Audit database - purchases cycle

Introduction

Audit: Purchasing and payment of expense goods and services
Last updated 21 August 2004

Purpose

The purpose of this spreadsheet is to show typical risks, expected controls and example tests for processes related to the purchasing and payment of expense goods and services (excluding personal expenses).

Full details of how to complete and use the database are in the manual, which can be downloaded from www.internalaudit.biz

The database is not complete - it must be changed to suit your organisation.

To see how this database fits into the audit universe, download the Risk and Audit Database from www.internalaudit.biz

Auditing is not about carrying out tests taken from an audit programme; it is about understanding the objectives of the processes you are auditing, the risks which threaten them and the controls which actually operate to mitigate them.

The database (Audit programme)

The audit programme is in the form of an Excel database. It can be treated just like a large "Word" table but can also be sorted and filtered.

The database covers those processes which might be involved in purchases and payments using a computerised system. Thus it covers not only ordering and invoice approval, but also staff management and computer controls.

Rows with processes which are split down into more detailed processes are coloured and do not have data in some columns.

The processes are only intended as an example. You must change them to those in your organisation.

If you construct audit databases, please make them available to other auditors through AuditNet (http://www.auditnet.org/).

For a full explanation of the content of the columns, go to the "Column key" worksheet.

The example controls and monitoring

These examples are suggestions only. They cannot possibly apply to every size of organisation which might use this database. You must decide on the controls which mitigate the risks to acceptable levels in your organisation.

Remember that the examples are general and therefore rather vague. Your entries should be much more specific, in particular noting the names of staff carrying out the checks.

Worksheets

There are 7 worksheets in this spreadsheet:

- Introduction
- Scope
- Process map
- Expense purchases database
- Column key
- Scoring risks
- Allocating conclusions

Language

I have used UK English for the risk register. Variations from US English include:

- Supplier = Vendor
- Purchase = Procure
- Cheque = Check

I have used the term "accounts payable" for purchase ledger, since this is now common in the UK.

All sheets copyright David M Griffiths. Not to be copied or distributed without acknowledging the author, or in conjunction with a commercial product.


Scope

Audit: Purchasing and payment of expense goods and services
Scope of the audit

Reasons for the audit

The organisation's risk analysis has identified significant risks to its objectives from the processes involved in the purchase of expense goods and services. The audit will conclude on whether:

- Risks threatening the objectives of the processes have been properly identified, evaluated and managed.
- Internal controls are operating properly to mitigate these risks to levels defined as acceptable by board policy.
- Action is being taken to improve controls, where risks are not being properly mitigated.
- More monitoring, by management, is necessary to ensure proper internal controls into the future.
- A sound system of internal control is maintained for the processes audited.

Objectives of the processes being audited

The overall objective of the process (4.5) is to purchase expense goods and services for the organisation. (That is, goods which are not for resale.)

The processes covered by this audit are:

- Define the objectives for purchasing expenses
- Set up suppliers on the computer file
- Set up items for purchase on the computer file
- Raising requisitions
- Raising orders
- Receive goods/services
- Returning of unsatisfactory goods

In addition, the following support functions are covered:

- Invoice processing
- Payment to suppliers
- Accounting for expense purchases

Key risks of the processes being audited

- Expense goods/services requested are not needed or are not for the benefit of the company
- Orders are placed with suppliers who do not provide best value (quality/price/delivery)
- Payment is made for goods or services which have not been received
- Transactions are not correctly entered in the books of account
- The processes concerned are not operated efficiently and effectively

Audit work plan

In order to carry out this audit the auditors will:

- Take into account any previous audits, noting particularly the issues raised
- Obtain organisation charts, procedure manuals, training documentation and any other documentation which should be in use by the departments involved in the audit
- Obtain budgets, actual figures and any other relevant financial information
- If appropriate, meet the external auditors and any other parties with an interest in the processes being audited
- Meet with staff at all levels to understand their responsibilities and concerns
- Visit all locations which affect the risks involved (warehouses, factories, outsource suppliers)
- Carry out walkthrough tests to understand the processes involved, including monitoring controls
- Understand the changes made since the last audit
- Obtain relevant risk registers, noting when they were last updated
- Carry out interviews and risk workshops, as necessary, to ensure all risks have been identified
- Add to the risks in the risk register
- Score the inherent risks, according to the risk appetite of the organisation, which have been approved by the board. (Examples are shown in the "Scoring risks" worksheet)
- Carry out the tests necessary to confirm that the controls are operating properly
- Score the residual risks, according to the risk appetite of the organisation, which have been approved by the board. (Examples are shown in the "Scoring risks" worksheet)
- Draw conclusions as to whether each risk is properly controlled (see the example)
- Submit a report

Process map

Audit: Purchasing and payment of expense goods and services
Diagram of processes with key risks

This diagram shows the key processes for purchasing expenses and is the next level down from the risk register. Key risks are collected in the boxes, prior to putting them on the audit database. It is used to drive the main audit database.

[Diagram: process boxes with attached key risks]

Process boxes shown: Purchase expense goods; Promote; Sell; Supply; Sell - retail; Set up items; Set up suppliers; Place order; Requisition goods and services; Promote to customers; Promote in-store; Advertise on TV; Advertise in papers; Distribute goods; Store goods; Sell to resellers; Sell in stores; Support sales; Sell direct; Research markets; Research products; Research locations; Research customers; Define objectives (five boxes); Support purchase expense goods; Receive goods; Return goods.

