6.

Test of Controls Page 47

Ch # 6: Test of Controls

Computer-Assisted Audit Techniques (CAAT)

Any technique that enables auditor to use IT systems as a source of generating audit evidence.

CAATs are often necessary in audit of IT systems because

▪ These systems may not provide an adequate audit trail.
▪ Processing is ‘invisible’ because it is electronic.
(so auditor needs to ‘get inside the computer’ to check the completeness and accuracy)

Two commonly-used types of CAATs are:

▪ Test data (commonly used in Test of Controls)
▪ Audit software (commonly used in substantive procedures)

Test data

Involves the auditor processing a sample of data through the IT system and comparing the results
obtained from the processing with pre-determined results.

Procedures may be written into client’s computer information systems that will generate data for audit
purposes every time the process is run.

Normally, to avoid corrupting client’s data files, an extra ‘dummy’ department is stablished, to which the
test data results are allocated. Only the auditor should have access to the data stored in this dummy
department.

Costs of using CAATs

CAATs can be expensive, and the use of CAATs should be evaluated on a cost benefit basis.

The costs related to the use of CAATs may include:

▪ Purchasing or developing the programs
▪ Keeping programs up-to-date for changes in hardware and software
▪ Training audit staff in the use of computer systems to run the CAATs.

Use of Audit Software

Embedded audit facilities

It is audit software that is built into the client’s IT system, either temporarily or permanently.
(Also known as ‘resident audit software’ or ‘integrated audit module’)

▪ Purpose is to allow the auditor to carry out tests at the time that transactions are being processed, in
‘real time’.
▪ This can be very useful for the audit of online systems where:
- Data is continually processed and master files are being continually updated, and/or
- It is difficult for system to provide a satisfactory audit trail.
▪ An embedded audit facility may also keep record of the transactions it has monitored so that the
auditor can study those.
6. Test of Controls Page 48

Problems with using audit software

Audit software may need to be compatible with the client entity’s IT system, and can therefore be
expensive to use, especially:
▪ When used for the first time for a client (set-up costs)
▪ Client entity changes its accounting system
(New audit software is needed)
▪ When client has an old purpose-written IT accounting system for which there is incomplete system
documentation.

Auditor should also be aware of the possibility that if he uses copies of the client’s files for carrying out tests
with audit software that the client may provide a file that is not actually a copy of the current ‘live’ files.
When using such files, auditor should insist on being present to observe the copying of the files, to make sure
that they are ‘genuine’.

Auditing around the computer

With auditing around the computer, the client’s internal software is not audited. Instead, inputs to the
system are checked and agreed with the outputs from the system.

Auditing around the computer has greater audit risk than auditing of the client’s internal software,
because:
▪ If the actual files or programs are not tested, there will be no evidence that programs are functioning
properly, as documented
▪ Where auditor finds discrepancies between input and output, there is no way of finding out how the
discrepancy has occurred.
6. Test of Controls Page 49

SALES System

Source 2012 Gleim Publications, Inc. www.gleim.com

Risk Controls by Management Test of Controls

Receiving Orders from Customer

▪ Orders may be accepted ▪ There should be segregation of ▪ Check that proper segregation of
from new customers; or duties between duties is present between these
they may be given credit, ✓ Processing of orders functions
without authorisation ✓ Checking credit reference on ▪ Check that new customer have been
▪ Orders of more than new customers or checking limit approved by looking for the
credit limit may be on existing. signature of the manager giving the
accepted. ▪ New customers, and credit limit, authorisation
▪ Overlooking of orders should be authorised. ▪ Look at lists of customer orders,
▪ Orders may be processed ▪ Sequentially-numbered documents sequentially numbered, and
twice. should be used. confirm that for every customer
▪ Price discount is given ▪ Goods should not be dispatched to order there is a dispatch note
without authorisation. customers without a dispatch note. number.
6. Test of Controls Page 50

