AUD1207 Integrated Internal Auditing Review PDF

Page 1 of 23 FAR EASTERN UNIVERSITY INSTITUTE OF ACCOUNTS, BUSINESS AND FINANCE DEPARTMENT OF ACCOUNTANCY AND INTERNAL AUDITING AUD1207 – INTEGRATED INTERNAL AUDITING REVIEW...

Page 1 of 23 FAR EASTERN UNIVERSITY INSTITUTE OF ACCOUNTS, BUSINESS AND FINANCE DEPARTMENT OF ACCOUNTANCY AND INTERNAL AUDITING AUD1207 – INTEGRATED INTERNAL AUDITING REVIEW COURSES SECTION D – OPERATIONS AUDITING OA 02 – AUDIT OF BUSINESS PROCESSES, PART 1 MR. CHRISTIAN ANDREI G. UTANES, CPA, CMA, MBA units NOTE TO STUDENTS: These handouts are of property of the reviewer. Unnecessary sharing and uploading of these materials are not allowed. LEARNING OBJECTIVES Upon completion of this chapter, you should be able to: Identify internal controls related to financial reporting, revenue, and disbursements cycles. Recall the fundamental tasks performed, departments involved, and the documents related in the transaction cycles. Determine the risks associated with these processes. Enumerate best practices in the aforementioned processes. Recommend business process improvement initiatives to bridge the current state of the processes to a desired future state. Lay down a simple but comprehensive implementation plan for the recommendations proposed. LECTURE NOTES ORDER TO CASH (REVENUE TO COLLECT) PROCESS The revenue cycle is a recurring set of business activities and related information processing operations associated with providing goods and services to customers and collecting cash in payment for those sales. The basic activities in the revenue cycle are order entry - soliciting and processing customer activities- filling customer orders and shipping merchandise- invoicing customers and maintaining customer accounts collections - the cashier handles remittances and deposits them in the bank; accounts receivable personnel credits customer accounts for the payments received. The sales department receives the order information from the customer, either by mail, phone, or in person. Information is captured on a sales order form which includes customer name, account number, name, number, and description of items ordered, quantities and unit prices plus taxes, shipping info, discounts, freight terms. This form is usually prepared in multiple copies that are used for credit approval, packing, stock release, shipping, and billing. The credit department provides transaction authorization by approving the customer for a credit sale and returns and allowances. The shipping department receives information from the sales department in the form of packing slip and shipping Page 2 of 23 notice. When the goods arrive from the warehouse, the documents are reconciled with the stock release papers. The goods are packed and labeled. The packing slip is included. The shipping notice is sent to billing. A bill of lading is prepared to accompany the shipment. The common documents in revenue cycle are as follows: Sales invoice notifies customer of amount to be paid. Monthly statement summarizes all transactions that occurred during month. Credit memo authorizes the billing department to credit the customer's account, should be issued by credit manager. Control Objectives for Pricing and Discount Policies Pricing should be driven by the organization’s strategic and operational goals, and is influenced by market share, competition, prevailing economic conditions, estimates of the quantity demanded by consumers, and price elasticity of demand. Inelastic demand indicates that price increases may be feasible, but the perception of value also plays a key role in that analysis. a. To ensure that pricing and discount structures are authorized and documented. b. To ensure that pricing levels are competitive, proﬁtable, and adequately cover the underlying costs. c. To ensure that an awareness of market trends, competitor pricing, etc. is maintained to enable the appropriate commercial response. d. To ensure that authorized prices and discounts are correctly applied to invoices. e. To ensure that changes to prices and discounts are authorized and correctly implemented. f. To ensure that accurate and reliable records of costs are maintained in support of determining the pricing policy. g. To provide adequate costing information as a means of identifying the potential for cost savings, etc. h. To ensure that the effects of taxation and duty are taken into account when setting prices. i. To ensure that, when applicable, geographic differentials and the effects of cyclical sales patterns are taken into account when determining variations to the pricing policy. j. To ensure that pricing structures accord with the relevant distributor, agent, retailer chain and are competitive at each stage. k. To ensure that government, national and international pricing restrictions are taken into account when applicable. Typical Controls Pricing and discount policies are documented, authorized, and implemented consistently. Management maintains an accurate awareness of market trends and competitor prices as determinants of pricing policy. Required price, profit, and quantity of returns are determined with the input of SMEs, market information, and accurate company data. Value-ranges, access, and data transfer controls make sure that price and discount amounts are within acceptable limits, authorized by appropriate individuals and are captured accurately in financial and operational reports. Process controls ensure the mathematical accuracy of cost, pricing, and billing information. System interfaces make sure that data input and output from other systems (e.g., product costing) are accurate. Segregation of duties is in place to protect sensitive pricing information from unauthorized access. Risk and Control Issues for Pricing and Discount Policies Page 3 of 23 Key Risks Prices and discounts make products/services uncompetitive or unprofitable. Prices, and related sales projections, are unrealistic. Prices and discounts are applied incorrectly. Excessive and unauthorized prices and discounts are applied. Individuals and organizations use proprietary information inappropriately. 1 Key Issues 1.1 Have documented pricing and discount policies been authorized and implemented (and are they based on established proﬁt margins, etc.)? 1.2 What steps are taken to ensure that prices remain competitive, proﬁtable and sustainable? 1.3 How is management assured that the correct prices and discounts are always applied to invoices (and what mechanisms are in place to detect and report any unauthorised variations)? 1.4 How does management conﬁrm that product costing information is accurate, complete and reliable as the basis for determining prices? 1.5 What measures ensure that changes to prices and discount structures are justiﬁed, authorized, and correctly applied? 1.6 Does management take into account the effects of taxation (e.g. VAT or sales tax), duty and any prevailing price constraints when determining pricing levels? 2 Detailed Issues 2.1 How does management ensure that the most appropriate form of product costing is applied? 2.2 How does management maintain an accurate awareness of market trends, competitor prices, etc. as determinants of pricing policy? 2.3 Are the required proﬁt levels and returns realistically established? 2.4 What processes link individual customers to the correct pricing and discount structure, to ensure the accurate calculation of invoices? 2.5 What parameters govern the eligibility for discounts, and what mechanisms ensure that they are correctly applied? 2.6 What steps are taken to protect commercially sensitive pricing information from unauthorised access and leakage? 2.7 Does management take into account the potential for geographic differentiation in pricing policy, and if so, what assurances are there that the variations are correctly applied to invoices? 2.8 Where the sales of a product are affected by cyclical patterns, does the pricing structure vary in relation to demand (and is this process duly authorized)? 2.9 Where prices vary according to cyclical sales patterns, how does management ensure that the correct price is applied? 2.10 What measures prevent the set-up and application of invalid or unauthorised prices and discounts? Page 4 of 23 2.11 How does management verify that the prevailing pricing structure complies with any national or international pricing regulations? 2.12 How is the accuracy of data input from other systems (e.g., product costing) conﬁrmed? 2.13 How is the accuracy of data output to other systems (e.g., accounts receivable or advertising and promotion) conﬁrmed? Control Objectives for Order Processing a. To ensure that all valid orders are correctly identiﬁed, accounted for and processed in accordance with the organization’s policies and procedures. b. To ensure that ofﬁcial orders are accepted only from bona ﬁde, authorized and suitable customers. c. To ensure that orders are accepted only for creditworthy customers with sufﬁcient available credit limits. d. To ensure that new customers are properly assessed and authorized for set-up with an appropriate credit limit. e. To ensure that the determination and amendment of credit limits is appropriately authorized. f. To ensure that effective credit control is exercised to ensure that customers’ accounts are promptly followed up and payments obtained. g. To ensure that all order details are accurately captured for subsequent processing purposes. h. To ensure that all affected functions are coordinated so that the order is promptly and efﬁciently fulﬁlled. i. To ensure that orders are promptly and accurately acknowledged. j. To ensure that delivery and any other special customer requirements are identiﬁed and appropriately addressed. k. To ensure that all orders are promptly fulﬁlled, delivered and conﬁrmed as received. l. To ensure that invoices are raised against all fulﬁlled orders and accounted for within the accounts receivable system and accounts. m. To ensure that the correct terms, prices, and discounts are reﬂected on subsequent invoices. n. To ensure that key data (product prices, order records, etc.) are adequately protected from unauthorised access and amendment. o. To ensure that export orders are handled in accordance with all the prevailing regulations. p. To ensure that all the current laws and regulations are correctly and fully observed. Risk and Control Issues for Order Processing 1 Key Issues 1.1 What measures ensure that all orders (from all possible sources) are correctly identiﬁed, logged, reviewed, authorized to proceed, and accounted for? 1.2 What measures prevent the acceptance of orders based on invalid or unauthorised terms and conditions (e.g., those outside the deﬁned company policies)? 