QG-to-Auditing-in-an-IT-Environment.pdf

September 10, 2017 | Author: Htennek Shipuden | Category: Audit, Financial Statement, Internal Audit, Databases, Information System

QUICK GUIDE TO AUDITING IN AN IT ENVIRONMENT using SAP Business One

TABLE OF CONTENTS

Chapter 1: Introduction to Information Technology Audit
- What is an IT Audit?
- Basic Components of an Audit
- Overview of the 3 Phases of IT Audit

Chapter 2: Test of Controls
- Objectives of Internal Control
- Modifying Assumptions
- Five Components of Internal Control
  a. Control Environment
  b. Risk Assessment
  c. Information and Communication
  d. Monitoring
  e. Control Activities
     - Physical Controls
     - Computer Controls
- Testing Computer Application Controls
- Five CAATT Approaches to Test Application Controls

Chapter 3: Substantive Tests
- Substantive Tests of Revenue Cycle
- Substantive Tests of Expenditure Cycle
- Substantive Tests of Other Financial Statement Accounts

CHAPTER 1: INTRODUCTION TO INFORMATION TECHNOLOGY AUDIT

What is an Information Technology (IT) Audit?

Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria and communicating the results to interested users.

BASIC COMPONENTS OF AN AUDIT

SYSTEMATIC PROCESS
Conducting an audit is a systematic and logical process that applies to all forms of information systems. While important in all audit settings, a systematic approach is particularly important in the IT environment. The lack of physical procedures that can be visually verified and evaluated injects a high degree of complexity into the IT audit. Therefore, a logical framework for conducting an audit in the IT environment is critical to help the auditor identify all important processes and data files.

MANAGEMENT ASSERTIONS AND AUDIT OBJECTIVES
The organization’s financial statements reflect a set of management assertions about the financial health of the entity. The task of the auditor is to determine whether the financial statements are fairly presented. To accomplish this, the auditor establishes audit objectives, designs procedures, and gathers evidence that corroborates or refutes management’s assertions. These assertions fall into five general categories:

1. Existence or Occurrence assertion - affirms that all assets and equities contained in the balance sheet exist and that all transactions in the income statement actually occurred.
2. Completeness assertion - declares that no material assets, equities, or transactions have been omitted from the financial statements.
3. Rights and Obligations assertion - maintains that assets appearing on the balance sheet are owned by the entity and that the liabilities reported are obligations.
4. Valuation or Allocation assertion - states that assets and equities are valued in accordance with generally accepted accounting principles and that allocated amounts such as depreciation expense are calculated on a systematic and rational basis.
5. Presentation and Disclosure assertion - alleges that financial statement items are correctly classified (e.g., long-term liabilities will not mature within one year) and that footnote disclosures are adequate to avoid misleading the users of financial statements.


An IT audit focuses on the computer-based aspects of an organization’s information system. This includes assessing the proper implementation, operation, and control of computer resources. Since most modern information systems employ information technology, the IT audit is typically a significant component of all external (financial) and internal audits.

Generally, auditors develop their audit objectives and design audit procedures based on the preceding assertions. Audit objectives may be classified into two general categories. The first category covers the preceding assertions, which relate to transactions and account balances that directly impact financial reporting. The second category pertains to the information system itself. This includes the audit objectives for assessing controls over manual operations and computer technologies used in transaction processing.


OBTAINING EVIDENCE
Auditors seek evidential matter that corroborates management assertions. In the IT environment, this process involves gathering evidence relating to the reliability of computer controls as well as the contents of databases that have been processed by computer programs. Evidence is collected by performing tests of controls, which establish whether internal controls are functioning properly, and substantive tests, which determine whether accounting databases fairly reflect the organization’s transactions and account balances.


ASCERTAINING MATERIALITY
The auditor must determine whether weaknesses in internal controls and misstatements found in transactions and account balances are material. In all audit environments, assessing materiality is an auditor judgment. In an IT environment, however, this decision is complicated further by technology and a sophisticated internal control structure.

COMMUNICATING RESULTS
Auditors must communicate the results of their tests to interested users. An independent auditor renders a report to the audit committee of the board of directors or stockholders of a company. The audit report contains, among other things, an audit opinion. This opinion is distributed along with the financial report to interested parties both internal and external to the organization. IT auditors often communicate their findings to internal and external auditors, who can then integrate these findings with the non-IT aspects of the audit.

OVERVIEW OF THE 3 PHASES OF IT AUDIT
The IT audit is generally divided into three phases: audit planning, tests of controls, and substantive testing.

1. AUDIT PLANNING
The first step in the IT audit is audit planning. Before the auditor can determine the nature and extent of the tests to perform, he or she must gain a thorough understanding of the client’s business. A major part of this phase of the audit is the analysis of audit risk. The objective of the auditor is to obtain sufficient information about the firm to plan the other phases of the audit. The risk analysis incorporates an overview of the organization’s internal controls. During the review of controls, the auditor attempts to understand the organization’s policies, practices, and structure. In this phase of the audit, the auditor also identifies the financially significant applications and attempts to understand the controls over the primary transactions that are processed by these applications.

The techniques for gathering evidence at this phase include questionnaires, interviewing management, reviewing systems documentation, and observing activities. During this process, the IT auditor must identify the principal exposures and the controls that attempt to reduce these exposures. Having done so, the auditor proceeds to the next phase, where he or she tests the controls for compliance with pre-established standards.

2. TESTS OF CONTROLS
The objective of the tests of controls phase is to determine whether adequate internal controls are in place and functioning properly. To accomplish this, the auditor performs various tests of controls. The evidence gathering techniques used in this phase may include both manual techniques and specialized computer audit techniques. At the conclusion of the tests-of-controls phase, the auditor must assess the quality of internal controls. The degree of reliance the auditor can ascribe to internal controls affects the nature and extent of substantive testing that needs to be performed. The relationship between tests of controls and substantive tests is discussed later.

3. SUBSTANTIVE TESTING
The third phase of the audit process focuses on financial data. This involves a detailed investigation of specific account balances and transactions through what are called substantive tests. For example, a customer confirmation is a substantive test sometimes used to verify account balances. The auditor selects a sample of accounts receivable balances and traces these back to their source – the customers – to determine if the amount stated is in fact owed by a bona fide customer. By so doing, the auditor can verify the accuracy of each account in the sample. Based on such sample findings, the auditor is able to draw conclusions about the fair value of the entire accounts receivable asset.

Some substantive tests are physical, labor-intensive activities such as counting cash, counting inventories in the warehouse, and verifying the existence of stock certificates in a safe. In an IT environment, the information needed to perform substantive tests (such as account balances and names and addresses of individual customers) is contained in data files that often must be extracted using Computer Assisted Audit Tools and Techniques (CAATTs) software.


CHAPTER 2: TEST OF CONTROLS

What is an Internal Control System?

OBJECTIVES OF INTERNAL CONTROL
The internal control system comprises policies, practices, and procedures employed by the organization to achieve four broad objectives:

1. To safeguard assets of the firm.
2. To ensure accuracy and reliability of accounting records and information.
3. To promote efficiency in the firm’s operations.
4. To measure compliance with management’s prescribed policies and procedures.

The internal control system serves as a shield that protects the firm’s assets from numerous undesirable events that bombard the organization. These include attempts at unauthorized access to the firm’s assets (including information), fraud perpetrated by persons both in and outside the firm, errors due to employee incompetence, faulty computer programs, and corrupted input data, and mischievous acts such as unauthorized access by computer hackers and threats from computer viruses that destroy programs and databases.

A weakness in internal control may expose the firm to one or more of the following types of risks:

1. Destruction of assets (both physical assets and information)
2. Theft of assets
3. Corruption of information or the information system
4. Disruption of the information system

MODIFYING ASSUMPTIONS
Inherent in these control objectives are four modifying assumptions that guide designers and auditors of internal control systems.

1. Management Responsibility
This concept holds that the establishment and maintenance of a system of internal control is a management responsibility.

2. Reasonable Assurance
The internal control system should provide reasonable assurance that the four broad objectives of internal control are met. This means that no system of internal control is perfect and the cost of achieving improved control should not outweigh its benefits.

3. Methods of Data Processing
The internal control system should achieve the four broad objectives regardless of the data processing method used. However, the techniques used to achieve these objectives will vary with different types of technology.

4. Limitations
Every system of internal control has limitations on its effectiveness. These include (1) the possibility of error – no system is perfect, (2) circumvention – personnel may circumvent the system through collusion or other means, (3) management override – management is in a position to override control procedures by personally distorting transactions or by directing a subordinate to do so, and (4) changing conditions – conditions may change over time so that existing controls may become ineffectual.

FIVE COMPONENTS OF INTERNAL CONTROL

RISK ASSESSMENT
Organizations must perform a risk assessment to identify, analyze, and manage risks relevant to financial reporting. Risks can arise out of changes in circumstances such as:

- Changes in the operating environment that impose new competitive pressures on the firm.
- New personnel who possess a different or inadequate understanding of internal control.
- New or reengineered information systems that affect transaction processing.
- Significant or rapid growth that strains existing internal controls.
- The implementation of new technology into the production process or information system that impacts transaction processing.

INFORMATION AND COMMUNICATION
The accounting information system consists of the records and methods used to initiate, identify, analyze, classify, and record the organization’s transactions and to account for the related assets and liabilities. The quality of information generated by the AIS impacts management’s ability to take actions and make decisions in connection with the organization’s operations and to prepare reliable financial statements. An effective accounting system will:

- Identify and record all valid financial transactions.
- Provide timely information about transactions in sufficient detail to permit proper classification and financial reporting.
- Accurately measure the financial value of transactions so their effects can be recorded in financial statements.
- Accurately record transactions in the time period in which they occurred.

SAS 78 requires that auditors obtain sufficient knowledge of the organization’s information system to understand:

- The classes of transactions that are material to the financial statements and how those transactions are initiated.
- The accounting records and accounts that are used in the processing of material transactions.
- The transaction processing steps involved from the initiation of an economic event to its inclusion in the financial statements.
- The financial reporting process used to prepare financial statements, disclosures, and accounting estimates.

CONTROL ENVIRONMENT
The control environment is the foundation for the other four control components. The control environment sets the tone for the organization and influences the control awareness of its management and employees.

MONITORING
Management must determine that internal controls are functioning as intended. Monitoring is the process by which the quality of internal control design and operation can be assessed. This may be accomplished by separate procedures or by ongoing activities.

An organization’s internal auditors may monitor the entity’s activities in separate procedures. They gather evidence of control adequacy by testing controls, and then communicate control strengths and weaknesses to management. As part of this process, internal auditors make specific recommendations for improvement to controls.

Ongoing monitoring may be achieved by integrating special computer modules into the information system that capture key data and/or permit tests of controls to be conducted as part of routine operations. Another technique for achieving ongoing monitoring is the judicious use of management reports. Timely reports allow managers in functional areas such as sales, purchasing, production, and cash disbursements to oversee and control their operations. By summarizing activities, highlighting trends, and identifying exceptions from formal performance, well-designed management reports provide evidence of internal control function or malfunction.

CONTROL ACTIVITIES
Control activities are the policies and procedures used to ensure that appropriate actions are taken to deal with the organization’s identified risks. Control activities can be grouped into two distinct categories: computer controls and physical controls.

Physical Controls
This class of control activities relates primarily to traditional accounting systems that employ manual procedures. However, an understanding of these control concepts also gives insights into the risks and control concerns associated with the IT environment. There are six traditional categories of Physical Control Activities.

1. Transaction Authorization
The purpose of transaction authorization is to ensure that all material transactions processed by the information system are valid and in accordance with management’s objectives. Authorizations may be general or specific. General authority is granted to operations personnel to perform day-to-day operations. An example of general authorization is the procedure to authorize the purchase of inventories from a designated vendor only when inventory levels fall to their predetermined reorder points. This is called a programmed procedure (not necessarily in the computer sense of the word). The decision rules are specified in advance, and no additional approvals are required. On the other hand, specific authorizations deal with case-by-case decisions associated with non-routine transactions. An example of this is the decision to extend a particular customer’s credit limit beyond the normal amount. Specific authority is usually a management responsibility.


EXERCISE 1: Transaction Authorization
Perform transaction with a programmed procedure

a. Open SAP Business One
- On the desktop, double-click SAP Business One.
- Click the ‘Change Company’ then on the Choose Company window, click the RU Laptops, Co. Enter the User ID: Lukas Password: 1234
Note: Use the user account of Lukas Ibarra to have the proper authorizations for the transaction to be made.

b. Create a Sales Order
- Navigate to Sales – A/R Module > Sales Order.
- In the Customer field, choose C1100 Jacob Electronics.
- Click the Logistics Tab, then check the box for Procurement Document by clicking it.
- Type the current date in the delivery date. Posting date is at its default which is the system date.
- Click the Contents Tab. Add Item S1000 in the Item Field with the Quantity of 20.
- Press Enter. Item Availability Check window will appear as shown below. Choose Continue and click OK.
- Click Cancel to cancel the document.

The Item Availability Check is a programmed procedure to ensure that proper action will be performed regarding sales orders on items that could not be available at the moment.

EXERCISE 2: Transaction Authorization
Perform transaction with specific authorizations. You found out in the Company policies that no Purchase Order amounting to more than P200,000 shall be allowed to be posted without the approval of the manager first. Test this kind of control in the system.


a. Log in to the account of Karla Sy to have the proper authorizations for the transaction to be made. Go to Administration > Choose Company > Change User > User ID: Karla then Password: 1234

b. Create a Purchase Order that will qualify for the Approval Procedure
- Navigate to Purchasing – A/P Module > Purchase Order.
- In the Vendor field, choose V1000 Laptop Queen Philippines, Inc.
- Dates are defaults which are the system date.
- In the Contents Tab, add Item S1000 in the Item Field with the Quantity of 10. Enter Unit Price of P22,000.00 then click Add. Total amount of Purchase Order should be Php246,400 which should trigger the approval procedure.
- Cancel the document.

2. Segregation of Duties
One of the most important control activities is the segregation of employee duties to minimize incompatible functions. Segregation of duties can take many forms, depending upon the specific duties to be controlled. However, the following three objectives provide general guidelines applicable to most organizations.

Objective 1
The segregation of duties should be such that the authorization for a transaction is separate from the processing of the transaction. For example, purchases should not be initiated by the purchasing department until authorized by the inventory control department. This separation of tasks is a control to prevent the purchase of unnecessary inventory by individuals.

Objective 2
Responsibility for the custody of assets should be separate from the recordkeeping responsibility. For example, the department that has physical custody of finished goods inventory (the warehouse) should not keep the official inventory records. Accounting for finished goods inventory is performed by inventory control, an accounting function. When a single individual or department has responsibility for both asset custody and recordkeeping, the potential for fraud exists. Assets can be stolen or lost, and the accounting records falsified to hide the event.

Objective 3
The organization should be structured so that a successful fraud requires collusion between two or more individuals with incompatible responsibilities. In other words, no single individual should have sufficient access to assets and supporting records to perpetrate a fraud.

Implementing adequate segregation of duties requires that a firm employ a sufficiently large number of employees. Achieving adequate segregation of duties often presents difficulties for small organizations. Obviously, it is impossible to separate five incompatible tasks among three employees. Therefore, in small organizations or in functional areas that lack sufficient personnel, management must compensate for the absence of segregation controls with close supervision. For this reason, supervision is often called a compensating control.

EXERCISE 3: Segregation of Duties
Business Process Segregation. Upon reading the Organization Chart, you found out that Lukas Ibarra is designated as a Sales Officer so he should be able to work on the documents that are related to Sales. For other documents, such as those relating to Purchasing, he should not have authorization to open them. Test the segregation of duties as defined in the Authorization Table.

a. Log in to the account of manager to view the authorizations made for Lukas Ibarra. Go to Administration > Choose Company > Change User > User ID: manager then Password: 1234

b. View the authorizations of Lukas Ibarra. Go to Administration > System Initialization > Authorizations > General Authorizations > Choose Lukas. You can see that he has Full Authorization in Sales – A/R but No Authorization in Purchasing A/P.


c. Test the Segregation of Duties by checking if the Authorizations are functioning properly.
- Log in to Lukas account. Go to Administration > Choose Company > Change User > User ID: Lukas then Password: 1234
- Open Sales Order. Since he has authorization for Sales – A/R, he should be able to open it. Go to Sales – A/R > Sales Order
- Open Purchase Order. Since he has no authorization for Purchasing – A/P, he should not be permitted to open it. Go to Purchasing – A/P > Purchase Order (Note: If Purchase Order and other documents in the Purchasing – A/P module are not visible, click the Form Settings tool in the Toolbar. Then set the documents in the Purchasing A/P as visible.)
- Test further the other users based on their authorizations, follow same procedures.
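
The same test of controls can be run over the whole authorization table instead of one user at a time. The following is an added example, not part of the guide or of SAP Business One: the user rows other than Lukas, the "Read Only" level, the `temp01` account and the incompatible module pair are assumptions made for illustration.

```python
"""Segregation-of-duties review over an exported authorization table (added example)."""

# Rank the levels so "more access than expected" can be compared.
LEVEL_RANK = {"No Authorization": 0, "Read Only": 1, "Full Authorization": 2}
NONE = "No Authorization"

# Expected access, as the auditor derives it from the organization chart.
# Lukas follows Exercise 3; every other row is an assumption for illustration.
EXPECTED = {
    "Lukas": {"Sales - A/R": "Full Authorization"},
    "Karla": {"Purchasing - A/P": "Full Authorization"},
    "Tomas": {"Banking": "Full Authorization"},  # hypothetical cashier
}

# Constructed sample of what the General Authorizations window shows per user.
ACTUAL = {
    "Lukas": {"Sales - A/R": "Full Authorization", "Purchasing - A/P": NONE},
    "Karla": {"Purchasing - A/P": "Full Authorization", "Banking": "Full Authorization"},
    "Tomas": {"Banking": "Full Authorization", "Sales - A/R": "Read Only"},
    "temp01": {"Sales - A/R": "Read Only"},  # account that is not on the organization chart
}

# Module pairs one person should not hold together (assumed pairing:
# ordering goods and paying for them).
INCOMPATIBLE_PAIRS = [("Purchasing - A/P", "Banking")]


def rank(level):
    """Translate a level name to its rank, rejecting values the review does not know."""
    if level not in LEVEL_RANK:
        raise ValueError(f"unknown authorization level: {level!r}")
    return LEVEL_RANK[level]


def excess_authorizations(expected, actual):
    """Return (user, module, expected_level, actual_level) where access exceeds the chart.

    A user or module missing from `expected` is treated as "No Authorization",
    so undocumented accounts are reported for any access they hold.
    """
    findings = []
    for user in sorted(actual):
        for module, level in sorted(actual[user].items()):
            allowed = expected.get(user, {}).get(module, NONE)
            if rank(level) > rank(allowed):
                findings.append((user, module, allowed, level))
    return findings


def incompatible_holdings(actual, pairs, min_level="Full Authorization"):
    """Return (user, module_a, module_b) for users holding both modules of a pair."""
    findings = []
    for user in sorted(actual):
        granted = actual[user]
        for a, b in pairs:
            if all(rank(granted.get(m, NONE)) >= rank(min_level) for m in (a, b)):
                findings.append((user, a, b))
    return findings


if __name__ == "__main__":
    for finding in excess_authorizations(EXPECTED, ACTUAL):
        print("excess access:", finding)
    for finding in incompatible_holdings(ACTUAL, INCOMPATIBLE_PAIRS):
        print("incompatible duties:", finding)
```

Each finding is a lead for the manual step in the exercise: log in as that user and confirm whether the document actually opens.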

3. Supervision
Implementing adequate segregation of duties requires that a firm employ a sufficiently large number of employees. Achieving adequate segregation of duties often presents difficulties for small organizations. Obviously, it is impossible to separate five incompatible tasks among three employees. Therefore, in small organizations or in functional areas that lack sufficient personnel, management must compensate for the absence of segregation controls with close supervision. For this reason, supervision is often called a compensating control.

4. Accounting Records
The traditional accounting records of an organization consist of source documents, journals, and ledgers. These records capture the economic essence of transactions and provide an audit trail of economic events. The audit trail enables the auditor to trace any transaction through all phases of its processing from the initiation of the event to the financial statements.

EXERCISE 4: Accounting Records
Identify which documents in SAP Business One can give a simple audit trail. Log in to Auditor’s account: User Name: Auditor Password: 1234

a. View document trail on marketing documents.
- Open a closed A/R Invoice. Go to Sales – A/R > A/R Invoice > Switch to Find Mode by pressing Ctrl + F > Type 28 on the No. field then press Enter.
- On the Remarks Field, you can see the base documents related to the A/R Invoice.
- Another way is to view the relationship map. Right click on any blank part of the A/R Invoice then choose relationship map.
- You can double click on any document in the relationship map to view the actual document.


b. View a list of all transactions posted in SAP Business One or generate transaction log.
- Open a document – A/R Invoice for example. Go to Sales – A/R > A/R Invoice
- In the toolbar, click the Transaction Journal tool.
- Choose All Transactions in the Original Journal field then set the posting date from 01.01.13 to 12.31.13. This is to show all the transaction journal records for the whole fiscal year 2013 that could be used for analysis.


c. Plot SAP Business One to the Accounting Cycle (Still using Auditor’s Account)

Accounting Cycle step and where to find it in SAP Business One:

1. Journal
   General Journal
   - Generate Transaction Journal Report (See Previous Step but change the Original Journal criteria to Journal Entry to view only the manual journal entries made.)
   Special Journals
   a. Sales Journal: Sales – A/R
   b. Purchases Journal: Purchasing – A/P
   c. Cash/Check Receipts: Banking – Incoming
   d. Cash/Check Disbursements: Banking – Outgoing

2. Ledger
   General Ledger
   Financials > Financial Reports > Accounting > General Ledger
   - Uncheck the Business Partner Checkbox then check the Accounts Checkbox to show only General Ledger Accounts
   - Mark ‘X’ the accounts
   - Change the Posting Date range ‘From 01.01.13’ ‘To 12.31.13’
   - Then Click ‘OK’ to show the General Ledger
   Subsidiary Ledger
   Financials > Financial Reports > Accounting > General Ledger
   - Check the Business Partner Checkbox then uncheck the Accounts Checkbox to show only Subsidiary Accounts
   - To view a particular SL, change the BP Code ‘From C1100’ and ‘To C1100’
   - Change the Posting Date range ‘From 01.01.13’ ‘To 12.31.13’
   - Then Click ‘OK’ to show the Subsidiary Ledger for this Business Partner

3. Trial Balance
   Financials > Financial Report > Financial > Trial Balance (Note: Do the same process with General Ledger)

4. Adjusting Entries
   Financials > Journal Entry > Click Adjustment Box (Note: The process given is how to create Adjusting Entries)

5. Financial Statements
   Financials > Financial Report > Financial > Profit & Loss or Balance Sheet (Note: Just change to desired period then click OK)

6. Closing Entries
   Administration > Utilities > Period End Closing (Note: The process given is how to create closing entries. Use manager account to view this)

7. Post-Closing Trial Balance
   Financials > Financial Report > Financial > Trial Balance > Check Add Closing Balances

8. Reversing Entries
   Financials > Journal Entry > Click Reversal Box (Note: The process given is how to create Reversing Entries)

5. Access Controls
The purpose of access controls is to ensure that only authorized personnel have access to the firm’s assets. Unauthorized access exposes assets to misappropriation, damage, and theft. Therefore, access controls play an important part in safeguarding assets. Access to assets can be direct or indirect. Physical security devices, such as locks, safes, fences, and electronic and infrared alarm systems, control against direct access. Indirect access to assets is achieved by gaining access to the records and documents that control their use, ownership, and disposition.

6. Independent Verification
Verification procedures are independent checks of the accounting system to identify errors and misrepresentations. Verification differs from supervision because it takes place after the act, by an individual who is not directly involved with the transaction or task being verified. Examples of independent verifications include:
- Comparing physical assets with accounting records.
- Reconciling subsidiary accounts with control accounts.

Computer Controls
Computer controls constitute a body of material that is of primary concern to us. These controls, which relate specifically to the IT environment and IT auditing, fall into two broad groups: general controls and application controls.

General Controls
General controls pertain to entity-wide concerns such as controls over the data center, organization databases, systems development, and program maintenance.

EXERCISE 5: General Controls
Gain experience in viewing an actual database in a database management system. This can be exemplified using the SQL Server Management Studio Express.

1. Open SQL Server Management Studio Express
From your desktop, click the start button, choose All Programs then navigate to SQL Server Management Studio Express. Ask for assistance from your IT personnel if you cannot find it. It should look like the one below. On the left side under the databases folder, you can see a list. For database management purposes, a new database can be added and an existing database can be deleted. For internal control purposes, this function should only be given to the database administrator.


2. Perform database backup and store it in another storage device

a. Click Start Button (lower leftmost corner of the screen)

b. Click All Programs > Microsoft SQL Server 2005 > SQL Server Management Studio Express

c. Click Connect
Note: If connection is unsuccessful, call the attention of your technical support to put in the correct Server Type and Server Name.


d. Click + before the Databases to expand and view all databases > Right Click on the database that you want to back up > Click Tasks > Click Backup.

e. Click OK when Backup Database window appears. Take note of the default location of the backup. See example below (c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Backup\)


f. Retrieve the backup database. Go to Start > Computer > Local Disk (C:) > Program Files > Microsoft SQL Server > MSSQL.1 > MSSQL > Backup

g. Copy the backup file with an extension file of .bak and save it to another storage device.

3. Perform Database Restore

a. Follow steps a, b and c, in Number 2.

b. Right-click + before the Databases > Click Restore Database and a new window Restore Database will appear.

c. Type in the field ‘To database:’ your new database name (in the example below it is Sample).

d. Click ‘From device:’ and the button. A new window Specify Backup will appear. Click Add Button and locate your backup file. Click Ok. Click Ok.

e. Click box under Restore. Click OK to execute restoration.

f. To check, expand Databases and view the restored database.

g. Refresh databases in SAP B1 to view the restored database by double-clicking the SAP B1 shortcut from your desktop. Click the Change Company button. In the Choose Company screen, click Refresh.

22

23

QUICK GUIDE TO AUDITING IN AN IT ENVIRONMENT using SAP Business One

24 QUICK GUIDE TO AUDITING IN AN IT ENVIRONMENT using SAP Business One

Application Controls
Application controls are programmed procedures designed to deal with potential exposures that threaten specific applications, such as payroll, purchases, and cash disbursements systems. Application controls fall into three broad categories: input controls, processing controls, and output controls.

Input Controls
The data collection component of the information system is responsible for bringing data into the system for processing. Input controls at this stage are designed to ensure that these transactions are valid, accurate, and complete. Data input procedures can be either source document-triggered or direct input.

Source document input requires human involvement and is prone to clerical errors. Some types of errors that are entered on the source documents cannot be detected and corrected during the data input stage. Dealing with these problems may require tracing the transaction back to its source (such as contacting the customer) to correct the mistake. Direct input, on the other hand, employs real-time editing techniques to identify and correct errors immediately, thus significantly reducing the number of errors that enter the system.

Classes of Input Control
- Source document controls
- Data coding controls
- Batch controls
- Validation controls
- Input error correction
These control classes are not mutually exclusive divisions. Some control techniques that we shall examine could fit logically into more than one class.

Source Document Controls
Source document fraud can be used to remove assets from the organization. To control this type of exposure, the organization must implement control procedures over source documents to account for each document, as described below:
a. Use of pre-numbered source documents
b. Use of source documents in sequence
c. Periodically audit source documents

EXERCISE 6: Source Document Controls
- View the list of a particular document to identify whether any document is missing by double-checking the numbering of source documents.
- Double-check whether the source documents were used in sequence.

1. Open SAP Business One
- On the desktop, double-click SAP Business One.
- Click ‘Change Company’, then in the Choose Company window, click RU Laptops, Co. Enter the User ID: auditor, Password: 1234

2. See the list of a particular document, e.g. Sales Order
- Go to Sales – A/R > Sales Order
- Switch to Find mode by pressing Ctrl + F.
- In the No. field, enter an asterisk symbol (*) then press Enter. A list of Sales Orders will appear where you can examine the sequence of the documents based on their numbering. You can apply this test to other documents as well.
- To test whether the sequence of numbering is correct, sort the list by date, then double-check that the numbering is still chronological. Any irregularity will be considered an exception.
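The sequence test from Exercise 6, scripted over an exported document list. This is an added example, not part of the original guide; the sample rows are constructed and the function name is an assumption.

```python
from datetime import date

# Constructed sample: (document number, posting date) pairs as an auditor might
# export them from a Sales Order list. Not data from the exercise database.
SAMPLE_ORDERS = [
    (1, date(2013, 1, 5)),
    (2, date(2013, 1, 9)),   # dated after No. 3 below
    (3, date(2013, 1, 7)),
    (5, date(2013, 1, 12)),  # No. 4 was never used
    (6, date(2013, 1, 15)),
    (6, date(2013, 1, 15)),  # same number used twice
]


def sequence_exceptions(docs):
    """Return missing numbers, reused numbers and numbers that break date order."""
    result = {"missing": [], "duplicates": [], "out_of_order": []}
    if not docs:
        return result

    numbers = [number for number, _ in docs]
    present = set(numbers)
    result["missing"] = [n for n in range(min(present), max(present) + 1)
                         if n not in present]
    result["duplicates"] = sorted(n for n in present if numbers.count(n) > 1)

    # Sort by date as the exercise does; a pre-numbered series issued in
    # sequence must never step back to a number lower than one already seen.
    highest_seen = None
    for number, posted in sorted(docs, key=lambda d: (d[1], d[0])):
        if highest_seen is not None and number < highest_seen:
            result["out_of_order"].append((number, posted))
        else:
            highest_seen = number
    return result


if __name__ == "__main__":
    for kind, found in sequence_exceptions(SAMPLE_ORDERS).items():
        print(kind, found)
```

Each entry returned is an exception to follow up, not proof of fraud: cancelled or voided documents can legitimately leave gaps.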

Data Coding Controls
Coding controls are checks on the integrity of data codes used in processing. A customer’s account number, an inventory item number, and a chart of accounts number are all examples of data codes.

EXERCISE 7: Data Coding Controls
1. View the list of Business Partners and examine whether the codes used follow the BP Codes adopted by the Company
- Go to Business Partners > Business Partner Master Data
- Change the BP Type to Customers.
- Type an asterisk symbol (*) in the code field then press Enter. The list of Business Partners will appear. What is the coding control for Customers BP? Any irregularity will be considered an exception.
- Do the same process for Vendors BP.

Validation Controls
Input validation controls are intended to detect errors in transaction data before the data are processed. Validation procedures are most effective when they are performed as close to the source of the transaction as possible. However, depending on the type of CIS in use, input validation may occur at various points in the system.

There are three levels of input validation controls:
1. Field interrogation
2. Record interrogation
3. File interrogation

Field Interrogation
Field interrogation involves programmed procedures that examine the characteristics of the data in the field. The following are some common types of field interrogation:
a. Missing data checks are used to examine the contents of a field for the presence of blank spaces. When the validation program detects a blank where it expects to see a data value, this will be interpreted as an error.
b. Numeric-alphabetic data checks determine whether the correct form of data is in a field.
c. Limit checks determine if the value in the field exceeds an authorized limit.
d. Validity checks compare actual values in a field against known acceptable values. This control is used to verify such things as transaction codes, state abbreviations, or employee job skill codes. If the value in the field does not match one of the acceptable values, the record is determined to be in error.

EXERCISE 8: Field Interrogation
a. Missing Data Checks. Test if marketing documents in SAP Business One have this control. (Note: Use Lukas user account)
- Open a Sales Order. Go to Sales – A/R > Sales Order
- Insert the following information in the Sales Order:
  Customer: C1100
  Name: Jacob Electronics
  Item No.: D1000
  Unit Price: Php32,000
- Click Add. SAP Business One should flag an error message due to missing delivery date.
- Cancel the Sales Order. You can test other documents for this control.

b. Numeric-alphabetic Data Checks. Test if marketing documents in SAP Business One have this control.
- Open a Sales Order. Go to Sales – A/R > Sales Order
- Insert the following information in the Sales Order:
  Customer: C1100
  Name: Jacob Electronics
  Item No.: A1000
  Delivery date: Current System date
  Quantity: ABC
- Click Add. SAP Business One should flag an error message due to invalid monetary value.
- Cancel the Sales Order. You can test other documents for this control.

c. Limit Checks. Test if creating a User Account in SAP Business One has this control.
- Log in to the manager account to see the User Setup window. Go to Administration > Choose Company > Change User > User ID: manager then Password: 1234
- Go to Administration > Setup > General > Users. The Users – Setup window will appear. Make sure you are in Add mode.
- Insert in the User Code field the word ‘Administrator’. SAP Business One will flag an error message because the character limit is exceeded.
- Cancel the Users – Setup.

d. Validity Checks. Test if Business Partner Master Data has this control. (Use Auditor’s Account)
- Go to Business Partners > Business Partner Master Data. Make sure you are in Find mode (i.e. Ctrl + F)
- In the BP Code field, type ‘L1000’ then press Enter. SAP Business One should flag an error message due to no matching records.
- Cancel the Business Partner Master Data. You can try this control on other documents with known values.

Record Interrogation
Record interrogation procedures validate the entire record by examining the interrelationship of its field values. Some typical tests are discussed below.
a. Reasonableness checks determine if a value in one field, which has already passed a limit check and a range check, is reasonable when considered along with other data fields in the record.
b. Sign checks are tests to see if the sign of the field is correct for the type of record being processed. For example, in a sales order processing system, the dollar amount field must be positive for sales orders but negative for sales return transactions. This control can determine the correctness of the sign by comparing it with the transaction code field.
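How field interrogation and record interrogation fit together in a validation routine, as an added example that is not part of the original guide and not SAP Business One code. The transaction codes, the quantity limit and the record layout are assumptions; the customer and item codes are the ones used in Exercise 8.

```python
from decimal import Decimal, InvalidOperation

VALID_CUSTOMERS = {"C1100"}          # BP code used in Exercise 8
VALID_ITEMS = {"A1000", "D1000"}     # item numbers used in Exercise 8
MAX_QUANTITY = Decimal("1000")       # assumed authorized limit
# Assumed transaction codes, with the sign each one requires in the amount field.
REQUIRED_SIGN = {"SALES_ORDER": 1, "SALES_RETURN": -1}
REQUIRED_FIELDS = ("type", "customer", "item", "quantity", "amount", "delivery_date")

# Constructed record that passes every check.
BASE = {"type": "SALES_ORDER", "customer": "C1100", "item": "D1000",
        "quantity": "1", "amount": "32000", "delivery_date": "2013-12-31"}


def _blank(value):
    return value is None or str(value).strip() == ""


def field_interrogation(rec):
    """Check each field on its own; return (errors, parsed numeric fields)."""
    errors, numeric = [], {}
    for name in REQUIRED_FIELDS:                        # missing data check
        if _blank(rec.get(name)):
            errors.append(f"missing data: {name}")
    for name in ("quantity", "amount"):                 # numeric-alphabetic check
        if _blank(rec.get(name)):
            continue
        try:
            value = Decimal(str(rec[name]).strip())
        except InvalidOperation:
            errors.append(f"not numeric: {name}")
            continue
        if value.is_finite():
            numeric[name] = value
        else:                                           # reject NaN and Infinity
            errors.append(f"not numeric: {name}")
    if numeric.get("quantity", Decimal(0)) > MAX_QUANTITY:   # limit check
        errors.append("limit exceeded: quantity")
    allowed = {"type": REQUIRED_SIGN, "customer": VALID_CUSTOMERS, "item": VALID_ITEMS}
    for name, values in allowed.items():                # validity check
        if not _blank(rec.get(name)) and rec[name] not in values:
            errors.append(f"invalid value: {name}")
    return errors, numeric


def record_interrogation(rec, numeric):
    """Check fields against each other: the amount's sign must fit the type."""
    sign = REQUIRED_SIGN.get(rec.get("type"))
    amount = numeric.get("amount")
    if sign is not None and amount is not None and amount * sign <= 0:
        return ["sign check failed: amount"]
    return []


def validate(rec):
    errors, numeric = field_interrogation(rec)
    return errors + record_interrogation(rec, numeric)


if __name__ == "__main__":
    print(validate({**BASE, "quantity": "ABC", "type": "SALES_RETURN"}))
```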


Processing Controls
After passing through the data input stage, transactions enter the processing stage of the system. Processing controls are divided into three categories: run-to-run controls, operator intervention controls, and audit trail controls.
1. Run-to-Run Controls
2. Operator Intervention Controls
3. Audit Trail Controls

The preservation of an audit trail is an important objective of process control. In an accounting system, every transaction must be traceable through each stage of processing from its economic source to its presentation in financial statements. In a CBIS environment, the audit trail can become fragmented and difficult to follow. It thus becomes critical that each major operation applied to a transaction be thoroughly documented. The following are examples of techniques used to preserve audit trails in a CBIS.

EXERCISE 9: Audit Trail Controls
View some techniques used to preserve audit trails in SAP Business One.

a. Transaction Logs. Every transaction successfully processed by the system should be recorded on a transaction log, which serves as a journal. View a list of all transactions posted in SAP Business One or generate a transaction log.
- Open a document, for example an A/R Invoice. Go to Sales – A/R > A/R Invoice
- In the toolbar, click the Transaction Journal tool.
- Choose All Transactions in the Original Journal field then set the posting date from 01.01.13 to 12.31.13. This shows all the transaction journal records for the whole fiscal year 2013 that could be used for analysis.

b. Listing of Automatic Transactions. Some transactions are triggered internally by the system. To maintain control over automatic transactions processed by the system, the responsible end user should receive a detailed listing of all internally generated transactions.

c. Unique Transaction Identifiers. Each transaction processed by the system must be uniquely identified with a transaction number. This is the only practical means of tracing a particular transaction through a database of thousands or even millions of records. View examples of unique identifiers in SAP Business One.

a. View the automatic journal entry created.
- Open a closed A/R Invoice. Go to Sales – A/R > A/R Invoice > Switch to Find Mode by pressing Ctrl + F > Type 28 on the No. field then press Enter.
- Click the Accounting Tab then click the Journal Remark link arrow. This will open up the automatic journal entry created by SAP Business One for this transaction.

b. Take note of the unique identifiers in the A/R Invoice Transaction.
- Take note of the Origin field. Clicking the arrow navigates to the original transaction. These are just some of the originating transactions:
  IN  AR Invoice
  RC  Incoming Payments
  PU  AP Invoice
  PD  Goods Receipt PO
  PS  Outgoing Payments
  If the entry is entered manually, the origin is JE.

Output Controls
Output controls ensure that system output is not lost, misdirected, or corrupted and that privacy is not violated.

TESTING COMPUTER APPLICATION CONTROLS
Control testing techniques provide information about the accuracy and completeness of an application’s processes. These tests follow two general approaches: (1) the black box (around the computer) approach and (2) the white box (through the computer) approach.

Black Box Approach
With an understanding of what the application is supposed to do, the auditor tests the application by reconciling production input transactions processed by the application with output results. The output results are analyzed to verify the application’s compliance with its functional requirements.

White Box Approach
The white box approach relies on an in-depth understanding of the internal logic of the application being tested. The white box approach includes several techniques for testing application logic directly. Some of the more common types of tests of controls include the following:

- Authenticity tests, which verify that an individual, a programmed procedure, or a message (such as EDI transmission) attempting to access a system is authentic. Authenticity controls include user IDs, passwords, valid vendor codes, and authority tables.

- Accuracy tests, which ensure that the system processes only data values that conform to specified tolerances. Examples include range tests, field tests, and limit tests.

- Completeness tests, which identify missing data within a single record and entire records missing from a batch.

- Access tests, which ensure that the application prevents authorized users from unauthorized access to data. Access controls include passwords, authority tables, user-defined procedures, data encryption, and inference controls.

- Audit trail tests, which ensure that the application creates an adequate audit trail. This includes evidence that the application records all transactions in a transaction log, posts data values to the appropriate accounts, produces complete transaction listings, and generates error files and reports for all exceptions.

- Rounding error tests, which verify the correctness of rounding procedures. Rounding errors occur in accounting information when the level of precision used in the calculation is greater than that used in the reporting.

FIVE CAATT APPROACHES TO TEST APPLICATION CONTROLS
1. Test Data Method
2. Base Case System Evaluation
3. Tracing
4. Integrated Test Facility
5. Parallel Simulation

Test Data Method
The test data method is used to establish application integrity by processing specially prepared sets of input data through production applications that are under review. The results of each test are compared to predetermined expectations to obtain an objective evaluation of application logic and control effectiveness. To perform the test data technique, the auditor must obtain a copy of the current version of the application. In addition, test transaction files and test master files must be created. Results from the test run will be in the form of routine output reports, transaction listings, and error reports. In addition, the auditor must review the updated master files to determine that account balances have been correctly updated. The test results are then compared with the auditor’s expected results to determine if the application is functioning properly. This comparison may be performed manually or through special computer software. Any deviations between the actual results obtained and those expected by the auditor may indicate a logic or control problem.

Creating Test Data
When creating test data, auditors must prepare a complete set of both valid and invalid transactions. If test data are incomplete, auditors might fail to examine critical branches of application logic and error-checking routines. Test transactions should test every possible error, logical process, and irregularity.

Base Case System Evaluation
When the set of test data in use is comprehensive, the technique is called the base case system evaluation (BCSE).

Tracing
Another type of the test data technique, called tracing, performs an electronic walkthrough of the application’s internal logic. The tracing procedure involves three steps:
1. The application under review must undergo a special compilation to activate the trace option.
2. Specific transactions or types of transactions are created as test data.
3. The test data transactions are traced through all processing stages of the program, and a listing is produced of all programmed instructions that were executed during the test.

The Integrated Test Facility
The integrated test facility (ITF) approach is an automated technique that enables the auditor to test an application’s logic and controls during its normal operation. The ITF is one or more audit modules designed into the application during the systems development process. In addition, ITF databases contain “dummy” or test master file records integrated with legitimate records. During normal operations, test transactions are merged into the input stream of regular (production) transactions and are processed against the files of the dummy company. ITF audit modules are designed to discriminate between ITF transactions and routine production data. This may be accomplished in a number of ways. One of the simplest and most commonly used is to assign a unique range of key values exclusively to ITF transactions. For example, in a sales order processing system, account numbers between 2000 and 2100 can be reserved for ITF transactions and will not be assigned to actual customer accounts. By segregating ITF transactions from legitimate transactions in this way, routine reports produced by the application are not corrupted by ITF test data. Test results are produced separately on storage media or hard copy output and distributed directly to the auditor. Just as with the test data techniques, the auditor analyzes ITF results against expected results.

Parallel Simulation
Parallel simulation requires the auditor to write a program that simulates key features or processes of the application under review. The simulated application is then used to reprocess transactions that were previously processed by the production application. The results obtained from the simulation are reconciled with the results of the original production run to establish a basis for making inferences about the quality of application processes and controls.
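A small parallel simulation that also applies the ITF key-range rule described above, as an added example that is not part of the original guide. The transactions, the production totals and the rounding rule are constructed assumptions; only the reserved account range 2000 to 2100 comes from the text.

```python
from decimal import Decimal, ROUND_HALF_UP

# Account numbers reserved for ITF transactions in the text's example
# (assumed inclusive at both ends).
ITF_ACCOUNTS = range(2000, 2101)

# Constructed input stream: production orders mixed with one ITF test order.
# Each line is (quantity, unit price).
TRANSACTIONS = [
    {"doc_no": 101, "account": 1100, "lines": [("2", "32000.00")]},
    {"doc_no": 102, "account": 1250, "lines": [("3", "1499.995"), ("1", "250.00")]},
    {"doc_no": 103, "account": 2050, "lines": [("1", "100.00")]},   # ITF
    {"doc_no": 104, "account": 1300, "lines": [("5", "780.10")]},
]
# Constructed totals as reported by the production application.
PRODUCTION_TOTALS = {101: "64000.00", 102: "4749.98", 103: "100.00", 104: "3900.50"}


def split_streams(transactions):
    """Separate ITF test transactions from routine production transactions."""
    itf = [t for t in transactions if t["account"] in ITF_ACCOUNTS]
    production = [t for t in transactions if t["account"] not in ITF_ACCOUNTS]
    return itf, production


def simulate_total(txn):
    """Auditor's own version of the total calculation (assumed business rule:
    sum of quantity x price, rounded half up to two decimals)."""
    total = sum((Decimal(q) * Decimal(p) for q, p in txn["lines"]), Decimal("0"))
    return total.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def reconcile(transactions, production_totals):
    """Reprocess production transactions and list every disagreement as
    (document number, simulated total, total reported by production)."""
    _, production = split_streams(transactions)
    exceptions = []
    for txn in production:
        simulated = simulate_total(txn)
        reported = production_totals.get(txn["doc_no"])
        if reported is None or Decimal(reported) != simulated:
            exceptions.append((txn["doc_no"], simulated, reported))
    return exceptions


if __name__ == "__main__":
    for doc_no, simulated, reported in reconcile(TRANSACTIONS, PRODUCTION_TOTALS):
        print(f"doc {doc_no}: simulated {simulated}, production {reported}")
```

In the constructed data, document 102 differs by one centavo because production truncated where the simulation rounds, which is the kind of difference a rounding error test is meant to surface.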

CHAPTER 3: SUBSTANTIVE TESTS

SUBSTANTIVE TESTS OF REVENUE CYCLE

Revenue Cycle Risks and Audit Concerns
In general, the auditor’s concerns in the revenue cycle pertain to the potential for overstatement of revenues and accounts receivable rather than their understatement. Overstatement of accounts can result from material errors in the processing of normal transactions that occur throughout the year. In addition, the auditor should focus attention on large and unusual transactions at or near period-end.

Testing the Accuracy and Completeness Assertions
Accuracy assertion pertains to management assertions that all transactions were recorded at the appropriate amount, while completeness assertion says that all transactions that should have been recorded have been recorded. In the Revenue Cycle audit, accuracy and completeness assertions state that all sales transactions were recorded accurately and completely.

Review Sales Documents and Balances for Unusual Trends and Exceptions
A useful audit procedure for identifying potential audit risks involves scanning data files for unusual transactions and account balances. For example, scanning accounts receivable for excessively large balances may indicate that the company’s credit policy is being improperly applied.

Review Sales Invoices and Customer Master Data for Missing and Duplicate Items
Searching for missing and/or duplicate transactions and data entries is another important test that helps the auditor corroborate or refute the completeness and accuracy assertions. Duplicate and missing transactions in the revenue cycle may be evidence of over or understated sales and accounts receivable.

EXERCISE 10: Testing the Accuracy and Completeness Assertion (USE AUDITOR’S ACCOUNT)
a. Review Sales Documents and Balances for Unusual Trends and Exceptions
Open a list of Sales Orders and examine it for any unusual trends and exceptions using Query.
- Open Query Generator and create a query statement to produce an ad hoc report showing the list of all sales orders. Go to Tools Menu > Queries > Query Generator
- On the Table field, type ‘ORDR’ then press Tab. The field names and descriptions will appear. (Note: ORDR is the table name of Sales Order in the MSSQL where the database used in SAP is running)
- Double click the following field names: DocNum, DocDate, CardCode, CardName, DocTotal (Tip: You can list the field names alphabetically by double clicking the name title)
- Click in the Sort By field then double click DocTotal in the list of field names.
- Then click Execute to produce the ad hoc report, “List of Sales Order”.
- Now you can examine all the Sales Orders and scan for any unusual items. For example, a Sales Order amounting to Php894,080 was executed on December 31, 2013, which is considered a holiday in the Philippines. Also, the amount is unusually large compared with other sales orders. The auditor should inquire about this with the management of the company and seek additional information.

You can do the same procedures for other Sales documents. You just need to know the appropriate Table Name. (Tip: To get a list of SAP documents and their equivalent table names, open a blank Query Generator. In the table field name, type the asterisk symbol (*) then press Tab. The list of table and field names will appear.)

b. Review customer balances for unusual trends and exceptions
- Open a Blank Master Data. Go to Business Partners > Business Partner Master Data
- Change the BP Type to Customer then insert an asterisk symbol (*) in the code field then press Enter. A list of Business Partners for customers will appear.

Upon examination of the list of customers and their balances, you notice that the balance of Lappy Trading is negative. This is unusual considering that customer balances are normally debit or positive. The auditor can investigate this exception further. List your finding below and your proposed adjusting entry: ________________________________________________________________________ ________________________________________________________________________ ________________________________________________________________________

c. Review List of Customers for any duplicate items
- Open a Blank Master Data. Go to Business Partners > Business Partner Master Data
- Change the BP Type to Customer then insert an asterisk symbol (*) in the code field then press Enter. A list of Business Partners for customers will appear.
- Sort the list of customers alphabetically by double clicking the BP Name header.

As you scan the list of business partners, some of the customer names look familiar. You can further investigate this issue by comparing the master data. Open two business partner master data, one for Jacob Electrics and one for Jacob Electronics. Do the same for the other two then list your finding here: ________________________________________________________________________ ________________________________________________________________________ ________________________________________________________________________
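The three scans in Exercise 10 (unusual orders, negative balances, look-alike customer names), automated over exported rows. This is an added example, not part of the original guide: all rows are constructed except the Php894,080 order dated December 31, 2013 and the customer names taken from the exercise, and the `Balance` field name and the thresholds are assumptions.

```python
from datetime import date
from difflib import SequenceMatcher
from itertools import combinations
from statistics import median

PERIOD_END = date(2013, 12, 31)
# Constructed rows using the ORDR field names selected in the exercise.
SALES_ORDERS = [
    {"DocNum": 1, "DocDate": date(2013, 11, 4), "CardName": "Jacob Electronics", "DocTotal": 32000},
    {"DocNum": 2, "DocDate": date(2013, 11, 18), "CardName": "Lappy Trading", "DocTotal": 64000},
    {"DocNum": 3, "DocDate": date(2013, 12, 2), "CardName": "Norte Supply", "DocTotal": 48000},
    {"DocNum": 4, "DocDate": date(2013, 12, 31), "CardName": "Jacob Electrics", "DocTotal": 894080},
]
# Constructed customer balances; "Balance" is an assumed field name.
CUSTOMERS = [
    {"CardName": "Jacob Electrics", "Balance": 894080},
    {"CardName": "Jacob Electronics", "Balance": 32000},
    {"CardName": "Lappy Trading", "Balance": -15000},
    {"CardName": "Norte Supply", "Balance": 48000},
]


def unusual_orders(orders, period_end, multiple=5, window_days=3):
    """Flag orders far above the median total or dated at or near period-end."""
    if not orders:
        return []
    typical = median(o["DocTotal"] for o in orders)
    flagged = []
    for o in orders:
        reasons = []
        if o["DocTotal"] > multiple * typical:
            reasons.append("large")
        if 0 <= (period_end - o["DocDate"]).days <= window_days:
            reasons.append("period-end")
        if reasons:
            flagged.append((o["DocNum"], reasons))
    return flagged


def negative_balances(customers):
    """Customer balances are normally debit (positive); list the exceptions."""
    return [c["CardName"] for c in customers if c["Balance"] < 0]


def near_duplicates(customers, threshold=0.85):
    """Pair up customer names that are identical or nearly identical."""
    pairs = []
    for a, b in combinations(sorted(c["CardName"] for c in customers), 2):
        if SequenceMatcher(None, a.lower(), b.lower()).ratio() >= threshold:
            pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    print(unusual_orders(SALES_ORDERS, PERIOD_END))
    print(negative_balances(CUSTOMERS))
    print(near_duplicates(CUSTOMERS))
```

A flagged pair of names is only a lead; the master data comparison in the exercise decides whether the two records are the same customer.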

Testing the Existence Assertion
Existence assertion pertains to management assertions that the assets, liabilities and equity balances exist. For the revenue cycle audit, existence assertion declares that the customer balances recorded in the system really exist.

Send Confirmation to Customers to Confirm Balances
One of the most widely performed tests of existence is the confirmation of accounts receivable. This test involves direct written contact between the auditors and the client’s customers to confirm account balances and transactions.

Testing the Valuation and Allocation Assertion
Valuation and Allocation assertion pertains to management assertions that the assets, liabilities and equity balances are included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments are appropriately recorded. For the revenue cycle audit, valuation and allocation assertion states that the customer balances recorded are in their proper values.

Aging Accounts Receivable
The auditor’s objective regarding proper valuation and allocation is to corroborate or refute that accounts receivable are stated at net realizable value. This objective rests on the reasonableness of the allowance for doubtful accounts, which is derived from aged accounts receivable balances. To achieve this objective, the auditor needs to review the accounts receivable aging process to determine that the allowance for doubtful accounts is adequate. As accounts age, the probability that they will ultimately be collected decreases. Therefore, as a general rule, the larger the number of older accounts that are included in a company’s accounts receivable file, the larger the allowance for doubtful accounts needs to be to reflect the risk.

Exercise 11: Testing the Valuation and Allocation Assertion
View the Aging of Accounts Receivable and provide for Allowance for Doubtful Accounts based on the Company’s policies.
- Open the Aging Report of the company’s customer balances. Go to Financials > Financial Reports > Accounting > Aging > Customer Receivables Aging
- In the Selection Criteria insert the following information:
  Code: From C1100 To C2200
  Aging Date: 03.31.14
  Then click OK
- SAP Business One will generate the Customer Receivables Aging showing the age of receivables from the customers.
- Now the auditor can perform his analysis based on this aging and compute the appropriate amount of Allowance for Doubtful Accounts based on the Company’s policies.
- Compute the amount of Allowance for Doubtful Accounts. According to industry experience, the collectability of accounts is as follows:
  0 – 1 month = 100%
  Over one month not over two months = 98%
  Over two months not over three months = 95%
  Over three months not over four months = 92%
  Over four months = 90%

How much is the proposed Allowance for Doubtful Accounts? ____________
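The allowance computation behind Exercise 11, as an added example that is not part of the original guide. The collectability rates and the aging date are the ones given in the exercise; the open invoices are constructed (so the result is not the exercise's answer), and treating one month as a 30-day interval is an assumption.

```python
from datetime import date
from decimal import Decimal

# (upper bound of the age bucket in days, collectability) from the exercise.
# Assumption: one "month" is a 30-day aging interval.
COLLECTABILITY = [
    (30, Decimal("1.00")),
    (60, Decimal("0.98")),
    (90, Decimal("0.95")),
    (120, Decimal("0.92")),
    (None, Decimal("0.90")),   # over four months
]

AGING_DATE = date(2014, 3, 31)   # aging date used in the exercise (03.31.14)
# Constructed open invoices: (customer code, invoice date, open amount).
OPEN_INVOICES = [
    ("C1100", date(2014, 3, 15), Decimal("100000")),
    ("C1100", date(2014, 2, 14), Decimal("50000")),
    ("C1200", date(2014, 1, 10), Decimal("20000")),
    ("C1200", date(2013, 12, 20), Decimal("10000")),
    ("C2200", date(2013, 10, 1), Decimal("30000")),
]


def bucket_for(age_days):
    """Return (bucket upper bound, collectability) for an invoice age in days."""
    for upper, rate in COLLECTABILITY:
        if upper is None or age_days <= upper:
            return upper, rate


def allowance_schedule(invoices, aging_date):
    """Return ({bucket upper bound: [balance, allowance]}, total allowance).

    The allowance for a bucket is its balance times the share not expected
    to be collected, i.e. balance x (1 - collectability).
    """
    schedule = {upper: [Decimal("0"), Decimal("0")] for upper, _ in COLLECTABILITY}
    for _, invoice_date, amount in invoices:
        age = (aging_date - invoice_date).days
        if age < 0:      # dated after the aging date: not part of this aging
            continue
        upper, rate = bucket_for(age)
        schedule[upper][0] += amount
        schedule[upper][1] += amount * (1 - rate)
    total = sum((row[1] for row in schedule.values()), Decimal("0"))
    return schedule, total


if __name__ == "__main__":
    schedule, total = allowance_schedule(OPEN_INVOICES, AGING_DATE)
    for upper, (balance, allowance) in schedule.items():
        label = f"up to {upper} days" if upper else "over 120 days"
        print(f"{label:>16}: balance {balance:>10} allowance {allowance:>9}")
    print("proposed allowance:", total)
```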

SUBSTANTIVE TESTS OF EXPENDITURE CYCLE

Expenditure Cycle Risks and Audit Concerns
Taking the most narrow attest-function view, external auditors are concerned primarily with the potential for understatement of liabilities and related expenses. Substantive tests of expenditure cycle accounts are therefore directed toward gathering evidence of understatement and omission of material items rather than their overstatement.

Testing the Accuracy Assertion
Accuracy assertion pertains to management assertions that all transactions were recorded at the appropriate amount. In the Expenditure Cycle audit, accuracy states that all expense transactions were recorded accurately.

Review Purchasing Documents and Balances for Unusual Trends and Exceptions
A useful audit procedure for identifying potential audit risks involves scanning data files for unusual transactions and account balances. For example, scanning accounts payable for excessively large balances may indicate abnormal dependency on a particular supplier.

EXERCISE 12: Testing the Accuracy Assertion (USE AUDITOR’S ACCOUNT)
a. Review A/P Invoices for Unusual Trends and Exceptions
Open a list of A/P Invoices and examine it for any unusual trends and exceptions using Query.
- Open Query Generator and create a query statement to produce an ad hoc report showing the list of all A/P Invoices. Go to Tools Menu > Queries > Query Generator
- On the Table field, type ‘OPCH’ then press Tab. The field names and descriptions will appear. (Note: OPCH is the table name of A/P Invoice in the MSSQL where the database used in SAP is running)
- Double click the following field names: DocNum, DocDate, CardCode, CardName, DocTotal (Tip: You can list the field names alphabetically by double clicking the name title)
- Click in the Sort By field then double click DocNum in the list of field names.
- Then click Execute to produce the ad hoc report, “List of A/P Invoice”.

Now you can examine all the A/P Invoices and scan for any unusual items. For further examination, you can click the small graph icon to see an analysis of A/P Invoices depicted on a graph. You can do the same procedures for other Purchasing documents. You just need to know the appropriate Table Name.

Testing the Completeness Assertion
Completeness assertion says that all transactions that should have been recorded have been recorded. In the Expenditure Cycle audit, completeness declares that all expense transactions were completely recorded.

Searching for Unrecorded Liabilities
The search for unrecorded liabilities involves matching the records used by the warehouse department, such as a receiving report that indicates receipt of inventory, with the billing invoice from the supplier, which is used to record liabilities. A receiving report with no matching billing invoice might indicate that a liability was not recorded.

Exercise 13: Testing the Completeness Assertion
a. Scan for any open Goods Receipt PO, which could indicate that no liability has yet been created for this account. Open the Open Items List report to view any open GRPO.
- Go to Reports > Sales and Purchasing > Open Items List. Then on the Open Documents drop down menu, choose Goods Receipts POs.
- The auditor will see that there are two open GRPOs, meaning no A/P Invoice has yet been recorded in this account, thus understating the vendor balances.
- Double check the findings by comparing the list of GRPOs and A/P Invoices. Open a list of GRPOs and a list of A/P Invoices. Go to Purchasing – A/P > Goods Receipt PO. Switch to Find mode by pressing Ctrl + F. On the No. field, type the asterisk symbol (*) then press Enter. Upon pressing Enter, a list of GRPOs will appear. Do the same procedure for A/P Invoice to see the list of A/P Invoices, then compare the lists.
- Now, the auditor can compare the list of A/P Invoices available against the GRPO. Note your findings below and your proposed adjusting entries: ________________________________________________________________________ ________________________________________________________________________ ________________________________________________________________________

(Tip: To see the original entry made by SAP for the Goods Receipt PO documents, open the unmatched GRPOs then go to the Accounting tab. Beside the Journal Remark, click the link arrow to see the original entry made, as a basis for the adjusting entry.)

Testing the Existence Assertion
Existence assertion pertains to management assertions that the assets, liabilities and equity balances exist. For the expenditure cycle audit, existence assertion declares that the vendor balances recorded in the system really exist.

Examine Subsequent Payments to Suppliers
This test involves scanning the payments made in the subsequent period and checking whether the payables recorded in the last period were paid.

Exercise 14: Testing the Existence Assertion
a. Scan the payments made in the subsequent period using Query
Open a list of Outgoing Payments for the month of January 2014 (Subsequent Period) for examination of subsequent payments.
- Open Query Generator and create a query statement to produce an ad hoc report showing the list of Outgoing Payments for the month of January 2014. Go to Tools Menu > Queries > Query Generator


- In the Table field, type ‘OVPM’ then press Tab. The field names and descriptions will appear. (Note: OVPM is the table name of Outgoing Payments in MSSQL, where the database used by SAP is running.)
- Double click the following field names: DocNum, DocDate, CardCode, CardName, DocTotal. (Tip: You can list the field names alphabetically by double clicking the name title.)
- Click in the Where field to enter the condition. Double click DocDate in the list of field names then click the Conditions button. The Conditions pane will appear.
- Click again in the Where field and make sure that the cursor is at the end of T0.[DocDate]. Then double click the condition ‘Greater or Equal’ followed by a double click on any variable, for example [%0].
- Another condition will be added, so scroll down in the list of conditions then double click ‘And’. Continue the condition by double clicking DocDate again in the list of field names, followed by a double click on the condition ‘Smaller or Equal’, then double click on any variable except the one used before, for example [%1].
- Click in the Sort By field then double click DocDate in the list of field names.
- Then click Execute.
- The Query – Selection Criteria window will appear, where we can enter our condition. Insert 01.01.14 in the Greater or Equal field and 01.31.14 in the Smaller or Equal field to show only the Outgoing Payments made in January 2014. Then click OK.
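The statement that the Query Generator steps above build, followed by a query that goes one step further and ties each January 2014 payment to the A/P Invoice it settles. This is an added example, not part of the original guide; the VPM2 and OPCH tables, their join columns and the Canceled flag are assumptions taken from the standard SAP Business One schema and do not appear on this page.

```sql
-- 1) Statement produced by the Query Generator steps in this exercise.
--    [%0] and [%1] are SAP Business One query variables; their values come
--    from the "Query - Selection Criteria" window (01.01.14 and 01.31.14).
SELECT T0.[DocNum], T0.[DocDate], T0.[CardCode], T0.[CardName], T0.[DocTotal]
FROM OVPM T0
WHERE T0.[DocDate] >= [%0] AND T0.[DocDate] <= [%1]
ORDER BY T0.[DocDate]

-- 2) Extension beyond the guide (run as a separate query): trace each
--    subsequent-period payment to the A/P Invoice it was applied to, keeping
--    only invoices posted on or before the December 31, 2013 cut-off.
--    Assumed schema: VPM2 holds one row per invoice paid by an outgoing
--    payment (VPM2.DocNum = OVPM.DocEntry, VPM2.DocEntry = invoice DocEntry,
--    InvType '18' = A/P Invoice); OPCH is the A/P Invoice header table.
SELECT T0.[DocNum]     AS PaymentNo,
       T0.[DocDate]    AS PaymentDate,
       T0.[CardCode],
       T0.[CardName],
       T2.[DocNum]     AS InvoiceNo,
       T2.[DocDate]    AS InvoiceDate,
       T2.[DocTotal]   AS InvoiceTotal,
       T1.[SumApplied] AS AmountPaid
FROM OVPM T0
INNER JOIN VPM2 T1 ON T1.[DocNum] = T0.[DocEntry]
INNER JOIN OPCH T2 ON T2.[DocEntry] = T1.[DocEntry] AND T1.[InvType] = '18'
WHERE T0.[DocDate] >= '20140101'   -- start of subsequent period
  AND T0.[DocDate] <= '20140131'   -- end of subsequent period
  AND T0.[Canceled] = 'N'          -- ignore cancelled payments
  AND T2.[DocDate] <= '20131231'   -- liability existed at year end
ORDER BY T0.[DocDate], T0.[DocNum]
```

Year-end vendor balances that never appear in the second result were not settled in January 2014 and are the ones to follow up with other evidence, such as vendor confirmations.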

Testing the Valuation and Allocation Assertion

Valuation and Allocation assertion pertains to management assertions that the assets, liabilities and equity balances are included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments are appropriately recorded. For the expenditure cycle audit, valuation and allocation assertion states that the customer balances recorded are in their proper values.

Send Confirmation to Vendors to Confirm Balances

One of the most widely performed tests of existence is the confirmation of accounts payable. This test involves direct written contact between the auditors and the client’s vendors to confirm account balances and transactions.

Exercise 15: Testing the Valuation and Allocation Assertion

View the Aging of Accounts Payable as a basis for sending the confirmation to the vendors.
- Open the Aging Report of the company’s vendor balances. Go to Financials > Financial Reports > Accounting > Aging > Vendor Liabilities Aging
- In the Selection Criteria insert the following information:
  Code: From V1000 To V900
  Aging Date: 12.31.13
  Then click OK.

SAP Business One will generate the Vendor Liabilities Aging showing the age of payables to the vendors. The auditor can use this aging as the basis for sending confirmations of the balances to the company’s vendors.


- Now, the auditor can trace the payments to existing liabilities as of December 31, 2013.

List your findings here and your proposed adjusting entries:
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________


SUBSTANTIVE TEST OF OTHER FINANCIAL STATEMENT ACCOUNTS

Audit of Cash

Perform manual bank reconciliation to know the correct balance of cash that should be reported by the Company. Reconcile the Balance per SAP records and Balance per Bank Statement.

The accountant showed the auditor the Bank Statement sent by the bank for the month of December as shown below:

Date                 Remarks          Deposit        Withdrawal     Balance
Beginning Balance, December 1, 2013                                 Php112,207.20
December 1, 2013     Debit Advice                    93,000.00      19,207.20
December 7, 2013     Deposit          190,000.00                    209,207.20
December 8, 2013     Encashment                      25,000.00      184,207.20
December 20, 2013    Deposit          339,750.40                    523,957.60
December 31, 2013    Interest         1,200.00                      525,157.60
December 31, 2013    Bank Charge                     500.00         524,657.60
*** Nothing Follows ***

a. Open the General Ledger of the Cash Account in SAP Business One to reconcile it with the Bank Statement.
- Go to Financials > Financial Reports > Accounting > General Ledger
- In the General Ledger – Selection Criteria, uncheck the Business Partner Box and check the accounts box. Make sure that no accounts are marked with ‘x’.
- Change the level of accounts to 5.
- Mark ‘x’ the CA201 – Metrobank Account No. 9021
- For the posting date From field, enter 01.01.13 and To field 12.31.13 to show the transactions for the whole fiscal year 2013 for this account.
- Then press OK.

                                   Ref. No.
Balance per Bank                                  524,657.60
Add: Deposits in Transit
Less: Outstanding Checks
Total Adjustments
Adjusted Balance

Balance per Book                                  1,101,550.40
Add:
Less:
Total Adjustments
Adjusted Balance

Now the auditor can perform his bank reconciliation by comparing the records per bank and the records per SAP Business One. Write below your findings and proposed adjusting entries:
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________

Audit of Inventories

Ensure that inventories are stated at lower of cost or net realizable value.

The company’s manager told the auditor that on December 20, the compartment where the laptops are being stored caved in, resulting in some exterior damage to the units. The laptops are still working properly; however, their physical appearance has been damaged and the company fears that it might not sell them at their intended prices, so it decided to hire someone to compute the net realizable values of the laptops. This list of net realizable values was given to the auditor:

Acer Laptops        Php28,000.00
Dell Laptops        Php25,000.00
Lenovo Laptops      Php28,000.00
Samsung Laptops     Php30,000.00

b. Compare the recorded costs of the inventories with their NRV and compute for the necessary adjustment to recognize inventory loss (use Auditor’s Account).
- Open the Inventory Audit Report. Go to Inventory > Inventory Reports > Inventory Audit Report
- On the Selection Criteria insert the following information in the specified field:
  Change to Posting Date From 01.01.13, To 12.31.13 to include the transactions for the whole fiscal year 2013.
  Item Code: From A1000 To S1000
  Then click OK.


The deposit in the bank statement amounting to Php190,000.00 was traced to a deposit slip sent by Solid Electrics in January 2014. Upon inquiry by the client, the deposit pertains to a partial payment made by Solid Electrics regarding its amount due to the client.


- The Inventory Audit Report will appear. If you click on the black arrow beside the yellow arrow, the details of a particular item will expand. The auditor can now see the actual cost recorded in the system and compare it with its net realizable value. Take note that the valuation method used for the laptops is First In, First Out (FIFO).

Enter your Inventory Cost and NRV analysis here:

Cost                NRV                 Difference

Write down your findings and proposed adjusting entries below:
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________

Audit of Prepayments

Check whether the recorded prepayments represent their actual prepaid amounts. If not, make the necessary adjustments to recognize the expense.

Upon checking the Trial Balance of the company, the auditor noted two items that are considered as prepayments. The auditor examined the SAP Business One documents used to record the prepayments and also the journal entry. He also examined any third party document related to that asset.

c. View the Trial Balance as a basis of selecting accounts to audit
- Open Trial Balance in SAP Business One. Go to Financials > Financial Reports > Financial > Trial Balance
- In the Selection Criteria, enter the following information:
  - Uncheck BP Box
  - Change the level to 5
  - Check G/L Accounts Box
  - Mark ‘x’ all G/L accounts
  - Date is Posting Date
  - From 01.01.13 To 12.31.13
  Then click OK.
- Change the Level to Level 5 to see a more detailed Trial Balance.


Laptops


Open the SAP Business One document used to record Office Supplies.
- Go to Financials > Financial Reports > Accounting > General Ledger
- In the General Ledger – Selection Criteria, uncheck the Business Partner Box and check the accounts box. Make sure that no accounts are marked with ‘x’.
- Change the level of accounts to 5.
- Mark ‘x’ the CA500 – Office Supplies
- For the posting date From field, enter 01.01.13 and To field 12.31.13 to show the transactions for the whole fiscal year 2013 for this account.
- Then press OK.
- The General Ledger for Office Supplies will appear.
- To view the SAP Business One document used, click the link arrow on the Doc. No. Column (i.e. PS 8)
- To view the journal entry, click the link arrow on the posting date column (i.e. 02.14.13)


Upon seeing the contents of the Trial Balance, the auditor decided to audit the Office Supplies account and Insurance Expense account. He wants to see the SAP Business One documents used to record these accounts as well as any third party documents.


Note your findings below and your proposed adjusting entries:
__________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________

Audit of Fixed Assets

Determine the correct amount of depreciation that should be recorded for the year.

Upon checking the Trial Balance, the auditor noted that depreciation expenses were yet to be entered in the accounting records. The auditor therefore examined the SAP Business One documents used to record the acquisition of each asset, as well as any third party document, to properly know the start date of depreciation, then computed the depreciation expense based on the company’s policy on depreciating fixed assets.

Depreciation Method:
- 10% Salvage Value
- 5 year Useful Life – Office Equipment, Office Furniture
- 10 year Useful Life – Delivery Truck
- 20 year Useful Life – Leasehold Improvements


According to the company’s personnel, the estimated remaining Office Supplies is 20% of the original purchased amount. As for the insurance, upon examination of the Insurance Contract, it is for 2 years starting on its purchase date, which is also the posting date. Do the same procedure for Insurance Expense. (Hint: The insurance premium is recorded using the Expense Method.)


d. View SAP Business One document used to record Office Equipment

Open the SAP Business One document used to record Office Equipment.
- Go to Financials > Financial Reports > Accounting > General Ledger
- In the General Ledger – Selection Criteria, uncheck the Business Partner Box and check the accounts box. Make sure that no accounts are marked with ‘x’.
- Change the level of accounts to 5.
- Mark ‘x’ the NC101 – Office Equipment
- For the posting date From field, enter 01.01.13 and To field 12.31.13 to show the transactions for the whole fiscal year 2013 for this account.
- Then press OK.
- The General Ledger for Office Equipment will appear.
- To view the SAP Business One document used, click the link arrow on the Doc. No. Column (i.e. PS 16)
- To view the journal entry, click the link arrow on the posting date column (i.e. 03.29.13)

Do the same for Office Furniture, Delivery Truck and Leasehold Improvements. Just make sure that you use the correct date of acquisition.

e. Compute the depreciation expense for the fixed assets. Use the table below for your computation.

Fixed Asset                  Acquisition Date   Acquisition Cost   Salvage Value   Yearly Depreciation   2013 Depreciation
Office Equipment
Office Furniture
Delivery Truck
Leasehold Improvements
TOTAL DEPRECIATION FOR 2013

Note your findings below and your proposed adjusting entries: __________________________________________________________________________ __________________________________________________________________________ __________________________________________________________________________

*** NOTHING FOLLOWS ***
