In recent years, information technology (IT) used by firms,
|
|
- Leona Deirdre Garrett
- 7 years ago
- Views:
Transcription
1 Copyright 2003 Information Systems Audit and Control Association. All rights reserved. Impact of SAS No. 94 on Computer Audit Techniques By M. Virginia Cerullo, CPA, CIA, CFE, and Michael J. Cerullo, CPA, CITP, CFE In recent years, information technology (IT) used by firms, large and small, has become increasingly sophisticated and complex. The explosive growth in IT includes computer hardware, databases, networks, telecommunications, the Internet, extranets, electronic commerce, client/server architecture, data warehouses, integrated accounting systems software (such as enterprise resource planning software), automated reasoning systems and neural networks software. The advances in IT have significantly changed the methods firms employ to gather and report information. Thus, auditors encounter many IT environments that maintain data on electronic media rather than paper-based media. Auditors must determine how the firm uses IT systems to initiate, record, process and report transactions or other financial data. 1 This understanding is necessary to plan the audit and to determine the nature, timing and extent of tests to be performed to gain a sufficient understanding of internal controls. SAS No. 94 was recently issued to provide guidance to auditors concerning the proper assessment of internal control 2 activities in IT systems. The auditing standard states that computer-assisted auditing techniques (CAATs) are needed to test automated controls in certain types of IT environments. This paper revisits auditing-through-the-computer techniques, which should become more widely used with the issuance of SAS No. 94, and focuses on the test data technique, which can be applied in almost any audit to test automated programmed controls. This technique is relatively easy to apply and does not require the auditor to have a high degree of computer expertise. An extended illustration of the steps involved in applying this technique is presented. SAS No. 94 and Tests of Controls Under the auditing standards (SAS Nos. 48, 55 and 78) relevant to computer-based systems issued prior to SAS No. 94, a large percentage of auditors assessed control risk at the maximum and performed only substantive tests of account balances and classes of transactions to gather evidence about financial statement assertions. SAS No. 94 recognizes that this approach may not be viable in complex IT environments. When evidence of a firm s initiation, recording and processing of transactions exists only in electronic form, the auditor s ability to obtain the desired assurance only from substantive tests is significantly diminished. SAS No. 94 does not change the requirement to perform substantive tests on significant amounts, but states that it is not practical or possible to restrict detection risk to an acceptable level by performing only substantive tests. 3 When assessing the effectiveness of the design and operation of controls in complex IT environments, it is necessary for the auditor to test these controls. The decision to test controls is not related to the size of the firm but to the complexity of the IT environment. Examples of Situations Requiring Testing of Controls The following are examples of complex IT situations that require the auditor to conduct tests of controls and substantive tests to obtain sufficient evidence about financial statement assertions. They include: IT systems that significantly automate the process of initiating, recording, processing or reporting financial information, such as integrated enterprise resource planning systems Electronic data interchange and payment transfer systems that electronically transmit (paperless) orders and payments from one computer system to another Systems that provide electronic services to customers. In these situations, the IT system automatically initiates bills for the services rendered and processes the billing transactions. Automated reasoning systems (ARS) (e.g., artificial intelligence systems) that employ complex heuristical if/then rules to make decisions (for instance, an ARS system that automatically prepares journal entries for complex transactions or a neural network application that uses financial ratios as independent variables to predict bankruptcy) Computer programs containing algorithms or formulas that make complex calculations, such as automatically computing, allowance for doubtful accounts, reorder points, loan reserves and pension funding calculations Testing of Controls In the above situations, the auditor should identify control activities policies and procedures in place to prevent or detect material misstatements in specific financial statement assertions. Two major categories of control activities related to information processing are general controls and application controls. General controls concern all computer activities and include controls over systems development, access security, program change, data center and networks, and maintenance. Application controls relate to specific tasks performed by individual applications. They include checks performed by IT, such as editorial checks of input data and checks performed by individuals, including the manual follow-up of reconciliations and exception reports.
2 Tests of controls consist of gathering evidential matter concerning how effectively and consistently the current control procedures function. These tests include inquiries, inspection of documents or electronic files, observation of the application of the control and reprocessing transactions. In designing tests of automated controls, the auditor should consider the need to obtain evidence supporting the effective operation of controls directly and indirectly related to the assertions. The techniques used to test automated controls may differ from the techniques used to test manual controls. 4 Audit techniques to test automated controls are discussed below. Computer-assisted Audit Techniques The auditor may use three broad categories of computerassisted techniques to test controls: Auditing around the computer Auditing with the computer Auditing through the computer Auditing Around the Computer With this technique, auditors test the reliability of computergenerated information by first calculating expected results from the transactions entered into the system. Then, the auditors compare these calculations to the processing or output results. If they prove to be accurate and valid, it is assumed that the system of controls is effective and that the system is operating properly. The auditing around the computer approach is adequate when automated systems applications are relatively simple and straightforward. SAS No. 94 does not eliminate the use of this technique. This approach may be suitable for firms using a variety of accounting software that process applications periodically and, when the audit trail generated is extensive, allow outputs to be traced back to inputs. The major weakness of the auditing around the computer approach is that it does not determine whether the program logic is correct. In addition, this approach does not reveal how the automated controls respond to a wide variety of transactions containing errors. Therefore, in complex IT environments, this approach may overlook potentially significant errors and may be ineffective in restricting detection risk to an acceptable level. Auditing With the Computer The auditing with the computer approach embraces a variety of techniques and often is referred to as computer-assisted audit techniques (CAATs). CAATs involve using computers, often a microcomputer, to aid auditors. Although the utilization of CAATs has radically improved the