1.3 What measures are applied to ensure that only orders from established, authorized, bona ﬁde customers are accepted? 1.4 What mechanisms prevent the acceptance and processing of orders from customers who have an outstanding/overdue balance on their account or insufﬁcient authorized credit remaining? 1.5 How does management assess new customers for their ﬁnancial stability and suitability, etc. (and what measures prevent the acceptance of inappropriate customers)? Page 5 of 23 1.6 Are all new customers and the setting of their initial credit limits subject to suitable authorities? 1.7 How is management assured that credit limits are strictly observed and amended only when suitably authorized? 1.8 What measures ensure the accurate capture of order data? 1.9 What mechanisms ensure the appropriate coordination of the following functions in the correct and prompt processing of customer orders: sales production stock control export department accounts receivable credit control dispatch/distribution after sales support? 1.10 What measures ensure that all orders are acknowledged and efﬁciently fulﬁlled? 1.11 How is management assured that accurate invoices are raised and accounted for within the accounts receivable system? 1.12 How does management ensure that all export orders are correctly processed and handled in accordance with all the prevailing regulations? 1.13 What measures are in place to ensure that all the relevant legislation and regulations are correctly observed? 2 Detailed Issues 2.1 Have authorized and documented policies been established for the following: new customer acceptance setting credit limits credit control pricing and discounting standard terms/conditions export sales procedures? 2.2 How is compliance with all the authorized policies assured? 2.3 Are accurate and reliable records of authorized existing customers maintained, and how are they protected from unauthorised access and invalid amendments? 2.4 What form of assessment and veriﬁcation is applied to new or potential customers to conﬁrm their acceptability? 2.5 What measures prevent the set-up of a customer record when the required assessment and credit checks have not been applied? 2.6 Are procedures in place governing the determination and amendment of credit and trading limits, and how is management sure that they are always correctly complied with? 2.7 What mechanisms prevent the acceptance of an order where the customer has previous accounts overdue for payment? Page 6 of 23 2.8 Are measures in place to identify and cater for any special customer requirements (e.g., speciﬁc delivery dates, modiﬁed speciﬁcation)? 2.9 What measures are in place to identify accurately the status of all orders and highlight those outstanding for delivery? 2.10 What processes identify and accordingly progress outstanding orders? 2.11 Are all deliveries accurately recorded and documented as either received or rejected (in whole or in part)? 2.12 What procedures link orders delivered to the accurate generation of the relevant invoices? 2.13 What mechanisms ensure that the correct, appropriate, and authorized details (prices, discounts, quantities, terms, etc.) are reﬂected on invoices? 2.14 What processes prevent the delivery of an order without the generation of the relevant invoice? 2.15 What measures protect key data (prices, discounts, order records, invoice records, etc.) from unauthorised access and amendment? 2.16 Are all invoices correctly and accurately accounted for on the customer’s debtors accounting record? 2.17 What measures ensure that all invoices are promptly dispatched to customers? 2.18 In order to prevent staff malpractice and fraud, are key duties adequately segregated? 2.19 Is management provided with adequate, accurate and timely management information about orders received and in progress, etc.? 2.20 How is the accuracy of data input from other systems (e.g., agencies or stock control) conﬁrmed? 2.21 How is the accuracy of data output to other systems (e.g., distribution or accounts receivable) conﬁrmed? Control Objectives for Accounts Receivable a. To ensure that all income generating activities are identiﬁed and accurately invoiced to customers. b. All amounts due to the company undergo collection efforts. c. Transactions are posted accurately and in time in financial statements. d. Credit is granted based on the buyer’s risk profile. e. To ensure that all invoices are paid, and the income is correctly identiﬁed and accounted for and reﬂected in the accounts. f. To minimize the extent of debt and provide for the prompt follow-up of overdue accounts. g. To maintain the integrity of the accounts receivable system and data. Typical Controls Procedures are in place for the authorization and setting of realistic customer credit limits and to make sure they are not exceeded. Credit limits are based on credit worthiness. Access controls prevent unauthorized employees from accessing and manipulating the accounts receivable system and data. Page 7 of 23 Customer credits and bad debt write-offs are monitored and issued by authorized individuals and require management approval. All customer complaints are researched and appropriately acted on. Delinquent and uncollectable balances are researched and appropriately acted on. Risk and Control Issues for Accounts Receivable Key Risks The posting of sales transactions is inaccurate. Collection efforts are inefficient, ineffective, inconsistent, or unlawful. Deposit of customer payments is delayed. Bills (i.e., invoices) are inaccurate or not sent to customers promptly. Customers with poor credit worthiness and lacking financial stability are granted credit. Unidentified payments are not processed promptly. Credit limits are excessive. Unauthorized individuals modify customer accounts or obtain customer information inappropriately. Fraud is perpetrated against the organization (e.g., embezzlement, skimming, kiting, write-offs, or credits for kickbacks). Excessive and inappropriate credits are issued to customers. Excessive account adjustments and write-offs are issued. 1 Key Issues 1.1 How does management ensure that all goods delivered, and services performed are identiﬁed and duly invoiced to customers? 1.2 What steps are taken to avoid trading involvement with ﬁnancially unstable or unsuitable customers? 1.3 What procedures ensure all the required invoices are correctly raised using the appropriate prices and discounts, and that they are recorded, dispatched, and accounted for within the accounting system? 1.4 How is management certain that all customer remittances are correctly identiﬁed, recorded and accounted for? 1.5 Is management provided with adequate, timely and accurate information on potential and actual debt cases to enable prompt reaction? 1.6 Are overdue accounts promptly identiﬁed and effectively progressed? 1.7 Is output VAT (or equivalent sales taxes) correctly and consistently applied in accordance with the prevailing legislation? 2 Detailed Issues 2.1 Are all goods and services provided by the organization accurately identiﬁed as the basis for subsequent customer billing? 2.2 How does management verify that all invoices are raised using the correct/appropriate prices and discounts? 2.3 What processes prevent the generation of duplicate invoices? Page 8 of 23 2.4 What would prevent the generation and dispatch of an incorrectly completed invoice? 2.5 Are all invoices and credit notes identiﬁed and accounted for? 2.6 Are all invoices and credit notes correctly posted to an individual customer account? 2.7 What steps are taken to ensure that the correct rate of output VAT (or equivalent sales tax) is applied to all relevant invoices? 2.8 What mechanisms ensure that all the required invoices are printed and promptly dispatched to customers? 2.9 Are potential customers appraised for creditworthiness and ﬁnancial stability prior to trading relations being established? 2.10 What other measures are taken to prevent future bad debt situations? 2.11 Are there adequate procedures for the authorization and setting of realistic customer credit limits? 2.12 What measures ensure that agreed credit limits are not exceeded? 2.13 What action is taken if an invoice is returned as undelivered by the postal service? 2.14 How does management ensure that all invoice values are posted to the accounts receivable system? 2.15 What prevents staff raising invalid or false credit notes in order to manipulate an account? 2.16 Are all credit notes checked for validity/accuracy and authorized by an appropriate member of staff? 2.17 Are all credit notes accounted for and conﬁrmed as despatched? 2.18 Are all other account adjustments authorized as valid and conﬁrmed as being processed? 2.19 Are all accounts receivable transactions accurately reﬂected in the general ledger for the appropriate accounting period? 2.20 How does management ensure that all customer remittances are identiﬁed, accounted for, correctly entered the system against the relevant customer and promptly banked? 2.21 Is someone responsible for reconciling all transactions passing through the accounts receivable system to the relevant source and target systems? 2.22 How does management ensure that the individual customer account balances are correct? 2.23 Are customer remittances banked as soon as possible? 2.24 Are queries raised by customers logged and promptly resolved? 2.25 Are rejected or unidentiﬁed payments highlighted and promptly reacted to? 2.26 Are unauthorised members of staff prevented from accessing and amending the accounts receivable system and data? 2.27 Are statements accurately produced for all relevant customers and conﬁrmed as dispatched? 2.28 Have speciﬁc responsibilities been allocated for the speedy identiﬁcation and follow-up of overdue accounts? Page 9 of 23 2.29 Are all overdue accounts (and those approaching being overdue) highlighted for action? 2.30 Is adequate, accurate and timely information produced and circulated for debt follow- up purposes? 2.31 Are all reasonable and permitted courses of action taken to pursue outstanding accounts and how is the action taken evidenced? 2.32 Are levels of bad debt accurately and regularly reported to management? 2.33 Are all bad debt write-offs authorized by an appropriate member of staff or management? 2.34 Can invalid or false write-off entries be processed? 2.35 Are the more serious and signiﬁcant bad debt cases adequately and cost-effectively pursued? 2.36 Are all transactions adequately trailed and supported by appropriate documentation? 2.37 Have documented operational procedures been provided for the accounts receivable department? 