CA Sri Lanka - Comprehensive study notes: Governance, Internal Control, Digitalisation, Procurement, Payroll, Cash, PPE and Inventory (Business Level II)

Chapter 1: Introduction to Corporate Governance, Risks and Controls

  • Purpose and structure

    • CA Sri Lanka syllabus focuses on corporate governance, internal controls, audit and assurance, ethics, and the role of technology in business processes.

    • Four knowledge pillars (high-level): AA&E, FA&R, PM&R, T&L, BM&S; with Business Level II bridging core governance, controls, and assurance concepts.

  • Key concepts and definitions

    • Corporate governance: the system by which companies are directed and controlled.

    • Stakeholders: Directors, shareholders, employees, creditors, customers, suppliers, the public, taxation authorities, etc.

    • Agency theory: separation of ownership and control; shareholders (principals) appoint directors (agents) to manage the business; risk of misalignment between management and owners.

    • Directors are agents of shareholders; accountability to shareholders for investment performance (capital growth, dividends).

    • Conformance vs. performance (governance outcomes): conformance = compliance with laws; performance = achievement of corporate objectives and value for stakeholders.

    • Stakeholder theory: value creation for all stakeholders, not just shareholders (e.g., employees, customers, suppliers, community).

  • OECD Principles of Corporate Governance (1999, revised 2015)

    • Purpose: promote transparency, protect shareholder rights, enable effective markets, recognise stakeholder rights, ensure timely disclosure, guide effective governance.

    • Core questions: governance framework varies by country; good governance should balance interests of shareholders and other stakeholders.

    • Key components emphasized by OECD: rights of shareholders, disclosure/transparency, board responsibilities, and a framework for governance that supports wealth creation and sustainability.

  • The Code of Best Practice on Corporate Governance (2017) – CA Sri Lanka

    • Aimed at listed and large private companies; provides guidance on good governance with a “comply or explain” approach.

    • Structure and content areas: board leadership and company purpose; division of responsibilities; board composition, succession and evaluation; audit, risk and internal control; remuneration; relations with shareholders; institutional and other investors; cyber security and ESG considerations.

    • Key features:

    • A: Directors – board leadership, division of responsibilities, chairman vs CEO, financial acumen, board balance, information quality, director appointments, re-election, board and CEO appraisal, disclosure to shareholders.

    • B: Directors’ remuneration – formal policy, avoiding self-appointment in setting own pay, disclosure in annual report.

    • C: Relations with shareholders – AGM use, communication, disclosure of major transactions.

    • D: Accountability and audit – balanced and understandable reporting; risk management; internal controls; audit committee; related party transactions; ethics code; governance disclosures.

    • E–H: Institutional investors, other investors, cybersecurity, ESG disclosures.

    • Comply-or-explain basis: if a provision is not complied with, the reasons must be disclosed, together with an explanation of how the principle is still applied.

  • Auditors and governance

    • Auditors provide independent assurance and interact with the audit committee; external auditors liaise with the committee; internal auditors report to the audit committee on internal controls.

    • The Code emphasizes the auditor’s role in enhancing reliability, comparability and investor confidence.

  • Practical implications and examples

    • Board leadership must ensure long-term strategy and prudent controls; the chair and CEO should have a clear division of responsibilities; senior independent director (SID) may be appointed if needed for shareholder access.

    • IT and cyber risks are explicitly addressed in governance provisions (G: Internet of Things and Cybersecurity).

    • ESG reporting is integrated into governance reporting for investors.


Chapter 2: Internal Control

  • What is internal control (IC)?

    • COSO-based definition (international standard): an internal control system comprises processes put in place by the board and management to provide reasonable assurance regarding achievement of objectives in:

    • Effectiveness and efficiency of operations

    • Reliability of financial reporting

    • Compliance with laws and regulations

    • IC reduces risks at the level of business processes and operations; not an absolute guarantee.

  • The COSO framework’s five components

    • Control Environment: tone at the top; risk awareness culture; ethical values; integrity.

    • Risk Assessment: identifying and analysing relevant risks to achieving objectives.

    • Information and Communication: timely, relevant, and reliable information flows.

    • Monitoring: ongoing evaluation of the entire IC system; includes identifying deficiencies.

