Quick Guide to Auditing in an IT Environment
TABLE OF CONTENTS
Chapter 1: Introduction to Information Technology Audit
What is an IT Audit? 3
Basic Components of an Audit 3
Overview of the 3 Phases of IT Audit 5
Page 2
CHAPTER 1:
INTRODUCTION TO INFORMATION TECHNOLOGY AUDIT
Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria, and communicating the results to interested users.
SYSTEMATIC PROCESS
Conducting an audit is a systematic and logical process that applies to all forms of information systems. While important in all audit settings, a systematic approach is particularly important in the IT environment. The lack of physical procedures that can be visually verified and evaluated injects a high degree of complexity into the IT audit. Therefore, a logical framework for conducting an audit in the IT environment is critical to help the auditor identify all important processes and data files.
1. Existence or Occurrence assertion - affirms that all assets and equities contained in the balance sheet exist and that all transactions in the income statement actually occurred.
2. Completeness assertion - declares that no material assets, equities, or transactions have been omitted from the financial statements.
3. Rights and Obligations assertion - maintains that assets appearing on the balance sheet are owned by the entity and that the liabilities reported are obligations.
Generally, auditors develop their audit objectives and design audit procedures based on the preceding assertions.
Audit objectives may be classified into two general categories. The preceding assertions relate to transactions and account balances that directly impact financial reporting. The second category pertains to the information system itself. This includes the audit objectives for assessing controls over manual operations and computer technologies used in transaction processing.
OBTAINING EVIDENCE
Auditors seek evidential matter that corroborates management assertions. In the IT environment, this process involves gathering evidence relating to the reliability of computer controls as well as the contents of databases that have been processed by computer programs. Evidence is collected by performing tests of controls, which establish whether internal controls are functioning properly, and substantive tests, which determine whether accounting databases fairly reflect the organization’s transactions and account balances.
ASCERTAINING MATERIALITY
The auditor must determine whether weaknesses in internal controls and misstatements found in
transactions and account balances are material. In all audit environments, assessing materiality is an
auditor judgment. In an IT environment, however, this decision is complicated further by technology and
a sophisticated internal control structure.
COMMUNICATING RESULTS
Auditors must communicate the results of their tests to interested users. An independent auditor renders a report to the audit committee of the board of directors or stockholders of a company. The audit report contains, among other things, an audit opinion. This opinion is distributed along with the financial report to interested parties both internal and external to the organization. IT auditors often communicate their findings to internal and external auditors, who can then integrate these findings with the non-IT aspects of the audit.
1. AUDIT PLANNING
The first step in the IT audit is audit planning. Before the auditor can determine the nature and
extent of the tests to perform, he or she must gain a thorough understanding of the client’s
business. A major part of this phase of the audit is the analysis of audit risk. The objective of the
auditor is to obtain sufficient information about the firm to plan the other phases of the audit. The
risk analysis incorporates an overview of the organization’s internal controls. During the review of
controls, the auditor attempts to understand the organization’s policies, practices, and structure. In
this phase of the audit, the auditor also identifies the financially significant applications and
attempts to understand the controls over the primary transactions that are processed by these
applications.
The techniques for gathering evidence at this phase include questionnaires, interviewing management, reviewing systems documentation, and observing activities. During this process, the IT auditor must identify the principal exposures and the controls that attempt to reduce these exposures. Having done so, the auditor proceeds to the next phase, where he or she tests the controls for compliance with pre-established standards.
2. TESTS OF CONTROLS
The objective of the tests of controls phase is to determine whether adequate internal controls are in place and functioning properly. To accomplish this, the auditor performs various tests of controls. The evidence-gathering techniques used in this phase may include both manual techniques and specialized computer audit techniques.
At the conclusion of the tests-of-controls phase, the auditor must assess the quality of internal controls. The degree of reliance the auditor can ascribe to internal controls affects the nature and extent of substantive testing that needs to be performed. The relationship between tests of controls and substantive tests is discussed later.
3. SUBSTANTIVE TESTING
The third phase of the audit process focuses on financial data. This involves a detailed investigation of specific account balances and transactions through what are called substantive tests. For example, a customer confirmation is a substantive test sometimes used to verify account balances. The auditor selects a sample of accounts receivable balances and traces these back to their source, the customers, to determine if the amount stated is in fact owed by a bona fide customer. By so doing, the auditor can verify the accuracy of each account in the sample. Based on such sample findings, the auditor is able to draw conclusions about the fair value of the entire accounts receivable asset.
CHAPTER 2:
TEST OF CONTROLS
A weakness in internal control may expose the firm to one or more of the following types of risks:
1. Destruction of assets (both physical assets and information)
2. Theft of assets
3. Corruption of information or the information system
4. Disruption of the information system
MODIFYING ASSUMPTIONS
Inherent in these control objectives are four modifying assumptions that guide designers and auditors of internal control systems.
1. Management Responsibility
This concept holds that the establishment and maintenance of a system of internal control is a
management responsibility.
2. Reasonable Assurance
The internal control system should provide reasonable assurance that the four broad objectives of
internal control are met. This means that no system of internal control is perfect and the cost of
achieving improved control should not outweigh its benefits.
3. Methods of Data Processing
The internal control system should achieve the four broad objectives regardless of the data processing
method used. However, the techniques used to achieve these objectives will vary with different types of
technology.
4. Limitations
Every system of internal control has limitations on its effectiveness. These include (1) the possibility of
error – no system is perfect, (2) circumvention – personnel may circumvent the system through
collusion or other means, (3) management override – management is in a position to override control
procedures by personally distorting transactions or by directing a subordinate to do so, and (4) changing
conditions – conditions may change over time so that existing controls may become ineffectual.
[Figure: the components of internal control; labels recovered from the figure: Control Activities, Monitoring]
CONTROL ENVIRONMENT
The control environment is the foundation for the other four control components. The control
environment sets the tone for the organization and influences the control awareness of its management
and employees.
RISK ASSESSMENT
Organizations must perform a risk assessment to identify, analyze, and manage risks relevant to financial reporting. Risks can arise out of changes in circumstances such as:
Changes in the operating environment that impose new competitive pressures on the firm.
New personnel who possess a different or inadequate understanding of internal control.
New or reengineered information systems that affect transaction processing.
Significant or rapid growth that strains existing internal controls.
The implementation of new technology into the production process or information system that impacts transaction processing.
SAS 78 requires that auditors obtain sufficient knowledge of the organization’s information system to
understand:
The classes of transactions that are material to the financial statements and how those transactions
are initiated.
The accounting records and accounts that are used in the processing of material transactions.
The transaction processing steps involved from the initiation of an economic event to its inclusion in
the financial statements.
The financial reporting process used to prepare financial statements, disclosures, and accounting
estimates.
MONITORING
Management must determine that internal controls are functioning as intended. Monitoring is the process by which the quality of internal control design and operation can be assessed. This may be accomplished by separate procedures or by ongoing activities.
An organization’s internal auditors may monitor the entity’s activities in separate procedures. They gather evidence of control adequacy by testing controls, and then communicate control strengths and weaknesses to management. As part of this process, internal auditors make specific recommendations for improvement to controls.
Ongoing monitoring may be achieved by integrating special computer modules into the information
system that capture key data and/or permit tests of controls to be conducted as part of routine
operations.
Another technique for achieving ongoing monitoring is the judicious use of management reports. Timely reports allow managers in functional areas such as sales, purchasing, production, and cash disbursements to oversee and control their operations. By summarizing activities, highlighting trends, and identifying exceptions from normal performance, well-designed management reports provide evidence of internal control function or malfunction.
CONTROL ACTIVITIES
Control activities are the policies and procedures used to ensure that appropriate actions are taken to deal with the organization’s identified risks. Control activities can be grouped into two distinct categories: computer controls and physical controls.
A. Physical Controls
This class of control activities relates primarily to traditional accounting systems that employ manual procedures. However, an understanding of these control concepts also gives insight into the risks and control concerns associated with the IT environment. There are six traditional categories of physical control activities.
1. Transaction Authorization
The purpose of transaction authorization is to ensure that all material transactions processed by
the information system are valid and in accordance with management’s objectives. Authorizations
may be general or specific. General authority is granted to operations personnel to perform day-to-day operations. An example of general authorization is the procedure to authorize the purchase
of inventories from a designated vendor only when inventory levels fall to their predetermined
reorder points. This is called a programmed procedure (not necessarily in the computer sense of
the word). The decision rules are specified in advance, and no additional approvals are required.
2. Segregation of Duties
One of the most important control activities is the segregation of employee duties to minimize
incompatible functions. Segregation of duties can take many forms, depending upon the specific duties to be controlled. However, the following three objectives provide general guidelines applicable to most organizations.
Objective 1
The segregation of duties should be such that the authorization for a transaction is separate
from the processing of the transaction. For example, purchases should not be initiated by
the purchasing department until authorized by the inventory control department. This
separation of tasks is a control to prevent the purchase of unnecessary inventory by
individuals.
Objective 2
Responsibility for the custody of assets should be separate from the recordkeeping
responsibility. For example, the department that has physical custody of finished goods
inventory (the warehouse) should not keep the official inventory records. Accounting for finished goods inventory is performed by inventory control, an accounting function. When a
single individual or department has responsibility for both asset custody and recordkeeping,
the potential for fraud exists. Assets can be stolen or lost, and the accounting records
falsified to hide the event.
Objective 3
The organization should be structured so that a successful fraud requires collusion between
two or more individuals with incompatible responsibilities. In other words, no single
individual should have sufficient access to assets and supporting records to perpetrate a fraud.
3. Supervision
Implementing adequate segregation of duties requires that a firm employ a sufficiently large number of employees. Achieving adequate segregation of duties often presents difficulties for small organizations. Obviously, it is impossible to separate five incompatible tasks among three employees. Therefore, in small organizations or in functional areas that lack sufficient personnel, management must compensate for the absence of segregation controls with close supervision. For this reason, supervision is often called a compensating control.
4. Accounting Records
The traditional accounting records of an organization consist of source documents, journals, and
ledgers. These records capture the economic essence of transactions and provide an audit trail of
economic events. The audit trail enables the auditor to trace any transaction through all phases of its
processing from the initiation of the event to the financial statements.
5. Access Controls
The purpose of access controls is to ensure that only authorized personnel have access to the firm’s
assets. Unauthorized access exposes assets to misappropriation, damage, and theft. Therefore,
access controls play an important part in safeguarding assets. Access to assets can be direct or indirect. Physical security devices, such as locks, safes, fences, and electronic and infrared alarm systems, control against direct access. Indirect access to assets is achieved by gaining access to the records and documents that control their use, ownership, and disposition.
6. Independent Verification
Verification procedures are independent checks of the accounting system to identify errors and
misrepresentations. Verification differs from supervision because it takes place after the act, by
an individual who is not directly involved with the transaction or task being verified. Examples of
independent verifications include:
Comparing physical assets with accounting records.
Reconciling subsidiary accounts with control accounts.
B. Computer Controls
Computer controls constitute a body of material that is of primary concern to us. These controls, which
relate specifically to the IT environment and IT auditing, fall into two broad groups: general controls and
application controls.
1. General Controls
General controls pertain to entity-wide concerns such as controls over the data center, organization databases, systems development, and program maintenance.
2. Application Controls
Application controls are programmed procedures designed to deal with potential exposures that
threaten specific applications, such as payroll, purchases, and cash disbursements systems.
Application controls fall into three broad categories: input controls, processing controls, and output
controls.
INPUT CONTROLS
The data collection component of the information system is responsible for bringing data into the
system for processing. Input controls at this stage are designed to ensure that these transactions are
valid, accurate, and complete. Data input procedures can be either source document-triggered or direct input.
Source document input requires human involvement and is prone to clerical errors. Some types of
errors that are entered on the source documents cannot be detected and corrected during the data
input stage. Dealing with these problems may require tracing the transaction back to its source (such as
contacting the customer) to correct the mistake. Direct input, on the other hand, employs real-time editing techniques to identify and correct errors immediately, thus significantly reducing the number of errors that enter the system.
Classes of Input Control
These control classes are not mutually exclusive divisions. Some control techniques that we shall
examine could fit logically into more than one class.
Source Document Controls
Source document fraud can be used to remove assets from the organization. To control this type of
exposure, the organization must implement control procedures over source documents to account for
each document, as described below:
a. Use of pre-numbered source documents
b. Use of source documents in sequence
c. Periodically audit source documents
Validation Controls
Input validation controls are intended to detect errors in transaction data before the data are
processed. Validation procedures are most effective when they are performed as close to the source of
the transaction as possible. However, depending on the type of CIS in use, input validation may occur at
various points in the system.
Record Interrogation
Record interrogation procedures validate the entire record by examining the interrelationship of its field
values. Some typical tests are discussed below.
a) Reasonableness checks determine if a value in one field, which has already passed a limit check and a range check, is reasonable when considered along with other data fields in the record.
b) Sign checks are tests to see if the sign of the field is correct for the type of record being processed.
For example, in a sales order processing system, the dollar amount field must be positive for sales
orders but negative for sales return transactions. This control can determine the correctness of the
sign by comparing it with the transaction code field.
PROCESSING CONTROLS
After passing through the data input stage, transactions enter the processing stage of the system.
Processing controls are divided into three categories: run-to-run controls, operator intervention controls, and audit trail controls.
1. Run-to-Run Controls
2. Operator Intervention Controls
3. Audit Trail Controls
The preservation of an audit trail is an important objective of process control. In an accounting system,
every transaction must be traceable through each stage of processing from its economic source to its
presentation in financial statements. In a CBIS environment, the audit trail can become fragmented and difficult to follow. It thus becomes critical that each major operation applied to a transaction be thoroughly documented. The following are examples of techniques used to preserve audit trails in a CBIS.
OUTPUT CONTROLS
Output controls ensure that system output is not lost, misdirected, or corrupted and that privacy is not
violated.
Accuracy tests, which ensure that the system processes only data values that conform to specified
tolerances. Examples include range tests, field tests, and limit tests.
Completeness tests, which identify missing data within a single record and entire records missing
from a batch.
Access tests, which ensure that the application prevents authorized users from unauthorized access to data. Access controls include passwords, authority tables, user-defined procedures, data encryption, and inference controls.
Rounding error tests, which verify the correctness of rounding procedures. Rounding errors occur in
accounting information when the level of precision used in the calculation is greater than that used
in the reporting.
To perform the test data technique, the auditor must obtain a copy of the current version of the application. In addition, test transaction files and test master files must be created. Results from the test run will be in the form of routine output reports, transaction listings, and error reports. In addition, the auditor must review the updated master files to determine that account balances have been correctly updated. The test results are then compared with the auditor’s expected results to determine if the application is functioning properly. This comparison may be performed manually or through special computer software. Any deviations between the actual results obtained and those expected by the auditor may indicate a logic or control problem.
Tracing
Another type of test data technique, called tracing, performs an electronic walkthrough of the application’s internal logic. The tracing procedure involves three steps:
1. The application under review must undergo a special compilation to activate the trace option.
2. Specific transactions or types of transactions are created as test data.
3. The test data transactions are traced through all processing stages of the program, and a listing is produced of all programmed instructions that were executed during the test.
ITF audit modules are designed to discriminate between ITF transactions and routine production data.
This may be accomplished in a number of ways. One of the simplest and most commonly used is to
assign a unique range of key values exclusively to ITF transactions. For example, in a sales order
processing system, account numbers between 2000 and 2100 can be reserved for ITF transactions and
will not be assigned to actual customer accounts. By segregating ITF transactions from legitimate transactions in this way, routine reports produced by the application are not corrupted by ITF test data. Test results are produced separately on storage media or hard copy output and distributed directly to the auditor. Just as with the test data techniques, the auditor analyzes ITF results against expected
results.
Parallel Simulation
Parallel simulation requires the auditor to write a program that simulates key features or processes of
the application under review. The simulated application is then used to reprocess transactions that were
previously processed by the production application. The results obtained from the simulation are
reconciled with the results of the original production run to establish a basis for making inferences about the quality of application processes and controls.
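The two techniques above, ITF segregation by a reserved key range and parallel simulation, worked through on a constructed sales order run (example code added here, not the guide's and not SAP Business One's; the 2000–2100 account range comes from the text, while the 12% VAT rate, the transaction file and the production application's pricing logic are assumptions):

```python
"""ITF segregation and parallel simulation over a constructed sales order run.

Added example; it is not code from the guide or from SAP Business One.
Assumptions: account numbers 2000-2100 are the ITF range named in the text,
a 12% VAT is applied to every line, and the transaction file below is made up.
"""
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, List, Tuple

ITF_ACCOUNT_RANGE = range(2000, 2101)   # reserved exclusively for ITF test accounts
VAT_RATE = Decimal("0.12")              # assumption
CENT = Decimal("0.01")

# Constructed transaction file: real customer accounts mixed with ITF test accounts.
TRANSACTIONS = [
    {"doc": 101, "account": 1050, "qty": 3, "unit_price": Decimal("22000.00")},
    {"doc": 102, "account": 2001, "qty": 1, "unit_price": Decimal("1000.00")},   # ITF
    {"doc": 103, "account": 1120, "qty": 3, "unit_price": Decimal("1234.55")},
    {"doc": 104, "account": 2100, "qty": 7, "unit_price": Decimal("0.99")},      # ITF
]


def is_itf(account: int) -> bool:
    """ITF discriminator: the key range tells test data from production data."""
    return account in ITF_ACCOUNT_RANGE


def production_total(txn: Dict) -> Decimal:
    """Constructed stand-in for the production application's pricing logic.

    It carries a deliberate defect of the kind a rounding error test looks for:
    VAT is rounded per unit and then multiplied by the quantity.
    """
    unit_with_vat = (txn["unit_price"] * (1 + VAT_RATE)).quantize(CENT, ROUND_HALF_UP)
    return unit_with_vat * txn["qty"]


def run_production(transactions: List[Dict]) -> Tuple[Dict[int, Decimal], Dict[int, Decimal]]:
    """Process every record once; ITF results go to a separate output for the
    auditor so that routine reports are not corrupted by test data."""
    routine_report: Dict[int, Decimal] = {}
    itf_results: Dict[int, Decimal] = {}
    for txn in transactions:
        target = itf_results if is_itf(txn["account"]) else routine_report
        target[txn["doc"]] = production_total(txn)
    return routine_report, itf_results


def simulated_total(txn: Dict) -> Decimal:
    """Auditor's parallel simulation of the key feature under review:
    VAT computed once on the line amount and rounded at the end."""
    line_amount = txn["unit_price"] * txn["qty"]
    return (line_amount * (1 + VAT_RATE)).quantize(CENT, ROUND_HALF_UP)


def reconcile(transactions: List[Dict], actual: Dict[int, Decimal]) -> List[Dict]:
    """Compare production (or ITF) output with the simulation; return exceptions."""
    exceptions = []
    for txn in transactions:
        if txn["doc"] not in actual:
            continue
        expected = simulated_total(txn)
        if actual[txn["doc"]] != expected:
            exceptions.append({"doc": txn["doc"], "production": actual[txn["doc"]],
                               "simulation": expected,
                               "difference": actual[txn["doc"]] - expected})
    return exceptions


def audit_run() -> Dict:
    """Run production, then apply both techniques to its outputs."""
    routine, itf = run_production(TRANSACTIONS)
    return {
        "routine_docs": sorted(routine),
        "itf_docs": sorted(itf),
        "routine_total": sum(routine.values(), Decimal("0")),
        "parallel_simulation_exceptions": reconcile(TRANSACTIONS, routine),
        "itf_exceptions": reconcile(TRANSACTIONS, itf),
    }


if __name__ == "__main__":
    for key, value in audit_run().items():
        print(f"{key}: {value}")
```

The one-centavo differences on documents 103 and 104 are the kind of deviation the text says may indicate a logic problem; the ITF document surfaces it without touching any real customer account.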
The Item Availability Check is a programmed procedure to ensure that proper action will be taken on sales orders for items that are not available at the moment.
Exercise 2:
Transaction Authorization
Perform transaction with specific authorizations.
You found out in the Company policies that no Purchase Order amounting to more than P200,000
shall be allowed to be posted without the approval of the manager first. Test this kind of control in
the system.
a. Log in to the account of Karla Sy to have the proper authorizations for the transaction to be
made.
Go to Administration > Choose Company > Change User > User ID: Karla then Password: 1234
b. Create a Purchase Order that will qualify for the Approval Procedure
- Navigate to Purchasing – A/P Module > Purchase Order.
- In the Vendor field, choose V1000 Laptop Queen Philippines, Inc.
- Dates default to the system date.
- In the Contents Tab, add Item S1000 in the Item Field with the Quantity of 10. Enter Unit
Price of P22,000.00 then click Add. Total amount of Purchase Order should be PhP246,400
which should trigger the approval procedure.
- Cancel the document.
a. Log in to the account of manager to view the authorizations made for Lukas Ibarra.
Go to Administration > Choose Company > Change User > User ID: manager then Password: 1234
b. View the authorizations of Lukas Ibarra.
Go to Administration > System Initialization > Authorizations > General Authorizations
Choose Lukas. You can see that he has Full Authorization in Sales – A/R but No Authorization in
Purchasing A/P.
c. Test the Segregation of Duties by checking if the Authorizations are functioning properly.
- Log in to Lukas’s account.
Go to Administration > Choose Company > Change User > User ID: Lukas then Password: 1234
- Open Sales Order. Since he has authorization for Sales – A/R, he should be able to open it.
Go to Sales – A/R > Sales Order
- Open Purchase Order. Since he has no authorization for Purchasing – A/P, he should not be
permitted to open it.
Go to Purchasing – A/P > Purchase Order
(Note: If Purchase Order and other documents in the Purchasing – A/P module are not visible, click the Form Settings tool in the Toolbar. Then set the documents in the Purchasing – A/P module as visible.)
- Test the other users further based on their authorizations, following the same procedures.
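The two controls Exercise 2 tests by hand, the approval procedure for Purchase Orders above P200,000 and the general authorizations of Karla and Lukas, modelled as a small program (example code added here, not the guide's and not SAP Business One's; the threshold and the users' authorizations come from the exercise, while the 12% VAT that turns 10 × P22,000 into P246,400 and the shape of the authorization table are assumptions):

```python
"""Approval procedure and general authorizations, as tested in Exercise 2.

Added example; it is not code from the guide or from SAP Business One.
Assumptions: the P200,000 approval threshold and the users' authorizations
are taken from the exercise; the 12% VAT (which turns 10 x P22,000 into
P246,400) and the shape of the authorization table are constructed.
"""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, List, Optional

APPROVAL_THRESHOLD = Decimal("200000")   # company policy quoted in the exercise
VAT_RATE = Decimal("0.12")               # assumption
PURCHASING, SALES = "Purchasing - A/P", "Sales - A/R"

# Assumed general-authorization table: module -> Full / Read Only / None per user.
GENERAL_AUTHORIZATIONS: Dict[str, Dict[str, str]] = {
    "Karla":   {PURCHASING: "Full", SALES: "Full"},
    "Lukas":   {PURCHASING: "None", SALES: "Full"},
    "manager": {PURCHASING: "Full", SALES: "Full"},
}


@dataclass
class Line:
    item: str
    quantity: int
    unit_price: Decimal


@dataclass
class PurchaseOrder:
    vendor: str
    created_by: str
    lines: List[Line]
    approved_by: Optional[str] = None

    def total(self) -> Decimal:
        net = sum((l.quantity * l.unit_price for l in self.lines), Decimal("0"))
        return (net * (1 + VAT_RATE)).quantize(Decimal("0.01"), ROUND_HALF_UP)


def authorization(user: str, module: str) -> str:
    return GENERAL_AUTHORIZATIONS.get(user, {}).get(module, "None")


def can_open(user: str, module: str) -> bool:
    """Opening a document requires at least Read Only on its module."""
    return authorization(user, module) in ("Full", "Read Only")


def requires_approval(po: PurchaseOrder) -> bool:
    """Approval procedure trigger: document total above the policy threshold."""
    return po.total() > APPROVAL_THRESHOLD


def post_purchase_order(po: PurchaseOrder) -> str:
    """Return 'posted', or the reason the posting is blocked.

    The module authorization is checked first (authority to process),
    then the approval procedure (management authorization of the amount).
    """
    if authorization(po.created_by, PURCHASING) != "Full":
        return "blocked: creator lacks full authorization for Purchasing - A/P"
    if requires_approval(po):
        if po.approved_by is None:
            return "blocked: approval procedure triggered, manager approval missing"
        if po.approved_by == po.created_by:
            return "blocked: authorization must be separate from processing"
        if authorization(po.approved_by, PURCHASING) != "Full":
            return "blocked: approver lacks full authorization"
    return "posted"


def exercise_2_results() -> Dict:
    """Re-run the exercise's cases and return the outcomes for the working papers."""
    big_po = PurchaseOrder("V1000 Laptop Queen Philippines, Inc.", "Karla",
                           [Line("S1000", 10, Decimal("22000.00"))])
    small_po = PurchaseOrder(big_po.vendor, "Karla", [Line("S1000", 5, Decimal("22000.00"))])
    return {
        "po_total": big_po.total(),
        "approval_triggered": requires_approval(big_po),
        "post_without_approval": post_purchase_order(big_po),
        "post_self_approved": post_purchase_order(
            PurchaseOrder(big_po.vendor, "Karla", big_po.lines, approved_by="Karla")),
        "post_with_manager_approval": post_purchase_order(
            PurchaseOrder(big_po.vendor, "Karla", big_po.lines, approved_by="manager")),
        "small_po": post_purchase_order(small_po),
        "lukas_opens_sales_order": can_open("Lukas", SALES),
        "lukas_opens_purchase_order": can_open("Lukas", PURCHASING),
    }


if __name__ == "__main__":
    for name, value in exercise_2_results().items():
        print(f"{name}: {value}")
```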
Identify which document in SAP Business One can give a simple audit trail.
Log in to Auditor’s account: User Name: Auditor Password: 1234
a. View document trail on marketing documents.
- Open a closed A/R Invoice.
Go to Sales – A/R > A/R Invoice > Switch to Find Mode by pressing Ctrl + F > Type 28 on the No.
field then press Enter.
- On the Remarks Field, you can see the base documents related to the A/R Invoice.
- Another way is to view the relationship map. Right-click on any blank part of the A/R Invoice, then choose Relationship Map.
- You can double click on any document in the relationship map to view the actual document.
- Choose All Transactions in the Original Journal field, then set the posting date from 01.01.13 to 12.31.13. This shows all the transaction journal records for the whole fiscal year 2013 that could be used for analysis.
c. Plot SAP Business One to the Accounting Cycle (still using the Auditor’s account)
1. Special Journals
a. Sales Journal: Sales – A/R
b. Purchases Journal: Purchasing – A/P
c. Cash/Check Receipts: Banking – Incoming
d. Cash/Check Disbursements: Banking – Outgoing
2. Ledger (General Ledger): Financials > Financial Reports > Accounting > General Ledger
- Uncheck the Business Partner checkbox, then check the Accounts checkbox to show only General Ledger accounts
- Mark ‘X’ the accounts
- Change the Posting Date range ‘From 01.01.13’ ‘To 12.31.13’
- Then click ‘OK’ to show the General Ledger
6. Post-Closing Trial Balance: Financials > Financial Report > Financial > Trial Balance > Check Add Closing Balances
7. Reversing Entries: Financials > Journal Entry > Click Reversal Box (Note: The process given is how to create Reversing Entries)
Ask assistance from your IT personnel, if you cannot find it. It should look like the one below. On the
left side under the databases folder, you can see a list. For database management purposes, a new
database can be added and an existing database can be deleted. For internal control purposes, this
function should only be given to the database administrator.
c. Click Connect
Note: If connection is unsuccessful, call the attention of your technical support to put in the
correct Server Type and Server Name.
d. Click + before the Databases to expand and view all databases > Right Click on the database that
you want to back up > Click Tasks > Click Backup.
e. Click OK when Backup Database window appears. Take note of the default location of the
backup. See example below
(c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Backup\)
View the list of a particular document to identify whether any document is missing by double-checking the numbering of the source documents, and double-check that the source documents were used in sequence.
1. Open SAP Business One
- On the desktop, double-click SAP Business One.
- Click ‘Change Company’, then on the Choose Company window, click RU Laptops Co.
Enter the User ID: auditor, Password: 1234
2. See the list of a particular document i.e. Sales Order
- Go to Sales – A/R > Sales Order
- Switch to Find mode by pressing Ctrl + F
- In the No. field, enter an asterisk symbol (*) then press Enter.
- A list of Sales Orders will appear where you can examine the sequence of the documents based on their numbering.
- You can do this test to other documents as well. To test if the sequence of numbering is correct,
you can sort the list by date then double check if the numbering is still chronological. Any
irregularity will be considered as an exception.
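The three conditions this test looks for (a number missing from the range, a number used twice, and a number that is out of order once the list is sorted by date) can be checked automatically over the exported list. The following is an added example, not code from the guide or from SAP Business One; the document numbers and dates are constructed sample data.

```python
# Added example (not from the guide): sequence test over a constructed list of
# Sales Orders, mirroring the manual check of the SAP Business One
# "Find mode + *" list sorted by date. Document numbers and dates are constructed.
from datetime import date

# Constructed sample: (DocNum, DocDate) as they would come from the list.
SALES_ORDERS = [
    (1, date(2013, 1, 4)),
    (2, date(2013, 1, 9)),
    (3, date(2013, 1, 15)),
    (5, date(2013, 2, 1)),     # 4 is missing
    (6, date(2013, 1, 28)),    # dated before 5: the sequence was not used in date order
    (7, date(2013, 2, 10)),
    (7, date(2013, 2, 11)),    # duplicate number
]

def find_gaps(doc_nums):
    """Numbers absent from the range first..last, as a sorted list."""
    present = set(doc_nums)
    return [n for n in range(min(present), max(present) + 1) if n not in present]

def find_duplicates(doc_nums):
    """Numbers that appear more than once, in order of first repetition."""
    seen, dups = set(), []
    for n in doc_nums:
        if n in seen and n not in dups:
            dups.append(n)
        seen.add(n)
    return dups

def chronology_exceptions(docs):
    """Sort by date, then flag any document whose number is lower than the
    highest number already seen: the numbering is not chronological."""
    exceptions = []
    highest = None
    for num, d in sorted(docs, key=lambda x: (x[1], x[0])):
        if highest is not None and num < highest:
            exceptions.append((num, d))
        highest = num if highest is None else max(highest, num)
    return exceptions

def sequence_report(docs):
    """All three exception lists for one document type."""
    nums = [n for n, _ in docs]
    return {
        "missing": find_gaps(nums),
        "duplicate": find_duplicates(nums),
        "out_of_order": chronology_exceptions(docs),
    }

if __name__ == "__main__":
    for kind, items in sequence_report(SALES_ORDERS).items():
        print(kind, items)
```

Each item the report lists is an exception to be followed up with the client; the test itself proves nothing about why the gap or duplicate exists.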
1. View the list of Business Partners and examine whether the codes used follow the BP Codes adopted
by the Company.
- Go to Business Partners > Business Partner Master Data
- Change the BP Type to Customers.
- Type an asterisk symbol (*) in the code field then press Enter. The list of Business Partners will
appear.
- What is the coding control for Customer BPs? Any irregularity will be considered an exception.
- Do the same process for Vendor BPs.
a. Missing Data Checks. Test whether marketing documents in SAP Business One have this control.
(Note: Use the Lukas user account)
- Open a Sales Order.
Go to Sales – A/R > Sales Order
- Insert the following Information in the Sales Order:
Customer: C1100
Name: Jacob Electronics
Item No.: D1000
Unit Price: PhP 32,000
- Click Add. SAP Business One should flag an error message due to the missing delivery date.
- Cancel the Sales Order. You can test other documents for this control.
b. Numeric-alphabetic Data Checks. Test whether marketing documents in SAP Business One have this control.
- Open a Sales Order.
Go to Sales – A/R > Sales Order
- Insert the following Information in the Sales Order:
Customer: C1100
Name: Jacob Electronics
Item No.: A1000
Delivery date: Current System date
Quantity: ABC
- Click Add. SAP Business One should flag an error message due to an invalid monetary value.
- Cancel the Sales Order. You can test other documents for this control.
c. Limit Checks. Test whether creating a User Account in SAP Business One has this control.
- Log in to the manager account to view the Users – Setup window.
Go to Administration > Choose Company > Change User > User ID: manager then Password: 1234
- Go to Administration > Setup > General > Users. The Users – Setup window will appear. Make sure
you are in Add mode.
- Insert in the User Code field the word ‘Administrator’. SAP Business One will flag an error
message due to exceeding the character limit.
- Cancel the Users – Setup.
d. Validity Checks. Test whether Business Partner Master Data has this control. (Use the Auditor’s Account)
- Go to Business Partners > Business Partner Master Data. Make sure you are in Find mode (i.e. Ctrl + F).
- In the BP Code field, type ‘L1000’ then press Enter. SAP Business One should flag an error message due
to no matching records.
- Cancel the Business Partner Master Data. You can try this control on other documents with known
values.
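The four controls tested above are input validation rules, and the same rules can be written down and run against a document before it is accepted. The following is an added example, not SAP Business One code and not from the guide: a small validator applied to constructed Sales Order and user records. The master data lists, the item codes and the user code limit of 8 characters are assumptions (the guide only states that ‘Administrator’ exceeds the limit and that ‘L1000’ has no matching record).

```python
# Added example (not SAP Business One code): the four application controls
# from the exercises as explicit validation rules over constructed records.
from decimal import Decimal, InvalidOperation

# Assumed master data. L1000 is deliberately absent (validity-check exercise).
BP_MASTER = {"C1100": "Jacob Electronics", "C2200": "Zebra Computers"}
ITEM_MASTER = {"A1000", "D1000"}
USER_CODE_LIMIT = 8   # assumed limit; the guide only says 'Administrator' exceeds it

def missing_data_check(order):
    """Every required field must be present and non-empty (a. Missing Data Checks)."""
    required = ("CardCode", "ItemCode", "Quantity", "Price", "DocDueDate")
    return [f"missing {f}" for f in required if order.get(f) in (None, "")]

def numeric_check(order):
    """Quantity and Price must parse as non-negative numbers (b. Numeric-alphabetic Data Checks)."""
    errors = []
    for f in ("Quantity", "Price"):
        val = order.get(f)
        if val in (None, ""):
            continue   # reported by missing_data_check, not here
        try:
            if Decimal(str(val)) < 0:
                errors.append(f"negative {f}")
        except InvalidOperation:
            errors.append(f"{f} is not numeric: {val!r}")
    return errors

def limit_check(user_code):
    """Field length limit on the user code (c. Limit Checks)."""
    if len(user_code) > USER_CODE_LIMIT:
        return [f"user code exceeds {USER_CODE_LIMIT} characters"]
    return []

def validity_check(order):
    """Codes must exist in the master data (d. Validity Checks)."""
    errors = []
    if order.get("CardCode") not in BP_MASTER:
        errors.append(f"no matching BP code {order.get('CardCode')!r}")
    if order.get("ItemCode") not in ITEM_MASTER:
        errors.append(f"no matching item {order.get('ItemCode')!r}")
    return errors

def validate_order(order):
    """All document-level controls; an empty list means the document may be added."""
    return missing_data_check(order) + numeric_check(order) + validity_check(order)

if __name__ == "__main__":
    # Constructed document matching exercise (a): no delivery date.
    print(validate_order({"CardCode": "C1100", "ItemCode": "D1000", "Quantity": 1, "Price": 32000}))
    print(limit_check("Administrator"))
```

A control that is present in the application should be tested exactly as the exercises do, by feeding it a record that must be rejected; the point of writing the rules out is to make explicit which rejection each test expects.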
View some techniques used to preserve audit trails in SAP Business One.
a. Transaction Logs.
Every transaction successfully processed by the system should be recorded on a transaction log, which serves
as a journal.
View a list of all transactions posted in SAP Business One or generate transaction log.
- Open a document – A/R Invoice for example. Go to Sales – A/R > A/R Invoice
- In the toolbar, click the Transaction Journal tool.
- Choose All Transactions in the Original Journal field, then set the posting date from 01.01.13 to 12.31.13.
This shows all the transaction journal records for the whole fiscal year 2013, which can be used for
analysis.
CHAPTER 3
SUBSTANTIVE TESTS
Review Sales Documents and Balances for Unusual Trends and Exceptions
A useful audit procedure for identifying potential audit risks involves scanning data files for unusual
transactions and account balances. For example, scanning accounts receivable for excessively large
balances may indicate that the company’s credit policy is being improperly applied.
Review Sales Invoices and Customer Master Data for Missing and Duplicate Items
Searching for missing and/or duplicate transactions and data entries is another important test that
helps the auditor corroborate or refute the completeness and accuracy assertions. Duplicate and
missing transactions in the revenue cycle may be evidence of over- or understated sales and accounts
receivable.
EXERCISE 10: Testing the Accuracy and Completeness Assertion (USE AUDITOR’S ACCOUNT)
a. Review Sales Documents and Balances for Unusual Trends and Exceptions
Open a list of Sales Orders for examination for any unusual trends and exceptions using a Query.
- Open the Query Generator and create a query statement to produce an ad hoc report showing the
list of all Sales Orders.
Go to Tools Menu > Queries > Query Generator
- On the Table field, type ‘ORDR’ then press Tab. The field names and descriptions will appear.
(Note: ORDR is the name of the Sales Order table in the MSSQL database on which SAP Business One
runs.)
- Double click the following field names: (Tip: You can list the field name alphabetically by double
clicking the name title)
DocNum, DocDate, CardCode, CardName, DocTotal
- Click in the Sort By field then double-click DocTotal in the list of Field names.
- Then click Execute to produce the ad hoc report, “List of Sales Order”.
Now you can examine all the Sales Orders and scan for any unusual items. For example, a Sales Order
amounting to PhP 894,080 was executed on December 31, 2013, which is considered a holiday in the
Philippines. The amount is also unusually large compared with the other Sales Orders. The auditor should
inquire about this with the company’s management and seek additional information.
You can do the same procedures for other Sales documents. You just need to know the appropriate
Table Name.
(Tip: To get a list of SAP documents and their equivalent table names, open a blank Query Generator. In the Table
field, type the asterisk symbol (*) then press Tab. The list of table and field names will appear.)
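The query the Query Generator builds from those clicks is a plain SELECT over ORDR with the alias T0, and the scan for unusual items can be automated once the rows are out. The following is an added example, not from the guide or from SAP: the same query run on an in-memory SQLite table named ORDR with the five selected fields, followed by two exception flags (posted on a non-working day, total far above the mean). The rows and the holiday list are constructed; the table layout is only the five fields the exercise selects, not the real ORDR schema.

```python
# Added example (not from the guide): the "List of Sales Order" ad hoc query
# rebuilt on SQLite, plus automated scanning for unusual items. Sample rows and
# the holiday set are constructed; T0 is the alias the Query Generator uses.
import sqlite3
from datetime import date
from statistics import mean, pstdev

# Constructed sample rows: (DocNum, DocDate, CardCode, CardName, DocTotal)
ORDR_ROWS = [
    (1, "2013-03-04", "C1100", "Jacob Electronics", 96000.0),
    (2, "2013-05-17", "C2200", "Zebra Computers", 128000.0),
    (3, "2013-08-22", "C1100", "Jacob Electronics", 64000.0),
    (4, "2013-11-05", "C3300", "Lappy Trading", 112000.0),
    (5, "2013-12-31", "C4400", "New World Dot Net, Co", 894080.0),
]

# Assumed non-working days for the test (constructed, not a calendar source).
HOLIDAYS = {date(2013, 12, 25), date(2013, 12, 31)}

# Same shape as the Query Generator output: selected fields, sorted by DocTotal.
QUERY = """
SELECT T0.DocNum, T0.DocDate, T0.CardCode, T0.CardName, T0.DocTotal
FROM ORDR T0
ORDER BY T0.DocTotal
"""

def load_ordr(rows):
    """In-memory stand-in for the ORDR table with only the fields the exercise uses."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE ORDR (DocNum INTEGER, DocDate TEXT, CardCode TEXT, "
                "CardName TEXT, DocTotal REAL)")
    con.executemany("INSERT INTO ORDR VALUES (?, ?, ?, ?, ?)", rows)
    return con

def list_sales_orders(con):
    return con.execute(QUERY).fetchall()

def scan_for_exceptions(rows, z=1.5):
    """Flag orders posted on a non-working day and orders whose total lies more
    than z population standard deviations above the mean. With only a handful
    of rows the largest possible z-score is small, hence the modest default."""
    totals = [r[4] for r in rows]
    mu, sigma = mean(totals), pstdev(totals)
    flagged = []
    for docnum, docdate, _, name, total in rows:
        reasons = []
        if date.fromisoformat(docdate) in HOLIDAYS:
            reasons.append("posted on a holiday")
        if sigma and (total - mu) / sigma > z:
            reasons.append("unusually large amount")
        if reasons:
            flagged.append((docnum, name, total, reasons))
    return flagged

if __name__ == "__main__":
    con = load_ordr(ORDR_ROWS)
    for item in scan_for_exceptions(list_sales_orders(con)):
        print(item)
```

Flagged rows are candidates for inquiry, nothing more; the thresholds only decide which orders the auditor looks at first.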
Upon examination of the list of customers and their balances, you notice that the balance of
Lappy Trading is negative. This is unusual, considering that customer balances are normally debits
(positive). The auditor can investigate this exception further. List your findings and your
proposed adjusting entry below:
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
As you scan the list of business partners, some of the customer names look familiar. You can further
investigate this issue by comparing the master data. Open two Business Partner Master Data records, one for Jacob
Electrics and one for Jacob Electronics. Do the same for the other two, then list your findings here:
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
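Both master-data tests in this part (the BP coding control checked earlier and the near-duplicate customer names above) can be run over the exported Business Partner list. The following is an added example, not from the guide or from SAP. The code patterns (C plus four digits for customers, V plus four digits for vendors) and the use of CardType C/S for customer/supplier are assumptions; the guide only shows customer codes such as C1100 and C2200. The partner list is constructed.

```python
# Added example (not from the guide): coding-control and near-duplicate tests
# over a constructed Business Partner list. Patterns and CardType values are assumed.
import re
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample: (CardCode, CardType, CardName); C = customer, S = supplier (assumed).
BUSINESS_PARTNERS = [
    ("C1100", "C", "Jacob Electronics"),
    ("C1200", "C", "Jacob Electrics"),
    ("C2200", "C", "Zebra Computers"),
    ("C3300", "C", "Lappy Trading"),
    ("C4400", "C", "New World Dot Net"),
    ("C4500", "C", "New World Dot Net Co"),
    ("V1000", "S", "Solid Electrics, Inc."),
    ("CX99",  "C", "Odd Code Trading"),     # breaks the assumed coding control
]

# Assumed coding control: 'C' + four digits for customers, 'V' + four digits for vendors.
CODE_PATTERNS = {"C": re.compile(r"^C\d{4}$"), "S": re.compile(r"^V\d{4}$")}

def coding_exceptions(partners):
    """Codes that do not follow the pattern adopted for their partner type."""
    return [code for code, ctype, _ in partners if not CODE_PATTERNS[ctype].match(code)]

def normalise(name):
    """Lower-case, drop punctuation and common legal suffixes so that
    'New World Dot Net' and 'New World Dot Net Co' compare on substance."""
    name = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    words = [w for w in name.split() if w not in {"co", "inc", "ltd", "corp"}]
    return " ".join(words)

def likely_duplicates(partners, threshold=0.85):
    """Pairs whose normalised names are at least `threshold` similar
    (difflib ratio = 2 * matching characters / total characters)."""
    pairs = []
    for (c1, _, n1), (c2, _, n2) in combinations(partners, 2):
        ratio = SequenceMatcher(None, normalise(n1), normalise(n2)).ratio()
        if ratio >= threshold:
            pairs.append((c1, c2, round(ratio, 2)))
    return pairs

if __name__ == "__main__":
    print("coding exceptions:", coding_exceptions(BUSINESS_PARTNERS))
    print("possible duplicates:", likely_duplicates(BUSINESS_PARTNERS))
```

A pair reported as similar is a prompt to open both master data records and compare them, exactly as the exercise asks; whether two records really are one customer is decided from the master data, not from the name score.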
View the Aging of Accounts Receivable and provide for the Allowance for Doubtful Accounts based on the Company’s
policies.
- Open the Aging Report of the company’s customer balances
Go to Financials > Financial Reports > Accounting > Aging > Customer Receivables Aging
- In the Selection Criteria, insert the following information:
Code: From C1100 To C2200
Aging Date: 03.31.14
Then click OK
- SAP Business One will generate Customer Receivables Aging showing the age of receivables from the
customers.
- Now the auditor can perform the analysis based on this aging and compute the appropriate amount of the
Allowance for Doubtful Accounts based on the Company’s policies.
- Compute the amount of the Allowance for Doubtful Accounts.
Based on industry experience, the collectability of accounts is as follows:
0 – 1 month = 100%
Over one month not over two months = 98%
Over two months not over three months = 95%
Over three months not over four months = 92%
Over four months = 90%
How much is the proposed Allowance for Doubtful Accounts? ____________
- Then click Execute to produce the ad hoc report, “List of A/P Invoice”.
Now you can examine all the A/P Invoices and scan for any unusual items. For further examination,
you can click the small graph icon to see an analysis of the A/P Invoices depicted on a graph.
You can do the same procedures for other Purchasing documents. You just need to know the
appropriate Table Name.
a. Scan for any open Goods Receipt PO, which could indicate that no liabilities have yet been created for
this account.
Open the Open Items List report to view any open GRPO
- Go to Reports > Sales and Purchasing > Open Items List. Then on the Open Documents drop-down
menu, choose Goods Receipts POs.
- The auditor will see that there are two open GRPOs, meaning no A/P Invoice has yet been
recorded in this account, thus understating the vendor balances.
Double-check the findings made by comparing the list of GRPOs and A/P Invoices. Open a list of
GRPOs and a list of A/P Invoices.
- Go to Purchasing – A/P > Goods Receipt PO. Switch to Find mode by pressing Ctrl + F.
- In the No. field, type the asterisk symbol (*) then press Enter.
- Upon pressing Enter, a list of GRPOs will appear.
- Do the same procedure for A/P Invoice to see the list of A/P Invoices, then compare the lists.
- Now, the auditor can compare the list of A/P Invoices available against the GRPOs. Note your findings
below and your proposed adjusting entries:
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
(Tip: To see the original entry made by SAP for the Goods Receipt PO documents, open the unmatched
GRPOs, then go to the Accounting tab. Beside the Journal Remark, click the link arrow to know the original
Exercise 14:
Testing the Existence Assertion
a. Scan the payments made in the subsequent period using Query
Open a list of Outgoing Payments for the month of January 2014 (Subsequent Period) for
examination of subsequent payments.
- Open Query Generator and create a query statement to produce an ad hoc report showing the list
of Outgoing Payments for the month of January 2014.
Go to Tools Menu > Queries > Query Generator
- On the Table field, type ‘OVPM’ then press Tab. The field names and descriptions will appear.
(Note: OVPM is the name of the Outgoing Payments table in the MSSQL database on which
SAP Business One runs.)
- Double click the following field names: (Tip: You can list the field name alphabetically by double
clicking the name title)
DocNum, DocDate, CardCode, CardName, DocTotal
- Click in the Where field to enter the condition. Double-click DocDate in the list of field names,
then click the Conditions button. The Conditions pane will appear.
- Click again in the Where field; make sure that the cursor is at the end of T0.[DocDate]. Then
double-click the condition ‘Greater or Equal’ followed by a double-click on any variable, for
example [%0].
- Another condition will be added, so scroll down the list of conditions then double-click ‘And’.
Continue the condition by double-clicking DocDate again in the list of field names, followed
by a double-click on the condition ‘Smaller or Equal’, then double-click again on any variable
except the one used before. For example, use [%1].
- Click in the Sort By field then double-click DocDate in the list of Field names.
- Then click Execute.
- The Query – Selection Criteria window will appear, where we can enter our condition. Insert 01.01.14
in the Greater or Equal field and 01.31.14 in the Smaller or Equal field to show only the Outgoing
Payments made in January 2014. Then click OK.
- Now, the auditor can trace the payments to existing liabilities as of December 31, 2013. List your
findings here and your proposed adjusting entries:
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
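The [%0] and [%1] variables make the Query Generator prompt for the two dates and pass them into the WHERE clause; the same query can be run outside SAP with the dates as bound parameters, which keeps user-entered values out of the SQL text. The following is an added example, not from the guide or from SAP: the Exercise 14 query on an in-memory SQLite table named OVPM, followed by the trace of each January payment to an A/P Invoice, which is what the Relationship Map shows document by document. The payment rows and the payment-to-invoice links are constructed; the OP numbers 63 to 67 and which of them lack an A/P Invoice follow the solution given later in the guide.

```python
# Added example (not from the guide): subsequent-payments query on SQLite with
# bound parameters, then the unrecorded-liability trace. All rows are constructed.
import sqlite3

# Constructed OVPM rows: (DocNum, DocDate, CardCode, CardName, DocTotal).
# ISO dates so that string comparison in the WHERE clause orders correctly.
OVPM_ROWS = [
    (62, "2013-12-28", "V1000", "Solid Electrics, Inc.", 50000.0),
    (63, "2014-01-06", "V2000", "Office Payroll", 120000.0),
    (64, "2014-01-10", "V2000", "Office Payroll", 120000.0),
    (65, "2014-01-15", "V3000", "Metro Power", 18000.0),
    (66, "2014-01-20", "V1000", "Solid Electrics, Inc.", 75000.0),
    (67, "2014-01-28", "V4000", "City Couriers", 9000.0),
    (68, "2014-02-03", "V1000", "Solid Electrics, Inc.", 30000.0),
]
# Constructed link payment -> A/P Invoice base document (what the Relationship Map shows).
PAYMENT_TO_INVOICE = {62: 401, 66: 405, 67: 406}

# The Query Generator's [%0] / [%1] become the two bound parameters.
QUERY = """
SELECT T0.DocNum, T0.DocDate, T0.CardCode, T0.CardName, T0.DocTotal
FROM OVPM T0
WHERE T0.DocDate >= ? AND T0.DocDate <= ?
ORDER BY T0.DocDate
"""

def load_ovpm(rows):
    """In-memory stand-in for OVPM with only the fields the exercise selects."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE OVPM (DocNum INTEGER, DocDate TEXT, CardCode TEXT, "
                "CardName TEXT, DocTotal REAL)")
    con.executemany("INSERT INTO OVPM VALUES (?, ?, ?, ?, ?)", rows)
    return con

def subsequent_payments(con, start, end):
    """Outgoing Payments dated within [start, end], as the parameterised query returns them."""
    return con.execute(QUERY, (start, end)).fetchall()

def unrecorded_liability_candidates(payments, links):
    """Payments in the subsequent period with no A/P Invoice behind them may be
    settling a liability that was never recorded as of the balance sheet date."""
    return [(num, name, total) for num, _, _, name, total in payments if num not in links]

if __name__ == "__main__":
    con = load_ovpm(OVPM_ROWS)
    jan = subsequent_payments(con, "2014-01-01", "2014-01-31")
    for item in unrecorded_liability_candidates(jan, PAYMENT_TO_INVOICE):
        print("no A/P Invoice:", item)
```

Each candidate still has to be traced to the ledger (the solution does this for Salaries Payable) before an adjusting entry is proposed; a payment without an A/P Invoice might also be a 2014 expense.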
SAP Business One will generate the Vendor Liabilities Aging, showing the age of payables to the
vendors. This aging can be the basis for the auditor’s confirmation of balances with the company’s
vendors.
Audit of Cash
Perform a manual bank reconciliation to determine the correct balance of cash that should be reported by
the Company. Reconcile the Balance per SAP records and the Balance per Bank Statement.
The accountant showed the auditor the Bank Statement sent by the bank for the month of
December, as shown below:
[Bank reconciliation worksheet; only the row labels Less:, Total Adjustments and Adjusted Balance survived extraction]
The deposit in the bank statement amounting to PhP 190,000.00 was traced to a deposit slip
sent by Solid Electrics in January 2014. Upon inquiry with the client, the deposit pertains to a
partial payment made by Solid Electrics on its amount due to the client.
Now the auditor can perform the bank reconciliation by comparing the records per bank and the
records per SAP Business One. Write below your findings and proposed adjusting entries:
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________
Audit of Inventories
Ensure that inventories are stated at the lower of cost or net realizable value.
The company’s manager told the auditor that on December 20, the compartment where the laptops
are stored caved in, resulting in some exterior damage to the units. The laptops are still
working properly; however, their physical appearance has been damaged and the company fears that it might
not sell them at the intended prices, so it decided to hire someone to compute the net realizable
values of the laptops. This list of net realizable values was given to the auditor.
a. Compare the recorded costs of the inventories with their NRV and compute for the necessary
adjustment to recognize inventory loss (use Manager’s Account).
- Open the Inventory Audit Report
Go to Inventory > Inventory Reports > Inventory Audit Report
- On the Selection Criteria insert the following information in the specified field.
Change to Posting Date
From 01.01.13, To 12.31.13 to include the transactions for the whole fiscal year 2013.
Item Code: From A1000 To S1000
Then click OK.
- The Inventory Audit Report will appear. If you click on the black arrow beside the yellow arrow, the
details of a particular item will expand. Now the auditor can see the actual cost recorded per
system and compare it with its net realizable value. Take note that the valuation method used for
the laptops is First In, First Out (FIFO).
Audit of Prepayments
Check whether the prepayments represent their actual unexpired prepaid amounts. If not, make the necessary
adjustments to recognize the expense.
Upon checking the Trial Balance of the company, the auditor noted two items that are considered
prepayments. The auditor examined the SAP Business One documents used to record the prepayments
and also the journal entries. He also examined any third-party documents related to those assets.
Upon seeing the contents of the Trial Balance, the auditor decided to audit the Office Supplies account
and the Insurance Expense account. He wants to see the SAP Business One documents used to record
these accounts as well as any third-party documents.
Open the SAP Business One document used to record Office Supplies.
- Go to Financials > Financial Reports > Accounting > General Ledger
- In the General Ledger – Selection Criteria, uncheck the Business Partner box and check the Accounts box.
Make sure that no accounts are marked with ‘x’.
- Change the level of accounts to 5.
- Mark ‘x’ on CA500 – Office Supplies.
- In the posting date From field, enter 01.01.13, and in the To field 12.31.13, to show the transactions for the
whole fiscal year 2013 for this account.
- Then press OK.
- The General Ledger for Office Supplies will appear.
- To view the SAP Business One document used, click the link arrow on the Doc. No. Column (i.e. PS 8)
- To view the journal entry, click the link arrow on the posting date column (i.e. 02.14.13)
According to company’s personnel, the estimated remaining Office Supplies is 20% of the original
purchased amount.
As for the insurance, upon examination of the Insurance Contract, it is for 2 years starting on its
purchase date, which is also the posting date. Do the same procedure for Insurance Expense.
(Hint: The insurance premium is recorded using Expense Method)
Upon checking the Trial Balance, the auditor noted that depreciation expenses had yet to be entered in
the accounting records, so the auditor examined the SAP Business One documents used to record the
acquisition of the assets as well as any third-party documents to properly determine the start date of
depreciation, then computed the depreciation expense based on the company’s policy on depreciating
fixed assets.
Depreciation Method:
10% Salvage Value
5 year Useful Life – Office Equipment, Office Furniture
20 year Useful Life – Leasehold Improvements
SOLUTIONS
TO THE SUBSTANTIVE TESTING EXERCISES
(Exercises 10 - 15)
Exercise 10-b
Review customer balances for unusual trends and exceptions.
Upon examination of the list of customers and their balances, you notice that the balance of Lappy Trading
is negative. This is unusual, considering that customer balances are normally debits (positive). The auditor can
investigate this exception further.
1. Choose Lappy Trading on the list of business partners to open the Business Partner Master Data.
3. The account balance details of Lappy Trading will open. Change the Posting Date from ’01.01.13’ to
’12.31.13’. Then click the ‘link arrow’ beside the origin number (i.e. 25).
4. The Incoming Payment document will open. If you examine the document, no invoice has been selected
for payment, which is not typical for an incoming payment of an A/R Invoice.
5. This could be due to a wrong application of a collection from a different customer. Examine the
balances of the customers to see if there is a similar amount. You will see that Zebra Computers has the
same balance as the wrong payment.
> Go to Business Partner Master Data.
> Go to Find mode (Ctrl + F).
> Put an asterisk on the code field then press enter.
> List of Business Partners will appear.
Exercise 10-c
Review list of customers for any duplicated items
1. Open both the Business Partner Master Data for Jacob Electrics and Jacob Electronics.
Go to Business Partners > Business Partner Master Data.
Go to Find mode (Ctrl + F).
Put an asterisk on the code field then press enter.
List of Business Partners will appear.
Select first Jacob Electrics. Then repeat the process for Jacob Electronics.
2. Upon comparison and examination of both the Business Partner Master Data, we can conclude that
Jacob Electrics and Jacob Electronics pertain to one customer only.
3. Transfer the balance of Jacob Electrics to Jacob Electronics. Then set the Business Partner Master Data
of Jacob Electrics to ‘Inactive’. However, you can only do this once all the open invoices for Jacob
Electrics are closed.
4. Do the same process for New World Dot Net and New World Dot Net Co.
Customer              | Unadjusted Balance of Invoices | Adjustments  | Adjusted Balance | 0 - 30     | 31 - 60    | 61 - 90 | 91 - 120   | 121 +
Jacob Electronics     | 201,168.00   | 496,214.40   | 697,382.40   | 254,812.80 | 201,168.00 | -  | -          | 241,401.60
Zebra Computers       | 368,808.00   | (368,808.00) | -            | -          | -          | -  | -          | -
Lappy Trading         | (145,288.00) | 368,808.00   | 223,520.00   | 223,520.00 | -          | -  | -          | -
New World Dot Net, Co | 469,392.00   | 726,440.00   | 1,195,832.00 | 469,392.00 | 268,224.00 | -  | 458,216.00 | -
Solid Electrics, Inc. | 424,688.00   | -            | 424,688.00   | -          | -          | -  | 424,688.00 | -
Jacob Electrics       | 496,214.40   | (496,214.40) | -            | -          | -          | -  | -          | -
New World Dot Net     | 726,440.00   | (726,440.00) | -            | -          | -          | -  | -          | -
TOTAL                 | 2,541,422.40 | -            | 2,541,422.40 | 947,724.80 | 469,392.00 | -  | 882,904.00 | 241,401.60
Percentage            |              |              |              |            | 2%         | 5% | 8%         | 10%
Doubtful Accounts     |              |              |              |            | 9,387.84   | -  | 70,632.32  | 24,140.16
Provision for Doubtful Accounts: 104,160.32
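The aging table above is the bucketing of each customer's adjusted balance by days outstanding as of the aging date, and the provision is the bucket totals multiplied by the doubtful percentages implied by the collectability policy (100%, 98%, 95%, 92%, 90% collectable gives 0%, 2%, 5%, 8%, 10% doubtful). The following is an added example, not from the guide: it ages a constructed set of open invoices as of 03.31.14, totals the buckets and computes the allowance. The bucket totals and the 104,160.32 provision from the table above are used to check the allowance function; the individual invoice dates are constructed.

```python
# Added example (not from the guide): aging buckets and the allowance for
# doubtful accounts under the company policy given in the exercise.
from datetime import date

BUCKETS = ["0 - 30", "31 - 60", "61 - 90", "91 - 120", "121 +"]
# 100% / 98% / 95% / 92% / 90% collectable, i.e. these shares are doubtful.
DOUBTFUL_PCT = {"0 - 30": 0.00, "31 - 60": 0.02, "61 - 90": 0.05, "91 - 120": 0.08, "121 +": 0.10}
AGING_DATE = date(2014, 3, 31)   # the aging date entered in the Selection Criteria

def bucket_for(days):
    """Map days outstanding to the report's bucket labels."""
    if days <= 30:
        return "0 - 30"
    if days <= 60:
        return "31 - 60"
    if days <= 90:
        return "61 - 90"
    if days <= 120:
        return "91 - 120"
    return "121 +"

def age_invoices(invoices, aging_date):
    """invoices: (CardName, DocDate, open amount). Returns {customer: {bucket: amount}}."""
    aging = {}
    for customer, doc_date, amount in invoices:
        days = (aging_date - doc_date).days
        per_cust = aging.setdefault(customer, {b: 0.0 for b in BUCKETS})
        per_cust[bucket_for(days)] += amount
    return aging

def bucket_totals(aging):
    """The TOTAL row of the report."""
    totals = {b: 0.0 for b in BUCKETS}
    for per_cust in aging.values():
        for b, amt in per_cust.items():
            totals[b] += amt
    return totals

def allowance(totals):
    """Provision for doubtful accounts: bucket total x doubtful percentage."""
    return round(sum(totals[b] * DOUBTFUL_PCT[b] for b in BUCKETS), 2)

# TOTAL row of the solution table above, used to check allowance().
SOLUTION_TOTALS = {"0 - 30": 947724.80, "31 - 60": 469392.00, "61 - 90": 0.0,
                   "91 - 120": 882904.00, "121 +": 241401.60}

# Constructed open invoices, chosen so their ages fall in four different buckets.
SAMPLE_INVOICES = [
    ("Jacob Electronics", date(2014, 3, 10), 254812.80),       # 21 days  -> 0 - 30
    ("Jacob Electronics", date(2014, 2, 5), 201168.00),        # 54 days  -> 31 - 60
    ("Jacob Electronics", date(2013, 11, 20), 241401.60),      # 131 days -> 121 +
    ("Solid Electrics, Inc.", date(2013, 12, 10), 424688.00),  # 111 days -> 91 - 120
]

if __name__ == "__main__":
    print("provision per solution table:", allowance(SOLUTION_TOTALS))
    aged = age_invoices(SAMPLE_INVOICES, AGING_DATE)
    print("sample buckets:", bucket_totals(aged))
    print("sample provision:", allowance(bucket_totals(aged)))
```

The adjustments column of the table (reclassifying the Zebra Computers collection and merging the duplicate customers) has to be applied before aging; the allowance is computed on adjusted balances, which is why the exercises that found those exceptions precede this one.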
1. See the journal entry created for the GRPO to create a proper adjusting entry.
Go to Purchasing – A/P > Goods Receipt PO
Go to Find mode (Ctrl + F).
Put an asterisk on the vendor field then press enter.
List of GRPO will appear.
Select GRPO No. 27. Goods Receipt PO No. 27 will open.
2. Inside the GRPO No. 27, go to Accounting Tab then click the link arrow beside the journal remark.
Automatic journal entry created will open. Use the journal entry created as the basis for the adjusting
entry.
3. Do the same process for GRPO No. 26 to get the total amount of adjustment needed.
1. Click the link arrows beside each Document number to open the Outgoing Payment; each document
should have a related A/P Invoice set up.
2. Open the Relationship Map of each Outgoing Payment document. Right click anywhere inside the
Outgoing Payment then choose Relationship Map.
3. Do this for all Outgoing Payment documents. Those documents with no A/P Invoice mean that no
liabilities have been recorded for 2013.
Without A/P Invoice: OP No. 63, 64, 65
With A/P Invoice: OP No. 66 and 67
4. To double-check that there were really no A/P Invoices recorded for the noted Outgoing Payments, do
this for Salaries Payable.
Go to Financials > Chart of Accounts
Click the Liabilities drawer then select Salaries Payable.
Click the link arrow beside the Balance to open the General Ledger of Salaries Payable.
Change the Posting Date: ‘From’: 01.01.13 ‘To’: 12.31.13
Upon scrolling down, you will see that there is no balance as of December 31, 2013.
Audit of Cash
1. Perform the Bank Reconciliation.
DEPOSITS IN TRANSIT – Examine the deposit documents created for the month of December, then
compare them with the deposits reflected in the bank statement.
Go to Banking > Deposits > Deposit
Go to Find mode (Ctrl + F). Type an asterisk (*) in the Deposit No. field then press ‘Enter’.
Examine the deposits created for December, then trace them to the Bank Statement. Those not
present in the Bank Statement are considered reconciling items for the Balance per
Bank as Deposits in Transit.
OUTSTANDING CHECKS – Examine the checks that were issued for the month of December, then
compare them with the checks reflected in the bank statement.
Go to Banking > Outgoing Payments > Checks for Payment
Go to Find mode (Ctrl + F). Type an asterisk (*) in the Internal ID field then press ‘Enter’.
Examine the checks created for December, then trace them to the Bank Statement. Those not
present in the Bank Statement are considered reconciling items for the Balance per
Bank as Outstanding Checks.
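The two tracing steps above are a matching exercise in both directions: book deposits and checks not found on the statement adjust the Balance per Bank, and statement lines not found in the books (the PhP 190,000 customer deposit described in the exercise, or a bank charge) adjust the Balance per SAP. The following is an added example, not from the guide or from SAP, that performs that matching on constructed book records and statement lines and builds the two adjusted balances. Matching is by amount only, which is what the manual tick-off does; two items of the same amount would need the date or reference to tell them apart.

```python
# Added example (not from the guide): bank reconciliation by matching book-side
# deposits/checks against constructed bank statement lines.

# Book-side December records: (reference, amount).
BOOK_DEPOSITS = [("DEP-41", 150000.0), ("DEP-42", 85000.0), ("DEP-43", 60000.0)]
BOOK_CHECKS = [("CHK-301", 40000.0), ("CHK-302", 25000.0), ("CHK-303", 12000.0)]
# Constructed bank statement lines: (description, amount); credits positive, debits negative.
# The 190,000 credit stands for the customer deposit the books do not yet contain.
BANK_LINES = [("Deposit", 150000.0), ("Deposit", 85000.0), ("Check 301", -40000.0),
              ("Check 303", -12000.0), ("Deposit", 190000.0), ("Service charge", -500.0)]

def match_by_amount(book_items, bank_amounts):
    """Tick each book item against one unused bank line of the same amount.
    Returns (book items left unticked, bank amounts left unticked)."""
    unused = list(bank_amounts)
    unmatched = []
    for ref, amount in book_items:
        if amount in unused:
            unused.remove(amount)
        else:
            unmatched.append((ref, amount))
    return unmatched, unused

def reconcile(balance_per_bank, balance_per_books):
    """Two-column reconciliation: bank side adjusted for items the bank has not
    yet seen, book side adjusted for items the books have not yet recorded."""
    bank_credits = [a for _, a in BANK_LINES if a > 0]
    bank_debits = [-a for _, a in BANK_LINES if a < 0]
    deposits_in_transit, unrecorded_credits = match_by_amount(BOOK_DEPOSITS, bank_credits)
    outstanding_checks, unrecorded_debits = match_by_amount(BOOK_CHECKS, bank_debits)
    adjusted_bank = (balance_per_bank
                     + sum(a for _, a in deposits_in_transit)
                     - sum(a for _, a in outstanding_checks))
    adjusted_books = balance_per_books + sum(unrecorded_credits) - sum(unrecorded_debits)
    return {
        "deposits_in_transit": deposits_in_transit,
        "outstanding_checks": outstanding_checks,
        "book_side_credits": unrecorded_credits,   # e.g. the customer deposit to record
        "book_side_debits": unrecorded_debits,     # e.g. bank charges to record
        "adjusted_balance_per_bank": adjusted_bank,
        "adjusted_balance_per_books": adjusted_books,
    }

if __name__ == "__main__":
    # Constructed opening balances chosen so that both sides reconcile to 500,000.
    result = reconcile(balance_per_bank=465000.0, balance_per_books=310500.0)
    for k, v in result.items():
        print(k, v)
```

The book-side items are the ones that become adjusting entries (the 190,000 collection credited to the customer, the bank charge expensed); deposits in transit and outstanding checks need no entry, only disclosure on the reconciliation.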
Audit of Inventories
1. Use the First-In, First-Out (FIFO) method in computing the inventory value. To compute, here is an
example for the ACER Laptop inventory using the Inventory Audit Report.
According to the report, there were 20 units of Acer Laptops on the day the compartment
collapsed.
If FIFO has been used, these units are composed of the latest purchases made.
Count backwards from the latest purchase, which is December 11, until you have 20 units.
[FIFO layering table; only the TOTAL 20 row survived extraction]
2. Compare the cost computed with the net realizable value. According to the standards, inventories
should be valued at the lower of cost or net realizable value (NRV). If NRV is lower, that would be the
new value of the inventory and an inventory loss should be recorded. So for the Acer Laptop, this would be
the computation.
[Table: Date, Units, Cost, NRV, Write Down; only the TOTAL 20 row survived extraction]
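The two steps above, walking backwards from the latest purchase until the on-hand count is covered and then writing each layer down to NRV where cost is higher, are mechanical once the purchase history is available. The following is an added example, not from the guide: the purchase lots, the 20 units on hand and the NRV per unit are constructed, so the figures do not reproduce the guide's Inventory Audit Report.

```python
# Added example (not from the guide): FIFO layering of the units on hand and the
# lower-of-cost-or-NRV write-down. Purchases, on-hand count and NRV are constructed.
from datetime import date

# Constructed purchase history for one item: (date, units, unit cost), oldest first.
PURCHASES = [
    (date(2013, 9, 2), 10, 30000.0),
    (date(2013, 10, 15), 12, 31000.0),
    (date(2013, 11, 20), 8, 31500.0),
    (date(2013, 12, 11), 6, 32000.0),
]
ON_HAND = 20              # units per the Inventory Audit Report on the collapse date (constructed)
NRV_PER_UNIT = 30500.0    # constructed net realizable value after the damage

def fifo_layers(purchases, on_hand):
    """Under FIFO the units on hand are the most recent purchases, so walk
    backwards from the latest lot until the on-hand count is covered."""
    layers, remaining = [], on_hand
    for d, units, cost in sorted(purchases, reverse=True):
        if remaining == 0:
            break
        take = min(units, remaining)
        layers.append((d, take, cost))
        remaining -= take
    if remaining:
        raise ValueError(f"purchases cover only {on_hand - remaining} of {on_hand} units")
    return list(reversed(layers))   # oldest layer first, as the report lists them

def write_down(layers, nrv_per_unit):
    """Per layer: (date, units, cost, NRV, loss). Loss only where cost exceeds NRV;
    a layer whose NRV is above cost stays at cost (no write-up)."""
    rows, total = [], 0.0
    for d, units, cost in layers:
        loss = max(cost - nrv_per_unit, 0.0) * units
        rows.append((d, units, cost * units, nrv_per_unit * units, loss))
        total += loss
    return rows, total

if __name__ == "__main__":
    layers = fifo_layers(PURCHASES, ON_HAND)
    rows, total = write_down(layers, NRV_PER_UNIT)
    for row in rows:
        print(row)
    print("TOTAL units:", sum(u for _, u, _ in layers), "write-down:", total)
```

The total write-down is the inventory loss to record; the cost figure comes from the layers themselves, which is why the valuation method noted in the report (FIFO) has to be confirmed before the layers are built.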
Audit of Prepayments
It is duly noted that both prepayments, Office Supplies and Insurance Expense, should be adjusted.
2. As for the Insurance, it was initially recorded using the expense method, so the unexpired portion should
be recognized as an asset.
Go to Financials > Chart of Accounts
Click the Operating Costs drawer then select ‘Insurance Expense’
Click the link arrow beside the balance to open the ledger of Insurance Expense. Change the dates:
From: 01.01.13; To: 12.31.13
Take note of the date of the transaction, which indicates the start of the insurance period.
3. Compute the unexpired portion of the insurance based on the posting date of the transaction:
Total Amount of Insurance Premium: P50,000.00
Ratio of Unexpired Period (14 months): 14/24
Unexpired Portion: P29,166.67