three TESTS OF CONTROLS AND TESTS OF DETAILS

Transcription

1 TESTS OF CONTROLS AND TESTS OF DETAILS P A R T three Part 3 covers the major evidence-gathering procedures of the assurance services engagements. Chapter 9 covers tests of controls for the control risk assessment and Chapter 0 covers substantive tests of transactions and balances for the detection risk assessment. Chapter explains the specialised considerations associated with the use of sampling as a form of evidence gathering. CHAPTER 9 Tests of controls 38

2

3 9 CHAPTER Tests of Controls LEARNING OBJECTIVES After studying this chapter you should be able to: appreciate that tests of controls are part of a coordinated approach to the audit in order to gain the most efficient and effective audit approach; identify the types of tests of controls undertaken; identify factors impacting the auditor s assessment of the sufficiency and appropriateness of evidence of tests of controls; describe the audit procedures for testing controls in the revenues, receivables and receipts system; describe the audit procedures for testing controls in the expenditures, payables and disbursements system; describe the audit procedures for testing controls relating to contractual transactions; understand the auditing approaches used to test the controls contained in the client s program, including test data and integrated test facilities; and appreciate the impact of assessing strategic business risk on undertaking tests of controls.

4 Chapteroutline Until this stage of the audit, the auditor has not undertaken any testing of details. As part of the planning process the auditor has undertaken an assessment of strategic business risk and a preliminary evaluation of inherent and control risk. From these assessments and evaluations the auditor has determined the risks and accounts that require attention, and also determined the required detection risk. The auditor then prepares an audit program, which outlines the audit tests they intend to undertake. There are two major types of audit tests, tests of controls and substantive tests. The purpose of tests of controls (to support an assessed level of control risk) is very different from that of substantive tests of transactions and balances (used to reduce the auditor s detection risk). If control risk is assessed at any level less than high (reliance is to be placed on controls) then tests of control must be undertaken to provide evidence of the existence, effectiveness and continuity of these key controls. In this chapter, tests of controls for the major systems of revenue, receivables and receipts, and expenditures, payables and disbursements are covered. Variations in testing for other types of expenditure transactions, including payroll, are also considered. Relevantprofessionalguidance Australian International AUS 4 Auditing in a CIS Environment ISA 40 Auditing in a Computer Information Systems Environment AUS 40 Risk Assessments and Internal Controls ISA 400 Risk Assessment and Internal Controls AUS 404 Audit Implications Relating to Entities Using ISA 40 Audit Considerations Relating to Entities a Service Entity Using Service Organizations AUS 50 Audit Evidence ISA 500 Audit Evidence AGS 060 Computer Assisted Audit Techniques IAPS 006 Computer Assisted Audit Techniques learning objective TESTS OF CONTROLS The auditor must obtain evidence sufficient to support the assessed level of control risk. As outlined in Chapter 8, if at the planning stage the auditor assesses control risk as high for an account balance or assertion there will be no tests of controls for that account balance or assertion. This is because the auditor does not plan to place any reliance on the related controls. Control risk will be assessed as high if the auditor has determined that (i) controls do not exist, (ii) the controls that do exist will not provide reliable evidence, or (iii) it is more efficient or effective to gather the required evidence by undertaking substantive testing. In assessing the control risk at less than high, the auditor has identified specific internal control structure policies and procedures that they believe will prevent or detect misstatements for the assertion. Evidence is needed to support the appropriateness of both (AUS 40.7/ISA ). Tests of controls are usually concerned with gathering evidence concerning the controls associated with the processing of particular classes of transactions through the accounting system. Transactions can also be substantively tested to provide evidence to support the assessment of detection risk. The best way of distinguishing between tests of controls and substantive tests of transactions is that tests of controls relate only to the assessment of controls and do not directly measure monetary error in accounting records. Substantive tests, whether of transactions or balances, are concerned with whether monetary errors have occurred. The co-ordinated program of tests of controls and substantive tests of transactions and balances (which will be discussed further in Chapter 0) is commonly referred to as the audit program. The audit program sets out the combination of evidence-gathering procedures that the auditor believes will result in the most efficient and effective audit. If at any stage during this 384 PART THREE Tests of controls and tests of details

