University Audit Report: BBM Internal Control Evaluation and Analysis
VerifiedAdded on 2023/06/07
|14
|3196
|171
Report
AI Summary
This report analyzes the audit of BBM's internal controls, focusing on deficiencies identified by a junior auditor. The audit covered payroll data access controls, revealing unauthorized access by non-payroll staff, which poses a threat to data integrity. Tests of control regarding related party payments showed that some payments lacked proper CFO approval. The report analyzes the sufficiency and appropriateness of audit evidence, highlighting concerns about a major asset acquisition lacking supporting documentation (invoice) and the acceptance of a photocopy instead of original bank confirmation. It emphasizes the impact of weak internal controls on the need for increased substantive procedures and the reliability of audit evidence. The report concludes that Tom's assessment of internal controls was incorrect due to deficiencies in the internal control framework and the lack of sufficient and appropriate audit evidence. The analysis underscores the importance of reliable audit evidence, proper documentation, and the auditor's professional skepticism.
Audit Assignment
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
1
By student name
Professor
University
Date: 4TH Sep 2018.
1 | P a g e
By student name
Professor
University
Date: 4TH Sep 2018.
1 | P a g e
2
Contents
Introduction.................................................................................................................................................4
Analysis........................................................................................................................................................6
Conclusion...................................................................................................................................................8
References.................................................................................................................................................10
2 | P a g e
Contents
Introduction.................................................................................................................................................4
Analysis........................................................................................................................................................6
Conclusion...................................................................................................................................................8
References.................................................................................................................................................10
2 | P a g e
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
3
Introduction of the business and the Internal control status of the client and audit procedures
undertaken:
The given situation is about the audit of internal controls of BBM which is engaged in the
business of offering berth services for luxury yachts. A junior auditor has conducted the audit. He has
undertaken tests of controls in two different areas. One area being payroll data. His testing procedure
has revealed deficiencies in the access control mechanisms pertaining to payroll data. It was found out
that some of the non-payroll staff of accounting department had access to the data which basically
showed that there was a pertinent threat to the integrity and confidentiality of the data as possibilities
of tampering and unauthorized access were present.
In addition to the above, test of control relating to payments made to related parties were also
carried out. It was observed that few of the payments were authorized by the Chief financial officer of
the company while a few were passed off stating them as immaterial amounts. Six out of fifteen
transaction did not have any approval. However, Tom was satisfied about the effectiveness and
efficiency of the internal controls (Farmer, 2018).
The audit also revealed that a major asset acquisition pertaining to Plant and equipment did not
have an invoice to support the documentation. The management was yet to provide the same. Tom also
went for third party confirmation of balances namely bank balances. A photocopy of the balance
confirmation was sent by the finance controller to the auditors which means the auditors have not
received a direct original confirmation addressed to them by the bank. Out of all the audit work papers
complied by the audit staff, few of the working papers were not signed off by them. This could mean
that the audit work may or may not have been completed by them.
3 | P a g e
Introduction of the business and the Internal control status of the client and audit procedures
undertaken:
The given situation is about the audit of internal controls of BBM which is engaged in the
business of offering berth services for luxury yachts. A junior auditor has conducted the audit. He has
undertaken tests of controls in two different areas. One area being payroll data. His testing procedure
has revealed deficiencies in the access control mechanisms pertaining to payroll data. It was found out
that some of the non-payroll staff of accounting department had access to the data which basically
showed that there was a pertinent threat to the integrity and confidentiality of the data as possibilities
of tampering and unauthorized access were present.
In addition to the above, test of control relating to payments made to related parties were also
carried out. It was observed that few of the payments were authorized by the Chief financial officer of
the company while a few were passed off stating them as immaterial amounts. Six out of fifteen
transaction did not have any approval. However, Tom was satisfied about the effectiveness and
efficiency of the internal controls (Farmer, 2018).
The audit also revealed that a major asset acquisition pertaining to Plant and equipment did not
have an invoice to support the documentation. The management was yet to provide the same. Tom also
went for third party confirmation of balances namely bank balances. A photocopy of the balance
confirmation was sent by the finance controller to the auditors which means the auditors have not
received a direct original confirmation addressed to them by the bank. Out of all the audit work papers
complied by the audit staff, few of the working papers were not signed off by them. This could mean
that the audit work may or may not have been completed by them.
