
INTERNAL CONTROL

Internal control is a process, effected by an entity’s board of directors, management, and other
personnel, designed to provide reasonable assurance regarding the achievement of objectives in
the following categories:
• effectiveness and efficiency of operations;
• reliability of internal and external reporting;
• compliance with applicable laws and regulations and internal policies.
Reasonable Assurance
• The cost of the entity’s internal control should not exceed the expected benefits.
• Limitations exist in any entity’s internal control.
Key Components of Management’s Assessment of Internal Control
• Management must evaluate the design of internal control over financial reporting.
• Management must test the operating effectiveness of those controls.
WHY INTERNAL CONTROL?
• Ensure Reliability
• Promote Compliance
• Prevent & Detect Fraud
• Safeguard Assets
• Optimize Resources
OBJECTIVES OF INTERNAL CONTROL
• Internal control objectives are desired goals or conditions for a specific event cycle which,
if achieved, minimize the potential that waste, loss, unauthorized use or misappropriation
will occur.
• For a control objective to be effective, compliance with it must be measurable and
observable.
It includes:
• Proper Authorization of Transactions- approved by responsible personnel before they are
recorded.
• Completeness
• Accuracy
• Validity
• Physical Safeguards & Security
• Error Handling
• Segregation of Duties
• Independent Checks on Performance- Personnel are likely to forget or intentionally fail
to follow procedures, or they may become careless unless someone observes and
evaluates their performance.
Types of internal control
• Directive- encourage good behavior; it’s the right thing to do.
• Preventive- prevent undesirable events from happening.
• Detective- detect and correct undesirable events after they occur.
• Corrective- designed to correct errors and abnormalities that have occurred.
• Manual- performed by individuals outside of a system.
Limitations of Internal Control
• Judgement.
• Breakdowns.
• Management override.
• Collusion.
• Costs Versus Benefits.
What Can Internal Control Do?
It can:
• help achieve performance & profitability targets.
• help prevent loss of resources.
• help ensure reliable financial reporting.
• help ensure compliance with laws.
What Can Internal Control Not Do?
It cannot:
• ensure success.
• ensure the reliability of financial reporting.
• ensure compliance with laws and regulations.
What’s More Important?
• Segregation of duties or ethical employees?
• Well written and thorough policy and procedures manuals or competent employees?
• Clear delineation of roles and responsibilities or a group of employees dedicated to
accomplishing the organization’s mission?
COSO- committee of sponsoring organizations of the Treadway commission
MISSION- The COSO mission is to provide thought leadership through the development of
comprehensive framework and guidance on enterprise risk management, internal control and fraud
deterrence designed to improve organizational performance and governance and to reduce the
extent of fraud in organizations.
VISION- COSO’s vision is to be a recognized thought leader in the global marketplace on the
development of guidance in the areas of risk and control which enable good organizational
governance and reduction of fraud.
GOAL- COSO’s goal is to provide thought leadership dealing with three interrelated subjects:
enterprise risk management, internal control and fraud deterrence.
HISTORY- It was organized in 1985 to sponsor the National Commission on Fraudulent Financial
Reporting (NCFFR)
MAJOR PROFESSIONAL ASSOCIATIONS
• American Accounting Association
• AICPA
• IMA
• IIA
• Financial Executives International
CHAIRMAN OF COSO
• First chairman – James C. Treadway Jr.
• Current chairman – Robert Hirth
COSO FRAMEWORK OBJECTIVES
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
INTERNAL CONTROL COMPONENTS AND PRINCIPLES
Control Environment- is the set of standards, processes, and structures that provide the basis for
carrying out internal control across the organization. The board of directors and senior
management establish the tone at the top regarding the importance of internal control including
expected standards of conduct.
PRINCIPLES:
• Demonstrates commitment to integrity and ethical values
• Exercises oversight responsibility
• Establishes structure, authority and responsibility
• Demonstrates commitment to competence
• Enforces accountability
Risk Assessment- involves a dynamic and iterative process for identifying and assessing risks to
the achievement of objectives.
- Risk assessment is also a term used to describe the overall process or method where you:
• Identify hazards and risk factors that have the potential to cause harm
(hazard identification).
• Analyze and evaluate the risk associated with that hazard (risk analysis
and risk evaluation).
• Determine appropriate ways to eliminate the hazard, or control the risk
when the hazard cannot be eliminated (risk control).
PRINCIPLES:
• Principle 6- The organization specifies objectives with sufficient clarity to
enable the identification and assessment of risks relating to objectives:
o Operational
o External Financial Reporting
o External Non-Financial Reporting
o Internal Reporting
o Compliance
• Principle 7- The organization identifies risks to the achievement of its
objectives across the entity and analyzes risks as a basis for determining how the
risks should be managed.
• Principle 8- The organization considers the potential for fraud in assessing
risks to the achievement of objectives.
• Principle 9- The organization identifies and assesses changes that could
significantly impact the system of internal control.
Control Activities- are the policies and procedures implemented to help ensure that management
directives are carried out.
Examples:
• Review of financial reports
• Information processing
• Physical controls
• Segregation of duties
PRINCIPLES:
• Principle 10- The organization selects and develops control activities that
contribute to the mitigation of risks to the achievement of objectives to
acceptable levels.
• Principle 11- The organization selects and develops general control
activities over technology to support the achievement of objectives.
• Principle 12- The organization deploys control activities through policies
that establish what is expected and procedures that put policies into action.
Information and Communication:
Information is necessary for the entity to carry out internal control responsibilities to support the
achievement of its objectives.
Communication is the continual, iterative process of providing, sharing, and obtaining necessary
information.
• Internal communication
• External communication
PRINCIPLES:
• Principle 13- The organization obtains or generates and uses relevant, quality
information to support the functioning of internal control.
• Principle 14- The organization internally communicates information, including
objectives and responsibilities for internal control, necessary to support the
functioning of internal control.
• Principle 15- The organization communicates with external parties regarding
matters affecting the functioning of internal control.
Monitoring Activities- Ongoing evaluations, separate evaluations, or some combination of the
two are used to ascertain whether each of the five components of internal control, including
controls to affect the principles within each component, is present and functioning.
PRINCIPLES:
• Principle 16- The organization selects, develops, and performs ongoing and/or
separate evaluations to ascertain whether the components of internal control are
present and functioning.
• Principle 17- The organization evaluates and communicates internal control
deficiencies in a timely manner to those parties responsible for taking corrective
action, including senior management and the Board of Directors, as appropriate.
COBIT FRAMEWORK (Control Objectives for Information and Related Technologies)
COBIT- It was designed as an IT governance model, initially with audit in mind, to give
you control objectives and control practices describing how each IT process should behave.
Purpose: To provide an IT governance model that helps in delivering value from IT and in
understanding and managing its risks.
Why does IT need a control framework?
• To ensure that management’s needs are met and that IT is kept under control.
Who needs it?
• Board and Executives- to ensure directions are implemented
• Management- to make IT investment decisions
• Users- to obtain assurance on security and control
• Auditors- to advise on the minimum necessary IT controls
Difference of COBIT from COSO
• COSO is focused on processes and controls for financial reporting.
• COBIT is focused on IT.
COBIT FRAMEWORK- To provide the information that the organization needs to achieve its
objectives, IT resources need to be managed by a set of naturally grouped processes.
As a control and governance framework for IT, COBIT focuses on two key areas:
► Providing the information required to support business objectives and requirements
► Treating information as the result of the combined application of IT-related
resources that need to be managed by IT processes
COBIT Cube: IT Domains
1. Plan and Organize (PO)
► Objectives:
• Formulating strategy and tactics
• Identifying how IT can best contribute to achieving business objectives
• Planning, communicating and managing the realization of the strategic
vision
• Implementing organizational and technological infrastructure
2. Acquire and Implement (AI)
► Objectives:
• Identifying, developing or acquiring, implementing, and integrating IT
solutions
• Changes in and maintenance of existing systems
3. Deliver and Support (DS)
► Objectives:
• The actual delivery of required services, including service delivery
• The management of security, continuity, data and operational facilities
• Service support for users
4. Monitor and Evaluate (ME)
► Objectives:
• Performance management
• Monitoring of internal control
• Regulatory compliance
• Governance
Business Requirements/Info. Criteria
• Effectiveness- relevant, and delivered in a timely, correct, consistent and usable manner
• Efficiency- optimal use of resources (productive and economical)
• Confidentiality- protection of sensitive information
• Integrity- accurate, complete, and valid
• Availability- available when required, with safeguarding of the necessary resources
• Compliance- complying with laws and regulations
• Reliability- appropriate information for management
IT Resources
• Applications- software that processes information
• Information- data, processed and used by the business
• Infrastructure- facilities and hardware components of the technology
• People- those who plan, organize, acquire, implement, deliver, support, monitor and evaluate
COBIT 5 PRINCIPLES:
1. Meeting Stakeholder Needs- Enterprises have many stakeholders
- Governance is about:
• Negotiating & deciding among different stakeholders’ value interests.
• Considering all stakeholders when making benefit, resource & risk
assessment decisions
- Enterprises exist to create value for their stakeholders
- Value Creation: realizing benefits at an optimal resource cost while optimizing
risk.
2. Covering the Enterprise End-to-End
- Governance Approach
- Considering all the information and technology management processes as well as
internal and external functions and business processes.
3. Applying a Single Integrated Framework
- latest standards and frameworks
- single, integrated source of guidance in non-technical language.
- simple framework for structuring guidance materials and supporting a consistent
product set
- Provides information & technology governance & management good practices
4. Enabling a Holistic Approach
- Enablers- factors that influence the outcome of the governance & management
activities
• Enterprise resources that need to be governed and managed.
Principles, Policies, and Frameworks- translate the desired behavior into practical guidance for
day to day management.
Processes- describe an organized set of practices and activities to achieve certain objectives.
Organizational Structures- key decision-making entities in an enterprise.
Culture, ethics and behavior- of individuals and of the enterprise, are very often underestimated as
a success factor in governance and management activities.
Information- pervasive throughout any organization and includes all information produced and
used by the enterprise. Information is required for keeping the organization running and well
governed, but at the operational level, information is very often the key product of the enterprise
itself.
Services, infrastructure and applications- provide the enterprise with information technology
processing and services.
People, skills and competencies- linked to people and are required for successful completion of
all activities, for making correct decisions and for taking corrective actions.
Separating Governance from Management- Governance or EDM (evaluate, direct and
monitor) is about ensuring that stakeholder needs are evaluated to identify and agree on
objectives that must be achieved, directed through prioritization and decision making, and
monitored for performance and compliance against objectives.
Separating Governance from Management- Management or PBRM (plan, build, run and
monitor) is about ensuring that all activities undertaken and monitored are in alignment with the
direction set by the governance function.
CoCo (Criteria of Control)
CoCo- a further control framework that can mean more to teams and individuals and includes an
interesting learning dynamic.
CONTROL
• Broad context
• Comprises those elements of an organization
• Should cover the identification and mitigation of risks
TWO FUNDAMENTAL RISKS
• Failure to maintain the organization’s capacity to
– identify and exploit opportunities;
– respond and adapt to unexpected risks and opportunities.
CICA Criteria of Control Framework
• Purpose- Driver for the control criteria
• Commitment
• Capability- Action
• Monitoring and learning
Cadbury Internal Control Framework
Code of best practices (BOD)
• Should meet regularly
• There should be a clearly accepted division of responsibilities at the head of company
• Should include non-executive directors
• Should have a formal schedule of matters specifically reserved to it for decision
• There should be an agreed procedure for directors in the furtherance of their duties
• All directors should have access to the advice and services of the company secretary
Code of best practices (Non-Executive Directors)
• Majority should be independent of management and free from any business or other
relationship
• Should be appointed for specified terms and reappointment should not be automatic
• Should be selected through formal process
Code of best practices (Executive Directors)
• Service contracts should not exceed three years without shareholders’ approval
• There should be full and clear disclosure of total emoluments
• Pay should be subject to recommendations of a remuneration committee
Code of best practices (Reporting and Control)
• It is board's duty to present a balanced and understandable assessment of the company's
position
• Board should ensure that an objective and professional relationship is maintained with the
auditors
• Directors should explain their responsibility for preparing accounts
• Auditors should make a statement about their reporting responsibilities
• Directors should report on the effectiveness of the internal control system
Summary of Recommendations
• Compliance with the Code of Best Practice
• Keeping the Code up to date
• Director’s service contracts
• Interim reporting
• Enhancing the perceived objectivity of the audit
• Enhancing the effectiveness of the audit
• Voting by the institutional investors
• Endorsement of work by others
• Issues for the Committee’s successor body
Components of framework:
• Control environment
• Risk Assessment
• Control procedures/activities
• Monitoring and corrective action
• Information and communication
Principles of Corporate Governance:
• Openness- disclosure of information to all interested parties
• Integrity- described as both straightforward dealing and completeness
• Accountability- responsibility of actions
FORENSIC
Adjective. Relating to or denoting the application of scientific methods and techniques to the
investigation of crime.
Noun. Scientific tests or techniques used in connection with the detection of crime.
FORENSIC AUDIT- A forensic audit is an examination and evaluation of a firm's or individual's
financial information for use as evidence in court.
FORENSIC AUDITING/ACCOUNTING
• often associated with fraudulent activities
• also performed in non-fraudulent cases
• forensic auditing aims at legal determination of whether fraud has actually occurred
• investigating into financial records
• forensic auditing and accounting are the same
Why is a forensic audit required?
• whenever an entity’s finances present a legal concern
• in cases of suspected fraud
• to determine tax liability
• to investigate allegations of bribery
• to strengthen a company’s already good business practices
• to determine the loss of income as a result of fraudulent financial/operational reporting
• to determine the damage that falsified reports caused to shareholders, clients or employees
Qualities of a forensic accountant/ knowledge, skills of a forensic auditor:
- accounting knowledge
- dispersed knowledge of auditing, internal controls, risk assessment and fraud
detection
- basic understanding of the legal environment
- a strong set of communication skills, both written and oral
PURPOSE
• Discover if there is a fraud
• Identify those who are involved
• Quantify the monetary amount of fraud
• Present findings to the client/court
BROAD CATEGORIES OF FRAUDS
Corruption
• Conflict of interest
• Bribery
• Extortion
Asset Misappropriation
• Cash Theft
• Fraudulent Disbursement
• Inventory Fraud
• Misuse of Assets
Financial Statement Fraud
• Deliberate falsification of accounting records
• Omission of transactions/balances/disclosures
• Misappropriation of financial reporting standards
BROAD STAGES OF FORENSIC AUDIT
• Accepting the investigation
• Planning
• Evidence Gathering
• Reporting
• Court Proceedings
EMPLOYEE FRAUD
Fraud consists of knowingly making material misrepresentations of fact with the intent of
inducing someone to believe the falsehood and act upon it and thus, suffer a loss or damage.
• Employee fraud is the use of fraudulent means to take money or other property from an
employer. It consists of three phases: (1) the fraudulent act, (2) the conversion of the
money or property to the fraudster's use and (3) the cover-up.
• Embezzlement is a type of fraud involving employees' or nonemployees' wrongfully
taking money or property entrusted to their care, custody, and control, often accompanied
by false accounting entries and other forms of lying and cover-up.
• Errors are unintentional misstatements or omissions of amounts or disclosures in financial
statements.
Direct-effect Illegal Acts are violations of laws or government regulations by the company, or its
management or employees, that produce direct and material effects on dollar amounts in the
financial statements.
There are three conditions that are likely to be present when a fraud occurs. They are:
• Motivation - A motive is some kind of pressure a person experiences and believes to be
unshareable with friends and confidants
• Opportunity- An opportunity is an open door for solving the unshareable problem by
violating a trust.
• Rationalization- When people do things that are contrary to their personal beliefs – outside
their normal behavior – they provide an argument to make the action seem like it is in line
with their moral and ethical beliefs.
Fraud Prevention
• A strong control environment and tone at the top
• Managing people pressures in the workplace
• Internal control activities and employee monitoring
• Integrity by example and enforcement
MANAGEMENT FRAUD
Management Fraud- involves falsifying financial information for the benefit of the person
committing the crime. This includes false transactions and accounting entries, bogus trades, and
self-dealing by corporate insiders. Fraud negatively impacts organizations in many ways including
financial, reputation, psychological and social implications.
There are three common characteristics of most frauds:
• Pressure or incentive — the need the fraudster is trying to satisfy by committing the fraud.
• Opportunity — the fraudster’s ability to commit the fraud.
• Rationalization — the fraudster’s ability to justify the fraud in his or her mind.
An effective fraud management program includes:
• Company ethics policy- “tone at the top” from senior management.
• Fraud awareness- understanding the nature, causes, and characteristics of fraud.
• Fraud risk assessment- evaluating the risk of various types of fraud.
• Ongoing reviews- an internal audit activity that considers fraud risk in every audit and
performs appropriate procedures based on fraud risk.
• Prevention and detection- efforts taken to reduce opportunities for fraud to occur and
persuading individuals not to commit fraud because of the likelihood of detection and
punishment.
• Investigation- procedures and resources to fully investigate and report a suspected fraud
event.
TYPES OF FRAUDS
1) Misstatements Arising from Misappropriation of Assets
Asset misappropriation- occurs when a perpetrator steals or misuses an organization’s assets.
2) Misstatements Arising from Fraudulent Financial Reporting- The intentional manipulation of
reported financial results to misstate the economic condition of the organization.
Three common ways in which fraudulent financial reporting can take place include:
• Manipulation, falsification, or alteration of accounting records or supporting documents
• Misrepresentation or omission of events, transactions, or other significant information
• Intentional misapplication of accounting principles
3) Bribery and Corruption- This includes schemes such as cuts, kickbacks
or commissions, bid rigging, gifts or gratuities, and manipulation of contracts.
Revenue Cycle is a recurring set of business activities and related information processing
operations associated with providing goods and services to customers and collecting cash in
payment for those sales.
REVENUE CYCLE SUBSYSTEM
1. Order Entry/ Sales Process
ORDER ENTRY/ SALES PROCESS – interacting structure of people, equipment, methods,
and controls that is designed to achieve certain goals. It supports the repetitive work routines of
the sales order department, credit department and shipping department.
a. Presales activities
b. Sales order processing
c. Picking and packing of goods
d. Shipping
2. Billing/ Accounts Receivable/ Cash Receipts Process
Customer Relationship Management (CRM) Systems
CRM is designed to manage all the data related to customers, such as marketing, field
service, and contact management data. It enables the organization to cultivate customer relationships
by prospecting, acquiring, servicing, and retaining customers.
• Picking ticket – authorizes the warehouse to “pick” the goods from the shelf and send
them to shipping.
• Customer acknowledgement – sent to the customer to notify him of the order’s
acceptance and the expected shipment date.
• Sales order notification – sent to the billing department to notify them of a pending
shipment.
• Bill of lading – contract between the shipper and the carrier in which the carrier agrees to
transport the goods to the shipper’s customer.
• Packing slip – attached to the outside of the package; identifies the customer and
the contents of the package.
RECOMMENDED CONTROL PLANS
• Customer credit check
• Compare picking ticket to picked goods
• Independent shipping authorization
• Compare shipment to sales order and picking ticket
• Independent customer master data maintenance
• Review file of open sales orders
A. BILLING/ ACCOUNTS RECEIVABLE/ CASH RECEIPTS PROCESS - interacting
structure of people, equipment, methods, and controls that is designed to create
information flows and records that accomplish repetitive work routines of the credit
department, cashier, and the accounts receivable department.
1. Billing customers
2. Managing customer accounts
3. Securing payment for goods sold or services rendered
MANUAL CASH RECEIPTS PROCESS
• Customer checks and remittance advices are received in the Mail Room.
• Cash Receipts:
• A/R posts from the remittance advices to the accounts receivable subsidiary ledger.
• G/L department:
• The Controller reconciles the bank accounts.
Authorization Controls
• Proper authorization of transactions (documentation) should occur so that only valid
transactions get processed.
• Within the revenue cycle, authorization should take place when:
o a sale is made on credit (authorization)
o a cash refund is requested (authorization)
o posting a cash payment received to a customer’s account (cash pre-list)
Invoice– business document used to notify the customer of an obligation to pay the seller for the
merchandise (or service) ordered and shipped (or provided, if a service).
Remittance advice (RA)– business document used by the payer to notify the payee of the items
being paid.
RECOMMENDED CONTROL PLANS
• Review shipped-not-billed sales orders
• Compare shipping notice input to sales order master data
• Independent billing authorization
• Check for authorized prices, terms, freight, and discounts
• Independent pricing data
• Confirm customer accounts regularly
• Immediately endorse incoming checks
• Immediately separate checks and remittance advices
• Reconcile bank account regularly to confirm the validity and accuracy of the recorded
cash receipts
• Monitor open accounts receivable
REVENUE CYCLE—MAJOR THREATS & CONTROL
(1) Sales to customers with poor credit—(uncollectable sales and losses due to bad debts).
Prevention—independent credit approval function and good customer accounting.
(2) Shipping errors—wrong quantities, items, or address: mad customers. Prevention—
reconcile shipping notices and picking tickets, bar code scanners, data entry controls.
(3) Theft of inventory—loss of assets, leading to inaccurate records. Prevention—Secure inventory
and document transfers, good accountability for picking and shipping, and frequently
reconcile records with physical counts.
(4) Failure to bill customers—loss of inventory, and erroneous data about sales, inventory, and
receivables. Prevention—Separate shipping and billing. Prenumber shipping
documents and reconcile all sales documents.
(5) Billing errors—pricing mistakes, overbilling for items not shipped or back ordered—loss of
assets and mad customers. Prevention—reconciliation of picking tickets and bills of lading
with sales orders, data entry edit controls, and price lists.
(6) Theft of cash—loss of assets and overstated A/R. Prevention—separation of duties:
handling cash and posting to customer accounts; handling cash and authorizing credit
memos & adjustments; issuing credit memos and maintaining customer accounts. Use
lockboxes and EFT. Mail customer statements monthly. Use cash registers in retail.
Deposit cash intact daily in the bank. Bank reconciliation done by a non-cash handler.
(7) A/R incorrectly posted—mad customers, incorrect records, and poor decisions. Prevention—
reconcile subsidiary A/R ledgers with the general ledger, monthly statements to customers, and edit and
batch totals.
(8) Loss of data—loss of confidential information, and poor decision making. Prevention—regular
on-site & off-site backup, logical and physical access controls to prevent leakage to
competitors.
(9) Poor performance—inefficient and ineffective operations. Prevention—sales and
profitability analysis, A/R aging, and cash budgets to track operations.
Segregation of Functions
• Sales Order Processing
o credit authorization separate from SO processing
o inventory control separate from warehouse
o accounts receivable sub-ledger separate from general ledger control account
• Cash Receipts Processing
o cash receipts separate from accounting records
o accounts receivable sub-ledger separate from general ledger

Accounting Records
• With a properly maintained audit trail, it is possible to track transactions through the systems
and to find where and when errors were made:
o pre-numbered source documents
o special journals
o subsidiary ledgers
o general ledger
o files
Segregation of Functions: Three Rules
1. Transaction authorization should be separate from transaction processing.
2. Asset custody should be separate from asset recordkeeping.
3. The organization should be so structured that the perpetration of a fraud requires collusion
between two or more individuals.
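The three rules above can be checked mechanically against a system's role assignments. The following is an added illustration, not code from the original notes: it encodes the incompatible function pairs the notes list for the revenue cycle (credit authorization vs. sales order processing, warehouse custody vs. inventory records, cash receipts vs. A/R posting or credit memos, A/R sub-ledger vs. general ledger) as a conflict matrix, flags any user whose combined roles span a conflicting pair (rules 1 and 2), and tests whether a given pair of functions could be exercised by one person alone (rule 3). The user names, role names and role-to-function mapping are constructed sample data.

```python
"""Segregation-of-duties (SoD) conflict check for the revenue cycle.

Added illustration, not code from the original notes. Function names,
roles and user assignments are constructed sample data.
"""
from itertools import combinations

# Each function is tagged with the kind of duty it represents, following the
# three rules: authorization, processing, custody or recordkeeping.
FUNCTIONS = {
    "credit_authorization": "authorization",
    "sales_order_processing": "processing",
    "warehouse_custody": "custody",
    "inventory_control_records": "recordkeeping",
    "cash_receipts_handling": "custody",
    "ar_subledger_posting": "recordkeeping",
    "gl_control_account": "recordkeeping",
    "credit_memo_authorization": "authorization",
}

# Pairs the notes name as incompatible (order does not matter).
CONFLICTS = {
    frozenset({"credit_authorization", "sales_order_processing"}),
    frozenset({"warehouse_custody", "inventory_control_records"}),
    frozenset({"cash_receipts_handling", "ar_subledger_posting"}),
    frozenset({"cash_receipts_handling", "credit_memo_authorization"}),
    frozenset({"ar_subledger_posting", "gl_control_account"}),
}

# Constructed sample roles: each role grants one or more functions.
ROLES = {
    "credit_analyst": {"credit_authorization"},
    "order_clerk": {"sales_order_processing"},
    "warehouse_clerk": {"warehouse_custody"},
    "inventory_accountant": {"inventory_control_records"},
    "cashier": {"cash_receipts_handling"},
    "ar_clerk": {"ar_subledger_posting"},
    "gl_accountant": {"gl_control_account"},
}

# Constructed sample users; the comments mark the rule each violates.
USERS = {
    "alice": {"credit_analyst", "order_clerk"},           # rule 1: authorizes and processes
    "bob": {"warehouse_clerk", "inventory_accountant"},   # rule 2: custody and records
    "carol": {"cashier"},
    "dave": {"ar_clerk"},
    "erin": {"ar_clerk", "gl_accountant"},                # sub-ledger and GL control
}


def effective_functions(user, users=USERS, roles=ROLES):
    """Union of every function reachable through all of a user's roles."""
    return set().union(*(roles[r] for r in users.get(user, ())))


def sod_violations(users=USERS, roles=ROLES, conflicts=CONFLICTS):
    """Map each offending user to the sorted list of conflicting function pairs."""
    report = {}
    for user in users:
        funcs = effective_functions(user, users, roles)
        hits = [tuple(sorted(pair)) for pair in combinations(funcs, 2)
                if frozenset(pair) in conflicts]
        if hits:
            report[user] = sorted(hits)
    return report


def collusion_required(function_a, function_b, users=USERS, roles=ROLES):
    """Rule 3: True when no single user holds both functions, so a fraud that
    needs both would require at least two people to collude."""
    needed = {function_a, function_b}
    return not any(needed <= effective_functions(u, users, roles) for u in users)


if __name__ == "__main__":
    for user, pairs in sod_violations().items():
        print(f"{user}: conflicting duties {pairs}")
    print("cash handling vs A/R posting needs collusion:",
          collusion_required("cash_receipts_handling", "ar_subledger_posting"))
```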
Independent Verification
Physical procedures as well as record-keeping should be independently reviewed at various
points in the system to check for accuracy and completeness:
o shipping verifies the goods sent from the warehouse are correct in type and quantity
o warehouse reconciles the stock release document (picking slip) and packing slip
o billing reconciles the shipping notice with the sales invoice
o general ledger reconciles journal vouchers from billing, inventory control, cash receipts,
and accounts receivable
Supervision
o Often used when unable to enact appropriate segregation of duties.
o Supervision of employees serves as a deterrent to dishonest acts and is particularly
important in the mailroom.
Access Controls
o Access to assets and information (accounting records) should be limited.
o Within the revenue cycle, the assets to protect are cash and inventories and access to
records such as the accounts receivable subsidiary ledger and cash journal should be
restricted.
THE EXPENDITURE CYCLE
DEFINITION:
 An expenditure cycle is a set of purchasing decisions and actions. It's the repetitive process
of creating purchase orders and ordering goods and services, receiving these items,
approving the invoices for these items and services, and paying the invoices.
EXPENDITURE CYCLE SUBSYSTEMS
1. The Purchases Processing System
A. MONITOR INVENTORY RECORDS
B. PREPARE PURCHASE ORDER
C. RECEIVE GOODS
D. UPDATE INVENTORY RECORDS
E. SET UP ACCOUNTS PAYABLE
F. POST TO GENERAL LEDGER
2. The Cash Disbursements Processing System
A. IDENTIFY LIABILITIES DUE
B. PREPARE CASH DISBURSEMENT
C. UPDATE AP RECORD
D. POST TO GENERAL LEDGER
DOCUMENTS PERTAINING TO THE EXPENDITURE CYCLE
1. Purchase Requisition
2. Purchase Order
3. Receiving Report
4. Supplier’s (Vendor’s) Invoice
5. Disbursement Voucher
6. Disbursement Check
7. Debit Memorandum
8. New Supplier Form
9. Request for Proposal
EXPENDITURE CYCLE BUSINESS ACTIVITIES
• Order materials, supplies, and services
• Receive materials, supplies, and services
• Approve supplier (vendor) invoices
• Cash disbursement
1. Order Goods
Threat 1—Stock-outs or Excess Inventory
Controls: Accurate inventory control and sales forecasting; use of perpetual inventory method;
supplier performance reports; recording of inventory changes in real time; bar-coding inventory;
and periodic physical counts.
Threat 2—Ordering Unnecessary Items
Controls: Integrate databases of various divisions and produce reports that link item descriptions
to part numbers to allow consolidation of orders.
Threat 3—Purchasing Goods at Inflated Prices.
Controls: Price lists for frequently-purchased items; use of catalogs for low-cost items; solicitation
of bids for high-cost and specialized products; review of purchase orders; budgetary controls and
responsibility accounting; and performance review.
Threat 4—Purchasing Goods of Inferior Quality
Controls: Use of approved supplier list; review of purchase orders; tracking of supplier
performance; purchasing accountability for rework and scrap.
Threat 5—Purchasing from Unauthorized Suppliers
Controls: Review of purchase orders; restriction of access to supplier list; periodic review of
supplier list; and coordination with procurement card providers to restrict acceptance of cards.
Threat 6—Kickbacks
Controls: “No gift” policy for buyers; employee training on gift handling; job rotation and
mandatory vacation; audits of buyers; review of conflict of interest statements; vendor audits.
2. Receive and Store Goods
Threat 7—Receiving Unordered Goods
Controls: Accept goods only when there’s an approved purchase order.
Threat 8—Errors in Counting Received Goods
Controls: Bar-coding of ordered goods; quantities blanked out on receiving forms; signature of
receiving clerks; bonuses for catching discrepancies; re-counting of items by inventory control.
Threat 9—Stealing Inventory
Controls: Secure storage locations for inventory; documentation of intra-company transfers;
periodic physical counts; segregation of duties.
3. Approve and Pay Vendor Invoices
The primary objectives of this process are to:
1. Pay only for goods and services that were ordered and received.
2. Safeguard cash.
Threat 10—Failing to Catch Errors in Vendor Invoices
Controls: Check mathematical accuracy; verify procurement card charges; adopt Evaluated
Receipt Settlement; train staff on freight terminology; use common carrier to take advantage of
discounts.
Threat 11—Paying for Goods not Received
Controls: Compare invoice quantities to quantities reported by receiving and inventory control;
use tight budgetary controls.
Threat 12—Failing to Take Available Purchase Discounts
Controls: File and track invoices by due date; prepare cash flow budgets.
Threat 13—Paying the Same Invoice Twice
Controls: Approve invoices only with complete voucher package; pay only on original invoices;
cancel invoices once paid; use internal audit to detect and recover overpayments; control access to
accounts payable master file.
Threat 14—Recording and Posting Errors in Accounts Payable
Controls: Data entry and processing controls; reconcile supplier balances with control accounts.
Threat 15—Misappropriation of Cash, Checks, or EFT
Controls: Restrict access to cash, checks, and check signing machines; use sequentially numbered
checks and reconcile; segregate duties; two signatures on checks over a certain limit; restrict access
to supplier list; cancel all documents; have independent bank reconciliation; use check protection
measures or positive pay; provide strict logical and access controls for EFT; log, encrypt, stamp,
and number all EFT transactions; monitor EFT transactions; and use embedded audit modules.
THE HUMAN RESOURCE CYCLE
Internal Control on Human Resources (HR)
Internal Control Procedure on HR
 HR Managers enforce control by making employees aware of company policy.
 HR managers use internal controls to ensure that employees complete objectives and
abide by company rules.
 Model of Control
 An organization must outline what is expected of employees in company policies and
handbooks.
 Control Issues
 Managers and supervisors use official company policy, project plans and precedents
as standards for instituting controls.
 Organizational Rules
 A company’s rules are the foundation of HR’s management controls.
 Control and Discipline
 The discipline portion of HR control should both inhibit infractions and strengthen
desirable conduct.
Importance of Internal Control Procedures in Human Resources
 HR internal controls are important in identifying and managing internal risks.
 HR Department Functions:
- The Transactional Function is concerned with process documentation, records
maintenance and security, payroll, and recruiting and hiring employees.
- The Compliance Function focuses on ensuring the business adheres to federal
and state employment and labor laws.
 Environmental Importance of Control Procedures
 The importance of internal control procedures within HR lies in the efficient,
effective and compliance-oriented environment internal controls create.
 Limiting Consequences of Uncontrolled Risk
 HR internal control procedures are significantly important in limiting what can be
severe consequences for failing to control risk.
 Importance in Risk Reduction
 Preventative HR internal controls are an important first line of defense. Preventative
controls decrease the likelihood of intentional or unintentional data entry errors and
discourage or deter illegal or unethical actions.
 Detecting and Dealing with Violations
 Detective controls are a second level of defense designed to identify and deal with an
error or irregularity after it has occurred.
AUDITING THE HR FUNCTION
Scope of HR Management Audit
 A comprehensive HR audit may look at the following aspects of the organization’s people
practices:
 Mission and strategic objectives
 Culture
 Goals and objectives
 Corporate policies
 Management practices
 Structure
 Staffing
 Employee relations
 Employee services
 Facilities and equipment
Implementing Best Practices in HR Management
Audit Steps
 Establish audit scope and objectives
 Appoint, orient and train the audit team
 Orient the HR Department staff
 Prepare a plan
 Gather data and make observations
 Analyze organizational performance
 Interpret data and develop conclusions
 Develop recommendations and suggested action plans
 Validate the results
 Report the findings and recommendations
 Implement action plans
 Follow up
THE CAPITAL ACQUISITION CYCLE
The transaction cycle that involves the acquisition of capital resources in the form of interest-
bearing debt and owners' equity, and the repayment of capital.
4 CHARACTERISTICS OF THE CAPITAL ACQUISITION AND REPAYMENT CYCLE
1) Relatively few transactions affect the account balances, but each transaction is often highly
material
2) The exclusion of a single transaction could be material in itself (completeness, accuracy)
3) A legal relationship exists between the client entity and the holder of the stock, bond, or
similar ownership document
4) A direct relationship exists between the interest and dividends accounts and debt and equity
Accounts in Capital Acquisition Cycle
1) Retained Earnings
2) Capital Stock (Preferred Stock)
3) Cash, Notes Payable
4) Interest Expense, Accrued Interest
5) Dividends Declared, Payable
6) APIC
Notes Payable Audit Objectives
 Internal controls over notes payable are adequate
 Transactions for principal and interest involving notes payable are properly authorized and
recorded in accordance with the transaction related audit objectives
 Liability for NP and related interest expense and accrued liability are properly stated
 Disclosures related to notes payable and related interest expense satisfy the four
presentation and disclosure objectives
4 IMPORTANT CONTROLS OVER NOTES PAYABLE
1) Proper authorization for the issue of new notes
2) Adequate controls over the repayment of principal and interest
3) Proper documents and records
4) Periodic independent verification
Two most important balance related objectives for Notes payable:
1) Existing notes payable are included (COMPLETENESS)
2) NP in the schedule are accurately recorded (ACCURACY)
 Vital because if even one note is missing it can become material
Proper Record Keeping for Segregation of Duties
Internal controls must be adequate so:
 Actual owners of the stock are recognized in the corporate record
 The correct amount of dividends is paid to the stockholders owning the stock as of the
dividend record date
 The potential for misappropriation of assets is minimized
Capital Stock Certificate Record
 record of issuance and repurchase of capital stock for the life of corporation
Shareholder's Capital Stock Master File
 the record of the outstanding shares at any given time
 acts as a check on the accuracy of the capital stock certificate record and the common
stock balance in the general ledger
INTERNAL CONTROLS REGARDING DIVIDEND PAYMENTS
 Dividend checks are prepared from the capital stock certificate record by someone who is
not responsible for it
 After the checks are prepared there is an independent verification of the stockholder's
names and amounts as well as a reconciliation of the total amount of the checks with total
dividends authorized in the minutes
 A separate imprest dividend account is used to prevent a larger amount of dividends being
paid than authorized
Independent Registrar
 outside entity engaged by a corporation to make sure that its stock is issued in accordance
with capital stock provisions in the corporate charter and authorizations by the board of
directors; required by the SEC for publicly held corporations
Stock Transfer Agent
 An institution responsible for maintaining detailed records of shareholders and handling
transfers of stock ownership.
Main concern in auditing capital stock and paid-in capital
 Existing capital stock transactions are recorded
 Recorded capital stock transactions occurred and are accurately recorded
 Capital stock is accurately recorded
 Capital stock is properly presented and disclosed
Audit of Retained Earnings
For most companies, the only transactions involve net earnings and dividends declared; they can
also include prior period adjustments.
 First, analyze retained earnings
 Permanent file will have all transactions and a description
 Are all included, recorded and classified correctly?
Audit of Dividends
 Recording dividends occurred (occurrence)
 Existing dividends are recorded (completeness)
 Dividends are accurately recorded (Accuracy)
 Dividends are paid to stockholders that exist (occurrence)
 Dividends payable are recorded (completeness)
 Dividends payable are accurately recorded (accuracy)
THE INVESTMENT ACTIVITY CYCLE
SEGREGATION OF DUTIES:
1. Custody of assets involved
2. Recording transactions
3. Authorization to execute transactions
4. Periodic reviews and reconciliation of existing assets to recorded amounts
Objectives
For all forms of investment, judgments need to be made on three issues:
1. Security. The company will want to ensure that the initial investment remains secure. At
the extreme, a counterparty may fail, resulting in the total loss of principal. There is also the
risk that poor investment performance will lead to some of the principal being lost.
2. Liquidity. The treasurer will also want to ensure that the funds are accessible when they are
needed. Treasurers will want to avoid, wherever possible, having to borrow cash when
surplus cash has been generated by the company.
3. Yield. Given these constraints, the treasurer will want to maximize the yield from each
investment.
THE SCOPE OF AN INVESTMENT POLICY
Instruments
The policy should state the process by which different instruments are approved as suitable
investment vehicles. It will not necessarily state the approved instruments themselves, although a
list can be contained in an appendix to the investment policy.
Currencies
The second step is to establish the currencies in which investments can be made. This may be to
invest only in those that are operating currencies for the group.
Maturities
The range of maturities will depend largely on the nature of the business, but most companies
will want to ensure that a minimum level of funds is available either as cash or near cash. This is
a crucial part of the process of managing cash flow risk.
Counterparties
The policy will also establish which counterparties the company can deal with. The policy will
not usually name approved counterparties, but rather list the criteria they will need to meet in
order to be approved.
Tax considerations
The investment policy needs to recognize the importance of the tax treatment of any investments.
RESPONSIBILITY FOR INVESTMENT DECISIONS
The investment policy should state who has responsibility for taking investment decisions on a
day-to-day basis. The choice between the following four main alternatives will depend on both
the resources available in treasury and the nature of the surplus to be invested.
 In-house.
The first choice is to leave the responsibility for all investment decisions within the treasury
department. If this option is taken, care should be taken to put in place a clear system of
authorization and individual dealing limits.
 Automatic sweeps.
Companies can set up automatic sweeps for short-term cash surpluses from bank accounts
to money market funds or other investment accounts. This can be an appropriate alternative
for a company with variable, but very short-term, surpluses.
 Specialist investment manager.
In some cases, it is worth appointing a specialist investment manager to invest funds on
behalf of the company. An investment manager will need to be given clear terms of
reference within which to operate.
 Outsource.
It is possible to outsource cash management to an agency treasury provider. This requires
clear terms of reference to be given to the outsource provider. The service offered is broader
than that offered by a specialist investment manager.
 Investment procedures.
Having established the overall policy, treasury should have a separate document describing
the procedures that need to be followed when taking an investment decision. This should be
a document identifying the step-by-step process for investing surpluses.
AUDIT PLANNING – proper utilization
 Planning an audit involves establishing the overall audit strategy for the engagement and
developing an audit plan, in order to reduce audit risk to an acceptably low level.
Before the Initial Planning:
1. Acceptance / Accept Client
a. Old/Existing Client
b. New Client
- We must first assess the risk involved. The higher the risk, the more audit work we have
to perform.
2. Engagement letter
- “Contract”
- Reviewed by both client and auditor
- Contains the scope of services and fees
Major Auditing Planning Activities
1. Obtaining an understanding of the client and its environment- The auditor should obtain an
understanding of the entity and its environment, including its internal control or an in-depth
study of the client’s business.
 Sources of Understanding of the Entity and the Environment:
o Previous experience with the entity and its industry – financial performance &
reporting requirements
o Legislation and regulations that significantly affect the entity
o Past/other auditors
 Risk assessment procedures
o Inquiries of management and others within the entity
o Analytical procedures
o Observation and inspection
2. Determining the need for experts- When determining the need to use the work of an expert,
the auditor would consider:
a. The engagement team’s knowledge and previous experience of the matter being
considered;
b. The risk of material misstatement based on the nature, complexity, and
materiality of the matter being considered, and
c. The quantity and quality of other audit evidence expected to be obtained.
 Situations which may warrant the use of an expert:
o Valuations of certain types of assets
o Determination of quantities or physical condition of assets
o Measurement of work completed
o Legal opinions concerning interpretations of agreements and regulations
3. Establishing materiality and assessing risk.
 MATERIALITY – information is material if its omission or misstatement could
influence the economic decision of users.
 Assessing the Risks of Material Misstatement:
o Understand the entity and its environment
o Identify the risks
o Magnitude of risks
 Assessment of Inherent Risk: The auditor uses professional judgment to evaluate
numerous factors.
 Assessment of Control Risk: Management often reacts to inherent risk situations by
designing internal control systems to prevent or detect and correct misstatements
(see the internal controls in the transaction cycles discussed above).
4. Assessing the possibility of non-compliance- In order to plan the audit, the auditor should
obtain a general understanding of the legal and regulatory framework applicable to the
entity and the industry and how the entity is complying with that framework.
5. Identifying related parties.
 A related party transaction is a transfer of resources, services or obligations between
related parties, regardless of whether a price is charged.
 Related parties may be identified by inquiries of management and predecessor
auditors and by reviews of stockholder listings, and material investment transactions.
6. Performing preliminary analytical procedures.
 Analytical procedures refer to evaluations of financial information made by a study
of plausible relationships among both financial and non-financial data; they only provide
a broad initial indication about whether a material misstatement may exist.
 Analytical procedures may be helpful in identifying the existence of unusual
transactions or events, and amounts, ratios and trends that might indicate matters
that have financial statement and audit implications.
7. Development of the overall audit strategy and detailed audit plan
 Establishing the audit strategy involves designing optimized audit approaches that
seek to achieve the necessary audit assurance at the lowest cost within the
constraints of the information available.
o SCOPE – Determining the characteristics of the engagement that define its
scope:
 Framework, Reporting Requirements, Expected Audit Coverage,
Currency to be used, Availability of client and personnel data.
o TIMING – Ascertaining the reporting objectives of the engagement to plan
the timing of the audit and the nature of the communications required:
 Timetable for reporting, Meetings, Expected type and timing of
reports to be issued
 Communication with auditors, Timing of the review of work
performed, Communication with related parties involved
o FOCUS – Considering the important factors that will determine the focus
or direction of the engagement team’s effort:
 Industry developments (changes), Changes in accounting standards,
Changes in legal environment
 A detailed audit plan addresses the various matters identified in the overall audit
strategy, taking into account the need to achieve the audit objectives through the
efficient use of the auditor’s resources.
8. Preparation of preliminary audit programs.
 The audit program is a list of procedures (test of controls or substantive tests) used
to gather sufficient appropriate audit evidence.
TEST OF CONTROLS- an audit procedure to test the effectiveness of a control used by a client
entity to prevent or detect material misstatements.
- Procedures designed to evaluate the effectiveness of the design and operation of
internal controls
- Auditor assesses whether the control has been properly designed to prevent or
detect a material misstatement in the financial statements
- Auditor then assesses the operational effectiveness of the control, which determines
whether the control is applied consistently throughout the period and by whom it is
applied
TEST OF CONTROLS OF THE REVENUE CYCLE
Tests of Controls: Cash Collections and Deposits
Collections:
1. On a surprise basis, take control of bank deposits just prior to delivery by client personnel
to the bank.
2. Compare the total amount of checks to the total recorded on deposit slip.
3. Compare checks to details in cash receipts records and the A/R subsidiary ledger and
determine that the lapse of time between cash receipt and deposit is reasonable.
Deposits:
1. For an interim month:
a. Compare entries in the cash receipts journal with deposits listed on the monthly
bank statement.
b. Ascertain that cash receipts not listed on the bank statement are listed as deposits-
in-transit in the bank reconciliation and are included with deposits in the
subsequent month’s bank statement.
2. Trace totals in the cash receipts journal to postings in the GL.
3. Document any deviations or discrepancies observed.
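The deposit tests above (compare journal entries with bank statement credits, identify deposits-in-transit, and check that the lapse between receipt and deposit is reasonable) can be run mechanically over the cash receipts journal. The following is an added example, not part of the original notes; the record layout, the one-day lag threshold and the sample receipts and bank credits are all constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

@dataclass(frozen=True)
class Receipt:                 # one line of the cash receipts journal (constructed layout)
    receipt_no: str
    received: date             # date the check was received
    deposited: date            # deposit-slip date recorded in the journal
    amount: Decimal

@dataclass(frozen=True)
class BankDeposit:             # one credit on the monthly bank statement
    posted: date
    amount: Decimal

def deposit_lag_exceptions(receipts: list[Receipt], max_days: int = 1) -> list[str]:
    """Receipts held longer than max_days before deposit (Collections step 3)."""
    return [r.receipt_no for r in receipts if (r.deposited - r.received).days > max_days]

def reconcile_deposits(receipts, bank_deposits):
    """Match journal deposits (grouped by deposit date) to bank credits (Deposits step 1).

    Returns (matched, journal_only, bank_only). journal_only items must appear as
    deposits-in-transit on the bank reconciliation and clear on the next statement;
    bank_only credits have no journal entry and need to be explained.
    """
    by_day: dict[date, Decimal] = {}
    for r in receipts:
        by_day[r.deposited] = by_day.get(r.deposited, Decimal(0)) + r.amount
    bank_only = list(bank_deposits)
    matched, journal_only = [], []
    for day, total in sorted(by_day.items()):
        # a bank credit matches if the amount agrees and it posted on or after the slip date
        hit = next((b for b in bank_only if b.amount == total and b.posted >= day), None)
        if hit is None:
            journal_only.append((day, total))
        else:
            bank_only.remove(hit)
            matched.append((day, total, hit.posted))
    return matched, journal_only, bank_only

# Constructed sample data for one interim month, not real records.
SAMPLE_RECEIPTS = [
    Receipt("R1", date(2024, 3, 4), date(2024, 3, 4), Decimal("500.00")),
    Receipt("R2", date(2024, 3, 4), date(2024, 3, 4), Decimal("250.00")),
    Receipt("R3", date(2024, 3, 10), date(2024, 3, 15), Decimal("1200.00")),  # held 5 days
    Receipt("R4", date(2024, 3, 29), date(2024, 3, 29), Decimal("300.00")),   # in transit at month end
]
SAMPLE_BANK = [
    BankDeposit(date(2024, 3, 5), Decimal("750.00")),
    BankDeposit(date(2024, 3, 15), Decimal("1200.00")),
    BankDeposit(date(2024, 3, 20), Decimal("90.00")),      # no journal entry for this credit
]

if __name__ == "__main__":
    print("lag exceptions:", deposit_lag_exceptions(SAMPLE_RECEIPTS))
    for name, items in zip(("matched", "journal only", "bank only"),
                           reconcile_deposits(SAMPLE_RECEIPTS, SAMPLE_BANK)):
        print(name, items)
```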
Tests of Controls: Shipping
1. Randomly select a sample of shipping documents from Shipping Department files.
2. Examine each shipping document to determine whether the document:
a. is accompanied by a sales order bearing Credit and Inventory Control
authorization.
b. agrees with this sales order as to description of goods, quantity, destination, etc.
3. Trace details of sampled shipping documents to copies of shipping documents and related
sales invoices in Billing Department files.
4. Trace details of related sales invoices (customer name) to entries in the sales journal and
accounts receivable (A/R) subsidiary ledger.
5. Trace sales invoices to inventory record in Inventory Accounting.
6. Document any deviations or discrepancies observed.
Tests of Controls: Billing
1. Randomly select a sample of sales invoices from Billing Department files.
2. For each sampled invoice, verify unit prices and clerical accuracy.
3. Trace details of sampled sales invoices to shipping documents.
4. Trace details of sampled sales invoices to entries in the sales journal and accounts
receivable subsidiary ledger.
5. Trace sales invoices to inventory records in Inventory Accounting.
6. Document any deviations or discrepancies observed.
Tests of Controls: Recording
1. Review evidence of internal procedures for:
a. Reconciliation of daily sales summaries with sales journal totals by
General Accounting personnel.
b. periodic reconciliation of A/R trial balances with General Ledger (GL)
control balances.
2. Scan the sales journal for unusual transactions or unusually large amounts and follow up
on any such items identified.
3. Verify accuracy of the sales journal for selected periods and trace totals to postings in
GL.
4. Document any deviations or discrepancies observed.
Tests of Controls: Sales Returns and Allowances
1. Obtain a random sample of credit memoranda from the files of the issuing department.
2. Trace details of sampled credit memoranda to:
a. receiving reports
b. perpetual inventory records
c. entries in the A/R subsidiary ledger and GL
3. Review the credit register for unusual items and investigate.
4. Document any deviations or discrepancies observed.
Tests of Controls: Uncollectible Accounts
1. Select a sample of write-off entries.
2. Trace each entry to the related write-off authorization memo; examine memo for
appropriate authorization and compare authorized amount with recorded amount.
3. Trace each entry to posting in GL.
4. Review all write-off entries for unusual items and investigate.
5. Document any deviations or discrepancies observed.
TEST OF CONTROLS OF THE EXPENDITURE CYCLE
Tests of Controls: Purchasing
1. Randomly select a sample of paid voucher packages
a. Review each voucher package for appropriate cancellation
b. Review documents in each sampled voucher package for appropriate
authorization.
c. Compare details on purchase requisitions, purchase orders, receiving reports,
vendor’s invoices, and voucher; and verify mathematical accuracy.
2. For each sampled voucher package, obtain a copy of the related purchase order and
requisition from Purchasing Department files
a. Compare purchase orders in voucher packages with copies of purchase orders in
Purchasing Department files.
b. Trace prices on purchase orders to competitive bids, formal price quotations, or
other pricing sources.
c. Examine periodic reports by personnel independent of the Purchasing Department
regarding prices and vendor selection practices.
3. Document any deviations or discrepancies observed.
Tests of Controls: Receiving
1. For each sampled voucher package, obtain the related copy of the receiving report from
the Receiving Department files
a. Compare receiving reports in voucher packages with copies of receiving reports
in Receiving Department files.
b. Review receiving reports for evidence that received goods have been inspected,
counted, and compared with packing slips and purchase orders.
c. Trace receiving reports to entries in the receiving log.
2. Document any deviations or discrepancies observed.
Tests of Controls: Cash Disbursement and Recording
1. For each sampled voucher package, obtain the cancelled check
a. Examine cancelled checks for appropriate signatures and endorsements.
b. Compare details of the voucher package with the cancelled check: check number,
date, payee, and amount.
c. Trace voucher packages and cancelled checks to postings in the accounts payable
subsidiary ledger and to entries in the voucher register.
2. Document any deviations or discrepancies observed.
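The comparisons the Purchasing and Cash Disbursement tests call for (requisition, purchase order, receiving report, invoice and voucher agreeing with each other and adding up) are the same checks the expenditure-cycle controls rely on against Threats 3, 10, 11, 13 and 15. The following is an added example of those checks run over a sample of voucher packages; it is not part of the original notes, and the voucher-package layout, the vendor names, part numbers and check numbers are all constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Line:                      # one line item on a PO or invoice
    part_no: str
    qty: int
    unit_price: Decimal

@dataclass
class VoucherPackage:            # documents supporting one payment (constructed layout)
    voucher_no: str
    vendor: str
    invoice_no: str
    po_lines: dict[str, Line]      # purchase order, keyed by part number
    received_qty: dict[str, int]   # quantities counted on the receiving report
    invoice_lines: dict[str, Line] # what the vendor billed
    invoice_total: Decimal         # total printed on the invoice
    cancelled: bool                # voucher package stamped/cancelled once paid

def three_way_match(pkg: VoucherPackage) -> list[str]:
    """Compare PO, receiving report and invoice; return the deviations found."""
    deviations = []
    for part, inv in pkg.invoice_lines.items():
        po = pkg.po_lines.get(part)
        if po is None:
            deviations.append(f"{pkg.voucher_no}: {part} invoiced but not on the PO")
            continue
        received = pkg.received_qty.get(part, 0)
        if inv.qty > received:                # Threat 11: paying for goods not received
            deviations.append(f"{pkg.voucher_no}: {part} billed {inv.qty}, received {received}")
        if inv.unit_price > po.unit_price:    # Threat 3: price above the agreed PO price
            deviations.append(f"{pkg.voucher_no}: {part} priced {inv.unit_price}, PO says {po.unit_price}")
    computed = sum((l.qty * l.unit_price for l in pkg.invoice_lines.values()), Decimal(0))
    if computed != pkg.invoice_total:         # Threat 10: arithmetic error on the invoice
        deviations.append(f"{pkg.voucher_no}: invoice total {pkg.invoice_total} != {computed}")
    if not pkg.cancelled:                     # Threat 13: an uncancelled package can be paid again
        deviations.append(f"{pkg.voucher_no}: voucher package not cancelled after payment")
    return deviations

def duplicate_invoices(pkgs: list[VoucherPackage]) -> list[tuple[str, str]]:
    """Vendor + invoice number paid under more than one voucher (Threat 13)."""
    first_seen: dict[tuple[str, str], str] = {}
    dups = []
    for p in pkgs:
        key = (p.vendor.upper(), p.invoice_no.strip().upper())  # normalise case/spacing
        if key in first_seen:
            dups.append((first_seen[key], p.voucher_no))
        else:
            first_seen[key] = p.voucher_no
    return dups

def check_sequence_gaps(check_numbers: list[int]) -> list[int]:
    """Numbers missing from a sequentially numbered check run (Threat 15)."""
    present = set(check_numbers)
    return [n for n in range(min(present), max(present) + 1) if n not in present]

# Constructed sample data, not real records.
SAMPLE_PACKAGES = [
    VoucherPackage("V-101", "Acme Parts", "INV-7781",
                   {"P-1": Line("P-1", 10, Decimal("4.50"))}, {"P-1": 10},
                   {"P-1": Line("P-1", 10, Decimal("4.50"))}, Decimal("45.00"), True),
    VoucherPackage("V-102", "Acme Parts", "INV-7790",           # over-billed quantity
                   {"P-2": Line("P-2", 20, Decimal("2.00"))}, {"P-2": 15},
                   {"P-2": Line("P-2", 20, Decimal("2.00"))}, Decimal("40.00"), True),
    VoucherPackage("V-103", "ACME PARTS", " inv-7781 ",         # same invoice as V-101
                   {"P-1": Line("P-1", 10, Decimal("4.50"))}, {"P-1": 10},
                   {"P-1": Line("P-1", 10, Decimal("4.50"))}, Decimal("45.00"), True),
    VoucherPackage("V-104", "Globex", "G-15",                   # price, arithmetic, cancellation
                   {"P-9": Line("P-9", 5, Decimal("100.00"))}, {"P-9": 5},
                   {"P-9": Line("P-9", 5, Decimal("120.00"))}, Decimal("650.00"), False),
]
SAMPLE_CHECKS = [2001, 2002, 2004, 2005]   # check 2003 is unaccounted for
if __name__ == "__main__":
    for pkg in SAMPLE_PACKAGES:
        print(pkg.voucher_no, three_way_match(pkg))
    print("duplicates:", duplicate_invoices(SAMPLE_PACKAGES))
    print("check gaps:", check_sequence_gaps(SAMPLE_CHECKS))
```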