Internal controls in the acquisition and expenditure cycle are critical for reducing control risk, which influences the nature, timing, and extent of substantive audit procedures. The primary accounts discussed are accounts payable and various expenses, with controls designed to address the relevant assertions identified in LO 8-2 (completeness, cutoff, existence, presentation, valuation for accounts payable; completeness, cutoff, accuracy, classification for expenses). The document emphasizes that a well-designed system mitigates risks of material misstatement (RMM) by ensuring proper authorization, separation of duties, and error-checking activities.
The internal control activities are summarized in Exhibit 8.5 on Page 11 (331), linking each significant account and relevant assertion to specific controls that address the "what could go wrong?" (WCGW) risks from LO 8-3. Below is a detailed breakdown:
Completeness (Liabilities are not recorded):
Control Activity: Receiving reports should be prenumbered and used sequentially, with all reports completed by period-end accounted for in that period.
Mitigation: Ensures all goods/services received are recorded as liabilities, preventing omissions due to unmatched documents.
Cutoff (Liabilities are recorded in the incorrect period):
Control Activity: Payables recorded in the first weeks of a period should be compared to receiving reports and invoices to verify the correct recording period.
Mitigation: Prevents shifting liabilities across periods by confirming timing aligns with receipt.
Existence (Liabilities may not represent actual obligations):
Control Activity: Voucher packages for vendor payments should include purchase orders and receiving reports; vendors must be on an approved vendor list; a three-way match (purchase order, receiving report, vendor invoice) should be performed.
Mitigation: Verifies that liabilities are legitimate by requiring documented evidence of purchase and receipt, reducing fictitious or unauthorized entries.
Presentation (Liabilities are not recorded in proper accounts or disclosed):
Control Activity: A chart of accounts should be used for classifying purchase transactions.
Mitigation: Ensures proper account allocation and footnote disclosure, avoiding misclassification.
Valuation (Payables recorded at an incorrect amount):
Control Activity: Prices on vendor invoices should be agreed to an approved price list, and invoices should be tested for mathematical accuracy.
Mitigation: Confirms that recorded amounts reflect actual costs, preventing over- or understatement.
Completeness (Not all expenses are recorded):
Control Activity: Use prenumbered vouchers, receiving reports, purchase orders, and checks, with verification of the numerical sequence.
Mitigation: Ensures all expense transactions are captured by tracking document continuity, reducing unrecorded expenses.
Cutoff (Expenses recorded in the incorrect period):
Control Activity: Managers should compare actual expenses with budgeted amounts.
Mitigation: Identifies timing discrepancies by aligning expenses with expected periods, catching premature or delayed recordings.
Accuracy (Expenses recorded at an incorrect amount):
Control Activity: Expenses should be matched with vendor invoices or work orders to verify the proper cost of items or services.
Mitigation: Ensures recorded amounts are accurate by tying them to source documents, reducing calculation errors or fraud.
Classification (Expenses recorded in the wrong account):
Control Activity: Expenses should be reviewed to ensure they are recorded in the proper account.
Mitigation: Prevents misclassification (e.g., capitalizing operating expenses) through oversight and review processes.
Management should continuously review expenses against budgets and forecasts, establish authorization policies for expenditures, communicate ethical standards to suppliers, and provide a reporting mechanism for misconduct (e.g., bribes or kickbacks).
Security of blank purchase orders and receiving reports, along with proper safeguarding of received materials, enhances overall control effectiveness.
Responsibilities for authorization (e.g., purchasing), custody (e.g., inventory, cash), recording (e.g., accounts payable), and reconciliation should be segregated across different individuals or departments (see Exhibit 8.1 referenced on Page 12).
Examples:Â
Persons authorizing purchases should not record them.
Those receiving goods should not authorize or account for them.
Check signers should not prepare vouchers or mail checks.
Mitigation: Reduces the risk of errors or fraud by preventing any single individual from controlling multiple aspects of a transaction.
Purchase requisitions and orders should be signed by authorized personnel, with system-generated orders restricted to authorized changes in master files.
Automated systems often use a three-way match to record expenses, generating exception reports (e.g., unmatched receiving reports or invoices) for management review.
Mitigation: Enhances accuracy and completeness by enforcing approval and matching processes.
Auditing Insight ("That must have been a LONG drive!"): A case from Chattanooga illustrates how manual input errors (e.g., a $44,000 paycheck instead of $400 due to a mis-keyed reimbursement) can occur when controls weaken (e.g., during COVID-19). A secondary control check failed, highlighting the need for robust verification processes.
Automation: Systems like robotic process automation (RPA) can reduce risks if properly controlled, but poor design can amplify errors, reinforcing the need for effective controls.
A properly designed system includes prenumbered documents, three-way matches, approved vendor lists, price verifications, and expense reviews to address completeness, cutoff, existence, presentation, valuation, and accuracy/classification assertions.
Separation of duties and entity-level oversight (e.g., budget comparisons, ethics policies) are foundational to mitigating RMM across all assertions.
Controls must be both preventive (e.g., authorization) and detective (e.g., exception reports) to catch errors or fraud early.