Customs - Excise Audit-CCLEC - SG

Centre for Customs & Excise Studies (CCES) CCLEC
Customs & Excise Audit
Study Guide
© Centre for Customs & Excise Studies, University of Canberra, 2009

First prepared in February 2009
Published by the Centre for Customs & Excise Studies
University of Canberra ACT 2601
AUSTRALIA
The Centre for Customs and Excise Studies (CCES), University of Canberra has
developed an academic program leading to an Executive Diploma in Customs
Management for member countries of the Caribbean Customs Law Enforcement
Council (CCLEC).
The program which is to be followed over a period of one year, entails the
following subjects;
Accounting for Managers
Customs Management I
Revised Kyoto Convention I
Intelligence Management in the CCLEC Region
Managing Operational Activities
The study requirement for each subject is 30 hrs through a combination of face to
face and online learning.
Materials development team

Authors: Alan Murray, 2009
Stephen Muller, 2009
Graphic Design: Peter Delgado 2009
Desktop Publishing: Alan Murray, 2009
Copyrighted materials reproduced herein are used under the provisions of the Copyright
Act 1968 as amended, or as a result of application to the copyright holder.
While every effort has been made to contact copyright holders (when relevant), in the
event of accidental infringement, the University of Canberra will be pleased to come to a
suitable arrangement with the rightful owner.
No part of this publication may be reproduced, stored in a retrieval system or transmitted
in any form or by any means electronic, mechanical, photocopying, recording, or
otherwise without prior permission.
This learning package, including its online components, is provided solely for the purpose
of private study and must not be copied or resold or used by anyone not enrolled in the
subject.
Centre for Customs & Excise Studies, CCLEC

2
Introduction
Contents
Bibliography ..........................................................................................6
Topic 1 ...................................................................................................7
Introduction to Customs & Excise Audit ................................................................... 7
What is a Customs or Excise audit?....................................................8

Types of Audit .......................................................................................8
Desk audit approach ................................................................................................ 8
Transaction - based audit approach ....................................................................... 9
Systems - based audit approach............................................................................. 9
Authority to Conduct an Audit .............................................................................. 10
Topic 2 .................................................................................................11
Audit & Risk Management ...................................................................................... 11
Where does audit fit in a risk management plan? ............................12

Topic 3 .................................................................................................13
Alternatives to conducting an Audit ........................................................................ 13
Education Approach ............................................................................................... 14
Support Approach................................................................................................... 14
Certainty & clarity approach.................................................................................... 14
Industry partnership approach................................................................................ 14
Analysis of errors approach .................................................................................... 15
Questionnaire approach ......................................................................................... 15
Bulk mail-out approach ........................................................................................... 16
Topic 4 .................................................................................................17
Use of Sanctions..................................................................................................... 17
Background .........................................................................................18
Retention of Records..........................................................................18
Post-transaction Audit............................................................................................. 18
Use of sanctions .................................................................................18

Topic 5 .................................................................................................21
Selection for an Audit.............................................................................................. 21
Setting the audit objectives and scope .............................................22

Audit Objectives and scope................................................................................... 22
Audit Scope ............................................................................................................ 22
Topic 6 .................................................................................................25
Audit Standards ...................................................................................................... 25
Introduction .........................................................................................26
What are Audit Standards? ................................................................26
Key audit areas to be addressed........................................................................... 26

3
The Engagement: ISA 210 ..................................................................................... 27

Quality Control: ISA 220 ......................................................................................... 27
Documentation: ISA 230......................................................................................... 27
Audit Planning: ISA 300’s ....................................................................................... 27
Obtaining knowledge of the auditee’s business - ISA 310. .................................... 28
Materiality – ISA 320............................................................................................... 28
Internal Controls and Risk Assessment – ISA 400’s. ............................................. 28
Audit evidence: ISA 500’s....................................................................................... 28
Using the work of another auditor: ISA 600’s ......................................................... 28
Considering the work of an internal auditor - ISA 610............................................ 29
Using experts – ISA 620 ......................................................................................... 29
Audit reporting: ISA 700’s ....................................................................................... 30
Topic 7 .................................................................................................31
Audit Techniques .................................................................................................... 31
Introduction .........................................................................................32
Audit risk .............................................................................................32
Inherent Risk........................................................................................................... 32
Control Risk ............................................................................................................ 32
Detection Risk......................................................................................................... 33
Flowcharting........................................................................................33
Introduction to computer assisted audit techniques .......................35
Expertise ................................................................................................................. 35
IT resources............................................................................................................ 35
Cost effectiveness .................................................................................................. 35
Topic 8 .................................................................................................37
Audit Methodology .................................................................................................. 37
Introduction .........................................................................................38
Planning the audit ...............................................................................38
(Refer Stage 1 of the Audit Methodology) .............................................................. 38
What is the auditee’s business? ........................................................................... 38
The Entrance Interview .......................................................................................... 39
Systems verification............................................................................................... 39
The control environment........................................................................................ 39
Analytical procedures ............................................................................................ 40
Materiality................................................................................................................ 40
Testing procedures ................................................................................................ 41
Other considerations ............................................................................................. 41
The Audit Plan document ...................................................................42
Understanding the Business Systems ..............................................42
Identifying and evaluating the company’s controls .........................43
(Refer Stage 2 of the Audit methodology) .............................................................. 43
Testing the company’s controls (Control testing)............................44

4
Introduction

Extent of testing ..................................................................................................... 44
Working papers ...................................................................................................... 45
Testing transactions (Substantive testing) .......................................46
Extent of testing ..................................................................................................... 46
Sampling ................................................................................................................. 47
1. Random selection. .............................................................................................. 47
2. Systematic selection. .......................................................................................... 47
3. Haphazard selection. .......................................................................................... 47
4. Block selection.................................................................................................... 47
Working papers ...................................................................................................... 47
Dealing with issues identified during the audit ................................48
Audit reports .......................................................................................49

Conclusion .............................................................................................................. 50

5
Bibliography
Centre for Customs & Excise Studies (2005), Generic Systems based Audit Methodology,
Canberra.
Federal Financial Institutions Examination Council (2003), Risk Assessment & Risk
Based Auditing Booklet, Washington. Copy available on FFIEC website
<http://www.ffiec.gov/ffiecinfobase/booklets/audit/ >
Flow Charts < http://deming.eng.clemson.edu/pub/tutorials/qctools/flowm.htm >
ICA Australia & CPA Australia (2004) Auditing and Assurance Handbook, Pearson
Education, Australia.
ICA Australia & CPA Australia 2004, Auditing and Assurance Handbook,
Pearson Education, Australia.
Industry Panel on Customs Audit Reforms (1995) Looking to the future – Compliance
Improvement, Canberra.
Institute of Chartered Accountants in Australia & CPA Australia (2004), Auditing and
Assurance Handbook, Technical editors Kemp, S and Knapp, K, Pearson Education,
Australia.
International Federation of Accountants 2004, International Standards on Auditing (ISA).
A copy is available on the IFAC website <http://www.ifac.org/store>
Massachusetts Dept of Revenue, Audit Division Advice to tax payers. A copy is available
on website <http://www.dor.state.ma.us/audit >
World Customs Organization (1999), Revised Kyoto Convention on the Simplification
and Harmonisation of Customs Procedures, Brussels. A copy is available on the WCO
website
<http://www.wcoomd.org/ie/En/Topics_Issues/FacilitationCustomsProcedures/Kyoto_New/C
ontent/content.html >
World Customs Organization 1999, Revised Kyoto Convention on the simplification and
harmonisation of Customs procedures, WCO, Brussels
World Customs Organization 2004, A National Valuation Database as a risk assessment
tool, Brussels <
http://202.121.31.31/cwco/english/files/reference/Letstalk1GB.pdf >
World Customs Organization, Brussels web page: <http://www.wcoomd.org>

