Customs - Excise Audit-CCLEC - BOR
Readings
Customs & Excise Audit
The Centre for Customs and Excise Studies (CCES), University of Canberra, has
developed an academic program leading to an Executive Diploma in Customs
Management for member countries of the Caribbean Customs Law Enforcement
Council (CCLEC).
The program, which is to be followed over a period of one year, entails the
following subjects:
• Accounting for Managers
• Customs Management I
• Customs & Excise Audit
• Revised Kyoto Convention I
• Intelligence Management in the CCLEC Region
• Managing Operational Activities
The study requirement for each subject is 30 hrs through a combination of face to
face and online learning.
Contents
Reading 1
WCO 1999, Revised Kyoto Convention General Annex Guidelines Chapter
1, General Principles, paragraph 4, Co-operation with the Trade, Brussels.
Reading 2
WCO 1999, Revised Kyoto Convention Chapter 6, Customs Control
Guidelines, paragraph 9 Customs/Trade Co-operation, Brussels.
Reading 3
WCO 2004, A National Valuation Database as a risk assessment tool,
Brussels
Reading 4
Federal Financial Institutions Examination Council 2003, Risk
Assessment & Risk Based Auditing Booklet, Washington
Reading 5
CCES 2005, Customs and Excise Compliance Audit Methodology,
Canberra
Division 1: Audit Approach and Methodology
Introduction
Customs and Excise Compliance Audit Methodology
The changing approach to audit activity
The Audit Cycle
Application of the Audit Methodology
Is the company suitable for a systems based audit approach?
International Audit Standards
Reading 1
WCO 1999, Revised Kyoto Convention General Annex
Guidelines Chapter 1, General Principles, paragraph 4, Co-
operation with the Trade, Brussels.
Standard 1.3
The Customs shall institute and maintain formal consultative relationships with
the trade to increase co-operation and facilitate participation in establishing the
most effective methods of working commensurate with national provisions and
international agreements.
To address the rapidly growing volume of international trade, active co-operation and
intensive communication between Customs and the trade are essential to complement
each other’s objectives and responsibilities. Since Customs are an important element in
international trade procedures, it is important that Customs administrations make use of
modern working methods to administer their operations and that they strive to facilitate
trade to the maximum extent possible.
In an ever-changing trading environment, where speed means a trader’s livelihood,
Customs and the trade have to develop modern methods together. To achieve this, a
consultative relationship is indispensable and the use of modern information technology
essential for the efficient and fast exchange of information. Before Customs implement
changes or introduce new procedures or automated systems, Customs should consult
with appropriate representatives of the trade so that both can gear their activities in
consideration of each other’s needs.
In order to develop instruments for co-operation and consultation, Customs has to
establish formal consultative relationships with the different national trade associations.
Co-operation between Customs and the trade can result in formal Memoranda of
Understanding which serve to benefit the accomplishment of both parties’ objectives and
responsibilities.
Further information on such Memoranda of Understanding can be found in the Guidelines
to Chapter 6 of the General Annex on Customs control.
Reading 2
WCO 1999, Revised Kyoto Convention Chapter 6, Customs
Control Guidelines, paragraph 9 Customs/Trade Co-operation,
Brussels.
(Standards 6.8, 7.3, 8.5 and Chapter 9)
In a modern Customs administration there are a wide variety of complex control tasks to
undertake and, increasingly, resources are limited. The Customs response has been to
apply selection, targeting and risk management to maximise the effectiveness of these
resources.
With the increasing use of risk management techniques, coupled with demands for greater
facilitation, good communication, consultation and co-operation between the trade and
Customs administrations are vital to achieve a satisfactory balance between effective
control and facilitation. Customs administrations see legitimate traders as partners in this
process.
It is important that all interested persons should be able to obtain information from
Customs about procedures and control requirements (see General Annex, Chapter 9).
Sources may include the Customs tariff, official gazettes, bulletins and notices. Customs
should therefore ensure that these are readily available at their offices. Additionally
persons may need specific information concerning a particular operation and the Customs
administration should aim to supply this as completely and accurately and as soon as
possible.
Customs administrations should also consider modern techniques for the dissemination of
information, like the Internet with its World-Wide-Web (WWW). As an example under
<http://www.gov.sg/customs/> the Singapore Customs administration provides
information on duty and tax rates, documentation, valuation, clearance procedures,
security requirements and addresses of Customs offices.
Many Customs administrations now maintain formal consultative committees with
traders, carriers, agents, banks, port and airport operators and their representative
organisations. The role of such committees typically includes the discussion of projected
changes in control requirements, identification of difficulties experienced by declarants in
complying with actual or proposed procedures and arriving at mutually acceptable
solutions. In addition some Customs administrations have introduced the idea of “client-
co-ordinators” who keep contact with individual companies.
There should be continuous collaboration at all levels; at local/regional level between
Customs officials and business and at national level between Customs administrations
and business.
For the Customs administration such collaboration has the advantage of improving its
knowledge of trading practices. Greater familiarity with the conditions of international
trade means more effective risk management. In this spirit Customs administrations may
consider inviting business representatives to spend short periods with the Customs service
as a means of familiarising themselves with the regulations.
Co-operation is particularly valuable to a Customs administration in drug interdiction,
CITES, dangerous goods, and hazardous waste control. It is increasingly encouraged and
sustained through a range of Memoranda of Understanding in which trade organisations,
nationally and internationally, sign general undertakings with the WCO and national
Customs administrations, backed by detailed guidelines, specifying the practical
Reading 3
WCO 2004, A National Valuation Database as a risk
assessment tool, Brussels
Reading 4
Federal Financial Institutions Examination Council 2003, Risk
Assessment & Risk Based Auditing Booklet, Washington
Available on the FFIEC website,
<http://www.ffiec.gov/ffiecinfobase/booklets/audit/audit_03_risk%20ass_rb_audit.html>.
Reading 5
CCES 2005, Customs and Excise Compliance Audit
Methodology, Canberra
Copyrighted materials reproduced herein are used under the provisions of the Copyright
Act 1968 as amended, or as a result of application to the copyright holder.
While every effort has been made to contact copyright holders (when relevant), in the
event of accidental infringement, the University of Canberra will be pleased to come to a
suitable arrangement with the rightful owner.
No part of this publication may be reproduced, stored in a retrieval system or transmitted
in any form or by any means electronic, mechanical, photocopying, recording, or
otherwise without prior permission.
This learning package; including its online components, is provided solely for the
purpose of private study and must not be copied or resold or used by anyone not enrolled
in the subject.
Introduction
Customs and Excise Compliance Audit Methodology
The role of audit in the Customs and Excise environment is to provide a high level of
assurance that:
• correct revenue is received by Customs or Excise agencies at the time that it falls due
• compliance has been achieved against legislative requirements in relation to the
importation, manufacture, storage, usage and movement/sale of products and retention
of adequate records.
The audit methodology developed in this manual has been designed with the specific needs of
the Customs or Excise auditor in mind.
• there has been a change to inherent risk within the industry, including changes to
legislation, reporting procedures, tax rates, increased competition, or detection of
common errors within the industry.
• information or intelligence that is credible has been received about the operations of
the company.
Transaction Based
• request further information, or access to further information not available during the
early information gathering, for example: sales data, production data, customer data,
product data, systems documentation, job descriptions
• agree on administrative issues including:
o timing of commencement of tests
o timing of conduct of tests
o timing of finalisation of tests
o details of relevant contact staff
o use of outside experts and expertise if applicable
o use of computer assisted audit tools if applicable
o details of audit team contacts
o what sites should be visited and when
o estimated time of completing the audit and reporting opinions to the company.
• product files – including details of product classification, value, origins, and other
relevant details
• packaged stock and deliveries
• sales and invoicing (domestic and export), including customer files
• reporting (to Customs and Excise) systems
• returns and credits.
The auditor will also be interested in whether any two or more of these systems interface, and
if so, how this occurs and what controls ensure correct data is transferred from one system to
another.
How is the information gathered?
The first step is to ask the company what systems’ documentation is in place and whether that
documentation can be provided to the audit team. The appropriate people within the company
to ask would be company management, or technical staff (e.g. Information Technology
Division), or business managers (e.g. Production, Warehouse Operations, etc), or financial
managers (Tax Returns) as necessary. The types of documentation the auditor should be
requesting would include: procedure manuals (job descriptions), policy statements, operating
instructions, computer system descriptions, and control manuals.
During this stage the auditors should also obtain an understanding of the company's
organisational structure and identify those groups which have a role which is directly or
indirectly relevant to the audit objectives (for example, groups responsible for performing
relevant monitoring activities).
Other possible sources of information which may be available, provided that agreement is
reached with company senior management on access to these sources, are:
• relevant internal audit reports and discussions with the company's internal audit staff
• relevant risk assessments performed during the annual external financial audit cycle
phase
• external audit management letters and reports and, possibly, discussions with the
external auditors.
Documenting the business systems
As mentioned above, the Customs and Excise auditor's understanding of the business systems
needs to be both clear and accurate to enable identification and a detailed analysis of the
existing internal controls. It is therefore important to document adequately an understanding of
the system to support subsequent control analysis and to enable effective quality control of
work undertaken.
Adequate systems documentation may already exist. The auditor should first review any
previous audit working papers (particularly if the company had been subject fully, or partly, to
systems based auditing). If the business systems have already been documented to a
satisfactory level, then the auditor needs only to meet with the relevant areas of the company
and confirm that no material amendments, upgrades or other changes have occurred to any of
those systems.
Where applicable, any material changes that have occurred to business systems, should be
incorporated into existing systems documentation. Further, where those changes are
considered significant, the auditor should then verify that they have properly understood and
documented the change (see Systems Verification below).
In the case that no systems documentation is held by the audit area, the Customs and Excise
auditor may use existing systems documentation as a starting point in understanding the
relevant systems and controls. In conjunction with this company documentation, the auditor
should then set about obtaining an understanding of the systems, by conducting interviews
with the users of the systems and those who conduct the processes, as well as by simply
observing what ‘actually happens’.
Centre for Customs and Excise Studies
Customs and Excise Audit Methodology Study Guide Supplement
The level of detail required will be different for each audit, but again must be sufficient to be
able to identify actual internal controls in the system under review. After the auditor has
identified the system processes, and understood the various business systems, these systems
can then be documented in a form suitable for audit.
The form of systems documentation can include a simple narrative of the relevant system,
through to highly complex process flow-charts (or a combination of both). The narrative
approach is most suitable where the business system under review is small or simple in nature.
Flowcharting however, is most appropriate where the system is large and complex in nature. It
is likely that, where such systems are large and complex, the system (or systems) will be
broken down into ‘sub-systems’ for the purposes of flowcharting. Computer software is also
available to assist the auditor in producing large and complex flowcharts, and is useful for easy
amendment or updating as the company makes changes to its business systems. Flowcharting
is discussed in more detail in the Audit Skills section of the methodology.
Systems verification
Systems verification can be achieved by conducting walk-through tests or examining system
documents filed in the permanent files which were identified in flowcharts/narrative.
Walk-through tests are used to confirm the completeness and accuracy of the auditors'
understanding of how a significant transaction is processed, or how product storage and
movement is controlled, and will complement the discussions with management noted above.
The exact technique employed will depend on the nature of the system, type of evidence
available and the audit objectives.
In executing a walk-through, the auditor should trace a transaction through the processes as
documented in the flowcharts and/or narratives. A sample size of one is sufficient to clarify
understanding of any one particular process.
Having walked through each significant process, the auditor will be in a position to assess
whether the systems description is correct. Where audit activity is being undertaken at several
sites, then this walk-through check must be undertaken at each site and local
variations/extensions noted.
This is an essential component in the system documentation stage, as it is possible that a
location may have adopted ‘local procedures’ which either enhance or detract from the
documented procedures.
Transaction Based
2. Detective Controls – being internal controls designed to identify errors and other types of
non-compliance once they have occurred, so that the company can take immediate remedial
action.
manual processes; medium level taxed and regulated industry in which there are several large
competitors.
LOW RISK: Most or all of the following are present: good staff knowledge, experience
and integrity; moderate or lowly competitive industry where staff feels no pressure to perform;
no reliance on highly complicated or highly manual processes, or industry has low rates of tax
and regulation; and the industry has a good compliance record.
The auditor’s assessment as to the level of inherent risk, with evidence, should then be
documented in the audit working papers, including reference in the Control
Identification/Testing form.
Control risk
Control risk is simply the risk that errors and other non-compliance are not prevented or
detected by the internal controls or, where relevant, detected too late to prevent a breach of
legislation. The auditor again must make an assessment as to the level of control risk in terms
of whether the controls are working effectively. This is done by:
• use of the auditor’s own skills, knowledge and experience. The auditor is likely to have
seen many companies’ internal control structures, and can ‘benchmark’ against these.
The auditor will also be familiar with the relevant legislation with which the company
must comply, and whether the controls are appropriate for this
• the auditor’s specific knowledge of the company, and its systems and controls, as a
result of visiting or auditing the company previously
• the results if previously audited and any other information within the agency in relation
to errors or instances of non-compliance
• material changes to the business systems and controls since the last audit
• review and query of any aspect of relevant user manuals, policy and procedure
statements and job descriptions
• observation of processes, systems and controls.
Using these information sources, the auditor then needs to make an assessment as to
whether control risk is High, Medium or Low. Remember that if control risk was, or will
now be, determined as unacceptably high, or if internal controls are found to be entirely
unreliable, then systems based auditing should be abandoned and a substantive based audit
approach adopted. As a guide to determining the level of control risk, the auditor could
consider the following:
HIGH RISK: Internal controls are present, but there are questions in relation to their
effectiveness and their application by staff, and user documentation about performance of the
controls is difficult to comprehend. There have been significant changes to business systems
and controls since any previous audit.
MEDIUM RISK: Internal controls are present and seem quite relevant to the process. Staff
are generally applying the controls well, and each control is supported by clear and precise
user documentation. There have been some changes to business systems and controls since any
previous audit.
LOW RISK: Internal controls are present and appear to be relevant and effective in their
operation. Staff are well trained and are applying the controls. User documentation to support
the controls is clear and precise. There have been no changes to business systems and controls
since any previous audit.
The auditor’s assessed level of control risk, with evidence, should then be documented in the
audit working papers, including reference in the Control Identification/Testing form.
Analytical review
One way in which the Customs and Excise auditor can either determine levels of inherent and control
risk, or confirm their own initial judgements as to the levels of inherent and control risk, is to
conduct analytical procedures. Analytical procedures involve investigating or analysing
various pieces of related data and determining whether there are fluctuations or deviations
from what could have been expected from the analysis. Such fluctuations could represent areas
of risk, or the non-operation of a particular internal control.
For example: where an importer’s domestic sales are compared with its duty payments over
the same period of time, it would be reasonable to expect that in most cases there would be a
relationship between sales and duty – as sales increase so do duty payment amounts. Whilst
there may be many valid reasons, to be explored with the importer, why duty payment amounts
do not track domestic sales, it could also mean that there is some higher level of risk in the
controls which ensure that the correct tariff classification, valuation, origin and/or duty
exemption details are being declared to Customs.
Analytical procedures can be applied at any stage of the audit and as such are described more
fully in the Audit Skills section of the methodology. However, the use of any analytical
procedures, and the results, are to be documented in the general audit working papers.
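The sales-versus-duty comparison described above can be run as a simple ratio test. The following is an added example, not part of the study guide: the monthly figures are constructed, and the 25% tolerance and the function names are assumptions chosen for illustration.

```python
"""Analytical review: does monthly duty paid track monthly domestic sales?"""
from statistics import median

# Constructed sample data (not from the study guide): month, domestic sales, duty paid.
SAMPLE_PERIODS = [
    ("2024-01", 100000, 5000), ("2024-02", 110000, 5500),
    ("2024-03", 105000, 5200), ("2024-04", 120000, 6000),
    ("2024-05", 130000, 6500), ("2024-06", 125000, 6300),
    ("2024-07", 140000, 7000), ("2024-08", 150000, 4200),  # sales up, duty down
    ("2024-09", 145000, 7300), ("2024-10", 160000, 8000),
    ("2024-11", 0, 0),                                      # no trading that month
    ("2024-12", 170000, 8500),
]

# Assumed tolerance: flag a month whose duty/sales ratio is more than 25% off the median.
TOLERANCE = 0.25


def duty_to_sales_ratios(periods):
    """Return ({month: duty/sales}, [(month, duty)] for months without sales)."""
    ratios, no_sales = {}, []
    for month, sales, duty in periods:
        if sales > 0:
            ratios[month] = duty / sales
        else:
            no_sales.append((month, duty))
    return ratios, no_sales


def review(periods, tolerance=TOLERANCE):
    """Return (baseline ratio, findings) where findings are months to query."""
    ratios, no_sales = duty_to_sales_ratios(periods)
    if not ratios:
        raise ValueError("no period with sales to analyse")
    baseline = median(ratios.values())
    if baseline == 0:
        raise ValueError("median duty/sales ratio is zero; ratio test not meaningful")
    findings = []
    for month, ratio in ratios.items():
        deviation = (ratio - baseline) / baseline
        if abs(deviation) > tolerance:
            findings.append({
                "month": month,
                "ratio": round(ratio, 4),
                "deviation": round(deviation, 2),
                "reason": "duty does not track sales",
            })
    # Duty paid in a month with no recorded sales is also a fluctuation to explain.
    for month, duty in no_sales:
        if duty > 0:
            findings.append({"month": month, "ratio": None, "deviation": None,
                             "reason": "duty paid with no sales"})
    return baseline, findings


if __name__ == "__main__":
    baseline, findings = review(SAMPLE_PERIODS)
    print(f"baseline duty/sales ratio: {baseline:.4f}")
    for finding in findings:
        print(finding)
```

A flagged month is a prompt for a question to the importer and an entry in the working papers, not a finding of error in itself.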
INHERENT RISK HIGH:   LOW   LOW   MEDIUM
INHERENT RISK MEDIUM: LOW   MEDIUM   HIGH
Where both inherent risk and control risk are assessed as High, then the overall confidence
levels in the company’s internal controls will be low. Where inherent risk is Low and Control
risk is Low, the overall confidence level is High, and so on.
Once the overall confidence level has been documented in the general audit working papers,
stage 2 of the audit has been completed.
Transaction Based
• computer produced exception reports that are subsequently followed up manually (e.g.
receipts from one tank do not match with deliveries from source tank and are outside
the company’s permitted tolerances)
• computer produced management information (e.g. export sales)
• controls to prevent or detect access to standing data files by unauthorised staff, (e.g.
update tariff classifications or duty rates).
The auditors need to identify reliance on programmed controls to determine the nature and
extent of audit work to be carried out in the computer environment so that they are satisfied
that the programmed controls are operating as designed.
The audit team may require specialist assistance from an IT expert at this point, and this would
have been highlighted during audit planning in Stage 1. Such specialists are skilled in
determining whether the company’s computer controls are operating, and are operating as per
the systems documentation that may have been provided by the company during the
information gathering process. IT specialists will need to work with the audit team here in
developing appropriate control testing.
It is also likely that the audit team can make use of relevant computer-assisted verification
techniques at this point. The use of such techniques is covered more fully in the Audit Skills
section of this methodology.
The audit team needs to know how company management satisfies itself that the computerised
controls are operating as intended, for example:
• manual controls to confirm the adequacy of computer processing (e.g. reasonableness
checks or clerical checks of a sample of calculations made by the computer). However,
this may be inefficient, given the nature of the control; and/or
• the underlying general controls over the computer environment (e.g. program/data
change controls such as the testing of a program, the control over changes to that
program and control over access to the master file containing standing data used within
the program).
The auditor will need to liaise with the company's information systems auditors and computing
staff in order to derive the most efficient audit approach for each audit.
Control Testing
From the information confirmed during the audit in relation to systems and controls, the
auditor now develops and conducts the control tests. The nature of each test will depend on
exactly what the control is supposed to do. The auditor will look at each control and determine
what the control entails, ensuring that the control is being performed by the appropriate person
or by the appropriate computer program. The primary purpose is simply to gauge whether the
internal controls being applied by the importer, exporter or excise manufacturer to ensure they
make no errors and comply, are in fact being utilised.
Examples:
1. Preventative type control - To ensure that the company has imported what they have
declared to Customs, the warehouse manager supervises the unpacking of the shipping
container and compares the contents of the shipping container with the customs import
declaration. At the completion, the warehouse manager completes and signs a company
document called Container Unpack Report. One of the unpack crew also signs the document,
and any discrepancies are noted for action by the Customs Manager and Accounts Payable. In
order to ensure this control is working, the auditor could take a sample of customs import
declarations and ask to see the relevant Container Unpack Report. The auditor would then look
for the 2 signatures – warehouse manager and unpack crew member. Where discrepancies
were found in a container unpack, the auditor could also follow up with the Customs Manager
to ensure that appropriate amendments were made to the customs import declaration
concerned.
2. Detective type control – To help ensure that excisable goods have been properly recorded
into inventory from production, and out of inventory as deliveries, the company undertakes a
monthly stock-take. The stock-take is undertaken by the
Stock Control Manager and the Bond-store Manager, and details recorded on the company’s
Monthly Stock-take Summary. On completion, both managers sign and stamp the Summary,
and any discrepancies are followed up by both managers. In order to ensure this control is
working, the auditor could take a sample of months and ask to see the relevant Monthly
Stock-take Summary. The auditor would then look for the 2 signatures and 2 stamps – Stock Control
Manager and Bond-store Manager. Where discrepancies were found in a stock-take, the
auditor could also follow up with both managers to confirm that appropriate investigations were
made to find and correct the discrepancy, and appropriate additional excise duties were volunteered.
After determining the sample size for control testing, the auditor must then decide which
samples from the total population to test. Where sampling is to occur in control testing, the
auditor should refer to Section Stage 4, Conducting the Substantive Tests, for the four main
methods of drawing samples for testing (random number, systematic, block, and haphazard
sampling).
A more detailed discussion on sampling is conducted in Customs & Excise Audit II, a short
course designed primarily to assist audit managers.
Transaction Based
Note:
Even with very high levels of confidence in the business systems and controls of a
company, the Customs and Excise auditor has to confirm those opinions with a level of
substantive testing of the relevant transaction. The aim of substantive testing is to
obtain direct evidence as to the accuracy, completeness and authenticity of the
company's own records and transactions.
the auditor's initial level of confidence after business systems and controls have been
understood, documented and analysed, and this view after control testing has been
performed.
These confidence levels are expressed as High, Medium or Low, as to whether the company
has the systems and control to comply with Customs and Excise legislative requirements.
Based on this approach, the following table provides a guide to sample size selection where a
high (that is in the order of 95%) overall confidence level is required:
These techniques are fine when they are used for compliance testing, as the test is being
performed only to establish whether the control has, or has not, been applied.
Where these techniques are used for substantive testing, care must be taken not to attempt to
place any significance on the value of the ‘sampling unit’ in error.
All errors must be given equal significance. For example, where a tariff classification is
incorrect on a low value line and only a minimal amount of revenue has been understated, this
does not mean that the classification error can be ignored. It must be considered that it is
indicative of an unacceptable error rate, and that the same tariff classification error could
equally have occurred on a large value line causing significant revenue loss.
Following are more detailed discussions of these suggested ‘attribute’ sampling techniques.
Random Number Sampling
Random number sampling is based on the use of a random number generator or random
number tables to select the items to be tested.
It is first necessary to establish the start and end numbers for the population to be sampled.
This method assumes that:
• the units in the population, i.e. the ‘sampling unit’, are sequentially numbered
• the units are stored in sequential number order.
If these two assumptions are not met, then this technique will require a large amount of effort
to allocate or locate sequential numbers. It is, in any case, unlikely that auditors will find
instances of consecutively numbered documents which are filed consecutively.
Systematic Sampling
Systematic sampling involves selecting every ‘X’ number of items in a population, where X is
the determined sampling interval. Systematic sampling is based on the officer:
• determining the population size and sample size
• establishing a sampling interval by dividing the population size by the sample size
• randomly selecting a start point in the first sampling interval
• selecting the ‘sampling units’ located at the start point and at subsequent sampling
intervals from the start point.
One of the key steps is determining the population size. This may not always be easy; for
example if the officer is faced with a number of filing cabinets of documents.
In such cases, the officer should not attempt to count all of the documents. Using measurement
techniques, or at worst simply guessing, the officer should obtain an estimate of the size of the
population.
In some cases it may be appropriate to use a combination of the systematic and
random-number sampling techniques.
For example, when selecting a sample of import declarations on which country of origin will
be checked, the ‘sampling unit’ is a line on an import declaration. Rather than estimating the
number of lines over the period and counting lines to select the population, use the following
technique:
• determine the population size for the population of documents
• select a sample of documents using the systematic sampling technique
• select a ‘starting’ line from the document.
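The systematic technique and the combined document-then-line technique described above can be expressed as follows. This is an added example, not part of the study guide: the declaration identifiers and line counts are constructed, the function names are assumptions, and the interval is kept fractional (a small generalisation of the steps above) so that exactly the planned number of units is drawn when the population size is known.

```python
"""Systematic sampling of documents, then one random line per selected document."""
import random


def sampling_interval(population_size, sample_size):
    """Sampling interval = population size divided by sample size."""
    if sample_size <= 0:
        raise ValueError("sample size must be positive")
    if population_size < sample_size:
        raise ValueError("sample size exceeds population size")
    return population_size / sample_size


def systematic_positions(population_size, sample_size, rng):
    """0-based positions: random start in the first interval, then every interval."""
    interval = sampling_interval(population_size, sample_size)
    start = rng.random() * interval  # start point lies inside the first interval
    return [min(int(start + i * interval), population_size - 1)
            for i in range(sample_size)]


def positions_from_estimate(actual_size, estimated_size, sample_size, rng):
    """Interval fixed from an ESTIMATED population, applied to the real one.

    Shows the over- or under-sampling that follows when the estimate
    (e.g. a filing cabinet measured rather than counted) is off.
    """
    interval = sampling_interval(estimated_size, sample_size)
    start = rng.random() * interval
    positions = []
    i = 0
    while int(start + i * interval) < actual_size:
        positions.append(int(start + i * interval))
        i += 1
    return positions


def sample_declaration_lines(declarations, sample_size, rng):
    """Combined technique: systematic pick of documents, random pick of a line.

    declarations is a list of (declaration_id, line_count) in filing order.
    Returns a list of (declaration_id, line_number) with 1-based line numbers.
    """
    picks = []
    for pos in systematic_positions(len(declarations), sample_size, rng):
        declaration_id, line_count = declarations[pos]
        picks.append((declaration_id, rng.randint(1, line_count)))
    return picks


def build_constructed_declarations(count, rng):
    """Constructed test population: hypothetical ids with 1 to 12 lines each."""
    return [(f"DECL-{n:05d}", rng.randint(1, 12)) for n in range(1, count + 1)]


if __name__ == "__main__":
    rng = random.Random(2005)  # fixed seed so the selection can be re-performed
    declarations = build_constructed_declarations(1000, rng)
    for declaration_id, line_no in sample_declaration_lines(declarations, 30, rng)[:5]:
        print(declaration_id, "line", line_no)
    drawn = positions_from_estimate(actual_size=1200, estimated_size=900,
                                    sample_size=30, rng=rng)
    print("planned 30, drawn", len(drawn))
```

Recording the seed, interval and start point in the working papers lets a reviewer reproduce the selection.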
Block Sampling
Block sampling involves the selection of a number of grouped ‘sampling units’, for example
checking all transactions for selected dates.
However, even with judgemental sampling, care needs to be taken with the use of block
sampling to ensure that sufficient blocks are selected to be able to reach a reasonable audit
conclusion for the total period being audited. Selecting one or two small blocks over a large
period will not achieve this, e.g. one or two weeks over a twelve month period.
Examples of block sampling would be:
a number of days/weeks in the audit period
all lines over a certain value
all duty free deliveries
all exports
any combination of the above points.
Adjustments could be made to the block during the test process to avoid major over- or
under-sampling.
Haphazard Sampling
Haphazard sampling is defined as ‘sampling units selected without any conscious bias’. The
units should be selected in a manner that can be expected to be representative of the
population. However, it does not require any form of systematic selection.
This is probably best explained by an example. Suppose the auditor is faced with a filing
cabinet of export declarations or refund application forms. The auditor could choose to:
estimate/guess the population size for the number of forms
establish a sampling interval
estimate/guess the boundary of the first sampling interval (the forms to be included)
pick a form in this interval and pick a line in the selected form
repeat the above step until the end of the forms is reached.
During sampling, adjustments may have to be made to the sampling interval boundaries to
avoid over- or under-sampling.
However, care must be taken to avoid distorting the sample by selecting, for example, only
unusual or physically small items or omitting items such as the first or last items. This
technique must not be used as a way of avoiding ‘difficult’ items.
It is possible to use any of the above techniques or any combination of them. Whichever
technique is used, it should achieve the goal of representation of the total population.
A more detailed discussion on sampling is conducted in Customs & Excise Audit II, a short
course designed primarily to assist audit managers.
Discovery sampling means that the auditor is to assume that if any errors are detected during
the testing process, then there is likely to be a greater problem across the entire population of
records. Alternatively, if no errors are detected during the testing process, then the auditor can
have a 95% confidence level that no errors exist across the entire population of records.
The main principle that must be understood when conducting these tests is that there is no
acceptable error rate in relation to detected errors. It is also important to consider the material
consequences of the errors when deciding on what follow-up action is appropriate.
Where the substantive test results have highlighted errors that are, or could be, indicative of a
significant problem relating to a major non-compliance issue, then further action will be
required. The initial consideration could be increasing the sample size to the next highest
sample on the substantive testing sample size chart, or possibly 100% depending upon the
circumstances.
the Audit Manager, who will balance these competing priorities, especially where 100%
verification in a large company will utilise large amounts of compliance resources.
Accident Vs Fraud
The above actions are based on an assessment that non-compliance is related to accidental
error, or carelessness on the part of the company management. There is also the possibility that
fraud has been committed either against the Customs or Excise agency by those in the
company, or by individuals within the company against the company itself. In either situation,
the result will be the same: loss of revenues and mis-reporting to the Customs or Excise
agency concerned.
If it is the opinion of the auditor that the non-compliance detected may be due to fraudulent
activity on the part of the company or individuals within the company, then this fact should be
reported to the audit manager immediately. Internal fraud will be treated differently, and will
involve working with the company to redress the relevant internal controls to ensure future
protection of revenue and future compliance, as well as recovery of any lost revenues. The
matter will then become an issue for the individual, the company and local Police.
Suspected fraud against the Customs or Excise agency should be handed over to the relevant
investigation authority either within or external to the agency. Fraud is a crime, and its
investigation and prosecution involves skills very different to those of the Customs and Excise
auditor. The auditor should remember, however, that they will be prosecution witnesses, and
their audit working papers will be evidence in any prosecution case. As such, all audit papers
should be properly completed, filed, and stored securely.
Transaction Based
a date.
These basic details are then followed by the specific details as they relate to the audit just
conducted:
main audit findings
audit issues for resolution and follow-up
opinion as to the level of compliance
qualifications or caveats to this opinion.
The draft Audit Report is then handed to the company. The company will review the draft
report and make a formal written response in relation to opinions, issues and
recommendations. The auditor again should work with the company to resolve any disputes in
the findings so that the final report, when issued, is acceptable to all parties. Of course, where
an issue cannot be resolved, the auditor’s findings prevail and will appear in the final version
of the report.
The company’s responses, when finalised, will be added to the draft report, as with any further
amendments by the auditor arising from any consultation about the draft report. The draft
Audit Report is now a final Audit Report and ready for distribution to the company and to
relevant Customs and Excise agency executives.
Section                                                          Ref
Planning                                                         A
Information Gathering                                            B
Analytical Checks and Initial Assessment                         C
Systems Documentation                                            D
Internal Controls – Descriptions, Risk Matrices and Testing      E
Compliance Testing and Control Assessment                        F
Substantive Testing                                              G
Notes:
Preliminary assessment:
Sampling:
size
selection method
period
population size
Logged
Issued
Response
Follow-up
Closed
Company Response:
Follow-up:
Closed:
Sub-system ___________________ Transaction __________________
Description ___________________