Summary AUE3761 AUE202M The Performing Of The Audit Process Notes
AUE202M The Performing of the Audit Process - Auditing Theory and Practice (University of South Africa)

Assignment 1 is compulsory and due 5th March 2010 (study guide topics 1 - 5) - counts 5% towards final module mark
Assignment 2 is compulsory and due 1st April 2010 (study guide topics 6 & 7) - counts 5% towards final module mark
Assignment 3 is NOT compulsory and doesn't count towards final mark (self assessment)
Exam = 2 hours, consisting of: 30% of paper is application questions and 70% knowledge and comprehension questions.

INTRODUCTION TO THE PERFORMING OF THE AUDIT PROCESS

PART A - THEORETICAL ASPECTS

STUDY TOPIC 2 THE AUDIT OF FINANCIAL STATEMENTS

Study Guide pg 14

ISA 1 states that the purpose of financial statements is to provide information about the financial position, performance and cash flows of an enterprise that is useful to a wide range of users making economic decisions. Directors are responsible for the preparation and presentation of the financials and the auditor expresses an opinion about the fairness of the financials.

Ordinary commercial enterprise = company which buys and sells.

Audit of financial statements = performing a series of procedures and activities with the object of obtaining evidence regarding the assertions on which the financial information is based.

Objective of audit = enabling the auditor to express an opinion as to whether or not the financials fairly present (in all material respects) the financial position of the entity at a specific date, and the results of its operations and cash flow information for the period ended on that date, in accordance with an identified financial reporting framework and / or statutory requirements. (The auditor achieves this objective by performing a series of procedures and activities to collect audit evidence.)

Audit evidence = information obtained by the auditor when arriving at the conclusion on which the audit opinion is based.
Comprises:
- source documents and accounting records that underlie the financials
- corroborating information from other sources

Materiality - information is material if the omission or misstatement of the information could influence the economic decisions of users of the financials.

Audit procedures - either tests of controls or substantive procedures:
- tests of controls = tests performed to obtain audit evidence regarding the suitability of design and effective operation of the accounting and internal control systems and their operation throughout the period
- substantive procedures = tests performed to obtain audit evidence to detect material misstatements in the financials. Are either:
  - tests of details of transactions and balances
  - analytical procedures

Assertions by management in financials = assertions, either explicit or implied, that are embodied in the financials. Categories of assertions:
- completeness - no unrecorded assets, liabilities, transactions or events and no undisclosed items
- occurrence - transaction or event took place during the period in question
- existence - asset or liability exists at a given date
- measurement / cut-off / classification - transaction or event is recorded at the proper amount and revenue / expense is allocated to the proper period
- valuation - asset or liability is recorded at the appropriate carrying value
- rights and obligations - asset or liability pertains to the entity on a given date
- presentation and disclosure - item is disclosed, classified and described in accordance with the applicable financial reporting framework.
Planning steps to determine the nature, extent and timing of substantive procedures:
- obtain knowledge of the business
- make a provisional assessment of materiality
- assess the inherent risk
- obtain an understanding of the accounting system and related internal control measures
- make a provisional estimate of control risk
- formulate the overall audit plan and accompanying audit procedures which would mean detection risk will be reduced to an acceptable level

Factors affecting the scope of audit planning:
- size of the entity
- complexity of the operations and complexity of the audit
- previous experience of the entity and the auditor's knowledge of the business, its organisation and operating characteristics
- number and availability of competent audit personnel, availability of audit manuals or standardised audit programmes and the degree of supervision over audit personnel.

Statement of Comprehensive Income = results of trading operations achieved during a certain financial period
Statement of Financial Position = reflects the financial position of the enterprise at a certain date

Jackson & Stent pg 5/12

ISA 500 states that the auditor must use assertions for classes of transactions, account balances and presentation and disclosure in sufficient detail to form a basis for the assessment of risks of material misstatement and the design of further audit procedures.

Assertions are categorised as follows:
- assertions about classes of transactions and events for the period under audit, e.g. sales, interest received
- assertions about account balances at year-end, e.g. accounts receivable, property, plant and equipment
- assertions about presentation and disclosure, e.g. notes that support Statement of Financial Position account headings, contingent liabilities

Assertions applying to the different categories (X = assertion applies):

Assertion                 Transactions / events   Balances (assets, liabilities, equity interest)   Presentation & disclosure
Occurrence                X                                                                           X
Completeness              X                       X                                                   X
Accuracy                  X                                                                           X
Cut-off                   X
Classification            X                                                                           X
Existence                                         X
Rights & obligations                              X                                                   X
Valuation & allocation                            X                                                   X

Assertions which present a risk of material misstatement must have sufficient appropriate evidence gathered; the auditor should identify these assertions and then design an audit approach which will allow enough evidence to be gathered to provide relevant and reliable evidence on which to base an opinion.

See examples 1 and 2 on pgs 5/13 and 5/14 of the text book.

Study Guide pg 20

Assertions for Statement of Financial Position transactions and balances (audit objective = to obtain satisfaction that):
- Completeness - individual transactions and balances in respect of a specific kind of asset or liability are fully accounted for in the accounting records and financials
- Valuation & allocation - the balance for the specific asset or liability has been accounted for at the appropriate carrying value and the transactions have been correctly allocated to the proper period and recorded at the proper amount
- Existence - at a given date the asset or liability did exist and the transactions did take place during the period in question
- Rights & obligations - at a given date the asset or liability pertains to the entity and the transactions did take place during the period in question
- Presentation & disclosure - the asset or liability was disclosed, classified and described in accordance with the applicable legal requirements and generally accepted accounting practice

Transactions and events:
- Occurrence - have all occurred and pertain to the entity
- Completeness - anything that should have been recorded has been recorded
- Accuracy - have been recorded appropriately
- Cut-off - have been recorded in the correct accounting period
- Classification - have been recorded in the correct accounts

Account balances:
- Existence - assets, liabilities and equity interest exist
- Rights and obligations - entity holds and controls rights to assets and obligations are the entity's
- Completeness - have all been recorded
- Valuation and allocation - included at appropriate amounts and valuation or allocation adjustments are recorded

Presentation & disclosure:
- Occurrence and rights and obligations - have occurred and pertain to the entity
- Completeness - all has been included
- Classification & understandability - appropriately presented and described, and disclosures are clearly expressed
- Accuracy and valuation - disclosed fairly and at appropriate amounts.

Assertions for Statement of Comprehensive Income transactions and balances (audit objective = to obtain satisfaction that the specific revenue or expenditure):
- Completeness - transactions and balances are fully accounted for in the accounting records and financial statements
- Occurrence - transactions actually took place during the period in question (occurrence) and pertain to the entity (validity)
- Cut-off / accuracy / classification - transactions are recorded in the proper period, are correctly allocated and are recorded at the proper amount
- Presentation & disclosure - balances are disclosed, classified and described in accordance with the applicable legal requirements and generally accepted accounting practice.
Assertions relating to the Statement of Comprehensive Income and Statement of Financial Position (X = assertion applies):

Assertion                  Income statement balances   Income statement transactions   Balance sheet balances
Completeness               X                           X                               X
Occurrence                                             X
Accuracy                                               X
Cut-off                                                X
Classification                                         X
Existence                                                                              X
Valuation & allocation                                                                 X
Rights & obligations                                                                   X
Presentation & disclosure  X                                                           X

Without correctly formulated audit objectives there will be no clarity on exactly what the auditor must achieve when conducting the audit. Audit objectives represent what the auditor wants to achieve when performing an audit of financial statements and are formulated accordingly (formulation of objectives begins with "to obtain satisfaction that ...").

See "do 3" on pg 23 of the study guide.

Procedures used by the auditor to obtain audit evidence:

Completeness
- Analysis of objectives: all transactions were recorded at the time when they took place; all transactions have been reported in the accounting records
- Procedures of auditor: check the date on the supporting documentation; check the sequential numbering of transactions

Occurrence
- Analysis of objectives: transactions recorded in the records did actually take place; transactions recorded in the accounting records pertain to the entity
- Procedures of auditor: investigate the existence of valid documents; compare entries in the accounting records with supporting documents; check that transactions have been authorised; check supporting documents to ensure that the entity was a party to the transaction

Existence
- Analysis of objectives: assets and liabilities did actually exist on a given date
- Procedures of auditor: perform physical inspection of assets and compare with the accounting records; examine supporting documentation; obtain supporting evidence from 3rd parties

Accuracy / cut-off / classification
- Analysis of objectives: all transactions have been recorded at the proper amount; all transactions have been correctly allocated; all transactions have been recorded in the correct financial period
- Procedures of auditor: compare the amount from supporting documents with the amount in the accounting records; compare the allocation with the particulars in the supporting documents; compare the date of the transaction with the date on the supporting documentation

Valuation
- Analysis of objectives: assets and liabilities have been recorded at an appropriate carrying value
- Procedures of auditor: assess value by physical inspection; assess the reasonableness of the amounts claimed for reduction / increase or write-off of assets; obtain external valuation or confirmation from 3rd parties; compare value by referring to supporting documentation

Rights and obligations
- Analysis of objectives: assets and liabilities pertain to the entity at a given date
- Procedures of auditor: examine supporting documentation; obtain evidence from 3rd parties in support of rights or obligations; obtain sufficient information to make sure that the state of affairs was applicable at the given date

Presentation and disclosure
- Analysis of objectives: items in the financials have been correctly disclosed, classified and described
- Procedures of auditor: examine the financials and obtain satisfaction that there has been proper disclosure, classification and description in terms of the Companies Act and generally accepted accounting practice

See "do 4" on pg 26 of the study guide.
See questions in 2.1 of tutorial letter 102 and answers in 2.1 of tutorial letter 103.

STUDY TOPIC 3 CONTROL ACTIVITIES

Jackson & Stent pgs 5/3 to 5/9

Internal Controls

Before carrying out an effective audit the auditor must have a thorough understanding of the client's internal control systems, because the accounting system and internal controls produce the balances and totals reflected in the financials; if the controls and accounting system are "good" then the information will also be "good" (i.e. valid, accurate, complete and timeously produced).

Internal control = process effected by the company's directors, management and staff, designed to provide reasonable assurance regarding the achievement of objectives in:
- economy, efficiency and effectiveness of operations
- internal financial control
- compliance with applicable laws and regulations.
Important aspects of internal control:
- internal control is a process - a means to an end and NOT the end itself - simply a collection of policies and procedures adopted by management to achieve certain goals, not the goal itself
- internal control is effected by people - people at every level are involved in various tasks (not just policies and procedure manuals)
- internal control provides only reasonable, not absolute, assurance that management's goals will be achieved - it has inherent built-in limitations so things can go wrong
- internal controls set out to achieve objectives (economy, efficiency and effectiveness of operations; internal financial control; compliance with applicable laws and regulations) which are separate but interlinked, so together they assist in running an efficient and effective business.

Internal controls consist of:
- control environment - the entity's governance and management functions and the attitudes, awareness and actions of those responsible for governance
- entity's risk assessment process - process for identifying the business risks relevant to the financial reporting objectives and how they are addressed (e.g. what controls are in place to ensure all cash sales are recorded and the cash is adequately protected)
- information system - procedures and records established by the entity to initiate, record, process and report transactions
- control activities - policies and procedures that ensure controls are in place to achieve internal control objectives (e.g. authorisation, segregation of duties, reconciliation, physical controls)
- monitoring of controls - process in place to assess the effectiveness of internal controls over time (e.g. management may set up an Internal Audit Department).

Internal control objectives - to ensure:
- management policies are adhered to in all aspects of the business (i.e. applicable laws and regulations)
- safeguarding of assets such as stock, cash and equipment against theft / damage
- prevention and detection of fraud and error
- accuracy and completeness of accounting records, and timely preparation of reliable financial and other information necessary to run the business.

Limitations of internal controls

Control procedures and policies do not provide absolute assurance that the objectives of the internal controls will be met - management may design a perfect control system, but because of inherent limitations absolute assurance that the objectives will be achieved is not possible. Limitations are:
- cost / benefit - requirement that the cost of internal control does not exceed the expected benefit to be derived
- internal controls are directed at routine transactions rather than non-routine transactions
- potential for human error due to carelessness, distraction, mistakes of judgement and misunderstanding of instructions
- possibility of circumvention of internal controls through collusion of management or an employee with other parties either inside or outside the company
- person responsible for exercising the internal control could abuse the responsibility (e.g. management overriding an internal control)
- procedures become inadequate due to changes in conditions, so compliance with the procedure may deteriorate

Accounting system

Is the foundation that enables management to achieve the objectives of internal financial control - a series of tasks and records by which transactions are processed to create financial records. The accounting system identifies, assembles, analyses, calculates, classifies, records, summarises and reports transactions and other events. Main elements of the accounting system are:
- people - who carry out the procedures and / or use the computer system
- paper - which facilitates the recording of the transactions
- computers - to replace people and paper

The accounting system alone CANNOT achieve internal financial control - control procedures are needed to ensure that financial information is valid, accurate, complete and timeously produced.

Internal control for the business as a whole (diagram: the three categories of internal control):
- Operations: economy, efficiency, effectiveness
- Internal financial control: accounting systems plus control procedures
- Compliance with laws and regulations

Characteristics of good internal controls

Management is interested and involved in ALL categories of internal control - responsible for running the business.
Internal auditors are interested in ALL categories and perform audits and investigations for every part (internal audit is an internal control procedure).
The external auditor is mainly interested in the accounting system and related control procedures. Must have knowledge of the operations of the business but is not concerned with whether operations are most efficient or strategies are correct. Also concerned with laws and regulations that have a direct effect on the company's financial reporting.

Control environment - sets the tone of the organisation and influences the control consciousness of its staff. Attitude and awareness of the directors and managers to internal controls and their importance to the entity (directors and managers should promote an environment where adherence to controls is very important, by their actions and behaviour). A good control environment is characterised by:
- communication and enforcement of integrity and ethical values throughout the organisation
- commitment by management to employ competent staff
- positive influence generated by those charged with governance of the entity (e.g. non-executive directors and chairman - do they display integrity and ethical commitment?)
- management philosophy and operating style that includes leadership, sound judgement, ethical behaviour etc
- organisational structure which provides a clear framework for proper planning, execution, control and review
- policies, procedures and an organisation structure that clearly define authority, responsibility and reporting relationships throughout the entity
- sound human resource policies and practices which result in the employment of competent, ethical staff, and provide training and development as well as fair compensation and benefits.

Competent, trustworthy staff - achieved through implementation of proper recruiting, training and personnel policies.

Segregation of duties - the most important objective of internal control is safeguarding the company's assets. Segregation of duties ensures that different people have access to different procedures. A transaction has 4 stages:
- Authorising (can be combined with executing)
- Executing (can be combined with authorising)
- Custody of the asset (should be separated from recording)
- Recording (should be separated from custody)
The company's cycles (e.g. acquisitions and payments) should be divided into functions and then the duties within the functions should be separated further.

Isolation of responsibility - for internal control to work effectively, people involved in the system must be fully aware of their responsibilities and must be accountable for their performance. Staff should acknowledge in writing that they have performed the task or control procedure (sign it off) or should transfer responsibility from one person to another (e.g. signing to receive goods to signify acknowledgement of the physical transfer and also to isolate the responsible person).

Access / custody controls - designed to:
- prevent damage to or deterioration of physical assets (e.g. proper storage and treatment of assets)
- prevent deterioration of non-physical book assets (e.g. controls to ensure debtors don't get behind in their payments)
- prevent unauthorised use / theft / loss of physical assets (e.g. security measures)
- prevent unauthorised use / theft / loss of non-physical book assets (e.g. limiting the number of personnel who have signing powers to transfer cash or sell investments, or preventing the debtors ledger from being altered or destroyed).

Source document design - paper controls should promote accuracy and completeness of recorded transactions by being:
- pre-printed in a format that leaves the minimum amount of information to be manually filled in
- pre-numbered - identifies missing documents
- multi-copied, carbonised and designed for multiple use
- designed in a manner that is logical and simple to complete
- provided with blank blocks or grids which can be used for authorising or approving the document - facilitates isolation of responsibility.

Comparison and reconciliation - in a good control system records should be frequently and timeously compared and reconciled by different staff from those who completed the functions and recorded the transactions. Must compare and reconcile:
- stock and fixed assets (physical) to the records (theoretical)
- bank and investment records to external bank statements
- records of creditors to supplier statements
- subsidiary ledgers to the general ledger (e.g. debtors ledger to general ledger)
Reconciliations should be reviewed by senior personnel and reconciling items followed up. These should all be separate duties (i.e. different people).

Jackson & Stent pgs 7/9 to 7/13

Components of the entity's internal control

Component - control environment - sets the tone of the organisation and influences the control consciousness of its staff.
Attitude and awareness of the directors and managers to internal controls and their importance to the entity (directors and managers should promote an environment where adherence to controls is very important, by their actions and behaviour). A good control environment is characterised by:
- communication and enforcement of integrity and ethical values throughout the organisation
- commitment by management to employ competent staff
- positive influence generated by those charged with governance of the entity (e.g. non-executive directors and chairman - do they display integrity and ethical commitment?)
- management philosophy and operating style that includes leadership, sound judgement, ethical behaviour etc
- organisational structure which provides a clear framework for proper planning, execution, control and review
- policies, procedures and an organisation structure that clearly define authority, responsibility and reporting relationships throughout the entity
- sound human resource policies and practices which result in the employment of competent, ethical staff, and provide training and development as well as fair compensation and benefits.
Evidence about the control environment is gathered by observation of management and employees, inquiry of management and employees, and inspection of documents.

Component - entity's risk assessment process
Process the entity has in place for:
- identifying business risks
- estimating the significance of each risk
- assessing the likelihood of its occurrence
- responding to the risk
Information about the risk assessment process is gathered mainly by inquiry and inspection of documents.

Component - information system
The auditor needs to obtain an understanding of the information system relevant to financial reporting and communication, and must have a thorough understanding of:
- classes of transactions in the client's operations that are significant to the financial statements (e.g. sales, wages)
- procedures by which both IT and manual systems record, process, correct and transfer transactions to the GL and financials
- related accounting records, supporting information and special accounts in the financials
- how the information system captures events and conditions
- the financial reporting process used to prepare the entity's financials, including significant accounting estimates and disclosures
- control over the passing of non-standard journal entries used to record non-recurring unusual transactions or adjustments
- manner in which financial information is conveyed to management, board, audit committee and external bodies
See text book pgs 7/11 & 7/12 for specific examples of IT information and risks.
Details of the information system are gathered by:
- inspection of flowcharts of the system
- observation of the system in action
- inquiry of staff and the completion of internal control questionnaires
- discussions with prior year audit staff, management and outsiders (e.g. software suppliers)
- discussions with internal audit staff and review of internal audit workpapers
- tracing information through the information system.

Component - control activities
Policies and procedures that are implemented to ensure management's objectives are carried out, e.g.:
- authorisation of transactions
- segregation of duties
- physical control over assets
- comparison and reconciliation
- access controls
- custody controls over blank / unused documents
- good document design
- sound general and application controls in IT systems

Component - monitoring of controls
The auditor must find out how the client monitors the control activities and how problems are identified and resolved. Normally regulated by internal audit departments but can include employee performance reviews (an important control activity). Information about monitoring can be gathered by enquiring of management and staff, working with internal audit and inspecting documentation related to the monitoring process or performance reviews.
AUDITOR'S OBJECTIVE IS TO TEST THE INTERNAL CONTROL SYSTEM IN ORDER TO ASSESS CONTROL RISK

Study Guide pg 34

Control activities as a component of internal control - policies and procedures established by management in response to internal and external risks. It is management's task to design and implement effective systems of internal control to manage the risks of the business and to ensure that all aspects of control are addressed. Large-scale, high-volume transactions must have efficient internal control measures. The auditor evaluates the effectiveness and consistent operation of internal controls in order to assess control risk and takes that into account when deciding on the nature, scope and timing of substantive procedures, BUT identifying weaknesses in the internal control or risk management process is NOT the main purpose of the audit.

Jackson & Stent pgs 5/15 to 5/16

Auditor's Toolbox

The auditor has two sets of tests or procedures that can be used to gather sufficient appropriate evidence for financial statement assertions:
- tests of controls - used to test whether the control procedures relating to the accounting system have been complied with, and
- substantive procedures - used to verify (substantiate) transactions and balances.

Flow of transactions through the accounting system (diagram): transactions -> accounting system and related control procedures -> balances and totals (substantive tests substantiate the reliability and fairness of these balances and totals).

If the accounting system and related control procedures are ok, then the balances and totals produced will be ok, and so the auditor, who is interested in the fair presentation of balances and totals, can test the accounting system and control procedures to find out if they will produce reliable balances and totals. These are tests of controls. If these tests reveal that the accounting system and related controls are sound then the auditor will be confident that balances and totals are fair and will spend less time substantiating / verifying the balances and totals.
Tests of controls are performed to obtain evidence of:
- whether controls are suitably designed to prevent, or detect and correct, material misstatements
- whether these controls operated effectively throughout the period that is being audited.
Satisfactory results from tests of controls reduce control risk and hence audit risk.

CANNOT ONLY PERFORM TESTS OF CONTROLS! Even if the accounting system and related control procedures are excellent:
- internal control systems have inherent limitations which mean they are not totally effective
- the internal control system may have been excellent at the time that the auditor performed the tests, but not at other times during the year
- there is still the inherent risk to consider.
Successful tests of controls will reduce the extent and maybe change the nature of substantive tests, but CANNOT eliminate the need to perform substantive tests.

Categories of tests of controls:
- reperformance - the auditor repeats (either wholly or in part) the same internal control procedures that were previously performed by the client (e.g. reperforming the reconciliation of a bank account)
- inspection of records or documents supporting transactions and other events - will provide audit evidence of whether internal controls have operated effectively (e.g. verifying whether a transaction has been authorised by checking whether it was signed)
- enquiry - seeking information from people who use the internal controls to determine if they are operating effectively (e.g. determining who actually performs each function and precisely what they do - NOT just getting the information from management as to what functions are supposed to be performed)
- observation - looking at a process or procedure being performed by an employee (e.g. what the receiving clerk does when a supplier delivers goods)

Substantive procedures

Financial statements consist of a collection of balances (Statement of Financial Position), a summary of totals (Statement of Comprehensive Income) and accompanying notes. Tests of controls cannot provide the auditor with sufficient appropriate evidence pertaining to balances, totals and disclosures, so the auditor must perform procedures of a substantive nature. Substantive procedures can be performed on the balances and totals themselves or on the individual transactions which make up the balance or total. They are either tests of detail or analytical procedures.

Substantive procedures seek to provide evidence to support the financial statement assertions:
- balances - completeness, existence, valuation, rights and obligations, presentation and disclosure
- transactions - completeness (totals), occurrence, measurement, presentation and disclosure

Categories of substantive procedures:
- reperformance - the auditor repeats (either wholly or in part) the same internal control procedures that were previously performed by the client (e.g. reperforming the age analysis of stock and debtors)
- recalculation - checks the arithmetical accuracy of source documents and accounting records (e.g. checking depreciation totals); the auditor can also compute figures which have not been computed by the client
- inspection of records or documents or tangible assets (e.g. inspecting fixed assets to confirm their existence, or inspecting a confirmation of balance certificate from a long term loan creditor)
- analytical procedures - analysing significant ratios and trends and investigating fluctuations and relationships that are inconsistent with other relevant information or which deviate from predicted amounts
- enquiry and confirmation - seeking information from knowledgeable persons inside or outside the entity.
Enquiries might be formal written enquires addressed to 3 rd parties or informal oral enquires to staff. Enquires will either give the auditor new information or will corroborate audit evidence that he already has. Confirmation is procedure of obtaining a response to an enquiry to corroborate information contained in accounting records (e.g. auditor seeks confirmation of the existence of a debtor by direct confirmation with the debtor). Jackson & Stent pgs 8/6 to 8/39 Internal control in computerised accounting systems 7 characteristics of internal control and if they are helped or hindered by introducing computers : control environment – attitude and awareness of the need for controls by management and also example set by management HELPED BY COMPUTERS competent / trustworthy staff – very important in computer environment. All employees will need to be computer literate and also will need technical staff to run system (IT department). Need trustworthy staff cos can manipulate or destroy data and also damage to equipment can be costly segregation of duties – could be a danger using computers cos means that authorising, executing and recording control procedures can all be done by one data capturer and can also be risk of one person having access to the system for assessing records but also ability to change records so therefore will have access to custody of the asset and access to the asset records (e.g. storeman who can change stock records and also controls stock). Can be HELPED BY COMPUTERS if have proper controls – e.g. : access to specific programmes and data files can be restricted to authorised PC’s access to specific programmes and data files restricted to authorised uses (based on functional responsibilities) level of access can be controlled (e.g. ready or write only) computer logs all entries and provides audit trail of who made / tried to make changes. 
- isolation of responsibilities – HELPED BY COMPUTERS because log-ons and passwords can be used to identify which specific person dealt with a transaction
- access / custody controls – very important to control access to the company's assets (e.g. debtor's ledger) and if computerised then the files must be protected. Must also have control of internet banking and other cash facilities. If the computerised system produces comprehensive and timely information about physical assets (stock) then HELPED BY COMPUTERS
- source document design – if good controls are not built into the programmes then inaccuracies and incomplete information will not be identified (the system will only process what it is given, so if source data is incorrect then reports etc will be incorrect). HELPED by on-screen capturing if it uses :
  - mandatory fields (e.g. account numbers)
  - alpha-numerical checks – can't punch in letters if it should be a number
  - screen dialogue – prompts to the operator (e.g. have you confirmed method of payment?)
  - as little data keyed in as possible – should be able to use codes to bring up all computer info or to use F1 screen select
  - click / drop-down keys – gives all available options without requiring any typing
  Screen documents MUST be automatically sequenced and if printed out then all the necessary details must appear on the hardcopy.
- comparison and reconciliation – control can be HELPED BY COMPUTERS if timely and comprehensive accounting information means that frequent and regular reconciliations can be performed (e.g. reconciliations of input with output and theoretical figures with actual figures)
Problems in a computerised system that the auditor should be aware of (that might hinder the auditor) :
- lack of audit trail (transaction trail) – might exist only in machine readable form or may only exist for a short time
- lack of segregation of duties – an individual may have uncontrolled access and could perform incompatible functions
- potential for errors / irregularities – because :
  - development, maintenance and operation of computerised systems requires skill and there is an increased risk of human error
  - unauthorised access or alteration to data can occur without any visible evidence
  - less human involvement means less chance to identify or observe errors or irregularities
  - errors or irregularities in system design / application can go undetected for a long time or can be exploited by someone who knows how to do so
  - initiation or execution of transactions can be automatic in a computerised system with no actual or visible authorisation of the transaction
- dependence of other controls on computer processing – the system can produce a report or other data which is then used to implement another control procedure. If the computer generated info is incorrect then any following manual control is not effective
- uniform processing of transactions – if there are errors in programme instructions then every transaction will have the same error, BUT if the system is correct then everything will be processed correctly (without common human error)
- potential for increased management supervision – reports / analyses etc can assist management to control the business with the correct software.
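The on-screen capturing aids listed above (mandatory fields, alpha-numerical checks, select-from-list instead of typing, automatic sequencing) written out as the programmed checks a capture screen would run, with a limit check added. This is an added example, not code from the study notes or from Jackson & Stent; the field names, payment options and limit value are constructed.

```python
"""Programmed checks behind an on-screen capture form (added example).

Not from the study notes or Jackson & Stent: the field names, the payment
method drop-down and the amount limit are constructed for illustration.
"""
import itertools
import re

# Constructed drop-down: the only payment methods the operator may select.
PAYMENT_METHODS = ("cash", "cheque", "eft", "credit card")

# Mandatory fields: the screen will not accept a record without them.
MANDATORY = ("account_number", "amount", "payment_method")

# Constructed limit check: anything above this needs a supervisor override.
AMOUNT_LIMIT = 50_000.00

# Automatic sequencing: the operator never types the document number.
_sequence = itertools.count(1001)


def check_record(rec):
    """Run the programmed checks; return the list of failures (empty = accepted)."""
    errors = []

    # Mandatory-field check (None or blank counts as not completed).
    for field in MANDATORY:
        if rec.get(field) in (None, ""):
            errors.append(f"{field}: mandatory field not completed")

    # Alpha-numerical check: an account number is digits only, fixed length.
    acc = str(rec.get("account_number") or "")
    if acc and not re.fullmatch(r"[0-9]{6}", acc):
        errors.append("account_number: must be exactly 6 digits")

    # Numeric check on the amount: letters or a non-positive value fail.
    value = None
    raw = rec.get("amount")
    if raw not in (None, ""):
        try:
            value = float(raw)
        except (TypeError, ValueError):
            errors.append("amount: must be a number")
        else:
            if value <= 0:
                errors.append("amount: must be greater than zero")

    # Select-from-list check: only an option from the drop-down is valid.
    method = rec.get("payment_method")
    if method and method not in PAYMENT_METHODS:
        errors.append(f"payment_method: {method!r} is not one of the available options")

    # Limit check: a preset parameter the operator cannot override alone.
    if value is not None and value > AMOUNT_LIMIT:
        errors.append(f"amount: {value:.2f} exceeds limit of {AMOUNT_LIMIT:.2f}; supervisor override required")

    return errors


def capture(rec):
    """Accept the record and assign the next sequence number, or reject it.

    Returns {"accepted": True, "record": ...} or {"accepted": False, "errors": [...]}.
    """
    errors = check_record(rec)
    if errors:
        return {"accepted": False, "errors": errors}
    accepted = dict(rec)
    accepted["amount"] = float(rec["amount"])
    accepted["document_number"] = next(_sequence)   # system-assigned, never keyed
    return {"accepted": True, "record": accepted}


if __name__ == "__main__":
    # Constructed sample keystrokes: one clean record and three defective ones.
    samples = [
        {"account_number": "100010", "amount": "1250.00", "payment_method": "eft"},
        {"account_number": "1000A1", "amount": "1250.00", "payment_method": "eft"},
        {"account_number": "100020", "amount": "", "payment_method": "cash"},
        {"account_number": "100030", "amount": "75000", "payment_method": "cheque"},
    ]
    for sample in samples:
        print(capture(sample))
```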
GENERAL CONTROLS
Jackson & Stent pg 8/10
Controls in a computerised environment are either :
- general controls – establish an overall framework of control for computer activities (should be in place before any processing of transactions starts and should span across all applications)
- application controls – relevant to a specific task within the accounting system (e.g. foreman has to authorise all overtime)
Categories of general controls :
- control environment and security policy
- organisational structure and personnel practices
- standards and standard operating procedures
- systems development controls
- programme change controls
- continuity of operations
- access controls
- documentation
Control environment and security policy
Control environment – management should lead by example (their attitudes, control awareness and actions set the level for other staff). Factors promoting a strong control environment for IT :
- should have a steering committee for IT or strong representation of all IT matters on the board. (Steering committee = people who are computer knowledgeable and knowledgeable about the business, so all major computer issues should be referred to them)
- management philosophy and operating style which communicates and enforces the importance of good controls
- organisational structure and personnel practices that promote control
- sound management control system including internal audit with sound internal control characteristics.
Security policy
Security standards are needed to maintain the integrity of the hardware and software – should be documented, and not detailed but rather based on principles such as :
- least privilege – all employees should only have access to the parts of the system that they need to perform their duties, and if no access is needed then they should not have a log-on
- fail safe – if possible, if a control "fails" then whatever the control is protecting should remain "safe"
- defense in depth – protection is not left up to only one control but rather to a combination of controls
- logging – use must be made of the computer's ability to log attempts to gain access to the system (only effective if the logs are regularly and frequently reviewed and followed up)
Organisational structure and personnel practices
Organisational structure – 2 main objectives, should :
- establish clear reporting lines / levels of authority and
- lay the foundation for segregation of duties (no staff should perform incompatible functions)
Should segregate IT and other departments as well as segregating duties within the IT department itself. The IT department should consist of the following departments, reporting directly to the IT manager :
- application development (business / systems analysts) and programming
- technical / administration (database / operating system / network administrators)
- help desk / operations (solving easy problems received via the help desk, backing up company data and rotation of the back-up tapes)
- security (control procedures for access to the system and follow up on security violations)
The IT department MUST be separate from user departments – no IT staff member should be able to authorise transactions or have access to / custody of the company's assets (stock or debtor's masterfile). IT staff should be divided into different divisions and technical administrators MUST be segregated from programmers and business analysts. Only the security department should be able to deal with security issues (e.g. unauthorised log-on etc). Physical access controls should also be used to enforce division of duties.
(The remaining categories of general controls – programme change controls, continuity of operations, access controls and documentation – are dealt with below.)
Personnel practices
Staff should be honest, competent and trustworthy and the company should also :
- have proper recruiting policies to check an applicant's background and competence
- ensure that if an employee is dismissed his password and user privileges are cancelled
- enforce compulsory leave
- train and develop staff continually and use ongoing evaluation of their suitability and competence for their job
- have written formalisation of personnel practices to provide terms of reference or guidelines
- institute rotation of duties
Standards and standard operating procedures
Standards
Should use predetermined conventions, protocols and industry wide standards. Benefits of standards :
- reduce compatibility problems of hardware and software (within the company and with 3rd parties – i.e. clients)
- communicate clear requirements for good and consistent practices for IT management
Standard operating procedures
Procedures put in place for 'day to day' operations – including :
- scheduling of jobs – timetable established by management to control various processes
- equipment operation and maintenance – must adhere to hardware and software manufacturers' instructions and correct procedures must be followed
- machine servicing – must be done as specified and any machine failures must be recorded and analysed
- job run procedures – computer operators must follow instructions when running a specific job
- activity logs – used to monitor the activity of the computer.
  Unauthorised activity must be followed up by senior personnel (including private jobs performed after hours on the company's facilities)
- personnel habits and tidiness – the risk of data loss and / or compromising confidentiality of information on things like flash drives is increased if the environment and standards are lax
- physical library – all discs, tapes and documents must be stored in a library and must be subjected to sound library and file controls, including :
  - restricted access to the library
  - clear and accurate labelling of all discs / tapes
  - issue of library items to authorised staff only
  - keeping a record of all library items and their movements
  - inspection of discs and tapes for obvious damage and wear
  - segregation of duties between the librarian and computer operators
All standards and standard operating procedures should be frequently reviewed to ensure that the company remains protected and up to date.
Systems development controls
Any major change in the computer system MUST be done with controls or problems may occur, such as :
- development costs may get out of control
- system design may not suit user requirements
- programmes in the system may contain bugs or errors
- important accounting practice requirements may not be incorporated into the system or may not be correctly understood by the business analyst / programmer
- the new system may not incorporate enough controls to ensure the integrity of its programmes and data (e.g.
  unauthorised personnel may be able to make changes to masterfiles)
- an excellent system may be useless if no-one knows how to use it
- information transferred from the old system to the new one could be erroneous, invalid or incomplete
The following controls must be implemented to avoid these risks :
- standards
  - all systems development should be in accordance with pre-defined standards for all phases as detailed below
  - compliance must be strictly monitored and deviations followed up by management
- project approval
  - a feasibility study should be carried out and either an in-house system developed or off-the-shelf software purchased
  - the feasibility study should include a cost / benefit analysis with a money value for all requirements as well as all benefits arising from the project
  - the steering committee must give approval prior to commencement of the project
- project management
  - a project team should be formed by the steering committee to manage project development
  - the project should be planned in all stages
  - responsibility for each specific task must be allocated to appropriate staff members
  - deadlines must be set for completion of each stage
  - progress must be monitored at regular intervals to identify any problems
  - regular progress reports should be submitted to the steering committee
- user requirements
  - all user requirements relating to the system should be carefully determined and documented
  - internal and external auditors must be consulted regarding their requirements and recommendations for internal controls
  - management of each user department should sign approval of the specifications for their individual departments
- systems specifications and programming
  - programme specifications should be clearly documented
  - programming should take place in accordance with standard programming conventions and procedures
  - programmers should only work in a development environment and should have no access to the live data / environment
- testing
  - programme coding of the programs should be tested using
    standard debugging procedures and should be tested with test data (programme tests and string tests)
  - the system must be tested as a whole to ensure all programmes are integrating properly – normally by business analysts in a test environment (systems tests)
  - tested at output level by management, users and auditors to establish if it satisfies the requirements of users (user acceptance tests)
- final approval
  - the results of testing must be reviewed to ensure necessary changes have been made and errors corrected
  - the project team must obtain final approval from management, users, internal audit and IT personnel and then go ahead with final conversion procedures
- training
  - a formal programme must be devised setting out details of all personnel to be trained
  - user procedure manuals and updated job descriptions should be compiled and used in the training exercise
- conversion
  - controls are necessary to ensure that programmes and information taken onto the new system are complete, accurate and valid. Controls such as :
  - conversion project – the conversion itself is a project
  - data cleanup – data that is to be converted should be thoroughly checked and discrepancies resolved prior to conversion
  - conversion method – the conversion method must be selected
  - preparation and entry – controls should include the use of a data control group that will :
    o perform file comparisons between old and new files and resolve discrepancies
    o reconcile from old to new files using record counts and control totals
    o follow up exception reports of any problems identified through the use of programmed checks (e.g.
      limit checks)
    o obtain user approval for data converted in respect of each user department
    o obtain direct confirmation from customers or suppliers of balances reflected on the new system
- post-implementation review
  - all users should review the system after several months to determine if the :
    - system is operating as intended
    - system development exercise was effective
    - all aspects of the new system are adequately documented in accordance with the predetermined standards
Programme change controls
There is normally an ongoing need to modify applications to meet changed user requirements or to improve a system, and these modifications require strong controls such as :
- programme change standards should be adhered to
- requests for programme changes should be documented on prenumbered, preprinted change control forms
- programme change requests should be evaluated and approved by the user department and the IT manager
- programme changes should only be effected by programmers (not operators)
- the change should be managed as a mini project
- changes should be made to a development programme, not the production programme
- changes should be tested by the programmer and a senior programmer using standard debugging techniques
- programme changes should be discussed with users and a change control form should be signed
- all documentation affected by the change should be updated
- the amended programme should be copied to the live environment by an independent technical administrator and all programme changes automatically logged by the computer
- the IT manager should review the log of programme changes and reconcile it to the programme change forms
Continuity of operations
Controls are aimed at protecting computer facilities from natural disasters (floods, fires) and also from destruction or abuse by unauthorised staff.
Consist of :
- physical security :
  - physical location – away from obvious hazards and within a secure area of the building with adequate access control devices
  - fire & flood – automatic CO2 release, smoke detectors, extinguishers etc; should be situated above ground level and away from water mains
  - power surges – use of UPSs and back-up generators
  - heat and humidity – air-conditioning on its own electrical circuit
- access controls
- disaster recovery controls to minimise disruption as a result of a disaster :
  - disaster recovery plan – a tested written document that is widely available which lists and plans the priorities of procedures. Should also detail alternative processing arrangements and should state the order in which files and programmes are to be reconstructed
  - back-up strategies – back-ups should be made frequently and regularly (specifically of individual PCs) and at least 3 generations of backups should be maintained (grandfather, father and son). The most recently backed up info should be stored off-site in fireproof safes and away from the computer facilities.
    Critical data and programmes should be copied in real time to a 'mirror site' and copies of all user and operations documentation should be kept off-site
  - other measures used to assist in preventing or alleviating disaster :
    - use of dual power supplies and disk mirroring (applying the concept of redundancy)
    - regular maintenance and servicing of equipment to prevent failure
    - adequate insurance cover for equipment replacement
    - avoidance of reliance on key personnel by maintaining complete and appropriate documentation and training of junior staff
    - arrangements for support from suppliers of equipment and software
Access controls
Only authorised users should be able to gain access to the computer facilities and data, and access should be on a privilege or need-to-know basis for the performance of employee duties and should require :
- identification
- authentication
- authorisation
- encryption
- logging
Access control methods :
- physical controls over servers – only for authorised personnel and using an authorised entry method (card access). Cables should be shielded or built into walls to prevent line tapping
- logical access / authorised users – use of passwords and user names for authorised users, restricted to the functions required for that specific level
- critical access control considerations – unlimited access to the system should only be given to a limited number of very senior IT staff, and access tables should be used to control access (the computer is given a profile based on information in a 'table' and that restricts staff access – e.g. could be set by time of day so bank tellers would only be able to log in during banking hours)
- user identification controls – the identity of the user must be in the access table
- controls over passwords – a random mix of letters / numbers, and user IDs of terminated staff should be removed or disabled immediately upon termination. Passwords should not be displayed on PCs and should be changed regularly
- supplementary access controls – automatic lock-out in case of a violation (e.g. incorrect password entered more than 3 times). Time-out facilities and automatic logging, review and follow up of access violations. Encryption of confidential and critical information; very sensitive functions should be given extra protection by requiring 2 passwords to gain access.
Documentation
All aspects of the computer system should be clearly documented and access to documentation should be restricted to authorised personnel. Documentation improves overall operating efficiency and provides audit evidence for computer related controls. Documentation should be promptly updated if there are any changes and backup copies should be stored off-site. Access should be restricted to authorised personnel and documentation should include standards such as :
- general systems descriptions
- detailed descriptions of program logic
- operator and user instructions including error recovery procedures
- back-up and disaster recovery procedures
- security procedures / policies
- user training, implementation and conversion of new systems
The auditor is required to evaluate the internal control of the company when planning the audit, so general controls are a fundamental part of overall internal control and are evaluated and tested using inspection, enquiry, observation and reperformance.
APPLICATION CONTROLS
Jackson & Stent pg 8/24
Framework for application controls in a computerised environment =
- masterfile amendments, input, processing and output
- validity, accuracy and completeness
- prevention, detection and correction.
It is ideal to have distinct input, processing and output phases with manual controls combined with program controls, but if fewer people are involved and there is no real distinction between these phases then more reliance must be placed on :
- access controls and programmed controls rather than manual controls
- preventative rather than detective and corrective controls
It is vital that the information that is being processed is valid, accurate and complete.
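The access control methods listed above (access table with a profile per user, time-of-day restriction for tellers, automatic lock-out, immediate disabling of terminated IDs, two passwords for a very sensitive function, and a log of violations for review) put together as one small access table. This is an added example, not code from the study notes or from Jackson & Stent; the user names, passwords, functions and banking hours are constructed.

```python
"""Access table with profiles, lock-out, two-password functions and a log.

Added example, not from the study notes or Jackson & Stent. Passwords are
checked against a salted PBKDF2 hash; a user is locked out once the wrong
password is entered more than MAX_FAILURES times; every attempt is logged.
User names, passwords, functions and hours are constructed.
"""
import hashlib
import hmac
import os
from datetime import datetime, time

MAX_FAILURES = 3                                   # lock-out when exceeded
BANKING_HOURS = (time(8, 30), time(15, 30))        # constructed teller hours


def clock(hour, minute=0):
    """Constructed clock so that the time-of-day check can be exercised."""
    return datetime(2023, 2, 13, hour, minute)


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class AccessTable:
    def __init__(self):
        self.profiles = {}
        self.log = []                   # (user, event, ok) for every attempt

    def add_user(self, user, password, functions, hours=None):
        salt = os.urandom(16)
        self.profiles[user] = {"salt": salt, "hash": _hash(password, salt),
                               "functions": frozenset(functions), "hours": hours,
                               "failures": 0, "locked": False, "active": True}

    def terminate(self, user):
        """Disable, rather than delete, so the log still identifies the person."""
        self.profiles[user]["active"] = False

    def _record(self, user, event, ok):
        self.log.append((user, event, ok))
        return ok

    def violations(self):
        """What the security department reviews and follows up."""
        return [e for e in self.log if not e[2]]

    def authenticate(self, user, password):
        """Identification (ID in the table) and authentication (password)."""
        p = self.profiles.get(user)
        if p is None:
            return self._record(user, "unknown user ID", False)
        if not p["active"]:
            return self._record(user, "disabled user ID", False)
        if p["locked"]:
            return self._record(user, "locked-out user ID", False)
        if hmac.compare_digest(_hash(password, p["salt"]), p["hash"]):
            p["failures"] = 0
            return self._record(user, "logon", True)
        p["failures"] += 1
        if p["failures"] > MAX_FAILURES:
            p["locked"] = True          # automatic lock-out on violation
            return self._record(user, "wrong password: automatic lock-out", False)
        return self._record(user, "wrong password", False)

    def authorise(self, user, function, now):
        """Authorisation: function in the profile and within permitted hours."""
        p = self.profiles.get(user)
        if p is None or not p["active"] or p["locked"]:
            return self._record(user, f"{function}: no usable profile", False)
        if function not in p["functions"]:
            return self._record(user, f"{function}: not in access profile", False)
        if p["hours"] is not None and not (p["hours"][0] <= now.time() <= p["hours"][1]):
            return self._record(user, f"{function}: outside permitted hours", False)
        return self._record(user, f"{function}: authorised", True)

    def authorise_sensitive(self, user, function, now, second_user, second_password):
        """Two passwords: a second, different, authorised person confirms."""
        if not self.authorise(user, function, now):
            return False
        if second_user == user:
            return self._record(user, f"{function}: second password must be another user's", False)
        if not self.authenticate(second_user, second_password):
            return self._record(second_user, f"{function}: second password rejected", False)
        return self.authorise(second_user, function, now)


def demo():
    """Constructed scenario; returns the table so its log can be inspected."""
    t = AccessTable()
    t.add_user("teller01", "Tr7!qzL2", {"deposit", "withdrawal"}, BANKING_HOURS)
    t.add_user("super01", "Sv4#mnP9", {"deposit", "withdrawal", "masterfile_amend"})
    t.add_user("super02", "Xk8$rtQ1", {"masterfile_amend"})
    t.authorise("teller01", "deposit", clock(10))            # within banking hours
    t.authorise("teller01", "deposit", clock(17))            # violation: after hours
    t.authorise("teller01", "masterfile_amend", clock(10))   # violation: not in profile
    for _ in range(MAX_FAILURES + 1):
        t.authenticate("teller01", "guess")                  # last attempt locks the ID
    t.authorise_sensitive("super01", "masterfile_amend", clock(10), "super02", "Xk8$rtQ1")
    return t
```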
Application = set of procedures and programmes that satisfy all users associated with a specific task.
Application controls = controls over input, processing and output of financial information relating to a specific application, which ensure that the information is valid, accurate and complete. Consist of both automated (computerised) and manual controls.
Transaction files = files used to store all the details of individual transactions
Masterfiles = files used to store only standing information (debtor's names, addresses and credit limits) and latest balances.
Masterfile amendments = changes to standing data on masterfiles – MUST be tightly controlled
The objective of controls in a computerised accounting environment is generally centred around the validity, accuracy and completeness of data and information processed by and stored on the system.
- Validity = ensuring that the transactions and data aren't fictitious or fraudulent and are in accordance with activities which have been properly authorised by management
- Accuracy = minimising errors to ensure that data and transactions are correctly captured, processed and allocated
- Completeness = ensuring data and transactions are not omitted or incomplete
Terms relating to the stage at which controls are implemented to achieve the objectives explained above :
- prevention = controls designed to identify errors and problems in source data and how it is captured BEFORE it is accepted for input, processing and output by the system
- detection = controls which identify errors and problems with data that has been entered onto the system (i.e. errors that weren't caught by prevention controls). Detection is worthless unless problems are followed up on and resolved
- correction = controls that are implemented to resolve errors and problems which have been identified using detection controls.
Input, processing and output
Hardware makes use of all masterfiles, transaction files and programmes to do processing, so if the system is going to produce valid, accurate and complete data then all of these need controls.
Transactions / input MUST be valid, accurate and complete. The computer will only process what it is given, so need to use :
- general controls – competent staff, properly designed source documentation, restriction of access to the system, or
- application controls – either manual or computerised
Hardware must function properly – most modern computer equipment has numerous built-in controls and is very reliable. General controls (for continuity of operations) consist of proper servicing and treatment of equipment, so hardware support is important to the auditor.
How controls and phases fit together in a computerised accounting system :
Masterfiles
Contain standing data and balances and must be controlled against unauthorised changes, or the information that is produced by processing may not be valid. Control of the masterfiles is essential. Can be controlled by a combination of manual and computerised controls.
Output
Product of processing; can be converted to hardcopy (reports etc) or saved electronically. Output MUST be protected. Controls have 3 primary purposes :
- to preserve the integrity of data
- ensure effective use of reports
- ensure confidentiality of sensitive information
Processing
Information captured during the input phase is used to update existing information on the masterfile. Application programmes contain the instructions that the system follows in order to carry out this processing.
Controls are implemented during this phase to maintain data integrity during processing and are necessary because :
- the system programme processing the data may have logical errors
- hardware / software faults may cause data to be processed incorrectly
Masterfiles, transactions, programmes and hardware MUST all have controls to produce valid, accurate and complete data.
Processing methods
3 methods of processing, and each has different application controls at the input phase :
- batch entry / batch processing / batch update
  - transaction data is initially on manually prepared source documents (e.g. sales invoices)
  - the source documents are collected into batches and then punched in these batches; the transaction information is converted into machine readable form and held in a transaction file on the system
  - the relevant masterfiles are then updated with the batch information
- online entry / batch processing / batch update
  - transaction data is entered by PC when it happens (i.e. a reservation keyed directly into the PC when the client phones)
  - the transaction is converted into machine readable form as it occurs and is held in the transactions file on the system
  - transactions are then processed as a batch to update the masterfiles when it is convenient (i.e. at the end of each day)
- online entry / real-time processing / update
  - transaction data is entered by PC as soon as it occurs
  - masterfiles are updated immediately and so each individual transaction shows on the masterfile balances at once.
VERY important that access controls are restricted.
Programmes
MUST be controlled, as the computer will follow all instructions whether they are correct or not. Programme controls are achieved by implementing sound systems development and programme maintenance controls.
Input (transactions)
During this phase information relating to transactions is captured onto the computer system either directly or off source documents. Capturing can be by :
- manually prepared source documents
- PC / keystroke entry
- bar-coded scanning
Transactions that have been captured are stored on a file.
Application control framework – Masterfile amendments
(objective : control techniques to achieve the objective)
- Validity : authorisation; access to source documentation; access controls; independent checks; programme checks; logs and reports
- Accuracy : source document design; screen aids; independent checks
- Completeness : independent checks; logs and reports
Application control framework – Input
Batch input – preparing source data
- Validity : access to source documentation; authorisation of transactions
- Accuracy : source document design; batch; independent checks
- Completeness : independent checks; batch
Batch input – entering source data by keyboard
- Validity : access to application and specific module (programme function); batch
- Accuracy : screen aids; batch; programme checks
- Completeness : programme checks; batch; screen aids
On-line input (entering the transaction directly via keyboard – no source documents)
- Validity : access to application and specific module (programme function); program checks (including line validation); screen aids
- Accuracy : program checks; screen aids
- Completeness : program checks; post entry batch control
Application control framework – Processing
Takes place in the computer system with no manual intervention. Major components :
- hardware (and system software) and also the programs that make the hardware work
- transactions which have been inputted
- masterfiles
- programmes
Can only have accurate, complete and valid processing if all the components are controlled. Hardware controls that are "built in" :
- parity checks – an additional bit is added to the data and then the sum of the bits in the data is checked to see if it is even parity or odd parity (i.e. if it is odd this could indicate that there has been an error in processing or transmission)
- valid operation code – the processor checks that the instruction it is executing is in the valid set of instructions
- echo check – used to detect corruption of messages in transit by bouncing the signal back from the recipient of the message to the sender, so that the sender can check against the original message to see if it is the same or if any errors occurred during transmission
- equipment check – input / output devices are activated prior to operation to make sure that they are working properly
(objective : control techniques to achieve the objective)
- Validity : program controls (processing); logs and reports
- Accuracy : program controls; logs and reports; reconciliation and review
- Completeness : program controls; logs and reports; reconciliation and review
Application control framework – Output
- Correct and confidential distribution : output handling controls; access controls (output in electronic form)
- Accuracy : reconciliation and review; logs and reports
- Completeness : reconciliation and review; logs and reports
Must also ensure that all by-products of printing relating to confidential information are destroyed (printer ribbon or carbon paper).
Description of various controls
(controls covered : authorisation, access to source documents, source document design, independent checks, screen aids, logs & reports, access controls)
- Authorisation –
  - signature of supervisor on source document and batch forms
  - restricting access to input to only authorised people
  - programmed computer checks – authorisation within preset parameters (e.g. on-line loan application that is automatically granted if income is at a certain level)
  - override only available to supervisor level staff, and all overrides should be logged and checked by a superior and reviewed by management
- Access to source documents –
  - unused source documents kept locked up by an independent person (i.e. stock controller)
  - source documents se
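The "reconciliation and review" technique from the processing and output frameworks above, and the data control group's conversion checks from the systems development section (file comparison, reconciliation by record counts and control totals, exception reports from programmed limit checks), carried out over a constructed pair of debtors masterfiles. This is an added example, not code from the study notes or from Jackson & Stent; the account numbers, names, limits and balances are constructed, and the hash total is a general batch-control technique not named on the page.

```python
"""Old-to-new file reconciliation with an exception report (added example).

Not from the study notes or Jackson & Stent. The same reconcile() serves as a
post-entry batch control: old file = batch as prepared, new file = batch as
captured. All account data is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Debtor:
    account: str        # 6-digit account number, the key for the file comparison
    name: str
    credit_limit: float
    balance: float


def record_count(rows):
    return len(rows)


def control_total(rows):
    """Control total: the sum of a meaningful money field (balances)."""
    return round(sum(r.balance for r in rows), 2)


def hash_total(rows):
    """Hash total: the sum of a field with no arithmetic meaning (account
    numbers), so a dropped, duplicated or substituted record shows up even
    when the record count and the balances happen to agree."""
    return sum(int(r.account) for r in rows)


def compare_files(old_rows, new_rows):
    """File comparison keyed on account number; returns (account, finding) pairs."""
    old = {r.account: r for r in old_rows}
    new = {r.account: r for r in new_rows}
    findings = []
    for acc in sorted(old.keys() | new.keys()):
        o, n = old.get(acc), new.get(acc)
        if o is None:
            findings.append((acc, "on new file but not on old file"))
        elif n is None:
            findings.append((acc, "on old file but missing from new file"))
        elif o != n:
            changed = [f for f in ("name", "credit_limit", "balance")
                       if getattr(o, f) != getattr(n, f)]
            findings.append((acc, "field mismatch: " + ", ".join(changed)))
    return findings


def limit_check(rows):
    """Programmed limit check on the new file: balance above the credit limit."""
    return [(r.account, f"balance {r.balance:.2f} exceeds credit limit {r.credit_limit:.2f}")
            for r in rows if r.balance > r.credit_limit]


def reconcile(old_rows, new_rows):
    """Produce the reconciliation the data control group signs off on."""
    counts = (record_count(old_rows), record_count(new_rows))
    totals = (control_total(old_rows), control_total(new_rows))
    hashes = (hash_total(old_rows), hash_total(new_rows))
    findings = compare_files(old_rows, new_rows)
    exceptions = limit_check(new_rows)
    return {
        "record_counts": counts,
        "control_totals": totals,
        "hash_totals": hashes,
        "differences": findings,
        "exceptions": exceptions,
        # Only a clean reconciliation goes to the user department for approval.
        "ready_for_user_approval": (counts[0] == counts[1] and totals[0] == totals[1]
                                    and hashes[0] == hashes[1]
                                    and not findings and not exceptions),
    }


# Constructed old-system debtors masterfile.
OLD_FILE = [
    Debtor("100010", "Abrahams Traders", 5000.00, 1250.00),
    Debtor("100020", "Botha Hardware", 10000.00, 8400.50),
    Debtor("100030", "Cele Stores", 2500.00, 0.00),
    Debtor("100040", "Dlamini Motors", 20000.00, 19999.99),
]

# Constructed new-system file after conversion: one balance transposed, one
# record dropped and one added, so the record counts alone still agree.
NEW_FILE = [
    Debtor("100010", "Abrahams Traders", 5000.00, 1520.00),
    Debtor("100020", "Botha Hardware", 10000.00, 8400.50),
    Debtor("100040", "Dlamini Motors", 20000.00, 19999.99),
    Debtor("100050", "Ebrahim Supplies", 1000.00, 1350.00),
]

if __name__ == "__main__":
    for key, value in reconcile(OLD_FILE, NEW_FILE).items():
        print(f"{key}: {value}")
```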
Connected book
- 1994
- 9780412444005
- Unknown
Written for
- Institution
- University of South Africa
- Module
- AUE3761 - The Audit Process
Document information
- Summarized whole book?
- Yes
- Uploaded on
- February 13, 2023
- Number of pages
- 105
- Written in
- 2022/2023
- Type
- Summary