AuditNet: Audit Work Programs

Set 3 Personnel

Set 4 Procurement

Set 5 Stock & Materials Handling

Set 6 Production / Manufacturing

Set 7 Marketing & Sales

Set 8 After Sales Support

Set 9 Research & Development

Set 10 Information Technology

Set 11 Contracting

Set 12 Reputation Management

Building Societies & Home Loans Co.

National Health Service

+ Special comprehensive programs for Information Processing Facilities and Contract Management.

1.2 Each SAPG has been created in Microsoft Word for Windows Version 6 format, and therefore can be edited, updated and maintained like any other word processing document. The relevant system/activity files can be issued to auditors and data relevant to the audit project can be entered as a record of the work undertaken and also subsequently form part of the audit documentation file. Section 4 of this document provides guidance on the use of the SAPG.

1.3 The SAPG document files are compatible for use with later versions of Word, including Word 97 either as a freestanding application or as part of the Microsoft Office suite. However, the default directory structures vary between versions and users should consult Section 3 and their system documentation for further guidance on how to load the files for use.

2. THE SAPG FILES

2.1 The SAPG product is grouped in four main groups of file, the first contains the main group of 181 activity or system-level SAPG files, the second contains the four special comprehensive programs for Contract Management and the Information Processing Facility, the third contains five document files, and the last is a modified Template file which incorporates the macro files. The contents and loading of the main SAPG files are described in sections 2 & 3 of this document. Details of the macros and how to load them are contained in Section 8 of this document.

All the files in the first three groups noted in the preceding paragraph are in Word 6 format with the file extension .DOC.

2.1.1 The first group of 181 files relate to the individual system or activity-level SAPGs. They all have filenames in the form SAPGnnnn.DOC, where nnnn is a unique numeric reference which when used in connection with the index in 2.2 below, identifies the subject matter of the file.

2.1.2 The five document files have very specific purposes, as follows:

Filename Comments

FACTFIND.DOC This is the "Fact Finding Program", which is fully described in section 5 of this document.

HIGHVIEW.DOC This is the "High Level Review Program", which is described in section 6 of this document.

PROCESS.DOC This is the "Business Process" document, which is described in section 7 of this document.

SAPG_NEW.DOC This is a blank SAPG format for your own use in developing new and specific programs.

SAPG_XXX.DOC This is a special format blank SAPG document for use with the supplied macros when copying selected SAPG

contents – See Section 8 for further details.

2.2 The 181 activity or system-level SAPGs are detailed in the following index table. Please note that the "SAPG Ref." noted in the second column can be related to the Word filename (for example number 0105, "Risk Management" relates to filename SAPG0105.doc).

Set 1 – Management & Administration

0101 The Control Environment
0102 Organization
0103 Management Information
0104 Planning
0105 Risk Management
0106 Legal Department
0107 Quality Management
0108 Estates Management & Facilities
0109 Environmental Issues
0110 Insurance
0111 Security
0112 Capital Projects
0113 Industry Regulation & Compliance
0114 Media, Public & External Relations
0115 Company Secretarial Department
0116 Auditing the Board

Set 2 - Financial & Accounting

0201 Treasury
0202 Payroll
0203 Accounts Payable
0204 Accounts Receivable
0205 General Ledger / Management Accounts
0206 Fixed Assets (and Capital Charges)
0207 Budgeting & Monitoring
0208 Bank Accounts & Banking Arrangements
0209 VAT Accounting (where applicable)
0210 Taxation
0211 Inventories
0212 Product / Project Accounting
0213 Petty Cash and Expenses
0214 Financial Information & Reporting
0215 Investments

Set 3 - Personnel

0301 Human Resources Department
0302 Recruitment
0303 Manpower & Succession Planning
0304 Staff Training & Development
0305 Welfare
0306 Pension Scheme (and other benefits)
0307 Health Insurance
0308 Staff Appraisal & Disciplinary Matters
0309 Health & Safety
0310 Labor Relations
0311 Company Vehicles