Risk Controls by Management Test of Controls

Dispatch of Goods and invoicing

▪ Goods are not dispatched ▪ Goods Delivery Notes (GDNs) ▪ Check some delivery notes to
▪ Goods are dispatched should be numbered sequentially confirm that customers do sign
twice. ▪ GRN should be attached to copy of them.
▪ Goods dispatched to customer order. ▪ Check that the segregation of duties
customers who do not ▪ GDN should be signed by an does exist.
have sufficient credit authorised dispatch staff. ▪ Check that all GDNs are serially
▪ Invoices not produced for ▪ Customers should sign a delivery numbered
goods dispatched. note for the receipt ▪ Check that (sequential) lists of
▪ Customers may claim not ▪ Signed delivery note should be invoices show a customer order
receiving the goods attached to a copy of GDN and number and a dispatch note
▪ Sales return are not customer order. number.
properly recorded ▪ Copies of documents should be ▪ Check a list of credit notes to make
transferred to accounts department sure that they cross-refer to sales
after dispatch. invoice number
▪ Each sales invoice should be linked ▪ Check authorization of relevant
to these documents. staff on credit notes
▪ Sales invoices should be ▪ Observe the dispatch process in
sequentially numbered operation.
▪ Segregation of duties between
✓ Dispatching goods
✓ Preparing sales invoice.
▪ Credit notes should be properly
authorised.
▪ There should be periodic checks on
accuracy of invoices

Recording Sales and Accounting

▪ Invoices and credit notes ▪ Invoices and credit notes should be ▪ Check for the sequential numbering
may not be recorded in sequentially numbered. of invoices and credit notes
the system. ▪ Regular statements should be sent ▪ Check that statements are produced
▪ Invoices and credit notes to customers. and dispatched to customers.
are recorded in the ▪ Control account reconciliations ▪ Look for documentary evidence for
wrong customer ▪ Bad debts must be authorised. control total checks
▪ Debts may be written off ▪ Procedures for identification and ▪ Check authorization for bad debt.
as without proper follow-up of overdue accounts etc ▪ Check that exception report is
consideration. regularly produced by system,
listing all overdue debts, and check
that this is followed up.
6. Test of Controls Page 51

PURCHASES System

Source 2012 Gleim Publications, Inc. www.gleim.com

Risk Controls by Management Test of Controls

Placing Order
▪ Orders are made without ▪ Segregation of duties between ▪ Check that the segregation of duties
authorisation. ✓ Requisition of purchase does exist.
▪ Orders may be placed ✓ Placing of order. ▪ Look at lists of sequentially-
with unapproved ▪ Purchase orders should be numbered purchase orders or view
suppliers sequentially numbered. documents on screen.
▪ The order might not be ▪ There should be a procedure of ▪ Ask management to provide
given to the supplier ‘approved list’ of suppliers. documentary of mainitaining an
quoting the lowest price. ▪ All orders must be placed with approved list
(for large order) suppliers on an approved list. ▪ Check purchase orders to make
▪ Orders above a certain value must sure that they contain approved
be authorised by a senior manager supplier reference.
▪ Check authorization in case of large
orders
6. Test of Controls Page 52

Risk Controls by Management Test of Controls

Receiving goods and invoices
▪ Goods may be accepted ▪ Copy of all delivery notes should ▪ Check that delivery notes, GRNs
from a supplier without be retained, with a signature of the and purchase invoices are
having been ordered. receiving staff matched with each other.
▪ Company may fail to claim ▪ Goods received notes (GRN) ▪ Check for documentary evidence
discounts from suppliers for should be produced for each that discounts are checked and
big orders delivery claimed from suppliers when
▪ Suppliers may invoice for ▪ Any accounts/purchasing staff available.
goods that have not actually must be responsible for checking ▪ Check that the segregation of
been provided. discounts allowed. duties does exist.
▪ Segregation of duties between
✓ Receiving of goods
✓ Placing of order.
✓ Recording of purchase invoice
in accounts
▪ All purchase invoices should be
checked against a purchase order
and a GRN
Recording and accounting for purchases and invoice
▪ Purchase invoices may be ▪ Purchase invoices must be ▪ Chcek that purchase invoices are
recorded for goods or checked against purchase orders matched against purchase orders.
services not provided before recording ▪ Chcek that statements from
▪ Purchase invoices may be ▪ Purchase order number should be suppliers are checked and
incorrectly recorded in the written on an invoice approved.
accounts ▪ Regular statements should be ▪ Look for documentary evidence of
▪ Credit may not be claimed received from suppliers control account reconciliations.
from suppliers for goods ▪ Balance on the statement should ▪ Check a list of sequentially-
returned. be checked against the account numbered debit notes and make
balance. sure that it is cross-referenced to
▪ Regular control account a supplier’s credit note.
reconciliations
▪ Debit note should be created each
time that goods are returned to a
supplier.
▪ Debit notes should be sequentially
numbered and matched with
supplier’s credit note when it is
received.
6. Test of Controls Page 53

