Chapter 10: Auditing the Expenditure Cycle IT Auditing & Assurance, 2e, Hall & Singleton PURCHASES: BATCH PROCESSING Step 1: Data processing department – inventory control Step 2: Data processing department – P.O. Receiving Department Step 3: Data processing department – batch update of inventory Purchasing Department Accounts Payable Step 4: Data processing department – validates vendors CASH DISBURSEMENT: BATCH PROCESSING Step 5: Data processing department – scans for items due and prints checks for items received Step 6: Cash disbursements department – reconciles checks, submits checks to management for signature Step 7: Accounts payable – matches copies of checks with open vouchers, closes them and files documents Concludes expenditure cycle CASH DISBURSEMENT: REENGINEERED—FULLY AUTOMATED Data processing steps performed automatically: 1. 2. 3. 4. 5. 6. 7. Inventory file scanned for items and reorder points Purchase requisition record for all items needing replenishment Consolidate requisitions by vendor Retrieve vendor mailing information P.O. prepared and sent to vendor (EDI) Open P.O. record added for each transaction List of P.O. sent to purchasing department CASH DISBURSEMENT: REENGINEERED– FULLY AUTOMATED Goods arrive at receiving department Quantities received entered per item CASH DISBURSEMENT: REENGINEERED—FULLY AUTOMATED Data processing steps performed automatically: 1. 2. 3. 4. 5. Quantities keyed matched to open P.O. record Receiving report file record added Update inventory subsidiary records G.L. inventory updated Record removed from open P.O. file and added to open A.P. file, due date established CASH DISBURSEMENT: REENGINEERED—FULLY AUTOMATED Each day, due date filed of A.P. are scanned for items where payment is due CASH DISBURSEMENT: REENGINEERED—FULLY AUTOMATED Data processing steps performed automatically: 1. 2. 3. 4. 5. Checks are printed, signed and distributed to mailroom (unless EDI/EFT) Payments are recorded in check register file Items paid are transferred from open A.P. to closed A.P. file G.L.- A.P. and cash accounts are updated Appropriate reports are transmitted to A.P. and cash disbursements departments for review CASH DISBURSEMENT: REENGINEERED—FULLY AUTOMATED Control implications General in nature Similar to those of Chapter 9 BATCH AUTOMATED SYSTEM VS. MANUAL BATCH Improved inventory control Better cash management Less time lag Better purchasing time management Reduction of paper documents REENGINEERED SYSTEM VS. BATCH AUTOMATED SYSTEM Segregation of duties Accounting records and access controls PAYROLL PROCEDURES Drawbacks to using regular A.P. and cash disbursements systems to do payroll General expenditure procedures that apply to all vendors will not apply to employees Writing checks to employees requires special controls General expenditure procedures are designed to accommodate relatively smooth flow of transactions REENGINEERED PAYROLL SYSTEM Often integrated with H.R. Differs from previous automate system Operations departments transmit transactions to D.P. electronically Direct access to files are used for data storage Many processes are now performed in real time REENGINEERED PAYROLL SYSTEM Personnel Cost accounting Timekeeping Data processing 1. 2. 3. 4. 5. 6. 7. Labor costs are distributed to accounts Online labor distribution summary Online payroll register Employee records are updated Payroll checks are prepared and signed Disbursement system generates check to fund the payroll imprest account G.L. updated EXPENDITURE CYCLE AUDIT OBJECTIVES Input controls Data validation controls Testing validation controls Batch controls Testing batch controls Purchases authorization controls Testing purchases authorization controls Employee authorization Testing employee authorization procedures EXPENDITURE CYCLE AUDIT OBJECTIVES Process controls File update controls Sequence check control Liability validation control Valid vendor file Testing file update controls Access controls Warehouse security Moving assets promptly when received Paying employees by check vs. cash Risks • • • • Employees with access to A.P. subsidiary file Employees with access to attendance records Employees with access to both cash and A.P. records Employees with access to both inventory and inventory records Testing access controls EXPENDITURE CYCLE AUDIT OBJECTIVES Process controls Physical controls Purchase system controls Segregation of inventory control from warehouse Segregation of G.L. and A.P. from cash disbursements Supervision of receiving department • • • Payroll System controls • • • • Inspection of assets Theft of assets Reconciliation of supporting documents: P.O., receiving report, supplier’s invoice Verification of timecards Supervision Paymaster Payroll imprest account Testing of physical controls EXPENDITURE CYCLE AUDIT OBJECTIVES Process controls Output controls A.P. change report Transaction logs Transaction listing Logs of automatic transactions Unique transaction identifiers Error listing Testing output controls EXPENDITURE CYCLE SUBSTANTIVE TESTS Risks and audit concerns Understanding data Inventory file Purchase order file Purchase order line item file Receiving report file Disbursement voucher file File preparation procedures EXPENDITURE CYCLE SUBSTANTIVE TESTS Testing accuracy and completeness assertions Review disbursement vouchers for unusual trends and exceptions Accurate invoice prices Testing completeness, existence, rights and obligations assertions Searching for unrecorded liabilities Searching for unauthorized disbursement vouchers Review of multiple checks to vendors Auditing payroll and related records Additional Cybercrime Info The following slides are not in the text! Incident Response Mandates Gramm-Leach-Bliley Financial Institutions must … Establish incident response capability Perform prompt and reasonable investigation when sensitive customer info is accessed Notify customers if misuse of info has or is likely to occur Incident Response Requirements ISO 17799 ISO 17799 is international standard for IS best practices Security framework must contain an effective incident response approach In 2002, 22% companies with sales over $500 million had implemented ISO 17799 Must collect information for three purposes … Internal problem analysis Use as evidence Negotiation for compensation from software/service vendors Incident Response Requirements ISO 17799 Response procedures should cover … Analysis and identification of cause of incident Planning and implementation of remedies Collection of audit trails and similar evidence Communication with those affected or involved with recovery Reporting the action to the appropriate authority Best Practices Imaging hard drive of employees who resign or are terminated (proactive) Avoid “patch and proceed” response Implement network forensics analysis with tools like EnCase Focus on insider threats Companies face increasing cyberliability claims stemming from security breaches Chapter 10: Auditing the Expenditure Cycle IT Auditing & Assurance, 2e, Hall & Singleton