OVERVIEW

Objective

¾

To evaluate audit reliance on control effectiveness and substantive testing of transactions.

SUBSTANTIVE TESTING TESTING

CONTROL EFFECTIVENESS

EXAM SKILLS

¾ Aim

¾ Approach

¾ Hybrid approach

¾ Components

¾ General approach

¾ Understanding internal control

¾ Testing operating effectiveness

¾ Reliance on past results

REPORTING WEAKNESSES TO

MANAGEMENT

¾ Management letter

¾ Content

¾ Form and presentation

¾ Follow up

¾ Interested third parties

1

TESTING CONTROL EFFECTIVENESS

1.1

Components

1.2

General approach

Reliance

Test effectiveness

Evaluate

Remaining assurance from substantive

procedures

Not effective

No reliance

Report to management

All assurance from substantive procedures Risk assessment and

internal controls.

¾

As part of their risk assessment, the auditor must consider if controls are appropriately designed to prevent, or detect and correct, a material misstatement AND have been implemented (See Sessions 8 and 9).

CONTROL

ENVIRONMENT ASSESSMENT RISK PROCESS

INFORMATION

SYSTEMS ACTIVITIES CONTROL

¾

If, following the risk assessment, controls do not appear to be satisfactory OR the auditor does not seek to place reliance on controls, a fully substantive testing approach is used (eg a high level of testing transactions, balances and disclosures).

¾

If the auditor decides that audit assurance can be obtained through reliance on the effectiveness of internal controls (and it is cost effective to do so) audit evidence must be obtained through testing the effectiveness of such controls (eg throughout the period being audited).

‰ In this context, cost effective means that the time taken to test the controls and carry out a lower level (eg minimum sample size or analytical procedures) of substantive testing on transactions would be less than if a higher level (eg maximum sample size) of substantive testing of transactions alone was undertaken.

¾

If the testing shows the controls have been effective, then the remaining assurance should be obtained through substantive testing. This will mean lower sample sizes for testing transactions, testing of balances and effective use of substantive analytical review procedures.

¾

If the testing shows that the controls are not effective, all audit assurance will be obtained through increased substantive testing (eg larger sample sizes) of transactions, balances and disclosures.

¾

Where the risk assessment or testing indicates that controls are not satisfactory, a report to management must also be made. (See Session 13)

1.3

Understanding internal control

¾

ISA 315 requires the auditor:

‰ to understand internal control in sufficient detail to be able to identify and assess the risks of material misstatement; and

‰ to design and perform further audit procedures (i.e. test the operating effectiveness of controls and substantive testing).

¾

Controls that are likely to prevent, or detect and correct material misstatements will be identified (and understood) as part of the risk assessment process. Often, single controls will be insufficient, but multiple controls (when considered together) will be sufficient to achieve a given control objective.

¾

Conversely, where the availability of substantive evidence to provide sufficient, appropriate audit evidence is insufficient, the testing of controls is essential (e.g. for highly automated systems where a significant amount of data is initiated, recorded, processed and reported electronically, it may not be possible to obtain sufficient audit evidence through substantive testing alone. In this instance, testing of both manual and electronic controls plus extensive analytical review would usually provide the

assurance required).

1.4

Testing operating effectiveness

¾

Appendix 2 Session 36 contains detail on the control objectives, internal control

procedures, tests of control and substantive procedures (see also Appendix 3 Session 37) for revenue and expense transaction cycles. These MUST be studied in order to fully understand and complement the detail within this session and Sessions 8 and 9.

1.4.1

Nature of tests of control

¾

Tests of controls (testing control effectiveness, compliance testing) will use the following procedures:

‰ inspection ‰ observation ‰ inquiry ‰ confirmation ‰ recalculation ‰ reperformance ‰ analytical procedures

all of which may be used for assessing the operating effectiveness of control procedures at the assertion level (PIPSA), e.g.

