MODULE 12

Overview of Internal Control

NATURE AND PURPOSE OF INTERNAL CONTROL

Internal control  is the process designed and effected by those charged with governance, management and
other personnel to provide reasonable assurance about the achievement of the entity’s objectives with regard
to reliability of financial reporting, effectiveness and efficiency of operations and compliance with
applicable laws and regulations. It follows that internal control is designed and implemented to address
identified business risks that threaten the achievement of any of these objectives.
 
Those objectives fall into three categories:

 Reliability of the entity’s financial reporting

 Effectiveness and efficiency of operations
 Compliance with applicable laws and regulations

 
Whether an entity achieves its objectives relating to financial reporting and compliance is determined by
activities within the entity's control. However, achieving its objectives relating to operations will depend not
only on management's decisions but also on competitor's actions and other factors outside the entity.
 
INTERNAL CONTROL SYSTEM DEFINED
Internal control system means all the policies and procedures (internal controls) adopted by the
management of an entity to assist in achieving management's objective of ensuring, as far as practicable, the
orderly and efficient conduct of its business, including adherence to management policies, the safeguarding
of assets, the prevention and detection of fraud and error, the accuracy and completeness of the accounting
records, and the timely preparation of reliable financial information.
ELEMENTS OF INTERNAL CONTROL

1. the control environment;

2. the entity's risk assessment process;
3. the information system, including the related business processes, relevant to financial reporting, and
communication;
4. control activities;
5. monitoring of controls.

 
Control Environment
The control environment  which means the overall attitude, awareness and actions of directors and
management regarding the internal control system and its importance in the entity.
Factors reflected in the control environment include:

 The function of the board of directors and its committees;

 Management’s philosophy and operating style;
 The entity’s organizational structure and methods of assigning authority and responsibility;
 Management's control system including the internal audit function, personnel policies and
procedures and segregation of duties.

 
The environment in which internal control operates has an impact on the effectiveness of the specific
control procedures. Several factors comprise the control environment, including:

1. Communication and Enforcement of Integrity and Ethical Values

2. Commitment to Competence
3. Participation by those Charged with Governance
4. Managements Philosophy and Operating Style
5. Organizational Structure
6. Assignment of Authority and Responsibility
7. Human Resources Policies and Procedures

 
Entity’s Risk Assessment Process
An entity’s risk assessment process is its process for identifying and responding to business risks and the
results thereof.
 
Once risks are identified, management considers their significance, the likelihood of their occurrence, and
how they should be managed. Management may initiate plans, programs, or actions to address specific risks
or it may decide to accept a risk because of cost or other considerations. Risks can arise or change due to
circumstances such as the following:

 Changes in operating environment. Changes in the regulatory or operating environment can result in

changes in competitive pressures and significantly different risks.
 New personnel. New personnel may have a different focus on or understanding of internal control.
 New or revamped information systems. Significant and rapid changes in information systems can
change the risk relating to internal control.

 Rapid growth. Significant and rapid expansion of operations can strain controls and increase the risk
of a breakdown in controls.

 New technology. Incorporating new technologies into production processes or information systems

may change the risk associated with internal control.
 New business models, products, or activities. Entering into business areas or transactions with which
an entity has little experience may introduce new risks associated with internal control.
 Corporate restructurings. Restructurings may be accompanied by staff reductions and changes in
supervision and segregation of duties that may change the risk associated with internal control.
 Expanded foreign operations. The expansion or acquisition of foreign operations carries new and
often unique risks that may affect internal control, for example, additional or changed risks from foreign
currency transactions.
 New accounting pronouncements. Adoption of new accounting principles or changing accounting
principles may affect risks in preparing financial statements.

