Internal Control & Audit Stages (AUD 4)

Internal Control Audit Stages

Committee of Sponsoring Organizations (COSO)

  • Formed in 1985 to provide guidance for enterprise risk management, internal control, and fraud deterrence.

  • Formed in response to rising concerns of fraudulent financial reporting.

  • Sponsored the National Commission on Fraudulent Financial Reporting, known as the Treadway Commission.

  • COSO Internal Control Framework

    • Original 1992 Framework: Designed to help businesses assess and enhance their internal control systems.

    • Updated 2013 Framework: Retained the core definition of internal control and the five-component framework, while introducing 17 guiding principles for implementation.

  • COSO Members: Comprises five major professional associations in the United States:

    • American Institute of Certified Public Accountants (AICPA): Sets ethical standards for CPAs and auditing standards for private companies and governments.

    • American Accounting Association (AAA): Promotes excellence in accounting education, research, and practice.

    • Financial Executives International (FEI): Represents senior financial executives, providing a platform for interaction and staying updated with financial leadership.

    • Institute of Internal Auditors (IIA): Sets standards and provides professional development for internal auditors.

    • Institute of Management Accountants (IMA): Promotes advanced research, best practices, and the value of the CMA certification for accountants and financial professionals.

Risk

  • Risk is the vulnerability to situations that increase the potential of loss.

  • Risk strategy aligns with risk appetite to manage surprises and avoid unexpected costs or losses.

  • Risk management can be done in the following ways:

    • Risk Avoidance: Choosing not to engage in an activity.

    • Risk Reduction: Implementing compensating or mitigating controls to offset risk.

    • Risk Sharing: Sharing risk with another organization, such as establishing a joint venture or buying insurance.

    • Risk Acceptance: Assuming all of the risks because it is deemed acceptable.

  • The primary way of risk reduction is through internal controls.

Internal Controls - Definition

  • The Committee of Sponsoring Organizations (COSO) of the Treadway Commission issued the Internal Control- Integrated Framework (the Framework) in 1992.

  • The Framework assists boards and management in developing internal control systems that adapt to changing business environments, mitigate risks, and support decision-making and governance.

  • Definition: “Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”

Internal Controls - Objectives

  • The categories of objectives per COSO:

    • Operations: Effectiveness and efficiency of operations, financial performance goals, and safeguarding assets against loss.

    • Reporting: Reliability, timeliness, and transparency of internal and external financial and non-financial reporting. Includes financial and non-financial reporting issues.

    • Compliance: Adherence to relevant laws and regulations.

Internal Controls - Components

  • The Framework was updated to organize its original fundamental concepts into 17 principles associated with five components.

  • Components of Internal Control (Mnemonic: CRIME):

    • C - Control Activities

    • R - Risk Assessment

    • I - Information & Communication Systems

    • M - Monitoring of Controls

    • E - Control Environment

  • Control Environment: Foundation for all other components; sets the tone of an organization and influences the control consciousness of its people.

  • Risk Assessment: Involves identification, evaluation, and management of risks, including external and internal events that may affect financial reporting objectives.

  • Information and Communication: Refers to the identification, retention, and transfer of information in a timely manner, enabling personnel to execute their responsibilities; includes internal and external communication.

  • Monitoring: Evaluates whether the five internal control components and their principles are present and functioning through separate evaluations or ongoing activities; includes corrective actions.

  • Control Activities: Policies and procedures to ensure management directives are executed to mitigate risk; can be preventative or detective, including general, application, and physical controls.

COSO Framework Principles

The five components of the COSO framework, along with their respective principles:

  • Control Environment

    • Demonstrate Commitment to Integrity and Ethics

    • Board of Directors exercise Oversight Responsibility

    • Establish Structure, Authority & Responsibility

    • Demonstrates commitment to competence

    • Enforce Accountability

  • Risk Assessment

    • Specifies suitable objectives

    • Identifies and analyzes risk

    • Assesses fraud risk

    • Identifies and analyzes significant change

  • Information and Communication Systems

    • Uses relevant information

    • Communicates internally

    • Communicates externally

  • Monitoring

    • Conducts ongoing and/or separate evaluations

    • Evaluates and communicates deficiencies

  • Control Activities

    • Selects and develops control activities

    • Selects and develops general controls over technology

    • Deploys control activities through policies and procedures

Segregation of Duties in Internal Control

  • Separation of duties refers to separating responsibilities between more than one person to prevent fraud and error.