3 | P a g e
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
4
An Analysis of the scenarios:
A) Sufficient appropriate audit evidence primarily means audit evidence of such nature that is
worthy enough for the auditor to form an opinion on the aspects of financial position. The
whole objective of obtaining sufficient appropriate audit evidence is to provide the auditor with
some reasonable assurance that the financial statements are free from material miss-
statements and the audit risk is at an acceptable low level.
Sufficiency can be considered with regards to the following:
- a measure of the quantum of the audit evidence available
- it’s an outcome of the risk assessment procedure adopted by the auditor.
Appropriateness can be looked as:
- It is a measurement of the quality of the evidence obtained
- Significant emphasis is on the reliability as well as the relevance of the audit evidence procured
- Appropriateness is also influenced by the source from where the audit evidence is obtained
which could be either internal or external or both (Erik & Jan, 2017).
The four major factors that affect the reliability of audit evidence are as under:
1) Source of information: It is one of the driving factors in determining the reliability of audit
evidence. Sources of information can be of two types. One is internal source and the other is
external source. A critical thing about information obtained internally is that its reliability
increases by multiple times when the related controls of the organization pertaining to the
preparation and reporting of financial information including the controls relating to the
maintenance of information are operating in an effective manner.
Also, there is a general perception about externally obtained audit evidence which is that
audit evidences which are obtained from sources outside the organization are more reliable
as they are independent from the entity whose audit is being conducted.
4 | P a g e
An Analysis of the scenarios:
A) Sufficient appropriate audit evidence primarily means audit evidence of such nature that is
worthy enough for the auditor to form an opinion on the aspects of financial position. The
whole objective of obtaining sufficient appropriate audit evidence is to provide the auditor with
some reasonable assurance that the financial statements are free from material miss-
statements and the audit risk is at an acceptable low level.
Sufficiency can be considered with regards to the following:
- a measure of the quantum of the audit evidence available
- it’s an outcome of the risk assessment procedure adopted by the auditor.
Appropriateness can be looked as:
- It is a measurement of the quality of the evidence obtained
- Significant emphasis is on the reliability as well as the relevance of the audit evidence procured
- Appropriateness is also influenced by the source from where the audit evidence is obtained
which could be either internal or external or both (Erik & Jan, 2017).
The four major factors that affect the reliability of audit evidence are as under:
1) Source of information: It is one of the driving factors in determining the reliability of audit
evidence. Sources of information can be of two types. One is internal source and the other is
external source. A critical thing about information obtained internally is that its reliability
increases by multiple times when the related controls of the organization pertaining to the
preparation and reporting of financial information including the controls relating to the
maintenance of information are operating in an effective manner.
Also, there is a general perception about externally obtained audit evidence which is that
audit evidences which are obtained from sources outside the organization are more reliable
as they are independent from the entity whose audit is being conducted.
4 | P a g e
5
2) Technical methods to gather audit evidence: This is another important aspect affecting the
reliability of audit evidence. For example, if an auditor is evaluating the application of a
control, gathering evidence through observation and/or inspection of the application of that
control would be far more effective than inquiring about it. This basically means that a
more direct approach towards gathering evidence is more beneficial than an indirect one.
3) Verifiability of the evidences obtained: This is something that determines the ultimate value
of the material at hand of the auditor. An audit evidence should ideally be in a documented
form. It can either be in electronic or paper or any other medium (Goldmann, 2016). A well-
documented audit evidence has more value than an audit evidence that has been obtained
in an oral form. A documented evidence will be numbered, bearing date, about the balances
and nature of transaction which could provide far more compelling view of the scenarios
(Jefferson, 2017).
4) Knowledge and skill sets of the auditor/s: Not only the qualification possessed by the auditor
but also his/her knowledge about the nature of operations of the client, its clientele and
suppliers, his understanding of the internal control mechanisms and the effectiveness of
those will determine how persuasive the audit evidences obtained are (Das, 2017).
