6. A Manual Purchases System
• Begins in Inventory Control when inventory levels
drop to reorder levels.
• PR is prepared and copies sent to Purchasing and A/P
• Purchasing prepares a PO for each vendor and sends
copies to Inventory Control, A/P, and Receiving.
7. A Manual Purchases System
• Upon receipt, Receiving counts and inspects the goods.
– Blind copy of PO is used to force worker to count goods.
• Rec report is prepared and copies sent to raw materials
storeroom, Purchasing, Inventory Control, and A/P.
8. A Manual Purchases System
• A/P eventually receives copies of the PR, PO, Rec
Report, and the supplier’s invoice.
• A/P reconciles these docs, posts to purchase
journal, and records liability in the AP subsidiary
ledger.
9. A Manual Purchases System
• A/P periodically summarizes the entries in the
purchases journal as a journal voucher which is sent to
the General Ledger (G/L) department.
Inv-Control or Purchases
Accts Payable-Control
DR
CR
• A/P also prepares a cash disbursements voucher and
posts it in the voucher register.
10. A Manual Purchases System
• G/L department:
– posts from the accounts payable journal voucher to
the general ledger
– reconciles the inventory amount with the account
summary received from inventory control
13. A Manual Cash Disbursement System
• Periodically, A/P searches the open vouchers payable
file for items with payments due:
– A/P sends the vendor’s voucher and supporting
documents to Cash Disbursements
– A/P updates the accounts payable subsidiary ledger
14. A Manual Cash Disbursement System
• Cash Disbursements Departement:
– prepares the check
– records the information in a check register (cash
disbursements journal)
– returns paid vouchers to accounts payable, mails
the check to the supplier
– sends a journal voucher to G/L:
Accounts Payable
Cash
DR
CR
15. A Manual Cash Disbursement System
• G/L department receives:
– the journal voucher from cash disbursements
– a summary of the accounts payable subsidiary
ledger from A/P
• The journal voucher is used to update the general
ledger.
• The accounts payable control account is reconciled
with the subsidiary summary.
17. Computer-Based Accounting System
• CBAS technology can be viewed as a continuum with
two extremes:
– automation - use technology to improve efficiency
and effectiveness
– reengineering – use technology to restructure
business processes and firm organization
18. Levels of Automating and Reengineering Ordering
Level 1: Computer generates PR
– Purchases manually generates PO
Level 2: Computer generates PO (no PR needed)
– PO not sent until manually reviewed
Level 3: Computer-generated PO is automatically sent
without manual review
Level 4: Electronic Data Interchange (EDI)
– Computer-to-computer communication without PO
19. Expenditures Cycle Database
• Other Files
• Master Files
– supplier reference and
– supplier (vendor) master file
history file
– accounts payable master file
– buyer file
– merchandise inventory
– accounts payable detail file
master file
• Transaction and Open Document
Files
– purchase order file
• open purchase order file
– supplier’s invoice file
– open vouchers file
– cash disbursements file
23. Computer-Based Purchases
• A Data Processing Dept. performs routine accounting
tasks.
• Purchasing - a computer program identifies inventory
requirements
• The following methods are used for authorizing and
ordering inventories:
– the system prepares POs and sends them to Purchases
for review, signing, and distributing, or
– the system distributes POs directly to the vendors and
internal users, bypassing Purchases, or
– the system uses electronic data interchange (EDI) and
electronically places the order without POs
24. Computer-Based Purchases
• Other tasks performed automatically by the computer:
– Updates the inventory subsidiary file from Rec Report.