    • Internal Controls (Control Activities): policies and procedures that mitigate risk.

  • Subsystems and components

    • Control activities: segregation of duties; physical controls; authorisation; performance reviews; information processing controls.

    • Information systems and communications: role in the overall IC system.

    • Monitoring mechanisms: to ensure effectiveness and ongoing improvement.

    • Internal control over financial reporting; IT general controls and application controls.

  • Key terms and concepts

    • SPAMSOAP mnemonic for internal control procedures (one category of control procedures): Segregation of duties, Physical controls, Authorisation and approval, Management supervision, Organisation, Arithmetical and accounting controls, People (personnel).

    • Design vs. operating effectiveness: design must meet objectives; operating effectiveness concerns actual performance of controls.

    • IT general controls (ITGCs) and application controls: essential for achieving control objectives in IT-enabled processes.

    • Internal control deficiencies: weaknesses in control design or operation that may lead to misstatements or risk.

    • Internal control limitations: inherent limitations include human error, collusion, override, and changing environments; IC provides reasonable but not absolute assurance.

  • Roles and responsibilities

    • Board: ultimate responsibility for IC system design and effectiveness; oversight via audit committee in listed companies.

    • Management: design, implement and monitor controls; responsible for day-to-day control operation.

    • External auditors: assess and report on internal financial controls; not responsible for maintaining IC, but report weaknesses found during audit.

  • IC in practice: points to remember

    • The IC system comprises people, processes, and technology; it should cover financial, operational, and compliance controls.

    • Regular reviews and monitoring are essential; management risk committees and the board should receive timely information on control performance.

    • There are inherent risks: design flaws, override, collusion, changing business processes, and increasing costs of controls.


Chapter 3: Digitalisation and Business Processes

  • Introduction to FinTech

    • FinTech meaning and its impact on the business environment; digitisation affecting payments, data analytics, and processes.

  • Blockchain technology

    • Its impact on business processes and auditing; potential to enhance transparency, immutability, and traceability.

  • Artificial Intelligence (AI) basics

    • The use of AI in business transaction processes; the role of AI, big data, analytics in decision-making and automation.

  • Robotic Process Automation (RPA), Big Data, Cyber security

    • RPA: automation of repetitive tasks; Big Data analytics; cyber risk and security measures; governance and auditing implications.

  • Practical implications and governance considerations

    • Digitalisation changes control requirements: data integrity, access controls, monitoring of automated processes, cyber resilience, and incident response planning.


Chapter 4: Ethics and Values

  • Core ethical framework for accountants

    • Law, ethics, and morality: distinctions and interdependencies; the importance of ethical behavior in the public interest.

    • Fundamental ethics principles: Integrity, Objectivity, Professional competence and due care, Confidentiality, Professional behaviour; threats to ethical behaviour and safeguards.

    • Conceptual framework approach to threats and safeguards; ethical conflicts (e.g., conflict of interest, accepting and giving offers).

  • Auditor independence and governance decisions

    • Auditors’ independence in assurance engagements; procedures to avoid conflicts of interest.

  • Decision-making frameworks

    • Deontological vs. teleological ethics; other ethical decision-making models; AAA model for conflict resolution.


Chapter 5: Fundamentals of Audit and Assurance

  • Elements and objectives of an assurance engagement

    • Assurance engagements include attestation and direct engagements; scope, objectives, and materiality considerations.

  • Acceptance, planning, and execution

    • Preconditions for assurance engagements; overall audit strategy; risk assessment procedures; materiality and performance materiality.

  • Principles of auditing financial statements

    • General principles: assurance ethics; professional scepticism; professional judgement; risk of material misstatement; need to adhere to SLAuS 10 (audit documentation) and SLAuS standards.

  • Audit evidence and documentation

    • Audit evidence concepts: sufficiency and appropriateness; test of controls vs. substantive procedures; nature, timing, and extent of evidence; auditor’s responsibilities relating to fraud.

  • Audit reporting

    • Elements of an audit report; when to issue modified opinions or emphasis of matter; related services (AUPs and reports).


Part B: Business Processes and Internal Controls

Chapter 3: Sales Management

  • Scope and objectives

    • Understand the sales process, including cash collection and credit control; link to internal controls and risk assessment.

