Audit Practices Manual_NoRestriction

8/10/2019 Audit Practices Manual_NoRestriction

1/344

THE INSTITUTE OF

CHARTERED ACCOUNTANTS

OF PAKISTAN

AUDIT PRACTICES MANUAL

FEBRUARY 2001

QUALITY CONTROL REVIEW COMMITTEE

FOREWORD

Comprehensiveness in performance and self-regulation are the hallmark of a chartered

accountant. It is because of these distinguishing characteristics that the public has looked up tothe profession for validating and assuring that the information in the published financial

statements is a true and fair view of the state of the affairs of the entity.

The compliance with various standards, corporate regulations, and technical releases of theInstitute automatically assures the excellence in performance. The Institute, to assist the

review partners, managers, and field staff in these efforts, has evolved an Auditing ractices!anual. "iven the multi-variety of the corporate entities, any manual cannot be prescriptive#

this manual also is only descriptive. The working papers etc. are also only sample forms and

are not standards of the Institute as such. There might be a situation where the members may

need to supplement, amend, or add to this manual according to the actual needs of theparticular entity under audit by them.


2/344

The Institute attaches great importance to this process of self-regulation. $ecessaryadministrative mechanism has been put in place in the Institute to assure that the manual is

followed and members% performance is therefore not less than the best.

In conclusion I would express my sincere appreciation for concerted efforts and long hours put

in for the preparation of this comprehensive Auditing ractices !anual by members of thesub-committee, including !r. Asad Ali &hah 'Chairman(, !r. Ather Ali. !r. )ussain *alani,

!r. &aad +aliya, !r. &hafi Ahmed, !r. &hareel utt, !r. !a/har

). )ameedi, !r. $adeem 0ousuf Adil and last but not the least to !r. Ahmed 1. atel,Chairman 2uality Control 3eview Committee, for his personal interest in completion of this

manual.

ir !ohammad A. +aliya, 4CA resident 56 7anuary 8995

PREFACE

The Institute of Chartered Accountants of akistan as member of the International 4ederation

of Accountants 'I4AC( has a professional obligation to implement the standards issued by the

4ederation of the International Accounting &tandards Committee 'IA&C(.

The reface to the International &tandards on Auditing 'I&A%s( issued by the I4AC states that

the obective of audit of financial statements is to enable the auditor to express an opinion

whether the financial statements are prepared, in all material respects, in accordance with an

identified reporting framework 'which would mean accounting standards applicable in

akistan(.

In order to arrive at a correct audit opinion in an efficient and effective manner, the audit is to

be conducted in accordance with the I&A%s and related assurance services and pronouncements

issued by the Council of the Institute.

The manual does not envisage all possible corporate entities or circumstances, for instance

special purpose entities such as banks, airlines, insurance companies, telecommunications and

other utilities etc. may need substantial modifications, even redesigning, to fully conform to

the reuisite reuirements of I&A%s etc.

The 2uality Control 3eview Committee of the Institute hopes that the manual shall be of greatfunctional utility to its practicing members.

The committee expects the practicing members would follow the !anual in letter and spirit.

The manual shall be updated to incorporate the latest reuirements of the I&A%s etc.

WORKING PAPERS


3/344

The working papers are not definitive but are only sample working papers that need to be

supplemented or amended or modified by the members in accordance with the reuirements of

the entity under audit.

ORGANIZATION OF THE MANUAL

Two volumes of the !anual are organi/ed as follows:

Volume 1

Chapter 5:1escribes briefly the salient features of the audit process, including the threephases of planning, execution and completion.

Chapter 8: "ives the contents of theAudit Planning File. Also included therein is

guidance on evaluation of accounting and internal control systems, theinternal control uestionnaires including a guide on the evaluation of general

controls relating to Computeri/ed Information &ystems. 4urther, model audit

programs for a manufacturing entity, duly correlated with possible auditassertions have also been included.

Volume 2

Chapter ;: "ives the contents of theAudit Execution File. This largely comprises of

the standard working paper schedules that are used to collect audit evidenceon the financial statement components, including lead schedules on such

components, referencing methodology and the possible wordings of the

conclusions.

Chapter


4/344

5.5 Audit rocess Chart 5-5

5.8 =verview of the Audit rocess 5-8 lanning hase 5-8 Bxecution hase

5-; Completion hase 5-8.8. Audit !ateriality 8-69

8.8.6 3eview of 4inancial erformance of the Client 8-68 &uggested 4ormat of4inancial erformance 3eview 8-6;

8.; 1etailed lanning

8.;.5 Computer Information &ystem 'CI&( Checklist 8-6@

8.;.8 Audit rograms 8-?; &ample Audit rograms 8-?8.;.; Analytical 3eview rocedures 8-5


5/344

8.@ Audit lanning Checklist 8-5?6

Chapter 3

Audi E'e"uio% File

;.5 "eneral Instructions for 1ocumentation of Audit Bxecution 4ile ;-5;.8 Bxceptions and Control Geaknesses ;-8;.; Audit Gorking aper "uidelines ;-;

;.< &ignificant Components of alance &heet and E * Account F *ead &chedules with

Conclusions ;-@

Chapter 4

Audi Com(leio% ) Re(o!i%& File


6/344

.5 &ummary of &ome I&As

Audi P.$#e

Do"ume%$io%

1/2 OVER VIEW OF THE AUDIT PROCESS

1 The 4ramework on the International Auditing &tandards 'I&As( issued by theInternational 4ederation of Accountants states that the obective of an audit of financial

statements is to enable the auditor to express an opinion whether the financial


7/344

statements are prepared, in all material respects, in accordance with an identifiedreporting framework 'which would mean applicable accounting standards in akistan(.

In order to arrive at a correct audit opinion in an efficient and effective manner, the

audit is to be conducted in accordance with the I&As.

2 The audit is designed to provide reasonable assurance that the financial statements

taken as whole are free from material misstatement. 3easonable assurance is a conceptrelating to accumulation of sufficient and appropriate audit evidence on the basis of

which the auditor can conclude that there are no material misstatements in the financialstatements.

3 The Audit rocess, as described below, has been designed, based on the framework ofauditing suggested by the I&As, with a view to assist an auditor to form an auditopinion in the most efficient manner.

4 The audit process constitutes three phases of lanning, Bxecution and 3eview andCompletion. Bach of these phases are briefly discussed below. These phases are also

described in tabular form at the end of this Chapter to provide a uick comprehensionof the process to the reader.

5 PLANNING PHASE

@.5 The I&A F ;99 reuires that the audit should so plan his work so that the audit is

performed in an effective manner.

@.8 Bfficient planning helps in ensuring that appropriate attention is devoted to theimportant areas of the audit, potential problems are identified and the work is completed

expeditiously.

@.; The extent of planning will vary according to the nature and si/e of the entity beingaudited, the complexity of the audit and the auditor%s experience and knowledge of the

entity%s business.

@.< The planning phase comprises of the following activities:

1eveloping an =verall Audit lan

1etailed Audit lanning *eading to 1evelopment of Audit rogram

1ocumentation in the 4orm of an Audit lanning 4ile

Audit Administration E =ther !atters.0/0 OVERALL AUDIT PLAN

@. The overall Audit lan is a summari/ed strategy for the audit engagement, which

primarily consists of strategic decisions of expected scope and conduct of the audit

based on a preliminary understanding of the entity%s business, its management structure

and philosophy, accounting and internal control systems, audit risk and materiality and

the audit administration. The steps involved are described in the 4low Chart 8 below


8/344

0/ DETAILED AUDIT PLANNING

@.? ased on the audit approach developed in the =verall Audit lan, the auditor should

carry out detailed audit planning leading to the development of the audit programs of

each component of the financial statements containing nature, timing and extent of audit

procedures to be applied to them.

@.> These audit programs need to be reviewed at least by a ualified manager or partner to

ascertain whether the execution of selected audit procedures included therein shall lead

to obtaining sufficient and appropriate audit evidence for forming an audit opinion on

the financial statements.

@.59 An important aspect of detailed planning is the study and evaluation of the internal

control procedures to ascertain the extent to which the internal control systems can be

relied upon for the purposes of the audit. Ghere the accounting and internal control

systems are considered reasonably reliable 'that means when the control risk is assessed

as less than high( and a decision is made to place reliance on such systems and internalcontrol uestionnaires, flow charts or a combination thereof.

@.55 The internal control checklist prepared by the Institute of Chartered Accountants of

akistan# is included in Chapter 8, which can be used for documenting the important

features of the internal control. This checklist is not definitive and may need to be

supplemented, amended or modified according to the need of the audit reuirements of

the entity.

