16

Purchases and payments

Objectives for this chapter:

• Understand the purchases and payments process.
• Identify objectives, risks and controls associated with the purchases and payments
process.
• Explain the use of analytical reviews and computer assisted audit tools and tech-
niques (CAATTs) in the purchases and payments process.
• Identify fraud risks.

16.1 Introduction
The operation of any organisation results in expenses for necessary materials, products,
equipment, salaries and various services. All these expenses involve organisational
obligations that are either paid immediately in cash (usually by means of electronic
funds transfers) or paid in the near future. This process is referred to as the purchases
and payments process or procurement process. Figure 16.1 illustrates the interrelation-
ships between this business process with the other business processes of which revenue
and receipts is discussed in chapter 15, payroll is discussed in chapter 19 and infor-
mation technology is discussed in chapter 10.

1
2 A Guide to Performing Internal Audit Engagements – Internal Audit Technician

Revenue and
receipts

Human
Financing Resources Inventories,
and Payrol production
investment and
activities * Information warehousing
Technology

Purchases
and
*Including bank & cash payments

Figure 16.1 Interrelationship of processes

The cycle deals with three major activities, the selection of suppliers, the ordering and
receiving of goods and services from approved suppliers and, lastly, the payments made
to suppliers for goods and services received. Purchases may be made on credit or in
cash. The process commences with a need to obtain a specific product or service, pref-
erably from an approved supplier, which ultimately results in a payment that must be
made. Since the majority of purchases in large organisations are done on credit, the
focus of this chapter will be on credit purchases. Normally, the only cash purchases
made by organisations are from petty cash or electronic transfer payments.
Table 16.1 provides examples of the types of purchases made, the type of organisa-
tion from which the purchase can be made and an example of the products that can be
procured.

Table 16.1 Examples of purchases

Type of purchase Type of organisation Example

Purchase Inventory Manufacturing/wholesalers Shoelaces
Purchase raw material Manufacturing/mining company Leather to make shoes
Purchase services Consulting firm Temporary workers, cleaners
Purchase consumable goods Wholesalers Stationery
Acquisition of services City council Water and electricity
 Chapter 16 Purchases and payments 3

Type of purchase Type of organisation Example

Purchase assets Wholesalers Vehicles, furniture
In this chapter, a typical system for the purchases process is discussed. The description
focuses on the flow of functions, activities and transactions related to the process and
highlights the people and departments involved, the risks inherent to the process and
the control activities that should be in place to mitigate these risks.
A high-level overview of the purchases and payments process including the typical
documentation used in each process is illustrated in figure 16.2. The subprocesses are
discussed in more detail in the sections that follow. Note that no two organisations will
operate in the same manner. This is a general discussion of a typical purchases and
payments process.

Figure 16.2 High-level overview of the purchases and payments process

The purchases and payments process affects several accounts in the general ledger as
shown in the table below:
Statement of comprehensive income Statement of financial position
(income statement) (balance sheet)
Purchases Accounts payable (Creditors)
Inventory
Purchases returns Bank
Settlement discount received VAT

A note on value added tax (VAT)

VAT is not as simple as it may appear and the rules can often be tricky. This section will
deal with some of the key concepts of VAT as they relate to the purchases and payments
process. (VAT is also covered in chapter 25.)
Whenever goods or services are acquired from a VAT-registered vendor, the vendor
has to charge VAT on the goods or services rendered (there are some exclusions from
this but it falls outside the scope of this discussion) and pay it over to the South African
Revenue Service (SARS). The VAT status of the person/organisation who acquires the
goods/services has no effect on the responsibility of the supplier to charge and collect
the VAT. If the organisation/person who acquired the goods or services is a VAT-
registered supplier, he/she/it can claim the VAT paid (referred to as input VAT) back
from SARS but has to charge and collect VAT on his/her/its sales to other parties and pay
that over to SARS within a certain timeframe.
By law, all input VAT cannot be claimed back from SARS, even if you are a VAT-
registered supplier. Examples of this is VAT that was paid for entertainment, office
refreshments or certain vehicles.
4 A Guide to Performing Internal Audit Engagements – Internal Audit Technician

If the VAT is not listed separately on the item (for example the price of an item on the
shelf in the supermarket) you can calculate the VAT by using the following formula:
VAT = VAT inclusive price of the item as shown /1,15 × 0,15 (given that the VAT rate is
15%)
The entry on a cash purchase/expense transaction for a VAT registered vendor will be:
Debit Credit
Purchases/expense 100
Input VAT (statement of financial position) 15
Cash 115
The effect of the above transaction is that the input VAT can be claimed back from SARS
and the actual expense incurred only amounts to R100. If the VAT cannot be claimed (for
example VAT on entertainment) the expense account will be debited with the full
amount, i.e., the R115 and no entry will be posted to the VAT account.
The same transaction for a vendor that is not registered for VAT will be:
Debit Credit
Purchases/expense 115
Cash 115
The effect of this transaction is that the full cost of the expense incurred is shown as an
expense for the organisation. Although the cost for this organisation will be higher than
the previous example above, the organisation does not need to add an additional
amount for VAT to its selling price.