  • Incompatible duties that must be segregated:

    • Custody: Custody over assets

    • Authorization: Authorization of transactions affecting those assets

    • Recording: Recording of such related transactions

    • Reconciliation: Performing periodic reconciliations and verification of authorized and recorded amounts

Considerations for Internal Control

  • The following should be considered while implementing internal control measures:

    • Small Entities: Limited segregation of duties due to few employees; however, some degree of segregation or other effective controls should be implemented for vital areas.

    • Cost-Benefit Analysis: The cost of a procedure or control objective should not exceed the impact of the risk.

    • Non-Routine Matters: Risks related to significant non-routine or judgmental matters are less likely to be subject to routine controls; may require review by senior management or experts.

    • Routine Matters: Risks may concern routine transactions that are highly automated; evidence may be available only in electronic form, and its appropriateness depends on the effectiveness of controls over its completeness and accuracy.

    • Manual Vs. Automated Processing: Evidence about manual control implementation at a point in time does not provide evidence about its operating effectiveness at other times. IT processing is inherently consistent; procedures to determine the implementation of an automated control may serve as a test of that control’s operational effectiveness.

Internal Controls - Limitations

  • Internal controls can only provide reasonable assurance regarding the accomplishment of control objectives and are subject to lapses in human judgment, circumvention of controls, and collusion among employees.

  • Inherent limitations which can result in the breakdown of internal control include:

    • Competence: Human errors like mistakes or misjudgments by personnel.

    • Collusion: Circumvention of controls through collusion between personnel.

    • Override by management: Intervention by management in a control process.

    • Obsolescence: Existing controls become obsolete due to changes in the operating environment.

    • Cost constraints: Benefits expected from internal controls need to be more than the cost of implementing and maintaining them.

Internal Control - Deficiencies

  • Can be categorized as control deficiencies, significant deficiencies, and material weaknesses based on severity.

  • Factors that should be considered when determining the severity of a finding:

    • Materiality

    • Mitigating controls

    • Intent.

  • A matter is material if there is a substantial likelihood that a reasonable person would consider it important.

  • Control Deficiencies: Design or operation of a control does not allow management or employees to prevent or detect misstatements on a timely basis.

  • Significant Deficiencies: A deficiency in internal control over financial reporting that is less severe than a material weakness yet important enough to merit attention by those responsible for oversight of the company’s financial reporting.

  • Material Weaknesses: A deficiency in internal control over financial reporting such that there is a reasonable possibility that a material misstatement of the company’s financial statements will not be prevented or detected on a timely basis.

Internal Control - Types

  • Preventive Controls: Prevent errors and misappropriation of assets.

  • Detective Controls: Detect errors and misappropriations after they occur.

  • Corrective Controls: Correct errors and bring the system back to the status quo.

  • Directive Controls: Produce positive results for an enterprise.

  • Compensating Controls: Enhance the effectiveness of controls that are already in place.

Auditor’s Consideration of Internal Control: Test of Controls: Non-Issuers vs. Issuers

  • Non-Issuers: The auditor expresses an opinion on the client's financial statements but not on the client's internal control.

    • Mandatory to perform Substantive Procedures (Test of Details & Analytical Procedures).

    • Optional to perform Test of Controls. However, an auditor may perform Test of Controls if the auditor wants to assess Control Risk at less than the maximum level such that the Auditor can afford a high Detection Risk and reduce the Nature, Extent, and Timing of Substantive Procedures.

  • Issuers: The auditor expresses an Opinion on the Client's Financial Statements and on the Client's Internal Control.

    • Mandatory to perform Substantive Procedures (Test of Details & Analytical Procedures).