@.58 The overall audit plan, audit programs, time budgets, planning checklist and other

documentation encompassing the planning phase of the audit is to be filed as part of the

Audit lanning 4ile as shown in Chapter 8 of the !anual.

AUDIT ADMINISTRATIVE ) OTHER MATTERS

.5 Information regarding audit administration 'Chart-


9/344

proprietorship concern, it must be ensured that the proprietor carries out a thorough

review of all the working papers.

?.8 Care is to be exercised to ensure that disclosure and completion checklist are prepared

and completed and issues such as subseuent event%s review, related party transactions

and going concern aspect etc. are considered before audit opinions of the financialstatements is issued.

?.; 1etails of the steps involved in the completion phase are given in 4low Chart and

matters to be considered and the documentation to be completed are clarified in 3eviewand Completion 4ile in Chapter


10/344

ecause of the test nature and other inherent limitations of an audit, together with the inherentlimitations of any accounting and internal control system, there is an unavoidable risk that

even some material misstatements may remain undiscovered.

In addition to our report on the financial statements, we expect to provide you with a separate

letter concerning any material weaknesses in accounting and internal control systems whichcome to our notice.

Ge remind you that the responsibility for the preparation of financial statements includingadeuate disclosure is that of the management of the company. This includes the maintenance

of adeuate accounting records and internal controls, the selection and application of

accounting policies, and the safeguarding of the assets of the company. As part of our auditprocess, we will reuest from management written confirmation concerning representations

made to us in connection with the audit.

Ge look forward to full cooperation with your staff and we trust that they will make available

to us whatever records, documentation and other information are reuested in connection withour audit. =ur fees, which will be billed as work progresses, are based on the time reuired by

the individuals assigned to the engagement plus out-of-pocket expenses. Individual hourly

rates vary according to the degree of responsibility involved and the experience and skillreuired.

Ge wish to inform you that our working papers files for the audit of the financial statements

of your company would be subect to review by the Institute of Chartered Accountants ofakistan%s 2uality Control 3eview Committee without any further reference to you.

This letter will be effective for future years unless it is terminated, amended or superseded.

Dnless we hear from you to the contrary, we will assume your concurrence with the contentsof this letter.

0ours truly

4I3!%&

$A!B

2/2 OVERALL AUDIT PLAN

2/2/1 CLIENT PROFILE

$ame of client


11/344

$ature of

Client usiness

!aor *ocations:

=ther Information F

1 o anks

2 o *egal Advisor

3 o Tax Advisor etc.

2/2/2 UNDERSTANDING THE CLIENT6S 7USINESS

P!elimi%$!* 8%o9led&e o+ "lie%:# ;u#i%e##

A preliminary knowledge of the clientJs business is reuired in the client

acceptanceretention stage in order to determine whether to accept or reect a new

entity as a client or to retain or relinuish an existing client.

This knowledge is obtained through the performance of activities such as observation,

inspection, inuiry and analytical procedures such as ratio analysis and common si/eanalysis.

De$iled 8%o9led&e o+ "lie%:# ;u#i%e##

A detailed knowledge of the clientJs business is reuired in all audit processes except


12/344

client acceptanceretention stage. !ost of this knowledge should be acuired in the

audit planning stage and is reuired in order to determine the audit approach.

The knowledge may be acuired through the auditor performing such activities asinspection, inuiry and analytical procedures such as ratio analysis, and Computer

Assisted Audit Techniues 'CAAT(, such as test data, programmed code analysis and

speciali/ed audit software.

K%o9led&e o+ Clie% 7u#i%e## Co!e

7u#i%e## A"i


13/344

M$=o! Su((lie!#

M$=o! Com(eio!#

Rel$ed P$!ie# ,i+ $%*-

Si&%i+i"$% A""ou%i%& Poli"ie#

*ist down significant accounting policies 'or change in accounting policy, if any( adopted by

the Company relating to:

1 &taff retirement benefits2 4ixed assets3 3evenue recognition4 Taxation5 4oreign currency transaction

Ke* M$%$&eme% Pe!#o%%el

*ist down key management personnel of organi/ation, i.e.

Di!e"o!#


14/344

O.e! M$%$&eme% S$++

2/2/> FACTORS THAT MA? AFFECT CLIENT6S 7USINESS

Bconomic 4actors:

Industry Conditions:

&ocial Bnvironmental 4actors:

Technological 4actors:

2/2/@ CRITICAL AUDIT AREAS 5 SIGNIFICANT FINANCIAL

STATEMENT COMPONENTS

*ist down the critical audit areas and its impact on the financial statements relating to


15/344

the audit in consideration. It also includes consideration of previous years brought

forward issues.

!aor areas include:

$ew borrowings with extra-ordinary terms and conditions

1iscontinuation of maor suppliers

Acuisition of a significant asset

1iscontinuation of a maor customer

*oss of a significant market share

!aor claims and litigation against the client, etc.

2/2/0 RISK ASSESSMENTS ACCOUNTING AND

INTERNAL CONTROL S?STEM

1/ The International &tandard on Auditing A&- on the captioned subect provides

guidance on obtaining an understanding of the accounting system and internalcontrol systems and on the audit risk and its components. The standard states

that:


16/344

KThe auditor should obtain an understanding of the accounting and internal

control systems sufficient to plan the audit and develop an effective auditapproach. The auditor should use his professional judgment to assess audit

risk and to design audit procedures to ensure it is reduced to an acceptably

low level.

1 The following paragraphs contain guidance on matters relating to risk assessment andinternal control to help members in understanding these concepts based on the

guidance contained in A&- and other related guidance to enable them in developingan efficient and effective audit approach and in complying with the reuirements of

A&-.

2 De+i%iio%#

>/1 BAudi Ri#8 means the risk that an auditor gives an inappropriate audit

opinion when the financial statements are materially misstated. Audit risk hasthree components: inherent risk, control risk and detection risk.

>/2 BI%.e!e% !i#8 is the susceptibility of an account balance or class of

transactions to misstatements that could be material, individually or whenaggregated with misstatements in other account balances or classes, assuming

there are no related internal controls.

>/> BCo%!ol !i#8is the risk that a misstatement that could occur in an accountbalance or class of transactions and that could be material individually or when

aggregated with misstatements in other balances or classes, will not be

prevented or detected and corrected on a timely basis by the accounting andinternal control systems.

>/@ BDee"io% !i#8 is the risk that an auditor%s substantive procedures will not

detect a misstatement that exists in an account balance or class of transactionsthat could be material, individually or when aggregated with other balances and

classes.

>/0 BA""ou%i%& #*#emmeans the series of tasks and records of an entity bywhich transactions are processed as a means of maintaining financial records.

&uch systems identify, assemble, analy/e, calculate, classify, record, summari/e

and report transactions and events.

>/ BI%e!%$l Co%!ol S*#emL means all the policies and procedures 'internal

controls( adopted by the management of an entity to assist in achieving

management%s obective of ensuring, as far as practicable, the orderly and

efficient conduct of its business, including adherence to management policies,the safeguarding of assets, the prevention and detection of fraud and error, the

accuracy and completeness of the accounting records, and timely preparation ofreliable financial information. The internal control system extends beyond those

matters which relate directly to the functions of the accounting system and

comprises of two components: a( the control environment and the control

procedures.

>/ BCo%!ol e%


17/344

and management regarding the internal control system and its importance in the entity.

The control environment has an effect on the effectiveness of the specific control

procedures. A strong control environment, for example, one with the tight budgetary

control and an effective internal audit function, can significantly complement specific

control procedures. )owever, a strong control environment does not, by itself, ensure

the effectiveness of the internal control system. 4actors reflected in the controlenvironment include:

The function of the board of directors and its committees. !anagement%sphilosophy and operating style. The entity%s organi/ational structure and methods ofassigning authority and

responsibility. !anagement%s controlsystem including the internal audit function,

personnel policies and procedures and

segregation of duties.

>/4 BCo%!ol P!o"edu!e#means those policies and procedures in addition to the controlenvironment which management has established to achieve the entity%s specific

obectives. &pecific Control obectives include:

3eporting, reviewing and approving reconciliation. Checking the arithmeticalaccuracy of records. Controlling applications and environment of computerinformation systems, for

example, by establishing controls over: Changes to computer programs.Access to data files.

!aintaining and reviewing control accounts and trial balances. Approving andcontrolling of documents. Comparing internal data with external sources ofinformation. Comparing the results of cash, security and inventory counts withaccounting records. *imiting direct physical access to assets and records.Comparing and analy/ing the financial results with budgeted amounts.

