Assurance and Risk: Chapter 6 - Revenue system

What is the revenue (sales) system?

The revenue system records transactions from customer order, dispatch, invoicing and cash collection, ensuring sales and receivables are complete, accurate and authorised.

Identify key risks in the revenue system.

• Customers may not pay (bad debts)

• Goods may be dispatched but not invoiced (incomplete revenue)

• Incorrect prices or quantities invoiced

• Revenue recorded in wrong period

• Cash received may be stolen or not recorded

What is a control objective?

A control objective states what the control system is trying to achieve and which risk it aims to prevent, not how it is done.

State key control objectives for revenue.

• Only sell to credit-worthy customers

• All goods dispatched are invoiced

• Sales are recorded accurately

• Revenue is recorded in the correct accounting period

• Cash received is safeguarded

Controls over accepting customer orders?

• Credit checks to assess ability to pay

• Credit limits to restrict exposure to bad debts

• Authorisation of new customers to prevent unauthorised sales

• Pre-numbered orders to ensure completeness

Controls over dispatch of goods?

• Pre-numbered goods dispatch notes (GDNs) to ensure all dispatches are recorded

• Quantity and quality checks to prevent disputes

• Customer signature to confirm receipt

Controls over invoicing?

• Pre-numbered invoices to ensure completeness

• Matching invoices to GDNs and orders to ensure correct quantity and price

• Review of unmatched GDNs to detect unbilled sales

Controls over receipt of customer payments?

• Matching receipts to invoices to identify unpaid balances

• Prompt banking to reduce theft risk

• Bank reconciliations to detect missing or incorrect receipts

What is segregation of duties?

Splitting responsibilities between different staff so no one person controls ordering, dispatch, invoicing and cash, reducing fraud and error risk.

Why is segregation of duties important in revenue?

Without segregation, an employee could create a customer, invoice them, and steal the cash, then hide the theft by writing off the balance.

What is a control deficiency?

A control deficiency exists when a control is absent, poorly designed or not operating, meaning the risk is not adequately prevented or detected.

How do you identify a control deficiency?

Identify the risk that still exists because the control does not fully address it.

What sources help auditors understand revenue controls?

• Narratives and flowcharts

• System documentation

• Walkthroughs of transactions

• Staff interviews

• IT system records

What are tests of controls?

Audit procedures used to check whether internal controls are operating effectively, not whether balances are correct.

Give examples of tests of controls in revenue.

• Inspect evidence of credit checks for new customers

• Check authorisation of new customer accounts

• Review matching of GDNs to invoices

• Check sequence of invoices for gaps

What are substantive procedures?

Audit procedures designed to detect material misstatements in account balances or transactions.

Substantive procedures for revenue?

• Trace dispatch notes to invoices

• Recalculate invoice totals

• Perform receivables confirmations

• Cut-off testing at year end

How do digital systems affect revenue risk?

Automation reduces human error but increases cyber risk, such as unauthorised access or manipulation of customer and invoice data.

What are the limitations of internal controls?

Controls provide reasonable not absolute assurance due to human error, management override, collusion and system failures.