Customs - Excise Audit-CCLEC - BOR

Centre for Customs & Excise Studies (CCES)
Customs & Excise Audit
Readings
© Centre for Customs & Excise Studies, University of Canberra, 2009

First prepared in February 2009
Published by the Centre for Customs & Excise Studies
University of Canberra ACT 2601
AUSTRALIA
The Centre for Customs and Excise Studies (CCES), University of Canberra has
developed an academic program leading to an Executive Diploma in Customs
Management for member countries of the Caribbean Customs Law Enforcement
Council (CCLEC).
The program which is to be followed over a period of one year, entails the
following subjects;
Accounting for Managers
Customs Management I
Revised Kyoto Convention I
Intelligence Management in the CCLEC Region
Managing Operational Activities
The study requirement for each subject is 30 hrs through a combination of face to
face and online learning.
Materials development team

Author: Stephen Muller, 2009
Graphic Design: Peter Delgado 2009
Desktop Publishing: Alan Murray, 2009
Copyrighted materials reproduced herein are used under the provisions of the Copyright
Act 1968 as amended, or as a result of application to the copyright holder.
While every effort has been made to contact copyright holders (when relevant), in the
event of accidental infringement, the University of Canberra will be pleased to come to a
suitable arrangement with the rightful owner.
No part of this publication may be reproduced, stored in a retrieval system or transmitted
in any form or by any means electronic, mechanical, photocopying, recording, or
otherwise without prior permission.
This learning package, including its online components, is provided solely for the purpose
of private study and must not be copied or resold or used by anyone not enrolled in the
subject.
Centre for Customs and Excise Studies

2
Readings
Contents
Reading 1...............................................................................................5
WCO 1999, Revised Kyoto Convention General Annex Guidelines Chapter
1, General Principals, paragraph 4, Co-operation with the Trade, Brussels. ...... 5
Reading 2...............................................................................................6
WCO 1999, Revised Kyoto Convention Chapter 6, Customs Control
Guidelines, paragraph 9 Customs/Trade Co-operation, Brussels. ...................... 6
Reading 3...............................................................................................8
WCO 2004, A National Valuation Database as a risk assessment tool,
Brussels .................................................................................................................... 8
Reading 4...............................................................................................9
Federal Financial Institutions Examination Council 2003, Risk
Assessment & Risk Based Auditing Booklet, Washington................................... 9
Reading 5.............................................................................................11
CCES 2005, Customs and Excise Compliance Audit Methodology,
Canberra.................................................................................................................. 11
Division 1: Audit Approach and Methodology ....................................1
Introduction............................................................................................................... 1
Customs and Excise Compliance Audit Methodology.............................................. 1
The changing approach to audit activity ................................................................... 1
The Audit Cycle ........................................................................................................ 1
Application of the Audit Methodology .................................................................... 2
Is the company suitable for a systems based audit approach?................................ 2
International Audit Standards ................................................................................... 2
Division 2: Systems Based Audits.......................................................3

Stage 1 – Audit Planning.......................................................................................... 3
Planning and Development of the Audit Plan ........................................................... 3
Understanding the Business..................................................................................... 4
The Entrance Interview............................................................................................. 5
Risk and Materiality .................................................................................................. 6
Understanding and Documenting the Business Systems ........................................ 6
Initial View – Business Systems and Controls/ Suitability for Systems Based
Audit Approach ......................................................................................................... 9
The Audit Plan .......................................................................................................... 9
Stage 2 – Internal Control Identification and Analysis ........................................ 10
Risk and Internal Controls ...................................................................................... 10
Control Risk Matrix ................................................................................................. 11
Understanding the Risk to the Audit ....................................................................... 12
Setting the confidence levels in Internal Controls .................................................. 14
Stage 3 – Control Testing ...................................................................................... 15
How do the internal controls operate?.................................................................... 15
Automated IT Based Controls ................................................................................ 15
Control Testing ....................................................................................................... 16
Sample Size for Control Testing ............................................................................. 17
Documenting the Control Test................................................................................ 18

3
Completion of Control Risk Matrix Form................................................................. 18

Issues in Control Testing ........................................................................................ 19
Stage 4 – Substantive Testing............................................................................... 20
Designing the Substantive Tests ............................................................................ 20
Documenting the Substantive Test......................................................................... 21
Substantive Testing Sample Size Selection ........................................................... 21
How samples are selected from the population ..................................................... 22
Conducting the substantive tests............................................................................ 24
Evaluation of substantive test results ..................................................................... 25
Stage 5 – Dealing with Audit Issues ..................................................................... 27
Outstanding Audit Issues........................................................................................ 27
Response by the company ..................................................................................... 28
Is further action required?....................................................................................... 28
Stage 6 – Audit Reporting...................................................................................... 29
What is the audit report?......................................................................................... 29
Draft Audit Report ................................................................................................... 29
The Exit Interview ................................................................................................... 30
Safe care of audit working papers .......................................................................... 30
Division 3: Working Papers................................................................31

Working Paper Index Page .................................................................................... 31
General Working Paper .......................................................................................... 31
Control Description/Testing Paper.......................................................................... 31
Audit Issues Worksheet .......................................................................................... 32
Substantive Testing Worksheet .............................................................................. 32
Working Paper Index .............................................................................................. 33
General Working Paper .......................................................................................... 34
Control Description / Testing Worksheet ................................................................ 35
Audit Issues Worksheet .......................................................................................... 39
Substantive Testing Worksheet .............................................................................. 40

4
Readings
Reading 1
WCO 1999, Revised Kyoto Convention General Annex
Guidelines Chapter 1, General Principals, paragraph 4, Co-
operation with the Trade, Brussels.
Standard 1.3
The Customs shall institute and maintain formal consultative relationships with
the trade to increase co-operation and facilitate participation in establishing the
most effective methods of working commensurate with national provisions and
international agreements.
To address the rapidly growing volume of international trade, active co-operation and
intensive communication between Customs and the trade are essential to complement
each other’s objectives and responsibilities. Since Customs are an important element in
international trade procedures, it is important that Customs administrations make use of
modern working methods to administer their operations and that they strive to facilitate
trade to the maximum extent possible.
In an ever-changing trading environment, where speed means a trader’s livelihood,
Customs and the trade have to develop modern methods together. To achieve this, a
consultative relationship is indispensable and the use of modern information technology
essential for the efficient and fast exchange of information. Before Customs implement
changes or introduces new procedures or automated systems, Customs should consult
with appropriate representatives of the trade so that both can gear their activities in
consideration of each other’s needs.
In order to develop instruments for co-operation and consultation, Customs has to
establish formal consultative relationships with the different national trade associations.
Co-operation between Customs and the trade can result in formal Memoranda of
Understanding which serve to benefit the accomplishment of both parties’ objectives and
responsibilities.
Further information on such Memoranda of Understanding can be found in the Guidelines
to Chapter 6 of the General Annex on Customs control.

5
Reading 2
WCO 1999, Revised Kyoto Convention Chapter 6, Customs
Control Guidelines, paragraph 9 Customs/Trade Co-operation,
Brussels.
(Standards 6.8, 7.3, 8.5 and Chapter 9)
In a modern Customs administration there are a wide variety of complex control tasks to
undertake and, increasingly, resources are limited. The Customs response has been to
apply selection, targeting and risk management to maximise the effectiveness of these
resources.
The increasing use of risk management techniques coupled with demands for greater
facilitation, good communication, consultation and co-operation between the trade and
Customs administrations is vital to achieve a satisfactory balance between effective
control and facilitation. Customs administrations see legitimate traders as partners in this
process.
It is important that all interested persons should be able to obtain information from
Customs about procedures and control requirements (see General Annex, Chapter 9).
Sources may include the Customs tariff, official gazettes, bulletins and notices. Customs
should therefore ensure that these are readily available at their offices. Additionally
persons may need specific information concerning a particular operation and the Customs
administration should aim to supply this as completely and accurately and as soon as
possible.
Customs administrations should also consider modern techniques for the dissemination of
information, like the Internet with its World-Wide-Web (WWW). As an example under
<http://www.gov.sg/customs/ > the Singapore Customs administration provides
information on duty and tax rates, documentation, valuation, clearance procedures,
security requirements and addresses of Customs offices.
Many Customs administrations now maintain formal consultative committees with
traders, carriers, agents, banks, port and airport operators and their representative
organisations. The role of such committees typically includes the discussion of projected
changes in control requirements, identification of difficulties experienced by declarants in
complying with actual or proposed procedures and arriving at mutually acceptable
solutions. In addition some Customs administrations have introduced the idea of “client-
co-ordinators” who keep contact with individual companies.
There should be continuous collaboration at all levels; at local/regional level between
Customs officials and business and at national level between Customs administrations
and business.
For the Customs administration such collaboration has the advantage of improving its
knowledge of trading practices. Greater familiarity with the conditions of international
trade means more effective risk management. In this spirit Customs administrations may
consider inviting business representatives to spend short periods with the Customs service
as a means of familiarising themselves with the regulations.
Co-operation is particularly valuable to a Customs administration in drug interdiction,
CITES, dangerous goods, and hazardous waste control. It is increasingly encouraged and
sustained through a range of Memoranda of Understanding in which trade organisations,
nationally and internationally, sign general undertakings with the WCO and national
Customs administrations, backed by detailed guidelines, specifying the practical

6
Readings
improvements in information exchange, training and communications arrangements

appropriate to each trade sector.
MOUs are also concluded in Customs-to-company memoranda and guidelines. The
benefits to both Customs administration and the trade organization can be many; for
Customs administrations they provide a further valuable source of information. In
return, traders with a good record of co-operation may expect less Customs
intervention.

7
Reading 3
WCO 2004, A National Valuation Database as a risk
assessment tool, Brussels
This reading may be accessed through the following WCO URL:
< http://202.121.31.31/cwco/english/files/reference/Letstalk1GB.pdf >

8
Readings
Reading 4
Federal Financial Institutions Examination Council 2003, Risk
Assessment & Risk Based Auditing Booklet, Washington
Available on FFIEC website,
<http://www.ffiec.gov/ffiecinfobase/booklets/audit/audit_03_risk%20ass_rb_audit.html >.

