Session 2 Overview

Tut Letter 103
Test 2 topics
Testing & evaluating accounting systems
Advanced CIS environments
Manual & CIS environments
My approach
Review the key principles
Develop frameworks for answering questions
Apply frameworks to questions
Auditing Slides – Session 2 (Tut letter 103)
Learning objectives (Pg 5)
Understand transaction processing
Revenue & receipts
Payroll & personnel
Acquisition & expenditure
Inventory & production
Finance & investment
Understand internal control & its components
Be able to design systems of internal control
Understand why we need to understand accounting systems
and related internal control during planning
Learning objectives (cont.)
Evaluate effectiveness of internal control
(weaknesses / recommendations)
Formulate tests of control
Evaluate findings & report weaknesses
Consider & evaluate risk related to accounting systems
Define audit objectives related to transactions
Identify “significant deficiencies” in internal control
Describe the impact of controls on the audit approach
Learning objectives (cont.)
Computer auditing specifically…
Understand the various methods of info processing
Be able to evaluate the general controls and specific
computerised application controls
Understand and know how to use CAATs
Understand advanced computer technology & its effect on
systems of control
Understand how the audit approach should be adapted when
using advanced computer technology
Learning objectives (cont.)
IT governance specifically…
Understand and be able to apply the principles of King 3…
How is this tut letter tested?
List the weaknesses…
State the control objectives…
Discuss / describe the programmed / automated / application
controls…
Identify the risks and discuss the controls to address these risks…
Discuss the business risks relating to the new system / the changes
that have been made…
Describe an audit procedure (use of CAATs?) you could perform to
test the operating effectiveness of the identified key controls…
Controls over internet based systems…
Controls over database information…
Open book opportunities?
Very limited…
ISA402 – Entities using service organisations
Outsourced functions (payroll / accounting / EFT
payments)?
Para 10 (A12) – need to understand user entity controls
IAPS1013 – E-commerce
Para 19 – business risks (& possible responses)…
Para 28 – addressing security risks…
Para 31 – controls over transaction integrity…
Open book opportunities?
ISA315 – Understanding the entity
A55 – benefits of the use of IT in
controls
A56 – risks in the use of IT in controls
Appendix 2 – Internal control
components
Nice summary of each of the 5 elements of
internal control…
Studying this tut letter…
There is going to have to be a lot of “learning”!
General controls?
Computerised application controls?
Specific concerns in advanced IT applications?
“Dynamic Auditing” is critical for this TL…
Must understand how it all fits together…
Must focus on developing frameworks to help you
apply what you have learnt
The need to understand info systems
Our objective is to identify risk of material misstatement
(fraud or error) so that we can design procedures to
respond to it.
Information systems (computerised or
manual) present vast opportunities for misstatement…
Bottom line: We need to understand systems well enough
so that we can identify what could go wrong (the risk of
material misstatement) so that we can design procedures
to see that it hasn’t gone wrong!
Key elements of this tut letter…
Knowing how to identify what
could go wrong / the risks…
Knowing what to suggest to
prevent / detect these errors
Understanding the impact of
this on the audit process / approach
Testing & Evaluating Accounting
Systems (Pg 16)
No specific coverage of the basic manual
transaction cycles in the tut letter…
You are assumed to have this knowledge from your
undergrad studies!!!
Do you???
Not much in “Dynamic Auditing”…
A lot more detailed in “Auditing Notes”…
How should you study these transaction cycles?
NB, NB, NB!
One of the most important
frameworks for you to understand…
There are basically only 3 things that can go
wrong in any info system (3 broad risk areas…)
Doing something that shouldn’t be done
Not doing something that should be done
Doing something that should be done, but getting it
wrong
The 3 control objectives
These aim to prevent these 3 errors from happening or to
detect if they have happened (so they can be corrected)
Validity
To ensure that we only do what we are supposed to do
Completeness
To ensure that we do everything we are supposed to do
Accuracy
To ensure we do everything at the right amounts / details
Where do we look for these potential
errors / risks?
At every point in the information (accounting)
system where things may go wrong…
Where something new happens / something is
changed / something is created…
“Functions” / “Activities” / “Stages” / ????
What are the activities performed in the
Revenue & Receipts cycle?
Receive & record customer order
Deliver goods
Invoice customer
Record sale
Receive payment
Record payment
What could go wrong?
What could go wrong (the risks) with the receipt of
the customer order (stage 1)
We document an order that we shouldn’t have! (Validity
control objective)
We don’t document an order that we should have!
(Completeness control objective)
We document an order that we should have, but we get
the details on it wrong! (Accuracy control objective)
What could go wrong?
What could go wrong (the risks) with the
delivery of the goods to the customer (stage 2)
We deliver goods that we shouldn’t have (was no
order)! (Validity control objective)
We don’t deliver goods that we should have!
(Completeness control objective)
We don’t deliver the correct goods (what was actually
ordered)! (Accuracy control objective)
What could go wrong?
What could go wrong (the risks) with the
invoicing of the goods to the customer (stage 3)
We invoice customers for goods that were
never delivered! (Validity control objective)
We don’t invoice customers for goods that were
delivered (Completeness control objective)
We don’t invoice the customer at the correct amount!
(Accuracy control objective)
Attaching controls?
Once you have understood the control objectives
that apply to each activity / stage, then you ask
this…
“How does the client prevent that from
happening?” AND
“Can the client detect whether that did happen, so
that they can correct it?”
The answers to these 2 questions are the internal
control activities (or the weaknesses!)
So then… Studying the cycles…
What not to do…
Don’t try and memorise the “ideal system” for each
cycle!
The problems:
You don’t understand the principles
What if you don’t get a client that “fits” the ideal system?
Football club?
Travel agency?
Soccer stadium?
So then… Studying the cycles…
What should you do?
Only thing you really need to know is the activities
/ stages / functions within each cycle…
You then attach the control objectives to each
activity…
If you understand the control objective, logically
thinking up a control activity then isn’t too
difficult?
The mind maps
Use them as a mechanism to understand how the “normal”
cycles work – but be able to be flexible when applying this
knowledge to questions!
Revenue system
Purchases system
Payroll system
You need to do maps for:
Inventory & Production
Finance & investment
Approaching CIS…
It is still an information system – it is just that a
computer is now involved…
The control objectives do not change – the same
possible errors are still there…
Control activities become more complex as we
start to use computerised controls to address the
control objectives…
Internal control
Characteristics of good internal control:
(Page 22 of TL)
Document design
Isolation of responsibility
Segregation of duties
Control environment
Competent, trustworthy staff
Custody of assets
Comparison & reconciliation
General vs Application controls?
General controls are established to govern and operate over all applications:
Acquisitions application
Revenue application
Payroll application
Each application has its own controls over the input, processing & output of its data
General controls…
Dynamic Auditing…
Refer mind-map summaries of these categories
My recommendation is that you create more detailed maps
for the individual categories?
An understanding of these general controls can often help
generate ideas in an application based question – just look at
required carefully…
Critical general control frameworks
Common general control areas that are tested /
examined…
1. Access controls (often linked in to an applications
controls question)
2. System development (new) / maintenance (change
control)
3. Business continuity
You must create frameworks from your text books in
the above areas at a minimum…
Application controls – key frameworks…
Transaction flow (stages)
Input
Processing
Output
Master file amendments
Control objectives (attach to the stages)
Validity
Accuracy
Completeness
Types of control (address risks / what could go wrong)
Preventative
Detective (& Corrective)
Applications control framework
Controls need to be in place to address the control
objectives (V, A, C) over
Input (data capture)
Processing (data manipulation)
Master file changes, and
Output of information
There will be standard computerised control activities that
achieve the control objectives at each of these stages in any
system…
Applications control framework
Refer text books and mind-maps for further guidance…
(TL Page 27 and 28)
These frameworks need to be learnt!
You must understand the computerised control activity…
Need to know what edit checks are,
for example…
Understanding them will make them
easier to apply in answering questions…
Effect on Audit approach?
Under what circumstances should we choose to rely on, and test,
internal controls (combined approach vs. wholly substantive
approaches)?
Refer Pg 9-57 of Dynamic Auditing…
If it is necessary: Might have to rely on controls…
If it is possible: Might not be physically able to test controls…
If it is feasible: Might not be cost-effective…
This is an important framework to address questions that require a
discussion around the impact on the audit approach (quite a
common “add-on” to a question...)
Understanding CAATs
Around the computer
Reconciling output to input
Through the computer
“system orientated”
Used for tests of control mainly
Test data (capture false info into “copy” of live system and see what
happens?)
Programme code analysis (examination of programme coding)
Simulation (client’s info run through auditor’s programme and results are
compared)
Embedded audit routines (audit module inside client’s programme to
monitor and report)
Integrated test facility (create dummy records
to run test data against)
With the computer (next slide…)
CAATs
With the computer
“data orientated”
Used for substantive tests mainly
Generalized audit software (standard packaged
programmes – e.g. ACL)
Purpose-written audit software (programmes to suit a
specific client need)
On-line audit
(using client’s own utility and report writing
programmes)
Using CAATs
Summary of functions typically performed by CAATs:
(Page 32)
Examination of records for exceptions
(Investigations & analysis)
Casts and calculations
Sample selection
Summaries
Comparisons
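Added example (not part of the original slides): a small Python script that performs the CAAT functions listed above on the invoicing stage of the revenue cycle, reporting exceptions under the validity, completeness and accuracy control objectives. All record layouts, field names and values are constructed for illustration.

```python
from decimal import Decimal

# Constructed sample records (illustrative only, not from the slides).
PRICES = {"WIDGET": Decimal("10.00"), "GADGET": Decimal("25.50")}
DELIVERIES = [
    {"dn": "DN001", "item": "WIDGET", "qty": 5},
    {"dn": "DN002", "item": "GADGET", "qty": 2},
    {"dn": "DN003", "item": "WIDGET", "qty": 1},  # delivered, never invoiced
]
INVOICES = [
    {"inv": 100, "dn": "DN001", "amount": Decimal("50.00")},
    {"inv": 101, "dn": "DN002", "amount": Decimal("15.00")},  # wrong amount
    {"inv": 103, "dn": "DN999", "amount": Decimal("80.00")},  # no delivery note
]

def exceptions(deliveries, invoices, prices):
    """Comparison of invoice file to delivery file, per control objective."""
    by_dn = {d["dn"]: d for d in deliveries}
    invoiced = {i["dn"] for i in invoices}
    report = {"validity": [], "completeness": [], "accuracy": []}
    for inv in invoices:
        dn = by_dn.get(inv["dn"])
        if dn is None:
            # Invoice raised for goods with no delivery note on file.
            report["validity"].append(inv["inv"])
        elif inv["amount"] != dn["qty"] * prices[dn["item"]]:
            # Recalculation: quantity delivered x list price.
            report["accuracy"].append(inv["inv"])
    # Deliveries that never reached the invoice file.
    report["completeness"] = [d["dn"] for d in deliveries if d["dn"] not in invoiced]
    return report

def sequence_gaps(invoices):
    """Exception test: missing numbers in the invoice sequence."""
    nums = sorted(i["inv"] for i in invoices)
    return sorted(set(range(nums[0], nums[-1] + 1)) - set(nums))

def cast(invoices):
    """Cast (total) the invoice file for agreement to the ledger."""
    return sum((i["amount"] for i in invoices), Decimal("0"))

def systematic_sample(invoices, interval, start=0):
    """Sample selection: every n-th invoice in number order."""
    ordered = sorted(invoices, key=lambda r: r["inv"])
    return [i["inv"] for i in ordered[start::interval]]

if __name__ == "__main__":
    print(exceptions(DELIVERIES, INVOICES, PRICES))
    print(sequence_gaps(INVOICES), cast(INVOICES), systematic_sample(INVOICES, 2))
```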
Q’s involving CAATs
CAATs do not involve performing
“new” procedures – they simply
automate existing ones…
You could almost take this approach:
“Using CAATs, insert desired normal procedure”…
Cannot be used to test controls performed by
people!
Advanced CIS environments
Typically more complex environments with an absence
of clear audit trails…
Characteristics…
No input source docs
Authorisation controlled by computer
On-line, real time update
Multiple file update
Automated controls are extensive
Little output or audit trails
Complex programs
Exchange of info across entities
What to emphasize?
Refer “Study material” overview on page 34
NB sections:
E-Commerce
Internet trading
Protection against viruses
Use of service organisations
All detail is from Dynamic Auditing!
Electronic business transactions
IAPS1013 “Electronic commerce – effect on audit” – not much
detail in here though?
Risks and controls to address these risks
General controls – refer page 10-13
DA - Page 10-10/11/12/13
Note the constant reference back to “normal” general controls!
There are just additional controls in these environments
Consider summarising them together (and just create specific
considerations here?)
Application controls – refer page 10-17
As with general controls, original frameworks apply but with added
controls
Note the breakdown into controls around initiation / transmission &
receipt at destination.. (Pg 10-19)
Also in TL on page 29
Trading via the Internet
Risks of… (Page 10-25)
Security
Data Privacy
Business continuity
Payment via credit card
Accounting issues
Taxation & regulation
Outsourcing
Same controls as electronic business transactions but with
additional specific issues (Page 10-29)
Use of service providers…
Outsourced processing
(accounting / payroll / etc…)
Considerations for and against…
– Pg 10-34
Audit implications – Pg 10-35
Service level agreements – Pg 10-38
IT Governance
New section
King 3…
Open book makes it much easier:
Summary – page 39 – 41
Detail – Ch 5; page 82 – 87
Need to go through but shouldn’t be
difficult to apply to answering a question?
And lastly…
A big week for frameworks and a lot of
summarising and note taking to be done!
Don’t forget to test yourself though – you need to
know that you can use the frameworks!
Assignment Q’s are very
conducive to high level summaries…
That’s it!!!