capabilities and effectiveness of auditors, they are primarily used to perform substantive tests. One widely used CAAT, known as general audit software (GAS), is frequently employed to perform substantive tests and may be used for limited testing of controls. For example, GAS can be used to test the functioning of complex algorithms in computer programs, but it requires extensive experience in using the software. In contrast, the auditing through the computer techniques are designed specifically to test automated controls, and some techniques do not require extensive IT experience. Auditing Through the Computer These techniques focus on testing automated processing steps, programming logic, edit routines and programmed controls. The approach assumes that, if the processing programs are soundly developed and incorporate adequate edit routines and programmed checks, then errors and irregularities are not likely to slip by undetected. If these programs are functioning as designed, the outputs can reasonably be accepted as reliable. The auditing through the computer approach is particularly appropriate for testing controls in the complex IT systems emphasized in SAS No. 94. This approach embraces a family of techniques (see table 1), including test data, parallel simulation, integrated test facility and embedded audit module. In a survey conducted by the authors, only 26 of 91 responding Fortune 500 firms, or 28.6 percent, indicated that auditing through the computer techniques were used in an audit of the purchase function, usually a highly automated and complex IT application. This survey, conducted before SAS No. 94, confirms that a majority of auditors continue to set control risk at the maximum level and rely solely on substantive testing to obtain evidence about the accuracy and completeness of the relevant information. When SAS No. 94 becomes widely adopted, the number of all firms, regardless of size, using auditing through the computer techniques should increase. Table 1 Auditing Through the Computer Approach: A Family of Techniques Test data technique Parallel simulation Integrated test facility (ITF) Embedded audit module Uses a set of hypothetical transactions to audit the programmed checks and program logic in both transaction and nontransaction processing programs. The test data approach requires only a modest investment in time to apply in practice and does not require an extensive background in information technology. Attempts to simulate or duplicate the firm s actual processing results. To employ this technique, the auditor writes a computer program, using an audit software package, or using packaged accounting software, such as BusinessWorks, Oracle Financials, PeopleSoft Financials, M.A.S. 90 Evolution/2 and Sap R/3. The auditor s objective is to use the software to input the firm s actual data for a past period and generate the same output as live production programs. The auditor s simulated results and the actual processing results are compared, and differences noted, investigated and corrected. Enables test data to be continually evaluated when transactions are processed by online systems. The auditor creates fictitious situations, such as a bogus department completing purchasing requisitions or purchase orders being sent to bogus vendors, and performs a wider variety of tests compared to the test data approach. The implementation of ITF is time-consuming and costly, requiring a high-level of computer expertise. Is a programmed module or segment that is inserted into an application program. Its purpose is to monitor and to collect data based on transactions, particularly those processed by online computer-based systems. The data are then used by the auditor in the tests of controls and the evaluation of control risk. The application of this method requires the auditor to have a good working knowledge of computer technology, including computer programming.
3 The first two techniques described in table 1 are noncontinuous audit approaches, and the last two are continuous audit approaches. Continuous audit approaches are relevant for firms employing real-time financial reporting of transaction processing applications. Noncontinuous audit techniques are relevant for firms using periodic financial reporting of transaction processing applications. Currently, most firms employ periodic financial reporting. In the future most firms will employ a mix of the two approaches. Thus, both sets of approaches are important in assessing the reliability of the internal controls and the financial reporting information. Of all the auditing through the computer techniques, the test data technique is recommended as a first choice for auditors attempting to meet the requirements of SAS No. 94. The test data technique uses a set of hypothetical transactions to audit the edit checks, programmed checks and program logic in computer programs. It is a relatively inexpensive technique to implement and requires little IT experience on the part of the auditor. This technique is powerful and easy to use in periodic financial reporting applications. Another advantage of the test data technique is that it can be employed in almost any audit to test those segments that constitute the significant risks in computer programs. The remainder of this paper presents a simple illustration of the steps involved in designing test data for a portion of a application that involves calculations of sales. Test Data Illustration The firm in this illustration uses an integrated BusinessWorks ERP accounting software package to automate a variety of accounting applications. All software modules are installed on a server computer. This software package is more sophisticated and complex than the previous software package used by the firm. BusinessWorks can transfer transaction totals automatically to the general ledger and initiate, record and process journal entries and recurring adjustments to the financial statements in the general ledger. The following BusinessWorks modules, or cycles, have been implemented: General ledger and financial reporting, including relevant special journals Accounts receivable Accounts payable Order entry Billing and invoicing Inventory control Payroll Job cost Considering SAS No. 94 requirements, the audit manager decided that it was critical to determine if significant internal controls edit routines and programmed checks had been incorporated into the BusinessWorks software package sufficiently to address the relevant risks associated with initiating, recording and processing journal entries. This illustration is limited to applying the test data technique to selected controls in the application. Before beginning, the auditor must first understand the major objectives of the cycle subsystems. Figure 1 illustrates the steps in applying the test data technique for a application. In the planning phase, the auditor: Obtained and studied the most recent copy of the BusinessWorks documentation Determined the relevant or significant risks that could impede the achievement of the cycle objectives Determined the significant or critical edit routines and programmed checks required to address the relevant risks Tests were performed for control areas considered to be vital to the overall accounting function. These are the areas that have the greatest potential for the control of material financial statement errors. These control areas were identified based upon the potential size or frequency of erroneous transactions. 1 Obtain documentation 2 Evaluate programs to be tested Prepare simulated transactions 5 Auditor s manual pre-computed results from test data Figure 1 The Test Data Technique for a Payroll Application Key 9 10 Exception report A Determine conditions to be tested Payroll computer processing 8 Auditor s summary results from test data The illustration of test data design is limited to testing the program logic in calculating sales. After studying the record layouts and the conditions to be tested, the fourth step shown in figure 1 is to prepare a collection of test transactions. Therefore, the auditor developed simulated test transactions for a past period. The auditor used decision tables to aid the design of the test data. These tables show, in a matrix format, all the rules pertaining to a processing transaction or decision situation. 7 Simulated transactions Payroll program to be tested A 11 Evaluate and analyze exceptions 12 Written recommendations 13 To client