PAYROLL

Source 2012 Gleim Publications, Inc. www.gleim.com

Principal controls Tests of control

Risk: All benefits and deductions (tax, pension etc) may not be computed correctly
▪ Verification of payroll amounts and benefit ▪ Recalculate benefits and deductions for a sample of
calculations. employees.
▪ Payroll budgets in place and reviewed. ▪ Review budgeting procedures
▪ Agreement of gross earnings and total tax ▪ Inspect documentation for evidence of management's
deducted with taxation returns. review.
Risk: Payroll transactions may not be correctly recorded in the accounting system.
▪ Changes to master payroll file verified through ▪ Review reconciliation o ‘before and after’ reports to
‘before and after’ reports. payroll master file.
▪ Payroll master file reconciled to general ledger. ▪ Review reconciliation o payroll master file to general
ledger. Confirm whether discrepancies are followed-
up promptly and resolved.
Risk: Payroll transactions may not be recorded in the correct accounting period.
▪ All starters, leavers, changes to salaries and ▪ Review entity’s procedures for reporting changes to
deductions are reported promptly to payroll the payroll department.
department and changes are updated to payroll ▪ Check sample of starters and leavers.
master file promptly.
6. Test of Controls Page 54

Principal controls Tests of control

Risk: Payment may not be made to bona fide employees of the entity.
▪ Segregation of duties between HR and ▪ Observe and evaluate proper segregation.
payroll functions ▪ Review a sample of starters and leavers in year to
▪ Personnel files held for all employees. ensure correct documentation is in place.
▪ Authorisation procedures for hiring, ▪ Review and test authorisation procedures.
terminating, time worked, wage rates, ▪ Review policies and procedures in place for changing
overtime, benefits etc. status and consider their adequacy.
▪ Any changes in employment status of ▪ Observe employees’ use of time clocks.
employees (eg maternity, special leave etc) ▪ Inspect a sample of clock cards for evidence of
informed to HR department. approval by appropriate level of management.
▪ Use of time clocks to record time. ▪ Review and test procedures for entering and
▪ Clock cards approved by supervisor. removing employee numbers from the payroll
▪ Only employees with valid employee master file.
numbers are paid. ▪ Review numerical sequence of clock cards.
▪ Pre-numbered clock cards in use.
▪ Segregation of duties If wages are paid in cash
▪ Authorisation of wage cheque cashed ▪ Attend the pay-out of wages to confirm that the
▪ Custody of cash – Encashment of cheque – official procedures are being followed.
Security of pay packets – Security of transit – ▪ Before the wages are paid compare payroll with
Security and prompt banking of unclaimed wage packets to ensure all employees have a wage
wages packet.
▪ Verification of identity ▪ Examine receipts given by employees; check
▪ Recording of distributions unclaimed wages are recorded in unclaimed wages
▪ Preparation and authorisation of cheques book.
and bank transfer lists ▪ Observe whether any employee receives more than
▪ Comparison of cheques and bank transfer list one wage packet.
with payroll ▪ Check that unclaimed wages are banked regularly by
▪ Maintenance and reconciliation of wages and inspection of bank statements and supporting
salaries bank account documentation.
▪ Preparation and authorisation of cheques ▪ Inspect that unclaimed wages books to check it
and bank transfer lists shows reasons why wages are unclaimed.
▪ Comparison of cheques and bank transfer list
with payroll Holiday pay
▪ Maintenance and reconciliation of wages and ▪ Verify a sample of payments with the underlying
salaries bank account records and check the calculation.
▪ For salaries, review whether comparisons are being
made between payment records.
▪ Examine paid cheques or a certified copy of bank list

Possible control weaknesses in a payroll system

▪ Weaknesses in the system for recording time spent at work.