Risks

- Supplier of vital services/goods may go out of business
- Supplier details are not correctly input/modified
- New suppliers improperly set up
- Item details are not correctly input/modified
- Goods/services are not what was ordered
- Incorrect quantities received are input
- The order is placed with a supplier not providing the best value
- The order is incorrect
- The requisition may be for goods and services not required
- The requisition may be incorrect
- Credit is not obtained for goods returned
- Payment is made when goods/services have not been received
- Settlement discount is not correctly deducted
- Payment is not made on the due date
- The strategy is not consistent with the overall strategy
- The strategy has not been communicated

Expense purchases database

Audit: Purchasing and payment of expense goods and services
Audit database

Column headings: L1, L2, L3, L4, L5, L, Ref, Process, Process Description, Risk to process, Risk source, IRC, IRL, IRS, Example control, Example monitoring, Tests, Ref, RRC, RRL, RRS, Cont score, Issue, Action, By whom, Conclusion Risks, Conclusion Controls, Conclusion Action, Conclusion Monitoring, Report ref, and, under "Last follow-up results (date)", Follow-up Risks, Follow-up Controls, Follow-up Action, Follow-up Monitoring.

Only the columns which contain data are shown below. Rows sharing the same process are grouped under it; L1 to L5 and L are shown as the reference digits and the level.

Ref 4.5 (L1-L2: 4, 5; level 2): Purchase expense goods
Description: Purchase goods and services for the organisation
(Summary level)
Not applicable

Ref 4.5.1 (L1-L3: 4, 5, 1; level 3): Define objectives
Description: Define the strategy for expense purchases, communicate and deliver it
(Summary level)
Not applicable

Ref 4.5.1.1 (L1-L4: 4, 5, 1, 1; level 4): Define the strategy for expense purchasing
Description: Set down targets for the year(s) ahead, for example, meeting the budget, improving staff efficiency, handling more orders

  Risk: The strategy does not maximise efficiency and effectiveness and is not consistent with the organisation's strategy
  Example control: The strategy for purchasing expense goods and services is updated each year, prior to setting targets and budgets for the areas concerned. These targets and budgets are approved by management finance.
  Example monitoring: Directors check the strategy for departments under their control. The overall budget is approved by the board
  Tests: Examine the latest strategy document
  Not applicable

  Risk: The strategy has not been updated
  Example control: The strategy for purchasing expense goods and services is updated each year, prior to setting targets and budgets for the areas concerned
  Example monitoring: Directors check the strategy for departments under their control
  Tests: Examine the latest strategy document. Check that the budget forms part of the organisation's overall budget. Examine variances for the current year and ensure adequate explanations have been made for excessive variances.
  Not applicable

Ref 4.5.1.2 (L1-L4: 4, 5, 1, 2; level 4): Communicate the strategy
Description: Inform the staff about the targets

  Risk: Staff are unaware of the strategy
  Example control: Staff are briefed by their managers
  Example monitoring: The strategy is available on notice boards and the intranet
  Tests: Ask staff to confirm they have been briefed. Determine the date of the briefing and attendees
  Not applicable

Ref 4.5.1.3 (L1-L4: 4, 5, 1, 3; level 4): Deliver the strategy
Description: Form an action plan, with the staff involved, to deliver the strategy

  Risk: No action plan exists to deliver the strategy
  Example control: An action plan to deliver the strategy is part of the budgeting process
  Example monitoring: Directors check the action plan for departments under their control
  Tests: Examine the action plan. Check for progress to implement it.
  Not applicable

  Risk: The strategy is not built into individuals' targets
  Example control: Individuals are given their targets based on those of the department
  Example monitoring: Directors, or senior managers, check the staff targets for departments under their control
  Tests: Examine staff targets for a selection of staff
  Not applicable

  Risk: Any member of staff can authorise the purchase of any goods or services
  Example control: Rights to place requisitions and orders are in a written policy
  Example monitoring: The policy is checked every year to ensure it is correct
  Tests: Examine the policy. Check it is up-to-date, appropriate staff have a copy and know how to use it. As part of other tests, ensure adherence to the policy
  Not applicable

  Risk: Any member of staff can requisition any goods or services
  Example control: Rights to authorise requisitions and orders are in a written policy
  Example monitoring: The policy is checked every year to ensure it is correct
  Tests: Examine the policy. Check it is up-to-date, appropriate staff have a copy and know how to use it. As part of other tests, ensure adherence to the policy
  Not applicable

Ref 4.5.2 (L1-L3: 4, 5, 2; level 3): Set up Suppliers
Description: Set up new Suppliers on the computer system, or modify existing details. Includes addresses and payment terms

The same example control, monitoring and tests are given for each of the three risks:

  Risk: Supplier details are not correctly input/modified
  Risk: False Suppliers are set up and paid
  Risk: No settlement discount, or other discounts, are negotiated

  Example control: Details of all changes to the Supplier master file are printed on a report which is checked to supporting documentation by staff who are not involved in changing Supplier details
  Example monitoring: Details of Suppliers and the amount spent with them are printed out every six months for authorisation by the Purchasing Director
  Tests: Check individual reports over the last six months for evidence of checking. Observe the process in action.
  Not applicable

Ref 4.5.4 (L1-L3: 4, 5, 4; level 3): Departments requisition goods/services
Description: Raise a request (may be on the computer system, but could be an e-mail or manual form) for goods or services to be ordered