2.38 Have speciﬁc responsibilities and authorities been clearly deﬁned and allocated? 2.39 How is the accuracy of data input from other systems conﬁrmed? 2.40 How is the accuracy of data output to other systems conﬁrmed? PROCURE TO PAY (EXPENDITURE) PROCESS The expenditure cycle is a recurring set of business activities and related data processing operations associated with the purchase of and payment for goods and services. The basic activities in the expenditure cycle are: Requesting the purchase of needed goods. Ordering goods to be purchased. Receiving ordered goods. Approving vendor invoices for payment. Paying for goods purchased. Inventory control monitors inventory and authorizes restocking with a purchase requisition. A copy is retained, and one is sent to accounts payable. Purchasing acts on the purchase requisition and prepares a purchase order (PO). The original is sent to a vendor. Copies go to inventory control and accounts payable. A blind copy is sent to receiving and another is filed in purchasing. When the goods are received, the receiving staff count and inspect the goods. The blind PO tells what goods were ordered. The count is a significant control check. Receiving prepares a receiving report. One copy accompanies the goods to the storeroom. Other copies go to purchasing, inventory control, and accounts payable. Accounts payable reconciles the purchase requisition, purchase order and receiving report. When the vendor invoice arrives, it is examined thoroughly and reconciled and if all documents agree, the transaction is recorded in the purchases journal and the accounts payable subsidiary ledger. The information is filed until the time arises to make payment. The general ledger department receives a journal voucher from AP and a summary from inventory control. The inventory and accounts payable control accounts are updated. For the disbursements, accounts payable reviews the documents related to a liability: purchase requisition, purchase order, receiving report, and vendor invoice. If proper, cash disbursements department is authorized to make payment. Cash disbursements prepares the check, a separate person signs it, sends it to the vendor, and notifies accounts payable. At the end of the period, cash disbursements and accounts payable send summary information to general ledger. Page 10 of 23 Control Objectives for Purchasing a. To ensure that all purchasing activities are supported by authorized and documented policies and procedures. b. To ensure that purchasing appropriately supports the business objectives of the organization. c. To ensure that the appropriate goods/services are obtained at the optimum price and at the relevant time. d. To ensure that all purchasing activity is valid, justiﬁed and authorized within the prescribed budgets. e. To ensure that suppliers are reliable, ﬁnancially stable and able to satisfy the organization’s purchasing demands. f. To ensure that all goods and services are of an appropriate quality to satisfy the organization’s objectives. g. To ensure that supplier’s trading terms and conditions are appropriate. h. To ensure that purchasing activities comply with all the prevailing legislation and regulations. i. To ensure that all purchasing activity is correctly reﬂected in the organization’s stock control records and accounts. j. To ensure that overdue and late deliveries are progressed. k. To ensure that supplier performance is adequately monitored and reacted to. l. To provide management with adequate, accurate and timely information on purchasing activities. Typical Controls Purchasing activities are supported by documented, up to date, and authorized policies and procedures. Authority limits and access controls restrict which employees can create and approve purchase orders and purchase requisitions. All purchases require documentation justifying the need for the items purchased and related budgets to be charged for the expenses. Vendor assessment and selection criteria are in place, detailing required documentation such as minimum number of price quotes, quality standards, financial condition, etc. Terms of the relationship are documented in purchase orders and/or contracts. Vendor records are reviewed periodically to make sure terms of the relationship are appropriate and up to date. The organization obtains audited financial statements and declaration of insurance before engaging in purchasing activities from significant vendors and obtains updated documents periodically. Appropriate demand requirements (e.g., forecasts and replenishment thresholds) reduce the likelihood that excess items are purchased at any location, while there are excess supplies at another location. All POs are supported with sufficient details, descriptions, specifications, prices, delivery dates, delivery locations, and terms. All changes to purchase orders are valid, correctly applied, and authorized. A robust process ensures all vendors are screened when they are first contracted with, and performance monitoring mechanisms are in place subsequently. Purchasing decisions are based on highest value (e.g., combination of price, quality, service, and delivery), not merely lowest price. A preferred vendor list is in place and purchases from other vendors are restricted and monitored. Vendor records are reviewed periodically to make sure the information (e.g., addresses, contacts, and terms) are up to date and suppliers meet quality and delivery requirements. Page 11 of 23 Approval decisions include a review of payment terms to make sure the organization takes advantage of all applicable discounts available. Employees have received and agree to abide by a conflict-of-interest statement. An ethics hotline is in place and ways to contact that resource are prominently advertised within and outside the organization. Note: Sharing the contact information for the ethics hotline outside the organization is important because it makes it easier for others to contact an appropriate party in the event unethical activities exist. The activities of ordering, accounting, and receiving goods are separated to prevent inappropriate activities. Risk and Control Issues for Purchasing Key Risks The organization overpays for items purchased. There are excessive, overdue, poor quality, and late deliveries. Vendors are selected inappropriately (e.g., favoritism and poor quality). The organization buys more than it needs. Unqualified or illegal vendors are used. 1 Key Issues 1.1 Have authorized and documented purchasing policies and procedures been developed, implemented, and adequately communicated to all affected parties? 1.2 How does management verify that all purchase orders are justiﬁed, authorized, within budget and accounted for within the correct accounting period? 1.3 What mechanisms prevent the invalid, unauthorised and fraudulent use of ofﬁcial orders? 1.4 How does management ensure that adequate and appropriate supplies are obtained to sustain the required business activities? 1.5 How does management ensure that goods and services are always obtained at the most economical and fair price? 1.6 How does management verify that all suppliers are stable, reliable, and capable of meeting the organization’s needs at the optimum price? 1.7 What processes ensure supplies are to the required standard, speciﬁcation and quality? 1.8 What mechanisms ensure that all goods are received on time and that overdue deliveries are identiﬁed and progressed? 1.9 How does management verify that all purchases are correctly reﬂected in stock control and accounting records? 1.10 What processes ensure that all purchasing activities fully comply with all the relevant legislation and regulations? 2 Detailed Issues 2.1 Have purchasing authority limits (ﬁnancial and type) been established, and what mechanisms prevent such limits being exceeded? Page 12 of 23 2.2 Are adequate purchasing procedures in place and what processes ensure that they are kept up to date? 2.3 What measures ensure that purchase orders are issued only from authorized sources? 2.4 What mechanisms prevent the processing of purchase orders out with the established policy conditions? 2.5 Are all purchase orders formally justiﬁed and suitably authorized, and how is this evidenced? 2.6 How is management assured that all purchasing activity across the organization is suitably coordinated in order to avoid waste and maximize purchasing terms, etc.? 2.7 Are purchase orders conﬁrmed to be within the agreed budgets at the point of commitment, and how is an unauthorised commitment prevented? 2.8 How does management verify that the format and content of all ofﬁcial orders conform to the required standards and legislation? 2.9 Are purchase orders adequately supported with sufﬁcient details, descriptions, speciﬁcations, prices, delivery location, call-off and freight terms in order to ensure that the precise requirements of the business are met? 2.10 What processes prevent the dispatch of inaccurate, incomplete, or ambiguous purchase orders? 2.11 What processes prevent the raising and dispatch of duplicate purchase orders? 2.12 What mechanisms ensure that the appropriate quantities of goods are ordered to support the operational requirements of the business? 2.13 What mechanisms ensure that all subsequent purchase order amendments are valid, authorized, and correctly applied? 2.14 What mechanisms are in place to prevent over-ordering of items? 2.15 How are potential suppliers selected and what prevents the use of unstable or poor quality suppliers? 2.16 How is management certain that the purchasing function fully researches the optimum sources for their requirements? 2.17 Where approved suppliers have been identiﬁed, what mechanisms prevent the use of unauthorised sources of supply? 2.18 Are suppliers adequately and independently assessed for “approved” status, and what prevents staff/supplier misuse of the process? 2.19 Are accurate and up-to-date records of approved/suitable suppliers maintained, and what mechanisms prevent unauthorised and invalid access or amendment of such records? 2.20 Is the performance of suppliers monitored against all requirements and expectations so that unsuitable, unreliable or poor quality suppliers can be promptly identiﬁed and the appropriate action taken? 2.21 Would management be alerted if there was undue preference being given to a speciﬁc supplier, or there was an unreasonable demand being placed on any one supplier, or if there was potential for an unethical relationship being established between a supplier and purchasing management? Page 13 of 23 2.22 Is there adequate liaison between the purchasing function and all other affected activities (production, sales, stock control, etc.) and how are problems and conﬂicts avoided? 