Internal Audit Checklist: Sales, Invoicing and Credit Management (SICM) Cycle

In general, the objective of an internal audit is to assess the risk of material misstatement in financial reporting. Material misstatements can arise from inadequacies in internal controls and from inaccurate management assertions. As such, testing the validity of various implicit managerial assertions is a key objective of an internal auditor.

While this applies to all financial cycles, in this article we’ll focus on the General Control Activities for the Sales, Invoicing and Credit Management (SICM) cycle. The most important general controls for SICM include:


  • Organization
  • Sales Planning and Target Setting
  • Customer Acquisition
  • Client Acceptance and Sales Agreements
  • Management of Client Relationships
  • Order Processing
  • Invoicing
  • Sales Returns and Credit Notes
  • Credit Management
  • Customer Master Data

Sales and Marketing Organization

For a business with a sales and marketing activity, a few important goals include:

  • Effectiveness of the sales and marketing organization
  • Adequacy in the definition & communication of authority limits
  • Appropriate segregation of duties in the sales and marketing department

When conducting the audit of the Sales and Marketing Organization, look out for the following controls/best practices:

  • Organization structure is adequately designed to achieve the objectives, is available to all staff, and is updated regularly.
  • Relevant business unit policies and directives have been communicated to all relevant staff, and a copy of the local policies is stored in a shared location for easy reference.
  • Authority limit schedules are in place and available to all staff. These are regularly reviewed for appropriateness, staff changes, and to ensure alignment with the corporate authority schedule. They should also be stored in a shared location for easy reference.
  • Roles and responsibilities are documented within staff job descriptions, and tasks/processes are reviewed on a regular basis to ensure adequate management oversight and to ensure that conflicting tasks are avoided (supporting ERP access is also reviewed for SOD conflicts).

Segregation of Duties

Businesses should be aware of employee responsibilities to ensure adequate Segregation of Duties (SOD) whenever possible. The risk of not doing so includes inadvertently processing unauthorized transactions.

When conducting the audit, look out for the following controls/best practices:

  • Roles and responsibilities are documented within staff job descriptions, and tasks/processes are reviewed on a regular basis to ensure adequate management oversight and to ensure that conflicting tasks are avoided (supporting ERP access should also be reviewed for SOD conflicts).
  • SOD is maintained between authorization, custody of assets, recording of transactions and control activities (e.g. sales / order handling).

IT/ERP Systems and Applications

IT infrastructure and applications must adequately support the activities of the business. A poor infrastructure results in a variety of inefficiencies and poor decisions, plus a plethora of security risks and legal risks.

When conducting the audit, look out for the following controls/best practices:

  • IT landscape maintained with all applications.
  • Licenses for all applications stored on central server to ensure backup.
  • Regular backups of laptops to server (forced where possible).
  • Access to internet/external lines through business global gateways.
  • Management information reporting from IT systems allows for complete, accurate and timely management information suitable for management oversight and decision-making processes.

Sales and Marketing Strategy

Sales and Marketing Strategy supports the business goals and objectives. When conducting the audit, look out for the following controls/best practices:

  • Sales and Marketing strategy is considered and decided during discussion on business strategy.
  • Sales Strategy includes: sales goals; tasks and activities that are required to deliver the business plan; and performance metrics that are identified, developed, agreed and deployed.
  • Marketing Strategy includes: Priority market, channel and product segments; Brand Portfolio strategy; Innovation Strategy; Communication and Activation Strategy; Pricing Strategy; and Channel Strategy.

Policies and Procedures

Clear Policies and Procedures should be documented for key aspects of the cycle. Not having clear policies and procedures will lead to insufficient guidance for sales and marketing staff and controls will not be executed as designed.

When conducting the audit, look out for the following controls/best practices:

  • Policies and procedures for key processes and tasks are documented and communicated to all relevant staff, including providing staff with timely updates on changes.
  • Owners for policies and procedures are identified and charged with keeping procedures up to date.
  • Policies and procedures are stored in a shared location. Reminders are sent to owners for review automatically by the system.

In conclusion, auditing standards require that auditors test basic underlying management assertions implicit in the financial statements. Key objectives of these assertions are: Existence and Completeness, Rights and Obligations, Valuation or Allocation, and Presentation and Disclosure.