    • Mandatory to perform Test of Controls: The auditor tests controls to opine on the effectiveness of ICFR, and the auditor audits Financial Statements to provide their opinion on Financial statements. However, the Auditor will conduct both these audits simultaneously such that the auditor can leverage the assessed Control Risk to reduce the scope (Nature, Extent, and Timing) of Substantive Procedures.

Auditor’s Consideration of Internal Control - Assess Inherent Risk

  • To assess Inherent Risk, an auditor should obtain an understanding of the Entity & its Environment, including:

    • Objectives & Strategies: What is the entity aiming to achieve, and what risks are associated with its strategies?

    • Financial Performance: Past and present financial health, including revenue streams, profitability, and cash flow.

    • External Environment: Industry trends, regulations, competition, and other factors that could impact the business.

    • Nature of Operations: The type of business, products, or services offered, geographic spread, etc.

    • Ownership and Governance: The structure of ownership, board of directors, and other governance mechanisms.

    • Investments: Details about significant investments made or to be made.

    • Financing Structure: How the entity is funded, including debt and equity.

    • Accounting Policies: Methods and assumptions used in preparing financial statements.

  • Procedures to Assess Inherent Risk:

    • Analytical Procedures: Helps in understanding the client's business and identifying unusual trends or transactions that might need further investigation.

    • Inquiries: Conversations with key personnel like management, internal auditors, and those charged with governance (TCWG) can provide insights into the entity's operations and risks.

    • Inspection: Reviewing essential documents like articles of incorporation, by-laws, and permanent files can offer a wealth of information.

  • Auditors should carefully document their understanding of each of these aspects, often in working papers, for reference throughout the audit.

Auditor’s Consideration of Internal Control - Assess Control Risk

  • To assess Control Risk, an auditor should obtain an understanding of the Entity’s Internal Control.

  • Gaining an understanding of an entity's internal control system involves a two-fold process:

    • Evaluate the Design of Internal Controls: Auditors evaluate the design of internal controls to determine if they are structured effectively to prevent, detect, and correct material misstatements.

      • Considering Prevention Controls, Detection Controls and Correction Controls.

    • Assess the Implementation of Internal Controls: The auditor determines whether the controls are implemented and placed in operation.

  • Procedures for Understanding Internal Control:

    • Inquiries: Auditors performs inquiries of Management, Internal Auditors, TCWG, others within the entity. Corroborate responses to inquiries by performing at least an inspection, walkthroughs or observation, but if better evidence is not available by performing other procedures, an auditor may corroborate inquires made of multiple people.

    • Walkthroughs: Walkthroughs involve following a transaction and tracing its processing through the entity's information processing system all the way through to its reporting in the Financial Statements.

    • Inspection: An Auditor performs an inspection of relevant documents such as Internal Control Manuals, Internal Control Documentation.

    • Observation: Auditors physically watch the control process being performed.

Top-Down Approach

  • Top-Down Approach to testing the Design and Implementation (D&I) of Internal Controls in an audit is a methodology that helps the auditor understand the Overall Control Environment of an entity, starting from the Financial Statement Level and gradually focusing on Account Balances, Transaction & Disclosures Level and finally on Assertion Level.

  • Step 1: Assess Risk at Financial Statement Level / Entity Level

    • Auditor must do the following:

      • Evaluate Risk at Overall Entity Level & Financial Statement Level

      • Evaluate Entity Level Controls. Entity Level Controls include the following:

        • Controls related to the Control Environment

        • Controls over Management Override

        • Entity's Risk Assessment Process

        • Centralized Processing and Controls, including shared service environments controls to monitor other controls, like Internal Auditors, TCWG

        • Controls over the period-end Financial Reporting Process

    • Overall responses to address Assessed Risk at Financial Statement level may include:

      • Emphasize the Need for Professional Skepticism

      • Assign Experienced Staff or Specialists

      • Increase Level of Supervision

      • Incorporate Unpredictability in Audit Procedures

      • Communicate with Those Charged with Governance (TCWG)

  • Step 2: Evaluate Risk at Account Balances, Transactions & Disclosures Level

    • To Evaluate Risk at Account Balances, Transactions & Disclosures Level:

      • Identify Significant Account Balances, Transactions and Disclosures and their relevant assertions.