▪ Employees may ‘clock on’ on behalf of a colleague, using the identity card that the colleague has given
him.
(biometric attendance system can prevent this from happening)
▪ Overtime payments may not be properly authorised.
▪ The actual payments of wages and salaries (often payments through banking system) may be made by
a junior person in the accounts department without proper authorisation.
▪ The payroll lists for each department may not be properly authorised.
6. Test of Controls Page 55

The bank and cash system

Principal controls Tests of control

Risk: All money received may not be recorded
▪ There should be segregation of duties. ▪ Check that segregation of duties does exist.
▪ The handling of cash should be kept separate from
other accounting functions. Controls over receipts by post
▪ Observe that mail opening and cash handling
Controls over receipts by post procedures are being followed.
▪ There should be supervision of opening of mail. ▪ Check amounts recorded as receipts from
▪ There should be a listing of all money received. customers against the remittance advices
▪ Mail and cheques should be date-stamped. (document from the customer confirming the
amount paid).
Cash sales
▪ Only a restricted number of employees should be Cash sales
authorised to receive cash. ▪ Check amounts in receipt books or on till rolls
▪ Cash tills and till rolls should be used to record cash to paying-in slips, the cash book and bank
sales. statements.
▪ Another person should check the actual cash received ▪ Check whether bankings are made daily.
against the till roll total. ▪ Check payments out of cash takings
▪ Restrict employees who are able to receive cash ▪ Check for evidence that till roll totals or
▪ If till rolls are not produced, receipts should be given receipts totals are checked against cash
for cash receipts, and a copy be retained. received by an authorised person.
▪ Receipts should be sequentially numbered.
Risk: All money received may not be banked
▪ There should be daily banking, if possible. ▪ Check the frequency of banking receipts.
▪ Cash payments received should be recorded, and ▪ Check that receipts are recorded in cash book
subsequently checked against amount banked. and bank statement matches that.
▪ Risk: Proper safeguards may not exist over money held
Bank Bank
▪ There should be established procedures for opening ▪ Confirm that new bank accounts have only
new bank accounts. been opened under the procedures
▪ There should be restrictions on individuals authorised ▪ Observe which individuals are involved with
to prepare and hold cheques. company cheques.
▪ There should be safe custody of cheque books. ▪ Enquire as to custody of cheque books
▪ There should be no pre-signed cheques. ▪ Check to see whether any cheques are blank
▪ In an IT system there must be strong physical controls and pre-signed.
over access to pre-signed cheques, such as being kept ▪ In an IT system, observe the effective
in a safe until next payment run functioning of the system.
Cash Cash
▪ Notes and coin should be kept in a secure place. ▪ Review nature of cash payments made.
▪ Only a very limited number of employees should have ▪ Observe cash custody procedures.
access to the cash.
▪ Cash Receipts and payments must be recorded.
Risk: All payments through cheques may not be properly authorised, made to the correct person and may
not be properly recorded
▪ Cheque requisition forms should be used to request ▪ Review paid cheques for payee, date, amount
payments with supporting documents and signature.
6. Test of Controls Page 56

Principal controls Tests of control

▪ Cancellation of documentation once cheque has been ▪ Agree payments in the cheque book or BACS
prepared. list to entries in accounting records, bank
▪ There should be established authority levels for statements & supplier statements.
cheque signing. ▪ Review the supporting documents
▪ Payments must be recorded promptly. ▪ Review the sequence of cheque numbers
▪ All cheques must be numbered sequentially.

Petty cash

Control objectives
▪ To avoid or reduce the risk of petty cash being stolen.
▪ To ensure that all spending out of petty cash is properly authorised.
▪ To ensure that only correct amounts of cash are withdrawn from bank to go into petty cash.
▪ To ensure that all spending out of petty cash is accounted for.