2.23 How does management verify that delivery requirements and call-offs are accurate, up to date and complied with? 2.24 Does the purchasing function maintain an adequate awareness of market conditions, prices, etc. in order to ensure the placement of orders at the optimum price? 2.25 How does management ensure that all available discounts are suitably exploited? 2.26 Are all relevant purchase versus leasing options adequately appraised to ensure that the most advantageous purchase terms are utilized? 2.27 How does management monitor that all the required quality and standards for supplied goods are achieved? 2.28 Would the supply of substandard, inadequate or poor quality goods be detected? 2.29 Are all rejected and returned goods correctly identiﬁed and a suitable credit claimed and accounted for? 2.30 How does management conﬁrm that all the goods ordered and invoiced have in fact been received on time? 2.31 How is accuracy of data input from other systems (e.g., sales or production requirements) conﬁrmed? 2.32 How is the accuracy of data output to other systems (e.g., stock control, warehousing) conﬁrmed? 2.33 What steps are in place to ensure that the value of all order commitments and the associated cash ﬂow impact is accurately calculated and accounted for? 2.34 Are the processes of ordering, accounting, and receiving goods adequately segregated to prevent staff malpractice? 2.35 If staff purchase orders are processed, what mechanisms ensure that they are correctly and separately accounted for, and correctly and fully settled by the employee? 2.36 Where goods are obtained from overseas suppliers, how does management ascertain that all the relevant import and foreign exchange regulations have been identiﬁed and correctly addressed? 2.37 Is management provided with accurate, timely and relevant information on purchasing activities to support their decision making, etc.? Bidding Bidding is a common process to obtain information from organizations that are vying for the work. It typically begins with the definition of requirements and the distribution of a request for bids, request for proposals, or request for tenders. This is a formal and structured invitation to suppliers. Interested organizations then respond by submitting their details as proposals, which are then reviewed by the hiring organization, and often after some final negotiations, a contract is signed and the relationship formalized resulting in the purchase and delivery of goods and services. Page 14 of 23 Key Objectives The bidding process is competitive and prevents fraud and collusion. The bidding process is fair and the work is awarded to the vendor providing the best value for money. The bidding process is free from bias or undue influence. An adequate bidding timetable is used. Bids are correctly identified, recorded, accounted for, and protected from tampering. Typical Controls Bidding instructions are accurate, complete, and unambiguous. Appropriate internal procedures are in place to protect the recording, handling, storage, and assessment of submitted bids, including the prevention of unauthorized access, opening, amendment, or tampering/alteration. Management has established minimum competition criteria for the bidding process; generally, a minimum of three bids, except in sole-provider situations, where detailed documentation is required to demonstrate there are no other eligible vendors in the marketplace. Documented and up-to-date policies and procedures for bidding on tenders are in place. The organization protects submitted tenders from alteration, information leakage, or destruction by using an electronic bid or supplier portal, or by retaining them in a sealed condition by an impartial party. All bids are opened simultaneously in the presence of an independent observer. Late or incomplete bids are disqualified. A scoring scheme is in place to make sure evaluation criteria are applied consistently, the evaluation process is transparent, and performed by independent parties. Management obtains reliable documentations to verify that potential bidders are financially stable, reliable, and technically competent, such as audited financial statements, certificates of insurance, reliable and recent references, and certificates showing quality standards are met (e.g., ISO 9000). Procedures are in place to make sure that any additional information or amendments to the original RFP are fairly circulated to all bidding vendors. The bid review committee or team is balanced, unbiased, and suitably qualified. Key Risks Bidders provide false information that result in selecting an inappropriate vendor. Nepotism, favoritism, or bribery results in inappropriate organizations being selected because individuals within the hiring organization steer business to preferred suppliers for personal gain. The hiring company hires a provider that is unable to meet its requirements. The organization suffers from internal and/or external fraud. Product Receipt (Quality) Quality is a critical differentiator for most organizations, and those in the manufacturing sector, face an additional risk factor—suppliers who provide defective parts. Organizations must develop robust procedures to ensure production processes adhere to high-quality standards and that goods are shipped according to client expectations. Defective inputs, however, can diminish the effectiveness of such procedures. Page 15 of 23 Key Objectives Incoming materials meet company specifications and delivery requirements. Materials are protected from loss or damage. Materials are processed right away so they move promptly within the production cycle. Typical Controls Incoming materials are inspected upon receipt by a qualified individual. Inspection reports are reviewed by a designated individual who is objective and competent. Inspection reports are retained according to the company’s document retention policy. Performance reports are prepared and distributed promptly for review. Corrective action is taken promptly if anomalies (e.g., packaging, quality, and delivery time) are identified. Materials are segregated upon receipt and are not entered into production/manufacturing cycle until after they have been properly inspected. Key Risks Incoming materials are defective, arrive too early or past the due date. Inspection reports are inaccurate and prepared past their due date. Relevant quality and inspection reports are not retained as required. Supplier performance deteriorates without management knowledge and appropriate corrective action. Employees in the receiving department do not know how to inspect materials received. Materials are issued to production without, or before, being inspected. Control Objectives for Accounts Payable a. To ensure that all payments are for valid and suitably approved creditor accounts for goods and services actually received. b. Payments are for goods and services received in acceptable condition. c. Prevailing sales taxes regulations are complied with. d. Positive working relationships are maintained with key suppliers. e. Financial statements reflect all liabilities outstanding and paid. f. To ensure that all payments are correct and accurately reﬂected in the accounting system. g. To prevent the possibility of supplier or staff malpractice. Typical Controls All invoices are authorized at the appropriate level before payment, and this is documented electronically in the company’s payment processing system. A monthly reconciliation confirms the accuracy of financial reporting. There is adequate segregation between those originating purchase orders and those authorizing the related invoice for payment. System controls make sure all invoices are correctly coded and reflected in the financial records. All checks, electronic funds transfers (EFTs), or other forms of payment, are confirmed as correct and authorized by an appropriate manager before release. Vendor records are reviewed annually for accuracy. Page 16 of 23 Credit notes and other adjustments (e.g., balance write-offs) are confirmed as correct and authorized before processing. Outstanding liabilities are accrued accurately and entered in the accounting system and financial statements during the preparation of financial reports. Risk and Control Issues for Accounts Payable Key Risks The organization pays for goods and services not received. The organization pays multiple times for the same items. The organization suffers employee, contractor, and supplier fraud. Employees make purchases not previously budgeted and approved. Invoice payments are made to invalid, unapproved, or unauthorized vendors. Invoice pricing, amounts, deductions, or other terms are paid incorrectly. Financial statements are inaccurate. 1 Key Issues 1.1 How does management ensure that only valid invoices are paid where the goods and services have been correctly and fully received? 1.2 What mechanisms prevent the payment of inaccurately priced/calculated or duplicated invoices? 1.3 Are all invoices authorized prior to payment and conﬁrmed as being within the agreed budget? 1.4 How does management ensure that the application and accounting treatment of Input VAT (or local sales tax) and duty is correct and in accord with the prevailing legislation or requirements? 1.5 What processes ensure that the values of paid accounts and outstanding invoice liabilities are accurately and completely reﬂected in the accounting system? 2 Detailed Issues 2.1 Is the organization adequately protected from the payment of invalid or fraudulent invoices? 2.2 What would prevent staff from introducing false invoices into the system and these subsequently being paid? 2.3 Are all invoices identiﬁed, recorded, trailed, and accounted for? 2.4 How does management ensure that the goods and services being charged for have actually been fully received? 2.5 What prevents payment of invoices where the goods were returned or proved to be unsatisfactory? 2.6 What prevents invoices from being paid more than once? 2.7 What prevents copy invoices from being paid? 2.8 Are invoice payments only made to valid and approved suppliers? Page 17 of 23 2.9 Would all invoice pricing and calculation errors be detected and resolved prior to payment? 2.10 Are all invoices subject to authorization at the appropriate management level prior to payment and how is this process evidenced? 2.11 Is there adequate segregation applied between those originating purchase orders and those authorizing the relevant invoice for payment? 2.12 Are Input VAT (or the equivalent sales taxes) and duty charges checked for validity and mathematical accuracy? 