1 Expense transactions
• Not all purchase transactions, other expense transactions or accrual events are recorded (i.e. expenses are incomplete, which will also result in incomplete accounts payable balances should those transactions/events relate to credit expenses). This risk may result in:
  • An overstatement of profits which will incorrectly portray a more favourable financial performance for the entity as reported in its Statement of Comprehensive Income; and/or
  • An understatement of liabilities, which will improperly lead to more favourable liquidity or solvency ratios as reported in its Statement of Financial Position.
• Invalid purchases or other expenses are recorded, resulting in a reduction in profits, with a resultant inappropriate reduction in taxable income. ‘Invalid’ may include transactions that were never authorised, or transactions that never took place (i.e. fictitious transactions). This misstatement risk will also result in an overstatement of the accounts payable balance should the expenditure relate to credit purchases.

Note that the theft of inventory does not create an under or overstatement risk for purchases or accounts payable. (It does, however, create an overstatement risk for inventory.) In most cases, as soon as there is evidence of the entity having taken control of the goods, usually evidenced by acknowledgement of receipt through the signing of a delivery note (or sometimes through the realisation of a condition in an agreement), a purchase transaction occurs and the entity becomes liable for payment to the supplier. Should goods be stolen before being received by the entity’s staff (i.e. in transit to the entity), there is no misstatement risk for the entity as control over the goods has not yet transferred from the supplier. The goods remain the property (and risk) of the supplier until the entity has taken control of the goods (or as per the conditions of an agreement, if applicable).

• Purchases or other expense transactions are not recorded accurately, leading to expenditure and accounts payable or accruals balances being either under- or overstated. Such misstatements might occur where a purchase transaction, for instance, is inaccurately recorded in the purchase journal from the supplier invoice by recording an incorrect price. For example, the supplier charged R230 for item A on its invoice, but the entity’s bookkeeper erroneously recorded an amount of R320 in the purchase journal. The result is an overstatement of purchases (or inventory in a perpetual system) and an overstatement of the trade creditor liability.
• Purchase or other expense transactions are not recorded in the financial period to which they pertain. Such incorrect cut-off of purchase transactions may result in either:
  • An overstatement of expenditure/accounts payable if the transaction took place in a different financial period than the one in which the transaction was recorded; or
  • An understatement of expenditure/accounts payable if the transaction took place in the financial period under consideration, but was recorded in a preceding or subsequent period.
• Purchase or other expense transactions are not classified in the appropriate account in the financial records, leading to either an over or understatement of expenditure and possibly accounts payable should the transaction relate to a credit purchase.

CRITICAL THINKING
Can you identify from the above the risk(s) which may apply in the following cases?
• A director of an entity fraudulently records a personal expense incurred by the director in his/her private capacity, as a business expense of the entity.
• Goods are received by the warehouse and taken custody of, but because of circumstance, the warehouse staff neglect to ever create a goods received note.
• Goods are received by the warehouse on the last day of the financial year, but due to the computerised system having gone off-line, the warehouse staff could only create the necessary goods received notes on the computer system several days later.
• On the last day of the financial year, a bookkeeper responsible for expense accounts enquired from the municipality as to when the invoice relating to the water and electricity account for the last month of the entity’s financial year would be received. The municipality couldn’t provide the bookkeeper with an answer. Accordingly, the bookkeeper decided not to take any further action in relation to the accounting records for the particular financial year.
7.4.1.2 Payment transactions
• Not all payments made to suppliers are recorded, leading to an overstatement of the accounts payable balance and an overstatement of the cash book balance.
• Invalid payment transactions are recorded, resulting in an understatement of accounts payable and possibly an understatement of the bank balance.

7.4.2 Misappropriation risks
Misappropriation risks relate to misstatements in the financial statements as a result of theft of assets. Assets affected by the cycle are inventory and cash. Such risks include, among others:
• Goods received from a supplier and recorded as inventory, but stolen by parties (either internal or external to the entity) before they can be sold to customers. Effect on financial statements: overstatement of inventory (if shortage is not detected during an inventory count and subsequently corrected); and
• Theft of cash (either physically or through electronic means) before suppliers are paid, resulting in an invalid party being paid instead of the actual supplier. Effect on financial statements: none, as the trade creditor would still be owed the money while a payment would have been recorded in the cash book.

In order to reduce or eliminate the above-mentioned financial reporting and misappropriation risks, management will implement and maintain a system of internal controls to achieve the control objectives of validity, accuracy and completeness of financial information related to purchases (and related returns) and payments transactions.

Unauthorised purchases and payments in a supply chain process
An entity’s supply chain activities are a prime target for theft and fraud, as they involve:
• Obtaining assets (which can be misappropriated through theft or unauthorised use); and
• Payment of money to outside parties (which can be misappropriated through overpayments or unauthorised payments).
Common instances of fraud in a supply chain process may include:
• Not procuring goods through the established levels of procurement authorisation. For example, an entity’s procurement policy states that staff at assistant managerial level may authorise the acquisition of goods and services up to a maximum of R20 000 per order, while senior managers may request goods up to R40 000 per order. If, in this scenario, an assistant manager were to authorise an order to the value of say, R50 000 and thus exceed his level of authority, it may lead to unnecessary goods being purchased (unauthorised) or the misappropriation of the goods for personal use (theft) if not detected;
• Obtaining goods and services from parties that are related to the entity (e.g. purchasing goods from a company owned by a director of the entity) while the procurement policy of the entity explicitly disallows purchases from related parties;
• Procurement staff colluding with a supplier to place orders at excessively high prices in exchange for kickbacks from the supplier;
• Adding fictitious suppliers to an entity’s supplier database with resultant unauthorised payments to the fictitious suppliers;
• Loss of funds if payments are made for goods and services never received; and
• Abuses through various means in a tendering process whereby the most appropriate supplier who tendered or quoted is not awarded the tender.

The above unauthorised actions may also lead to invalid financial information being recorded in the financial records.

7.5 What computer technologies are used in the cycle?
Various computer technologies can be applied in the purchases and payments cycle. Some examples of such technologies are discussed below.

7.5.1 Electronic funds transfer (EFT)
An entity may choose to pay its suppliers by means of an EFT facility (refer to the appendix of Chapter 5 for details).
Some banks provide a dedicated online payment facility onto which an entity can load all its intended supplier payments and have the payments electronically transferred to the suppliers’ bank accounts.

7.5.2 Electronic data interchange (EDI)
An EDI system enables an entity to process business transactions with its suppliers with minimal manual intervention. EDI is an electronic communication system between an entity and its suppliers whereby both parties are connected to a joint computer network through which electronic data can be transferred (in a structured format), back and forth. The internet or a wide-area network might be used as the medium through which the EDI information is communicated. Purchase orders can, for example, be placed through EDI, enabling the supplier to receive the purchase order on its sales order system directly (i.e. without the customer having to phone, fax or email the purchase order to the supplier). An EDI system can further assist with dedicated backorder, goods delivery and payment facilities between the entity and the supplier.

7.6 What are the control objectives in the cycle?

7.6.1 Control objectives in the cycle
An entity faces various risks in virtually all of its financial operations, some more significant than others. This also applies to the entity’s purchases and payments cycle. Should an entity not be able to avoid these risks, the purchases and payments transactions recorded in its accounting records might be invalid, inaccurate or incomplete, leading to eventual misstatements in its financial statements. Accordingly, management implements application controls (refer to Chapter 5 section 5.9) to ensure that purchases and payments transactions (including any adjustments) are valid, and are completely and accurately recorded and processed.
7.6.1.1 The aim of the control objectives in the cycle
Validity, accuracy and completeness of purchase and payment information comprise the control objectives that management aims to achieve to address the major risks present in the cycle.

To ensure that the recorded purchases and payments transactions are valid, these transactions should:
• Have been authorised in terms of management’s policy;
• Relate only to genuine transactions that occurred (i.e. are not fictitious);
• Have been recorded in the year to which they pertain; and
• Be supported by sufficient documentation.

To ensure that purchase and payment transactions are accurate, they should be recorded at the appropriate amount. ‘Appropriate’ implies that all amounts were calculated correctly (in terms of quantity and price in respect of goods purchased and in terms of price where services have been rendered). Accuracy further entails that internal controls ensure these transactions are correctly classified in terms of their nature and recorded in the appropriate accounts.

To ensure that purchase and payment transactions are complete, all purchase and payment transactions that occurred in a given period should have been recorded in the accounting records and recorded in a timely manner. No purchase or payment transaction that occurred should thus be omitted from the entity’s accounting records.

7.6.1.2 Consequences if the control objectives in the cycle are not achieved
Table 7.2 summarises the consequences if the control objectives are not achieved.

7.6.2 Achievement of the control objectives in the cycle
The control objectives in the cycle are achieved through the proper implementation and operation of an information system, including an accounting system and related internal controls, in an entity. Note that the control objectives can be achieved either manually (a person performs the internal control) or by automated means (a computer performs the control).
Table 7.2: Consequences if control objectives not achieved

CONSEQUENCE FOR ENTITY’S FINANCIAL STATEMENTS IF CONTROL OBJECTIVES ARE NOT ACHIEVED (INTERNAL CONTROLS HAVE FAILED)

CONTROL OBJECTIVE: Validity
  Purchases and purchase returns:
    Fictitious or unauthorised purchases, or purchases recorded in the incorrect financial period: overstatement of expenditure and accounts payable due.
    Fictitious or unauthorised purchase returns, or purchase returns recorded in the incorrect financial period: understatement of expenditure and accounts payable.
  Payments:
    Invalid payments (e.g. recording in the wrong period): understatement of accounts payable and bank and cash account (invalid payment inappropriately reduces liabilities and bank/cash funds).
    Invalid payments (due to misappropriation – e.g. employee paying personal expenses that are recorded as entity expenses): overstatement of expenditures.

CONTROL OBJECTIVE: Accuracy
  Purchases and purchase returns:
    Inaccurate purchases and purchase returns: over or understatement of expenditure and accounts payable depending on the nature of the inaccuracy.
  Payments:
    Inaccurate payments: over or understatement of accounts payable and bank and cash account depending on nature of misstatement.

CONTROL OBJECTIVE: Completeness
  Purchases and purchase returns:
    Incomplete purchases: understatement of expenditure and accounts payable due to unrecorded purchases.
    Incomplete purchase returns: overstatement of expenditure and accounts payable due to unrecorded purchase returns.
  Payments:
    Incomplete payments: overstatement of accounts payable and bank and cash account (non-payment results in the balances not being reduced).

The following examples illustrate in broad terms several ways in which the control objectives can be achieved in the cycle. Note that it is not a reflection of the detailed control activities required to achieve the control objectives.
Validity of purchases and payments:
• Preapproval, by an authorised staff member, of the supplier from which the goods/services are purchased;
• Authorising each individual subsequent purchase from and payment to the approved supplier in terms of management’s policies; and
• Preparing supporting documentation for all these transactions.

Accuracy of purchases and payments:
• Recalculation of the amounts on a supplier invoice; and
• Checking of recorded amounts in the purchase journal by a supervisory staff member. This staff member would request the supporting documents for a transaction (such as the supplier delivery note and invoice) to compare the recorded amounts with both the quantities of items delivered (in cases where goods were received) and the prices charged by the supplier and accepted during initial authorisation of the transaction.

Completeness of purchases and payments:
• Checking by a supervisory staff member of the sequential recording of GRNs in the purchase journal for indications of gaps in the sequence, which will point to possible non-recording of purchase transaction, and following up to attempt to obtain reasons for the missing transaction and have it recorded to ensure all purchase information is complete in the financial records.

Details of control objectives and controls in the cycle appear in section 7.7 of this chapter.

Operational versus financial controls in the cycle
Not all internal controls implemented by an entity in its purchase and payments cycle affect financial reporting (refer to Chapter 4, section 4.4.3.2). As long as a transaction between the entity and supplier has not yet taken place it cannot be assumed that all controls operating prior to the transaction are financial in nature. Controls that do not affect financial reporting risks are referred to as operational controls.
(Note: A transaction is usually recognised as such at the point in time when the transfer of control over purchased goods and services occurred between the entity and its supplier). For example, obtaining quotations from suppliers in order to secure the best prices does not aim to prevent misstatement of recorded financial information: should an expensive supplier be chosen over a supplier who could have offered more reasonable prices, there is no misstatement of financial figures because of this action. If the higher prices were authorised and accurately recorded and the transaction is supported by the necessary documentation, the financial control objectives of validity, accuracy and completeness would have been achieved regardless of the non-performance of an operational control to secure more favourable prices.

7.6.3 Link between the control objectives in the cycle and management’s assertions
Transactions that are not valid, accurate and complete (caused by the control objectives not having been achieved) will result in purchases and payments (and related account balances) being misstated in the accounting records, which will in turn result in the financial statements being misstated. The process of recording a transaction in the financial records, and thus for it to be included in the financial statements, is as follows:

During a transaction’s flow through an entity’s information system, it will be subject to numerous internal controls that ‘assist it’ along the way to ensure that the control objectives are achieved. The transaction will only reach its end point appropriately if it ends up in the financial statements in a manner that achieves the control objectives. Thus, if management wishes to ensure proper financial recording (and fairly presented financial statements), they need to implement and maintain a proper information system, including an accounting system and related internal controls.
In this way, the achievement of the control objectives contributes to the appropriateness of the assertions made by management in the financial statements. It will indirectly also result in the financial statements being free from material misstatement.

CYCLE CASE STUDY
Application of the assertions to Ntsimbi Piping
The following assertions are made by the management of Ntsimbi Piping, either implicitly or explicitly, as communicated to users of the financial statements.

Account balances and related disclosures
Refer to the Statement of Financial Position in the financial statements of Ntsimbi Piping (page 7). Note the line item ‘Trade and other payables’ with a balance of R13,381,893. Also refer to the Notes to the Annual Financial Statements of Ntsimbi Piping – specifically note 11 (Trade and other payables) (page 19).
• In relation to existence, trade and other payables (i.e. the underlying short-term liabilities making up the balance) exist (i.e. these constitute liabilities that are not fictitious).
• In relation to rights and obligations, Ntsimbi Piping is the party obliged to settle the underlying liabilities making up the balance (obligations). It is not for the account of another entity.
• In relation to accuracy, valuation and allocation, the balance of R13,381,893 is considered an appropriate amount as the balance reflects the appropriate value of the underlying liability accounts repayable in the future. Further, any adjustments as to the value or allocation of the underlying liabilities have been recorded appropriately.
• Classification implies that the liabilities making up the balance of R13,381,893 have been correctly classified as trade and other payables. There are, for instance, no creditors with debit balances included in it.
• Concerning completeness, all liabilities deemed trade and other payables, and which are obligations of Ntsimbi Piping, have been recognised as such in the financial statements (notwithstanding the measurement thereof, which is dealt with separately under the valuation assertion).
• In relation to the presentation assertion, trade and other payables have been appropriately presented in the financial statements and notes thereto and have been clearly described. The components making up the balance have been appropriately disaggregated (broken down) where applicable. Related disclosures are relevant and understandable.

Transactions and events and related disclosures
Refer to the Detailed Income Statement in the supplementary information of the financial statements of Ntsimbi Piping (page 25). Note the item ‘Purchases’ in the amount of R104,794,348.
• In relation to the occurrence assertion, purchase transactions amounting to R104,794,348 did in fact take place (they occurred and are not fictitious) and also pertain to Ntsimbi Piping.
• Regarding accuracy, the purchase transactions making up the total have been recorded at correct amounts (e.g. in terms of the correct item quantities accepted during delivery and prices agreed with suppliers).
• In relation to completeness, all purchase transactions that took place during the financial year and which pertain to the company have been recorded and included under purchases.
• As to cut-off, all the purchases included in the total relate to transactions that took place within the financial year (i.e. the transactions concerned relate only to deliveries of raw materials accepted from suppliers between the first and last day of the financial year (inclusive of both days)).
• Classification implies that all transactions constituting the total of R104,794,348 should indeed have been classified as purchases and do not relate to, for instance, repairs and maintenance or insurance expenses.
• In relation to the presentation assertion, purchase transactions have been appropriately presented in the financial statements and notes thereto and have been clearly described. Related disclosures are relevant and understandable.

The assertions for purchases and accounts payable are linked to the control objectives in the cycle as shown in Table 7.3.

Table 7.3: The link between the assertions for purchases/accounts payable and the control objectives

CONTROL OBJECTIVE: Validity
  Classes of transactions and events and related disclosures: Purchases (including purchase returns)
    Assertions: Occurrence and Cut-off
    A control achieving the validity objective for a purchase will ensure that the recorded transaction pertains to the entity, was authorised, actually took place (i.e. is not fictitious) and is supported by sufficient documentation (occurrence) and further ensure that it has been recorded in the financial period to which the transaction relates (cut-off).
  Account balances and related disclosures: Accounts payable (including accruals)
    Assertions: Existence and Rights and obligations
    Purchase transactions that pertain to the entity were authorised and actually took place, resulting in the raising of a creditor liability that is approved, is genuine and is the obligation of the entity (existence and obligations).

CONTROL OBJECTIVE: Accuracy
  Classes of transactions and events and related disclosures: Purchases (including purchase returns)
    Assertions: Accuracy and Classification
    A control achieving the accuracy objective for a purchase will ensure that the transaction is recorded at the correct amount (including quantities, prices and correct calculations) (accuracy). It will further ensure the transaction has been correctly classified, summarised and posted to the correct account in the financial records in accordance with its nature (classification).
  Account balances and related disclosures: Accounts payable (including accruals)
    Assertions: Accuracy, valuation and allocation and Classification
    A control achieving the accuracy objective for purchase transactions making up a liability will ensure that the gross amount of the liability (accuracy) is appropriate. Furthermore, a control achieving the accuracy objective for any transaction resulting in a valuation or allocation adjustment to the gross amount of the liability will ensure that the net amount of the liability is correctly valued and allocated (valuation and allocation). Furthermore, controls that achieve the accuracy objective for transactions that affect accounts payable balances will also ensure the liability has been appropriately classified.

CONTROL OBJECTIVE: Completeness
  Classes of transactions and events and related disclosures: Purchases (including purchase returns)
    Assertions: Completeness
    A control achieving the completeness objective for a purchase will ensure that all transactions that occurred during the period are recorded (completeness).
  Account balances and related disclosures: Accounts payable (including accruals)
    Assertions: Completeness
    A control that ensures that all credit purchases that took place from suppliers are recorded in a timely manner, will ensure that all creditor liabilities are raised and included in the financial records (completeness).

Note: Controls that achieve the control objectives of validity, accuracy and completeness collectively contribute to management being able to properly present both classes of transactions and events and the related disclosures, and account balances and the related disclosures in the financial statements. Consequently, the Presentation assertion is not included explicitly in the table above.

The assertions for payments are linked to the control objectives in the cycle as shown in Table 7.4.
Table 7.4: Assertions for payments

Management assertions shown: Classes of transactions and events and related disclosures: Payments (recorded in the cash book)

CONTROL OBJECTIVE: Validity
  Assertions: Occurrence and Cut-off
  A control achieving the validity objective for a payment transaction will ensure that the payment pertains to the entity, was authorised, actually took place (occurrence) and will further ensure that it has been recorded in the financial period to which the payment relates (cut-off).

CONTROL OBJECTIVE: Accuracy
  Assertions: Accuracy and Classification
  A control achieving the accuracy objective for a payment transaction will ensure that the payment is recorded at the correct amount (accuracy). It will further ensure the payment has been correctly classified, summarised and posted to the correct account in the financial records in accordance with its nature (classification).

CONTROL OBJECTIVE: Completeness
  Assertions: Completeness and Cut-off
  A control achieving the completeness objective for a payment transaction will ensure that all payments that were made during the financial period are recorded as such (completeness).

7.7 What are the controls in the cycle (manual and computerised)?

7.7.1 Internal control activities in the cycle
As with other business cycles, proper control activities have to be implemented in the cycle to ensure that the entity achieves its control objectives of validity, accuracy and completeness of financial information. The major control activities particular to the purchases and payments cycle, performed either manually or programmatically (by a computer system), are summarised below.
7.7.1.1 Documentation and records

All the documentation relating to the cycle should be:
• Properly designed;
• Placed under proper stationery control; and
• Used in conjunction with a proper chart of accounts for transactions related to the purchases and payments cycle.

Refer to Chapter 4, section 4.3.2.4 for details of the above-mentioned types of controls.

7.7.1.2 Authorisation or approval

Authorisation or approval is required each time before:
• A request for goods or services is submitted to an entity’s procurement department;
• A new supplier is added to the entity’s approved list/database of suppliers;
• An order is placed with a supplier;
• Goods are returned to a supplier;
• A debit adjustment request (other than a goods return) is sent to a creditor; and
• A payment is made to a supplier.

Authorisation or approval can be made either manually or electronically (computer-based) in terms of preprogrammed restrictions.

7.7.1.3 Segregation of duties

The following activities should be performed by different staff members/departments:
• Initiation of a transaction;
• Authorisation of the transaction;
• Execution of the transaction;
• Recording of the transaction; and
• Custody of the assets involved.

Typical duties that should be segregated and performed by different persons in the purchases and payments cycle include those shown in Figure 7.6. (Each block represents one or more persons performing the same function that should be segregated from the functions performed by a person(s) in the other blocks.)

Figure 7.6: Segregation of duties for the purchases and payments cycle

In a computerised system, segregation of duties can be achieved through the implementation of user profiles whereby an employee is only granted access to the part of the accounting system that is necessary for the performance of the employee’s duties.

7.7.1.4 Access controls

Assets affected by the cycle include inventory and cash.
Access controls to protect against the misappropriation of assets (or damage to goods) should apply whenever:
• The entity takes custody of goods from a supplier;
• Inventory received from a supplier is transferred to the requesting department within the entity;
• Goods are returned to a supplier (purchase returns); and
• A payment is made to a supplier (in cash or by cheque or EFT).

7.7.1.5 Independent checks and reconciliations

Examples of verification checks (the checking of work initially performed by another person or by the computer system) in the purchases and payments cycle include:
• Agreeing purchase transaction information collected by the entity to the supplier’s invoice before the transaction is recorded in the purchase journal; and
• Checking the completeness of the sequential number order of GRNs for missing items and thus incomplete recording of purchases.

The cycle includes the performance of the following reconciliations:
• Supplier statement reconciliation (refer to section 7.3.5);
• Creditors reconciliation (refer to section 7.3.5); and
• Bank reconciliation (also applicable to the revenue and receipts cycle).

Reconciliations will usually be performed by a clerk and must be reviewed by a senior staff member. In the event that the person who is responsible for recording transactions in the accounting records also performs a reconciliation on recorded information (typically of smaller entities), strong and thorough review controls should be in place over the reconciliation.

7.7.2 Internal control tables

The following tables include the most common activities and related internal controls for the purchases and payments cycle to address the risks associated with each activity. The control tables clearly demonstrate the link between what could go wrong/risks, control objectives, assertions and internal controls (both manual and computerised) that were discussed in section 4.4 of Chapter 4. This link is demonstrated by means of a numbering system.
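The two verification checks listed in section 7.7.1.5 (agreeing purchase information to the supplier’s invoice, and checking the GRN number sequence for gaps) can also run as a programmed control. The Python code below is an added example and not part of the textbook; the record layouts, the exception codes, the assumption of one GRN per invoice and all sample data are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class PurchaseOrder:
    po_no: str
    unit_price: Decimal      # price agreed with the supplier


@dataclass(frozen=True)
class GRN:
    grn_no: int              # pre-numbered, issued in sequence
    po_no: str
    qty_received: int


@dataclass(frozen=True)
class Invoice:
    invoice_no: str
    grn_no: int
    qty: int
    unit_price: Decimal
    total: Decimal


def missing_grn_numbers(numbers):
    """Sequence check: numbers absent between the lowest and highest GRN seen."""
    seen = set(numbers)
    if not seen:
        return []
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]


def invoice_exceptions(inv, grns, pos):
    """Agree one supplier invoice to the entity's own GRN and purchase order."""
    grn = grns.get(inv.grn_no)
    if grn is None:
        return ["NO_GRN"]                 # nothing on file shows goods arrived
    found = []
    po = pos.get(grn.po_no)
    if po is None:
        found.append("NO_PO")             # received without an approved order
    elif inv.unit_price != po.unit_price:
        found.append("PRICE_DIFFERS_FROM_PO")
    if inv.qty != grn.qty_received:
        found.append("QTY_DIFFERS_FROM_GRN")
    if inv.qty * inv.unit_price != inv.total:
        found.append("ARITHMETIC")        # reperform the supplier's calculation
    return found


def review_purchases(pos, grns, invoices):
    """Run every check before anything is posted to the purchase journal."""
    pos_by_no = {p.po_no: p for p in pos}
    grns_by_no = {g.grn_no: g for g in grns}
    exceptions, invoiced = {}, {}
    for inv in invoices:
        found = invoice_exceptions(inv, grns_by_no, pos_by_no)
        if inv.grn_no in invoiced:        # second invoice for the same receipt
            found.append("DUPLICATE_OF_" + invoiced[inv.grn_no])
        else:
            invoiced[inv.grn_no] = inv.invoice_no
        if found:
            exceptions[inv.invoice_no] = found
    return {
        "missing_grns": missing_grn_numbers(grns_by_no),
        # goods received but not yet invoiced: candidates for an accrual
        "uninvoiced_grns": sorted(set(grns_by_no) - set(invoiced)),
        "exceptions": exceptions,
    }


# Constructed sample data (not from the textbook).
POS = [PurchaseOrder("PO-101", Decimal("12.50")),
       PurchaseOrder("PO-102", Decimal("0.40")),
       PurchaseOrder("PO-103", Decimal("85.00"))]
GRNS = [GRN(5001, "PO-101", 100), GRN(5002, "PO-102", 480),
        GRN(5004, "PO-103", 20), GRN(5005, "PO-101", 50)]
INVOICES = [
    Invoice("INV-A", 5001, 100, Decimal("12.50"), Decimal("1250.00")),
    Invoice("INV-B", 5002, 500, Decimal("0.40"), Decimal("200.00")),
    Invoice("INV-C", 5009, 10, Decimal("5.00"), Decimal("50.00")),
    Invoice("INV-D", 5005, 50, Decimal("13.00"), Decimal("640.00")),
    Invoice("INV-E", 5001, 100, Decimal("12.50"), Decimal("1250.00")),
]

if __name__ == "__main__":
    for key, value in review_purchases(POS, GRNS, INVOICES).items():
        print(key, value)
```

Each exception still needs follow-up by a person who did not record the transaction; the code only produces the exception list that the reviewer works from.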
Have a look at the control table illustrated in Table 7.5. You will notice that each ‘what could go wrong/risk’ is related to a control objective in the column to its right. The control objective is numbered (e.g. ‘A’). The assertion(s) affected by the ‘what could go wrong/risk’ (and impacted by the related control objective) is indicated in the next column. In the next two columns, you will find the control(s) that address the control objective (linked to the control objective by means of a letter (e.g. ‘A’)). (It follows that these controls then address the related ‘what could go wrong/risk’.) The additional numbering that you will see in the controls columns (e.g. ‘1.1’) relates each control to the activity where it belongs.

Note that the controls in a manual system are described in full, whereas only controls in addition to the controls in a manual system and alternative controls to those in a manual system that are required in a computerised environment are included in the right-hand column. Therefore, to form a complete picture of all controls in a computerised environment, the columns headed ‘Manual controls’ and ‘Alternative and additional controls in a computerised environment’ should be read together.

The difference between internal controls with financial reporting objectives and those with operational objectives was discussed in section 4.4.3.2 of Chapter 4. Note that where a control is indicated in the control tables as being ‘operational’, the risk underlying the control would not have any accounting implications (i.e. no effect on the assertions in the financial statements). However, where a financial control is indicated (i.e. the related control objective is validity, accuracy or completeness), an assertion would be affected by the underlying risk.

The tables apply to a business entity that manufactures goods and purchases its raw materials on credit from suppliers.
The specific activities performed, and hence the internal controls, will vary from entity to entity, but the overall control objectives remain the same for all entities. Furthermore, controls similar to those that apply to purchases apply to services (e.g. repairs).

Table 7.5: Purchase requisition

1 PURCHASE REQUISITION | ORIGINATES FROM DEPARTMENT WHERE THE NEED FOR RAW MATERIALS/GOODS IS IDENTIFIED

Activity: 1.1 A need for raw materials (for manufacturing purposes) or goods (for the purpose of reselling to customers) is identified in the entity. Needs can be identified through:
• Sales forecasts and budgets;
• Low raw materials levels in the factory;
• Low levels of goods in the warehouse;
• Specific or customised orders received from customers; and
• Operational requirements necessitating purchases such as fuel for entity’s vehicles and stationery for office use.
Responsible party: Staff member in department who becomes aware of the need to requisition raw materials/goods. Departmental supervisor or manager
Documents and records; master files: Purchase requisition

What could go wrong/risks: Failure to identify need for purchase of raw materials/goods (inventory) or services may lead to production delays, loss of potential sales and customer dissatisfaction.
Control objective: A Sales or production demand for inventory is timeously identified to ensure availability of goods for production or sale to customers. (No control objective applicable as this is an operational control.)
Account/assertion affected: N/A: Operational control objective, no financial reporting implications. Assertion(s) only affected once a transaction has taken place.

What could go wrong/risks: Unauthorised requisitioning of raw materials/goods not needed by the entity. Incorrect items are requisitioned.
Control objective: B Only raw materials/goods that are needed by the entity (e.g. for operational or sales purposes) are requisitioned. (Operational control)
Account/assertion affected: N/A: Operational control, no financial reporting implications for expenditure or accounts payable. Valuation of inventory affected if unnecessary raw materials/goods ordered that must subsequently be written down to net realisable value.

Table 7.6: Ordering raw materials/goods from suppliers

2 ORDERING RAW MATERIALS/GOODS FROM SUPPLIERS | PROCUREMENT DEPARTMENT

Columns: Activity; Responsible party; Documents and records; master files; What could go wrong/risks; Control objective; Account/assertion affected; Manual controls

Activity: 2.1 Purchase order is created and sent to supplier.
Responsible party: Buying clerk; Chief buyer
Documents and records; master files: Purchase order (PO); Approved list of suppliers.

What could go wrong/risks: Invalid or unauthorised orders are sent to suppliers and may lead to inappropriate/unnecessary inventory being received, or items being ordered for personal use.
Control objective: A All purchase orders are supported by valid and authorised documentation (purchase requisition). (Validity)
Account/assertion affected: Occurrence of expenditure. (Although a transaction has not yet taken place, approval of the requisition would apply to the occurrence assertion once the transaction has eventually taken place.)
2.1A creat purc cross to an purc requ Chie revie auth purc ensu supp appr of th that purc requ been the r depa

What could go wrong/risks: Purchase orders are created but do not agree with the supporting purchase requisitions, leading to incorrect orders being placed with suppliers. Purchase orders are not sent to suppliers in a timely manner and/or do not lead to delivery of ordered items.
Control objective: B A purchase order is only sent to suppliers if the order is accurate in terms of quantity, description and price of items being ordered.
(Operational control)
Account/assertion affected: Operational control: Incorrectly ordered items will not be accepted and simply returned to suppliers before being recorded in the accounting records. However, should these goods indeed be accepted and not returned, they may subsequently have to be written off as obsolete, which affects valuation of inventory.
2.1B buyin chief • C ca ca th or • C qu de ite or su pu re C pr or th • qu lis su th no di en pu or • In pu as th

What could go wrong/risks: Purchase orders are not sent to suppliers in a timely manner and/or do not lead to delivery of ordered items.
Control objective: C All purchase orders sent to suppliers lead to delivery of ordered inventory in a timely manner. (Operational control: No transaction has taken place yet as no inventory has yet been delivered by the supplier.)
Account/assertion affected: N/A: Completeness of expenditure and completeness of accounts payable only affected once inventory has been taken custody of.
2.1C orde in nu sequ Purc proc depa matc (rece facto rece led orde sequ Chie revie purc on a to fo miss orde purc not y a GR outs orde

What could go wrong/risks: Items are ordered from inappropriate suppliers (e.g. suppliers who cannot supply the required items or who supply them at inferior quality).
Control objective: D The most appropriate supplier is identified who can fulfil the business needs of the entity in terms of availability, quality and nature of inventory needed. (Operational control)
Account/assertion affected: N/A: Operational control not affecting financial reporting. (A purchase transaction can occur albeit it with an inappropriate supplier.)
2.1D supp auth chief orde mad supp supp inclu of ci supp can o with the o

Documents and records; master files: Supplier quotations
What could go wrong/risks: Items are ordered at excessive item prices.
Control objective: E The best prices are obtained for items to be ordered. (Operational control)
Account/assertion affected: N/A: Operational control not affecting financial reporting.
2.1E polic that pred minim of qu obta supp an o prep Chie revie of qu befo the p orde

Table 7.7: Receiving raw materials/goods from suppliers

3 RECEIVING RAW MATERIALS/GOODS FROM SUPPLIERS | RECEIVING BAY IN WAREHOUSE

Columns: Activity; Responsible party; Documents and records; master files; What could go wrong/risks; Control objective; Account/assertion affected

Activity: 3.1 Supplier delivers ordered items to entity.
Responsible party: Goods receiving clerk in factory/warehouse
Documents and records; master files: Supplier delivery note; Goods received note (GRN)

What could go wrong/risks: Items that have not been ordered (i.e. unauthorised items) are accepted and recorded as inventory.
Control objective: A All inventory received has been ordered in terms of an approved purchase order. (Validity)
Account/assertion affected: Occurrence of expenditure.

What could go wrong/risks: Physical security risk: items being received are misappropriated (e.g. stolen) after having been recorded as inventory.
Control objective: B All inventory received is kept secure after receipt. (Validity)
Account/assertion affected: Existence of inventory (risk may lead to lost/stolen goods inappropriately being included in financial statements should it have been recorded after delivery and before theft).

What could go wrong/risks: Recording risk: goods are received, but are not recorded on source documents, leaving insufficient evidence of the goods having been received. It will also be difficult or impossible to identify subsequent inventory losses if goods are not recorded on receipt.
Control objective: C All goods delivered are recorded as purchases/inventory on hand on the entity’s inventory system in a timely manner. (Completeness)
Account/assertion affected: Completeness and cut off of expenditure. Completeness of accounts payable. Completeness and cut off of purchases. Completeness of inventory.

What could go wrong/risks: Goods of inferior quality or damaged goods are accepted from suppliers.
Control objective: D All goods received are in terms of the quality standards of the entity.
(Validity)
Account/assertion affected: Occurrence of expenditure. Accuracy, valuation and allocation of inventory

What could go wrong/risks: Quantities of inventory received are inaccurately recorded on GRNs, leading to possible over or understatement of recorded purchases and inventory holdings.
Control objective: E Quantities of goods physically accepted agree with the quantities recorded on the GRN. (Accuracy)
Account/assertion affected: Accuracy of expenditure. Accuracy, valuation and allocation of accounts payable. Existence/completeness of inventory.

Table 7.8: Recording of purchases

4 RECORDING OF PURCHASES | ACCOUNTING DEPARTMENT

Columns: Activity; Responsible party; Documents and records; master files; What could go wrong/risks; Control objective; Account/assertion affected; Manual controls

Activity: 4.1 Invoice is received from supplier and purchase is recorded.
Responsible party: Accounts payable clerk; Senior bookkeeping clerk; Financial manager
Documents and records; master files: Standard chart of accounts; Purchase journal (Purchases transaction file); Goods received note (GRN); Supplier invoice; Supplier statement; Creditors subsidiary ledger; General ledger creditors control account

What could go wrong/risks: Fictitious purchases are recorded in the accounting records. This may occur where a purchase is recorded for items that were never ordered and/or for items that were never received. Purchases are erroneously duplicated in the accounting records.
Control objective: A All purchase transactions that are recorded in the accounting records pertain to actual purchase transactions that took place with bona fide suppliers and are only recorded if an order was approved and items have been delivered. (Validity)
Account/assertion affected: Occurrence of expenditure. Existence and obligation of accounts payable.
Manual controls: 4.1A Senior bookkeeping cle reviews purchase journal (and cred ledger) to ensure each recorded purchase is supp by a GRN, suppl delivery note and authorised purch order.
What could go wrong/risks: Purchases are not recorded in the financial period to which the transactions pertain.
Control objective: B All purchases are recorded in the correct financial period (i.e. in the period when control associated with the delivered goods/services has been transferred from the supplier to the entity). (Validity)
Account/assertion affected: Cut-off of expenditure. Existence and completeness of accounts payable.
Manual controls: 4.1B Senior bookkeeping cle when checking whether all purch are supported by appropriate supp documentation a also notes the d GRN when inven was received to ensure purchase recorded in corre financial period.

What could go wrong/risks: Amounts on supplier invoices are inaccurately recorded in the accounting records.
Control objective: C All purchases in the accounting records are based on correct quantities of goods received and correct prices as agreed with supplier. (Accuracy)
Account/assertion affected: Accuracy of expenditure. Accuracy, valuation and allocation of Accounts payable – gross amount.
Manual controls: 4.1C Accounts p clerk:
• Reperforms a calculations o supplier’s invo before record
• Matches quan of goods on supplier invoi those per the and
• Matches unit on supplier invoices with on purchase o or quotations/su agreement/of price list.
Any price varianc between invoice purchase order a followed up and resolved accordi The invoice is in by the above cle evidence of the a checks.

What could go wrong/risks: Purchase transactions are allocated to the incorrect general ledger accounts.
Control objective: D Purchase transactions are recorded in the correct accounts based on their nature. (Accuracy)
Account/assertion affected: Classification of expenditure.
Manual controls: 4.1D Expense ac to which transac should be poste specified on the purchase requis (and also indicat purchase order) reference to a standard chart o accounts.

What could go wrong/risks: Unrecorded purchases
Responsible party: Senior bookkeeping clerk
Control objective: E For all goods received, a corresponding purchase transaction is recorded in the purchase journal.
(Completeness)
Account/assertion affected: Completeness of expenditure. Completeness of accounts payable (trade creditors and accruals).
Manual controls: 4.1E Matching of supplier invoices GRNs Accounts payabl clerk keeps a numerical file of copies of GRNs received from warehouse (completeness) f matching to sup invoices up to an including the las created at the en the financial yea off). Unrecorded purc Senior bookkeep clerk reviews abo file of GRNs on a regular basis an follows up with warehouse on m GRNs: • Ensures that GRNs with a corresponding supplier invoi purchase has recorded in th purchase jour and a liability been raised i creditors ledg • Reviews purc journal for sequential numbering of recorded transactions (purchases w likely be reco in GRN seque number) and follows up on missing entrie Unmatched GRN year-end accruals For all GRNs with corresponding supplier invoice year-end, a liabil accrued at year-e means of a gene journal entry. The amount of the jo is determined wi reference to pric the correspondin purchase orders other supporting document conta item prices. Performing credi reconciliations Accounts payabl clerk performs a reconciliation be the creditors con account in the ge ledger and the g total of all credit accounts in the creditors ledger identify postings were made from purchase journa the GL without b posted to credito accounts in cred ledger or vice ve Financial manag reviews reconcili Note: Reconciliat may also identify inaccurate or inv postings. Accounts payabl clerk performs a supplier stateme reconciliation to identify any amo on supplier statements that not recorded as purchases/trade creditors in the accounting recor (see also contro under 5A).

Table 7.9: Payment preparation

5 PAYMENT PREPARATION | ACCOUNTING DEPARTMENT

Columns: Activity; Responsible party; Documents and records; master files; What could go wrong/risks; Control objective; Account/assertion affected; Manual controls; Alternative and additional controls in a computerised environment

Activity: 5.1 Supplier invoices fall due for payment.
Responsible party: Accounts payable clerk; Senior bookkeeping clerk
Documents and records; master files: Payment schedule; Cheque requisition and cheque (manual system); EFT listing (computerised system); Remittance advice

What could go wrong/risks: Amounts prepared for payment are incorrectly determined. Fictitious or unauthorised suppliers are identified for payment. Fictitious or duplicated invoices are used in payment.
Control objective: A All amounts due for payment relate to goods actually received and are accurate in relation to the amount invoiced by the supplier. (Occurrence and accuracy)
Account/assertion affected: Occurrence and accuracy of payments.
Alternative and additional controls in a computerised environment: 5.1A the subs inte the cred mas (cre ledg EFT be g auto base amo agg paym mas (avo inpu tran subs from cred ledg (Ref Cha cont EFTs A com syst
Manual controls: 5.1A Performing a supplier statement reconciliation
If payment takes place based on the supplier statement (not invoice), a supplier statement reconciliation for each supplier is performed by the accounts payable clerk before each payment run, between the:
• Balance payable as per the supplier’s statement; and
• The supplier’s outstanding
Preparing a payment schedule A payment schedule is prepared by the accounts payable clerk from the ena sup stat reco to b perf scre alth prin stat man cont rem sam The be r ente bala outs per sup stat the syst this com the the bala the com cred mas (cre ledg Man calc follo reco item subs have perf afte of reco 5 PAYMENT PREPARATION | ACCOUNTING DEPARTMENT | creditors ledger (and from reconciled supplier statements) containing a listing of all balances due to suppliers, accompanied by a remittance advice and supplier statement reconciliation for each balance to be paid. Each payment on schedule to be further supported by purchase documentation including supplier invoices, GRNs, supplier delivery notes and authorised purchase orders relating to the outstanding balance being paid. If suppliers are to be paid by cheque, the clerk also prepares a cheque requisition and unsigned cheque for each payment 5 PAYMENT PREPARATION | ACCOUNTING DEPARTMENT | (both documents to be issued in sequential number order). Financial manager reviews payment schedule ensuring cheque requisitions and cheques have been accurately prepared for each supplier on the schedule. B Occurrence Stationery of controls payments. ensure the safekeeping of cheques and cheque requisitions and strict issuing controls over these are enforced. (Validity) 5.1B Safekeeping of blank cheques and check requisition documents to be the responsibility of a designated member of management. The documents are locked away in a secure location. Staff requesting these documents to sign a register indicating the numbers of the documents requested. N/A 5 PAYMENT PREPARATION | ACCOUNTING DEPARTMENT | 5.2 Entity is entitled to a payment discount. Supplier invoice, statement or trade agreement with supplier. Table 7.10: Paying the supplier 6 PAYING THE SUPPLIER | ACCOUNTING DEPARTMENT | Entity forfeits its opportunity to receive a payment discount due to not keeping to the supplier’s negotiated payment terms (e.g. 
due to late settlement of account). A Amounts due are timeously identi ed for payment in order to avoid penalty charges or to qualify for payment discount offered by supplier. (Operational control) N/A: Operational control. No impact on recording in nancial records. 5.2A Accounts payable clerk scrutinises the le of unpaid supplier statements (i.e. statements that have not been stamped as ‘cancelled’ or ‘paid’ by the payment signatories yet – refer to function 6) on a periodic basis in order to identify statements that have fallen due but have not been paid. Senior bookkeeping clerk follows up on unpaid supplier statements on a regular basis to ensure all outstanding amounts are paid to suppliers according to discount terms. 5.2A syst prog such that paym sche auto re e invo cred mas that falle paym orde for a 6 PAYING THE SUPPLIER | ACCOUNTING DEPARTMENT | Activity Responsible party Documents and records; master les 6.1 Payment/cheque Signed Entity signatories cheque pays (manual supplier system) for Proof of goods payment received. (EFT system) Bank statement Bank reconciliation What could go wrong/risks Control objective Account/ assertion affected Manual controls Payments are not made in terms of the payment documentation prepared during payment preparation. Suppliers/parties that are not on the payment schedule are paid. A Only supplier invoices authorised for payment are paid. (Validity) Occurrence 6.1AB For of payments by payments. cheque At least two senior manage staff members authorise payments on t signing of cheques. 
The cheque signatories rev the payment documentation before signing cheques and ensure the following:
• Payment schedule ha been signed by senior bookkeepin clerk during payment preparation
• Each payme due as per payment schedule is supported b cheque requisition, cheque, supplier statement, remittance advice, all supplier invoices, GR and purcha orders relat to items be paid;
• Amounts ag between the cheque and supporting payment documentat and
• Cheques ar crossed ‘no transferrab and contain alterations.
The cheque signatories ca all supporting documentation (including payment schedule) by stamping it as ‘Paid’ to avoid being presente for payment ag in the future. Cheques are mailed to suppliers or di deposits are made into suppliers’ ban accounts by a person who wa not involved in payment preparation.

What could go wrong/risks: Amounts paid do not agree with the amounts prepared for payment.
Control objective: B Payments are made in accordance with the amounts that should be paid. (Accuracy)
Account/assertion affected: Accuracy of payments.

Table 7.11: Recording of payments

7 RECORDING OF PAYMENTS | ACCOUNTING DEPARTMENT

Columns: Activity; Responsible party; Documents and records; master files; What could go wrong/risks; Control objective; Account/assertion affected; Manual controls; Alternative and additional controls in a computerised environment

Activity: 7.1 After payment, payment details are recorded in the financial records.
Responsible party: Cash book clerk
Documents and records; master files: Receipt (for cash payments); Bank-stamped returned cheque or approved cheque requisition (for cheque payments); Proof of payment/EFT voucher (for EFT payments); Bank statement; Bank reconciliation

What could go wrong/risks: Fictitious payments (payments that never took place) are recorded.
Control objective: A All recorded payments relate to actual payments made. (Validity)
Account/assertion affected: Occurrence of payments.
Manual controls: 7.1ABC All control objectives to be addressed through the performance of a bank reconciliation, which reconciles the cash book balance (general ledger control account) with the balance as per the bank statement.
In this way, payments can be identified which:
• Never took place but were recorded;
• Were recorded at incorrect amounts; and/or
• Took place but were not recorded.
Alternative and additional controls in a computerised environment: 7.1A Com syste perfo auto bank reco shou state bala avail elect for com with com cash book ledge bala Man revie requ follow any u reco item error reco

What could go wrong/risks: Payment amounts are incorrectly recorded (amount recorded does not agree with amount actually paid).
Control objective: B Payments are recorded at the correct amount (i.e. in terms of the amount actually paid). (Accuracy)
Account/assertion affected: Accuracy of payments.

What could go wrong/risks: All payments that were made are not recorded in the financial records.
Control objective: C All payments that took place are recorded in the financial records. (Completeness)
Account/assertion affected: Completeness of payments.

Table 7.12: Returning goods and recording of a purchase adjustment

8 RETURNING GOODS AND RECORDING OF A PUR