4 A decision table for sales is shown in table 2. Sales expense is considered a material item, therefore the auditor developed test data to test controls over the calculation of sales. A decision table is constructed to aid in developing the test data using the following steps: List all the conditions that apply to the calculation of sales commission. Place those conditions in the condition stub of the decision table. Construct the rules for the decision table by constructing all combinations of condition values. If there are n conditions in the decision table, each of which can take on a yes or no value, the number of conditions will be 2n. Show which actions will be taken under which combination of condition values. The above rules were used to construct the decision table in table 2. In this example, there are three possible conditions stated in the condition stub and, therefore, there are eight rules. The correct actions are shown in the action stub. For instance, rule 1 is If sales are less than US $500, then the salary is equal to the base plus 5 percent of sales. Test data are designed by choosing at least one test transaction for each rule of the decision table. Table 3 shows test data results for the accurate calculation of under rules 1, 5 and 8. Table 2 Decision Logic Table for Commissions Rules Condition Stub Sales < 500 Y Y Y N N N Y N Sales > 500 < 1000 N Y Y Y N N N Y Sales > 1000 N N Y Y Y N Y N Action Stub Salary = base + 5% sales > 0 X base % sales > 500 X base % sales > 10 X Error X X X X X The fifth step in figure 1 is for the auditor to manually precompute the expected results. Table 3 shows the test purpose, test description and expected results for four test data. The sixth step, which creates the simulated transactions, is to enter the test transactions using a PC. The auditor must ascertain that the program used during testing is the actual production program used during normal processing. A convenient way of obtaining this assurance is to arrive unannounced at the processing site during the scheduled time for processing. When the processing is completed, the auditor then requests the operator either to process the test transactions before removing the program or to download them to a laptop. Table 3 Example of Results for Accuracy of Commission Computations Test Test Expected Actual Output Purpose Description Results Results Pass Reference Test for Enter Commis- Commis- Y (Omitted accurate $ in sion of sion of for this calculation of sales field $25 $25 illustrasales tion) with sales less than US $500 Low boundary Enter Commis- Commis- Y test for $ in sion of sion of accurate sales field $25 $25 calculation of sales with sales between US $500 and US $1,000 High boundary Enter Commis- Commis- Y test for $ in sion of sion of accurate sales field $75 $75 calculation of sales with sales between US $500 and US $1,000 Test for Enter Commis- Commis- Y accurate $1,500 in sion of sion of calculation of sales field $150 $150 sales greater than US $1,000 After processing the test transactions, the auditor evaluates the critical control strengths and weaknesses that existed in the pay programs. For the test data illustrated in table 3 (i.e., rules 1, 5 and 8), the precomputed results and the actual results are equal, indicating no error in program logic. In a similar manner, all the test data are designed to test the operation of the internal controls implemented into the module and to determine how the pay programs processed data (i.e., program logic). The simulated transactions and programs are processed to generate the auditor s summary results, which are printed on a summary report (e.g., a weekly register). The eighth step depicted in figure 1 is to compare the register with the auditor s manually computed results. The ninth step is to prepare an exception report listing detected errors. The final steps are to analyze and evaluate the exceptions, and write a letter of reportable conditions to the board of directors covering deficiencies in internal controls.
5 Conclusion IT, which is becoming ever more complex and sophisticated, is revolutionizing businesses. A larger percentage of firms, large and small, rely on IT to initiate, record, process and report financial data. Audit techniques must take into account the impact of this reliance in a financial statement audit, or in an audit of the internal control structure. Prior to the issuance of SAS No. 94, many financial audits of IT systems bypassed testing of controls. In these situations, the auditor often assessed control risk at a maximum level and performed only substantive tests to gather evidence about management s financial statement assertions. SAS No. 94 provides specific guidance when a significant amount of financial information supporting one or more financial statement assertions is automated by complex electronic IT. In these situations, the auditor must assess control risk by performing tests of controls, regardless of firm size. Auditing through the computer techniques, such as test data, parallel simulation or embedded audit module, should be used to test controls when a firm has sophisticated IT systems. The test data technique is recommended for auditors with little IT experience. M. Virginia Cerullo, CPA, CIA, CFE is a professor of accounting at Southwest Missouri State University, Springfield, Missouri, USA. She is the coordinator of the Institute of Internal Auditor s Endorsed Internal Audit Program at Southwest Missouri State. She received her doctorate from Louisiana State University. She has published about 40 articles in professional and academic journals. Michael J. Cerullo, CPA, CITP, CFE is a professor of accounting at Southwest Missouri State University. He specializes in teaching accounting information systems and information systems auditing. He has published about 150 articles in professional and academic journals. He received his doctorate from Louisiana State University. Endnotes 1 Statement on Auditing Standards No. 94, The Effect of Information Technology on the Auditor s Consideration of Internal Control in a Financial Statement Audit, AICPA, New York, USA, May (Amends Statement on Auditing Standards No. 55, Consideration of Internal Control in A Financial Statement Audit, AICPA, New York, USA, April 1988.) SAS No. 94 is effective for audits of financial statements beginning on or after 1 June 2001, although earlier implementation is allowed. 2 In this paper, internal control and the internal control structure will be used interchangeably 3 SAS No. 94, paragraph No Ibid, paragraphs No. 77 and 79 Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc.. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal. Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content. Copyright 2003 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCA TM Information Systems Control Association TM Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass , to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25 per page. Send payment to the CCC stating the ISSN ( ), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.
