0% found this document useful (0 votes)
288 views34 pages

Lesson G - 2 Ch09 2 Rev. Cycle Obj., Control, Test

The document discusses controls over the revenue cycle, including input, process, and output controls. It describes common input controls such as credit authorization procedures and data validation controls. Credit authorization procedures help ensure only valid transactions that meet credit standards are processed. Data validation controls help detect errors in transaction data before processing. The document also discusses process controls, including file update controls, access controls, and physical controls. Revenue cycle audit objectives relate to management assertions, and tests of controls provide evidence about the valuation/allocation and accuracy assertions.

Uploaded by

Blacky Pinky
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
288 views34 pages

Lesson G - 2 Ch09 2 Rev. Cycle Obj., Control, Test

The document discusses controls over the revenue cycle, including input, process, and output controls. It describes common input controls such as credit authorization procedures and data validation controls. Credit authorization procedures help ensure only valid transactions that meet credit standards are processed. Data validation controls help detect errors in transaction data before processing. The document also discusses process controls, including file update controls, access controls, and physical controls. Revenue cycle audit objectives relate to management assertions, and tests of controls provide evidence about the valuation/allocation and accuracy assertions.

Uploaded by

Blacky Pinky
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 34

Chapter 9 REVENUE CYCLE AUDIT

OBJECTIVES, CONTROLS,
AND TESTS OF CONTROLS
Outline:
Auditing the Revenue Cycle
Revenue Cycle Activities and Revenue Cycle Audit Objectives,
Technologies Controls, and Tests of Controls

• Batch Processing Using • Input Controls


Sequential Files—Manual • Process Controls
Procedures • Output Controls
• Batch Processing Using
Sequential Files—Automated Substantive Tests of Revenue Cycle
Procedures Accounts
• Batch Cash Receipts System with
Direct Access Files • Revenue Cycle Risks and Audit
Concerns
• Real-Time Sales Order Entry and
Cash Receipts • Understanding Data
• Point-of-Sale (POS) Systems • Testing the Accuracy and
Completeness Assertions
• Daily Procedures
• Testing the Existence Assertion
• End-of-day Procedures
• Testing the Valuation/Allocation
Assertion
LEARNING OBJECTIVES
• Recognize the relationship between revenue
cycle audit objectives, controls, and tests of
controls.
REVENUE CYCLE AUDIT OBJECTIVES,
CONTROLS, AND TESTS OF CONTROLS
• The concept of audit objectives for
transactions and account balances are derived
from management assertions about FS.
• Table 9.1 shows how management assertions
translate to specific revenue cycle audit
objectives.
Management Assertions and Revenue Cycle
Audit Objectives
 Existence / Occurrence
 VERIFY AR balance represents amounts actually owed as of Balance Sheet date
 Establish sales represents goods shipped and/or services rendered during period of
financials
 Completeness
 Determine all amounts owed organization are included in AR
 VERIFY shipped goods, services rendered, and/or returns and allowances for period
are included in financials
 Accuracy
 VERIFY revenue transactions are accurately computed, based on correct prices and
quantities
 Ensure AR subsidiary ledger, sales invoice file, remittance file are mathematically
correct .. And agree with GL accounts
 Rights & Obligations
 Determine organization has legal right to AR
 VERIFY accounts sold or factored have been removed from AR
 Valuation or Allocation
 Determine AR balance stated in net realizable value
 Establish allocation for uncollectible accounts is appropriate
 Presentation and Disclosure
 VERIFY AR and revenues for period are properly described and classified

