chapter 10: auditing the expenditure cycle it auditing & assurance, 2e, hall & singleton
TRANSCRIPT
Chapter 10:Auditing the Expenditure Cycle
IT Auditing & Assurance, 2e, Hall & Singleton
Step 1: Data processing department – inventory control Purchasing Department
Step 2: Data processing department – P.O. Receiving Department
Step 3: Data processing department – batch update of inventory Accounts Payable
Step 4: Data processing department – validates vendors
PURCHASES: BATCH PROCESSING
Step 5: Data processing department – scans for items due and prints checks for items received
Step 6: Cash disbursements department – reconciles checks, submits checks to management for signature
Step 7: Accounts payable – matches copies of checks with open vouchers, closes them and files documents
Concludes expenditure cycle
CASH DISBURSEMENT: BATCH PROCESSING
Data processing steps performed automatically:
1. Inventory file scanned for items and reorder points
2. Purchase requisition record for all items needing replenishment
3. Consolidate requisitions by vendor
4. Retrieve vendor mailing information
5. P.O. prepared and sent to vendor (EDI)
6. Open P.O. record added for each transaction
7. List of P.O. sent to purchasing department
CASH DISBURSEMENT: REENGINEERED—FULLY AUTOMATED
Goods arrive at receiving department
Quantities received entered per item
CASH DISBURSEMENT: REENGINEERED– FULLY AUTOMATED
Data processing steps performed automatically:
1. Quantities keyed matched to open P.O. record
2. Receiving report file record added
3. Update inventory subsidiary records
4. G.L. inventory updated
5. Record removed from open P.O. file and added to open A.P. file, due date established
CASH DISBURSEMENT: REENGINEERED—FULLY AUTOMATED
Each day, due date filed of A.P. are scanned for items where payment is due
CASH DISBURSEMENT: REENGINEERED—FULLY AUTOMATED
Data processing steps performed automatically:
1. Checks are printed, signed and distributed to mailroom (unless EDI/EFT)
2. Payments are recorded in check register file
3. Items paid are transferred from open A.P. to closed A.P. file
4. G.L.- A.P. and cash accounts are updated
5. Appropriate reports are transmitted to A.P. and cash disbursements departments for review
CASH DISBURSEMENT: REENGINEERED—FULLY AUTOMATED
Control implications
General in nature Similar to those of Chapter 9
CASH DISBURSEMENT: REENGINEERED—FULLY AUTOMATED
Improved inventory control Better cash management Less time lag Better purchasing time management Reduction of paper documents
BATCH AUTOMATED SYSTEM
VS. MANUAL BATCH
Segregation of duties
Accounting records and access controls
REENGINEERED SYSTEM VS. BATCH AUTOMATED SYSTEM
Drawbacks to using regular A.P. and cash disbursements systems to do payroll
General expenditure procedures that apply to all vendors will not apply to employees
Writing checks to employees requires special controls
General expenditure procedures are designed to accommodate relatively smooth flow of transactions
PAYROLL PROCEDURES
Often integrated with H.R. Differs from previous automate system
Operations departments transmit transactions to D.P. electronically
Direct access to files are used for data storage Many processes are now performed in real time
REENGINEERED PAYROLL SYSTEM
Personnel Cost accounting Timekeeping Data processing
1. Labor costs are distributed to accounts2. Online labor distribution summary 3. Online payroll register4. Employee records are updated5. Payroll checks are prepared and signed6. Disbursement system generates check to fund the
payroll imprest account7. G.L. updated
REENGINEERED PAYROLL SYSTEM
Input controls
Data validation controls Testing validation controls Batch controls Testing batch controls Purchases authorization controls Testing purchases authorization controls Employee authorization Testing employee authorization procedures
EXPENDITURE CYCLE AUDIT OBJECTIVES
Process controls File update controls
Sequence check control Liability validation control Valid vendor file Testing file update controls
Access controls Warehouse security Moving assets promptly when received Paying employees by check vs. cash Risks
• Employees with access to A.P. subsidiary file• Employees with access to attendance records• Employees with access to both cash and A.P. records• Employees with access to both inventory and inventory records
Testing access controls
EXPENDITURE CYCLE AUDIT OBJECTIVES
Process controls Physical controls
Purchase system controls• Segregation of inventory control from warehouse• Segregation of G.L. and A.P. from cash disbursements• Supervision of receiving department
Inspection of assets Theft of assets Reconciliation of supporting documents: P.O., receiving
report, supplier’s invoice
Payroll System controls• Verification of timecards• Supervision• Paymaster• Payroll imprest account
Testing of physical controls
EXPENDITURE CYCLE AUDIT OBJECTIVES
Process controls
Output controls
A.P. change report Transaction logs Transaction listing Logs of automatic transactions Unique transaction identifiers Error listing Testing output controls
EXPENDITURE CYCLE AUDIT OBJECTIVES
Risks and audit concerns Understanding data
Inventory file Purchase order file Purchase order line item file Receiving report file Disbursement voucher file File preparation procedures
EXPENDITURE CYCLE SUBSTANTIVE TESTS
Testing accuracy and completeness assertions
Review disbursement vouchers for unusual trends and exceptions
Accurate invoice prices
Testing completeness, existence, rights and obligations assertions
Searching for unrecorded liabilities Searching for unauthorized disbursement vouchers Review of multiple checks to vendors Auditing payroll and related records
EXPENDITURE CYCLE SUBSTANTIVE TESTS
Additional Cybercrime Info
The following slides are not in the text!
Incident Response Mandates Gramm-Leach-Bliley
Financial Institutions must … Establish incident response capability Perform prompt and reasonable investigation
when sensitive customer info is accessed Notify customers if misuse of info has or is
likely to occur
Incident Response Requirements
ISO 17799 ISO 17799 is international standard for IS best practices
Security framework must contain an effective incident response approach
In 2002, 22% companies with sales over $500 million had implemented ISO 17799
Must collect information for three purposes … Internal problem analysis Use as evidence Negotiation for compensation from software/service
vendors
Incident Response Requirements
ISO 17799 Response procedures should cover … Analysis and identification of cause of
incident Planning and implementation of remedies Collection of audit trails and similar evidence Communication with those affected or
involved with recovery Reporting the action to the appropriate
authority
Best Practices
Imaging hard drive of employees who resign or are terminated (proactive)
Avoid “patch and proceed” response Implement network forensics analysis with
tools like EnCase Focus on insider threats Companies face increasing cyberliability
claims stemming from security breaches
Chapter 10:Auditing the Expenditure
Cycle
IT Auditing & Assurance, 2e, Hall & Singleton