16.2 Management’s responsibility

As stated with the revenue and receipts process, management is responsible for deter-
mining the organisational objectives related the processes within the organisation and
the implementation of an adequate system of internal control that includes specific
functions and activities, as well as documents and records that will be used in the pro-
cess. The overall business objective of the purchases and payments cycle can be de-
scribed as: “Purchases are made from approved vendors for the right goods at the right
quality and price. Goods are received on time and in good order and are accounted for
completely and accurately.”
An important question that management should ask is: “What are the uncertainties
that can impact on achieving the objectives of this process?” Management identifies the
risks (and related consequences for not mitigating these risks) within the process that
threatens the ability of the organisation in meeting its objectives. To mitigate and reduce
the identified risks, management implements internal control activities.
Management needs to ensure that the following internal control objectives are
achieved:
• compliance with applicable policies, procedures, laws and regulations regarding pur-
chases, especially the purchase of capital items, and timeous payments to creditors;
 Chapter 16 Purchases and payments 5

• achievement of activity objectives regarding the validity of expenditure and authori-

sation of payments to suppliers;
• reliability and integrity of information regarding purchases of goods and services and
payments to creditors;
• economical and efficient use of organisation resources regarding the purchases of
goods and services and payments to suppliers;
• safeguarding of the organisation’s assets with the purchases of goods as well as with
payments made from the bank account;
• prevention and detection of fraud.

16.3 The internal audit approach

The internal auditor performs an internal audit engagement (refer to the internal audit
process discussed in chapter 13). During the planning stage, the internal auditor obtains
an understanding of the process. Specific key risks and key control activities are identi-
fied, and an engagement work programme is prepared to achieve the engagement
objectives. The internal auditor performs the engagement procedures (as listed in the
engagement work programme) to gather sufficient, relevant, reliable and useful evi-
dence to support conclusions reached. After performing the audit engagement, the
internal auditor reports the results of the audit engagement (findings) to management.
These findings include weaknesses identified in the process, the risks related to the
weakness and appropriate recommendations. During the follow-up (monitoring pro-
gress) stage of the audit engagement, the internal auditor assesses the extent to which
management acted on the internal audit activity’s recommendations as contained in the
internal audit report.

16.4 Detailed description of the purchases and payments

process
The internal auditor needs to obtain an understanding of the process under review, in
this instance the purchases and payments process. The process description describes the
purchasing of goods. Following the process description, a flowchart of the process is
included in figure 16.3.

16.4.1 Supplier selection

Selecting a supplier (also referred to as a vendor) is probably one of the most important
processes in the organisation, as a supplier that fails to deliver the right quality goods
and services, at competitive prices at the time they are required may affect the ability of
the organisation to meet client’s needs.
The selection of a supplier is based on a clear understanding of the goods or services
required. Ideally, the organisation should have selection criteria that the supplier should
conform with. Criteria may include the value system and business practices of the poten-
6 A Guide to Performing Internal Audit Engagements – Internal Audit Technician

tial supplier, if the supplier subscribes to acceptable work practices and its contribution
to preserving the environment.
The potential supplier completes the necessary documentation and submits it to the
appointed person. Submissions are vetted using the selection criteria and successful
suppliers are added to the supplier master file.
Good practice is the evaluation of all suppliers regularly (for example annually) and
removing those suppliers from whom goods and services have not been acquired for a
specific period or who fail to meet the criteria.

16.4.2 Identify the need for goods

The specific need for goods and services is determined and communicated to the pur-
chasing division. The need is identified by the department that requires the goods and is
based on on-going operational needs, inventory reorder levels or raw materials based on
production schedules in the case of manufacturing organisations. The responsible per-
son identifies the goods to be acquired and captures the specifications, quantities,
delivery requirements and any other pertinent information on a purchase requisition.
When inventory is ordered, most organisations make use of minimum reorder levels and
the purchase requisition is generated automatically. Purchase requisitions are generated
sequentially by the application. The head or an authorised individual from the requesting
department logs onto the application and approves the purchase electronically after
considering the budget and inventory levels. The completed purchase requisition is
routed to the purchasing department.