2.13 How does management verify that all VAT (or the equivalent sales tax) and duty is being correctly and accurately accounted for and recovered (if applicable)? 2.14 How does management conﬁrm that all invoice transactions are correctly coded and accurately reﬂected in the ﬁnancial records? 2.15 Are cheques or other methods of payment conﬁrmed as correct and suitably authorized by an appropriate ofﬁcial before release? 2.16 Are all settlement cheques or payments accurately recorded, conﬁrmed as being promptly dispatched and subsequently accounted for through the relevant bank accounts? 2.17 Are individual supplier accounts accurately maintained so as to reﬂect the current situation? 2.18 Are foreign currency payments accurately calculated using the correct exchange rates? 2.19 Are invoices from overseas suppliers correctly treated in respect of sales tax or VAT recovery, etc.? 2.20 Are staff (and others) prevented from applying unauthorised amendments to the accounts payable system data? 2.21 How is the integrity of the accounts payable system assured? 2.22 Is management provided with accurate and relevant data from the accounts payable system on a timely basis? 2.23 Are credit notes and other adjustments (i.e., balance write-offs) conﬁrmed as being correct and authorized for entry? 2.24 Are all transactions adequately trailed and supported by the relevant documentation? 2.25 Are discounts (including settlement discounts) correctly applied whenever relevant? 2.26 Are invoice payments made at the appropriate time (i.e., avoiding premature or overdue payment)? 2.27 Have comprehensive and up-to-date procedures been produced and circulated governing the accounts payable function? 2.28 Do the current procedures accurately deﬁne the requirements for ensuring compliance with any applicable regulatory requirements? 2.29 Are staff aware of their speciﬁc obligations and responsibilities? 2.30 How is the accuracy of data input from other systems conﬁrmed? 2.31 How is the accuracy of data output to other systems conﬁrmed? Page 18 of 23 PETTY CASH AND EXPENSES Petty cash reviews are generally related to questions of scale. The levels of petty cash and general expense expenditure will vary considerably between organizations. Taking account of the possible low- level scale of petty cash costs, management may feel content with the application of common controls and cost containment principles, as it will consider that there are more pressing business issues to address. However, given the relatively simple processes involved and the possible proliferation of an attitude that “everybody ﬁddles their expenses, don’t they?” a lack of basic control can very easily lead to losses and staff behaving unethically. Control Objectives for Petty Cash and Expenses a. To ensure that all expenses are valid and authorized. b. To ensure that all expenses are correctly identiﬁed, recorded and accurately reﬂected in the accounting system. c. To ensure that all expense payments are in accord with company policy and any relevant external regulations (e.g., for sales tax or VAT). Risk and Control Issues for Petty Cash and Expenses 1 Key Issues 1.1 How does management monitor that only valid, accurate and authorized expenses are processed? 1.2 What mechanisms prevent the acceptance and processing of invalid, unauthorised, or incorrect expenses? 1.3 Are all petty cash ﬂoats identiﬁed and accounted for? 1.4 Has management established clear policies and procedures for recording, authorizing, and processing petty cash and expense claims? 1.5 How does management conﬁrm that all petty cash and expenses are correctly reﬂected in the accounting system? 1.6 How is compliance with the prevailing VAT (or the equivalent sales tax) regulations for expenses conﬁrmed? 2 Detailed Issues 2.1 Are expenses claims and petty cash returns supported by the relevant receipts? 2.2 Have expense authority levels and mandates been established, and how is their correct application evidenced? 2.3 Are petty cash and personal expense ﬂoats accounted for and regularly veriﬁed? 2.4 How does management ensure that petty cash/expense ﬂoats are appropriately recovered when an employee leaves the organization? 2.5 Have staff been made aware of their responsibilities in respect of petty cash and expenses, especially their guardianship of ﬂoats? 2.6 What prevents the processing of personal cheques, loans and IOUs through the petty cash ﬂoat? Page 19 of 23 2.7 Is the VAT or sales tax content being correctly identiﬁed and accounted for, and how are errors prevented? 2.8 Are all petty cash/expense claims adequately supported and trailed? 2.9 Are ﬂoats accurately determined, and how are excessively large ﬂoats avoided? 2.10 Have adequate and secure storage facilities been provided for petty cash and expense ﬂoats? 2.11 Has management determined and implemented standard rates for selected expense categories (e.g., meal allowances or mileage rates) and what prevents the processing of a claim for an invalid rate? 2.12 Have procedures been established governing the use of company fuel cards and credit cards? 2.13 What processes prevent the misuse of fuel cards (e.g., to cover private journeys)? 2.14 What processes prevent the misuse or inappropriate use of company credit cards? Page 20 of 23 MULTIPLE CHOICE QUESTIONS 1. The two primary classes of transaction in the sales and collection cycle are: A. Sales and sales discounts B. Sales and sales receipts C. Sales and sales returns D. Sales and accounts receivable 2. Which of the following is not one of the five classes of transaction included in the sales and collection cycle? A. Sales returns and allowances B. Charge-off of uncollectible accounts C. Bad debt expense D. Depreciation expense 3. Which of the following is not a business function within the “Sales” class of transactions? A. Processing customer orders B. Granting credit C. Processing and recording sales returns and allowances D. Shipping goods 4. Which of the following documents is not commonly associated with the “Cash Receipts” class of transactions? A. Remittance advice B. Sales order C. Prelisting of cash receipts D. Cash receipts journal or listing 5. Which one of the following is not an auditor’s concern about a key authorization point in the sales/collection cycle? A. Credit must be authorized before the sale. B. Goods must be shipped after the authorization. C. Prices must be authorized. D. The receiving room must have authorization before releasing items to inventory control. 6. What event initiates a transaction in the sales and collection cycle? A. Customer request for goods. B. Delivery of product to a customer. C. Identification of a new customer. D. Receipt of cash. 7. A _____ is a document that indicates a request for merchandise by a customer. A. Customer order B. Sales invoice C. Sales order D. Vendor invoice 8. A ________ is a document that communicates the description, quantity, and related information for goods ordered by a customer. A. Customer order B. Sales invoice C. Sales order D. Vendor invoice 9. Before goods are shipped on account, a properly authorized person must: A. Approve the customer’s credit. B. Approve the journal entry. C. Prepare the sales invoice. D. Verify that the unit price is accurate. Page 21 of 23 10. For most firms, the function of indicating credit approval is recorded on the: A. Customer order B. Remittance advice C. Sales order D. Sales invoice 11. Which of the following controls most likely would be effective in offsetting the tendency of sales personnel to maximize sales volume at expense of high bad debt write-offs? A. Subsidiary accounts receivable records are reconciled to the control account by an employee independent of the authorization of credit. B. Shipping documents and sales invoice are matched by an employee who does not have matched by an employee who does not have authority to write off bad debts. C. Employees responsible for authorizing sales and bad debt write-offs denied access to cash. D. Employees involved in the credit-granting function are separated from the sales function. 12. A _____ document that, is a contract between a carrier (e.g. a trucking company) and the seller of goods, initiates shipment of goods and indicates the description of the merchandise, the quantity shipped, and customer name and address is the: A. Vendor invoice B. Sales invoice C. Picking ticket D. Bill of lading 13. The document used as the basis for recording sales transactions and updating the accounts receivable master file is the: A. Sales order B. Sales journal C. Sales invoice D. Bill of lading 14. Which of the following control procedures could prevent or detect errors or frauds arising from shipments made to unauthorized parties? A. Documents policies and procedures for scheduling shipments. B. Establish procedures for reviewing and approving prices and sales terms before sale. C. Prenumber bills of lading and assure that related billings are made on a periodic basis. D. Prepare and periodically update lists of authorized customers. 15. Most companies recognize sales revenue when: A. Sales are invoiced. B. Goods are shipped. C. Customer orders are received. D. Customer orders are approved. 16. The classes of transactions in the acquisition and payment cycle include acquisition of: A. Goods B. Goods and services C. Goods and services and cash disbursement D. Goods and services and cash disbursement, and purchase returns and allowances 17. Debits to manufacturing equipment arise from which cycle(s)? A. Sales and collection B. Payroll C. Acquisition and disbursement D. Inventory and warehousing 18. It usually takes more time to audit the acquisition and payment cycle than other cycles because: A. There is a greater possibility of fraud in these transactions. B. Internal controls in this area are usually the weakest. C. Of the large number of accounts affected. Page 22 of 23 D. There is greater likelihood of lawsuits against the CPA relating to these accounts. 19. With respect to a small company’s system of purchasing supplies, an auditor’s primary concern should be to obtain satisfaction that supplies ordered and paid for have been: A. Requested by and approved by authorized individuals who have no incompatible duties. B. Used in the course of business and solely for business purposes during the year under audit. C. Received, counted, and checked to quantities and amounts on purchase orders and invoices. D. Properly recorded as assets and systematically amortized over the estimated useful life of the supplies. 