‰ Performance reviews (e.g. analytical procedures, reperformance, observation) ‰ Information processing (e.g. inspection, recalculation, reperformance)

‰ Physical controls (e.g. observation, inquiry, reperformance, analytical procedures) ‰ Segregation of duties (e.g. observation, inspection, reperformance)

‰ Authorisation (e.g. inspection, inquiry, confirmation)

¾

Note that the nature of such tests is exactly the same as used by the auditor to

understand the design and implementation of the control. The major differences are the timing and extent of tests of control.

1.4.2

Timing of tests of control

¾

Testing a control at any moment in time will only provide evidence of the effectiveness (and implementation) of that control at that point in time. Depending on the objective of the test, it is often necessary to test the effectiveness of controls over a period of time, eg:

‰ Year end inventory counts only require testing of control (and substantive procedures) at the year end since no reliance is placed on day-to-day controls.

‰ Controls over continuous inventory systems will need to be tested throughout the year (e.g. discrepancy reports must be followed up and acted upon) if reliance is to be placed on inventory records at the year end.

¾

A common (efficient) approach to testing of controls is to conduct, wherever possible, this procedure during the interim audit. In doing so, the auditor is able to reassess their audit approach, as necessary, prior to the rear end audit (rather than making last minute discoveries that impact upon the audit approach).

¾

When an interim audit is carried out, the approach to auditing the remaining period must be considered. Factors to take into account include:

‰ the significance of the assessed risks of material misstatement during the remaining period;

‰ the length of the remaining period (eg four months of transactions will be more material than just one month);

‰ the control environment; and

‰ significant changes made to the internal control system since the interim audit.

Illustration 1

¾

An interim audit is carried out two months before the year end.

¾

The results show that there is a high degree of operating effectiveness (no errors noted).

¾

During the remaining two months, a change is made to the procurement procedures. This is considered by the auditor to be significant in that if the changed control did not work, there is a risk of material misstatement in the financial statements. No other changes to internal control were identified by the auditor.

¾

Full understanding and risk assessment is made based around this change in control. The operational effectiveness of the change and its impact on the procurement system will be tested from the date of its introduction.

¾

As the monitoring of controls was assessed as being effective at the interim

1.4.3

Extent of tests of control

¾

Takes into consideration:

‰ The frequency of the performance of the control by the entity during the period. ‰ The length of time during the audit period that the auditor is relying on the

operating effectiveness of the control. (This will generally be the whole period.) ‰ The relevance and reliability of the audit evidence to be obtained.

‰ The extent to which audit evidence is obtained from tests of other controls related to the assertion.

‰ The extent to which the auditor plans to rely on the operating effectiveness of the control in the assessment of risk (and thereby reduce substantive procedures based on the reliance of such control).

‰ The expected deviation (ie number of errors) from the control. A common expected deviation is zero – thus any deviations may result in increased substantive testing.

¾

If the system is changed partway through a year (eg manual system converted to a computer based system), effectively two systems will need to be fully assessed and tested, depending on the length of time each system has been in operation (eg if the change occurred during the last month, a detailed analytical review may provide sufficient audit evidence for the last month).

¾

What is of prime importance will be the procedures and control over the transfer of data, ie that the integrity of data was maintained during the change. This must be fully assessed and tested by the auditor (see Session 12).

1.4.4

Errors found during tests of control

¾

The concept of materiality does not apply when dealing with control test errors – if the expected deviation is zero (the most common expectation) then any error means that the control did not work. What is important is for the auditor to determine the reason for the error(s).

¾

If there was only one (or very few) errors from the sample tested, this may be indicative of an isolated error (e.g. no purchasing authorisation for a day because the buying manager was sick).

‰ A review should be undertaken to see if the error was repeated at any other time (e.g. at what other times was the manager ill and were alternative controls in place) plus analytical review of the purchases actually made on those days.

‰ It may then be concluded that if there is no material impact on the financial statements, substantive procedures may not need to be increased.