The same example control, monitoring and tests are given for each of the two risks:

  Risk: Expense goods/services requested are not needed or are not for the benefit of the company
  Risk: Details on the requisition are incorrect

  Example control: Requisitions are authorised by an appropriate manager
  Example monitoring: Budgets are maintained for all expenses with monthly monitoring against actual
  Tests: Observe the procedure for electronically authorising requisitions. If possible, have the computer controls checked by a competent auditor.
  Not applicable

Ref 4.5.5 (L1-L3: 4, 5, 5; level 3): Purchasing order raised for goods/services
Description: Based on the authorised requisition, purchasing department raise an order. This may be on an existing Supplier but might require negotiations with a new Supplier

  Risk: The order is incorrect, that is, it does not agree to the approved requisition
  Example control: Confirmation is required on the order screen before the order is sent or printed
  Example monitoring: The requisitioner will query any difference
  Tests: Observe the process and try submitting without confirmation
  Not applicable

  Risk: The price on the order does not give the organisation maximum value
  Example control: The order is placed by trained purchasing staff using prices on the computer, or negotiated with the supplier.
  Example monitoring: Budgets are maintained for all expenses with monthly monitoring against actual
  Tests: Examine a report which shows the access rights of each person in purchasing and payables. Confirm that proper division of duties exists.
  Not applicable

  Risk: Orders are placed with suppliers who do not provide best value (quality/price/delivery)
  Example control: Orders can only be placed with suppliers previously set up on the computer
  Example monitoring: Half-yearly report listing suppliers and spend which is approved by the Purchasing Director
  Tests: Examine the input of orders. Try and set up a new supplier from the order screen
  Not applicable

  Risk: Orders are placed late
  Example control: Computer report showing requisitions not turned into orders within 2 days is checked by the supervisor
  Example monitoring: Requisitioners will complain if orders are received late
  Tests: Examine this report for items older than 2 days
  Not applicable

  Risk: Orders have incorrect account codes input
  Example control: The requisitioner supplies the codes. The computer checks these exist but cannot check if they are correct.
  Example monitoring: Budget holders check their expenses each month for incorrect items
  Tests: Examine accounts journals and other documentation used to correct coding errors to judge how frequent they are
  Not applicable

  Risk: Orders are placed for goods not required, without approved requisitions
  Example control: All orders have to be placed through the computer. Orders can only be raised by purchasing staff. Orders without requisitions must be approved by a senior manager
  Example monitoring: Budget holders check their expenses each month for incorrect items
  Tests: Check access to order screens is limited to approved purchasing staff. Check orders raised without approved requisitions are approved
  Not applicable

Ref 4.5.6 (L1-L3: 4, 5, 6; level 3): Contracts raised for continuing services or supply of materials
Description: Suitable suppliers are identified to supply goods/services. Sealed tenders (quotes) are called for and opened in the presence of an independent person. The cheapest tender is chosen, if all conditions have been complied with

  Risk: Contracts are not negotiated to ensure the best prices for ongoing services such as maintenance
  Example control: Expenditure on services is constantly monitored to check if contracts should be raised to ensure best prices and service. Contracts are tendered, as necessary, to ensure best prices.
  Example monitoring: Senior purchasing management monitor expenses, and check all tenders to confirm the process
  Tests: Check expenditure over X to see if contracts have been raised. Examine the tendering process, and last contracts signed, to ensure the process is operating. (This could be done as a separate audit)

Ref 4.5.7 (L1-L3: 4, 5, 7; level 3): Goods/services received. Quantity received input
Description: Receive the goods and services ordered. Goods may be received at a central location, and their receipt keyed into the computer. Some type of confirmation should be required for the receipt of services

  Risk: Goods/services vital to the organisation's operation become unavailable or too expensive
  Example control: If possible, have two, or more, sources of supply. Hold sufficient stocks of vital spares. Have contingency plans for failure of vital supplies
  Example monitoring: Continuity of supply is written into managers' targets, on which they are assessed
  Tests: Check for the existence of recent, tested contingency plans
  Not applicable

  Risk: Quantities, or service, are not what was ordered
  Example control: Computer report showing where quantities received differ from the order
  Example monitoring: Requisitioners should complain if the goods/services differ from the order
  Tests: Examine this report and check on the action taken. Note items which may be old and uncorrected
  Not applicable

  Risk: Quantities incorrectly input
  Example control: The computer warns if the quantity received is different from that ordered
  Example monitoring: Requisitioners should complain if the goods/services differ from the order
  Tests: Observe the process and try submitting a different quantity
  Not applicable

  Risk: Stock records (for example engineers' spares) not updated
  Example control: Automatic update with exception reports where this has not occurred
  Example monitoring: Periodic physical checks to stock records
  Tests: Check a sample of items received through to the stock system
  Not applicable

  Risk: Receipt details input when no goods or services have been received
  Example control: Division of duties between requisitioners, purchasing staff and receivers
  Example monitoring: Budget holders check their expenses each month for incorrect items
  Tests: Examine a report which shows the access rights of each person in purchasing and payables. Confirm that proper division of duties exists.
  Not applicable

Ref 4.5.7 (L1-L3: 4, 5, 7; level 3): Goods/services received. Date of receipt input
Description: Receive the goods and services ordered. Goods may be received at a central location, and their receipt keyed into the computer. Some type of confirmation should be required for the receipt of services