Hall, 3e 5
REVENUE CYCLE AUDIT OBJECTIVES,
CONTROLS, AND TESTS OF CONTROLS
• How to achieve these audit objectives?
– requires designing audit procedures to gather evidence
that either corroborates or refutes the management
assertions.
• Audit procedure involves a combination of:
– tests of controls
– substantive tests of details.
• Computer application controls fall into three broad
categories:
– input controls
– process controls
– output controls
REVENUE CYCLE AUDIT OBJECTIVES,
CONTROLS, AND TESTS OF CONTROLS
• Input controls • Process controls
– Credit Authorization Procedures (Batch & – File Update Controls
real time systems) • Run-to-run controls
• Management assertions: • Transaction Code Controls
– valuation/allocation audit objectives • Sequence Check Control
– accuracy • Management assertions:
– Data Validation Controls – Existence
• Missing data checks, numeric-alphabetic data – Completeness
checks, limit checks, range checks, validity – accuracy
checks, check digit – Access Controls
• Management assertion: • Management assertions:
– accuracy – Existence
– Batch Controls – Completeness
• Management assertion: – Accuracy
– completeness and accuracy. – valuation and allocation
– right and obligations
– Presentation and disclosure
– Physical Controls
• Segregation of Duties, Supervision,
Independent Verification
• Output controls - completeness and accuracy
– AR Change Report, Transaction Logs,
Transaction Listings, Log of Automatic
Transactions, Unique Transaction Identifiers,
Error Listing
Input Controls
• are designed to ensure that transactions are valid,
accurate, and complete.
• Control techniques vary considerably between batch
and real-time systems.
• The following input controls relate to revenue cycle
operations.
– Credit Authorization Procedures
• Testing Credit Procedures
– Data Validation Controls
• Missing data checks, numeric-alphabetic data checks, limit checks,
range checks, validity checks, check digit
• Testing Validation Controls
– Batch Controls
Input Controls:
Credit Authorization Procedures
• The purpose of the credit check
– is to establish the creditworthiness of the customer.
• Valid transaction:
– 1) meet the credit standards (credit policy)
• Only customer transactions that meet the organization’s credit
standards are valid and should be processed further.
• Failure to apply credit policy correctly and consistently has
implications for the adequacy of the allowance for uncollectible
accounts.
– 2) transaction authorization
Batch with manual systems use credit dept.
Real-time systems use programmed decision rules
 Exception file (if exceeds limit, credit manager approves)
POS
 validating credit card charges and establishing that the customer is the valid
user of the card.
Input Controls:
Credit Authorization Procedures
• Real-time systems use programmed decision rules
• When credit checks are computerized, the organization’s credit policy is
implemented through decision rules that have been programmed into the
system.
• 1) Current transaction + customer’s current AR bal > preestablished credit
limit
– For routine transactions, this typically involves determining if the current
transaction plus the customer’s current AR balance exceeds a preestablished
credit limit.
• 2) If credit limit exceeds – exception file
– If the credit limit is exceeded by the transaction, it should be rejected by the
program and passed to an exception file, where it can be reviewed by
management.
• 3) Credit manager decides – disapprove or extend the credit limit
– The credit manager will decide either to disapprove the sale or to extend the
credit limit consistent with the manager’s authority.
Input Controls:
Testing Credit Procedures
Audit Objectives Audit Procedures
 Verify effective procedures exist
• The tests provide evidence  Verify information is adequately
communicated
pertaining to the  Verify effectiveness of programmed
decision rules (test data, ITF)
– valuation/allocation audit – Create several dummy customer accounts
with various lines of credit and then
objectives processing test transactions that will exceed
some of the credit limits.
– accuracy objective. – Then analyze the rejected transactions to
determine if the computer application
correctly applied the credit policy.

 Verify that authority for making credit


decisions is limited to authorized credit
personnel/procedures
 Perform Substantive Tests of Detail
 Review credit policy periodically and
revise as necessary
Input Controls:
Data Validation Controls
Input validation controls - are intended to detect transcription errors in transaction
data before they are processed.