‰ A report of the weakness and potential impact must still be made to the client.

¾

If there were several errors within a test, then the conclusion may usually be reached

1.5

Reliance on past results

1.5.1

General

¾

Audit evidence of the operating effectiveness of controls in a prior period may be relied upon as audit evidence for the current period, provided:

‰ inquiries, observations and inspections are made to confirm that no changes have occurred in the current period;

‰ if an individual control, that control is tested at least once every three years; ‰ if a number of controls, then a sufficient portion (auditor’s judgment) of those

controls must be tested each year and each control must be tested at least every three years;

‰ the assessed risk is not a significant risk (auditor’s judgement).

1.5.2

Significant risks

¾

For significant risks, the operating effectiveness of controls must be tested each year. Whilst the audit evidence obtained in a prior year relating to the design of such controls may be relied upon (provided no changes to the design have been made), the evidence of its implementation AND operating effectiveness must be fresh each year.

¾

In general, the higher the risk of material misstatement, or the greater the reliance on the control, the higher the need for that control to be tested every year. Factors to consider include:

‰ the effectiveness of other elements of internal control, including the control environment, the entity’s monitoring of controls, and the entity’s risk assessment process;

‰ the risks arising from the characteristics of the control, including whether controls are manual or automated;

‰ the effectiveness of general IT-controls, if applicable;

‰ the effectiveness of the control and its application by the entity, including the nature and extent of deviations in the application of the control from tests of operating effectiveness in prior audits;

‰ whether the lack of a change in a particular control poses a risk due to changing circumstances;

‰ the risk of material misstatement and the extent of reliance on the control.

Example 1

Solution

¾

¾

¾

¾

2

SUBSTANTIVE TESTING

2.1

Aim

¾

Substantive procedures are those procedures that are performed in order to detect material misstatements at the assertion level and include:

‰ tests of detail of transactions ‰ tests of detail on account balances ‰ tests of detail on disclosures; and ‰ analytical review.

2.2

Approach

¾

Fully (100%) substantive procedures must be considered when:

‰ it will be more effective to use purely substantive procedures (e.g. low volume, high value items, often non-homogenous – non-current assets for example); ‰ the effectiveness of internal controls are not to be relied upon; or

‰ from testing controls they are found to be ineffective.

2.2.1

Nature

¾

Substantive analytical procedures are generally more applicable to large volumes of transactions that tend to be predictable over time, and are often used in conjunction with a strong control environment AND where audit evidence has been obtained from testing the effectiveness of controls (eg computer information systems). See Session 16

for further detail on substantive analytical review.

Illustration 2

After carrying out a risk assessment, an auditor decides that substantive tests of detail on an entity’s manual sales system are required as part of their procedures to reduce audit risk. Reliance cannot be placed on the effective operation of internal controls. Transaction tests carried out include:

‰ Agreeing a despatch entry in the inventory records to the despatch note and then through to a sales invoice.

‰ Agreeing details on the sales invoice including customer name,

address, unit prices, VAT and the arithmetical accuracy of the invoice. ‰ Agreeing that the invoice is correctly posted and analysed in the sales

day book (SDB) and agreeing the arithmetical accuracy of the SDB. ‰ Agreeing the correct posting of the day book to the general ledger.

¾

Effectively they are tests that trace a transaction through a system, for example to ensure that a despatch is correctly recorded as a sale or a purchase entry recorded in the daybook is supported by a purchase invoice, goods received note and purchase order.

¾

If no reliance is placed on controls, the level (ie sample size) of transaction testing will

be high. If reliance can be placed on controls, then the level of transaction testing will be lower. The auditor may assess that audit risk can be reduced to an acceptable level by reliance on controls and substantive analytical review, rather than transaction testing (as above).

¾

Tests of detail on balances (and disclosures) primarily deal with assets/liabilities and related assertions, eg existence, valuation, control. The assertions and approach to tests of detail are covered in Session 15.