  Risk: Quality is not up to standard
  Example control: Responsibility of the person receiving the goods/services to complain of poor quality to the ordering department
  Example monitoring: No formal monitoring
  Tests: Ask a sample of staff their opinions on the quality of goods received
  Not applicable

  Risk: Goods are lost
  Example control: All goods are received at one, secure, location, which inputs their receipt against the order
  Example monitoring: Requisitioner will complain if goods are not received
  Tests: Visit the receiving area. Check security and observe the receipt of goods.
  Not applicable

Ref 4.5.8 (L1-L3: 4, 5, 8; level 3): Goods/services returned
Description: If the goods are not those ordered, are damaged, or too many are delivered, they will be returned to the Supplier. If they are found to be faulty after the processing of an invoice, or payment, a credit note will be required

  Risk: Credit is not obtained from the supplier
  Example control: Goods can only be returned on the authority of the buyer, who raises a "Goods Return Note". One copy goes with the goods, the other is keyed into the computer as a debit note. This automatically reduces the next payment.
  Example monitoring: Requisitioner will complain if credit is not received
  Tests: Take a sample of Goods Returned Notes and check that the correct credit has been received
  Not applicable

Ref 4.5.8 (L1-L3: 4, 5, 8; level 3): Support purchasing of expenses
(Summary level)
Not applicable

Ref 4.5.8.1 (L1-L4: 4, 5, 8, 1; level 4): Define objectives for supporting expense purchasing
(Summary level)
Not applicable

Ref blank (L1-L5: 4, 5, 8, 1, 1; level 5): Define the strategy
Description: Set down targets for the year(s) ahead, for example, meeting the budget, improving staff efficiency, handling more orders

  Risk: The strategy has not been updated
  Example control: The strategy for purchasing expense goods and services is updated each year, prior to setting targets and budgets for the areas concerned
  Example monitoring: Directors check the strategy for departments under their control
  Tests: Examine the latest strategy document
  Not applicable

Ref blank (L1-L5: 4, 5, 8, 1, 2; level 5): Communicate the strategy
Description: Inform the staff about the targets

  Risk: Staff are unaware of the strategy
  Example control: Staff are briefed by their managers
  Example monitoring: The strategy is available on notice boards and the intranet
  Tests: Ask staff to confirm they have been briefed. Determine the date of the briefing and attendees
  Not applicable

Ref blank (L1-L5: 4, 5, 8, 1, 3; level 5): Deliver the strategy
Description: Form an action plan, with the staff involved, to deliver the strategy

  Risk: No action plan exists to deliver the strategy
  Example control: An action plan to deliver the strategy is part of the budgeting process
  Example monitoring: Directors check the action plan for departments under their control
  Tests: Examine the action plan
  Not applicable

  Risk: The strategy is not built into individuals' targets
  Example control: Individuals are given their targets based on those of the department
  Example monitoring: Directors, or senior managers, check the staff targets for departments under their control
  Tests: Examine staff targets for a selection of staff
  Not applicable

  Risk: No limitation is set on the authority of staff to commit the organisation
  Example control: Rights to place requisitions and orders are in a written policy
  Example monitoring: The policy is checked every year to ensure it is correct
  Tests: Examine the policy. Check it is up-to-date, appropriate staff have a copy and know how to use it. As part of other tests, ensure adherence to the policy
  Not applicable

  Risk: No limitation is set on the authority of staff to commit the organisation
  Example control: Rights to authorise requisitions and orders are in a written policy
  Example monitoring: The policy is checked every year to ensure it is correct
  Tests: Examine the policy. Check it is up-to-date, appropriate staff have a copy and know how to use it. As part of other tests, ensure adherence to the policy
  Not applicable

Ref 4.5.8.2 (L1-L4: 4, 5, 8, 2; level 4): Process transactions
Description: Process transactions resulting from the purchase of expenses

  Risk: Transactions are not processed completely and accurately
  Not applicable

Ref 4.5.8.2.1 (L1-L5: 4, 5, 8, 2, 1; level 5): Purchasing expenses - Invoice input
Description: Receive an invoice from the Supplier for the goods and services supplied. If it has an order number, match it on the computer system against the receipt and order, for quantity and price. Differences outside a pre-defined tolerance are held and cleared by purchasing. Invoices with no order have to have senior management authorisation.

  Risk: Invoice input against incorrect supplier
  Example control: Most invoices are input against an order and the supplier details are checked. If no order exists there is no control
  Example monitoring: The supplier will send a reminder to pay
  Tests: Examine transactions which correct mis-postings
  Not applicable

  Risk: Incorrect values input
  Example control: Where the invoice is matched to an order, an exception report is produced for invoices not matching and these are held until purchasing approve the difference. Invoices without orders are batch totalled
  Example monitoring: Monthly check, by management, of the report showing invoices held in query. Follow-up of invoices over one month old
  Tests: Examine the query report to ensure no queries are outstanding for an excessive period of time, and that all are being actively pursued
  Not applicable

  Risk: Invoices are input twice
  Example control: Where the invoice is matched to an order the computer will not allow the input of another invoice. Invoices are stamped "input"
  Example monitoring: Budget holders should check the actual expenditure against their budget each month
  Tests: Ask a sample of budget holders to provide evidence that they have checked the expenses for the previous month
  Not applicable

  Risk: Duplicate invoices are input
  Example control: Where the invoice is matched to an order the computer will not allow the input of another invoice. If copy invoices are received, where no orders exist, they are checked to the supplier account before processing. The computer will not accept duplicate invoice numbers
  Example monitoring: Budget holders should check the actual expenditure against their budget each month
  Tests: Examine transactions which correct mis-postings
  Not applicable