@/ In the audit of financial statements, we are only concerned with those policies and

procedures within the accounting and internal control systems that are relevant to the

financial statement assertions. The understanding of relevant aspects of the accounting

and internal control systems, together with inherent and control risk assessments will

help the auditor to:

1 a. Identify the type of potential material misstatements that could occur in the

financial statements#2 b. Consider factors that affect the risk of material misstatements# and3 c. 1esign appropriate audit procedures to minimi/e risk to an acceptable level.

0/ Therefore, while developing the audit approach, we should consider the preliminary

assessment of control risk 'in conunction with the assessment of inherent risk( todetermine the appropriate detection risk to accept for the financial statement

assertions. ased on such assessment, we should decide on the timing, nature and


18/344

extent of the substantive procedures for the financial statement assertions.

/ I%.e!e% Ri#8

/1 4or developing the overall audit plan, we should assess inherent risk at the financial

statement level. 4or developing audit programs, we should relate such assessment to

material account balances and class of transactions at the assertion level, or assumethat the inherent risk is high.

/2 The assessment of inherent risk reuires the use of professional udgment

considering the following factors:

/2/1 A .e +i%$%"i$l #$eme% le


19/344

/1 Transactions are executed in accordance with the management%s general and specificauthori/ations.

/2 All transactions and other events are promptly recorded in the correct amount, in the

appropriate accounts and in the proper accounting period so as to permit preparation of

reliable financial statements in accordance with acceptable accounting policies.

/> Access to assets and records is permitted only in accordance with management%s

authori/ation.

1 3ecorded assets are compared with the existing assets at reasonable intervals andappropriate action is taken regarding any differences.

2 U%de!#$%di%& .e $""ou%i%& $%d i%e!%$l "o%!ol #*#em#

4/1 Ge are reuired by A&- to obtain an appropriate understanding of the accounting and

internal controls system to enable us to design our substantive audit procedures aimed

at minimi/ing the detection risk to an acceptable level.

4/2 The process of understanding involves obtaining knowledge of the design of the

accounting and internal control systems, and their operation. Ge usually perform a

KGalk-throughL test that is, tracing a few transactions through the accounting system,

for understanding the accounting and internal control systems.

4/> revious periods audit experience, review of the previous years files containing

documentation of the accounting and internal control systems also enhances our

understanding of such systems.

4/@ The procedures, which may be used for obtaining such understanding include:

Inquiries of appropriate management, supervisory and otherpersonnel at various organizational levels within an entity,together with reference to documentation, such as proceduresmanuals, job descriptions and ow charts;

Inspection of records and reports produced by the accountingand internal control systems; and

bservation of the entity!s activities and operations, includingobservation of the organization of computer operations,management personnel and the nature of transactionprocessing"

/ Ge are reuired to obtain a level of understanding of the accounting

system that is sufficient to identification and understanding of:

1 a. !aor classes of transactions in the entity%s operations#2 b. )ow such transactions are initiated#3 c. &ignificant accounting records, supporting documents and accounts in the

financial statements# and


20/344

4 d. The accounting and financial reporting process, from the initiation ofsignificant transactions and events to their inclusion in the financial statements.

1/ I% !e#(e" o+ "o%!ol e%


21/344

such accounting and internal controls are suitably designed and operating effectively.

12/2 =bective of tests of controls is to obtain evidence about the effectiveness of:

The design of the accounting and internal control systems, that is, whether

they are suitably designed to prevent or detect and correct materialmisstatements# and =peration of the internal controls through out theperiod under audit.

12/> Tests of controls may include:

Inspection of documents supporting transactions and other events to gain auditevidence that internal controls have operated properly, for example, verifying that atransaction has been authori/ed.

Inuiries about, and observation of, internal controls which leave no audit trail, forexample, determining who actually performs each function and not merely who is

supposed to perform it.

3e-performance of internal controls, for example, reconciliation of bank accountsto ensure that they were correctly performed by the entity.

12/@ ased on the results of the tests of controls, we should evaluate whether the internal

controls are designed and operating as contemplated in the preliminary assessment of

control risk. If the results of test of controls highlight deviations, the preliminary

assessment of control risk may need to be revised. In such cases, there will be a need

to modify the timing, nature and extent of planned substantive procedures.

12/0 efore the conclusion of the audit, based on the results of substantive procedures and

other audit evidence obtained, we should consider whether the assessment of control

risk is confirmed.

1> Rel$io%#.i( ;e9ee% .e $##e##me% o+ I%.e!e% $%d Co%!ol Ri#8#

1 !anagement often reacts to inherent risks situations be designing accounting andinternal control systems to prevent or detect and correct misstatements and therefore,in many cases, inherent risk and control risk are highly interrelated. In such situations,

if the auditor attempts to assess the inherent and control risks separately, there is a

possibility of inappropriate risk assessment. As a result, audit risk may be more

appropriately determined in such situations by making a combined assessment.2 Dee"io% Ri#8

1@/1 The level of detection risk relates to the substantive procedures. =ur assessment of

control risk, together with the inherent risk assessment, will influence the nature,

timing and extent of substantive procedures to be performed to reduce the detection

risk, and therefore audit risk, to an acceptably low level. )owever, some detection risk

would always be present, even of an auditor were to examine 599M of the account

balance or class of transactions because, for example, most audit evidence is

persuasive rather than conclusive.


22/344

1@/2 Ge should consider the assessed levels of inherent and control risks in determining the

timing, nature and extent of substantive procedures reuired reducing audit risk to an

acceptably low level. In this regard, we should consider:

The nature of substantive procedures, for example, using tests directed toward

independent parties outside the entity rather than the tests directed toward partiesor documentation within the entity, or using tests of details for particular auditobective in addition to the analytical procedures#

The timing of substantive procedures, for example, performing them at period endrather than at an earlier date# and

The extent of substantive procedures, for example, using a larger sample si/e.

1@/> There is inverse relationship between detection risk and the combined level of inherent

and control risks. 4or example, when inherent and control risks are high, acceptable

detection risk needs to be low to reduce the audit risk to an acceptably low level. =n

the other hand, when inherent and control risks are low, we can accept higher detection

risk and still reduce audit risk to an acceptably low level. This inverse relationship isillustrated below. The shaded areas in the table relate to the detection risk.

Ou! A##e##me% o+ Co%!ol Ri#8

)igh !edium *ow

Ou! $##e##me% o+ )igh *owest *ower !edium

I%.e!e% Ri#8 !edium *ower !edium )igher

*ow !edium )igher )ighest

1@/@ The assessed levels of inherent and control risks cannot be sufficiently low to

eliminate the need for us to perform any substantive procedures. 3egardless of the

assessed levels of inherent and control risks, there would invariably be a need to

perform some substantive procedures for material account balances and class of

transactions.

1 The higher the assessment of inherent and control risk, the more audit evidence wouldbe reuired to be obtained from the performance of substantive procedures. Ghen bothinherent and control risks are assessed as high, we need to consider whether

substantive procedures can provide sufficient appropriate audit evidence to reduce

detection risk, and therefore audit risk, to an acceptably low level. Ghen it isdetermined that detection risk regarding a financial statement assertion for a material

account balance or class of transactions cannot be reduced to acceptably low level, we

should express a ualified opinion or a disclaimer of opinion.

2 Audi Ri#8 i% .e Sm$ll 7u#i%e##

10/1 Ge need to obtain the same level of assurance in order to express an unualified

opinion on the financial statements of both small and large entities. )owever, many

internal controls which would be relevant to large entities are not practical in the small

businesses. 4or example, in small business, accounting procedures may be performed


23/344

by few persons who may have both operating and custodial responsibilities, and

therefore segregation of duties may be missing or severely limited. Inadeuate

segregation of duties may, in some cases, offset by a strong management control

system in which ownermanager supervisory controls exist because of direct personal

knowledge of the entity and involvement in transactions. In circumstances where

segregation of duties is limited and audit evidence of supervisory controls is lacking,the audit evidence necessary to support the auditor%s opinion on the financial

statements may have to be obtained entirely through performance of substantive

procedures.

10/2 The following paragraphs provide more guidance for a better understanding of the twocomponents of internal control system described above, i.e., control environment and

control procedures.

1/ Co%!ol E%/1 !anagement is responsible for Nsetting the toneN for their organi/ation. !anagement

should foster a control environment that encourages:

The highest levels of integrity and personal and professional standards,

A leadership philosophy and operating style which promote internal controlthroughout the organi/ation, and,

An assignment of authority and responsibility.

1/@ Co%!ol E%


24/344

training, evaluations, counseling, promotions, compensation, and disciplinary actions.In the event that an employee does not comply with an organi/ationJs policies and

procedures or behavioral standards, an organi/ation must take appropriate disciplinary

action to maintain an effective control environment. T.e "o%!ol e%


25/344

1/1 Control procedures means the policies and procedures in addition to the control

environment, which the management has established to achieve the entity%s specific

control obectives.

