Quick Guide to Auditing in an IT Environment

TABLE OF CONTENTS

Chapter 1: Introduction to Information Technology Audit
• What is an IT Audit?
• IT Audit Objectives
• IT Audit vs. Financial and Compliance Audit
• IT Audit Process
• Overview of the 4 Phases of IT Audit

Chapter 2: Test of Controls
• Objectives of Internal Control
• Modifying Assumptions
• Five Components of Internal Control
a. Control Environment
b. Risk Assessment
c. Information and Communication
d. Monitoring
e. Control Activities
- Physical Controls
- Computer Controls
• Testing Computer Application Controls
• Five CAATT Approaches to Test Application Controls

Chapter 3: Substantive Tests
• Substantive Tests of Revenue Cycle
• Substantive Tests of Expenditure Cycle
• Substantive Tests of Other Financial Statement Accounts

Solutions to Substantive Testing Exercises
• Exercises 10 - 15

Chapter 4: IT Audit Report


CHAPTER 1:
INTRODUCTION TO INFORMATION TECHNOLOGY AUDIT

What is an Information Technology (IT) Audit?


• IT audit is the examination and evaluation of an organization's information
technology infrastructure, policies and operations. Information technology audits determine
whether IT controls protect corporate assets, ensure data integrity and are aligned with the
business's overall goals. IT auditors examine not only physical security controls, but also
overall business and financial controls that involve information technology systems.

• It can also be defined as any audit that encompasses review and evaluation of automated
information processing systems, related non-automated processes and the interfaces
among them.

IT Audit Objectives

Because operations at modern companies are increasingly computerized, IT audits are used to
ensure information-related controls and processes are working properly. The primary objectives of
an IT audit include:

• Evaluate the systems and processes in place that secure company data.
• Determine risks to a company's information assets, and help identify methods to minimize
those risks.
• Substantiate that the internal controls exist and are functioning as expected to minimize
business risk.
• Ensure information management processes are in compliance with IT-specific
laws, policies and standards.
• Determine inefficiencies in IT systems and associated management.

IT Audit vs. Financial Audit and Compliance Audit

IT Audit is not about ordinary accounting controls or traditional financial auditing. The use of
computers in accounting systems introduced a new source of risk associated with accounting
processes and information (i.e., data). It also introduced the need for those who understand this
new “thing” to identify and mitigate the risk. Financial Audit is focused on gathering data to ensure
that the company’s financial statements are free from material misstatements. On the
other hand, IT audit is the examination and evaluation of an organization's information
technology infrastructure, policies and operations. Information technology audits determine
whether IT controls protect corporate assets, ensure data integrity and are aligned with the
business's overall goals. IT Audit is just a part of the overarching process of the Financial Audit.

IT auditing is also not compliance testing. Some believe IT auditors are about making sure people
conform to some set of rules—implicit or explicit—and that what we do is report on exceptions to
the rules. Actually, that is management’s job. It is not the compliance with rules that is of interest to
IT auditors. IT auditors are examining whether the entity’s relevant systems or business processes
for achieving and monitoring compliance are effective. IT auditors also assess the design
effectiveness of the rules—whether they are suitably designed or sufficient in scope to properly
mitigate the target risk or meet the intended objective.

Compliance failures are important to IT auditors, but for reasons beyond the keeping of rules. A
compliance failure can be, and often is, the symptom of a bigger problem related to some risk factor
and/or control, such as a defective system or business process, that can or does adversely affect the
entity. Thus, to the IT auditor, compliance failures are much more about risk (ultimately) than the
rules themselves.

It is also passé to automatically or casually consider the IT considerations of an audit to be out of
scope because they are not explicitly related to some stated requirement, or to consider an audit to
be a waste of time. The fact is IT can and does adversely affect business processes or financial data
in ways of which management may not be adequately aware.

IT Audit Process

1. Planning the Audit Schedule.

A key part of a good process is having an overall Audit Schedule that is readily available to let
everyone know when each process will be audited over the upcoming cycle (usually a yearly
schedule). If you were not to have a plan and went with surprise audits, the message that is
given from senior management is “We don’t trust our employees.” By publishing the audit
intentions, the message is that this is meant as a support to the process owners and the auditors
are there to help. This can allow the process owners to time the finish of any improvement
projects that they are working on to be before the audit, so that they can gather valuable
information on the implementation, or to request the auditors to focus on helping to gather
information for other planned improvements.

2. Planning the Process Audit.

The first step in planning the individual process audits is to confirm with the process owners
when the audit will take place. The overall plan above is more of a guideline as to how often
processes will be audited, and roughly when, but the confirmation allows the auditor and
process owner to collaborate to determine the best time to review the process. This is when the
auditor can review previous audits to see if any follow-up is required on comments or concerns
previously found, and when the process owner can identify any areas that the auditor can look
at to assist the process owner to identify information. A good audit plan can make sure that the
process owner will get value out of the audit process.

Planning the IT audit involves two major steps. The first step is to gather information and do
some planning; the second step is to gain an understanding of the existing internal control
structure. More and more organizations are moving to a risk-based audit approach which is
used to assess risk and helps an IT auditor make the decision as to whether to perform
compliance testing or substantive testing. In a risk-based approach, IT auditors are relying on
internal and operational controls as well as the knowledge of the company or the business.
This type of risk assessment decision can help relate the cost-benefit analysis of the control to
the known risk. In the “Gathering Information” step the IT auditor needs to identify five items:

• Knowledge of business and industry
• Prior year’s audit results
• Recent financial information
• Regulatory statutes
• Inherent risk assessments

A side note on “inherent risk”: it is defined as the risk that an error exists that could be
material or significant when combined with other errors encountered during the audit,
assuming there are no related compensating controls. As an example, complex database
updates are more likely to be miswritten than simple ones, and thumb drives are more likely to
be stolen (misappropriated) than blade servers in a server cabinet. Inherent risks exist
independent of the audit and can occur because of the nature of the business.

In the “Gain an Understanding of the Existing Internal Control Structure” step, the IT auditor
needs to identify five other areas/items:

• Control environment
• Control procedures
• Detection risk assessment
• Control risk assessment
• Equate total risk

Once the IT auditor has “Gathered Information” and “Understands the Control”, they are
ready to begin the planning, or selection of areas, to be audited. Remember, one of the key
pieces of information that you will need in the initial steps is a current Business Impact Analysis
(BIA), to assist you in selecting the applications which support the most critical or sensitive
business functions.

3. Conducting the Audit.

An audit should start with a meeting with the process owner to make sure that the audit plan is
complete and ready. Then there are many avenues for the auditor to gather information during
the audit: reviewing records, talking to employees, analyzing key process data or even
observing the process in action. The focus of this activity is to gather evidence that the process
is functioning as planned in the QMS, and is effective in producing the required results. One of
the most valuable things that an auditor can do for a process owner is not only to identify areas
that do not have evidence that they are functioning properly, but also to point out areas of a
process that may function better if changes are made.

4. Reporting on the Audit.

A closing meeting with the process owner is a necessity to ensure that the flow of information is
not delayed. The process owner will want to know if there are any areas of weakness that need
to be addressed, but will also be interested in knowing if any areas exist that might be
improved. This should be followed with a written record as soon as possible to provide the
information in a more permanent format to enable follow-up of the information. By identifying
not only the non-conforming areas of the process, but also the positive areas and potential
improvement areas, the process owner will get a better value from the Internal Audit, which
will allow for process improvements.

5. Follow-up on Issues or Improvements Found.

As with many areas of the standard, follow-up is a critical step. If problems have been found and
corrective actions taken, making sure that the problem is actually fixed is a key part of fixing it.
If improvement projects have been completed from opportunities identified in the audit, then
seeing how much the process has improved is a great motivator for future improvements.

OVERVIEW OF THE 4 PHASES OF AN IT AUDIT

The IT audit is generally divided into three phases: audit planning, tests of controls, and substantive
testing.

1. AUDIT PLANNING

The first step in the IT audit is audit planning. Before the auditor can determine the nature and
extent of the tests to perform, he or she must gain an understanding of the business. A major part
of this phase of the audit is the analysis of audit risk. The objective of the auditor is to obtain
sufficient information about the firm to plan the other phases of the audit. The risk analysis
incorporates an overview of the organization’s internal controls. During the review of controls, the
auditor attempts to understand the organization’s policies, practices, and structure. In this phase of
the audit, the auditor also identifies the financial applications and attempts to understand the
controls over the primary transactions that are processed by these applications.

The techniques for gathering evidence at this phase include questionnaires, interviewing
management, reviewing systems documentation, and observing activities. During this process, the
IT auditor must identify the principal exposures and the controls that attempt to reduce these
exposures. Having done so, the auditor proceeds to the next phase, where he or she tests the controls
for compliance with pre-established standards.

2. TESTS OF CONTROLS

The objective of the tests of controls phase is to determine whether adequate internal controls are
in place and functioning properly. To accomplish this, the auditor performs various tests of
controls. The evidence gathering techniques used in this phase may include both manual
techniques and specialized computer audit techniques.

At the conclusion of the tests of controls phase, the auditor must assess the quality of internal
controls. The degree of reliance the auditor can ascribe to internal controls affects the nature and
extent of substantive testing that needs to be performed.

3. SUBSTANTIVE TESTING

The third phase of the audit process focuses on financial data. This involves a detailed investigation
of specific account balances and transactions through what are called substantive tests. For
example, a customer confirmation is a substantive test sometimes used to verify account balances.
The auditor selects a sample of accounts receivable balances and traces these back to their source,
the customers, to determine if the amount stated is in fact owed by a bona fide customer. By doing
so, the auditor can verify the accuracy of each account in the sample. Based on such sample
findings, the auditor is able to draw conclusions about the fair value of the entire accounts
receivable asset.

Some substantive tests are physical, labor-intensive activities such as counting cash, counting
inventories in the warehouse, and verifying the existence of stock certificates in a safe. In an IT
environment, the information needed to perform substantive tests (such as account balances and
names and addresses of individual customers) is contained in data files that often must be
extracted using Computer Assisted Audit Tools and Techniques (CAATTs) software.

4. AUDIT REPORT

So what’s included in the audit documentation, and what does the IT auditor need to do once
the audit is finished? Here’s the laundry list of what should be included in your audit
documentation:

• Planning and preparation of the audit scope and objectives
• Description and/or walkthroughs on the scoped audit area
• Audit program
• Audit steps performed and audit evidence gathered
• Whether services of other auditors and experts were used and their contributions
• Audit findings, conclusions and recommendations
• Audit documentation relation with document identification and dates (your
cross-reference of evidence to audit step)
• A copy of the report issued as a result of the audit work
• Evidence of audit supervisory review

When you communicate the audit results to the organization it will typically be done at an exit
interview where you will have the opportunity to discuss with management any findings and
recommendations. You need to be absolutely certain of:

 The facts presented in the report are correct


 The recommendations are realistic and cost-effective, or alternatives have been
negotiated with the organization’s management
 The recommended implementation dates will be agreed to for the recommendations
you have in your report.

Your presentation at this exit interview will include a high-level executive summary (as Sgt.
Friday used to say, “just the facts please, just the facts”). And for whatever reason, a picture is
worth a thousand words so do some PowerPoint slides or graphics in your report.

Your audit report should be structured so that it includes:

• An introduction (executive summary)
• The findings, in a separate section and grouped by intended recipient
• Your overall conclusion and opinion on the adequacy of controls examined and any
identified potential risks
• Any reservations or qualifications with respect to the audit
• Detailed findings and recommendations

Finally, there are a few other considerations which you need to be cognizant of when preparing
and presenting your final report. Who is the audience? If the report is going to the audit
committee, they may not need to see the minutiae that go into the local business unit report.
You will need to identify the organizational, professional and governmental criteria applied
such as GAO-Yellow Book, CobiT or NIST SP 800-53. Your report will want to be timely so as to
encourage prompt corrective action.

And as a final, final parting comment, if during the course of an IT audit, you come across a
materially significant finding, it should be communicated to management immediately, not at
the end of the audit.

CHAPTER 2:
TEST OF CONTROLS
What is an Internal Control System?

OBJECTIVES OF INTERNAL CONTROL

The internal control system comprises policies, practices, and procedures employed by the
organization to achieve four broad objectives:
1. To safeguard assets of the firm.
2. To ensure accuracy and reliability of accounting records and information.
3. To promote efficiency in the firm’s operations.
4. To measure compliance with management’s prescribed policies and procedures.

The internal control system serves as a shield that protects the firm’s assets from numerous
undesirable events that bombard the organization. These include attempts at unauthorized access
to the firm’s assets (including information), fraud perpetrated by persons both in and outside the
firm, errors due to employee incompetence, faulty computer programs, and corrupted input data,
and mischievous acts such as unauthorized access by computer hackers and threats from computer
viruses that destroy programs and databases.

A weakness in internal control may expose the firm to one or more of the following types of risks:
1. Destruction of assets (both physical assets and information)
2. Theft of assets
3. Corruption of information or the information system
4. Disruption of the information system

MODIFYING ASSUMPTIONS

Inherent in these control objectives are four modifying assumptions that guide designers and
auditors of internal control systems.

1. Management Responsibility
This concept holds that the establishment and maintenance of a system of internal control is
a management responsibility.

2. Reasonable Assurance
The internal control system should provide reasonable assurance that the four broad
objectives of internal control are met. This means that no system of internal control is
perfect and the cost of achieving improved control should not outweigh its benefits.

3. Methods of Data Processing
The internal control system should achieve the four broad objectives regardless of the data
processing method used. However, the techniques used to achieve these objectives will vary
with different types of technology.

4. Limitations
Every system of internal control has limitations on its effectiveness. These include (1) the
possibility of error – no system is perfect, (2) circumvention – personnel may circumvent
the system through collusion or other means, (3) management override – management is in
a position to override control procedures by personally distorting transactions or by
directing a subordinate to do so, and (4) changing conditions – conditions may change over
time so that existing controls may become ineffectual.

FIVE COMPONENTS OF INTERNAL CONTROL

CONTROL ENVIRONMENT
The control environment is the foundation for the other four control components. The control
environment sets the tone for the organization and influences the control awareness of its
management and employees.

RISK ASSESSMENT
Organizations must perform a risk assessment to identify, analyze, and manage risks relevant to
financial reporting. Risks can arise out of changes in circumstances such as:
• Changes in the operating environment that impose new competitive pressures on the firm.
• New personnel who possess a different or inadequate understanding of internal control.
• New or reengineered information systems that affect transaction processing.
• Significant or rapid growth that strains existing internal controls.
• The implementation of new technology into the production process or information system
that impacts transaction processing.

INFORMATION AND COMMUNICATION


The accounting information system consists of the records and methods used to initiate, identify,
analyze, classify, and record the organization’s transactions and to account for the related assets
and liabilities. The quality of information generated by the AIS impacts management’s ability to
take actions and make decisions in connection with the organization’s operations and to prepare
reliable financial statements. An effective accounting system will:

• Identify and record all valid financial transactions.
• Provide timely information about transactions in sufficient detail to permit proper
classification and financial reporting.
• Accurately measure the financial value of transactions so their effects can be recorded in
financial statements.
• Accurately record transactions in the time period in which they occurred.

SAS 78 requires that auditors obtain sufficient knowledge of the organization’s information system
to understand:

• The classes of transactions that are material to the financial statements and how those
transactions are initiated.
• The accounting records and accounts that are used in the processing of material
transactions.
• The transaction processing steps involved from the initiation of an economic event to its
inclusion in the financial statements.
• The financial reporting process used to prepare financial statements, disclosures, and
accounting estimates.

MONITORING
Management must determine that internal controls are functioning as intended. Monitoring is the
process by which the quality of internal control design and operation can be assessed. This may be
accomplished by separate procedures or by ongoing activities.

An organization’s internal auditors may monitor the entity’s activities in separate procedures. They
gather evidence of control adequacy by testing controls, and then communicate control strengths
and weaknesses to management. As part of this process, internal auditors make specific
recommendations for improvement to controls.

Ongoing monitoring may be achieved by integrating special computer modules into the information
system that capture key data and/or permit tests of controls to be conducted as part of routine
operations.

Another technique for achieving ongoing monitoring is the judicious use of management reports.
Timely reports allow managers in functional areas such as sales, purchasing, production, and cash
disbursements to oversee and control their operations. By summarizing activities, highlighting
trends, and identifying exceptions from formal performance, well-designed management reports
provide evidence of internal control function or malfunction.

CONTROL ACTIVITIES
Control activities are the policies and procedures used to ensure that appropriate actions are taken
to deal with the organization’s identified risks. Control activities can be grouped into two distinct
categories: computer controls and physical controls. The focus of this module is on the former.

Physical Controls
This class of control activities relates primarily to traditional accounting systems that employ
manual procedures. However, an understanding of these control concepts also gives insights to the
risks and control concerns associated with the IT environment. There are six traditional categories
of Physical Control Activities.

Transaction Authorization
The purpose of transaction authorization is to ensure that all material transactions processed by
the information system are valid and in accordance with management’s objectives. Authorizations
may be general or specific. General authority is granted to operations personnel to perform day-to-
day operations. An example of general authorization is the procedure to authorize the purchase of
inventories from a designated vendor only when inventory levels fall to their predetermined
reorder points. This is called a programmed procedure (not necessarily in the computer sense of
the word). The decision rules are specified in advance, and no additional approvals are required.

On the other hand, specific authorizations deal with case-by-case decisions associated with non-
routine transactions. An example of this is the decision to extend a particular customer’s credit limit
beyond the normal amount. Specific authority is usually a management responsibility.


EXERCISE 1: Transaction Authorization

Perform transaction with a programmed procedure

a. Open SAP Business One
- On the desktop, double-click SAP Business One.
- Click ‘Change Company’, then in the Choose Company window, click RU Laptops, Co.
- Enter the User ID: Lukas Password: 1234
Note: Use the user account of Lukas Ibarra to have the proper authorizations for the transaction
to be made.
b. Create a Sales Order
- Navigate to Sales – A/R Module > Sales Order.
- In the Customer field, choose C1100 Jacob Electronics.
- Click the Logistics Tab, then check the box for Procurement Document by clicking it.
- Type the current date in the delivery date. Posting date is at its default which is the system
date.
- Click the Contents Tab. Add Item S1000 in the Item Field with the Quantity of 20.
- Press Enter. Item Availability Check window will appear as shown below. Choose Continue
and click OK.
- Click Cancel to cancel the document

The Item Availability Check is a programmed procedure that ensures proper action is taken
on sales orders for items that may not be available at the moment.


EXERCISE 2: Transaction Authorization
Perform transaction with specific authorizations.

You found out in the Company policies that no Purchase Order amounting to more than P200,000
shall be allowed to be posted without the approval of the manager first. Test this kind of control in
the system.
a. Log in to the account of Karla Sy to have the proper authorizations for the transaction to be
made.
Go to Administration > Choose Company > Change User > User ID: Karla then Password: 1234

b. Create a Purchase Order that will qualify for the Approval Procedure
- Navigate to Purchasing – A/P Module > Purchase Order.
- In the Vendor field, choose V1000 Laptop Queen Philippines, Inc.
- Dates default to the system date.
- In the Contents Tab, add Item S1000 in the Item Field with the Quantity of 10. Enter Unit
Price of P22,000.00 then click Add. Total amount of Purchase Order should be PhP246,400
which should trigger the approval procedure.
- Cancel the document.
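
The same control can be re-performed over a whole population of posted purchase orders instead of one test document. The script below is an added example, not part of the guide or of SAP Business One; the export column names and every row are constructed, and only the P200,000 limit and the user IDs Karla and manager come from the exercise.

```python
# Added example: a CAATT-style re-performance of the Exercise 2 control.
# The column names and every row below are constructed for illustration;
# they are not SAP Business One's schema or data.
import csv
import io
from datetime import datetime
from decimal import Decimal

# Policy from Exercise 2: a Purchase Order of more than P200,000 needs the
# manager's approval before it is posted.
APPROVAL_THRESHOLD = Decimal("200000")

# Constructed export of posted purchase orders (hypothetical columns).
SAMPLE_EXPORT = """\
po_no,created_by,total,approved_by,approved_at,posted_at
1001,Karla,246400.00,manager,2013-03-04T09:15,2013-03-04T10:00
1002,Karla,180000.00,,,2013-03-05T11:20
1003,Karla,310000.00,,,2013-03-06T14:05
1004,Karla,205000.00,Karla,2013-03-07T08:30,2013-03-07T08:45
1005,Karla,250000.00,manager,2013-03-09T16:00,2013-03-08T13:10
1006,Karla,200000.00,,,2013-03-10T09:00
"""


def _timestamp(value):
    """Parse an export timestamp; an empty field means 'not recorded'."""
    value = value.strip()
    return datetime.strptime(value, "%Y-%m-%dT%H:%M") if value else None


def find_approval_exceptions(export_text, threshold=APPROVAL_THRESHOLD):
    """Return (po_no, reason) for each posted PO that breaks the policy."""
    exceptions = []
    for row in csv.DictReader(io.StringIO(export_text)):
        # Decimal avoids float rounding at the boundary amount.
        if Decimal(row["total"]) <= threshold:
            continue  # policy says "more than": the limit itself is allowed
        creator = row["created_by"].strip().lower()
        approver = row["approved_by"].strip().lower()
        approved_at = _timestamp(row["approved_at"])
        posted_at = _timestamp(row["posted_at"])
        if not approver:
            reason = "NO_APPROVAL"
        elif approver == creator:
            # The person who raised the PO also released it.
            reason = "SELF_APPROVED"
        elif approved_at is None or posted_at is None or approved_at > posted_at:
            # Approval is missing a timestamp or was recorded after posting.
            reason = "APPROVAL_NOT_BEFORE_POSTING"
        else:
            continue
        exceptions.append((row["po_no"], reason))
    return exceptions


if __name__ == "__main__":
    for po_no, reason in find_approval_exceptions(SAMPLE_EXPORT):
        print(po_no, reason)
```
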


EXERCISE 3: Segregation of Duties

Business Process Segregation.

Upon reading the Organization Chart, you found out that Lukas Ibarra is designated as a Sales Officer,
so he should be able to work on the documents that are related to Sales. For other documents,
such as those relating to Purchasing, he should not have authorization to open them. Test the
segregation of duties as defined in the Authorization Table.

a. Log in to the account of manager to view the authorizations made for Lukas Ibarra.
Go to Administration > Choose Company > Change User > User ID: manager then Password: 1234
b. View the authorizations of Lukas Ibarra.
Go to Administration > System Initialization > Authorizations > General Authorizations
Choose Lukas. You can see that he has Full Authorization in Sales – A/R but No Authorization in
Purchasing A/P.

c. Test the Segregation of Duties by checking if the Authorizations are functioning properly.
- Log in to Lukas’s account.
Go to Administration > Choose Company > Change User > User ID: Lukas then Password: 1234
- Open Sales Order. Since he has authorization for Sales – A/R, he should be able to open it.
Go to Sales – A/R > Sales Order
- Open Purchase Order. Since he has no authorization for Purchasing – A/P, he should not be
permitted to open it.
Go to Purchasing – A/P > Purchase Order
(Note: If Purchase Order and other documents in the Purchasing – A/P module are not visible,
click the Form Settings tool in the Toolbar. Then set the documents in the Purchasing A/P as
visible.)


- Test the other users further based on their authorizations, following the same procedures.
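
Steps b and c can be recorded as data and compared mechanically once more than a few users are tested. The script below is an added example, not part of the guide or of SAP Business One; the role matrix, the users other than Lukas, and all rows are constructed, and it assumes the auditor has typed in what the General Authorizations window shows and what happened at each access attempt.

```python
# Added example: design and operating checks for the Exercise 3 control.
# Users other than Lukas, the role matrix and all rows are constructed.

# Authorization levels ranked from least to most access.
RANK = {"No Authorization": 0, "Read Only": 1, "Full Authorization": 2}

# Access each role should have, as read from the organization chart (assumed).
ROLE_MATRIX = {
    "Sales Officer": {"Sales - A/R": "Full Authorization",
                      "Purchasing - A/P": "No Authorization"},
    "Purchasing Officer": {"Sales - A/R": "No Authorization",
                           "Purchasing - A/P": "Full Authorization"},
}
ORG_CHART = {"Lukas": "Sales Officer", "sales02": "Sales Officer",
             "buyer01": "Purchasing Officer"}

# Step b: what the General Authorizations window shows for each user.
CONFIGURED = {
    ("Lukas", "Sales - A/R"): "Full Authorization",
    ("Lukas", "Purchasing - A/P"): "No Authorization",
    ("sales02", "Sales - A/R"): "Full Authorization",
    ("sales02", "Purchasing - A/P"): "No Authorization",
    ("buyer01", "Sales - A/R"): "Read Only",
    ("buyer01", "Purchasing - A/P"): "Full Authorization",
    ("temp03", "Sales - A/R"): "Full Authorization",
}

# Step c: result of logging in as the user and opening the document.
# True means the form opened, False means the system blocked it.
OBSERVED = {
    ("Lukas", "Sales - A/R"): True,
    ("Lukas", "Purchasing - A/P"): False,
    ("sales02", "Purchasing - A/P"): True,
    ("buyer01", "Sales - A/R"): True,
}


def design_findings(org_chart, role_matrix, configured):
    """Compare configured authorizations with what each role should have."""
    findings = []
    for (user, module), level in sorted(configured.items()):
        role = org_chart.get(user)
        if role is None:
            # Account holds authorizations but is not on the organization chart.
            findings.append((user, module, "NO_ROLE_ON_CHART"))
            continue
        expected = role_matrix[role].get(module, "No Authorization")
        if RANK[level] > RANK[expected]:
            findings.append((user, module, "EXCESS_ACCESS"))
        elif RANK[level] < RANK[expected]:
            findings.append((user, module, "INSUFFICIENT_ACCESS"))
    return findings


def operating_findings(configured, observed):
    """Compare what actually happened with what the configuration allows."""
    findings = []
    for key, opened in sorted(observed.items()):
        level = configured.get(key, "No Authorization")
        should_open = RANK[level] > 0
        if opened and not should_open:
            findings.append((*key, "OPENED_WITHOUT_AUTHORIZATION"))
        elif not opened and should_open:
            findings.append((*key, "BLOCKED_DESPITE_AUTHORIZATION"))
    return findings


if __name__ == "__main__":
    for finding in design_findings(ORG_CHART, ROLE_MATRIX, CONFIGURED):
        print("design:", finding)
    for finding in operating_findings(CONFIGURED, OBSERVED):
        print("operating:", finding)
```
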


EXERCISE 4: Accounting Records

Identify which documents in SAP Business One can give a simple audit trail.
Log in to the Auditor’s account: User Name: Auditor Password: 1234
a. View document trail on marketing documents.
- Open a closed A/R Invoice.
Go to Sales – A/R > A/R Invoice > Switch to Find Mode by pressing Ctrl + F > Type 28 on the No.
field then press Enter.
- On the Remarks Field, you can see the base documents related to the A/R Invoice.
- Another way is to view the relationship map. Right click on any blank part of the A/R Invoice
then choose relationship map.

- You can double click on any document in the relationship map to view the actual document.


b. View a list of all transactions posted in SAP Business One or generate transaction log.
- Open a document – A/R Invoice for example. Go to Sales – A/R > A/R Invoice
- In the toolbar, click the Transaction Journal tool.

- Choose All Transactions in the Original Journal field then set the posting date from 01.01.13 to
12.31.13. This is to show all the transaction journal records for the whole fiscal year 2013 that
could be used for analysis.


c. Plot SAP Business One to the Accounting Cycle (Still using Auditor’s Account)

Accounting Cycle SAP Business One


1. Journal General Journal Generate Transaction Journal Report (See Previous
Step but change the Original Journal criteria to
Journal Entry to view only the manual journal
entries made.)

Special Journals
a. Sales Journal Sales – A/R
b. Purchases Journal Purchasing – A/P
c. Cash/Check Receipts Banking – Incoming
d. Cash/Check Banking – Outgoing
Disbursements

2. Ledger General Ledger Financials > Financial Reports > Accounting >
General Ledger
- Uncheck the Business Partner Checkbox then
check the Accounts Checkbox to show only
General Ledger Accounts
- Mark ‘X’ the accounts
- Change the Posting Date range ‘From 01.01.13’
‘To 12.31.13’
- Then Click ‘OK’ to show the General Ledger

Page 23
Quick Guide to Auditing in an IT Environment

Subsidiary Ledger Financials > Financial Reports > Accounting


>General Ledger
- Check the Business Partner Checkbox then
uncheck the Accounts Checkbox to show only
Subsidiary Accounts
- To view a particular SL, change the BP Code
‘From C1100’ and ‘To C1100’
- Change the Posting Date range ‘From 01.01.13’
‘To 12.31.13’
- Then Click ‘OK’ to show the Subsidiary Ledger
for this Business Partner

Page 24
Quick Guide to Auditing in an IT Environment

Trial Balance: Financials > Financial Report > Financial > Trial Balance
(Note: Do the same process with General Ledger)

3. Adjusting Entries: Financial > Journal Entry > Click Adjustment Box
(Note: The process given is how to create Adjusting Entries)

4. Financial Statements: Financials > Financial Report > Financial > Profit & Loss or Balance Sheet
(Note: Just change to desired period then click OK)

5. Closing Entries: Administration > Utilities > Period End Closing


6. Post-Closing Trial Balance: Financials > Financial Report > Financial > Trial Balance > Check Add Closing Balances

7. Reversing Entries: Financials > Journal Entry > Click Reversal Box
(Note: The process given is how to create Reversing Entries)


EXERCISE 5: General Controls


Gain hands-on experience viewing an actual database in a database management system, using SQL Server
Management Studio Express as the example.
1. Open SQL Server Management Studio Express
From your desktop, click the Start button, choose All Programs, then navigate to SQL Server
Management Studio Express.

Ask your IT personnel for assistance if you cannot find it. It should look like the one below. On the
left side, under the Databases folder, you can see a list of databases. For database management purposes,
a new database can be added and an existing database can be deleted. For internal control purposes, this
function should be given only to the database administrator.

2. Perform database backup and store it in another storage device

a. Click Start Button (lower leftmost corner of the screen)


b. Click All Programs > Microsoft SQL Server 2005> SQL Server Management Studio Express


c. Click Connect
Note: If connection is unsuccessful, call the attention of your technical support to put in the
correct Server Type and Server Name. Password is B1Admin

d. Click + before the Databases to expand and view all databases > Right Click on the database that
you want to back up > Click Tasks > Click Backup.


e. Click OK when Backup Database window appears. Take note of the default location of the
backup. See example below
(c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Backup\)

f. Retrieve the backup database.


Go to Start > Computer > Local Disk (C:) > Program Files > Microsoft SQL Server > MSSQL.1 >
MSSQL > Backup
g. Copy the backup file with an extension file of .bak and save it to another storage device.
3. Perform Database Restore
a. Follow steps a, b and c, in Number 2.
b. Right-click + before the Databases > Click Restore Database and a new window Restore
Database will appear.
c. Type in the field ‘To database:’ your new database name (in the example below it is Sample).
d. Click ‘From device:’ and the button. A new window Specify Backup will appear. Click Add Button
and locate your backup file. Click Ok. Click Ok.
e. Click box under Restore. Click OK to execute restoration.
f. To check, expand Databases and view the restored database.
g. Refresh databases in SAP B1 to view the restored database by double-clicking the SAP B1
shortcut from your desktop. Click the Change Company button. In the Choose Company screen,
click Refresh.


EXERCISE 6: Source Document Controls

View the list of a particular document type and check the numbering of the source documents to identify
whether any document is missing.
Double check that the source documents were used in sequence.
1. Open SAP Business One
- On the desktop, double-click SAP Business One.
- Click the ‘Change Company’ then on the Choose Company window, click the RU Laptops, Co.
Enter the User ID: auditor, Password: 1234
2. See the list of a particular document i.e. Sales Order
- Go to Sales – A/R > Sales Order
- Switch to Find mode by pressing Ctrl + F
- In the No. field, enter an asterisk symbol (*) then press Enter.
- A list of Sales Orders will appear where you can examine the sequence of the documents based on
their numbering.
- You can do this test to other documents as well. To test if the sequence of numbering is correct,
you can sort the list by date then double check if the numbering is still chronological. Any
irregularity will be considered as an exception.
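
The same sequence test can be run over an exported document list. The Python sketch below is an added example, not part of the original guide; the (DocNum, DocDate) rows are constructed and the function name is an assumption.

```python
from collections import Counter
from datetime import date

# Constructed sample rows (DocNum, DocDate), standing in for a document list
# exported from the Find-mode result; not data from the guide's company.
SAMPLE_ORDERS = [
    (1, date(2013, 1, 5)),
    (2, date(2013, 1, 9)),
    (3, date(2013, 2, 1)),
    (5, date(2013, 2, 14)),  # number 4 was never used
    (8, date(2013, 2, 20)),  # numbered ahead of later-dated documents
    (6, date(2013, 3, 2)),
    (6, date(2013, 3, 2)),   # same number appears twice
    (7, date(2013, 3, 10)),
]


def sequence_exceptions(docs):
    """Return numbering exceptions for a list of (doc_num, doc_date) rows.

    missing     numbers skipped between the lowest and highest number seen
    duplicates  numbers that occur more than once
    inversions  pairs (earlier, later) of date-adjacent documents where the
                later-dated document carries the lower number
    """
    if not docs:
        return {"missing": [], "duplicates": [], "inversions": []}

    counts = Counter(num for num, _ in docs)
    duplicates = sorted(num for num, seen in counts.items() if seen > 1)

    present = set(counts)
    missing = [n for n in range(min(present), max(present) + 1)
               if n not in present]

    # Sort by date (number breaks ties within a day), then compare neighbours,
    # which mirrors sorting the on-screen list by date and reading down it.
    by_date = sorted(set(docs), key=lambda row: (row[1], row[0]))
    inversions = [(prev, cur) for prev, cur in zip(by_date, by_date[1:])
                  if cur[0] < prev[0]]

    return {"missing": missing, "duplicates": duplicates,
            "inversions": inversions}


if __name__ == "__main__":
    for kind, found in sequence_exceptions(SAMPLE_ORDERS).items():
        print(kind, found)
```

Each item reported is an exception to follow up with the document owner, not proof of an irregularity by itself.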


EXERCISE 7: Data Coding Controls

1. View the list of Business Partners and examine whether the codes used follow the BP Codes adopted
by the Company
- Go to Business Partners > Business Partner Master Data
- Change the BP Type to Customers.
- Type an asterisk symbol (*) in the code field then press Enter. The list of Business Partners will
appear.
- What is the coding control for Customers BP? Any irregularity will be considered as an exception.
- Do the same process for Vendors BP.


EXERCISE 8: Field Interrogation

a. Missing Data Checks. Test if marketing documents in SAP Business One have this control.
(Note: Use Lukas user account)
- Open a Sales Order.
Go to Sales – A/R > Sales Order
- Insert the following Information in the Sales Order:
Customer: C1100
Name: Jacob Electronics
Item No.: D1000
Unit Price: PhP 32,000
- Click Add. SAP Business One should flag an error message due to missing delivery date.
- Cancel the Sales Order. You can test other documents for this control.

b. Numeric-alphabetic Data Checks. Test if marketing documents in SAP Business One have this control.
- Open a Sales Order.
Go to Sales – A/R > Sales Order
- Insert the following Information in the Sales Order:
Customer: C1100
Name: Jacob Electronics
Item No.: A1000
Delivery date: Current System date
Quantity: ABC
- Click Add. SAP Business One should flag an error message due to invalid monetary value.
- Cancel the Sales Order. You can test other documents for this control.


c. Limit Checks. Test if creating a User Account in SAP Business One has this control.
- Log in to the manager account to view the User Setup window.
Go to Administration > Choose Company > Change User > User ID: manager then Password: 1234
- Go to Administration > Setup > General > Users. Users – Setup window will appear. Make sure
you are in Add mode.
- Insert in the User Code field the word ‘Administrator’. SAP Business One will flag an error
message because the character limit is exceeded.
- Cancel the Users – Setup.


d. Validity Checks. Test if Business Partner Master Data has this control. (Use Auditor’s Account)
- Go to Business Partners > Business Partner Master Data. Make sure you are in Find mode (i.e. Ctrl + F)
- In the BP Code field, type ‘L1000’ then press Enter. SAP Business One should flag an error message due
to no matching records.
- Cancel the Business Partner Master Data. You can try this control to other documents with known
values.
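
The four field interrogation checks in Exercise 8 (missing data, numeric-alphabetic, limit and validity), written out as an added Python example that is not SAP Business One code. The user-code length limit, the set of valid BP codes and all field names are assumptions made for illustration; the guide does not state them.

```python
from decimal import Decimal, InvalidOperation

# Assumptions for illustration only: the guide does not give the user-code
# length limit or the list of valid BP codes, so both are constructed here.
USER_CODE_MAX_LEN = 8
KNOWN_BP_CODES = {"C1100", "C2200", "V1000"}
REQUIRED_ORDER_FIELDS = ("customer", "item_no", "delivery_date")


def missing_data_check(record, required=REQUIRED_ORDER_FIELDS):
    """Missing data check: list required fields that are absent or blank."""
    return [f for f in required
            if record.get(f) is None or str(record[f]).strip() == ""]


def numeric_check(value):
    """Numeric-alphabetic check: True only for a finite number."""
    try:
        return Decimal(str(value)).is_finite()
    except InvalidOperation:
        return False


def limit_check(value, max_len=USER_CODE_MAX_LEN):
    """Limit check: True when the value fits the field length."""
    return len(value) <= max_len


def validity_check(code, known=KNOWN_BP_CODES):
    """Validity check: True when the code matches a known master record."""
    return code in known


def interrogate_sales_order(order):
    """Run the field checks on one order and return the error messages."""
    errors = [f"missing: {f}" for f in missing_data_check(order)]
    qty = order.get("quantity")
    if qty not in (None, "") and not numeric_check(qty):
        errors.append(f"not numeric: quantity={qty!r}")
    customer = order.get("customer")
    if customer and not validity_check(customer):
        errors.append(f"unknown BP code: {customer}")
    return errors


if __name__ == "__main__":
    # Inputs taken from Exercise 8a and 8b; field names are hypothetical.
    no_delivery_date = {"customer": "C1100", "name": "Jacob Electronics",
                        "item_no": "D1000", "unit_price": "32000"}
    bad_quantity = {"customer": "C1100", "name": "Jacob Electronics",
                    "item_no": "A1000", "delivery_date": "2013-12-01",
                    "quantity": "ABC"}
    print(interrogate_sales_order(no_delivery_date))
    print(interrogate_sales_order(bad_quantity))
    print(limit_check("Administrator"), validity_check("L1000"))
```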


EXERCISE 9: Audit Trail Controls

View some techniques used to preserve audit trails in SAP Business One.

a. Transaction Logs.
Every transaction successfully processed by the system should be recorded on a transaction log, which serves
as a journal.
View a list of all transactions posted in SAP Business One or generate transaction log.
- Open a document – A/R Invoice for example. Go to Sales – A/R > A/R Invoice
- In the toolbar, click the Transaction Journal tool.

- Choose All Transactions in the Original Journal field then set the posting date from 01.01.13 to 12.31.13.
This is to show all the transaction journal records for the whole fiscal year 2013 that could be used for
analysis.


b. Listing of Automatic Transactions


Some transactions are triggered internally by the system. To maintain control over automatic transactions
processed by the system, the responsible end user should receive a detailed listing of all internally
generated transactions.
c. Unique Transaction Identifiers
Each transaction processed by the system must be uniquely identified with a transaction number. This is
the only practical means of tracing a particular transaction through a database of thousands or even
millions of records.

View examples of unique identifiers in SAP Business One.


a. View the automatic journal entry created.
- Open a closed A/R Invoice.
Go to Sales – A/R > A/R Invoice > Switch to Find Mode by pressing Ctrl + F > Type 28 on the No. field
then press Enter.
- Click the Accounting Tab then click the Journal Remark link arrow. This will open up the automatic
journal entry created by SAP Business One for this transaction.

b. Take note of the unique identifiers in the A/R Invoice Transaction.


- Take note of the Origin field. Clicking the arrow navigates to the original transaction. These are
just some of the originating transactions:
IN - AR Invoice
RC - Incoming Payments
PU - AP Invoice
PD - Goods Receipt PO
PS - Outgoing Payments


If the entry is entered manually, origin is JE.


CHAPTER 3
SUBSTANTIVE TESTS

SUBSTANTIVE TESTS OF REVENUE CYCLE

Revenue Cycle Risks and Audit Concerns


In general, the auditor’s concerns in the revenue cycle pertain to the potential for overstatement of
revenues and accounts receivable rather than their understatement. Overstatement of accounts can
result from material errors in the processing of normal transactions that occur throughout the year. In
addition, the auditor should focus attention on large and unusual transactions at or near period-end.

Testing the Accuracy and Completeness Assertions


The accuracy assertion is management's assertion that all transactions were recorded at the
appropriate amount, while the completeness assertion is that all transactions that should have been
recorded have been recorded. In the Revenue Cycle audit, the accuracy and completeness assertions state
that all sales transactions were recorded accurately and completely.

Review Sales Documents and Balances for Unusual Trends and Exceptions
A useful audit procedure for identifying potential audit risks involves scanning data files for unusual
transactions and account balances. For example, scanning accounts receivable for excessively large
balances may indicate that the company’s credit policy is being improperly applied.

Review Sales Invoices and Customer Master Data for Missing and Duplicate Items
Searching for missing and/or duplicate transactions and data entries is another important test that
helps the auditor corroborate or refute the completeness and accuracy assertions. Duplicate and
missing transactions in the revenue cycle may be evidence of over or understated sales and accounts
receivable.


EXERCISE 10: Testing the Accuracy and Completeness Assertion (USE AUDITOR’S ACCOUNT)

a. Review Sales Documents and Balances for Unusual Trends and Exceptions
Open a list of Sales Orders and examine it for any unusual trends and exceptions using Query.

- Open Query Generator and create a query statement to produce an ad hoc report showing the
list of all sales order
Go to Tools Menu > Queries > Query Generator

- On the Table field, Type ‘ORDR’ then press Tab. The Field names and description will appear.
(Note: ORDR is the table name of Sales Order in the MSSQL database on which SAP is
running)
- Double click the following field names: (Tip: You can list the field name alphabetically by double
clicking the name title)
DocNum, DocDate, CardCode, CardName, DocTotal

- Click in the Sort By field then double click DocTotal in the list of Field names.


- Then click execute to produce the ad hoc report, “List of Sales Order”

Now you can examine all the Sales Orders and scan for any unusual items. For example, a Sales Order
amounting to PhP 894,080 was executed on December 31, 2013, which is considered a holiday in the
Philippines. Also, the amount is unusually large compared with the other sales orders. The auditor should
inquire about this with the management of the company and seek additional information.

You can do the same procedures for other Sales documents. You just need to know the appropriate
Table Name.
(Tip: To get a list of SAP documents and their equivalent table names, open a blank query generator. In the table
field name, type the asterisk symbol (*) then press Tab. The list of table and field names will appear.)


b. Review customer balances for unusual trends and exceptions


- Open a Blank Master Data. Go to Business Partners > Business Partner Master Data
- Change the BP Type to Customer then insert an asterisk symbol (*) in the code field then press
Enter. A List of Business Partners for customers will appear.

Upon examination of the list of customers and their balances, you notice that the balance of
Lappy Trading is negative. This is unusual considering that customer balances are normally debit
or positive. The auditor can investigate this exception further. List your finding below and your
proposed adjusting entry:


Review List of Customers for any duplicate items

- Open a Blank Master Data. Go to Business Partners > Business Partner Master Data
- Change the BP Type to Customer then insert an asterisk symbol (*) in the code field then press
Enter. A List of Business Partners for customers will appear.
- List alphabetically the list of customers by double clicking the BP Name Header.

As you scan the list of business partners, some of the customer names look familiar. You can further
investigate this issue by comparing the master data. Open two business partner master data, one for Jacob
Electrics and one for Jacob Electronics. Do the same for the other two then list your finding here:
_
_
_


Testing the Existence Assertion


Existence assertion pertains to management assertions that the assets, liabilities and equity balances
exist. For the revenue cycle audit, existence assertion declares that the customer balances recorded in
the system really exist.

Send Confirmation to Customers to Confirm Balances


One of the most widely performed tests of existence is the confirmation of accounts receivable. This
test involves direct written contact between the auditors and the client’s customers to confirm
account balances and transactions.

Testing the Valuation and Allocation Assertion


Valuation and Allocation assertion pertains to management assertions that the assets, liabilities and
equity balances are included in the financial statements at appropriate amounts and any resulting
valuation or allocation adjustments are appropriately recorded. For the revenue cycle audit, valuation
and allocation assertion states that the customer balances recorded are in their proper values.

Aging Accounts Receivable


The auditor’s objective regarding proper valuation and allocation is to corroborate or refute that
accounts receivable are stated at net realizable value. This objective rests on the reasonableness of
the allowance for doubtful accounts, which is derived from aged accounts receivable balances. To
achieve this objective, the auditor needs to review the accounts receivable aging process to
determine that the allowance for doubtful accounts is adequate. As accounts age, the probability
that they will ultimately be collected is decreased. Therefore, as a general rule, the larger the
number of older accounts that are included in a company’s accounts receivable file, the larger the
allowance for doubtful accounts needs to be to reflect the risk.


Exercise 11: Testing the Valuation and Allocation Assertion

View the Aging of Accounts Receivable and provide for Allowance for Doubtful Accounts based on Company’s
policies.
- Open the Aging Report of the company’s customer balances
Go to Financials > Financial Reports > Accounting > Aging > Customer Receivables Aging
- In the Selection Criteria insert the following information:
Code: From C1100 To C2200
Aging Date: 03.31.14
Then click OK
- SAP Business One will generate Customer Receivables Aging showing the age of receivables from the
customers.
- Now the auditor can perform his analysis based on this aging and compute the appropriate amount of
Allowance for Doubtful Accounts based on the Company’s policies.
- Compute the amount of Allowance for Doubtful Accounts
According to industry experience, the collectability of accounts is as follows:
0 – 1 month = 100%
Over one month not over two months = 98%
Over two months not over three months = 95%
Over three months not over four months = 92%
Over four months = 90%
How much is the proposed Allowance for Doubtful Accounts? _
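
How the aging buckets and the collectability rates above turn into an allowance, as an added Python example that is not part of the original guide. The receivables are constructed sample data, not the exercise's balances; counting one month as 30 days and aging from the invoice date are assumptions of this example.

```python
from datetime import date
from decimal import Decimal

# Collectability rates from Exercise 11, keyed by the upper age limit in days.
# Treating one month as 30 days is an assumption of this example.
COLLECTABILITY = [
    (30, Decimal("1.00")),    # 0 - 1 month
    (60, Decimal("0.98")),    # over one, not over two months
    (90, Decimal("0.95")),    # over two, not over three months
    (120, Decimal("0.92")),   # over three, not over four months
    (None, Decimal("0.90")),  # over four months
]

AGING_DATE = date(2014, 3, 31)  # aging date used in the exercise

# Constructed open receivables: (customer code, invoice date, open balance).
SAMPLE_RECEIVABLES = [
    ("C1100", date(2014, 3, 15), Decimal("100000")),
    ("C1100", date(2014, 2, 10), Decimal("50000")),
    ("C2200", date(2014, 1, 20), Decimal("40000")),
    ("C2200", date(2013, 12, 15), Decimal("25000")),
    ("C2200", date(2013, 10, 1), Decimal("10000")),
]


def collectability_for(age_days):
    """Return the collectability rate for a receivable of the given age."""
    if age_days < 0:
        raise ValueError("invoice is dated after the aging date")
    for limit, rate in COLLECTABILITY:
        if limit is None or age_days <= limit:
            return rate


def allowance_for_doubtful_accounts(receivables, aging_date):
    """Age each balance, then apply (1 - collectability) per bucket.

    Returns (balances per collectability rate, total allowance).
    """
    buckets = {rate: Decimal("0") for _, rate in COLLECTABILITY}
    for _customer, invoice_date, balance in receivables:
        rate = collectability_for((aging_date - invoice_date).days)
        buckets[rate] += balance
    allowance = sum((balance * (1 - rate) for rate, balance in buckets.items()),
                    Decimal("0"))
    return buckets, allowance


if __name__ == "__main__":
    buckets, allowance = allowance_for_doubtful_accounts(SAMPLE_RECEIVABLES,
                                                         AGING_DATE)
    for rate, balance in buckets.items():
        print(f"collectable {rate}: balance {balance}")
    print("allowance:", allowance)
```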


SUBSTANTIVE TESTS OF EXPENDITURE CYCLE

Expenditure Cycle Risks and Audit Concerns


Taking the narrowest attest-function view, external auditors are concerned primarily with the
potential for understatement of liabilities and related expenses. Substantive tests of expenditure cycle
accounts are therefore directed toward gathering evidence of understatement and omission of material
items rather than their overstatement.

Testing the Accuracy Assertion


The accuracy assertion is management's assertion that all transactions were recorded at the
appropriate amount. In the Expenditure Cycle audit, accuracy states that all expense transactions were
recorded accurately.
Review Purchasing Documents and Balances for Unusual Trends and Exceptions
A useful audit procedure for identifying potential audit risks involves scanning data files for unusual
transactions and account balances. For example, scanning accounts payable for excessively large
balances may indicate abnormal dependency on a particular supplier.


EXERCISE 12: Testing the Accuracy Assertion (USE AUDITOR’S ACCOUNT)


a. Review A/P Invoices for Unusual Trends and Exceptions
Open a list of A/P Invoices and examine it for any unusual trends and exceptions using Query.
- Open Query Generator and create a query statement to produce an ad hoc report showing the
list of all A/P Invoice
Go to Tools Menu > Queries > Query Generator
- On the Table field, Type ‘OPCH’ then press Tab. The Field names and description will appear.
(Note: OPCH is the table name of A/P Invoice in the MSSQL database on which SAP is
running)
- Double click the following field names: (Tip: You can list the field name alphabetically by double
clicking the name title)
DocNum, DocDate, CardCode, CardName, DocTotal
- Click in the Sort By field then double click DocNum in the list of Field names.

- Then click execute to produce the ad hoc report, “List of A/P Invoice”


Now you can examine all the A/P Invoice and scan for any unusual items. To have further examination,
you can click the small graph icon to see an analysis of AP Invoice depicted on a graph.

You can do the same procedures for other Purchasing documents. You just need to know the
appropriate Table Name.

Testing the Completeness Assertion

Completeness assertion says that all transactions that should have been recorded have been recorded.
In the Expenditure Cycle audit, completeness declares that all expense transactions were completely
recorded.
Searching for Unrecorded Liabilities
The search for unrecorded liabilities involves matching the records used by the warehouse department
such as a receiving report to indicate receipt of inventory with the billing invoice from supplier which is
used to record liabilities. A receiving report with no matching billing invoice might indicate that a liability
was not recorded.
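
The matching described above, as an added Python example that is not part of the original guide. All documents are constructed sample data, and `base_grpo` is a hypothetical field naming the receiving report an invoice was drawn from; a real export may carry that link differently.

```python
from datetime import date
from decimal import Decimal

CUTOFF = date(2013, 12, 31)  # fiscal year-end used throughout the guide

# Constructed receiving reports (Goods Receipt POs).
RECEIPTS = [
    {"doc_num": 1, "vendor": "V1000", "date": date(2013, 12, 2),
     "total": Decimal("150000.00")},
    {"doc_num": 2, "vendor": "V2000", "date": date(2013, 12, 18),
     "total": Decimal("84000.00")},
    {"doc_num": 3, "vendor": "V1000", "date": date(2013, 12, 28),
     "total": Decimal("56000.00")},
    {"doc_num": 4, "vendor": "V2000", "date": date(2014, 1, 3),
     "total": Decimal("30000.00")},
]

# Constructed A/P invoices; base_grpo (hypothetical) links back to a receipt.
INVOICES = [
    {"doc_num": 11, "base_grpo": 1, "date": date(2013, 12, 10)},
    {"doc_num": 12, "base_grpo": 3, "date": date(2014, 1, 5)},  # after year-end
]


def unrecorded_liabilities(receipts, invoices, cutoff):
    """Find goods received by the cut-off with no liability recorded by then.

    A receipt counts as unrecorded when no invoice referencing it was posted
    on or before the cut-off date, so an invoice posted in the following
    period does not clear a receipt from the prior period.
    Returns (list of open receipts, total amount).
    """
    invoiced = {inv["base_grpo"] for inv in invoices if inv["date"] <= cutoff}
    open_receipts = [r for r in receipts
                     if r["date"] <= cutoff and r["doc_num"] not in invoiced]
    open_receipts.sort(key=lambda r: (r["date"], r["doc_num"]))
    total = sum((r["total"] for r in open_receipts), Decimal("0"))
    return open_receipts, total


def by_vendor(open_receipts):
    """Summarise the unrecorded amount per vendor code."""
    summary = {}
    for r in open_receipts:
        summary[r["vendor"]] = summary.get(r["vendor"], Decimal("0")) + r["total"]
    return summary


if __name__ == "__main__":
    found, total = unrecorded_liabilities(RECEIPTS, INVOICES, CUTOFF)
    for r in found:
        print(r["doc_num"], r["vendor"], r["date"], r["total"])
    print("understatement of payables:", total, by_vendor(found))
```

Receipt 3 is the cut-off case: it was billed, but only in the following period, so the liability is still missing at year-end.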


Exercise 13: Testing the Completeness Assertion

a. Scan for any open Goods Receipt PO, which could indicate that no liability has yet been created for
this account.
Open the Open Items List report to view any open GRPO
- Go to Reports > Sales and Purchasing > Open Items List. Then on the Open Documents drop down
menu, choose Goods Receipts POs.

- The auditor will see that there are two open GRPOs meaning, no A/P Invoice has yet been
recorded in this account thus understating the vendor balances.

Double check the findings made by comparing the list of GRPO and A/P Invoice. Open a list of
GRPO and a list of A/P Invoice.
- Go to Purchasing – A/P > Goods Receipt PO. Make it Find mode by pressing Ctrl + F.
- On the No. field, type the asterisk symbol (*) then press Enter.
- Upon pressing Enter, a list of GRPOs will appear.
- Do the same procedure for A/P Invoice to see the list of A/P Invoice then compare the list.


- Now, the auditor can compare the list of A/P Invoices available against the GRPO. Note your findings
below and your proposed adjusting entries:
_
_


(Tip: To see the original entry made by SAP for the Goods Receipt PO documents, open the unmatched
GRPOs then go to Accounting tab. Beside the Journal Remark, click the link arrow to know the original

Testing the Existence Assertion


Existence assertion pertains to management assertions that the assets, liabilities and equity balances
exist. For the expenditure cycle audit, existence assertion declares that the vendor balances recorded in
the system really exist.

Examine Subsequent Payments to Suppliers


This test involves scanning the payments made in the subsequent period and checking whether the
payables recorded in the last period were paid.


Exercise 14:
Testing the Existence Assertion
a. Scan the payments made in the subsequent period using Query
Open a list of Outgoing Payments for the month of January 2014 (Subsequent Period) for
examination of subsequent payments.
- Open Query Generator and create a query statement to produce an ad hoc report showing the list
of Outgoing Payments for the month of January 2014.
Go to Tools Menu > Queries > Query Generator
- On the Table field, Type ‘OVPM’ then press Tab. The Field names and description will appear.
(Note: OVPM is the table name of Outgoing Payments in the MSSQL database on which
SAP is running)
- Double click the following field names: (Tip: You can list the field name alphabetically by double
clicking the name title)
DocNum, DocDate, CardCode, CardName, DocTotal
- Click in the Where field to enter the condition. Double click DocDate in the list of field names
then click Conditions button. Conditions pane will appear.
- Click again in the Where field, make sure that the cursor is on the end of T0.[DocDate]. Then
double click the condition ‘Greater or Equal’ followed by a double click on any variable. For
example [%0]
- Another condition will be added so scroll down in the list of condition then double click ‘And’.
Continue the condition by double clicking again the DocDate in the list of field names followed
by a double click on the condition ‘Smaller or Equal’ then double click again on any variable
except the one used before. For example, use [%1]
- Click in the Sort By field then double click DocDate in the list of Field names.
- Then click execute.


- Query – Selection Criteria window will appear where we can enter our condition. Insert 01.01.14
in the Greater or Equal field and 01.31.14 in the Smaller or Equal field to show only the Outgoing
Payments made in January 2014. Then click OK.

- Now, the auditor can trace the payments to existing liabilities as of December 31, 2013. List your
findings here and your proposed adjusting entries:
_


Testing the Valuation and Allocation Assertion


Valuation and Allocation assertion pertains to management assertions that the assets, liabilities and
equity balances are included in the financial statements at appropriate amounts and any resulting
valuation or allocation adjustments are appropriately recorded. For the expenditure cycle audit,
valuation and allocation assertion states that the customer balances recorded are in their proper values.

Send Confirmation to Vendors to Confirm Balances


One of the most widely performed tests of existence is the confirmation of accounts payable. This test
involves direct written contact between the auditors and the client’s vendors to confirm account
balances and transactions.

Exercise 15: Testing the Valuation and Allocation Assertion

View the Aging of Accounts Payable as a basis for sending the confirmation to the vendors.
- Open the Aging Report of the company’s vendor balances
Go to Financials > Financial Reports > Accounting > Aging > Vendor Liabilities Aging
- In the Selection Criteria insert the following information:
Code: From V1000 To V900
Aging Date: 12.31.13
Then click OK

SAP Business One will generate Vendor Liabilities Aging showing the age of payables to the
vendors. This aging could be the basis of the auditor in sending his confirmation of the balances to
the company’s vendors.


SUBSTANTIVE TEST OF OTHER FINANCIAL STATEMENT ACCOUNTS

Audit of Cash
Perform manual bank reconciliation to know the correct balance of cash that should be reported by
the Company. Reconcile the Balance per SAP records and Balance per Bank Statement.

The accountant showed the auditor the Bank Statement sent by the bank for the month of
December as shown below:

Beginning Balance, December 1, 2013: PhP 112,171.20

Date                 Remarks         Deposit       Withdrawal    Balance
December 1, 2013     Debit Advice                  93,000.00     19,171.20
December 7, 2013     Deposit         190,000.00                  209,171.20
December 8, 2013     Encashment                    25,000.00     184,171.20
December 31, 2013    Interest        1,200.00                    185,371.20
December 31, 2013    Bank Charge                   500.00        184,871.20


*** Nothing Follows ***


a. Open the General Ledger of the Cash Account in SAP Business One to reconcile it with the Bank
Statement.
- Go to Financials > Financial Reports > Accounting > General Ledger
- In the General Ledger – Selection Criteria, uncheck the Business Partner Box and check the
accounts box. Make sure that no accounts are marked with ‘x’.
- Change the level of accounts to 5.
- Mark ‘x’ the CA201 – Metrobank Account No. 9021
- For the posting date From field, enter 01.01.13 and To field 12.31.13 to show the transactions
for the whole fiscal year 2013 for this account.
- Then press Ok.


Balance per Bank Ref. No. 184,871.20


Add: Deposits in Transit

Less: Outstanding Checks

Total adjustments
Adjusted Balance

Balance per Book 1,101,550.40


Add:

Less:
Total Adjustments
Adjusted Balance

The deposit in the bank statement amounting to PhP 190,000.00 was traced to a deposit slip
sent by Solid Electrics in January 2014. Upon inquiry with the client, the deposit pertains to a
partial payment made by Solid Electrics toward its amount due to the client.

Now the auditor can perform his bank reconciliation by comparing the records per bank and the
records per SAP Business One. Write below your findings and proposed adjusting entries:


Audit of Inventories
Ensure that inventories are stated at lower of cost or net realizable value.

The company’s manager told the auditor that on December 20, the compartment where the laptops
are stored caved in, resulting in some exterior damage to the units. The laptops still work
properly, but their physical appearance has been damaged, and management fears that they might
not sell at their intended prices, so they decided to hire someone to compute the net realizable
values of the laptops. This list of net realizable values was given to the auditor:

Acer Laptops PhP28,000.00


Dell Laptops PhP25,000.00
Lenovo Laptops PhP28,000.00
Samsung Laptops PhP30,000.00

a. Compare the recorded costs of the inventories with their NRV and compute for the necessary
adjustment to recognize inventory loss (use Manager’s Account).
- Open the Inventory Audit Report
Go to Inventory > Inventory Reports > Inventory Audit Report
- On the Selection Criteria insert the following information in the specified field.
Change to Posting Date
From 01.01.13, To 12.31.13 to include the transactions for the whole fiscal year 2013.
Item Code: From A1000 To S1000
Then click OK.


- The Inventory Audit Report will appear. If you click on the black arrow beside the yellow arrow, the
details of a particular item will expand. Now the auditor can know the actual cost recorded per
system and compare it with its net realizable value. Take note that the valuation method used for
the laptops is First In, First Out (FIFO).

Enter your Inventory Cost and NRV analysis here:

Laptops Cost NRV Difference

Write down your findings and proposed adjusting entries below:


Audit of Prepayments
Check whether prepayments represent their actual prepaid amounts. If not, make the necessary
adjustments to recognize the expense.

Upon checking the Trial Balance of the company, the auditor noted two items that are considered
prepayments. The auditor examined the SAP Business One documents used to record the prepayments
and also the journal entries. He also examined any third-party documents related to those assets.

b. View the Trial Balance as a basis of selecting accounts to audit


- Open Trial Balance in SAP Business One
Go to Financials > Financial Reports > Financial > Trial Balance
In the Selection Criteria, enter the following information:
- Uncheck BP Box
- Change the level to 5
- Check G/L Accounts Box
- Mark ‘x’ all G/L accounts
- Date is Posting Date
- From 01.01.13 To 12.31.13
Then click OK.
Change the Level to Level 5 to see a more detailed Trial Balance


Upon seeing the contents of the Trial Balance, the auditor decided to audit the Office Supplies account
and Insurance Expense account. He wants to see the SAP Business One documents used to record
these accounts as well as any third party documents.

Open the SAP Business One document used to record Office Supplies.
- Go to Financials > Financial Reports > Accounting > General Ledger
- In the General Ledger – Selection Criteria, uncheck the Business Partner Box and check the accounts box.
Make sure that no accounts are marked with ‘x’.
- Change the level of accounts to 5.
- Mark ‘x’ the CA500 – Office Supplies
- For the posting date From field, enter 01.01.13 and To field 12.31.13 to show the transactions for the
whole fiscal year 2013 for this account.
- Then press Ok.
- The General Ledger for Office Supplies will appear.
- To view the SAP Business One document used, click the link arrow on the Doc. No. Column (i.e. PS 8)
- To view the journal entry, click the link arrow on the posting date column (i.e. 02.14.13)


According to company’s personnel, the estimated remaining Office Supplies is 20% of the
original purchased amount.
As for the insurance, upon examination of the Insurance Contract, it is for 2 years starting on its
purchase date which is also the posting date. Do the same procedure for Insurance Expense.
(Hint: The insurance premium is recorded using Expense Method)

Note your findings below and your proposed adjusting entries:


_
_
_


Audit of Fixed Assets


Determine the correct amount of depreciation that should be recorded for the year.

Upon checking the Trial Balance, the auditor noted that depreciation expenses were yet to be entered in
the accounting records. The auditor therefore examines the SAP Business One documents used to record the
acquisition of each asset, as well as any third party document, to establish the start date of
depreciation, then computes the depreciation expense based on the company’s policy on depreciating
fixed assets.

Depreciation Method: Straight Line
- 10% Salvage Value
- 5 year Useful Life – Office Equipment and Office Furniture
- 10 year Useful Life – Delivery Truck
- 20 year Useful Life – Leasehold Improvements

a. View SAP Business One document used to record Office Equipment
Open the SAP Business One document used to record Office Equipment.
- Go to Financials > Financial Reports > Accounting > General Ledger
- In the General Ledger – Selection Criteria, uncheck the Business Partner Box and check the accounts
box. Make sure that no accounts are marked with ‘x’.
- Change the level of accounts to 5.
- Mark ‘x’ the NC101 – Office Equipment
- For the posting date From field, enter 01.01.13 and To field 12.31.13 to show the transactions for
the whole fiscal year 2013 for this account.
- Then press Ok.
- The General Ledger for Office Equipment will appear.
- To view the SAP Business One document used, click the link arrow on the Doc. No. Column
- To view the journal entry, click the link arrow on the posting date column (e.g. 03.29.13)
Do the same for Office Furniture, Delivery Truck and Leasehold Improvements. Just make sure
that you use the correct date of acquisition.

b. Compute the depreciation expense for the fixed assets. Use the table below for your computation.

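| Fixed Asset | Acquisition Date | Acquisition Cost | Salvage Value | Yearly Depreciation | 2013 Depreciation |
|---|---|---|---|---|---|
| Office Equipment | | | | | |
| Office Furniture | | | | | |
| Delivery Truck | | | | | |
| Leasehold Improvements | | | | | |
| TOTAL DEPRECIATION FOR 2013 | | | | | |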

Note your findings below and your proposed adjusting entries:


SOLUTIONS
TO THE SUBSTANTIVE TESTING EXERCISES
(Exercises 10 - 15)


Exercise 10-b
Review customer balances for unusual trends and exceptions.

Upon examination of the list of customers and their balances, you noticed that the balance of Lappy Trading
is negative. This is unusual considering that customer balances are normally debit or positive. The auditor can
investigate this exception further.

1. Choose Lappy Trading on the list of business partners to open the Business Partner Master Data.

2. Click the ‘link arrow’ beside the Account Balance field.

3. Account balance details of Lappy Trading will open. Set the Posting Date range from ’01.01.13’ to
’12.31.13’. Then click the ‘link arrow’ beside the origin number (e.g. 25).

4. The Incoming Payment document will open. If you examine the document, no invoice has been selected
for payment, which is not typical for an incoming payment against an A/R Invoice.

5. This could be due to a collection from a different customer having been applied to the wrong account.
Examine the balances of the other customers to see if there is a similar amount. You will see that Zebra
Computers has a balance equal to the amount of the wrong payment.
- Go to Business Partner Master Data.
- Go to Find mode (Ctrl + F).
- Put an asterisk on the code field then press enter.
- List of Business Partners will appear.

Proposed Adjusting Journal Entry:


Dr. Accounts Receivable – Lappy Trading 368,808.00
Cr. Accounts Receivable – Zebra Computers 368,808.00


Exercise 10-c
Review list of customers for any duplicated items

1. Open both the Business Partner Master Data for Jacob Electrics and Jacob Electronics.
Go to Business Partners > Business Partner Master Data.
Go to Find mode (Ctrl + F).
Put an asterisk on the code field then press enter.
List of Business Partners will appear.
Select first Jacob Electrics. Then repeat the process for Jacob Electronics.

2. Upon comparison and examination of both the Business Partner Master Data, we can conclude that
Jacob Electrics and Jacob Electronics pertain to one customer only.

3. Transfer the balance of Jacob Electrics to Jacob Electronics. Then set the Business Partner Master Data
of Jacob Electrics to ‘Inactive’. However, you can only do this once all the open invoices for Jacob
Electrics are closed.

4. Do the same process for New World Dot Net and New World Dot Net Co.
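The reviews in Exercises 10-b and 10-c can also be run as an analytic over an exported customer list. The sketch below is an added example, not part of the original guide: it flags credit balances, looks for another customer whose balance equals an unapplied payment, and lists similar customer names. The balances are the unadjusted figures from the Exercise 11 table; the record layout, the suffix list and the 0.85 similarity threshold are assumptions.

```python
import re
from difflib import SequenceMatcher
from itertools import combinations

# Unadjusted balances per customer, as listed in the Exercise 11 aging table.
BALANCES = {
    "Jacob Electronics": 201168.00,
    "Zebra Computers": 368808.00,
    "Lappy Trading": -145288.00,
    "New World Dot Net, Co": 469392.00,
    "Solid Electrics, Inc.": 424688.00,
    "Jacob Electrics": 496214.40,
    "New World Dot Net": 726440.00,
}
# Incoming Payment No. 25, posted with no invoice selected (Exercise 10-b).
# The dictionary layout is an assumption, not an SAP Business One export format.
UNAPPLIED = [{"doc": "IP 25", "customer": "Lappy Trading", "amount": 368808.00}]
SUFFIXES = {"co", "inc", "corp", "ltd"}  # assumed list of legal suffixes to ignore


def credit_balances(balances):
    """Customers whose receivable balance is negative (a credit balance)."""
    return [name for name, bal in balances.items() if bal < 0]


def misapplied_candidates(payments, balances):
    """For each unapplied payment, other customers whose open balance equals it."""
    hits = {}
    for p in payments:
        hits[p["doc"]] = [name for name, bal in balances.items()
                          if name != p["customer"] and abs(bal - p["amount"]) < 0.005]
    return hits


def normalize(name):
    """Lowercase, drop punctuation and legal suffixes before comparing names."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in SUFFIXES)


def near_duplicates(names, threshold=0.85):
    """Pairs of master-data names similar enough to compare by hand."""
    pairs = []
    for a, b in combinations(names, 2):
        if SequenceMatcher(None, normalize(a), normalize(b)).ratio() >= threshold:
            pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    print(credit_balances(BALANCES))
    print(misapplied_candidates(UNAPPLIED, BALANCES))
    print(near_duplicates(BALANCES))
```

A name match is only a lead: the conclusion that two records are one customer still comes from comparing the Business Partner Master Data, as in step 2 of Exercise 10-c.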

Exercise 11: Testing the Valuation and Allocation Assertion

View the Aging of Accounts Receivable and provide for the Allowance for Doubtful Accounts based on the company’s
policies.
IMPORTANT: Before you compute the Allowance, make sure that you use the correct balances of the
customers. Consider the previous exercises.

| Customer | Unadjusted Balance of Invoices | Adjustments | Adjusted Balance | 0 - 30 | 31 - 60 | 61 - 90 | 91 - 120 | 121 + |
|---|---|---|---|---|---|---|---|---|
| Jacob Electronics | 201,168.00 | 496,214.40 | 697,382.40 | 254,812.80 | 201,168.00 | - | - | 241,401.60 |
| Zebra Computers | 368,808.00 | (368,808.00) | - | - | - | - | - | - |
| Lappy Trading | (145,288.00) | 368,808.00 | 223,520.00 | 223,520.00 | - | - | - | - |
| New World Dot Net, Co | 469,392.00 | 726,440.00 | 1,195,832.00 | 469,392.00 | 268,224.00 | - | 458,216.00 | - |
| Solid Electrics, Inc. | 424,688.00 | - | 424,688.00 | - | - | - | 424,688.00 | - |
| Jacob Electrics | 496,214.40 | (496,214.40) | - | - | - | - | - | - |
| New World Dot Net | 726,440.00 | (726,440.00) | - | - | - | - | - | - |
| TOTAL | 2,541,422.40 | - | 2,541,422.40 | 947,724.80 | 469,392.00 | - | 882,904.00 | 241,401.60 |
| Percentage | | | | | 2% | 5% | 8% | 10% |
| Doubtful Accounts | | | | | 9,387.84 | - | 70,632.32 | 24,140.16 |
| Provision for Doubtful Accounts | | | | | | | | 104,160.32 |

Proposed Adjusting Journal Entry:

Dr. Doubtful Accounts Expense 104,160.32
Cr. Allowance for Doubtful Accounts 104,160.32


EXERCISE 13: Testing the Completeness Assertion


It was noted that there were no A/P Invoices yet recorded for the Goods Receipt PO. This means that
the particular vendor subsidiary ledgers were not yet updated. You need to create an adjusting entry to
update the vendors’ subsidiary ledgers.

1. See the journal entry created for the GRPO to create a proper adjusting entry.
Go to Purchasing A/P > Goods Receipt PO
Go to Find mode (Ctrl + F).
Put an asterisk on the vendor field then press enter.
List of GRPO will appear.
Select GRPO No. 27. Goods Receipt PO No. 27 will open.

2. Inside GRPO No. 27, go to the Accounting Tab then click the link arrow beside the journal remark.
The automatic journal entry created will open. Use the journal entry created as the basis for the adjusting
entry.

3. Do the same process for GRPO No. 26 to get the total amount of adjustment needed.

Proposed Adjusting Journal Entry:


Dr. Goods Received Not Invoiced 477,120
Dr. Input Tax 60,480
Cr: PC Express 224,000.00
Cr: Hexagon Computer Shop 313,600.00


EXERCISE 14: Testing the Existence Assertion


You should check the payments made in January 2014 for liabilities pertaining to the year 2013 and
make sure that they are recorded in the proper period.

1. Click the link arrow beside each Document number to open the Outgoing Payment. Each document
should have a related A/P Invoice set up.

2. Open the Relationship Map of each Outgoing Payment document. Right click anywhere inside the
Outgoing Payment then choose Relationship Map.


3. Do this for all Outgoing Payment documents. An Outgoing Payment with no A/P Invoice means that no
liability has been recorded for it in 2013.
Without A/P Invoice: OP No. 63, 64, 65
With A/P Invoice: OP No. 66 and 67

4. Double-check that there were really no A/P Invoices recorded for the noted Outgoing Payments. Do
this for Salaries Payable.
Go to Financials > Chart of Accounts
Click the Liabilities drawer then select Salaries Payable.
Click the link arrow beside the Balance to open the General Ledger of Salaries Payable
Change the Posting Date: ‘From’: 01.01.13 ‘To’: 12.31.13
Upon scrolling down, you will see that there is no balance as of December 31, 2013.


Proposed Adjusting Journal Entry:


Dr. Salaries and Wages 93,000
Dr. Utilities Expense 77,000
Cr. Salaries Payable 93,000
Cr. Utilities Payable 77,000


SUBSTANTIVE TESTS OF OTHER FINANCIAL STATEMENT ACCOUNTS

Audit of Cash
1. Perform the Bank Reconciliation.

DEPOSITS IN TRANSIT – Examine the deposit documents created for the month of December then
compare this with the deposits reflected in the bank statement.
Go to Banking > Deposits > Deposit
Go to Find mode (Ctrl + F). Type an asterisk (*) in the Deposit No. field then press ‘Enter’.
Examine the deposits created for December then trace them to the Bank Statement. Any deposits
not present in the Bank Statement are reconciling items for the Balance per
Bank, as Deposits in Transit.


OUTSTANDING CHECKS – Examine the checks that were issued for the month of December then
compare them with the checks reflected in the bank statement.
Go to Banking > Outgoing Payments > Checks for Payment
Go to Find mode (Ctrl + F). Type an asterisk (*) in the Internal ID field then press ‘Enter’.
Examine the checks created for December then trace them to the Bank Statement. Any checks
not present in the Bank Statement are reconciling items for the Balance per
Bank, as Outstanding Checks.


RECONCILING ITEMS FOR BALANCE PER BOOKS


Credit Memo: Partial collection from amount due from Solid Electrics (P190,000.00)
Credit Memo: Interest income for the year (P1,200.00)
Debit Memo: Bank charges for the month (P500.00)

| Item | Ref. No. | Amount | Total |
|---|---|---|---|
| Balance per Bank | | | 5 4,657.60 |
| Add: Deposits in Transit | | | |
| Lappy Trading | IP No. 25 | 368,808.00 | |
| Lexxus Computer Shop | IP No. 24 | 223,520.00 | |
| Jacob Electronics | IP No. 23 | 321,868.80 | |
| EZ Electronics and Gadgets | IP No. 22 | 357,632.00 | 1,271,828.80 |
| Less: Outstanding Checks | | | |
| MeralSa | Ck No. 1048 | 45,000.00 | |
| Asiatique Computers | Ck No. 1049 | 156,800.00 | |
| Computer Man Enterprises | Ck No. 1050 | 302,400.00 | 504,200.00 |
| Total adjustments | | | 767,628.80 |
| Adjusted Balance | | | 1,292,250.40 |
| Balance per Book | | | 1,101,550.40 |
| Add: | | | |
| Partial collection from Solid | | 190,000.00 | |
| Interest Income | | 1,200.00 | 191,200.00 |
| Less: Bank Charge | | | (500.00) |
| Adjusted Balance | | | 1,292,250.40 |

Proposed Adjusting Journal Entry:


Dr. Metrobank Account No. 9021 190,700.00
Dr. Bank Charge 500.00
Cr. Accounts Receivable – Solid Electrics 190,000.00
Cr. Interest Income 1,200.00


Audit of Inventories
1. Use the First-In, First-Out (FIFO) method in computing the inventory value. Here is an
example for the Acer Laptop inventory, based on the Inventory Audit Report:
According to the report, there are 20 units of Acer Laptops on the day when the compartment
collapsed.
If FIFO has been used, these units are composed of the latest purchases made.
Count backwards from the latest purchase, which is December 11, until you have 20 units.

So the cost of Acer Laptops using FIFO is computed as follows:


| Date | Units | Purchase Price | Total |
|---|---|---|---|
| 12.11.13 | 7 | 27,000.00 | 189,000.00 |
| 11.25.13 | 5 | 26,000.00 | 130,000.00 |
| 10.11.13 | 8 | 24,000.00 | 192,000.00 |
| TOTAL | 20 | | |

2. Compare the cost computed with the net realizable value (NRV). According to standards, inventories
should be valued at the lower of cost or net realizable value. If NRV is lower, that would be the
new value of the inventory and an inventory loss should be recorded. For the Acer Laptop, this would be
the computation:
| Date | Units | Cost | NRV | Write Down |
|---|---|---|---|---|
| 12.11.13 | 8 | 27,000.00 | 28,000.00 | - |
| 11.25.13 | 5 | 26,000.00 | 28,000.00 | - |
| 10.11.13 | 8 | 24,000.00 | 28,000.00 | - |
| TOTAL | 20 | | | |

3. Since NRV is higher than cost, no write down is needed.


4. Do the same for other inventory items.


| Date | Units | Cost | NRV | Write Down | TOTAL |
|---|---|---|---|---|---|
| DELL (27 units) | | | | | |
| 11.11.13 | 15 | 27,000.00 | 25,000.00 | (2,000.00) | 30,000.00 |
| 09.09.13 | 12 | 25,000.00 | 25,000.00 | - | - |
| LENOVO (15 units) | | | | | |
| 11.28.13 | 8 | 29,000.00 | 28,000.00 | (1,000.00) | 8,000.00 |
| 10.30.13 | 7 | 27,000.00 | 28,000.00 | - | - |
| SAMSUNG (No units as of 12.20.13) | - | - | - | - | - |
| TOTAL | | | | | 38,000.00 |

Proposed Adjusting Journal Entry:


Dr. Inventory Losses 38,000.00
Cr. Inventories 38,000.00
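The count-backwards step and the lower-of-cost-or-NRV comparison, written as a recalculation an auditor could run over a purchase listing. This is an added example, not part of the original guide; the Dell and Lenovo purchases and the three latest Acer purchases are the figures in the tables above, while the 09.02.13 Acer purchase is constructed so that the walk-back has an older receipt to leave out.

```python
from datetime import date

# (purchase date, units, unit cost). The 09.02.13 Acer line is constructed;
# all other lines are the layers shown in the solution tables.
PURCHASES = {
    "ACER": [(date(2013, 9, 2), 6, 23000), (date(2013, 10, 11), 8, 24000),
             (date(2013, 11, 25), 5, 26000), (date(2013, 12, 11), 7, 27000)],
    "DELL": [(date(2013, 9, 9), 12, 25000), (date(2013, 11, 11), 15, 27000)],
    "LENOVO": [(date(2013, 10, 30), 7, 27000), (date(2013, 11, 28), 8, 29000)],
}
ON_HAND = {"ACER": 20, "DELL": 27, "LENOVO": 15}          # units per the report
NRV = {"ACER": 28000, "DELL": 25000, "LENOVO": 28000}     # NRV per unit


def fifo_layers(purchases, units_on_hand):
    """Under FIFO the units on hand come from the latest purchases:
    walk back from the newest receipt until the count is covered."""
    layers, remaining = [], units_on_hand
    for when, qty, cost in sorted(purchases, reverse=True):
        if remaining == 0:
            break
        take = min(qty, remaining)          # a layer may be only partly on hand
        layers.append((when, take, cost))
        remaining -= take
    if remaining:
        raise ValueError("units on hand exceed recorded purchases")
    return layers


def fifo_cost(layers):
    """Total cost of the units on hand."""
    return sum(qty * cost for _, qty, cost in layers)


def write_down(layers, nrv):
    """Loss to record: only layers whose unit cost exceeds NRV are written down."""
    return sum(qty * (cost - nrv) for _, qty, cost in layers if cost > nrv)


def total_write_down():
    """Write-down across all items, the amount of the adjusting entry."""
    return sum(write_down(fifo_layers(PURCHASES[item], ON_HAND[item]), NRV[item])
               for item in PURCHASES)


if __name__ == "__main__":
    for item in PURCHASES:
        layers = fifo_layers(PURCHASES[item], ON_HAND[item])
        print(item, fifo_cost(layers), write_down(layers, NRV[item]))
    print("Total write-down:", total_write_down())
```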


Audit of Prepayments
It is duly noted that both prepayments, Office Supplies and Insurance Expense should be adjusted.

1. For Office Supplies, 80% should be recorded as expense. That is P16,000.00.


Proposed Adjusting Journal Entry:
Dr. Office Supplies Expense 16,000.00
Cr. Office Supplies 16,000.00

2. As for the Insurance, it was initially recorded using the expense method, so the unexpired portion should
be recognized as an asset.
Go to Financials > Chart of Accounts
Click the Operating Costs drawer then select ‘Insurance Expense’
Click the link arrow beside the balance to open the ledger of Insurance Expense. Change the dates:
From: 01.01.13; To: 12.31.13
Take note of the date of transaction which indicates the start of the insurance period.

3. Compute the unexpired portion of insurance based on the posting date of the transaction
Total Amount of Insurance Premium P50,000.00
Ratio of Unexpired Period (14 months) 14/24
Unexpired Portion P29,166.67

Proposed Adjusting Journal Entry:


Dr. Prepaid Insurance 29,166.67
Cr. Insurance Expense 29,166.67


Audit of Fixed Assets


1. Obtain the date of purchase of the various fixed assets to properly compute depreciation.
(Instructions on the Quick Guide)

| Fixed Asset | Acquisition Date | Acquisition Cost | Salvage Value | Depreciable Cost | Useful Life | Yearly Depreciation | Period for 2013 | 2013 Depreciation |
|---|---|---|---|---|---|---|---|---|
| Office Equipment | 03.29.13 | 240,000.00 | 24,000.00 | 216,000.00 | 5 | 43,200.00 | 9 months | 32,400.00 |
| Office Furniture | 01.15.13 | 200,000.00 | 20,000.00 | 180,000.00 | 5 | 36,000.00 | 11.5 months | 34,500.00 |
| Delivery Truck | 02.28.13 | 1,000,000.00 | 100,000.00 | 900,000.00 | 10 | 90,000.00 | 10 months | 75,000.00 |
| Leasehold Improvements | 01.31.13 | 1,500,000.00 | 150,000.00 | 1,350,000.00 | 20 | 67,500.00 | 11 months | 61,875.00 |
| TOTAL DEPRECIATION FOR 2013 | | | | | | | | 203,775.00 |

Proposed Adjusting Journal Entry:


Dr. Depreciation Expense 203,775.00
Cr. Accumulated Depreciation – Office Equipment 32,400.00
Cr. Accumulated Depreciation – Office Furniture 34,500.00
Cr. Accumulated Depreciation – Delivery Truck 75,000.00
Cr. Accumulated Depreciation – Leasehold Improvements 61,875.00
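The schedule above can be recomputed from the acquisition dates and the company's depreciation policy. This is an added example, not part of the original guide. The guide does not state how the months in service are counted, so the rule in `months_in_service` (half a month when the asset is acquired on or before the 15th, otherwise depreciation starts the following month) is an assumption inferred from the periods shown in the table.

```python
from datetime import date
from decimal import Decimal

SALVAGE_RATE = Decimal("0.10")      # company policy: 10% salvage value
YEAR_END = date(2013, 12, 31)

# (asset, acquisition date, acquisition cost, useful life in years),
# taken from the solution table and the stated depreciation policy.
ASSETS = [
    ("Office Equipment", date(2013, 3, 29), Decimal("240000"), 5),
    ("Office Furniture", date(2013, 1, 15), Decimal("200000"), 5),
    ("Delivery Truck", date(2013, 2, 28), Decimal("1000000"), 10),
    ("Leasehold Improvements", date(2013, 1, 31), Decimal("1500000"), 20),
]


def months_in_service(acquired, year_end=YEAR_END):
    """Months depreciated in the fiscal year (assumed convention, see lead-in)."""
    if acquired > year_end:
        raise ValueError("asset acquired after year end")
    if acquired.year < year_end.year:
        return Decimal(12)              # in service all year; ignores end of life
    later_months = year_end.month - acquired.month
    half = Decimal("0.5") if acquired.day <= 15 else Decimal(0)
    return Decimal(later_months) + half


def depreciation_for_year(cost, life_years, acquired, year_end=YEAR_END):
    """Straight-line depreciation for the year, prorated by months in service."""
    depreciable = cost * (1 - SALVAGE_RATE)
    return depreciable * months_in_service(acquired, year_end) / (life_years * 12)


def schedule(assets=ASSETS):
    """Depreciation per asset, keyed by asset name."""
    return {name: depreciation_for_year(cost, life, acquired)
            for name, acquired, cost, life in assets}


if __name__ == "__main__":
    result = schedule()
    for name, amount in result.items():
        print(f"{name}: {amount:,.2f}")
    print(f"Total: {sum(result.values()):,.2f}")
```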

CHAPTER 4:
IT Audit Report
1. Based on the procedures (exercises) performed, form a conclusion and opinion on
the adequacy of controls and any identified potential risks.

Are the controls established by the company well designed and properly
implemented? If yes, then were those controls able to mitigate the risks associated
to them to an acceptable level?

2. State the findings and the recommendations for each finding.