5 testing phase the auditor determines that controls are not working as they expected and that they have placed too much reliance on these controls they can reduce the extent of tests of controls and increase the extent of substantive testing. Planning the scope of tests of controls The auditor s underlying objective in undertaking tests of controls is to gain reasonable assurance that the controls associated with the processing of transactions of a particular class are working as expected. This will enable the auditor to reduce substantive tests. The considerations that affect the nature, timing and extent of tests of controls are explained in the following discussion. Nature Based on the understanding of the internal control structure gained in assessing control risk, the auditor identifies whether there are internal control structure policies or procedures to provide reasonable assurance of achieving control objectives. If such policies or procedures are prescribed, the auditor designs tests of their functioning (tests of controls). If there are no internal control structure procedures prescribed that provide reasonable assurance of achieving specific control objectives, the auditor designs substantive tests of transactions or balances. This planning process is best understood by considering the following example. EXAMPLE 9. Controls for recording of sales A specific control objective for sales transactions is that goods shipped (or services rendered) have been recorded. A test of controls is to see that shipping documents are prenumbered, the numbers are accounted for and the shipping documents are matched to sales invoices and approved sales orders. The auditor would need to conduct a test of the numerical sequence of shipping documents issued and select a sample of shipping documents and trace them to the related sales invoices. Timing To aid the auditor s ability to meet deadlines and the scheduling of staff, the auditor sometimes schedules tests of controls to provide audit evidence for an interim period (this testing is usually undertaken one to three months before balance date). The auditor would not normally undertake this testing at an early stage unless they believed that there were adequate controls in place to allow roll-forward of testing (extending tests until year-end). When obtaining evidence about the design or operation of internal control structure policies and procedures during this interim period, the auditor determines what additional evidence should be obtained for the remaining period. The factors that influence whether tests of control are necessary for the remaining period (the period between the interim date and the balance date) are as follows: Results of the tests of the interim period If results indicate that internal control structure policies and procedures lack operating effectiveness, control risk should be assessed at a high level and substantive tests of transactions and balances should be made for the remainder of the period. If expanded tests show that the accounting data are not reliable, tests of controls should not be relied on in determining the extent of substantive tests of transactions and balances. Response to inquiries concerning the remaining period The most important inquiries should be directed at determining whether there were any significant changes in control or accounting procedures during the remaining period. CHAPTER 9 Tests of controls 385

6 Nature and amount of the transactions and balances involved If the transactions occurring between the completion of tests of controls and the end of the year are atypical of the transactions for the year, this implies the need to test further. That is the case with a highly seasonal business and with an entity that has several large or unusual transactions near the end of the year. Evidence of compliance within the remaining period obtained from substantive tests Evidence obtained through tests such as the pricing of inventory or confirmation of accounts receivable at balance date (covered in Chapter 0) shows both the accuracy of total debits and credits to those accounts and the propriety of the ending balances. If these tests indicate satisfactory results, there is less need to test transactions in the remaining period. Other matters the auditor considers relevant in the circumstances These include the auditor s assessment of strategic business risk and inherent risk and the results of analytical procedures applied as an aid in planning the audit program. Extent The extent of tests of controls that consist of inspecting documents for indication of the performance of a checking routine or approval by stamps, initials or signatures and those substantive tests that involve inspection of documents are determined using audit sampling techniques. Determination of the extent of tests of controls using audit sampling is explained in Chapter. The extent of reperformance of completed accounting routines is not, however, determined by reference to audit sampling. Many reconciling and balancing routines (for example, bank reconciliations) are performed monthly by the client. A common audit approach is to recompute one or a few such reconciliations or balancings and then see that the routine was performed in the other months. If the routine is performed much more frequently, the common approach is still to recompute only one or a few of the routines. However, a sample of routines is selected, rather than all of them, to see whether the routine was performed throughout the period. The rationale for this approach is that inspecting a reconciliation or trial balance provides reasonable evidence that the routine was properly performed, and if not, sloppy or improper performance will be apparent. Quick review 3 4 Tests of controls are required to be undertaken if reliance is to be placed on controls (i.e. control risk is assessed at a level less than high). Tests of controls will only be undertaken if the increased effort is more than offset by a reduced level of substantive testing. The auditor chooses the most efficient and effective combination of tests of controls and substantive tests of transactions and balances. The auditor does not have to undertake tests of controls if there is no reliance to be placed on controls, or if a substantive approach will result in a more efficient or effective audit. In either of these circumstances control risk should be assessed as high. When planning the scope of tests of controls, the auditor considers the: nature: the specific control objectives for a transaction class provide a framework for designing tests of controls; timing: many tests of control are undertaken at an interim period and the auditor should determine what additional evidential matter should be obtained for the remaining period; and extent: usually determined by reference to audit sampling techniques. 386 PART THREE Tests of controls and tests of details