1/2 Co%!ol (!o"edu!e# $!e $"io%# #u((o!ed ;* (oli"ie# $%d (!o"edu!e# .$ 9.e%

"$!!ied ou (!o(e!l* i% $ imel* m$%%e! m$%$&e o! !edu"e !i#8#/ T.ee++e"i


26/344

transactions within limited parameters. In addition, management specifies thoseactivities or transactions that need supervisory approval before they are performed or

executed by employees. A supervisor%s approval 'manual or electronic( implies that he

or she has verified and validated that the activity or transaction conforms to established

policies and procedures.

1/ Re"o%"ili$io% ,Dee"i


27/344

1/11 Co%!ol P!o"edu!e# JA((!o


28/344

".$!&ed o $ de($!me%:# $""ou%#/ To e%#u!e (!o(e! #e&!e&$io% o+

duie# .e (e!#o% 9.o $((!o


29/344

inventories should establish perpetual inventory control over these items by

recording purchases and issuances, eriodically, the items should be physically

counted by a person who is independent of the purchase authori/ation and asset

custody functions and the counts should be compared to balances per the

perpetual records. !issing items should be investigated, resolved, and analy/ed

for possible control deficiencies# perpetual records should be adusted tophysical counts if missing items are not located.

1/10 Co%!ol P!o"edu!e#JSe&!e&$io% O+ Duie# !Preventive and etective"

$o one person should...>Initiate transaction>Approve transaction>3ecordtransaction>3econcile balances>)andle assets>3eview

reports

At least two sets of eyes

1/10/1 &egregation of duties is critical to effective internal control# it reduces the risk

of both erroneous and inappropriate actions. I% &e%e!$l .e $((!o


30/344

TRANSACTION

T?PE

WHO INITIATES WHO

AUTHORIZES

WHO RECORDS WHO

RECONCILES

CONTROLS

,CUSTOD?-

Pu!".$#e o+ Good# Issues 3euisitionPe!#o% A

Approves .=.Invoice Pe!#o% 7

Accounting 3ecordsPe!#o% D

udget 3eportPe!#o% C

3eceives "oodsPe!#o% A o! C

Pu!".$#e o+ Se!


31/344

computer processing centers.

1/1/> 4inally, these controls ensure the adoption of disaster planning to guide the

successful recovery and continuity of networks and computer processing in the

event of a disaster.

1/14 Co%!ol P!o"edu!e#JA((li"$io% Co%!ol# ,Preventive And etective-

1/14/1 Applications are the computer programs and processes, including manual

processes, that enable us to conduct essential activities# buying products,

paying people, accounting for research costs, and forecasting and monitoring

budgets.

1/14/2 Application controls apply to computer application systems and include input

controls 'e.g., edit checks(, processing controls 'e.g.,record counts(, and output

controls 'e.g., error listings(, they are specific to individual applications.

Application Controls Include:

P!o&!$mmed P!o"edu!e# Wi.i% A((li"$io% So+9$!ea oInput Controls '1ata Bntry( Authori/ation Oalidation Brror $otification

and Correction

b o rocessing Controls

c o =utput Controls

1/14/> They consist of the mechanisms in place over each separate computer system

that ensures that authori/ed data is completely and accurately processed. They

are designed to prevent, detect, and correct errors and irregularities as

transactions flow through the business system. They ensure that thetransactions and programs are secured, the systems can resume processing after

some business interruption, all transactions are corrected and accounted for

when errors occur, and the system processes data in an efficient manner.

1/14/@ Electronic Data Interchange, oice !esponse,andE"pert #ystemsare types of

applications that may reuire certain controls in addition to general application

controls.

1/14/0 Ghen an organi/ation decides to purchase or to develop an application, its

personnel must ensure the application includes adeuate application controls:

'5( input controls, '8( processing controls, and ';( output controls.

1/14/ I%(u "o%!ol# e%#u!e .e "om(lee $%d $""u!$e !e"o!di%& o+ $u.o!ied

!$%#$"io%# ;* o%l* $u.o!ied u#e!# ide%i+* !e=e"ed #u#(e%ded $%d

du(li"$e iem# $%d e%#u!e !e#u;mi##io% o+ !e=e"ed $%d #u#(e%ded iem#/

E'$m(le# o+ i%(u "o%!ol# $!e e!!o! li#i% +ield ".e"8# limi ".e"8#

#el+J".e"8i%& di&i# seuence checks, validity checks, key verification,

matching, and completeness checks.


32/344

1/14/ rocessing controls ensure the complete and accurate processing of authori/ed

transactions. Bxamples of processing controls are run-to-run control totals,

posting checks, end-of-file procedures, concurrency controls, control files, and

audit trails.

1/14/4 =utput controls ensure that a complete and accurate audit trail of the results ofprocessing is reported to appropriate individuals for review. Bxamples of

output controls are listings of master file changes, error listings, distribution

registers, and reviews of output.

1/14/ If an organi/ation has applications that are critical to it%s success, then its

personnel must ensure that application controls reduce input, processing, and

output risks to reasonable levels.

1/14/1 A((li"$io% Co%!ol#:E%d U#e! Com(ui%&

1/14/1/1 Twenty years ago, an information system professional was needed to operate a

computer. Today many user departments% personnel can obtain and use

information on the computer themselves. &ome of the common applications

used by them are word processing, desktop publishing, spreadsheets, database

management systems, graphics programs, electronic mail, proect management,

scheduling software, and mainframe-based uery systems that are used to

generate reports. In addition to computer applications, the user departments use

other information systems applications such as voice mail and video

conferencing.

1/14/1/2 Advancing technology enables user departments to purchase or developinformation systems and applications, shifting certain general control

responsibilities from the centrali/ed information systems department to end-

user departments. This often happens in the move from the mainframe to a

client-server environment.

1 The end-user department becomes responsible for segregation of duties within thedepartmentJs information systems environment, backup and recovery procedures,

program development and documentation controls, hardware controls, and access

controls. If a department has end-user information systems that are critical to itssuccess, then department personnel must ensure that application E general controls

reduce information systems risks to reasonable levels.

2 I%e!%$l Co%!olJ i%e&!$ed +!$me9o!8

=ver the years the awareness and focus on internal control has been increasing

for achieving management%s obectives of efficiency, effectiveness and

economy. The Committee of &ponsoring =rgani/ations of the $ational

Commission on 4raudulent 4inancial 3eporting 'known as Treadway

Commission( of D&A 'comprising of five maor sponsoring institutions of


33/344

D&A( undertook a study to establish an integrated framework on internal

controls. This study, which was released in &eptember 5>>8 generally known

as C=&= study, provides a comprehensive framework, which organi/ations can

use for review and enhancing their internal control systems. This framework

can also be used by external auditors for the purpose of their study and

evaluation of internal control systems of their client organi/ations. JInternalControl -Integrated 4rameworkJ defines internal control as a method for

achieving reasonable assurance that obectives in areas related to the

effectiveness and efficiency of operations, reliability of financial reports, and

compliance with laws and regulations are met. The report also identifies the

five interrelated components of internal controls: the control environment, risk

assessment, control activities, information and communication, and monitoring.

1 The components of control environment and control activities 'control procedures( arelargely covered in the guidance contained in the A&-, which has been describedabove. The remaining three components, which have now been included as an integral

part of the internal control system, of risk assessment, information and communicationand monitoring are discussed below.

2 Ri#8 A##e##me%

1/1 Dee!mi%e Go$l# $%d O;=e"i


34/344

P$*!oll

P!o"e##i%&JCom(e%#$io%5 Wi..oldi%&

Compensation rates and payroll deductions should be

=perations accuratelyand promptly entered into the payroll system.

'=(.

Bach accounting period, prepare ournal entries for payroll, payroll

deductions, and related adustments.

4inancial '4(

P!o"e##i%&JAu.o!i$io%#

ersonnel management should properly and accurately maintain all

compensation documentation.

Compliance'C(

An employee master file that is accurate and complete should be maintained.

=, 4, C

1/1/@ A clear set of goals and obectives is fundamental to the success of an

organi/ation as well as the departments and functions within it. &pecifically, a

department or work unit should have '5( a mission statement, '8( written goals

and obectives for the department as a whole, and ';( written goals and

obectives for each significant activity in the department 'see diagram below(.

4urthermore, goals and obectives should be expressed in terms that allow

meaningful performance measurements.