2.2.2

Timing

¾

Substantive procedures may be carried out at an earlier date than the entity’s year end and the final audit, i.e. at an interim audit. If carried out at an interim date, further tests must be carried out to cover the remaining period. These tests (substantive and/or tests of control) must be sufficient to ensure that the risk of misstatement does not increase during this period.

¾

Unlike tests of control, where prior year audit evidence may be relied upon under certain circumstances, prior year substantive evidence will be insufficient to address a risk of material misstatement in the current period.

2.2.3

Extent

¾

For any one substantive procedure, the extent of testing usually relates to sample sizes, e.g. increase the extent means increasing the sample size. However:

‰ selecting large (eg material) or unusual items from a population, or

‰ stratifying the population into homogeneous subpopulations for sampling are also appropriate ways of considering the extent of substantive procedures.

¾

It is not unusual in many substantive testing approaches that all items greater than the materiality level (or a ‘tolerable error’, e.g. 50% of the materiality level) are selected for testing. If an error is found, then that error is likely to be material to the financial statement assertions.

2.3

Hybrid approach

¾

In some cases, a single test approach can achieve both the control and substantive objective at the same time.

Illustration 3

¾

The auditor decides to place reliance on internal controls in a sales system and determines the sample sizes as 30 for control testing and 30 for transaction testing. Without reliance on controls, a sample size of 60 would be appropriate.

¾

Rather than using two separate samples, the auditor decides to use one sample to cover the transaction testing and control testing as appropriate. Those controls that cannot be tested during the transaction testing will be covered by separate tests.

¾

The transaction is recognised by issue of inventory resulting in a despatch document, sales invoice, sales day book entry, ledger entries. 30 inventory issues are selected (throughout the year) and traced through the system to the general ledger.

¾

At the various stages of the sales system where controls have been identified for testing, control testing is also carried out.

¾

For example, the control of sales invoice authorisation requires that the sales manager has agreed the details to the authorised despatch note, the sales price and discounts to the sales customer data-base, checked the VAT and cross cast the invoice. The manager then signs all copies of the

invoice.

¾

As part of the transaction test, each invoice for all of the above sample would have been substantiated by the auditor (inventory issue to despatch note, despatch note to sales invoice, other details on invoice to supporting evidence, calculations and casting). Thus they have effectively

¾

If invoices were found that did not have the manager’s signature on them AND the auditor concludes (after further investigation) that the control cannot be relied upon (eg no alternative control), an additional 30

inventory despatch items would be selected for further transaction testing.

¾

Every month a reconciliation is carried out between the control account and sales ledger account. This does not form part of the sales system transaction testing, thus testing this control would be dealt with separately.

3

REPORTING WEAKNESSES TO MANAGEMENT

3.1

Management letters

¾

Under the terms of a standard engagement letter (see Session 5) the auditor is required to inform management of any material weaknesses in the design or implementation of internal control relating to financial reporting that came to their attention during their audit.

¾

They are also required, under ISA 260 Communications of Audit Matters with Those Charged with Governance and most corporate governance codes, to discuss such matters with those charged with governance, eg the audit committee. The primary form of doing so is the management letter (sometimes referred to as a letter of weakness, internal control memoranda, letters of recommendation, constructive service letters or post-audit letters).

¾

Apart from dealing with control weaknesses, the management letter may also be used to:

‰ provide constructive advice on business systems, risk systems and managing risk (eg through benchmarking client’s systems against expected norms as part of the auditor’s understanding the entity and environment);

‰ indicate areas in which audit efficiency could be improved and thereby reduce audit costs (eg extended use of CAATs, preparation of documents by the client);

‰ protect the firm against potential litigation by demonstrating that critical weaknesses had been identified and drawn to the attention of management.

3.2

Content

¾

The report must be clear, concise, constructive, and structured. It will usually consist of two elements:

‰ a covering letter; and

‰ supporting detail of the weaknesses, suggestions for corrective action and management response.