Batch Real-time and POS


• data validation occurs only • Errors handled as they
after the goods have been occur
shipped.
• error logs, error correction,
and transaction
resubmission procedures
Input Controls:
Data Validation Controls
• Six Validation tests that are relevant to the revenue cycle include the following:
– Missing data checks  presence of blank fields.
• Error: When the validation program detects a blank where it expects to see a data value, this will be
interpreted as an error.
• Missing product numbers, missing customer account numbers, or incomplete mailing or billing
addresses.
– Numeric-alphabetic data checks  correct form of data.
• Error: an invoice total should not contain alphabetic data; alphabetic data in a numeric field
– Limit checks  value does not exceed maximum for the field.
– Range checks  data is within upper and lower limits.
• For example, the actual sales price charged for a product can be compared to a range of acceptable
prices.
• Purpose of this control: to detect keystroke errors that shift the decimal point one or more places.
– Validity checks  compare actual values against known acceptable values (reference
file)
• verify such things as product codes, shipping company codes, and state abbreviations in customer
addresses.
• Error: If the value in the field does not match one of the acceptable values, the record is determined
to be in error.
– Check digit  identify keystroke errors by testing internal validity.
• control data entry errors that would otherwise cause the wrong customer’s account to be charged
for a transaction.
Input Controls:
Testing Validation Controls
Audit Objective Audit Procedures
• The tests provide evidence  Verify controls exist and are
functioning effectively
pertaining to the  Validation of program logic can
– Accuracy assertion be difficult
 If Controls over system
development and
maintenance are NOT weak,
testing data
editing/programming logic is
more efficient than
substantive tests of details
(test data, ITF)
 Some assurance can be
gained through the testing of
error lists and error logs
(detected errors only)
Input Controls:
Batch Controls
• are used to manage high volumes of transaction
data through a system.
 Purpose: Reconcile output produced by system with the original
input
 Controls continue through all computer (data) processes
 Batch transmittal sheet:
 An important element of batch control.
 a separate control record that the system uses to verify the integrity of the
batch.
 which captures relevant information about the batch, such as the following:
 Unique batch number
 Batch date
 Transaction code
 Record count
 Batch control total (amount)
 Hast totals (e.g., account numbers)
Input Controls:
Batch Controls
• The task of reconciling processing (batch transmittal
sheet) with the control record (batch control log)
provides assurance that:
– All sales invoices and cash receipts records that were
entered into the system were processed.
– No invoices or cash receipts were processed more than
once.
– All invoices and cash receipts entered into the system are
accounted for as either successfully processed or rejected
because of errors.
Input Controls:
Testing Batch Controls
Audit Objective Audit Procedures
• The tests provide the  Failures of batch controls
indicates data errors
auditor with evidence  Involves reviewing transmittal
relating to the management records of batches processed
and reconcile them to the batch
assertions of control log (batch transmittal
– completeness and accuracy. sheet)
 Examine out-of-balance
conditions and other errors to
determine cause of error
• Risk:  Review and reconcile
transaction listings, error logs,
– The failure of batch controls etc.
to function properly can  Batch control totals, such as those
result in records being lost or on the batch transmittal sheet, are
also a valuable tool in doing IT
processed multiple times. audits and fraud audits.
Process Controls
• File Update Controls
– Run-to-run Controls, Transaction Code Controls, Sequence
Check Control
• Access Controls
– Using warehouse security, such as fences, alarms, and guards
– Depositing cash daily in the bank
– Using a safe or night deposit box for cash
– Locking cash drawers and safes in the cash receipts department
– Accounting records
• Physical Controls
– Segregation of Duties, Supervision, Independent Verification
Process Controls:
File Update Controls
• include computerized procedures for
– file updating
– restricting access to data.
• May also include physical manual tasks.
• File Update Controls: Three control techniques related to file updating.
 Run-to-run controls - batch control data to monitor data processing
steps
 These controls ensure that each run in the system processes the batch correctly and
completely
 Risk: A discrepancy may indicate that a record was lost in processing, a record in the
batch went unprocessed, or a record was processed more than once.