      • Consider the volume of activity, complexity, and whether there is the involvement of subjectivity in account balances or transactions.

      • Evaluate the risks and controls related to specific financial reporting elements like revenue recognition, expenses, assets, and liabilities.

    • Overall responses to address Assessed Risk at Account Balances, Transaction & Disclosures Level may include:

      • Alter the Nature, Timing, and Extent of Audit Procedures

      • Employ Computer-Assisted Audit Techniques (CAATs)

      • Enhance Review and Supervision of Team Members

      • Engage Specialists

      • Reassess the Use of External Confirmations

      • Increase Communication with Management and Those Charged with Governance (TCWG)

  • Step 3: Evaluate Risk at Assertion Level

    • To Evaluate Risk at Assertion Level. Focus on the controls related to specific assertions within the significant accounts identified.

      • Evaluate the Design and Implementation of controls related to assertions such as completeness, accuracy, and authorization.

      • Consider the manual and automated controls that prevent, detect, or correct material misstatements.

    • Overall responses to address Assessed Risk at Assertion Level may include:

      • Tailor Substantive Procedures

      • Modify Sample Sizes and Selection Techniques

      • Use of Confirmations or External Evidence

      • Employ Computer-Assisted Audit Techniques (CAATs)

      • Increase Depth of Testing

      • Evaluate Related Disclosures

  • Document Understanding of Internal Controls

    • Proper Documentation of Understanding of Internal Controls is not only a professional requirement but also facilitates the planning, performance, and review of the audit. The form and extent of documentation can vary based on factors such as the nature, size, and complexity of the entity, as well as the availability of information and the audit technology and methodology used.

    • Key Elements to Document:

      • Each of the Internal Control Components: Documentation must Include all 5 components Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring.

      • Any Significant Risks Identified and Related Internal Controls: Documentation must specify which controls are in place to mitigate significant financial statement risks.

    • Types of Documentation Forms:

      • Flowcharts: A flowchart is a graphical representation of a process, showing the sequence of steps involved in that process in a structured, diagrammatic manner.

      • Internal Control Questionnaire (ICQ): An Internal Control Questionnaire is a set of written questions related to various aspects of an organization's internal control environment.

      • Narratives: A narrative is a detailed written description outlining the procedures, processes, and controls within an organization's internal control system.

      • Decision Tree: A Decision Tree is a tree-like model that displays decisions and their possible consequences, including chance event outcomes, resource costs, and utility, often in a graphical format.

Auditor’s Consideration of Internal Control - Assess Risk of Material Misstatement (RMM)

  • Risk of Material Misstatement (RMM) is used to assess the risks associated with an entity's financial statements.

  • RMM=InherentRisk(IR)×ControlRisk(CR)RMM = Inherent Risk (IR) \times Control Risk (CR)

  • Steps to Assess RMM:

    • Identify Risks: Review Financial Statements, Internal Controls Operations, Industry Factors, and Previous Audits to identify potential areas of risk.

    • Consider the Likelihood of Identified Risks: Evaluate how likely it is that a material misstatement could occur in the absence of controls.

    • Consider the Magnitude of the Impact on Financial Statements: Assess how significant a material misstatement would be in terms of its potential impact on the financial statements and whether it would affect users’ decisions.

    • Determine if Identified Risks are Significant: Decide whether the identified risks are of such significance that they require special audit consideration.

  • RMM Implications

    • High Levels of RMM: High Levels of RMM often result in more intensive substantive testing, less reliance on controls, or a combination of both, to gather sufficient appropriate audit evidence.

    • Low Levels of RMM: Low Levels of RMM often result in less intensive substantive testing, more reliance on controls, or a combination of both, to gather sufficient appropriate audit evidence.

Auditor’s Consideration of Internal Control - Determine Audit Approach

  • Audit Approach depends on the Assessed Risk of Material Misstatement (RMM), which is a product of Inherent Risk (IR) and Control Risk (CR).

  • Audit Approach can be either:

    • Non-Control Reliance Approach (Substantive Approach: Substantive Tests): Used when controls are not designed and implemented properly, making it inefficient or unproductive to perform tests of controls.