 
The basic concepts of the entity’s risk assessment process are relevant to every entity, regardless of size, but
the risk assessment process is likely to be less formal and less structured in small entities than in larger ones.
All entities should have established financial reporting objectives, but they may be recognized implicitly
rather than explicitly in small entities. Management may be aware of risks related to these objectives without
the use of a formal process but through direct personal involvement with employees and outside parties.
 Information System, including the Business Processes, Relevant to Financial Reporting and
Communication
An information system consists of infrastructure (physical and hardware components), software, people,
procedures, and data. Infrastructure and software will be absent, or have less significance, in systems that are
exclusively or primarily manual. Many information systems make extensive use of IT.
The Information System, Including Related Business Processes, Relevant to Financial Reporting
The information system relevant to financial reporting objectives, which includes the accounting system,
consists of the procedures and records designed and established to:

 Initiate, record, process, and report entity transactions (as well as events and conditions) and to
maintain accountability for the related assets, liabilities, and equity;
 Resolve incorrect processing of transactions, for example, automated suspense files and procedures
followed to clear suspense items out on a timely basis;
 Process and account for system overrides or bypasses to controls;
 Transfer information from transaction processing systems to the general ledger;
 Capture information relevant to financial reporting for events and conditions other than transactions,
such as the depreciation and amortization of assets and changes in the recoverability of accounts
receivables; and
 Ensure information required to be disclosed by the applicable financial reporting framework is
accumulated, recorded, processed, summarized and appropriately reported in the financial statements.

 
Journal Entries
An entity's information system typically includes the use of standard journal entries that are required on a
recurring basis to record transactions. Examples might be journal entries to record sales, purchases, and cash
disbursements in the general ledger, or to record accounting estimates that are periodically made by
management, such as changes in the estimate of uncollectible accounts receivable.
 
An entity’s financial reporting process also includes the use of non-standard journal entries to record non-
recurring, unusual transactions or adjustments. Examples of such entries include consolidating adjustments
and entries for a business combination or disposal or nonrecurring estimates such as the impairment of an
asset. In manual general ledger systems, non-standard journal entries may be identified through inspection of
ledgers, journals, and supporting documentation. When automated procedures are used to maintain the
general ledger and prepare financial statements, such entries may exist only in electronic form and may
therefore be more easily identified through the use of computer-assisted audit techniques.
 
Related Business Processes
An entity’s business processes are the activities designed to:

 Develop, purchase, produce, sell and distribute an entity’s products and services;
 Ensure compliance with laws and regulations; and
 Record information, including accounting and financial reporting information.

 
Business processes result in the transactions that are recorded, processed and reported by the information
system. Obtaining an understanding of the entity’s business processes, which include how transactions are
originated, assists the auditor obtain an understanding of the entity's information system relevant to financial
reporting in a manner that is appropriate to the entity’s circumstances. Accordingly, an information system
encompasses methods and records that:

 Identify and record all valid transactions.

 Describe on a timely basis the transactions in sufficient detail to permit proper classification of
transactions for financial reporting.
 Measure the value of transactions in a manner that permits recording their proper monetary value in
the financial statements.
 Determine the time period in which transactions occurred to permit recording of transactions in the
proper accounting period.
 Present properly the transactions and related disclosures in the financial statements.

 
Communication involves providing an understanding of individual roles and responsibilities pertaining to
internal control over financial reporting. It includes the extent to which personnel understand how their
activities in the financial reporting information system relate to the work of others and the means of
reporting exceptions to an appropriate higher level within the entity. Open communication channels help
ensure that exceptions are reported and acted on.
 
Communication takes such forms as policy manuals, accounting and financial reporting manuals, and
memoranda. Communication also can be made electronically, orally, and through the actions of
management.
 
 Control Activities
Control activities are the policies and procedures that help ensure that management directives are carried
out, for example, that necessary actions are taken to address risks that threaten the achievement of the
entity's objectives. Control activities, whether within IT or manual systems, have various objectives and are
applied at various organizational and functional levels.
The major categories of control procedures are:

1. Performance Review
2. Information Processing Controls

1) Proper authorization of transactions and activities

2) Segregation of duties
3) Adequate documents and records
4) Safeguards over access to assets; and
5) Independent checks on performance
6) Physical controls
A brief discussion of these control procedures follows:
 