6
Topic 1
Introduction to Customs & Excise Audit
What is a Customs or Excise audit?

In this topic we will examine the definition and role of audit in the Customs and Excise
compliance management environment.
We are all familiar with Customs and the role of Customs agencies in terms of border
management, industry protection and revenue management, and of the Excise duties
levied on various locally produced commodities in most economies. So what is audit?
The definitions of audit are many.
The Australian Audit Standards (ICA 2004), which are consistent with the International
Standards for Audit, define an audit as a ‘service’ to ‘provide a high level of assurance’.
These services can include ‘systematic examination using audit based skills’ where such
skills would involve ‘analysis of financial information, knowledge of internal control
structures, problem solving, risk assessment, sample selection, and knowledge of
accounting standards’.
It is important to note the definition of assurance. Within the relevant Australian Standard
- Standard AUS 104 - assurance means the ‘satisfaction as to the reliability of information
provided’. Audit can then be summarised as a process that allows for determining the
reliability of any information that is being provided by an entity.
Returning to the Customs and Excise environment, perhaps a useful definition can be
found in a report prepared after an external review of the Audit procedures of the
Australian Customs Service in 1995 (Industry Panel on Customs 1995). It defines
assurance as:
An evaluation of industry practices and records to assist in forming a
judgement about the integrity of information supplied to Customs and, in
turn, the level of compliance with legislative requirements.
Activity 1
Definitions
Turn to the ‘glossary’ or ‘definitions’ area of either the International Standards for
Audit, or your local Audit Standards. How do the definitions of audit and assurance
differ from those used in your own workplace?
Please post your findings in the Moodle Activity 1 Forum Page..
Types of Audit
There are a number of different audit approaches available to the auditor. The nature of the
risk identified when selecting an importer, exporter or excise manufacturer for audit should
set the type of approach required. There is no ‘set’ rule on the type of audit approach to be
used and in this Section we will look at the differing approach options, including the simple
‘desk audit’, the ‘transaction based audit’ and the ‘system - based audit’.
Desk audit approach

Desk audit can be used when an unusual transaction has been made, perhaps a transaction
that is well outside an established, or normal pattern, for a particular importer, exporter,
or excise manufacturer.
This approach may include establishing simple contact with the company making the
transaction, and asking them to provide certain additional information to support the data
declared in the transaction.

8
Topic 1: Introduction to Customs & Excise Audit
It may be an electronically lodged import declaration in which the valuation appears

unusually low for the importer or the type of goods imported. The auditor may request
inspection of any commercial documentation to support the value, such as invoices,
contracts, and trade catalogues. Likewise, an excise manufacturer may have unusually
large operational losses one month, in which case the auditor may ask for an explanation.
A satisfactory response will return the importer or excise payer to the lower level of risk;
however, an unsatisfactory explanation may elevate the risk status and result in a new
approach, most likely some field audit work.
Desk audit, to be successful, does require a system where these relevant transactions are
regularly monitored, and anomalies quickly identified.
Transaction - based audit approach

Transaction - based auditing comprises the testing of transactions of an entity which may
have come to the notice as a risk.
This audit approach could be used on a small importer, or small project, or small system
where it is possible to test all transactions. The approach may also be used on a medium
to large importer or excise payer, or a project or system where a focussed risk area has
been identified.
The transaction - based audit approach involves the verification of any information
provided by an entity, by referral to all available related documentation. For example, in
the Customs import context, to ensure that the relevant fields on the import declaration
had been accurately reported to Customs, auditors would be comparing, say, import
declarations against documentation such as:
company purchase orders
buying or selling contracts
supplier’s invoices
bills of lading/airway bills
bank statements, guarantees, or transfers.
The identification of an error, or several errors during a transaction based audit could
mean there are systemic problems in the preparation of information about customs or
excise matters. The auditor may need to recommend a systems - based audit approach,
especially for larger entities, to review the systems and controls which produce the
information. The auditor may also need to determine whether others may be making the
same errors in the industry, or other areas of Customs
Systems - based audit approach

Systems - based audit is a move away from the testing of large numbers of individual
transactions in order to gauge compliance by seeking assurance over the systems which
create those transactions. The Systems - based audit approach involves understanding the
business systems and, importantly, testing the internal controls in those systems which
have been developed to ensure compliance.
Systems - based audit is the most efficient way to gauge the compliance levels of a large
business that has a large number and often complex number of transactions. A Systems -
based audit approach is not appropriate, however, for smaller businesses, or businesses
where the auditors can have little or no confidence in the internal controls, e.g. a family
owned and managed company.

9
We will spend the remainder of this course focussed on the conduct of a Systems - based
audit.
Authority to Conduct an Audit

In order to conduct a Customs or Excise audit, the auditor needs to be able to have access
to people and information relevant to the activities being audited. Customs and Excise
law generally provide legislative powers for Customs and Excise Auditors to be able to
perform the following types of basic functions:
enter business premises
inspect relevant records and take copies
access computer files and download data
ask questions of managers and staff
draw samples and take these away for scientific analysis.
There may also be conditions or requirements upon the auditor, and these could include:
written notice in advance of intended audit
authorisation of auditors to conduct audits
identification by auditors
time limits on records to be examined.
Activity 2
Short Research Project
Thinking of your own jurisdiction – what legislation exists to support Customs or
Excise Audit activity? What restrictions are there upon Customs or Excise Auditors?
Please list the important legislative references and provide a brief outline of each.
Please post your findings in the Moodle Activity 2 Forum Page.

10
Topic 2
Audit & Risk Management
Where does audit fit in a risk management plan?

This topic will examine where audit fits in managing risk in the Customs and Excise
environment, building on from Topic 1 where students looked at the different audit
approaches. Importantly, the topic introduces students to some alternative approaches to
treating risk outside of the use of audit, and the understanding that in some situations
there are more effective and efficient approaches to managing compliance.
Readings 1 & 2
WCO 1999, Revised Kyoto Convention General Annex Guidelines Chapter 1, General
principles, paragraph 4 Co-operation with the Trade, Brussels.
WCO 1999, Revised Kyoto Convention Chapter 6, Customs Control Guidelines,
paragraph 9 Customs/Trade Co-operation, Brussels.
Audit is a response by Customs and Excise agencies to the risk of importers and excise
manufacturers failing to comply with various reporting, clearing, licensing and duty
payment obligations. It is a risk treatment, where risk has been assessed as requiring an
intervention by the Customs or Excise authority.
The use of audit can extend beyond the importer, in the case of imported goods, brokers,
agents, and freight forwarding operations, likewise to the suppliers of raw materials to
excise manufacturers.
Audit can also be used to support key trade facilitation initiatives such as ‘self
assessment’ and ‘post transaction compliance’, both of which ensure that imported cargo
and excisable goods are moving efficiently in to, out of, and around the country.
Customs and Excise audit, especially when aimed at systems and controls, is also a means
of recommending to an importer or excise manufacturer ways in which compliance can
be achieved or improved in the most efficient manner. Audit can and should add value to
an auditee’s business.
The Customs and Excise audit report, along with an importer’s, exporter’s, or excise
manufacturer’s own internal and external auditing results, provides an excellent resource
for company managers in understanding the performance of their business.
Activity 3
In your opinion how does a Customs or Excise Audit fit into a risk management plan?
Please post your comments in the Moodle Activity 3 Forum Page.
Reading 3
WCO 2004, A National Valuation Database as a risk assessment tool, Brussels.

12
Topic 3
Alternatives to conducting an Audit
Audit may not always be the best or the most appropriate response to risk. Audit activity,
particularly systems based approaches or transaction based approaches with large sample
sizes, can be timely and costly exercises. This is not just the case for the Customs or
Excise agency; audit activity is also very intrusive and resource intensive for the client.
Often the risk being treated does not warrant a full audit response, whilst in other cases
the risk may have been created by changes to Customs and/or Excise law or
administration, or by a Ruling that has created confusion or uncertainty within an
industry.
Education Approach
Sometimes errors can occur because the importer or excise manufacturer only partially
comprehends their legislative or administrative obligations. Whilst ignorance of the law is
not an acceptable excuse for error, it is understandable in an environment where the law
has recently changed or is unusually complex or, alternatively, vague or subject to
multiple interpretations.
The education - based approach sees Customs and Excise agencies becoming more pro-
active in disseminating detailed information to relevant parties as to their responsibilities
and obligations in certain areas. Production of booklets, web pages, resource links, etc -
making available appropriate information and materials, can reduce risk of errors by the
uninformed or confused.
Support Approach
One question agencies can ask in relation to compliance is ‘how easy is it for the entities
you audit to gain access to information and assistance about their responsibilities and
obligations?’ Customs and Excise agencies cannot give direct advice to an importer or
excise manufacturer about a consignment they have imported, or a product they have just
produced as this may jeopardise future compliance or litigation activity but they can give
general advice and guidance.
As with the education - based approaches, agencies can produce information booklets,
web pages, and resource links, to assist industry understand compliance obligations. The
support approach will also include creation of telephone and e-mail help-lines, where
importers and excise manufacturers can take specific compliance queries. The purpose is
that, rather than ‘guess’ if left on their own to comply, the importer or manufacturer will
turn to the support offered.
Certainty & clarity approach

It is easier to comply, or easier to get it right, when the legislation or administration is
simple to work with. In order to provide a legislative and administrative environment that
is clear and certain, the following aspects need to be present:
‘Plain speak’ drafting of legislation, administrative rules and processes
consistency in applying Customs and Excise law, and in relevant decision - making
binding rulings, interpretations and other decisions, which are freely available
simplification of declarations, forms and other requirements where possible
clear and timely announcements of changes to legislation or industry requirements.
Industry partnership approach

Industry partnerships can be made on three possible levels: with representative bodies of
industry groups; with industry advisor groups such as accountants and lawyers; and with
individual importers and excise manufacturers.

