
Audit: Purchase of expense goods and services

09:38:29 04/12/2015

Audit: Purchasing and payment of expense goods and services

Introduction
Last updated 21 August 2004

Purpose
The purpose of this spreadsheet is to show typical risks, expected controls and example tests for processes related to the purchasing and payment of expense goods and services (excluding personal expenses).

Full details of how to complete and use the database are in the manual which can be downloaded from www.internalau

The database is not complete - it must be changed to suit your organisation


To see how this database fits into the audit universe, download the Risk and Audit
Database from www.internalaudit.biz
Auditing is not about carrying out tests taken from an audit programme, it is about understanding the objectives of the processes you are auditing, the risks which threaten them and the controls which actually operate to mitigate them.

The database (Audit programme)


The audit programme is in the form of an Excel database. It can be treated just like a
large "Word" table but can also be sorted and filtered.
The database covers those processes which might be involved in purchases and payments using a computerised system. Thus it covers not only ordering and invoice approval, but also staff management and computer controls.
Rows with processes which are split down into more detailed processes are coloured and do not have data in some columns.
The processes are only intended as an example. You must change them to those in your organisation.
If you construct audit databases please make them available to other auditors through
AuditNet (http://www.auditnet.org/)
For a full explanation of the content of the columns, go to the "Column key" worksheet

The example controls and monitoring


These examples are suggestions only. They cannot possibly apply to every size of organisation which might use this database. You must decide on the controls which mitigate the risks to acceptable levels in your organisation.
Remember that the examples are general and therefore rather vague. Your entries should be much more specific, in particular noting the names of staff carrying out the checks.

Worksheets
There are 7 worksheets in this spreadsheet:
Introduction
Scope

Process map
Expense purchases database
Column key
Scoring risks
Allocating conclusions

Language
I have used UK English for the risk register. Variations from US English include:
Supplier = Vendor
Purchase = Procure
Cheque = Check
I have used the term "accounts payable" for purchase ledger, since this is now common
in the UK.
All sheets copyright David M Griffiths
Not to be copied or distributed without acknowledging the author, or in conjunction with
a commercial product


Audit: Purchasing and payment of expense goods and services

Scope of the audit


Reasons for the audit
The organisation's risk analysis has identified significant risks to its objectives from the processes involved in the purchase of expense goods and services. The audit will conclude on whether:
Risks threatening the objectives of the processes have been properly identified, evaluated and managed.
Internal controls are operating properly to mitigate these risks to levels defined as acceptable by board policy.
Action is being taken to improve controls, where risks are not being properly mitigated.
More monitoring, by management, is necessary to ensure proper internal controls into the future.
A sound system of internal control is maintained for the processes audited.

Objectives of the processes being audited


The overall objective of the process (4.5) is to purchase expense goods and services for
the organisation. (That is goods which are not for resale)
The processes covered by this audit are:
Define the objectives for purchasing expenses
Set up suppliers on the computer file
Set up items for purchase on the computer file
Raising requisitions
Raising orders
Receive goods/services
Returning of unsatisfactory goods
In addition, the following support functions are covered:
Invoice processing
Payment to suppliers
Accounting for expense purchases

Key risks of the processes being audited


Expense goods/services requested are not needed or are not for the benefit of the
company
Orders are placed with suppliers who do not provide best value (quality/price/delivery)
Payment is made for goods or services which have not been received
Transactions are not correctly entered in the books of account
The processes concerned are not operated efficiently and effectively

Audit work plan


In order to carry out this audit the auditors will:
Take into account any previous audits, noting particularly the issues raised
Obtain organisation charts, procedure manuals, training documentation and any other
documentation which should be being used by the departments involved in the audit
Obtain budgets, actual figures and any other relevant financial information

If appropriate, meet the external auditors and any other parties with an interest in the processes being audited
Meet with staff at all levels to understand their responsibilities and concerns
Visit all locations which affect the risks involved (warehouses, factories, outsource
suppliers)
Carry out walkthrough tests to understand the processes involved, including monitoring
controls
Understand the changes made since the last audit
Obtain relevant risk registers, noting when they were last updated
Carry out interviews and risk workshops, as necessary, to ensure all risks have been
identified
Add to the risks in the risk register
Score the inherent risks, according to the risk appetite of the organisation, which have
been approved by the board. (Examples are shown in the "Scoring risks" worksheet)
Carry out the tests necessary to confirm that the controls are operating properly
Score the residual risks, according to the risk appetite of the organisation, which have
been approved by the board. (Examples are shown in the "Scoring risks" worksheet)
Draw conclusions as to whether each risk is properly controlled (see the example)
Submit a report

Audit: Purchasing and payment of expense goods and services

Diagram of processes with key risks


This diagram shows the key processes for purchasing expenses and is the next level down from the risk register
Key risks are collected in the boxes, prior to putting them on the audit database
It is used to drive the main audit database

Process map diagram (process: key risks)
Purchase expense goods
Define objectives: The strategy is not consistent with the overall strategy; The strategy has not been communicated
Set up suppliers: Supplier of vital services/goods may go out of business; Supplier details are not correctly input/modified; New suppliers improperly set up
Set up items: Item details are not correctly input/modified
Requisition goods and services: The requisition may be for goods and services not required; The requisition may be incorrect
Place order: The order is placed with a supplier not providing the best value; The order is incorrect
Receive goods: Goods/services are not what was ordered; Incorrect quantities received are input
Return goods: Credit is not obtained for goods returned
Support purchase expense goods: Payment is made when goods/services have not been received; Settlement discount is not correctly deducted; Payment is not made on the due date
Audit: Purchasing and payment of expense goods and services

Audit database
Columns (see the "Column key" worksheet): L1, L2, L3, L4, L5, L Ref, Last follow-up results (date), Process, Process Description, Risk to process, Risk source, IRC, IRL, IRS, Example control, Example monitoring, Tests, Ref, RRC, RRL, RRS, Cont score, Issue, Action, By whom, Conclusion (Risks, Controls, Action, Monitoring)

Level 2, ref 4.5: Purchase expense goods
Process description: Purchase goods and services for the organisation
Risk to process: (Summary level)
Follow-up results: Not applicable