9

10
Readings
Reading 5
CCES 2005, Customs and Excise Compliance Audit
Methodology, Canberra
Centre for Customs & Excise Studies
Study Guide Supplement
Customs and Excise Audit Methodology

11
© University of Canberra, 2004

First prepared in January for Semester 1, 2005.
Published by the Flexible Delivery Development Unit
Centre for the Enhancement of Learning, Teaching, and Scholarship (CELTS)
University of Canberra ACT 2601
AUSTRALIA
Materials development team

Author/s: Rob Preece, 2004
Instructional designer: Wendy Myers, 2004
Editor: Gillian Ferguson, 2005
Graphic Design: Peter Delgado, 2004
Desktop Publishing: Leigh Eveille, 2005
Copyrighted materials reproduced herein are used under the provisions of the Copyright
Act 1968 as amended, or as a result of application to the copyright holder.
While every effort has been made to contact copyright holders (when relevant), in the
event of accidental infringement, the University of Canberra will be pleased to come to a
suitable arrangement with the rightful owner.
No part of this publication may be reproduced, stored in a retrieval system or transmitted
in any form or by any means electronic, mechanical, photocopying, recording, or
otherwise without prior permission.
This learning package; including its online components, is provided solely for the
purpose of private study and must not be copied or resold or used by anyone not enrolled
in the subject.

12
Readings
Contents
Division 1: Audit Approach and Methodology ....................................1

Introduction............................................................................................................... 1
Application of the Audit Methodology .................................................................... 2
Division 2: Systems Based Audits.......................................................3
Stage 1 – Audit Planning.......................................................................................... 3
Stage 2 – Internal Control Identification and Analysis ........................................ 10
Stage 3 – Control Testing ...................................................................................... 15
Stage 4 – Substantive Testing............................................................................... 20
Stage 5 – Dealing with Audit Issues ..................................................................... 27
Stage 6 – Audit Reporting...................................................................................... 29
Division 3: Working Papers................................................................31
Working Paper Index Page .................................................................................... 31

13
Division 1: Audit Approach and Methodology
Division 1: Audit Approach and Methodology
Introduction
Customs and Excise Compliance Audit Methodology
The role of audit in the Customs and Excise environment is to provide a high level of
assurance that:
correct revenue is received by Customs or Excise agencies at the time that it falls due
compliance has been achieved against legislative requirements in relation to the
importation, manufacture, storage, usage and movement/sale of products and retention
of adequate records.
The audit methodology developed in this manual has been designed with the specific needs of
the Customs or Excise auditor in mind.
The changing approach to audit activity

With the world wide growth of commerce, Customs and Excise agencies are finding that the
importers and manufacturers they deal with are increasing their volumes of trade and duty
liabilities. Similarly, in response to their growth, businesses are moving to automating a lot of
their operations, in particular the systems which create and transmit the transactions relevant to
Customs and Excise.
In order to meet these developments in business, Customs and Excise auditors charged with
assuring compliance will need to move increasingly towards systems-based approaches to the
conduct of an audit. Auditors will need to start forming opinions as to the adequacy of business
systems, in particular the internal controls operating within those systems to ensure ongoing
levels of compliance. This is achieved through a series of tests performed over the relevant
internal controls, and confirmed by further tests over the resultant transactions with Customs
and Excise.
Audit should no longer be seen as adversarial in nature but, for Customs and Excise agencies
as an opportunity, and for industry, as creating efficiencies in complying with the legislation.
Mutual benefits can arise from systems-based audit approaches – cheaper and more effective
compliance by business and increased confidence in levels of compliance for Customs and
Excise agencies.
Audit can recommend ways in which to improve compliance, and suggest enhancements
which make current compliance practices more effective.
The Audit Cycle

One benefit of systems-based auditing is that large revenue-paying companies for which the
audit opinion is ’low risk’ or ’high confidence‘ may not need further audit field work for many
years. This leaves Customs and Excise compliance teams able to focus resources on the
smaller or less visited companies whose risk is largely unknown.
Risk at ’high confidence‘ companies can change quickly, however, and the use of systems-
based audit reviews does not mean that monitoring and analysis of the company’s operations
should not cease. Such companies may need more frequent audit activity in the event of the
company’s risk rating being changed by the following situations:
in-office monitoring or analysis of company returns, declarations, statements or duty
payments indicates an anomaly or unexpected variance.
the company notifies Customs or Excise that a material change has occurred to its
business systems or internal control structure.
1
Customs and Excise Audit Methodology Study Guide Supplement
there has been a change to inherent risk within the industry, including changes to
legislation, reporting procedures, tax rates, increased competition, or detection of
common errors within the industry.
information or intelligence that is creditable has been received about the operations of
the company.
Application of the Audit Methodology

Is the company suitable for a systems based audit approach?
Whilst a systems and control based approach to audit is becoming the preferred audit approach
by Customs and Excise agencies around the world, and is the audit approach outlined in
Division 2 of this methodology, it may not always be appropriate. There are several situations
where systems based auditing should not be applied to a company, but rather the Customs and
Excise auditor should conduct a series of relevant substantive tests (or tests of transactions) to
ascertain the level of compliance. Such situations where systems based approaches should not
be used include:
internal controls cannot be relied upon as the key personnel in the internal control
structure have a vested financial interest in the company;
internal controls are found to be non-existent, grossly inadequate or irrelevant;
companies with limited transactions with the Customs and Excise agency, and where it
is likely, or possible for the audit to test 100% of those transaction; or
the company has refused the Customs and Excise auditor access to one or more of the
relevant internal controls.
A decision as to whether a systems based audit approach will be used is made during the audit
planning phase (See Stage 1 of the methodology) after certain information has been gathered
in relation to the company selected for audit and its business systems, including visits to the
company and interviews with key personnel.
International Audit Standards

The methodology outlined below is consistent with the Auditing Standards as set out in the
International Standards for Audit (ISA) insofar as they could be applied in the context of a
Customs and Excise compliance audit. It should be remembered that the ISA’s have been
developed primarily for the financial statement audit context.
ISA’s have been developed through the work of the International Auditing and Assurance
Board (ISAAB), a standing body of the International Federation of Accountants (IFAC). Most
countries, through local accounting and auditing peak body groups have membership with
IFAC, and where this exists, local auditing standards issued by such bodies should be
consistent with the ISA’s.
Prior to turning to the audit methodology below, it is recommended you consult with your
national auditing or accounting peak body group to discuss membership of IFAC, and the
publication of local auditing standards which may be relevant to the conduct of your own
Customs and Excise compliance audit.

2
Division 2: Systems Based Audits
Stage 1 – Audit Planning
Transaction Based
(1) (2) (3) (4) (5) (6)
Audit Identify Control Substantiv Dealing Audit

Planning and Testing e Testing with Audit Reporting
Analyse Issues
the
Internal
Systems Based Approach
Planning and Development of the Audit Plan

Audit planning is the key to an effective audit. The initial step for the Customs and Excise
auditor is to properly set the audit scope and objectives. This will come primarily from the
reasons for which the importer or excise manufacturer was selected for audit, the expectations
of Customs and Excise management, and from the legislation which governs the companies’
operations.
In terms of likely sets of audit scopes and objectives in the customs or excise context, the
auditor will be looking to document the following types of activities:
conduct of a comprehensive systems based audit in relation to the production, storage
and duty payment of excisable goods;
conduct of a systems based audit on recent amendments to company systems and/or
internal controls as they relate to the reporting to Customs of imported goods;
conduct of a focussed audit relating to the use of tariff concession arrangements; or
conduct of a follow-up audit to ensure recommended remedial action has been
implemented from the previous audit.
The scope and objectives of the audit then feed into the Audit Plan. The Audit Plan is an
important output of Stage 1, and is a document which will co-ordinate the aspects which are
central to the conduct of an audit, including:
audit scope and objectives (as discussed above)
program of audit procedures to be carried out to form an opinion about compliance
sites to be visited, persons to be interviewed, and processes to be observed as part of
conducting the audit procedures
start dates, testing dates, and reporting time lines for the audit
audit team resources required
3
any other matters relevant to the audit.

Furthermore, audit planning will also need to have addressed the following key issues that are
to be identified, discussed and documented:
identification and understanding of Customs & Excise senior management expectations
from the audit, including how specific concerns will be addressed
communication with the company about the intention of Customs or Excise to conduct
an audit of their operations, and to begin building a trusting and co-operative
relationship with both the company’s management, and with those staff in the company
who will be important to the conduct of the audit
acquiring an overview of the business systems in use by the company which are relevant
to the import or excise manufacturing processes subject to the audit
setting of materiality levels for the audit (see discussion on Risk and Materiality, below).
In summary, at the end of Stage 1, the auditor should have produced the following key outputs:
a letter to the company indicating they have been selected for audit, and details of the
scope and objectives of that audit
an ‘Entrance Interview’ with the company in which the audit scope, audit objectives and
audit approach has been agreed (see section The Entrance Interview, below)
descriptions of the company’s relevant business systems and internal control structure
(see section Understanding and Documenting the Business Systems, below)
an initial view as to the confidence levels that may be placed in the company’s internal
controls (see section Initial View, below)
a decision about errors and materiality.
Understanding the Business