Performance Review
In a performance review management uses accounting and operating data to assess performance, and it then
takes corrective action. Such reviews include:

 comparing actual performance (or operating results) with budgets, forecasts, prior period
performance, or competitors' data or tracking major initiatives such as cost-containment or cost-
reduction programs to measure the extent to which targets are being met.
 investigating performance indicators based on operating or financial data, such as quantity or
purchase price variances or the percentage of returns to total orders.
 reviewing functional or activity performance, such as relating the performance of a manager
responsible for a bank's consumer loans with some standard, such as economic statistics or targets.
Personnel at various levels in an organization may make performance reviews. Performance reviews
may be used by managers for the sole purpose of making operating decisions. For example, managers
may analyze performance data and base operating decisions on them because the data are consistent with
their expectations. This type of review improves the reliability of the data. However, when managers
follow up on unexpected results determined by a financial reporting system, performance reviews
become a useful control over financial reporting.

 
Information Processing Controls
Information processing controls  are policies and procedures designed to require authorization of
transactions and to ensure the accuracy and completeness of transaction processing. Control activities may
be classified according to the scope of the system they affect. General controls are control activities that
prevent or detect errors or irregularities for all accounting systems. General controls affect all transaction
cycles and apply to information processing as a center, hardware and systems software acquisition and
maintenance, and backup and recovery procedures. Application controls are controls that pertain to the
processing of a specific type of transaction, such a payroll, or sales and collections. These controls help
ensure that transactions occurred, are authorized, and are completely and accurately recorded and processed.
Examples of application controls include checking the arithmetical accuracy of records, maintaining and
reviewing accounts and trial balances, automated controls such as input data and numerical sequence checks,
and manual follow-up of exception reports. General IT controls are policies and procedures that relate to
many applications and support the effective functioning of application controls by helping to ensure the
continued proper operation of information systems. General IT-controls commonly include controls over
data center and network operations; system software acquisition, change and maintenance; access security;
and application system acquisition, development, and maintenance. These controls apply to mainframe,
miniframe, and end-user environments. Examples of such general IT-controls are program change controls,
controls that restrict access to programs or data, controls over the implementation of new releases of
packaged software applications, and controls over system software that restrict access to or monitor the use
of system utilities that could change financial data or records without leaving an audit trail.
 
Internal controls relating to the accounting system are concerned with achieving objectives such as:

 Transactions are executed in accordance with management's general or specific authorization.

 All transactions and other events are promptly recorded in the correct amount, in the appropriate
accounts and in the proper accounting period so as to permit preparation of financial statements in
accordance with an identified financial reporting framework.
 Access to assets and records is permitted only in accordance with management’s authorization.
 Recorded assets are compared with the existing assets at reasonable intervals and appropriate action
is taken regarding any differences.

 
Control activities related to the processing of transactions may be grouped as follows: (1) proper
authorization, (2) design and use of adequate documents and records, and (3) independent checks on
performance.
 
Proper authorization of transactions and activities
As suggested earlier, authorization for the execution of transactions flows from the stockholders to
management and its subordinates. Before a transaction is entered into with another party, certain conditions
must usually be met. As part of the evaluation of the potential transaction, documentation will be created.
The auditor uses this documentation to determine whether business transactions are properly authorized. For
example, the purchase of inventory may create a purchase order, a receiving report, and a vendor invoice.
By inspecting these documents and comparing them with company policy, the auditor may be reasonably
satisfied that a business transaction was authorized and executed in a manner consistent with company
policy.
 
Segregation of duties
An important element in designing an internal accounting control system that safeguards assets and
reasonably ensures the reliability of the accounting records is the concept of segregation of responsibilities.
No one person should be assigned duties that would allow that person to commit an error or perpetuate fraud
and to conceal the error or fraud. For example, the same person should not be responsible for recording the
cash received on account and for posting the receipts to the accounting records.
 
Adequate documents and records
The use of adequate documents and records allow the company to obtain reasonable assurance that all valid
transactions have been recorded.
 
