Auditing Standard No. 2

An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements

Example B-1 - Daily Programmed Application Control and Daily Information Technology-Dependent Manual Control

The auditor has determined that cash and accounts receivable are significant accounts to the audit of XYZ Company's internal control over financial reporting.  Based on discussions with company personnel and review of company documentation, the auditor learned that the company had the following procedures in place to account for cash received in the lockbox:

1. The company receives a download of cash receipts from the banks.
2. The information technology system applies cash received in the lockbox to individual customer accounts.
3. Any cash received in the lockbox and not applied to a customer's account is listed on an exception report (Unapplied Cash Exception Report).
   • Therefore, the application of cash to a customer's account is a programmed application control, while the review and follow-up of unapplied cash from the exception report is a manual control.

To determine whether misstatements in cash (existence assertion) and accounts receivable (existence, valuation, and completeness) would be prevented or detected on a timely basis, the auditor decided to test the controls provided by the system in the daily reconciliation of lock box receipts to customer accounts, as well as the control over reviewing and resolving unapplied cash in the Unapplied Cash Exception Report.

Nature, Timing, and Extent of Procedures.   To test the programmed application control, the auditor:

• Identified, through discussion with company personnel, the software used to receive the download from the banks and to process the transactions and determined that the banks supply the download software.

  --	The company uses accounting software acquired from a third-party supplier.   The software consists of a number of modules.  The client modifies the software only for upgrades supplied by the supplier.

• Determined, through further discussion with company personnel, that the cash module operates the lockbox functionality and the posting of cash to the general ledger.  The accounts receivable module posts the cash to individual customer accounts and produces the Unapplied Cash Exception Report, a standard report supplied with the package.  The auditor agreed this information to the supplier's documentation.
• Identified, through discussions with company personnel and review of the supplier's documentation, the names, file sizes (in bytes), and locations of the executable files (programs) that operate the functionality under review.  The auditor then identified the compilation dates of these programs and agreed them to the original installation date of the application.
• Identified the objectives of the programs to be tested.  The auditor wanted to determine whether only appropriate cash items are posted to customers' accounts and matched to customer number, invoice number, amount, etc., and that there is a listing of inappropriate cash items (that is, any of the above items not matching) on the exception report. 

In addition, the auditor had evaluated and tested general computer controls, including program changes (for example, confirmation that no unauthorized changes are undertaken) and logical access (for example, data file access to the file downloaded from the banks and user access to the cash and accounts receivable modules) and concluded that they were operating effectively.

To determine whether such programmed controls were operating effectively, the auditor performed a walkthrough in the month of July.  The computer controls operate in a systematic manner, therefore, the auditor concluded that it was sufficient to perform a walkthrough for only the one item.  During the walkthrough, the auditor performed and documented the following items:

1. Selected one customer and agreed the amount billed to the customer to the cash received in the lockbox.
2. Agreed the total of the lockbox report to the posting of cash receipts in the general ledger.
3. Agreed the total of the cash receipt download from the bank to the lockbox report and supporting documentation.
4. Selected one customer's remittance and agreed amount posted to the customer's account in the accounts receivable subsidiary ledger. 

To test the detective control of review and follow up on the Daily Unapplied Cash Exception Report, the auditor:

1. Made inquiries of company personnel.  To understand the procedures in place to ensure that all unapplied items are resolved, the time frame in which such resolution takes place, and whether unapplied items are handled properly within the system, the auditor discussed these matters with the employee responsible for reviewing and resolving the Daily Unapplied Cash Exception Reports.  The auditor learned that, when items appear on the Daily-Unapplied Cash Exception Report, the employee must manually enter the correction into the system.  The employee typically performs the resolution procedures the next business day.  Items that typically appear on the Daily Unapplied Cash Exception Report relate to payments made by a customer without reference to an invoice number/purchase order number or to underpayments of an invoice due to quantity or pricing discrepancies.
2. Observed personnel performing the control.  The auditor then observed the employee reviewing and resolving a Daily Unapplied Cash Exception Report.  The day selected contained four exceptions - three related to payments made by a customer without an invoice number, and one related to an underpayment due to a pricing discrepancy.
   • For the pricing discrepancy, the employee determined, through discussions with a sales person, that the customer had been billed an incorrect price; a price break that the sales person had granted to the customer was not reflected on the customer's invoice.  The employee resolved the pricing discrepancy, determined which invoices were being paid, and entered a correction into the system to properly apply cash  to the customer's account and reduce accounts receivable and sales accounts for the amount of the price break.
3. Reperformed the control.  Finally, the auditor selected 25 Daily Unapplied Cash Exception Reports from the period January to September.  For the reports selected, the auditor reperformed the follow-up procedures that the employee performed.  For instance, the auditor inspected the documents and sources of information used in the follow-up and determined that the transaction was properly corrected in the system.  The auditor also scanned other Daily Unapplied Cash Exception Reports to determine that the control was performed throughout the period of intended reliance.