7 TYPES OF TESTS OF CONTROLS The suitability of the design of the internal control policy or procedure These tests help evaluate whether the policy or procedure is suitably designed to prevent or detect material misstatement in the specific assertion. They generally include inquiries of entity personnel, inspection of documents and reports, and observation of the application of specific internal control structure policies and procedures, including walk-throughs. These tests often require the preparation of flowcharts or questionnaires if the internal control structure procedure is complex. The operation of the policy or procedure An assessment of the suitability of design is usually made while control risk is being assessed at the planning stage of the audit (refer to Chapter 8). Where design is determined to be suitable and control risk is assessed at low or medium, tests concerning the operation will be performed to provide evidence on the three aspects of internal control discussed in Table 9.. The auditor must gather evidence on each of these internal control aspects before they can place reliance on a control for reducing the risk of misstatements being included in the financial report. TABLE 9. Aspects of internal control operation for which evidence is gathered Aspects Definitions How tested Existence Whether prescribed internal control Sighting documents bearing evidence of the procedures actually exist. For example, control (e.g. stamp, signature, etc.). if a clerk is supposed to verify the If there is no documentary evidence of the mathematical accuracy of an invoice, control, observing the control procedure does he/she actually perform the being performed (e.g., for segregation of verification? duties, observe to see that there is segregation). If the control is programmed, such as checking authorisation codes, review the program to make sure that the control exists. Effectiveness Whether the control is operating Re-performing the control (e.g. checking the effectively. That is, does the control price, quantities and maths on invoices). prevent or detect the misstatements Sighting documents to see that controls were that it is designed to prevent or detect? complied with (e.g. checking that a voucher contains supporting documentation). If the control is programmed, such as checking authorisation codes, run unauthorised transactions through the program to make sure they are correctly identified and excluded. Continuity Whether the control operated through- Usually achieved by ensuring that the sample out the period of intended reliance. of transactions to be tested is selected from For example, if the control was oper- throughout the year. ational for only part of the year, then no reliance can be placed on the control when it was not operating. learning objective SUFFICIENCY AND APPROPRIATENESS OF EVIDENCE AUS 50.0 (ISA 500.0) requires the auditor to consider the sufficiency (quantity) and appropriateness (quality) of the audit evidence to support the assessed level of control risk. The quantity of evidence necessary to support a specific level of control risk is a matter of audit 3 learning objective CHAPTER 9 Tests of controls 387

8 judgment. The auditor requires stronger evidence as to the adequate design and operation of a procedure if the assessed level of control risk is low rather than medium. This is because a low assessment of control risk indicates that the auditor is going to place greater reliance on this procedure as an appropriate form of audit evidence: the greater the reliance, the greater the evidence required. Other factors that the auditor considers in determining whether the tests of controls have yielded sufficient appropriate evidence include: type and source of evidence; timeliness of evidence; and interrelationship with other evidence. EXAMPLE 9. Existence, effectiveness and continuity of controls Assume there is a control where before cash payments are authorised, a manager must ensure that there is appropriate supporting documentation (such as a supplier s invoice, and evidence that goods were received) to support the payment. Existence will involve ensuring that authorisation for the payment is signed. Effectiveness will involve ensuring that the control is doing what it is supposed to do, which is stopping unauthorised payments with insufficient supporting documentation. Continuity involves ensuring that the control has been in existence and effective over the period of intended reliance, and would involve sampling from all the cash payments in the period of audit. Only after the auditor has gathered evidence on all three existence, effectiveness and continuity can reliance be placed on the controls. Type and source of evidence The auditor recognises that some audit tests provide stronger evidence than others (AUS 50.5/ISA 500.5). For example, inquiry and observation that the accounts payable manager reviews invoices and supporting documents before cheques are written provide some evidence, but inspection of written approvals for a sample of cheques throughout the period provides more assurance. Timeliness Timeliness enhances the amount of assurance provided by the evidence. The two factors in timeliness are: When the evidence was obtained For example, the auditor may look at evidence obtained from interim testing. The auditor must then consider whether the procedure in place has changed, and whether the assurance provided decreases as the amount of time since the test of controls was performed lengthens. Whether it applies to the entire audit period or only a portion of it To evaluate continuity of controls, tests of controls should demonstrate the effectiveness of the policy or procedure for the entire audit period. Interrelationship of evidence The auditor considers the combined effect of various pieces of evidence concerning a particular assertion. Included in the consideration is the interaction of the control environment, accounting system and control procedures and how this affects risk for the assertion. Individual pieces of evidence that, taken alone, are not sufficient may be sufficient when taken together. Conversely, evidence that is persuasive taken by itself may be relied upon less if, for example, there is evidence that the control environment is weak. 388 PART THREE Tests of controls and tests of details

