we've been discussing the various steps for auditing the purchasing process we started out by gaining an understanding of the purchasing process and how it works next we identified significant accounts and relevant assertions then we assessed the risk and material misstatement and now we're going to evaluate the design of the internal controls for the purchasing function so a great way to start this is by doing a walkthrough of the purchasing process we're going to go from the initial request for goods and services all the way through to the cash disbursement updating the accounting records okay we're going to walk through this and we're going to ask ourselves that each step when there's a purchase order when there's a receiving report and so forth has the client designed an internal control that if it were operating effectively would prevent or detect a material misstatement now at this step we're just trying to understand if there is an internal control in place we want to identify any of the internal controls and understand them because in the next step which i'll cover in the next video we'll be testing the effectiveness of the internal controls so right now we're just trying to walk through the process map out all of the internal controls that happen to be in place now first we're going to start with entity level controls okay then we're going to move on to controls related to specific management assertions but first we're going to start with these entity level controls for example we are going to ask ourselves we're going to do some some research we're going to talk to people at the company and we're going to find out does the audit committee play an active role for example if you say yeah the audit committee meets regularly and they're very concerned about internal controls and and strong financial reporting okay that's great if you say well the audit committee hasn't met in a very long time and i don't know how concerned they are about the integrity of this company's financial reporting that would be a bad thing right so is the audit committee actively involved does management have written policies and procedures for the authorization of purchases okay now whether or not those policies and procedures are followed we'll get to that when we're testing the effectiveness of the internal controls but we're just trying to understand do they even have policies in place are they requiring authorized signatures uh when there's a purchase requisition a purchase order are we making sure that only authorized people can make changes to the vendor information things like address of the vendors does management have dollar limits for purchases for example you say like a lower level manager can only make purchases up to two thousand dollars are they cl uh monitoring days payable outstanding so we're going to think about these entity level controls and then we'll get into more specific controls as i said for each management assertion now what do i mean by internal controls for the management assertions so let me give you some examples and then i'll give you a more exhaustive lift a list one really really important internal control with the purchasing function is a three-way match of a purchase order a receiving report and a vendor invoice okay what does that tell us well management is making various assertions okay but related to purchase transactions they're asserting that purchase transactions actually occurred that there was a real purchase by the company and if you can say well look we have a purchase order we have a receiving report showing that we receive the goods and we have a bill from the vendor that's strong evidence that there really was a purchase it does not guarantee there was a purchase because there are ways that employees could commit fraud for example they could steal some purchase orders receiving reports forge them set up a fake company and then have an invoice sent from the fake company uh so it does just because you have the three-way match doesn't mean there was no fraud and everything's fine but that is generally strong evidence that there really was a purchase and that there is that an accounts payable there actually is a liability that that exists uh that this is a real obligation of the company so occurrence and existence assertions we look for that three-way match among other things looking at the dates on these different documents can tell us about cut-off assertion okay was the liability recorded in the right period using pre-numbered documents pre-numbered purchase orders receiving reports is going to give us evidence about the completion completeness assertion were all liabilities recorded the company might have an incentive to understate their liabilities now when we compare these documents we can also verify authorization and accuracy assertions did the company receive the right type of goods the right quantity of goods and was it the right price okay so those are various assertions that management is making they're asserting that accounts payable exists that they were recording the right period that they recorded all the liabilities that they were supposed to and so forth and we want to the auditor is going to go and try and verify these things and but first they need to know does the company even have internal controls in place okay now segregation of duties is a very important internal control and you're going to see it when i have the list of management assertions and different internal controls segregation of duties is going to come up a lot very important for the purchasing process so again i already showed you this before but there's the six steps in the purchasing process and what you don't want okay from a perspective of wanting strong internal controls you don't want the same employee having responsibility for multiple steps here okay if you do that if you allow the same employee for example to have four or five of these steps that they are in charge of that makes it easier for them to commit fraud okay so you want to avoid that that's what we're talking about with segregation of duties uh i'll just give you a couple examples so for example the same person at the company the same employee should not be responsible for approving purchase requisitions uh actually doing the purchasing and then receiving the goods when they show up what why not why wouldn't you like what could go wrong for example if you allowed the same person to do those uh three different functions if you allow that what could happen is this person could basically say hey yeah we're requesting some goods or services uh then they go and then purchase the goods and services and then they make the receiving report as if they received the goods and services but maybe they didn't receive the goods maybe so just because you prepare a receiving port in a purchase order uh that's that makes it look like oh yeah we we have purchase order we have received reports showing that we received 100 units of whatever it is okay so we have this information but maybe that employee set up a fake company okay they set up a fake company and so then invoice comes in from abc incorporated or whatever and that's a company that was set up by that employee at the bank and we say well it looks like because they were in charge of purchasing receiving they made a purchase order they made a receiving report they dummied all this up they for made all these documents to look like we actually received goods and services but the company did not it's just totally a fictitious purchase okay so that's again segregation duties not allowing the same person to do all those functions could help avoid something like that from happening another example segregation doing uh not allowing the same person to choose the vendors approve payment to the vendors there was actually an example you might have seen in the news uh not too long ago from when this video was recorded of a netflix employee so if you google it there was a netflix employee who was taking bribes uh for basically sentenced to prison for taking bribes uh for vendors in order to give them business with with netflix so now we've got these uh various segregation of duties and now another important thing is custody custody of assets and custody of documents by custody of assets i mean the company should restrict access to valuable things like cash and inventory that employees could potentially steal and by custody of blank forms i'm talking about restricting access to things like blank checks blank purchase