16.4.3 Ordering of goods

On receipt of an authorised requisition form, the purchasing clerk determines the ap-
proach to follow for procuring the goods and services based on the organisation’s policy.
Options include the use of any vendor for low-value purchases (using petty cash), obtain-
ing quotations (the norm is three quotations) or following the tender process. The
tender process is dealt with in chapter 17.
Quotations should be obtained from suppliers that appear to meet the requirements.
These suppliers can either be on the pre-approved suppliers list or from a potential new
supplier. The vendor selection process must then be followed. The purchasing clerk
negotiates the terms (if not pre-determined), establishes when delivery can take place
and enters into a formalised purchase agreement by capturing a purchase order on the
procurement application. Purchase order numbers are generated sequentially. The
purchase order must be authorised by the head of the purchasing department based on
the availability of funds, the supplier used and a duly authorised purchase requisition. In
an automated environment, approval is done electronically and only authorised users
have the right to approve transactions.
A copy of the approved purchase order is forwarded to the supplier, either electroni-
cally via the application or via e-mail. The purchase order can be viewed by authorised
users in the accounting department, at the warehouse and the department that issued
the purchase requisition.
The organisation must maintain optimum inventory levels to ensure that the manufac-
turing process does not run out of raw materials or parts, that the retailer does not run
 Chapter 16 Purchases and payments 7

out of goods to sell and that services can be rendered with the necessary material
needed. It is also important not to order too much inventory as this will have a negative
effect on the cash flow of the organisation. Maintaining optimum inventory levels also
reduces the potential loss that the organisation may suffer due to theft.
Follow-up procedures are also necessary to determine that the goods ordered have in
fact been delivered. A system-generated long outstanding order report is generated
regularly (for example daily or weekly) for following up by either the department that
requested the goods or the purchasing department.

16.4.4 Receiving of goods

When actual deliveries are made, the receiving department of the warehouse is respon-
sible for accepting and acknowledging the delivery of goods from suppliers that match
valid purchase orders and for accurate recording of the goods delivered.
Prior to acceptance of goods, physical inspection of the quantity, quality and descrip-
tion of the goods should be carried out. The goods must be compared to the supplier’s
delivery note and the purchase order. An effective control activity is to provide the
receiving clerk with a purchase order on which the quantity ordered is greyed out,
forcing the clerk to physically count the goods received and capture the quantity.
It is important to only accept goods that were actually ordered by the organisation by
means of an official order form. A goods received note (GRN) (or goods received voucher
(GRV)) is generated by the system as proof of receipt of the goods. A copy of the GRV is
forwarded to the supplier via the application or e-mail and authorised users in the
purchasing department, accounting department and warehouse can view GRVs.
When receiving damaged goods, goods that do not meet the expected quality, or in-
correct goods, the receiving clerk writes the detail on the delivery note and returns the
goods to the supplier. When the supplier accepts the returned goods, a credit note is
issued to the organisation. The creditors’ clerk will update the purchases journal (re-
turns) and the creditors ledger along with the appropriate inventory records.
Credit notes are also used to adjust incorrect amounts on invoices received from sup-
pliers, for example an invoice received from the supplier that does not reflect trade
discount received in terms of a written agreement.

16.4.5 Processing invoices

The purpose of this function is to record the purchase in the financial accounting rec-
ords. After receipt of the goods, the invoice is captured on the application and the appli-
cation performs a three-way match between the purchase order, GRN and the invoice by
comparing the following information:
• quantity;
• supplier details;
• dates;
• description of goods; and
• price (either based on a price list or quotation).
8 A Guide to Performing Internal Audit Engagements – Internal Audit Technician

Invoices should also be reviewed for accuracy of calculations, discount and VAT. Tax
invoices should be inspected to ensure that they comply with the legal requirements in
respect of a valid tax invoice.
Once the invoice has been captured, the journal entries to record the purchase trans-
action are posted automatically. The ledger accounts affected include the correct ex-
pense account or inventory account (depending on the type of goods) and the supplier
account in the creditor’s ledger.