    • Control Reliance Approach (Combined Approach: Test of Controls + Substantive Tests): Used when controls are designed and implemented properly.

Auditor’s Consideration of Internal Control - Perform Test of Controls

  • An auditor should design and perform Test of Controls to obtain sufficient appropriate audit evidence about the operating effectiveness of relevant controls.

  • Quality of Audit Evidence: The amount and quality of audit evidence needed are directly related to the auditor’s assessment of whether a control is effective and the level of reliance the auditor plans to place on that control.

  • Risk Assessment Procedures as Tests of Controls: Sometimes, even if not designed as tests of controls, risk assessment procedures like inquiries or walkthroughs can provide valuable audit evidence about the effectiveness of controls.

  • Dual-Purpose Tests: Dual-purpose tests serve to both Test the Operating Effectiveness of Controls and to gather Substantive Audit Evidence. Dual-purpose tests can improve the efficiency of the audit process.

Nature, Extent, and Timing of the Tests of Controls

  • The Nature, Extent, and Timing of the Tests of Controls depend on the risk assessment, the complexity of the entity's operations, and the reliability of its internal controls.

  • Nature of Test of Controls: Involves:

    • Performing Tests to see how the controls were applied at relevant times during the period under audit.

    • Performing Tests to see the consistency with which the controls were applied.

    • Performing Tests to see by whom or by what means they were applied.

    • Determining whether the controls to be tested depend upon other controls (indirect controls).

  • Extent of Test of Controls: Can vary depending upon whether controls are automated or manual.

    • Automated Controls: The inherent consistency of IT processing might allow for a smaller sample size or less frequent testing, assuming there have been no changes to the system.

    • Manual Controls: May require a larger sample size and more frequent testing due to higher susceptibility to inconsistency and errors.

  • Timing of Test of Controls: Differ depending on the type of entity being audited (non-issuers vs. issuers) and whether the audit is a first-year or recurring engagement.

    • For Non-Issuers and Changes in Controls: If there have been changes in the control, the controls should be tested again in the current year.

    • For Non-Issuers, No Changes in Controls: If no significant changes have occurred, the controls should be tested at least once every third year.

    • For Non-Issuers, Significant Risks: Controls address significant risks should be tested in the current period.

    • For Issuers: Auditors are required to test controls each year for issuers. The controls should be tested even if there have been no changes since the last audit. This is particularly important for key controls related to significant accounts and disclosures.

Procedures for Test of Controls to Determine Operating Effectiveness

  • Reperformance: An auditor independently carries out the control procedures that were initially performed by the company's employees.

  • Inquiry: An auditor collects information by interviewing and making inquiries with appropriate personnel within or outside the entity.

  • Inspection: An auditor reviews documents, records, or physical assets to assess the effectiveness of controls.

  • Observation: An auditor physically observes the control procedure being performed by the company's personnel.

Decide NET of Audit Procedures

  • (NET = Nature, Extent, Timing)

  • If controls are designed properly and could be Operating Effectively. (Control Reliance Approach)

    • Perform Test of Operating Effectiveness of Internal Controls.

      • If Operating effectively: Assess CR below Maximum, RMM is Low, and Detection Risk is High and Decrease NET of Audit Procedures.

      • If Not Operating effectively: Assess CR at Maximum, RMM is High, and Detection Risk is Low and Increase NET of Audit Procedures.

  • If controls are Not designed properly. (Non-Control Reliance Approach)

    • Then Assess CR at Maximum, RMM is High, Detection Risk is Low and Increase NET of Audit Procedures.

Transaction Cycles

  • When auditing an entity, the auditor breaks down the audit into various operating cycles to better manage the complexity and ensure a thorough evaluation.

  • The Transaction Cycles include:

    • Revenue Cycle

    • Cash Receipts Cycle

    • Expenditures Cycle

    • Inventory Cycle

    • Personnel & Payroll Cycle

    • Investing Cycle

    • PPE Cycle

    • Financing Cycle

Revenue Cycle

  • A Revenue Cycle encompasses all the activities involved in selling goods or services, from the initial customer engagement to the final payment.