Because the tests of controls were performed at an interim date, the auditor had to determine whether there were any significant changes in the controls from interim to year-end.  Therefore, the auditor asked company personnel about the procedures in place at year-end.  Such procedures had not changed from the interim period, therefore, the auditor observed that the controls were still in place by scanning Daily Unapplied Cash Exception Reports to determine the control was performed on a timely basis during the period from September to year-end. 

Based on the auditor's procedures, the auditor concluded that the employee was clearing exceptions in a timely manner and that the control was operating effectively as of year-end. 

Example B-2 - Monthly Manual Reconciliation

The auditor determined that accounts receivable is a significant account to the audit of XYZ Company's internal control over financial reporting.  Through discussions with company personnel and review of company documentation, the auditor learned that company personnel reconcile the accounts receivable subsidiary ledger to the general ledger on a monthly basis.  To determine whether misstatements in accounts receivable (existence, valuation, and completeness) would be detected on a timely basis, the auditor decided to test the control provided by the monthly reconciliation process.

Nature, Timing, and Extent of Procedures.   The auditor tested the company's reconciliation control by selecting a sample of reconciliations based upon the number of accounts, the dollar value of the accounts, and the volume of transactions affecting the account.  Because the auditor considered all other receivable accounts immaterial, and because such accounts had only minimal transactions flowing through them, the auditor decided to test only the reconciliation for the trade accounts receivable account.  The auditor elected to perform the tests of controls over the reconciliation process in conjunction with the auditor's substantive procedures over the accounts receivable confirmation procedures, which were performed in July. 

To test the reconciliation process, the auditor:

1. Made inquiries of personnel performing the control.  The auditor asked the employee performing the reconciliation a number of questions, including the following:
   • What documentation describes the account reconciliation process?
   • How long have you been performing the reconciliation work?
   • What is the reconciliation process for resolving reconciling items?
   • How often are the reconciliations formally reviewed and signed off?
   • If significant issues or reconciliation problems are noticed, to whose attention do you bring them?
   • On average, how many reconciling items are there? 
   • How are old reconciling items treated?
   • If need be, how is the system corrected for reconciling items?
   • What is the general nature of these reconciling items?
2. Observed the employee performing the control.  The auditor observed the employee performing the reconciliation procedures.  For nonrecurring reconciling items, the auditor observed whether each item included a clear explanation as to its nature, the action that had been taken to resolve it, and whether it had been resolved on a timely basis. 
3. Reperformed the control.  Finally, the auditor inspected the reconciliations and reperfomed the reconciliation procedures.  For the May and July reconciliations, the auditor traced the reconciling amounts to the source documents on a test basis.  The only reconciling item that appeared on these reconciliations was cash received in the lockbox the previous day that had not been applied yet to the customer's account.  The auditor pursued the items in each month's reconciliation to determine that the reconciling item cleared the following business day.  The auditor also scanned through the file of all reconciliations prepared during the year and noted that they had been performed on a timely basis.  To determine that the company had not made significant changes in its reconciliation control procedures from interim to year-end, the auditor made inquiries of company personnel and determined that such procedures had not changed from interim to year-end.   Therefore, the auditor verified that controls were still in place by scanning the monthly account reconciliations to determine that the control was performed on a timely basis during the interim to year-end period.

Based on the auditor's procedures, the auditor concluded that the reconciliation control was operating effectively as of year-end.

Example B-3 - Daily Manual Preventive Control

The auditor determined that cash and accounts payable were significant accounts to the audit of the company's internal control over financial reporting.  Through discussions with company personnel, the auditor learned that company personnel make a cash disbursement only after they have matched the vendor invoice to the receiver and purchase order.  To determine whether misstatements in cash (existence) and accounts payable (existence, valuation, and completeness) would be prevented on a timely basis, the auditor tested the control over making a cash disbursement only after matching the invoice with the receiver and purchase.   