16.4.6 Making payments

This is an extremely important step in the process as invalid payments or payments to
fictitious creditors may be made in the absence of proper controls. Payments should be
made to valid creditors for the correct amount and on a timely basis to avoid interest
charges by suppliers and forfeiting settlement discounts.
Creditors are paid in line with payment terms agreed upon with the supplier, usually
within 30–90 days, usually on a specific date, for example on the 26th of every month.
Many organisations only pay upon receipt of a statement. With receipt of a statement
from a creditor, a creditors clerk in the accounting department will:
• compare the statement to the:
– invoices referred to on the statement; and
– goods received notes to confirm receipt of goods;
• compare the statement to the creditors ledger to confirm the accuracy of the out-
standing amount according to the organisation’s records;
• prepare a payment requisition (electronically) to request payment of the creditor;
and
• forward the payment requisition and the supporting documentation to the responsi-
ble department for payment.
Creditors can be paid either by:
• electronic funds transfer (EFT); or
• cash.
The current most common method of payment is by EFT, as this method has certain
built-in control activities, as discussed below. EFT is an electronic messaging system that
transfers funds electronically from one bank account to another and is commonly used
for payment of general expenses and creditors, wages and salaries.
EFTs initiated and executed by the account holder are performed in four steps by us-
ing a bank’s digital banking platform (for example through the organisation’s internet
banking profile):
• A beneficiary profile (the person or organisation that needs to be paid) is created and
applicable information captured, for example bank account details and the organisa-
tion’s reference number/description that will appear on the other party’s bank
statement when funds are transferred into their bank account.
• EFT transactions are prepared for execution and a list of payment requests prepared
and sent to the authorised persons to execute the payments.
 Chapter 16 Purchases and payments 9

• EFT transactions are executed by authorised personnel.

• Proof of successfully executed EFT is generated and sent to beneficiaries and the
accounting department as proof of payment.
Payments are approved by an authorised official after reviewing supporting documenta-
tion. Most organisations implement payment mandates where the value determines the
level of the person that may authorise. High-value purchases often require approval by
two persons. Authorisation is either done online or manually. In both instances support-
ing documentation must be endorsed as approved to avoid duplicate payments.
Approved payments are included in the EFT payment run by the payments clerk and
released by a payments manager.
The journal entries to record the payments are posted automatically. The ledger ac-
counts affected are the bank account and the supplier account in the creditor’s ledger.
An independent person, not responsible for payment or recording the transactions,
should reconcile the creditors control account and the creditors ledger monthly.

16.5 Application controls

Application controls are those controls built into the application and are executed auto-
matically when a transaction is captured and processed. In addition to the controls
included in the process description in section 16.4, the controls listed below are found in
most applications:
• User access
Only authorised staff may have access to the application. Access must be limited
based on each user’s role, referred to as role-based access. Each user logs onto the
application using a unique user ID and a password.
• Edit and validation tests
These are tests performed by the application to increase completeness and accuracy
of information captured. They are primarily used when transactions are captured. In
the purchases and payments process, it will apply when purchase requisitions, pur-
chase orders, supplier master data and invoices are captured. Examples of edit and
validation tests were covered in chapter 10.
• Processing rules
Processing rules are rules stipulated in organisational policies or applicable legisla-
tion. Examples of rules stipulated in a policy are the payment term that applies to
paying creditors and that only approved suppliers may be used as reflected in the
supplier database.
• Processing logic
The application will automatically generate a purchase requisition when the invento-
ry level for a specific product is below the minimum reorder level.
10 A Guide to Performing Internal Audit Engagements – Internal Audit Technician

16.6 Flowchart of the purchases and payments process

A flowchart is often used to document a process as it provides a visual overview of the
flow of transactions that makes it easier to understand. A flowchart of the process
described in sections 16.4.1–16.4.4 is included in figure 16.3.
 Chapter 16 Purchases and payments 11

Purchases and payments process

12 A Guide to Performing Internal Audit Engagements – Internal Audit Technician

Figure 16.3 Flowchart of the purchased and payments process

16.7 Risks and control activities

Management is responsible for the identification of risks inherent to the purchases and
payments process and risk mitigation strategies. A useful tool available to management
in designing and implementing an effective system of internal control is the Committee
of Sponsoring Organisation’s framework of internal control, also referred to as the COSO
framework.
The internal auditor will evaluate the control environment (COSO step 1) and the con-
trol activities related to purchases and payments (COSO step 2), identify weaknesses in
the system and the risks related to these weaknesses (COSO step 3), and make appropri-
ate recommendations to management to address these risks.
Figure 16.4 illustrates the relationship between objectives, risks and control activities
in the purchases and payments process. Risks exist as a result of objectives (strategic and
operational). Thus, all risks must be linked to a particular objective. In addition, control
activities must address (mitigate) a particular risk. If a risk does not exist, it is not neces-
sary to design a control activity. The same argument is true in respect of objectives: if a
risk cannot be linked to a particular objective, there is no risk.