9 Effect of documentation of controls along the audit trail The methods and procedures the auditor uses for tests of controls depend on whether the control structure procedure leaves a documentary trail of its performance. If there is: no documentation of controls along the audit trail, this involves inquiries and observation of accounting personnel and routines to determine how control procedures are performed and, especially, who performs them. For example, this approach is used to see whether cash is handled by someone who does not record cash transactions. a documentary trail, this involves inspection of documents supporting a particular type of transaction to see whether a control procedure, such as approval or checking, was performed (by noting signatures or initials) and whether the procedure was performed effectively. The auditor usually observes the client s personnel and processing routines and makes corroborative inquiries of appropriate personnel when on the client s premises for other purposes. The inquiries and observations are done at this time, but the auditor is concerned with operations in the entire period covered by the financial report. Thus, the auditor s inquiries extend beyond the immediate duties of the personnel being interviewed. The auditor inquires about the employee s understanding of the duties of others; what happens when review and reconciliation procedures detect errors; who handles the investigation and resolution of errors; and what happens when employees with key assigned duties are on vacation. When documentary support of consistent application of a control procedure exists, the auditor inspects a sample of the documents to see whether they were approved or checked as prescribed and to see who performed the control procedures. Documentation of high level controls For many of the high level controls that are emphasised in today s audit (e.g. an ethical approach by management) evidence may be indirect. Existence may be covered by the fact that there is a code of ethics, effectiveness by the fact that the general environment has an ethical feel and continuity by looking for evidence of breaches of this code over the period of audit. Quick review 3 The auditor must undertake tests of controls to support an assessed level of control risk at any level less than high. If control risk is assessed as high, no reliance is to be placed on the particular internal control. If control risk is assessed at some level less than high, then some evidence is required to support this assessment. The more reliance that is placed on the particular internal control (the lower the assessment of control risk), the greater the quantity of evidence through tests of controls that is required. Other factors affecting sufficiency of evidence include: type and source of evidence; timeliness of evidence; and interrelationship with other evidence. The evidence should support both: design: the internal control structure is suitably designed to prevent and/or detect and correct material misstatements; and operation: the internal control structure exists and has operated effectively throughout the relevant period. Continued CHAPTER 9 Tests of controls 389

10 4 5 Tests of controls directed toward design generally include inquiries of entity personnel, inspection of documents and reports and observation of the application of specific internal control structure policies and procedures, including walk-throughs. These tests often require the preparation of flowcharts or questionnaires if the internal control structure is complex. Tests of control directed toward operation include inquiries of entity personnel, inspection of documents and reports indicating performance of the policy or procedure, observation of the application of the policy or procedure and reperformance of the policy or procedure by the auditor. AUDITING CONTROLS OF MAJOR ACTIVITIES The next two sections of this chapter explain tests of controls for the central activities of most businesses buying and selling. Although some of the descriptive terms differ, most businesses are engaged in acquiring goods or services from vendors or suppliers and providing goods or services to customers. These activities are usually characterised by a large volume (many relatively small transactions) and are repetitive and recurrent in nature (transactions of a particular type are very similar and continuing). For these reasons, the audit approach in these areas often emphasises tests of controls. When tests of controls are not feasible or efficient, the scope of substantive tests of transactions or balances for the related account balance has to be expanded. learning objective 4 REVENUES, RECEIVABLES AND RECEIPTS This section is primarily concerned with the controls relating to transactions of merchandise to customers on credit. The sales accounting system of such an entity is relatively unaffected by whether the merchandise is acquired from others (retailing or wholesale merchandising) or produced by converting raw materials to a finished product (manufacturing). Thus, the discussion applies to most manufacturing and retail entities. Some special considerations that apply to other industries or other types of revenue-generating transactions are discussed briefly at the end of the section. One characteristic of this type of revenue accounting system is that the audit problems tend to be those related to high-volume clerical processing rather than complex accounting principles. For example, revenue is typically recognised when merchandise is shipped and recording of sales and receivables is routine and does not involve complicated issues of revenue recognition. A relatively large number of clerical staff work in the accounting and operating departments and there is a fairly standard document flow among operating and accounting departments which can be confusing to junior auditors. An overview of functions, documents, inputs and accounting systems A narrative of a typical credit sales cycle is outlined below, while a corresponding flowchart is shown in Figure 9.. An order entry function is the starting point in the credit sales cycle. In this function, orders are received, accepted and then translated into shipping and billing instructions. Order entry may or may not be integrated with the accounting system. The original order may be a written purchase order mailed in by a customer, or be taken over the phone or through electronic lodgment by mechanisms such as the Internet. The first document or input by the audit client is usually a sales order. At this point, a decision needs to be made concerning whether to accept the 390 PART THREE Tests of controls and tests of details

11 FIGURE 9. Typical credit sales flowchart Order Entry Credit Department Shipping Department Customer order (internal sales order) 3 Compare order with records for credit approval Customer order S Customer's records (credit approval) Shipping order documents variations from customer order Customer order Prepare shipping order and bill of lading Bill of lading 3 S Filed (P) by customer (A) Shipping order Bill of lading carrier s copy to obtain customer's signature Filed (P) by customer (A) Bill of lading for customer KEY S = Signed source document A = Alphabetic filing P = Permanent file N = Numeric filing Invoicing Department Accounting Department 3 Customer order S Invoice 3 Shipping order Bill of lading Enter in sales journal and accounts Reconcile documents and prepare sales invoice Invoice 3 Invoice Filed (P) by customer (A) Invoice to customer Invoice 3 Filed (P) by invoice no. (N) Sales journal Accounts receivable master file CHAPTER 9 Tests of controls 39