Level 3, ref 4.5.1: Define objectives
Process description: Define the strategy for expense purchases, communicate and deliver it
Risk to process: (Summary level)
Follow-up results: Not applicable

Level 4, ref 4.5.1.1: Define the strategy for expense purchasing
Process description: Set down targets for the year(s) ahead, for example, meeting the budget, improving staff efficiency, handling more orders
Risk to process: The strategy does not maximise efficiency and effectiveness and is not consistent with the organisation's strategy
Example control: The strategy for purchasing expense goods and services is updated each year, prior to setting targets and budgets for the areas concerned. These targets and budgets are approved by management finance.
Example monitoring: Directors check the strategy for departments under their control. The overall budget is approved by the board
Tests: Examine the latest strategy document. Check that the budget forms part of the organisation's overall budget. Examine variances for the current year and ensure adequate explanations have been made for excessive variances.
Follow-up results: Not applicable

Level 4, ref 4.5.1.1: Define the strategy for expense purchasing
Process description: as above
Risk to process: The strategy has not been updated
Example control: The strategy for purchasing expense goods and services is updated each year, prior to setting targets and budgets for the areas concerned
Example monitoring: Directors check the strategy for departments under their control
Tests: Examine the latest strategy document
Follow-up results: Not applicable

Level 4, ref 4.5.1.2: Communicate the strategy
Process description: Inform the staff about the targets
Risk to process: Staff are unaware of the strategy
Example control: Staff are briefed by their managers
Example monitoring: The strategy is available on notice boards and the intranet
Tests: Ask staff to confirm they have been briefed. Determine the date of the briefing and attendees
Follow-up results: Not applicable

Level 4, ref 4.5.1.3: Deliver the strategy
Process description: Form an action plan, with the staff involved, to deliver the strategy
Risk to process: No action plan exists to deliver the strategy
Example control: An action plan to deliver the strategy is part of the budgeting process
Example monitoring: Directors check the action plan for departments under their control
Tests: Examine the action plan. Check for progress to implement it.
Follow-up results: Not applicable

Level 4, ref 4.5.1.3: Deliver the strategy
Process description: as above
Risk to process: The strategy is not built into individuals' targets
Example control: Individuals are given their targets based on those of the department
Example monitoring: Directors, or senior managers, check the staff targets for departments under their control
Tests: Examine staff targets for a selection of staff
Follow-up results: Not applicable

Level 4, ref 4.5.1.3: Deliver the strategy
Process description: as above
Risk to process: Any member of staff can authorise the purchase of any goods or services
Example control: Rights to place requisitions and orders are in a written policy
Example monitoring: The policy is checked every year to ensure it is correct
Tests: Examine the policy. Check it is up-to-date, appropriate staff have a copy and know how to use it. As part of other tests, ensure adherence to the policy
Follow-up results: Not applicable

Level 4, ref 4.5.1.3: Deliver the strategy
Process description: as above
Risk to process: Any member of staff can requisition any goods or services
Example control: Rights to authorise requisitions and orders are in a written policy
Example monitoring: The policy is checked every year to ensure it is correct
Tests: Examine the policy. Check it is up-to-date, appropriate staff have a copy and know how to use it. As part of other tests, ensure adherence to the policy
Follow-up results: Not applicable

Level 3, ref 4.5.2: Set up Suppliers
Process description: Set up new Suppliers on the computer system, or modify existing details. Includes addresses and payment terms
Risk to process: Supplier details are not correctly input/modified
Example control: Details of all changes to the Supplier master file are printed on a report which is checked to supporting documentation by staff who are not involved in changing Supplier details
Example monitoring: Details of Suppliers and the amount spent with them are printed out every six months for authorisation by the Purchasing Director
Tests: Check individual reports over the last six months for evidence of checking. Observe the process in action.
Follow-up results: Not applicable

Level 3, ref 4.5.2: Set up Suppliers
Process description: as above
Risk to process: False Suppliers are set up and paid
Example control: Details of all changes to the Supplier master file are printed on a report which is checked to supporting documentation by staff who are not involved in changing Supplier details
Example monitoring: Details of Suppliers and the amount spent with them are printed out every six months for authorisation by the Purchasing Director
Tests: Check individual reports over the last six months for evidence of checking. Observe the process in action.
Follow-up results: Not applicable

Level 3, ref 4.5.2: Set up Suppliers
Process description: as above
Risk to process: No settlement discount, or other discounts, are negotiated
Example control: Details of all changes to the Supplier master file are printed on a report which is checked to supporting documentation by staff who are not involved in changing Supplier details
Example monitoring: Details of Suppliers and the amount spent with them are printed out every six months for authorisation by the Purchasing Director
Tests: Check individual reports over the last six months for evidence of checking. Observe the process in action.
Follow-up results: Not applicable

Level 3, ref 4.5.4: Departments requisition goods/services
Process description: Raise a request (may be on the computer system, but could be an e-mail or manual form) for goods or services to be ordered
Risk to process: Expense goods/services requested are not needed or are not for the benefit of the company
Example control: Requisitions are authorised by an appropriate manager
Example monitoring: Budgets are maintained for all expenses with monthly monitoring against actual
Tests: Observe the procedure for electronically authorising requisitions. If possible, have the computer controls checked by a competent auditor.
Follow-up results: Not applicable

Level 3, ref 4.5.4: Departments requisition goods/services
Process description: as above
Risk to process: Details on the requisition are incorrect
Example control: Requisitions are authorised by an appropriate manager
Example monitoring: Budgets are maintained for all expenses with monthly monitoring against actual
Tests: Observe the procedure for electronically authorising requisitions. If possible, have the computer controls checked by a competent auditor.
Follow-up results: Not applicable

Level 3, ref 4.5.5: Purchasing order raised for goods/services
Process description: Based on the authorised requisition, purchasing department raise an order. This may be on an existing Supplier but might require negotiations with a new Supplier
Risk to process: The order is incorrect, that is, it does not agree to the approved requisition
Example control: Confirmation is required on the order screen before the order is sent or printed
Example monitoring: The requisitioner will query any difference
Tests: Observe the process and try submitting without confirmation
Follow-up results: Not applicable