Knowledge the auditor has about the functioning of the entity and attitude of the
management in delivering clean and transparent reporting will also go a long way in
obtaining relevant audit evidence.
5 | P a g e
2) Technical methods to gather audit evidence: This is another important aspect affecting the
reliability of audit evidence. For example, if an auditor is evaluating the application of a
control, gathering evidence through observation and/or inspection of the application of that
control would be far more effective than inquiring about it. This basically means that a
more direct approach towards gathering evidence is more beneficial than an indirect one.
3) Verifiability of the evidences obtained: This is something that determines the ultimate value
of the material at hand of the auditor. An audit evidence should ideally be in a documented
form. It can either be in electronic or paper or any other medium (Goldmann, 2016). A well-
documented audit evidence has more value than an audit evidence that has been obtained
in an oral form. A documented evidence will be numbered, bearing date, about the balances
and nature of transaction which could provide far more compelling view of the scenarios
(Jefferson, 2017).
4) Knowledge and skill sets of the auditor/s: Not only the qualification possessed by the auditor
but also his/her knowledge about the nature of operations of the client, its clientele and
suppliers, his understanding of the internal control mechanisms and the effectiveness of
those will determine how persuasive the audit evidences obtained are (Das, 2017).
Knowledge the auditor has about the functioning of the entity and attitude of the
management in delivering clean and transparent reporting will also go a long way in
obtaining relevant audit evidence.
5 | P a g e
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
6
B) Test of Control pertaining to payroll data:
The auditor tested the access control mechanisms of payroll systems for his audit purposes.
Testing of access control mechanism is only aspect of the audit of payroll systems. Timely and
accurate reporting, validity of the transactions, its classification is some of the other aspects
which the auditor also needs to consider before forming an opinion on the effectiveness and
efficiency of payroll systems (Kim, Schmidgall, & Damitio, 2017). On the access control front, the
auditor tested that three out of the six non-payroll staff in the accounting department could
access the payroll data. Ideally the auditor should have also checked whether non- payroll staff
from any department other than accounting department can also access the data or not to
assess the degree of deficiency in the mechanism. This would have helped in better planning of
the substantive audit techniques. Maintaining the confidentiality and integrated of payroll data
is of paramount importance from the perspective of employer as well as employees as any
leakage of information or tampering of it could seriously impact the morale of the staff affected
the reputation of the employer as well. Therefore, there is a requirement for detailed auditing in
this regard. Basically, the deficient access control signifies that there is a severe lack of internal
control and thus it warrants additional substantive testing procedures (Grenier, 2017).
Test of control pertaining to approval of related party payments:
In general parlance, sampling testing enables an auditor to obtain an understanding about the
existence of controls and that the controls are operating efficiently and effectively. The selection
of samples is based on the results of the various sampling techniques and in some cases, it also
6 | P a g e
B) Test of Control pertaining to payroll data:
The auditor tested the access control mechanisms of payroll systems for his audit purposes.
Testing of access control mechanism is only aspect of the audit of payroll systems. Timely and
accurate reporting, validity of the transactions, its classification is some of the other aspects
which the auditor also needs to consider before forming an opinion on the effectiveness and
efficiency of payroll systems (Kim, Schmidgall, & Damitio, 2017). On the access control front, the
auditor tested that three out of the six non-payroll staff in the accounting department could
access the payroll data. Ideally the auditor should have also checked whether non- payroll staff
from any department other than accounting department can also access the data or not to
assess the degree of deficiency in the mechanism. This would have helped in better planning of
the substantive audit techniques. Maintaining the confidentiality and integrated of payroll data
is of paramount importance from the perspective of employer as well as employees as any
leakage of information or tampering of it could seriously impact the morale of the staff affected
the reputation of the employer as well. Therefore, there is a requirement for detailed auditing in
this regard. Basically, the deficient access control signifies that there is a severe lack of internal
control and thus it warrants additional substantive testing procedures (Grenier, 2017).
