Discuss effect on the overall audit plan of issues
You are the audit manager assigned to the 2004 external audit of Burlap Ltd, a company that assembles and distributes personal computers. The company has a June year end and is listed on the JSE Securities Exchange South Africa. You have recently completed the interim audit fieldwork, which focused on updating your knowledge of the risks faced by the business and on validating the internal control processes implemented by the company to address those risks. During a meeting Mr Bean, the Financial Director, briefed you on a new governance process being implemented by the board of directors in order to meet their obligations under the King Code 2002 with regard to internal controls. Of particular concern to the directors is the requirement under the King Code to report in the annual financial statements that:
– adequate accounting records and an effective system of internal controls and risk management have been maintained;
– the system is regularly reviewed for effectiveness; and
– there is an ongoing process for identifying, evaluating and managing the significant risks faced by the company, including those relating to business continuity.
Accordingly, the directors have established an Audit Risk and Control Committee whose terms of reference, amongst others, include ensuring that risks arising in the business are appropriately identified and managed and, in particular, that significant internal control weaknesses or noncompliance with laws and regulations identified by management, internal audit or the external auditors are appropriately addressed.
Mr Bean requested that your firm be present at future meetings of the Audit Risk and Control Committee in order to assist the committee members with the identification and assessment of risks and to suggest improvements to internal control and risk management processes. Your firm has subsequently been provided with committee papers which are to be tabled at the next meeting. The audit partner has asked you to consider the issues set out in the attached extracts from those papers and then brief him for that meeting, as he is keen to provide value-added advice to the meeting.
Your overall audit plan does not specifically address the issues in the attached extracts.
AUDIT RISK AND CONTROL COMMITTEE
EXTRACTS FROM PAPERS TO BE TABLED AT THE MEETING
TO BE HELD ON 15 MAY 2004
1 Matters noted by internal audit
1.1 Proposed software upgrade
The sales order processing application software will be upgraded from version 4.1 to version 4.5 during the first week of June 2004.
As part of a price war in the personal computer market, a major competitor has recently introduced a new range of computer models with specifications significantly in excess of Burlap Ltd’s existing products. Management is currently considering a further reduction in the sale price of its computers, but is concerned that the company will not be able to recover its overheads unless it can increase sales volumes.
2 Matters arising from internal audit work
2.1 Statutory records
The company register for one of the company’s subsidiaries has been mislaid.
The company cancelled its contract with Secretarial Services Ltd in October 2003, in terms of which the statutory records of the company and its subsidiaries had been maintained by that third party. All company registers of the group in possession of Secretarial Services Ltd were returned to the company.
Management comment (Mr Bill Evans – company secretary)
We will undertake a company records search at the Registrar of Companies and reestablish the register.
2.2 Warranty repairs
Although technicians document the nature of repairs made to customer equipment, they do not always specify whether the cause was a manufacturing defect, with the result that management information regarding warranty repairs may be incomplete.
IT equipment supplied to customers carries a 12-month warranty, in terms of which the company has to repair the equipment at no cost to the customer if the fault is due to an inherent manufacturing defect.
Customers have the option of entering into a maintenance contract in terms of which the company will repair the equipment in return for a fixed monthly fee payment by the customer. The standard maintenance contract is for three years, which is the estimated useful life of the equipment.
Management comment (Mr Amyas MacDougall – service manager)
We accept that there may be instances where warranty repairs are not specifically identified by the technician. We will in future ensure that technicians receive appropriate training in this regard.
2.3 Business continuity planning
Although a disaster recovery plan for the sales and marketing division was drawn up and tested during 2002, business continuity for the organisation as a whole has not been addressed.
It should be an organisation policy requirement that a business continuity plan forms part of normal operational requirements for both the IT function and all other business units. IT policies and procedures should require the following:
– A consistent philosophy and framework for the development of contingency plans;
– Prioritisation of applications with respect to timeliness of recovery and return;
– Assessment of risk and insurance needs for loss of business in contingency situations, with regard to both the IT function and IT users;
– An outline of specific roles and responsibilities for contingency planning, with specific test, maintenance and update requirements; and
– Formal contract arrangements with vendors to provide services in the event of a disaster, including a back-up site facility or relationship, in advance of actual need.
Management comment (Ms Anna Fischer – IT manager)
A three-year plan is in place for the development and testing of disaster recovery plans for all business units.
2.4 Cheque signing procedures
The validity of supporting documentation should be assessed by both cheque signatories prior to authorising creditor payments.
Management discovered a fraud in October 2003, in which an employee with a long service history had managed to accumulate R2,5 million in a personal bank account by processing invalid creditor payments over a number of years. The employee submitted payment requisitions in respect of invoices from a fictitious supplier. As the payments were regular and not individually large, the requisitions were authorised as a matter of course.
Management comment (Mr Ivan Counter – financial manager)
We consider this fraud to be an isolated incident and are satisfied that the company’s cheque signing procedures are adequate.
2.5 IT environment controls
Management should consider the following recommendations for improving its IT environment controls relating to physical security:
– There should be no water pipes/drainage pipes or water sprinkler systems in the server room.
– Appropriate fire extinguishers should be available for fire fighting.
– A register of maintenance of the uninterrupted power supply hardware (UPS) and emergency power generator should be maintained.
Management comment (Mr Mohammed Clay – physical security manager)
These recommendations will be investigated and considered and, where appropriate, they will be implemented.
3 Matter raised by the external auditors
3.1 Reconciliation procedures – accounts payable
The accounts payable balances in the creditors sub-ledger should be reconciled with underlying supplier statements and reviewed by the financial manager on a monthly basis. These balances are at present reconciled with suppliers’ invoices, but not with creditors’ statements.
Management comment (Ms Betty Ndlovu – accounts payable supervisor)
We do not view this as a risk as all payments are effected on the basis of approved creditors’ invoices. However, individual creditors’ accounts will in future be reconciled with the creditors’ statements on a monthly basis.
(a) For each of the issues set out in the attached extracts of committee papers –
(i) identify the potential risk to the business; and
(ii) list the specific factors that should be considered in assessing the significance of the risk.
(b) Discuss the effect on the overall audit plan of the issues identified from the attached committee papers, including any increases in audit scope of which management would have to be advised.
(c) Discuss the issues that should be considered in accepting the invitation to attend the Audit Risk and Control Committee meetings, and that arise from the SAICA Code of Conduct.
(d) List ways in which your firm could assist the directors in fulfilling their responsibilities under the King Code 2002 as required to be reported on in the annual financial statements.