Heraklion Co is a manufacturer of footballs and is a new audit client for your firm. You are an audit supervisor of Spinalonga & Co and are currently preparing for the forthcoming interim and final audit for the year ending 31 October 20X6. You are required to document and assess the sales system, recommend control improvements to deal with a specific fraud issue as well as undertake substantive testing of revenue.
Sales ordering, goods despatched and invoicing
Heraklion Co sells footballs to a range of large and small sports equipment retailers in several countries. Sales are made through a network of sales staff employed by Heraklion Co, but new customer leads are generated through a third party company. Sales staff are responsible for assessing new customers’ creditworthiness and proposing a credit limit which is then authorised by the sales director. The sales staff have monthly sales targets and are able to use their discretion in granting sales discounts up to a maximum of 10%. They then record any discount granted in the customer master data file.
The sales staff visit customer sites personally and orders are completed using a two-part pre-printed order form. One copy is left with the customer and the other copy is retained by the sales person. The sales order number is based on the sales person’s own identification (ID) number.
The company markets itself on being able to despatch all orders within three working days. Once the order is taken, the sales person emails the finance department and warehouse despatch team with the customer ID and the sales order details and from this a pick list is generated. Sequentially numbered goods despatched notes are completed and filed in the warehouse.
Sequentially numbered invoices are generated using the pick lists for quantities and the customer master data file for prices. Standard credit terms for customers are 30 days and on a monthly basis sales invoices which are over 90 days outstanding are notified to the relevant sales person to chase payment directly with the customer.
Payroll fraud
The finance director, Montse Mirabelle, has informed you that a significant fraud took place during the year in the payroll department. A number of fictitious employees were set up on the payroll and wages were paid into one bank account. This bank account belonged to two supervisors, who were married, and were employed by Heraklion Co. One had sole responsibility for setting up new joiners in the payroll system and the other processed and authorised bank transfer requests for wages and supplier payments. These employees no longer work for the company and Montse has asked the audit firm for recommendations on how to improve controls in this area to prevent this type of fraud occurring again. Heraklion Co operates a Human Resources department.
Required:
Describe TWO methods for documenting the sales system, and for each explain ONE advantage and ONE disadvantage of using this method.
Documenting the sales system
There are several methods which can be used to document the sales system.
Narrative notes
Narrative notes consist of a written description of the system; they would detail what occurs in the system at each stage and would include any controls which operate at each stage.
Advantages of this method include:
– They are simple to record; after discussion with staff members, these discussions are easily written up as notes.
– They can facilitate understanding by all members of the audit team, especially more junior members who might find alternative methods too complex.
Disadvantages of this method include:
– Narrative notes may prove to be too cumbersome, especially if the system is complex or heavily automated.
– This method can make it more difficult to identify missing internal controls as the notes record the detail but do not identify control exceptions clearly.
Questionnaires
Internal control questionnaires (ICQs) or internal control evaluation questionnaires (ICEQs) contain a list of questions; ICQs are used to assess whether controls exist whereas ICEQs assess the effectiveness of the controls in place.
Advantages of this method include:
– Questionnaires are quick to prepare, which means they are a timely method for recording the system.
– They ensure that all controls present within the system are considered and recorded; hence missing controls or deficiencies are clearly highlighted by the audit team.
Disadvantages of this method include:
– It can be easy for the staff members to overstate the level of the controls present as they are asked a series of questions relating to potential controls.
– A standard list of questions may miss out unusual or more bespoke controls used by the company
Flowcharts
Flowcharts are a graphic illustration of the internal control system for the sales system. Lines usually demonstrate the sequence of events and standard symbols are used to signify controls or documents.
Advantages of this method include:
– It is easy to view the system in its entirety as it is all presented together in one diagram.
– Due to the use of standard symbols for controls, it can be effective in identifying missing controls.
Disadvantages of this method include:
– They can sometimes be difficult to amend, as any amendments may require the whole flowchart to be redrawn.