14
Topic 3: Alternatives to conducting an Audit
Customs and Excise agencies would be seeking a high level of compliance from an
industry so that they can focus resources away from that industry into higher level risk
industries. The benefits to industry from such a compliance partnership are that the
industry receives minimal intervention from Customs and Excise agencies and increased
certainty over business operations, with resultant gains to productivity and efficiencies.
Customs and excise agencies could develop advisor partnerships with professional
advisor groups such as: industry consultants, industry associations or industry peak
bodies, tax payer associations, freight forwarders, customs brokers, and lawyers, all of
whom have detailed knowledge of Customs and Excise laws. In this type of partnership,
Customs and Excise agencies can seek input into decision making, of specialist
knowledge of laws, of industry, and of industry issues. At the same time professional
advisors are attracted to these relationships because they also have access to information
to increase their own knowledge, they can influence policy development, and they are
able to market to the industry their role and relationship with Customs and Excise policy.
Partnerships can also be made with individual importers and excise manufacturers to
cover performance expectations. Whilst Customs and Excise agencies should be able to
expect a high level of compliance from a company in partnership, such a company could
expect from the agency a ‘hands-off’ compliance program, such as monitoring, allowing
it to get on with business with certainty and security. The incentive to remain at the
expected high level of compliance is the benefit of having Customs and Excise managing
compliance in such a ‘hands-off’ manner.
Analysis of errors approach

This type of approach is best used in conjunction with the industry or professional advisor
partnership and education - based approaches. The approach involves capturing data from
various compliance activities, and analysing the type and nature of errors being detected
and volunteered.
Customs and Excise compliance staff are specifically looking for patterns in error -
making and trying to understand what is behind those errors. From there, it is a case of
devising the most effective means to target, inform and prevent future occurrences of
these types of mistakes.
For example, valuation of motor vehicles and inclusion of warranty cost components may
be showing as a trend from recent audit activity of the motor vehicle import industry.
Using its partnerships with industry and professional advisors, details of the errors and
preventative steps can be quickly communicated to the entire motor vehicle import
industry.
Questionnaire approach
This approach involves the sending of a pre-designed questionnaire relating to a
particular risk issue. This approach also reminds recipients that Customs and Excise
authorities have an interest in the company’s operations even though they might not have
had a visit for some time.
A questionnaire, to be completed and returned, will ask recipients several questions about
their activities, such as:
What is the volume of trade?
What is the description of goods being imported or manufactured?
How have certain goods been classified?
What costs have been included or excluded from the value for duty?
What is the nature and amount of production losses?

15
Are licences and permits current?

Responses can be verified against information held about the company, or against
expected answers, with a view to determining current risk levels and possible further
compliance activity. Responses can be filed for future audit or compliance activity.
Bulk mail-out approach

This approach could be used to target a specific industry or industry sector, for which
there is a need to address an identified risk. All importers or excise manufacturers within
that industry or industry sector could be contacted in the bulk mail-out with the message
that Customs and Excise agencies will be focusing a compliance effort in the sector. It
may be a broad message about compliance levels generally, or it may single out a specific
risk area on which a future compliance would focus.
For example, a mail-out could be sent to all petroleum refineries to indicate that the
petroleum industry will be subject to a comprehensive compliance program in the
forthcoming year. Alternatively, the message could be more targeted in that Excise
compliance efforts will be focused on the delivery of duty free or duty exempt petroleum
products.
The mail-out may be used in conjunction with an audit program, or may be used simply
to remind the industry of Customs and Excise responsibilities. Ideally, such mail-out
activity will lead to in-house examination of records in anticipation of an audit and, where
applicable, voluntary disclosure of any underpayments.
Activity 4
Alternative to an audit
As part of your National Audit Plan, your auditors have targeted the IT sector which
includes over 100 importers. After auditing 4 high volume import companies in this
sector your auditors found systematic mis-classification of computer parts. The
auditors believe the errors are not deliberate and occurred as a result of the complexity
of the HS structure at the sub-heading level. Further desk audits of 15 other importers
in the sector tend to indicate similar HS classification errors are occurring there.
Your manager does not want to audit every importer in the IT sector. Propose an
alternative solution that will recover the revenue short paid.
Please post your solution in the Moodle Activity 4 Forum Page.

16
Topic 4
Use of Sanctions
Background
Customs laws can be quite complex, as we have seen in relation to a variety of topics
over the last few months. They can often lead to disputes about the correct amount of
duty to pay or even about the right to import or export particular goods. A specific
characteristic of the international trading environment and the role of Customs is that
relevant information to do with the import or export of goods is usually in the sole
possession of the importer/exporter and/or their broker. For that reason, many Customs
laws establish and apply strict penalty provisions (that is, penalties that don’t require a
fault element in the offence).
In order to accurately determine duties payable and to prevent avoidance and evasion,
there needs to be a balance of rights and obligations between traders and Customs
administrations. From a policy perspective, Customs officers need to have powers that
enable them to determine compliance (for example, access to relevant information).
Similarly, penalties need to be available in appropriate circumstances, or there would be
little incentive for traders to take care in making timely and accurate declarations. On the
other hand, if such powers are too broad and unconstrained, they add significant costs to
the international trading process.
Retention of Records
Any self-assessment system that relies on post-transaction audit must include a
requirement that necessary documents are kept by traders and their agents for access by
Customs officers. Such documents might include contracts, faxes, invoices, bills of
lading, packing lists, and the like.
The requirement to retain such records will usually indicate that it is necessary ‘to enable
Customs to ascertain the correctness of the particulars shown in the entry’ and of course
the retention requirement doesn’t necessarily mean that the documents have to be kept in
‘hard-copy’ format. Electronic retention will be satisfactory provided that there is ease of
access, and the transaction can be reproduced from the electronic record.
Post-transaction Audit
Customs uses post-transaction audits to examine relevant records and reconcile them with
the information contained in customs declarations and in relation to the goods
themselves. It allows Customs to check compliance subsequent to release of the goods
and facilitates trade flow.
Since the post-audit process covers an extended period of time and not just the specific
importation, it is a more efficient and thorough method of verifying compliance with
Customs-related laws than the review and clearance of individual importations.
As mentioned, they are conducted to determine whether commercial records can be
reconciled with Customs records. If an audit reveals a suspected violation of law, the
matter will be turned over to investigators for action.
Use of sanctions
The use of sanctions, or threatened use of sanctions, can be used for the purposes of
encouraging compliance, or discouraging non-compliance. Sanctions can be in the form
of a series of appropriate administrative penalties for careless and other non-intentional
errors, and include:
financial penalties relating to size of error

18
Topic 4: Use of Sanctions
cancellation of licences and permits, or tight conditional use of licences and permits
impoundment of goods
naming and shaming to industry and consumers
removal from self assessment: where appropriate, prepayment of duties; release of
goods only on application, prior to delivery; or withholding of goods until risk is
mitigated via examination of commercial documents, prior to the transaction.
The use of these types of administrative penalties is primarily for errors which are non-
intentional by nature. Where the compliance officer believes there has been recklessness,
or a deliberate mis-statement to Customs or Excise, then these issues are dealt with via
formal investigation and, where applicable, litigation through the Courts.
Activity 5
Commentary – Self-assessment and strict liability
Source: The trend in revenue control worldwide is to move away from direct consideration
Pryles, of each and every taxpayer’s document and instead, move to self-assessment
Waincymer regimes…and is also now the basis for import control. The essence of self-
& Davies assessment regimes is to put the onus on the importer/taxpayer to accurately assess
2004, p. 961
duty, provide audit powers to customs to meaningfully verify a representative
sample of entries, and impose strict liability and criminal penalties for inaccuracies
in importers’ returns……
The justification for this approach is that the key data is within the control of the
importer. Customs officers sitting in their offices cannot easily see which entries
are accurate and which are not. To properly audit an entry, it is necessary for
officers to at times visit the premises of importers and examine shipping and
banking documentation. Strict liability penalty provisions ensure that all importers
and their advisors spend time and effort ensuring that their conclusions are as
accurate as possible.
On the other hand, such developments are often criticised by taxpayers on the basis
that it shifts the transaction costs of revenue collection to them. Furthermore, strict
liability penalties are considered particularly offensive where some errors are
unavoidable where there are complex documents and a large turnover of
transactions in any year. Once again, there needs to be some happy medium
between these valid competing concerns. One means of effecting some compromise
is to allow for remission of penalties in certain circumstances and advance rulings
in areas where importers are unsure of the true position. These are features of the
new customs regime.
Consider the two positions in the above extract and post your answer in the
Moodle Activity 5 Forum Page.