20. To control purchasing and accounts payable, an information system must include certain source documents. For a manufacturing organization, these documents should include: A. Purchase orders, receiving reports, and vendor invoices. B. Receiving reports and vendor invoices. C. Purchase requisitions, purchase orders, inventory reports of goods needed, and vendor invoices. D. Purchase requisitions, purchase orders, receiving reports and vendor invoices. 21. Which of the following errors would be least likely to be discovered during the audit of the acquisitions and payments cycle? A. Duplicate payments of a vendor’s invoice B. Improper payments of officers’ personal expenditures C. Payment for raw materials that were not received D. Payment of interest to a related party for an amount in excess of the going rate. 22. Which of the following is not a key control in the acquisition and payment cycle? A. Authorization of purchases B. Authorization of credit C. Timely recording and independent review of transactions D. Authorization of payments 23. What typically initiates the acquisitions and payment cycle? A. Issuance of a purchase requisition or request for purchase of goods/services B. Issuance of payment to vendor C. Approval of a new vendor D. Purchase requisition 24. After a purchase requisition is approved, what must be initiated to purchase the goods or services? A. Purchase order B. Vendor order C. Call order D. Vendor invoice 25. Which of the following would be an appropriate initiation of a purchase requisition? One initiated based on a One initiated by stockroom periodic count of raw personnel as raw materials materials are needed A. Yes Yes B. No No C. Yes No D. No Yes 26. Proper authorization for acquisition is essential because it A. Ensures that goods/services were purchased from approved vendors. B. Ensures that goods/services are for authorized company purposes. C. Ensures that goods/services were purchased at the lowest possible price. D. Ensures that goods/services are used efficiently by company employees. Page 23 of 23 27. One risk associated with the purchasing cycle is the possibility that quantities in excess of organizational needs may be ordered. Which of the following controls would address this exposure? A. The warehouse delays the storage of all goods until the inspection department provides a receiving report that is consistent with the packing slip provided by the vendor. B. The receiving department delays the unloading of each shipment presented for receipt until an originating purchase order is available. C. The purchasing department places all orders when the computer indicates allow inventory level. D. A user department supervisor reviews each purchase requisition prior to its being forwarded to the purchasing department. 28. Which of the following acquisition transactions is likely to be covered by a general authorization by company policy? Purchase of office equipment Purchase of office buildings maintenance services for company use A. Yes Yes B. No No C. Yes No D. No Yes 29. A written purchase order is a legal document that is A. Not enforceable if it is not in writing. B. An offer to buy. C. An acceptance of a vendor’s catalog offer to sell. D. A binding agreement between purchases and vendor. 30. For good internal control, the purchasing department should not be responsible for A. Authorizing the acquisition of goods. B. Designing the purchase order form. C. Finding the lowest cost vendor. D. Reviewing vendors’ catalog descriptions and prices for standardized items. GOODLUCK, FEUture CIAs! ---END--- “Many of life’s failures are people who did not realize how close they were to success when they gave up” – THOMAS A. EDISON Page 1 of 10 FAR EASTERN UNIVERSITY INSTITUTE OF ACCOUNTS, BUSINESS AND FINANCE DEPARTMENT OF ACCOUNTANCY AND INTERNAL AUDITING AUD1207 – INTEGRATED INTERNAL AUDITING REVIEW COURSES SECTION D – OPERATIONS AUDITING OA 01 – OPERATIONS AUDITING CONCEPTS MR. CHRISTIAN ANDREI G. UTANES, CPA, CMA, MBA units NOTE TO STUDENTS: These handouts are of property of the reviewer. Unnecessary sharing and uploading of these materials are not allowed. LEARNING OBJECTIVES Upon completion of this chapter, you should be able to: Define operations auditing. Differentiate efficiency, effectiveness and economy and other components of seven E’s. Understand the risk-based audit model. Appreciate the nature and the value of audits other than external financial audits. Describe the benefits and challenges of operations audit. LECTURE NOTES NATURE OF OPERATIONS AUDITING Internal audit is undergoing a massive transformation. While its role to provide independent, objective assurance and consulting services to organizations in ways that improve their operations has remained constant for decades and remains true today, how this has been accomplished has changed over time. As defined by Institute of Internal Auditors (IIA), Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. However, the classic management writers, Koontz, O’Donnell and Weihrich, endorsed this approach to operational auditing: “An effective tool of managerial control is the internal audit, or, as it is now coming to be called, the operational audit... Although often limited to the auditing of accounts, in its most useful aspect operational auditing involves appraisal of operations generally... Thus, operational auditors, in addition to assuring themselves that accounts properly reﬂect the facts, also appraise policies, procedures, use of authority, quality of management, effectiveness of methods, special problems, and other phases of operations. Page 2 of 10 There is no persuasive reason why the concept of internal auditing should not be broadened in practice. Perhaps the only limiting factors are the ability of an enterprise to afford so broad an audit, the difﬁculty of obtaining people who can do a broad type of audit, and the very practical consideration that individuals may not like to be reported upon. While persons responsible for accounts and for the safeguarding of company assets have learned to accept audit, those who are responsible for far more valuable things—the execution of the plans, policies and procedures of a company—have not so readily learned to accept the idea.” Beyond ﬁnancial auditing activities, internal auditors, government auditors, and CPAs also do operational auditing, which deals with efﬁciency and effectiveness of an organization. Other auditors use the terms management auditing or performance auditing instead of operational auditing to refer to these activities, while others do not distinguish among the terms, performance auditing, management auditing, and operational auditing and use them interchangeably. We prefer to use operational auditing broadly, as long as the purpose of the test is to determine the effectiveness or efﬁciency of any part of an organization. Testing the effectiveness of internal controls by an internal auditor may therefore be considered part of operational auditing—if the purpose is to help an organization operate its business more effectively or efﬁciently. Similarly, determining whether a company has adequately trained assembly line personnel may also be operational auditing, if the purpose is to determine whether the company is effectively and efﬁciently producing products. DEFINITIONS OF OPERATIONAL AUDITING The Institute of Internal Auditors’ (IIA) defines operational audit as “a systematic process of evaluating an organization's effectiveness, efficiency and economy of operations under management's control and reporting to appropriate persons the results of the evaluation along with recommendations for improvement.” While an audit is usually associated with financial matters, operational audits are more comprehensive and go beyond financial data (although that type of reporting is often included). The primary information sources are policies and achievements related to the objectives of the organization. Operational auditing is a future-oriented, independent, systematic, and business-focused evaluation of management, and the organization’s activities controlled by management and third parties. This is done to benefit the organization’s stakeholders who trust internal auditors to identify anomalies, verify that resources are handled responsibly, and that the organization is structured and operating in ways that it is likely to succeed. The purpose of operational auditing is to improve organizational profitability and the attainment of organizational objectives. These go beyond a review of internal control issues since management does not achieve its objectives simply by adhering to satisfactory systems of internal control. Instead, management must define its goals, set appropriate strategies, staff the organization with enough and competent workers, and execute effectively. Operational auditing also involves evaluating management’s performance, since they have a fiduciary responsibility toward the organization’s owners and other relevant stakeholders. Over the past few decades, the expectations of stakeholders have increased monumentally creating a more challenging environment for managers and auditors alike. These expectations range from CSR, to acting ethically, safeguarding key information, and maintaining a positive reputation. Another important aspect of operational auditing is that rather than merely verifying that employees are performing their duties according to established policies and procedures, internal auditors also verify a variety of qualitative aspects of the organization and its activities. Regarding procedures documentation, internal auditors are expected to verify that these documents are up to date, that they are relevant, that they reflect the best way to perform the work with regards to efficiency and effectiveness, that these documents are safe from unauthorized change, they are understood by Page 3 of 10 employees, and that their location is known by employees so they can refer to them for guidance when there are questions. Operational audits may also be concerned with the structure of the organization, since a poorly structured organization, or one where information does not flow accurately and promptly jeopardizes efforts to achieve objectives. Instead, poorly structured organizations tend to be disorganized, inefficient, have high employee, customer, and vendor turnover, and become wasteful. All of these manifestations of dysfunction erode the ingredients for success and an auditor who brings a fresh and objective perspective to the review can identify these weaknesses. In the end, operational auditing is designed to evaluate the effectiveness and efficiency of business activities, processes, programs, functions, and units. The scope may be different from traditional fiscal- year scope periods, since achieving these objectives may require an analysis of multiple time periods to identify, analyze, and understand trends, patterns, outliers, and other positive or negative dynamics of interest. 