– Calculates batch totals for general ledger update
– Closes the
correspond
records in the
open PO file to
closed PO file
– Validates the
voucher
records
against valid
vendor files
25. Computer-Based Cash Disbursements
• Tasks performed automatically by the computer:
– the system scans for vouchers currently due
– prints checks for these vouchers
– records these checks in the check register
– batch totals are prepared for the general ledger
update procedure
26. Advantages of Real-Time Input and Processing over
Batch Processing
• Shortens the time-lag in record-keeping;
hence, records are more current
• Eliminates much of the routine manual
procedures, such as transcribing information onto
paper documents
• Eliminates much of the storage and shuffling of paper
documents
• Reduces data entry correction procedures
28. General Internal Controls
• Organization controls
– segregation of duties
• Documentation
• Asset Accountability Controls
• Management Practices
• Data Center Operations Controls
• Authorization Controls
• Access Controls
29. Manual Authorization Controls
• Purchases of inventory should be authorized by the
Inventory Control department, not by purchasing
agents
• Accounts Payable authorizes the payments of bills, not
the cash disbursements clerk, who writes the checks
How do these controls change in a CBAS?
30. Computer-Based Authorization Controls
• Authorizations are automated.
– programmed decision rules must be debugged (find
and reduce bug/ defect)
• Automating inventory in EDI and JIT
– faulty inventory model can lead to over-purchasing or
under-purchasing
• Cash disbursements may automate check printing and
signing.
– programming logic must be flawless
– automated signing only below a dollar threshold
31. Traditional Segregation of Duties
• Warehouse (stores)
• Inventory control
• Accounts payable
• General ledger
• Requisitioning
• Purchases
• Purchases returns and allowances
• Cash disbursements
32. Manual Segregation of Duties
• Custody of the asset, inventory, by the Warehouse
must be separate from recordkeeping for the assets by
the Inventory Control.
• Custody of the asset, cash, by Cash Disbursements
must be kept separate from recordkeeping for the asset
by A/P.
How do these controls change in a CBAS?
33. Computer-Based Segregation of Functions
• Extensive consolidation by the computer of tasks
traditionally segregated
– computer programs authorize and process purchase
orders (reduce order time-lag)
– computer programs authorize and issue checks to
vendors
34. Manual Supervision
• Within the expenditure cycle, supervision is of highest
importance in the Receiving department, where the
inventory arrives and is logged in by a receiving clerk.
Need to minimize:
– failures to properly inspect the assets
– theft of the assets
How do these controls change in a CBAS?
35. Computer-Based Supervision
• Automation often leads to a collapsing of the
traditional segregation of duties.
– requires greater supervision
• Supervision takes on new aspects as technology
advances.
– electronic monitoring
• Supervision because more difficult as the workplace
becomes more sophisticated.
– employees may have advanced IT training
36. Manual Accounting Records
• Must maintain adequate records for:
– accounts payable
– vouchers payable
– checks
– general ledger
– subsidiary ledgers
How do these controls change in a CBAS?
37. Computer-Based Accounting Records
• Accounting records rest on the reliability and security
of stored digitalized data.
– Accountants should be skeptical about the accuracy of
hard-copy printouts.
– Backups - the system needs to ensure that backups of
all files are continuously kept.
• Most automated systems still have a lot of paper
documents.
– This is good for audit trail purposes but is often
inefficient.
– As the system becomes increasing paperless,
maintaining an audit trail becomes more difficult.
38. Manual Access Controls
• Access to:
– inventories (direct access to make fraud)
– cash (direct access)
– accounting records (indirect access)
How do these controls change in a CBAS?
39. Computer-Based Access Controls
• Magnetic records are vulnerable to both authorized and
unauthorized exposure and should be protected
– must have limited file accessibility
– programs must be safeguarded and monitored
40. Manual Independent Verification
• A/Payable Dept. verifies much of the work done within
the expenditure cycle.
– PR, PO, receiving reports, and suppliers’ invoices
must be checked and verified by A/P.
• G/Ledger Dept. verifies:
– the total obligations recorded equal the total
inventories received
– the total reductions in accounts payable equal the
total disbursements of cash
How do these controls change in a CBAS?
41. Computer-Based Independent Verification
• Automating the accounting function reduces the need
for verification by reducing the chances of fraud and
error in the expenditure cycle.
• However, the need for verification shifts to the
computer program and the programmers where fraud
and error may still be present.