Set 4 - Procurement

0401 Purchasing

Set 5 - Stock & Materials Handling

0501 Stock Control
0502 Warehousing / Storage
0503 Distribution, Transport & Logistics

Set 6 - Production / Manufacturing

0601 Planning & Production Control
0602 Facilities, Plant & Equipment
0603 Personnel
0604 Materials & Energy
0605 Quality Control
0606 Safety
0607 Environmental Issues
0608 Law & Regulatory Compliance
0609 Maintenance

Set 7 - Marketing & Sales

0701 Product Development
0702 Market Research
0703 Promotion & Advertising
0704 Pricing & Discount Policies
0705 Sales Management
0706 Sales Performance & Monitoring
0707 Distribution
0708 Relationship with Parent Company
0709 Agents
0710 Order Processing

Set 8 - After Sales Support

0801 Warranty Arrangements
0802 Maintenance and Servicing
0803 Spare Parts and Supply

Set 9 - Research & Development

0901 Product Development
0902 Project Appraisal & Monitoring
0903 Plant & Equipment
0904 Development Project Management
0905 Legal & Regulatory Issues

Set 10 - Information Technology
1001 IT Strategic Planning
1002 IT Organization
1003 IT Sites
1004 Processing Operations
1005 Back-up and Media
1006 Systems / Operating Software
1007 System Access Control
1008 Personal Computers
1009 Software Maintenance
1010 Local Area Networks
1011 Databases
1012 Data Protection
1013 Facilities Management
1014 System Development
1015 Software Selection
1016 Contingency Planning
1017 Electronic Data Interchange
1018 Viruses
1019 Electronic Office
1020 User Support
1021 BACS
1022 Spreadsheet Design
1023 Expert Systems
1024 IT Accounting
1025 Millennium Compliance

Set 11 - Contracting
1101 Contract Management Environment
1102 Project Management Framework
1103 Project Assessment and Approval
1104 Engaging, monitoring, & paying consultants
1105 Design
1106 Assessing Viability/Competence of Contractors
1107 Maintaining an Approved List of Contractors
1108 Tendering Procedures
1109 Contract & Tender Documentation
1110 Insurance & Bonding
1111 Selection & Letting of Contracts
1112 Management Information & Reporting
1113 Performance Monitoring
1114 Sub-Contractors & Suppliers
1115 Materials, Plant, and Project Assets
1116 Valuing Work for Interim Payments
1117 Controlling Price Fluctuations
1118 Monitoring & Controlling Variations
1119 Extensions of Time
1120 Controlling Contractual Claims
1121 Liquidations & Bankruptcies
1122 Contractor’s Final Account
1123 Recovery of Damages
1124 Review of Project Outturn & Performance
1125 Maintenance Obligations

Set 12 – Reputation Management
1201 General overview
1202 Financial performance, profitability and long-term investment value
1203 The board, the chief executive and the senior management team
1204 Quality of products and services – brand image
1205 Treatment of staff
1206 Social responsibility
1207 Customer service
1208 Information and communication

Set 13 -Building Societies/Home Loans Companies
BS01 Branch Security
BS02 Branch Operations
BS03 Management
BS04 Treasury Environment
BS05 Treasury Dealing
BS06 Investments – New Accounts
BS07 Investments – Account Maintenance
BS08 Investments – Account Statements
BS09 Secured Personal Loans
BS10 Unsecured Loans
BS11 Commercial Lending – New Business
BS12 Commercial Lending – Account Maintenance
BS13 Check Accounts
BS14 ATM Services
BS15 Credit & Debit Cards
BS16 New Mortgage Business
BS17 Mortgage Account Maintenance
BS18 Mortgage Arrears
BS19 Mortgage Possessions & Sales
BS20 Mortgage Mandates
BS21 Mortgage Annual Statements
BS22 Insurance Products
BS23 Staff Accounts
BS24 Securities