Purchases fromfrom
Purchases approved
ap-
suppliers at
Operational
Operational proved suppliers
Negotiated prices
at
objective
objective negotiated prices and
and acceptable quality
acceptable quality

Risk (of
Risk (ofnot
not Purchasing from
Purchasing from unauthorised
Achieving
achieving unauthorised suppliers,
suppliers, paying the
the objective)
the objective payingwrong price or price or
the wrong
receiving low quality goods.
receiving low quality goods

Confirm
Confirm totoapproved
approved
Control Activity
Control Activity suppliers
suppliers listlist

Figure 16.4 The relationship between objectives, risks and control activities
Internal auditors perform engagement procedures to evaluate the adequacy and effec-
tiveness of control activities implemented by management. These engagement proce-
dures depend on an understanding of the risks and control activities associated with the
purchases and payments process. The risks and control activities are documented on a
Risk and Control Matrix (RACM). Table 16.2 is an example of a completed RACM for
 Chapter 16 Purchases and payments 13

purchases. It is not a comprehensive list of all risks and controls and it is important to note
that the risks and controls may also differ from organisation to organisation. The RACM
included does not include the impact and likelihood of the risks as these will differ from
organisation to organisation. For the same reason, the frequency, nature and type of the
controls are not included.
14 A Guide to Performing Internal Audit Engagements – Internal Audit Technician

Table 16.2 Example RACM

RACM: Purchases and Payments
Process objectives
Purchases are made from approved vendors for goods required at the right quality and
at reasonable prices. Goods are received on time and in good order and are accounted
for completely and accurately. Payments are valid and only made for goods received and
are accounted for completely and accurately.
Risks
Control description
Event Cause Effect
Ordering of The wrong goods Wastage as the Inventory:
goods that or unnecessary goods can either Automatic, sequentially numbered
are not goods are ordered. not be used or generation of purchase orders based on
required by customers do not pre-determined reorder levels. (inventory
the want to buy it. purchases)
organisation
Expenses:
An authorised business representative
captures a purchase requisition. Purchase
requisition numbers are generated
automatically.
Expenses:
Authorised employee logs onto the
application and approves the purchase
requisition.
Expenses:
Sequentially numbered purchase order is
generated by the order clerk based on an
approved purchase requisition and an
approved quotation.
Purchase orders Wastage as the Inventory/Expenses:
are not approved goods can either Purchase orders are approved
or approved by the not be used or electronically by the senior buyer after
wrong people. customers do not confirmation of the availability of funds,
want to buy it. the supplier used and a duly authorised
purchase confirmation to ensure that only
goods required by the organisation is
ordered.
continued
 Chapter 16 Purchases and payments 15

Risks
Control description
Event Cause Effect
Goods are Quotes are not Inventory does not Quotations are requested and received
procured at obtained from sell or is sold at a from suppliers.
prices that suppliers. loss.
Quotations are compared and evaluated
are too high. Expenses exceeds by the buying department and the best
the budgeted quote is selected and approved by the
amount. chief buyer.
Goods are Validation that The vendor is The purchase order clerk selects the
ordered vendor is listed on unreliable, and vendor from the vendor drop down menu
from approved vendor goods are not when creating a purchase order.
vendors that database is not supplied in time,
do not meet performed. prices are higher
the than other
organisation suppliers or poor
’s criteria. quality goods that
cannot be used or
sold are received.
Vendors that have The vendor is Only authorised users have access to
not been subject to unreliable, and capture new vendor details on the vendor
an evaluation of goods are not master data file.
the organisation’s supplied in time, An audit trail of changes to the vendor
criteria are added prices are higher
master data file is generated and retained
to the master file. than other electronically by the application.
suppliers or poor
quality goods that The purchase manager logs onto the
cannot be used or application, access the audit trail, review
sold are received. the changes made and either approves or
rejects the changes. The audit trail is
updated automatically with review details.
The supplier list is reviewed and approved
at least annually.
continued
16 A Guide to Performing Internal Audit Engagements – Internal Audit Technician