42. Threats in Ordering Goods
Threats in the process of ordering goods include:
–
THREAT 1: Stockouts and/or excess inventory
–
THREAT 2: Ordering unnecessary items
–
THREAT 3: Purchasing goods at inflated prices
–
THREAT 4: Purchasing goods of inferior quality
–
THREAT 5: Purchasing from unauthorized suppliers
–
THREAT 6: Kickbacks
–
EDI-Related threats
–
Threats related to purchases of services
43. Threats in Receiving and Storing Goods
The primary objectives of this process are to:
–
–
Verify the receipt of ordered inventory.
Safeguard the inventory against loss or theft.
Threats in the process of receiving and storing goods include:
–
THREAT 7: Receiving unordered goods
–
THREAT 8: Errors in counting received goods
–
THREAT 9: Theft of inventory
44. Threats in Approving and Paying Vendor Invoices
The primary objectives of this process are to:
– Pay only for goods and services that were ordered and
received.
– Safeguard cash.
Threats in the process of approving and paying vendor
invoices include:
– THREAT 10: Failing to catch errors in vendor invoices
– THREAT 11: Paying for goods not received
– THREAT 12: Failing to take available purchase discounts
– THREAT 13: Paying the same invoice twice
– THREAT 14: Recording and posting errors to accounts
payable
– THREAT 15: Misappropriating cash, checks, or EFTs
45. EXPENDITURES CYCLE AUDIT
OBJECTIVES, CONTROLS, AND TEST OF CONTROLS
• Achieving audit obj require designing audit procedure to gather
evidence that either corroborates or refutes mgt assertions.
• It involves a combination of ToC and substantive tests of details.
The specific controls addressed here are based on the
application controls framework, which classifies controls into:
input controls, process controls, and output controls.
• Within this framework, we examine application controls, tests of
controls, and the audit objectives to which they relate.
46.
47. INPUT CONTROLS
Input controls are designed to ensure that transactions are
valid, accurate, and complete.
• Data Validation Controls
Input validation controls are intended to detect transcription
errors in transaction data before they are processed.
Missing data checks: to examine the contents of a field for the
presence of blank spaces.
Numeric-alphabetic data checks.
Limit checks.
Range checks assign upper and lower limits to acceptable data
values.
Validity checks compare actual values in a field against known
acceptable values.
Check digit controls.
48. INPUT CONTROLS
Testing Validation Controls
Audit procedures provide evidence about the accuracy assertion:
The auditor may decide to rely on the quality of other controls to
provide the assurance needed to reduce substantive testing. Ex:
after reviewing systems development and maintenance
controls, auditor may determine that controls over original
program design and testing and subsequent changes to programs
are effective.
ITF or the test data approach enable the auditor to perform explicit
tests of the validation logic. This evidence help auditor determine
the nature, timing, and extent of subsequent substantive tests.
The auditor can achieve some degree of assurance by reviewing
error listings and error logs. These documents provide evidence of
the effectiveness of the data entry process, the types and volume
of errors encountered, and the manner in which the errors are
49. INPUT CONTROLS
Batch Controls
The objective of batch control is to reconcile output produced by
the system with the input originally entered into the system.
The information contained in the transmittal sheet is entered as a
separate control record that used to verify the integrity of the
batch. Periodic reconciliation between the data in the transmittal
record and actual processing results provides assurance of the
following:
All invoices that were entered into the system were processed.
No invoices were processed and paid more than once.
All invoices entered into the system are accounted for as either
successfully processed or rejected because of errors.
50. INPUT CONTROLS
Testing Batch Controls
Tests of batch controls provide the auditor with evidence
relating to the assertions of completeness and accuracy.
Testing batch controls involves reviewing transmittal records
of batches processed throughout the period and reconciling
them to the batch control log.
The auditor needs to investigate out-of-balance conditions
to determine their cause.
51. INPUT CONTROLS
Purchases Authorization Controls
Purchases authorization actually occurs in the revenue cycle when goods
are sold to customers.
