Auditing Summary
Risk of Outsourcing
Access Controls / Controls to ensure customers only have access to their own accounts
General IT Controls
Master file
Data CAATS
Substantive Procedures:
General
Inventory
Expense Accruals
Website
Development Costs
Leasing
Variances
Deferred Revenue
Provision for restoration costs
Protect on-line orders from fraudulent customers or those who don’t pay
Imported Machinery
Hedging Positions
Expert
Going Concern
Key Controls
Audit Plan impact from management claiming for work they did not do
CORPORATE GOVERNANCE
Corporate Governance/King Report Issues
Risks at the Overall F/S Level
Management override
Bribery – management integrity
Audit deadline increases risk of undetected error
Newly acquired sub – risks related to acquisition accounting i.t.o. IFRS3
Changes/updates to IFRS = management lack of familiarity/not being up to date
Going Concern risk due to difficult trading conditions, operating losses, high debt,
possible claims against the company
Going concern is an automatic impairment indicator
Weak corporate governance principles lead to weak control environment and risk of
management override
New client – do not have benefit of previous auditor. Not fully familiar with
enterprise. Opening balances may be misstated (detection risk)
Systems and controls may not have coped with expansion (control risk)
Staff overworked and underpaid
Subsidiary of company listed in US and London. Sarbanes Oxley Legislation will apply,
making flaws in governance structures more important. Group reporting difficult
Disputes with previous auditor
Related party transactions may not be accounted for correctly
Company dependent on computer systems – risk of incorrect recording of
transactions and creating need to evaluate computer controls
Privately owned enterprises often lack formal internal controls and proper
segregation of duties and are dominated by one individual
Accounting records that are inadequate may result in material misstatement
Outsourcing could result in possible undue reliance on third parties
Manufacturer
Subsidiary
Inaccurate elimination of intercompany profits
Inappropriate disclosure of related party transactions
Importer
Branches
Deferred revenue
Derivatives
Development costs
Inflating amount of costs capitalised
Incorrect computation or allocation of labour and overhead components
PPE
High technology industry or PPE becoming unsuitable for use increases risk of
unrecognised impairment of PPE
Amount spent on purchasing the PPE might not all relate to the capital asset and
thus may need to be treated as an expense
Inventories
Accounts receivable
Lease
Provision
Accounting for the debit as a depreciable part of PPE
Determination and measurement of provisions may require expert
Investment Property
Goodwill
With new acquisition there may be risks with appropriate measurement of goodwill
taking into account fair values of net assets and liabilities
Possible impairment of goodwill
Complex requirements of IFRS3 may lead to goodwill being misstated
Risk of Outsourcing
Risk | Consequence
Reliance on outsourcer for continuity of business operations | Can jeopardise going concern ability
Breach of confidentiality | Our ability to price deals competitively may be compromised; Negative reputational consequences; Risk of litigation
Availability. Outsourcer may fail to deliver timeously | We may be unable to comply with reporting deadlines; Negative reputational consequences; Negative publicity from failure to settle claims timeously; Inability to write further new business; Potential litigation
Economy. Increased cost of outsourced services | Savings from outsourcing could be compromised; May have to start hiring staff and deal with own division again. Could lead to delays
Integrity. Possible errors in validity and completeness of commissions | Our decision making may be incorrect as it’s based on inaccurate info; Reputational risk; Cash flow implications
Effectiveness. May compromise long term strategy | Lag in achieving long term strategy as not developed in-house expertise
Compliance with legislation | Unnecessary costs/fines
Advantages and Disadvantages of Outsourcing IT
Advantages
Access to wider pool of IT skills
Cost savings as not necessary to employ IT staff with experience
Access to latest technology and research
No need to attract and retain IT specialists
Less investment in research and development of IT and training of staff
Frees management time to focus more on strategic issues
Disadvantages
Management has less control over IT
IT operations and support further removed from the business
Possible risk of being locked into obsolete technology
Risk that the outsourcer did not implement the same level of controls as the company
Exposed to policies and procedures of service provider
Poor definition of service levels resulting in unsatisfactory service delivery
Can be costly and synergy or benefits are seldom achieved
Going concern at risk if service provider ceases operations
Staffing
Review selection procedures for staff
Ensure adequate training
Setting of policies
Acceptance criteria for new suppliers
Pricing policy
Quality specifications
Goods return policy
Trade/bulk discount terms
Early settlement discount
Supervisory functions
Regular walk-through of activities
Unannounced visits to staff
Monitor organisational structure to ensure adequate segregation of duties
Approval of reconciliations
Review reconciliations between ledger and control account
Review recon between ledger and supplier statements
Review recon between bank statement and cash book
Review theoretical and physical inventory
Review internal audit reports
Review and follow up on following exception reports:
Integrity of Info
Unauthorised access/activity
Changes to access rights
Changes to standing data
Large/unusual orders or variances
Missing sequence numbers
Review of common customer complaints
Periodic review of master file and standing data
Efficiency and Effectiveness of Operations
Stock out situations
Review of economic order quantities
Age analysis
Discounts taken
Reasons for goods being returned to suppliers
Hedging activity
Legislation
Monitor stock levels so that orders will not lead to contravention of insurance
provisions
Overall review of results
Trend analysis
Average days purchases in accounts payable
Stock turnover
GP%
Control Environment
Risk assessment
Continually monitor risk factors relating to possibility of fraud/breach of
confidentiality in changes in economic, social and technological environment
Information System
Identify all points in the information process at which info can be compromised:
point of entry, transmission, storage of info
Control Activities
Point of entry:
Have unique registered domain name
Digital certificate
Ensure improper links/content not added to company website
Input screens include warnings i.r.o. protecting info
Customers should only be required to provide minimum info
Transmission:
Info encrypted across network
Firewall
One-time password
Custody:
Highly confidential info should be encoded and decoding requires appropriate keys
Allocation of responsibilities done with segregation of duties
Review logs of access
Repeat customers should be allocated logon IDs so they can change personal info
Monitoring of Controls
Access Controls / Controls to ensure customers only have access to their own accounts
Firewall
Anti-virus
Encryption
Assurance logos
Log-on IDs for identification
Edit checks to ensure no duplicate IDs
Password linked to log-on ID
Automatic change of passwords every few weeks
Passwords never appear on the screen
Access rights restricted according to segregation of duties
Security matrices, different levels of user access
Rights disabled when customer no longer complies with agreed terms or is no longer a
customer
Access disabled after number of log-in attempts/ period of inactivity
Unauthorised access attempts automatically logged and followed up
Password file protected from unauthorised users
EFT specific
Dropdown list of approved suppliers
Restrict link to bank to one terminal
Special passwords to allow users into EFT-client base
Use of one-time passwords
General IT Controls
Organisational controls
Continuity of operations
There must be strict segregation of duties
Strict physical security over specified terminals
Access to desktop/laptop computers should be limited
Proper safekeeping of all electronic media and user manuals
Routine linkage procedures: visual confirmation of closed padlock and https
Firewall and antivirus software
Digital signatures and one-time passwords
Controls over changes to software that manages payments
All adjustments to accounts payable should be authorised by at least 2 senior staff
members
Special authorisation from 2 senior members for the electronic transfer of funds
Specify max amount of any individual fund transfer
Limit EFT transactions to an agreed schedule with the bank
Bank should request confirmation of EFT transactions prior to transfer of funds
Regular review of accounts payable master file for EFT payments
Monitor access to payments module and terminal link
Computer validation checks on pending payments
Exception report for transfers or refusals of transfers to accounts payable
Regular independent reconciliation of supplier’s and bank statements to accounts
balances
Details of bank transfers to be printed regularly and compared with accounts
payable register
Regular review of supplier complaints
Regular comparison of expenditure to budget
Regular analysis of accounts for unusual items
Management to do regular supervision and spot checks on payment process and
policies
Nature
Perform substantive procedures on systems where general IT or application controls
are subject to management override
Review integrity of any changes in accounting policies/estimates
Place less reliance on representations by management
Timing
Procedures concentrated on year end activities
Extent
Extend audit tests in areas where significant account balances require judgement
Extend audit tests on adjusting journal entries
Possibility of using combined Audit Approach for valuation of inventory
NATURE
Necessity
Possibility
Desirability
For computer controls, clearance must be obtained from client for processing
dummy data through the system
Nature and extent of evidence of the strength of general IT controls obtained in prior
years that have not changed and do not address significant risks
TIMING
EXTENT
Application Controls for ordering and receiving inventory
Master file
Validity
Restrict access to update function
Require log-on ID and authentication before amendment
Senior management authorisation for overrides to any policies
Identify any duplicated entries
Accuracy
Completeness
General
Data CAATS
Identify from the accounts payable master file all payments 3 days before and after
year end and compare details to cash payment files records before and after year
end (completeness, cut-off)
Perform ARP: extract monthly trends, quick ratio, current ratio, gross profit % (all)
Extract list of all account payable accounts with debit balances (presentation)
Schedule of total value of inventory broken into Raw material, WIP and FG
Samples of high value items for verification
Reports listing inventory items and total for inventory
Report listing items not counted by staff for a period
Details of standard quantities of a sample of items
Details of slow-moving stock by reference to last purchase and sale date
Age analysis
List of finished goods where cost exceeds selling price
Abnormal items: negative quantities or purchase prices, missing fields
List of significant variances between actual materials issued and standard
List of items where cost or quantity has varied significantly over the period
List of significant adjustments to cost
Comparison between current year and prior year for inventory quantities and values
for major items
Schedule of movements in inventory: Opening, Purchases, Cost of sales, other
movements, Closing balance
Computation of total raw materials issued to production
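Four of the data CAATs listed above (cut-off window around year end, accounts payable debit balances, abnormal inventory items, finished goods where cost exceeds selling price) as an added example that is not part of the original notes. The records, field names and year end are constructed for illustration, and the sign convention for balances is an assumption stated in the code.

```python
"""Added example: a few of the data CAATs above, run over constructed records."""
from datetime import date, timedelta

YEAR_END = date(2023, 12, 31)  # constructed year end

# Constructed sample data; field names are hypothetical, not from any real system.
PAYMENTS = [
    {"ref": "P001", "supplier": "S01", "date": date(2023, 12, 20), "amount": 1200.00},
    {"ref": "P002", "supplier": "S02", "date": date(2023, 12, 29), "amount": 560.50},
    {"ref": "P003", "supplier": "S01", "date": date(2024, 1, 2), "amount": 980.00},
    {"ref": "P004", "supplier": "S03", "date": date(2024, 1, 9), "amount": 75.00},
]
# Assumption: balance > 0 is a credit (owed to the supplier), balance < 0 is a debit.
AP_ACCOUNTS = [
    {"supplier": "S01", "balance": 4300.00},
    {"supplier": "S02", "balance": -250.00},
    {"supplier": "S03", "balance": 0.00},
]
INVENTORY = [
    {"item": "RM-10", "class": "RM", "qty": 500, "unit_cost": 2.50, "selling_price": None},
    {"item": "FG-20", "class": "FG", "qty": 40, "unit_cost": 90.00, "selling_price": 75.00},
    {"item": "FG-21", "class": "FG", "qty": -3, "unit_cost": 12.00, "selling_price": 20.00},
    {"item": "WIP-7", "class": "WIP", "qty": 10, "unit_cost": None, "selling_price": None},
    {"item": "FG-22", "class": "FG", "qty": 15, "unit_cost": 30.00, "selling_price": 45.00},
]
REQUIRED = ("item", "class", "qty", "unit_cost")  # fields every inventory record must carry


def cutoff_window(payments, year_end, days=3):
    """Payments dated within `days` of year end, split before/after for cut-off testing."""
    lo, hi = year_end - timedelta(days=days), year_end + timedelta(days=days)
    hits = [p for p in payments if lo <= p["date"] <= hi]
    return {
        "before": [p["ref"] for p in hits if p["date"] <= year_end],
        "after": [p["ref"] for p in hits if p["date"] > year_end],
    }


def debit_balances(accounts):
    """Accounts payable accounts carrying a debit balance (presentation)."""
    return [a["supplier"] for a in accounts if a["balance"] < 0]


def abnormal_items(inventory):
    """Negative quantities or costs and missing required fields, keyed by item code."""
    findings = {}
    for rec in inventory:
        reasons = [f"missing {f}" for f in REQUIRED if rec.get(f) is None]
        for field in ("qty", "unit_cost"):
            if rec.get(field) is not None and rec[field] < 0:
                reasons.append(f"negative {field}")
        if reasons:
            findings[rec.get("item")] = reasons
    return findings


def cost_exceeds_selling_price(inventory):
    """Finished goods whose unit cost is higher than the selling price."""
    return [
        r["item"] for r in inventory
        if r.get("class") == "FG"
        and r.get("unit_cost") is not None
        and r.get("selling_price") is not None
        and r["unit_cost"] > r["selling_price"]
    ]


if __name__ == "__main__":
    print("Cut-off window:", cutoff_window(PAYMENTS, YEAR_END))
    print("AP debit balances:", debit_balances(AP_ACCOUNTS))
    print("Abnormal items:", abnormal_items(INVENTORY))
    print("FG cost > selling price:", cost_exceeds_selling_price(INVENTORY))
```

The payments returned by `cutoff_window` are the ones to compare against the cash payment records on either side of year end.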
Substantive Procedures:
General
Inventory
Review payrolls and GL accounts to ensure all production related costs included
Obtain schedule of overheads allocated and agree to GL
Review basis of allocation for compliance with GAAP
Consider client’s determination of normal capacity
Reperform computations per client’s schedule
Reperform allocation of labour and overheads taking into account normal capacity
Inspect contracts to ascertain terms of the sale whether or not risks have passed
Inspect cash book to ascertain full payment has been made
Request client to confirm in writing that the inventory is the property of the client
Inspect correspondence relating to client’s request to store goods
Inspect storage invoices to ensure rental is charged
Inspect invoices to ensure sales have been properly recorded
Review delivery costs to ensure that they are minimal
Inspect insurance documentation to ascertain who bears insurable risk
Inspect inventory sheets to ensure items not included in inventories
Expense Accruals
Compare accruals list to list for previous year and investigate missing/unusual items
Review cash book payments for period after year end and check items accrued to list
Enquire of management and staff about possible accruals
Review general ledger expense accounts for missing items which may be accrued
Compare expenditure to budgets to identify possible accruals
Review all long term agreements (insurances, leases, pension schemes, royalties) to
determine whether provision has been made for all accruals
Cut-off of supplier accounts:
Obtain last goods received note number from inventory count
Select sample of goods received notes and trace details to supplier invoices
Trace invoices to purchase records to ensure purchase recorded in correct period
Review year end reconciliations for major suppliers to supplier statements for any
outstanding invoices which may require accrual
Review any invoices still to be processed
Website
Check times worked on websites for a sample of employees to time records,
ensuring correct hours are recorded
Enquire of employees whether they actually worked on the websites
Check rates per hour to payroll to ensure correct cost used
Recompute cost of time worked
Review schedule of allocated overheads to ensure only production related
overheads relevant to websites included
Reperform computation of overheads
Compare actual costs of website to budget and investigate differences
Review and reperform amortisation calculation
Development Costs
Leasing
Equipment (Asset):
Check cost by inspecting suppliers invoice
Ensure VAT is excluded by reperformance of arithmetical accuracy of cost
Reperform present value computations
Depreciation
Establish useful life of equipment by enquiry of technical personnel
Enquire from client and inspect supplier documentation for residual value
Compare depreciation rates to rates used for similar assets in previous years
Reperform depreciation calculations
Impairment
Consider possible signs of impairment and whether FEB exceed CV
If CV exceeds FEB, check impairment charge reducing CV to recoverable amount
Completeness
Physically inspect sample of equipment and trace to accounting records
Analyse lease expense account to identify any finance lease which was treated as
operating lease
Liability
Reperform present value of future payments and interest expense
Inspect bank documentation to check appropriateness of market related interest
rate used
General
Perform ARP comparing depreciation as % of cost and ratios of fixed assets to
turnover
Variances
Deferred Revenue
Obtain client’s workings and check to supporting documentation
Enquire of client staff concerning basis of estimation
Assess validity of assumptions regarding estimate
Consider use of expert in determining fair value
Protect on-line orders from fraudulent customers or those who don’t pay
Existence
Perform a physical inspection of the building
Inspect title deeds noting description of the property and that it is registered in the
client’s name
Measurement
Check cost of the property to audited financial statements
Inspect formal written valuation certificates for various valuations and agree
valuation amounts to adjusting entries
Consider valuator’s (expert) objectivity, independence etc
Assess valuation assumptions used by valuator
Reperform any calculations performed by valuator
Consider reasonableness of the valuations in relation to market related rentals
Valuation
Inspect condition of building for signs of impairment
Reperform depreciation calculations
Completeness
Enquire of client concerning any improvements, additions, alterations and inspect
building for any such improvements
Consider possibility of alterations or improvements debited to maintenance account
in error
General
Check tax computation to ensure that depreciation is added back
Reperform all computations including adjusting entries to the fair value adjustment
and related deferred tax amounts
Imported Machinery
Inspect the contract to ascertain validity, amounts involved and terms of the sale
Inspect shipping documentation to ascertain date machine was received and
when risks and rewards passed as well as the other costs such as shipping,
import duties etc
Confirm liability at year end, including confirmation that there is no interest
Inspect invoices for the cost of installation
Inspect bank documentation to support exchange rates provided
Inspect forward contracts for the dates and amount
Consider appropriateness of discount rate used in arriving at cost of machine
Assess company policy for hedging transactions
Reperform computations of
- present value at year end and transaction date
- cost of machine at spot rate at transaction date
- total cost plus shipping and installation charges
- year-end liability at year end spot rate
- fair value of FEC at transaction date and year end
- gains and losses on foreign currency translations
- hedging gains and losses
- amounts taken to P+L and amounts taken to OCI
Hedging Positions
Obtain a schedule of open positions at year end and select a sample of items for
detailed audit
Consider adequacy of the system for recording open positions
Obtain written confirmations from counter parties setting out details of all open
positions at year end
Inspect correspondence for any changes in the terms and conditions
Agree market values of the positions to the supporting documentation
Where there is no active market, obtain client’s valuation models for determining
fair values of positions
Assess assumptions (financial, economic, commercial) used in the valuation models
Check detail per the valuation model to the contract terms
Consider appropriateness of the discount rates used and whether appropriate risk
premiums are included
Where future cash flows form the basis of the estimates: consider whether previous
forecasts have been reliable, check arithmetical accuracy and perform analytical
review of the forecasts
Reperform computations of the valuations
Consider using an expert or independent valuation model to assess model and
assumptions
Where hedge is in-the-money consider impairment of the financial instruments in
light of the credit risk and issuer’s ability to honour the contract
Expert
Form and content of their reports
Evaluate adequacy of the expert’s work, including
Relevance and reasonableness of findings
Consistency of findings with other audit evidence
Relevance, completeness and accuracy of any source data used by expert
Going Concern
How comprehensive was the testing? (sufficient sample size?)
What effect does it have on other systems
Should audit work be extended or what audit procedures should be employed?
Audit Risk
Audit Approach
Less work will be necessary on understanding systems and controls as these have
been documented by internal audit
Combined audit approach is possible as controls are effective
Approach is cost effective as controls already tested by internal audit
If controls not changed, testing controls on three year cycle based on internal audit
work will be cost effective
Key Controls
invoices to orders and GRNs and check arithmetical accuracy | match invoices details to orders and check arithmetic computations
Inventory records, general ledger are updated automatically and account allocations are done by the computer | Use audit software to test systems ability to process accounting entries
Completeness and Accuracy
System produces daily exception reports that lists all discrepancies | Use audit software to test systems ability to generate exception reports
Daily audit trails are produced and reviewed by manager and signed | Inspect audit trails for signature
Incoming goods are checked for quantity and agreed to suppliers delivery notes | Observe and enquire
invoices and output lists of uninvoiced deliveries | Inspect list of outstanding items
Despatch staff member checks goods packed to orders. Packer and checker should sign | Observe and enquire
Goods leaving premises should be agreed to delivery notes | Inspect order and delivery notes for signature
System retrieves selling prices and discounts from standing data | Use audit software to validate this
System should restrict any price overrides to a certain limited range. Special password for overrides outside a range | Attempt to illegally access override facility
All overrides should be printed for review | Inspect override reports for evidence
Sales director should authorise changes in prices | Inspect price amendment document for evidence of authorisation
Prices on computer files should be checked to manual records and errors corrected | Enquire about this. Inspect documents
Implement access controls to ensure only authorised persons can input and authorise data | Enquire and observe
Input data subject to edit/validation checks | Use audit software to check this
Cost effective
Necessary regarding volume of data and complexity of system
Compatibility between ARS and client’s hardware, software and layout
Availability of generalised ARS
Availability of computer time
Timing of procedures due to data retention period of one month
Timing of procedures owing to tight deadline
Ability of audit staff to run ARS and whether computer audit specialist required
Adequacy of client’s general controls to ensure integrity of software
Competent staff
Adequate instructions
Supervision
Review
Independent
Audit Plan impact from management claiming for work they did not do
Test run program on dummy file and check results against pre-determined results
Review program logic
Check that no specific account is mentioned in the program
Observe computer run to determine whether correct master file was used and
correct operating instructions were followed
Review activity and access logs to determine correct master file was accessed
Reconcile number of records accessed to number of records in acc payable master
file
Requests for changes should be written on pre-numbered change request forms and
recorded in a register
Change forms authorised in writing by CIS manager for operating system, and by
CIS manager and user manager for changes to application software
Significant changes must be authorised by computer steering committee
Users to be involved in definition of system requirements
Functions of system analysts and programmers to be defined
Procedures and techniques to be standardised
Analysts design the system
Programmers write new programs
Changes made only to test versions, not live versions
Users to review and authorise every phase of development or change
CIS manager should approve logs of all changes
Staff to be adequately trained
Systems backed up to prevent loss
Documentation of all changes
Post-implementation review
Economic
Basis on which fees will be charged
Liability for loss of data
Efficiency
Exact responsibilities of both parties
Methods of communication
Content and format of input and how it will be delivered to service provider
Effectiveness
Content and format of output
Confidentiality
Safeguarding of clients info
Availability/ continuity/safeguarding of assets
Termination conditions
Arrangements for recovery of records from loss or destruction
Ownership of data and programs
List of controls/changes to be applied by service provider
Compliance with legislation
Comply with industry legislation and international legislation
Integrity of info
Viruses
Unauthorised access to network, use of utilities, changes to programs or changes to
data
Accuracy and completeness
Incomplete transmission due to inexperience of users with technology
Confidentiality of Info
Unauthorised use of info
Availability
Interruption due to hacking or technological breakdown
Destruction of data or programs
Efficiency and effectiveness
Staff resistance to change
Risk of loss/theft of laptops
Legal exposure
Non-compliance with licensing arrangements
In terms of ISA 500, the onus is on external auditor to obtain sufficient appropriate
audit evidence to draw reasonable conclusions to base the audit opinion
If external auditor places reliance on work of internal audit he must be satisfied that
work constitutes appropriate audit evidence
ISA 610
Objectivity
This can be compromised by:
Financial director reviewing and tabling internal audit findings at board meetings
No audit committee, which would comprise independent non-executives, to ensure
no restrictions are placed on work of internal audit
Internal audit department becoming involved in the operations of the company by
designing systems of internal control
Staff members assisting on the internal audit who were previously employed at Head
Office
Technical Competence
The fact that internal audit has permitted the above to take place points to concerns
about the technical competence of the staff of the internal audit department
Raises concerns about training internal auditors receive
Experience and qualifications of staff involved
Scope of function
The relevance of the work by the internal auditor on the external audit is likely to be
limited
External audit work
Reviewing company policies and procedures for completeness and appropriateness
and identifying areas for improvement may assist in improving effective operation of
internal control systems, but will only reduce time spent on audit if auditor intends
testing operating effectiveness of the internal financial control systems and areas
were remedied so as to reduce risk that system will fail to prevent or detect and correct
material misstatements
Assessment of internal auditor’s work
Internal auditor’s work will be tested by:
Performing review of their working papers
Reperformance of items already tested by internal audit
Performing tests on similar items
Observation and enquiry of internal audit procedures
The auditor will consider whether:
Work was performed by persons with adequate training and proficiency
Conclusions are supported by audit evidence and are appropriate
Exceptions, errors and abnormal items were properly resolved
Reportable irregularity
Report would be modified to draw attention to the fact that a reportable irregularity
has been reported to IRBA