Risks
Control description
Event Cause Effect
Goods that Goods received are Potential loss as The goods received clerk checks the goods
are not not matched the organisation delivered and the quantity against the
required or against the may not be able to purchase order and the delivery note.
that do not purchase order to use or sell the Goods not wanted are returned to the
meet the ensure that it was goods. supplier and discrepancies are noted on
required ordered and that the delivery note.
quality is the correct
accepted. quantity is
delivered.
Goods received are Potential loss as The goods received clerk inspects the
not inspected to the organisation goods delivered to make sure it is not
check that the may not be able to broken or damaged and is of the right
quality meet use or sell the quality. Goods not wanted are returned to
expectations and goods. the supplier and discrepancies are noted
that goods are not on the delivery note.
damaged or Delivery note is signed by both the
broken.
receiver and person making the deliver
and a copy is retained.
Theft of Goods not securely Loss of both goods Goods are received in a physical secured
goods. protected. and revenue if area with access restricted to authorised
Sick society inventory is stolen. individuals. Proper security around the
warehouse.
Inventory or Goods received Financial The goods receive note captured is
expenses notes are not statements may be automatically linked to the purchase order
are recorded captured. materially based on the purchase order number.
incorrectly misstated.
The buyer follows up on the report of
in the Decision -makers outstanding purchase orders on a weekly
accounting in the organisation basis.
records. base their decision
on inaccurate or
incomplete
information.
Goods received Financial The application matches the goods
notes are captured statements may be received voucher with the purchase order
incorrectly. materially and generates a report of all differences
misstated. that is followed up by the buyer on a daily
Decision -makers basis.
in the organisation A review of the follow up of the report of
base their decision differences between goods received
on inaccurate or vouchers and purchase orders is
incomplete performed by the chief buyer on a weekly
information. basis and signed as evidence of review.
continued
 Chapter 16 Purchases and payments 17

Risks
Control description
Event Cause Effect
Inventory or Invoice received Financial The buyer follows up the report of
expenses from supplier is statements may be outstanding invoices on a weekly basis.
are recorded not captured. materially
A review of the follow up of the report of
incorrectly misstated.
outstanding invoices is performed by the
in the Decision-makers in chief buyer on a weekly basis and signed
accounting the organisation as evidence of review.
records. base their decision
(continued) on inaccurate or
incomplete
information.
Invoice received Financial A three way match is performed by the
from supplier is statements may be application.
captured materially A report of discrepancies on the 3-way
incorrectly. misstated.
match is system generated on weekly
Decision-makers in basis and followed up by the buyer.
the organisation
base their decision A review of the follow up of the report of
on inaccurate or discrepancies on the 3-way match is
incomplete performed by the chief buyer on a weekly
information. basis and signed as evidence of review.
Posting of entries Financial The application posts entries
do not happen statements may be automatically when the source documents
automatically. materially (purchase order, goods received note and
misstated. invoice) are captured.
Decision-makers in
the organisation
base their decision
on inaccurate or
incomplete
information.
Transactions are Financial The application posts transactions
posted to the statements may be automatically to the subledger accounts
incorrect accounts. materially based on built in rules.
misstated.
The application posts transactions
Decision-makers in automatically between subledger and
the organisation general ledger accounts based on built in
base their decision rules.
on inaccurate or
incomplete
information.
continued
18 A Guide to Performing Internal Audit Engagements – Internal Audit Technician

Risks
Control description
Event Cause Effect
Invalid Payments are Financial loss. The application rejects payment requests
payments made to suppliers to suppliers that are not on the supplier
are made. that do not exist. data base.
Duplicate Potential financial Application checks for and rejects
payments are loss if supplier duplicate invoices.
made. refuses to refund.
Application checks for same amount
payments to the same supplier in a short
period of time.
Payments are Interest is raised Payments are approved electronically by
made by persons by the supplier. authorised users based on their mandate
without the Supplier refuses to after reviewing supporting
necessary supply goods. documentation.
authorisation. Cause damage to Payments exceeding a pre-determined
reputation. amount are approved by two authorised
individuals.
Only approved payments are available for
inclusion on the EFT payment run by an
authorised user.
Payments loaded on the EFT payment run
are released by an authorised user.
Segregation of duties is achieved between
approval of payments, creation of the EFT
payment run and the release of EFT
payments.
 Chapter 16 Purchases and payments 19