The Customs and Excise auditor needs to gain a sound knowledge of the importer or excise
payer’s business. This means that the auditor should gather sufficient information about the
company so that all events, transactions, and practices concerning compliance with
importation, manufacture or duty payment processes, etc, as they relate to the audit scope and
objectives, can be properly identified and understood.
The sources for such data can be either from outside the Customs or Excise agency or, where
such data exists, from within the agency itself. If looking outside of the agency for
information, the auditor should consider the following useful external sources:
procedure manuals and policy documents as issued by the importer, exporter or excise
manufacturer for internal use by its staff
articles in newspaper, trade journals and other industry press
discussions with customers and suppliers
Stock Exchange announcements (public companies)
discussions with company management and staff.
Where data is being sourced from within the Customs or Excise agency, the type of data
available will depend upon the information the agency captures and records from industry by
way of lodgement of returns, declarations, statements or reports. However, it would be
expected that Customs and Excise authorities would require from companies the following
types of information on either a transaction-by-transaction, or periodic reporting basis:
import declarations for imported goods and duty payment
export declarations for export of goods
excise payment declarations
4
requests for refund, rebates, remissions, or drawbacks of duty and taxes

production statements
operational statements relating to packaging, storing, and delivering imported or
excisable goods, including receipts, deliveries, losses, gains and other movements
other statements or periodic returns which are required by legislation or as part of
import/excise licensing conditions, for example: duty exemptions, concessional end
uses.
The Customs or Excise agency may also generate its own information about individual
importers, exporters and excise manufacturers, for which the data will be useful to the auditor.
It is expected that the Audit or Compliance area itself will at least have historical records about
some companies and some industries, gathered from earlier audit work. The auditor should
also be looking for the following types of internal information where relevant:
import, export or excise licensing files where application and current status details will
be held
permit or permission details
import, export or excise statistical data for areas such as duty, values, refunds,
exemptions, and volumes; and as mentioned above (query)
previous audit working papers and audit reports.
Finally, and where permitted under local legislation, it may be possible to request relevant
information from other Government agencies who hold data about the company. The sort of
information useful to the auditor may include:
movement of import and export cargo from Port Authorities
company registration and ownership details from Business Registration Authorities
other relevant business activity details from an industry, trade, economics, or finance
type agency
other taxation information from Inland Revenue or Taxation Authorities or
where import or export licences or permits are required, details from the relevant licence
or permit issuing authority.
The Entrance Interview

At this stage, the importer, exporter, or excise manufacturer to be audited will have been
contacted by a letter outlining the Customs and Excise intention to audit, and will have been
contacted for a mutually convenient time for the conduct of an ‘Entrance Interview’. With the
knowledge of the company that has been gained from Step 2, under Control Risk Matrix, it is
time to talk to the company more formally about the audit, about the company and its systems,
and about any issues which have been highlighted by the in-office research.
The Entrance Interview should be conducted with relevant senior management staff, those
company staff with whom the auditors will deal directly during the audit, and possibly the
company’s professional advisors. During the Entrance Interview, the audit team will look to:
discuss and document any concerns regarding relevant business systems and internal
controls
have the company volunteer any issues or concerns about its own Customs and/or
Excise compliance. This may include findings of internal or external auditing
commissioned by the company as part of its own internal control structure, or it may be
issues in dealing with Customs or Excise agencies such as disagreements on
classifications or values
outline audit scope and objectives and discuss reasons for audit selection
5
request further information, or access to further information not available during the
early information gathering, for example: sales data, production data, customer data,
product data, systems documentation, job descriptions
agree on administrative issues including:
o timing of commencement of tests
o timing of conduct of tests
o timing of finalisation of tests
o details of relevant contact staff
o use of outside experts and expertise if applicable
o use of computer assisted audit tools if applicable
o details of audit team contacts
o what sites should be visited and when
o estimated time of completing the audit and reporting opinions to the company.
Risk and Materiality

Materiality can be defined as being the potential to affect the auditor’s opinion in terms of their
judgement of the level of compliance against the audit scope and objectives. Where the
Customs or Excise auditor sees an error, omission or other form of mis-statement, they need to
ask themselves whether such an error, omission or mis-statement will impact on their opinion
as to compliance.
Materiality can be measured in two different ways. Firstly, it can be measured ‘quantitatively’,
or in set/fixed amounts. For example, if the valuation of goods for duty purposes is within 1%
or within $50.00 on any line of any import consignment, then this will not impact upon the
auditor’s opinion.
Alternatively, materiality can also be measured ‘qualitatively’, or in a more descriptive
fashion. For example, if a spelling error has occurred in a ‘goods description’ field and the
description has become somewhat vague, then again this will not impact on the auditor’s
opinion.
The Customs and Excise auditor however, must keep one significant issue in mind when
applying materiality decisions during audit testing. Finding a small % deviation on a small
value line could well be considered immaterial by the auditor and not affect the audit outcome.
However, had the same small % deviation occurred on a very high value line, the error would
then most likely be considered material, and would certainly impact on the audit opinion.
In such cases, the auditor would need to analyse the error and assess how likely or how
possible it is that the same error could occur on a high value line. This issue will be discussed
in the testing and sampling sections of the methodology.
Once determined by the auditor and audit manager, materiality levels should be documented in
working papers as materiality will form part of the design and conduct of audit testing.
Understanding and Documenting the Business Systems

A systems based approach to audit requires the Customs and Excise auditor to acquire
sufficient information about relevant business systems so that internal controls can be both
identified and assessed. Therefore, the first requirement of the auditor is to gain the necessary
knowledge of the business systems to be covered by the audit scope and objectives. These
business systems will generally relate to areas such as:
records of receipts of goods, or receipts of raw materials
production records – including raw materials into production, production into inventory,
and efficiency reports (losses/gains)

6
product files – including details of product classification, value, origins, and other
relevant details
packaged stock and deliveries
sales and invoicing (domestic and export), including customer files
reporting (to Customs and Excise) systems
returns and credits.
The auditor will also be interested in whether any two or more of these systems interface, and
if so, how this occurs and what controls ensure correct data is transferred from one system to
another.
How is the information gathered?
The first step is to ask the company what systems’ documentation is in place and whether that
documentation can be provided to the audit team. The appropriate people within the company
to ask would be company management, or technical staff (e.g. Information Technology
Division), or business managers (e.g. Production, Warehouse Operations, etc), or financial
managers (Tax Returns) as necessary. The types of documentation the auditor should be
requesting would include: procedure manuals (job descriptions), policy statements, operating
instructions, computer system descriptions, and control manuals.
During this stage the auditors should also obtain an understanding of the company's
organisational structure and identify those groups which have a role which is directly or
indirectly relevant to the audit objectives (for example, groups responsible for performing
relevant monitoring activities).
Other possible sources of information which may be available, provided that agreement is
reached with company senior management on access to these sources, are:
relevant internal audit reports and discussions with the company's internal audit staff
relevant risk assessments performed during the annual external financial audit cycle
phase
external audit management letters and reports and, possibly, discussions with the
external auditors.
Documenting the business systems
As mentioned above, the Customs and Excise auditor's understanding of the business systems
needs to be both clear and accurate to enable identification and a detailed analysis of the
existing internal controls. It is therefore important to document adequately an understanding of
the system to support subsequent control analysis and to enable effective quality control of
work undertaken.
Adequate systems documentation may already exist. The auditor should first review any
previous audit working papers (particularly if the company had been subject fully, or partly, to
systems based auditing). If the business systems have already been documented to a
satisfactory level, then the auditor needs only to meet with the relevant areas of the company
and confirm that no material amendments, upgrades or other changes have occurred to any of
those systems.
Where applicable, any material changes that have occurred to business systems, should be
incorporated into existing systems documentation. Further, where those changes are
considered significant, the auditor should then verify that they have properly understood and
documented the change (see Systems Verification below).
In the case that no systems documentation is held by the audit area, the Customs and Excise
auditor may use existing systems documentation as a starting point in understanding the
relevant systems and controls. In conjunction with this company documentation, the auditor
should then set about obtaining an understanding of the systems, by conducting interviews
7
with the users of the systems and those who conduct the processes, as well as by simply
observing what ‘actually happens’.
The level of detail required will be different for each audit, but again must be sufficient to be
able to identify actual internal controls in the system under review. After the auditor has
identified the system processes, and understood the various business systems, these systems
can then be documented in a form suitable for audit.
The form of systems documentation can include a simple narrative of the relevant system,
through to highly complex process flow-charts (or a combination of both). The narrative
approach is most suitable where the business system under review is small or simple in nature.
Flowcharting however, is most appropriate where the system is large and complex in nature. It
is likely that, where such systems are large and complex, the system (or systems) will be
broken down into ‘sub-systems’ for the purposes of flowcharting. Computer software is also
available to assist the auditor in producing large and complex flowcharts, and is useful for easy
amendment or updating as the company makes changes to its business systems. Flowcharting
is discussed in more detail in the Audit Skills section of the methodology.
Systems verification
Systems verification can be achieved by conducting walk-through tests or examining system
documents filed in the permanent files which were identified in flowcharts/narrative.
Walk-through tests are used to confirm the completeness and accuracy of the auditors'
understanding of how a significant transaction is processed, or how product storage and
movement is controlled, and will complement the discussions with management noted above.
The exact technique employed will depend on the nature of the system, type of evidence
available and the audit objectives.
In executing a walk-through, the auditor should trace a transaction through the processes as
documented in the flowcharts and/or narratives. A sample size of one is sufficient to clarify
understanding of any one particular process.
Having walked through each significant process, the auditor will be in a position to assess
whether the systems description is correct. Where audit activity is being undertaken at several
sites, then this walk- through check must be undertaken at each site and local
variations/extensions noted.
This is an essential component in the system documentation stage, as it is possible that a
location may have adopted ‘local procedures’ which either enhance or detract from the
documented procedures.