– There is still the need for narrative notes to accompany the flowchart and hence it can be a time-consuming method.
Note: Full marks will be awarded for describing TWO methods for documenting the sales system and explaining ONE advantage and ONE disadvantage for each method.
Identify and explain SEVEN deficiencies in the sales system of Heraklion Co and provide a recommendation to address each of these deficiencies.
Note: Prepare your answer using two columns headed Control deficiency and Control recommendation respectively
Deficiencies and controls over the sales system
Control deficiency
New customers’ creditworthiness is assessed by a salesperson who sets the credit limit, which is authorised by the sales director.
The sales staff have sales targets, and hence may suggest that new customers are creditworthy simply to meet their targets. This could result in sales being made to poor credit risks.
Sales staff have discretion to grant sales discounts to customers of up to 10%. This could result in a loss of revenue as they may award unrealistic discounts simply to meet sales targets.
The discounts granted by sales staff are not being reviewed and could result in unauthorised discounts allowed.
Sales staff are able to make changes to the customer master data file, in order to record discounts allowed and these changes are not reviewed.
There is a risk that these amendments could be made incorrectly resulting in a loss of sales revenue or overcharging of customers. In addition, the sales staff are not senior enough to be given access to changing master file data as this could increase the risk of fraud.
Inventory availability does not appear to be checked by the sales person at the time the order is placed. In addition, Heraklion Co markets itself on being able to despatch all orders within three working days.
There is a risk that where goods are not available, the customer would not be made aware of this prior to placing their order, leading to unfulfilled orders and customer dissatisfaction, which would impact the company’s reputation.
Customer orders are recorded on a two-part pre-printed form, one copy is left with the customer and one with the sales person.
The sales department of Heraklion Co does not hold these orders centrally and hence would not be able to monitor if orders are being fulfilled on a timely basis. This could result in a loss of revenue and customer goodwill.
Customer orders are given a number based on the sales person’s own identification (ID) number. These numbers are not sequential. Without sequential numbers, it is difficult for Heraklion Co to identify missing orders and to monitor if all orders are being despatched in a timely manner, leading to a loss of customer goodwill.
The sales person emails the warehouse despatch team with the customer ID and the sales order details, rather than a copy of the sales order itself, and a pick list is generated from this.
There is a risk that incorrect or insufficient details may be recorded by the sales person and this could result in incorrect orders being despatched, orders being despatched late or orders failing to be despatched at all, resulting in a loss of customer goodwill and revenue.
Sequentially numbered goods despatched notes (GDNs) are completed and filed by the warehouse department. If the finance department does not receive a copy of these GDNs, they will not know when to raise the related sales invoices. This could result in goods being despatched but not being invoiced, leading to a loss of revenue.
The sales person is given responsibility to chase customers directly for payment once an invoice is outstanding for 90 days. This is considerably in excess of the company’s credit terms of 30 days which will lead to poor cash flow.
Further, as the sales people have sales targets, they are more likely to focus on generating sales orders rather than chasing payments. This could result in an increase in bad debts and reduced profit and cash flows.
Control recommendation
New customers should complete a credit application which should be checked through a credit agency with a credit limit set. Once authorised by the sales director, the limit should be entered into the system by a credit controller.
All discounts to be granted to customers should be authorised in advance by a responsible official, such as the sales director. If not practical, then the supervisor of the sales staff should undertake this role.
Sales staff should not be able to access the master data file to make amendments. Any such amendments to master file data should be restricted so that only supervisors and above can make changes.
An exception report of changes made should be generated and reviewed by a responsible official.
Prior to the salesperson finalising the order, the inventory system should be checked in order for an accurate assessment of the availability of goods to be notified to customers.
The order form should be amended to be at least four-part. The third part of the order should be sent to the warehouse department and the fourth part sent to the finance department.
The copy the sales person has should be stored centrally in the sales department. Upon despatch, the goods despatch note should be matched to the order; a regular review of unmatched orders should be undertaken by the sales department to identify any unfulfilled orders.