  • Sales process and documents

    • Key documents: Quotation, Price List, Customer Order, Delivery Note, Invoice, Credit Note, Remittance Advice, Statement of Account.

    • Document flow for credit sales: customer enquiry -> quotation -> order -> delivery -> invoice -> settlement; statements monthly.

  • Worked example: invoicing cycle (De Silva Electrical)

    • Stepwise process: verify order against quotation; ensure delivery note matches; confirm price and discounts; apply VAT; generate invoice with correct VAT, discount and terms; record in sales ledger; issue credit notes for returns; manage remittance advice and statements.

    • Illustrative numbers: an example invoice using a list price, trade discount 10%, bulk discount 5%, VAT 8%; net and gross amounts calculated accordingly; example of settlement discount (4%) for early payment.

  • Documentation and control objectives

    • Ensure only goods actually delivered are invoiced; correct product codes and quantities; ensure prices match price list; ensure customer details and VAT rate are correct; ensure proper document signatures and approvals; maintain audit trail in IT systems.

  • Credit control and customer selection

    • Process for assessing customer creditworthiness: external and internal sources (bank references, trade references, credit references agencies, management accounts, media, internet, staff knowledge, customer visits, historical trading records).

    • Bank references: interpretive phrases and their real meaning (e.g., “undoubted” means low risk; “unable to speak for your figures” indicates higher risk).

    • Credit decisions: potential refusal of credit with justifications; monitoring of aging receivables; risk-based decisions for limits and terms.

  • Aged receivables and risk management

    • Aging analysis categories (Current, 31–60 days, 61–90 days, >90 days); actions for slow payers; handling of invoices beyond credit limits; proposed actions like reminders or settlement discounts.

  • Key controls in the sales process

    • Segregation of duties (order processing, delivery, invoicing, cash collection, and recording); checks against delivery notes; verification of prices against price lists; use of IT controls to manage and log changes.

  • Revenue recognition and write-down considerations

    • Distinguish between irrecoverable and doubtful debts; write-offs vs. allowances; monitoring of recoverability; impact on financial statements.

  • Practice and testing content

    • Questions and progress tests on document flows, internal controls, and credit management; practice with combining documents and recognizing proper sequences.

Chapter 4: The Procurement Cycle

  • The procurement process overview

    • Stages: supplier selection, placing orders within budget, receiving delivery, paying suppliers; documents drive the cycle: Purchase Requisition, Purchase Order, Delivery Note, Goods Received Note (GRN), Purchase Invoice, Credit/Debit notes, Remittance Advice.

    • Role of documents: evidence, authorization, and control of payments.

  • Supplier selection and evaluation

    • Criteria: reliability, capacity, financial stability, ethical considerations (child labour policies), references from customers, and site visits.

    • Tendering for large PPE purchases; selection based on price, capability, delivery, and relationship; justification if not choosing the lowest price.

  • Budgetary controls and ESP/CAPEX concepts

    • Budgets for purchases and CAPEX; maintaining line-item budget control; the capability to reallocate funds within budget lines; the need for formal approvals for variations.

  • Purchasing processes and documents

    • Purchase Requisition: authorization and purpose; used to place orders.

    • Purchase Order: formal contract with supplier; copies go to supplier, stores, and accounts.

    • Goods receipt and delivery documentation: GRN as a standard form; delivery notes from supplier; receiving verification against PO.

    • Electronic data interchange (EDI)

    • EDI enables automatic exchange of PO, despatch advice, and invoices between buyer and supplier; reduces errors and lead times.

  • Delivery, GRN, and inventory updates

    • Delivery notes: physical evidence of goods received; must be checked against PO; multiple copies for distribution; used to prepare GRN.

    • Goods Received Note (GRN): internal record that matches the PO; used to update inventory records.

  • Invoicing, payment, and controls

    • Invoices must be checked against PO and GRN; arithmetic checks; authorisation for payment; segregation of duties (check vs. pay).

    • Debit notes/credit notes: adjustments where necessary (damaged goods, price corrections, etc.).

    • Reconciliation: supplier statements vs. buyer records; discrepancy investigations.

  • Incoterms and international procurement

    • Ex works (EXW), Free Carrier (FCA), Carriage Paid To (CPT), Carriage and Insurance Paid To (CIP), Delivered at Place (DAP), Delivered Duty Paid (DDP), Free Alongside Ship (FAS), Free on Board (FOB), CFR, CIF.

