Applied Skills, AA

Audit and Assurance (AA)

Section B

Granstan Co

(a) Components of a system of internal control

| Component of internal control | Description |
| :--- | :--- |
| Control environment | The control environment includes the governance and management functions and the attitudes, awareness, and actions of those charged with governance and management concerning the entity's system of internal control and its importance in the entity. The control environment sets the tone of an organisation, influencing the control consciousness of its people and provides the overall foundation for the operation of other components. <br> The control environment encompasses many elements, such as how management's responsibilities are carried out (such as creating and maintaining the entity's culture and demonstrating management's commitment to integrity and ethical values); how those charged with governance demonstrate independence from management and exercise oversight of the entity's system of internal control; how the entity assigns authority and responsibility in pursuit of its objectives; how the entity attracts, develops and retains competent individuals in alignment with its objectives; and how the entity holds individuals accountable for their responsibilities in pursuit of the entity's system of internal control. |
| Entity's risk assessment process | The entity's risk assessment process is an iterative process for identifying and analysing risks to achieve the entity's objectives and forms the basis for determining the risks to be managed. For financial reporting purposes, the entity's risk assessment process includes how management identifies business risks relevant to the preparation of financial statements in accordance with the entity's applicable financial reporting framework. It estimates their significance, assesses the likelihood of their occurrence, and decides upon actions to respond to and manage them and the results thereof. |
| Entity's process to monitor the system of internal control | Monitoring of controls is a continual process to assess the effectiveness of internal control performance over time. It involves assessing the effectiveness of controls and taking necessary remedial actions on a timely basis. Management accomplishes the monitoring of controls through ongoing activities, separate evaluations, or a combination of the two. Ongoing monitoring activities are often built into the normal recurring activities of an entity and include regular management and supervisory activities. |
| Information system and communication | The information system relevant to the preparation of the financial statements consists of the activities, policies and records designed and established to initiate, record, process and report entity transactions (as well as events and conditions) and to maintain accountability for the related assets, liabilities and equity. <br> Communication which involves providing an understanding of individual roles and responsibilities may be through policy and accounting and financial reporting manuals. It may be made electronically, orally or through management actions. |
Component of internal control

Control activities
(b) Direct controls and tests of controls

Direct control

A credit check is performed by the credit control department on all new customers applying for a credit account, after which a credit limit is set by the finance director which is regularly reviewed.
The credit check helps to ensure that credit is only granted to customers who are likely to pay so that receivables are more likely to be recoverable.
Regular review ensures that credit limits are not too high which could lead to irrecoverable debts and overvaluation of receivables.

A member of the finance team matches the details on the online order with the goods dispatched note (GDN) before raising sales invoices based on these documents.

This will help to ensure that customers are invoiced for all goods dispatched to them and that revenue is complete and accurate.

Customers must show the promotional email at the cash till and have the discount barcode scanned to access special discounts.
This ensures that discounts are only given to authorised customers and can only be used once, which reduces the risk of misstatement of revenue through fraud.

A monthly analysis of revenue is reviewed by the sales director, with any unexpected movements investigated. A report containing this analysis is presented at the next board meeting.

Investigation of unusual movements in revenue means that misstatements due to fraud or error will be identified promptly.

(c) Control deficiencies and recommendations

Deficiency

A monthly exception report of changes made to the supplier master file data is produced but not reviewed.
This increases the risk of fraud as members of the purchasing department could add fictitious suppliers and then place fraudulent orders without detection, causing loss for the company. Any errors in the changes made to the master file data would also not be identified promptly.

Description

Control activities are controls that are designed to ensure proper application of policies in all the components of the entity’s system of internal control and include both direct and indirect controls.
Control activities include information processing controls and general IT controls and may be manual or automated in nature. They have various objectives and are applied at various organisational and functional levels. They may include authorisation and approvals, reconciliations, verifications, physical or logical controls, segregation of duties.

Test of control

Inspect the documentation in the credit application files for a sample of customers to confirm that appropriate credit checks have been performed before giving credit.