7 E’s OF OPERATIONAL AUDITING Operational audits often incorporate into their scope of work the 7 Es that play a key role in the success or failure of organizations. These Es, when used in the form of themes, can help the auditor add considerable value to the engagement and show audit clients that auditors are genuinely interested in helping the organization succeed. These 7 Es can then be incorporated into the planning process, making sure that interview questions, document reviews, goals and objectives, flowcharts, walkthroughs, and other activities performed during the audit, (1) probe for the presence of these attributes, (2) verify that these are functioning effectively, and (3) are considered when making recommendations for improvement. The 7 Es are effectiveness, efficiency, economy, excellence, ethics, equity, and ecology. 1. Effectiveness. (doing the right things) It refers to meeting objectives, such as producing parts without defects. In an operational audit for effectiveness, an auditor, for example, might need to assess whether a governmental agency has met its assigned objective of achieving elevator safety in a city. To determine the agency’s effectiveness, the auditor must establish speciﬁc criteria for elevator safety. For example, is the agency’s objective to inspect all elevators in the city at least once a year? Is the objective to ensure that no fatalities occurred as a result of elevator breakdowns, or that no breakdowns occurred? 2. Efﬁciency. (doing things well) It efers to determining the resources used to achieve those objectives, such as determining whether parts are produced at minimum cost. Like effectiveness, there must be deﬁned criteria for what is meant by doing things more efﬁciently before operational auditing can be meaningful. It is often easier to set efﬁciency than effectiveness criteria if efﬁciency is deﬁned as reducing cost without reducing effectiveness. For example, if two different production processes manufacture a product of identical quality, the process with the lower cost is considered more efﬁcient. Operational auditing commonly uncovers several types of typical inefﬁciencies, including identical production records are kept by both the accounting and production departments because they are unaware of each other’s activities (there is a duplication of effort by the employees) and the ofﬁce work could be done effectively with one less administrative assistant (there are too many employees). 3. Economy. (doing them cheap) It refers to the price paid for organizational resources. Historically, the main criteria to assess economy was the price of goods and services used by the organization. While price is an important element, it has become quite apparent that buying shoddy merchandise or tools will most likely lead to having to buy replacements with greater frequency than if a higher quality item had been bought in the first place. The key is to buy Page 4 of 10 based on value, not merely price, so company procedures should focus on the assessment of value when defining allowable purchases. A better approach to assessing economy is to consider the entire value of the item. This includes warranties, replacement or repair guarantees, speed, and reliability of delivery, expected useful life of the item, and so on. It is important to mention that this criterion applies to tangible goods like materials, machinery, equipment and tools, as well as financial inputs. 4. Excellence. Another key aspect of organizational priorities is the performance of all work with high quality. Quality in all everyone does is essential for continued success. Measuring quality is essential to determine if it is being achieved and always remember that people do what is measured, repeat what is rewarded, and stop doing what is punished. Quality is clearly an important value element when selling to customers. 5. Ethics. It is a critical subject for internal auditors because an individual’s viewpoint regarding what is right and wrong will drive most aspects of decision-making and corporate behavior, including that related to the performance of control activities and treatment of others. Internal auditors should have a familiarity with the underlying concepts that define ethical thought and apply that knowledge to review and recommend improvements. After all, the lack of ethics is a key driver of inappropriate behavior and has significant implications in policy-making and organizational conduct. 6. Equity. It relates to the treatment of others with dignity and respect. This should be done consistently, by everyone, always. Equity is often thought of in terms of fairness, reciprocity, and impartiality. 7. Ecology. Environmental concerns have reached high levels over the past years and will likely continue to garner much attention in the future. In addition, customers, employees, local communities, regulators, and other stakeholders increasingly expect organizations to act responsibly toward the environment. Beyond compliance, ecological awareness and stewardship can also have a positive impact on the organization’s profitability. RISK-BASED AUDIT Every organization is different, with a different attitude to risk, different structure, different processes and different language. Experienced internal auditors need to adapt these ideas to the structures, processes and language of their organization in order to implement Risk Based Internal Auditing. IIA defines risk based internal auditing (RBIA) as a methodology that links internal auditing to an organization's overall risk management framework. RBIA allows internal audit to provide assurance to the board that risk management processes are managing risks effectively, in relation to the risk appetite. Operational risk (as opposed to effectiveness) is the risk of loss resulting from inadequate internal processes, people, and systems or from external events. Page 5 of 10 “People”, who performs the ‘operation’. Deviation from operating guideline and or inadequacy in operating guideline increases the risk of shortcoming. “Processes” and “Systems”, business activities consist of processes. When there are discrepancies in an existing procedure, or if procedure is not defined, this could result in losses (lowers effectiveness). Operational risk summarizes the uncertainties and hazards a company faces when it attempts to do its day-to-day business activities within a given field or industry. A type of business risk, it can result from breakdowns in internal procedures, people and systems—as opposed to problems incurred from external forces, such as political or economic events, or inherent to the entire market or market segment, known as systematic risk. Operational risk can also be classified as a variety of unsystematic risk, which is unique to a specific company or industry. DIFFERENCES BETWEEN OPERATIONAL AND FINANCIAL AUDIT The three major differences between operational and ﬁnancial auditing are the purpose of the audit, distribution of the report, and inclusion of nonﬁnancial areas in operational auditing. Purpose of the Audit. This is the most important difference. Financial auditing emphasizes whether historical information was correctly recorded, while operational auditing emphasizes effectiveness and efﬁciency. Financial auditing is oriented to the past, while operational auditing focuses on improving future performance. An operational auditor, for example, may evaluate whether a type of new material is being purchased at the lowest cost to save money on future raw material purchases. Distribution of the Reports. Financial auditing reports are typically distributed to external users of ﬁnancial statements, such as stockholders and bankers, while operational audit reports are intended primarily for management. The widespread distribution of ﬁnancial auditing reports requires a well- deﬁned structure and wording. The limited distribution of operational reports and the diverse nature of audits for efﬁciency and effectiveness allow operational audit reports to vary considerably from audit to audit. Inclusion of Nonﬁnancial Areas. Financial audits are limited to matters that directly affect the fairness of ﬁnancial statement presentation, while operational audits cover any aspect of efﬁciency and effectiveness in an organization. For example, an operational audit might address the effectiveness of an advertising program or efﬁciency of factory employees. Please see table below for further comparison: FINANCIAL AUDIT OPERATIONAL AUDIT To look into the correctness of To see that the financial accounting financial data and records along with records have been properly designed correctness of the accounting and maintained to furnish the procedure followed. management with timely information to help them in judging the extent to which the profitability goals have been achieved. To see that the internal control To see that the internal control system system has been working properly. has been designed from the point of view of achieving better efficiency and whether the same have been functioning effectively. To see that all payments have been To study whether some expenditure of made with proper authorization and sizeable magnitude could have been approval. avoided and reduced. Page 6 of 10 To see that the credit control has been To study the credit control system for strictly followed. suggesting better measures where considered necessary. To see that the financial statements To examine whether the operational have been prepared following GAAP functions are in tune with the and that the same display a true and management objectives and to carry fair view of the business transactions out the cost benefits analysis for as also of the position of the concern helping the management is taking as on particular date. decisions. CATEGORIES OF OPERATIONAL AUDIT Operational audits fall into three broad categories: functional, organizational, and special assignments. In each case, part of the audit is likely to concern evaluating internal controls for efﬁciency and effectiveness. 