AUI3702 Notes

The International Professional Practices Framework (IPPF) by the Institute of Internal Auditors (IIA) establishes standards for professionalism and consistency in internal auditing. It emphasizes adherence to the IIA Code of Ethics, which outlines principles of integrity, objectivity, confidentiality, and competency, along with corresponding rules of conduct. The document also discusses mandatory standards for internal auditing, including the importance of independence, proficiency, and quality assurance in audit activities.

Uploaded by

Milton Makhubela

AUI 3702 Notes

The aim of the International Professional Practices Framework (IPPF), developed and published by the Institute of Internal Auditors (IIA), is to ensure professionalism and consistency in the practice of internal auditing. Internal auditors demonstrate their professionalism by adhering to the IPPF.

This IPPF diagram illustrates that internal auditors must adhere to the stipulations of the definition of internal auditing, the International Standards and the Code of Ethics, and that it is strongly recommended that they follow the guidance provided in the Position Papers, Practice Advisories and Practice Guides.

STUDY UNIT 1.1: IIA CODE OF ETHICS

The IIA Code of Ethics firstly identifies four principles that are relevant to the profession. Secondly, for each of these principles, the IIA Code of Ethics stipulates certain rules of conduct which describe behavioural norms expected of internal auditors.

4 Principles Internal auditors are expected to apply and uphold

• Integrity
The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.
Rules of conduct of this principle:
Internal auditors:
1.1. Shall perform their work with honesty, diligence, and responsibility.
1.2 Shall observe the law and make disclosures expected by the law and the profession.
1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the
organization.
1.4. Shall respect and contribute to the legitimate and ethical objectives of the organization.

• Objectivity
Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.
Rules of conduct of this principle:
Internal auditors:
2.1. Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes
those activities or relationships that may be in conflict with the interests of the organization.
2.2 Shall not accept anything that may impair or be presumed to impair their professional judgment.
2.3 Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.

• Confidentiality
Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there
is a legal or professional obligation to do so.
Rules of conduct of this principle:
Internal auditors:
3.1 Shall be prudent in the use and protection of information acquired in the course of their duties.
3.2 Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical
objectives of the organization.

• Competency
Internal auditors apply the knowledge, skills, and experience needed in the performance of internal auditing services.
Rules of conduct of this principle:
Internal auditors:
4.1. Shall engage only in those services for which they have the necessary knowledge, skills, and experience.
4.2 Shall perform internal auditing services in accordance with the International Standards for the Professional Practice of Internal Auditing.
4.3 Shall continually improve their proficiency and the effectiveness and quality of their services.

Examples per principle and rule of conduct: what you should NOT do and what you should do

Principle: Integrity

Rule of conduct: Perform work with honesty, diligence and responsibility
What you should NOT do: The internal auditors use an unrevised audit programme, used three years ago, to conduct an organisation-wide audit of credit sales.
What you should do: The internal auditors perform a detailed risk assessment and identify the key controls with regard to credit sales before they decide on the tests to be performed.

Rule of conduct: Observe the law and make disclosures expected by law or the profession
What you should NOT do: An internal auditor accepts an excuse from a manufacturing site manager for ignoring regulations regarding the treatment of hazardous waste and mentions nothing in his final report.
What you should do: After noticing that consideration is not given to regulations with regard to the treatment of hazardous waste on a manufacturing site, the internal auditor immediately issues a written notification to a person with sufficient responsibility within the organisation to take suitable action and follows up on the actions taken. The finding and any actions taken are included in the final audit report.

Rule of conduct: Not be part of illegal activity or acts discreditable to the profession or the organisation
What you should NOT do: In loyalty to her organisation, which is experiencing financial difficulty, a chief audit executive (CAE) ignores the scheduled audit of the final tax return for the current tax year, knowing that management is understating taxable income.
What you should do: Realising that management intends to understate taxable income, the internal auditor expresses her dissatisfaction and issues an interim report to the directors and audit committee stating that this would be against the law and to the detriment of the organisation as severe penalties could follow.

Rule of conduct: Respect and contribute to legitimate and ethical objectives of the organisation
What you should NOT do: An internal auditor joins a protest action against an organisation after instituting a time management clock-in system for administrative staff.
What you should do: The internal audit activity publishes an informative article on the organisation’s intranet, setting out the advantages of introducing a time-management clock-in system for administrative staff.

Principle: Objectivity

Rule of conduct: Not participate in any activity or relationship which may impair unbiased assessment or which is in conflict with the interests of the organisation
What you should NOT do: An internal auditor is assigned to an audit of controls in the procurement section, which is headed by his father.
What you should do: The internal auditor reports his relationship with his father who is heading the procurement section and further assignments of staff are made with due consideration of this information.

Rule of conduct: Not accept anything which may impair professional judgement
What you should NOT do: An internal auditor fights to be assigned to the annual audit of his organisation’s retail outlet in the North West province as he loves hunting and always gets an opportunity to hunt on the branch manager’s farm during one of the weekends falling within the audit.
What you should do: An internal auditor rejects an offer to go hunting with the branch manager on his farm, knowing that this could be seen as an impairment of his objectivity when auditing controls at the branch.

Rule of conduct: Disclose all known material facts that, if not disclosed, may distort the reporting of activities under review
What you should NOT do: Since everyone in the organisation is aware of the IT department’s inability to arrange suitable back-up facilities for the financial systems of the organisation, the internal auditor makes no mention of the fact in his report following an audit of general IT controls.
What you should do: The auditor includes a finding on the lack of suitable back-up facilities in his audit report, explaining the possible effect of the shortcoming and recommending the necessary actions to be taken. He also includes any comments from IT management in response to the finding.

Principle: Confidentiality

Rule of conduct: Be prudent in the use and protection of information acquired
What you should NOT do: While auditing controls over wage pay-outs, an auditor finds that some controls have been circumvented. She discusses her finding and the possibility of fraud with her colleague in the canteen over lunch.
What you should do: While auditing controls over wage pay-outs, an auditor finds that some controls have been circumvented. She discusses her finding and the possibility of fraud with the internal audit manager in his office.

Rule of conduct: Not use any information for personal gain and/or that is contrary to the law or detrimental to the organisation
What you should NOT do: During an audit of procurement controls an auditor realises that he buys printing cartridges for his own private use for 15% less than the lowest of three quotes obtained by the organisation. He convinces the procurement clerk to obtain a quote from the supplier he buys from and arranges with the supplier to pay him a 5% commission on all the cartridges sold to the organisation.
What you should do: During an audit of procurement controls an auditor realises that he buys printing cartridges for his own private use for 15% less than the lowest of three quotes obtained by the organisation. He mentions the fact to the procurement manager to investigate further.

Principle: Competency

Rule of conduct: Engage only in those services for which they have the necessary knowledge, skills and experience
What you should NOT do: An internal audit activity appoints a chartered accountant who has recently completed her articles with an auditing firm and assigns her to lead an audit of control over the purchasing and implementation of new IT systems.
What you should do: An internal audit activity appoints an experienced IT auditor who has recently become qualified as a Certified Information Systems Auditor, and assigns her to lead an audit of control over the purchasing and implementation of new IT systems.

Rule of conduct: Perform internal audit services in accordance with the Standards
What you should NOT do: An audit file contains an audit programme, specifically designed for the audit, where a third of the procedures have been left undone without any further explanation.
What you should do: An audit file contains an audit programme, specifically designed for the audit, where a third of the procedures have been left undone. Detailed explanations are provided in all instances which have been signed off by the audit supervisor providing the reasons why the procedures could not be performed and indicating alternative procedures which have been carried out.

Rule of conduct: Continually improve proficiency and the effectiveness and quality of services
What you should NOT do: An internal auditor assigned to an audit in a remote location refuses to attend training in the use of automated working papers which will enable continuous supervision over the audit.
What you should do: To enable continuous supervision of audit assignments, training in the use of automated working papers has been made compulsory for all internal auditors before they can be assigned to any audit engagement.

Study unit 1.2 - International Standards for the Professional Practice of Internal Auditing (Standards)
The Standards are mandatory requirements consisting of:
- Statements of basic requirements for the professional practice
- Interpretations, which clarify terms or concepts within the statements
ATTRIBUTE STANDARDS
1000 – Purpose, Authority and Responsibility
The internal audit charter
The internal audit charter should clearly state the internal auditor’s responsibility and authority to conduct tests of controls within the
organisation.
The charter should authorise access to records, personnel and physical properties relevant to performing tests of controls. If tests of
controls result in assurances to be provided to parties outside the organisation, the charter must define the nature of these assurances.
Assurance & consulting services
The nature of assurance and consulting services involving tests of controls should be defined in the charter. The difference between assurance and consulting services:
Assurance Services:
- An objective examination of the evidence for the purpose of providing an independent assessment of governance, risk management and control processes.
Consulting Services:
- Advisory related service activities, the nature and scope of which are agreed with the customer, which are intended to add value and improve an organisation's governance, risk management and control processes.
1100 – Independence and Objectivity
Organisational Independence:
When testing controls, the internal audit activity must be free from interference when determining the scope of such testing, the
procedures applied to do the testing and communicating the results of such testing.
To accomplish this, the chief internal auditor should report to a level within the organisation that allows the internal audit function to
accomplish its responsibilities and have direct interaction with the board and audit committee.
Individual objectivity
An internal auditor should have no conflicting interests that may influence or may appear to be influencing his or her ability to perform
tests of controls objectively.
Impairment to independence or objectivity
If independence or objectivity is impaired in fact or appearance, the details of the impairment (i.e. conflict of interest, scope limitation,
restriction on access to records, personnel and properties and resource limitations) must be disclosed to appropriate parties.
Internal auditors must refrain from performing tests of controls as part of assurance engagements in areas they were previously
responsible for – at least for one year.
1200 – Proficiency and Due Professional Care
Proficiency:
Internal audit activities and individual internal auditors involved in the testing of controls should possess the knowledge, skills and other
competencies needed to conduct tests of controls.
Practice Advisory 1210-1 elaborates on the proficiency requirements for internal auditors.
Where an internal audit activity lacks competencies to conduct a specific assurance engagement, the competencies should be obtained
elsewhere.
Internal auditors must have sufficient knowledge to evaluate the risk of fraud when performing tests of controls.
Internal auditors should have sufficient knowledge of key information technology risks and controls and available technology-based audit
techniques to perform their assigned work.
Due Professional Care: When performing tests of controls, the internal auditor should exercise due professional care by considering the
- Extent of work needed to achieve the engagement’s objectives
- Relative complexity, materiality or significance of matters to which testing procedures are applied
- Adequacy and effectiveness of governance, risk management and control processes
- Probability of significant errors, fraud or non-compliance
- Cost of controls/assurance provided in relation to the potential benefit

When performing tests of controls the internal auditor must consider the use of technology-based audit and other data analysis
techniques. Internal auditors must be alert to potential risks that might affect objectives, operations or resources when testing controls.
When performing tests of controls as part of a consulting engagement, internal auditors should consider:
- The needs and expectations of clients, including the nature, timing, and communication of engagement results
- Relative complexity and extent of work needed to achieve the engagement’s objectives
- Cost of the consulting engagement in relation to potential benefits
Due Professional Care does not
- Call for detailed analysis of all transactions / extensive examinations
- Call for infallibility or extraordinary performance
- Give absolute assurance that non-compliance does not exist
1300 – Quality Assurance and Improvement Program
The CAE must develop and maintain the Quality Assurance and Improvement Program that covers all aspects of the internal audit, communicate the results of this programme to senior management and the board, and may state that the internal audit conforms to the International Standards for the Professional Practice of Internal Auditing. When non-conformance with any of the codes, practices or standards impacts on the overall scope of the engagement, the CAE must disclose this non-conformance and the impact it might have.
The Quality Assurance and Improvement Program must include both internal and external assessments.
Internal Assessments:
- Ongoing monitoring of the performance of the internal audit
- Periodic self-assessments or assessments by people within the organisation with sufficient knowledge of internal audit procedures
External Assessments: (must be conducted once every 5 years, by a qualified independent assessor, outside the organisation)
The CAE must discuss with the board:
- The form and frequency of the external assessment
- The qualifications and independence of the external assessor / team

PERFORMANCE STANDARDS
2000 – Managing the Internal Audit Activity

2100 – Nature of Work

2200 – Engagement Planning


Go Over again…
2300 – Performing the Engagement

2400 – Communicating Results

2500 – Monitoring Progress

2600 – Resolution of Senior Management’s Acceptance of Risks


Study unit 1.3 - Other internal auditing guidance impacting on conducting tests of controls
Corporate governance summarised notes
Define corporate governance
Corporate governance is a system or process whereby companies are directed or controlled. It is about companies being good corporate citizens and all
that this entails.
Why is it important?
Companies are an integral part of modern society, and it therefore follows that responsibly controlled companies will improve the quality of modern society.
2 Bases of the code:
• Comply or else
• Comply or explain
Comply or else: companies must adhere to the code; if they don’t, they will be punished.
Comply or explain: companies must comply with the code; however, if directors feel that a particular recommendation is not in the company’s best interest, the directors need not comply but they must explain the reason why. King III follows a non-legislated approach.
Apply or explain does not mean directors can separate corporate governance and the law. Governance should be achieved within the framework of the law.
--------------------------------------------------------------- Additional Info -------------------------------------------------------------------------------------------------
Key aspects of the King III report
1. Leadership – good governance is about effective leadership. Leadership is characterized by the ethical values of responsibility, accountability, fairness and transparency and is based on moral duties that find expression in the concept of Ubuntu.
2. Sustainability – to understand the term “sustainability” we need to understand that companies don’t operate in a vacuum; they are part and parcel of society and must address, and be part of, the social, ethical and environmental issues which arise out of society.
3. Corporate citizenship – the concept of corporate citizenship flows from the fact that the company is a person and should operate in a sustainable manner. It is about the ethical relationship between the company and the society it operates in.
Three important aspects of sustainability
1. Inclusivity of stakeholders – to achieve sustainability, the legitimate interests and expectations of all stakeholders must be taken into account in decision making and strategy.
2. Innovation, fairness and collaboration – these are key aspects in achieving sustainability. Innovation provides new ways of achieving sustainability, fairness is vital because social injustice is unsustainable, and collaboration is required if business is going to embrace the principles of sound corporate governance proposed by King III.
3. Social transformation – to achieve sustainability, social transformation must be part and parcel of the company’s performance. This will benefit both company and society.
Four important issues incorporated into the King III report
1. Alternative dispute resolution (ADR) – it is an emerging trend in international business that, where disputes arise in business dealings, mediation/arbitration as opposed to going to court is an acceptable way of resolving the dispute.
2. Risk-based internal audit – King III favours risk-based internal audit over compliance-based internal audit. The latter has internal audit checking that the company has complied with its internal controls and legislation. The risk-based approach places more emphasis on internal audit understanding the risks associated with the strategic direction of the company and determining whether internal controls, processes and procedures adequately address these risks.
3. IT governance – if you think about the international banking system, electronic banking and the use of internet banking by business, it is very easy to understand that issues such as confidentiality, integrity and functionality of the system are of paramount importance in the management of the company.
4. Business rescue – rescuing a business means that the business has been sustained, and is clearly in the interest of all the business’s stakeholders.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Section 76 of Companies Act – Standards of Directors' Conduct
• A director of the company must not use his position or any information obtained to gain advantage for himself or knowingly cause harm to the company
• Must communicate to the board any info, unless he reasonably believes the information is
  - Immaterial to the company or generally available to public or directors
  - Or he is legally bound not to disclose the info
• Exercise his powers in good faith and for proper purpose, in the best interest of the company, with the degree of care, skill and diligence reasonably expected of a director.
Section 77 of Companies Act – Liability of Directors and Prescribed Officers
• A director may be held liable:
  - In terms of common law for a breach of fiduciary duty for any loss or costs sustained by the company in respect of the director failing to
      - Disclose a personal financial interest
      - Avoid a conflict of interest
      - Act in good faith and for proper purpose
      - Act in the best interests of the company
  - In terms of the common law relating to delict for any loss or costs sustained by the company as a result of any breach by the director of:
      - The duty to act with the necessary degree of care, skill and diligence;
      - Any provision of the memorandum of incorporation (MOI)
      - Any provision of the Act
• A director may also be held liable for any loss arising from the direct or indirect consequence of the director:
  - Acting for the company despite knowing that he lacked authority.
  - Agreeing to carry on business knowing it was reckless to do so
  - Being part of an act or omission knowing it will defraud someone (creditor; shareholder; employee)
  - Having signed a document knowing it was false or misleading which is about to be published (e.g. company’s FS)
  - Being present at a meeting and failing to vote against:
      - The issuing of unauthorized shares
      - The provision of financial assistance to any person whilst knowing it is in contravention of the Act
      - A resolution approving a distribution in contravention of the Act
      - An acquisition by a company of its own shares in contradiction to the Act
      - An allotment whilst knowing the allotment is contradictory to the Act

Section 78 - indemnity of insurance

• Any provision of an agreement, the MOI or rules, or a resolution of a company, is void if it directly seeks to relieve a director of any of that director’s duties in respect of personal financial interest or the standard of director’s conduct, or liability arising from fiduciary duty, breach of good faith, or any provision in the Act.
• Any agreement which limits any legal consequence from omission or misconduct or breach of trust will also be void.
• A company may not pay a fine imposed on a director who has been convicted of an offence in terms of the national legislation.
• Except if the MOI provides otherwise, a company may cover litigation expenses of its directors, to defend proceedings arising out of the director's service to the company
• Except if the MOI provides otherwise, a company may protect a director in respect of any liability except where the director
  - Acted in the name of a company despite knowing he lacked the authority to do so
  - Committed wilful misconduct or wilful breach of trust,
  - Agreed to the carrying on of the business recklessly, with gross negligence, with intent to defraud any person
  - Traded under insolvent circumstances or intended to defraud a creditor, employee or shareholder.
Audit Committee:
Each company that has decided to have an audit committee must elect at least 3 members, unless such company is a subsidiary of another company that has an audit committee which will perform such audit on behalf of its subsidiary.
• Each member of the audit committee must:
  - Be a director of the company
  - Satisfy any minimum qualifications the minister may prescribe
  - Not be:
      - Involved in the day-to-day management of the company’s business
      - A prescribed officer, or full-time executive employee of the company
      - A material supplier or customer of the company,
      - A related person to any person subject to the above prohibitions.

Section 94 - Main duties of the audit committee

• To nominate an auditor of the company, a registered auditor who is independent of the company.
• To determine the fees to be paid to the auditor and the auditor’s terms of engagement.
• To ensure that the appointment of the auditor complies with the provisions of this Act.
• To determine the nature and extent of any non-audit services.
• To pre-approve any proposed agreement with the auditor for the provision of non-audit services to the company.
• To prepare a report to be included in the annual financial statements for that financial year.
• To receive and deal appropriately with any concerns or complaints.
• To make submissions to the board on any matter concerning the company’s accounting policies, financial controls, records and reporting.
• To perform such other oversight functions as determined by the board.

STUDY UNIT 1.3


Ethical leadership and Corporate Citizenship:
Ethical leadership is about effective responsible leadership, building sustainable businesses, reflecting on the role of business in society, doing business
ethically, not compromising the natural environment and embracing a shared future.
All decisions and actions of the board should be based on 4 ethical values:
1. Responsibility – the board should assume responsibility for the assets and actions of the company and should take corrective action to keep
the company on its correct path.
2. Accountability – the board should be able to justify its decisions and actions to all stakeholders.
3. Fairness – in its decisions and actions, the board should ensure it gives fair consideration to the interest of all stakeholders.
4. Transparency – the board should disclose information in a manner that enables all stakeholders to make informed analysis of the company’s performance.
Each director has to adhere to the above 4 ethical values. However, they should also adhere to the following 5 moral duties:
Moral duties that should be exercised by a director
1. Conscience – a director should act with intellectual honesty, in the best interest of the company, avoid conflicts of interest and remain independent in mind and action.
2. Care – a director should pay careful attention to affairs of the company; a carefree or careless attitude is not acceptable.
3. Competence – a director should have necessary knowledge and skills to exercise his/her duties and should continuously “upgrade” knowledge.
Keep abreast with IT development.
4. Commitment – a director should be diligent and prepared to put in necessary time and effort.
5. Courage – a director should have courage to act with integrity, even when there is pressure on him to act otherwise, or be unpopular.

The business and affairs of a company must be managed by a board of directors, and Section 84 provides that every public and state-owned company must in addition appoint an audit committee. King III recommends that all companies also appoint an audit committee.
King 3 and JSE requirements:
Audit committee and a Remuneration committee AND, if required, Nomination and Risk Committee
The Board of Directors must:
• Meet 4 times a year
• Have a charter setting out its functions and responsibilities
• Have a minimum of 2 executive directors, one of which MUST be the CEO and the other the head of finance.
• The majority should be non-executive directors of which most should be independent.
• At least 1/3 of the directors should rotate each year
• Have a chairman who is an independent non-executive director, and is not the CEO. He should also not be a member of the audit committee or chair the risk and remuneration committee, but he may be a member or chair of the nomination committee.
5 responsibilities of the board
• The board is responsible for corporate governance and has two main functions:
  - it is responsible for determining the company’s strategic direction and
  - it is responsible for the control of the company
• The board is responsible to ensure that management actively cultivates a culture of ethical conduct and sets the values to which the company will adhere.
• The board is responsible to ensure that integrity permeates all aspects of the company and its operations and that the company’s vision, missions and objectives are ethically sound.
• The board is responsible to align its conduct and the conduct of management with the values that drive the company’s business.
• The board is responsible for considering the legitimate interest and expectations of the company’s stakeholders in its deliberations, decisions and actions.
An executive director:
A director who is involved in the management of the company and/or is a full-time salaried employee of the company.
A non-executive director:
A director who is not involved in the management of the company; he provides independent judgement and advice on issues facing the company based on his broad knowledge of the industry, business and economic environments.
An independent non-executive director is a director who:
1. Is not a representative of a shareholder who has the ability to influence management
2. Does not have a direct or indirect interest in the company.
3. Has not been employed by the company in executive capacity in the last 3 financial years.
4. Is not a family member of (3) above
5. Is not a professional advisor to the company
6. Is free from any business or relationship which could lead him not to act independently.
7. Does not receive remuneration contingent upon the performance of the company

Board committees

Remuneration committee
Chairman:
• Independent non-executive director
• (not the chairman of the board)
Membership:
• Majority of members should be non-executive directors of which majority should be independent.
Members: Not specified in King III.
Meetings: Not specified in King III.
Functions: Should assist the board in setting and administering remuneration policies.

Nomination committee
Chairman:
• Independent non-executive director
• BOD chairman may be chairman/member here
Membership:
• Majority of members should be non-executive directors of which majority should be independent.
Members: Not specified in King III.
Meetings: Not specified in King III.
Functions: Should assist with the process of identifying suitable members of the board.

Risk committee
Chairman:
• Independent non-executive director
• (not the chairman of the board)
Membership: Executive & non-executive directors
Members: At least 3
Meetings: Meet at least twice a year
Functions: Should consider the risk management policy and plan and monitor risk management process.

Audit committee
Chairman:
• Independent non-executive director
• (not the chairman of the board or a member of another audit committee)
Membership:
• Each member must be a director of the company
• Independent non-executive directors
• Each member must be suitably qualified
• Not the CEO
• Not the chairman of the board
Members: At least 3
Meetings:
• At least twice a year
• Should meet with internal and external auditors at least once a year
Functions:
• Should oversee integrated reporting
• Should ensure that a combined assurance model is applied
• Should satisfy itself of the expertise, resources and experience of the company’s finance function.
• Should oversee internal audit
• Should be an integral component of the risk management process.
• Should recommend the appointment of the external auditor and oversee the external audit process.
• Should report to the board and shareholders on how it has discharged its duties.

The CEO should:
• Not be the chairman of the board
• Not be a member of the remuneration, audit and nomination committees
• Not be a chairman of other companies outside the group

List functions of the CEO


1) Recommending or appointing the executive team & ensuring proper succession planning & performance appraisals.
2) Developing the company’s for consideration and approval by the board.
3) Developing & recommending to the board yearly business plans and budgets that support the company’s long-term strategy.
4) Monitoring and reporting to the board the performance of the company and its conformance with compliance imperatives.
5) Establishing an organisational structure for the company which is necessary to enable execution of its strategic planning.
6) Setting the tone in providing ethical leadership and creating an ethical environment.
7) Ensuring that the company complies with all relevant laws and corporate governance principles, and
8) Ensuring that the company applies all recommended best practices and, if not, that the failure to do so is justifiably explained.

Why should the CEO not fulfil the role of the chairman of the board?
 Given the strategic and operational role of the CEO, and to prevent too much power vesting in one person, this appointment should be
separate from that of the chairman of the board.

Governance of Risk:
The board should exercise leadership to prevent risk management from becoming a series of activities that are detached from the realities of the company’s business.
The board is responsible for:
• The management/governance of risk
• Determining the levels of risk tolerance
• Ensuring that risk assessments are carried out on a continual basis
• Ensuring that frameworks and methodologies are implemented to increase the probability of anticipating risks
• Ensuring that management considers and implements appropriate risk responses
• Ensuring continual risk monitoring by management
• Receiving assurance regarding the effectiveness of risk management
• Ensuring that there are processes in place enabling complete, timely, relevant, accurate and accessible risk disclosure to stakeholders
Management is responsible for:
• Giving assurance to the board regarding the effectiveness of risk management processes
• Continual risk monitoring
• Considering and implementing appropriate risk responses
 The board should delegate to management the responsibility to design, implement and monitor the risk management plan.

WHAT | WHO
Governance of risk management |
Design, implementation and monitoring of the risk management plan | The board should delegate to management
Monitoring the risk management process | The board, risk committee and audit committee
Performing an objective assessment of the effectiveness of risk management | Internal audit

The responsibility of Management and CEO in the risk management process.


1. The board’s risk strategy should be executed by management in accordance with the board-approved risk management policy and plan.
2. Management is accountable to the board for designing, implementing and monitoring the system and process of risk management and integrating it into the day-to-day activities of the company.
3. The board’s delegation of authority to management should incorporate risk management requirements.
4. Although the CEO may appoint a chief risk officer (CRO) to assist with the execution of the risk management process, the accountability to the board remains with the CEO.
5. The CRO should be a suitably experienced person who should have access to, and interact regularly on strategic risk matters with, the board and appropriate board committee and executive management.
6. The board should satisfy itself that insurance, indemnification and remuneration practices do not prejudice risk management decision-making.
7. Risk management should be intrusive: its methodology and techniques should be embedded within strategy setting, planning and business
processes to safeguard performance and sustainability.

1.3.5 The Governance of information technology


The board should be responsible for IT governance and delegate to management the responsibility to implement an IT governance framework.
Explain the role information technology plays in the company’s risk management
1. IT risks should form part of the company’s risk management activities and considerations.
2. Management should regularly demonstrate to the board that the company has adequate business resilience arrangements in place for
disaster recovery.
3. IT legal risk arises from possession, ownership and operational use of technology that may result in the company becoming a party to
legal proceedings.
4. When considering the company’s compliance with applicable laws, rules, codes and standards, the board should ensure that IT related
laws, rules, codes and standards are considered.
5. The board should consider how IT could be used to aid the company in its managing of risk and its compliance with laws, rules, codes and
standards.
6. The risk committee should ensure that IT risks are adequately addressed through its risk management, monitoring and assurance
processes.
7. The risk committee should consider IT risk as a crucial element of the effective oversight of risk management of the company.
8. Areas that are more dependent on IT are more exposed if IT risks are not appropriately governed.
9. IT as it relates to financial reporting and the going concern of the company should be the responsibility of the audit committee.
10. Audit committee should also consider the use of technology and related techniques to improve audit coverage and audit efficiency.
1.3.6 – Compliance with Laws, Rules, Codes and Standards
The board should ensure that the company complies with applicable laws and considers adherence to non-binding rules, codes and standards.
• Compliance with acts made in parliament, various legislation and JSE requirements.
• Exceptions, shortcomings and loopholes in the law should be handled ethically and the company should not seek ways around the law.
• The board should monitor the company’s compliance with the law regularly and it should be a regular item on the board’s agenda.
• There should be an integrated report which shows the company’s compliance.
• The board and each individual director should have a working understanding of the applicable laws that affect the company.
• Compliance risk should form an integral part of the company’s risk management process.
• The board should delegate to management the implementation of an effective compliance framework and process.

1.3.7 – Internal Audit

• Risk-based internal auditing (RBIA) is the methodology which provides assurance that risks are being managed within the organisation’s risk appetite.
Internal audit should perform the following functions:
• Systematically analyse and evaluate business processes and associated controls
 Perform an objective assessment of the effectiveness of risk management and the internal control framework
 Evaluate the company’s governance processes
 Provide a source of information as appropriate, regarding instances of fraud, corruption, unethical behaviour and irregularities
Define the term “Stakeholder” according to King III
• Stakeholders can be considered to be any group that can affect the company’s operations, or be affected by the company’s operations. Stakeholders include shareholders, institutional investors, creditors, lenders, suppliers, customers, regulators, employees, society in general, communities, auditors and potential investors.

Discuss how frequently a company should report to its stakeholders on sustainability and other issues.
• Effective reporting should take place at least once a year, but there is no fixed number of times that it should take place. The objective is to keep all stakeholders informed in a manner that satisfies the needs of each stakeholder grouping.
Name and discuss each stakeholder:
1. Suppliers of goods and services, without whom the company cannot operate effectively.
2. Creditors arising from the supply of goods, services and finance, for example loan providers. These parties are owed money and therefore have a direct stake in the company.
3. Employees are the most important asset of the company, at all levels and in all activities - skilled, unskilled and administrative.
4. Government and important parties in respect of other legislative matters, for example granting of forestry licences.
5. Customers, who may range from individuals to large corporations to government and who are the lifeblood of the company.
6. External auditors, who require co-operation to fulfil their functions.
7. Industry at large - The company does not operate in a vacuum. It is part of the broader economic community. Co-operation and participation are key to the sustainability of industry as a whole.
8. Local communities - Companies are part of the wider society. The company depends on these communities and vice versa.
9. Media - Financial, industrial and human interest journalists write about the company and can enhance or damage a company’s reputation and image as a good corporate citizen.
10. Regulators - King III defines a regulator as a body which seeks compliance, either on a mandatory or voluntary basis, with a set of rules, regulations or codes.
TOPIC 2 - Internal Control
Internal control is a process effected by the company’s board of directors, management and other personnel, and designed to provide reasonable assurance regarding the achievement of objectives in the following 3 categories:
• Economy, efficiency and effectiveness of operations
 Internal financial control
 Compliance with laws and regulations

Who is responsible for internal controls?


• Board of Directors - overall responsibility and accountability
• Management - identify risks - design and implement policies and procedures to address risks - maintain processes to ensure policies & procedures are carried out
• Employees - execution of Internal Controls procedures - success depends on them

6 characteristics of internal control:


1. Internal control is a process; it is a means to an end, not an end in itself (not the goal itself, but the process of achieving the goal).
2. Internal control is effected by people.
3. Internal control provides only reasonable, NOT absolute assurance that management’s goals will be achieved.
4. Internal control is not the sole responsibility of management.
5. Internal control is not static; it needs to evolve with changing conditions.
6. Internal control sets out to achieve objectives in 3 categories that are separate but interlinked.
The objectives of internal control:
Internal controls are put in place to ensure:
• Adherence to management policies for all aspects of the business
• The safeguarding of the assets of the company against theft/damage
• The prevention and detection of fraud and error
• The accuracy and completion of accounting records
• The timely preparation of reliable financial and other information necessary to run the business.
Limitations of internal control:
• Management’s usual requirement that the cost of internal controls does not exceed the expected benefit to be derived from them.
• The tendency for internal controls to be directed to routine transactions rather than non-routine transactions.
• The potential for human error due to carelessness, distraction, mistakes of judgement and misunderstanding of instructions.
• The possibility of circumventing the internal controls through collusion with management, or of an employee with parties outside of the organisation.
• The possibility that the person responsible for exercising internal controls could abuse that responsibility, e.g. management.
• The possibility that procedures may become inadequate due to changes in conditions, and that compliance deteriorates as a result.
Management’s assertions / internal control objectives for financial reporting:
Assertions: management’s representations about the company’s assets, equity and liabilities, transactions and events in its financial reports.
The aim of reliable financial reporting is to enable management to ensure that transactions that are reported are valid, accurate and complete.
A valid transaction means it has occurred, been authorized and pertains to the entity.
Internal controls & objectives | Assertions
Valid | Occurrence; Existence; Rights and obligations
Accurate | Accuracy; Classification; Valuation and allocation
Complete | Completeness and Cut Off

Management thereby assures the below:

Occurrence: a recorded transaction took place and does pertain to the entity.
Existence: assets, liabilities and equity interests exist at the given date.
Rights and Obligations: the entity holds or controls the rights to its assets and has obligations in respect of its liabilities.
Accuracy: amounts and other data relating to recorded transactions and events have been recorded appropriately.
Classification: transactions and events have been recorded in the proper accounts.
Valuation and Allocation: assets, liabilities and equity interests are included in the financial statements at the appropriate amounts and any resulting valuation or allocation adjustments are appropriately recorded.
Completeness: all assets, liabilities, transactions or events which should have been recorded, have been recorded.
Cut Off: transactions and events have been recorded in the correct accounting period.

Components of internal control:


Internal control consists of 5 components:
1. The control environment
2. The entity’s risk assessment process
3. The information system including related business processes
4. The control activities
5. Monitoring of controls

1. The control environment:

The control environment sets the tone of the organization and influences the control consciousness of its staff.
The desirable mindset is one of doing things the right way.

Characteristics of good internal control:

• Communication and enforcement of integrity and ethical values
• Commitment to competence
• A positive influence generated by those charged with governance of the entity (BOD)
• A management philosophy and leadership style which encompasses leadership, sound judgement and ethical behaviour
• An organisational structure which provides a clear framework within which proper planning, execution, control and review can take place
• Policies, procedures and an organisational structure which clearly define authority, responsibility and reporting relationships
• Sound HR policies and practices
2. Risk Assessment:
The risk assessment process involves assessing the likelihood and frequency of the risks identified and estimating the potential impact if the risk were to occur.
Risk categories to be identified:
Strategic risk: risks associated with adopting or changing a company’s strategy, e.g. entering a new market
Operating risk: risks associated with the way a company operates, e.g. a chemical manufacturer’s risk to the environment
Financial risk: risks associated with cash flow, cash management, borrowing etc.
Financial reporting risk: risk that the information in the financial reports is not accurate, complete and valid
Information risk: risk associated with implementing IT or electronic processes
Compliance risk: risk of non-compliance with legislation, contracts, laws, etc.

3. The information system including related business processes:


The objective of the information system is to produce information that is valid, accurate and complete when initiating, recording, processing and reporting on transactions.
Procedures that deal with IT transactions for financial reporting:
 Initiate, record, process and report transactions
 Capture events, and conditions other than transactions like depreciation.
 Accumulate, record, process and summarize info for the preparation of financial statements.

4. Control activities
The control objectives of financial reporting (valid, accurate and complete) can only be achieved with the implementation of certain control activities.
Control activities are the actions which are carried out to manage and reduce risks and achieve the entity’s internal control objectives.
Types of internal control activities:
• Approval, authorization
• Segregation of duties (different employees should have different tasks, e.g. AP and AR. If there is just one finance clerk in charge of everything, there is way too much power in one person’s hands.)
• Isolation of responsibilities (NB signing, acknowledgement of responsibility on documents.)
• Access / custody (security)
• Comparison and reconciliation (frequent and timely, with remedial action taken on any differences):
- It is important to reconcile bank statements with internal records
- Inventory and fixed assets records with physical counts
- Subsidiary ledgers to the general ledger: were they carried over correctly?
 Performance reviews

Good source document design:


- Pre-printed
- Pre-numbered
- Multi-copied, carbonised
- Designed in a manner which is logical to complete
- Have blocks to be signed

Controls in a computerized environment

General controls: those controls which establish an overall framework of control for computer activities (e.g. IT policies, logins)
Application controls: any control activities WITHIN an application which contribute to the accurate and complete recording and processing of transactions which have actually occurred and have been authorized (e.g. Oracle transfer process, negatives in correct places or you get an error)
GENERAL CONTROLS
Categories of General Controls:
1. Control Environment: management emphasis on strong IT policies and controls, and strong representation of IT matters on the Board
Systems development and implementation: significant change relating to computerized systems, e.g. changing the system to electronically manage a payroll system which was previously manual, or to allow online shopping. Such changes require significant changes in hardware, software and internal controls.
2. Access Control: designed to ensure that only authorized users are able to gain access to the computer facilities and data, and that these users are given access only on a need-to-know basis, i.e. in order to do their jobs.
Physical access control:
• Access to the IT department by privileges only, i.e. your swipe card won’t open the door if you don’t work for IT
• IT policies requiring you to secure your laptops to your desk at all times via cable tie
• Closed circuit TV cameras in the IT store room
• No access to the server room without privileges
• IT cables hidden in walls to prevent line tapping
Logical access control:
• Identification of users: e.g. username and profile
• Authentication of users: e.g. password
• Authorization of privileges, usually set in your user profile
• Encryption of data: making it illegible if obtained by the wrong hands
• Logging: recording and monitoring who accessed what

Supplementary general access controls:


Automatic account lock-out if an incorrect password is entered more than 3 times
Time-out facilities if your computer goes unused for a certain period of time
Sensitive info/changes require more security, with 2 passwords having to be entered to make the change, e.g. a PRICE change on the system
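The three supplementary controls above (lock-out, time-out and two passwords for a sensitive change), worked through in Python as an added example that is not part of the original notes. The class and method names and the 10-minute idle limit are assumptions; only the "more than 3 times" threshold comes from the notes.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 3     # from the notes: lock out after more than 3 wrong passwords
IDLE_TIMEOUT_SECONDS = 600  # assumption: the notes only say "a certain period of time"


def _hash(password, salt):
    # Salted, slow hash so the stored value cannot simply be read back as a password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    can_approve: bool = False
    failed: int = 0
    locked: bool = False


class AccessControl:
    def __init__(self):
        self.accounts = {}   # username -> Account
        self.sessions = {}   # username -> time of last activity
        self.log = []        # (time, user, event): the logging control

    def add_user(self, username, password, can_approve=False):
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, _hash(password, salt), can_approve)

    def _verify(self, username, password, now):
        acct = self.accounts.get(username)
        if acct is None or acct.locked:
            self.log.append((now, username, "denied"))
            return False
        if hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt)):
            acct.failed = 0
            return True
        acct.failed += 1
        if acct.failed > MAX_FAILED_ATTEMPTS:
            acct.locked = True   # stays locked until an administrator resets it
        self.log.append((now, username, "locked" if acct.locked else "bad_password"))
        return False

    def login(self, username, password, now):
        if not self._verify(username, password, now):
            return False
        self.sessions[username] = now
        self.log.append((now, username, "login"))
        return True

    def is_active(self, username, now):
        last = self.sessions.get(username)
        if last is None:
            return False
        if now - last > IDLE_TIMEOUT_SECONDS:
            del self.sessions[username]   # time-out: a fresh login is required
            self.log.append((now, username, "timeout"))
            return False
        self.sessions[username] = now
        return True

    def change_price(self, prices, item, new_price, requester, approver,
                     approver_password, now):
        """Sensitive change: needs a live session plus a second person's password."""
        if not self.is_active(requester, now):
            return False
        appr = self.accounts.get(approver)
        if approver == requester or appr is None or not appr.can_approve:
            self.log.append((now, requester, "price_change_refused"))
            return False
        if not self._verify(approver, approver_password, now):
            return False
        self.log.append((now, requester,
                         f"price {item}: {prices.get(item)} -> {new_price}, approved by {approver}"))
        prices[item] = new_price
        return True
```

Time is passed in as `now` (seconds) so the lock-out and time-out behaviour can be tested without waiting.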

3. Continuity of operations: aimed at protecting computer facilities from natural disasters (e.g. surge protectors, generators) and from destruction by unauthorized people (e.g. secure access control mechanisms). Computer facilities should be air conditioned, and a risk assessment should be done when choosing their location in the building.
4. System software and operating controls: controls over the use of add-on hardware on the system and over the use of unauthorized end-user software on the system, which may have spyware or malware hidden in it and leaves the system open to attack once installed.
5. Documentation: all aspects of the computer system should be clearly documented, and access should be given only to a restricted group of personnel.

Application controls:
A transaction follows 3 stages:
– Input - read in sales transaction
– Processing - calculation of VAT on sales transaction
– Output - printout of invoice on sales transaction

Therefore these controls ensure, for example:

· That only authorised personnel have access to certain programs – you can’t have the janitor fiddling with the accounting programs.
· That input (e.g. loading invoice details on your Pastel programme) is accurate and valid – what controls would you implement to ensure that this is done accurately?
· That the processing of information is correct – e.g. what controls would you have in place to ensure that the VAT is correctly dealt with by the computer?
· That the output is accurate and valid – e.g. how would you ensure that the logs kept by the computer are not tampered with?
· That the masterfile is accurate – e.g. what controls would you implement to ensure that only valid changes are made to the masterfiles?
· Etc.

Topic 3 - Business cycles:


It is the accounting system which provides the foundation for achieving reliable financial reporting (valid, accurate and complete) and internal financial control.
An accounting system is a series or collection of tasks and records by which transactions are processed to create financial records.
The major elements of an accounting system are people who carry out procedures, and paper such as order forms, ledgers and lists which facilitate the initiation, execution and recording of the transaction.

The accounting system consists of various business cycles:


The revenue and receipts cycle
The acquisitions and payments cycle
The inventory and production cycle
The payroll and personnel cycle
The finance and investment cycle

Cycles and how they tie up to various items on the financial statements:
The revenue and receipts cycle (AR)
- Statement of financial position: Accounts receivable; Cash and cash equivalents
- Statement of comprehensive income: Sales, returns, credit losses, discounts, interest received, all other receipts
The acquisitions and payments cycle (AP)
- Statement of financial position: Accounts payable
- Statement of comprehensive income: Credit and cash purchases, discount received, interest paid, expenses, all other payments
The inventory and production cycle
- Statement of financial position: Inventory
- Statement of comprehensive income: Cost of sales
The payroll and personnel cycle
- Statement of financial position: Bank and cash; AP for leave, wages, salaries, unions, pensions, SARS, medical aid etc.
- Statement of comprehensive income: Wages and salaries NETT of deductions
The finance and investment cycle
- Statement of financial position: Property, plant and equipment; Investments; Loans and borrowings; Share capital; Reserves
- Statement of comprehensive income: Dividends paid; Retained earnings, interest paid, profit on sale of assets / investments

TOPIC 4 – Revenue and Receipts cycle:


Revenue is income that arises in the course of ordinary activities of an entity.
Major activities / functions (in order), with associated documents, risks and how to mitigate the risks:

1. Receiving customer orders
Associated documents:
• Customer order
• Internal sales order (ISO)
• Price list
Risks:
• Order may be accepted from a non-account holder
• Orders may not be acted upon timeously, resulting in lack of sales and goodwill
• Inaccurate and incomplete orders may be accepted, resulting in incorrect deliveries, returns and customer dissatisfaction
Mitigate the risks:
• No orders to be accepted without a valid account number
• Record all orders on sequentially numbered order forms
• Order clerk to sign all ISO’s
• Phone orders: order clerk to confirm order item and quantity, customer account number and reference number
• On a regular basis ISO’s to be sequenced and checked and matched to delivery notes

2. Authorizing the sale
Associated documents:
• Credit application
• Debtors ledger
Risks:
• A sale could be made to a customer who is not credit worthy
Mitigate the risks:
• Before processing the order, checks should be carried out to ensure the customer has not supplied fake details and that the customer’s credit status is satisfactory
• ISO’s to be authorized by the credit controller’s signature before being sent to the warehouse
• When the order is from a new customer, a credit application must be made before the order is filled
• Limits must also be set by the credit manager and approved by the financial manager

3. Processing the order / warehouse
Associated documents:
• Picking slip
• Delivery note
• Back order note
Risks:
• Valid picking slips not acted on
• Goods removed from picking for fraudulent purposes
• Incorrect items and quantities picked
• Inaccurate and incomplete delivery notes
• Out of stock items identified on the picking slip
• Customer not notified of out of stock items
Mitigate the risks:
• Picker to initial the picking slip and identify all items which cannot be supplied on the picking slip
• Supervisory checks to be carried out by the warehouse foreman to ensure that all goods that are picked are supported by picking slips
• Stores clerk to check goods picked against the picking slip, prepare the delivery note from the picking slip, prepare a back order note from the picking slip if necessary and send it back to the ordering department to notify the customer and the buying department
• Delivery notes and picking slips to be matched and filed numerically

4. Dispatch
Associated documents:
• Delivery note
• List of deliveries
Risks:
• Theft may be facilitated by uncontrolled dispatch
• Dispatch errors may occur, with goods being delivered to the incorrect customer
• Customer may deny having received goods
• Goods released from the warehouse are never dispatched
Mitigate the risks:
• On receipt of goods, picking note and delivery note, the dispatch clerk should check quantities and descriptions
• Sign picking slip and delivery note
• The picked goods should be checked against slips when packed into the box, and the address on the box checked against the delivery note address
• Delivery staff should supervise loading the truck and sign a copy of the delivery receipt acknowledging receipt of the items and delivery notes
• Gate controls should check that all goods to be delivered match delivery notes
• Upon delivery a customer should sign 2 delivery notes accepting receipt of the goods, 1 kept by the customer and 1 given back to the driver

5. Invoicing
Associated documents:
• Sales invoice
• Price list
Risks:
• Goods supplied may not be invoiced
• Invoices may be inaccurately prepared / misstated
Mitigate the risks:
• A copy of the ISO should be held in numerical order for processing by the invoicing clerk
• On a regular basis, ISO’s not invoiced should be investigated
• The invoice clerk should compare details on the ISO and delivery notes, check prices quoted to the customer against the price lists and current discounts, prepare a numerically sequenced invoice and cross reference it to the delivery note / customer order
• A second invoice clerk should check the invoice, check prices, discounts, VAT calculated and customer details, and sign

6. Recording the sale
Associated documents:
• Invoice / credit note
• Statement
• Goods returned voucher
Risks:
• Invoices are omitted from the sales journal
• Invoices are duplicated in the sales journal
• Invoices inaccurately entered in the sales journal
• Invoices entered against the incorrect debtor
Mitigate the risks:
• Invoices to be entered in the sales journal in numerical sequence
• Independent staff member to check sales journal entries by sequence and follow up on any missing invoices
• Compare customer name and amount entered in the sales journal to the invoice for accuracy
• Check posting from the sales journal to the debtors ledger
• Reconciliation of the debtors ledger to the debtors control account on a regular basis

7. Raising debtors / receiving payments / cashier
Associated documents:
• Receipts
• Customer remittance advice
• Remittance register
• Bank deposit slip
Risks:
• Payments received not being banked due to carelessness or theft
Mitigate the risks:
• All post to be opened by 2 people
• All payments received by post to be recorded in a remittance register
• Pre-numbered receipts should be issued for all payments received via post
• All receipts should be banked daily
• Deposit slip to be made out by the cashier, not by the employee opening the post
• Cashier to reconcile cheques and cash to the remittance register before accepting them for banking
• Bank deposits should be reviewed regularly and gaps in daily banking investigated by management

8. Recording payment from debtors
Associated documents:
• Bank deposit slip
Risks:
• Deposits may never be recorded or not recorded timeously
• Recorded deposits may be inaccurate, overstated or credited to the incorrect debtor
Mitigate the risks:
• Cash receipts journal should be written up daily by date and receipt number
• Supervisory staff should review the cash receipts journal for missing dates and gaps in the sequence of receipts
• The cash book should be reconciled to the bank statement every month by an independent staff member
• Queries from debtors should be investigated by someone independent from the AR and AP functions

9. Goods returned by customer
Associated documents:
• Goods returned voucher
• Credit note
Risks:
• Description or quantity of goods returned may be incorrect, resulting in an incorrect credit note
• Credit notes could be passed for goods never returned
• Credit notes may be inaccurately recorded or credited to the incorrect debtor
Mitigate the risks:
• All goods returned must be received by the company’s returns department
• The goods receiving clerk must count and check the goods returned, make out a goods returned voucher cross referencing it to customer documentation, and sign and retain a copy of the goods returned voucher
• Credit notes to be made out by the accounts department and cross referenced to the original invoice

10. Credit management
Associated documents:
• Debtors age analysis
• Credit bureau info
• Customer statements
Risks:
• Debtors do not pay at all, or they pay late
• Debtors are prematurely written off
• Debts are written off without authority
Mitigate the risks:
• Monthly statements to be sent promptly to debtors
• Monthly age analysis and immediate follow up by phone or email if terms are exceeded
• A credit manager should also personally try to contact the customer, and perhaps renegotiate the credit terms
• If still no success, the debtor must be handed over
• If a debt must be written off, it should be done by the credit manager and a senior financial employee
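
The sequence checks, document matching and ledger reconciliation listed for the invoicing and recording functions can be run as an exception report. The following is an added example, not part of the original notes; the record layout, account numbers and amounts are constructed for illustration.

```python
from collections import Counter
from decimal import Decimal

# Constructed sample data (not from the notes).
# Delivery note number -> customer account the goods were delivered to.
DELIVERY_NOTES = {501: "ACC-001", 502: "ACC-002", 503: "ACC-003", 504: "ACC-001"}
SALES_JOURNAL = [
    {"invoice": 1001, "delivery_note": 501, "customer": "ACC-001", "amount": Decimal("1150.00")},
    {"invoice": 1002, "delivery_note": 502, "customer": "ACC-003", "amount": Decimal("575.00")},
    {"invoice": 1004, "delivery_note": 504, "customer": "ACC-001", "amount": Decimal("230.00")},
    {"invoice": 1004, "delivery_note": 504, "customer": "ACC-001", "amount": Decimal("230.00")},
    {"invoice": 1005, "delivery_note": 509, "customer": "ACC-002", "amount": Decimal("920.00")},
]
DEBTORS_LEDGER = {"ACC-001": Decimal("1610.00"), "ACC-002": Decimal("920.00"),
                  "ACC-003": Decimal("575.00")}
DEBTORS_CONTROL = Decimal("2875.00")


def sequence_exceptions(numbers):
    """Return (missing, duplicated) numbers in a pre-numbered document series."""
    counts = Counter(numbers)
    if not counts:
        return [], []
    missing = [n for n in range(min(counts), max(counts) + 1) if n not in counts]
    duplicated = sorted(n for n, c in counts.items() if c > 1)
    return missing, duplicated


def revenue_exceptions(delivery_notes, sales_journal, debtors_ledger, control_balance):
    """Exception report covering the risks listed under invoicing and recording the sale."""
    missing, duplicated = sequence_exceptions([e["invoice"] for e in sales_journal])
    invoiced_notes = {e["delivery_note"] for e in sales_journal}
    unsupported, wrong_debtor = set(), set()
    for entry in sales_journal:
        delivered_to = delivery_notes.get(entry["delivery_note"])
        if delivered_to is None:
            unsupported.add(entry["invoice"])        # sale with no proof of delivery
        elif delivered_to != entry["customer"]:
            wrong_debtor.add(entry["invoice"])       # entered against incorrect debtor
    return {
        "missing_invoices": missing,                 # omitted from the sales journal
        "duplicated_invoices": duplicated,           # recorded more than once
        "deliveries_not_invoiced": sorted(set(delivery_notes) - invoiced_notes),
        "invoices_without_delivery": sorted(unsupported),
        "wrong_debtor": sorted(wrong_debtor),
        # Debtors ledger total minus control account; anything but zero needs follow-up
        "ledger_vs_control": sum(debtors_ledger.values(), Decimal("0")) - control_balance,
    }


if __name__ == "__main__":
    report = revenue_exceptions(DELIVERY_NOTES, SALES_JOURNAL, DEBTORS_LEDGER, DEBTORS_CONTROL)
    for check, result in report.items():
        print(f"{check}: {result}")
```

Each non-empty list and the non-zero reconciling difference is an item for the independent staff member to investigate, which keeps the check separate from the clerk who wrote up the journal.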

Minimum requirements that should reflect on sales documentation/ invoices:


1. the supplier’s full name, or registered business name, and VAT registration number, if any;
2. the address of the premises at which, or from which, the goods or services were supplied;
3. the date on which the transaction occurred;
4. a name or description of any goods or services supplied or to be supplied;
5. the unit price of any particular goods or services supplied or to be supplied;
6. the quantity of any particular goods or services supplied or to be supplied;
7. the total price of the transaction, before any applicable taxes;
8. the amount of any applicable taxes; and
9. the total price of the transaction, including any applicable taxes.
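
The questions raised under application controls (is the input accurate and valid, is the VAT dealt with correctly) and the minimum invoice content listed above can both be enforced by an input edit check. This is an added example, not part of the original notes; the field names are assumptions, the VAT rate is supplied by the caller, and the sample invoice is constructed.

```python
from datetime import date
from decimal import Decimal, ROUND_HALF_UP

# Header fields from the minimum-requirements list (VAT number is "if any", so optional)
REQUIRED = ("supplier_name", "supplier_address", "date", "lines",
            "total_before_tax", "tax", "total_incl_tax")
LINE_REQUIRED = ("description", "unit_price", "quantity")
CENT = Decimal("0.01")

# Constructed sample invoice (not from the notes).
SAMPLE_INVOICE = {
    "supplier_name": "Example Traders (Pty) Ltd",
    "supplier_address": "1 Sample Street",
    "date": "2024-03-31",
    "lines": [{"description": "Widget", "unit_price": Decimal("100.00"), "quantity": 10}],
    "total_before_tax": Decimal("1000.00"),
    "tax": Decimal("150.00"),
    "total_incl_tax": Decimal("1150.00"),
}


def _blank(value):
    return value is None or value == "" or value == []


def validate_invoice(inv, vat_rate):
    """Return a list of exceptions; an empty list means the invoice passes."""
    errors = [f"missing {f}" for f in REQUIRED if _blank(inv.get(f))]
    if errors:
        return errors
    try:
        date.fromisoformat(inv["date"])
    except (ValueError, TypeError):
        errors.append("date is not a valid YYYY-MM-DD date")
    subtotal = Decimal("0")
    for i, line in enumerate(inv["lines"], start=1):
        missing = [f for f in LINE_REQUIRED if _blank(line.get(f))]
        if missing:
            errors.append(f"line {i}: missing {', '.join(missing)}")
        elif line["quantity"] <= 0 or line["unit_price"] < 0:
            errors.append(f"line {i}: quantity must be positive and price not negative")
        else:
            subtotal += line["unit_price"] * line["quantity"]
    if errors:
        return errors
    # Processing checks: recompute instead of trusting the captured totals
    if subtotal != inv["total_before_tax"]:
        errors.append("total before tax does not equal the sum of the lines")
    expected_tax = (inv["total_before_tax"] * vat_rate).quantize(CENT, ROUND_HALF_UP)
    if inv["tax"] != expected_tax:
        errors.append(f"tax should be {expected_tax}")
    if inv["total_before_tax"] + inv["tax"] != inv["total_incl_tax"]:
        errors.append("total including tax does not cross-foot")
    return errors
```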

Computerized controls:
What is a Masterfile? The masterfile contains the “Permanent” or “Semi-permanent” info.
e.g. Debtors masterfile would contain inter alia:
• The customer’s name
• The customer’s account number
• The customer’s ID number / Company registration number
• The customer’s physical and postal address
• The customer’s credit limit as determined by credit controller / manager
• The customer’s repayment terms (e.g. 30 days, 60 days etc.)

Cash sales:
Things that could go wrong, each followed by its internal control:

1. Things that could go wrong: Cash sales could be recorded without the cash being put in the cash register drawer.
Internal control: The cash in the cash register should be reconciled with the total daily cash sales entered on the cash register roll. The cash register roll should not be alterable.

2. Things that could go wrong: Cash could be received from customers without the cash sales transaction being recorded.
Internal control: Physical safeguards should be in place, for example signage encouraging customers to request a receipt. Cash receipts should be sequentially numbered.

3. Things that could go wrong: Cash could be stolen after the cash register has been “cashed up” for the day.
Internal control: Whenever cash is transferred from the custody of one person to another, it should be counted, reconciled, documented and signed for by both parties in a safe location. Cash should not be allowed to accumulate and should be banked daily.

4. Things that could go wrong: Customers could leave without paying for goods that they have taken.
Internal control: Physical safeguards should be in place. For example, there should be limited entry and exit points with security guards at the exit points to sign off the cash sale receipts.

5. Things that could go wrong: An armed robbery could take place, resulting in cash being stolen from cash registers.
Internal control: Physical safeguards should be in place, for example security guards and surveillance cameras. Cash should not be allowed to accumulate and should be banked daily so that the minimum amount of cash is exposed to the risk of theft.

TOPIC 5 - ACQUISITIONS And Payments Cycle


The acquisitions and payments cycle (AP) - Accounts payable - Credit and cash purchases, discount received, interest paid, expenses, all other payments

For each function: Documents, Risks, Mitigate the risks

1. Ordering of goods
Documents:
• Requisitions
• Purchase order forms
Risks:
• Ordering of incorrect goods/quantities resulting in unnecessary returns or wastage
• Fraudulently ordering unauthorized goods
• Requisitions not acted upon or orders not placed in time
• Obtaining inferior quality goods
• Paying unnecessarily high prices for goods
• Order forms misused by placing orders for private usage
Mitigate the risks:
• Order clerks should not place orders without the required permission and authorization
• Prior to the requisition being made out, production should confirm that the goods are actually needed
• Before the order is placed a supervisor should check the order and the requisition for accuracy, and review the reasonability of price and quantity ordered.
• The company should preferably have an approved supplier list
• The ordering department should file requisitions sequentially by department
• Blank order forms should be subject to sound stationery controls

2. Receiving of goods
Documents:
• Supplier's delivery note
• Goods received note
Risks:
• Acceptance of: short deliveries as full deliveries; damaged and broken goods; items not ordered; goods not of the required type or quality
• Goods received notes not made out accurately
• No goods received note made out
• Defalcations or theft by employees
Mitigate the risks:
• Delivery notes should be checked against purchase order forms, and actual goods received, before any signature is made accepting the goods.
• Goods receiving should be done in a secure location which is access controlled
• Perform a superficial test of the goods received to inspect if they are broken or damaged
• Reject all incorrect deliveries and clearly identify them on the delivery note
• Ensure that the suppliers also sign the delivery note including any amendments made

3. Recording of purchases
Documents:
• Purchase invoice
• Credit note
• Creditors statement
• Purchases journal
Risks:
• The recording of incorrect amounts arising from incorrect purchase invoices (e.g. incorrect totals, or VAT added)
• The raising of fake creditors by the introduction of invoices of goods never received/ordered by the company
• Delays, misallocation and posting errors in the journals
Mitigate the risks:
• The purchase invoice received from the supplier should be matched to the corresponding goods received note, delivery note and purchase order to check that quantity and prices match
• Reviewed to check that the amounts on the invoice have been allocated against the correct account
• All calculations on the invoice should be performed

4. Payment preparation
Documents:
• Creditors statements
• Cheque/payment requisitions
Risks:
• Payment to fictitious creditors
• Payment of incorrect amounts
• Unauthorized payments
• Discounts lost due to late payments
Mitigate the risks:
• The monthly creditors statement received should be reconciled to the supporting documentation before being recorded
• A creditors clerk should identify which creditors should be paid at month end to comply with their credit terms
• Cheque requisitions should be pre-printed and sequenced
• Cheque requisitions should include required info and be authorized by the preparer and presented with the supporting documentation to the relevant signatories

5. Actual payment and recording thereof
Documents:
• Remittance advice
• Cheque or electronic payment receipt
Risks:
• Cheques may be incorrectly made out
• Invalid payments may be made
• Payments may be recorded inaccurately
Mitigate the risks:
• There should be two signatories for all cheque payments
• And they should cancel all documents so that they cannot be presented again for payment.
• All cheques should be made out so as to least facilitate any tampering, e.g. no gaps, not transferable, write out payee’s name in full, etc.
• All cheques in strict numerical order. And if possible only one being used.
• All cheques recorded in numerical sequence in CPJ

Controls that should be implemented over changes to the creditors and debtors master files in a computerized environment:

1. Restrict write access to the debtor's/supplier master file to a specific member of the section by the use of user ID and passwords. (1½)
2. All master file amendments should be automatically logged by the computer on sequenced logs. (1½)
3. These sequenced logs should be reviewed for accuracy and completeness. (1½)
4. There should be no write access to these logs. (1½)
5. To enhance the accuracy and completeness of the keying in of masterfile amendments and to detect invalid conditions, screen aids and programme checks can be implemented. (1½)
Screen aids and related features
6. Minimum keying in of information (1½)
7. Screen formatting: screen looks like the master file amendment form (MAF), screen dialogue (1½)
8. The account number for a new debtor is generated by the system. (1½)
Programme checks
9. Verification/matching checks to validate a debtor account number against the debtors masterfile (1½)
10. Alpha numeric checks on data entered, such as a debtor’s name should only use letters of the alphabet (1½)
11. Range and/or limit/data approval checks on terms and credit limit field (1½)
12. Field size check and mandatory/missing data checks (1½)
13. Sequence check on MAFs entered to ensure that no MAFs were left out (1½)
14. Dependency check, e.g. the credit limit granted may depend upon the credit terms granted, e.g. 90 days up to a limit of R2 000 (1½)
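
The programme checks in points 9 to 14 can be seen working together in the following added example, which is not part of the original notes. It validates a batch of amendments to existing debtors before anything is written to the master file. Apart from the "90 days up to R2 000" rule, every name and value in it (account numbers, field size, credit ceiling, allowed terms) is an assumption made for illustration.

```python
import re

# Constructed sample data. Only the "90 days up to R2 000" rule comes from the notes;
# the account numbers, field sizes and ceilings are assumptions for illustration.
DEBTORS_MASTERFILE = {"D0001": {"name": "Acme Traders", "terms": 30, "credit_limit": 5000}}
MANDATORY = ("maf_no", "account_no", "name", "terms", "credit_limit")
ALLOWED_TERMS = (30, 60, 90)        # days
MAX_CREDIT_LIMIT = 50_000           # rand, assumed ceiling
MAX_NAME_LEN = 40                   # assumed field size
DEPENDENT_LIMIT = {90: 2_000}       # terms -> highest credit limit allowed

def check_maf(maf):
    """Run the programme checks on one amendment; return a list of failures."""
    errors = [f"missing:{f}" for f in MANDATORY if maf.get(f) in (None, "")]
    if errors:                       # mandatory/missing data check
        return errors
    name = str(maf["name"])
    if maf["account_no"] not in DEBTORS_MASTERFILE:      # verification/matching check
        errors.append("verification:account_no")
    if not re.fullmatch(r"[A-Za-z ]+", name):            # alphabetic check
        errors.append("alpha:name")
    if len(name) > MAX_NAME_LEN:                         # field size check
        errors.append("field_size:name")
    if maf["terms"] not in ALLOWED_TERMS:                # range check
        errors.append("range:terms")
    limit = maf["credit_limit"]
    if not isinstance(limit, int) or not 0 <= limit <= MAX_CREDIT_LIMIT:
        errors.append("limit:credit_limit")              # limit check
    elif limit > DEPENDENT_LIMIT.get(maf["terms"], MAX_CREDIT_LIMIT):
        errors.append("dependency:terms/credit_limit")   # dependency check
    return errors

def sequence_gaps(maf_numbers):
    """Sequence check: MAF numbers missing between the lowest and highest seen."""
    seen = set(maf_numbers)
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen] if seen else []

def process_batch(batch):
    """Return ({maf_no: failures}, missing MAF numbers) without touching the master file."""
    report = {m.get("maf_no"): check_maf(m) for m in batch}
    return report, sequence_gaps(n for n in report if isinstance(n, int))

SAMPLE_BATCH = [  # constructed amendments: one valid, one with three faults, one incomplete
    {"maf_no": 101, "account_no": "D0001", "name": "Acme Traders", "terms": 60, "credit_limit": 8000},
    {"maf_no": 102, "account_no": "D9999", "name": "Acme 2 Traders", "terms": 90, "credit_limit": 5000},
    {"maf_no": 104, "account_no": "D0001", "name": "", "terms": 30, "credit_limit": 1000},
]

if __name__ == "__main__":
    print(process_batch(SAMPLE_BATCH))
```

MAF 103 is reported as missing by the sequence check, which is the condition a reviewer of the sequenced amendment log would follow up.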