Set 14 - National Health Service
HS01 Purchaser Contracting
HS02 Provider Contracting
HS03 General Practitioner Fund Holding
HS04 Charitable Funds
HS05 Use of Health Centers
HS06 Private Patients
HS07 Welfare Foods
HS08 Residential Accommodation
HS09 Joint Finance
HS10 Residents’ Monies
HS11 Cashiers
HS12 Family Health Service Authority
HS13 Road Traffic Accidents
HS14 Nursing Homes
HS15 Trading Agencies
HS16 Pharmacy Stores
HS17 Risk Management
HS18 Cash Collection – Car Parks
HS19 Cash Collection – Telephones
HS20 Cash Collection – Prescriptions
HS21 Cash Collection – Shops/Restaurants
HS22 Cash Collection – Staff Meals
HS23 Cash Collection –Vending Machines
HS24 Income Generation
HS25 Staff Expenses
HS26 Losses & Compensations

SPECIAL COMPREHENSIVE PROGRAMS

SAPGCON1 Contract Management
SAPGCON2 Contract Management (Management checklist version with example controls and measures)
SAPGIPF1 Information Processing Facility
SAPGIPF2 Information Processing Facility (Management checklist version with example controls and measures)

GENERAL DOCUMENTS

FACTFIND Fact Finding Program
HIGHVIEW High Level Review Program
PROCESS Business Process Document
SAPG_NEW Blank SAPG Format
SAPG_XXX Special blank SAPG for use with macros – see Section 8 for details of use.

3. HOW TO USE & MAINTAIN THE FILES

3.1 All the files are provided in Word for Windows Version 6 format, and have the file extension .DOC. Individual filenames are described in the previous section (i.e. 2.1.1).

3.2 The files on the CD represent a valuable source of information and they should be adequately protected so that they remain accessible for use. In addition to securing the CD against losses, it is also suggested that you take further back-up copies of those files that you are likely to use and store them securely.

3.3 The supplied files can be regarded as the Source files which can be used as the foundation for creating specific Target files (each with their own unique filename) relevant to a particular audit project or company visit. The file-naming standard adopted by the user is very much a matter of choice, but should aim to uniquely identify the contents to a specific site, company and subject. In order to take these details into account, and also cater for different versions over a period of time to allow for subsequent audit visits, some form of accurate index should be separately maintained to support the prompt identification of individual files. Please note that the filename structure within MS-DOS and Windows has a limit of eight characters, whereas users of versions of Word designed specifically for Windows 95 will have the facility for longer file names upon saving the SAPG documents. However, all the supplied SAPG files have the conventional eight character filenames to ensure universal compatibility.

3.4 In order to access a particular file or combination of files, they should be copied onto the hard disk of the relevant personal or portable computer. Before undertaking this copying of files, the user will have to determine which Directory on the hard disk is normally used by the Word system to store document files. The default directory for version 6 of Word is WINWORD, but your own installation may have been customised and you can establish the relevant directory path by entering the Word system and initiating the File Open option from the File menu (or by clicking on the File Open icon). The dialogue box indicates the default path, which is normally C:\WINWORD. Later versions of Word use different default document directories (for example, Word version 7 for Windows 95 uses the default of C:\MYDOCUMENTS). Your Word documentation and Help system should provide such details. Although you can opt to use the default document directories, you may prefer to segregate the supplied SAPG documents into a separate directory.

3.5 As a general precaution, it is wise to save any amended version of an SAPG file with a different and unique file name, as this avoids overwriting the original version.

4. THE PRACTICAL USE OF THE SAPGs

4.1 The Standard Audit Program Guides (SAPGs) can either be used singly or in various combinations to provide detailed guidance and direction during audit projects and field visits. In following paragraphs we explore the format of the SAPG and how it can be used, but we should start by explaining how the sets of SAPGs are structured and the key contents.