At that time, the system compares the quantity-on-hand with the reorder
point to determine if the inventory needs to be reordered.
Testing Purchases Authorization Controls
The following tests of controls provide evidence pertaining to the
accuracy and valuation assertions.
Since PReq are internally generated, they should be free from clerical
errors and do not need validating. However, computer logic errors in this
procedure can cause negative operational and financial consequences.
Testing these controls using CAATTs involves creating test inventory
records and sales trans that reduce the inventory items below their
reorder point. The resulting PReq and inventory records can then be
examined for evidence of properly functioning controls.
52. INPUT CONTROLS
Employee Authorization
The personnel department:
prepares and submits personnel action forms to the payroll
department. These documents are used to effect changes in
hourly pay rates, payroll deductions, and job classification.
identify employees who are authorized to receive a paycheck.
This information plays an important role in preventing errors and
payroll fraud.
A common form of fraud: overcharging or fictitiounus.
When employee authorization procedures are computerized, the
payroll program matches each attendance record with a
corresponding record in the current personnel action file.
→ Any attendance records that do not match should be rejected
and investigated by management.
53. INPUT CONTROLS
Testing Employee Authorization Procedures
The following tests of controls provide evidence pertaining to the
existence, accuracy, valuation, and rights and obligation assertions.
Using either the test data or integrated test facility (ITF)
approaches:
→ the auditor can assess the correctness of programmed
procedures that validate employee authenticity.
The auditor can obtain assurance that the file has integrity when the
following controls exist:
access to the authorized employee file is password controlled;
additions to and deletions from the file are restricted to
authorized individuals in the personnel department;
and the employee records stored on the file are encrypted.
54. PROCESS CONTROLS
Process controls include computerized procedures for updating files
and restricting access to data.
File Update Controls
Run-to-run controls use batch control data to monitor the batch as
it moves from one programmed procedure (run) to another.
Sequence Check Control.
Liability Validation Control. An important control in
purchases/accounts payable systems is the validation of the
liability prior to making payment. The process involves reconciling
supporting documents including the purchase order, receiving
report, and supplier’s invoice.
Valid Vendor File. The valid vendor file is similar to the authorized
employee file.
55. PROCESS CONTROLS
Process controls include computerized procedures for updating files
and restricting access to data.
Testing File Update Controls.
Failure of file update controls can result in transactions (1) not being
processed (liabilities are not recognized and recorded), (2) being
processed incorrectly (i.e., payments are approved for unauthorized
recipients), or (3) being posted to the wrong supplier’s account.
Tests of file update controls provide evidence relating to assertions of
existence, completeness, rights and obligations, and accuracy.
Tests of sequence checks can be performed using either ITF or the test
data approach.
Testing the liability validation logic requires understanding the decision
rule for matching supporting documents. By creating test purchase
orders, receiving reports, and supplier invoices, the auditor can verify
whether decision rules are being correctly applied.
56. PROCESS CONTROLS
Access Controls
Access controls prevent and detect unauthorized and illegal access to the
firm’s assets. An individual with unrestricted access to data can
manipulate the assets of the firm and cause fs to be materially misstated.
The following are examples of risks specific to the expenditure cycle:
1. Once recognized by the system as a legitimate liability, the AP account
will be paid even though no purchase transaction transpired.
2. Access to employee attendance cards may enable an unauthorized
individual to trigger an unauthorized paycheck.
3. An individual with access to both cash and accounts payable records
could remove cash from the firm and record the act as a legitimate
disbursement.
4. An individual with access to physical inventory and inventory records
can steal products and adjust the records to cover the theft.
57. PROCESS CONTROLS
Testing Access Controls
In the absence of adequate controls, supplier invoices can be deleted,
added, or falsified. Individual payroll account balances can be erased or
the entire accounts payable file can be destroyed.
Evidence gathered about the effectiveness of access controls tests the
management assertions of existence, completeness, accuracy, valuation
and allocation, rights and obligations, and presentation and disclosure.