Continuous auditing: the audit of the future
Zabihollah Rezaee Professor of Accounting, Middle Tennessee State University, Murfreesboro, Tennessee, USA Rick Elam Reynolds Professor of Accountancy, University of Mississippi, Oxford, Mississippi, USA
More informationPerforming Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained
Performing Audit Procedures in Response to Assessed Risks 1781 AU Section 318 Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained (Supersedes SAS No. 55.)
More informationIT Governance and Outsourcing
Copyright 2004 Information Systems Audit and Control Association. All rights reserved. www.isaca.org. IT Governance and Outsourcing By Hugh Parkes, CISA, FCA is a subset of corporate governance. It refers
More informationWhile Microsoft Access database is not an enterprise
Copyright 2006 ISACA. All rights reserved. www.isaca.org. Important, But Often Dismissed: Internal Control in a Microsoft Access Database By John H. White, Ph.D., CISA, CPA While Microsoft Access database
More information2. Auditing. 2.1. Objective and Structure. 2.2. What Is Auditing?
- 4-2. Auditing 2.1. Objective and Structure The objective of this chapter is to introduce the background information on auditing. In section 2.2, definitions of essential terms as well as main objectives
More informationINTERNATIONAL STANDARD ON AUDITING 401 AUDITING IN A COMPUTER INFORMATION SYSTEMS ENVIRONMENT CONTENTS
INTERNATIONAL STANDARD ON AUDITING 401 AUDITING IN A COMPUTER INFORMATION SYSTEMS ENVIRONMENT (This Standard is effective, but will be withdrawn when ISA 315 and 330 become effective) * CONTENTS Paragraph
More informationInformation security governance has become an essential
Copyright 2007 ISACA. All rights reserved. www.isaca.org. Developing for Effective John P. Pironti, CISA, CISM, CISSP, ISSAP, ISSMP Information security governance has become an essential element of overall
More informationModule 7: Computer auditing
Module 7: Computer auditing Module 7: Computer auditing Overview In this module, you learn about the effects that computer processing has on both the control environment and the audit of financial systems.
More informationNeural networks (NNs) are becoming more commonplace
Copyright 2006 ISACA. All rights reserved. www.isaca.org. Using Neural Network Software as a Forensic Accounting Tool By Michael J. Cerullo, Ph.D., CPA, CITP, CFE, and M. Virginia Cerullo, Ph.D., CPA,
More informationOBSERVATIONS FROM 2010 INSPECTIONS OF DOMESTIC ANNUALLY INSPECTED FIRMS REGARDING DEFICIENCIES IN AUDITS OF INTERNAL CONTROL OVER FINANCIAL REPORTING
1666 K Street, N.W. Washington, DC 20006 Telephone: (202) 207-9100 Facsimile: (202) 862-8430 www.pcaobus.org OBSERVATIONS FROM 2010 INSPECTIONS OF DOMESTIC ANNUALLY INSPECTED FIRMS REGARDING DEFICIENCIES
More informationFeature. Log Management: A Pragmatic Approach to PCI DSS
Feature Prakhar Srivastava is a senior consultant with Infosys Technologies Ltd. and is part of the Infrastructure Transformation Services Group. Srivastava is a solutions-oriented IT professional who
More informationReporting on Control Procedures at Outsourcing Entities
Auditing Guidance Statement AGS 1042 (July 2002) Reporting on Control Procedures at Outsourcing Entities Prepared by the Auditing & Assurance Standards Board of the Australian Accounting Research Foundation
More informationINTERNATIONAL STANDARD ON AUDITING 530 AUDIT SAMPLING AND OTHER MEANS OF TESTING CONTENTS
INTERNATIONAL STANDARD ON AUDITING 530 AUDIT SAMPLING AND OTHER MEANS OF TESTING (Effective for audits of financial statements for periods beginning on or after December 15, 2004) CONTENTS Paragraph Introduction...
More informationINTERNATIONAL STANDARD ON AUDITING (UK AND IRELAND) 530 AUDIT SAMPLING AND OTHER MEANS OF TESTING CONTENTS
INTERNATIONAL STANDARD ON AUDITING (UK AND IRELAND) 530 AUDIT SAMPLING AND OTHER MEANS OF TESTING CONTENTS Paragraph Introduction... 1-2 Definitions... 3-12 Audit Evidence... 13-17 Risk Considerations
More informationThis release of the FISCAM document has been reformatted from the January 1999 version.
United States General Accounting Office This release of the FISCAM document has been reformatted from the January 1999 version. It includes only formatting changes, refers to several different GAO documents,
More informationPerforming Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained
Performing Audit Procedures in Response to Assessed Risks 327 AU-C Section 330 Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained Source: SAS No. 122.
More informationThis article describes the history of the Payment Card
Copyright 2007 ISACA. All rights reserved. www.isaca.org. Achieving Compliance With the PCI Data Security Standard By Alex Woda, CISA, QDSP, QPASP This article describes the history of the Payment Card
More informationModule 2 IS Assurance Services
Module 2 IS Assurance Services Chapter 2: IS Audit In Phases Phase 2: Part: 2 of 3 CA A.Rafeq 1 Chapter 2: Agenda Chapter 2: IS Audit in Phases Phase1: Plan Phase 2: Execute Phase 3: Report 2 Phase 2:
More informationJanuary 2004 5(1) CHAPTER 5. Table of Contents
January 2004 5(1) Paragraph CHAPTER 5 Table of Contents 5-000 Audit of Policies, Procedures, and Internal Controls Relative to Accounting and Management Systems Page 5-001 Scope of Chapter... 501 5-100
More informationTechnology plays a key role in today s business
Copyright 2004 Information Systems Audit and Control Association. All rights reserved. www.isaca.org. Implementation of ERP Systems: Accounting and Auditing Implications By Benjamin B. Bae, Ph.D., and
More informationauditing in a computer-based
auditing in a computer-based RELEVANT TO cat paper 8 and ACCA QUALIFICATION PAPERs f8 The accounting systems of many companies, large and small, are computer-based; questions in all ACCA audit papers reflect
More informationNavigating the Standards for Information Technology Controls
Navigating the Standards for Information Technology Controls By Joseph B. O Donnell and Yigal Rechtman JULY 2005 - Pervasive use of computers, along with recent legislation such as the Sarbanes- Oxley
More informationJournal Online. Impact of Security Awareness Training Components on Perceived Security Effectiveness. Do you have something to say about this article?