Access to assets
The resources of a client can be protected by the establishment of physical barriers and appropriate policies.
For example, inventories may be kept in a storeroom, or negotiable instruments may be placed in a safe
deposit box. Appropriate company policies are adopted so that only authorized persons have access to
company resources. Safeguarding of assets is more than establishing physical barriers. A client should
design its internal accounting control system so that documents authorizing the movement of assets into an
organization or out of an organization are adequately controlled.
 
Independent checks on performance
The objective of a well-designed internal accounting control system is the adoption of procedures that
periodically compare the actual asset with its recorded balance. Regardless of the effectiveness of an internal
control system, some transactions may not be accurately recorded, and some assets may be misappropriated.
An important part of an internal accounting control system is to determine the effectiveness of recording
policies and asset access policies. This is accomplished by periodic counts of assets by the client and
comparing the counts to the balances in the general ledger account. Examples are the count of inventory and
the preparation of monthly bank reconciliation.
 
Physical Controls
Controls that encompass:
 The physical security of assets, including adequate safeguards such as secured facilities over access
to assets and records.
 The authorization for access to computer programs and data files.
 The periodic counting and comparison with amounts shown on control records (for example,
comparing the results of cash, security and inventory counts with accounting records).

 
Monitoring of Controls
Monitoring, the final component of internal control, is the process that an entity uses to assess the quality of
internal control over time. Monitoring involves assessing the design and operation of controls on a timely
basis and taking corrective action as necessary. Management monitors controls to consider whether they are
operating as intended and to modify them as appropriate for changes in conditions. In many entities, internal
auditors evaluate the design and operation of internal control and communicate information about strengths
and weaknesses and recommendations for improving internal control. Some monitoring activities may
include communications from external parties. For example, customers implicitly corroborate sales data by
paying their bills or raising questions. Also, bank regulators, other regulators, and outside auditors may
communicate about the design or effectiveness of internal control.
 
Monitoring activities may include using information from communications from external parties that may
indicate problems are highlight areas in need of improvement. Customers implicitly corroborate billing data
by paying their invoices or complaining about their charges. In addition, regulators may communicate with
the entity concerning matters that affect the functioning of internal control, for example, communications
concerning examinations by bank regulatory agencies. Also, management may consider communications
relating to internal control from external auditors in performing monitoring activities.