1. Functional Audits. Functions are a means of categorizing the activities of a business, such as the billing function or production function. Functions may be categorized and subdivided many different ways. For example, the accounting function may be sub-divided into cash disbursement, cash receipt, and payroll disbursement functions. The payroll function may be subdivided into hiring, timekeeping, and payroll disbursement functions. A functional audit deals with one or more functions in an organization, concerning, for example, the efﬁciency and effectiveness of the payroll function for a division or for the company as a whole. A functional audit has the advantage of permitting specialization by auditors. Certain auditors within an internal audit staff can develop considerable expertise in an area, such as production engineering. They can be more efﬁcient and effective by spending all their time auditing in that area. A disadvantage of functional auditing is the failure to evaluate interrelated functions. For example, the production engineering function interacts with manufacturing and other functions in an organization. 2. Organizational Audits. An operational audit of an organization deals with an entire organizational unit, such as a department, branch, or subsidiary. An organizational audit emphasizes how efﬁciently and effectively functions interact. The plan of organization and the methods to coordinate activities are important in this type of audit. 3. Special Assignments. In operational auditing, special assignments arise at the request of management for a wide variety of audits, such as determining the cause of an ineffective IT system, investigating the possibility of fraud in a division, and making recommendations for reducing the cost of a manufactured product. WHO PERFORMS OPERATIONAL AUDITING? Operational audits are usually performed by one of three groups: internal auditors, government auditors, or CPA ﬁrms. 1. Internal Auditors. Internal auditors are in such a unique position to perform operational audits that some people use the terms internal auditing and operational auditing interchangeably. It is, however, inappropriate to conclude that all operational auditing is done by internal auditors or that internal auditors do only operational auditing. Many internal audit departments do both operational and ﬁnancial auditing, often simultaneously. Because they spend all their time working for the company, they are auditing, internal auditors have an advantage in doing operational audits. They can develop considerable knowledge about the company and its business, which is essential to effective operational auditing. Page 7 of 10 To maximize their effectiveness for both ﬁnancial and operational auditing, the internal audit department should report to the board of directors or president. Internal auditors should also have access to and ongoing communications with the audit committee of the board of directors. This organizational structure helps internal auditors remain independent. If internal auditors report to the controller, it is difﬁcult for them to do independent evaluations and make recommendations to senior management about inefﬁciencies in the controller’s operations. 2. Government Auditors. State government auditors perform operational auditing, often as a part of doing ﬁnancial audits. Government standards are set for performance audits, which are essentially the same as operational audits. Performance audits include the following: Economy and efﬁciency audits. The purpose of an economy and efﬁciency audit is to determine: 1. Whether the entity is acquiring, protecting, and using its resources economically and efﬁciently 2. The causes of inefﬁciencies or uneconomical practices 3. Whether the entity has complied with laws and regulations concerning matters of economy and efﬁciency Program audits. The purpose of a program audit is to determine: 1. The extent to which the desired results or beneﬁts established by the legislature or other authorizing body are being achieved 2. The effectiveness of organizations, programs, activities, or functions 3. Whether the entity has complied with laws and regulations applicable to the program The ﬁrst two objectives of each of these types of performance audits are clearly operational in nature, while the ﬁnal objective concerns compliance. 3. CPA Firms/External Auditors. When a CPA ﬁrm does an audit of historical ﬁnancial statements, part of the audit often consists of identifying operational problems and making recommendations that may beneﬁt the audit client. The recommendations can be made orally, but they are typically included in a management letter. The background knowledge about a client’s business, which an external auditor must obtain while doing an audit, often provides useful information for giving operational recommendations. For example, suppose that the auditor determined that inventory turnover for a client slowed considerably during the current year. The auditor should determine the cause of the slower turnover to evaluate the possibility of obsolete inventory that would misstate the ﬁnancial statements. In determining the cause of the reduced inventory turnover, the auditor may identify operational causes, such as ineffective inventory acquisition policies, that can be brought to the attention of management. An auditor who has a broad business background and experience with similar businesses is more likely to be effective at providing clients with relevant operational recommendations than a person who lacks those qualities. Clients commonly engage a CPA ﬁrm to do operational auditing for one or more speciﬁc parts of its business. For example, a company can ask the CPA ﬁrm to evaluate the efﬁciency and effectiveness of its computer systems. Usually, management engages the CPA ﬁrm for these audits only when the company does not have an internal audit staff or if the internal audit staff lacks expertise in a certain area. In some cases, management or the board of directors outsources the entire internal audit function to a CPA ﬁrm or co-sources select internal audit activities, such as IT operational auditing activities, to be done jointly by a CPA ﬁrm and certain members of the company’s internal audit staff. In most cases, the CPA ﬁrm’s management consulting staff performs these services. Note that CPA ﬁrms cannot provide these services to their public company audit clients. Page 8 of 10 MULTIPLE CHOICE QUESTIONS 1. Which of the following is not one of the broad categories of operational audits? a. Functional audits. b. Organizational audits. c. Single Audit Act audits. d. Special assignment audits. 2. Which of the following is not a similarity between external and internal auditors? a. Both must be independent of the company. b. Both must be competent. c. Both use similar methodologies in performing their work. d. Both consider risk and materiality in their work. 3. External auditors consider internal auditors effective if they are: a. independent of the operating units being evaluated. b. competent and well trained. c. have performed relevant audit tests of the internal controls and financial statements. d. all of the above. 4. Which of the following groups could not be involved in an operational audit? a. CPA firms. b. Internal auditors. c. Government auditors. d. All of the above could be involved. 5. The professional organization which is responsible for providing guidance for internal auditors is the: a. ACPACI. b. IIA. c. PICPA. d. AIA. 6. An audit designed to evaluate the efficiency and effectiveness of an organization or some part of an organization would not be called a(n): a. performance audit. b. management audit. c. operational audit. d. compliance audit. 7. Which of the following is not one of the major differences between financial and operational auditing? a. The financial audit is oriented to the past, but an operational audit concerns performance for the future. b. The financial audit report is distributed to many readers, but the operational audit report goes to a few managers. c. Financial audits deal with the information on the financial statements, but operational audits are concerned with the information in the ledgers. d. Financial audits are limited to matters that directly affect the financial statements, but operational audits cover any aspect of efficiency and effectiveness. 8. Before an operational audit for effectiveness can be performed, there must be a. a financial audit by an independent auditor. b. a financial audit by an internal auditor. c. a review performed by either an independent or an internal auditor. d. specific criteria developed to define effectiveness. Page 9 of 10 9. Which of the following statements regarding types of operational audits is false? a. A functional audit has the advantage of permitting specialization by auditors. b. An advantage of functional auditing is its ability to evaluate interrelated functions. c. The emphasis in an organizational audit is on how efficiently and effectively functions interact. d. Special operational auditing assignments arise at the request of management. 10. A typical objective of an operational audit is to determine whether an entity’s: a. internal control is adequately operating as designed. b. financial statements present fairly the results of operations. c. specific operating units are functioning efficiently and effectively. b. operational information is in accordance with generally accepted government auditing standards. 11. The following are the similarities between internal and external auditors except a. Both must be competent as auditors and remain objective in performing their work and reporting their results. b. Both follow a similar methodology in performing their audits, including planning and performing tests of controls and substantive tests. c. Both functions serve the needs of the management. d. Both consider risk and materiality in deciding the extent of their tests and evaluating results. However, their decisions about materiality and risks may differ because external users may have different needs than management or the board. 12. Below are the criteria which the external auditors typically consider internal auditors effective if they meet the following except: a. Independent of the operating units being evaluated. b. Competent and well-trained. c. Have performed relevant audit tests of the internal controls and financial statements. d. All of the above are correct. 13. Operational auditing is the review of an organization for efficiency and effectiveness. Which of the following statements are true? a. Effectiveness refers to the degree to which the organization’s objectives and goals are accomplished. b. Efficiency refers to the degree to which costs are reduced without reducing effectiveness. c. Both a and b are correct. d. Both a and b are incorrect. 14. Which of the following statements is/are correct? Statement I - Independence is a fundamental ethical principle for int

AUD1207 Integrated Internal Auditing Review PDF

Document Details

Tags

Related

Summary

Full Transcript