4.2 Each SAPG covers a particular business system or activity (for example Accounts Payable or Staff Training & Development). The current SAPGs are divided into nine sets of related subjects (such as Management & Administration or Marketing & Sales). A full index of all the SAPGs is provided in section 2.2 of this document.

4.3 The scope and nature of each audit project may be different. This variability is driven by such practical aspects as availability of resources, the relative scale of the target business operations, logistical considerations, areas of specific management concern, etc. SAPGs can be used in combinations to match the audit coverage to the specified business systems and activities. Although each SAPG can be used in a "free-standing" context, they can also be linked in a number of ways to support the objectives established by audit management:

4.3.1 Most SAPGs cover systems that have interfaces with other systems (for example there are linkages between Purchasing, Accounts Payable and Stock Control). It follows therefore that perceived weaknesses in one system/activity may have implications for issues in another related system or activity. Each SAPG is provided with a table of such interrelationships so that the user can promptly determine the knock-on effects of any noted concerns (see 4.10);

4.3.2 The principal activities of an operating unit or overseas subsidiary can also be flexibly related to a number of individual SAPGs;

4.3.3 Away from the use of individual SAPGs to support the examination of discrete activities, there is the alternative view of a business expressed in terms of "Business Processes" (or alternatively "Cycles" although not every process is actually cyclic in form). These "Business Processes" can be described as being a series of related or interlinked economic events. The structure of individual SAPGs can also be used as the basis of using them in combinations supporting auditing on a Business Process basis. This approach is further discussed in Section 7 of these notes and we have provided a supporting document (i.e. PROCESS.DOC) which provides an analysis of SAPGs into the Process approach;

4.3.4 In any event, it is likely that most audit visits will be the subject of some prior research and preparation in order to ensure that the audit time spent on site is optimized for efficiency and direction, and that the auditors are focused upon the worthwhile investigations. In order to assist with such deliberations, we have supplied two further documents, namely "The Fact Finding Program" and the "High Level Review Program” These documents are discussed in sections 5 and 6 of these notes respectively.

4.4 The critical contents of each SAPG are a number of Risk or Control Issues relevant to the specific system. These are expressed in the form of questions which raise the issues in the context of what is being done to either achieve a desired outcome or to avoid an unwanted one.

4.5 The Risk and Control Issues are further divided into two groups, namely Key Issues and Detailed Issues. The former are the more significant and crucial points about the system under review and the aim should be to always take them into account during the audit. The latter category of issues take the user into more of the underlying system considerations, and would only be utilized if there was a potential weakness revealed as a consequence of considering the Key Issues. (We will return to the context of this division of issues later in these notes - see 4.9.1).

4.6 The purpose of the SAPG is to guide the auditor through an examination of the issues specific to the system or activity with the intention of recording the nature of measures and controls in place to either ensure that business objectives are achieved or that risks and exposures are successfully avoided. The auditor will need to record not only the nature of measures and controls in place, but also consider their effectiveness, and dependent upon that interpretation record the nature and results of any audit testing applied as a determinant in whether or not the situation needs to be reported to management for their consideration, etc. In subsequent pages, we examine in detail the format of the SAPG and how this information is recorded and interpreted.

4.7 SAPG is divided into three distinct sections (as noted below), the format and use of which are described in following paragraphs.

- A Title Page (see 4.8 overleaf);

- The Risk/Control Issues (See 4.9); and

- System Interfaces (See 4.10).

Please note that in all the examples that follow, the text in italics relates to that entered by the user, whereas the normal text is that included in the supplied form of the SAPG.