MODULE 13

Introduction to Fraud and Error

In the previous modules, corporate governance has been described as the process by which the owners and
various of stakeholders of an organization exert control through requiring accountability for the resources
entrusted to the organization.
This module introduces fraud risk and errors and how they can be reduced if not totally avoided by having
effective internal control - a tool of good corporate
governance.
Fraud is an intentional act involving the use of deception that results in a material misstatement of the
financial statements. Two types of misstatements are relevant to auditors’ consideration of fraud: (a)
misstatements arising from misappropriation of assets, and (b) misstatements arising from fraudulent
financial reporting.
Intent to deceive is what distinguishes fraud from errors. Auditors routinely find financial errors in their
client’s books, but those errors are not intentional.
THE FRAUD TRIANGLE
The Fraud Triangle characterizes incentives, opportunities and rationalizations that enable fraud to exist.
The three elements of the fraud triangle are:
• Incentive to commit fraud
• Opportunity to commit and conceal the fraud
• Rationalization — the mindset of the fraudster to justify committing the fraud.
Incentives or Pressures to Commit Fraud
Incentives relating to asset misappropriation include:
• Personal factors, such as severe financial considerations
• Pressure from family, friends, or the culture to live a more lavish lifestyle than one's personal earnings
allow for
• Addictions to gambling or drugs
The incentives include the following for fraudulent financial reporting:
• Management compensation schemes
• Other financial pressures for either improved earnings or an improved balance sheet
• Debt covenants
• Pending retirement or stock option expirations
• Personal wealth tied to either financial results or survival of the company
• Greed — for example, the backdating of stock options was performed by individuals who already had
millions of pesos of wealth through stock
Opportunities to Commit Fraud
One of the most fundamental and consistent findings in fraud research is that there must be an opportunity
for fraud to be committed. Although this may sound obvious — that is, "everyone has an opportunity to
commit fraud" — it really conveys much more. It means not only that an opportunity exists, but either there
is a lack of controls or the complexities associated with a transaction are such that the perpetrator assesses
the risk of being caught as low. Some of the opportunities to commit fraud that the top management should
consider include the following:
• Significant related-party transactions
• A company's industry position, such as the ability to dictate terms or conditions to suppliers or customers
that might allow individuals to structure fraudulent transactions
• Management’s inconsistency involving subjective judgments regarding assets or accounting estimates
• Simple transactions that are made complex through an unusual recording process
• Complex or difficult to understand transactions, such as financial derivatives or special-purpose entities
• Ineffective monitoring of management by the board, either because the board of directors is not
independent or effective, or because there is a domineering manager
• Complex or unstable organizational structure
• Weak or nonexistent internal controls
Rationalizing the Fraud
For asset misappropriation, personal rationalizations often revolve around mistreatment by the company or a
sense of entitlement (such as, ’’the company owes me!”) by the individual perpetrating the fraud. Following
are some common rationalizations for asset misappropriation:
• Fraud is justified to save a family member or loved one from financial crisis.
• We will lose everything (family, home, car and so on) if we don’t take the money.
• No help is available from outside.
• This is "borrowing”, and we intend to pay the stolen money back at some point.
• Something is owed by the company because others are treated better.
• We simply do not care about the consequences of our actions or of accepted notions of decency and trust;
we are for ourselves.
For fraudulent financial reporting, the rationalization can range from "saving the company” to personal
greed, and may include the following:
• This is one-time thing to get us through the current crisis and survive until things get better.
• Everybody cheats on the financial statements a little; we are just playing the same game.
• We will be in violation of all our debt covenants unless we find a way to get this debt off the financial
statements.
• We need a higher stock price to acquire company XYZ, or to keep our employees through stock options,
and so forth.
Risk Factors Contributory to Misappropriation of Assets
Misappropriation of assets involves the theft of an entity’s assets and is often perpetrated by employees in
relatively small and immaterial amounts. However, it can also involve management who are usually more
able to disguise or conceal
misappropriations in ways that are difficult to detect.
Misappropriation of assets is often accompanied by false or misleading records or documents in order to
conceal the fact that the assets are missing or have been pledged without proper authorization.
A. Incentives / Pressures
1. Personal financial obligations may create pressure on management or employees with access to cash or
other assets susceptible to theft to misappropriate those assets.
2. Adverse relationships between the entity and employees with access to cash or other assets susceptible to
theft may motivate those
employees to misappropriate those assets.
B. Opportunities
1. Certain characteristics or circumstances may increase the susceptibility of assets to misappropriation.
For example, opportunities to misappropriate assets increase when following situations exist:
(a) large amounts of cash on hand or processed.
(b) inventory items that are small in size, of high value, or in high demand.
(c) fixed assets which are small in size, marketable, or lacking observable identification of ownership.
2. Inadequate internal control over assets may increase the susceptibility of misappropriation of those assets.
C. Attitudes / Rationalizations
1. Disregard for the need for monitoring or reducing risks related to misappropriation of assets.
2. Disregard for internal control over misappropriation of assets by overriding existing controls or by failing
to correct known internal control deficiencies.
3. Behavior indicating displeasure or dissatisfaction with the entity or its treatment of the employee.
4. Changes in behavior or lifestyle that may indicate assets have been misappropriated.
5. Tolerance of petty theft.
Risk Factors Contributory to Fraudulent Financial Reporting
Fraudulent financial reporting involves intentional misstatements including omissions of amounts or
disclosures in financial statements to deceive financial statement users. It can be caused by the efforts of
management to manage earnings in order to deceive financial statement users by influencing their
perceptions as to the entity’s performance and profitability. Such earnings management may start out with
small actions or inappropriate adjustment of assumptions and changes in judgments by management.
Pressures and incentives may lead these actions to increase to the extent that they result in fraudulent
financial reporting. Such a situation could occur when, due to pressures to meet market expectations or a
desire to maximize compensation based on performance, management intentionally takes positions that lead
to fraudulent financial reporting by materially misstating the financial statements. In some entities,
management may be motivated to reduce earnings by a material amount to minimize tax or inflate earnings
to secure-bank financing.
A. Incentive / Pressure
Incentive or pressure to commit fraudulent financial reporting may exist when management is under
pressure, from sources outside or inside the entity, to achieve an expected (and perhaps unrealistic) earnings
target or financial outcome — particularly since the consequences to management for failing to meet
financial goals can be significant.
B. Opportunities
A perceived opportunity to commit fraud may exist when an individual believes internal control can be
overridden, for example, because the individual is in a position of trust or has knowledge of specific
weaknesses in internal control.
Fraudulent financial reporting often involves management override of controls that otherwise may appear to
be operating effectively.
Responsibility for the Prevention and Detection of Fraud
The primary responsibility for the prevention and detection of fraud rests with both those charged with
governance of the entity and management. It is important that management, with the oversight of those
charged with governance, place a strong emphasis on fraud prevention, which may reduce opportunities for
fraud to take place, and fraud deterrence, which could persuade individuals not to
commit fraud because of the likelihood of detection and punishment. This involves a commitment to
creating a culture of honesty and ethical behavior which can be reinforced by an active oversight hy those
charged with governance. In exercising oversight responsibility, those charged with governance consider the
potential for override of controls or other inappropriate influence over the financial reporting process, such
as efforts by management to manage earnings in order to influence the perceptions of analysts as to the
entity's performance and profitability.
C. Rationalizations
Individuals may be able to rationalize committing a fraudulent act. Some individuals possess an attitude,
character or set of ethical values that allow them knowingly and intentionally to commit a dishonest act.
However, even otherwise honest individuals can commit fraud in an environment that imposes sufficient
pressure on them.