Journal Online Impact of Security Awareness Training Components on Perceived Security Effectiveness Karen Quagliata, Ph.D., PMP, has worked in the IT field for more than 10 years in diverse capacities.
More informationAudit Sampling. AU Section 350 AU 350.05
Audit Sampling 2067 AU Section 350 Audit Sampling (Supersedes SAS No. 1, sections 320A and 320B.) Source: SAS No. 39; SAS No. 43; SAS No. 45; SAS No. 111. See section 9350 for interpretations of this section.
More informationAgreed-Upon Procedures Engagements
Agreed-Upon Procedures Engagements 1323 AT Section 201 Agreed-Upon Procedures Engagements Source: SSAE No. 10; SSAE No. 11. Effective when the subject matter or assertion is as of or for a period ending
More informationInternal Controls, Fraud Detection and ERP
Internal Controls, Fraud Detection and ERP Recently the SEC adopted Section 404 of the Sarbanes Oxley Act. This law requires each annual report of a company to contain 1. A statement of management's responsibility
More informationInspection Observations Related to PCAOB "Risk Assessment" Auditing Standards (No. 8 through No.15)
1666 K Street, N.W. Washington, DC 20006 Telephone: (202) 207-9100 Facsimile: (202) 862-8430 www.pcaobus.org Inspection Observations Related to PCAOB "Risk Assessment" Auditing Standards (No. 8 through
More informationOctober 14, 2015 5(1)
October 14, 2015 5(1) Paragraph CHAPTER 5 Table of Contents 5-000 Audit of Policies, Procedures, and Internal Controls Relative to Accounting and Management Systems Page 5-001 Scope of Chapter... 501 5-100
More informationHKSA 500 Issued July 2009; revised July 2010, May 2013, February 2015
HKSA 500 Issued July 2009; revised July 2010, May 2013, February 2015 Effective for audits of financial statements for periods beginning on or after 15 December 2009 Hong Kong Standard on Auditing 500
More informationINTERNATIONAL STANDARD ON AUDITING 620 USING THE WORK OF AN AUDITOR S EXPERT CONTENTS
INTERNATIONAL STANDARD ON AUDITING 620 USING THE WORK OF AN AUDITOR S EXPERT (Effective for audits of financial statements for periods beginning on or after December 15, 2009) CONTENTS Paragraph Introduction
More informationISSAI 1300. Planning an Audit of Financial Statements. Financial Audit Guideline
The International Standards of Supreme Audit Institutions, ISSAI, are issued by the International Organization of Supreme Audit Institutions, INTOSAI. For more information visit www.issai.org. Financial
More informationControl Matters. Computer Auditing. (Relevant to ATE Paper 8 Auditing) David Chow, FCCA, FCPA, CPA (Practising)
Computer Auditing Control Matters (Relevant to ATE Paper 8 Auditing) David Chow, FCCA, FCPA, CPA (Practising) The introduction of a computerized or electronic data processing (EDP) accounting system has
More informationRisk Assessment Standards
Risk Assessment Standards Virginia Government Finance Officer's Association Spring Conference May 23, 2008 P R C P KMPG LLP J M P C B H H H T M AICPA Presentation Objectives 1. Discuss background of risk
More informationChapter 15 Auditing the Expenditure Cycle
Chapter 15 Auditing the Expenditure Cycle Expenditure cycle consists of activities related to the acquisition of and payment for plant assets and goods and services. Two major transaction classes: 1 purchases
More information2012 AICPA Newly Released Questions Auditing
Following are multiple choice questions recently released by the AICPA. These questions were released by the AICPA with letter answers only. Our editorial board has provided the accompanying explanation.
More informationINTERNATIONAL STANDARD ON AUDITING 330 THE AUDITOR S RESPONSES TO ASSESSED RISKS CONTENTS
INTERNATIONAL STANDARD ON AUDITING 330 THE AUDITOR S RESPONSES TO ASSESSED RISKS (Effective for audits of financial statements for periods beginning on or after December 15, 2009) CONTENTS Paragraph Introduction
More informationAuditing Standard ASA 330 The Auditor's Responses to Assessed Risks
ASA 330 (October 2009) Auditing Standard ASA 330 The Auditor's Responses to Assessed Risks Issued by the Auditing and Assurance Standards Board Obtaining a Copy of this Auditing Standard This Auditing
More informationAccounting 408 Test 3a Section Row
Accounting 408 Test 3a Name Section Row I. Multiple Choice. (2.5 points each) Read the following questions carefully and indicate your one best answer to the questions by placing an X over the appropriate
More informationU S I N G D A T A A N A L Y S I S T O M E E T T H E R E Q U I R E M E N T S O F R I S K B A S E D A U D I T I N G S T A N D A R D S
U S I N G D A T A A N A L Y S I S T O M E E T T H E R E Q U I R E M E N T S O F R I S K B A S E D A U D I T I N G S T A N D A R D S A C a s e W a r e I D E A R e s e a r c h R e p o r t CaseWare IDEA Inc.