1epartment 1epartment Activities to Activity *evel

!ission "oals and Achieve "oals "oals and

=bectives and =bectives =bectives

1/1/0 There are certain activities which are significant to all departments: budgeting,

purchasing goods and services, hiring employees, evaluating employees,

accounting for vacationsick leave, and safeguarding property and euipment.

Thus, all departments are expected to have appropriate goals and obectives,

policies and procedures, and internal controls for these activities.

1/2 Ide%i+* Ri#8# A+e! De+i%i%& Go$l#

1/2/1 3isk assessment is the identification and analysis of risks associated with theachievement of operations, financial reporting, and compliance goals and

obectives. This, in turn, forms a basis for determining how those risks should


35/344

be managed.

1/2/2 Re#(o%#i;ili*'To properly manage their operations, managers need to

determine the level of operations, financial and compliance risk they are

willing to assume. 3isk assessment is one of managementJs responsibilities and

enables management to act proactively in reducing unwanted surprises. 4ailure

to consciously manage these risks can result in a lack of confidence thatoperation, financial and compliance goals will be achieved.

1/2/> Ri#8 Ide%i+i"$io%. A risk is anything that could eopardi/e the achievement

of an obective. 4or each of the departmentJs obectives, risks should be

identified. !anagement could ask the following uestions to help to identify

risks:

Ghat could go wrongP )ow could we failP Ghat must go right for usto succeedP Ghere are we vulnerableP Ghat assets do we need to protectP 1o we have liuid assets or assets with alternative usesP )ow could

someone steal from the departmentP )ow could someone disrupt ouroperationsP )ow do we know whether we are achieving our obectivesP=n what information do we most relyP =n what do we spend the mostmoneyP )ow do we bill and collect our revenueP Ghat decisions reuirethe most udgmentP Ghat activities are most complexP Ghat activities areregulatedP Ghat is our greatest legal exposureP

1/2/@ It is important that risk identification be comprehensive-at overall organi/ation

level, department level and at the activity or process level-for operations,financial reporting, and compliance obectives-considering both external and

internal risk factors. Dsually, several risks can be identified for each obective.

1/2/0 The following table illustrates the concepts discussed above. $ote that the identifiedrisks relate to the goals and obectives previously determined.

Go$l# $%d O;=e"i


36/344

P$*!oll rovide service and supportto the entity%s employees.

P!o"e##i%&JCom(e%#$io%5

Wi..oldi%& Compensation rates

and payroll deductions should be

accurately and promptly enteredinto the payroll system. Bach

accounting period, prepare ournalentries for payroll, payroll

deductions, and related

adustments. P!o"e##i%&J

Au.o!i$io%# ersonnel

management should properly and

accurately maintain all

compensation documentationincluding filing of periodic returns

to the income tax departments. Anemployee master file that isaccurate and complete should be

maintained.=perations '=(.4inancial '4(

Compliance 'C(

=, 4, C

Transactions may not be processedor processed incorrectly. 4inancialstatements may be misstated due

to entry omissions, incorrect

coding, duplicate ournal entries,or improper cutoffs.

Bmploymenttax laws and

regulations may be violatedresulting in fines, penalties, or

litigation. Incorrect data in the

master file could result in incorrect

wage payments. ayrollwithholdings may be incorrect.

Awards, incentives, recognitions,

etc., may not be accuratelyreflected on the master file.

1/2/ elow are some types of transactions that may pose higher risks:


37/344

Hi&. Ri#8

*arge cash payments 'not routed through bank(

T!$%#$"io%

!aor acuisitions

T*(e#

Dnusually large transactions Accounting transactions that reuire

subective assessment &oftware *icensing Issues Intellectual roperty

Bstimation of provisions against inventory or other assets

1/2/ These are transaction types that deserve a conscious risk review. In evaluating

the potential impact of risk, both uantitative and ualitative costs need to be

addressed.

u$li$i/1After risks have been identified, a risk analysis should be performed to prioriti/e those

risks:

Assess the likelihood 'or freuency( of the risk occurring. Bstimate the potentialimpact if the risk were to occur# consider both uantitative and ualitative costs. 1etermine how the risk should be managed# decide what actions are necessary.


38/344

1/>/2 rioriti/ing helps focus management%s attention on managing significant 'i.e.,risks

with reasonable likelihood of occurrence and large potential impacts(.risks

1/@ Ri#8 A##e##me% Ti(#

5>.


39/344

21/2 Information and communication systems can be formal or informal. 4ormalinformation and communication systems--which range from sophisticated computer

technology to simple staff meetings-should provide input and feedback data relative

to operations, financial reporting, and compliance obectives# such systems are vitalto an organi/ationJs success. 7ust the same, informal conversations with customers,

suppliers, regulators, and employees often provide some of the most critical

information needed to identify risks and opportunities.

When assessing internal control over a significant activit !or "rocess#$the %e&'estions to as% a(o't infor)ation an* co))'nication are as follo+s,

1oes the organi/ation get the information it needs from internal andexternal sources-in a form and timeframe that is usefulP

1oes the organi/ation get information that alerts it to internal or externalrisks 'e.g., legislative, regulatory, and developments(P

1oes the organi/ation get information that measures its performance-information that tells management whether it is achieving its operations,

financial reporting, and compliance obectivesP 1oes the organi/ation identify, capture, process, and communicate the

information that others need 'e.g., information used by our customers or

other departments(-in a form and timeframe that is usefulP 1oes our organi/ation provide information to others that alerts them to

internal or external risksP

1oes our organi/ation communicate effectively--internally and externallyP

Information and communication are simple concepts.

$evertheless, communicating with people and getting information

to people in a form and timeframe that is useful to them is a

constant challenge.

22/ Mo%io!i%&

22/1Mo%io!i%& i# .e $##e##me% o+ i%e!%$l "o%!ol (e!+o!m$%"e o


40/344

Applicable laws and regulations are being complied.

22/2 Ghile internal control is a process, its effectiveness is an

assessment of the condition of the process at one or more points in

time.

22/> 7ust as control procedures help to ensure that actions to manage risks are

carried out, monitoring helps to ensure that control procedures and other

planned actions to effect internal control are carried out properly and in a

timely manner and that the end result is effective internal control. =ngoing

monitoring activities include various management and supervisory activities

that evaluate and improve the design, execution, and effectiveness of internal

control. &eparate evaluations, on the other hand, such as self-assessments and

internal audits, are periodic evaluations of internal control components

resulting in a formal report on internal control. 1epartment employees perform

self-assessments internal auditors who provide an independent appraisal of

internal control perform internal audits.

22/@ !anagementJs role in the internal control system is critical to its effectiveness.!anagers, like auditors, donJt have to look at every single piece of information

to determine that the controls are functioning and should focus their monitoring

activities in high-risk areas. The use of spot checks of transactions or basic

sampling techniues can provide a reasonable level of confidence that thecontrols are functioning.

DOCUMENTATION ) EVALUATION OF ACCOUNTING AND

INTERNAL CONTROL S?STEMS

()*ER)A+ C#)*R#+

rocedures and processes designed by management to provide

reasonable assurance that organi/ational obectives are met. Improve effectiveness management decision making E

efficiency of business process Increase reliability ofaccounting information Achieve appropriate compliance withrules and regulations

E+E,E)*- #F ()*ER)A+ C#)*R#+ --*E,

Control Bnvironment 3isk Assessment Control Activities


41/344

1 o erformance 3eview

2 o Information rocessing Controls

3 o hysical Controls

o &egregation =f 1uties Information AndCommunication !onitoring Activities

C#)*R#+ R(-/ A-E--,E)*

AD1IT 3I&+ Q I$)B3B$T 3I&+ x C=$T3=* 3I&+ x 1BTBCTI=$ 3I&+ Control risk must be assessed to determine appropriate degree of reliance on controls and

what level of detection risk will be necessary to achieve desired audit risk

If control risk is to be assessed at less than 599M then some level of testing must benecessary

#0*A()() A) )ER-*A)() #F ACC#)*() ()*ER)A+ C#)*R#+

--*E,-

Interviews 3eview =f Company 1ocuments =bservations Transactions RGalk-Through%

#C,E)*() *E ACC#)*() ()*ER)A+ C#)*R#+ --*E,-

Gritten $arrative 4lowcharts Control 2uestionnaire 1ecision Table Combination =f revious

+()/AE *# A(* *E-*()

Controls

Identify

&trengthsTest of Controls


42/344

3eliance Q 3educe &ubstantiveTest

Controls

Geaknesses

=ffsetting Controls =r &ubstantiveTests

REP#R*() #) ()*ER)A+ C#)*R#+

3eportable Conditions:

1 Bfficiency or Bffectiveness

!anagement *etter

1 8. Affecting the financial reporting or compliance with laws but risk coveredthrough substantive procedures

!anagement *etter

1 ;. Affecting financial reporting or compliance with laws E risk cannot be covered

through substantive tests

2ualification in Auditors% 3eport

INTERNAL CONTROL UESTIONNAIRE

CONTENTSI/ C#)*R#+ E)(R#),E)*

A. !anagement hilosophy and =perating &tyle

. =rgani/ation &tructure

C. ersonnel olicies and rocedures

1. !anagement Control !ethods

B. Internal Audit 4unction

II/ACC#)*() --*E,


43/344

A. "eneral Accounting

. reparation of 4inancial &tatements

III/REE)E CC+E

A. 3evenue and 3eceivables

. Cash 3eceipts

1. IV/EPE)(*RE- CC+E2. A. urchases and Accounts ayable3. . ayroll4. C. Cash 1isbursements

2 V/PR#C*(#) !C#)ER-(#)" CC+E

A. roduction Costs and Inventories

. roperty and Buipment

VI/ F()A)C() !*REA-R" CC+E

A. Investments

. Buity Capital

PAE)#.