19

20
Topic 5
Selection for an Audit
Setting the audit objectives and scope

An importer or excise manufacturer may have been selected for audit for many varied
reasons, but generally each reason will in some way be linked to the level of risk posed
by the company. A company may appear on a Customs and Excise annual compliance
plan for auditing, for the following types of reasons:
a very significant duty payer has not been visited for some time
the last audit left several outstanding issues to be followed up and remedial activity
to be undertaken
monitoring of performance, e.g. duty payment, losses, use of concessions, refunds,
indicates that established patterns and trends within the company, or between the
company and the industry, are altered to the point that revenue is at risk
there have been changes to legislation or administration within the industry the
company operates
there has been adverse information or intelligence relating to the operations of the
company
the industry as a whole, in which the company operates, has come to notice as a
significant risk of non-compliance.
The reason for the importer or excise manufacturer being selected for an audit, will
largely determine the audit objectives and, to some extent, the audit scope or the period
for which the audit will review transactions.
Audit Objectives and scope

The Customs or Excise audit will need to address the areas of risk that have been
identified, and these areas of risk will establish audit objectives. Excessive annual
liabilities in customs or excise duty puts a company on an ‘audit cycle’ with other
significant payers poses a risk: audit objectives will probably be broad, for example,
establishing that ‘duty payable has been paid and is compliant with al other appropriate
legislation’.
A company with deviations from expected operations, as detected by monitoring and
analysing data such as duty payments, declarations, operating statements and returns, may
attract a more focused set of audit objectives, for example; determining that ‘All goods
delivered under duty free or duty concession provisions are entitled to such concessional
treatment’.
It is important to identify and document audit objectives right at the commencement of
audit planning. This way the Customs and Excise auditor can stay focused on issues such
as the information to gather; the systems to be identified; the relevant controls; and the
nature, and location or resting.
Audit Scope
Audit scope simply relates to the period of time the Customs and Excise audit will cover.
The audit scope could include financial year, calendar year, half year, quarter, or month.
Together with the audit objectives, all parties can be aware of the time frame for the
audit. For example, ‘acceptability of manufacturing losses for financial year 08/09’
indicates that at the completion of the audit, the Customs and Excise auditor will be
forming an opinion as to whether the auditee’s losses for production runs between 1 July
2008 and 30 June 2009 were within relevant legislative or administrative rules.

22
Topic 5: Selection for an audit
Like audit objectives, audit scope may often be set by the initial reasons for audit
selection. The same monitoring and analysis of industry data can often highlight those
points in time at which an importer or excise manufacturer began to show signs that
‘things weren’t right’. The start of an unusual or unexpected pattern, or a period of time
in which data were not normal, should be fully incorporated within the audit scope.
Again it is important to identify and document the audit scope at the commencement of
audit planning. Audit scope will also assist in estimating audit populations (or total
transactions to come under the audit) and sample sizes, again important in determining
issues such as audit testing.
Audit objectives and the audit scope are to be set out clearly for the importer or excise
manufacturer subject to audit, and this is done in both initial correspondence in which the
company is advised of the intention to conduct the audit, and in the Entrance Interview.
Case Study
Audit Objectives and Scope
Source: The Australian National Audit Office conducted a performance audit in the Australian
ANAO Customs Service in 2005 titled Customs Compliance Assurance Strategy for
webpage International Cargo. The report stated clearly the objectives and scope of the audit:
<http://www.
anao.gov.au/u The objective of the audit was to assess the administrative effectiveness of the Customs
ploads/docum Compliance Assurance Strategy. The audit focused on the following key areas:
ents/2005-
06_Audit_Re targeting non-compliance
port_18.pdf>
real time compliance activity
post transaction compliance activity; and
planning and performance evaluation.
[The scope was then limited by the following statement.]As the imports phase of the
Integrated Cargo System (ICS) was only introduced in October 2005, this system was
not reviewed as part of the audit. Our audit programme for 2005–06 includes ICS as a
potential audit topic.

23

24
Topic 6
Audit Standards
Introduction
This topic will introduce students to the International Standards on Auditing and how
these relate to auditing standards within their own jurisdiction. This topic will outline
those auditing standards most relevant to the conduct of a Customs or Excise audit, and
identify aspects of those standards to which Customs and Excise auditors should adhere
so that their audits are considered both professional and creditable.
Reference Material
International Standards on Auditing (ISA) or local Audit Standards complying with ISA.
Available on IFAC website
<http://www.ifac.org/Members/DownLoads/2008_IAASB_Handbook_Part_I-
Compilation.pdf >.
What are Audit Standards?

Audit standards govern the work of auditors. They set out the principles and procedures
to be followed throughout all stages of the audit.
International auditing standards are developed through the work of International Auditing
and Assurance Standards Board (IAASB), a standing Board of the International
Federation of Accountants (IFAC). Accounting bodies all over the world, as members of
IFAC, develop local auditing standards to cover the topics in international standards, and
comply with those standards.
Activity 6
IFAC
Does your country have a professional organisation which has membership of IFAC? If
so, what is it called?
Consider the two positions in the above extract and post your answer in the
Moodle Activity 6 Forum Page.
Key audit areas to be addressed

The main headings found within the ISA include the following:
introductions (ISA 100s)
responsibilities (ISA 200s)
planning (ISA 300s)
internal controls (ISA 400s)
audit evidence (ISA 500s)
using the work of others (ISA 600s)
audit conclusions and reporting (ISA 700s).
Many of the standards under each of these headings are largely applicable to annual or
regular external audits of financial statements. However, equally many are directly
relevant to the conduct of any audit, including those conducted to ensure compliance with
Customs and Excise laws, and compliance with reporting and paying Customs and Excise
duty liabilities. We will now look at the content of some of these relevant standards to
provide an indication of the kinds of expectations required of Customs and Excise

26
Topic 6: Audit Standards
auditors to ensure their work and their findings can be considered both professional in
standard and creditable under any scrutiny.
The Engagement: ISA 210

The standards as they apply to engagements relate primarily to the acceptance of an audit
assignment by a private accounting / auditing company. However, of significance to any
audit is the fact that there should be some understanding and agreement put in writing as
to the intended scope and objectives of the audit. All parties to the audit should have
clarity and certainty as to why the audit is being conducted, how it will be conducted and
for what period of time.
For example, the audit will examine customs duty payments for the financial year 02/03,
with the objective of determining whether all duties payable were paid and paid within
prescribed periods. Or a more focused example may include: an examination of all losses
from the packaging of excisable beer for the first quarter 2004, with the objective of
determining whether all such losses were permissible and have been properly accounted for.
Quality Control: ISA 220

Quality control is applied at two levels – by the agency over its own operations, and by
the agency over the conduct of individual. At the Customs and Excise departmental level,
the agency should ensure the following aspects are considered prior to the
commencement of an audit:
independence, in particular that there are no financial, emotional or family
relationships between audit team members and the auditee
qualification of audit staff, particularly those in key roles, to conduct such audit
activities
adequate supervision.
In terms of the individual auditor level, the following structures should be in place and
occur throughout the audit as appropriate:
allocation of resources against audit plan
review of delegated work for performance and consistency with audit program
resolution of any audit issues as they arise
monitored outcomes.
Documentation: ISA 230

All matters contributing to the auditor’s overall opinion of compliance, or any evidence to
support this opinion, should be captured and filed in audit working papers for review.
Audit papers should incorporate the following:
a record of planning
the testing that has been undertaken, including what is tested, how it is tested and
sampling procedures
results from testing
audit conclusions.
Audit Planning: ISA 300’s

The Audit Plan is the key to an effective audit.

27
The Audit Plan is the output from audit planning and is a document bringing together
audit scope and objectives, matters for consideration, and a program of the procedures to
implement the Plan. Audit planning involves several key stages, each covered by
individual audit standards.
Obtaining knowledge of the auditee’s business - ISA 310.

The audit standards require the auditor to gain business knowledge sufficient to be able to
identify and understand the events, transactions, and practices which may have a
significant effect on the audit, or audit report.
Materiality – ISA 320

As well as forming an initial judgement about the level of risk, a judgement about
materiality is required for the Audit Plan. Materiality can be defined as being:
information which if omitted, misstated, or not disclosed has the potential to
adversely affect decisions…(Aus 306)
Materiality will affect the Audit Plan in terms of the nature of the testing to occur. For
planning purposes, materiality can be measured either, as ‘quantitatively’ e.g. dollars or
percentages, or ‘qualitatively’ e.g. inadequate or weak policies, or lack of integrity. This
will be determined by the nature of the auditee’s business and the expectations of agency
in its compliance responsibilities.
Internal Controls and Risk Assessment – ISA 400’s.

