ECH7042 - Commencing the Compliance Check: Risk Based Systems Audit (RBSA)
Risk Based Systems Audit is a review methodology that has developed over many years. It has evolved into a process, universally accepted in the accountancy profession, that will
- enable you to deal with the ever-increasing size and complexity of the businesses that you visit and
- reduce the amount of time spent on issues with little or no risk whilst undertaking a compliance check.
You will
- explore in detail the reasons why specific processes were put in place and how these work in practice
- by understanding the business needs, be better able to understand and advise how best these processes can support the employer/contractor in meeting his statutory obligations
- be better able to identify any irregularities at an early stage
- be better able to decide, after discussion with the employer/contractor, the extent of records examination and testing required.
A risk based systems audit approach has at its core the necessity to understand the systems and controls put in place by the employer/contractor to enable the business to function properly and to enable the employer/contractor to meet his statutory obligations.
You need to use effective questioning (ECH7250) to
- Understand the overall objectives of the employer/contractor
What does the employer/contractor do, how do they do it and what type of employees/subcontractors do they need to achieve results?
For example
- weekly paid staff working on production
- salaried sales representatives who also receive commission (and possibly travelling expenses)
- directors who receive an annual bonus
- subcontractors required by trade types
- Establish what type of systems the employer/contractor has set up to support the business.
For example
- are there weekly / monthly payrolls / separate director payroll?
- how are the employees paid?
- what type of expenses are paid and how do the employees make a claim?
- what are the systems for making statutory returns of P35, P14s, P11Ds, P11D(b), CIS36 (to 5/4/2007), CIS300 (from 6/4/2007)?
- Understand the systems objectives
- what is the purpose of each system?
- how does each system operate?
- who operates, authorises and controls each system?
- does the system work?
For example, expenses
- what can employees claim?
- how are employees made aware of this?
- do subcontractors claim?
- is there a standard claim form?
- how are they authorised?
- how are they paid?
- are they properly returned?
A risk is defined as “something that casts doubt on the figures on the return”. For Employer Compliance these returns include
due to be submitted to HMRC by 19th May each year
- P35 – employer annual return
- P38A – employer's supplementary return
- P14 – end of year summary for each employee
- P38(S) – student declaration
- CIS36 – contractor's end of year return (to 5/4/2007)
due to be submitted to HMRC by 6th July each year
- P9d – expenses payments for employees
- P11d – expenses and benefits for employees
- P11d(b) – employer's return of Class 1A NIC due on employee benefits
due to be submitted to HMRC by 19th of each month
- CIS300 – contractor's return of payments made to subcontractors.
But some risks may be inherent to the type of business or system in place, for example
- P46 failures within catering/hospitality trades
A risk may be identified at any stage of the compliance check.
See also the attached flowchart.