Sales orders should be sequentially numbered. On a regular basis, a sequence check of orders should be undertaken to identify any missing orders.
The third part of the sales order as mentioned previously should be forwarded directly to the warehouse department.
The pick list should be generated from the original order form and the warehouse team should check correct quantities and product descriptions are being despatched, as well as checking the quality of goods being despatched to ensure they are not damaged.
Upon despatch of goods, a four-part GDN should be completed, with copies to the customer, warehouse department, sales department to confirm despatch of goods and a copy for the finance department. Upon receipt of the GDN, once matched to the fourth part of the sales order form, a clerk should raise the sales invoices in a timely manner, confirming all details to the GDN and order.
A credit controller should be appointed and it should be their role, rather than the salesperson, to chase any outstanding sales invoices which are more than 30 days old.
In relation to the payroll fraud, identify and explain THREE controls Heraklion Co should implement to reduce the risk of this type of fraud occurring again and, for each control, describe how it would mitigate the risk.
Controls to reduce risk of payroll fraud
Control
Proof of identity checks should be undertaken by the Human Resources (HR) department and recorded on individuals’ personnel files for all new employees set up on the payroll system.
A count should be undertaken of the number of employees in each department of Heraklion Co; this should be reconciled to the number of employees on the payroll system.
The HR department should initiate the process for setting up new joiners by asking new employees to complete a joiner’s form which will be approved by the relevant manager and HR. This request should then be forwarded to the payroll department, who should set up the employee.
All new joiners should be only be set up by payroll on receipt of a joiner’s form and any additions to the system should be authorised by the payroll director. An edit report should be generated and reviewed by HR.
Where possible, employees who are related should not be allowed to undertake processes which are interrelated whereby they can breach segregation of duty controls for key transaction cycles. A regular review of job descriptions of related employees should be carried out by HR.
The payroll system should be amended to run an exception report which identifies any employees with the same bank account name or number and this should be reviewed by HR.
All bank transfer requests should be authorised by a senior responsible official, who is independent of the processing of payments; they should undertake spot checks of payments to supporting documentation, including employee identification cards/records.
Mitigate risk
This should reduce the risk of fictitious employees being set up, as in order to be set up on the system a fictitious set of identification would be required which would be an onerous process.
This would identify if there are extra employees on the payroll system, which could then be investigated further.
This control introduces segregation of duties as in order to set up employees both the HR and payroll departments are involved. Without collusion with an HR employee, the payroll supervisor would be unable to set up fictitious employees.
As all new joiners would be authorised by the payroll director, it is unlikely that payroll employees would risk establishing fictitious joiners. A further review by the HR department would also detect any employees without an authorised joiner form.
This should reduce the risk of related staff colluding and being able to commit a fraud.
Identifying the same bank account name or number will prevent multiple fraudulent payments being made to the same employees.
This would introduce an additional layer of segregation of duties, which would reduce the risk of fraud occurring. In addition, the spot checks to employee identification cards/records would confirm the validity of payments.
Describe substantive procedures the auditor should perform to obtain sufficient and appropriate audit evidence in relation to Heraklion Co’s revenue.
Revenue substantive procedures
– Compare the overall level of revenue against prior years and budgets and investigate any significant fluctuations.
– Obtain a schedule of sales for the year broken down into the main product categories and compare this to the prior year breakdown and for any unusual movements discuss with management.
– Calculate the gross profit margin for Heraklion Co and compare this to the prior year and investigate any significant fluctuations.
– Select a sample of sales invoices for customers and agree the sales prices back to the price list or customer master data information to ensure the accuracy of invoices.
– Select a sample of credit notes raised, trace through to the original invoice and ensure the invoice has been correctly removed from sales.
– Select a sample of customer orders and agree these to the despatch notes and sales invoices through to inclusion in the sales ledger and revenue general ledger accounts to ensure completeness of revenue.
– Select a sample of despatch notes both pre and post year end and follow these through to sales invoices in the correct accounting period to ensure that cut-off has been correctly applied.