8-


44/344

8-@> 8-@

8-6 8-?

I/ CONTROL

ENVIRONMENT

?ES NO N5A

A/ M$%$&eme% P.ilo#o(.* $%d O(e!$i%& S*le

2uestions-olicies and rocedures

1 1oes management have clear obectives in terms ofbudgets, profit and other financial and operating goalsP

2 Are such policies:

1 a. clearly writtenP2 b. actively communicated throughout the entityP3 c. actively monitoredP4 7/ O!&$%i$io% #!u"u!e

=bective

1efinitions of responsibilities and authority assigned to

specific individuals permit identification of whether

persons are acting within the scope of their authority.


1 Is the organisation of the entity clearly defined in terms of lines of authority andresponsibilityP

2 1oes the entity have a current organisation chart and related materials such as obdescriptions.3 Is there adeuate computer system documentationP

C/ Pe!#o%%el Poli"ie# $%d P!o"edu!e#



45/344

5. 1oes the entity:

1 a. Adeuately plan for staff needsP2 b. Bmploy sound hiring practices, including

background investigations, where appropriateP

?ES NO N5A

1 Are employees adeuately trained to meet their ob responsibilitiesP2 1oes the entity systematically evaluate the performance of employeesP3 Is good performance appropriately rewardedP

D/ M$%$&eme% Co%!ol Me.od#


1 Are there regular meetings of the board of directors 'or comparable bodies( to setpolicies and obective, review the entity%s performance and take appropriate action,

and are minutes of such meetings prepared and signed on a timely basisP

2 )as the entity established planning and reporting systems that set forth management%splans and the results of actual performanceP

3 1o the planning and reporting system in place:

1 a. Adeuately identify variances from planned performanceP2 b. Adeuately communicate variances to the appropriate management levelP


46/344

employees, and their training and experienceP

2 c. 1on the internal auditors document the internal control structure and performtests of control

3 d. 1o they perform substantive tests of the details of transactions and accountbalancesP

4 e. 1o they render written reports on their findings and conclusionsP5 f. Are their reports submitted to the board of directors or to a committee thereofP6 g. Are copies of reports made available to external auditorsP

Are copies of reports made available to external auditorsP

1 1oes management take adeuate and timely actions to correct conditions reported bythe internal audit function.

2 1oes the internal audit function follow up on corrective actions taken by managementP

II/ ACCOUNTING S?STEM

?ES NO N5A

A/ Ge%e!$l A""ou%i%&

=bectives

1 a. Accounting policies and procedures, including selection among alternativeaccounting principles are determined in accordance with management%s authori/ation.

2 b. Access to the accounting and financial records is limited to minimise

opportunities for errors and irregularities and to provide reasonable protection fromphysical ha/ards.

3 c. Accounting entries are initiated and approved in accordance withmanagement%s authorisation.

4 d. All accounting entries are appropriately accumulated, classified andsummarised in the accounts.

ue#io%JPoli"ie# $%d P!o"edu!e#

1 1oes the entity have adeuate written statements and explanations of its accountingpolicies and proceduresP

2 Are the entity%s accounting policies and procedures adeuately communicated toappropriate personnelP

3 Are there adeuate facilities for custody of the general ledger and related recordsP4 Are all ournal entries reviewed and approved by designated individuals at appropriate

levels in the organisationP

5 Are all ournal entries adeuately explained and supportedP6 1o all ournal entries include indication of approval in accordance with management%s

general or specific authorisationP


47/344

7 1o all ournal entries include adeuate identification of the accounts in which they areto be recordedP

?ES NO N5A

1 Are adeuate accounts and records maintained so that adustments and write-offs madeto account balances do not impair accountability for actual amountsP

2 Is approval of responsible official reuired to open new accountsP3 Are accounting records updated regularly and on timely basisP4 Are correction of entries prohibited except through procedures for ournal entries.

7/ P!e($!$io% o+ Fi%$%"i$l S$eme%#

=bectives

1 a. The general ledger and related records permit preparation of financial

statements in conformity with approved accounting standards.2 b. Individuals at appropriate levels in the organisation consider sufficient, reliable

information in making the estimates and udgments reuired for preparation of

financial statements including related disclosures and other externally reportedfinancial information.

3 c. 4inancial statements including related disclosures are prepared and released inaccordance with management%s authorisation.

ue#io%#JPoli"ie# $%d P!o"edu!e#

1 Are there adeuate instructions and procedures for statement preparationP

2 Are financial statements subected to overall review, including comparisons with theprior period and budgeted amounts, by appropriate levels of management before the

statements are approved for issuanceP

III/ REVENUE C?CLE

?ES NO N5A

A/ Re


48/344

ue#io%#JCo%!ol Poli"ie# $%d P!o"edu!e#

5. 1o policies and procedures for acceptance and approval of sales orders appear clearly

defined and adeuately communicated for:

1 a. &tandard goods and servicesP2 b. Dnusual delivery arrangementsP3 c. Bxport salesP4 d. &ales to related partiesP

1 Is responsibility clearly assigned for approval sales orders before shipment orperformanceP

2 Are sales orders approved in accordance with management%s general or specificauthorisation before shipment or other performance concerning:

1 a. CustomerP2 b. 1escription and uantitiesP3 c. riceP4 d. =ther terms of salesP5 e. Credit 'account balances limits(P


49/344

1 1o policies on granting of credit appear clearly defined and adeuatelycommunicatedP

2 Is there periodic review of credit limitsP3 1o persons who perform the credit function receive timely information about past due

accountsP

S.i(me%#

=bectives

1 a. "oods delivered and services provided are basedon orders which have been approved in accordance

with management%s authorisation.

2 b. 1eliveries of goods and rendering of servicesresult in preparation of accurateand timelybillings.

ue#io%JCo%!ol Poli"ie# $%d (!o"edu!e#

1 Are goods shipped or services rendered based on documented sales or work orderswhich include indication of approval in accordance with management%s authorisationP

2 Are shipping documents prepared for all shipmentsP

?ES NO N5A

;. Are shipping documents subected to:

1 a. re-numberingP2 b. Accounting for all shipping documents issuedP3 c. Timely communication to persons who physically perform the shipping

functionP

4 d. Timely communication to persons who perform the billing functionP5 e. Timely communication to persons who perform the inventory control functionP

1 Is access to finished goods and merchandise restricted so that withdrawals of inventoryare based only on properly approved sales orders

2 Are uantities of goods shipped independently verifiedP

3 Are shipping and performance documents reviewed and compared with billings on atimely basis to determine that all goods shipped or services rendered are billed and

accounted forP

7illi% $%d Re"o!d#

=bectives


50/344

1 a. &ales and such related transactions as commissions and sales taxes are based ondeliveries of goods or rendering of services and recorded at the correct amounts and in

the appropriate period and are properly classified in the accounts.

2 b. &ales related deductions and adustments are made in accordance withmanagement%s authorisation.

