This is a critical part of auditing which the
student must fully understand. These are frequently the basis of examination
questions and a failure to understand what constitutes good control procedures
will undermine your work in the rest of this book.
Examples of specific control procedures are:
· Segregation of duties
· Organizational controls
· Authorization and approval
· Physical controls
· Supervision
· Personnel
· Arithmetical procedures
· Management
You can remember these through the mnemonic SOAPSPAM.
Let’s look at these in more detail.
Segregation of duties
· This is the most important single control activity and is the key to good system and procedure design. What it means is that no one person should be responsible for the recording and processing of a complete transaction.
· The involvement of several people reduces the risk of intentional manipulation or accidental error and increases the element of checking of work.
· An example of how a given transaction should be separated is:
  · Initiation (e.g. the works foreman decides the firm needs more lubricating oil);
  · Authorization (the works manager approves the purchase);
  · Execution (the buying department orders the oil);
  · Receipt (on arrival the oil is taken in by the goods-in section and passed with appropriate goods-in documentation to the stores department);
  · Recording (the arrival is documented by the goods inward section and the invoice is compared with the original order and goods-in note by the accounts department, and recorded by them in the books).
· Another example is the area of sales, where initiation is by a sales executive, authorization is by credit control and the sales manager, execution is by the finished goods warehouse staff who physically send the goods, custody is transferred from the warehouse staff to the transport department, and the transaction is recorded by the goods outward section, the invoicing section and the accounts department.
Organizational controls
An enterprise should have a plan of organization which should:
· Define and allocate responsibilities: every function should be in the charge of a specified person who might be called the responsible official. Thus, the administration of the accounts department should be entrusted to a particular person who is then responsible (and hence answerable) for that function.
· Identify lines of reporting both upwards and downwards through the organization and, where appropriate, across it as well.
In all cases, the delegation of authority and responsibility should be clearly specified. Employees should always know the precise powers delegated to them, the extent of their authority and to whom they should report. Two examples:
· Responsibility for approving the purchase of items of plant may be retained by the directors for items over £X and within the competence of the works manager for a budgeted amount agreed by the board up to a total less than this.
· Responsibility for the correct operation of internal controls may be delegated by the board to specific management personnel and to the internal audit department.
Authorization and approval
All transactions should require authorization or approval by an appropriate person. The limits to the authorizations should be specific.
Examples of such procedures are:
· All credit sales must be approved by the credit control department.
· All overtime must be approved by the factory manager.
· All individual office stationery purchases may be approved by the office manager up to a limit of £x. Higher purchases must be approved by the chief accountant.
Remembering the principle of segregation of duties outlined earlier, it should not, for example, be the case that the individual who has authority to, say, set up a new supplier's account in the purchase ledger is also responsible for authorizing invoices from that supplier and approving payment to them.
That opens the door to a particular kind of fraud: the creation of a fictitious supplier. Auditors should always, when reviewing use of authorizations and authorities as system controls, also look at what else those individuals are allowed to do and how they do it.
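The review described above can be automated in a computerized purchase ledger. The following is an added example, not part of the original text; the duty names, user names and supplier IDs are assumptions constructed for illustration. It checks both what each person is allowed to do and what they actually did for each supplier.

```python
from collections import defaultdict

# Duty pairs that must not sit with one person (assumed names, taken from
# the fictitious-supplier scenario in the text).
TOXIC_COMBINATIONS = [
    {"create_supplier", "authorize_invoice"},
    {"create_supplier", "approve_payment"},
    {"authorize_invoice", "approve_payment"},
]

def entitlement_conflicts(grants):
    """grants: {user: set of duties}. Returns sorted (user, duty_a, duty_b)."""
    findings = []
    for user, duties in grants.items():
        for combo in TOXIC_COMBINATIONS:
            if combo <= duties:  # user holds both halves of a toxic pair
                findings.append((user, *sorted(combo)))
    return sorted(findings)

def activity_conflicts(events):
    """events: (supplier_id, duty, user) records from the ledger's audit log.
    Flags users who performed incompatible duties for the same supplier."""
    performed = defaultdict(set)
    for supplier, duty, user in events:
        performed[(supplier, user)].add(duty)
    return sorted(
        (supplier, user, tuple(sorted(duties)))
        for (supplier, user), duties in performed.items()
        if any(combo <= duties for combo in TOXIC_COMBINATIONS)
    )

# Constructed sample data: dave can both create suppliers and approve payments.
GRANTS = {
    "alice": {"create_supplier"},
    "bob": {"authorize_invoice"},
    "carol": {"approve_payment"},
    "dave": {"create_supplier", "approve_payment"},
}
EVENTS = [
    ("S-100", "create_supplier", "alice"),
    ("S-100", "authorize_invoice", "bob"),
    ("S-100", "approve_payment", "carol"),
    ("S-200", "create_supplier", "dave"),
    ("S-200", "authorize_invoice", "bob"),
    ("S-200", "approve_payment", "dave"),
]

if __name__ == "__main__":
    print(entitlement_conflicts(GRANTS), activity_conflicts(EVENTS))
```

Supplier S-200 is the one an auditor would follow up: the same person opened the account and released payment to it.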
Physical controls
These are such things as physical custody of assets and involve procedures designed to limit access to assets and systems to authorized personnel only.
These controls are especially important in the case of valuable, portable, exchangeable or desirable assets. Examples of physical controls are:
· Use of passes to restrict access to a warehouse;
· Locks or keypads on doors;
· Use of passwords to restrict access to particular computer files;
· Hierarchical menus for computer operators.
Supervision
All actions by all levels of staff should be
supervised. The responsibility for supervision should be clearly laid down and
communicated to the person being supervised.
Personnel
Procedures should be designed to ensure that
personnel operating a system are competent and motivated to carry out the tasks
assigned to them, as the proper functioning of a system depends upon the
competence and integrity of the operating personnel.
Measures include appropriate remuneration and
promotion and career development prospects, selection of people with
appropriate personal characteristics and training, and assignment to tasks of
the right level.
Arithmetical procedures
These are the controls in the recording function
which check that the transactions are all included and that they are correctly
recorded and accurately processed.
Procedures include checking the arithmetical
accuracy of the records, the maintenance and checking of totals,
reconciliations, and control accounts, trial balances, accounting for documents
(sometimes known as sequence checks or continuity checks). Examples include:
· Bank reconciliations;
· Control accounts;
· Reconciliations of suppliers' statements with purchase ledger accounts;
· Checking the calculations on purchase invoices.
Management
These are controls, exercised by management, which are outside and over and above the day-to-day routine of the system. They include overall supervisory controls, review of management accounts, comparisons with budgets, internal audit and any other special review procedures.
Examples are:
· Senior management must be aware of day-to-day activities and be seen by staff to be so. Glaring failures of control (stock thefts, excess stocking, unnecessary overtime) will become apparent and staff will be motivated to perform well.
· Management accounts should be designed to summarize performance in detail. Any anomalies (cost overruns, higher than budgeted wastage levels) should become apparent.
· Budgeting and variance analysis is a management tool which should prevent or at least detect departure from management's intended plans.
Individuals performing control activities should acknowledge their checking by means of signatures, initials, rubber stamps, etc. For example, if invoice calculations have to be checked, the checker should initial some kind of posting slip attached to the invoice to indicate that this check has been carried out.
If a control procedure is not evidenced it cannot
be proved to have been performed. Auditors will look for this evidence of
performance as part of their audit procedures.