Since payments to false vendors carries such potential for material loss,
the auditor is concerned about the integrity of the valid vendor file. By
gaining access to the file, a computer criminal can place his or her name
on it and masquerade as an authorized vendor.
The auditor should therefore assess the adequacy of access controls
protecting the file. These include password controls, restricting access to
authorized managers, and using data encryption to prevent the file
contents from being read or changed.
58. PROCESS CONTROLS
Physical Controls
Purchases System Controls
Segregation of inventory control from the warehouse.
Segregation of the GL and AP from cash disbursements.
Supervision of receiving department, reduces the chances of failure to
properly inspect the assets and the theft of assets.
Inspection of assets. Receiving clerks must inspect items for proper
quantities and condition (damage, spoilage, and so on), with a blind
PO. Incoming goods are accompanied by a packing slip. A supervisor
should take custody of the packing slip while receiving clerks count
and inspect the goods.
Reconciliation of supporting documents: PO, Receiving report, and
supplier’s invoice.
59. PROCESS CONTROLS
Payroll System Controls
Verification of timecards, verify their accuracy and sign them.
Supervision / CCTV.
Paymaster. The use of an independent paymaster to distribute checks
(rather than the normal supervisor) helps verify the existence of the
employees.
Payroll imprest account. Employee paychecks are drawn on a special
payroll imprest account at the bank, which is used only for payroll
clearing.
60. PROCESS CONTROLS
Testing Physical Controls
The auditor’s review of organizational structure should disclose the more
egregious examples of incompatible tasks, such as one individual
opening and approving timecards, authorizing employee payments, and
receiving and distributing the paychecks.
In automated environments, the auditor’s concern should focus on the
integrity of the computer programs that perform these tasks. Is the logic
of the computer program correct? Has anyone tampered with the
application since it was last tested? Have changes been made to the
program that could have caused an undisclosed error? Are there
adequate formal procedures (i.e., supervision) to compensate for the lack
of segregation of duties?
Answers to these questions come from the auditor’s review of systems
development and maintenance controls and by reviewing organizational
structure.
61. OUTPUT CONTROLS
Output controls are designed to ensure that information is not
lost, misdirected, or corrupted and that system processes function as
intended.
Invoice (AP) file listing past-due liabilities can identify discounts lost and help
mgt assess the operational performance of the AP process.
Reconciling the GL can detect certain types of transaction errors.
Example, total of all reductions to AP should = total cash disbursements to
vendors.
Other important element of output control is the maintenance of an audit trail.
The following are examples of audit trail output controls.
Accounts Payable Change Report
Transaction Logs
Transaction Listing
Log of Automatic Transactions
Unique Transaction Identifiers
62. OUTPUT CONTROLS
Testing Output Controls
Evidence gathered through tests of output controls relates to the
completeness and accuracy assertions.
Testing output controls involves reviewing summary reports for accuracy,
completeness, timeliness, and relevance to the decision that they are
intended to support.
In addition, the auditor should trace sample transactions through audit
trail reports, including transaction listings, error logs, and logs of
resubmitted records.
Alternatively, the auditor can test output controls directly using ITF. A
well-designed ITF system will permit the auditor to produce a batch of
sample transactions, including some error records, and trace them
through all phases of processing, error detection, and output reporting.
63. SUBSTANTIVE TESTS OF EXPENDITURE CYCLE
Expenditure Cycle Risks and Audit Concerns
External auditors are concerned primarily with the potential for
understatement of liabilities and related expenses. Substantive tests of
expenditure cycle accounts are therefore directed toward gathering
evidence of understatement and omission of material items rather than
their overstatement.
In resolving these concerns, the auditor will seek evidence by performing
a combination of tests of internal controls and substantive tests. Tests of
controls include testing both general controls and application controls.
In addition to tests of controls, the auditor must perform substantive tests
to achieve audit objectives.
64. SUBSTANTIVE TESTS OF EXPENDITURE CYCLE
Understanding Data
The substantive tests described in this section involve extracting data
from accounting files for analysis.