More informationService Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard
Information Systems Audit and Controls Association Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard February 4, 2014 Tom Haberman, Principal, Deloitte & Touche LLP Reema Singh,
More information; ; ; ; MICROSOFT BUSINESS SOLUTIONS NAVISION STANDARD
; ; ; ; MICROSOFT BUSINESS SOLUTIONS NAVISION STANDARD MICROSOFT BUSINESS SOLUTIONS NAVISION STANDARD Microsoft Navision Standard is an integrated business management solution designed for organizations
More information10-1. Auditing Business Process. Objectives Understand the Auditing of the Enteties Business. Process
10-1 Auditing Business Process Auditing Business Process Objectives Understand the Auditing of the Enteties Business Process Identify the types of transactions in different Business Process Asses Control
More informationWEEK 6. Objective 1: Sales Transaction Cycle Risks
WEEK 6 CSA ch4 & GS ch10: pp457-488 Objective 1: Sales Transaction Cycle Risks The major assertions of interest to the auditor in ST of balances for account receivable are existence and valuation and allocation.
More informationPlanning an Audit 255
Planning an Audit 255 AU-C Section 300 Planning an Audit Source: SAS No. 122; SAS No. 128. Effective for audits of financial statements for periods ending on or after December 15, 2012. Introduction Scope
More informationKnowledge Management Series. Internal Audit in ERP Environment
Knowledge Management Series Internal Audit in ERP Environment G BALU ASSOCIATES Knowledge Management Series ISSUE-5 ; VOL 1 Internal Audit in ERP Environment APRIL/2012 Editorial Greetings..!!! Raja Gopalan.B
More informationInformation for Management of a Service Organization
Information for Management of a Service Organization Copyright 2011 American Institute of Certified Public Accountants, Inc. New York, NY 10036-8775 All rights reserved. For information about the procedure
More informationTHE AUDITOR S RESPONSES TO ASSESSED RISKS
SINGAPORE STANDARD ON AUDITING SSA 330 THE AUDITOR S RESPONSES TO ASSESSED RISKS This revised Singapore Standard on Auditing (SSA) 330 supersedes SSA 330 The Auditor s Procedures in Response to Assessed
More informationArticle: Control Systems and Controls Testing: General Review
Article: Control Systems and Controls Testing: General Review By: Paul Lydon, BA, CPA, MBS (Hons), PGCLTHE, FHEA Current Examiner in P1 Auditing The main duty of auditors is to report to the members on
More informationISA 620, Using the Work of an Auditor s Expert. Proposed ISA 500 (Redrafted), Considering the Relevance and Reliability of Audit Evidence
International Auditing and Assurance Standards Board Exposure Draft October 2007 Comments are requested by February 15, 2008 Proposed Revised and Redrafted International Standard on Auditing ISA 620, Using
More informationEnterprise Resource Planning Analysis of Business Intelligence & Emergence of Mining Objects
Enterprise Resource Planning Analysis of Business Intelligence & Emergence of Mining Objects Abstract: Build a model to investigate system and discovering relations that connect variables in a database
More informationAudit Evidence and Documentation AN AUDIT: SUMMARY CHAPTER PCAOB ONE-UP S THE AICPA MANAGEMENT S ASSERTIONS
Audit Evidence and Documentation CHAPTER 5 AN AUDIT: SUMMARY Plan the engagement: Identify risks and areas where internal controls may be relied upon NET : Nature, extent and timing of audit procedures
More informationRisk Management Advisory Services, LLC Capital markets audit and control
Risk Management Advisory Services, LLC Capital markets audit and control November 14, 2003 Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, N.W. Washington, D.C., 20006-2803
More informationCommission Accounting User Manual
Commission Accounting User Manual Confidential Information This document contains proprietary and valuable, confidential trade secret information of APPX Software, Inc., Richmond, Virginia Notice of Authorship
More informationIT Enabled System : Opportunities & Challenges for Assurance Professionals
IT Enabled System : Opportunities & Challenges for Assurance Professionals Acknowledgements: - ISACA - ITGI - Wikipedia - The Economist - ICMAB - SCB March 31, 2011; ICAB (Chartered Accountant Bhaban)
More informationSESSION 3 AUDIT PLANNING
SESSION 3 AUDIT PLANNING Learning Objectives: identify and explain the need for planning an audit identify and describe the contents of the overall audit strategy and the audit plan explain the difference
More informationISSAI 1501. Audit Evidence Specific Considerations for Selected Items. Financial Audit Guideline
The International Standards of Supreme Audit Institutions, ISSAI, are issued by the International Organization of Supreme Audit Institutions, INTOSAI. For more information visit www.issai.org. Financial
More informationActivity Code 12500 Material Management and Accounting System (MMAS) Version 9.10, dated September 2015 B-1 Planning Considerations
Activity Code 12500 Material Management and Accounting System (MMAS) Version 9.10, dated September 2015 B-1 Planning Considerations Audit Specific Independence Determination Members of the audit team and
More informationPart II. Audit process by phase 3. Testing and evidence
Part II. Audit process by phase 3. Testing and evidence Quiz 1: The quality of audit evidence depends on whether it is relevant and reliable in supporting the conclusions of the auditor, and normally the
More informationTHE EXPENDITURE CYCLE Part I
CHAPTER THE EXPENDITURE CYCLE Part I Businesses need resources in order to conduct their business to produce and sell a product or to provide a service. The expenditure cycle is concerned with the acquisition
More informationSuccessWare 21 Online Class Curriculum
SuccessWare 21 Online Class Curriculum The following is a list of the classes that we currently offer our users in an online format. Each of the class consists of the stated number of 90 minute sessions.