Test of control pertaining to approval of related party payments:
In general parlance, sampling testing enables an auditor to obtain an understanding about the
existence of controls and that the controls are operating efficiently and effectively. The selection
of samples is based on the results of the various sampling techniques and in some cases, it also
6 | P a g e
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
7
depends on the auditor’s judgement. When a few samples are selected out of a host of data, it
basically represents a general view of the whole of the information to the auditor. Therefore, to
assess the internal controls results of all the samples and not just a few of them will be
considered. In the given case, for testing of controls relating to payments made to related
parties, 15 of such transactions have been selected as samples. The results show that nine out of
the fifteen do not near CFO approval (Sithole, Chandler, Abeysekera, & Paas, 2017). Those nine
EFT forms only contain a notation stating that the amounts were not material and hence the
approval was not taken. An important thing to be considered here is that material weakness in
internal control is different from a material amount in financial statements. Even in situation
when financial statements are not materially misstated, a material weakness in the internal
control might still exist (Goldmann, 2016).
Hence, in this case the auditor will not be able to say that whether an internal control exists to
monitor the payments made to related party or if it exists, whether it is efficient and operating
effectively. Therefore, in this case the conclusion made by Tom that internal controls are
operating satisfactorily and substantive procedures are not required does not hold ground and is
incorrect.
C) Because of the lack of internal controls observed in the above two scenarios the quantum of
substantive procedures required to be undertaken will be needed to be increased.
Consequently, larger sample sizes need to be taken to be able to form an opinion. The lack of
internal controls will also have a significant impact on audit evidences being obtained. The audit
evidences obtained up to the current stage of audit need to be re-looked into. They need to be
more corroborative and substantial in nature. The degree of the persuasiveness of the evidence
needs to be greater. Given the fact that there are material weaknesses in the internal control
7 | P a g e
depends on the auditor’s judgement. When a few samples are selected out of a host of data, it
basically represents a general view of the whole of the information to the auditor. Therefore, to
assess the internal controls results of all the samples and not just a few of them will be
considered. In the given case, for testing of controls relating to payments made to related
parties, 15 of such transactions have been selected as samples. The results show that nine out of
the fifteen do not near CFO approval (Sithole, Chandler, Abeysekera, & Paas, 2017). Those nine
EFT forms only contain a notation stating that the amounts were not material and hence the
approval was not taken. An important thing to be considered here is that material weakness in
internal control is different from a material amount in financial statements. Even in situation
when financial statements are not materially misstated, a material weakness in the internal
control might still exist (Goldmann, 2016).
Hence, in this case the auditor will not be able to say that whether an internal control exists to
monitor the payments made to related party or if it exists, whether it is efficient and operating
effectively. Therefore, in this case the conclusion made by Tom that internal controls are
operating satisfactorily and substantive procedures are not required does not hold ground and is
incorrect.
C) Because of the lack of internal controls observed in the above two scenarios the quantum of
substantive procedures required to be undertaken will be needed to be increased.
Consequently, larger sample sizes need to be taken to be able to form an opinion. The lack of
internal controls will also have a significant impact on audit evidences being obtained. The audit
evidences obtained up to the current stage of audit need to be re-looked into. They need to be
more corroborative and substantial in nature. The degree of the persuasiveness of the evidence
needs to be greater. Given the fact that there are material weaknesses in the internal control
7 | P a g e
8
framework audit evidences in addition to the ones already obtained, need to be gathered.
Generally, when the internal controls are operating effectively and efficiently, auditors can rely
on the representations made by the management to some extent. But in cases of weak internal
controls, it is no longer feasible for the auditors to rely on management representations.
Because of elaborate and exhaustive audit methods being adopted, the auditor might begin
facing time and budget constraints as well (Jefferson, 2017).
D) Detailed analysis of the matters that raise of the matters that raise a concern about the
sufficiency and appropriateness of the audit evidences obtained are as under:
1) Even though many other items selected had supporting documentation, if a major asset
acquisition cannot be vouched with an appropriate supporting, it raises a serious question
on the authenticity of transaction being undertaken. Both in terms of financial prudence and
authenticity perspective a major amount should have a supporting document. Especially in
case of a capital items acquired during the year, the management should provide the
auditors with original invoice to support the acquisition (Werner, 2017). Without the
invoice, the auditor should form an opinion that sufficient appropriate audit evidences have
not been provided by the client and since in this case it relates to a capital item, auditor can
also issue a qualified report if they don’t receive the supporting till the time of signing of the
audit report. Lack of proper audit documentation cannot be replaced by the any sort of
representation by the management. Without a supporting, it would be difficult for the
auditor to assume that the acquisition was appropriately authorized. Also, many other
questions as to whether the items are capital in nature or not. If the items that are
purchased are done so on credit terms, it would result in a payable balance. Without the
invoice, the authenticity of the payable balance can also not be verified (Trieu, 2017).