8
Initial View – Business Systems and Controls/ Suitability for Systems

Based Audit Approach
At this stage in the audit planning process, with relevant business systems understood and
documented, early impressions formed from initial research and visits to the company where
management and staff have been interviewed and systems verified, confirmation that a systems
based audit approach needs to be made. The alternative is not to proceed with such an audit
approach, and continue with a more traditional substantive testing based audit approach.
Several key factors will determine whether or not an importer, exporter or excise manufacturer
is suitable for a systems based audit. These will include situations where the auditor believes
that:
internal controls cannot be relied upon, as the key personnel in the internal control
structure have a vested financial interest in the company
internal controls are non-existent, not documented or understood, grossly inadequate or
irrelevant
the company has only limited transactions with the Customs and Excise agency, and
where it is likely or possible for the audit to test 100% of those transaction
the company has refused the Customs and Excise auditor access to one or more of the
relevant internal controls.
If a systems based audit approach is found not be appropriate, then this fact should be
documented in the working papers with the reasons to support this decision. At this point the
matter should be referred to the audit manager for sign-off and, dependent upon the reasons for
the decision, the auditor may need to consider whether the company is a higher risk than first
believed.
The audit will now primarily test relevant transactions or records to allow the audit scope and
objectives to be met. The audit methodology now moves directly to Stage 4 ‘Substantive
Testing’ as this will now be the audit approach.
The Audit Plan

The Audit Plan should now be ready for completion. The auditor is aware of the scope and
objectives, and importantly the audit approach, which allows for confirmation of what will be
tested, and where and when. The Audit Plan can be released in draft form for review and
alteration by the Audit Manager, remembering that it is better to invest time in developing a
good Audit Plan than to create the potential for duplication, lack of co-ordination, and other
issues which detract from an efficient audit.
The Audit Plan when finalised will bring together the following areas of the audit procedures:
audit scope
objectives of the audit
program of procedures (analytical procedures, testing, etc.), including use of computer
assisted audit tools
sites to be visited, persons to be interviewed, and processes to be observed
proposed timing of such visits and tests, and for completion of the audit
audit team leaders and members, and where applicable, use of outside professional
expertise
any other matters that are relevant to the audit such as outstanding audit related issues,
industry complaints to check, or queries generated during company research, etc.

9
Stage 2 – Internal Control Identification and Analysis
Transaction Based
(1) (2) (3) (4) (5) (6)

Analyse Issues
the
Internal
Risk and Internal Controls

At this stage in the audit process the Customs and Excise auditor begins to work with the
information gathered during the audit planning stage, in particular, the information and initial
opinions that relate to the company’s internal controls. At the minimum, the auditor should
have an opinion as to the ‘control environment’. The control environment can be defined as the
company management’s position and commitment to the operation of the relevant internal
controls. It is assumed that internal controls are in place, otherwise the audit would have
moved directly to a substantive testing based approach, and therefore this consideration is
about what level of importance management has put into ensuring internal controls are
properly utilised.
Has the company identified Customs and Excise compliance as a priority, and does such
compliance include value statements and staff training/operational documentation as a
goal or objective in company mission statements?
Does the company have internal or external audit review of Customs and Excise
compliance?
Alternatively, has the company engaged professional advisors to set up compliant
systems and controls, or assist with ensuring compliance on various transactions?
What are internal controls?
Internal controls are company policies and procedures which are designed to give effect to the
control environment. They are established to prevent errors, omissions, mis-statements, non-
compliance, and internal fraud from occurring. There are two types of internal controls to
identify within a business process or system:
1. Preventative Controls – being internal controls designed to prevent errors and other non-
compliance;

10
2. Detective Controls – being internal controls designed to identify errors and other types of
non-compliance once they have occurred, so that the company can take immediate remedial
action.
Control Risk Matrix

For each business system, or each sub-system which has been identified and documented, it is
now time to begin identification and documentation of the risks to compliance for each area of
the company, and the controls in place to mitigate that risk. The matrix style approach enables
the Customs and Excise auditor to link the relevant system (or sub-system), the risk to
compliance in that system, the potential errors which comprise the risk, and the company
controls which have been established to ensure compliance.
The auditor is assisted by use of two pro-forma working paper documents:
Control Risk Matrix Form
This working paper document is required for each system or sub-system to be reviewed. The
auditor should complete the name of the system or sub-system, and then describe the risk to
compliance from the processes within that system.
For example: in a production system, a real risk is that there will be undeclared production for
which duties will not be paid, and these details are written into the heading areas of the Form.
The next step is for the auditor to list all potential errors or problems across the top of the
matrix, and then complete the company’s relevant internal controls (and allocate a reference
number) within the system down the left of the matrix.
To continue the example: one potential error might be that a particular packaging run is not
captured in the company’s inventory system – this potential error is written along the top fields
of the matrix. One (of possibly several) company controls to mitigate this risk may be to
conduct daily stock-takes of packaged stock to the inventory system – this control is recorded
along the left hand side of the matrix. Finally the auditor plots within the matrix the relevant
control for each risk. For each control, where appropriate, provide some comment, such as
initial assessment of that control, whether it is preventative or detective, whether it is relevant
or redundant, etc.
Control Description/Testing Form
For each control listed in the Control Risk Matrix Form, there should be a Control Description/
Testing Form. The relevant internal control documented in the Control Description/Testing
should link to the Control Risk Matrix Form by way of the allocated reference number. The
form is completed by the auditor writing the name of the internal control, and then cross
referencing the control to a particular system’s Control Risk Matrix Form, including the
allocated reference number. A full description of how the internal control operates is then
made, as well as an indication of the auditor’s initial views of the control. Again, continuing
the above production risk example, the control may be called ‘Daily Stock-take of Packaged
Stock’, and this would appear in heading along with the relevant reference number and cross
referring to the Production System. A description of how the control operates then follows:
after the final packaging run of the day, floor stock is compared to balances within the
inventory system. The count is conducted by the warehouse manager and a warehouse
assistant who both sign the stock-take report. The remainder of the Control
Description/Testing Form is completed during Stage 3 of the audit, as relevant control tests are
designed and undertaken.

11
Understanding the Risk to the Audit

Evaluating the operation and effectiveness of the importer’s, exporter’s or excise
manufacturer’s internal controls is critical when using a systems based audit approach. Where
such controls are sound and are being applied appropriately, then it is likely that the auditor
will form an opinion that the company is compliant. Therefore, at this point in the audit, the
auditor has to start assessing whether the controls they have identified are effective and
properly utilised.
This is achieved by:
confirming any initial views about internal controls formed during audit planning
(understanding and documenting the business systems) and during the documenting of
controls in the process of completing the Control Risk Matrices and Control
Identification/Testing forms
review of inherent risk from information gathered during audit planning
review of control risk; and/or
conduct of analytical procedures (see Audit Skills section of this methodology).
Inherent risk
Using any initial assessment about internal controls, the Customs and Excise auditor should
now look at the level of inherent risk. Inherent risk is also known as the ‘business risk’, and is
best described as the risk of errors and other non-compliance by the importer, exporter or
excise manufacturer if no internal controls were in place. Inherent risk can be assessed from
information which is generally gathered during the audit planning stage, but which can also be
gathered at this point in the audit.
What is the level of integrity of the management and staff at the company? Have any
persons been in trouble for Customs and Excise matters, taxation, or any other financial
matters generally?
What is the level of knowledge and experience of management and staff at the company
– both in terms of working in the industry, and in working with Customs and Excise
legislation?
Has any undue pressures been placed on management or staff of the company to ‘cut
corners’, take risks, or increase profitability?
What is the nature of the business systems and controls – are they complex, or highly
manual with large reliance on human input, or simply unclear?
What is the nature of the industry the company operates within – is it highly
competitive, does it have high duty rates, or is it highly regulated where any Customs or
Excise related non-compliance can deliver substantial competitive advantages?
Is there a poor industry wide compliance history, with lots of common errors occurring
across the sector?
The auditor on answering these types of questions needs to make an assessment as to whether
inherent risk is High, Medium or Low.
As a guide, and based on the above questions:
HIGH RISK Any of the following are present: poor or uncertain staff knowledge,
experience and/or integrity; highly competitive industry where staff feel under pressure to
perform; reliance on highly complicated or highly manual processes, or highly taxed and
regulated industry in which there are many competitors who have been found to be not
complying.
MEDIUM RISK Any of the following are present: some staff knowledge and experience but
can be accessed by all; competitive industry; some reliance on highly complicated or highly
12
manual processes; medium level taxed and regulated industry in which there are several large
competitors.
LOW RISK Most or all of the following are present: good staff knowledge, experience
and integrity; moderate or lowly competitive industry where staff feels no pressure to perform;
no reliance on highly complicated or highly manual processes, or industry has low rates of tax
and regulation; and the industry has a good compliance record.
The auditor’s assessment as to the level of inherent risk, with evidence, should then be
documented in the audit working papers, including reference in the Control
Identification/Testing form.
Control risk
Control risk is simply the risk that errors and other non-compliance are not prevented or
detected by the internal controls or, where relevant, detected too late to prevent a breach of
legislation. The auditor again must make an assessment as to the level of control risk in terms
of whether the controls are working effectively. This is done by:
use of the auditor’s own skills, knowledge and experience. The auditor is likely to have
seen many companies’ internal control structures, and can ‘benchmark’ against these.
The auditor will also be familiar with the relevant legislation with which the company
must comply, and whether the controls are appropriate for this
the auditor’s specific knowledge of the company, and its systems and controls, as a
result of visiting or auditing the company previously
the results if previously audited and any other information within the agency in relation
to errors or instances of non-compliance
material changes to the business systems and controls since the last audit
review and query of any aspect of relevant user manuals, policy and procedure
statements and job descriptions
observation of processes, systems and controls.
The auditor on using these information sources then needs to make an assessment as to
whether control risk is High, Medium or Low. Remembering that if control risk was or will
now be determined as unacceptably high, or if internal controls are found to be entirely
unreliable, then systems based auditing should be abandoned and a substantive based audit
approach adopted. As a guide to determining the level of control risk, the auditor could
consider the following:
HIGH RISK Internal controls are present, but there are questions in relation to their
effectiveness and their application by staff, and user documentation about performance of the
controls is difficult to comprehend. There have been significant changes to business systems
and controls since any previous audit.
MEDIUM RISK Internal controls are present and seem quite relevant to the process. Staff
are generally applying the controls well, and each control is supported by clear and precise
user documentation. There have been some changes to business systems and controls since any
previous audit.
LOW RISK Internal controls are present and appear to be relevant and effective in their
operation. Staff are well trained and are applying the controls. User documentation to support
the controls is clear and precise. There have been no changes to business systems and controls
since any previous audit.
The auditor’s assessed level of control risk, with evidence, should then be documented in the
audit working papers, including reference in the Control Identification/Testing form.