    • Purpose: determine risk, costs, and responsibilities for carriage, insurance, and import duties; risk passes at defined points in the contract.

  • The procurement cycle risks and controls

    • Operational risks identified (supplier failure, over-ordering, price variances, improper authorisation, counting and receiving issues, etc.).

    • Controls include supplier qualification, budgetary controls, purchase orders, GRN verification, invoice matching, segregation of duties, stock reconciliations, and supplier statement reconciliation.

  • Other procurement considerations

    • Just-in-time (JIT) purchasing and agile supply chains; managing lead times and fluctuations; buying from foreign suppliers and related payment and documentary risk.

  • Example processes and flowcharts (Appendix content)

    • End-to-end procurement processes are supported by flows and diagrams showing the interaction between departments (Purchasing, Import, Accounts, Stores) and documents (PO, GRN, Invoice, etc.).


Chapter 5: Payroll Management

  • Overview

    • The payroll system aims to avoid under- and over-payments; HR provides data (new hires, changes, leaves, terminations) to payroll; payroll officer validates and processes payroll; bank transfer or cheque disbursements are used.

  • Key components

    • Employee master file: core data about employees; changes must be authorised and recorded.

    • Attendance records: essential for hourly-paid employees; swipe cards and biometric devices used; time sheets generated for payroll.

    • Payroll processing: segregation of duties (HR, payroll, and accounts) to prevent fraud; payrolls processed on a regular schedule.

  • Joining, leaving, and changes

    • New employees: recruitment requisition form; HR notifies payroll; banking details collected; payroll record created.

    • Leavers: leaver’s form; employee removed from the payroll system; records archived.

    • Standing data changes: address, bank details must be updated via HR to payroll.

  • Attendance and timekeeping

    • Timekeeping systems (swipe cards, biometrics) track attendance, hours, and location; invalid swipe reports are investigated and corrected.

  • Overtime and other pay elements

    • Overtime, bonuses, commissions recorded via payroll; line managers approve overtime; payroll officer processes payments.

  • Payroll processing and bank instructions

    • Payroll reports summarise pay and deductions; approval and reconciliation against HR data; bank transfer instructions generated; bank instructions verified against payroll report; two-signature control for cheques; electronic approvals possible.

  • Deductions and statutory requirements

    • PAYE (income tax), EPF, ETF; statutory rates used and updated by the Inland Revenue Department; employee benefits and deductions recorded and monitored.

  • Leave and attendance controls

    • Leave balances and leave types tracked; absences may affect pay; doctor’s certificates may be required for longer absences.

  • Payroll reconciliation and governance

    • Reconciliation between payroll and HR records; annual or quarterly reconciliations; analytical reviews to track budget vs actual payroll costs.

  • Internal controls and testing

    • Controls include: recording changes to master file; verifying time sheets; budgeting controls; clock card checks; payroll master file reconciliation to general ledger; cut-off procedures for payroll periods.


Chapter 6: Cash Management

  • Cash management overview

    • Treats cash as bank balances plus cash in hand; emphasis on minimizing cash handling risks; IC controls for receipt and payment; fraud risk management in cash handling.

  • The cash book and format

    • Cash book records receipts and payments; acts as book of prime entry and general ledger account; two sides: receipts (debit) and payments (credit); closing balance calculation.

  • Banknotes, cheques, and bank transfers

    • Avoid cash handling where possible; when cash is used, use cash registers and proper receipts; cheques and bank transfers require verification and logging.

  • Recording cash receipts and payments

    • All receipts and payments should be recorded; reconciliation with bank statements via bank reconciliation.

  • Bank reconciliations

    • Purpose: identify timing differences, bank charges, unpresented cheques, and misstatements; reconciling cash book balance with bank balance regularly.

  • Differences between cash book and bank balance

    • Timing differences; bank charges; bounced cheques; mispostings; adjustments needed to reconcile.

  • Investments and surplus cash

    • Surplus cash may be invested securely (e.g., short-term deposits); approvals required.

  • Petty cash and imprest system

    • Petty cash used for minor expenses; petty cash float; petty cash vouchers; imprest top-ups ensure accountability; audits and reconciliations.