 Transaction code controls – to process different transactions using
different programming logic (e.g., transaction types)
 Risks: Errors in transaction codes, or in the program logic that interprets them, can
cause incorrect processing of transactions and may result in materially misstated sales
and accounts receivable balances.
 Sequence check controls – sequential files, proper sorting of
transaction files required
 An out-of-sequence sales order record in a batch may prevent the remaining
downstream records from being processed. A more serious problem can occur when the
sequencing error is not detected and the downstream records are processed against the
wrong customer accounts.
 Out-of-sequence records should be rejected and resubmitted for subsequent processing
to allow the other records in the batch to be properly processed.
Process Controls:
File Update Controls
Audit Objective Audit Procedures
• The tests provide the  Testing data that contains
auditor evidence relating to errors (incorrect
transaction codes, out of
the assertions of sequence)
– Existence  Can be performed in ITF
– Completeness or test data
 CAATTs requires careful
– accuracy. planning
 Single audit procedure
can be devised that
performs all tests in one
operation.
Process Controls:
Access Control
• prevents and detects unauthorized and illegal access to the
firm’s assets.
– Inventories and cash are the physical assets of the revenue
cycle.
• is at the heart of accounting information integrity.
• Techniques used to limit access to these assets include the
following:
– Using warehouse security, such as fences, alarms, and guards
– Depositing cash daily in the bank
– Using a safe or night deposit box for cash
– Locking cash drawers and safes in the cash receipts department
Process Controls:
Access Controls
Risks Controls
• Invoices can be deleted, added, or falsified.
Individual account balances can be erased, or • The control techniques
the entire AR file can be destroyed.
• An individual with unrestricted access to data includes
can manipulate the physical assets of the
firm and cause FSs to be materially – Passwords
misstated.
• Accounting files stored on magnetic media
– data encryption
are particularly vulnerable to unauthorized
access, whether its cause is accidental, an act
– Firewalls
of malice by a disgruntled employee, or an
attempt at fraud.
– user views
 Accounting records
 Removal of an account from books
 Unauthorized shipments of goods using
blank sales orders
 Removal of cash, covered by adjustments
to cash account
 Theft of products/inventory, covered by
adjustments to inventory or cash accounts
Process Controls:
Access Controls
Audit Objectives Audit Procedures
• Evidence gathered about  Absence thereof allows
the effectiveness of access manipulation of invoices
controls tests the (i.e., fraud)
management assertions of  Computer Access
– Existence controls are system-wide
– Completeness and application-specific
– Accuracy  Access controls are
– valuation and allocation dependent on effective
– right and obligations controls in O/S, networks,
– Presentation and disclosure. and databases
Process Controls:
Physical Controls
• Segregation of Duties
• Supervision
• Independent Verification
Process Controls:
Physical Controls – Segregation of Duties
• In general, the following three rules apply:
 Rule 1: Transaction authorization separate from transaction
processing
 The credit department is segregated from the rest of the process, so that the
formal authorization of material transactions is an independent event.
 Rule 2: Asset custody separate from record-keeping tasks
• In the sales order processing system, the inventory warehouse clerk
with custody of the physical assets should not also maintain the
inventory records.
• The cash receipts clerk (with custody of cash) should not record AR.
 Rule 3: Organization structured such that fraud requires collusion
between two or more people
• The record-keeping functions must be carefully divided.
– Specifically, the subsidiary ledgers (AR and inventory), the journals (sales and
cash receipts), and the general ledger should be separately maintained.
• Risk: An individual with total record-keeping responsibility, in
collusion with someone with asset custody, is in a position to
perpetrate fraud.
Process Controls:
Physical Controls – Supervision
• Is a compensating control for some firms that
have too few employees to achieve an
adequate separation of functions.
– Necessary for employees who perform incompatible functions
– Compensates for inherent exposure from incompatible functions.
• Can be supplement or provide control when duties are
properly segregated
• Can provide an effective preventive control.
Process Controls:
Physical Controls – Independent Verification
 Review the work of others at critical points in business
processes
 Purpose: Identify errors or possible fraud
 Examples:
 Shipping dept. verifies goods sent from warehouse dept.
are correct in type and quantity