More information3. Current Auditing Computerized Tools
- 17-3. Current Auditing Computerized Tools 3.1. Objective and Structure The objective of this chapter is to provide information about technological tools and techniques currently used by auditors. Section
More informationNew Audit Standards: How Will They Impact the Audit
New Audit Standards: How Will They Impact the Audit Process? Presented by Robinson, Farmer, Cox Associates The Commonwealth s premier source of financial expertise since 1953. Presentation Objectives Discuss
More informationCUNY SCHOOL OF PROFESSIONAL STUDIES: DEPARTMENTAL RETENTION SCHEDULE 4/7/2014 OFFICE OF INFORMATION TECHNOLOGY
IT-1 Contracts/ Software Licenses/ Use Agreements General 6[6] IT-2 CUNY SCHOOL OF PROFESSIONAL STUDIES: DEPARTMENTAL RETENTION SCHEDULE 4/7/2014 CUNY-CIS Information Security Procedures Attestation Forms
More informationORACLE FUSION ACCOUNTING HUB
ORACLE FUSION ACCOUNTING HUB THE NEW STANDARD FOR FINANCIAL REPORTING AND INTEGRATION KEY FEATURES Reporting platform with embedded Essbase Centralized reporting center to deliver and access reports Proactive
More informationAccounting 408 Test 3b Section Row
Accounting 408 Test 3b Name Section Row Multiple Choice. (2 points each) Read the following questions carefully and indicate the one best answer to each question by placing an X (do not circle) over the
More informationCONTINUOUS AUDITING: A STRATEGIC APPROACH TO IMPLEMENTATION. A CaseWare IDEA Research Report
CONTINUOUS AUDITING: A STRATEGIC APPROACH TO IMPLEMENTATION A CaseWare IDEA Research Report CaseWare IDEA Inc. is a privately held software development and marketing company, with offices in Toronto and
More informationUnderstanding SOC Reports for Effective Vendor Management. Jason T. Clinton January 26, 2016
Understanding SOC Reports for Effective Vendor Management Jason T. Clinton January 26, 2016 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2012 Wolf & Company, P.C. Before we
More informationImpact of Computer-Assisted Audit Techniques on Sarbanes-Oxley Act Sections 404 and 409. Scarlett Choi ACC 626
Impact of Computer-Assisted Audit Techniques on Sarbanes-Oxley Act Sections 404 and 409 Scarlett Choi ACC 626 INTRODUCTION In order to restore the declining investors confidence in the capital markets
More informationWashington County, NC REQUEST FOR PROPOSAL. Financial, Revenue Collection, and Personnel ERP System
Washington County, NC REQUEST FOR PROPOSAL Financial, Revenue Collection, and Personnel ERP System INTRODUCTION The County of Washington is issuing this Request for Proposal (RFP) to solicit vendor proposals
More informationAnalytical Procedures
Analytical Procedures 1889 AU Section 329 Analytical Procedures (Supersedes section 318.) Source: SAS No. 56; SAS No. 96. Effective for audits of financial statements for periods beginning on or after
More informationFS Regulatory Brief SEC Proposes Amendments to Broker- Dealer Financial Reporting Rule
SEC Proposes Amendments to Broker- Dealer Financial Reporting Rule Amendments call for brokerdealers assertion of compliance with the Financial Responsibility Rules, new reviews by independent auditors,
More informationAudit Evidence. AU Section 326. Introduction. Concept of Audit Evidence AU 326.03
Audit Evidence 1859 AU Section 326 Audit Evidence (Supersedes SAS No. 31.) Source: SAS No. 106. See section 9326 for interpretations of this section. Effective for audits of financial statements for periods
More informationConnecting the dots: IT to Business
Connecting the dots: IT to Business Jason Wood, CPA, CISA, CIA, CITP, CFF April 2015 1 Speaker Bio Jason Wood Over 18 years of international business experience in planning, conducting, and quality reviewing
More informationA REPORT FROM THE OFFICE OF INTERNAL AUDIT
A REPORT FROM THE OFFICE OF INTERNAL AUDIT PRESENTED TO THE CITY COUNCIL CITY OF BOISE, IDAHO AUDIT / TASK: #12-06 / Training Division AUDIT CLIENT: Boise Fire Department REPORT DATE: March 21, 2013 AUDIT
More informationAuditing Derivative Instruments, Hedging Activities, and Investments in Securities 1
Auditing Derivative Instruments 1915 AU Section 332 Auditing Derivative Instruments, Hedging Activities, and Investments in Securities 1 (Supersedes SAS No. 81.) Source: SAS No. 92. See section 9332 for
More informationthree TESTS OF CONTROLS AND TESTS OF DETAILS
TESTS OF CONTROLS AND TESTS OF DETAILS P A R T three Part 3 covers the major evidence-gathering procedures of the assurance services engagements. Chapter 9 covers tests of controls for the control risk
More informationComparison of ISA 330 with AS-402 Objectives and Requirements Only
Comparison of ISA 330 with AS-402 Objectives and Requirements Only International Standard on Auditing 330 (Redrafted): The Auditor s INTRODUCTION Scope of this ISA 1. This International Standard on Auditing
More informationHow To Use A Bank Service On A Bank System
Sage 300 ERP 2014 Bank Services User's Guide This is a publication of Sage Software, Inc. Copyright 2014. Sage Software, Inc. All rights reserved. Sage, the Sage logos, and the Sage product and service
More information3.B METHODOLOGY SERVICE PROVIDER
3.B METHODOLOGY SERVICE PROVIDER Approximately four years ago, the American Institute of Certified Public Accountants (AICPA) issued Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting
More informationQuestions from GAQC Conference Call The Impact of SAS 112 on Governmental Financial Statement Audits January 4, 2007
Questions from GAQC Conference Call The Impact of SAS 112 on Governmental Financial Statement Audits January 4, 2007 Preparing Financial Statements Q1. During a recent AICPA Webcast, a panelist indicated