8 | P a g e
framework audit evidences in addition to the ones already obtained, need to be gathered.
Generally, when the internal controls are operating effectively and efficiently, auditors can rely
on the representations made by the management to some extent. But in cases of weak internal
controls, it is no longer feasible for the auditors to rely on management representations.
Because of elaborate and exhaustive audit methods being adopted, the auditor might begin
facing time and budget constraints as well (Jefferson, 2017).
D) Detailed analysis of the matters that raise of the matters that raise a concern about the
sufficiency and appropriateness of the audit evidences obtained are as under:
1) Even though many other items selected had supporting documentation, if a major asset
acquisition cannot be vouched with an appropriate supporting, it raises a serious question
on the authenticity of transaction being undertaken. Both in terms of financial prudence and
authenticity perspective a major amount should have a supporting document. Especially in
case of a capital items acquired during the year, the management should provide the
auditors with original invoice to support the acquisition (Werner, 2017). Without the
invoice, the auditor should form an opinion that sufficient appropriate audit evidences have
not been provided by the client and since in this case it relates to a capital item, auditor can
also issue a qualified report if they don’t receive the supporting till the time of signing of the
audit report. Lack of proper audit documentation cannot be replaced by the any sort of
representation by the management. Without a supporting, it would be difficult for the
auditor to assume that the acquisition was appropriately authorized. Also, many other
questions as to whether the items are capital in nature or not. If the items that are
purchased are done so on credit terms, it would result in a payable balance. Without the
invoice, the authenticity of the payable balance can also not be verified (Trieu, 2017).
8 | P a g e
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
9
2) As a support for the balance confirmation of its bank account, the client has furnished a
photocopy of the confirmation. Third party balance confirmation are always considered to
be one of the most reliable audit tools to form an opinion on the financial position of the
company. One of the main reason for this is that the third party is independent and not a
part of the company and it could portray the true picture of a balance. However, third party
confirmations must always be addressed to the auditor and not the client and thereby it has
to be in original form. The communication could be sent in both physical or electronic mode
whichever is feasible for the third party. Hence, a photocopy obtained from the client is as
good as no evidence being obtained. Without those, the auditor cannot confirm the bank
balances standing in the books of accounts of the company (Choy, 2018).
3) For a reviewer to begin reviewing the audit work performed, the primary requirement is
that the audit must have been completed up to the stage of the work that needs to be done
by the audit staff. A reviewer can only know if audit work has been completed by the fact
that whether the audit workpapers have been signed off by the audit staff member.
Absence of a signoff would seem to suggest to the reviewer that the staff has either not
performed some of the audit work or some documents pertaining to the audit are yet to be
included in the working papers. This would mean that if the auditor undertakes review
without the signoff, he may be looking at audit evidences that are insufficient or incomplete
and thus he cannot base his opinion on that.
E) Recommendations on good internal control for the company can be divided into the following
categories:
Controls of Payroll Access System:
- To have a better control environment for access control, the organization should establish
responsibility, structure and authority.
9 | P a g e
2) As a support for the balance confirmation of its bank account, the client has furnished a
photocopy of the confirmation. Third party balance confirmation are always considered to
be one of the most reliable audit tools to form an opinion on the financial position of the
company. One of the main reason for this is that the third party is independent and not a
part of the company and it could portray the true picture of a balance. However, third party
confirmations must always be addressed to the auditor and not the client and thereby it has
to be in original form. The communication could be sent in both physical or electronic mode
whichever is feasible for the third party. Hence, a photocopy obtained from the client is as
good as no evidence being obtained. Without those, the auditor cannot confirm the bank
balances standing in the books of accounts of the company (Choy, 2018).
