Expense Purchases
09:38:29 04/12/2015
Introduction
Last updated 21 August 2004
Purpose
The purpose of this spreadsheet is to show typical risks, expected controls and
example tests for processes related to the purchasing and payment of expense goods
and services (excluding personal expenses).
Full details of how to complete and use the database are in the manual which can be downloaded from www.internalau
Worksheets
There are 7 worksheets in this spreadsheet:
Introduction
Scope
Copyright D M Griffiths
Process map
Expense purchases database
Column key
Scoring risks
Allocating conclusions
Language
I have used UK English for the risk register. Variations from US English include:
Supplier = Vendor
Purchase = Procure
Cheque = Check
I have used the term "accounts payable" for purchase ledger, since this is now common
in the UK.
All sheets copyright David M Griffiths
Not to be copied or distributed without acknowledging the author, or in conjunction with
a commercial product
If appropriate, meet the external auditors and any other parties with an interest in the
processes being audited
Meet with staff at all levels to understand their responsibilities and concerns
Visit all locations which affect the risks involved (warehouses, factories, outsource
suppliers)
Carry out walkthrough tests to understand the processes involved, including monitoring
controls
Understand the changes made since the last audit
Obtain relevant risk registers, noting when they were last updated
Carry out interviews and risk workshops, as necessary, to ensure all risks have been
identified
Add to the risks in the risk register
Score the inherent risks, according to the risk appetite of the organisation, which have
been approved by the board. (Examples are shown in the "Scoring risks" worksheet)
Carry out the tests necessary to confirm that the controls are operating properly
Score the residual risks, according to the risk appetite of the organisation, which have
been approved by the board. (Examples are shown in the "Scoring risks" worksheet)
Draw conclusions as to whether each risk is properly controlled (see the example)
Submit a report
[Process map]
Purchase expense goods: Define objectives, Set up suppliers, Requisition goods and services, Place order, Receive goods
Support purchase expense goods
Risks shown on the map:
The order is placed with a supplier not providing the best value
The order is incorrect
Audit database
L1
L2
L3
L4
L5
L Ref
Process
Process Description
Risk to process
2 4.5
Purchase expense
goods
(Summary level)
3 4.5.1
Define objectives
(Summary level)
4 4.5.1.1
4 4.5.1.1
4 4.5.1.2
4 4.5.1.3
4 4.5.1.3
4 4.5.1.3
Risk source
IRC IRL
Example monitoring
Tests
Ref
RRC
RRL
RRS
Cont score
Issue
Action
By whom
Not applicable
Example control: Individuals are given their targets based on those of the department
Example monitoring: Directors, or senior managers, check the staff targets for departments under their control
Tests: Examine staff targets for a selection of staff
Not applicable
Not applicable
4 4.5.1.3
Not applicable
3 4.5.2
Set up Suppliers
Not applicable
3 4.5.2
Set up Suppliers
Not applicable
3 4.5.2
Set up Suppliers
Not applicable
3 4.5.4
Departments requisition
goods/services
Not applicable
3 4.5.4
Departments requisition
goods/services
Not applicable
3 4.5.5
Not applicable
3 4.5.5
Not applicable
3 4.5.5
Example control: Orders can only be placed with suppliers previously set up on the computer
Example monitoring: Half-yearly report listing suppliers and spend which is approved by the Purchasing Director
Not applicable
3 4.5.5
Not applicable
3 4.5.5
Not applicable
3 4.5.5
Not applicable
3 4.5.6
3 4.5.7
Goods/services received.
Quantity received input
Not applicable
3 4.5.7
Goods/services received.
Quantity received input
Not applicable
3 4.5.7
Goods/services received.
Quantity received input
Not applicable
3 4.5.7
Goods/services received.
Quantity received input
Example control: Automatic update with exception reports where this has not occurred
Example monitoring: Periodic physical checks to stock records
Not applicable
3 4.5.7
Goods/services received.
Quantity received input
Not applicable
3 4.5.7
Goods/services received.
Date of receipt input
No formal monitoring
Not applicable
3 4.5.7
Goods/services received.
Date of receipt input
Example monitoring: Requisitioner will complain if goods are not received
Tests: Visit the receiving area. Check security and observe the receipt of goods.