  • Flowchart:

    • Customer sends a Purchase Order to prospective Sellers.

    • Sales Department (Authorization):

      • Receive a Purchase Order from Customer

      • Sales Clerk will prepare a Sales Order from the Purchase Order and forward it Credit Department for Approval

    • Credit Department (Authorization):

      • Credit Department will receive Sales Order from Sales Department.

      • Credit team will do a credit check on the customer and approve or disapprove a sale. If the Sales Order is approved, approved Sales Order is prepared in triplicate and sent to Shipping, Billing and Accounting.

    • Shipping Department (Custody):

      • Shipping Team receives the Approved Sales Order and will ship Inventory to the Client.

      • Bill of Lading prepared by Shipping team and is sent to Client & Billing Department.

    • Billing Department (Recordkeeping):

      • Billing Team receives Approved Sales Order & Bill of Lading and will prepare Invoice and send it to the Client.

      • Billing Team will Prepare Sales Journal, Sales Summary and Update Accounts Receivable Master File

    • Accounting Department:

      • Accounting Team records sales in General Ledger.

Segregation of Duties in Revenue Cycle

  • Authorization, Recording, Custody, and Comparison should not be performed by the same individual to ensure that incompatible functions are adequately segregated.

    • Sales Manager (Authorization): Responsible for authorizing and initiating the sales process by generating internal sales orders.

    • Credit Manager (Authorization): Conducts credit checks and approves credit terms for customers, ensuring they meet the company's credit policies.

    • Warehouse Clerk (Custody): Holds custody of the inventory. Manages the physical inventory and releases items for shipping upon receipt of an approved internal sales order.

    • Shipping Clerk (Custody): Responsible for shipping inventory to the customers. Handles the actual shipping process, ensuring that goods are sent to the correct customer location based on the approved sales order.

    • Billing Clerk (Recordkeeping): Generates invoices based on approved sales orders and shipping details, and sends them to customers.

    • Receivables Clerk (Recordkeeping): Records the details of Sales Invoices in the Accounts Receivable Master File, ensuring accurate tracking of amounts due.

    • General Ledger Bookkeeper (Recordkeeping): Posts sales transactions to the general ledger, ensuring accurate financial reporting.

Internal Controls and Test of Controls for Revenue Cycle

  • Sales Department

    • Internal Control: Use Pre-Numbered Sales Orders, Require managerial approval for large sales orders and Use standardized templates for Sales Orders.

    • Test of Control: Verify that Sales Orders are Pre-Numbered, Review a sample of large sales orders to ensure managerial approval was obtained and Audit a sample of Sales Orders to ensure they follow the standardized format

  • Credit Department

    • Internal Control: Use standardized criteria for credit checks and Periodic review of customer credit limits.

    • Test of Control: Inquire about credit checks for new customers and Inspect sample of documents to test if credit checks were done before approval of sales orders and audit a sample of credit checks to ensure criteria were consistently applied and Verify that credit limits are reviewed and updated at regular intervals

  • Shipping Department

    • Internal Control: Warehouse Department to release goods to Shipping only after receipt of approved sales order; Shipping Department to check if goods released by warehouse conform to approved sales orders, and Match Bill of Lading with Sales Order before shipping

    • Test of Control: Observe physical controls over goods in the warehouse; inspect (Vouch) sample of shipping documents to sales order; and review a sample of shipped orders to ensure Bill of Ladings match Sales Orders

  • Billing Department

    • Internal Control: Match Sales Orders and Bill of Lading before Invoicing, Verify pricing on sales order with master price list, customer agreement, etc. and Use Pre-Numbered Sales Invoices.

    • Test of Control: Inspect (Vouch) sample of sales invoices to bills of lading and approved sales orders; Reperform pricing check by checking prices in a sample of sales invoices with master price list; and Verify that Invoices are Pre-Numbered.

  • Accounting Department

    • Internal Control: Post to General Ledger and Generate General Ledger exception report and resolve the exceptions

    • Test of Control: Observe / Reperform the recordkeeping process and Inspect General Ledger exceptions and resolution

Cash Receipts Cycle

  • The Cash Receipts Cycle focuses on the process of receiving and recording cash from customers.

