FINAL,

FORMAL COMMUNICATION EXAMPLE (AUDIT REPORT)

TO: Chief Accounting Officer, Books 2 Buy Holding Corp.

FROM: Audit Director/Manager, Books 2 Buy Holding Corp.
Books 2 Buy Holding Corp. Cash Disbursements Audit
SUBJECT:
Report SATISFACTORY RATING
DATE: April 27, 20XX
The Books 2 Buy internal audit function completed an internal control review of the cash
disbursements function on March 24, 20XX. The scope of the review, performed as of Feb.
10, 20XX, was to evaluate the design adequacy and operating effectiveness of the system
of internal controls within the cash disbursements process. The review included verification
procedures to ensure proper authorization, validity, accuracy, timeliness, completeness,
existence, classification, confidentiality, integrity, and availability of books, records, and
other relevant documentation supporting cash disbursements processed during the fiscal
year ended Dec. 31, 20XX.
The scope of the review included, but was not limited to, documenting, evaluating, and
testing:

• Procedures for receiving and validating requests for disbursements.

• Procedures for approving and processing disbursements (wires or checks).

• Procedures for validating disbursements for distribution.

• Procedures for recording and balancing cash disbursements.

• Procedures for reconciling detailed records to general ledger cash disbursements

control accounts.
CONCLUSION
In our opinion, the cash disbursements process is reasonable and the system of internal
controls is acceptable, resulting in a SATISFACTORY audit rating. This rating indicates that
overall internal controls are acceptable to safeguard assets and minimize exposure to loss.
This rating also indicates that there are relatively few deficiencies and that an appropriate
level of management attention exists. The internal control environment rating definitions are
included as Attachment A.
MANAGEMENT’S ACTION PLAN
Management has established a satisfactory action plan to resolve the observation
presented in this report. A detailed explanation of our findings and recommendations,
together with management’s response, is provided in the attached report.
Copies to:

Chairman of the
Audit Committee General Counsel
Board
CEO Independent Outside Chief Administrative
Auditor Officer
Chief Compliance
CFO Controller
Officer
Page 2
1. Enhance cash disbursement review and approval procedures.
Our testing of the cash disbursements system confirmed that the system appropriately
rejects all duplicate invoice entries based on invoice number. However, the system edit is
not comparing other invoice information for potential duplicates. Our testing indicated the
system accepts invoices when a digit or symbol is added to the end of the invoice number,
creating the opportunity for a duplicate payment. The receipt of goods or services should be
recorded and processed only once.
As a result, we expanded our testing to include all invoices processed for payment from
Jan. 1, 20XX through Dec. 31, 20XX for possible duplicate payments. Using generalized
audit software, we selected all cash disbursement payments of equal amounts for a given
vendor, regardless of the invoice number or payment date. Our query revealed several
instances (14 invoices totaling $357,782) in which the A/P clerks possibly entered certain
invoices a second time when a duplicate invoice was submitted by the vendor. Follow up
with the clerks indicated they are not recognizing that these invoices may have been
received before and were adding a digit to the end to facilitate processing. In other
instances, the vendor issued a duplicate invoice with a different invoice number (typically
one higher than the last one) and the A/P clerks did not detect that these were potentially
duplicate invoices. As a result, liabilities, and the corresponding assets or expenses, were
overstated by $357,782 and the same amount of funds were disbursed inappropriately. A
budget-to-actual analysis is performed monthly by all department heads and cost center
owners, but is not designed to detect insignificant errors such as these.
We recommend that a query routine be developed that matches the vendor name, invoice
amount, invoice date, and any other key invoice characteristics considered appropriate by
A/P and compares these characteristics to previously processed invoices before processing
each cash disbursements batch. The results of this query should be reviewed by the A/P
supervisor for potentially duplicative invoices. Any suspect transactions should be removed
from the batch and investigated before processed for payment.
Management Response:
A query routine will be written that compares “key” invoice characteristics (invoice dollar
amount, vendor description, invoice number, and invoice date) to previously processed
invoices flagging the invoice as a potential duplicate if any characteristics are a match. This
routine will be run before a batch is processed and reviewed by the A/P supervisor. If there
are any potentially duplicate invoices identified, these transactions will be removed from the
batch and researched before processed for payment.
Accountability: Chief Accounting Officer
Responsibility: Accounts Payable Supervisor
Implementation Date: June 30, 20XX
Attachment A
 Books 2 Buy audit reports include an overall rating of controls based on the objectives,
scope, and conclusions of detailed work performed. The control ratings are defined as
follows:
SATISFACTORY
Overall, controls are designed adequately and operating effectively to mitigate the
underlying risk to an acceptable level. This rating indicates that there are relatively few
minor deficiencies and that an appropriate level of management attention exists.
NEEDS IMPROVEMENT
Overall, controls need improvement to consistently mitigate the underlying risk to an
acceptable level. This rating indicates that the number and nature of deficiencies require
prompt management attention to reduce exposure to a more acceptable level.
UNSATISFACTORY
Overall, controls are not designed adequately and/or operating effectively to mitigate the
underlying risk to an acceptable level. This rating indicates that the number and nature of
deficiencies are of critical importance and require substantial management attention.
Immediate corrective action is essential to prevent further deterioration.

Additional Assurance Engagement Communication

Standards
The Standards offers guidance regarding the quality of assurance
engagement communications as well as what is required in the event of
an error or omission. The relevant standards supplemental guidance are
included here.

