Business Level II – Audit, Business Processes & Digitalisation (Comprehensive Notes)

Curriculum & Module Overview

  • Business Level II course (CA Sri Lanka 2020 Curriculum)
    • Pillar: Audit, Business Processes & Digitalisation (BL5)
    • 5 main syllabus areas with % weightings
    • A. Corporate Governance, Risks & Controls – 10%
    • B. Business Processes & Internal Controls – 25%
    • C. Digitalisation & Business Processes – 10%
    • D. Ethics & Values – 15%
    • E. Fundamentals of Audit & Assurance – 40%
    • Emphasises practice: examples, progress tests, revision kit, bold key terms
  • Action-Verb taxonomy tiers 1-6 supplied for guidance on exam verbs
  • Flow-chart symbols & study‐text navigation aids listed

A. Corporate Governance, Risks & Controls

1. Essence of Corporate Governance

  • Cadbury definition: “system by which companies are directed & controlled.”
  • Key stakeholder groups
    • Shareholders (principals) ↔ Directors (agents/stewards)
    • Employees, creditors, public, tax authorities
  • Accountability & stewardship duties; Agency theory – separation of ownership & control
  • Conformance (compliance) vs Performance (value creation)
  • Tricker’s framework: inward-/outward-looking; past/present/future balance

2. OECD 2015 Principles (abridged)

  • Transparency, equitable shareholder treatment, stakeholder recognition, disclosure, board responsibilities, efficient markets
  • Allow hybrid comply-or-explain approaches (e.g. UK & Sri Lankan codes)

3. CA Sri Lanka Code of Best Practice 2017

  • Structure: Principles A–H with provisions
    • A Directors (board balance, Chairman/CEO split, audit & evaluation)
    • B Remuneration (committee of ≥3 INEDs; 6 clarity/risk criteria)
    • C Shareholder relations (AGM, disclosures)
    • D Accountability & Audit (risk, IC, audit committee, RPT committee)
    • E Institutional investors’ stewardship
    • F Other investors’ voting/analysis
    • G IoT & cyber-security (CISO, policy, disclosure)
    • H ESG reporting
  • Audit committee (≥3 NEDs, majority independent) – responsibilities list inc. policy, risk, internal audit, AFS review, whistle-blowing mechanism

4. Internal Control System (COSO-based)

  • Five components
    1. Control environment
    2. Risk assessment
    3. Control activities (SPAMSOAP mnemonic)
    4. Information & communication
    5. Monitoring
  • Types of controls
    • Preventive / Detective / Corrective
    • Financial, Operational, Compliance
  • Limitations: human error, collusion, management override, cost/benefit, change
  • IT general vs application controls; design vs operating effectiveness

B. Business Processes & Internal Controls

1. Sales Management (O2C)

  • Document flow: enquiry → quotation/price list → customer order → delivery note → GDN & invoice → credit note (if) → receipt/remittance → monthly statement
  • Key risks & controls
    • Unauthorised pricing – check to approved price list
    • Dispatch without order – match PO & delivery
    • Incorrect invoice – 3-way match (order, GDN, price list)
    • Credit risk – credit limit, aged receivables review
  • Worked EOQ-style billing example + VAT calc
  • International sales: currency, tax/tariff, logistics, Incoterms, Letters of Credit, UNCISG

2. Procurement to Pay (P2P)

  • Cycle: PRN → PO → delivery note → GRN → supplier invoice → 3-way match → payment (cheque/EFT) → supplier statement recon
  • CAPEX vs revenue buys; tendering for big items
  • Authorisation levels; budget codes; JIT, two-bin, ABC selective controls
  • Incoterms 2020 clusters (EXW, FCA, CPT, CIP, DAT, DAP, DDP; FAS, FOB, CFR, CIF) & shipping docs (B/L, Customs, insurance)

3. Payroll / Human-Capital Process

  • Master-file maintenance (starters/leavers forms) – segregation HR vs Payroll
  • Gross→Net: time & attendance (swipe/biometric); overtime sheets; PAYE, EPF 8 + 12 %, ETF 3 %
  • Payroll report → bank list → cash/petty cash for wages incl. unclaimed list
  • Controls: approvals, reconciliations, segregation, exception reports

4. Cash Management

  • Cash book (bank column) – daily balancing; bank reconciliation
  • Receipts: cheques + EFT; Remittance advice; separation of duties
  • Payments: EFT/cheque, dual signatory; petty-cash imprest cycle (voucher, IOU, summary)
  • Investments of surpluses under Board-approved policy

5. Property, Plant & Equipment Management

  • CAPEX budget; capital expenditure request & authorisation form
  • Vendor selection & tender evaluation (price + qualitative factors); fraud risk (bribery)
  • Recording: asset register fields; cost capitalisation; depreciation (SL/diminishing balance)
  • $EOQ = \sqrt{\frac{2 C_O D}{C_H}}$ for spare-parts
  • Physical safeguards, tagging (barcode / RFID); disposal procedure & disposal form