  • Petty cash controls and IOUs

    • Formal requisitions; receipts and authorisation; sequential voucher numbers; daily petty cash summaries; end-of-day balance checks.

  • Reconciliation and control objectives

    • Cash book and bank reconciliation; timely reporting of discrepancies; control over cash and petty cash.

  • Appendix: Process flows and organizational responsibilities

    • Detailed diagrams show cash collection, cash book maintenance, bank reconciliation, and petty cash flows across locations.


Chapter 7: Property, Plant and Equipment (PPE) Management

  • What is PPE?

    • PPE are non-current tangible assets (land, buildings, plant, machinery, vehicles); capital expenditure is needed to acquire PPE.

  • Capital expenditure (CAPEX) budgeting and approval

    • CAPEX budgets allocate limited funds to PPE; spending limits per department; approvals for major items; CAPEX authorization forms capture description, supplier, cost, funding method, etc.; post-approval processes for amendments.

  • Vendor selection and tender procedures

    • For large PPE, multiple suppliers may bid; evaluation based on price, quality, delivery, and supplier capabilities; reasons for selecting non-lowest-bid must be recorded.

  • Recording and capitalization of PPE

    • PPE is capitalized; costs include purchase price plus delivery and installation; depreciation begins when asset is available for use; non-current asset register and general ledger must reflect new assets.

  • Depreciation and accounting for PPE

    • Depreciation spreads cost over useful life; residual value considerations; depreciation methods (e.g., straight-line, units of production); accumulated depreciation tracked to determine net book value.

  • Non-current asset register (fixed asset register)

    • Separate register (manual or computerized) listing all PPE; roles to verify existence, location, and condition; used to compute depreciation and to reconcile with the general ledger.

  • Fixed asset components and sub-assets

    • Buildings and other assets may consist of multiple components (e.g., building vs. elevator); depreciation rates differ by component; separate records maintained for accurate depreciation.

  • Physical controls over PPE

    • Security and safeguarding through locks, guards, maintenance, inventory checks; asset sign-out for removed items; serial numbers or RFID tracking where applicable.

  • Disposal of assets

    • Disposal requires authorization; formal disposal forms capturing description, date, cost, accumulated depreciation, proceeds, and gain/loss; board approval for major disposals; update fixed asset register and the general ledger.

  • PPE governance and risk management

    • Controls over CAPEX budgeting, tendering, financial justification for discretionary investments (NPV and other analyses); physical controls; register-based controls; ongoing asset verification.

  • Appendix: PPE process flows

    • End-to-end PPE processes with fixed asset receiving, recording, depreciation, disposals, and revaluation workflows.


Chapter 8: Inventory Management

  • Inventory control overview

    • Inventory control covers ordering, receiving, storing, issuing, recording levels, and safeguarding inventory; inventory as a capital investment; integration with procurement.

  • Classifications of inventories

    • Raw materials and components; work-in-progress (WIP); spare parts/consumables; finished goods.

  • Core processes and documents

    • Materials requisition notes; materials transfer notes; materials returns notes; bin cards; stores ledger accounts; purchase orders and GRNs.

  • Inventory master file and computerised systems

    • Inventory master file stores item data: code, description, current level, reorder level/quantity, cost per unit, etc.

    • Computerised systems enable perpetual inventory (updates on every receipt/issue); stock counts (stocktake) to verify and adjust records.

  • Perpetual vs. periodic stocktaking

    • Perpetual inventory keeps running balance; stocktakes used to correct discrepancies; continuous vs. periodic stocktakes.

  • Stock control concepts

    • EOQ: Economic Order Quantity to minimise total holding and ordering costs; formula: EOQ = \sqrt{\frac{2CD}{H}}, where C = cost of placing an order, D = demand (units per year), H = annual holding cost per unit.

    • Reorder level: trigger point for new purchase; formula: Maximum consumption rate × maximum lead time.

    • Minimum inventory level: warning level to avoid stockout; formula: Minimum level = reorder level − (average usage × average lead time).

    • Maximum inventory level: warning for excessive stock; formula: Maximum level = reorder level + reorder quantity − (minimum consumption rate × minimum lead time).