13
Analytical review
One way in the Customs and Excise auditor can either determine levels of inherent and control
risk, or confirm their own initial judgements as to the levels of inherent and control risk, is to
conduct analytical procedures. Analytical procedures involve investigating or analysing
various pieces of related data and determining whether there are fluctuations or deviations
from what could have been expected from the analysis. Such fluctuations could represent areas
of risk, or the non-operation of a particular internal control.
For example: where an importer’s domestic sales are compared with its duty payments over
the same period of time, it would be reasonable to expect that in most cases there would be a
relationship between sales and duty – as sales increase so do duty payment amounts. Whilst
there are many valid reasons to explore with the importer for duty payment amounts not to
track domestic sales,, it could also mean that there is some level of higher risk in the controls
which ensure that the correct tariff classification, valuation, origin and/or duty exemption
details are being declared to Customs.
Analytical procedures can be applied at any stage of the audit and as such are described more
fully in the Audit Skills section of the methodology. However, the use of any analytical
procedures, and the results, are to be documented in the general audit working papers.
Setting the confidence levels in Internal Controls

Prior to moving to the Control Test Design stage of the audit, the auditor needs to set the level
of confidence in the company’s internal controls. This assessment will be required for control
test design, in particular the number of samples to be selected for each control test.
This opinion as to confidence can be expressed as:
LOW Little, if any confidence
MEDIUM Reasonable level of confidence but with some reservations
HIGH Good level of confidence.
To assist in reaching this overall level of confidence position, the following table has been
produced, and is to be read with the auditor’s results in terms of inherent risk and control risk
as assessed in 'Control Testing' – Stage 3.
CONTROL RISK
HIGH MEDIUM LOW
INHERENT
HIGH LOW LOW MEDIUM
RISK
MEDIUM LOW MEDIUM HIGH
LOW MEDIUM HIGH HIGH
Where both inherent risk and control risk are assessed as High, then the overall confidence
levels in the company’s internal controls will be low. Where inherent risk is Low and Control
risk is Low, the overall confidence level is High, and so on.
Once the overall confidence level has been documented in the general audit working papers,
stage 2 of the audit has been completed.

14
Stage 3 – Control Testing
Transaction Based
(1) (2) (3) (4) (5) (6)

Analyse Issues
the
Internal
How do the internal controls operate?

The audit is now at the point where the company’s, the importer’s, exporter’s or excise
manufacturer’s business systems have been documented, the risks to Customs and Excise
legislation have been identified, and the relevant internal controls to mitigate those risks which
have been identified and documented. It is now time to test the internal controls to confirm our
initial judgments, and ensure they are operating effectively.
Selecting a systems or sub-system, first select a control from the relevant Control Risk matrix,
and the Control Identification/Testing Forms. For each control, now review the audit working
papers once again to ensure that the following aspects of its actual operation are fully
understood:
What transactions are relevant?
Where and when, and how often is it applied – was it designed as a preventative or
detective control?
Who performs the control?
What is the nature of the errors and non-compliance that can occur in the identified
transactions?
What was the initial view of the effectiveness of the control?
Automated IT Based Controls

It is possible that many of the relevant internal controls in the business systems are likely to be
computerised controls. These are controls carried out by a computer program or dependent
upon computer produced information. Examples of such controls are:
computer processes that perform significant calculations (e.g. import duty liabilities for
transaction details)
computer controls (e.g. edit checks ensuring reasonableness when data is input

15
computer produced exception reports that are subsequently followed up manually (e.g.
receipts from once tank do not match with deliveries from source tank and are outside
the company’s permitted tolerances) (Rob, this sentence doesn’t make sense)
computer produced management information (e.g. export sales)
controls to prevent or detect access to standing data files by unauthorised staff, (e.g.
update tariff classifications or duty rates).
The auditors need to identify reliance on programmed controls to determine the nature and
extent of audit work to be carried out in the computer environment so that they are satisfied
that the programmed controls are operating as designed.
The audit team may require specialist assistance for an IT expert at this point, and this would
have been highlighted during audit planning in Stage 1. Such specialists are skilled in
determining whether the company’s computer controls are operating, and are operating as per
the systems documentation that may have been provided by the company during the
information gathering process. IT specialists will need to work with the audit team here in
developing appropriate control testing.
It is also likely that the audit team can make use of relevant computer- assisted verification
techniques at this point. The use of such techniques is covered more fully in the Audit Skills
section of this methodology.
The audit team needs to know how company management satisfies itself that the computerised
controls are operating as intended, for example:
manual controls to confirm the adequacy of computer processing (e.g. reasonableness
checks or clerical checks of a sample of calculations made by the computer). However,
this may be inefficient, given the nature of the control; and/or
the underlying general controls over the computer environment (e.g. program/data
change controls such as the testing of a program, the control over changes to that
program and control over access to the master file containing standing data used within
the program.
The auditor will need to liaise with the company's information systems auditors and computing
staff in order to derive the most efficient audit approach for each audit.
Control Testing
From the information confirmed during the audit in relation to systems and controls, the
auditor now develops and conducts the control tests. The nature of each test will depend on
what the control is supposed exactly to do. The auditor will look at each control and determine
what the control entails, ensuring that the control is being performed by the appropriate person
or by the appropriate computer program. The primary purpose is simply to gauge whether the
internal controls being applied by the importer, exporter or excise manufacturer to ensure they
make no errors and comply, are in fact being utilised.
Examples:
1. Preventative type control - To ensure that the company has imported what they have
declared to Customs, the warehouse manager supervises the unpacking of the shipping
container and compares the contents of the shipping container with the customs import
declaration. At the completion, the warehouse manager completes and signs a company
document called Container Unpack Report. One of the unpack crew also signs the document,
and any discrepancies are noted for action by the Customs Manager and Accounts Payable. In
order to ensure this control is working, the auditor could take a sample of customs import
declarations and ask to see the relevant Container Unpack Report. The auditor would then look
for the 2 signatures – warehouse manager and unpack crew member. Where discrepancies
were found in a container unpack, the auditor could also follow up with the Customs Manager

16
to ensure that appropriate amendments were made to the customs import declaration
concerned.
2. Detective type control – To help ensure that excisable goods have been properly recorded in
inventory from production, and out of inventory as deliveries, the company undertakes a
monthly stock-take. (Rob – this sentence is confusing) The stock take is undertaken by the
Stock Control Manager and the Bond-store Manager, and details recorded on the company’s
Monthly Stock-take Summary. On completion, both managers sign and stamp the Summary,
and any discrepancies are followed up by both managers. In order to ensure this control is
working, the auditor could take a sample of months and ask to see the relevant Monthly Stock-
Take Summary. The auditor would then look for the 2 signatures and 2 stamps – Stock Control
Manager and Bond-store Manager. Where discrepancies were found in a stock-take, the
auditor could also follow up with both managers that appropriate investigations were made to
find and correct the discrepancy, and appropriate additional excise duties were volunteered.
Sample Size for Control Testing

The extent of testing may be different for each of the compliance tests generated. It will
depend on the level of confidence that the auditor has been able to obtain from various
information gathering processes and the initial assessment of the levels of risk as follows:
Control Risk (High, Medium or Low)
Inherent Risk (High, Medium, or Low)
As a guide, based on this level of confidence, the auditor will decide which of the following
levels of testing is appropriate for each procedure being tested:
High Confidence Light testing The auditor is confident that the control
(30 items) procedure is working and is only looking
to confirm this.
Medium Medium testing The auditor is reasonably confident that
Confidence (65 items) the control procedure is working but is not
sure.
Low Confidence High testing The auditor is not confident that the
(100 items) control procedure is working and is
looking to get some feel for the extent of
non-compliance. In this case the auditor
may choose not to proceed with testing of
the control at all and assess the control as
being unreliable.
The above suggested sample sizes apply to manual processing and manual controls. In a
computerised processing and computerised control environment, one, two or three samples for
every type of transaction may be sufficient, provided that the Automated Data Processing
controls are adequate.
If the light testing finds an error the auditor may choose to extend the testing to the medium or
high level. Alternatively, the auditor could decide not to place any reliance on the control. The
auditor is expected to discuss the errors and the proposed action with the audit manager. The
final decision regarding the appropriate action lies with the manager.
Note: The sample size adjustment formula (Finite Correction Factor) can be applied if the
determined population size is less than 2,000. For population sizes above this its effect is
marginal.
Adjusted sample size = sample size
1 + sample size
population size

17
After determining the sample size for control testing, the auditor must then decide which
samples from the total population to test. Where sampling is to occur in control testing, the
auditor should refer to Section Stage 4, Conducting the Substantive Tests, for the four main
methods of drawing samples for testing (random number, systematic, block, and haphazard
sampling).
A more detailed discussion on sampling is conducted in Customs & Excise Audit II, a short
course designed primarily to assist audit managers.
Documenting the Control Test

The full details of the actual control testing to be conducted are to be documented in the
relevant areas of the Control Identification/Testing Form. As a minimum, control test
documentation should contain the following:
objective of the procedure
description of the testing procedures
type of test to be completed
level and extent of testing
basis for sample selection and sample sizes
the total sampling population
guidance as to the expected results of the work undertaken.
Completion of Control Risk Matrix Form