The Audit Plan also requires the auditor to gain an understanding of the internal control
environment and to have begun forming an opinion as to their level of confidence in the
auditee.
The ‘control environment’ can be defined as the management’s attitude and actions
towards controls (Aus 402).
Audit evidence: ISA 500’s

The standards require audit evidence to be ‘sufficient’ and ‘appropriate’ to support the
audit opinion. Audit evidence can be described as the information by which the auditors
came to their conclusions in order to provide their audit opinions.
It will comprise copies of documents, records, and other information from the auditee;
information from within the Customs or Excise agency such as duty payments, refunds,
production statements; and other internal or external documentation analysed by the
auditor. Audit evidence is also generated during the audit itself - for example, audit
working papers relating to observations, interviews, and tests performed.
Using the work of another auditor: ISA 600’s

Can Customs and Excise auditors use the work of another auditor – most likely the
auditee’s own internal auditor, or external auditor at year-end sign off of financial
statements? The answer is ‘Yes’, within the standards, as long as certain issues can be
clarified, such as:
Was the auditor independent (see ISA210, ISA220)?
Was the auditor competent (see ISA 220)?
Can you review the audit evidence?
Are your initial views different?

28
Considering the work of an internal auditor - ISA 610.

Internal audit can be defined as:
An appraisal activity within an entity as a service to the entity. It is
independent within the entity and its functions include … examining
evaluating and monitoring the adequacy and effectiveness of the internal
control structure (Aus 610).
Internal audit and some specific audit engagements form part of the internal control
structure of an entity and if appropriate and relevant, these audit programs may decrease
the auditee’s level of control risk. However, given the greater perceived level of
independence, external audit results take precedence over internal audit or the work of
any other ad-hoc auditors, where these services overlap.
Internal audit has the same objectives as external audit, i.e. seeking a level of assurance
over company operations; however, internal and external audits have different purposes
within the organisation. Internal audit is more a management tool, and there is certainly
reduced independence given that internal auditors are generally the company’s own
employees. There is also a greater possibility of management ‘influencing’ the results of
internal audit before those results reach the Board.
If a Customs and Excise auditor is to rely on internal audit work, then that work should
still be tested to some degree in the actual audit. However, the extent of testing will be
based upon the auditor’s confidence in internal audit, and this can be gauged by asking
the following types of questions:
Were internal audits conducted by trained personnel?
Were the audits properly supervised?
If there were audit conclusions, were these conclusion based on audit evidence?
Are internal audit conclusions consistent with work performed?
Were identified issues raised by internal audit followed up?
These same types of questions could be asked if the Customs and Excise auditor decides
to use the work of an external auditor; for example the audit company conducting the year
end financial statement audit.
Using experts – ISA 620

An expert could mean a person or business with a special skill, knowledge or experience
outside of auditing and accounting. For example, a Customs and Excise audit may need
the expert services of a chemist for classifying chemicals in the tariff, or an Intellectual
Property rights valuer to determine the customs value of certain rights. Experts are used
when the audit could miss some material error without the assistance of professional
knowledge.
When selecting an expert, the auditor needs to ensure that the proposed expert is:
properly certified from a relevant institution or association
currently certified in that certification has not expired
qualified in accordance with professional references
independent (or has no business or financial type relationship with the auditee).
NB: Independence is an important issue in small industry specialisations where experts
are in limited supply. It may be that the auditee has used or intends to use the same expert
at some point.

29
The auditor must always remember that an expert is not an auditor, and so there is a
further need to ensure that:
the audit objectives, scope and expectations are clear to the expert
confidentiality is maintained
the expert is obtaining supporting evidence which the audit can also use
the expert’s work is also being reviewed – by a peer if possible, but at least by the
auditor and audit manager.
Finally, experts have a reputation of sometimes being ‘inconclusive’ and such output
needs to be managed so that their work usefully contributes to the audit.
Audit reporting: ISA 700’s

The standards relating to audit reporting are largely based on providing an audit in
relation to financial statements. However, of note to the Customs and Excise auditor is
that the Audit Report needs to be:
relevant to those who will use the report
reliable, being based on audit evidence
identifying and discussing material issues
issued in a timely fashion
able to be understood by the reader
consistent to allow comparisons.
The actual content, style and format of the Audit Report will be determined by the needs
of Customs and Excise compliance area.

30
Topic 7
Audit Techniques
Introduction
This topic will introduce students to some of the skills that can be applied in systems -
based audits. Possession of these particular types of audit skills will greatly enhance the
effectiveness of any systems - based audit approach.
Audit risk
Managing audit risk is central to the conduct of a professional standard audit. Audit risk
is the risk of the audit failing to meet its objectives and is reviewed primarily during the
audit-planning phase of the audit, in particular where the auditee’s business and business
systems and controls are being assessed. Audit risk comprises three separate components:
inherent risk
control risk
detection risk.
Inherent Risk
Inherent risk is the reason internal controls are designed and implemented. Inherent risk is
sometimes referred to as the ‘business risk’. To understand an inherent risk, a good
question for auditors to ask ‘what could go wrong, or what could happen if there were no
internal controls?’
The sort of factors the auditor needs to consider in determining the level of inherent risk
are:
integrity of management and staff
knowledge and experience of staff
undue expectations of management and staff
nature of procedures – manual, automated, many transactions, complex
transactions, etc
nature of the industry – competition, regulations, level of duty rates, and import
tariffs.
The auditor is looking to make, and indeed is required to make, an early assessment to
whether the inherent risk of the auditee is high, medium or low.
Control Risk
Internal controls are those procedures (and policies) additional to creating a control
environment designed to prevent errors, omissions, mis-statement, and fraud.
Internal controls can be described as either:
preventative – to stop errors occurring
detection – to find errors if they have occurred.
Control risk relates to how effective the internal controls are working, the internal
controls being those procedures designed by the business to mitigate the inherent risk.
Again the auditor needs to be asking – ‘are the internal controls working properly, and are
they effective in preventing or detecting the relevant errors?’
Assessment of control risk can be made from:

32
experience of the auditor

knowledge of the auditee
knowledge of the systems used by the auditee
review of manuals, policies and procedures documents
analytical procedures
observation of controls being performed.
As with inherent risk, the auditor is looking to make an assessment that control risk is
high, medium or low.
Detection Risk
The aim in determining initial views of inherent and control risk is to find an acceptable
level of detection risk.
Detection risk – is the risk that material errors, omissions, mis-statement, or fraud will not
be detected by the auditor’s substantive testing (Aus 402).
An acceptable level of detection risk needs to be established, so that testing can be
devised accordingly. Detection risk levels are determined by reference to inherent risk
and control risk. For example, where control risk and inherent risk are both high, only a
low level of detection risk is acceptable – the audit will have a heavy focus on substantive
testing. Similarity; where control risk and inherent risk are low, a higher level of
detection risk is acceptable – the audit can be completed with less testing required.
Reading 4
Federal Financial Institutions Examination Council 2003, Risk Assessment & Risk Based
Auditing Booklet, Washington. Available on FFIEC website,
<http://www.ffiec.gov/ffiecinfobase/booklets/audit/audit_03_risk%20ass_rb_audit.html
>.
Flowcharting
Flowcharting can be the most efficient means of describing larger more complex business
systems, including the internal controls. Flowcharting allows the auditor to break down a
business process into individual events, allowing for easier analysis of issues such as risk.
It is most likely that an auditor will need to create several flowcharts during the audit –
one for each business system relevant to the audit. Once drafted, however, the flowchart
will be in place for all future audit activity and, importantly, future auditors. Although
potentially quite time-consuming in the first instance, subsequent audit activity will be
greatly enhanced in terms of efficiency, with future auditors needing only to confirm
there have been no changes to the system flowcharted since the previous audit.
The process of flowcharting involves the use of universal symbols designed to represent
each type of usual business event. ‘Flow lines’, indicating the order in which each event
occurs, subsequently join individual events.
New business events and transactions are continually being designed to reflect the
changes to technology and business processes, and symbols are similarly being created to
reflect these changes. For example, flowcharting now recognises ‘connect to internet’ and
‘download from internet site’.
Flowcharting software is available from many different suppliers. Flowcharting symbols are
also available on basic or common presentation programs such as Microsoft PowerPoint.