Quality of Communications
Standard 2420: Quality of Communications states “communications must
be accurate, objective, clear, concise, constructive, complete, and
timely.” The interpretation to Standard 2420 defines these terms.

Rating Definitions
It is important to ensure readers of an audit communication understand what the
ratings used by the internal audit function mean.

■ Accurate communications are free from errors and distortions and

are faithful to the underlying facts.
■ Objective communications are fair, impartial, and unbiased and are
 the result of a fair-minded and balanced assessment of all relevant
facts and circumstances.
■ Clear communications are easily understood and logical, avoiding
unnecessary technical language and providing all significant and
relevant information.
■ Concise communications are to the point and avoid unnecessary
elaboration, superfluous detail, redundancy, and wordiness.
■ Constructive communications are helpful to the engagement client
and the organization and lead to improvements where needed.
■ Complete communications lack nothing that is essential to the target
audience and include all significant and relevant information and
observations to support recommendations and conclusions.

Quality Communications
must be:
— Accurate
— Objective
— Clear
— Concise
— Constructive
— Complete
— Timely

EXHIBIT 14-12
FINAL, INFORMAL COMMUNICATION EXAMPLE (MANAGEMENT
DISCUSSION MEMORANDUM)

Chief Accounting Officer, Books 2 Buy Holding

TO:
Corporation
Audit Director/Manager, Books 2 Buy Holding
FROM:
Corporation
Management Discussion Findings – Cash
SUBJECT:
Disbursements Process
DATE: April 27, 20XX
The internal audit function performed a review of the cash disbursements process to
evaluate the design adequacy and operating effectiveness of the system of internal controls
within the cash disbursements process. During the course of the review, the following
observation came to our attention that affects the operational efficiency of your area. In our
opinion, this observation does not constitute a reportable control deficiency and, as a result,
is not included in the formal audit report.
We recommend management evaluate the impact the observation has on operational
efficiency and the cost/benefit of implementing corrective action, if any.
Enhance the process for updating and maintaining the delegation of authority policy.
Our review of the delegation of authority policy indicated there were seven individuals listed
with disbursement authority in the policy who are no longer employed by the company and
nine individuals acting with disbursement authority that are not identified in the policy as
having such authority. Authority over the disbursing of funds should be limited to individuals
currently employed by the company, individuals authorized to perform cash disbursements
under the policy, and individuals whose job responsibilities justify such authority. The
absence of such limits creates the risk disbursements might be made by individuals not
authorized by the policy.
Upon further investigation, we determined the delegation of authority policy is only updated
semiannually. Currently, no updates are made when there is a change in personnel or a
change in responsibilities affected by the policy. For individuals acting with disbursement
authority, but not listed in the policy, all were appropriately approved to perform
disbursements and required such to perform assigned job responsibilities. Additionally, our
testing revealed that access rights to the cash disbursements system are eliminated upon
an individual leaving the company. Therefore, even though individuals who have left the
company remain in the policy as authorized signers, they could not access the system to
approve disbursement transactions. In all seven cases noted during our review, system
access had been disabled at termination of the individuals. Finally, we noted that a budget-
to-actual analysis is performed monthly by all department heads and cost center owners.
Any unauthorized disbursements of consequence would be identified and investigated
immediately.
We recommend management consider enhancing procedures for updating the delegation of
authority policy. Individuals named with disbursement authority should be incorporated into
the policy via an exhibit that would list individuals with disbursement authority. The exhibit
could be updated and maintained as part of the new employee on-boarding and terminated
employee exit processes in a similar manner as system access rights are added or deleted,
allowing for the policy to be updated as changes occur.
Management’s Response:
Management believes the risk of an inappropriately authorized disbursement is minimal
and, therefore, is willing to live with the current level of risk as identified between policy
updates. However, management does see value in separating the list of individuals with
disbursement authority from the policy itself, as well as incorporating the maintenance of
this list as part of the processing of new and terminated employees. Management will
evaluate the cost/benefit of making these changes to the process for updating and
maintaining the delegation of authority policy.
Accountability: Chief Financial Officer
 Responsibility: Chief Accounting Officer
Implementation Date: Not Applicable

■ Timely communications are opportune and expedient, depending on

the significance of the issue, allowing management to take appropriate
corrective action.
The following steps outline how internal auditors can ensure
communications meet the criteria of Standard 2420:
1. Gather, evaluate, and summarize data and evidence with care and
precision.
2. Derive and express observations, conclusions, and
recommendations without prejudice, partisanship, personal
interests, and the undue influence of others.
3. Improve clarity by avoiding unnecessary technical language and
providing all significant and relevant information in context.
4. Develop communications with the objective of making each
element meaningful but succinct.
5. Adopt useful, positive, and well-meaning content and tone that
focuses on the organization’s objectives.
6. Ensure communication is consistent with the organization’s style
and culture.
7. Plan the timing of the presentation of engagement results to avoid
undue delay.

Errors and Omissions

Although a lot of attention is spent on accuracy and completeness in an
engagement communication, there will be times when an error or
omission will occur. The Standards has accounted for that with Standard
2421: Errors and Omissions: “If a final communication contains a
significant error or omission, the chief audit executive must
communicate corrected information to all parties who received the
original communication.” An error is defined as an unintentional
misstatement or omission of significant information in the final