Level 3, ref 4.5.5: Purchasing order raised for goods/services
Process description: as above
Risk to process: The price on the order does not give the organisation maximum value
Example control: The order is placed by trained purchasing staff using prices on the computer, or negotiated with the supplier.
Example monitoring: Budgets are maintained for all expenses with monthly monitoring against actual
Tests: Examine a report which shows the access rights of each person in purchasing and payables. Confirm that proper division of duties exists.
Follow-up results: Not applicable

Level 3, ref 4.5.5: Purchasing order raised for goods/services
Process description: as above
Risk to process: Orders are placed with suppliers who do not provide best value (quality/price/delivery)
Example control: Orders can only be placed with suppliers previously set up on the computer
Example monitoring: Half-yearly report listing suppliers and spend which is approved by the Purchasing Director
Tests: Examine the input of orders. Try to set up a new supplier from the order screen
Follow-up results: Not applicable

Level 3, ref 4.5.5: Purchasing order raised for goods/services
Process description: as above
Risk to process: Orders are placed late
Example control: Computer report showing requisitions not turned into orders within 2 days is checked by the supervisor
Example monitoring: Requisitioners will complain if orders are received late
Tests: Examine this report for items older than 2 days
Follow-up results: Not applicable

Level 3, ref 4.5.5: Purchasing order raised for goods/services
Process description: as above
Risk to process: Orders have incorrect account codes input
Example control: The requisitioner supplies the codes. The computer checks these exist but cannot check if they are correct.
Example monitoring: Budget holders check their expenses each month for incorrect items
Tests: Examine accounts journals and other documentation used to correct coding errors to judge how frequent they are
Follow-up results: Not applicable

Level 3, ref 4.5.5: Purchasing order raised for goods/services
Process description: as above
Risk to process: Orders are placed for goods not required, without approved requisitions
Example control: All orders have to be placed through the computer. Orders can only be raised by purchasing staff. Orders without requisitions must be approved by a senior manager
Example monitoring: Budget holders check their expenses each month for incorrect items
Tests: Check access to order screens is limited to approved purchasing staff. Check orders raised without approved requisitions are approved
Follow-up results: Not applicable

Level 3, ref 4.5.6: Contracts raised for continuing services or supply of materials
Process description: Suitable suppliers are identified to supply goods/services. Sealed tenders (quotes) are called for and opened in the presence of an independent person. The cheapest tender is chosen, if all conditions have been complied with
Risk to process: Contracts are not negotiated to ensure the best prices for ongoing services such as maintenance
Example control: Expenditure on services is constantly monitored to check if contracts should be raised to ensure best prices and service. Contracts are tendered, as necessary, to ensure best prices.
Example monitoring: Senior purchasing management monitor expenses, and check all tenders to confirm the process
Tests: Check expenditure over X to see if contracts have been raised. Examine the tendering process, and last contracts signed, to ensure the process is operating. (This could be done as a separate audit)

Level 3, ref 4.5.7: Goods/services received. Quantity received input
Process description: Receive the goods and services ordered. Goods may be received at a central location, and their receipt keyed into the computer. Some type of confirmation should be required for the receipt of services
Risk to process: Goods/services vital to the organisation's operation become unavailable or too expensive
Example control: If possible, have two, or more, sources of supply. Hold sufficient stocks of vital spares. Have contingency plans for failure of vital supplies
Example monitoring: Continuity of supply is written into managers' targets, on which they are assessed
Tests: Check for the existence of recent, tested contingency plans
Follow-up results: Not applicable

Level 3, ref 4.5.7: Goods/services received. Quantity received input
Process description: as above
Risk to process: Quantities, or service, are not what was ordered
Example control: Computer report showing where quantities received differ from the order
Example monitoring: Requisitioners should complain if the goods/services differ from the order
Tests: Examine this report and check on the action taken. Note items which may be old and uncorrected
Follow-up results: Not applicable

Level 3, ref 4.5.7: Goods/services received. Quantity received input
Process description: as above
Risk to process: Quantities incorrectly input
Example control: The computer warns if the quantity received is different from that ordered
Example monitoring: Requisitioners should complain if the goods/services differ from the order
Tests: Observe the process and try submitting a different quantity
Follow-up results: Not applicable

Level 3, ref 4.5.7: Goods/services received. Quantity received input
Process description: as above
Risk to process: Stock records (for example engineers' spares) not updated
Example control: Automatic update with exception reports where this has not occurred
Example monitoring: Periodic physical checks to stock records
Tests: Check a sample of items received through to the stock system
Follow-up results: Not applicable

Level 3, ref 4.5.7: Goods/services received. Quantity received input
Process description: as above
Risk to process: Receipt details input when no goods or services have been received
Example control: Division of duties between requisitioners, purchasing staff and receivers
Example monitoring: Budget holders check their expenses each month for incorrect items
Tests: Examine a report which shows the access rights of each person in purchasing and payables. Confirm that proper division of duties exists.
Follow-up results: Not applicable

Level 3, ref 4.5.7: Goods/services received. Date of receipt input
Process description: as above
Risk to process: Quality is not up to standard
Example control: Responsibility of the person receiving the goods/services to complain of poor quality to the ordering department
Example monitoring: No formal monitoring
Tests: Ask a sample of staff their opinions on the quality of goods received
Follow-up results: Not applicable

Level 3, ref 4.5.7: Goods/services received. Date of receipt input
Process description: as above
Risk to process: Goods are lost
Example control: All goods are received at one, secure, location, which inputs their receipt against the order
Example monitoring: Requisitioner will complain if goods are not received
Tests: Visit the receiving area. Check security and observe the receipt of goods.
Follow-up results: Not applicable

Level 3, ref 4.5.8: Goods/services returned
Process description: If the goods are not those ordered, are damaged, or too many are delivered, they will be returned to the Supplier. If they are found to be faulty after the processing of an invoice, or payment, a credit note will be required
Risk to process: Credit is not obtained from the supplier
Example control: Goods can only be returned on the authority of the buyer, who raises a "Goods Return Note". One copy goes with the goods, the other is keyed into the computer as a debit note. This automatically reduces the next payment.
Example monitoring: Requisitioner will complain if credit is not received
Tests: Take a sample of Goods Returned Notes and check that the correct credit has been received
Follow-up results: Not applicable