Not applicable
3 4.5.8
Goods/services returned
Example monitoring: Requisitioner will complain if credit is not received
Tests: Take a sample of Goods Returned Notes and check that the correct credit has been received
Not applicable
3 4.5.8
Support purchasing of
expenses
4 4.5.8.1
1 5
2 5
3 5
3 5
David M Griffiths
Not applicable
Not applicable
Not applicable
(Summary level)
Not applicable
Not applicable
(Summary level)
Not applicable
Not applicable
Not applicable
Not applicable
Example control: Individuals are given their targets based on those of the department
Example monitoring: Directors, or senior managers, check the staff targets for departments under their control
Tests: Examine staff targets for a selection of staff
Not applicable
3 5
Not applicable
3 5
Not applicable
Report ref
Follow-up Risks
Follow-up Controls
Follow-up Action
Follow-up Monitoring
4 4.5.8.2
Process transactions
Process Description: Receive an invoice from the Supplier for the goods and services supplied. If it has an order number, match it on the computer system against the receipt and order, for quantity and price. Differences outside a pre-defined tolerance are held and cleared by purchasing. Invoices with no order have to have senior management authorisation.
Risk to process: Invoice input against incorrect supplier
Process Description: Receive an invoice from the Supplier for the goods and
Risk to process: Incorrect values input
Not applicable
Example monitoring: Monthly check, by management, of the report showing invoices held in query. Follow-up of invoices over one month old
Tests: Examine the query report to ensure no queries are outstanding for an excessive period of time, and that all are being actively pursued
Not applicable
Not applicable
Not applicable
Example control: Where the invoice is matched to an order the computer will not allow the input of another invoice. If copy invoices are received, where no orders exist, they are checked to the supplier account before processing. The computer will not accept duplicate invoice numbers
Example monitoring: Budget holders should check the actual expenditure against their budget each month
Tests: Examine transactions which correct mis-postings
Not applicable
Not applicable
Not applicable
Not applicable
Example control: Computer payments can only be made against invoices matched to orders, or authorised invoices. Payments can only be generated by staff who do not have access to order, invoice or supplier master data input. Manual payments cheques must be supported by the cheque requisition and signed by two senior managers
Example monitoring: Budget holders should check the actual expenditure against their budget each month
Tests: Check a sample of cheque requisitions, to ensure this type of transaction should have been used (that is no invoice is available) and it was properly approved. Check that the item being paid for is genuine
Not applicable
Example control: Computer payments can only be made against invoices matched to orders, or authorised invoices. Payments can only be generated by staff who do not have access to order, invoice or supplier master data input. Manual payments cheques must be supported by the original invoices and signed by two senior managers
Example monitoring: Budget holders should check the actual expenditure against their budget each month
Tests: Check a sample of payments taken from the cash sheets to prove that the goods/services paid for were received
Not applicable
Example control: Payment terms are set up on the supplier account. They can only be changed on written instructions for a buyer. Settlement discount can be overridden for a specific order, but only a manager
Example monitoring: Payment terms are checked by buyers every 6 months
Tests: For the sample of payments used in the above test, check that the correct settlement discount has been taken
Not applicable
Example control: Payment terms are set up on the supplier account. They can only be changed on written instructions for a buyer
Example monitoring: Payment terms are checked by buyers every 6 months
Tests: For the sample of payments used in the above test, check that the payment was made on the correct date
Not applicable
Example control: Cheques are kept in a locked cupboard to prevent theft and subsequent forgery. Overseas payment instructions are signed by two directors. The bank has instructions to telephone the Chief Financial Officer if payments are over an agreed amount.
Example monitoring: Bank reconciliation will detect payments made not correctly entered in the books of account
Not applicable
Example control: Cheque signing signatures are embossed. Cheques are printed by specialist printers with the latest security features
Example monitoring: Bank reconciliation will detect payments made not correctly entered in the books of account
Not applicable
Not applicable
Not applicable
6 5 4.5.8.2.6
Process: Accounts Payable month-end processes
Process Description: In order to compile month-end accounts, the value of goods received not invoiced is calculated by the computer, from unmatched receipts. Checks are made to ensure all services received, but not invoiced, are also accrued. To ensure details have been correctly passed from the accounts payable system to the general ledger, the total of the accounts payable ledger is reconciled to the accounts payable control account in
7 5 4.5.8.2.7
Process: Manage the accounts payable ledger
Process Description: Ensure the accounts payable ledger is correctly updated, properly represents amounts owed to creditors and is correctly included in the accounts of the organisation
4 4.5.8.3
Process: Provide systems