For a sample of new customers accepted in the year, review the authorisation of the credit limit, and ensure that this was performed by the finance director or other responsible official. Review for evidence of regular review by the finance director.
Enquire of the receivables clerks who can set credit limits and whether these limits are reviewed.
For a sample of orders received by the finance department, review for evidence that the order was matched to the GDN and agree the sales invoice details to these documents.
Attempt to manually input a discount or amend the discount amount calculated by the system to ensure that the discount level cannot be manipulated.
For a sample of the monthly revenue analysis, obtain copies of the source information. Consider the thresholds for sales director investigation and investigate if there is any evidence of a review being performed where applicable.
For a sample of board meetings, review the agenda and minutes for evidence of the report being presented to the board and discussed appropriately.

Recommendation

The monthly exception report of changes should be reviewed by a responsible official on a regular basis and any unusual or unexpected changes investigated. This review should be evidenced.

Deficiency

Goods are delivered directly to a store where an employee checks the quantity of goods received but not the quality. If defective goods are accepted, it will be more difficult to dispute paying for them.

If defective goods are sold on to customers, it will damage customer goodwill.
Defective goods not sold may need to be discounted for sale or scrapped, affecting inventory valuation.

The purchasing department does not have access rights to view completed GRNs, only the stores and the finance department have access rights.

This means that the purchasing department is unable to monitor whether goods ordered have been received. This could result in stock outs and a loss of sales.

Recommendation

Goods should be inspected for both quantity and quality on receipt. When producing the goods received note (GRN), the store employee should input their initials as evidence of the checks undertaken.
The purchasing department should be given access rights to view GRNs. On notification of a completed GRN, the purchasing department should agree the details on the GRN to the order and then change the order status to fulfilled.
The purchasing department should undertake a regular review of unfulfilled purchase orders and follow up those which are outstanding.

On a monthly basis, supplier statement reconciliations should be undertaken with all reconciling items fully investigated.

The supplier statement reconciliations should be reviewed by a responsible official who should evidence this review by way of signature.
Supplier statement reconciliations are no longer performed.

Failing to undertake these reconciliations increases the risk of errors in the individual supplier accounts not being identified promptly which would result in misstatement of payables and could lead to suppliers being under or overpaid.
Joiner forms are not completed when temporary employees are required at short notice. Instead, the temporary employees are added to payroll following email notification from the relevant store manager.

The store managers may not carry out all the required procedures for new joiners, or record all the necessary information, as they do not complete the joiner form. This could result in temporary employees not being set up in the payroll system correctly. This would result in incorrect or incomplete payroll records.

The addition of employees to payroll without authorisation from HR also increases the risk of fictitious individuals being added.

Store managers review and approve the payroll report before the payment dates but are only required to report back to the payroll department if errors are found.
The payroll department may interpret a lack of response as indicating that there are no errors when in fact the store manager has failed to check, or a negative response has gone missing. This could lead to errors not being identified resulting in misstated payroll costs.

When employees collect their pay packets, they state their name but are not required to show identification.

Employees may falsely assume the identity of another employee in order to access their wages. This would result in fraud and may increase payroll costs if the company has to pay twice.
A joiner form should be completed and authorised by HR for all new employees.
If it is not possible for the HR department to complete the joiner forms due to time pressures, the store manager should complete the joiner form and a member of the HR team should review and authorise the details prior to it being sent to payroll. Payroll should then sign the form as being actioned.
The payroll department should be notified not to add new employees to payroll without a joiner form approved by a member of HR.
Store managers should be required to report back to the payroll department whether or not errors are found. They should sign the payroll as evidence that it has been checked.
The payroll department should follow up on any non-replies prior to processing the payroll.

(d) Substantive procedures - revenue
  • Cast a breakdown of revenue and agree to the general ledger, trial balance and draft financial statements.
  • Select a sample of daily sales reports and agree to the sales account in the general ledger.
  • Compare total revenue and monthly revenue to prior year and budget. Discuss any unusual fluctuations with management.
  • Compare the final gross profit margin to the prior year. Discuss any unusual fluctuations with management.
  • Compare revenue analysed by product/store/type of customer for each month to prior year and budget. Discuss any unusual fluctuations with management.