Nature, Timing, and Extent of Procedures.   On a haphazard basis, the auditor selected 25 disbursements from the cash disbursement registers from January through September.  In this example, the auditor deemed a test of 25 cash disbursement transactions an appropriate sample size because the auditor was testing a manual control performed as part of the routine processing of cash disbursement transactions through the system.  Furthermore, the auditor expected no errors based on the results of company-level tests performed earlier.  [If, however, the auditor had encountered a control exception, the auditor would have attempted to identify the root cause of the exception and tested an additional number of items.  If another control exception had been noted, the auditor would have decided that this control was not effective.  As a result, the auditor would have decided to increase the extent of substantive procedures to be performed in connection with the financial statement audit of the cash and accounts payable accounts.]

1. After obtaining the related voucher package, the auditor examined the invoice to see if it included the signature or initials of the accounts payable clerk, evidencing the clerk's performance of the matching control.  However, a signature on a voucher package to indicate signor approval does not necessarily mean that the person carefully reviewed it before signing.  The voucher package may have been signed based on only a cursory review, or without any review.
2. The auditor decided that the quality of the evidence regarding the effective operation of the control evidenced by a signature or initials was not sufficiently persuasive to ensure that the control operated effectively during the test period.   In order to obtain additional evidence, the auditor reperformed the matching control corresponding to the signature, which included examining the invoice to determine that (a) its items matched to the receiver and purchase order and (b) it was mathematically accurate. 

Because the auditor performed the tests of controls at an interim date, the auditor updated the testing through the end of the year (initial tests are through September to December) by asking the accounts payable clerk whether the control was still in place and operating effectively.  The auditor confirmed that understanding by performing a walkthrough of one transaction in December.

Based on the auditor's procedures, the auditor concluded that the control over making a cash disbursement only after matching the invoice with the receiver and purchase was operating effectively as of year-end. 

Example B-4 - Programmed Prevent Control and Weekly Information Technology-Dependent Manual Detective Control

The auditor determined that cash, accounts payable, and inventory were significant accounts to the audit of the company's internal control over financial reporting.  Through discussions with company personnel, the auditor learned that the company's computer system performs a three-way match of the receiver, purchase order, and invoice.  If there are any exceptions, the system produces a list of unmatched items that employees review and follow up on weekly. 

In this case, the computer match is a programmed application control, and the review and follow-up of the unmatched items report is a detective control.  To determine whether misstatements in cash (existence) and accounts payable/inventory (existence, valuation, and completeness) would be prevented or detected on a timely basis, the auditor decided to test the programmed application control of matching the receiver, purchase order, and invoice as well as the review and follow-up control over unmatched items.    

Nature, Timing, and Extent of Procedures.   To test the programmed application control, the auditor:

1. Identified, through discussion with company personnel, the software used to process receipts and purchase invoices.  The software used was a third-party package consisting of a number of modules.
2. Determined, through further discussion with company personnel, that they do not modify the core functionality of the software, but sometimes make personalized changes to reports to meet the changing needs of the business.  From previous experience with the company's information technology environment, the auditor believes that such changes are infrequent and that information technology process controls are well established.
3. Established, through further discussion, that the inventory module operated the receiving functionality, including the matching of receipts to open purchase orders.   Purchase invoices were processed in the accounts payable module, which matched them to an approved purchase order against which a valid receipt has been made.  That module also produced the Unmatched Items Report, a standard report supplied with the package to which the company has not made any modifications.  That information was agreed to the supplier's documentation and to documentation within the information technology department.
4. Identified, through discussions with the client and review of the supplier's documentation, the names, file sizes (in bytes), and locations of the executable files (programs) that operate the functionality under review.  The auditor then identified the compilation dates of the programs and agreed them to the original installation date of the application.  The compilation date of the report code was agreed to documentation held within the information technology department relating to the last change made to that report (a change in formatting).
5. Identified the objectives of the programs to be tested.  The auditor wanted to determine whether appropriate items are received (for example, match a valid purchase order), appropriate purchase invoices are posted (for example, match a valid receipt and purchase order, non-duplicate reference numbers) and unmatched items (for example, receipts, orders or invoices) are listed on the exception report.  The auditor then reperformed all those variations in the packages on a test-of-one basis to determine that the programs operated as described.

