Auditing Standard No. 2

Slides: 34
Provided by: lockh3
1
Auditing Standard No. 2
  • An Audit of Internal Control Over Financial
    Reporting Performed in Conjunction with an Audit
    of Financial Statements
  • Public Company Accounting Oversight Board
  • Managers and auditors understand procedures that
    initiate and process transactions
  • Business processes
  • Managers and auditors understand how transactions
    are recorded and reported
  • AIS

2
Business Processes and AIS
  • Business Processes
  • Manner in which work is organized, coordinated,
    and focused to produce a valuable product or
    service
  • Concrete work flows of material, information, and
    knowledge
  • Sets of activities or events
  • Unique ways to coordinate work, information, and
    knowledge
  • Ways in which management chooses to coordinate
    work
  • When you find events, think about
  • Internal agent assuming responsibility
  • When the event starts
  • Specific activities in the event
  • May be necessary to sub-divide events as process
    unfolds

3
Guidelines for Finding Events
  • Recognize the first event in a process when a
    person or department within an organization
    becomes responsible for an activity
  • Ignore activities that do not require an internal
    agent
  • Recognize a new event when responsibility is
    transferred from one internal agent to another
  • Recognize a new event when a process has been
    interrupted and resumed later by the same
    internal agent
  • After the interruption, someone outside the
    organization or the process may restart the
    process.
  • Alternatively, the process may continue at a
    scheduled time.
  • Use an event name and description that reflects
    the broad nature of an event

4
Types of Files
  • Transaction File
  • Store information about events
  • e.g. customer orders
  • Master file
  • Store information about non-event entities
  • External agents, internal agents, goods and
    services
  • Reference data
  • Data that describe the entity
  • Relatively permanent; not affected by
    transactions
  • e.g. customer's name, product ID
  • Summary data
  • Summarize past transactions
  • Beginning inventory

5
Master Files
[Figure: Inventory File (Goods and Services), with its summary fields and reference fields marked; Customer File (External Agents), with its reference fields marked]
6
Transaction Files
  • Usually include a date
  • Why?
  • Usually include price and quantity
  • Why quantity? Price?
  • Since price is in the master file and not the
    transaction file, what can we conclude?

[Figure: Order file (event); Order Detail (event)]
7
Events and Data
  • Events that use data
  • Recording
  • Preparation of transaction files
  • Updating
  • Changing summary data in the master file
  • Quantity on hand
  • File Maintenance
  • Adding and deleting master records, changing
    master file reference data

8
Overview Activity Diagrams
[Diagram: overview activity diagram with swimlanes for Customer, Server, Kitchen Staff, Cashier, Manager and Register. Events: Order Food, Pay Cash, Take Order, Serve Food, Prepare Food, Ring Up Sale, Close Register, Reconcile Cash. Documents: S = Sales Ticket (in progress, completed, paid), SS = Sales Summary. Register files: S = Sale, P = Price lookup]
9
Diagram Components
[Diagram: annotated sample activity diagram naming its components: start of process, events/triggers, sequence (triggers), swimlanes (separation based on role), document/report (D = document) with status such as completed or paid, files (tables), data flows, end of process]
10
Detailed Activity Diagrams
  • High level Overview Diagrams are helpful but we
    often need to see details also
  • Driving directions from Cleveland to OSU: state
    map and map of campus
  • Overview: find which processes to audit
  • Detailed: audit
  • Typical activities in an Event
  • Record information on a source document or
    transaction file
  • Check information in computer files (in stock?)
  • Compare documents
  • Update information about entities
  • Prepare a report

11
Workflow Tables
  • Event 1: Take Order. The customer arrives (1) and
    sits (2) at a table or at the counter.
  • Event 6: Reconcile Cash. The cashier gives (23) the
    sales summary to the manager and the total of
    the sales tickets.

Detailed Activities for Event (columns: events on overview diagram, actor, activity)
  • Take Order (actor: Customer)
  • 1. Arrives at diner.
  • 2. Sits at counter/table
  • Reconcile Cash (actor: Cashier)
  • 23. Gives the sales summary and cash to manager

12
Detailed Activity Diagram
[Diagram: detailed activity diagram for the Take Order event with Customer and Server swimlanes: Arrives (1); branch on table not available / available; Waits (3); Sits Down (2, 4); Calls Server (5); Records Order (6); document S = Sales Ticket (in progress)]
Workflow Table: Take Order (Customer, Server)
  • 1. Arrives at diner
  • 2. Sits at counter/table
  • 3. Waits if necessary
  • 4. Sits at table when available
  • 5. Calls server
  • 6. Records order on prenumbered ticket
13
Controls and Accountants
  • Internal control is a process designed to provide
    reasonable assurance regarding achievement of
  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with laws and regulations
  • Accountants' roles and controls
  • Managers: SOX and Public Company Accounting
    Oversight Board Statement No. 2
  • Users: be able to apply controls appropriately
  • System Designers: risk / reward tradeoff for
    controls
  • Evaluators: internal evaluation of controls,
    external attestation of controls, conduct audit
    of financial statements

14
Components of Internal Control
  • Control Environment
  • Integrity, ethical values, management philosophy,
    etc.
  • Risk Assessment
  • Identification and analysis of risks that
    interfere with controls
  • Control Activities
  • Performance reviews
  • Segregation of duties
  • Application (specific) controls
  • General controls
  • Information and Communication
  • Provide understanding of individual roles and
    responsibilities
  • Monitoring
  • Make sure it is working

15
Information Systems Risks
  • Information is both a risk and a control
  • Risk of creating a transaction error, but the
    right information can help control
  • Two main categories of Information System Risks
  • Recording Risks
  • Information about an event is not recorded
    properly in transaction file
  • e.g. wrong customer associated with a purchase
  • Also a timing risk of recording events too late
  • Updating Risks
  • Summary fields in master record are not updated
    properly
  • e.g. incorrect Quantity_on_Hand could lead to
    improperly rejected orders
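
A check for the updating risk above, written as an added example that is not part of the original presentation: it recomputes Quantity_on_Hand from the transaction file and reports master records that disagree, plus transaction records that point at no master record (one recording error that can be caught mechanically). The table and column names and all rows are constructed assumptions.

```python
import sqlite3

# Constructed sample data; table and column names are assumptions.
SCHEMA = """
CREATE TABLE inventory (            -- master file
    product_id TEXT PRIMARY KEY,    -- reference field
    description TEXT,               -- reference field
    beginning_qty INTEGER,          -- summary field
    quantity_on_hand INTEGER        -- summary field changed by updating
);
CREATE TABLE order_detail (         -- transaction file (no price: it is in the master)
    order_id INTEGER, order_date TEXT, product_id TEXT, quantity INTEGER
);
INSERT INTO inventory VALUES
    ('P100', 'Widget',   50, 38),   -- 50 - (7 + 5) = 38, updated correctly
    ('P200', 'Gadget',   20, 20),   -- 3 units ordered but never deducted
    ('P300', 'Sprocket', 10, 10);   -- no orders yet
INSERT INTO order_detail VALUES
    (1, '2024-03-01', 'P100', 7),
    (1, '2024-03-01', 'P200', 3),
    (2, '2024-03-02', 'P100', 5),
    (3, '2024-03-02', 'P999', 1);   -- product does not exist in the master file
"""

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def updating_exceptions(conn):
    """Master records whose Quantity_on_Hand disagrees with the transaction file."""
    return conn.execute("""
        SELECT i.product_id, i.quantity_on_hand,
               i.beginning_qty - COALESCE(SUM(d.quantity), 0) AS expected
        FROM inventory i
        LEFT JOIN order_detail d ON d.product_id = i.product_id
        GROUP BY i.product_id, i.quantity_on_hand, i.beginning_qty
        HAVING i.quantity_on_hand <> i.beginning_qty - COALESCE(SUM(d.quantity), 0)
        ORDER BY i.product_id""").fetchall()

def recording_exceptions(conn):
    """Transaction records that reference no master record."""
    return conn.execute("""
        SELECT d.order_id, d.product_id
        FROM order_detail d
        LEFT JOIN inventory i ON i.product_id = d.product_id
        WHERE i.product_id IS NULL""").fetchall()

if __name__ == "__main__":
    db = build_db()
    print("updating exceptions:", updating_exceptions(db))
    print("recording exceptions:", recording_exceptions(db))
```
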

16
Four Kinds of Controls
  • Workflow Controls
  • Focus on process as it moves between events
  • Performance Reviews
  • Analysis of performance
  • Input Controls
  • Apply to input of data into computer systems
  • General Controls
  • Apply to multiple processes and workflow and
    input controls

17
Workflow Controls
  • 1. Segregation of Duties
  • For each event separate
  • Authorization
  • Execution
  • Recording data
  • Custody of resources

[Figure labels: Server, Kitchen Staff, Ingredients?; Server, Cashier]
18
Workflow Controls
  • 2. Use of information about prior events to
    control activities
  • From document
  • Sales ticket authorizes use of ingredients to
    prepare food
  • From computer file
  • Summary file
  • Check seats available before selling tickets
  • Transaction file
  • Approve invoices after checking purchasing and
    receiving records
  • Like looking at a printed purchase order
  • 3. Required Sequence of Events
  • Reduce risk of getting surprised at the end of a
    process
  • Gather insurance information before seeing the
    doctor
  • Provide a credit card before leaving with a
    rental car (even if you're going to pay cash)

19
Workflow Controls
  • 4. Follow-Up Events
  • Reduce the risk of not finishing what you start
  • Unfilled (open) customer orders
  • Past due invoices
  • 5. Pre-numbered documents
  • Make event initiation easy to find
  • Drink tickets
  • 6. Recording of responsible agents
  • Make sure employees understand their
    responsibilities
  • Watch employees and let them know they're being
    watched
  • Checking out equipment, swiping your ID

20
Workflow Controls
  • 7. Limitation of Access to Assets and Information
  • Guns, guards and gates
  • Passwords and badges
  • 8. Reconciliation of Records with Physical
    Evidence
  • Make sure transaction and master file correspond
    to actual assets
  • More than just checking up on individual events
    as it involves multiple events
  • Occurs after events are executed and recorded
  • Documents initiate events

21
Performance Reviews
  • Compare actual data with forecasts and budgets
  • Ensure we're accomplishing long-term goals
  • Review sales to find products to discontinue
  • Evaluate quality of suppliers
  • Check past-due accounts
  • Planned standards and budgets are often recorded
    during file maintenance of master file
  • Budgeted performance would be a reference field
  • Summary data used to implement corrective action
  • Total days of late shipments or number of late
    shipments could be used to evaluate suppliers

22
Identifying the Need for Transactions Tables
  • Determine the events in the process (again)
  • Exclude events that are not recorded in system
  • Exclude query and reporting events
  • These data have already been recorded; we're just
    using them
  • Exclude maintenance events
  • Usually not relevant for transactions tables for
    reference fields in master table
  • There are examples where both a transaction
    record and a master record are created
  • e.g. open a bank account with initial deposit

23
Identifying the Need for Master Files
  • For each event that produces a transaction file,
    identify related goods, services or agents
  • Sale
  • Who sold it? What did we sell? Who did we sell
    it to?
  • Initiate Layaway
  • Who placed the item on layaway? What is the
    item? Who started the account?
  • Consider master tables to track location of cash
    and effect of events on account balances
  • Each master file should be linked to at least one
    transactions file, and vice-versa

24
Designing Data with UML Class Diagram
  • Draw required transaction tables in sequential
    order
  • Draw required master tables and link to
    transactions table(s)
  • Determine cardinality of relationships
  • Determine the required attributes
  • Assign a primary key
  • 1:m: add primary key of 1 to m
  • m:m: split with junction table with compound key
  • Assign other attributes as needed

25
A UML Example of a Class Diagram
[Diagram: UML class diagram; surviving label: Other attributes]
26
Event Table and Use Case Diagram
[Diagram: use case diagram. Labels: Master File Maintenance, Maintain Inventory Data, Maintain Manager Data, Record Sales Cash Receipts, Record Deposits. Actors: Owner, Manager, Manager (3rd Shift)]
27
Sales Form Layout
Sale/Cash Receipt Form
28
Sales Form Input Controls (Sales)
29
IT Governance
  • The Sarbanes-Oxley Act requires organizations to
    select and implement a suitable internal control
    framework
  • What is suitable?
  • COBIT framework focus on IT governance
  • IT governance provides the structure that links
    IT processes, IT resources, and information to
    enterprise strategies and objectives. IT
    governance integrates and institutionalizes
    optimal ways of planning and organizing,
    acquiring and implementing, delivering and
    supporting, and monitoring IT performance.

30
Controlling the IT Environment General Controls
31
Organizing the IT Function
  • Separate users from operations
  • Segregate authorization, execution, recording and
    custody of assets
  • AIS should only handle recording
  • Separate development from operations
  • Reduce risk of fraud and abuse
  • Back doors, salami schemes
  • Separate development from maintenance
  • Don't let developers watch over their own code
  • Separate development components/roles
  • Better documentation because each group relies on
    docs from previous work

32
Controlling Decentralized AIS
  • Help desk
  • Information center
  • Standard setting
  • Hardware/Software acquisition
  • Personnel review
  • Hiring controls
  • Match with IS strategy
  • Personnel development
  • Irony of well trained personnel
  • Termination plans
  • Easy for disgruntled IT employees to do serious
    damage
  • Take keys/badges, reset passwords

33
Developing IS Solutions
  • Adopt appropriate development methodology
  • Allows us to repeat the good and avoid
    repeating the bad
  • Implement controls for development and testing
  • Development vs. production environments
  • Quality control and testing
  • Testing
  • Unit testing: test each program independently
  • System testing: test integrated components
  • Acceptance testing: tests by users
  • Ensure adequate documentation
  • User manuals, training, application description
    (tables, controls, etc.)
  • Documentation is an ongoing process, not a
    last-minute undertaking