The Control Risk Matrices are used to record the nature of controls in place and address each
specific potential error. Consequently, all types of relevant controls should be documented
(preventive and detective, computer and manual, general Information Technology controls)
where they play a part in addressing a particular potential error.
The advantage of documenting all types of controls is that it allows the auditor to analyse an
efficient combination of controls. Through the documentation process, the auditor can identify
weak control structures which can influence the quantity of testing subsequently conducted.
Accordingly, this information can also be used as the basis of recommendations to the
company.
It is important to ensure that descriptions of relevant IT based controls (such as program
change and data file access controls) are properly documented on the relevant Control Risk
Matrix Form. For example ‘Updates to the stock availability program are applied only by
authorised staff’, or ‘Access to sales contract quantities on the master file is restricted to the
sales accounting staff’, may together ensure that final stock availability for any particular stock
line is properly calculated. This detail ensures that the result is complete and gives the auditor
additional insight into the existing controls.
The auditor must determine whether the identified controls, taken together, are adequate to
address each potential error. A preliminary evaluation is recorded in the bottom rows of the
relevant Control Risk Matrix Form.
The evaluation is dependent on ‘auditor judgement’ taking account of:
the significance of the identified potential errors
the quality of the identified controls
materiality levels and Customs and Excise management’s levels of acceptable error.
Check Control Risk Matrix Forms have been completed
Has the Control Risk Matrix Form for each sub-system been completed? Has the auditor:
identified potential errors and areas of non-compliance and described them
18
identified internal controls in the business systems and described them

examined the manner in which the controls prevent (P) or detect (D) the potential errors,
and placed a P or a D in the box where the control affects the error
made an assessment of the impact of the controls on each potential error
designed control tests and tested the controls and cross referenced the test number
based on the results of the testing, made an assessment of the adequacy of the controls as
they affect each potential error
noted the post test assessment
noted any risk remaining in post testing assessment
determined whether substantive testing will be carried out?
Issues in Control Testing

The Customs and Excise auditor should now have an opinion as to the effectiveness of internal
controls, in particular those key controls that relate directly to ensuring compliance with
Customs and Excise legislation. The confidence level, in terms of the internal controls, is now
expressed as either High, Medium or Low, as it was prior to testing. This opinion should be
documented in the appropriate Control Identification/Testing Form and the appropriate Control
Risk Matrix Form.
Are there any issues, or compromises to controls, which have arisen during control testing and
which will be recorded in the audit report?
Are there any recommendations that need to be considered in terms of enhancing or improving
current internal controls?

19
Stage 4 – Substantive Testing
Transaction Based
(1) (2) (3) (4) (5) (6)

Analyse Issues
the
Internal
Note:
Even with very high levels of confidence in the business systems and controls of a
company, the Customs and Excise auditor has to confirm those opinions with a level of
substantive testing of the relevant transaction. The aim of substantive testing is to
obtain direct evidence as to the accuracy, completeness and authenticity of the
company's own records and transactions.
Designing the Substantive Tests

Substantive testing includes any verification, inquiry, observation, inspection, confirmation,
re-calculation or analytical review procedures. Examples of substantive tests could be:
Import Declarations - tariff classification, valuation, origin, duty rate, and tariff
concessions are all correct when compared and reviewed against relevant commercial
documents
Excise Production Returns – quantities reported of finished goods are correct when
reviewed against receipts of raw materials, production schedules, volume transfer
meters, etc.
Export Declarations – classification, destination, valuation, etc. ─ are all correct when
compared against commercial documentation.
The Customs and Excise auditor should establish which sub-systems have direct risks to
compliance with Customs and Excise legislation and devise relevant tests for each of these
activities to:
identify specific data processing (transaction) errors or
identify physical product on hand accounting errors or
establish that records are within acceptable tolerances.

20
Such substantive tests could be based on complete verification of all activity/transaction

occurrences or on the use of sampling techniques. If sampling is being used, this may include
stratification of the population of items to be checked so that testing is biased towards
verification of the higher value or higher risk items.
For example, when testing import declaration compliance, a sample of entry lines may be
selected and checked against relevant commercial documentation to verify such issues as tariff
classification, duty rates, tariff concession eligibility, valuation, origin, etc.
When testing under-bond and duty free deliveries from a petroleum refinery it may be decided
to undertake a complete analysis of ship deliveries in the audit period to verify that all
recipients were entitled to under-bond or duty free deliveries. In this case a single incorrect
delivery or incorrectly recorded delivery transaction could have very significant revenue
implications.
Consideration should be given to the use of Computer Assisted Verification techniques (CAV)
when determining the substantive testing approach to be taken. For example CAV could be
used to identify all computer records relating to the under-bond and duty free ship deliveries
from a refinery, if available, and produce a list of recipients, rather than the auditor searching
through the manual records of deliveries to identify ship deliveries and then compiling a list of
recipients for these deliveries.
Care must be taken to ensure that the prime computer records, from Customs and Excise
perspective, are used. For example, in the above CAV example, if sales records are used for
the CAV but these records are not the source for Excise duty payment calculation purposes,
the auditor may be misled by the CAV result. A sale may be recorded as duty paid in the sales
system but as duty free in the system being used for duty liability calculation.
A more detailed discussion on CAV techniques is conducted in Customs & Excise Audit II, a
short course designed primarily to assist audit managers.
Documenting the Substantive Test

The detailed substantive tests should now be cross-referenced back to the Control Risk Matrix
Form, for which a particular sub-system will be tested. The auditor should now also complete a
Substantive Test Form, again cross referenced back to the Control Risk Matrix and Control
Identification/Testing Forms.
As a minimum, the Substantive Test when documented should include the following:
objective of the test
description of the testing procedures
level and extent of testing
basis for sample selection and sample sizes and stratification definitions (if relevant)
the total sampling population.
Substantive Testing Sample Size Selection

Where sample testing is to be undertaken, it will be necessary to establish the extent of testing
to be performed; that is the number of test cases to be checked for each test. This will depend
on a number of factors:
the overall level of ‘audit risk’ which the auditor is prepared to accept (where audit risk
is the risk that material errors, mis-statements or omission will not be detected by the
audit procedures)

21
the auditor's initial level of confidence after business systems and controls have been
understood, documented and analysed, and this view after control testing has been
performed.
These confidence levels are expressed as High, Medium or Low, as to whether the company
has the systems and control to comply with Customs and Excise legislative requirements.
Based on this approach, the following table provides a guide to sample size selection where a
high (that is in the order of 95%) overall confidence level is required:
Initial Confidence Post Control Test Substantive Testing

Level Confidence Sample Size
Not using SBA* Not using SBA* 200
Low or Medium Low 200
Low Medium 200
Low High 100
Medium Medium 150
Medium High 50
High Low 100
High Medium 50
High High 30
*Systems Based Audit
Note: The sample size adjustment formula (Finite Correction Factor) can be applied if the
determined population size is less than 2,000. For population sizes above this its effect is
marginal.
The formula is:
Adjusted sample size = sample size
1 + sample size
population size
The above recommended sample sizes apply to manual processing and may be flexible.
Sample sizes can be tailored to the actual audit and company, but must always ensure that the
audit objectives are adequately achieved. As with all audit procedures, how the sample size is
arrived at and how and why it is adjusted must all be documented in the appropriate working
papers.
How samples are selected from the population

The auditor will need to determine how to select the samples from the audit population,
keeping in mind the need to ensure that objectives of the audit will be met. The key factor to
be borne in mind is that the method of sampling should ensure that the sample is representative
of the total population being examined. This means that, to the maximum extent practicable,
all items in the population should have an equal opportunity to be selected.
This is achieved by sampling techniques known as ‘attribute sampling’, including:
random-number sampling
systematic sampling
block sampling
haphazard sampling.

22
These techniques are fine when they are used for compliance testing, as the test is being
performed only to establish whether the control has, or has not, been applied.
Where these techniques are used for substantive testing, care must be taken not to attempt to
place any significance on the value of the ‘sampling unit’ in error.
All errors must be given equal significance. For example, where a tariff classification is
incorrect on a low value line and only a minimal amount of revenue has been understated, this
does not mean that the classification error can be ignored. It must be considered that it is
indicative of an unacceptable error rate, and that the same tariff classification error could
equally have occurred on a large value line causing significant revenue loss.
Following are more detailed discussions of these suggested ‘attribute’ sampling techniques.
Random Number Sampling
Random number sampling is based on the use of a random number generator or random
number tables to select the items to be tested.
It is first necessary to establish the start and end numbers for the population to be sampled.
This method assumes that:
the units in the population, i.e. the ‘sampling unit’, are sequentially numbered
the units are stored in sequential number order.
If these two assumptions are not met, then this technique will require a large amount of effort
to allocate or locate sequential numbers. It is, in any case, unlikely that auditors will find
instances of consecutively numbered documents which are filed consecutively.
Systematic Sampling
Systematic sampling involves selecting every ‘X’ number of items in a population, where X is
the determined sampling interval. Systematic sampling is based on the officer:
determining the population size and sample size
establishing a sampling interval by dividing the sampling size into the population size
randomly selecting a start point in the first sampling interval
selecting the ‘sampling units’ located at the start point and at subsequent sampling
intervals from the start point.
One of the key steps is determining the population size. This may not always be easy; for
example if the officer is faced with a number of filing cabinets of documents.
In such cases, the officer should not attempt to count all of the documents. Using measurement
techniques, or at worst simply guessing, the officer should obtain an estimate of the size of the
population.
In some cases it may be appropriate to use a combination of the systematic and
random-number sampling techniques.
For example, when selecting a sample of import declarations on which country of origin will
be checked, the ‘sampling unit’ is a line on an import declaration. Rather than estimating the
number of lines over the period and counting lines to select the population, use the following
technique:
determine the population size for the population of documents
select a sample of documents using the systematic sampling technique
select a ‘starting’ line from the document.
Block Sampling
Block sampling involves the selection of a number of grouped ‘sampling units’, for example
checking all transactions for selected dates.
23
However, even with judgemental sampling, care needs to be taken with the use of block
sampling to ensure that sufficient blocks are selected to be able to reach a reasonable audit
conclusion for the total period being audited. Selecting one or two small blocks over a large
period will not achieve this, e.g. one or two weeks over a twelve month period.
Examples of block sampling would be:
a number of days/weeks in the audit period
all lines over a certain value
all duty free deliveries
all exports
any combination of the above points.
Adjustments could be made to the block during the test process to avoid major over- or
under-sampling.
Haphazard Sampling
Haphazard sampling is defined as ‘sampling units selected without any conscious bias. The
units should be selected in a manner that can be expected to be representative of the
population. However, it does not require any form of systematic selection.
This is probably best explained by an example. Suppose the auditor is faced with a filing
cabinet of export declarations or refund application forms. The auditor could choose to:
estimate/guess the population size for the number of forms
establish a sampling interval
estimate/guess the boundary of the first sampling interval ─ the forms to be included ─
pick a form in this interval and pick a line in the selected form
repeat the above step until the end of the forms is reached.
During sampling, adjustments may have to be made to the sampling interval boundaries to
avoid over- or under-sampling.
However, care must be taken to avoid distorting the sample by selecting, for example, only
unusual or physically small items or omitting items such as the first or last items. This
technique must not be used as a way of avoiding ‘difficult’ items.
It is possible to use any of the above techniques or any combination of them. Whichever
technique is used, it should achieve the goal of representation of the total population.
Conducting the substantive tests