¾

The detail within the letter should not conflict with the opinion expressed within the audit report, eg matters within the report indicate that proper books and records have not been kept, yet the audit report is unqualified.

¾

The covering letter should contain statements that:

‰ accounting and internal control systems were considered only to the extent necessary to determine the auditing procedures (ie design/implementation plus effectiveness if deemed appropriate to obtain audit assurance) and not to determine the adequacy of internal control for management purposes or to provide assurance on the accounting and internal control systems;

‰ only weaknesses in internal control which have come to the auditor’s attention as a result of their audit procedures are included;

‰ other weaknesses in internal control not assessed by audit procedures may exist; ‰ the report is provided for use only by management (and those charged with

governance where necessary) in the context of the audit.

Example 2

As audit manager, what qualities would you look for when reviewing a letter of weakness drafted by an audit senior?

Solution

¾

¾

¾

¾

¾

¾

¾

3.3

Form and presentation of supporting detail

¾

The matters raised by the management letter may be within the body of the covering letter, or as a separate appendix. They will usually be prioritised, eg high risk first, lower risk following. They may also be categorised into audit sections (eg purchases, sales, inventory, receivables).

¾

Matters that have been raised in previous management letters, but have not yet been acted upon by management, should be dealt with in a separate section of the report. Care should be taken to ensure that such matters are still relevant and not considered irrelevant by management, eg not considered cost effective to implement

recommendation.

¾

A common structure of the recommendations covers:

‰ Explanation/details – The description of each weaknesses is concise but specific, and the extent of the error quantified if possible.

‰ Consequence/impact – Expressed in terms of the financial statements (e.g. they could contain errors), and/or the business’s assets (e.g. financial loss may result). Care must be taken not to imply that the errors are already there, but were not found, or that any employee has taken advantage of the weakness.

‰ Recommendation – How each problem could be overcome. Must be practical, beneficial and cost-effective to encourage management to adopt them.

‰ Management response– If points already raised with client, include action agreed. Otherwise, request reply to points raised.

¾

All matters raised should normally be in writing. However, if a written report is

considered unnecessary, inappropriate or not cost effective (eg only one matter of note), the matter should be discussed with the client and fully recorded as audit evidence within the working papers. Ideally, a copy of the note should be sent to the client for confirmation and response.

3.4

Follow up

¾

Once issued, the management response should be obtained as quickly as possible and assessed for its impact on the next stage of the audit, eg will recommendations be implemented before the year end and final audits.

Example 3

You are the auditor of Homecontrols, a company which manufactures components for domestic appliances. The company operates a perpetual inventory system and also performs quarterly physical inventory counts, amending the perpetual inventory records where appropriate to reflect actual quantities counted.

During your interim visit you review the results of the last physical count. It appears that a number of high value items included in the records were not in inventory. Also, returns from customers are added into physical inventory but are not recorded in the perpetual inventory records.

Required:

State the points which you would make in your report to management in respect of these matters and comment on their possible impact on your year-end audit work.

Solution

Weaknesses

¾

¾

Risks

¾

¾

¾

¾

Recommendations

¾

¾

¾

3.5

Interested third parties

¾

The auditor cannot disclose the detail of the management letter to any third party without the client’s consent as it is confidential information. A disclaimer/caveat would normally be placed within the report:

‰ report prepared for use by management (or other specific named party) ‰ written consent for auditor required for client to disclose to another party ‰ no responsibility to third parties.

3.6

Specimen letter

A, B & C Per. Schorwsa, 777 Oceanana, 030598 21 May 20XY The Board of Directors

Revup Automotives Rada Str, 56A Oceanana, 010145

Dear Sirs

20XY Audit

During our recent interim audit for the year ending 30 June 20XY, we examined the internal controls and procedures that your company has established to enable it to ensure, as far as possible, the accuracy and reliability of its financial records, safeguard its assets and achieve its business objectives.