orders receiving reports you don't want blank purchase orders and receiving reports just laying around where any employee can just go and take them if you did that an employee who was dishonest could steal a blank purchase order forge it make it look like the company made a purchase then go and steal a receiving report fill it out forge it make it look like the company actually received goods then go and set up a fake company send an invoice to the company the company pays it thinking oh we got a purchase order a receiving report similar to the scam i mentioned earlier so that's just called a fictitious company scam right so there's there's no actual purchase involved or anything like that so you can't just leave these purchase orders receiving reports or or blank checks right that the employee can just go steal and write a check you can't just leave those things around they need to be restricted to authorized personnel okay now next we're going to look at examples of specific internal controls for purchase transactions cash disbursement transactions and accounts payable i'm going to show you a list of assertions for each of these and then i'm going to talk about specific internal controls that a company could have for that assertion so we're gonna start out we're gonna start out with purchase transactions right here so i've got a list here's a column of assertions right so management's asserting that occurrence okay that this purchase actually occurred and then again it's the auditor's job to see well did it in fact occur okay but there's going to be internal controls hopefully in place right the auditor's checking to see does the client have any internal controls in place to to make sure that this to verify occurrence right so the auditor is checking because if if they don't have any internal control for occurrence it could be that there was a purchase recorded but actually there were never goods or services received there actually really wasn't a purchase similar to the fictitious transactions i was talking about earlier so a current assertion did the purchase actually occur completeness were all the purchases recorded okay how do we go about setting up an internal control to make sure all purchases were recorded well one of the things is very important similar to so segregation of duties i said is very important but also using pre-numbered documents if you use if the company uses pre-number purchase orders receiving reports then the company and the auditor could then go through and say oh wait uh number 97 is missing what happened here was there a liability that was not recorded a purchase transaction that was not recorded what happened okay also the company should be taking pains to try and match receiving reports uh to vendor invoices um and now when we get to authorization we're thinking about okay was the purchase even authorized or maybe the purchase was authorized but not at this price or terms okay so is there an internal control in place does the company have something in place to see to make sure that purchases are actually being authorized okay so one thing they could do and this comes back to the example i gave about fictitious vendors and employees setting that up so the company should ensure that there's only purchases made from approved vendors so there should be a list of approved vendors and not just anybody should be able to go and make changes to this list of approved vendors okay so then they show oh oh some company xyz incorporated they said you know what that's not even on the list of approved vendors they go there look into it and see okay this is a fictitious company right now the accuracy assertion was the price correct was the amount of goods or services that were purchased was that correct uh the vendor information is that correct okay so what what things can the company be doing in terms of internal controls well if they check the prices they verify the mathematical accuracy on any purchase orders um the cut off assertion what kind of internal controls can we have here well again cutoff is just basically saying that purchase is recorded in the wrong period so what the management the company could do in terms of internal control the receiving reports remember when a receiving report comes in the companies receive the goods so that's the point where they should be recording a liability so the forwarding those receiving ports every single day daily basis to the accounts payable department okay so that would be a thing that could prevent uh purchases being recorded in the wrong period either accidentally or on purpose in terms of classification assertion uh was this purchase was this purchase properly classified okay now they would use hopefully you've got the company using a chart of accounts almost all companies are using a chart of accounts so you have them using a chart of accounts and then checking to make sure they're properly classifying these purchase transactions this is not an exhaustive list of every single internal control for purchase transactions i'm just trying to give you specific examples okay and so here are some examples for cash disbursement transactions again i've got a column i've got the different assertions i got a potential misstatement and then i've got examples of internal controls for example to see okay so there was a cash disbursement recorded but not actually made so if they're verifying the occurrence assertion for cash disbursement one thing you do prepare a monthly bank reconciliation also again i've got segregation of duties segregation duty segregation duties i'm telling you segregation of duties very important for the purchasing function okay now when it comes to accounts payable right so if we're thinking about the assertions uh that management is making about accounts payable balances again i've got the assertions here and potential misstatement and the internal controls over here so we'll take a look at uh for example existence okay so the management so we've got accounts payable here normally management you don't have to worry about management trying to overstate their liabilities because why would a company try to overstate their liabilities but as i said you've got employees who might set up a fictitious company or something like that or try and pay personal expenses so it might be that there's a liability that doesn't actually represent the op true obligations of the company like it's not a real obligation of that company it's either a fictitious obligation or it's an obligation of that specific employee so in testing the existence assertion see is this really a liability of this company uh again you know only allowing uh vendors from the approved vendor list uh checking for that three-way match the purchase order receiving report and an invoice okay again that doesn't guarantee there wasn't any fraud but that's that's very helpful terms of completeness assertion again the danger is the company did not record all of its liabilities right they understate their liabilities so the auditor wants to know that this company has internal controls in place to try and check whether all liabilities are being recorded so if the company's using uh pre-numbered documents uh if they're reviewing unmatched receiving reports and invoices to see hey what happened here in terms of verifying the cut off assertion i want to make sure that liabilities are recorded in the correct period so an internal control will be the com making basically have the company look at the payables that are recorded right at the beginning of the next period right and then check those against the dates from the receiving reports and invoices basically long story short if you see so let's say the fiscal year end is december 31st and then all of a sudden the first week of january so like january 1st 2nd 3rd all sudden there's a bunch of accounts payable uh that are recorded here like a disproportionately high number you might say well actually maybe those were supposed to be recorded in the prior fiscal year uh and for some reason you know somebody tried to postpone them or whatever and they all got pushed in the next period improperly so again the auditor is checking these different assertions and they're going and seeing going through a walk through understanding the purchasing process and seeing what kind of internal controls does management have in place and then the auditor's next step which we'll discuss in the next video is to test the effect test the effectiveness of those internal controls you