  • Flowchart:

    • Customer sends checks and remittance advice.

    • Mailroom (Custody):

      • Receive Checks and Remittance Advice

      • Separate Checks and Remittance Advice

      • Prepare Check Listing Summary for Checks and send it to Cashier, Accounts Receivable and Accounting

      • Send Remittance Advice to Accounts Receivable.

    • Cashier (Custody):

      • Receive Checks and Check Listing Summary from Mailroom.

      • Deposit Checks and Prepare a Check Deposit Summary and send it to Accounts Receivable and Accounting.

    • Accounts Receivable Department (Recordkeeping):

      • Receive Remittance Advice, Check Listing Summary, Check. Deposit Summary and Prepare a Cash Deposit Summary

      • Update Accounts Receivable Master File

    • Accounting Department (Recordkeeping):

      • Accounting Team updates General Ledger.

Segregation of Duties in Cash Receipts Cycle

  • Mail Room Clerk (Custody): Receive Checks and Remittance Advice, Separate Checks and Remittance Advice. Prepare Check Listing Summary for Checks and send it to the Cashier, Accounts Receivable, and Accounting. Send Remittance Advice to Accounts Receivable

  • Cashier (Custody): Receive Checks and Check Listing Summary from the Mailroom. Deposit Checks and Prepare a Check Deposit Summary and send it to Accounts Receivable and Accounting.

  • Receivables Clerk (Recordkeeping): Receive Remittance Advice, Check Listing Summary, Check Deposit Summary and Prepare a Cash Deposit Summary. Update Accounts Receivable Master File

  • General Ledger Bookkeeper (Recordkeeping): Posts collections transactions to the general ledger. Ensures that all cash receipts are accurately reflected in the company's financial records.

Internal Controls and Test of Controls for Cash Receipts Cycle

  • Mail Room

    • Internal Control: Use Pre-Numbered List for Check Listing Summary and Forward Checks to Cashier and Remittance advice to Accounts Receivable

    • Test of Control: Verify that lists for received checks are Pre-Numbered and Observe the handling and forwarding process

  • Cashier

    • Internal Control: Prepare Deposit Slips for Checks Received

    • Test of Control: Observe the Deposit Process and Reperform a sample of deposit slip preparations

  • Accounts Receivable

    • Internal Control: Update Accounts Receivable Master with Collections Received and Reconcile Cash Receipts to Bank Deposits

    • Test of Control: Inspect updates to Accounts Receivable Master and Reperform reconciliation of a sample of Cash Receipts to Bank Deposits

  • Accounting

    • Internal Control: Record Collections in the General Ledger and Reconcile General Ledger with Accounts Receivable Master

    • Test of Control: Inspect entries in the general ledger and Reperform a sample of General Ledger to Accounts Receivable Master reconciliations

Expenditure Cycle

  • The Expenditure Cycle focuses on the processes related to purchasing goods and services, receiving them, and making payments.

  • Flowchart:

    • Requisition Department:

      • Prepare a requisition. Department Head or any other approving authority will approve the requisition. Approved Requisition would be sent across to the Procurement Department

    • Procurement Department (Authorization):

      • Receives Approved Requisition.

      • Prepares Purchase Order and sends it to Vendors, Accounts Payable and Receiving.

      • Based on Purchase order, Procurement Department would invite various quotations from different vendors. Select the best vendor and negotiate terms and conditions of the purchase and authorize the purchase

    • Receiving Department (Custody):

      • Receives Blind Copy of Purchase Order (excludes quantity of goods ordered).

      • Receive and Count the inventory

      • Prepare Receiving Report and send it to Accounts Payable Department.

    • Accounts Payable Department. (Recordkeeping):

      • Receives Voucher Package (comprises of Approved Requisition, Purchase Order, Receiving Report & Invoice). 3-Way Match.

      • Approve the voucher for payment and send approved voucher to Treasury Team.

      • Update Purchase Journal, Purchase Summary and Accounts Payable Master.