$uestions%&ontrol 'olicies and 'rocedures

5. Are sales invoices prepared for all shipments of goods or services rendered 'including

purchases which are shipped directly to customer(P

?ES NO N5A

8.Are billing and invoice preparation functions performed bypersons who are independent of the selling 'soliciting and

receiving orders from customers(, credit, and cash functionsP

;. Are all sales invoices:

a. b. c.

d. e. f.

re-numberedP Accounted for to determine all invoices

are recordedP !atched with properly approved sales

ordersP !atched with shipping documentsP Traced toauthorised current source information on prices and

terms 'for example, price list, schedules, catalogues, or

computer stored master filesP 3ecorded promptlyP


51/344

a. b. 3eviewed by a responsible employee who isindependent of the accounts receivable and cash

functionsP !ailed by a responsible employee who is

independent of the accounts receivable and cash

functionsP

6.Is an aging schedule or schedule of past due accounts

prepared monthly by someone independent of the billing andcash receipts functionsP

?.Is the accounts receivable subsidiary ledger reconciledmonthly to the general ledger control accountP

?ES NO N5A

1 1oes the credit manager review monthly ageing schedules or listings of past duecustomer accounts and investigate delinuent accounts and unusual items on a timelybasisP

2 Is there documentation of review and analysis of accounts receivable balances todetermine valuation allowances 'for doubtful accounts( and any specific balances to bewritten-offP

3 Are valuation allowances and write-offs approved by a responsible employeeP

7/ C$#. Re"ei(#

rocessing Collections =bectives

1 a. Access to cash receipts and cash receipts records, accounts receivable records,and billing and shipping records is controlled to prevent or detect, on a timely basis,

the taking of unrecorded cash receipts or the abstraction of recorded cash receipts.2 b. 1etails transaction and account balance records are reconciled, at reasonable

intervals, with applicable control accounts and bank statements for timely detection

and correction of errors.

ue#io%JCo%!ol Poli"ie# $%d P!o"edu!e#

1 Is the mail opened by a person's( whose duties do not involve any shipping, billing,accounts receivable detail, general ledger, invoice processing, payroll and cash

disbursement functionsP

2 Are receipts of currency controlled by cash registers andor pre-numbered cash receiptformsP

3 Are each day%s receipts 'by mail and over the counter( except for post-dated itemsdeposited intact dailyP


52/344

4 Are post-dated items segregated on daily detail listings of remittances to aid in controlof total items receivedP

5 Are all employees who handle receipts adeuately bondedP

?ES NO N5A

1 Are banks instructed not to cash cheues and other instruments drawn to the order ofthe companyP

2 1oes company policy prohibit the asking of any accommodation cheues for example,personal and payroll cheues( out of collectionsP

3 Are entries to the cash receipts ournal compared with

1 a. 1uplicated deposit slips authenticated by the bankP2 b. 1eposits per the bank statementsP

>. Are the comparisons described in item 5; above made by a person's( whose duties do

not include cash receipts and accounts receivable functionsP

Re"o!di%& Colle"io%#

=bectives

All cash receipts recorded are at the correct amount in the period in which received and areproperly classified and summarised.

2uestion-Control olicies and rocedures

1 Is information captured from remittances 'by mail and over the counter( adeuate foraccurate posting of credits to individual accounts receivable subsidiary records or toclassifications concerning such other sources as investment income, rents sales of

property or scrape and proceeds of financingP2 Are details of daily collections balanced with the total credits to be distributed to

appropriate general ledger accounts and to the total collections for the day before

posting to the subsidiary recordsP

3 1o postings of the general ledger control accounts and subsidiary records include thedate on which the remittance was receivedP

4 Are posting to the general ledger control accounts made by a person's( independent of:

1 a. hysical handling of collectionP2 b. osting accounts receivable subsidiary detailP

IV/ E3PENDITURE C?CLE

?ES NO N5A

A/ Pu!".$#e# $%d A""ou%# P$*$;le Pu!".$#e#


53/344

(bjectives

The types of goods, other asset and services to he obtained, the manner in which they are

obtained, the vendors from which they are obtained, the uantities to be obtained and the

prices and other terms are initiated and executed in accordance with managementJs general or

specific authori/ation.

Adustments to vendor accounts and account distributions are made in accordance with

managementJs general or specific authori/ation.


1 Are all purchases based on reuisitions which have been approved in accordance withmanagement)s authori/ation P

2 Are written purchases orders *orother euivalent document( used for all commitmentsand do those orders include the vendor description, uantity, price, term and delivery

reuirements for the goods or services orderedP

3 Are all purchase orders, before issuance, approved by specific individuals or classes ofindividuals designated by managementP

4 Are all purchase orders pre-numberedP5 Is the purchases function independent of receiving, shipping, invoice processing and

cash functionsP

6 Are all purchase orders routinely accounted forP7 Is custody of unissued purchases order form adeuate to prevent their misuseP8 Are open purchase orders periodically reviewed and investigatedP

Re"ei


54/344

4 d. 1istribution of copies for timely matching withpurchase orders and vendorJsinvoices and ifapplicable, timely maintenance of perpetual inventoryrecordsP

@. Are receiving functions performed by designated

employees who are independent of the purchasing,

shipping, invoice processing and cash functionsPI%


55/344

. Are processed invoices and supporting documents

approved by designated employees before paymentP

6. Are approved debit memos used to notify vendors of

goods returned and other adustments of their accountsP

?. Are accumulation of processed invoice and follow-up of

unmatched purchase orders and receiving reports adeuateto result in a proper cut off for financial reporting

purposesP

>. Are vendors statements reviewed for overdue items and

reconciled with accounts payable detail

59. Are there adeuate controls to ensure recognition of

liabilities for goodsservices received but not invoicedP55. Are employee expense accounts:

a. repared in accordance with criteria set by

managementP

b. &ubmitted promptlyP

c. Adeuately supportedP

d. Approved before paymentP

58. Are approved debit memos used to notify vendors of

goods returned and other adustments of their accountsP

5;. Is accounts payable detail periodically reconciled with the

control accounts at reasonable intervalsP

?ES NO N5A

7/ P$*!oll

Au.o!i$io% o+ W$&e# S$l$!ie# $%d Dedu"io%# O;=e"i


56/344

P!e($!$io% $%d Re"o!di%&

#%&ective$

1 a. Compensation is made only to company employees at authori/ed rates and for

services rendered in accordance with managementJs authori/ation.2 b. "ross pay, deductions and net pay are correctly computed based on authori/ed

rates and services rendered and properly authori/ed deductions.

3 c. ayroll costs and related liabilities are correctly accumulated, classified, andsummari/ed in the accounts in the appropriate period.

7ue$tion$8Control Policie$ and Procedure$

5. 1o employees who perform the payroll processing function receive timely notificationof.

1 a. Gage and salary rates resulting from new hires, rate changes, changes in

position, and separationsP2 b. Changes in authori/ed deductionsP

?ES NO N5A

8. Is gross pay determined using authori/ed rates and:

1 a. Time or attendance records for employees paid bythe hour or by salaryP

2 b. iecework records for employees whose wages are

based on productionP

3 c. Adeuate detail records of sales for commissionsalesmenP

1 Are accruals for gratuity provided on the based of contractual agreements with theemployeesP

2 Are total production hours used for determination of gross pay reconciled withproduction statistics used for cost accounting purposesP

3 Are piece rate records reconciled with production recordsP

4 Are salesmen%s commission records reconciled with recorded salesP5 Are such data as hours worked, piecework and commission sales used to determine

gross pay compared at reasonable intervals with applicable production and salesrecords by responsible persons.

Di#;u!#eme% , P$*!oll-

#%&ective


57/344

$ot pay is disbursed to the appropriate employees when due.


1 Are payrolls approved in writing by responsible employees before issuance of payrollcheues or distribution of cash for net payP

2 Is net pay distributed, by persons who are independent of payroll preparation, time-keeping, and cheue preparation functionsP

3 4or payrolls paid by cheue:

1 a. Are cheues drawn on a separate imprest accountP2 b. Are deposits eual to the amount of net ayP


58/344

3 c. reparation of payrollsP4 d. Approval of payrolls+5 C/ C$#. Di#;u!#eme%#

A##i&%me% o+ Fu%"io%#

(bjective

4unctions are assigned so that no single. individual is in a position to both perpetrate and

conceal errors or irregularities in the normal course of his duties.


5. Is the cash disbursements function performed by persons who are independent of the

following functions:

1 a. urchasingP

2 b. 3eceivingP3 c. Invoice processingP4 d. &hippingP

?ES NO N5A

P!o"e##i%& Di#;u!#eme%#

#%&ective$

1 a. 1isbursements are made only for expenditures incurred in accordance withmanagementJs authori/ation.

2 b. Adustments to cash. accounts are made only in accordance with managementJsauthori/ation.

3 c. 1isbursements are recorded at correct amounts in the appropriate period andare properly classified in the accounts.

4 d. Access to cash and cash disbursement records is restricted to minimi/eopportunities for irregular or erroneous disbursements.


