AUDITING
What does an auditor do?
What is AUDITING?
Auditing is the accumulation and evaluation of evidence about information to determine and report on the degree of correspondence between the information and established criteria.
12-03-2012
Internal Audit
An independent appraisal activity established within an organisation as a service to it. It is a control which functions by examining and evaluating the adequacy and effectiveness of other controls. The investigative techniques developed are applied to the analysis of the effectiveness of all parts of an entity's operations and management.
Review of the safeguarding of assets
Review of the implementation of corporate objectives
Identification of significant business and financial risks (risk management)
Special investigations
Types of Audits
Operational / management / efficiency / value-for-money audit: monitoring of management's performance at every level
Systems audit: testing and evaluation of the internal controls
Transactions audit
Social audit
Management investigations
Audit tests
Compliance tests
Substantive tests
Compliance Testing
Compliance tests are defined as those tests which seek to provide audit evidence both on the effectiveness of the controls and that the internal control procedures are being applied as prescribed.
Compliance tests seek evidence that the internal controls are being applied as prescribed.
E.g. an internal control questionnaire
Compliance Testing
Auditors test internal controls in order to establish whether they are operating effectively throughout the period under review. If controls are operating effectively, auditors can reduce the level of substantive testing on transactions and balances that would otherwise be required. In testing internal controls, auditors are checking to ensure that the stated control has been applied.
Substantive Testing
Substantive tests are defined as those tests of transactions and balances, and other procedures such as analytical review, which seek to provide audit evidence as to the completeness, accuracy and validity of the information contained in the accounting records or in the financial statements. Substantive tests are concerned with confirming the accuracy of the figures. They are used to discover errors and omissions. They include:
the vouching of transactions, the checking of postings, the checking of casts and calculations
the reconciliation of bank accounts and subsidiary ledgers
the verification by appropriate means of all account balances
analytical review of final account balances
Substantive Testing
Search for unrecorded liabilities
Confirm accounts receivable to ensure they are not overstated
Determine the correct value of inventory, and ensure it is not overstated
Determine the accuracy of accruals for expenses incurred but not yet invoiced (also revenues, if appropriate)
Accountability
Internal audit (IA) is accountable to the audit committee and the board of directors (BOD)
The auditor needs access to all parts of the organisation
The auditor should be free to comment on the performance of management
The auditor's report may need to be actioned at the highest level to ensure its effective implementation
Independence
The auditor must be, and must be seen to be, independent
Objectivity, probity and honesty
The internal auditor should not install new procedures or systems, nor engage in any activity which he would normally appraise, as this might compromise his independence
External Audit
A periodic examination of the accounting records conducted by an independent third party, to assess whether they have been properly maintained, are accurate, and comply with established principles, legislation and accounting standards. External auditors will attempt to establish whether the accounts give a true and fair view of the financial state of the organisation. External auditing can act as an additional preventive control measure.
REPORTING TO
May have a number of aims, including internal control systems, management information systems and risk management
RELATING TO
Relates to the operations of the organisation; often carried out by the organisation's own employees; can be outsourced
Security
If you love something, then you care about it and you protect it.
Security, in information management terms, means the protection of data from accidental or deliberate threats which might cause unauthorized modification, disclosure or destruction of data, and the protection of the information system from the degradation or non-availability of services.
Physical threats
Physical threats to security may be natural or man-made. They include:
Fire: fire alarms to detect it and fire extinguishers to fight it
Water: waterproof ceilings
Weather: some locations are vulnerable
Lightning: uninterruptible power supply (UPS)
Terrorist activity
Accidental damage
Security controls
The protection of data from accidental or deliberate threats which might cause unauthorized modification, disclosure or destruction of data, and the protection of the information system from the degradation or non-availability of services.
Risks to data include human error, technical error, natural disaster, fraud and commercial espionage.
Integrity controls
Data integrity in the context of security is preserved when data is the same as in source documents and has not been accidentally or intentionally altered, destroyed or disclosed. Systems integrity refers to system operation conforming to the design specification despite attempts (deliberate or accidental) to make it behave incorrectly.
Input controls
Input controls should ensure the accuracy, completeness and validity of input.
Data verification involves ensuring that data entered matches the source documents.
Authorizations enforce management's policies with respect to transactions flowing into the general ledger system.
Data validation involves ensuring that data entered is not incomplete or unreasonable. E.g.:
Check digits: a check digit is usually a number included in an account number that is calculated from the other numbers in it
Control totals: for example, a batch total totalling the entries in the batch
Hash totals: a sum that is meaningless except for internal control purposes (e.g. the sum of customer account numbers)
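The three validation controls above, worked through in code. This is an added example and not part of the lecture slides; it assumes a weighted modulus-11 check digit of the ISBN-10 kind (the slides name no particular algorithm), and the account numbers, amounts and batch header below are constructed sample data. It shows which control catches which kind of input error: a transposed digit fails the check digit, a record keyed to the wrong account leaves the record count and control total intact and is caught only by the hash total, and a lost record disagrees with all three.

```python
"""Input controls: check digits, control totals and hash totals.

Added example, not from the slides. Assumed: an ISBN-10 style weighted
modulus-11 check digit; constructed sample batch data.
"""
from dataclasses import dataclass


def mod11_check_digit(base: str) -> str:
    """Weighted modulus-11 check digit for a string of decimal digits.

    Digits are weighted n+1, n, ..., 2 from left to right and the check
    digit brings the weighted sum to a multiple of 11; a value of 10 is
    written 'X' as ISBN-10 does. Position-dependent weights are what let
    the digit catch transposed digits, not just a single wrong digit.
    """
    if not base or not base.isdigit():
        raise ValueError("check digit base must be one or more decimal digits")
    weights = range(len(base) + 1, 1, -1)
    weighted_sum = sum(int(d) * w for d, w in zip(base, weights))
    check = (11 - weighted_sum % 11) % 11
    return "X" if check == 10 else str(check)


def valid_account_number(account: str) -> bool:
    """True if the last character is the correct check digit for the rest."""
    base, check = account[:-1], account[-1:]
    if not base or not base.isdigit():
        return False
    return mod11_check_digit(base) == check


@dataclass(frozen=True)
class Transaction:
    account: str  # account number including its check digit
    amount: int   # amount in cents


@dataclass(frozen=True)
class BatchHeader:
    """Totals keyed from the batch slip before the records are processed."""
    record_count: int
    control_total: int  # sum of amounts: a meaningful financial figure
    hash_total: int     # sum of account numbers: meaningless except as a control


def batch_header(transactions):
    """Compute the three batch controls over a list of transactions."""
    return BatchHeader(
        record_count=len(transactions),
        control_total=sum(t.amount for t in transactions),
        # account[:-1] drops the check digit, so an 'X' never reaches int()
        hash_total=sum(int(t.account[:-1]) for t in transactions),
    )


def validate_batch(header, transactions):
    """Return a list of control failures; an empty list means the batch passes."""
    problems = [f"check digit failure: {t.account}"
                for t in transactions if not valid_account_number(t.account)]
    if problems:
        return problems  # totals mean nothing until every record parses
    got = batch_header(transactions)
    if got.record_count != header.record_count:
        problems.append(f"record count {got.record_count} != {header.record_count}: "
                        "record lost or duplicated")
    if got.control_total != header.control_total:
        problems.append(f"control total {got.control_total} != {header.control_total}: "
                        "amount altered or record lost")
    if got.hash_total != header.hash_total:
        problems.append(f"hash total {got.hash_total} != {header.hash_total}: "
                        "record posted to the wrong account")
    return problems


# Constructed sample batch; every account number carries a valid check digit.
SAMPLE_BATCH = [
    Transaction("0306406152", 12_500),
    Transaction("123456789X", 4_999),   # check value 10 is written as X
    Transaction("5550001128", 80_000),
]
SAMPLE_HEADER = batch_header(SAMPLE_BATCH)  # normally keyed from the batch slip


def misposted_batch_problems():
    """First record keyed to a different valid account, same amount.

    Record count and control total still agree; only the hash total objects.
    """
    altered = [Transaction("1000000001", SAMPLE_BATCH[0].amount)] + SAMPLE_BATCH[1:]
    return validate_batch(SAMPLE_HEADER, altered)


def transposed_digits_problems():
    """Two adjacent digits of the first account swapped; the check digit fails."""
    altered = [Transaction("0306046152", SAMPLE_BATCH[0].amount)] + SAMPLE_BATCH[1:]
    return validate_batch(SAMPLE_HEADER, altered)


def dropped_record_problems():
    """Last record missing: all three controls disagree with the header."""
    return validate_batch(SAMPLE_HEADER, SAMPLE_BATCH[:-1])


if __name__ == "__main__":
    print("good batch:", validate_batch(SAMPLE_HEADER, SAMPLE_BATCH))
    print("misposted: ", misposted_batch_problems())
    print("transposed:", transposed_digits_problems())
    print("dropped:   ", dropped_record_problems())
```

The hash total is the control an auditor leans on when the figures look right: in the misposted case the batch balances to the penny, and only the sum of account numbers reveals that money went to the wrong ledger account.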
Processing controls
Processing controls should ensure the accuracy and completeness of processing. Programs should be subject to development controls and to rigorous testing. Periodic running of test data is also recommended.
Output controls
Output controls should ensure the accuracy, completeness and security of output. The following measures are possible:
Investigation and follow-up of error reports and exception reports
Batch controls to ensure all items are processed and returned
Controls over distribution/copying of output
Labeling of disks/tapes
Back-up controls
Back-up controls aim to maintain system and data integrity. A back-up and archive strategy should include:
Regular back-up of data (at least daily)
Archive plans
A disaster recovery plan, including off-site storage
Archiving
Archiving data is the process of moving data from primary storage, such as a hard disk, to tape or other portable media for long-term storage. If archived data is needed, it can be restored from the archived tape to a hard disk
Administrative controls
Personnel selection is important, as holders of posts such as computer security officer, database administrator and senior systems analyst must be trustworthy. Measures to control personnel:
Careful recruitment
Systems logs
Job rotation and enforced vacations
Review and supervision
Segregation of duties among data capture and data entry, systems analysis and programming
Audit trail
An audit trail shows who has accessed a system and the operations performed. A clear audit trail is needed to enable individual transactions to be traced, to provide support for general ledger balances, to prepare financial reports, to correct transaction errors or lost data, and to identify errors and detect frauds.
Contingency controls
A contingency is an unscheduled interruption of computing services that requires measures outside the day-to-day routine operating procedures. A contingency plan is necessary in case of a major disaster, or if some of the security measures discussed elsewhere fail.
General Controls
General controls concern the overall environment of transaction processing. They comprise the following:
the plan of data processing organization
general operating procedures
equipment control features
equipment and data-access controls
General Controls
A company designs general controls to ensure that its overall computer system is stable and well managed. The following are categories of general controls:
1 Developing a security plan
2 Segregation of duties within the systems function
3 Project development controls
4 Physical access controls
5 Logical access controls
6 Data storage controls
7 Data transmission controls
8 Documentation standards
9 Minimizing system downtime
10 Disaster recovery plans
11 Protection of personal computers and client/server networks
12 Internet controls
Application Controls
Application controls are specific to individual applications. Application controls pertain directly to the transaction processing systems. The objectives of application controls are to ensure that all transactions are legitimately authorized and accurately recorded, classified, processed, and reported
Application Controls
Application controls may also be classified as follows:
preventive
detective
corrective