Level 3, ref 4.5.8: Support purchasing of expenses
Level 4, ref 4.5.8.1: Define objectives for supporting expense purchasing
Risk to process: (Summary level)
Follow-up results: Not applicable

Level 5, row 1: Define the strategy
Process description: Set down targets for the year(s) ahead, for example, meeting the budget, improving staff efficiency, handling more orders
Risk to process: The strategy has not been updated
Example control: The strategy for purchasing expense goods and services is updated each year, prior to setting targets and budgets for the areas concerned
Example monitoring: Directors check the strategy for departments under their control
Tests: Examine the latest strategy document. Check that the budget forms part of the organisation's overall budget. Examine variances for the current year and ensure adequate explanations have been made for excessive variances.
Follow-up results: Not applicable

Level 5, row 2: Communicate the strategy
Process description: Inform the staff about the targets
Risk to process: Staff are unaware of the strategy
Example control: Staff are briefed by their managers
Example monitoring: The strategy is available on notice boards and the intranet
Tests: Ask staff to confirm they have been briefed. Determine the date of the briefing and attendees
Follow-up results: Not applicable

Level 5, row 3: Deliver the strategy
Process description: Form an action plan, with the staff involved, to deliver the strategy
Risk to process: No action plan exists to deliver the strategy
Example control: An action plan to deliver the strategy is part of the budgeting process
Example monitoring: Directors check the action plan for departments under their control
Tests: Examine the action plan. Check for progress to implement it.
Follow-up results: Not applicable

Level 5, row 3: Deliver the strategy
Process description: as above
Risk to process: The strategy is not built into individuals' targets
Example control: Individuals are given their targets based on those of the department
Example monitoring: Directors, or senior managers, check the staff targets for departments under their control
Tests: Examine staff targets for a selection of staff
Follow-up results: Not applicable

Level 5, row 3: Deliver the strategy
Process description: as above
Risk to process: No limitation is set on the authority of staff to commit the organisation
Example control: Rights to place requisitions and orders are in a written policy
Example monitoring: The policy is checked every year to ensure it is correct
Tests: Examine the policy. Check it is up-to-date, appropriate staff have a copy and know how to use it. As part of other tests, ensure adherence to the policy
Follow-up results: Not applicable

Level 5, row 3: Deliver the strategy
Process description: as above
Risk to process: No limitation is set on the authority of staff to commit the organisation
Example control: Rights to authorise requisitions and orders are in a written policy
Example monitoring: The policy is checked every year to ensure it is correct
Tests: Examine the policy. Check it is up-to-date, appropriate staff have a copy and know how to use it. As part of other tests, ensure adherence to the policy
Follow-up results: Not applicable

Expense purchases database

Report
ref

Follow-up
Risks

Follow-up
Controls

Follow-up
Action

Follow-up
Monitoring

1 5 4.5.8.2.1 Purchasing expenses Invoice input

1 5 4.5.8.2.1 Purchasing expenses Invoice input

4 4.5.8.2

Process transactions

1 5 4.5.8.2.1 Purchasing expenses Invoice input

1 5 4.5.8.2.1 Purchasing expenses Invoice input

Process transactions resulting from the purchase of


expenses

services supplied. If it has an order number, match it an


the computer system against the receipt and order, for
quantity and price. Differences outside a pre-defined
tolerance are held and cleared by purchasing. Invoices
with no order have to have senior management
authorisation.
Receive an invoice from the Supplier for the goods and Invoices are input twice

services supplied. If it has an order number, match it an


the computer system against the receipt and order, for
quantity and price. Differences outside a pre-defined
tolerance are held and cleared by purchasing. Invoices
with no order have to have senior management
authorisation.
Receive an invoice from the Supplier for the goods and Duplicate invoices are input
services supplied. If it has an order number, match it an
the computer system against the receipt and order, for
quantity and price. Differences outside a pre-defined
tolerance are held and cleared by purchasing. Invoices
with no order have to have senior management
authorisation.
Receive an invoice from the Supplier for the goods and Invoice input where no goods or services have been
received.
services supplied. If it has an order number, match it an
the computer system against the receipt and order, for
quantity and price. Differences outside a pre-defined
tolerance are held and cleared by purchasing. Invoices
with no order have to have senior management
authorisation.
Receive an invoice from the Supplier for the goods and The tax analysis of invoices is incorrect, for example
"Business entertainment"
services supplied. If it has an order number, match it an
the computer system against the receipt and order, for
quantity and price. Differences outside a pre-defined
tolerance are held and cleared by purchasing. Invoices
with no order have to have senior management
authorisation.
After input of the invoice, it is sent for microfiching and Invoices are not filed and microfiched

1 5 4.5.8.2.1 Purchasing expenses Invoice input

1 5 4.5.8.2.1 Purchasing expenses Invoice input

2 5 4.5.8.2.2 Purchasing expenses Invoice filed

3 5 4.5.8.2.3 Purchasing expenses - no Receive a properly approved cheque requistion, with


invoice received, for
supporting documentation
example tax

4 5 4.5.8.2.4 Purchasing expenses payment

4 5 4.5.8.2.4 Purchasing expenses payment

4 5 4.5.8.2.4 Purchasing expenses payment

4 5 4.5.8.2.4 Purchasing expenses payment

4 5 4.5.8.2.4 Purchasing expenses payment

4 5 4.5.8.2.4 Purchasing expenses payment

5 5 4.5.8.2.5 Purchase expense


invoices / credit notes
posted to accounts

David M Griffiths

Transactions are not processed completely and


accurately

Receive an invoice from the Supplier for the goods and Invoice input against incorrect supplier
services supplied. If it has an order number, match it an
the computer system against the receipt and order, for
quantity and price. Differences outside a pre-defined
tolerance are held and cleared by purchasing. Invoices
with no order have to have senior management
authorisation.
Receive an invoice from the Supplier for the goods and Incorrect values input

the paper copy destroyed

Incorrect payments may be made

Computer payment is made for goods or services which


The computer automatically schedules payments
have not been received
depending on the terms set for each Supplier.
Payments may be made by electronic funds transfer
(home and foreign) or cheque. Non-invoice payments
(for example payments of tax) may be made by entering
details in the computer, or by paying with a manual
cheque.
Example controls, monitoring and tests for the invoice processing and payment risks listed above:

Example control: Most invoices are input against an order and the supplier details are checked. If no order exists there is no control
Example monitoring: The supplier will send a reminder to pay
Tests: Examine transactions which correct mis-postings

Example control: Where the invoice is matched to an order, an exception report is produced for invoices not matching and these are held until purchasing approve the difference. Invoices without orders are batch totalled
Example monitoring: Monthly check, by management, of the report showing invoices held in query. Follow-up of invoices over one month old
Tests: Examine the query report to ensure no queries are outstanding for an excessive period of time, and that all are being actively pursued

Example control: Where the invoice is matched to an order the computer will not allow the input of another invoice. Invoices are stamped "input"
Example monitoring: Budget holders should check the actual expenditure against their budget each month
Tests: Ask a sample of budget holders to provide evidence that they have checked the expenses for the previous month

Example control: Where the invoice is matched to an order the computer will not allow the input of another invoice. If copy invoices are received, where no orders exist, they are checked to the supplier account before processing. The computer will not accept duplicate invoice numbers
Example monitoring: Budget holders should check the actual expenditure against their budget each month
Tests: Examine transactions which correct mis-postings

Example control: Most invoices are matched against approved orders. Other invoices must be approved by a senior manager and accountant, who writes the account code on. Invoices can only be paid to suppliers set up on the system, for which separate checks apply. Duties are divided to ensure staff who input invoices do not set up suppliers or payments
Example monitoring: Budget holders should check the actual expenditure against their budget each month
Tests: Check a sample of items received through to the stock system, or other evidence, to prove that the goods/services were received. Check the access to computer screens to ensure division of duties is enforced

Example control: All purchasing and transaction processing staff have specific training on the analysis of Value Added Tax (VAT). Detailed guidelines are available. The computer checks for incorrect calculations
Example monitoring: Tax department scrutinise certain nominal codes for exceptional items
Tests: Check a sample of invoices to ensure that the tax treatment is correct

Example control: Invoices are sequentially numbered on input. When microfiching, the continuity of these numbers is checked
Example monitoring: The fiche are checked by staff when received back from the microfiching department
Tests: Check a selection of fiche to ensure no numbers are missing

Example control: Computer payments can only be made against invoices matched to orders, or authorised invoices. Payments can only be generated by staff who do not have access to order, invoice or supplier master data input. Manual payment cheques must be supported by the cheque requisition and signed by two senior managers
Example monitoring: Budget holders should check the actual expenditure against their budget each month
Tests: Check a sample of cheque requisitions, to ensure this type of transaction should have been used (that is, no invoice is available) and it was properly approved. Check that the item being paid for is genuine

Example control: Computer payments can only be made against invoices matched to orders, or authorised invoices. Payments can only be generated by staff who do not have access to order, invoice or supplier master data input. Manual payment cheques must be supported by the original invoices and signed by two senior managers
Example monitoring: Budget holders should check the actual expenditure against their budget each month
Tests: Check a sample of payments taken from the cash sheets to prove that the goods/services paid for were received

Risk: Incorrect settlement discount is taken
Example control: Payment terms are set up on the supplier account. They can only be changed on written instructions from a buyer. Settlement discount can be overridden for a specific order, but only by a manager
Example monitoring: Payment terms are checked by buyers every 6 months
Tests: For the sample of payments used in the above test, check that the correct settlement discount has been taken

Risk: Payment is not made on the due date
Example control: Payment terms are set up on the supplier account. They can only be changed on written instructions from a buyer
Example monitoring: Payment terms are checked by buyers every 6 months
Tests: For the sample of payments used in the above test, check that the payment was made on the correct date

Risk: Manual payments made are fraudulent
Example control: Cheques are kept in a locked cupboard to prevent theft and subsequent forgery. Overseas payment instructions are signed by two directors. The bank has instructions to telephone the Chief Financial Officer if payments are over an agreed amount.
Example monitoring: Bank reconciliation will detect payments made not correctly entered in the books of account
Tests: For a sample of manual and overseas payments, ensure that goods/services were received. Check the bank understands its instructions to phone the CFO. If appropriate, carry out a separate audit on foreign payments

Risk: Cheques are altered or forged
Example control: Cheque signing signatures are embossed. Cheques are printed by specialist printers with the latest security features
Example monitoring: Bank reconciliation will detect payments made not correctly entered in the books of account
Tests: Observe the cheque printing process to ensure it is physically secure. Check that the signature plates are stored in a safe with limited access

Risk: The payment output file is altered. (This file holds payment data to be transmitted to the bank, or used to print cheques)
Example control: Access controls on the computer to prevent alteration
Example monitoring: Exception reports, checked by management, which detail exceptional alterations to files
Tests: Obtain details of those staff with access to the computer files. They should only be senior IT staff with no access to accounting systems

Process description: Invoices and payments are posted to the general (nominal) ledger in the same accounting period
Risk: Invoice / credit notes are posted to incorrect accounts
Example control: Invoices are posted to the cost centre and nominal account set up on the requisition. The computer verifies that these exist and prevents certain combinations of cost centre and nominal codes
Example monitoring: Budget holders check their expenses each month for incorrect items. Plus Financial Accounts check balances to the previous month's and investigate significant discrepancies
Tests: For a sample of invoices, check the coding is correct

4.5.8.2.6 Accounts Payable month-end processes
Process description: In order to compile month-end accounts, the value of goods received not invoiced is calculated by the computer, from unmatched receipts. Checks are made to ensure all services received, but not invoiced, are also accrued. To ensure details have been correctly passed from the accounts payable system to the general ledger, the total of the accounts payable ledger is reconciled to the accounts payable control account in

Risk: Accruals not calculated
Example control: The value of all goods received not invoiced is calculated by the computer
Example monitoring: Comparison made with previous month's figure. Major differences investigated
Tests: Check the report providing the accruals figure. Check that large variances from the previous month have been explained

Risk: Accruals not calculated correctly
Example control: In major expense service functions (for example advertising) managers must detail services provided which have not been invoiced
Example monitoring: Major variances from budget are investigated
Tests: Check the composition of the accruals figure. For a sample of receipts on the report, ensure they are recent and obtain explanations why old receipts have not had invoices processed

