Chapter 9: Auditing the Revenue Cycle
IT Auditing & Assurance, 2e, Hall & Singleton

MANUAL PROCEDURES
• Processing shipping orders
• 4 copies of Sales Order to warehouse; packing slip, shipping notice, stock release, file copy
• Locate and “pick” goods using Stock Release; package them with packing slip
• Reconcile documents and goods, sign Shipping Notice, prepare Bill of Lading – multiple copies [Figure 9-3]
• Transfer custody of goods (packing slip inside) and 2 copies of Bill of Lading to carrier
• Record shipment in shipping log
• Send shipping notice to Billing Dept.
• File: Stock Release, 1 BOL, File Copy

LEGACY SYSTEM PROCEDURES
• Keypunch batch of shipping notices
• Edit run program, correct any errors
• Field checks
• Limit tests
• Range tests
• Price times quantity extensions
• Sort run on batches by AR account number
• Legacy systems store records in sequential manner, usually tape
• Next process is to “post” individual shipping notices to appropriate individual AR accounts
• AR update & billing run [Figure 9-4]
• Updated AR file becomes new AR file
• Billing would be printing invoices to be mailed
• Sales journal file or printout
• Journal voucher for AR [DR] and sales [CR]

LEGACY SYSTEM PROCEDURES
• Re-sort by inventory item {why?}
• Same reason; but this process is to update Inventory Items
• Inventory update run [Figure 9-5]
• Reduce quantity on hand for items shipped, generate a new Inventory file
• Compare “On Hand” quantity with “Reorder Point” to identify items needing replenishment; file or printout
• Journal voucher for Cost of Goods Sold [DR] and Inventory [CR]
• Sort journal entries by GL #
• Run general ledger update
• Management reports

BATCH CASH RECEIPTS SYSTEMS WITH DIRECT ACCESS FILES
• See Figure 9-6
• Discrete events that naturally fit the batch approach
• Update Procedures
• Mail Room
• Receives checks and Remittance Advices
• Separates checks from Remittance Advices
• Prepares a Remittance List – multiple copies
• Copy of Remittance List and checks go to Cash Receipts Dept.
• Remittance Advices and copy of Remittance List go to AR Dept.
• Last copy of Remittance List to Controller’s Office

REAL-TIME SALES ORDER ENTRY AND CASH RECEIPTS
• See Figure 9-7
• Sales procedures
• Transactions are processed as they occur, separately
• Credit check is performed online by the system
• If approved, system checks availability of inventory
• If available, system:
• Transmits electronic stock release to warehouse dept.
• Transmits electronic packing slip to shipping dept.
• Updates inventory file records for depletion
• Records sale in open sales order computer file

REAL-TIME SALES ORDER ENTRY AND CASH RECEIPTS
• Warehouse procedures
• Produces hard copy of stock release
• Clerk picks goods, sends them with a copy of stock release to shipping dept.
• Shipping procedures
• Reconciles goods, stock release, packing slip from system
• Online, IS prepares Bill of Lading for shipment, and shipping notice for DP Dept.
• Select carrier and prepare goods for shipment, along with packing slip and Bill of Lading
• Stock release form is filed

FEATURES OF REAL-TIME PROCESSING
• Events Database
• Traditional accounting does not have to exist per se (in traditional form)
• General Ledger can be derived at any time from a compilation from the events database
• Advantages
• Greatly shortens the cash cycle of the firm
• Can give a firm a competitive advantage (e.g., managing inventory better)
• Real-time editing permits the identification of many kinds of errors as they occur, greatly reducing the efficiency and effectiveness of business processes
• Reduces the amount of paper documents
• Electronic audit trails are possible in real-time computer-based systems

MANAGEMENT ASSERTIONS AND REVENUE CYCLE AUDIT OBJECTIVES
• Existence / Occurrence
• VERIFY AR balance represents amounts actually owed as of Balance Sheet date
• Establish sales represents goods shipped and/or services rendered during period of financials
• Completeness
• Determine all amounts owed organization are included in AR
• VERIFY shipped goods, services rendered, and/or returns and allowances for period are included in financials
• Accuracy
• VERIFY revenue transactions are accurately computed, based on correct prices and quantities
• Ensure AR subsidiary ledger, sales invoice file, remittance file are mathematically correct ... and agree with GL accounts
• Rights & Obligations
• Determine organization has legal right to AR
• VERIFY accounts sold or factored have been removed from AR
• Valuation or Allocation
• Determine AR balance stated in net realizable value
• Establish allocation for uncollectible accounts is appropriate
• Presentation and Disclosure
• VERIFY AR and revenues for period are properly described and classified

INPUT CONTROLS
• Purpose
• Ensure creditworthiness of customers
• Control techniques vary considerably between batch systems and real-time systems
• Credit authorization procedures
• Creditworthiness of customer
• Batch and manual systems use credit dept.
• Real-time systems use programmed decision rules
• Testing credit procedures
• Verify effective procedures exist
• Verify information is adequately communicated
• Verify effectiveness of programmed decision rules (test data, ITF)
• Verify that authority for making credit decisions is limited to authorized credit personnel/procedures
• Perform Substantive Tests of Detail
• Review credit policy periodically and revise as necessary

INPUT CONTROLS
• Data Validation Controls
• To detect transcription errors in data as it is processed
• Batch: after shipment of goods
• Error logs
• Error correction computer processes
• Transaction resubmission procedures
• Real-Time: Errors handled as they occur
• Missing data checks – presence of blank fields
• Numeric-Alphabetic data checks – correct form of data
• Limit checks – value does not exceed max for the field
• Range checks – data is within upper and lower limits
• Validity checks – compare actual values against known acceptable values
• Check digit – identify keystroke errors by testing internal validity
• Testing Data Validation Controls
• Verify controls exist and are functioning effectively
• Validation of program logic can be difficult
• If controls over system development and maintenance are NOT weak, testing data editing/programming logic is more efficient than substantive tests of details (test data, ITF)
• Some assurance can be gained through the testing of error lists and error logs (detected errors only)

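The six edit checks on this slide, applied to a constructed batch of shipping-notice records. This is an added example, not taken from the slides or the textbook; the field names, thresholds, transaction codes and the weighted modulus-11 check-digit scheme are assumptions chosen for illustration.

```python
# Constructed parameters: thresholds, field names and check-digit scheme are assumptions.
VALID_TXN_CODES = {"SHP", "RET"}        # validity check: known acceptable values
MAX_QTY = 500                           # limit check: field maximum
PRICE_MIN, PRICE_MAX = 0.01, 9999.99    # range check: lower and upper bounds

def is_numeric(s): return s.isascii() and s.isdigit()
def mod11_check_digit(base):
    # Weighted modulus-11 digit: weights 2, 3, 4, ... applied from the right.
    total = sum(int(d) * w for w, d in enumerate(reversed(base), start=2))
    r = (11 - total % 11) % 11
    return "X" if r == 10 else str(r)

def validate(rec):
    # Missing data check runs first; the other checks need every field present.
    missing = [f"missing:{f}" for f in ("account", "txn_code", "qty", "price")
               if not str(rec.get(f, "")).strip()]
    if missing:
        return missing
    errors = []
    base, digit = rec["account"][:-1], rec["account"][-1]
    if not is_numeric(base):                      # numeric-alphabetic check
        errors.append("numeric:account")
    elif mod11_check_digit(base) != digit:        # check digit
        errors.append("check_digit:account")
    if rec["txn_code"] not in VALID_TXN_CODES:    # validity check
        errors.append("validity:txn_code")
    if not is_numeric(rec["qty"]):
        errors.append("numeric:qty")
    elif int(rec["qty"]) > MAX_QTY:               # limit check
        errors.append("limit:qty")
    try:
        if not PRICE_MIN <= float(rec["price"]) <= PRICE_MAX:   # range check
            errors.append("range:price")
    except ValueError:
        errors.append("numeric:price")
    return errors

def edit_run(records):  # returns (clean records, error log of (record no., errors))
    checked = [(n, rec, validate(rec)) for n, rec in enumerate(records, start=1)]
    clean = [rec for _, rec, errs in checked if not errs]
    error_log = [(n, errs) for n, _, errs in checked if errs]
    return clean, error_log

SAMPLE = [  # constructed records
    {"account": "123455", "txn_code": "SHP", "qty": "10", "price": "19.99"},   # clean
    {"account": "123545", "txn_code": "SHP", "qty": "10", "price": "19.99"},   # transposed digits
    {"account": "123455", "txn_code": "SHP", "qty": "", "price": "19.99"},     # blank field
    {"account": "123455", "txn_code": "XXX", "qty": "9000", "price": "-5"}]    # three failures
```

The error log only shows what the checks caught, which is the "detected errors only" limitation noted in the last bullet above.
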
INPUT CONTROLS
• Batch controls
• Manage high volumes of similar transactions
• Purpose: Reconcile output produced by system with the original input
• Controls continue through all computer (data) processes
• Batch transmittal sheet:
• Unique batch number
• Batch date
• Transaction code
• Record count
• Batch control total (amount)
• Hash totals (e.g., account numbers)
• Testing data validation controls
• Failures of batch controls indicate data errors
• Involves reviewing transmittal records of batches processed and reconciling them to the batch control log (batch transmittal sheet)
• Examine out-of-balance conditions and other errors to determine cause of error
• Review and reconcile transaction listings, error logs, etc.

PROCESS CONTROLS
• Computerized procedures for file updating
• Restricting access to data
• Techniques:
• File update controls – Run-to-run batch control data to monitor data processing steps
• Transaction code controls – to process different transactions using different programming logic (e.g., transaction types)
• Sequence check controls – sequential files, proper sorting of transaction files required
• Testing file update controls – results in errors
• Testing data that contains errors (incorrect transaction codes, out of sequence)
• Can be performed in ITF or test data
• CAATTs requires careful planning
• Single audit procedure can be devised that performs all tests in one operation

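The batch transmittal figures from the batch controls slide (record count, control total, hash total) and the run-to-run and sequence checks from this slide, worked on a constructed batch. This is an added example, not from the slides or the textbook; the record layout, batch number and run names are assumptions.

```python
from decimal import Decimal

def batch_totals(records):
    # The three figures carried on the batch transmittal sheet.
    return {
        "record_count": len(records),
        "control_total": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        "hash_total": sum(int(r["account"]) for r in records),
    }

def reconcile(transmittal, records):
    # Out-of-balance conditions as {figure: (expected, actual)}; empty when in balance.
    actual = batch_totals(records)
    return {k: (transmittal[k], v) for k, v in actual.items() if transmittal[k] != v}

def sequence_errors(records, key="account"):
    # Sequence check: positions where a record's key is lower than its predecessor's.
    return [i for i in range(1, len(records))
            if int(records[i][key]) < int(records[i - 1][key])]

def run_to_run(transmittal, runs):
    # Re-check the batch after every run; report only the runs that fail.
    report = {}
    for name, output in runs:
        problems = reconcile(transmittal, output)
        if problems:
            report[name] = problems
    return report

# Constructed batch of four shipping notices and its transmittal sheet.
KEYED = [
    {"account": "1003", "amount": "120.25"}, {"account": "1001", "amount": "250.00"},
    {"account": "1004", "amount": "54.25"}, {"account": "1002", "amount": "75.50"},
]
SHEET = {"batch_no": "B-0001", "record_count": 4,
         "control_total": Decimal("500.00"), "hash_total": 4010}
SORTED = sorted(KEYED, key=lambda r: int(r["account"]))
# A record posted to the wrong account: amounts still balance, only the hash total moves.
MISPOSTED = [dict(r, account="1020") if r["account"] == "1002" else r for r in SORTED]
DROPPED = SORTED[:-1]   # a record lost during the update run
RUNS = [("edit", KEYED), ("sort", SORTED),
        ("ar_update_misposted", MISPOSTED), ("ar_update_dropped", DROPPED)]
```

The misposted case shows why the hash total is carried alongside the amount total: the record count and control total both balance while a receivable lands in the wrong account.
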
ACCESS CONTROLS
• Prevent and detect unauthorized and illegal access to firm’s systems and/or assets
• Warehouse security
• Depositing cash daily
• Use safe deposit box, night box, lock cash drawers and safes
• Accounting records
• Removal of an account from books
• Unauthorized shipments of goods using blank sales orders
• Removal of cash, covered by adjustments to cash account
• Theft of products/inventory, covered by adjustments to inventory or cash accounts
• Testing access controls – heart of accounting information integrity
• Absence thereof allows manipulation of invoices (i.e., fraud)
• Access controls are system-wide and application-specific
• Access controls are dependent on effective controls in O/S, networks, and databases

PHYSICAL CONTROLS
• Segregation of duties
• Rule 1: Transaction authorization separate from transaction processing
• Rule 2: Asset custody separate from record-keeping tasks
• Rule 3: Organization structured such that fraud requires collusion between two or more people
• Supervision
• Necessary for employees who perform incompatible functions
• Compensates for inherent exposure from incompatible functions
• Can be supplement when duties are properly segregated
• Prevention vs. detection of fraud and crime is objective: supervision can be effective preventive control

PHYSICAL CONTROLS
• Independent verification
• Review the work of others at critical points in business processes
• Purpose: Identify errors or possible fraud
• Examples:
• Shipping dept. verifies goods sent from warehouse dept. are correct in type and quantity
• Billing dept. reconciles shipping notice with sales notice to ensure customers billed correctly
• Testing physical controls
• Review organizational structure for incompatible tasks
• Tasks normally segregated in manual systems get consolidated in DP systems
• Duties of design, maintenance, and operations for computers need to be separated
• Programmers should not be responsible for subsequent program changes

OUTPUT CONTROLS
• PURPOSE: Information is not lost, misdirected, or corrupted; that the system output processes function properly
• Controls are designed to identify potential problems
• Reconciling GL to subsidiary ledgers
• Maintenance of the audit trail – that is the primary way to trace the source of detected errors
• Details of transactions processed at intermediate points
• AR change report
• Transaction logs: permanent record of valid transactions
• Transaction listings – successfully posted transactions
• Log of automatic transactions
• Unique transaction identifiers
• Error listings
• Testing output controls
• Reviewing summary reports for accuracy, completeness, timeliness, and relevance for decisions
• Trace sample transactions through audit trails, including transaction listings, error logs, and logs of resubmitted records
• ACL is very helpful in this process

SUBSTANTIVE TESTS OF REVENUE CYCLE ACCOUNTS
• PURPOSE: Determine the nature, timing, and extent of substantive tests using auditor’s assessment of inherent risk, unmitigated control risk, materiality considerations, and efficiency of the audit
• Concern: Overstatement or understatement of revenues?
• Focus on large and unusual transactions, especially near period-end
• Recognizing revenues from sales that did not occur
• Recognizing revenues BEFORE they are realized
• Failing to recognize cutoff points
• Underestimating allowance for doubtful accounts
• Shipping unsolicited products to customers, subsequently returned
• Billing customers for products held by seller
• Tests of controls and substantive tests
• Credit limit logic may be effective but cut-off of AR may be in error
• Substantive testing of AR may give assurance about accuracy of total AR but does not offer assurance about collectibility

SUBSTANTIVE TESTS OF REVENUE CYCLE ACCOUNTS
• Understanding data
• VERIFY data used in CAATTs (e.g., ACL) is accurate
• VERIFY adequate setup of files from originals (e.g., ACL and Profile command)
• Relationships and data from [see Figure 9-10]:
• Customer file
• Sales Invoice file
• Line item file
• Inventory file
• Shipping log file
• File preparation procedures

SUBSTANTIVE TESTS OF REVENUE CYCLE ACCOUNTS
• Accuracy/completeness assertion
• Analytical review of account balances
• Overall perspective for trends in sales, cash receipts, sales returns, and AR
• Provides first-level assurance that amounts are reasonably stated and reasonably complete
• If so, may reduce the extent of substantive testing
• Review sales invoices for unusual trends and exceptions
• Scanning data files using CAAT (e.g., ACL and stratify and possibly filters – see Figure 9-11)
• Reveals all errors or raises questions?

SUBSTANTIVE TESTS OF REVENUE CYCLE ACCOUNTS
• Accuracy/completeness assertion
• Review sales invoice and shipping log files
• Missing and duplicate transactions [see Table 9-2]
• Questions/survey:
• Are procedures in place to document and approve voided invoices?
• How are gaps in sales invoice numbers communicated to management?
• What physical controls exist over access to sales invoice source documents?
• If applicable, are batch totals used to control batch transactions during each processing step?
• Are transaction listings reconciled and reviewed by management?
• Review line item and inventory files for pricing accuracy
• ACL allows auditor to compare prices on invoices with inventory – using JOIN [see example on page 413]
• Testing unmatched records (complement)

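The two file tests on this slide, a gaps-and-duplicates scan of invoice numbers and a price comparison that joins line items to the inventory file and keeps the unmatched records, written out in Python on constructed data. This is an added example and not ACL syntax or the textbook's own procedure; the file layouts and item codes are assumptions.

```python
from collections import Counter
from decimal import Decimal

def gaps_and_duplicates(invoice_numbers):
    # Missing numbers inside the observed range, and numbers that occur more than once.
    counts = Counter(invoice_numbers)
    if not counts:
        return [], []
    gaps = [n for n in range(min(counts), max(counts) + 1) if n not in counts]
    dups = sorted(n for n, c in counts.items() if c > 1)
    return gaps, dups

def price_test(line_items, inventory):
    # Join each invoice line to the inventory record for its item.
    # mismatched: billed price differs from the inventory sales price.
    # unmatched:  no inventory record exists for the item (the join's complement).
    mismatched, unmatched = [], []
    for li in line_items:
        listed = inventory.get(li["item"])
        if listed is None:
            unmatched.append(li)
            continue
        diff = Decimal(li["unit_price"]) - Decimal(listed)
        if diff != 0:
            mismatched.append({**li, "list_price": listed, "effect": diff * li["qty"]})
    return mismatched, unmatched

# Constructed sample files.
INVOICE_NUMBERS = [1001, 1002, 1004, 1004, 1007]
INVENTORY = {"A100": "12.50", "B200": "40.00"}          # item -> sales price
LINE_ITEMS = [
    {"invoice": 1001, "item": "A100", "qty": 10, "unit_price": "12.50"},
    {"invoice": 1002, "item": "B200", "qty": 3, "unit_price": "35.00"},   # billed below list
    {"invoice": 1004, "item": "C300", "qty": 1, "unit_price": "99.00"},   # item not on file
]
```

Gaps and unmatched lines are exceptions to follow up with the survey questions above (voided invoices, access to source documents), not errors in themselves.
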
SUBSTANTIVE TESTS OF REVENUE CYCLE ACCOUNTS
• Existence assertion
• Confirmation of AR – SAS #67
• Not required if:
• AR is immaterial
• Assessed Control Risk is low
• Confirmation process will be ineffective
• CAATTs to use for this function?
• Steps:
• Select accounts to confirm
• Consolidate invoices (not AR subsidiary) using CLASSIFY (filter) and SUMMARIZE (amount) [see Tables 9-3 and 9-4]
• Why?
• JOIN the CUSTOMER file with the new consolidated invoice file
• Prepare confirmation requests [see Figure 9-12]
• Positive and Negative Confirmations (ACL, EXPORT)
• Evaluating and controlling responses
• Retain custody of the confirmation letters until mailed
• The letters should be addressed to the auditor, not client org.
• The replies should be mailed to the auditor, not client org.
• Discrepancies should be investigated
• Non-responses to POSITIVE confirmation should be investigated

SUBSTANTIVE TESTS OF REVENUE CYCLE ACCOUNTS
• Valuation/allocation assertion
• Corroborate or refute AR is stated at reasonable Net Realizable Value
• AGING AR
• ACL, AGE [see Table 9-7]
• Is allowance for doubtful accounts reasonable compared to prior years and based on composition of AR portfolio
• Confirmation process will be ineffective
• Review past-due balances
• Conference with credit manager to determine collectibility
• Determine if methods used to estimate allowance for doubtful accounts are adequate, not the collectibility of each account
• Determine if overall allowance is, therefore, reasonable

IS Controls: Access Controls
• Site
• System
• File
• Record
• Rights and privileges

Controls for Automated Systems
• General and application controls for IS
• Transaction tags
• Transaction logs
• Increased supervision
• Online validation and authentication
• Rotation of duties
• Authorizations and automated rules
• Continuous auditing techniques