12 order. Specific approval of the credit department may be required; there may be a list of approved customers determined by the credit department; or credit limits may be established that are checked by order entry. The availability of the items ordered is also established by checking the inventory records for the level of inventory items currently on hand. After an order is accepted, a shipping order is sent to the shipping department and a copy of the order is maintained in a pending file. The system generates an aged open order report. Usually this report is used as a record of backlog orders (orders not completed) and a routine review of it helps to prevent loss of orders. Physical control of the forms used as shipping orders and physical inspection of shipments for a shipping document help to prevent unauthorised shipments. The shipping function is an operating department that sends merchandise to customers. When shipments are made, the shipping department completes a shipping notice. Input of the shipping notice clears the open order file and initiates the process of invoicing the customer. If a common carrier is used for shipments, the shipping notice is a copy of a bill of lading (the contract with the carrier). Any source document that serves the purpose of recording the event of shipment is normally referred to simply as a shipping document. The invoicing function is usually the first department involved in the sequence that is part of the accounting department. The invoicing department is responsible for ensuring that a sales invoice is sent to bill the customer. Usually, a sales invoice is a multipart form: the original is mailed to the customer and duplicates are used to notify other departments within the business. Of primary concern to the auditor is the flow that creates the debit to accounts receivable. The individual sales invoices are one of the inputs to accounts receivable processing. Sales invoices are used to update the accounts receivable master file. The invoicing department also compares a total of bills prepared (a control total of sales invoices). This total is sent to the general ledger function to become the debit to the accounts receivable control account. The totals sent to the general ledger function should not go through the accounts receivable function. If this separation is maintained, a reconciliation of the control account with the total of the accounts receivable master file can be a key control in the auditor s assessment of control risk. Cash collection is the next step in the cycle and several functions may be involved. A flowchart of this part of the cycle is contained in Figure 9.. The first step is opening mail and creating an initial record of cash received. This function may be performed by a receptionist, although greater control occurs if two people are present at the mail opening. The important consideration from a control viewpoint is that this function should be separate from other functions which involve handling and keeping cash and recording in the accounts receivable master file. The person responsible for opening the mail creates a prelist of cash receipts, which is simply a list of the amounts received and from whom they were received, and this is usually used strictly for control purposes. Mail receipts are usually accompanied by a remittance advice, which is often a tear-off portion of the sales invoice that is returned by the customer. The remittance advices and the payments (usually cheques) are sent to the cashier function, where the cashier prepares the bank deposit slip. The remittance advices are sent to the accounts receivable function and become the input for posting to the accounts receivable subsidiary ledger. The total of remittance advices is sent to the general ledger function to update the accounts receivable control account in the general ledger. Accounting systems differ substantially in the summarisation steps that take place between the source document, such as a sales invoice or remittance advice, and the entries to the general ledger. Computer reports and files are generally titled as they were historically in manual systems a sales journal for credit sales and a cash receipts journal for remittances. The systems usually produce some form of printed report or computer-readable file that includes all daily 39 PART THREE Tests of controls and tests of details

13 FIGURE 9. Typical cash collection flowchart Mail Opening Accounting Cheques received Prepare receipt listing $ Prelisting Prepare bank deposit slip $ To Bank Bank validated deposit slip Prelisting Reconcile prelisting to remittances; enter in cash receipts journal and accounts receivable master file Prelisting Filed (P) by date Prelisting with remittance advice when available Cash receipts journal Accounts receivable master file Use updated accounts receivable master file to prepare customer's statement Filed (P) by date Filed (P) by customer (A) Customer's statement Key $ = Processing of cash P = Permanent file A = Alphabetic filing S = Signed source document activity. That is, all the transactions entered that day are recorded and retained for back-up and recovery purposes. The auditor can generally use these daily activity reports or sales journals. However, in some systems only summary information is retained for more than a short time and advance arrangements must be made if more detail is required by the auditor. Adjustments and cost of sales From a control standpoint, these adjustments are of concern because they are less routine than sales and collections and require the exercise of some discretion in deciding whether that adjustment should be allowed. The usual approach is to use a specialised source document, a credit memorandum or debit memorandum, and to require the approval of responsible supervisors before processing. CHAPTER 9 Tests of controls 393

