290 likes | 1.17k Views
Chapter 10: Auditing the Expenditure Cycle. IT Auditing & Assurance, 2e, Hall & Singleton. PURCHASES: BATCH PROCESSING. Step 1: Data processing department – inventory control Purchasing Department Step 2: Data processing department – P.O. Receiving Department
E N D
Chapter 10:Auditing the Expenditure Cycle IT Auditing & Assurance, 2e, Hall & Singleton
PURCHASES: BATCH PROCESSING • Step 1: Data processing department – inventory control • Purchasing Department • Step 2: Data processing department – P.O. • Receiving Department • Step 3: Data processing department – batch update of inventory • Accounts Payable • Step 4: Data processing department – validates vendors
CASH DISBURSEMENT: BATCH PROCESSING • Step 5: Data processing department – scans for items due and prints checks for items received • Step 6: Cash disbursements department – reconciles checks, submits checks to management for signature • Step 7: Accounts payable – matches copies of checks with open vouchers, closes them and files documents • Concludes expenditure cycle
CASH DISBURSEMENT: REENGINEERED—FULLY AUTOMATED • Data processing steps performed automatically: • Inventory file scanned for items and reorder points • Purchase requisition record for all items needing replenishment • Consolidate requisitions by vendor • Retrieve vendor mailing information • P.O. prepared and sent to vendor (EDI) • Open P.O. record added for each transaction • List of P.O. sent to purchasing department
CASH DISBURSEMENT: REENGINEERED– FULLY AUTOMATED • Goods arrive at receiving department • Quantities received entered per item
CASH DISBURSEMENT: REENGINEERED—FULLY AUTOMATED • Data processing steps performed automatically: • Quantities keyed matched to open P.O. record • Receiving report file record added • Update inventory subsidiary records • G.L. inventory updated • Record removed from open P.O. file and added to open A.P. file, due date established
CASH DISBURSEMENT:REENGINEERED—FULLY AUTOMATED • Each day, due date filed of A.P. are scanned for items where payment is due
CASH DISBURSEMENT: REENGINEERED—FULLY AUTOMATED • Data processing steps performed automatically: • Checks are printed, signed and distributed to mailroom (unless EDI/EFT) • Payments are recorded in check register file • Items paid are transferred from open A.P. to closed A.P. file • G.L.- A.P. and cash accounts are updated • Appropriate reports are transmitted to A.P. and cash disbursements departments for review
CASH DISBURSEMENT:REENGINEERED—FULLY AUTOMATED • Control implications • General in nature • Similar to those of Chapter 9
BATCH AUTOMATED SYSTEM VS. MANUAL BATCH • Improved inventory control • Better cash management • Less time lag • Better purchasing time management • Reduction of paper documents
REENGINEERED SYSTEM VS.BATCH AUTOMATED SYSTEM • Segregation of duties • Accounting records and access controls
PAYROLL PROCEDURES • Drawbacks to using regular A.P. and cash disbursements systems to do payroll • General expenditure procedures that apply to all vendors will not apply to employees • Writing checks to employees requires special controls • General expenditure procedures are designed to accommodate relatively smooth flow of transactions
REENGINEERED PAYROLL SYSTEM • Often integrated with H.R. • Differs from previous automate system • Operations departments transmit transactions to D.P. electronically • Direct access to files are used for data storage • Many processes are now performed in real time
REENGINEERED PAYROLL SYSTEM • Personnel • Cost accounting • Timekeeping • Data processing • Labor costs are distributed to accounts • Online labor distribution summary • Online payroll register • Employee records are updated • Payroll checks are prepared and signed • Disbursement system generates check to fund the payroll imprest account • G.L. updated
EXPENDITURE CYCLE AUDIT OBJECTIVES • Input controls • Data validation controls • Testing validation controls • Batch controls • Testing batch controls • Purchases authorization controls • Testing purchases authorization controls • Employee authorization • Testing employee authorization procedures
EXPENDITURE CYCLE AUDIT OBJECTIVES • Process controls • File update controls • Sequence check control • Liability validation control • Valid vendor file • Testing file update controls • Access controls • Warehouse security • Moving assets promptly when received • Paying employees by check vs. cash • Risks • Employees with access to A.P. subsidiary file • Employees with access to attendance records • Employees with access to both cash and A.P. records • Employees with access to both inventory and inventory records • Testing access controls
EXPENDITURE CYCLE AUDIT OBJECTIVES • Process controls • Physical controls • Purchase system controls • Segregation of inventory control from warehouse • Segregation of G.L. and A.P. from cash disbursements • Supervision of receiving department • Inspection of assets • Theft of assets • Reconciliation of supporting documents: P.O., receiving report, supplier’s invoice • Payroll System controls • Verification of timecards • Supervision • Paymaster • Payroll imprest account • Testing of physical controls
EXPENDITURE CYCLE AUDIT OBJECTIVES • Process controls • Output controls • A.P. change report • Transaction logs • Transaction listing • Logs of automatic transactions • Unique transaction identifiers • Error listing • Testing output controls
EXPENDITURE CYCLE SUBSTANTIVE TESTS • Risks and audit concerns • Understanding data • Inventory file • Purchase order file • Purchase order line item file • Receiving report file • Disbursement voucher file • File preparation procedures
EXPENDITURE CYCLE SUBSTANTIVE TESTS • Testing accuracy and completeness assertions • Review disbursement vouchers for unusual trends and exceptions • Accurate invoice prices • Testing completeness, existence, rights and obligations assertions • Searching for unrecorded liabilities • Searching for unauthorized disbursement vouchers • Review of multiple checks to vendors • Auditing payroll and related records
Additional Cybercrime Info • The following slides are not in the text!
Incident Response Mandates Gramm-Leach-Bliley Financial Institutions must … • Establish incident response capability • Perform prompt and reasonable investigation when sensitive customer info is accessed • Notify customers if misuse of info has or is likely to occur
Incident Response Requirements ISO 17799 • ISO 17799 is international standard for IS best practices • Security framework must contain an effective incident response approach • In 2002, 22% companies with sales over $500 million had implemented ISO 17799 • Must collect information for three purposes … • Internal problem analysis • Use as evidence • Negotiation for compensation from software/service vendors
Incident Response Requirements ISO 17799 • Response procedures should cover … • Analysis and identification of cause of incident • Planning and implementation of remedies • Collection of audit trails and similar evidence • Communication with those affected or involved with recovery • Reporting the action to the appropriate authority
Best Practices • Imaging hard drive of employees who resign or are terminated (proactive) • Avoid “patch and proceed” response • Implement network forensics analysis with tools like EnCase • Focus on insider threats • Companies face increasing cyberliability claims stemming from security breaches
Chapter 10:Auditing the Expenditure Cycle IT Auditing & Assurance, 2e, Hall & Singleton