  • NRV and cost accounting for inventory

    • Inventory valuation under LKAS 2: lower of cost and net realisable value (NRV).

    • Costing methods: FIFO (first-in, first-out) or AVCO (average cost); LIFO not permitted under LKAS 2.

    • NRV considerations must be reassessed at period end; write-downs for NRV deficits; reversals allowed if NRV increases.

  • Inventory costs and ordering quantities

    • Costs include purchase, holding, ordering, and stock-out costs.

    • ABC and other classifications (A, B, C) for selective stores control.

  • Stock protection and physical safeguards

    • Proper storage conditions, secure warehouses, physical protection against theft and damage; insurance for inventory.

  • Stock control risks and controls

    • Potential discrepancies due to theft, miscount, misposting, obsolescence; controls include regular cycle counts, independent checks, and reconciliation with financials.

  • Inventory valuation and reporting

    • NRV write-downs, cost methods, and appropriate disclosures in financial statements.

  • Appendix: stocktaking and stock movement flows

    • Flow diagrams for receiving, issuing, bin card updates, stores ledger integration, and stock reconciliation.


Formulas and key equations (summary)

  • Economic Order Quantity (EOQ)

    • EOQ = \sqrt{\frac{2 C D}{H}}

    • Where: C = cost of placing an order; D = annual demand; H = annual holding cost per unit.

  • Inventory management levels

    • Minimum level: \text{Minimum level} = \text{Reorder level} - (\text{Average usage} \times \text{Average lead time})

    • Maximum level: \text{Maximum level} = \text{Reorder level} + \text{Reorder quantity} - (\text{Minimum consumption rate} \times \text{Minimum lead time})

  • NRV vs. cost for inventory valuation

    • Inventory should be valued at the lower of cost and NRV.

  • Depreciation (conceptual)

    • Depreciation is the systematic allocation of cost over the asset’s useful life; net book value = cost − accumulated depreciation.


Connections, principles, and exam-oriented takeaways

  • Governance foundations

    • Understanding the interplay between governance (owners, board, management) and internal controls is essential for audits and assurance tasks.

  • Internal control fundamentals

    • COSO five components and SPAMSOAP mnemonic provide a framework to analyse and design effective controls across financial, operational and compliance domains.

  • Ethical and professional considerations

    • Ethical behavior and independence are foundational to reliable financial reporting and stakeholder trust; the CA Sri Lanka Code of Best Practice provides the benchmark for governance, while SLAuS/SAS standards guide audit practice.

  • Digitalisation implications

    • FinTech, blockchain, AI, RPA and cyber risk require updated governance, risk management and control strategies; auditors must consider IT controls and data analytics in audits.

  • Procurement, payroll, cash, PPE and inventory are core processes with significant control requirements

    • Each process involves documentation trails, segregation of duties, physical controls, authorisation workflows, and reconciliation to ensure accurate financial reporting and asset/security integrity.

  • Real-world relevance

    • The material demonstrates how governance and internal controls translate into practical procedures (e.g., purchase orders, GRNs, payroll approvals, PPE authorisation, stock counts) and how these controls underpin reliable financial statements and investor confidence.


Quick reference: Key terms to remember

  • Corporate governance, stakeholders, agency theory, stakeholder theory, conformance vs. performance, comply-or-explain.

  • OECD Principles, Code of Best Practice on Corporate Governance (2017).

  • COSO components: Control Environment, Risk Assessment, Information & Communication, Monitoring, Control Activities.

  • SPAMSOAP: Segregation of duties; Physical controls; Authorisation; Management supervision; Organisation; Arithmetical and accounting controls; Personnel.

  • EOQ, NRV, FIFO/AVCO, LIFO (not allowed under LKAS 2), perpetual inventory, stocktake.

  • Incoterms (EXW, FCA, CIP, CIF, CFR, DAP, DDP, FOB, FAS, etc.).

  • PPE management: CAPEX budget; depreciation; fixed asset register; disposals; capital expenditure forms.

  • Payroll controls: master file integrity, attendance, approvals, bank instructions, payroll reconciliation.

  • Cash management: cash book, bank reconciliations, petty cash, imprest, IOUs, cash controls.

  • Inventory control: requisitions, bin cards, stores ledger, EOQ, reorder levels, ABC method, NRV valuation.
