Internal Controls

Intended Learning Outcomes

After the presentation, you should be able to:
• Appreciate the SAS 78 COSO Framework – Internal Control
• Identify major transaction cycles or business processes
• Understand the risk and control objectives for sales system
• Identify the controls to be implemented for sales system
• Identify audit procedures for testing controls of sales system
Internal Control
Internal Control is a process, effected by an entity's board of directors,
management, and other personnel, designed to provide reasonable assurance
regarding the achievement of objectives relating to operations, reporting, and
compliance.
COSO Internal Control – Integrated Framework
COSO’s Internal Control – Integrated
Framework enables organizations to
effectively and efficiently develop systems
of internal control that adapt to changing
business and operating environments,
mitigate risks to acceptable levels and
support sound management decision
making and governance.
Control Environment
The control environment component is considered the “framework.”
It focuses on people, the ethical and moral values established by an organization’s
leadership team, and competence. It emphasizes that people are the organization and are
the key determinants of the organization’s success or failure.
It is the set of standards, processes and structures that ensure internal control is carried
out across the organization.
It is the foundation of all other components of internal control.
Management’s and the board of directors’ attitude, awareness, and actions toward internal
control.
Control Environment
Sub elements:
• Commitment and competence
• Human resource and practices
• Assignment of authority and responsibility
• Management’s philosophy and operating style
• Board of directors or audit committee
• Integrity and ethical values
• Organizational structure
Risk Assessment
The risk assessment component ensures that mechanisms exist throughout the
organization to identify, manage, and mitigate unwarranted risks. Therefore, goal
alignment is critical throughout the organization and is to be integrated throughout all
significant activities.
It requires that management consider the suitability of objectives and the impact of
possible changes in the external environment and within its own business model that may
render internal controls ineffective.
Risk Assessment
An entity might confront the following risks solely as a result of managing change:
• Changed operating environment
• New personnel
• New information systems
• Rapid growth
• New technology
• New products or services
• Corporate restructuring
Control Activities
The control activities component provides that policies and procedures should be
established and followed to ensure all actions support the achievement of defined goals.
They are performed at all levels of the entity, at various stages within the business
processes and over the technology environment. They encompass a range of manual and
automated activities:
Control Activities
Control activities include the following:
1. Physical Controls 2. IT Controls
• Transaction Authorization • General Controls
• Segregation of Duties • Application Controls
• Supervision
• Accounting Records
• Access Control
• Independent Verification
Monitoring
The monitoring component provides that the entire process must be monitored in order to
recognize problems to make necessary adjustments during the course of operations.
Monitoring activities:
• Separate procedures — test of controls by internal auditors
• Ongoing monitoring:
1. Computer modules integrated into routine operations
2. Management reports which highlight trends and exceptions from normal
performance
Transaction Cycles
The major transaction cycles are:
• Sales (revenue)
• Purchases
• Payroll
Tests of control are also applied to key statement of financial position headings linking into the main
transaction cycles:
• Bank and cash
• Inventory
• Revenue and capital expenditure (non-current assets)
Sales System
Sales System
Elements of the sales system
Excluding the collection of payments from credit customers, the main elements of
the sales accounting system may be classified as follows:
• Receiving orders from customers
• Dispatching the goods and invoicing customers
• Recording sales and amounts receivable in the accounts
Customer Ordering
Customer Ordering
Risks
• Orders may be accepted from new customers and new customers may be given credit,
without checking the customer’s references or without formal authorization of a credit
account for the customer with a credit limit.
• Orders may be accepted from existing customers that take them over their credit limit.
• Some orders are overlooked and are not processed.
• Some orders are processed twice.
• The customer is given a price discount without proper authorization.
Customer Ordering
Control objectives
• Giving credit to new customers and existing customers must be controlled, and
must be consistent with company policy.
• All orders from customers are processed correctly.
• Orders should not be processed if they would take the customer above his agreed
credit limit.
Customer Ordering
Principal controls
• There should be a segregation of duties, and the individuals who process orders from
customers should not also carry out credit reference checks on new customers or credit
limit checks on existing customers.
üThe latter could be done manually by reference to a file of approved credit limits, or
it could be a programmed control whereby the system will only accept an order if the
customer will still be within his credit limit.
• All new customer accounts, and their credit limit, should be authorized.
Customer Ordering
Principal controls
• Orders should be recorded on sequentially-numbered documents or the system should
allocate sequential numbers to documents.
• For every sales order, a dispatch note should be produced (manually, or generated by the
system from the order details). Goods should not be dispatched to customers without a
dispatch note.
Customer Ordering
Tests of control
• The auditor can establish which individuals take orders and process them, and which
individuals carry out credit reference checks on new customers and credit limit checks on
existing customers. The auditor could observe these individuals to see if procedures are
being properly followed.
üIn an IT system, he could use test data to check that orders which would take a customer
over his credit limit would be rejected by the system.
• Further evidence that credit checks have been carried out can be checked by looking at the
signatures or initials of credit checking staff on customer orders or by using test data as
described above.
Customer Ordering
Tests of control
• Evidence that new customer accounts have been approved should be checked by looking
for the signature of the manager giving the authorization on the appropriate approval
document.