33
Let’s look at some of the more common flowchart symbols in use.
Start/end of Step or action

process taken
Decision
Connection
Input or Document created

Output
Flow line Multi-copies of

document

34
Activity 7
Create a flowchart
Create a flowchart to describe filling your car with petrol.
Your start point should be the ‘low fuel’ warning light. Your finishing point is driving
off from the petrol station.
Record tour findings in your personal notebook.
Introduction to computer assisted audit techniques

It is now widely recognised that IT systems are central to an organisation’s accounting
and reporting procedures. Today, many significant internal controls to the audit operate
‘inside’ automated computerised processes, and audit techniques need to test these
controls in an effective manner. Some of these techniques include ‘computer assisted
audit techniques’, or CAATs.
CAATs have the capacity to greatly enhance efficiency and effectiveness of the audit.
CAATs can also assist the auditor with tools that can be used to:
select audit samples
perform control tests – e.g. determining who signed into IT system and when,
overriding of controls, testing functions
select transactions and re-calculate for substantive testing
conduct analytical procedures – comparing data; and
assist the auditor where there is a lack of manual records, or an overwhelming
number of manual records (also held electronically) to test.
CAAT programs can be designed by the audit team, if the team has the necessary
expertise. Otherwise CAAT programs can be purchased ‘off the shelf’ and will generally
come with relevant training, user manuals and ‘help desk’ support.
Before utilising a CAAT, there are several considerations for the Audit Manager:
Expertise
Does the audit team have IT expertise to:
design or run the CAAT program
find and extract the data from the auditee’s IT systems
analyse the results.
IT resources
Are there sufficient IT related resources for the audit team to run the CAAT program? As
a minimum the audit team will require a Laptop / Notebook or PC with sufficient
memory to run a CAAT program, and to manipulate large amounts of data.
Cost effectiveness
There are benefits to operating a CAAT program and these benefits can include:
access to more transactions in large audit population

35
larger sample sizes if desirable

reduced likelihood of human error in actual testing
enhanced analytical procedures.
These benefits then need to be compared with the following issues for the audit manager:
costs – IT equipment, time to design or set up CAAT, possible technical support,
etc
size of auditee - risk levels and numbers of transactions
ease and availability of manual records.
In some cases in may be simpler and more cost effective not to pursue use of CAATs.
The audit documentation should describe the relevant use of CAAT, with the following
information recorded in the audit working papers:
the reason for using CAATs and what were they used on – controls, transactions, or
both
details of the tests performed by the CAATs
the audit evidence produced by the CAATs.

36
Topic 8
Audit Methodology
Introduction
This topic will outline a generic systems-based approach to conducting audit.
Accompanying this module is a generic systems-based audit methodology for students to
work through. Each section of this module relates to, and serves to guide students
through, the relevant component of the methodology. This module also introduces
students to output of the audit, including working papers and audit reporting.
Reading 4
CCES 2005, Customs & Excise Compliance Audit Methodology, Canberra.
Each component of this Module has been cross referenced with the relevant stage of
the audit within the methodology.
Planning the audit

(Refer Stage 1 of the Audit Methodology)
The Audit Plan is the key to an effective audit. The Audit Plan is the output from this
stage of the audit and is a document bringing together areas such as:
audit scope and objectives
matters for consideration
a program of the procedures to implement the Plan.
What is the auditee’s business?

Audit standards require the auditor to obtain knowledge of the auditee’s business
sufficient to identify and understand the events, transactions, and practices which may
have a significant effect on the audit, or audit report.
There are numerous ways in which this knowledge can be gained. As a guide, the
following are useful source documents for the auditor to obtain in relation to the auditee’s
business operations:
policy documents and Procedure manuals
files and past historical records
newspapers, trade journals, customers, suppliers
stock Exchange announcements.
In addition, the auditor may find it useful to visit the site and talk to people.
Activity 8
Information on Importers and Excise Payers
What other information is readily available about an importer or excise payer who you
may need to audit?
Your answers should be included on the relevant audit working papers as per the audit
methodology.
Post your answer in the Moodle Activity 8 Forum Page.

38
Topic 8: Audit Methodology
The Entrance Interview

After completion of information gathering within the office, it is time to start gathering
the necessary information from the auditee. This is performed ‘on site’ at the auditee’s
business premises, and commences with a formal ‘Entrance Interview’ between senior
management of the relevant Customs or Excise compliance area, and the auditee. The
objectives of the Entrance Interview would include:
building a relationship between audit management and company management
confirming audit scope, nature of audit objective, timetables, and any other
administrative issues;
raising any concerns about the business from information gathering to date,
including previous audit activity
allowing the auditee to volunteer any areas of concern or potential concern.
Systems verification
Once the nature of the business is understood, it is time to gather information about the
business systems. Has the company been audited previously? If so, there may be an
existing description of the relevant business systems on Departmental files, or held by the
business itself.
If existing systems descriptions are in existence, the auditor simply needs to ask whether
there have been any changes to those systems since they were documented – and if so,
have these changes been included in the system description? Importantly, have there been
any other factors that require systems to be updated, for example changes to legislation or
administrative arrangements?
If no systems documentation exists, or if unreliable systems documentation exists, then
the business systems may have to be documented by the auditor. Systems documentation
is discussed in detail in the following section; however, there are a number of options for
documenting a system; these include:
flowcharting (see Topic 7)
systems narratives
a combination of narrative and flowcharting.
The control environment

From the knowledge of the business gained, the auditor needs to start thinking about:
the nature of the risks
the type of internal controls in operation
management’s attitude to these controls
the reliability of these controls
whether anything appears unusual to the auditor.
At the same time, the auditor should also be thinking about the resources they will need
to address these risks, and where these resources will come from.
At this point in audit planning, the auditor needs to begin forming an initial impression of
the integrity of the business systems and effectiveness of the relevant internal controls.
Further judgements will be made, but at this early stage the auditor should be forming an

39
opinion as to the levels of control risk and inherent risk, and considering factors
such as:
audit scope, objectives and expectations
nature and size of the business
nature and sizes of potential errors
records of past errors in the business or industry.
Analytical procedures
The use of analytical procedures will assist in confirming or otherwise an auditor’s
opinion as to the integrity of systems and controls. Analytical procedures can be applied
at any or all stages of the audit but will greatly assist with any risk assessment and audit
planning activities.
Such procedures can include high-level analysis of comparable data sets, with a view to
identifying fluctuations or deviations from any expected patterns. For example, the
auditor could review the company’s duty payments with those of the industry as a whole
in which they operate. Or, the auditor could review the duty payments of the company
against business inputs. In both cases it would be reasonable for the auditor to see a
certain correlation between the two sets of data.
Activity 9
Industry Audit Activity
Select an industry subject in which you expect that you will soon be conducting audit
activity.
What data is available internally within your organisation, and what data is available
externally? Which sets of data identified as being available either internally or
externally could be analysed? What would expect to see from such analysis?
Materiality
Materiality is the ‘…information which if omitted, misstated, or not disclosed has the
potential to adversely affect decisions …(Aus 306). Some errors may be tolerated, and if
detected by the auditor would not, or should not influence the overall opinion as to the
level of compliance. In the Customs and Excise context, errors that may be tolerated
could include the miscalculation of very small amounts of duty, especially if they relate
to over-payments. Of course, there may be very small errors in relation to some Customs
import procedures, for example, which can not be tolerated.
Some issues the auditor will need to address in the Audit Plan:
Has there been a history of material errors?
What is the likelihood of there being material errors?
Should materiality be measured ‘quantitatively’ e.g. in monetary or percentage
amounts or ‘qualitatively’ e.g. for inadequate or weak policies, or lack of integrity.
Materiality will affect the Audit Plan in terms of the nature and extent of the testing
which needs to occur.

40
Testing procedures
Using the auditor’s view on the levels of inherent risk, control risk and materiality,
consideration now needs to be given to the conduct of the actual testing which is to occur.
The main questions here for the auditor includes:
What offices, sites or location will need to be visited?
Which managers and staff will need to be interviewed?
What records should be made available for review?
Approximately when will these visits and interviews need to occur?
Other considerations
The final pieces of information to be gathered in the preparation of the Audit Plan will
include the following types of issues:
Are there any audit issues from previous audit activity that need to be followed up,
as per the Audit Reports from those earlier audits?
Is there specific information or intelligence about the business which needs to be
examined, perhaps a complaint from the industry, or another business, or a
customer?
Who will be in the audit team and what are their respective roles?
Does the necessary expertise exist in the audit team, e.g. IT, supervisory
experience?
Does the audit require engagement of an external expert, e.g. chemist, lawyer,
valuation expert, industry expert?
Will there be use of computer - assisted audit tools, and, again, is there the
equipment and expertise available for this?