MODULE 14

Sales and Collections Cycle

1. Errors in Recording Sales and Collections Transactions

Errors in recording sales include mechanical errors, such as using a wrong piece or wrong quantity,
recording sales in the wrong period (cutoff errors), a bookkeeper’s failure to understand proper accounting
for a transaction, and so on. Internal controls are designed to prevent or detect many of these kinds of errors.
2. Frauds in Sales and Collections
Frauds in sales generally relate to fraudulent financial reporting. In contrast, frauds in cash collections relate
to misappropriation of assets, typically accomplished by clerks or management-level employees.
a. Fraudulent Financial Reporting
Fraudulent financial reporting involving sales typically results in overstated sales or understated sales
returns and allowances.
Managers under pressure to achieve high profits may inflate sales to meet target profits established by senior
managers, to obtain bonuses, to retain the respect of senior managers, or even to keep their jobs. The
following methods can be used to increase sales fraudulently:
• Recording fictitious sales (creating fictitious shipping documents, sales invoices, and so on)
• Recording valid transactions twice
• Recording in the current period sales that occurred in the succeeding period (improper cutoff)
• Recording operating leases as sales
• Recording deposits as sales
•Recording consignments as sales
• Recording sales when the chance of a return is likely
• Following revenue recognition practices that are not in accordance with PFRS
• Recognizing revenue that should be deferred
b. Misappropriation of Assets: Withholding Cash Receipts
1. Skimming
This refers to the act of withholding cash receipts without recording them. An example is when a cashier in a
retail store does not ring up a transaction and takes the cash. Another example is when an employee who has
access to cash receipts and maintains accounts receivable records can record a sale at an amount lower than
the invoice amount. When the customer pays, the employee takes the difference between the invoice and the
amount recorded as a receivable. Detection of unrecorded cash receipts is very difficult; however,
unexplained changes in the gross profit percentage or sales volume may indicate that cash receipts have been
withheld.
2. Lapping
This technique is used to conceal the fact that cash has been abstracted; the shortage in one customer's
account is covered with a subsequent payment made by another customer. An employee who has access to
cash receipts and maintains accounts receivable can engage in lapping. Routine testing of details of
collections compared with validated bank deposit slips should uncover this fraud.
3. Kiting
This is another technique used to cover cash shortage or to inflate cash balance. Kiting involves counting the
cash twice by using the float in the banking system. {Float is the gap between the time the check is
deposited or added to an
account and the time the check clears or is deducted from the account it was written on). Analyzing and
verifying cash transfers during the days surrounding year-end should reveal this type of fraud.