3) For a reviewer to begin reviewing the audit work performed, the primary requirement is
that the audit must have been completed up to the stage of the work that needs to be done
by the audit staff. A reviewer can only know if audit work has been completed by the fact
that whether the audit workpapers have been signed off by the audit staff member.
Absence of a signoff would seem to suggest to the reviewer that the staff has either not
performed some of the audit work or some documents pertaining to the audit are yet to be
included in the working papers. This would mean that if the auditor undertakes review
without the signoff, he may be looking at audit evidences that are insufficient or incomplete
and thus he cannot base his opinion on that.
E) Recommendations on good internal control for the company can be divided into the following
categories:
Controls of Payroll Access System:
- To have a better control environment for access control, the organization should establish
responsibility, structure and authority.
9 | P a g e
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
10
- It should enforce accountability of the payroll staff so that they are careful about handling
passwords. They are aware and report to the appropriate person if any violation is noticed.
- IT systems should be upgraded to issue alerts when any attempt is being to gain access by
personnel who are not permitted (Arnott, Lizama, & Song, 2017).
Controls relating to Approval of related party transactions:
- Establishing a clear-cut threshold for amount of payment below which CFO approvals are not
required
- For the transactions not requiring approval, ensure that a maker-checker control is in place
- Ensure the stated policy is not subverted through multiple small payments below the
threshold. To avoid this scenario, a monitoring mechanism should be established.
In addition to the above, it is the responsibility of the management to keep adequate records of
asset acquisitions. There should be proper authorization mechanism to safeguard the assets of
the organization.
Conclusion of all the above audit findings:
It can be stated that the entity lacks a sound internal control system because of which the risk of
material misstatements in the financial statements of the company exist. The management
needs to be more committed towards providing a healthy control environment. A sound
internal control mechanism will not only help the organization in safeguarding the assets of the
entity but will also help in achieving a better financial compliance framework (Alexander, 2016).
10 | P a g e
- It should enforce accountability of the payroll staff so that they are careful about handling
passwords. They are aware and report to the appropriate person if any violation is noticed.
- IT systems should be upgraded to issue alerts when any attempt is being to gain access by
personnel who are not permitted (Arnott, Lizama, & Song, 2017).
Controls relating to Approval of related party transactions:
- Establishing a clear-cut threshold for amount of payment below which CFO approvals are not
required
- For the transactions not requiring approval, ensure that a maker-checker control is in place
- Ensure the stated policy is not subverted through multiple small payments below the
threshold. To avoid this scenario, a monitoring mechanism should be established.
In addition to the above, it is the responsibility of the management to keep adequate records of
asset acquisitions. There should be proper authorization mechanism to safeguard the assets of
the organization.
Conclusion of all the above audit findings:
It can be stated that the entity lacks a sound internal control system because of which the risk of
material misstatements in the financial statements of the company exist. The management
needs to be more committed towards providing a healthy control environment. A sound
internal control mechanism will not only help the organization in safeguarding the assets of the
entity but will also help in achieving a better financial compliance framework (Alexander, 2016).
10 | P a g e
11
Form the auditor’s perspective, the auditor will have to spend more time on planning the audit
objectives. As the internal control framework is weak, the testing of controls needs to be
effectively planned. The Sample size needs to be greater for a better understanding.
Also, the audit evidences gathered need to be more corroborative. Proper closure procedures of
audit files such as signing off should be adhered to.
11 | P a g e
Form the auditor’s perspective, the auditor will have to spend more time on planning the audit
objectives. As the internal control framework is weak, the testing of controls needs to be
effectively planned. The Sample size needs to be greater for a better understanding.
Also, the audit evidences gathered need to be more corroborative. Proper closure procedures of
audit files such as signing off should be adhered to.
11 | P a g e
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
1 out of 14
Related Documents
Your All-in-One AI-Powered Toolkit for Academic Success.
+13062052269
info@desklib.com
Available 24*7 on WhatsApp / Email
![[object Object]](/_next/static/media/star-bottom.7253800d.svg)
Unlock your academic potential
Copyright © 2020–2025 A2Z Services. All Rights Reserved. Developed and managed by ZUCOL.