• The auditor can look at lists of customer orders, sequentially numbered, and confirm
that for every customer order there is a dispatch note number.
üAlternatively, for an integrated IT system, he can follow test data through from order
to dispatch note and confirm that sequences are complete by viewing documents on
screen.
Customer Ordering
Dispatch of Goods and Invoicing
Return of Goods
Dispatch of Goods and Invoicing
Risks
• For some customer orders, goods are not dispatched, or the goods are dispatched
twice.
• Goods are dispatched to customers who do not have sufficient credit (either
because no credit terms have been agreed, in the case of a new customer, or
because the order takes an existing customer above his credit limit).
• Invoices are not produced for goods that have been dispatched to some
customers.
Dispatch of Goods and Invoicing
Risks
• Customers may claim that they did not receive the goods that have actually been
delivered to them.
• Returns from customers are not properly recorded, so that the client company
does not know the correct figure for sales net of sales returns.
Dispatch of Goods and Invoicing
Control objectives
• Goods should be dispatched for every authorized customer order.
• Goods should not be dispatched twice, for the same sales order.
• Customers should acknowledge the receipt of goods.
• For every dispatch note, there must be an invoice.
• Invoices should be for the correct amount.
• For all goods returned by customers, there must be an authorized credit note.
Dispatch of Goods and Invoicing
Principal controls
• Dispatch notes or Goods Delivery Notes (GDNs) should be numbered sequentially, and
should be attached to a copy of a specific customer order. The GDN should be signed by
an authorized member of the dispatch staff. Sequential numbering of GDNs allows a
check to be made that all deliveries can be accounted for.
• Customers should sign a delivery note for the receipt of goods, as confirmation of
receipt.
Dispatch of Goods and Invoicing
Principal controls
• The signed delivery note should be attached to a copy of the dispatch note and
customer order. Copies of these documents should be transferred to the accounts
department after dispatch, so that a sales invoice can be produced.
• Each sales invoice should be linked to a copy of the dispatch note and customer order or
produced automatically from them.
• Sales invoices should be sequentially numbered, or the system should allocate
sequential numbers to documents.
Dispatch of Goods and Invoicing
Principal controls
• There should be a segregation of duties, and the individuals who dispatch goods should
not be the same as those who prepare sales invoices or process the customer orders.
• Credit notes should be sequentially numbered and authorized.
• There should be periodic checks by someone in the accounts staff on the accuracy of
invoices or strong IT controls to ensure the accuracy of invoices.
Dispatch of Goods and Invoicing
Tests of control
• Some delivery notes should be checked to confirm that customers do sign them.
• The auditor can check that the segregation of duties does exist.
• There should be a check to ensure that all GDNs have been sequentially numbered, and
that if there is any non-sequential numbering of GDNs an error report has been
produced by the system to explain the reason for the error
• The auditor should check that (sequential) lists of invoices show a customer order
number and a dispatch note number.
Dispatch of Goods and Invoicing
Tests of control
• The auditor should check a list of credit notes to make sure that they cross-refer to a sales invoice
number.
• Credit notes should be checked to make sure that they contain the authorization signature of the
appropriate manager or have been raised, on the computer, only by a member of staff with authority
to do so.
• The auditor can observe the dispatch process in operation.
• There should be documentary evidence that a member of the accounts staff has carried out
arithmetical checks on the accuracy of invoices. Alternatively, the auditor may prove that there are
strong IT controls which will ensure the accuracy of invoices by checking the calculations himself.
Recording Sales and Accounting
Recording Sales and Accounting
Recording Sales and Accounting
Risks and control objectives
• Invoices and credit notes may not be recorded in the accounting system.
üEnsure that they are all recorded.
• Invoices and credit notes are recorded in the wrong customer accounts.
üPrevent this from happening, or to detect errors when they do occur.
• Debts may be written off as uncollectable without proper consideration.
üMake sure that this does not happen.
Recording Sales and Accounting
Principal controls
• Invoices and credit notes should be sequentially numbered.
• Regular statements should be sent to customers.
• Control account reconciliations should be carried out on trade receivables.
• Bad debts must be authorized.
• There are procedures for identification and follow-up of overdue accounts and
unpaid invoices.
Recording Sales and Accounting
Tests of controls
• Lists of invoices and credit notes can be checked to make sure that there is sequential
numbering or documents can be viewed on screen.
• There should be a segregation of duties between the individuals who prepare and send out
invoices, and individuals who collect payments, and individuals who follow up late payments.
• The auditor can check that statements are produced and dispatched to customers.
• The auditor can look for documentary evidence that control total checks have been made.
Recording Sales and Accounting
Tests of controls
• There should be documentary evidence that proper authorization is given for a debt to
be written off as bad.
• There should be individuals responsible for collecting overdue debts, and evidence of
their work.
üAlternatively, the auditor might check that an exception report is regularly produced
by the system, listing all overdue debts, and look for evidence that this is followed
up.
Checklist
qAppreciate the SAS 78 COSO Framework – Internal Control
qIdentify major transaction cycles or business processes
qUnderstand the risk and control objectives for sales system
qIdentify the controls to be implemented for sales system
qIdentify audit procedures for testing controls of sales system