1. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. IT Auditing, Hall, 3e

2. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.  Follow Figure 9-1  Obtaining & recording customers’ orders  Document = SALES ORDER  One copy in “Open Order File”  Approving credit  One copy of sales order went to credit dept.  Returned authorized copy triggers release of sales order into system 1Hall, 3e

3. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.  Processing shipping orders  4 copies of Sales Order to warehouse; packing slip, shipping notice, stock release, file copy  Locate and “pick” goods using Stock Release; package them with packing slip  Reconcile documents and goods, sign Shipping Notice, prepare Bill of Lading – multiple copies  Transfer custody of goods (packing slip inside) and 2 copies of Bill of Lading to carrier  Record shipment in shipping log  Send shipping notice to Billing Dept.  File: Stock Release, 1 BOL, File Copy 2Hall, 3e

4. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.  Keypunch batch of shipping notices  Edit run program, correct any errors  Field checks  Limit tests  Range tests  Price times quantity extensions  Sort run on batches by AR account number  Legacy systems store records in sequential manner, usually tape  Next process is to “post” individual shipping notices to appropriate individual AR accounts  AR update & billing run [Figure 9-2] Updates AR file becomes new AR file  Billing would be printing invoices to be mailed  Sales journal file or printout  Journal voucher for AR [DR] and sales [CR] 3Hall, 3e

5. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.  Re-sort by inventory item {why?}  Same reason; but this process is to update Inventory Items  Inventory update run [Figure 9-3]  Reduce quantity on hand for items shipped, generate a new Inventory file  Compare “On Hand” quantity with “Reorder Point” to identify items needing replenishment; file or printout  Journal voucher for Cost of Goods Sold [DR] and Inventory [CR]  Sort journal entries by GL #  Run general ledger update  Management reports 4Hall, 3e

6. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.  See Figure 9-4  Discrete events that naturally fit the batch approach  Update Procedures  Mail Room  Receives checks and Remittance Advices.  Separates checks from Remittance Advices  Prepares a Remittance List – multiple copies  Copy of Remittance List and checks go to Cash Receipts Dept.  Remittance Advices and copy of Remittance List go to AR Dept.  Last copy of Remittance List to Controller’s Office 5Hall, 3e

7. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.  Cash receipts dept.  Reconciles checks and remittance list  Prepares deposit slip – multiple copies  Using terminal/IS, creates a journal voucher of cash received; Cash [DR] and AR [CR]  End of day, deposit cash and Deposit slips to the bank  File copy of deposit slip 6Hall, 3e

8. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.  AR Dept.  Reconciles remittance advices and remittance list  Prepares batch for transactions based on remittance advice data to update AR subsidiary ledger  Files remittance advices and remittance list 7Hall, 3e

9. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.  DP Dept.  Accesses the two files created in cash receipts (journal voucher) and AR (batch transaction file of CR)  Reconciles the files  Updates AR-SUB accounts  Updates GL (AR, Cash)  Creates a cash receipts journal  System produces transaction listing that is sent to AR dept. where AR clerk will reconcile against the remittance list of file there  More management reports 8Hall, 3e

10. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.  See Figure 9-5  Sales procedures  Transactions are processed as they occur, separately  Credit check is performed online by the system  If approved, system checks availability of inventory  If available, system:  Transmits electronic stock release to warehouse dept  Transmits electronic packing slip to shipping dept  Updates inventory file records for depletion  Records sale in open sales order computer file 9Hall, 3e

11. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.  Warehouse procedures  Produces hard copy of stock release  Clerk picks goods, sends them with a copy of stock release to shipping dept.  Shipping procedures  Reconciles goods, stock release, packing slip from system.  Online, IS prepares Bill of Lading for shipment, and shipping notice for DP Dept.  Select carrier and prepare goods for shipment, along with packing slip and Bill of Lading  Stock release form is filed 10Hall, 3e

12. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.  Billing procedures  Record sales invoice and shipment in IS  Print invoice to be sent to customer  Update shipping log and sale invoice files  Delete shipment from open sales order file  Cash receipts procedures  Keypunch cash receipts using the remittance advice into IS,matching it with the specific record in the sales invoice file  Keypunch any credit memos using similar process  Generate a remittance file of posted transactions 11Hall, 3e

13. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.  Events Database  Traditional accounting does not have to exist in per se (in traditional form)  General Ledger can be derived at any time from a compilation from the events database  Advantages  Greatly shortens the cash cycle of the firm  Can give a firm a competitive advantage (e.g., managing inventory better)  Real-time editing permits the identification of many kinds of errors as they occur, greatly reducing the efficiency and effectiveness of business processes  Reduces the amount of paper documents  Electronic audit trails are possible in real-time computer-based systems 12Hall, 3e

14. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.  Point of sale systems are used extensively in retail establishments. ◦ Customers pick the inventory from the shelves and take them to a cashier.  The clerk scans the universal product code (UPC). The POS system is connected to an inventory file, where the price and description are retrieved. ◦ The inventory levels are updated and reorder needs can immediately be detected. 13 Hall, 3e

15. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.  The system computes the amount due. Payment is either cash, check, ATM or credit card in most cases. ◦ No accounts receivables  If checks, ATM or credit cards are used, an on-line link to receive approval is necessary.  At the end of the day or a cashier’s shift, the money and receipts in the drawer are reconciled to the internal cash register tape or a printout from the computer’s database. ◦ Cash over and under must be recorded 14 Hall, 3e

16. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 15 Hall, 3e

17. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.  Existence / Occurrence  VERIFY AR balance represents amounts actually owed as of Balance Sheet date  Establish sales represents goods shipped and/or services rendered during period of financials  Completeness  Determine all amounts owed organization are included in AR  VERIFY shipped goods, services rendered, and/or returns and allowances for period are included in financials  Accuracy  VERIFY revenue transactions are accurately computed, based on correct prices and quantities  Ensure AR subsidiary ledger, sales invoice file, remittance file are mathematically correct.. And agree with GL accounts  Rights & Obligations  Determine organization has legal right to AR  VERIFY accounts sold or factored have been removed from AR  Valuation or Allocation  Determine AR balance stated in net realizable value  Establish allocation for uncollectible accounts is appropriate  Presentation and Disclosure  VERIFY AR and revenues for period are properly described and classified 16Hall, 3e

18. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.  Purpose  Ensure creditworthiness of customers  Control techniques vary considerably between batch systems and real-time systems  Credit authorization procedures  Credit worthiness of customer  Batch and manual systems use credit dept.  Real-time systems use programmed decision rules  Testing credit procedures  Verify effective procedures exist  Verify information is adequately communicated  Verify effectiveness of programmed decision rules (test data, ITF)  Verify that authority for making credit decisions is limited to authorized credit personnel/procedures  Perform Substantive Tests of Detail  Review credit policy periodically and revise as necessary 17Hall, 3e

19. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.  Data Validation Controls  To detect transcription errors in data as it is processed  Batch: after shipment of goods Error logs Error correction computer processes Transaction resubmission procedures  Real-Time: Errors handled as they occur  Missing data checks – presence of blank fields  Numeric-Alphabetic data checks – correct form of data  Limit checks – value does not exceed max for the field  Range checks – data is within upper and lower limits  Validity checks – compare actual values against known acceptable values  Check digit – identify keystroke errors by testing internal validity  Testing Data Validation Controls  Verify controls exist and are functioning effectively  Validation of program logic can be difficult  If Controls over system development and maintenance are NOT weak, testing data editing/programming logic more efficient than substantive tests of details (test data, ITF)  Some assurance can be gained through the testing of error lists and error logs (detected errors only) 18Hall, 3e

20. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.  Batch controls  Manage high volumes of similar transactions  Purpose: Reconcile output produced by system with the original input  Controls continue through all computer (data) processes  Batch transmittal sheet:  Unique batch number  Batch date  Transaction code  Record count  Batch control total (amount)  Hast totals (e.g., account numbers)  Testing data validation controls  Failures of batch controls indicates data errors  Involves reviewing transmittal records of batches processed and reconcile them to the batch control log (batch transmittal sheet)  Examine out-of-balance conditions and other errors to determine cause of error  Review and reconcile transaction listings, error logs, etc. 19Hall, 3e

21. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.  Computerized procedures for file updating  Restricting access to data  Techniques:  File update controls -- Run-to-run batch control data to monitor data processing steps  Transaction code controls – to process different transactions using different programming logic (e.g., transaction types)  Sequence check controls – sequential files, proper sorting of transaction files required  Testing file update controls – results in errors  Testing data that contains errors (incorrect transaction codes, out of sequence)  Can be performed in ITF or test data  CAATTs requires careful planning  Single audit procedure can be devised that performs all tests in one operation. 20Hall, 3e

22. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.  Prevent and detect unauthorized and illegal access to firm’s systems and/or assets  Warehouse security  Depositing cash daily  Use safe deposit box, night box, lock cash drawers and safes  Accounting records  Removal of an account from books  Unauthorized shipments of goods using blank sales orders  Removal of cash, covered by adjustments to cash account  Theft of products/inventory, covered by adjustments to inventory or cash accounts  Testing access controls – heart of accounting information integrity  Absence thereof allows manipulation of invoices (i.e., fraud)  Access controls are system-wide and application-specific  Access controls are dependent on effective controls in O/S, networks, and databases Hall, 3e21

23. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.  Segregation of duties  Rule 1: Transaction authorization separate from transaction processing  Rule 2: Asset custody separate from record-keeping tasks  Rule 3: Organization structured such that fraud requires collusion between two or more people  Supervision  Necessary for employees who perform incompatible functions  Compensates for inherent exposure from incompatible functions  Can be supplement when duties are properly segregated  Prevention vs. detection of fraud and crime is objective: supervision can be effective preventive control Hall, 3e22

24. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.  Independent verification  Review the work of others at critical points in business processes  Purpose: Identify errors or possible fraud  Examples:  Shipping dept. verifies goods sent from warehouse dept. are correct in type and quantity  Billing dept. reconciles shipping notice with sales notice to ensure customers billed correctly  Testing physical controls  Review organizational structure for incompatible tasks  Tasks normally segregated in manual systems get consolidated in DP systems.  Duties of design, maintenance, and operations for computers need to be separated  Programmers should not be responsible for subsequent program changes. 23Hall, 3e

25. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.  PURPOSE: Information is not lost, misdirected, or corrupted; that the system output processes function properly  Controls are designed to identify potential problems  Reconciling GL to subsidiary ledgers  Maintenance of the audit trail – that is the primary way to trace the source of detected errors  Details of transactions processed at intermediate points  AR change report  Transaction logs: permanent record of valid transactions  Transaction listings – successfully posted transactions  Log of automatic transactions  Unique transaction identifiers  Error listings  Testing output controls  Reviewing summary reports for accuracy, completeness,timeliness, and relevance for decisions  Trace sample transactions through audit trails; including transaction listings, error logs, and logs of resubmitted records  ACL is very helpful in this process 24Hall, 3e

26. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.  PURPOSE: Determine the nature, timing, and extent of substantive tests using auditor’s assessment of inherent risk, unmitigated control risk, materiality considerations, and efficiency of the audit.  Concern: Overstatement or understatement of revenues?  Focus on large and unusual transactions, especially near period-end  Recognizing revenues from sales that did not occur  Recognizing revenues BEFORE they are realized  Failing to recognize cutoff points  Underestimating allowance for doubtful accounts  Shipping unsolicited products to customers, subsequently returned  Billings customers for products held by seller  Tests of controls and substantive tests  Credit limit logic may be effective but cut-off of AR may be error  Substantive testing of AR may give assurance about accuracy of total AR but does not offer assurance about collectability 25Hall, 3e

27. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.  Understanding data  VERIFY data used in CAATTs (e.g., ACL) is accurate  VERIFY adequate setup of files from originals (e.g., ACL and Profile command)  Relationships and data from [see Figure 9-10]:  Customer file  Sales Invoice file  Line item file  Inventory file  Shipping log file  File preparation procedures 26Hall, 3e

28. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.  Accuracy/completeness assertion  Analytical review of account balances  Overall perspective for trends in sales, cash receipts, sales returns, and AR  Provides first-level assurance that amounts are reasonably stated and reasonably complete  If so, may reduce the extent of substantive testing  Review sales invoices for unusual trends and exceptions  Scanning data files using CAAT (e.g., ACL and stratify and possibly filters - see Figure 9-11) Reveals all errors or raises questions? 27Hall, 3e

29. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.  Accuracy/completeness assertion  Review sales invoice and shipping log files  Missing and duplicate transactions [see Table 9-2]  Questions/survey: Are procedures in place to document and approve voided invoices? How are gaps in sales invoice numbers communicated to management? What physical controls exist over access to sales invoice source documents? If applicable, are batch totals used to control batch transactions during each processing step? Are transaction listings reconciled and reviewed by management?  Review line item and inventory files for pricing accuracy  ACL allows auditor to compare prices on invoices with inventory – using JOIN [see example on page 413]  Testing unmatched records (complement) 28Hall, 3e

30. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.  Existence assertion  Confirmation of AR – SAS #67  Not required if: AR is immaterial Assessed Control Risk is low Confirmation process will be ineffective  CAATTs to use for this function? Steps: Select accounts to confirm Consolidate invoices (not AR subsidiary) using CLASSIFY (filter) and SUMMARIZE (amount) [see Tables 9-3 and 9-4] Why? JOIN the CUSTOMER file with the new consolidated invoice file  Prepare confirmation requests [see Figure 9-12] Positive and Negative Confirmations (ACL, EXPORT)  Evaluating and controlling responses Retain custody of the confirmation letters until mailed The letters should be addressed to the auditor, not client org. The replies should be mailed to the auditor, not client org. Discrepancies should be investigated. Non responses to POSITIVE confirmation should be investigated 29Hall, 3e

31. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.  Valuation/allocation assertion  Corroborate or refute AR is stated at reasonable Net Realizable Value  AGING AR ACL, AGE [see Table 9-7]  Is allowance for doubtful accounts reasonable compared to prior years and based on composition of AR portfolio Confirmation process will be ineffective  Review past-due balances Conference with credit manager to determine collectability Determine if methods used to estimate allowance for doubtful accounts is adequate, not the collectability of each account Determine if overall allowance is, therefore, reasonable 30Hall, 3e

32. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

33. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 32 Hall, 3e

34. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 33 Hall, 3e

35. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 34 Hall, 3e

36. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.  Begins with a customer placing an order ◦ The sales department captures the essential details on a sales order form.  The transaction is authorized by obtaining credit approval by the credit department.  Sales information is released to: ◦ Billing ◦ Warehouse (stock release or picking ticket) ◦ Shipping (packing slip and shipping notice) 35 Hall, 3e

37. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.  The merchandise is picked from the Warehouse and sent to Shipping. ◦ Stock records are adjusted.  The merchandise, packing slip, and bill of lading are prepared by Shipping and sent to the customer. ◦ Shipping reconciles the merchandise received from the Warehouse with the sales information on the packing slip.  Shipping information is sent to Billing. Billing compiles and reconciles the relevant facts and issues an invoice to the customer and updates the sales journal. Information is transferred to: ◦ Accounts Receivable (A/R) ◦ Inventory Control 36 Hall, 3e

38. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.  A/R records the information in the customer’s account in the accounts receivable subsidiary ledger.  Inventory Control adjusts the inventory subsidiary ledger.  Billing, A/R, and Inventory Control submits summary information to the General Ledger dept., which then reconciles this data and posts to the control accounts in the G/L. 37 Hall, 3e

39. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 38 Hall, 3e

40. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 39 Hall, 3e

41. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. G/L posts the following to control accounts: Inventory—Control DR Sales Returns and Allowances DR Cost of Goods Sold CR Accounts Receivable—Control CR 40 Hall, 3e

42. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 41 Hall, 3e

43. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 42 Hall, 3e

44. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.  Customer checks and remittance advices are received in the Mail Room. ◦ A mail room clerk prepares a cash prelist and sends the prelist and the checks to Cash Receipts. ◦ The cash prelist is also sent to A/R and the Controller.  Cash Receipts: ◦ verifies the accuracy and completeness of the checks ◦ updates the cash receipts journal ◦ prepares a deposit slip ◦ prepares a journal voucher to send to G/L 43 Hall, 3e

45. © 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.  A/R posts from the remittance advices to the accounts receivable subsidiary ledger. ◦ Periodically, a summary of the postings is sent to G/L.  G/L department: ◦ reconciles the journal voucher from Cash Receipts with the summaries from A/R ◦ updates the general ledger control accounts  The Controller reconciles the bank accounts. 44 Hall, 3e