14 The other complication is the relation between sales and cost of sales. Ideally, there should be a direct correlation between the items of merchandise recorded as sales and the items recorded as cost of sales. In some accounting systems the recording of sales and cost of sales are simultaneous, and copies of the shipping document are used as notification both for billing the customer and for relieving the inventory of the quantity and cost of merchandise sold. Although this chapter will not discuss in detail the integration of the recording of cost of sales with the recording of sales, the correlation between sales and cost of sales should always exist. Transactions in a revenue, receivables and receipts system Usually, the transactions recorded in a revenue, receivables and receipts accounting system are: credit sales to customers (recognition of revenue, recording of receivable owing); cash collections from customers (recording that receivable owing is now paid and the cash received); and adjustments for return of merchandise, allowances for defective merchandise, and write-offs or allowances of bad debts. In addition, the revenue, receivables and receipts cycle includes accounting estimates that are not exchange transactions but more in the nature of allocations of recorded amounts among accounting periods that require the judgment of management. Invariably, an estimate is necessary of customer accounts that will become uncollectable (doubtful debts expense and provision for doubtful debts). In some cases liability under warranty arrangements has to be estimated (warranty expense and provision for warranty expense). While, on the basis of materiality, sales returns and allowances are normally recorded in the period in which they occur, if the auditor believes that such items are becoming material, an adjusting entry for expected returns and allowances should be suggested so that they are recorded in the period of sale. One of the areas that the strategic business risk audit approach emphasises is that control systems around routine transactions (such as sales and cash collections) are usually very well controlled, and well suited to tests of controls. Control systems for non-routine transactions, such as the return of goods or the estimates of the doubtful debts provisions, are not usually well developed. Because these non-routine transactions involve managerial discretion rather than rules (and thus can be more easily manipulated) they will usually receive increased emphasis from the auditor, although this will be more likely of a substantive testing nature (discussed in Chapter 0). Primary control-related features Specific control procedures are considered later in relation to specific control objectives. However, at this point it is worthwhile to summarise the primary control-related features of a sales accounting system. Segregation of duties As explained in the overview of sales accounting, the departments or functions in Table 9. are involved in processing transactions and handling assets. 394 PART THREE Tests of controls and tests of details

15 TABLE 9. Operating departments and accounting functions involved in transaction processing Operating departments Sales and order entry Credit approval Opening mail Cashier Accounting functions Invoicing Accounts receivable master file update General ledger update Ideally, all these functions should be independent. Combining them makes it easier to perpetrate and conceal errors or irregularities. However, separation of these functions is usually an integral part of the plan of organisation. In other words, separation can usually be achieved as a byproduct of efficient specialisation of tasks rather than as an overlay on existing processing and handling of assets. A small business, however, may have too few people in the accounting department to achieve an adequate separation of accounting functions. The most important functions to keep separate are those that involve the handling of assets and those that involve the recording of transactions. This will allow the recording function to act as a check or control and, via inspection and reconciliation with accounting records, allow for a comparison of the assets that should be there (as recorded) with the assets that are there. The authorisation of adjustments to records, such as the issuing of credit notes or the writing off of bad debts, should also be kept separate from the handling of assets and the recording function. This is done so that the accounting records cannot be adjusted for items that are misappropriated or lost, and also to aid the reconciliation process. Control over source documents and inputs The source documents created during processing, such as shipping documents, invoices and credit notes, should be printed on prenumbered forms. Thus, personnel can account for the sequence independent of processing to help ensure the completeness of processing. Missing or out-of-sequence numbers may indicate lost or improper transactions. Adequate physical safeguards are necessary for unused forms and files of forms used in processing. Often copies of originals of prepared forms are maintained in the originating department. These files usually serve both control and operating purposes. Table 9.3 provides examples. TABLE 9.3 Examples of source documents and their maintenance Department or function Source document File Sales and order entry Customer order Customer order file Accepted sales order or shipping order Open order file (for orders accepted but not yet shipped) Shipping Bill of lading or shipping document Bill of lading file Invoicing Sales invoice Sales invoice file Opening mail Prelist of cash receipts Prelist file Cashier Bank pay-in slip Bank records file CHAPTER 9 Tests of controls 395

