
12-03-2012

AUDITING

What does an auditor do?

What is AUDITING?

Auditing is the accumulation and evaluation of evidence about information to determine and report on the degree of correspondence between the information and established criteria.


Types of Audits

Definition of Internal Auditing

Several definitions:
- A systematic process of objectively obtaining and evaluating assertions about economic actions and events to ascertain the degree of correspondence between these assertions and established criteria, and communicating the results to interested users.
- An independent activity, established by management to examine and evaluate the organization's risk management processes and systems of control, and to make recommendations for the achievement of company objectives.

Two broad categories of audits
- Internal Audit
- External Audit

Internal Audit

An independent appraisal activity established within an organisation as a service to it. It is a control which functions by examining and evaluating the adequacy and effectiveness of other controls. The investigative techniques developed are applied to the analysis of the effectiveness of all parts of an entity's operations and management.

The need for internal audit
- The scale, diversity and complexity of the company's activities
- The number of employees
- Cost-benefit considerations
- Changes in the organizational structures, reporting processes or underlying information systems
- Changes in key risks
- Problems with internal control systems
- An increased number of unexplained or unacceptable events


Objectives of internal audit
- Review of the accounting and internal control systems
- Examination of financial and operating information
- Review of the economy, efficiency and effectiveness of operations
- Review of compliance with laws, regulations and other external requirements
- Review of the safeguarding of assets
- Review of the implementation of corporate objectives
- Identification of significant business and financial risks (risk management)
- Special investigations

Features of internal audit
- Independence
- Appraisal

Types of Audits
- Operational/management/efficiency/value for money audit: monitoring of management's performance at every level
- Systems audit: testing and evaluation of the internal controls
- Transactions audit
- Social audit
- Management investigations


Audit tests
- Compliance test
- Substantive test

Compliance Testing
Compliance tests are defined as those tests which seek to provide audit evidence both on the effectiveness of the controls and that internal control procedures are being applied as prescribed.

Compliance tests seek evidence that the internal controls are being applied as prescribed, e.g. an Internal Control Questionnaire.

Compliance Testing
Auditors test internal controls in order to establish whether they are operating effectively throughout the period under review. If controls are operating effectively, auditors can reduce the level of substantive testing on transactions and balances that would otherwise be required. In testing internal controls, auditors are checking to ensure that the stated control has been applied.

Compliance Testing Example
For example, auditors may check that there is a grid stamp on a sales invoice with various signatures inside it that show that the invoice has been approved by the credit controller, that it has been checked for arithmetical accuracy, that the price has been checked, and that it has been posted to the sales ledger. The signatures provide audit evidence that the control has been applied. Auditors are not checking to ensure that the invoice is, in fact, correct. This would be a substantive test. Nevertheless, it is possible to perform tests of control and substantive tests on the same document at the same time.


Substantive Testing
Substantive tests are defined as those tests of transactions and balances, and other procedures such as analytical review, which seek to provide audit evidence as to the completeness, accuracy and validity of the information contained in the accounting records or in the financial statements. Substantive tests are concerned with confirming the accuracy of the figures. They are used to discover errors and omissions. They include:
- the vouching of transactions, the checking of postings, the checking of casts and calculations
- the reconciliation of bank accounts and subsidiary ledgers
- the verification by appropriate means of all account balances
- analytical review of final account balances

Substantive Testing
- Search for unrecorded liabilities
- Confirm accounts receivable to ensure they are not overstated
- Determine the correct value of inventory, and ensure it is not overstated
- Determine the accuracy of accruals for expenses incurred but not yet invoiced (also revenues if appropriate)

Accountability
- IA is accountable to the Audit Committee and the BOD
- The auditor needs access to all parts of the organisation
- The auditor should be free to comment on the performance of management
- The auditor's report may need to be actioned at the highest level to ensure its effective implementation

Independence
- The auditor must be, and must be seen to be, independent
- Objectivity, probity and honesty
- The internal auditor should not install new procedures or systems, nor engage in any activity which he would normally appraise, as this might compromise his independence


Limitations of internal audit
- Independence
- Resources

External Audit
A periodic examination of the accounting records conducted by an independent third party, to assess whether they have been properly maintained, are accurate and comply with established principles, legislation and accounting standards. External auditors will attempt to establish whether the accounts give a true and fair view of the financial state of the organisation. External auditing can act as an additional preventative control measure.

INTERNAL VS EXTERNAL AUDIT

REASON
  Internal: Activity designed to add value and improve an organisation's operations
  External: To enable auditors to express an opinion on the financial statements

REPORTING TO
  Internal: BOD / people charged with governance, such as the Audit Committee
  External: To shareholders or members of the Co. on the truth and fairness of the accounts

RELATING TO
  Internal: Relates to the operations of the organisation
  External: Relates to the FS; concerned with the financial records that underlie these

RELATIONSHIP WITH THE CO.
  Internal: Often the employees; can be outsourced
  External: Independent of the Co. and its management; appointed by the shareholders

SCOPE (extent of work carried out)
  Internal: Laid down by management
  External: Determined by statute (Co. Act 1965)

AIM
  Internal: May have a number of aims, incl. internal control systems, management information systems and risk management
  External: Primarily interested in the truth and fairness of the accounts, and to express an opinion on his audit work


Security
If you love something, then you care about it and you protect it.
Security, in information management terms, means the protection of data from accidental or deliberate threats which might cause unauthorized modification, disclosure or destruction of data, and the protection of the information system from the degradation or non-availability of services.

IT systems security and safety

Security can be subdivided into a number of aspects:
- Prevention
- Detection
- Deterrence
- Recovery procedures
- Correction procedures
- Threat avoidance

Physical threats
Physical threats to security may be natural or man-made. They include:
- Fire: fire alarms to detect it, and fire extinguishers
- Water: waterproof ceilings
- Weather: some locations are vulnerable
- Lightning: UPS
- Terrorist activity
- Accidental damage


Physical Access Controls

How can physical access security be achieved?
- placing computer equipment in locked rooms and restricting access to authorized personnel
- having only one or two entrances to the computer room
- requiring proper employee ID
- requiring that visitors sign a log
- installing locks on PCs
- intruder alarms

Security controls
The protection of data from accidental or deliberate threats which might cause unauthorized modification, disclosure or destruction of data, and the protection of the information system from the degradation or non-availability of services. Risks to data include human error, technical error, natural disaster, fraud, commercial espionage, etc.

Integrity controls
Data integrity in the context of security is preserved when data is the same as in source documents and has not been accidentally or intentionally altered, destroyed or disclosed. Systems integrity refers to system operation conforming to the design specification despite attempts (deliberate or accidental) to make it behave incorrectly.

Input controls
- Input controls should ensure the accuracy, completeness and validity of input
- Data verification involves ensuring that data entered matches source documents
- Authorizations enforce management's policies with respect to transactions flowing into the general ledger system


Data validation involves ensuring that data entered is not incomplete or unreasonable. E.g.:
- Check digits: a check digit is usually a number included in an account number that is calculated from the other numbers in it
- Control totals: for example, a batch total totaling the entries in the batch
- Hash totals: a sum that is meaningless except for internal control purposes (e.g. the sum of customer account numbers)

Examples of Edit Tests (Programmed Checks)
- Validity Check (e.g., M = male, F = female)
- Limit Check (e.g., hours worked do not exceed 40 hours)
- Reasonableness Check (e.g., an increase in salary is reasonable compared to base salary)
- Field Check (e.g., numbers do not appear in fields reserved for words)
- Sequence Check (e.g., successive input data are in some prescribed order)
- Range Check (e.g., particular fields fall within specified ranges; pay rates for hourly employees in a firm should fall between $8 and $20)
- Relationship Check (logically related data elements are compatible; an employee rated as hourly gets paid at a rate within the range of $8 and $20)
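The data validation controls (check digits, control totals, hash totals) and the edit tests above, applied to one payroll input batch, as an added example that is not part of the original slides. The Luhn (mod-10) check-digit scheme, the record layout, the batch totals and the sample records are assumptions made for illustration.

```python
# Added example (not from the slides): data validation and programmed edit tests
# for an hourly-payroll input batch. The Luhn (mod-10) check digit, the record
# layout, the batch totals and the sample records are assumptions.

def luhn_check_digit(body: str) -> str:
    """Check digit computed (mod 10) from the other digits of an account number."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def account_number_valid(acct: str) -> bool:
    """Check-digit test: the last digit must equal the digit computed from the rest."""
    return acct.isdigit() and len(acct) > 1 and acct[-1] == luhn_check_digit(acct[:-1])

def edit_tests(rec: dict) -> list:
    """Programmed checks on one record; returns the names of the checks that failed."""
    checks = [
        ("check digit", lambda r: account_number_valid(r["account"])),
        ("validity", lambda r: r["sex"] in ("M", "F")),                       # validity check
        ("field", lambda r: isinstance(r["hours"], (int, float))),            # field check: hours numeric
        ("limit", lambda r: not isinstance(r["hours"], (int, float)) or r["hours"] <= 40),
        ("range", lambda r: r["pay_type"] != "H" or 8 <= r["rate"] <= 20),    # hourly rates $8-$20
        ("relationship", lambda r: r["pay_type"] != "S" or not r["hours"]),   # assumed: salaried staff log no hours
    ]
    return [name for name, ok in checks if not ok(rec)]

def validate_batch(records: list, control_total: float, hash_total: int) -> dict:
    """Batch-level checks: account sequence, control total of hours, hash total of accounts."""
    errors = {i: failed for i, r in enumerate(records) if (failed := edit_tests(r))}
    accounts = [r["account"] for r in records]
    hours = sum(r["hours"] for r in records if isinstance(r["hours"], (int, float)))
    batch_checks = [
        ("sequence", accounts == sorted(accounts)),              # sequence check: records in account order
        ("control total", hours == control_total),               # control total: a meaningful sum (hours)
        ("hash total", sum(map(int, accounts)) == hash_total),   # hash total: meaningless sum of account numbers
    ]
    failed = [name for name, ok in batch_checks if not ok]
    if failed:
        errors["batch"] = failed
    return errors

# Constructed sample batch: the first record is clean, the second fails several checks.
BATCH = [
    {"account": "79927398713", "sex": "F", "hours": 38, "rate": 12.5, "pay_type": "H"},
    {"account": "79927398714", "sex": "X", "hours": 45, "rate": 25.0, "pay_type": "H"},
]
```

Calling validate_batch(BATCH, 83, 159854797427) reports only the record-level failures of the second record; passing a wrong control or hash total, or records out of account order, adds the corresponding batch-level failures.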

Processing controls
Processing controls should ensure the accuracy and completeness of processing. Programs should be subject to development controls and to rigorous testing. Periodic running of test data is also recommended.

Examples of Processing Controls
- Manual cross-checks: include checking the work of another employee, reconciliations and acknowledgments
- File and program changes: to ensure that transactions are posted to the proper account, master files should be checked for correctness and programs should be validated


Output controls
Output controls should ensure the accuracy, completeness and security of output. The following measures are possible:
- Investigation and follow-up of error reports and exception reports
- Batch controls to ensure all items are processed and returned
- Controls over distribution/copying of output
- Labeling of disks/tapes

Examples of Asset Accountability Controls
- Subsidiary ledgers provide a cross-check on the accuracy of a control account (e.g. Debtors Ledger)
- Reconciliations compare values that have been computed independently (e.g. Debtors Ledger against the Debtors control A/C in the GL)
- Acknowledgment procedures transfer accountability for goods to a certain person
- Logs and registers help account for the status and use of assets
- Reviews and reassessments are used to re-evaluate measured asset values

Back-up controls
Back-up controls aim to maintain system and data integrity. A back-up and archive strategy should include:
- Regular back-up of data (at least daily)
- Archive plans
- A disaster recovery plan, including off-site storage

Archiving
Archiving data is the process of moving data from primary storage, such as a hard disk, to tape or other portable media for long-term storage. If archived data is needed, it can be restored from the archive tape to a hard disk.


Passwords and logical access systems
A password is a set of characters which may be allocated to a person, a terminal or a facility, and which is required to be keyed into the system before further access is permitted. A logical access system can prevent access to data and program files by measures such as:
- identification of the user
- checks on user authority
- authentication of user identity

Administrative controls
Personnel selection is important, as the holders of posts such as computer security officer, database administrator and senior systems analyst must be trustworthy. Measures to control personnel:
- Careful recruitment
- Systems logs
- Job rotation and enforced vacations
- Review and supervision
- Segregation of duties among data capture and data entry, systems analysis and programming

Audit trail
An audit trail shows who has accessed a system and the operations performed. A clear audit trail is needed to enable individual transactions to be traced, to provide support for general ledger balances, to prepare financial reports, to correct transaction errors or lost data, and to identify errors and detect frauds.

Systems integrity with a PC
- Password protection
- Use additional passwords for important files
- Physical access controls, for example door locks activated by swipe cards or PIN numbers, to prevent access to the room(s) where the computers are kept


Systems integrity with a LAN and WAN
- Viruses: the network must be protected with anti-virus software
- Dedicated land lines for data transfer and encryption software may be required (WAN)

Contingency controls
A contingency is an unscheduled interruption of computing services that requires measures outside the day-to-day routine operating procedures. A contingency plan is necessary in case of a major disaster, or if some of the security measures discussed elsewhere fail.

Disaster Recovery Plan
Every organization should have a disaster recovery plan so that data processing capacity can be restored as smoothly and quickly as possible in the event of a major disaster. What are the objectives of a recovery plan?
1. Minimize the extent of the disruption, damage, and loss.
2. Temporarily establish an alternative means of processing information.
3. Resume normal operations as soon as possible.
4. Train and familiarize personnel with emergency operations.

General Controls
General controls concern the overall environment of transaction processing. They comprise the following:
- the plan of data processing organization
- general operating procedures
- equipment control features
- equipment and data-access controls

General Controls
A company designs general controls to ensure that its overall computer system is stable and well managed. The following are categories of general controls:
1. Developing a security plan
2. Segregation of duties within the systems function
3. Project development controls
4. Physical access controls
5. Logical access controls
6. Data storage controls
7. Data transmission controls
8. Documentation standards
9. Minimizing system downtime
10. Disaster recovery plans
11. Protection of personal computers and client/server networks
12. Internet controls

Application Controls
Application controls are specific to individual applications. They pertain directly to the transaction processing systems. The objectives of application controls are to ensure that all transactions are legitimately authorized and accurately recorded, classified, processed, and reported.

Application Controls
Application controls may also be classified as follows:
- preventive
- detective
- corrective

Application controls are categorized as follows:
- input
- processing
- output

General vs Application Controls
A company designs general controls to ensure that its overall computer system is stable and well managed. Application controls prevent, detect and correct errors in transactions as they flow through the various stages of a specific data processing program.