16.8 Adequacy and effectiveness of control activities

The audit of internal control activities involves two distinct components. Firstly, the
adequacy of a control activity is assessed. These procedures include internal control
questionnaires, reviewing of system descriptions and control self-assessment work-
shops. Control adequacy assessments are typically performed during the planning stage
of the audit engagement. The purpose of a control adequacy assessment is to evaluate
the adequacy of the system of internal control implemented by management. Control
adequacy refers to the design (timing, economy, accountability, placement, flexibility,
cause identification and appropriateness) of control activities – whether the control
activity is designed by management in such a manner that it addresses management
objectives and control objectives that are derived from risk assessments. Control ade-
quacy assessments are covered in detail in chapter 14.
Based on the outcome of the control adequacy assessment, the internal auditor can
continue to the second component of audit of control, namely control effectiveness
testing. Control effectiveness testing refers to testing whether control activities identi-
fied as adequate actually achieve the control or management objectives. Testing the
effectiveness of controls typically involves activities such as inspection, observation,
enquiry, confirmation and re-performance, all of which were covered in detail in chapter
14. The testing is based on an engagement work programme (audit programme) that
clearly articulates the steps that the internal auditor must perform. The requirements of
an engagement work programme are covered in chapter 14.

16.9 Substantive testing

Substantive procedures are performed to provide evidence that the assertions in finan-
cial statements are correct. An external auditor usually performs detailed testing of
transactions and balances, but management could request that its internal auditor
confirm the accuracy of specific amounts or balances. When performing substantive
testing, the assertion related to the statement of comprehensive income and statement
of financial position items are considered. Purchases is a statement of comprehensive
income item and the assertions that apply, with the objective as summarised in ta-
ble 16.3. Accounts payable is a statement of financial position item. Table 16.4 provides
a summary of the assertions relevant to the balances of accounts payable.

Table 16.3 Statement of comprehensive income assertions and their objectives

Assertions Objectives
Occurrence Only transactions that have occurred are recorded.
Completeness All purchases that were ordered and received have been
recorded.
Cut-off Purchases have been recorded in the correct accounting
period.
Accuracy The correct amount of the transaction has been recorded
appropriately.
20 A Guide to Performing Internal Audit Engagements – Internal Audit Technician

Assertions Objectives
Classification The purchase has been recorded in the proper accounts.
Presentation and disclosure All the matters pertaining to the transactions in this cycle
are complete in terms of the accounting framework.

The following is an example of substantive procedures for purchases related to the

occurrence assertion:
• vouching of transactions recorded in the purchases journal to the supporting docu-
mentation and inspect that the:
– invoice agrees with the purchase order and goods received voucher;
– purchase order is approved by an authorised individual;
– goods received voucher details include:
o quantity and nature of goods received;
o name, address and telephone number of the supplier; and
o signature that goods were inspected by the receiver before acceptance of
the goods.

Table 16.4 Statement of financial position assertions and their objectives

Assertions Objectives
Existence Accounts payable balances included in the financial state-
ments actually exist; they are not fictitious.
Completeness All accounts payable and accruals outstanding have been
recorded.
Valuation and allocation Accounts payable are included in the financial statements
at appropriate amounts.
Obligation The accounts payable represent obligations pertaining to
the organisation.
Presentation and disclosure The matters pertaining to the transactions in this cycle are
complete in terms of the accounting framework.

The existence assertion for accounts payable is usually low risk as organisations do not
normally wish to overstate their liabilities. Thus, in the absence of any contrary evidence,
the auditor can assume that the accounts payable that appear in the financial records do
actually exist. The auditor will, however, perform cut-off procedures at year end to
confirm that purchases and accounts payable have not been understated and have not
been prematurely raised. The main assertion for the internal auditor to focus on during
these procedures should be completeness, where the organisation wants to hide its debt
by not declaring all its accounts payable (risk of unrecorded liabilities).
The following are examples of substantive procedures related to existence of accounts
payable (creditors):
• Inspect the numbers of the goods received notes issued in the week prior and after
year end to verify that they were recorded in the correct financial year.
 Chapter 16 Purchases and payments 21

• Inspect payments to creditors immediately after year end to verify that the credit
purchase transaction was recorded prior to year end.
Auditors also perform analytical reviews to provide an indication of the reasonableness
of the amounts included in the financial statements.

16.9.1 Analytical procedures

Analytical procedures are performed to provide an indication regarding the reasonable-
ness of the amounts included in the financial records or to assist the internal auditor
with trend analysis and the identification of potential high-risk areas. Analytical proce-
dures can either be used:
• in the planning phase (identifying problem areas); or
• as a substantive test.
Analytical procedures consist of, amongst others, comparisons of and identification of
the relationships between various types of information. Performing an analytical review
is a useful decision-making tool for the internal auditor and management. A few ex-
amples are as follows:
Purchases
• Compare the current year’s trade creditors as a percentage of the current liabilities
with previous years’ and with industry data.
• Compare actual purchases with budgeted purchases for the year.
• Analysis of month-on-month purchases per department/business unit.*
• Analysis of expenses (for example rent) against total operating expenses on a month-
to-month basis.*
*If data is available, this can be done for multiple periods.
Accounts payable
• Compare current year’s creditors’ days outstanding period with previous years’ and
with industry data.
• Compare current year’s trade creditors’ balance with previous years’.