More informationSage 300 ERP 2012. Bank Services User's Guide
Sage 300 ERP 2012 Bank Services User's Guide This is a publication of Sage Software, Inc. Copyright 2014. Sage Software, Inc. All rights reserved. Sage, the Sage logos, and the Sage product and service
More informationGeneral Ledger User Guide
General Ledger User Guide Version 9.0 February 2006 Document Number GLUG-90UW-01 Lawson Enterprise Financial Management Legal Notices Lawson does not warrant the content of this document or the results
More informationKPMG LLP Suite 12000 1801 K Street, NW Washington, DC 20006 Independent Auditors Report on Internal Control Over Financial Reporting and on Compliance and Other Matters Based on an Audit of Financial Statements
More informationAUD. Auditing & Attestation. Roger Philipp, CPA
AUD Auditing & Attestation Roger Philipp, CPA AUDIT Written By: Roger Philipp, CPA Roger CPA Review 1288 Columbus Ave #278 San Francisco, CA 94133 www.rogercpareview.com 415-346-4CPA (4272) AUDIT Table
More informationSSAE 16 for Transportation & Logistics Companies. Chris Kradjan Kim Koch
SSAE 16 for Transportation & Logistics Companies Chris Kradjan Kim Koch 1 The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind,
More informationChapter 9 The Study of Internal Control and Assessment of Control Risk
Review Questions Chapter 9 The Study of Internal Control and Assessment of Control Risk 9-1 There are seven parts of the planning phase of audits: preplan, obtain background information, obtain information
More informationChapter 8--Materiality, Risk and Preliminary Audit Strategies
Chapter 8--Materiality, Risk and Preliminary Audit Strategies Materiality AU section 312 requires the auditor to consider materiality in (1) planning the audit and (2) assessing whether the financial statements,
More informationAudit Risk, Complex technology, & Auditing Processes
Audit Risk, Complex technology, & Auditing Processes Dr. Jagdish Pathak Assistant Professor of Accounting Systems & IT Auditing Accounting & Auditing Area Suite # 411 Odette School of Business University
More informationJOB READY ASSESSMENT BLUEPRINT ACCOUNTING-BASIC - PILOT. Test Code: 4100 Version: 01
JOB READY ASSESSMENT BLUEPRINT ACCOUNTING-BASIC - PILOT Test Code: 4100 Version: 01 Specific Competencies and Skills Tested in this Assessment: Journalizing Apply the accounting equation to journalize
More informationCOSO s 2013 Internal Control Framework in Depth: Implementing the Enhanced Guidance for Internal Control over External Financial Reporting
in Depth: Implementing the Enhanced Guidance for Internal Control over External Financial Reporting Table of Contents EXECUTIVE SUMMARY... 3 BACKGROUND... 3 SIGNIFICANT CHANGES AFFECTING INTERNAL CONTROL
More informationIncreasing the Productivity and Efficiency of Business Transactions with Microsoft Business Solutions Navision Intercompany Postings
Increasing the Productivity and Efficiency of Business Transactions with Microsoft Business Solutions Navision Intercompany Postings White Paper Published: May 2004 Contents Introduction...1 Streamlining
More informationElectronic Audit Evidence (EAE) and Application Controls. Tulsa ISACA Chapter December 11, 2014
Electronic Audit Evidence (EAE) and Application Controls Tulsa ISACA Chapter December 11, 2014 Agenda Recent IT-related PCAOB inspection themes: Internal control over financial reporting Multi-location
More informationIAASB Main Agenda (June 2010) Agenda Item. April 28, 2009
Agenda Item 8-B Statement of Position 09-1 April 28, 2009 Performing Agreed-Upon Procedures Engagements That Address the Completeness, Accuracy, or Consistency of XBRL-Tagged Data Issued Under the Authority
More informationCase Study Top-Down, Risk-Based Approach Purchase to Pay Process
Top-Down, Risk-Based Approach Purchase to Pay Process Overview This case study describes the flow of a Top-Down Risk, Based Approach for an example Purchase to Pay process. This case study is not all-inclusive
More informationin THE WAKE OF FIRST-YEAR FILINGS FOR SECTION 404 a guide to Section 404 project management
S A RB A N E S - OX LE Y: A SPE C IAL R E P O RT As organizations look toward year two of Sarbanes-Oxley, there are several steps they can take to ensure a more effective and efficient documentation process.
More informationMicrosoft Navision Axapta Project
Microsoft Navision Axapta Project enables efficient project management with full financial overview and control Microsoft Navision Axapta Project Microsoft Navision Axapta Project gives you a strong platform
More informationGuidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004
Guidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004 1. INTRODUCTION Financial institutions outsource business activities, functions and processes
More informationNew, changed, or deprecated features
Microsoft Dynamics AX 7 New, changed, or deprecated s This document provides a summary of new and changed s that have been implemented in Microsoft Dynamics 'AX 7'. It also includes deprecated notices
More informationINTERNATIONAL AUDITING PRACTICE STATEMENT 1013 ELECTRONIC COMMERCE EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS
INTERNATIONAL PRACTICE STATEMENT 1013 ELECTRONIC COMMERCE EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS (This Statement is effective) CONTENTS Paragraph Introduction... 1 5 Skills and Knowledge... 6 7 Knowledge
More informationGeneral Accounting Applications (As featured in this pdf document) Licensing Applications. Additional Applications
SOFTWARE PRODUCTS LIST General Accounting Applications (As featured in this pdf document) MSI-Accounts Payable...pg 2,3 MSI-Accounts Receivable...pg 4,5 MSI-Budget Planning...pg 6,7 MSI-Cash Register...pg
More information