In addition, the auditor had evaluated and tested general computer controls, including program changes (for example, confirmation that no unauthorized changes are undertaken to the functionality and that changes to reports are appropriately authorized, tested, and approved before being applied) and logical access (for example, user access to the inventory and accounts payable modules and access to the area on the system where report code is maintained), and concluded that they were operating effectively.  (Since the computer is deemed to operate in a systematic manner, the auditor concluded that it was sufficient to perform a walkthrough for only the one item.)  

To determine whether the programmed control was operating effectively, the auditor performed a walkthrough in the month of July.  As a result of the walkthrough, the auditor performed and documented the following items:

1. Receiving cannot record the receipt of goods without matching the receipt to a purchase order on the system.  The auditor tested that control by attempting to record the receipt of goods into the system without a purchase order.  However, the system did not allow the auditor to do that.  Rather, the system produced an error message stating that the goods could not be recorded as received without an active purchase order. 
2. An invoice will not be paid unless the system can match the receipt and vendor invoice to an approved purchase order.  The auditor tested that control by attempting to approve an invoice for payment in the system.  The system did not allow the auditor to do that.  Rather, it produced an error message indicating that invoices could not be paid without an active purchase order and receiver.
3. The system disallows the processing of invoices with identical vendor and identical invoice numbers.  In addition, the system will not allow two invoices to be processed against the same purchase order unless the sum of the invoices is less than the amount approved on the purchase order.  The auditor tested that control by attempting to process duplicate invoices.  However, the system produced an error message indicating that the invoice had already been processed. 
4. The system compares the invoice amounts to the purchase order.  If there are differences in quantity/extended price, and such differences fall outside a pre-approved tolerance, the system does not allow the invoice to be processed.  The auditor tested that control by attempting to process an invoice that had quantity/price differences outside the tolerance level of 10 pieces, or $1,000.   The system produced an error message indicating that the invoice could not be processed because of such differences. 
5. The system processes payments only for vendors established in the vendor master file.  The auditor tested that control by attempting to process an invoice for a vendor that was not established in the vendor master file.  However, the system did not allow the payment to be processed.
6. The auditor tested user access to the vendor file and whether such users can make modifications to such file by attempting to access and make changes to the vendor tables.  However, the system did not allow the auditor to perform that function and produced an error message stating that the user was not authorized to perform that function. 
7. The auditor verified the completeness and accuracy of the Unmatched Items Report by verifying that one unmatched item was on the report and one matched item was not on the report. 

   Note: It is inadvisable for the auditor to have uncontrolled access to the company's systems in his or her attempts described above to record the receipt of goods without a purchase order, approve an invoice for payment, process duplicate invoices, etc.  These procedures ordinarily are performed in the presence of appropriate company personnel so that they can be notified immediately of any breach to their systems.

To test the detect control of review and follow up on the Unmatched Items Report, the auditor performed the following procedures in the month of July for the period January to July:

1. Made inquiries of company personnel.  To gain an understanding of the procedures in place to ensure that all unmatched items are followed-up properly and that corrections are made on a timely basis, the auditor made inquiries of the employee who follows up on the weekly-unmatched items reports.  On a weekly basis, the control required the employee to review the Unmatched Items Report to determine why items appear on it.  The employee's review includes proper follow-up on items, including determining whether:
   • All open purchase orders are either closed or voided within an acceptable amount of time.
   • The requesting party is notified periodically of the status of the purchase order and the reason for its current status.
   • The reason the purchase order remains open is due to incomplete shipment of goods and, if so, whether the vendor has been notified.
   • There are quantity problems that should be discussed with purchasing.
2. Observed the performance of the control.  The auditor observed the employee performing the control for the Unmatched Items Reports generated during the first week in July.
3. Reperformed the control.  The auditor selected five weekly Unmatched Items Reports, selected several items from each, and reperformed the procedures that the employee performed.  The auditor also scanned other Unmatched Items Reports to determine that the control was performed throughout the period of intended reliance.

To determine that the company had not made significant changes in their controls from interim to year-end, the auditor discussed with company personnel the procedures in place for making such changes.  Since the procedures had not changed from interim to year-end, the auditor observed that the controls were still in place by scanning the weekly Unmatched Items Reports to determine that the control was performed on a timely basis during the interim to year-end period.

Based on the auditor's procedures, the auditor concluded that the employee was clearing exceptions in a timely manner and that the control was operating effectively as of year-end.