Risk: Accounts payable ledger total does not represent all liabilities
Example control: Total of supplier balances reconciled to Accounts Payable control account in the General ledger
Example monitoring: Reconciliation is signed by a senior manager
Tests: For a number of months, check this reconciliation has been properly carried out

4.5.8.2.7 Manage the accounts payable ledger
Process description: Ensure the accounts payable ledger is correctly updated, properly represents amounts owed to creditors and is correctly included in the accounts of the organisation

Risk: Accounts payable ledger total does not represent all liabilities
Example control: Sample check reconciliation of Supplier statements to the Accounts Payable balance
Example monitoring: The check is noted and scrutinised by a senior manager at month-end
Tests: Scrutinise the reconciliations carried out to ensure they contain no unusual items. If necessary, reperform some reconciliations to ensure they are correct

Risk: Supplier with a debit balance, due to credits issued, goes out of business
Example control: Exception report highlighting large debit balances. Payment stop put on the account. Systems in place to request repayment of the amount owing
Example monitoring: Management scrutiny of large debit balances each month, with a progress report on their recovery
Tests: Check the accounts payable list of balances for debit balances. For a sample of balances, determine why they arose and the action being taken to recover them

4.5.8.3 Provide systems (Summary level)
Process description: Provide systems, including computer systems, to support the organisation's operations

4.5.8.3.1 Maintain central systems
Process description: The proper operation of applications is maintained by a central IT department

Risk: Data lost through main computer failure, systems unavailable for a prolonged period
Example control: Range of controls maintained by the IT department
Example monitoring: Users monitor their output, such as reconciling the accounts payable balance with the general ledger
Tests: Covered by audits of the IT processes

4.5.8.3.2 Maintain user systems
Process description: Users set up their own computer systems (for example spreadsheets) to produce data

Risk: User-maintained systems lose data
Example control: Data is kept on the network which is backed-up daily
Example monitoring: IT management should monitor system reports
Tests: Ensure data is backed-up - try retrieving yesterday's files. If a stand-alone computer, check back-up to discs

Risk: User-maintained systems produce inaccurate data
Example control: All important data is checked, or reconciled, to an independent source to ensure it is correct. If this is not possible, some manual reperformance of calculations, or checks of formulas.
Example monitoring: Output should be examined for "reasonableness"
Tests: Check formulas are correct. If possible use a spreadsheet analyser to detect possible problems. Reperform manually important calculations, if possible.

Risk: User-maintained systems understood by only the programmer
Example control: A user guide has been written and independently tested after each revision
Example monitoring: Manager holds a copy
Tests: Check all programs have a clearly written user guide.

4.5.8.4 Prepare management accounts
Process description: Collect the data from processed transactions into accounts for management to make decisions

Risk: Information is incorrectly analysed and summarised
Example control: Totals on the management accounts are reconciled to totals from the accounts payable system
Example monitoring: Output should be examined for "reasonableness"
Tests: Trace figures from the accounts payable system through to totals in the top level management accounts

4.5.8.5 Prepare financial accounts
Process description: Collect the data from processed transactions into accounts for statutory or tax purposes

Risk: Information is incorrectly analysed and summarised
Example control: Each month, or more frequently, the accounts payable ledger total is reconciled to the accounts payable control account in the general ledger
Example monitoring: Manager checks the reconciliation. Management and financial accounts are reconciled
Tests: Trace figures from the accounts payable system through to totals in the top level financial accounts

4.5.8.6 Provide staff (Summary level)
Process description: Recruit staff and manage staff policies

4.5.8.6.1 Establish job descriptions
Process description: Job descriptions, in accordance with policy, are written

Risk: Staff competencies required have not been identified and approved
Example control: All jobs have written job descriptions, which show the competencies required
Example monitoring: HR and manager sign off job descriptions
Tests: Check for job descriptions of all staff levels

4.5.8.6.2 Carry out regular appraisals
Process description: Targets are set for staff with regular appraisals in accordance with policy

Risk: Actual competencies of the staff have not been matched with required competencies
Example control: The targets take into account the competencies required
Example monitoring: HR and manager sign off appraisals
Tests: Check appraisal files

4.5.8.6.3 Training of staff
Process description: Staff are trained in order to achieve their targets with maximum effectiveness and efficiency, within the ethical guidelines

Risk: Training is not provided, or is inadequate. For example it omits ethical guidance
Example control: Training is provided when taking on new responsibilities and during a job, to ensure the staff member understands how to do the job and the controls which must operate at all times
Example monitoring: Managers monitor the training their staff receive to ensure it is appropriate
Tests: Check training materials. Ask staff who have recently changed jobs about their training

Risk: Staff not allowed to attend training
Example control: Clear policy from the board that training is important.
Example monitoring: HR monitor staff not attending training courses and determine why
Tests: Question staff who have been on courses

4.5.8.6.4 Recruit suitable staff
Process description: Recruit staff to fill vacancies

Risk: Applicants falsify references
Example control: All references and qualifications are checked by HR
Example monitoring: Manager can request references if required
Tests: Take a sample of recent joiners and check that references were supplied. (Other tests are carried out as part of the audit of HR)

Risk: Insufficient staff are available to carry out all duties, and maintain division of duties
Example control: HR maintain succession plans for senior key staff. Managers have plans for other key staff
Example monitoring: Senior managers should monitor their managers to ensure succession plans exist
Tests: Examine staff budgets to ensure staff numbers are being maintained at levels which ensure controls are operated

4.5.8.7 Provide legal services
Process description: Advise all areas of the company concerning action to be taken on legislation

Risk: Staff involved in expense purchasing are not aware of legislation which affects them, thus threatening the organisation with prosecution
Example control: There is a clear, preferably written, understanding that legal services will update the appropriate managers with legislation which affects them. The managers will brief their staff
Example monitoring: Senior management check that important legislation is understood by the functions under their control
Tests: Determine when the last update from legal services was received and how it was briefed to staff. If you are aware of any legislation affecting the processes being audited (for example competition legislation), make sure it has been briefed in. These processes will also be covered by audit BS