4.8 SAPG Title Page The title page has three separate areas, as follows:

4.8.1 Firstly an area which records the details of the subject matter covered by the SAPG and a reference number, for example

4.8.2 Secondly, an area used to record details about the specific audit project, for example

Company: XXX Inc.	Division: Orthopaedics	Country: USA	Site: Warsaw, IN
Audit Ref.: USA012-98	Date: 24 February 1998	Completed by: John Brown	Reviewed by: G. V. Rand

4.8.3 Lastly a section which describes the Control Objectives for the relevant system, for example

Control Objective(s):

(a) To ensure that the organizational structure is appropriate to the business and the achievement of strategic objectives; (b) To ensure that the organizational structure is determined by the business and operational needs and avoids needless sub-divisions and excessive levels; (c) To ensure that the structure enables the flow of key information upwards and outwards within the organization and across all the business activities; (d) To ensure that relevant responsibilities, authorities and functional terms of reference are defined and in place; (e) To ensure that responsibilities and authorities are adequately segregated in order to avoid conflicts of interest and the potential for fraudulent practices; (f) To ensure that the structure is periodically reviewed and any changes are agreed and authorized at a senior level; (g) To ensure that each manager's span of control is optimized and avoids either over or under-utilization; (h) To ensure that adequate staff resources are determined, authorized and provided in order to achieve the functional and business objectives;

(i) To ensure that the prevailing organizational structure is suitably documented and communicated to all relevant staff; and (j) To ensure that the organizational structure and the related functional divisions of responsibility are accurately and adequately reflected in the accounting and management information systems

Of course, the text in the last section of the page can be edited and updated whenever necessary by the user.

4.9 The Risk/Control Issues

This is the main part of the SAPG and consists of a table based on the headings noted below. It should be noted that all the cells in these tables are capable of expanding down the page as text is entered. Within Word (in default mode) if the text in a cell reaches the bottom of a page, the cell is divided and the text will span both pages. On this and subsequent pages, the use of each column is discussed.

Seq.	Risk/Control Issue	Current Control/Measure	WP Ref.	Effective Yes/No	Compliance Testing	Substantive Testing	Weakness to Report
1	Key Issues
1.1	What measures are in place to ensure that management are kept informed of production activities as the basis for their decision making?

2	Detailed Issues
2.1	How can management be assured that production downtime caused by plant breakdown is minimised?

4.9.1 The "Seq." column contains a sequential number used to identify each Risk/Control Issue. These issues are divided into two groups, Key Issues which are identified by being both in the sequence starting 1.1 and printed in bold text, and Detailed Issues which are in the sequence starting at 2.1. The Key Issues reflect the top-level and critical aspects of the system/activity under review and should always be considered by the auditor. There are normally between six and ten Key Issues noted on each system/activity SAPG. The Detailed Issues examine the relevant subject in greater elemental detail and should only be addressed by the auditor if the responses obtained in relation to the Key Issues suggest that there could be further inherent weaknesses in control. There can be any number of Detailed Issue recorded within an SAPG dependent upon the complexity and relevance of the system/activity.

4.9.2 The "Current Control/Measure" column is used by the auditor to record a brief description of any Controls or Measures that are in place to address the issues raised in the Risk/Control Issue column. Try to avoid going into too much detail in this column. This type of information can be obtained in a number of ways, for example, as a result of discussion with departmental staff, from a review of documented procedures, or from previous audit working papers. In practice there may be more than one control or measure in place which has an effect on the issue raised; any number of these can be noted in the Current Control/Measure cell.

The "WP Ref." column can be used to note any Working Paper cross-reference, such as a system flowchart or procedure manual.

Seq.	Risk/Control Issue	Current Control/Measure	WP	Effective	Compliance	Substantive	Weakness
			Ref.	Yes/No	Testing	Testing	to Report
1	Key Issues
1.1	What measures are in place to ensure that management are kept informed of production activities as the basis for their decision making?	Regular management report (type PRO78X) produced and circulated to unit managers. Contents are reviewed, discussed, and signed off at weekly team meetings.	Flow chart PRD04 page 8	YES