41
The Audit Plan document

There is no set Audit Plan ‘template’ as such; however, as a minimum it is recommended
that the document should contain the following information (Aus 306). You will note that
it is the information we have been building throughout this Module to date:
details of the audit scope, objectives and focus
the period of operations covered by the audit
what is known of the business
assessment of risk and setting of materiality
the premises that will be visited, including persons who should be present at the
time
use of external assistance where appropriate
any significant matters or issued to be reviewed.
At this point, the Audit Plan does not need to be specific in terms of dates, times or
details of the tests to be conducted, but should provide a useful guide to audit team
members and the auditee.
The Audit Plan can and should be released as a ‘draft’ in the first instance. It is worth
investing time in getting the Audit Plan right, and the ‘draft’ can be amended several
times before being issued as ‘final’. A small amount of time invested upfront can be
invaluable in delivering efficient and effective audit outcomes as the audit progresses.
Understanding the Business Systems

The business systems of the auditee need to be described sufficiently to allow the auditor
to identify and analyse the internal controls. It is likely that some systems documentation
will be in existence already, and will be commonly found in places such as:
procedure statements/manuals held by the company for use by staff
reviews of systems by external consultants Internal audit reports
external audit reports, e.g. financial statements
working papers from previous audits.
Where existing systems descriptions are being used, the auditor should interview staff
and ‘walk through’ the systems to ensure the descriptions are current. The process of
‘walk through’ systems verification is described in detail below. However, the important
question in using existing systems documentation is whether there have been any updates
to company procedures, staff duties, computer systems, etc and whether such updates
have been incorporated in the system documentation.
Where no systems description or insufficient systems description exists, the auditor is
required to gather this information as part of the audit-planning phase. The auditor will
gather this information through:
interviews of management and staff
observation of procedures and duties
review any available internal documentation
As stated above, the description of the business system is to be sufficient for the
identification of internal controls.

42
There are three common approaches to systems description used by auditors:

systems narrative, or a written description of each business system
use of Flowcharting to show in a logical and diagrammatic fashion each system
(and sub-system)
a combination of both the narrative and flowchart (diagrammatic) approaches.
The systems narrative approach is most common where the system is relatively small or
simple. On the other hand, flowcharting is most commonly used where the system is large
and complex, and most likely comprising several sub-systems. However, only those
systems relevant to the audit should be documented, otherwise documenting an entire
business will become an unwieldy exercise.
When documented, the systems description should be verified by the auditor in one of
two ways:
selecting a transaction and conducting a ‘walk through’ the system to ensure the
transaction is processed as per the systems description
sampling a very small number of processes within the system to establish that
information created, and checks performed, are occurring as per the systems
description.
Having gained an understanding of the business systems, documented those systems, and
identified the relevant internal controls, the auditor should start to form a judgement
about the reliability of those systems and controls. At this point of the audit, the auditor’s
judgement as to the systems and controls is important, in terms not only of preparing to
analyse and test the internal controls, but, significantly of deciding whether the auditee is
suitable for a systems - based audit. If the auditor has great concerns about the reliability
of systems and controls, then a systems - based approach will no longer be the most
appropriate audit approach.
Identifying and evaluating the company’s controls

(Refer Stage 2 of the Audit methodology)
As previously stated, the Audit Plan requires the auditor to have an understanding of the
internal control environment and to have begun forming an opinion as to level of inherent
and control risk.
As we saw in Module 4, the ‘control environment’ is defined as being the management’s
attitude and actions towards its controls. Internal controls are then those procedures (and
policies) additional to creating the control environment, designed to prevent errors,
omissions, mis-statement and fraud. Internal controls can be either preventative (stop
errors) or detective (find errors).
This stage in the methodology is about identifying all potential errors using the auditor’s
information gathering and experience within the industry, and documenting these in audit
working papers. Similarly, the auditor, in the same working papers, should also be
documenting the relevant internal controls within the system designed to prevent or detect
these potential errors.
It is likely, especially in a large company, that the Customs or Excise functions will cover
many systems throughout the organization. Within a particular system or process, there
may be two or more sub-systems. Whichever, auditors should be compiling a list of
potential errors and internal controls for each system or sub-system.
Thus the auditor has created a ‘checklist’ of potential errors and associated internal
controls for each systems (and sub-system where appropriate) that will form the basis of
upcoming audit testing.

43
Activity 10
Inherent Risks
Think of a large importer or excise payer in your country. Looking at the industry in
which they do business, what are the inherent risks for that entity and what type of
internal controls would you expect to see in operation to mitigate those risks?
Testing the company’s controls (Control testing)

The first step in designing and performing tests of internal controls is to have documented
and fully understood the potential errors and non-compliance that can occur within the
system being audited. The internal controls that have been identified should be preventing
errors or making timely detection, and testing should take this requirement into account.
From the documented list of potential errors and relevant internal control, for each control
designing a suitable test involves working through the following questions:
What transactions are relevant?
What is the nature of the errors or fraud that can occur with these transactions?
What does the internal control do, or how does it work to detect errors or fraud?
What can you do to see if the control is reliable?
The auditor can find the information relevant to answering these questions in designing
the control tests from the following types of sources:
user Manuals
job descriptions
interview staff
systems overviews and flowcharts
observation.
For example, if either a user Manual or a Job Description says that a particular person on
checking a document places a ‘stamp’ upon the document and initials the document, then
the control test would be to ensure that all those types of document possess both a stamp
and an initial.
Extent of testing
The next step in control test design is determining the extent of testing the controls, or
how many times the control will be tested to see if it is working. The extent of testing is
based upon the initial judgements made during audit planning.
The greater the level of confidence in the controls, the lighter (or fewer) the tests will be.
Auditors are seeking only to confirm their high level of confidence in their testing.
Alternatively, if the confidence levels are lower, there will be heavier (or more) tests.
The auditor may change their level of confidence during testing and adjust the testing
level accordingly. Testing may even result in the auditor recommending that no reliance
can be placed on a particular internal control.

44
Working papers
Audit working papers are to be maintained during testing, and as a minimum should
include, for each control tested:
the objective of the control
details of the test performed
the extent of testing
the results.
From time to time, the auditor will see internal controls failing in their objectives, or not
meeting expectations. Typical reasons for internal control failing include:
cost (especially where exceeds perceived benefit)
application to routine transactions only
human error
fraud
redundancy.
In determining the results of control testing, the auditor should be considering the
following questions:
Did you find controls working as expected?
Have you changed your level of:
• reliance on the controls
• confidence in the controls
Any drop in confidence will mean that a greater focus will need to be placed on
substantive testing.
Activity 11
Inherent Controls
Based on the same common examples of internal controls described in the last activity
– design relevant control tests.

45
Testing transactions (Substantive testing)

Substantive testing is the testing of relevant records and transactions. Even with the
highest level of confidence in internal controls, some substantive testing is required to
both confirm audit opinions and provide audit evidence.
In the Customs and Excise audit context, auditors would be comparing, for example,
excise production returns against documentation such as:
raw material purchases
raw material receipts
records of production runs
records of production losses
stock-takes.
Or import declarations against commercial documentation such as:
supplier’s invoices
bills of Lading or Airway Bills
sales contracts
bank transfers; and Trade catalogues.
Substantive testing involves the verification of the accuracy of information on a particular
transaction relevant to the complying business. This transaction could be an excise
operations return, an excise duty payment return, an import or export declaration.
In designing the substantive test, the auditor would be looking at the material information
supplied on the transaction and how and where the information in those fields can be
verified. In looking at an import declaration, the material information would include:
origin
value
tariff classification
end-use by-laws or tariff concessions
duty calculations.
These data fields declared by the importer would then be reviewed against relevant types
of commercial documentation listed above, with the auditor determining whether the
importer has accurately supplied information to Customs in the import declaration.
Extent of testing
As with control testing, there is also a need to determine the extent of substantive testing,
or how many transactions are to be examined. The first question is ‘what was the level of
confidence in the systems and controls formed during planning?, and what is the level of
confidence after control testing?’
Where confidence levels were high and remained high after control tests, then testing can
be light, perhaps limited to several transactions. Alternatively, if confidence levels were
low and remained low, then heavier levels of testing will be required, perhaps several
hundred transactions.

46
Where audit risk has become unacceptable, then the audit will move towards a transaction
based approach, and reliance solely on full substantive testing.
Once the number of transactions to be tested has been determined, the next step is to then
determine which transactions from the total population of transactions are to be tested.
Selecting the transactions for testing is known as sampling. There are several
methodologies available for selecting the audit sample.
Sampling
Once sample size has been determined, the sample must be drawn from the audit
population. There are several methods for selecting a sample; in this Module we will look
at four. There are no right or wrong methods, but, for the most appropriate selection
method, it is best to look at the context of risk, auditee’s systems and auditee’s controls:
1. Random selection.
The audit sample selected entirely at random from the audit population. The auditor may
wish to use a computer program, or random number tables to make the selection.
2. Systematic selection.
This involves dividing the audit population by the sample size, using this number to
select the sample. Example: Where the audit population is 10,000 invoices, and sample
size is 200, the sample is every fiftieth invoice within the audit population
(10,000 / 200 = 50).
3. Haphazard selection.
This method involves selecting the audit sample from the total audit population without
any structured technique.
4. Block selection.
This involves selecting a start and finish point within the audit population, and sampling
every transaction between these points.
Working papers
Audit working papers are to be completed for substantive testing, and should include for
each substantive test the following details:
objective of the test
details of the test performed
extent of testing
total population of transactions
sampling method and reasons
results.