Controls
▪ Maximum amount held in petty cash should be restricted to about 1 month spending.
▪ Petty cash should be kept in a locked cash box in the office safe, or if there is no safe in a locked drawer
in the accountant’s desk. This is a basic physical control over cash.
▪ All withdrawals of petty cash should be recorded on a petty cash voucher and vouchers must be
sequentially numbered.
▪ All petty cash spending should be authorised in advance by a properly authorised person (and not by
the person withdrawing the cash).
▪ Receipts should be provided for petty cash spending and attached to petty cash voucher.
▪ When money is withdrawn from bank to ‘top up’ petty cash, the amount of cheque for cash withdrawal
should be checked against total of petty cash vouchers in the petty cash box.
▪ There should be occasional checks of petty cash by a senior person (not the person responsible for
holding and issuing petty cash) .
▪ There should be a system for the regular recording of petty cash expenses in the petty cash book. Each
entry in the petty cash book should include the voucher number
6. Test of Controls Page 57

The Inventory system

Control objectives Principal controls Tests of control

Recording inventory
Inventory records should ▪ Segregation of duties ▪ Look for evidence that inventory
be complete, accurate and (ordering inventory, custody of movements (as recorded in the
include only items inventory, accounting for inventory department) agree with
belonging to the inventory). dispatch documents and GRN.
company. ▪ There should be proper ▪ Look for documentation providing
documentation for all issues of evidence that inventory movements
All inventory movements inventory from the store. are properly authorised.
should be recorded & ▪ All goods received should be
authorised checked and recorded
▪ Appropriate inventory records
should be maintained
Physical safeguards
Inventory is protected ▪ There should be restricted access ▪ Look for compliance with access
against loss & damage. to storage areas. restrictions.
▪ Regular inventory counts should ▪ Obtain confirmation that periodic
be performed using appropriate inventory counts are performed, and
procedures. counts are checked with records
Valuation
Inventory should be ▪ IAS 2 should be applied. ▪ Look for evidence of how inventory
correctly valued at the ▪ There should be procedures for valuations are reviewed, in order to
lower of cost and NRV. identifying obsolete and slow apply the principles of IAS 2.
moving inventory.
Inventory management
Appropriate levels of ▪ There should be maximum and ▪ Carry out a review for excessive
inventory should be held minimum inventory levels for all inventory levels
at all times. inventory items. ▪ (This is often performed in
▪ There should be appropriate re- conjunction with inventory count or
order levels and re-order ‘stock take”).
quantities. ▪ Monitor the frequency of out-of-
stock situations.

Note: The above given controls are only related to the maintenance of the inventory. Controls relating to receipt and
dispatch of inventory are discussed earlier in Sales and Purchase system.
6. Test of Controls Page 58

Non-current assets

Control objectives Principal controls Tests of control

Authorisation
All expenditure on non- ▪ Appropriate authorisation ▪ Many tests of control for the
current assets should be procedures should be in place. purchase of non-current assets are
properly authorised. ▪ Documentation and analysis similar to those for the purchase of
should be produced to support inventory items.
(capital) expenditure requests. ▪ Look for documentary evidence of
▪ There should be approval capital expenditure authorisations.
procedures for the payment of
invoices to the suppliers of non-
current assets.
Recording
All expenditure on non- ▪ Invoices must be analysed and ▪ Check the capital/revenue analysis
current assets should be account codes entered on the of invoices.
properly recorded. invoices.
▪ Management should review the ▪ Check that entries are made in the
Expenditure should be analysis of purchased items as non-current asset register.
properly analysed as capital or revenue items, to ensure
capital or revenue. compliance with accounting
practice.

Tests of controls in smaller entities

▪ Control systems in smaller entities are often less sophisticated than larger organisations.
▪ This is largely due to a lack of resources.
▪ A proper segregation of duties is often very difficult in small entities.
▪ Most probably there will be extensive involvement in control activity by senior management or the
entity’s owner.
▪ Auditor will look for the existence of ‘minimum business controls’.
▪ Auditor is unlikely to be able to use controls as a basis for using a systems-based approach.
▪ A large amount of substantive testing is likely to be adopted.