 Billing dept. reconciles shipping notice with sales notice to
ensure customers billed correctly
Process Controls:
Testing Physical Controls
Risks Audit Procedures
• Fraud and material errors  Review organizational
– Inadequate segregation of structure for incompatible
duties, the lack of effective tasks
supervision and independent  Tasks normally segregated
verification can result in fraud in manual systems get
and material errors. consolidated in DP systems.
 Duties of design,
• Collusion maintenance, and
– The purpose of collusion is to operations for computers
achieve unauthorized access need to be separated
to assets as well as the
information needed to  Programmers should not be
conceal the crime. responsible for subsequent
program changes.
Output Controls
 PURPOSE: Information is not lost, misdirected, or corrupted; that the
system output processes function properly
 Controls are designed to identify potential problems
 Reconciling GL to subsidiary ledgers
 Maintenance of the audit trail – that is the primary way to trace the source
of detected errors
 Details of transactions processed at intermediate points
 AR change report
 Transaction logs: permanent record of valid transactions
 Transaction listings – successfully posted transactions
 Log of automatic transactions
 Unique transaction identifiers
 Error listings
 Testing output controls
 Reviewing summary reports for accuracy, completeness, timeliness, and
relevance for decisions
 Trace sample transactions through audit trails; including transaction
listings, error logs, and logs of resubmitted records
 ACL is very helpful in this process
Hall, 3e 29
Output Controls
• are designed to ensure that information is not lost,
misdirected, or corrupted and that system processes
function as intended.
– For example: Managers receive daily summaries of sales
orders placed by customers, goods shipped, and cash
received, and use such data to monitor the status of their
operations.
• can be designed to identify potential problems.
– For example, an exception report derived from the
customer open order file listing end-of-day open sales
orders can identify orders placed but not shipped.
– Such a report can help management assess the operational
performance of the shipping process.
Output Controls
Risks Controls
• transaction processing • Reconciling the GL
errors • Maintenance of an audit
• The absence of adequate trail
output controls has adverse – Details of transaction
implications for operational processing produced at
efficiency and financial intermediate points can
provide an audit trail that
reporting. reflects activity through every
stage of operations.
Output Controls
• Six examples of audit trail output controls.
o 1) AR Change Report
o is a summary report that shows the overall change to AR from sales orders and cash receipts.
o should reconcile with total sales, total cash receipts (on account), and the GL.
o 2) Transaction Logs
o should contain only successful transactions.
o is a permanent record of valid transactions
o 3) Transaction Listing
o Is a hard copy of all successful transactions produced to be given to the appropriate users to
facilitate reconciliation with input.
o For example, a listing of cash receipts processed will go to the controller to be used for a bank
reconciliation.
o 4) Log of Automatic Transactions
o Is an audit trail of transactions that are triggered internally by the system.
o must be placed in a transaction log, and a listing of these transactions should be sent to the
appropriate manager.
o For example, EDI sales orders are accepted and processed without human authorization.
o 5) Unique Transaction Identifiers
o Is a means of uniquely identifying each transaction processed by the system with a transaction number.
o Is a control in tracing a particular transaction through a database of thousands or even millions of records.
o 6) Error Listing
o Is a listing of all error records that should go to the appropriate user to support error correction
and resubmission.
Testing Output Controls
Audit Objective Audit Procedures
• Evidence gathered through • Reviewing summary reports for
accuracy, completeness,
tests of output controls timeliness, and relevance to the
relates to the decisions that they are intended
to support.
– completeness and accuracy – Data extraction software such as
assertions. ACL can be used to search log files
for specific records to verify the
completeness and accuracy of
output reports.
• Tracing sample transactions
through audit trail reports,
including transaction listings,
error logs, and logs of
resubmitted records.
– The auditor can use ITF.
Summary
• The topic presented revenue cycle audit
objectives and controls.
• In this section, we examined the tests of
controls that an auditor may perform.
• Evidence gathered from tests of controls
contributes to audit objectives and may
permit the auditor to limit the scope, timing,
and extent of substantive tests.

You might also like