47
In terms of any errors found during substantive testing, the auditor will need to consider
the following issues:
materiality levels as set in the audit planning stage
the frequency at which errors were found
whether the errors are common in nature
an opinion as to whether the errors appear to be as a result of an accident, a control
failure, or fraud.
An important question for the Customs and Excise auditor on finding errors at this point
is ‘could the errors that have been found be common to other businesses in the same
industry?’
Activity 12
Substantive Tests
Continuing with the same internal controls identified and tested in the previous two
activities, design appropriate substantive tests for the transactions that are processed
through these controls.
Dealing with issues identified during the audit

Any errors discovered during control and substantive testing need to be brought to the
attention of management of the auditee prior to audit completion. Communication can be
both formal and informal, but it is likely that there will be continuous dialogue between
audit team members and the auditee throughout the duration of the audit, and such
discussions can be used to communicate the nature and frequency of errors being detected
by the audit program.
More formally, issues can be provided to the auditee in the form of an ‘Audit Issues Log’,
or a document outlining any issues in a format including:
issue Number or reference
name or heading covering issue
summary or description of concerns
the reasons for such concerns, (likely to be errors or unexpected findings)
remedial action that can be taken to correct the situation.
Where issues are logged formally, they generally are more serious and require some form
of formal response and follow - up by the auditee. An Audit - issues Log is helpful in this
situation, allowing the audit team and the auditee to track the review, and respond to each
issue. It is usually in the best interest of the auditee to respond quickly and positively to
issues raised by the audit team.
Unresolved issues, or issues not addressed will form an important part of the final Audit
Report (discussed further below).

48
Activity 13
Audit Issues
Continuing with the same internal controls identified and tested, and the transactions
verified in the substantive tests above, describe a possible audit issue that may have
arisen, and document it. Perhaps it could be a common error that your agency finds in
audit activity.
Continuing with the same internal controls identified and tested, and the transactions
verified in the substantive tests above, describe a possible audit that may have arisen, and
document it. Perhaps it could be a common error that your agency finds in audit activity.
Your answers should be included on the relevant audit working papers as per the audit
methodology.
Audit reports
There is no ‘standard’ form of Audit Report, and generally the format, style and content
of such a report will be based on the needs of the individual Customs or Excise collection
agency. However, there are some guiding principles available through Auditing Standards
(Aus 306). As a guide, the Audit Report should:
be relevant to those who will use the report
be reliable, being based on audit evidence
have material issues identified and properly discussed
be issued in a timely fashion
be comprehensible to the reader
be consistent to allow comparisons.
In terms of actual format, the Audit Report should address the following basic headings:
title of report
auditee and address
details of scope and objectives
signature of responsible person for the audit
date.
From these basic headings, the other areas to be addressed will be unique to each audit,
and unique to the requirements of each agency conducting the audit. However, it is
expected that the following areas would need to be addressed in any audit activity:
main audit findings
audit issues for resolution and follow-up
opinion as to compliance
qualifications or caveats to those opinions if applicable.
It is important that the auditee is not ‘ambushed’ by adverse findings in the final Audit
Report. There should be on-going discussions with management of the auditee in relation

49
to findings that suggest a break-down of controls has occurred. This communication can
be simple verbal advice as testing is occurring and/or more formally where required,
through documenting issues, creating issues logs, and providing these to management of
the business prior to moving to preparation of the Audit Report.
The Audit Report should be issued as ‘Draft Report’ in the first instance. From here, the
auditee should have the opportunity to respond to the findings – either support and
commitment to correct any issues, or alternatively to dispute the findings. It is important
to review the auditee’s responses to any issues logs or the draft Audit Report, as indeed
the auditor may have actually misunderstood some aspect of the business or a transaction.
It is more complicated, withdrawing and re-issuing a final Audit Report where the auditor
has erred.
The final Audit Report is provided to the auditee in an ‘Exit Interview’ format. The
interview will generally comprise executives from the audit area and management of the
business subject to the audit, and will most likely be the same persons as involved in the
initial ‘Entrance Interview’.
The objectives of the Exit Interview would include:
full acceptance of the Audit Report including its findings
commitment to undertake remedial activity as recommended to address areas of
non-compliance, or potential non-compliance concern
commitment to a timetable to implement the recommended remedial activity
a procedure for Custom and Excise compliance staff to review such progress of
remediation, for example quarterly update meetings.
Despite Customs and Excise audits being focussed on compliance with relevant
legislation and duty liabilities, the actual audit and final Audit Report should also be seen
as adding value to the import’s or excise payer’s business. Recommendations to systems
and controls should have considered the most efficient manner to deliver compliance, and
will be drafted in consultation with the relevant personnel within the business.
Activity 14
Audit Report
Using the audit evidence gathered during this Topic, including example Working
Papers, compile a draft Audit Report.
The draft Report should outline your findings as to the opinion you have formed over
the compliance of the auditee.
The draft Report should cross-reference relevant Working Papers to support your
findings.
The draft Report should meet auditing standards.
Conclusion
Audit is a proven technique that enables Customs administrations to assess compliance
levels, establish a context for further investigation, identify needs for compliance
improvements and work areas that need attention in order to improve compliance.
As we have discussed there are different types of audits and audit techniques. The most
important point is that all approaches are systematic approach and take a holistic view
rather than a micro or minute view. Further, audit plays a critical role in the risk
assessment process.

50

Customs - Excise Audit-CCLEC - SG

Uploaded by

Copyright:

Available Formats

You might also like

Customs - Excise Audit-CCLEC - SG

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Customs - Excise Audit-CCLEC - SG

Uploaded by

Copyright:

Available Formats

Centre for Customs & Excise Studies (CCES) CCLEC

Customs & Excise Audit

© Centre for Customs & Excise Studies, University of Canberra, 2009

Materials development team

Centre for Customs & Excise Studies, CCLEC

What is a Customs or Excise audit?....................................................8

Where does audit fit in a risk management plan? ............................12

Use of sanctions .................................................................................18

Setting the audit objectives and scope .............................................22

Centre for Customs & Excise Studies, CCLEC

The Engagement: ISA 210 ..................................................................................... 27

Testing the company’s controls (Control testing)............................44

Centre for Customs & Excise Studies, CCLEC

(Refer Stage 3 of the Audit Methodology) .............................................................. 44

Audit reports .......................................................................................49

Centre for Customs & Excise Studies, CCLEC

Centre for Customs & Excise Studies, CCLEC

What is a Customs or Excise audit?

Desk audit approach

Centre for Customs & Excise Studies, CCLEC

It may be an electronically lodged import declaration in which the valuation appears

Transaction - based audit approach

Systems - based audit approach

Centre for Customs & Excise Studies, CCLEC

Authority to Conduct an Audit

Centre for Customs & Excise Studies, CCLEC

Where does audit fit in a risk management plan?

Centre for Customs & Excise Studies, CCLEC

Certainty & clarity approach

Industry partnership approach

Centre for Customs & Excise Studies, CCLEC

Analysis of errors approach

Centre for Customs & Excise Studies, CCLEC

Are licences and permits current?

Bulk mail-out approach

Centre for Customs & Excise Studies, CCLEC

Centre for Customs & Excise Studies, CCLEC

Centre for Customs & Excise Studies, CCLEC

Centre for Customs & Excise Studies, CCLEC

Setting the audit objectives and scope

Audit Objectives and scope

Centre for Customs & Excise Studies, CCLEC

Centre for Customs & Excise Studies, CCLEC

Centre for Customs & Excise Studies, CCLEC

What are Audit Standards?

Key audit areas to be addressed

Centre for Customs & Excise Studies, CCLEC

The Engagement: ISA 210

Quality Control: ISA 220

Documentation: ISA 230

Audit Planning: ISA 300’s

Centre for Customs & Excise Studies, CCLEC

Obtaining knowledge of the auditee’s business - ISA 310.

Materiality – ISA 320

Internal Controls and Risk Assessment – ISA 400’s.

Audit evidence: ISA 500’s

Using the work of another auditor: ISA 600’s

Centre for Customs & Excise Studies, CCLEC