4.9.3 The "Effective Yes/No" column is used to note whether the recorded Current Control or Measure is likely to be effective in either supporting the required objective or counteracting any underlying risk posed by the issue. This judgment, which may need to be applied by the audit manager or supervisor, is an opinion on likely effectiveness. The responses recorded in this column can be used to determine those areas which should be subject to audit testing. The decision whether or not to apply audit testing will, of course, be relative to the user's own auditing standards, but a number of logical tactics could apply. For example, the consideration that a particular control or measure would be effective

(i.e. a YES response), may obviate the need for any testing, however, at this stage, the auditor does not know whether the control is actually being applied either correctly or consistently. This suggests that some limited Compliance Testing is desirable to ascertain if the control is actually being applied in an appropriate manner in every instance. In order to contain the amount of audit time spent on compliance testing, it is often desirable to identify the key controls and measures which represent the greatest potential and target these for compliance tests. The "Compliance Testing" column can be used to record the test applied and a summary outcome. Because space is limited, the user can elect just to record a working paper cross-reference to the detailed testing schedules rather than a full explanation.

4.9.4 In instances where either the compliance testing revealed an inadequate application of the measure or the control/measure was judged unlikely to be effective, further substantive testing may be justified to evaluate if a potential weakness has been exploited. Summary details of such substantive testing can be noted in the "Substantive Testing" column. By way of illustration, the following extract SAPG table incorporates example entries in the Compliance and Substantive Testing columns.

Seq.	Risk/Control Issue	Current Control/Measure	WP	Effective	Compliance	Substantive	Weakness
			Ref.	Yes/No	Testing	Testing	to Report
1	Key Issues
1.1	What measures are in place	Regular management report	Flow	YES	WP: Test No. 23	WP: Test No. 54	Recommend to
	to ensure that management	(type PRO78X) produced and	chart				management that
	are kept informed of production activities as the basis for their decision making?	circulated to unit managers. Contents are reviewed, discussed, and signed off at weekly team meetings.	PRD04 page 8		Reports for October 1997 examined - no evidence of examination or review by management	October & November reports examined in detail - 13 instances of production shortfall reported with no apparent follow-up action.	they ensure that this control is applied as defined in the procedures manual and that all reports are monitored for evidence of action taken to address reported problems. Discussed & agreed with Production Manager 01.03.98

4.9.5 The last column ("Weakness to Report") can be used to note that any points of audit concern arising from the audit review and testing which should either be discussed further with management or formally reported to them as a recommendation for action. The contents of this column can be interfaced with the reporting processes utilized by the audit function.

4.9.6 The completed SAPG file can be saved as a Word document file and printed out to form part of the audit working papers and permanent file.

4.10 System Interfaces

4.10.1 This page of the SAPG is intended to alert auditors to the likely interfaces between the system and activity being addressed in the SAPG and any others. Where weakness and control problems have been revealed during the system review, there may be consequences or implications for other systems either "downstream" or "upstream" of the system under review. The System Interfaces Table is intended to draw auditors’ attention to systems with either input or output connections. These connections may be based solely upon data flow or have additional operational implications. The example Systems Interface Table on the following page is provided for illustrative purposes and is related to an Accounts Receivable system.

EXAMPLE ONLY

SYSTEM INTERFACES FOR ACCOUNTS RECEIVABLE

It is unlikely that any activity or system will operate in complete isolation, but will need to interact with other data and systems in order to be fully effective. At a simple level, such interaction could relate to the input of data from a source system and the generation of amended or enhanced data which can be output to the next process. For example, taking coded transactions from an accounts payable system into the general ledger as the basis for subsequently producing management accounts information.

It is often at the point of interaction between systems where controls are critical. Auditors should be satisfied that the data moving between systems is consistent, complete and accurate, in order that the subsequent processes are undertaken upon a reliable basis.

The following table aims to plot, for the subject system of this Standard Audit Program Guide, the potential interfaces with other systems which may require audit attention. Indicators are provided to differentiate between those interfaces which act as input sources to the subject system and those which are potential output targets. The "SAPG Ref." column records the reference number of the Program Guide which addresses the issues for the related system

System

Sponsored by