    • Treasury Department (Custody):

      • Receive Approved Voucher Package, Pay the Voucher Package and Stamp it paid to avoid double payment.

      • Send Checks or Remittance Advice to Vendor Payable Master.

    • Accounting Department (Recordkeeping):

      • Accounting Team updates General Ledger.

Segregation of Duties in Expenditure Cycle

  • Purchasing Clerk (Authorization): Responsible for initiating and authorizing purchases by generating Purchase Orders. Send copies of the Purchase Orders to the Receiving Department and Accounts Payable.

  • Receiving Clerk (Custody): Receives goods and matches them to the Purchase Orders. Prepares a Receiving Report and sends it to Accounts Payable and Accounting

  • Accounts Payable Clerk (Recordkeeping): Receives Purchase Orders, Invoices, and Receiving Reports. Matches these documents and updates the AP Master File. Prepares a Payment Voucher and sends it to the Cash Disbursement Clerk and Accounting.

  • Treasurer (Authorization): Receives Payment Vouchers from Accounts Payable. Reviews and approves all cash disbursements. Ensures that only valid and necessary payments are made. Prepares checks for payment. Once approved, mails the checks to vendors and sends a copy of the disbursement record to Accounting.

  • General Ledger Bookkeeper (Recordkeeping): Receives copies of Purchase Orders, Receiving Reports, Payment Vouchers, and Cash Disbursement Records. Posts these transactions to the general ledger to ensure accurate financial reporting.

Internal Controls and Test of Controls for Expenditure Cycle

  • Requisition Department

    • Internal Control: Appropriate approval required for all purchases

    • Test of Control: Review a sample of purchase orders for proper authorization

  • Procurement Department

    • Internal Control: Use Pre-Numbered Purchase Orders

    • Test of Control: Verify that Purchase Orders are Pre-Numbered

  • Receiving Department

    • Internal Control: Use Pre-Numbered Receiving Reports and Inspect and Match Received Goods to Purchase Orders

    • Test of Control: Verify that Receiving Reports are Pre-Numbered and Observe the receiving process and inspect a sample of matched goods to purchase orders

  • Accounts Payable Department

    • Internal Control: Receive Invoices from Vendors and Perform 3-Way Match of Invoice , Purchase Order and Receiving Report (Voucher Package)

    • Test of Control: o Inspect (Vouch) a sample of invoices to purchase orders and receiving reports

  • Treasury Department

    • Internal Control: Prepare Checks for Payment, Use Sequentially Numbered Checks, Approve Cash Disbursements and Cancel Voucher Package to avoid double payments.

    • Test of Control: Observe the check preparation process, Verify that checks are sequentially numbered, Review a sample of cash disbursements to ensure Treasurer's approval, Inspect a sample of checks for authorized signatures; and Observe review of documents and cancellation of vouchers by Treasurer

  • General Ledger Bookkeeper

    • Internal Control: Record Expenditures in the General Ledger and Reconcile General Ledger with A/P Master File

    • Test of Control: Inspect entries in the general ledger and Reperform a sample of General Ledger to A/P Master File reconciliations

Inventory Cycle

  • The Inventory Cycle refers to the process of ordering, storing, and using a company's inventory. This includes the management of raw materials, components, and finished products, as well as warehousing and processing such items.

  • Flow:

    • Procurement Department (Authorization). (Discussed in Expenditure Cycle)

    • Receiving Department (Custody) (Discussed in Expenditure Cycle)

    • Warehousing Department (Custody)

    • Shipping Department (Custody) (Discussed in Revenue Cycle)

Personnel & Payroll Cycle

  • The Personnel and Payroll Cycle involves the various processes related to employee management and compensation. This cycle is crucial for ensuring that employees are paid accurately and on time, and that all related taxes and benefits are properly administered.

  • Flowchart:

    • Payroll Department:

      • Prepare Check and send it to Treasury, Update Employee records & Payroll Journal and Prepare Payroll Summary

    • Treasury Department (Custody):

      • Receive Pay rate authorization from HR Department and receive Approved Time Record from Production Department and unsigned Checks from Payroll.

      • Sign Checks and hand