The sample can now be selected from the total population based on the most appropriate
sampling technique for the audit and the company being audited. The substantive tests
designed at Stage 4, are now conducted by the auditor. Any errors, omissions or mis-
statements that are found should be documented on an Issues Worksheet.
If the sample size has been determined using the above table and no errors are detected, the
auditor is able to reach a conclusion that, with a confidence level of 95%, no more than about
1.5% of the records in the total population being sampled are incorrect. There is a 5% chance
that the actual number of records containing errors is more than 1.5% of the total population.
If any errors are found in the substantive tests performed, and these cannot be shown to be
isolated cases due to special circumstances which are not likely to affect the rest of the records,
then it must be assumed that there is an unacceptable error rate, and further action will need to
be considered. This is because the sample sizes in the table above have been determined.
24
Discovery sampling means that the auditor is to assume that if any errors are detected during
the testing process, then there is likely to be a greater problem across the entire population of
records. Alternatively, if no errors are detected during the testing process, then the auditor can
have a 95% confidence level that no errors exist across the entire population of records.
The main principle that must be understood when conducting these tests is that there is no
acceptable error rate in relation to detected errors. It is also important to consider the material
consequences of the errors when deciding on what follow-up action is appropriate.
Where the substantive test results have highlighted errors that are, or could be, indicative of a
significant problem relating to a major non-compliance issue, then further action will be
required. The initial consideration could be increasing the sample size to the next highest
sample on the substantive testing sample size chart, or possibly 100% depending upon the
circumstances.
Evaluation of substantive test results

Can the auditor form an opinion as to compliance?
What is the result of substantive testing? Were material errors found? If so, then the auditor
should move to the ‘nature of the error’ sub-section below. Where the auditor believes there
are no material errors and has filled in all relevant testing documentation, and gathered and
noted any other appropriate evidence, then it may be possible to form an opinion that the
company is compliant – subject, or not, to any issues that have to be addressed (see ‘Dealing
With Audit Issues’ below). The other types of evidence, over and above the substantive results,
could include copies of commercial documents, copies of company reports, or results of
analytical procedures, all of which support a level of compliance.
At this point, testing documentation and other evidence should be discussed with the audit
manager, with a view to ensuring that the audit manager comes to the same opinion as the
auditor, based on the same evidence. It is possible that the audit manager may require further
testing or further evidence to support the auditor’s opinion at this stage of the audit.
The nature of the error
Where errors have been detected during substantive testing certain judgements have to be
made by the auditor in consultation with the audit manager, in summary, addressing the
following questions:
Are the errors material (as set in the Audit Plan)?
Are the errors common indicating, perhaps, just one breakdown of the system, (for
which the audit can recommend remedial action)?
Are the errors all different, representing possibly several ‘breakdowns’ in the system
(for which the audit can recommend remedial action, and possibly sanctioning)?
Are the errors of a more serious nature in terms of frequency and size, indicating
perhaps a failure of management and of controls (for which the company will have to
take immediate corrective action and, possibly, sanctioning)?
Are the errors of such a nature that it appears the management of the company has been
careless and reckless in its control approach to Customs and Excise compliance?
Where it is determined that errors are not of an isolated nature, and, indeed, management and
controls are not being diligent in their operation, then this will need to be brought immediately
to the attention of the company. Communicating errors is discussed more fully in the ‘Dealing
With Audit Issues Section below, however, in terms of substantive testing the main question is
whether the sample size will have to made larger, perhaps to 100% of the population. Does
sufficient evidence exist for the auditor to form an opinion, prepare an Audit Report, and
recommend both sanctions and remedial action. Perhaps 100% of the population needs to be
sampled in order to identify and collect any short paid duties. This decision should be taken by

25
the Audit Manager, who will balance these competing priorities, especially where 100%
verification in a large company will utilise large amounts of compliance resources.
Accident Vs Fraud
The above actions are based on an assessment that non-compliance is related to accidental
error, or carelessness on the part of the company management. There is also the possibility that
fraud has been committed either against the Customs or Excise agency by those in the
company, or by individuals within the company against the company itself. In either situation,
the result will be the same: loss of revenues and mis-reporting to the Customs or Excise
agency concerned.
If it is the opinion of the auditor that the non-compliance detected may be due to fraudulent
activity on the part of the company or individuals within the company, then this fact should be
reported to the audit manager immediately. Internal fraud will be treated differently, and will
involve working with the company to redress of the relevant internal controls to ensure future
protection of revenue and future compliance, as well as recovery of any lost revenues. The
matter will then become an issue for the individual, the company and local Police.
Suspected fraud against the Customs or Excise agency should be handed over to the relevant
investigation authority either within or external to the agency. Fraud is a crime, and its
investigation and prosecution involves skills very different to those of the Customs and Excise
auditor. The auditor should remember, however, that they will be prosecution witnesses, and
their audit working papers will be evidence in any prosecution case. As such, all audit papers
should be properly completed, filed, and stored securely.

26
Stage 5 – Dealing with Audit Issues
Transaction Based
(1) (2) (3) (4) (5) (6)

Analyse Issues
the
Internal
Outstanding Audit Issues

At this point in the audit, it is likely that control and substantive testing has been fully
completed, and issues arising from that testing, or from audit procedures generally, have been
identified and documented on an Audit Issues Form.
Audit issues should be discussed with company management and staff. This can be done
informally, as issues arise and are documented, or more formally through the creation and
handing-over of a document such as an ‘Audit Issues Log’. Companies subject to audit should
not be surprised or ambushed at the end of an audit with a range of issues involving possible
non-compliance that may proceed to some form of sanctioning. Auditors should be looking to
work closely with company management to work through any issue. There may need to be
several meetings, several reviews of evidence of non-compliance (Rob evidence what?) and
several discussions with audit managers to resolve any particular audit issue.
Sharing all audit issues with the company at this point also ensures that the auditor has
properly understood:
the business system or business process under review
the operation of the relevant internal controls
the transactions under review.
It would be disadvantageous for the audit opinion if it were found that the auditor had formed
that opinion without properly understanding what they were reviewing.
Prior to issuing any ‘Audit Issue Log’ type document to the company, the auditor should
discuss each issue with the audit manager and determine the materiality of each issue in
respect of its impact on the audit opinion. This assessment should be noted on the respective
Audit Issues Form.

27
Response by the company

The auditor should allow a short period of time (e.g. one week) for the company to respond to
any audit issues. Responses can be expected to take the form of one of the following:
acceptance and immediate resolution, prior to audit completion, to be incorporated in
the final audit report
acceptance and undertaking to implement remedial action as will be recommended in
the final audit report
acceptance but disagreement that issue is material
disagreement.
The auditor needs to document these responses on the appropriate Audit Issues Form, and
review them with the audit manager. Dependent upon this review, the issue or the materiality
may change for the final audit report. Any changes again are endorsed on the appropriate
Audit Issues Form.
Is further action required?

Where specific errors, and certain audit issues are not resolved during the audit, it may be that
legislation requires either a recovery of short paid, recovery of over-paid refunds, or
suspension of a licence or permit. The auditor should refer to the relevant legislation, and
review any relevant licensing and permission conditions and restrictions.
Such recommendations need to be documented in the audit working papers so that referrals
can be made to the appropriate areas of the agency for action. Such recommendations will also
appear in the final audit report.

28
Stage 6 – Audit Reporting
Transaction Based
(2) (3) (4) (5) (6)
Identify Control Substantiv Dealing Audit

and Testing e Testing with Audit Reporting
Analyse Issues
the
Internal
What is the audit report?