Acquisitions and Payments Cycle

1. Errors in the Acquisitions and Payments Cycle

The following may occur in the acquisitions and payments cycle:
• Failing to record a purchase in the proper period (cutoff errors)
• Recording goods accepted on consignment as a purchase
• Misclassifying purchases of assets and expenses
• Failing to record a cash payment
• Recording a payment twice
• Failing to record prepaid expenses as assets
Entities normally design controls to prevent these errors from occurring or to detect errors if they do occur.
When such controls exist, auditors test the controls to assess their effectiveness. If the controls are not
effective, auditors should perform substantive tests to determine that the financial statements do not contain
material misstatements that arose because of possible errors.
2. Frauds in the Acquisitions and Payments Cycle
a. Paying for Fictitious Purchases
This involves the perpetrator creating a fictitious invoice (and sometimes a receiving report, purchase order
and so forth) and processing the invoice for payment. Alternatively, the perpetrator can pay the invoice
twice.
b. Receiving Kickbacks
In this scheme, a purchasing agent may agree with a vendor to receive a kickback (refund payable to the
purchasing person on goods or services acquired from the vendor). This is usually done in return for the
agent’s ensuring that the particular vendor receives an order from the firm. Often a check is made payable to
the purchasing agent and mailed to the agent at a location other than his or her place of employment.
Sometimes the purchasing agent splits the kickback with the vendor's employee for approving and paying it.
Detecting kickbacks is difficult because the buyer's records do not reflect their existence. However, when
vendors are required to submit bids for goods or services, the likelihood of kickbacks is reduced.

c. Purchasing Goods for Personal Use

Goods or services for personal use may be purchased by executive or purchasing agents and charged to the
company's account. To execute such a purchase, the perpetrator must have access to blank receiving reports
and purchase approvals or must connive with another employee. Fraud involving the purchase of goods for
personal use is more likely to go unnoticed when perpetual records are not maintained.

Payroll and Personnel Cycle

Historically, errors and irregularities involving payroll have been reported to occur frequently and are
largely undetected.
1. Errors
The most errors that can occur in the payroll and personnel cycle are
a) paying employees at the wrong rate,
b) paying employees for more hours than they worked,
c) charging payroll expense to the wrong accounts, and
d) keeping terminated employees on the payroll.
Good internal control can be established to prevent these errors from occurring and to detect them if they do
occur.
2. Frauds involving Payroll
The major payroll-related frauds include
a. Fictitious Employees
Adding fictitious employees to the payroll is one of the most common defalcations. Detecting fictitious
employees on the payroll is very difficult; but auditors do sometimes perform a surprise payoff as a deterrent
to this form of defalcation. Alternatively, the auditor may turn the check distribution over to an official not
associated with preparing payroll, signing checks, or supervising workers. Personnel files and the
employees’ completed time cards and time tickets may also be examined to substantiate the existence of
absent employees.
b. Excess Payments to Employees
Increasing the rate above that approved or paying employees for more hours than they worked are the most
common ways of paying employees more than they are entitled to receive. These practices can be
substantially reduced by requiring personnel department officials to authorize changes in pay rates and by
monitoring total hours worked and paid for. Analytical procedures that focus on cost per unit of actual
production can also be helpful in detecting excess payments to employees.
c. Failure to Record Payroll
Companies having difficulty meeting profit targets or not-for-profit entities having difficulty managing costs
and expenses might fail to record a payroll. The omission of payroll can be difficult to hide unless a similar
amount of revenues or receipts has been omitted. Analytical procedures can be performed to test the
reasonableness of payroll cost.
d. Inappropriate Assignment of Labor Costs to Inventory
A company having difficulty meeting profit targets might assign to inventory labor cost that should have
been charged to expense. Analytical procedures such as comparing costs incurred to budgeted cost and
verification of valuation of inventory are some of the useful techniques in detecting such fraud.