The auditor must verify that he or she is working with the correct version
of the file to be analyzed. To do so, the auditor must understand the file
backup procedures and, if possible, work with the original files.
Data description of each file follows.
Inventory File
The Inventory file contains quantity, price, supplier, and warehouse
location data for each item of inventory. When inventory items are
sold or used in production, the Quantity-on-Hand field is reduced
accordingly by a computer application. With each inventory
reduction, the system tests for a “reorder” condition, which occurs
when the quantity-on-hand falls below reorder point. The system
prepares a PO, which is sent to the vendor, and adds a record to
Purchase Order file.
65. SUBSTANTIVE TESTS OF EXPENDITURE CYCLE
Understanding Data
Purchase Order File
This file contains records of purchases placed with suppliers.
Purchase Order Line Item File
The Line Item file contains a record of every item ordered.
Receiving Report File
When the ordered items arrive from the supplier, they are counted and
inspected, and receiving documents are prepared.
Disbursement Voucher File and Check Register File
If the items, quantities, and prices match, then a record is added to
the Disbursement Voucher File. Each payment day, the Cash
Disbursement application selects the items due to be paid and adds a
record to the Check Register File for each payment.
67. SUBSTANTIVE TESTS OF EXPENDITURE CYCLE
Testing the Accuracy and Completeness Assertions
The audit procedures described in this section provide evidence relating to
management assertions of accuracy and completeness.
Review Disbursement Vouchers for Unusual Trends and Exceptions
Auditor use ACL’s
Stratify and Classify
features to identify
various characteristic
and anomalies
associated w/ AP.
Excessive purchases
from a single supplier
reflect an unusual
business dependency
Large number of small
volume suppliers is
evidence of a highly
inefficient purchasing.
68. SUBSTANTIVE TESTS OF EXPENDITURE CYCLE
Testing the Accuracy and Completeness Assertions
Reviewing for Accurate Invoice Prices
Comparing prices on supplier invoices to original PO prices provides
evidence for testing the mgt assertion of accuracy.
Significant discrepancies between expected prices and the prices
actually charged may be due to:
(1) clerical errors,
(2) failure to review supporting documents before authorizing
payment, or
(3) AP personnel exceeding their authority in dealing with price
discrepancies.
Testing pricing accuracy involves matching records from the two files
using ACL’s Join feature and creating a third output file.
69. SUBSTANTIVE TESTS OF EXPENDITURE CYCLE
Testing the Completeness, Existence, and Rights and Obligations Assertions
The search for unrecorded liabilities provides evidence that tests the
completeness, existence, and rights and obligations assertions.
Searching for Unrecorded Liabilities
The search for unrecorded liabilities involves the Disbursement
Voucher and Receiving Report files. Again, using the Join feature, the
two files can be compared for the existence of mismatched records.
Searching for Unauthorized Disbursement Vouchers (prepared by?)
Unsupported disbursement vouchers may signify an attempt at fraud
or a poor control environment in which multiple payments are made
for the same purchase.
70. SUBSTANTIVE TESTS OF EXPENDITURE CYCLE
Testing the Completeness, Existence, and Rights and Obligations Assertions
Review for Multiple Checks to Vendors
The auditor can test for duplicate records in a large file by employing
ACL’s Duplicate feature. This technique is demonstrated below using
the Disbursement Voucher file.
Various fields or combination of fields may be used to test for
duplicate records. The auditor
needs to understand the
relationship between the files
to draw meaningful
conclusions from the test
results.
71. SUBSTANTIVE TESTS OF EXPENDITURE CYCLE
Auditing Payroll and Related Accounts
Testing accrued payroll and related accounts for completeness and
accuracy consist primarily of analytical procedures and reviews of
cash disbursements made in the following period.
The auditor should test the mathematical accuracy of payroll
summaries and trace totals to the payroll records and to the general
ledger accounts.
The average salary per employee in the current period can be
compared to the previous year’s averages. ACL’s Stratify feature can
help the auditor detect unusual trends and abnormal balances in the
payroll file.