The Audit Report is the formal communication from the audit team to the importer, exporter or
excise manufacturer as to the findings of the audit. The Audit Report will discuss the auditor’s
opinion as to the level of compliance, outline the main issues which were identified by the
audit procedures, and make certain recommendations as to how the company can improve its
compliance where appropriate.
The Audit Report should also be seen by both the Customs and Excise agency and by the
company, as an opportunity for adding value to the business. Discussion and recommendations
about compliance should address the most efficient means of complying, and where possible,
enable the company to save those costs in the area of Customs and Excise compliance
activities.
Significantly, the Audit Report will be one of the key starting points in any subsequent
Customs and Excise audit activity. The Report may also be used the company’s own internal
or external auditors.
Draft Audit Report

The Audit Report is issued in ‘draft’ form in the first instance. The company is then given the
opportunity to comment, in particular, in relation to the audit opinion, audit issues and
recommendations. The company should not be ambushed at this late point in the audit with
significant or material issues, or an opinion that suggests a very low level of compliance has
been assessed.
In terms of the formatting of the draft audit report, the auditor should be including the
following types of basic heading detail:
titles of the Audit Report (draft)
the name of the company being audited
the audit scope and objectives
the audit manager who is signing off on the audit
29
a date.
These basic details are then followed by the specific details as they relate to the audit just
conducted:
main audit findings
audit issues for resolution and follow-up
opinion as to the level of compliance
qualifications or caveats to this opinion.
The draft Audit Report is then handed to the company. The company will review the draft
report and make a formal written response in relation to opinions, issues and
recommendations. The auditor again should work with the company to resolve any disputes in
the findings so that the final report, when issued, is acceptable to all parties. Of course, where
an issue cannot be resolved, the auditor’s findings prevail and will appear in the final version
of the report.
The company’s responses, when finalised, will be added to the draft report, as with any further
amendments by the auditor arising from any consultation about the draft report. The draft
Audit Report is now a final Audit Report and ready for distribution to the company and to
relevant Customs and Excise agency executives.
The Exit Interview

At the completion of the Final Report, the Customs and Excise auditors will arrange for an
Exit Interview with the Audit Manager, the audit contact officer at the company, and the
management of the company – as with the Entrance Interview. The final Audit Report can be
presented to company management at the interview.
The main purposes for the Exit Interview include:
formal agreement with company management as to the audit findings
formal commitment by company management to implement or act on recommendations
the continuation of a co-operative compliance partnership with the company.
Minutes or notes should be taken at the Exit Interview, particularly details of commitments to
recommendations and relevant timetables for implementation. These notes should then be filed
away with working papers for the audit. Future auditors will not only review the Audit Report,
but will have an interest in the plans of the company to implement any recommendations.
Safe care of audit working papers

All audit working papers and reports should generally be accorded ‘audit-in-confidence’
status. They may be kept in an ordinary steel cabinet or compactus under lock and key. Where
one or more documents of a higher security classification are included in the working papers or
audit report, the file or report requires the higher classification.

30
Division 3: Working Papers
Working Paper Index Page
This index should remain on top of the audit working paper file. A reference letter for
each section (i.e. A, B, C, D, etc) should be noted when the auditor starts this section in
the working papers.
The detailed numbering for each section should be added on completion of that part of the
audit.
General Working Paper

The General Working Paper is virtually ‘blank note paper‘, which can be used in
situations where general note taking is occurring or none of the specific worksheets are
suitable. For example, where an auditor is taking notes while reading from a company
document or interviewing a staff member at the company, these notes can be made on this
type of paper.
Alternatively, word processing tools or lined pads may be used to generate these working
papers.
Control Description/Testing Paper

This worksheet is commonly used in a risk matrix approach, as outlined in the
methodology of Division 2. It is used to describe in more detail the internal controls
which have been identified. At the bottom of the worksheet is an area for details of
subsequent testing and assessment of that control, for completion when the audit returns
to the identified controls for testing. Here the auditor is determining whether the control
described is a good control, adequate control or inadequate/ineffective control. Results of
control and/or substantive tests should be included in the 'findings'. With the observation
and finding sections completed, the auditor is now ready to prepare his/her
recommendations.
Control Risk Matrix

The Control Risk Matrix is central to the systems-based audit. One of these matrices
should be used for each group of risks (i.e. those that relate to a sub-system) in the audit.
The auditor should start by filling in the details of the sub-system under review in the
header fields on the worksheet. Various risk lists should have been formulated early in
the audit.
A brief description of each risk (or associated exposure) should be included in the
appropriated boxes at the top of the matrix. The inherent risk of these exposures should
be noted in the darker row immediately below - these would normally be categorised as H
(high), M (medium) or L (low).
During an earlier stage of the audit, the system should have been documented and some
actual controls identified - these should have been described on the Control
Description/Testing worksheet above. If it is found that some key internal controls are
missing, the auditor returns to the Control Description/Testing worksheet process, and
completes the required additional worksheets.
The main body of the matrix can then be filled in - these cells can be filled in when the
identified controls are entered, or afterwards. With each identified control, the auditor
should consider its impact on each of the potential errors, and whether it reduces the risk
for that potential error.
It should be remembered that a control is a feature of a system which prevents or detects

an error. If it does not do this, it is simply a process and not a control. The cell is marked
’P‘ or ’D‘, depending on whether it is a preventative or detective control for this
exposure. The P or D is circled in cases where the identified control is a key control for
reducing the risks of the exposure. The impact of each control in reducing the risk
identified is also rated as S (strong), M (medium) or W (weak).
After completing the body of the Control Risk Matrix, the auditor needs to make an
assessment of each potential error to see whether the controls identified are adequate at
reducing the risk to an acceptable level. This is noted in the appropriate row at the bottom
of the matrix with an S (strong), M (medium) or W (weak), and the risk remaining should
be assessed as H (high), M (medium) or L (low).
The controls which have been identified as key controls for an exposure would be those
subject to further control testing - if this leads to any deficiencies being identified, the
’risk remaining‘ may need to be modified. Any potential errors where the risk remaining
is higher than ’Low‘ are areas of potential deficiency and could be written up on issues
sheets or recommendations noted directly in the reporting process.
Audit Issues Worksheet

The Issues worksheet should be used when significant issues arise during an audit. In
some situations, copies of these worksheets may be provided to the company contact
officer for comment and could form the basis for discussions prior to the formal exit
interview. These worksheets should be filled in progressively as an issue is logged,
discussed and cleared.
When an issue is first identified, it should be described in detail in the ’Description‘ box.
Any suggested recommendations to help solve this issue could also be included at this
point.
As the issue is progressed, further details are added to the appropriate boxes. When the
issue is raised with company management for comment, this should be noted in the
appropriate box, along with the date in the box on the right hand side. The nature of how
it is issued (copy of this form, summary report of issues etc) and the company contact
officer to which it is given should be noted in this box, along with any other working
paper references.
When company management responds, a summary of their response should be noted in
the appropriate box, together with the date noted and the working paper reference of the
response documents (if any). Follow-up action and the closure of this issue should also be
noted in a similar way.
Substantive Testing Worksheet

This worksheet is intended to be used for recording the details of transactions tested and
the test outcomes.
Sufficient details should be recorded to enable a reviewer to reach the same conclusion as
the person who carried out the audit. If, for example, the test is to ensure that tariff items
are correct, a list of the lodgement numbers and line numbers would be appropriate.
Centre for Customs & Excise Studies, CCLEC

32
Readings
Working Paper Index
Auditee Audit Manager
Section Ref
Planning A
Information Gathering B
Analytical Checks and Initial Assessment C
Systems Documentation D
Internal Controls – Descriptions, Risk Matrices and Testing E
Compliance Testing and Control Assessment F
Substantive Testing G
Prepared by Reviewed by Index
/ / / /

33
General Working Paper
/ / / /

34
Readings
Control Description / Testing Worksheet
Control Description: System / subsystem:
Notes:
Preliminary assessment:
Description of control test:
Sampling:
size
selection method
period
population size
Summary of Test Findings:
Control Assessment after test:

[Effective/Not Effective/Undecided]
Prepared Reviewed Index

by by
/ / / /

35
Control Risk Matrix

36
Readings

37

38
Readings
Audit Issues Worksheet
Issue Description: Priority:
Logged
Issued
Response
Follow-up
Closed
Company Response:
Follow-up:
Closed:
/ / / /

39
Substantive Testing Worksheet
Sub-system___________________Transaction__________________
Description___________________
Transaction Details Test Results
/ / / /

40

Customs - Excise Audit-CCLEC - BOR

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Customs - Excise Audit-CCLEC - BOR

Uploaded by

Copyright:

Available Formats

Centre for Customs & Excise Studies (CCES)

Customs & Excise Audit

© Centre for Customs & Excise Studies, University of Canberra, 2009

Materials development team

Centre for Customs and Excise Studies

Division 2: Systems Based Audits.......................................................3

Centre for Customs and Excise Studies

Completion of Control Risk Matrix Form................................................................. 18

Division 3: Working Papers................................................................31

Centre for Customs and Excise Studies

Centre for Customs and Excise Studies

Centre for Customs and Excise Studies

improvements in information exchange, training and communications arrangements

Centre for Customs and Excise Studies

This reading may be accessed through the following WCO URL:

< http://202.121.31.31/cwco/english/files/reference/Letstalk1GB.pdf >

Centre for Customs and Excise Studies

Centre for Customs and Excise Studies

Centre for Customs and Excise Studies

Centre for Customs & Excise Studies

Study Guide Supplement

Customs and Excise Audit Methodology

Centre for Customs and Excise Studies

© University of Canberra, 2004

Materials development team

Centre for Customs and Excise Studies

Division 1: Audit Approach and Methodology ....................................1

Centre for Customs and Excise Studies

Division 1: Audit Approach and Methodology

The changing approach to audit activity

The Audit Cycle

Application of the Audit Methodology

International Audit Standards

Centre for Customs and Excise Studies

Division 2: Systems Based Audits

Stage 1 – Audit Planning

(1) (2) (3) (4) (5) (6)

Audit Identify Control Substantiv Dealing Audit

Systems Based Approach

Planning and Development of the Audit Plan

any other matters relevant to the audit.

Understanding the Business

requests for refund, rebates, remissions, or drawbacks of duty and taxes

The Entrance Interview

Risk and Materiality

Understanding and Documenting the Business Systems

Centre for Customs and Excise Studies

Centre for Customs and Excise Studies

Initial View – Business Systems and Controls/ Suitability for Systems

The Audit Plan

Centre for Customs and Excise Studies

Stage 2 – Internal Control Identification and Analysis

(1) (2) (3) (4) (5) (6)

Audit Identify Control Substantiv Dealing Audit

Systems Based Approach

Risk and Internal Controls

Centre for Customs and Excise Studies

Control Risk Matrix

Centre for Customs and Excise Studies

Understanding the Risk to the Audit

Centre for Customs and Excise Studies

Setting the confidence levels in Internal Controls

HIGH MEDIUM LOW