As agreed at our meeting on 26 April 20XY and stated within our engagement letter of 1 August 20XX , we are writing to you in order to draw your attention to the weaknesses in internal control which have come to our notice during this examination, and to suggest ways in which the system could be improved. These matters are set out in the attached appendix.

It must be appreciated that the matters dealt with in this letter came to our notice during the conduct of our normal audit procedures which are designed primarily to enable us to express an independent opinion on the financial statements of the company. Consequently, our work did not encompass a detailed review of all aspects of the control system and cannot be relied upon necessarily to disclose all defalcations or other irregularities or to include all possible improvements in internal control. As confirmed in our meeting by the finance director and chief accountant, all of these matters have been discussed by us with them and they are in broad agreement with the recommendations made. This report has been prepared for the use of the board and audit committee of Revup Automotives, and no responsibility is accepted to third parties without our prior knowledge and agreement in writing. We look forward to hearing from you in due course regarding the future action that you intend to take.

Finally, we should like to take this opportunity to thank your staff for their co-operation during the course of the audit.

Yours faithfully A, B & C

Weakness

Impact

Recommendations

Hours worked by service employees

¾

The total hours worked by service

employees (including overtime) are not independently verified and authorised.

¾

Employees may be paid for work that

they have not done, eg by getting other employees to input their time card and code on arriving and leaving the premises.

¾

The service manager should review and authorise

the computer time schedules as an accurate record of time spent working by employees. He should also regularly review the security tapes of the employees inputting their time card and code to check for misuse, eg more than one card being used.

Goods received

¾

Goods received notes are not always

authorised to show that details have been agreed to purchase orders and that the quality of the goods has been checked.

¾

Financial loss would occur if, for

example, the goods received were not ordered or were not of the right quality. Using poor quality goods may result in customer claims against the firm. From our tests carried out, we estimate that 60% of goods received are not being agreed to purchase orders or physically checked.

¾

All goods received should be checked for quality

and agreement to the purchase orders. Any goods received note sent to accounts (to await the purchase invoice) should be returned to goods received department if not authorised or not in agreement with the copy purchase order already held by accounts. The financial accountant should follow up any such instances.

Data security

¾

There is no access security for the computer

terminals in the wages department.

¾

Because the password facility has been disabled, anybody can access the system without authority and, for example, change or corrupt data, eg add non-existent employees or increase wage rates.

¾

Whilst our tests did not find any errors, the

password system should be activated immediately. Although users find it difficult to remember their passwords (they should not write it down or use easily connected elements eg date of birth) the risk of data corruption data and financial loss is too high.

¾

The current data held on the system should be

4

EXAM SKILLS

4.1

Effectiveness of controls

5 KEY SKILLS

Specify control objectives

¾

To ensure that

... something good

happens/ something bad does not

Key words ⇒

CAVe Specify control activities

¾

Control environment

¾

Risk assessment procedures

¾

Information systems

¾

Monitoring Suggest tests of controls

¾

“Ideas list”

– inquire – observe – inspect – reperform – test Identify control weaknesses

¾

Deficiencies in control components Make recommendations

¾

Be specific

– Who? – What? – When

Illustration 3

Consider the sales cycle. Identify the overall control objective (that all goods despatched are correctly recorded in the general ledger) break down transaction into components, i.e. the flow of documentation, and ask “what could go wrong?” – that is, what would be an appropriate control objective for that element (eg to ensure that goods cannot be despatched without the correct authorisation)? Effectively, devise control objectives at each stage.

Customer order

Sales order

Despatch note

Sales day book General ledger

Dr SLC a/c Cr Sales

Can goods be despatched without authorisation?

Can invoices be raised but not recorded?

Can goods be despatched or charged to the wrong customer? Can invoices be raised

when no goods despatched?

Invoice Can goods be despatched _{but not invoiced?}

Receivables ledger

Then ask yourself what control activities need to be in place to achieve the control objective, e.g. authorisation, completeness checks, reconciliations, analytical review, pre-numbering of documents, segregation of duties, etc.

