
Process Controls

Process controls include computerized procedures for updating files and restricting access to data. They comprise:
o File Update Controls
o Access Controls
o Physical Controls

File Update Controls

These controls ensure that each run in the system processes the batch correctly and completely. The file update controls are:
o Sequence Check Control
o Liability Validation Control
o Valid Vendor File

Sequence Check Control

A sequence check control needs to be in place to compare the sequence of each record in the batch with the previous record to ensure that proper sorting took place. Out-of-sequence records should be rejected and resubmitted, thus allowing the other records in the batch to be processed.

Liability Validation Control

The process involves reconciling supporting documents including the purchase order, receiving report, and supplier's invoice. When these documents agree as to the items and quantities ordered and received, and the prices charged match the expected prices, then a liability (account payable) should be recognized and recorded. At a future date, cash will be disbursed to pay the liability.

Valid Vendor File

This file consists of a list of vendors with whom the organization normally does business. Fraudulent transactions in the expenditure cycle often culminate in a payment to someone posing as a legitimate vendor. Before payment, the recipient of the cash disbursement should be validated against the valid vendor file. Any record that does not match should be rejected and investigated by management.

Testing File Update Controls

Tests of file update controls provide the auditor with evidence relating to the management assertions of existence, completeness, rights and obligations, and accuracy.

Failure of file update controls to function properly can result in transactions
o not being processed (liabilities are not recognized and recorded),
o being processed incorrectly (i.e., payments are approved for unauthorized recipients), or
o being posted to the wrong supplier's account.

Test of Sequence Checks

It can be performed using either ITF or the test data approach. The auditor should create test data that contain records that are out of sequence in the batch and verify that each was handled correctly. In addition, the auditor needs to verify the mathematical correctness of the procedure.

Testing the Liability Validation Logic

It requires understanding the decision rule for matching supporting documents. By creating test purchase orders, receiving reports, and supplier invoices, the auditor can verify whether decision rules are being correctly applied.

Test of Valid Vendor File

The ITF and test data methods can be used to test the effectiveness of valid vendor control. This testing involves creating a reference file of valid vendors and a file of supplier invoices (accounts payable) to be paid. Invoice records with vendor numbers that do not match a valid vendor record should be rejected by the program and passed to an error file for management review.
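The test data approach described above for the sequence check, liability validation and valid vendor controls, as an added example that is not part of the original slides: a constructed batch seeded with known errors is run through a minimal version of the three controls, and the error file is compared with what the auditor expects. The record layout, vendor numbers, reason codes and the use of the purchase order price as the expected price are assumptions; amounts are in cents.

```python
# Added example: test-data run against three file update controls.
# Record layout, vendor numbers and reason codes are constructed; amounts are cents.
VALID_VENDORS = {"V100", "V200", "V300"}  # constructed valid vendor reference file

def rec(seq, vendor, po_qty, rr_qty, inv_qty, po_price, inv_price):
    return dict(seq=seq, vendor=vendor, po_qty=po_qty, rr_qty=rr_qty,
                inv_qty=inv_qty, po_price=po_price, inv_price=inv_price)

# Constructed test batch: two clean records and four seeded with known errors.
TEST_BATCH = [
    rec(1, "V100", 10, 10, 10, 500, 500),  # clean
    rec(2, "V999", 5, 5, 5, 200, 200),     # vendor not on the valid vendor file
    rec(4, "V200", 8, 8, 8, 300, 300),     # clean
    rec(3, "V300", 1, 1, 1, 100, 100),     # out of sequence (follows 4)
    rec(5, "V300", 6, 4, 6, 250, 250),     # receiving report shows a short receipt
    rec(6, "V100", 2, 2, 2, 400, 450),     # invoice price differs from PO price
]

def run_file_update_controls(batch, valid_vendors):
    """Return (accepted, error_file); error_file holds (seq, reason) pairs."""
    accepted, error_file, last_seq = [], [], None
    for r in batch:
        # Sequence check: reject the record, keep processing the rest of the batch.
        if last_seq is not None and r["seq"] <= last_seq:
            error_file.append((r["seq"], "OUT_OF_SEQUENCE"))
            continue
        last_seq = r["seq"]
        # Valid vendor check: payee must be on the reference file.
        if r["vendor"] not in valid_vendors:
            error_file.append((r["seq"], "INVALID_VENDOR"))
            continue
        # Liability validation: PO, receiving report and invoice must agree.
        # Assumption: the PO price is the "expected price".
        if not (r["po_qty"] == r["rr_qty"] == r["inv_qty"]
                and r["po_price"] == r["inv_price"]):
            error_file.append((r["seq"], "DOCUMENTS_DISAGREE"))
            continue
        accepted.append(r)
    return accepted, error_file

def liability_total(accepted):
    """Total accounts payable recognized, for checking the arithmetic."""
    return sum(r["inv_qty"] * r["inv_price"] for r in accepted)

if __name__ == "__main__":
    ok, errors = run_file_update_controls(TEST_BATCH, VALID_VENDORS)
    print([r["seq"] for r in ok], errors, liability_total(ok))
```

The sequence check here compares each record with the last record that passed the check, so one misplaced record does not cause the records after it to be rejected.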

Access Controls

Access controls prevent and detect unauthorized and illegal access to the firm's assets. Traditional techniques used to limit access to these assets include:
o Warehouse security, such as fences, alarms, and guards.
o Moving assets promptly from the receiving dock to the warehouse.
o Paying employees by check rather than cash.

The following are examples of risks specific to the expenditure cycle:
1. An individual with access to the AP subsidiary ledger (and supporting documents) could add his or her account (or someone else's) to the file. Once recognized by the system as a legitimate liability, the account will be paid even though no purchase transaction transpired.
2. Access to employee attendance cards may enable an unauthorized individual to trigger an unauthorized paycheck.
3. An individual with access to both cash and accounts payable records could remove cash from the firm and record the act as a legitimate disbursement.
4. An individual with access to physical inventory and inventory records can steal products and adjust the records to cover the theft.

Testing Access Controls

Since payments to false vendors carry such potential for material loss, the auditor is concerned about the integrity of the valid vendor file. By gaining access to the file, a computer criminal can place his or her name on it and masquerade as an authorized vendor. The auditor should therefore assess the adequacy of access controls protecting the file. These include password controls, restricting access to authorized managers, and using data encryption to prevent the file contents from being read or changed.

Physical Controls

Purchases System Controls
o Segregation of inventory control from the warehouse.
o Segregation of the general ledger and accounts payable from cash disbursements.
o Supervision of receiving department.
o Inspection of assets.
o Theft of Assets
o Reconciliation of supporting documents
  o The purchase order
  o The receiving report
  o The supplier's invoice

Payroll System Controls
o Verification of time cards
o Supervision
o Paymaster
o Payroll imprest account

Testing Physical Controls

The auditor's review of organizational structure should disclose the more egregious examples of incompatible tasks, such as one individual opening and approving timecards, authorizing employee payments, and receiving and distributing the paychecks. Covert relationships that may lead to collusion may not be apparent from an organizational chart.

In automated environments, the auditor's concern should focus on the integrity of the computer programs that perform these tasks.

Output Controls

Output controls are designed to ensure that information is not lost, misdirected, or corrupted and that system processes function as intended.

Output control can be designed to identify operational and internal control problems.

Another important element of output control is the maintenance of an audit trail.

Reconciling the general ledger can detect certain types of transaction processing errors. Output, however, is not limited to end-of-day reporting.

Audit Trail Output Controls Examples
o Accounts Payable Change Report
o Transaction Logs
o Transaction Listings
o Log of Automatic Transactions
o Unique Transaction

Testing Output Controls

It involves reviewing summary reports for accuracy, completeness, timeliness, and relevance to the decision that they are intended to support. In addition, the auditor should trace sample transactions through audit trail reports, including transaction listings, error logs, and logs of resubmitted records. Gathering such evidence, however, may involve sorting through thousands of transactions.

In modern systems, audit trails are usually stored online as text files that can be read by word processing and spreadsheet programs. Data extraction CAATTs such as ACL are capable of searching log files for specific records to verify completeness and accuracy of the output reports.

Alternatively, the auditor can test output controls directly using ITF. A well-designed ITF system will permit the auditor to produce a batch of sample transactions, including some error records, and trace them through all phases of processing, error detection, and output

SUBSTANTIVE TESTS OF EXPENDITURE CYCLE ACCOUNTS

Expenditure Cycle Risks and Audit Concerns

Substantive tests of expenditure cycle accounts are therefore directed toward gathering evidence of understatement and omission of material items rather than their overstatement. Broader operational audit concerns, however, include process efficiency, fraud, and losses due to errors. Within this context, overstatement of liabilities and related expenses are also important

Understanding Data

It involves extracting data from accounting files for analysis. To do this task, the auditor needs to understand the systems and controls that produced the data as well as the physical characteristics of the files that contain them. Much of this chapter was devoted to explaining various expenditure cycle configurations and their control implications.

The auditor must verify that he or she is working with the correct version of the file to be analyzed.

ACL can read most sequential files and relational database tables directly, but esoteric and/or complex file structures may require flattening before they can be analyzed.

If the organization's systems personnel perform the flattening process, the auditor must verify that the correct version of the original file was used and that all relevant records from the original were transferred to the copy for analysis.
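One way to check that all relevant records were transferred to the flattened copy, as an added example that is not from the original slides and is not ACL code: the original is flattened independently and compared with the supplied copy on record count, control total and record keys. The nested file layout, field names and sample values are constructed; amounts are in cents.

```python
# Added example: completeness check of a flattened copy against its original.
# Constructed original: a hierarchical AP file, vendor headers with nested invoices.
ORIGINAL = [
    {"vendor": "V100", "invoices": [{"inv_no": "A1", "amount": 5000},
                                    {"inv_no": "A2", "amount": 1250}]},
    {"vendor": "V200", "invoices": [{"inv_no": "B1", "amount": 2400}]},
    {"vendor": "V300", "invoices": []},  # vendor with no open invoices
]

# Constructed flat copy as handed to the auditor; invoice A2 was dropped.
FLAT_COPY = [
    {"vendor": "V100", "inv_no": "A1", "amount": 5000},
    {"vendor": "V200", "inv_no": "B1", "amount": 2400},
]

def flatten(original):
    """Auditor's own flattening: one row per invoice, vendor key repeated."""
    return [{"vendor": v["vendor"], **inv}
            for v in original for inv in v["invoices"]]

def verify_flat_copy(original, flat_copy):
    """Compare the supplied copy with an independent flattening of the original."""
    rows = flatten(original)
    expected = {(r["vendor"], r["inv_no"]): r["amount"] for r in rows}
    actual = {(r["vendor"], r["inv_no"]): r["amount"] for r in flat_copy}
    shared = expected.keys() & actual.keys()
    return {
        # (original, copy) pairs; counts use row lists so duplicates show up.
        "record_count": (len(rows), len(flat_copy)),
        "control_total": (sum(r["amount"] for r in rows),
                          sum(r["amount"] for r in flat_copy)),
        "missing": sorted(expected.keys() - actual.keys()),
        "unexpected": sorted(actual.keys() - expected.keys()),
        "amount_changed": sorted(k for k in shared if expected[k] != actual[k]),
    }

if __name__ == "__main__":
    for check, result in verify_flat_copy(ORIGINAL, FLAT_COPY).items():
        print(check, result)
```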