  Risk: Invoice input where no goods or services have been received.
  Example control: Most invoices are matched against approved orders. Other invoices must be approved by a senior manager and accountant, who writes the account code on. Invoices can only be paid to suppliers set up on the system, for which separate checks apply. Duties are divided to ensure staff who input invoices do not set up suppliers or payments
  Example monitoring: Budget holders should check the actual expenditure against their budget each month
  Tests: Check a sample of items received through to the stock system, or other evidence, to prove that the goods/services were received. Check the access to computer screens to ensure division of duties is enforced
  Not applicable

  Risk: The tax analysis of invoices is incorrect, for example "Business entertainment"
  Example control: All purchasing and transaction processing staff have specific training on the analysis of Value added tax (VAT). Detailed guidelines are available. The computer checks for incorrect calculations
  Example monitoring: Tax department scrutinise certain nominal codes for exceptional items
  Tests: Check a sample of invoices to ensure that the tax treatment is correct
  Not applicable

Ref 4.5.8.2.2 (L1-L5: 4, 5, 8, 2, 2; level 5): Purchasing expenses - Invoice filed
Description: After input of the invoice, it is sent for microfiching and the paper copy destroyed

  Risk: Invoices are not filed and microfiched
  Example control: Invoices are sequentially numbered on input. When microfiching, the continuity of these numbers is checked
  Example monitoring: The fiche are checked by staff when received back from the microfiching department
  Tests: Check a selection of fiche to ensure no numbers are missing
  Not applicable

Ref 4.5.8.2.3 (L1-L5: 4, 5, 8, 2, 3; level 5): Purchasing expenses - no invoice received, for example tax
Description: Receive a properly approved cheque requisition, with supporting documentation

  Risk: Incorrect payments may be made
  Example control: Computer payments can only be made against invoices matched to orders, or authorised invoices. Payments can only be generated by staff who do not have access to order, invoice or supplier master data input. Manual payment cheques must be supported by the cheque requisition and signed by two senior managers
  Example monitoring: Budget holders should check the actual expenditure against their budget each month
  Tests: Check a sample of cheque requisitions, to ensure this type of transaction should have been used (that is, no invoice is available) and it was properly approved. Check that the item being paid for is genuine
  Not applicable

Ref 4.5.8.2.4 (L1-L5: 4, 5, 8, 2, 4; level 5): Purchasing expenses - payment
Description: The computer automatically schedules payments depending on the terms set for each Supplier. Payments may be made by electronic funds transfer (home and foreign) or cheque. Non-invoice payments (for example payments of tax) may be made by entering details in the computer, or by paying with a manual cheque.

  Risk: Computer payment is made for goods or services which have not been received
  Example control: Computer payments can only be made against invoices matched to orders, or authorised invoices. Payments can only be generated by staff who do not have access to order, invoice or supplier master data input. Manual payment cheques must be supported by the original invoices and signed by two senior managers
  Example monitoring: Budget holders should check the actual expenditure against their budget each month
  Tests: Check a sample of payments taken from the cash sheets to prove that the goods/services paid for were received
  Not applicable

  Risk: Incorrect settlement discount is taken
  Example control: Payment terms are set up on the supplier account. They can only be changed on written instructions for a buyer. Settlement discount can be overridden for a specific order, but only by a manager
  Example monitoring: Payment terms are checked by buyers every 6 months
  Tests: For the sample of payments used in the above test, check that the correct settlement discount has been taken
  Not applicable

  Risk: Payment is not made on the due date
  Example control: Payment terms are set up on the supplier account. They can only be changed on written instructions for a buyer
  Example monitoring: Payment terms are checked by buyers every 6 months
  Tests: For the sample of payments used in the above test, check that the payment was made on the correct date
  Not applicable

  Risk: Manual payments made are fraudulent
  Example control: Cheques are kept in a locked cupboard to prevent theft and subsequent forgery. Overseas payment instructions are signed by two directors. The bank has instructions to telephone the Chief Financial Officer if payments are over an agreed amount.
  Example monitoring: Bank reconciliation will detect payments made not correctly entered in the books of account
  Tests: For a sample of manual and overseas payments, ensure that goods/services were received. Check the bank understands its instructions to phone the CFO. If appropriate, carry out a separate audit on foreign payments
  Not applicable

  Risk: Cheques are altered or forged
  Example control: Cheque signing signatures are embossed. Cheques are printed by specialist printers with the latest security features
  Example monitoring: Bank reconciliation will detect payments made not correctly entered in the books of account
  Tests: Observe the cheque printing process to ensure it is physically secure. Check that the signature plates are stored in a safe with limited access
  Not applicable

  Risk: The payment output file is altered. (This file holds payment data to be transmitted to the bank, or used to print cheques)
  Example control: Access controls on the computer to prevent alteration
  Example monitoring: Exception reports, checked by management, which detail exceptional alterations to files
  Tests: Obtain details of those staff with access to the computer files. They should only be senior IT staff with no access to accounting systems
  Not applicable

Ref 4.5.8.2.5 (L1-L5: 4, 5, 8, 2, 5; level 5): Purchase expense invoices / credit notes posted to accounts
Description: Invoices and payments are posted to the general (nominal) ledger in the same accounting period

