10
QUESTION 4 50 marks
You are the audit manager assigned to the 2004 external audit of Burlap Ltd, a company that
assembles and distributes personal computers. The company has a June year end and is listed on
the JSE Securities Exchange South Africa. You have recently completed the interim audit fieldwork,
which focused on updating your knowledge of the risks faced by the business and on validating the
internal control processes implemented by the company to address those risks.
During a meeting Mr Bean, the Financial Director, briefed you on a new governance process being
implemented by the board of directors in order to meet their obligations under the King Code 2002
with regard to internal controls. Of particular concern to the directors is the requirement under the
King Code to report in the annual financial statements that
?? adequate accounting records and an effective system of internal controls and risk management
have been maintained;
?? the system is regularly reviewed for effectiveness; and
?? there is an ongoing process for identifying, evaluating and managing the significant risks faced by
the company, including those relating to business continuity.
Accordingly, the directors have established an Audit Risk and Control Committee whose terms of
reference, amongst others, include ensuring that risks arising in the business are appropriately
identified and managed and, in particular, that significant internal control weaknesses or noncompliance
with laws and regulations identified by management, internal audit or the external auditors
are appropriately addressed.
Mr Bean requested that your firm be present at future meetings of the Audit Risk and Control
Committee in order to assist the committee members with the identification and assessment of risks
and to suggest improvements to internal control and risk management processes. Your firm has
subsequently been provided with committee papers which are to be tabled at the next meeting. The
audit partner has asked you to consider the issues set out in the attached extracts from those papers
and then brief him for that meeting, as he is keen to provide value-added advice to the meeting.
Your overall audit plan does not specifically address the issues in the attached extracts.
BURLAP LTD
AUDIT RISK AND CONTROL COMMITTEE
EXTRACTS FROM PAPERS TO BE TABLED AT THE MEETING
TO BE HELD ON 15 MAY 2004
1 Matters noted by internal audit
1.1 Proposed software upgrade
The sales order processing application software will be upgraded from version 4.1 to
version 4.5 during the first week of June 2004.
1.2 Competition
As part of a price war in the personal computer market, a major competitor has
recently introduced a new range of computer models with specifications significantly
in excess of Burlap Ltds existing products. Management is currently considering a
further reduction in the sale price of its computers, but is concerned that the company
will not be able to recover its overheads unless it can increase sales volumes.
11
2 Matters arising from internal audit work
2.1 Statutory records
Audit finding
The company register for one of the companys subsidiaries has been mislaid.
Background
The company cancelled its contract with Secretarial Services Ltd in October 2003, in
terms of which the statutory records of the company and its subsidiaries had been
maintained by that third party. All company registers of the group in possession of
Secretarial Services Ltd were returned to the company.
Management comment (Mr Bill Evans company secretary)
We will undertake a company records search at the Registrar of Companies and reestablish
the register.
2.2 Warranty repairs
Audit finding
Although technicians document the nature of repairs made to customer equipment,
they do not always specify whether the cause was a manufacturing defect, with the
result that management information regarding warranty repairs may be incomplete.
Background
IT equipment supplied to customers carries a 12-month warranty, in terms of which
the company has to repair the equipment at no cost to the customer if the fault is due
to an inherent manufacturing defect.
Customers have the option of entering into a maintenance contract in terms of which
the company will repair the equipment in return for a fixed monthly fee payment by
the customer. The standard maintenance contract is for three years, which is the
estimated useful life of the equipment.
Management comment (Mr Amyas MacDougall service manager)
We accept that there may be instances where warranty repairs are not specifically
identified by the technician. We will in future ensure that technicians receive
appropriate training in this regard.
2.3 Business continuity planning
Audit finding
Although a disaster recovery plan for the sales and marketing division was drawn up
and tested during 2002, business continuity for the organisation as a whole has not
been addressed.
It should be an organisation policy requirement that a business continuity plan forms
part of normal operational requirements for both the IT function and all other business
units. IT policies and procedures should require the following:
12
?? A consistent philosophy and framework for the development of contingency
plans;
?? Prioritisation of applications with respect to timeliness of recovery and return;
?? Assessment of risk and insurance needs for loss of business in contingency
situations, with regard to both the IT function and IT users;
?? An outline of specific roles and responsibilities for contingency planning, with
specific test, maintenance and update requirements; and
?? Formal contract arrangements with vendors to provide services in the event of a
disaster, including a back-up site facility or relationship, in advance of actual
need.
Management comment (Ms Anna Fischer IT manager)
A three-year plan is in place for the development and testing of disaster recovery plans
for all business units.
2.4 Cheque signing procedures
Audit finding
The validity of supporting documentation should be assessed by both cheque
signatories prior to authorising creditor payments.
Background
Management discovered a fraud in October 2003, in which an employee with a long
service history had managed to accumulate R2,5 million in a personal bank account by
processing invalid creditor payments over a number of years. The employee submitted
payment requisitions in respect of invoices from a fictitious supplier. As the payments
were regular and not individually large, the requisitions were authorised as a matter of
course.
Management comment (Mr Ivan Counter financial manager)
We consider this fraud to be an isolated incident and are satisfied that the companys
cheque signing procedures are adequate.
2.5 IT environment controls
Audit finding
Management should consider the following recommendations for improving its IT
environment controls relating to physical security:
?? There should be no water pipes/drainage pipes or water sprinkler systems in the
server room.
?? Appropriate fire extinguishers should be available for fire fighting.
?? A register of maintenance of the uninterrupted power supply hardware (UPS) and
emergency power generator should be maintained.
Management comment (Mr Mohammed Clay physical security manager)
These recommendations will be investigated and considered and, where appropriate,
they will be implemented.
13
3 Matter raised by the external auditors
3.1 Reconciliation procedures accounts payable
Audit finding
The accounts payable balances in the creditors sub-ledger should be reconciled with
underlying supplier statements and reviewed by the financial manager on a monthly
basis. These balances are at present reconciled with suppliers invoices, but not with
creditors statements.
Management comment (Ms Betty Ndlovu accounts payable supervisor)
We do not view this as a risk as all payments are effected on the basis of approved
creditors invoices. However, individual creditors accounts will in future be reconciled
with the creditors statements on a monthly basis.
REQUIRED
(a) For each of the issues set out in the attached extracts of committee papers
(i) identify the potential risk to the business; and
(ii) list the specific factors that should be considered in assessing the significance of the risk.
(25)
(b) Discuss the effect on the overall audit plan of the issues identified from the attached committee
papers, including any increases in audit scope of which management would have to be
advised. (15)
(c) Discuss the issues that should be considered in accepting of the invitation to attend the Audit
Risk and Control Committee meetings, and arising from the SAICA Code of Conduct. (5)
(d) List ways in which your firm could assist the directors in fulfilling their responsibilities under the
King Code 2002 as required to be reported on in the annual financial statements. (5)