Process Description: Provide systems, including computer systems, to support the organisation's operations
1 5 4.5.8.3.1
Process: Maintain central systems
Process Description: The proper operation of applications is maintained by a central IT department
Not applicable
Not applicable
Not applicable
Not applicable
Not applicable
n/a
Not applicable
Not applicable
Example monitoring: IT management should monitor system reports
Tests: Ensure data is backed-up - try retrieving yesterday's files. If a stand-alone computer, check back-up to discs
(Summary level)
Not applicable
4 4.5.8.4
4 4.5.8.5
4
4
5
5
8
8
6
6
4 4.5.8.7
10
12
Ensure security
12
Process: Prepare management accounts
Process Description: Collect the data from processed transactions into accounts for management to make decisions
Process: Prepare financial accounts
Process Description: Collect the data from processed transactions into accounts for statutory or tax purposes
(Summary level)
Staff competencies required have not been identified
and approved
Process Description: Targets are set for staff with regular appraisals in accordance with policy
Risk to process: Actual competencies of the staff have not been matched with required competencies
Process Description: Staff are trained in order to achieve their targets with maximum effectiveness and efficiency, within the ethical guidelines
Risk to process: Training is not provided, or is inadequate. For example it omits ethical guidance
Not applicable
Example control: A user guide has been written and independently tested after each revision
Example monitoring: Manager holds a copy
Not applicable
Not applicable
Not applicable
Not applicable
Not applicable
Not applicable
Example control: Training is provided when taking on new responsibilities and during a job, to ensure the staff member understands how to do the job and the controls which must operate at all times
Example monitoring: Managers monitor the training their staff receive to ensure it is appropriate
Tests: Check training materials. Ask staff who have recently changed jobs about their training
Not applicable
Not applicable
Not applicable
Not applicable
Not applicable
4 4.5.8.8
Not applicable
4 4.5.8.9
Example control: Audit of suppliers to ensure they understand health and safety legislation. Orders and contracts contain clause to ensure suppliers comply with regulations
Example monitoring: Qualified staff check suppliers working
Not applicable
Not applicable
(Summary level)
12
12
13
4 4.5.8.13 Communicate
Example control: A documented ethical policy, which includes purchasing policy
Example monitoring: The Ethical Committee ensures a complete policy is communicated to all stakeholders
Tests: Examine the policy and check specifically for purchasing policy
14
14
Example monitoring: Internal Audit maintain the risk register, and ensure each function provides a list of scored risks with controls
Tests: Examine processes to set up the risk register and examine the register. Ensure all types of risk, including external risks, have been considered
Not applicable
14
Example monitoring: Internal Audit maintain the risk register, and ensure each function provides a list of scored risks with controls
Tests: Examine the process which scores the risks
Not applicable
14
Process Description: For all risks, decide on a cost-effective control to reduce the risk to the risk appetite of the organisation
Risk to process: Significant risks are not controlled
Example monitoring: Internal Audit maintain the risk register, and ensure each function provides a list of scored risks with controls
Tests: Check controls as part of the audit
Not applicable
Not applicable
Example control: All buildings have entry restricted by card operated gates
Example monitoring: Periodic audits, by security department, of the access to buildings
Not applicable
Not applicable
(Summary level)
expense purchasing
processes
Not applicable
Not applicable
Not applicable
Column key:
L1
L2
L3
L4
L5
L
Ref
Process
Process Description
Risk to process
Risk source
IRC
IRL
IRS
Example control
Example monitoring
Tests
Ref
RRC
RRL
RRS
Cont score
Issue
Action
By whom
Conclusion Risks
Conclusion Controls
Conclusion Action
Conclusion Monitoring
Report ref
Follow-up Risks
Follow-up Controls
Follow-up Action
Follow-up Monitoring
Conclusion on the adequacy of processes to monitor the correct operation of controls from the
last follow-up audit (see "Allocating conclusions" worksheet)
[Scoring risks: risk-scoring matrices on a 1 to 3 scale and a 1 to 5 scale. Ratings on the 1 to 3 scale: High (3), Medium (2), Low (1). Likelihood ratings on the 1 to 5 scale include Rare (1), Unlikely (2), Possible (3) and Almost certain; the other axis runs Insignificant (1), Minor (2), Moderate (3), Major (4), Catastrophic (5). Each cell holds a score graded Acceptable, Supplementary Issue, Issue or Unacceptable.]
Allocating conclusions (residual risk)
Criteria:
Risks have been identified, evaluated and managed
Current levels of monitoring are sufficient: no more monitoring is necessary than is done at present
Inadequate, or no, processes have been used
No action is being taken, OR insufficient action is being taken to mitigate risks
Major improvements are required to the monitoring of controls
Grading by score:
Acceptable (colour: green): Score 0, 1, 2 or 3 on the 1 to 3 scale; Score =<8 on the 1 to 5 scale. Report as: Supplementary issue, if cost effective controls can reduce the risk further, otherwise do not report
Issue (colour: amber): Score 4 (possibly 3) on the 1 to 3 scale; Score >9 <14 on the 1 to 5 scale. Report as: Key issue
Unacceptable (colour: red): Score 6 or 9 on the 1 to 3 scale; Score >14 on the 1 to 5 scale. Report as: Key issue