16 These files, which are usually maintained in the departments responsible for organisation, are technically not part of the accounting system. Even though invoicing is usually an accounting department function, the initial entry in the accounting records is the debit to accounts receivable. However, the files are used for implementation of control procedures and are part of the internal control structure, hence they are inspected when applying audit procedures for tests of controls. Checks, approvals and reconciliations The checks, approvals and reconciliations that are added to processing are overlays for control purposes. For instance, independent approval could be required before each processing step, each step could be checked for completeness and accuracy by a second person, and many reconciliations between separate but related records and files could be made. Review and approval by supervisors at various points are also possible. In general, the more independent checks, reviews, approvals and reconciliations there are, the greater the control. Additional cost is associated with such controls and a balance must be achieved. The checks, reviews, approvals and reconciliations that are commonly used to achieve specific control objectives are discussed later in relation to specific tests of controls. Tests of controls for sales The exact nature and extent of tests of controls for sales are influenced by the specific control procedures and the auditor s consideration of the most efficient audit strategy. The auditor may, on the basis of the understanding of the internal control structure, decide that it is more efficient to apply more extensive substantive tests. In that case, tests of controls for a particular class of transactions, such as sales, may be omitted. Substantive tests for related balances such as accounts receivable and the relationship of those tests to tests of controls are discussed in Chapter 0. An auditor who plans to assess control risk at less than high for a particular transaction class needs to identify specific control procedures that provide a basis for the risk assessment, and perform tests of controls for those control procedures. Identifying specific control objectives and procedures Table 9.4 presents specific control objectives for sales transactions for the type of entity described in the overview of functions, documents and accounting systems for the sales cycle. Because of the correlation between sales and cost of sales, it is important to separate the functions of shipping, invoicing and merchandise (inventory) storekeeping. It can be seen that the list of policies and procedures outlined in this table covers the procedures outlined in Chapter 8 for determining the accuracy and reliability of transactions. For example, the first control objective of bona fide transactions includes policies and procedures for authorisation and approval, occurrence and reconciliation. The second control objective of all sales shipped being invoiced and properly recorded includes policies and procedures related to completeness. The third control objective, relating to invoices having been recorded correctly as to amount and period, includes policies and procedures related to measurement. Common control procedures to achieve these specific control objectives are also presented in Table 9.4. Not all the listed procedures are necessary in every circumstance to achieve the objective, and other control procedures may achieve the objective. 396 PART THREE Tests of controls and tests of details

17 TABLE 9.4 Control policies and procedures and tests of controls for sales transactions Common control policies Specific control objectives and procedures Tests of controls All sales recorded are bona fide transactions for merchandise actually shipped to customers All sales for the period of merchandise shipped are invoiced and properly recorded in accounting records Invoices have been recorded correctly as to amount and period and summarised correctly Policy of authorisation of credit and terms Quantities shipped periodically reconciled to quantities invoiced independently of shipping and invoicing Monthly statements mailed to customers Signed acknowledgment that goods are received by customers Shipping documents and sales invoices prenumbered and sequence accounted for Quantities shipped periodically reconciled to quantities invoiced independently of shipping and invoicing Open order file or backlog report reviewed independently of shipping and invoicing Shipments checked for shipping documents Approval of invoices independent of preparer, including recomputation and comparison of details (quantity, price, terms) to supporting documents Separation of functions of billing, shipping, accounts receivable and general ledger Monthly statements mailed to customers Authorisation and independent follow-up of correspondence with customers Supervisory review and approval of summarisation and posting Periodic ageing of accounts receivable, including established collection procedures and approval of write-offs of uncollectable accounts Select a sample of sales transactions from sales journal (daily activity report), check for appropriate authorisation and trace to shipping document file Inspect reconciliation of shipments to invoices Observe mailing of monthly statements, examine customer correspondence file and investigate non-cash credits to accounts receivable Review the accounting for numerical sequence of shipping documents and sales invoices or test numerical sequence Inspect reconciliations of shipments to invoices Select a sample of shipping documents and trace to sales invoices and sales journal. Inspect indication of supervisory review Observe checking of shipments or inspect selected shipments Select a sample of transactions from the sales journal (daily activity report) and apply the following procedures to supporting sales invoices and shipping documents: trace prices to approved list recompute extensions and footings compare details trace posting to accounts receivable master file Inspect sales invoices selected for indication of approval Review customer correspondence and complaint files Inspect indication of supervisory review and approval Foot (add up) sales journal (daily activity report) and trace to general ledger Continued CHAPTER 9 Tests of controls 397

18 Common control policies Specific control objectives and procedures Tests of controls Inspect ageings and indications of collection follow-up and approval of write offs Check last sales recorded before balance date and first sales recorded after balance date are recorded in correct period (cut-off) Sales are disclosed and classified in accordance with disclosure policies Separate accounting in chart of accounts for related-party sales Appropriate account codings on sales documents As part of testing of sample of transactions, review account codings on sale documents Inquire about any relatedparty transactions. Review sales journal for transactions with known related parties The auditor needs to consider whether the specific control procedures the client has adopted provide reasonable assurance of achieving the objective. Reasonable assurance is influenced by the extent of supervision and the auditor s assessment of the control environment. For example, consider the objective that all merchandise shipped is invoiced. In an entity with a strong control environment and good supervision of separate shipping and invoicing functions, an independent reconciliation of quantities shipped to quantities invoiced may be unnecessary for reasonable assurance of achieving the objective. However, some testing, be it a different control or a substantive test, is necessary. In another entity, this independent reconciliation may be essential for reasonable assurance. The auditor identifies control policies and procedures that permit assessing control risk at less than high when obtaining an understanding of the internal control structure. The next step is to plan and conduct audit tests for the particular class of transactions reviewed. Selecting audit procedures for tests of controls Typical tests of controls are presented in Table 9.4. The arrangement of audit tests shown there is often referred to as a design format for tests of controls. In the planning phase the auditor plans tests, using specific control objectives as a guide. This format helps to ensure that the auditor has not omitted consideration of the achievement of an important objective. However, the audit procedures selected need to be rearranged in the most logical sequence, and duplications need to be eliminated. Since some control procedures and some audit tests relate to more than one objective, in the design format some audit tests are unavoidably listed more than once. Sequence is also important: when the auditor selects a sample of documents, it is efficient to apply all the planned procedures relevant to those documents at that point. The listing of the procedures to be performed in the order of performance is the preliminary audit program. The most logical sequence for audit tests is affected by the nature of the test. The general categories of tests of controls are listed below, with examples of such tests for sales transactions being contained in Table PART THREE Tests of controls and tests of details