  Risk: Invoice / credit notes are posted to incorrect accounts
  Example control: Invoices are posted to the cost centre and nominal account set up on the requisition. The computer verifies that these exist and prevents certain combinations of cost centre and nominal codes
  Example monitoring: Budget holders check their expenses each month for incorrect items.
Plus Financial Accounts check balances to the previous month's and investigate significant discrepanciesFor a sample of invoices, check the coding is correctNot applicable4582654.5.8.2.6Accounts Payable month-end processesIn order to compile month-end accounts, the value of goods received not invoiced is calculated by the computer , from unmatched receipts. Checks are made to ensure all services received, but not invoiced, are also accrued. To ensure details have been correctly passed from the accounts payable system to the general ledger, the total of the accounts payable ledger is reconciled to the accounts payable control account in the general ledgerAccruals not calculatedThe value of all goods received not invoiced is calculated by the computerComparison made with previous month's figure. Major differences investigatedCheck the report providing the accruals figure. Check that large variances from the previous month have been explainedNot applicable4582654.5.8.2.6Accounts Payable month-end processesIn order to compile month-end accounts, the value of goods received not invoiced is calculated by the computer , from unmatched receipts. Checks are made to ensure all services received, but not invoiced, are also accrued. To ensure details have been correctly passed from the accounts payable system to the general ledger, the total of the accounts payable ledger is reconciled to the accounts payable control account in the general ledgerAccruals not calculated correctlyIn major expense service functions (for example advertising) managers must detail services provided which have not been invoicedMajor variances from budget are investigatedCheck the composition of the accruals figure. 
For a sample of recepts on the report, ensure they are recent and obtain expalnations why old receipts have not had invoices processedNot applicable4582654.5.8.2.6Accounts Payable month-end processesIn order to compile month-end accounts, the value of goods received not invoiced is calculated by the computer , from unmatched receipts. Checks are made to ensure all services received, but not invoiced, are also accrued. To ensure details have been correctly passed from the accounts payable system to the general ledger, the total of the accounts payable ledger is reconciled to the accounts payable control account in the general ledgerAccounts payable ledger total does not represent all liabilitiesTotal of supplier balances reconciled to Accounts Payable control account in the General ledgerReconciliation is signed by a senior managerFor a number of months, check this reconciliation has been properly carried outNot applicable4582754.5.8.2.7Manage the accounts payable ledgerEnsure the accounts payable ledger is correctly updated, properly represents amounts owed to creditors and is correctly included in the accounts of the organisationAccounts payable ledger total does not represent all liabilitiesSample check reconciliation of Supplier statements to the Accounts Payable balanceThe check is noted and scrutinised by a senior manager at month-endScrutinise the reconciliations carried out to ensure they contain no unusual items. If necessary, reperform some reconciliations to ensure they are correctNot applicable4582754.5.8.2.7Manage the accounts payable ledgerEnsure the accounts payable ledger is correctly updated, properly represents amounts owed to creditors and is correctly included in the accounts of the organisationSupplier with a debit balance, due to credits issued, goes out of businessException report highlighting large debit balances. Payment stop put on the account. 
Systems in place to request repayment of the amount owingManagement scrutiny of large debit balances each month, with a progress report on their recoveryCheck the accounts payable list of balances for debit balances. For a sample of balances, determine why they arose and the action being taken to recover themNot applicable458344.5.8.3Provide systemsProvide systems, including computer systems to support the organisations operations(Summary level)n/aNot applicable4583154.5.8.3.1Maintain central systemsThe proper operation of applications is maintained by a central IT departmentData lost through main computer failure, systems unavailable for a prolonged periodRange of controls maintained by the IT departmentUsers monitor their output, such as reconciling the accounts payable balance with the general ledgerCovered by audits of the IT processesNot applicable4583254.5.8.3.2Maintain user systemsUsers set up their own computer systems (for example spreadsheets) to produce dataUser-maintained systems lose dataData is kept on the network which is backed-up dailyIT management should monitor system reportsEnsure data is backed-up - try retrieving yesterday's files. If a stand-alone computer, check back-up to discsNot applicable4583254.5.8.3.2Maintain user systemsUsers set up their own computer systems (for example spreadsheets) to produce dataUser-maintained systems produce inaccurate dataAll important data is checked, or reconciled, to an independent source to ensure it is correct. If this is not possible, some manual reperformance of calculations, or checks of formulas.Output should be examined for "reasonableness"Check formulas are correct. If possible use a spreadsheet analyser to detect possible problems. 
Reperform manually important calculations, if possible.Not applicable4583254.5.8.3.2Maintain user systemsUsers set up their own computer systems (for example spreadsheets) to produce dataUser-maintained systems understood by only the programmerA user guide has been written and independently tested after each revisionManager holds a copyCheck all programs have a clearly written user guide.Not applicable458444.5.8.4Prepare management accountsCollect the data from processed transactions into accounts for management to make decisionsInformation is incorrectly analysed and summarisedTotals on the management accounts are reconciled to totals from the accounts payable systemOutput should be examined for "reasonableness"Trace figures from the accounts payable system through to totals in the top level management accountsNot applicable458544.5.8.5Prepare financial accountsCollect the data from processed transactions into accounts for statutory or tax purposesInformation is incorrectly analysed and summarisedEach month, or more frequently, the accounts payable ledger total is reconciled to the accounts payable control account in the general ledgerManager checks the reconciliation. 
Management and financial accounts are reconciledTrace figures from the accounts payable system through to totals in the top level financial accountsNot applicable458644.5.8.6Provide staffRecruit staff and manage staff policies(Summary level)Not applicable4586154.5.8.6.1Establish job descriptionsJob descriptions, in accordance with policy, are written and approvedStaff competencies required have not been identifiedAll jobs have written job descriptions, which show the competencies requiredHR and manager sign off job descriptionsCheck for job descriptions of all staff levelsNot applicable4586254.5.8.6.2Carry out regular appraisalsTargets are set for staff with regular appraisals in accordance with policyActual competencies of the staff have not been matched with required competenciesThe targets take into account the competencies requiredHR and manager sign off appraisalsCheck appraisal filesNot applicable4586354.5.8.6.3Training of staffStaff are trained in order to achieve their targets with maximum effectiveness and efficiency, within the ethical guidelinesTraining is not provided, or is inadequate. For example it omits ethical guidanceTraining is provided when taking on new responsibilities and during a job, to ensure the staff member understand how to do the job and the controls which must operateManagers monitor the training their staff receive to ensure it is appropriate at all timesCheck training materials. 