6. Inventory Management (R2R interface)

  • Records: bin cards, stores ledger, perpetual IT file
  • Control levels
    • $\text{Re-order Level} = \text{Max Usage} \times \text{Max Lead Time}$
    • $\text{Min Level} = ROL - (\text{Avg Usage} \times \text{Avg Lead Time})$
    • $\text{Max Level} = ROL + EOQ - (\text{Min Usage} \times \text{Min Lead Time})$
  • Valuation per LKAS 2: lower of cost & NRV; costing methods FIFO / AVCO; $\text{NRV} = \text{Sale price} - \text{Cost to complete} - \text{Selling expenses}$
  • Stocktakes (periodic vs continuous); two-bin; ABC; JIT

C. Digitalisation & Emerging Tech

  • FinTech: amalgamation of finance & tech, impacts on audit & processes
  • Block-chain attributes (distributed ledger, immutability, consensus) – effect on traceability, smart contracts
  • AI & machine learning – predictive analytics, anomaly detection
  • Robotic Process Automation (RPA) – rules-based repetitive tasks (e.g. invoice matching)
  • Big Data (5 Vs) & data analytics; cyber-risk management framework: CISO, governance, insurance

D. Ethics & Values

  • Fundamental principles (IESBA Code): Integrity, Objectivity, Professional Competence & Due Care, Confidentiality, Professional Behaviour
  • Threat categories: self-interest, self-review, advocacy, familiarity, intimidation
  • Conceptual Framework: identify threats → evaluate → apply safeguards (eliminate/reduce)
  • Conflict scenarios (gifts, hospitality, inducements, whistle-blowing)
  • Ethical theories: Deontological (duty-based), Teleological (consequence / utilitarian)
  • AAA Seven-Step Ethical Decision Model

E. Audit & Assurance Fundamentals

1. Assurance Engagement Structure (SLAuSs)

  • Three-party relationship; subject matter; suitable criteria; sufficient appropriate evidence; written report
  • Types: reasonable vs limited; attestation vs direct reporting
  • Engagement acceptance pre-conditions (ISA 210)

2. Audit Planning & Risk

  • Audit strategy & detailed plan; $\text{Audit Risk} = IR \times CR \times DR$
  • Materiality (ISA 320)
    • Overall FS level & performance materiality
  • Risk assessment procedures: Enquiry, Observation, Inspection, Analytical procedures
  • Significant risks; fraud triangle; brainstorming; documentation

3. Responses & Evidence

  • Tests of controls vs substantive procedures (tests of detail + analytical)
  • Audit sampling (ISA 530): attribute vs monetary-unit; sampling risk; $\text{TM} = \text{PM}$
  • Computer-assisted audit techniques: GAS, test data, audit data analytics
  • Written representations (ISA 580)

4. Subsequent Events & Going Concern

  • Adjusting vs non-adjusting events (LKAS 10)
  • ISA 570 requirements; management & auditor responsibilities; reporting modifications

5. Auditor’s Report (ISA 700, 705, 706)

  • Unmodified opinion vs Modified (Qualified, Adverse, Disclaimer)
  • Emphasis of Matter & Other Matter paragraphs

6. Related Services

  • Review engagements (ISRE 2400), Agreed-Upon Procedures (SLSRS 4400), Compilation, VFM audits

Internal Audit & Audit Committees

  • Internal audit definition (IIA): independent assurance & consulting to add value & improve operations; reports principally to Audit Committee
  • Scope: financial, operational, compliance, IT, VFM, procurement
  • Independence safeguarded via functional reporting line to Board/Audit Committee

Key Formulae Quick Sheet

  • $EOQ = \sqrt{\dfrac{2 C_O D}{C_H}}$
  • $\text{Re-order level} = \text{Max usage} \times \text{Max lead time}$
  • $\text{Min level} = ROL - (\text{Avg usage} \times \text{Avg lead time})$
  • $\text{Max level} = ROL + EOQ - (\text{Min usage} \times \text{Min lead time})$
  • $\text{Audit Risk} = IR \times CR \times DR$
  • Materiality benchmarks (common): 5% PBT, 1% revenue, 1–2% assets/equity (context-specific)

Practical Implications & Recommendations

  • Establish robust CAPEX governance – budget plus documented economic analysis
  • Integrate ERP modules (sales, purchasing, inventory, fixed assets) for real-time controls
  • Leverage AI & RPA for high-volume reconciliations & anomaly detection, but retain human oversight
  • Cyber-security – board agenda item; appoint CISO; periodic independent review; disclose risk processes (SL Code G)
  • Promote ethical culture; provide whistle-blower hotline; rotate sensitive roles to mitigate familiarity threats

Typical Examination Tips

  • Always link risk ⇄ control ⇄ assertion in audit questions
  • Use SPAMSOAP to generate control points rapidly
  • For inventory and cash essays, quote the numerical control level formulae
  • Remember “comply or explain” & Audit Committee composition (3 NEDs; majority INED)
  • Quote LKAS 2 lower-of-cost-and-NRV rule and FIFO/AVCO treatments
  • In ethics scenarios, identify threat, evaluate significance, cite safeguards, reference fundamental principles