¾

In the examination, be prepared for a ‘practical theory’ question, where you are presented with a scenario and have to identify internal control weaknesses. Basically place the ideal “framework” over the scenario and identify the errors/gaps.

¾

Ensure you fully understand the difference between the control objective (eg what does the control aim to achieve … to ensure that ….) and the control activities (eg what actions have to take place to ensure the objective is achieved).

Example 4

Break down the purchases cycle into components and generate four key control questions.

4.2

Transaction testing

¾

Remember that a transaction test is a substantive procedure, not a control procedure. Whilst, as with control testing, it is necessary to identify the accounting system and the documents generated by the system, transaction testing deals with the flow of data through the system and not the controls over the system (eg the data on a sales invoice and not the authorisation control).

Illustration 4

Consider sales transactions. Identify the overall audit objective (as above). Break down the transaction into components and documents produced.

Customer order

Sales order

Despatch note

Sales day book General ledger

Dr SLC a/c Cr Sales

Invoice

Receivables ledger

¾

Assertions and the approach to the audit of balances and disclosures are covered in

Session 15.

FOCUS

You should now be able to:

¾

explain the importance of internal controls to auditors;

¾

explain how auditors identify weaknesses in internal control systems and how those weaknesses limit the extent of auditors reliance on those systems;

¾

discuss the difference between tests of control and substantive procedures;

¾

explain, analyse and provide examples of internal control procedures and control

activities;

¾

explain and tabulate tests of control suitable for inclusion in audit working papers;

¾

analyse the limitations of internal control components in the context of fraud and error;

¾

explain the need to modify the audit strategy and audit plan following the results of

tests of control;

EXAMPLE SOLUTION

Solution 1 — Prior period audit evidence

¾

A weak control environment.

¾

Weak monitoring of controls.

¾

A significant manual element to the relevant controls.

¾

Personnel changes that significantly affect the application of the control.

¾

Changing circumstances that indicate the need for changes in the control.

¾

Weak general IT-controls.

Solution 2 — Qualities

¾

Timeliness – as soon as possible after completion of audit procedures.

¾

Use of specific examples to illustrate weaknesses/deficiencies.

¾

Clear explanations of implications/risks.

¾

Commercial awareness of the client’s expectations.

¾

Practicable recommendations for improvements.

¾

Inclusion of prior year points not actioned, suitably amended.

¾

Clear, constructive and concise.

¾

Careful presentation (e.g. “tiered”’ structure).

¾

Factual accuracy.

¾

Evidence of discussion (e.g. inclusion of client’s comments).

¾

No remarks of a personal nature.

Solution 3 — Management letter points

Weaknesses

¾

Authorised inventory movements (e.g. customer returns) may not be recorded.

¾

Possibility of unauthorised inventory movements/misappropriation/theft.

Risks

¾

Records unreliable for year-end inventory figures.

¾

Management decisions (e.g. to place orders/make sales) are based on unreliable figures.

¾

Receivables will be overstated if returns not accounted for.

¾

Unexplained inventory losses represent financial loss.

Recommendations

¾

Improve physical security (e.g. with gate controls).

¾

All movements to be accompanied by sequentially numbered document.

Impact on year-end audit

¾

Reliance to be placed on perpetual inventory records reduced (if any).

¾

Inventory count results more important – attend and increase number of test counts.

¾

Differences between perpetual inventory records and physical results to be

investigated/resolved.

¾

Inventory losses to be identified and properly accounted for.

Solution 4 — Purchases cycle

Purchase requisition

Purchase order

Goods received note

Purchase day book General ledger

Dr Purchases Cr PLC a/c

Can goods be ordered without authorisation?

Can a liability be raised for the wrong supplier? Can goods be received

without a liability being

raised? Invoice

Can a liability be recorded for the wrong amount?

Payables ledger Can goods be received

without authorisation?