Ask staff who have recently changed jobs about their trainingNot applicable4586354.5.8.6.3Training of staffStaff are trained in order to achieve their targets with maximum effectiveness and efficiency, within the ethical guidelinesStaff not allowed to attend trainingClear policy from the board that training is important.HR monitor staff not attending training courses and determine whyQuestion staff who have been on coursesNot applicable4586454.5.8.6.4Recruit suitable staffRecruit staff to fill vacanciesApplicants falsify referencesAll references and qualifications are checked by HRManager can request references if requiredTake a sample of recent joiners and check that references were supplied. (Other tests are carried out as part of the audit of HR)Not applicable4586454.5.8.6.4Recruit suitable staffRecruit staff to fill vacanciesInsufficient staff are available to carry out all duties, and maintain division of dutiesHR maintain succession plans for senior key staff. Managers have plans for other key staffSenior managers should monitor their managers to ensure succession plans existExamine staff budgets to ensure staff numbers are being maintained at levels which ensure controls are operatedNot applicable458744.5.8.7Provide legal servicesAdvise all areas of the company concerning action to be taken on legislationStaff involved in expense purchasing are not aware of legislation which affects them, thus threatening the organisation with prosecutionThere is a clear, preferably written, understanding that legal services will update the appropriate managers with legislation which affects them. The managers will brief their staffSenior management check that important legislation is understood by the functions under their controlDetermine when the last update from legal services was received and how it was briefed to staff. If you are aware of any legislation affecting the processes being audited (for example competition legislation), make sure it has been briefed in. 
These processes will also be covered by audit BSNot applicable458844.5.8.8Provide tax servicesAdvise all areas of the company concerning action to be taken on tax legislationStaff involved in expense purchasing are not aware of tax legislation which affects them, thus threatening the organisation with fines or the loss of tax creditsRegular briefings from tax department to all staff concerned. Induction training to include the relevant aspects of taxSenior manager to check that new tax legislation has been briefed to staffAsk staff about their induction. Do they understand the tax implications of their work? Check invoices for correct treatment of taxes (for example VAT)Not applicable458944.5.8.9Ensure health & safetyEnsure the organisation complies with legislation and good practice to ensure the safety of staff and customersSuppliers provide services without observing safety procedures, resulting in injury to staffAudit of suppliers to ensure they understand health and safety legislation. Orders and contracts contain clause to ensure suppliers comply with regulationsQualified staff check suppliers workingExamine documents given to suppliers and their written agreement. 
Attend, with qualified staff, the suppliers working on-siteNot applicable4581044.5.8.10Manage the environmentEnsure the operations of the organisation obey all environmental laws and good practiceGoods purchased, for example cleaning solvents, may create an unsafe environment for employeesPurchasing staff have training on general health and safety topics, with specific training for staff ordering chemicals and other potentially hazardous itemsPeriodic audits by health and safety departmentCheck training records, and H & S audit documentationNot applicable45812Ensure securityThe physical security of tangible and intangible assets, and staff and customers, is maintained at all times to ensure the continued operation of the organisation(Summary level)Not applicable45812154.5.8.12.1Provide securityAll assets, including physical assets, stock and information, are physically secureLoss of the organisation's assetsAll buildings have entry restricted by card operated gatesPeriodic audits, by security department, of the access to buildingsDuring audit, observe security precautions. Otherwise the test of physical security are carried out in audit group BXNot applicable45812254.5.8.12.2Identify documents required to achieve the objective of these processesDecide on the documents, paper or electronic, which are essential to the operation of expense purchases, or for tax reasons. These may include paper orders, supplier invoices, cash sheets and chequesDocuments essential to operations (such as cheques) may be lost in a fireSupplies of paper documents, such as orders and cheques, are stored in a separate building. Documents which must be kept for tax purposes are microfiched, and these are stored in a fireproof safeIt is the responsibility of the departmental manager to ensure documents are retained and securely stored for as long as necessaryCheck the existence of the paper documents kept off-site. 
Check that all microfiche are stored in the fireproof safe, with none left out at night.Not applicable45812354.5.8.12.3Decide on arrangements to safeguard theseFor each document, decide on the appropriate storage mediumLevel of protection may not be sufficientA formal process has been carried out to identify the documents used and their method of storageIt is the responsibility of the departmental manager to ensure documents are retained and securely stored for as long as necessaryCheck for evidence of the formal process, and that it is being followedNot applicable4581344.5.8.13CommunicateInform internal and external stakeholders of the organisation's policies and intentionsReputation of the company suffers because the press are mis-informed about the organisation's policy of not using suppliers who might use child labourA documented ethical policy, which includes purchasing policyThe Ethical Committee ensures a complete policy is communicated to all stakeholdersExamine the policy and check specifically for purchasing policyNot applicable4581444.5.8.14Manage risks threatening expense purchasing processes(Summary level)Not applicable45814154.5.8.14.1Identify risksRisk workshops and interviews are held to determine the risks threatening the objectives of the expense purchasing functionRisks are not knownQuarterly examination of the risk register by management, with written confirmation to Internal Audit of changes, or confirmation that no changes are necessaryInternal Audit maintain the risk register, and ensure each function provides a list of scored risks with controlsExamine processes to set up the risk register and examine the register. 
Ensure all types of risk, including external risks, have been consideredNot applicable45814254.5.8.14.2Evaluate risksScore the risks on the organisation's likelihood and consequence scalesSignificant risks are not understoodQuarterly examination of the risk register by management, with written confirmation to Internal Audit of changes, or confirmation that no changes are necessaryInternal Audit maintain the risk register, and ensure each function provides a list of scored risks with controlsExamine the process which score the risksNot applicable45814354.5.8.14.3Control risksFor all risks, decide on a cost-effective control to reduce the risk to the risk appetite of the organisationSignificant risks are not controlledControls are put into operation which reduce residual risks to the risk appetite of the organisationInternal Audit maintain the risk register, and ensure each function provides a list of scored risks with controlsCheck controls as part of the auditNot applicable


