
Chapter 9 REVENUE CYCLE AUDIT

OBJECTIVES, CONTROLS,
AND TESTS OF CONTROLS
Outline:
Auditing the Revenue Cycle
Revenue Cycle Activities and Technologies
• Batch Processing Using Sequential Files—Manual Procedures
• Batch Processing Using Sequential Files—Automated Procedures
• Batch Cash Receipts System with Direct Access Files
• Real-Time Sales Order Entry and Cash Receipts
• Point-of-Sale (POS) Systems
• Daily Procedures
• End-of-day Procedures
Revenue Cycle Audit Objectives, Controls, and Tests of Controls
• Input Controls
• Process Controls
• Output Controls
Substantive Tests of Revenue Cycle Accounts
• Revenue Cycle Risks and Audit Concerns
• Understanding Data
• Testing the Accuracy and Completeness Assertions
• Testing the Existence Assertion
• Testing the Valuation/Allocation Assertion
LEARNING OBJECTIVES
• Recognize the relationship between revenue
cycle audit objectives, controls, and tests of
controls.
REVENUE CYCLE AUDIT OBJECTIVES,
CONTROLS, AND TESTS OF CONTROLS
• The audit objectives for transactions and account balances are derived
from management assertions about the financial statements (FS).
• Table 9.1 shows how management assertions
translate to specific revenue cycle audit
objectives.
Management Assertions and Revenue Cycle
Audit Objectives
• Existence / Occurrence
– Verify AR balance represents amounts actually owed as of Balance Sheet date
– Establish sales represents goods shipped and/or services rendered during period of financials
• Completeness
– Determine all amounts owed organization are included in AR
– Verify shipped goods, services rendered, and/or returns and allowances for period are included in financials
• Accuracy
– Verify revenue transactions are accurately computed, based on correct prices and quantities
– Ensure AR subsidiary ledger, sales invoice file, remittance file are mathematically correct and agree with GL accounts
• Rights & Obligations
– Determine organization has legal right to AR
– Verify accounts sold or factored have been removed from AR
• Valuation or Allocation
– Determine AR balance stated in net realizable value
– Establish allocation for uncollectible accounts is appropriate
• Presentation and Disclosure
– Verify AR and revenues for period are properly described and classified


Hall, 3e 5
REVENUE CYCLE AUDIT OBJECTIVES,
CONTROLS, AND TESTS OF CONTROLS
• How to achieve these audit objectives?
– requires designing audit procedures to gather evidence
that either corroborates or refutes the management
assertions.
• Audit procedure involves a combination of:
– tests of controls
– substantive tests of details.
• Computer application controls fall into three broad
categories:
– input controls
– process controls
– output controls
REVENUE CYCLE AUDIT OBJECTIVES,
CONTROLS, AND TESTS OF CONTROLS
• Input controls
– Credit Authorization Procedures (Batch & real time systems)
  • Management assertions:
    – valuation/allocation audit objectives
    – accuracy
– Data Validation Controls
  • Missing data checks, numeric-alphabetic data checks, limit checks, range checks, validity checks, check digit
  • Management assertion:
    – accuracy
– Batch Controls
  • Management assertion:
    – completeness and accuracy.
• Process controls
– File Update Controls
  • Run-to-run controls
  • Transaction Code Controls
  • Sequence Check Control
  • Management assertions:
    – Existence
    – Completeness
    – accuracy
– Access Controls
  • Management assertions:
    – Existence
    – Completeness
    – Accuracy
    – valuation and allocation
    – right and obligations
    – Presentation and disclosure
– Physical Controls
  • Segregation of Duties, Supervision, Independent Verification
• Output controls - completeness and accuracy
– AR Change Report, Transaction Logs,
Transaction Listings, Log of Automatic
Transactions, Unique Transaction Identifiers,
Error Listing
Input Controls
• are designed to ensure that transactions are valid,
accurate, and complete.
• Control techniques vary considerably between batch
and real-time systems.
• The following input controls relate to revenue cycle
operations.
– Credit Authorization Procedures
• Testing Credit Procedures
– Data Validation Controls
• Missing data checks, numeric-alphabetic data checks, limit checks,
range checks, validity checks, check digit
• Testing Validation Controls
– Batch Controls
Input Controls:
Credit Authorization Procedures
• The purpose of the credit check
– is to establish the creditworthiness of the customer.
• Valid transaction:
– 1) meet the credit standards (credit policy)
• Only customer transactions that meet the organization’s credit
standards are valid and should be processed further.
• Failure to apply credit policy correctly and consistently has
implications for the adequacy of the allowance for uncollectible
accounts.
– 2) transaction authorization
  • Batch with manual systems use credit dept.
  • Real-time systems use programmed decision rules
    – Exception file (if exceeds limit, credit manager approves)
  • POS
    – validating credit card charges and establishing that the customer is the valid user of the card.
Input Controls:
Credit Authorization Procedures
• Real-time systems use programmed decision rules
• When credit checks are computerized, the organization’s credit policy is
implemented through decision rules that have been programmed into the
system.
• 1) Current transaction + customer’s current AR bal > preestablished credit
limit
– For routine transactions, this typically involves determining if the current
transaction plus the customer’s current AR balance exceeds a preestablished
credit limit.
• 2) If credit limit is exceeded – exception file
– If the credit limit is exceeded by the transaction, it should be rejected by the
program and passed to an exception file, where it can be reviewed by
management.
• 3) Credit manager decides – disapprove or extend the credit limit
– The credit manager will decide either to disapprove the sale or to extend the
credit limit consistent with the manager’s authority.
Input Controls:
Testing Credit Procedures
Audit Objectives
• The tests provide evidence pertaining to the
– valuation/allocation audit objectives
– accuracy objective.
Audit Procedures
• Verify effective procedures exist
• Verify information is adequately communicated
• Verify effectiveness of programmed decision rules (test data, ITF)
– Create several dummy customer accounts with various lines of credit and then process test transactions that will exceed some of the credit limits.
– Then analyze the rejected transactions to determine if the computer application correctly applied the credit policy.
• Verify that authority for making credit decisions is limited to authorized credit personnel/procedures
• Perform Substantive Tests of Detail
• Review credit policy periodically and revise as necessary
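The programmed credit rule and the test-data procedure from the two slides above, as an added example that is not part of the original slides. The record layout, account ids and reason strings are hypothetical, and counting orders approved earlier in the same run toward the balance is an assumption.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class Customer:
    account: str
    ar_balance: Decimal
    credit_limit: Decimal


def credit_check(customers, orders):
    """Programmed decision rule: approve only if the order amount plus the
    customer's current AR balance stays within the credit limit. Everything
    else goes to the exception file for the credit manager."""
    approved, exception_file = [], []
    # Assumption: orders approved earlier in the run count toward the balance.
    balances = {acct: c.ar_balance for acct, c in customers.items()}
    for order in orders:
        acct = order["account"]
        if acct not in customers:
            exception_file.append({**order, "reason": "account not on file"})
            continue
        exposure = balances[acct] + order["amount"]
        if exposure > customers[acct].credit_limit:
            exception_file.append({**order, "reason": "credit limit exceeded"})
        else:
            balances[acct] = exposure
            approved.append(order)
    return approved, exception_file


# Constructed test data: dummy accounts with various lines of credit.
DUMMY_CUSTOMERS = {
    "T-001": Customer("T-001", Decimal("0.00"), Decimal("1000.00")),
    "T-002": Customer("T-002", Decimal("900.00"), Decimal("1000.00")),
    "T-003": Customer("T-003", Decimal("5000.00"), Decimal("5000.00")),
}
# Each test transaction carries the outcome the credit policy requires.
TEST_TRANSACTIONS = [
    ({"id": 1, "account": "T-001", "amount": Decimal("1000.00")}, "approve"),  # exactly at limit
    ({"id": 2, "account": "T-001", "amount": Decimal("0.01")}, "reject"),      # one cent over
    ({"id": 3, "account": "T-002", "amount": Decimal("100.01")}, "reject"),
    ({"id": 4, "account": "T-002", "amount": Decimal("100.00")}, "approve"),
    ({"id": 5, "account": "T-003", "amount": Decimal("1.00")}, "reject"),      # no headroom
    ({"id": 6, "account": "T-999", "amount": Decimal("1.00")}, "reject"),      # unknown account
]


def run_test_data(check=credit_check):
    """Return ids of test transactions the application decided incorrectly."""
    orders = [order for order, _ in TEST_TRANSACTIONS]
    _, exception_file = check(DUMMY_CUSTOMERS, orders)
    rejected = {e["id"] for e in exception_file}
    return [order["id"] for order, expected in TEST_TRANSACTIONS
            if (order["id"] in rejected) != (expected == "reject")]


if __name__ == "__main__":
    print("deviations from credit policy:", run_test_data())
```

Passing a different rule as `check` shows which test transactions expose it; a rule that ignores the existing AR balance, for instance, lets transactions 2, 3 and 5 through.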
Input Controls:
Data Validation Controls
Input validation controls - are intended to detect transcription errors in transaction
data before they are processed.
Batch
• data validation occurs only after the goods have been shipped.
• error logs, error correction, and transaction resubmission procedures
Real-time and POS
• Errors handled as they occur
Input Controls:
Data Validation Controls
• Six Validation tests that are relevant to the revenue cycle include the following:
– Missing data checks → presence of blank fields.
  • Error: When the validation program detects a blank where it expects to see a data value, this will be interpreted as an error.
  • Missing product numbers, missing customer account numbers, or incomplete mailing or billing addresses.
– Numeric-alphabetic data checks → correct form of data.
  • Error: an invoice total should not contain alphabetic data; alphabetic data in a numeric field
– Limit checks → value does not exceed maximum for the field.
– Range checks → data is within upper and lower limits.
  • For example, the actual sales price charged for a product can be compared to a range of acceptable prices.
  • Purpose of this control: to detect keystroke errors that shift the decimal point one or more places.
– Validity checks → compare actual values against known acceptable values (reference file)
  • verify such things as product codes, shipping company codes, and state abbreviations in customer addresses.
  • Error: If the value in the field does not match one of the acceptable values, the record is determined to be in error.
– Check digit → identify keystroke errors by testing internal validity.
  • control data entry errors that would otherwise cause the wrong customer’s account to be charged for a transaction.
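The six validation tests applied to a keyed sales order record, as an added example that is not part of the original slides. The field names, reference values and quantity ceiling are constructed, and the modulus-11 check digit is one common scheme chosen here as an assumption; the slides do not name one.

```python
import re
from decimal import Decimal

# Constructed reference data standing in for the validity-check reference files.
PRICE_RANGE = {"P-100": (Decimal("9.00"), Decimal("11.00")),
               "P-200": (Decimal("45.00"), Decimal("55.00"))}
STATES = {"CA", "NY", "TX"}
MAX_QUANTITY = 500          # limit check ceiling (assumed)
REQUIRED = ("account", "product", "quantity", "unit_price", "state")

def mod11_check_digit(base):
    """Modulus-11 check digit for a numeric string; None if no single digit exists."""
    weights = range(len(base) + 1, 1, -1)
    total = sum(int(d) * w for d, w in zip(base, weights))
    check = (11 - total % 11) % 11
    return None if check == 10 else str(check)

def validate(rec):
    """Run the six checks on one keyed record (all fields are strings)."""
    missing = [f for f in REQUIRED if not rec.get(f, "").strip()]
    if missing:                                           # 1. missing data
        return ["missing data: " + f for f in missing]
    errors = []
    qty_ok = re.fullmatch(r"[0-9]+", rec["quantity"]) is not None
    price_ok = re.fullmatch(r"[0-9]+\.[0-9]{2}", rec["unit_price"]) is not None
    if not qty_ok:                                        # 2. numeric-alphabetic
        errors.append("quantity is not numeric")
    if not price_ok:
        errors.append("unit_price is not numeric")
    if qty_ok and int(rec["quantity"]) > MAX_QUANTITY:    # 3. limit
        errors.append("quantity exceeds limit")
    if rec["product"] not in PRICE_RANGE:                 # 5. validity
        errors.append("unknown product code")
    elif price_ok:                                        # 4. range
        low, high = PRICE_RANGE[rec["product"]]
        if not low <= Decimal(rec["unit_price"]) <= high:
            errors.append("unit_price outside acceptable range")
    if rec["state"] not in STATES:                        # 5. validity
        errors.append("unknown state abbreviation")
    acct = rec["account"]                                 # 6. check digit
    if not re.fullmatch(r"[0-9]{2,}", acct) or mod11_check_digit(acct[:-1]) != acct[-1]:
        errors.append("account check digit failed")
    return errors

def edit_run(records):
    """Split a batch into clean records and an error log keyed by record index."""
    results = [(rec, validate(rec)) for rec in records]
    clean = [rec for rec, errs in results if not errs]
    error_log = {i: errs for i, (_, errs) in enumerate(results) if errs}
    return clean, error_log

GOOD = {"account": "53724", "product": "P-100", "quantity": "10",
        "unit_price": "10.00", "state": "CA"}
SAMPLE = [                                   # constructed test records
    GOOD,
    {**GOOD, "account": "35724"},            # transposed digits
    {**GOOD, "unit_price": "100.00"},        # decimal point shifted
    {**GOOD, "quantity": "1O"},              # letter O keyed for zero
    {**GOOD, "product": "", "state": "ZZ"},  # blank field
    {**GOOD, "quantity": "5000", "state": "ZZ"},
]
```

`edit_run(SAMPLE)` returns the one clean record and an error log for the other five; that log is the kind of error listing the auditor reviews in the testing slide that follows.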
Input Controls:
Testing Validation Controls
Audit Objective
• The tests provide evidence pertaining to the
– Accuracy assertion
Audit Procedures
• Verify controls exist and are functioning effectively
• Validation of program logic can be difficult
– If Controls over system development and maintenance are NOT weak, testing data editing/programming logic is more efficient than substantive tests of details (test data, ITF)
– Some assurance can be gained through the testing of error lists and error logs (detected errors only)
Input Controls:
Batch Controls
• are used to manage high volumes of transaction
data through a system.
– Purpose: Reconcile output produced by system with the original input
– Controls continue through all computer (data) processes
– Batch transmittal sheet:
  • An important element of batch control.
  • a separate control record that the system uses to verify the integrity of the batch.
  • which captures relevant information about the batch, such as the following:
    – Unique batch number
    – Batch date
    – Transaction code
    – Record count
    – Batch control total (amount)
    – Hash totals (e.g., account numbers)
Input Controls:
Batch Controls
• The task of reconciling processing (batch transmittal
sheet) with the control record (batch control log)
provides assurance that:
– All sales invoices and cash receipts records that were
entered into the system were processed.
– No invoices or cash receipts were processed more than
once.
– All invoices and cash receipts entered into the system are
accounted for as either successfully processed or rejected
because of errors.
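A reconciliation of a batch transmittal sheet against the output of a run, as an added example that is not part of the original slides. The record layout, batch number and invoice values are constructed; the hash total is taken over account numbers as the slide suggests.

```python
from collections import Counter
from decimal import Decimal


def batch_totals(records):
    """Control figures recomputed from a set of records."""
    return {
        "record_count": len(records),
        "control_total": sum((r["amount"] for r in records), Decimal("0")),
        "hash_total": sum(int(r["account"]) for r in records),
    }


def reconcile(sheet, processed, rejected):
    """Compare the transmittal sheet with what the run produced.

    Every record entered must appear exactly once, either as processed or
    as rejected. Returns a list of findings; an empty list means in balance.
    """
    findings = []
    output = batch_totals(processed + rejected)
    for field in ("record_count", "control_total", "hash_total"):
        if output[field] != sheet[field]:
            findings.append(f"{field}: sheet {sheet[field]}, output {output[field]}")
    seen = Counter(r["invoice"] for r in processed + rejected)
    findings += [f"invoice {num} appears {n} times" for num, n in seen.items() if n > 1]
    return findings


def invoice_rec(invoice, account, amount):
    return {"invoice": invoice, "account": account, "amount": Decimal(amount)}


# Constructed batch of sales invoices and its transmittal sheet.
BATCH = [invoice_rec(1001, "1031", "120.50"), invoice_rec(1002, "1188", "250.00"),
         invoice_rec(1003, "2047", "250.00"), invoice_rec(1004, "3312", "75.25")]
SHEET = {"batch_number": "B-0042", "batch_date": "2024-03-01",
         "transaction_code": "SALE", **batch_totals(BATCH)}

# Run 1: invoice 1003 rejected by the edit run, the rest posted. In balance.
IN_BALANCE = reconcile(SHEET, [BATCH[0], BATCH[1], BATCH[3]], [BATCH[2]])
# Run 2: invoice 1004 dropped somewhere in processing.
LOST = reconcile(SHEET, BATCH[:3], [])
# Run 3: 1003 lost and 1002 posted twice. Same amount, so record count and
# control total still agree; only the hash total and duplicate test catch it.
SWAPPED = reconcile(SHEET, [BATCH[0], BATCH[1], BATCH[1], BATCH[3]], [])

if __name__ == "__main__":
    for name, result in (("in balance", IN_BALANCE), ("lost", LOST), ("swapped", SWAPPED)):
        print(name, result)
```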
Input Controls:
Testing Batch Controls
Audit Objective
• The tests provide the auditor with evidence relating to the management assertions of
– completeness and accuracy.
• Risk:
– The failure of batch controls to function properly can result in records being lost or processed multiple times.
Audit Procedures
• Failure of batch controls indicates data errors
• Involves reviewing transmittal records of batches processed and reconciling them to the batch control log (batch transmittal sheet)
• Examine out-of-balance conditions and other errors to determine cause of error
• Review and reconcile transaction listings, error logs, etc.
• Batch control totals, such as those on the batch transmittal sheet, are also a valuable tool in doing IT audits and fraud audits.
Process Controls
• File Update Controls
– Run-to-run Controls, Transaction Code Controls, Sequence
Check Control
• Access Controls
– Using warehouse security, such as fences, alarms, and guards
– Depositing cash daily in the bank
– Using a safe or night deposit box for cash
– Locking cash drawers and safes in the cash receipts department
– Accounting records
• Physical Controls
– Segregation of Duties, Supervision, Independent Verification
Process Controls:
File Update Controls
• include computerized procedures for
– file updating
– restricting access to data.
• May also include physical manual tasks.
• File Update Controls: Three control techniques related to file updating.
– Run-to-run controls - batch control data to monitor data processing steps
  • These controls ensure that each run in the system processes the batch correctly and completely
  • Risk: A discrepancy may indicate that a record was lost in processing, a record in the batch went unprocessed, or a record was processed more than once.
– Transaction code controls – to process different transactions using different programming logic (e.g., transaction types)
  • Risks: Errors in transaction codes, or in the program logic that interprets them, can cause incorrect processing of transactions and may result in materially misstated sales and accounts receivable balances.
– Sequence check controls – sequential files, proper sorting of transaction files required
  • An out-of-sequence sales order record in a batch may prevent the remaining downstream records from being processed. A more serious problem can occur when the sequencing error is not detected and the downstream records are processed against the wrong customer accounts.
  • Out-of-sequence records should be rejected and resubmitted for subsequent processing to allow the other records in the batch to be properly processed.
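The three file update controls in one AR posting run, as an added example that is not part of the original slides. The transaction codes, record layout and control figures are constructed, and account numbers are assumed to be fixed-width strings so that string comparison matches file order.

```python
from decimal import Decimal

# Transaction code -> effect on the AR balance. Codes are constructed.
POSTING_LOGIC = {
    "SALE": lambda balance, amount: balance + amount,
    "RCPT": lambda balance, amount: balance - amount,   # cash receipt
}


def update_ar(master, batch, control):
    """Post a batch (sorted by account number) to the AR master file.

    control holds the record count and amount total handed over by the
    previous run. Returns a dict with the new master, posted and rejected
    records, and a 'halted' message when the run-to-run figures disagree.
    """
    total = sum((r["amount"] for r in batch), Decimal("0"))
    if len(batch) != control["record_count"] or total != control["control_total"]:
        # Run-to-run control: refuse to post a batch that changed between runs.
        return {"master": dict(master), "posted": [], "rejected": [],
                "halted": f"expected {control['record_count']} records / "
                          f"{control['control_total']}, got {len(batch)} / {total}"}
    new_master, posted, rejected = dict(master), [], []
    last_key = None
    for rec in batch:
        key = rec["account"]
        if last_key is not None and key < last_key:
            # Sequence check: reject this record only and keep going.
            rejected.append((rec["id"], "out of sequence"))
            continue
        last_key = key
        post = POSTING_LOGIC.get(rec["code"])
        if post is None:
            rejected.append((rec["id"], "invalid transaction code"))
        elif key not in new_master:
            rejected.append((rec["id"], "no master record"))
        else:
            new_master[key] = post(new_master[key], rec["amount"])
            posted.append(rec["id"])
    return {"master": new_master, "posted": posted, "rejected": rejected, "halted": None}


def txn(id_, account, code, amount):
    return {"id": id_, "account": account, "code": code, "amount": Decimal(amount)}


# Constructed data. Account numbers are fixed-width strings so they sort correctly.
MASTER = {"1031": Decimal("500.00"), "1188": Decimal("0.00"), "2047": Decimal("100.00")}
BATCH = [txn(1, "1031", "SALE", "100.00"), txn(2, "1188", "SALE", "50.00"),
         txn(3, "1031", "RCPT", "40.00"),    # out of sequence
         txn(4, "2047", "RTRN", "10.00"),    # code the program does not know
         txn(5, "2047", "RCPT", "100.00")]
CONTROL = {"record_count": 5, "control_total": Decimal("300.00")}

if __name__ == "__main__":
    print(update_ar(MASTER, BATCH, CONTROL))
    print(update_ar(MASTER, BATCH[:4], CONTROL)["halted"])
```

Record 3 is rejected without blocking record 5, which is the behaviour the sequence check slide asks for; posting it anyway would apply a receipt to account 1031 after the file position had already moved past it.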
Process Controls:
File Update Controls
Audit Objective
• The tests provide the auditor evidence relating to the assertions of
– Existence
– Completeness
– accuracy.
Audit Procedures
• Testing data that contains errors (incorrect transaction codes, out of sequence)
• Can be performed in ITF or test data
• CAATTs require careful planning
• Single audit procedure can be devised that performs all tests in one operation.
Process Controls:
Access Control
• prevents and detects unauthorized and illegal access to the
firm’s assets.
– Inventories and cash are the physical assets of the revenue
cycle.
• is at the heart of accounting information integrity.
• Techniques used to limit access to these assets include the
following:
– Using warehouse security, such as fences, alarms, and guards
– Depositing cash daily in the bank
– Using a safe or night deposit box for cash
– Locking cash drawers and safes in the cash receipts department
Process Controls:
Access Controls
Risks
• Invoices can be deleted, added, or falsified. Individual account balances can be erased, or the entire AR file can be destroyed.
• An individual with unrestricted access to data can manipulate the physical assets of the firm and cause FSs to be materially misstated.
• Accounting files stored on magnetic media are particularly vulnerable to unauthorized access, whether its cause is accidental, an act of malice by a disgruntled employee, or an attempt at fraud.
• Accounting records
– Removal of an account from books
– Unauthorized shipments of goods using blank sales orders
– Removal of cash, covered by adjustments to cash account
– Theft of products/inventory, covered by adjustments to inventory or cash accounts
Controls
• The control techniques include
– Passwords
– data encryption
– Firewalls
– user views
Process Controls:
Access Controls
Audit Objectives
• Evidence gathered about the effectiveness of access controls tests the management assertions of
– Existence
– Completeness
– Accuracy
– valuation and allocation
– right and obligations
– Presentation and disclosure.
Audit Procedures
• Absence thereof allows manipulation of invoices (i.e., fraud)
• Computer Access controls are system-wide and application-specific
• Access controls are dependent on effective controls in O/S, networks, and databases
Process Controls:
Physical Controls
• Segregation of Duties
• Supervision
• Independent Verification
Process Controls:
Physical Controls – Segregation of Duties
• In general, the following three rules apply:
– Rule 1: Transaction authorization separate from transaction processing
  • The credit department is segregated from the rest of the process, so that the formal authorization of material transactions is an independent event.
– Rule 2: Asset custody separate from record-keeping tasks
  • In the sales order processing system, the inventory warehouse clerk with custody of the physical assets should not also maintain the inventory records.
  • The cash receipts clerk (with custody of cash) should not record AR.
– Rule 3: Organization structured such that fraud requires collusion between two or more people
  • The record-keeping functions must be carefully divided.
    – Specifically, the subsidiary ledgers (AR and inventory), the journals (sales and cash receipts), and the general ledger should be separately maintained.
  • Risk: An individual with total record-keeping responsibility, in collusion with someone with asset custody, is in a position to perpetrate fraud.
Process Controls:
Physical Controls – Supervision
• Is a compensating control for some firms that
have too few employees to achieve an
adequate separation of functions.
– Necessary for employees who perform incompatible functions
– Compensates for inherent exposure from incompatible functions.
• Can supplement or provide control when duties are
properly segregated
• Can provide an effective preventive control.
Process Controls:
Physical Controls – Independent Verification
• Review the work of others at critical points in business processes
• Purpose: Identify errors or possible fraud
• Examples:
– Shipping dept. verifies goods sent from warehouse dept. are correct in type and quantity
– Billing dept. reconciles shipping notice with sales notice to ensure customers billed correctly
Process Controls:
Testing Physical Controls
Risks
• Fraud and material errors
– Inadequate segregation of duties, the lack of effective supervision and independent verification can result in fraud and material errors.
• Collusion
– The purpose of collusion is to achieve unauthorized access to assets as well as the information needed to conceal the crime.
Audit Procedures
• Review organizational structure for incompatible tasks
• Tasks normally segregated in manual systems get consolidated in DP systems.
• Duties of design, maintenance, and operations for computers need to be separated
• Programmers should not be responsible for subsequent program changes.
Output Controls
• PURPOSE: Information is not lost, misdirected, or corrupted; that the system output processes function properly
• Controls are designed to identify potential problems
• Reconciling GL to subsidiary ledgers
• Maintenance of the audit trail – that is the primary way to trace the source of detected errors
– Details of transactions processed at intermediate points
  • AR change report
  • Transaction logs: permanent record of valid transactions
  • Transaction listings – successfully posted transactions
  • Log of automatic transactions
  • Unique transaction identifiers
  • Error listings
• Testing output controls
– Reviewing summary reports for accuracy, completeness, timeliness, and relevance for decisions
– Trace sample transactions through audit trails; including transaction listings, error logs, and logs of resubmitted records
  • ACL is very helpful in this process
Output Controls
• are designed to ensure that information is not lost,
misdirected, or corrupted and that system processes
function as intended.
– For example: Managers receive daily summaries of sales
orders placed by customers, goods shipped, and cash
received, and use such data to monitor the status of their
operations.
• can be designed to identify potential problems.
– For example, an exception report derived from the
customer open order file listing end-of-day open sales
orders can identify orders placed but not shipped.
– Such a report can help management assess the operational
performance of the shipping process.
Output Controls
Risks
• transaction processing errors
• The absence of adequate output controls has adverse implications for operational efficiency and financial reporting.
Controls
• Reconciling the GL
• Maintenance of an audit trail
– Details of transaction processing produced at intermediate points can provide an audit trail that reflects activity through every stage of operations.
Output Controls
• Six examples of audit trail output controls.
– 1) AR Change Report
  • is a summary report that shows the overall change to AR from sales orders and cash receipts.
  • should reconcile with total sales, total cash receipts (on account), and the GL.
– 2) Transaction Logs
  • should contain only successful transactions.
  • is a permanent record of valid transactions
– 3) Transaction Listing
  • Is a hard copy of all successful transactions produced to be given to the appropriate users to facilitate reconciliation with input.
  • For example, a listing of cash receipts processed will go to the controller to be used for a bank reconciliation.
– 4) Log of Automatic Transactions
  • Is an audit trail of transactions that are triggered internally by the system.
  • must be placed in a transaction log, and a listing of these transactions should be sent to the appropriate manager.
  • For example, EDI sales orders are accepted and processed without human authorization.
– 5) Unique Transaction Identifiers
  • Is a means of uniquely identifying each transaction processed by the system with a transaction number.
  • Is a control in tracing a particular transaction through a database of thousands or even millions of records.
– 6) Error Listing
  • Is a listing of all error records that should go to the appropriate user to support error correction and resubmission.
Testing Output Controls
Audit Objective
• Evidence gathered through tests of output controls relates to the
– completeness and accuracy assertions.
Audit Procedures
• Reviewing summary reports for accuracy, completeness, timeliness, and relevance to the decisions that they are intended to support.
– Data extraction software such as ACL can be used to search log files for specific records to verify the completeness and accuracy of output reports.
• Tracing sample transactions through audit trail reports, including transaction listings, error logs, and logs of resubmitted records.
– The auditor can use ITF.
Summary
• The topic presented revenue cycle audit
objectives and controls.
• In this section, we examined the tests of
controls that an auditor may perform.
• Evidence gathered from tests of controls
contributes to audit objectives and may
permit the auditor to limit the scope, timing,
and extent of substantive tests.