16.10 Computer assisted audit tools and techniques

(CAATTs)
The auditor can use CAATTs during the planning phase of the audit to identify potential
risk areas or when performing the engagement. CAATTs enable the auditor to interro-
gate the entire population and can be used to determine the extent of failure of edit and
validation tests, extract anomalies, search for patterns and sample selection.
A few examples how the tool can be used are as follows:
Purchases
• Vendors that supplied goods that do not exist on the supplier master database.
• Delivery dates that are earlier than the order date.
22 A Guide to Performing Internal Audit Engagements – Internal Audit Technician

• The top 10 suppliers and the total value of purchases per annum.
• Incomplete supplier master data (specifically mandatory fields).
Payments
• Supplier bank details compared to employee bank details and duplicate accounts
identified.
• Actual approvers versus authorised approvers.
• Payment of goods that are earlier than the order date.
• Duplicate payments.

16.11 Operational audit: Engagement procedures

Operational audits are performed to evaluate the economy, efficiency and effectiveness
of the activities and functions under review. The main objective in performing an oper-
ational audit is to determine if activities can be performed “better and cheaper” but still
achieve the necessary objectives or goals. In table 16.5 the engagement objectives,
considerations and engagement procedures are illustrated by means of the payments.

Table 16.5 Operational audit engagement considerations

Effectiveness Efficiency Economy
Engagement To assess that the To assess that the best To assess that all pur-
objective purchasing function possible method/system chases made are at the
orders goods of good was used when purchas- best possible terms
quality, the right es were made (cheapest possible
quantity and the price)
best price
Considerations • Relevance • Time span between • Suppliers: price,
• Achieving objectives identifying need, order, quality, delivery
• Meeting targets delivery • Quotations
• Benchmarking • Quantity ordered and • Quantity of goods:
delivered ordered and delivered
• Determine need for • Personnel: quantity,
goods (over/under skills
ordering) • System used
Engagement Relevance: Time span: Suppliers:
procedures • Determine that • Determine time from • Determine whether
goods ordered and purchase requisition to prices are comparable
received are used in purchase order with the market (qual-
processing • Determine time from ity also needs to be
(manufacturing purchase order to evaluated)
organisation) or deliver
sold (retailer)
 Chapter 16 Purchases and payments 23

16.12 Compliance audit: laws and regulations

Public sector organisations are subjected to numerous requirements that govern their
procurement and payment processes including the Public Finance Management Act,
Treasury regulations as well as the Preferential Procurement Policy Framework. These
guidelines describe criteria that need to be complied with in the procurement process
and internal auditors working in the public sector are required to perform compliance
audit engagements to determine compliance with the laws and regulations applicable to
the public-sector entity.

16.13 Fraud
Examples of fraudulent activities include employees purchasing goods for personal use
through the organisation or paying suppliers excessive amounts for goods or services
never received or using substandard suppliers and sharing in the suppliers’ profits ob-
tained from such transactions. Procurement staff colluding with one another and with
suppliers allow for fraudulent activities to occur.

16.13.1 Fraud risks

Several fraud risks exist within the purchases and payments process. Examples include:
• expenses that are either significantly above or below industry norms;
• unexpected increases in the number of suppliers;
• expense accounts that have significant credit entries;
• travel and entertainment expense accounts, but no documentation or approval of
expenditures;
• unusual relationships that may indicate to collusion between suppliers and employ-
ees;
• irregular reversal of credit notes;
• transactions hidden in the VAT account;
• non-processing of invoices;
• payments to suppliers that are not on the supplier database;
• supplier and employee bank details that are the same.

16.14 Summary
It is important for the internal auditor to obtain a comprehensive understanding of the
process, transaction flow or activity to be audited. As part of the planning stage of the
internal audit process, the internal auditor should also determine the risk areas related
to purchases and payments, identify the engagement objectives (determined by the type
of audit) and prepare an engagement work programme (list of engagement procedures)
to achieve the set engagement objectives. When performing an engagement related to
purchases and payments, the internal auditor will execute the set engagement proce-
24 A Guide to Performing Internal Audit Engagements – Internal Audit Technician

dures as listed in the engagement work programme. The results of the engagement will
then be communicated to management before the final step in the internal audit pro-
cess: scheduling the necessary follow-up actions.