Column Key
Audit: Purchasing and payment of expense goods and services

Column key:
L1: Level 1 risk number. Corresponds to the Risk database
L2: Level 2 risk number. Corresponds to the Risk database
L3: Level 3 risk number
L4: Level 4 risk number
L5: Level 5 risk number
L: Level of the process on this row (1 to 5)
Ref: Reference number of the process (L1.L2.L3.L4.L5). This is a unique number which defines this process throughout the organisation
Process: Title of the process
Process Description: A brief description of what the process does. Any more details should be filed in the audit file
Risk to process: The threat to the process. There may be several risks to one process, or one risk may threaten several processes
Risk source: Who identified the risk (management, risk workshop, auditor, meeting)
IRC: Inherent risk consequence score. See "Scoring risks" worksheet
IRL: Inherent risk likelihood score. See "Scoring risks" worksheet
IRS: Inherent risk scores multiplied to give significance
Example control: An example of a control which might mitigate the risks
Example monitoring: An example of a monitoring control which might check the operation of the control
Tests: An example of a test which might confirm the operation of the control
Ref: Reference to the schedule giving more details of the test
RRC: Residual risk consequence score. See "Scoring risks" worksheet
RRL: Residual risk likelihood score. See "Scoring risks" worksheet
RRS: Residual risk scores multiplied to give significance
Cont score: Control score = IRS - RRS. The higher it is the more important the control
Issue: Details where the risk is not mitigated to the acceptable level ("Risk appetite")
Action: Action which management is taking to reduce the risk
By whom: The job title and name of the person responsible for ensuring the action takes place
Conclusion Risks: Conclusion on risk management (see "Allocating conclusions" worksheet)
Conclusion Controls: Conclusion on the adequacy of internal controls (see "Allocating conclusions" worksheet)
Conclusion Action: Conclusion on any action required to reduce risks (see "Allocating conclusions" worksheet)
Conclusion Monitoring: Conclusion on the adequacy of processes to monitor the correct operation of controls (see "Allocating conclusions" worksheet)
Report ref: The paragraph number in the report where the issue is reported
Follow-up Risks: Conclusion on risk management from the last follow-up audit (see "Allocating conclusions" worksheet)
Follow-up Controls: Conclusion on the adequacy of internal controls from the last follow-up audit (see "Allocating conclusions" worksheet)
Follow-up Action: Conclusion on any action required to reduce risks from the last follow-up audit (see "Allocating conclusions" worksheet)
Follow-up Monitoring: Conclusion on the adequacy of processes to monitor the correct operation of controls from the last follow-up audit (see "Allocating conclusions" worksheet)

Scoring risks
Audit: Purchasing and payment of expense goods and services

Advice on scoring risks (inherent and residual)

Columns, for the 1 to 3 scale and for the 1 to 5 scale: If the consequence when the risk occurs is: | OR the likelihood of the risk occurring is: | Then the measure is defined to be:

1 to 3 scale: To prevent the organisation achieving all, or a major part, of its objectives for a long time. | Almost certain | High (3)
1 to 5 scale: A catastrophic impact on the organisation, threatening its existence | Almost certain | Catastrophic (5)
1 to 3 scale: Cash at risk > 100,000
1 to 5 scale: Cash at risk > 1,000,000

1 to 3 scale: To stop the organisation achieving its objectives for a limited period. | Possible | Medium (2)
1 to 5 scale: To prevent the organisation achieving all, or a major part, of its objectives for a long time. | Probable | Major (2)
1 to 3 scale: Cash at risk 5,000
1 to 5 scale: Cash at risk 100,000

1 to 3 scale: To cause minor inconvenience, not affecting the achievement of objectives | Unlikely | Low (1)
1 to 5 scale: To stop the organisation achieving its objectives for a limited period. | Possible | Moderate (2)
1 to 3 scale: Cash at risk