19 Inquiry and observation of segregation of duties and restricted access to assets, documents, records and online functions (if applicable): Undertake observation and inquiries concerning the separation of the following functions: order entry; shipping; invoicing; accounts receivable master file; and general ledger. Observe checking of shipments for shipping documents. Observe mailing of monthly statements to customers and review customer correspondence and complaint file. Inspection of completed accounting routines and reperformance of one or a few such routines: Review the accounting for numerical sequence of shipping documents and sales invoices, or test numerical sequence. Inspect reconciliations of quantities shipped to quantities billed. Inspect reconciliations of accounts receivable master file to control account in general ledger, and sales journal (daily activity report) to accounts receivable master file. Inspect periodic ageings of accounts receivable. Inspect indication of supervisory review of footing and posting of sales journal (daily activity report) to general ledger, and foot and trace a few postings. 3 Inspection of documents for indication of the performance of a checking routine or approval and reperformance to establish effectiveness: Select a sample of shipping documents from the shipping document file and trace to sales invoices or sales journal (daily activity report). Select a sample of sales transactions from the sales journal (daily activity report), obtain the supporting documents and: inspect sales order for approval of credit and terms; compare details (customer, descriptions, quantities and prices) of sales order, shipping document and sales invoice; trace prices on sales invoice to approved price list or other indication of approval; recompute extensions and footings on sales invoices; and inspect sales invoices for indication of checking. Tests of controls for cash receipts The specific control objectives for cash receipts and examples of common control policies and procedures and tests of controls are summarised in Table 9.5 (overleaf). In general, the concepts discussed for sales transactions identifying control policies and procedures that achieve specific control objectives and selecting audit procedures for tests of controls and substantive tests also apply to cash receipts transactions. This discussion concentrates on matters that might be misunderstood without further explanation. Notice that some control procedures for sales transactions, such as sending monthly statements to customers, contribute to the achievement of specific control objectives for cash receipts. Tests of these control procedures are performed either in testing sales transactions or in testing cash receipts; they are not duplicated.. CHAPTER 9 Tests of controls 399

20 TABLE 9.5 Control policies and procedures and tests of control for cash receipts transactions Common control policies Specific control objectives and procedures Tests of controls Recorded cash receipts are for collection of receivables from customers All cash receipts are recorded and deposited Cash receipts have been recorded correctly as to account, amount and period Cash receipts matched to specific sales invoices in posting to accounts receivable master file Opening of mail and prelisting of cash receipts independently of cashier, accounts receivable master file and general ledger Policy of depositing cash receipts each day Comparison of deposit slips, prelists and posting from cash receipts journal (daily activity report) independent of cashier, accounts receivable master file, general ledger and mail opening Prelist forms prenumbered and sequence accounted for Monthly statements mailed to customers Cash handling (receipt and deposit) independent of accounting functions and authorised cheque signing Authorisation of remittance invoices for discounts Restrictive endorsement on cheques received Supervisory review and approval of posting to general ledger Monthly statements mailed to customers All bank accounts are reconciled promptly with cash records independent of cash handling, accounts receivable master file and general ledger Review of reconciling items and approval of bank reconciliations Select a sample of entries in cash receipts journal and trace to remittance advices or sales invoices Observe opening of mail and preparation of deposits Select a sample of remittance advices or items on prelist and trace deposits on bank statement and recorded cash receipts Review the prelist forms for numerical sequence Observe mailing of monthly statements, examine customer correspondence and complaints and investigate non-cash credits to accounts receivable Select a sample of remittance advices for associated entries in the cash receipts journal, ensure discounts are appropriately authorised, and trace to accounts receivable subsidiary ledger Foot cash receipts journal (daily activity report) and trace to general ledger posting Inspect posting for indication of supervisory review and approval Inspect client reconciliations and reperform one or a few reconciliations Consider reasonableness of reconciling items and explanations of such items Potential misstatements Generally, the types of misstatements that may occur in an accounting system are classified as: clerical mistakes (omissions, misclassifications or miscalculations); employee fraud; 400 PART THREE Tests of controls and tests of details