4.5.8.8 Provide tax services
Process description: Advise all areas of the company concerning action to be taken on tax legislation

Risk: Staff involved in expense purchasing are not aware of tax legislation which affects them, thus threatening the organisation with fines or the loss of tax credits
Example control: Regular briefings from tax department to all staff concerned. Induction training to include the relevant aspects of tax
Example monitoring: Senior manager to check that new tax legislation has been briefed to staff
Tests: Ask staff about their induction. Do they understand the tax implications of their work? Check invoices for correct treatment of taxes (for example VAT)

4.5.8.9 Ensure health & safety
Process description: Ensure the organisation complies with legislation and good practice to ensure the safety of staff and customers

Risk: Suppliers provide services without observing safety procedures, resulting in injury to staff
Example control: Audit of suppliers to ensure they understand health and safety legislation. Orders and contracts contain a clause to ensure suppliers comply with regulations
Example monitoring: Qualified staff check suppliers working
Tests: Examine documents given to suppliers and their written agreement. Attend, with qualified staff, the suppliers working on-site

4.5.8.10 Manage the environment
Process description: Ensure the operations of the organisation obey all environmental laws and good practice

Risk: Goods purchased, for example cleaning solvents, may create an unsafe environment for employees
Example control: Purchasing staff have training on general health and safety topics, with specific training for staff ordering chemicals and other potentially hazardous items
Example monitoring: Periodic audits by health and safety department
Tests: Check training records, and H & S audit documentation

4.5.8.12 Ensure security (Summary level)
Process description: The physical security of tangible and intangible assets, and staff and customers, is maintained at all times to ensure the continued operation of the organisation

4.5.8.12.1 Provide security
Process description: All assets, including physical assets, stock and information, are physically secure

Risk: Loss of the organisation's assets
Example control: All buildings have entry restricted by card operated gates
Example monitoring: Periodic audits, by security department, of the access to buildings
Tests: During audit, observe security precautions. Otherwise the tests of physical security are carried out in audit group BX

4.5.8.12.2 Identify documents required to achieve the objective of these processes
Process description: Decide on the documents, paper or electronic, which are essential to the operation of expense purchases, or for tax reasons. These may include paper orders, supplier invoices, cash sheets and cheques

Risk: Documents essential to operations (such as cheques) may be lost in a fire
Example control: Supplies of paper documents, such as orders and cheques, are stored in a separate building. Documents which must be kept for tax purposes are microfiched, and these are stored in a fireproof safe
Example monitoring: It is the responsibility of the departmental manager to ensure documents are retained and securely stored for as long as necessary
Tests: Check the existence of the paper documents kept offsite. Check that all microfiche are stored in the fireproof safe, with none left out at night.

4.5.8.12.3 Decide on arrangements to safeguard these
Process description: For each document, decide on the appropriate storage medium

Risk: Level of protection may not be sufficient
Example control: A formal process has been carried out to identify the documents used and their method of storage
Example monitoring: It is the responsibility of the departmental manager to ensure documents are retained and securely stored for as long as necessary
Tests: Check for evidence of the formal process, and that it is being followed

4.5.8.13 Communicate
Process description: Inform internal and external stakeholders of the organisation's policies and intentions

Risk: Reputation of the company suffers because the press are mis-informed about the organisation's policy of not using suppliers who might use child labour
Example control: A documented ethical policy, which includes purchasing policy
Example monitoring: The Ethical Committee ensures a complete policy is communicated to all stakeholders
Tests: Examine the policy and check specifically for purchasing policy

4.5.8.14 Manage risks threatening expense purchasing processes (Summary level)

4.5.8.14.1 Identify risks
Process description: Risk workshops and interviews are held to determine the risks threatening the objectives of the expense purchasing function

Risk: Risks are not known
Example control: Quarterly examination of the risk register by management, with written confirmation to Internal Audit of changes, or confirmation that no changes are necessary
Example monitoring: Internal Audit maintain the risk register, and ensure each function provides a list of scored risks with controls
Tests: Examine processes to set up the risk register and examine the register. Ensure all types of risk, including external risks, have been considered

4.5.8.14.2 Evaluate risks
Process description: Score the risks on the organisation's likelihood and consequence scales

Risk: Significant risks are not understood
Example control: Quarterly examination of the risk register by management, with written confirmation to Internal Audit of changes, or confirmation that no changes are necessary
Example monitoring: Internal Audit maintain the risk register, and ensure each function provides a list of scored risks with controls
Tests: Examine the process which scores the risks

4.5.8.14.3 Control risks
Process description: For all risks, decide on a cost-effective control to reduce the risk to the risk appetite of the organisation

Risk: Significant risks are not controlled
Example control: Controls are put into operation which reduce residual risks to the risk appetite of the organisation
Example monitoring: Internal Audit maintain the risk register, and ensure each function provides a list of scored risks with controls
Tests: Check controls as part of the audit

David M Griffiths

Expense purchases database
Column key:

L1: Level 1 risk number. Corresponds to the Risk database
L2: Level 2 risk number. Corresponds to the Risk database
L3: Level 3 risk number
L4: Level 4 risk number
L5: Level 5 risk number
L: Level of the process on this row (1 to 5)
Ref: Reference number of the process (L1.L2.L3.L4.L5). This is a unique number which defines this process throughout the organisation
Process: Title of the process
Process Description: A brief description of what the process does. Any more details should be filed in the audit file
Risk to process: The threat to the process. There may be several risks to one process, or one risk may threaten several processes
Risk source: Who identified the risk (management, risk workshop, auditor, meeting)
IRC: Inherent risk consequence score. See "Scoring risks" worksheet
IRL: Inherent risk likelihood score. See "Scoring risks" worksheet
IRS: Inherent risk scores multiplied to give significance
Example control: An example of a control which might mitigate the risks
Example monitoring: An example of a monitoring control which might check the operation of the control
Tests: An example of a test which might confirm the operation of the control
Ref: Reference to the schedule giving more details of the test
RRC: Residual risk consequence score. See "Scoring risks" worksheet
RRL: Residual risk likelihood score. See "Scoring risks" worksheet
RRS: Residual risk scores multiplied to give significance
Cont score: Control score = IRS - RRS. The higher it is the more important the control
Issue: Details where the risk is not mitigated to the acceptable level ("Risk appetite")
Action: Action which management is taking to reduce the risk
By whom: The job title and name of the person responsible for ensuring the action takes place
Conclusion Risks: Conclusion on risk management (see "Allocating conclusions" worksheet)
Conclusion Controls: Conclusion on the adequacy of internal controls (see "Allocating conclusions" worksheet)
Conclusion Action: Conclusion on any action required to reduce risks (see "Allocating conclusions" worksheet)
Conclusion Monitoring: Conclusion on the adequacy of processes to monitor the correct operation of controls (see "Allocating conclusions" worksheet)
Report ref: The paragraph number in the report where the issue is reported
Follow-up Risks: Conclusion on risk management from the last follow-up audit (see "Allocating conclusions" worksheet)
Follow-up Controls: Conclusion on the adequacy of internal controls from the last follow-up audit (see "Allocating conclusions" worksheet)
Follow-up Action: Conclusion on any action required to reduce risks from the last follow-up audit (see "Allocating conclusions" worksheet)
Follow-up Monitoring: Conclusion on the adequacy of processes to monitor the correct operation of controls from the last follow-up audit (see "Allocating conclusions" worksheet)
Advice on scoring risks (inherent and residual)

Values are an example only. They should be agreed at board level as part of setting the risk appetite of the organisation.

1 to 3 scale

If the consequence when the risk occurs is: / OR the likelihood of the risk occurring is: / Then the measure is defined to be:

To prevent the organisation achieving all, or a major part, of its objectives for a long time. Cash at risk > 100,000 / Almost certain / High (3)
To stop the organisation achieving its objectives for a limited period. Cash at risk <100,000 >5,000 / Possible / Medium (2)
To cause minor inconvenience, not affecting the achievement of objectives. Cash at risk <5,000 / Unlikely / Low (1)

Grading individual risks (residual), 1 to 3 scale

Risk score = Likelihood score X Consequence score

Likelihood of residual risk      Consequence of residual risk
                                 Low (1)   Medium (2)   High (3)
High (3)                         3         6            9
Medium (2)                       2         4            6
Low (1)                          1         2            3

Grading by score: 1 or 2: Acceptable. 3: Acceptable (or Supplementary issue). 4: Issue. 6 or 9: Unacceptable risk.

1 to 5 scale

If the consequence when the risk occurs is: / OR the likelihood of the risk occurring is: / Then the measure is defined to be:

A catastrophic impact on the organisation, threatening its existence. Cash at risk > 1,000,000 / Almost certain / Catastrophic (5)
To prevent the organisation achieving all, or a major part, of its objectives for a long time. Cash at risk <1,000,000 >100,000 / Probable / Major (4)
To stop the organisation achieving its objectives for a limited period. Cash at risk <100,000 >30,000 / Possible / Moderate (3)
To stop the organisation achieving its objectives for a limited period. Cash at risk <30,000 >5,000 / Unlikely / Minor (2)
To cause minor inconvenience, not affecting the achievement of objectives. Cash at risk <5,000 / Rare / Insignificant (1)

Grading individual risks (residual), 1 to 5 scale

Risk score = Likelihood score X Consequence score

Likelihood of residual risk      Consequence of residual risk
                                 Insignificant (1)   Minor (2)   Moderate (3)   Major (4)   Catastrophic (5)
Almost certain (5)               5                   10          15             20          25
Probable (4)                     4                   8           12             16          20
Possible (3)                     3                   6           9              12          15
Unlikely (2)                     2                   4           6              8           10
Rare (1)                         1                   2           3              4           5

Grading by score: 1 to 4: Acceptable. 5 to 8: Supplementary issue. 9, 10 or 12: Issue. 15 and above: Unacceptable.

Key to gradings:
Unacceptable: Immediate action required to control the risk
Issue: Action required to control the risk
Supplementary issue: Action is advisable if it is cost-effective
Acceptable: No action required
Advice on allocating conclusions

A conclusion is given on each of four areas:
Risks have been identified, evaluated and managed
Internal controls reduce risks to acceptable levels
Action being taken to promptly remedy significant failings or weaknesses
Current levels of monitoring are sufficient

Grading: Acceptable (colour: green)
Score (1 to 3 scale): 0, 1, 2 or 3. Score (1 to 5 scale): =<8
Report as: Supplementary issue, if cost effective controls can reduce the risk further, otherwise do not report
Criteria:
Risks have been identified, evaluated and managed: Thorough processes have been used and all significant risks should have been identified
Internal controls reduce risks to acceptable levels: The risk is being mitigated to an acceptable level by the control(s)
Action being taken to promptly remedy significant failings or weaknesses: The action being taken will result in all risks being mitigated
Current levels of monitoring are sufficient: No more monitoring is necessary than is done at present

Grading: Issue (colour: amber)
Score (1 to 3 scale): 4 (possibly 3). Score (1 to 5 scale): >9 <14
Report as: Key issue
Criteria:
Risks have been identified, evaluated and managed: Processes have been used, but there are some deficiencies
Internal controls reduce risks to acceptable levels: The risk is not being mitigated to an acceptable level by the control(s), although the consequence from the risk occurring, or likelihood of the risk occurring, is not considered significant. There is the possibility that some objectives will not be achieved
Action being taken to promptly remedy significant failings or weaknesses: The action being taken will result in some reduction in risk but not to acceptable levels
Current levels of monitoring are sufficient: Some additional monitoring is required

Grading: Unacceptable (colour: red)
Score (1 to 3 scale): 6 or 9. Score (1 to 5 scale): >14
Report as: Key issue
Criteria:
Risks have been identified, evaluated and managed: Inadequate, or no, processes have been used
Internal controls reduce risks to acceptable levels: The risk is not being mitigated to an acceptable level by the control(s) and it is probable that some objectives will not be achieved, with significant (material) results; or the risk is not being mitigated to an acceptable level by the control(s) and objectives are not being achieved, with significant results
Action being taken to promptly remedy significant failings or weaknesses: No action is being taken, OR insufficient action is being taken to mitigate risks
Current levels of monitoring are sufficient: Major improvements are required to the monitoring of controls