CIS-496 / I.S. Auditing

Chapter 9: Auditing the Revenue Cycle
IT Auditing & Assurance, 2e, Hall & Singleton
MANUAL PROCEDURES
Processing shipping orders



4 copies of Sales Order to warehouse; packing slip, shipping
notice, stock release, file copy
Locate and “pick” goods using Stock Release; package them
with packing slip

Reconcile documents and goods, sign Shipping Notice,
prepare Bill of Lading – multiple copies [Figure 9-3]

Transfer custody of goods (packing slip inside) and 2 copies
of Bill of Lading to carrier

Record shipment in shipping log

Send shipping notice to Billing Dept.

File: Stock Release, 1 BOL, File Copy
LEGACY SYSTEM PROCEDURES


Keypunch batch of shipping notices
Edit run program, correct any errors
• Field checks
• Limit tests
• Range tests
• Price times quantity extensions
Sort run on batches by AR account number
• Legacy systems store records in a sequential manner, usually on tape
• Next process is to “post” individual shipping notices to appropriate individual AR accounts
AR update & billing run [Figure 9-4]
• Updated AR file becomes new AR file
• Billing would be printing invoices to be mailed
• Sales journal file or printout
• Journal voucher for AR [DR] and sales [CR]
LEGACY SYSTEM PROCEDURES

Re-sort by inventory item {why?}
• Same reason; but this process is to update Inventory Items
Inventory update run [Figure 9-5]
• Reduce quantity on hand for items shipped, generate a new Inventory file
• Compare “On Hand” quantity with “Reorder Point” to identify items needing replenishment; file or printout
• Journal voucher for Cost of Goods Sold [DR] and Inventory [CR]
Sort journal entries by GL #
Run general ledger update
Management reports
BATCH CASH RECEIPTS SYSTEMS
WITH DIRECT ACCESS FILES



See Figure 9-6
Discrete events that naturally fit the batch approach
Update Procedures
• Mail Room
Receives checks and Remittance Advices.
Separates checks from Remittance Advices
Prepares a Remittance List – multiple copies
Copy of Remittance List and checks go to Cash
Receipts Dept.
Remittance Advices and copy of Remittance List go
to AR Dept.
Last copy of Remittance List to Controller’s Office
REAL-TIME SALES ORDER ENTRY
AND CASH RECEIPTS


See Figure 9-7
Sales procedures




Transactions are processed as they occur, separately
Credit check is performed online by the system
If approved, system checks availability of inventory
If available, system:




Transmits electronic stock release to warehouse
dept
Transmits electronic packing slip to shipping dept
Updates inventory file records for depletion
Records sale in open sales order computer file
REAL-TIME SALES ORDER ENTRY
AND CASH RECEIPTS
Warehouse procedures



Produces hard copy of stock release
Clerk picks goods, sends them with a copy of stock release
to shipping dept.
Shipping procedures





Reconciles goods, stock release, packing slip from system.
Online, IS prepares Bill of Lading for shipment, and
shipping notice for DP Dept.
Select carrier and prepare goods for shipment, along with
packing slip and Bill of Lading
Stock release form is filed
FEATURES OF REAL-TIME
PROCESSING
Events Database



Traditional accounting does not have to exist per se (in
traditional form)
General Ledger can be derived at any time from a compilation from
the events database
Advantages






Greatly shortens the cash cycle of the firm
Can give a firm a competitive advantage (e.g., managing inventory
better)
Real-time editing permits the identification of many kinds of errors
as they occur, greatly improving the efficiency and effectiveness of
business processes
Reduces the amount of paper documents
Electronic audit trails are possible in real-time computer-based
systems
MANAGEMENT ASSERTIONS AND
REVENUE CYCLE AUDIT OBJECTIVES

Existence / Occurrence


VERIFY AR balance represents amounts actually owed as of Balance Sheet date
Establish sales represents goods shipped and/or services rendered during period of
financials
Completeness



Determine all amounts owed organization are included in AR
VERIFY shipped goods, services rendered, and/or returns and allowances for period are
included in financials
Accuracy



VERIFY revenue transactions are accurately computed, based on correct prices and
quantities
Ensure AR subsidiary ledger, sales invoice file, remittance file are mathematically correct
and agree with GL accounts
Rights & Obligations



Determine organization has legal right to AR
VERIFY accounts sold or factored have been removed from AR
Valuation or Allocation



Determine AR balance stated in net realizable value
Establish allocation for uncollectible accounts is appropriate
Presentation and Disclosure


VERIFY AR and revenues for period are properly described and classified
INPUT CONTROLS

Purpose



Ensure creditworthiness of customers
Control techniques vary considerably between batch
systems and real-time systems
Credit authorization procedures




Credit worthiness of customer
Batch and manual systems use credit dept.
Real-time systems use programmed decision rules
Testing credit procedures






Verify effective procedures exist
Verify information is adequately communicated
Verify effectiveness of programmed decision rules (test data, ITF)
Verify that authority for making credit decisions is limited to
authorized credit personnel/procedures
Perform Substantive Tests of Detail
Review credit policy periodically and revise as necessary
INPUT CONTROLS

Data Validation Controls

To detect transcription errors in data as it is processed

Batch: after shipment of goods
• Error logs
• Error correction computer processes
• Transaction resubmission procedures
Real-Time: Errors handled as they occur
Missing data checks – presence of blank fields
Numeric-Alphabetic data checks – correct form of data
Limit checks – value does not exceed max for the field
Range checks – data is within upper and lower limits
Validity checks – compare actual values against known acceptable values
Check digit – identify keystroke errors by testing internal validity
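
The six checks listed above, applied to a single record at entry time. This is an added example, not taken from the slides or the textbook; the field names, the limits and the modulus-11 check-digit scheme are assumptions chosen for illustration.

```python
# Added example: edit checks applied to one sales-order record as it is entered.
# Field names, limits and the modulus-11 weighting are assumptions for illustration.
VALID_TXN_CODES = {"SALE", "RETURN"}   # validity check: known acceptable values
MAX_QTY = 500                          # limit check: maximum for the field
PRICE_RANGE = (0.01, 9999.99)          # range check: lower and upper limits
REQUIRED = ("account", "txn_code", "qty", "price")


def mod11_check_digit(base: str) -> str:
    """Weights 2, 3, 4, ... from the rightmost digit; a result of 10 is written X."""
    total = sum(int(d) * w for w, d in enumerate(reversed(base), start=2))
    digit = (11 - total % 11) % 11
    return "X" if digit == 10 else str(digit)


def validate(rec: dict) -> list:
    """Return the checks the record fails; an empty list means it is accepted."""
    blanks = [f for f in REQUIRED if rec.get(f) is None or not str(rec[f]).strip()]
    if blanks:                                   # missing data check
        return ["missing data: " + ",".join(blanks)]
    errors = []
    acct, qty, price = (str(rec[f]).strip() for f in ("account", "qty", "price"))
    if not qty.isdecimal():                      # numeric-alphabetic check
        errors.append("numeric-alphabetic: qty")
    elif int(qty) > MAX_QTY:                     # limit check
        errors.append("limit: qty")
    try:
        if not PRICE_RANGE[0] <= float(price) <= PRICE_RANGE[1]:
            errors.append("range: price")        # range check
    except ValueError:
        errors.append("numeric-alphabetic: price")
    if rec["txn_code"] not in VALID_TXN_CODES:   # validity check
        errors.append("validity: txn_code")
    base, given = acct[:-1], acct[-1]
    if not (base.isdecimal() and mod11_check_digit(base) == given):
        errors.append("check digit: account")    # catches transposed digits
    return errors


# Constructed records: 537268 carries a valid check digit, 573268 is a transposition.
GOOD = {"account": "537268", "txn_code": "SALE", "qty": "10", "price": "19.95"}
for label, rec in [("good", GOOD),
                   ("transposed", {**GOOD, "account": "573268"}),
                   ("letter O in qty", {**GOOD, "qty": "1O"})]:
    print(label, validate(rec))
```

An auditor's test data for these controls would contain one record per check, each built to fail exactly one rule, so that every rejection can be traced to the rule that produced it.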
Testing Data Validation Controls



Verify controls exist and are functioning effectively
Validation of program logic can be difficult


If controls over system development and maintenance are NOT weak, testing
data editing/programming logic is more efficient than substantive tests of details
(test data, ITF)
Some assurance can be gained through the testing of error lists and error logs
(detected errors only)
INPUT CONTROLS

Batch controls




Manage high volumes of similar transactions
Purpose: Reconcile output produced by system with the original
input
Controls continue through all computer (data) processes
Batch transmittal sheet:







Unique batch number
Batch date
Transaction code
Record count
Batch control total (amount)
Hash totals (e.g., account numbers)
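
How the transmittal-sheet figures are used: the record count, control total and hash total are recomputed after each processing run and compared with the sheet. This is an added example, not from the slides or the textbook; the record layout, field names and all data are constructed assumptions.

```python
# Added example: reconciling a processed batch against its transmittal sheet.
# Record layout and field names are assumptions; all data below is constructed.
from decimal import Decimal


def batch_totals(records):
    """Recompute the three control figures from the detail records."""
    return {
        "record_count": len(records),
        "control_total": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        # Hash total: sum of a non-financial field, meaningless except as a control.
        "hash_total": sum(int(r["account"]) for r in records),
    }


def reconcile(sheet, records):
    """Return {figure: (expected, actual)} for every figure that is out of balance."""
    out = {}
    for key, value in batch_totals(records).items():
        if sheet[key] != value:
            out[key] = (sheet[key], value)
    wrong = sorted({r["txn_code"] for r in records if r["txn_code"] != sheet["txn_code"]})
    if wrong:  # a record with a transaction code the batch was not declared to hold
        out["txn_code"] = (sheet["txn_code"], wrong)
    return out


KEYED = [  # batch as prepared by the user department
    {"account": "10234", "txn_code": "SHIP", "amount": "150.00"},
    {"account": "10871", "txn_code": "SHIP", "amount": "89.50"},
    {"account": "11402", "txn_code": "SHIP", "amount": "1200.25"},
]
SHEET = {"batch_no": "B-0001", "batch_date": "2024-01-31", "txn_code": "SHIP",
         **batch_totals(KEYED)}

# Run 1 output: second account number mis-keyed (10871 -> 10781), amounts untouched.
AFTER_EDIT_RUN = [dict(KEYED[0]), {**KEYED[1], "account": "10781"}, dict(KEYED[2])]
# Run 2 output: last record dropped during the sort.
AFTER_SORT_RUN = AFTER_EDIT_RUN[:2]

for name, recs in [("keyed", KEYED), ("edit run", AFTER_EDIT_RUN),
                   ("sort run", AFTER_SORT_RUN)]:
    print(name, reconcile(SHEET, recs))
```

The mis-keyed account leaves the record count and the dollar total in balance; only the hash total exposes it, which is why the sheet carries all three figures.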
Testing data validation controls




Failure of batch controls indicates data errors
Involves reviewing transmittal records of batches processed and
reconciling them to the batch control log (batch transmittal sheet)
Examine out-of-balance conditions and other errors to determine
cause of error
Review and reconcile transaction listings, error logs, etc.
PROCESS CONTROLS



Computerized procedures for file updating
Restricting access to data
Techniques:




File update controls -- Run-to-run batch control data to
monitor data processing steps
Transaction code controls – to process different transactions
using different programming logic (e.g., transaction types)
Sequence check controls – sequential files, proper sorting of
transaction files required
Testing file update controls – results in errors




Testing data that contains errors (incorrect transaction codes, out
of sequence)
Can be performed in ITF or test data
CAATTs requires careful planning
Single audit procedure can be devised that performs all tests in
one operation.
ACCESS CONTROLS

Prevent and detect unauthorized and illegal access to firm’s
systems and/or assets




Warehouse security
Depositing cash daily
Use safe deposit box, night box, lock cash drawers and safes
Accounting records





Removal of an account from books
Unauthorized shipments of goods using blank sales orders
Removal of cash, covered by adjustments to cash account
Theft of products/inventory, covered by adjustments to inventory or
cash accounts
Testing access controls – heart of accounting information integrity



Absence thereof allows manipulation of invoices (i.e., fraud)
Access controls are system-wide and application-specific
Access controls are dependent on effective controls in O/S, networks,
and databases
PHYSICAL CONTROLS

Segregation of duties




Rule 1: Transaction authorization separate from transaction
processing
Rule 2: Asset custody separate from record-keeping tasks
Rule 3: Organization structured such that fraud requires
collusion between two or more people
Supervision




Necessary for employees who perform incompatible
functions
Compensates for inherent exposure from incompatible
functions
Can be a supplement when duties are properly segregated
Prevention vs. detection of fraud and crime is objective:
supervision can be effective preventive control
PHYSICAL CONTROLS

Independent verification



Review the work of others at critical points in business processes
Purpose: Identify errors or possible fraud
Examples:



Shipping dept. verifies goods sent from warehouse dept. are correct in
type and quantity
Billing dept. reconciles shipping notice with sales notice to ensure
customers billed correctly
Testing physical controls




Review organizational structure for incompatible tasks
Tasks normally segregated in manual systems get consolidated in
DP systems.
Duties of design, maintenance, and operations for computers need
to be separated
Programmers should not be responsible for subsequent program
changes.
OUTPUT CONTROLS


PURPOSE: Information is not lost, misdirected, or corrupted; that the
system output processes function properly
Controls are designed to identify potential problems


Reconciling GL to subsidiary ledgers
Maintenance of the audit trail – that is the primary way to trace the source
of detected errors








Details of transactions processed at intermediate points
AR change report
Transaction logs: permanent record of valid transactions
Transaction listings – successfully posted transactions
Log of automatic transactions
Unique transaction identifiers
Error listings
Testing output controls



Reviewing summary reports for accuracy, completeness, timeliness, and
relevance for decisions
Trace sample transactions through audit trails; including transaction
listings, error logs, and logs of resubmitted records
ACL is very helpful in this process
SUBSTANTIVE TESTS OF REVENUE
CYCLE ACCOUNTS

PURPOSE: Determine the nature, timing, and extent of substantive tests
using auditor’s assessment of inherent risk, unmitigated control risk,
materiality considerations, and efficiency of the audit.

Concern: Overstatement or understatement of revenues?








Focus on large and unusual transactions, especially near period-end
Recognizing revenues from sales that did not occur
Recognizing revenues BEFORE they are realized
Failing to recognize cutoff points
Underestimating allowance for doubtful accounts
Shipping unsolicited products to customers, subsequently returned
Billing customers for products held by seller
Tests of controls and substantive tests


Credit limit logic may be effective but cut-off of AR may be in error
Substantive testing of AR may give assurance about accuracy of
total AR but does not offer assurance about collectibility
SUBSTANTIVE TESTS OF REVENUE
CYCLE ACCOUNTS

Understanding data



VERIFY data used in CAATTs (e.g., ACL) is accurate
VERIFY adequate setup of files from originals
(e.g., ACL and Profile command)
Relationships and data from [see Figure 9-10]:






Customer file
Sales Invoice file
Line item file
Inventory file
Shipping log file
File preparation procedures
SUBSTANTIVE TESTS OF REVENUE
CYCLE ACCOUNTS

Accuracy/completeness assertion

Analytical review of account balances




Overall perspective for trends in sales, cash receipts,
sales returns, and AR
Provides first-level assurance that amounts are
reasonably stated and reasonably complete
If so, may reduce the extent of substantive testing
Review sales invoices for unusual trends and
exceptions

Scanning data files using CAAT
(e.g., ACL and stratify and possibly filters - see Figure
9-11)
• Reveals all errors or raises questions?
SUBSTANTIVE TESTS OF REVENUE
CYCLE ACCOUNTS

Accuracy/completeness assertion

Review sales invoice and shipping log files



Missing and duplicate transactions [see Table 9-2]
Questions/survey:
• Are procedures in place to document and approve voided invoices?
• How are gaps in sales invoice numbers communicated to management?
• What physical controls exist over access to sales invoice source documents?
• If applicable, are batch totals used to control batch transactions during each processing step?
• Are transaction listings reconciled and reviewed by management?
Review line item and inventory files for pricing accuracy


ACL allows auditor to compare prices on invoices with inventory –
using JOIN [see example on page 413]
Testing unmatched records (complement)
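
The two file tests on this slide (missing and duplicate invoice numbers, then a join of line items to inventory with its unmatched complement), written out on constructed data. This is an added example in Python rather than ACL, not taken from the slides or the textbook; the file layouts and field names are assumptions.

```python
# Added example: the sales-invoice and pricing tests above on constructed data.
# File layouts and field names are assumptions, not the textbook's sample files.
from collections import Counter
from decimal import Decimal

INVOICES = [1001, 1002, 1002, 1004, 1005, 1008]   # invoice numbers as filed
LINE_ITEMS = [  # (invoice, item, quantity, unit price billed)
    (1001, "A10", 5, "12.00"),
    (1002, "B20", 2, "40.00"),
    (1004, "A10", 1, "11.00"),   # billed below list price
    (1005, "Z99", 3, "7.50"),    # item has no inventory record
]
INVENTORY = {"A10": "12.00", "B20": "40.00", "C30": "3.25"}   # item -> list price


def gaps_and_duplicates(numbers):
    """Numbers missing inside the observed range, and numbers used more than once."""
    counts = Counter(numbers)
    if not counts:
        return [], []
    gaps = [n for n in range(min(counts), max(counts) + 1) if n not in counts]
    dups = sorted(n for n, c in counts.items() if c > 1)
    return gaps, dups


def price_exceptions(line_items, inventory):
    """Join line items to inventory on item number.

    Returns (mismatches, unmatched): matched lines whose billed price differs
    from list price, with the extended difference, and lines that found no
    inventory record (the complement of the join).
    """
    mismatches, unmatched = [], []
    for invoice, item, qty, billed in line_items:
        if item not in inventory:
            unmatched.append((invoice, item))
            continue
        diff = Decimal(billed) - Decimal(inventory[item])
        if diff != 0:
            mismatches.append((invoice, item, diff * qty))
    return mismatches, unmatched


print(gaps_and_duplicates(INVOICES))
print(price_exceptions(LINE_ITEMS, INVENTORY))
```

Each exception is a question for follow-up rather than a finding: a gap may be an approved void, and an unmatched item may be a discontinued product.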
SUBSTANTIVE TESTS OF REVENUE
CYCLE ACCOUNTS
Existence assertion


Confirmation of AR – SAS #67
Not required if:
• AR is immaterial
• Assessed Control Risk is low
• Confirmation process will be ineffective
CAATTs to use for this function?
Steps:
• Select accounts to confirm
• Consolidate invoices (not AR subsidiary) using CLASSIFY (filter) and SUMMARIZE (amount) [see Tables 9-3 and 9-4]
• Why?
• JOIN the CUSTOMER file with the new consolidated invoice file
• Prepare confirmation requests [see Figure 9-12]
Positive and Negative Confirmations (ACL, EXPORT)
Evaluating and controlling responses
• Retain custody of the confirmation letters until mailed
• The letters should be addressed to the auditor, not client org.
• The replies should be mailed to the auditor, not client org.
• Discrepancies should be investigated.
• Non-responses to POSITIVE confirmation should be investigated
SUBSTANTIVE TESTS OF REVENUE
CYCLE ACCOUNTS

Valuation/allocation assertion

Corroborate or refute AR is stated at reasonable Net
Realizable Value

AGING AR
• Is allowance for doubtful accounts reasonable compared to prior years and based on composition of AR portfolio
• ACL, AGE [see Table 9-7]
Confirmation process will be ineffective
Review past-due balances
• Conference with credit manager to determine collectibility
• Determine if methods used to estimate allowance for doubtful accounts are adequate, not the collectibility of each account
• Determine if overall allowance is, therefore, reasonable
IS Controls
Access Controls
• Site
• System
• File
• Record

Rights and privileges
Controls for Automated Systems








General and application controls for IS
Transaction tags
Transaction logs
Increased supervision
Online validation and authentication
Rotation of duties
Authorizations and automated rules
Continuous auditing techniques