1 Are all bank accounts authori/ed by the board of directorsP2 Are all cheue signers authori/ed by the board of directorsP3 Are bank promptly notified of any changes in authori/ed cheue signersP4 Are all disbursement and bank transfers based on vouchers and cheue reuests which

have been approved by responsible employees designated by managementP

5 Are all disbursements except from petty cash made by cheueP6 Are properly approved supporting documents presented with cheues and reviewed by

the cheue signer's( before signing the cheuesP


59/344

7 Are supporting documents for cheues properly canceled and cheue number enteredto avoid duplicate paymentP

8 Are cash funds on an imprest basis and

1 a. +ept in a safe placeP

2 b. 3easonable in amountP3 c. eriodically counted by someone other the custodianP

>. Are all disbursements from cash funds:

1 a. &upported by vouchers which are prepared in inkP2 b. Approved in accordance with managementJs authori/ationP3 c. Canceled to prevent reuseP4 d. &ubect to a predetermined maximum limit for any individual disbursementP

?ES NO N5A

59. Are reimbursements of cash funds:

1 a. &ubect to the same review and approval as processed invoicesP2 b. 3emitted by cheues drawn payable to the order of the custodian of the cash

fundP

1 Are all voided cheues retained and mutilatedP2 Are all cheues promptly recorded when issued and listed in detailP

7$%8 Re"o%"ili$io%#

(bjective

Comparison of detail records, control accounts, and bank statements are made at reasonable

intervals for detection and appropriate disposition of errors or irregularities.


1 Are the bank accounts reconciled monthly by an employee's( who is independent ofinvoice processing, cash disbursements, cash receipt, petty cash and general ledger

functionsP

2 Are old outstanding cheues investigatedP

V/ PRODUCTION

,CONVERSION-

C?CLE ?ES NON5A


60/344

A/ P!odu"io% Co## $%d I%


61/344

?ES NO N5A

1 Is labor effort 'lime, cost or both( reported promptly and recorded in sufficient detail tobe identified with applicable classification such as ob orders or allocation to units in

process.

2 Are transfers of completed units from production to custody of finished goodsinventory based on approved completion reports which authori/e such transferP

3 Are there adeuate procedures for reporting defective unit and scrap resulting from theproduction processP

4 Are perpetual inventory records maintained of both uantities and amounts.5 Are the perpetual records of inventory detail:

1 a. Controlled by general ledger accountsP2 b. ased on documentation of inventory movement and adustments which has

been approved in accordance with managementJs authori/ationP3 c. Adusted to periodic physical inventories taken annually or on a cycle basis at

least once a yearP4 d. 3econciled with the inventory control accounts at reasonable intervalsP

>. Are there adeuate procedures for identifying and reporting excess, slow-moving,

and obsolete inventoriesP

Re"o!di%& T!$%#+e!# o Cu#ome!# $%d O.e! I%


62/344

documents used to recogni/e revenue and the related receivableP

2 b. rovide a means 'such as pre-numbering or hatching( of accounting for allshipping documents and other release documents issuedP

A""umul$io% $%d Cl$##i+i"$io% o+ P!odu"io% $%d I%


63/344

conditionsP

'4or example, comparison of raw material costs with vendorsJ invoices, standard labor

rates with actual rates, standard material usage and machine hours with product

engineering changes, standard labor hours with time studies, etc.(

b. Are significant variances investigated and the resulting explanation brought tomanagementJs attention on timely basisP

I%


64/344

3 c. &ufficient segregation of duties so that errors ofomission or commission are prevented or detected

promptlyP


65/344

physical countsP

m. Investigation and disposition of differences between

physical counts and detailed inventory recordsP

. Are inventory instructions adeuately communicated to and

understood by persons who perform the physical countP6. Is inventory movement adeuately controlled during the

count so that items are not missed or double counted.

?. Are controls over purchases and receiving activity

sufficient to result in recording of liabilities for any iteminclude in inventory which have not been paid forP

>. Are controls over sales and shipping activity sufficient to

result in exclusion from the physical inventory of any

items which have been sold and billed but not yet

shippedP

59. Are inventory counts subect to adeuate verification such

as recounts by persons other than those who made theinitial counts or spot checks by others, such as internal

auditorsP

55. Are difference between physical counts and detailed

inventory records investigated in accordance with

managementJs authori/ation before the records are

adustedP

58. Is there documentation of review and analysis of the

physicalinventory to:

a. Conform with the lower of cost or market

principle,

b. Identify items which are excessive, slow-moving,

defective or obsoleteP

c. 1etermine the need for adustments or valuation

allowancesP

5;. Are adustments of the inventory detail records andcontrol accounts given prior approval in accordance with

managementJs authori/ationP

?ES NO N5A

7/ P!o(e!* $%d Eui(me%

I%ii$io% $%d E'e"uio% o+ P!o(e!* $%d Eui(me% T!$%#$"io%#

#%&ective

Additions and related accumulation of depreciation or amorti/ation, retirements, and


66/344

dispositions of property and euipment 'owned and leased( are made in accordance with

managementJs authori/ation.


1 Is advance approval in accordance with managementJs criteria reuired for all propertyand euipment transactionsP

2 Are reuests for additions, transfers, major maintenance and repair, retirement anddisposition of property and euipment.

1 a. Initiated by designated individuals in accordance with managementJsauthori/ationP

2 b. 4ormally documented, including an adeuate description of the proposal, itsreasons, and the estimated amount of the transactionsP

1 Are authori/ations to execute property and euipment or transactions adeuately

documentedP2 Are procedures adeuate for determining that component and services for property and

euipment are receivedP

3 Are procedures adeuate for determining that all dispositions of property andeuipment have been executed and proceeds, if any, received in accordance with

management%s authori/ationP

Re"o!di%& P!o(e!* $%d Eui(me% $%d !el$ed De(!e"i$io% $%d Amo!i$io%

#%&ective

Transactions involving property and euipment and related depreciation and or

amorti/ation are accurately recorded, accumulated, and classified in detail and incontrol accounts to:

1 '5( ermit preparation of statements in conformity with recogni/ed accountingprinciples or

2 '8( !aintain accountability for assets.

7ue$tions8Control Policie$ and Procedure$

5. Are detailed records maintained for each classes of property and euipment 'owned

and leased(P

?ES NO N5A

1 Are general ledger control accounts maintainedfor the appropriate classes of ownedand leased property and euipment and related depreciation and amorti/ationP

2 Are the detailed property and euipment records reconciled at reasonable intervalswith the control accounts and differences, if any, investigated and resolved in

accordance with management%s authori/ation P

3 Are depreciable and amorti/able lives reviewed at reasonable Intervals for adeuacy inrelation to use or obsolescence based on actual experienceP


67/344

S$+e&u$!di%& P!o(e!* $%d Eui(me%

#%&ective

roperty and euipment is reasonably safeguarded from loss.


1 Is property and euipment insured in accordance with managementJs authori/ationbased on appraisals made at reasonable intervalsP

2 Are items of property and euipment subect to reasonably adeuate physicalprotection techniuesP

3 Are items of property and euipment 'owned and leased( physically inspected atreasonable intervals and compared with the detailedproperty records+

1


68/344

7ue$tion$8Control Policie$ acid Procedure$

5 . Are adeuate general ledger control accounts

maintained for various investment classifications and

in the related incomeP

1 Are adeuate detailed investment records maintained currently including control of

related incomeP2 Are procedures adeuate to determine that investment income is properly accrued and

promptly collectedP

3 Are investments and related collateral reviewed and appraised or valued at market atreasonable intervals for comparison with cost valuations and-:

1 a. 3eporting of the findings to managementP2 b. 1etermination of need for any valuation

allowancesP

?ES NO N5A

@. A!e de$iled i%


69/344

Transactions and obligations concerning euity capital are promptly and accurately recorded

and classified in detailed recorded and control accounts.


1 1oes the general ledger include appropriate control accounts for euity capitalP2 Are detailed share certificate records reconciled at reasonable intervals with the control

records and the general ledgerP

?ES NO N5A

P.*#i"$l S$+e&u$!d# $%d Cu#odi$l P!o"edu!e#

#%&ective$

1 a. Access to records, agreements, and such negotiable documents as sharecertificates concerning euity capital is permitted only in accordance withmanagementJs authori/ation

2 b. 3ecords, agreements, and negotiable documents are subected to reasonablyadeuate physical safeguards and custodial procedures.


1 Are unissued share certificates subect to reasonable physical safeguardsP2 Are unissued share certificates examined and all certificate numbers accounted for at

reasonable intervals by, a responsible officialP

2/2/ MATERIALIT?

There are two aspects to materiality -Pl$%%i%&

Date post:	02-Jun-2018
Category:	Documents
Upload:	innovativies
View:	219 times
Download:	0 times

Audit Practices Manual_NoRestriction

Documents