Sarbanes Oxley Act - Auditing Standards
Public Company Accounting Oversight Board
Bylaws and Rules – Standards – AS2
Auditing Standard No. 2: An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements

Example B-4 – Programmed Prevent Control and Weekly Information Technology-Dependent Manual Detective Control

The auditor determined that cash, accounts payable, and inventory were significant accounts to the audit of the company's internal control over financial reporting.

Through discussions with company personnel, the auditor learned that the company's computer system performs a three-way match of the receiver, purchase order, and invoice. If there are any exceptions, the system produces a list of unmatched items that employees review and follow up on weekly.

In this case, the computer match is a programmed application control, and the review and follow-up of the unmatched items report is a detective control. To determine whether misstatements in cash (existence) and accounts payable/inventory (existence, valuation, and completeness) would be prevented or detected on a timely basis, the auditor decided to test the programmed application control of matching the receiver, purchase order, and invoice as well as the review and follow-up control over unmatched items.

Nature, Timing, and Extent of Procedures. To test the programmed application control, the auditor:

a. Identified, through discussion with company personnel, the software used to process receipts and purchase invoices. The software used was a third-party package consisting of a number of modules.

b. Determined, through further discussion with company personnel, that they do not modify the core functionality of the software, but sometimes make personalized changes to reports to meet the changing needs of the business. From previous experience with the company's information technology environment, the auditor believes that such changes are infrequent and that information technology process controls are well established.

c. Established, through further discussion, that the inventory module operated the receiving functionality, including the matching of receipts to open purchase orders. Purchase invoices were processed in the accounts payable module, which matched them to an approved purchase order against which a valid receipt has been made. That module also produced the Unmatched Items Report, a standard report supplied with the package to which the company has not made any modifications. That information was agreed to the supplier's documentation and to documentation within the information technology department.

d. Identified, through discussions with the client and review of the supplier's documentation, the names, file sizes (in bytes), and locations of the executable files (programs) that operate the functionality under review. The auditor then identified the compilation dates of the programs and agreed them to the original installation date of the application. The compilation date of the report code was agreed to documentation held within the information technology department relating to the last change made to that report (a change in formatting).

e. Identified the objectives of the programs to be tested. The auditor wanted to determine whether appropriate items are received (for example, match a valid purchase order), appropriate purchase invoices are posted (for example, match a valid receipt and purchase order, non-duplicate reference numbers) and unmatched items (for example, receipts, orders or invoices) are listed on the exception report. The auditor then reperformed all those variations in the packages on a test-of-one basis to determine that the programs operated as described.

In addition, the auditor had evaluated and tested general computer controls, including program changes (for example, confirmation that no unauthorized changes are undertaken to the functionality and that changes to reports are appropriately authorized, tested, and approved before being applied) and logical access (for example, user access to the inventory and accounts payable modules and access to the area on the system where report code is maintained), and concluded that they were operating effectively. (Since the computer is deemed to operate in a systematic manner, the auditor concluded that it was sufficient to perform a walkthrough for only the one item.)

To determine whether the programmed control was operating effectively, the auditor performed a walkthrough in the month of July. As a result of the walkthrough, the auditor performed and documented the following items:

a. Receiving cannot record the receipt of goods without matching the receipt to a purchase order on the system. The auditor tested that control by attempting to record the receipt of goods into the system without a purchase order. However, the system did not allow the auditor to do that. Rather, the system produced an error message stating that the goods could not be recorded as received without an active purchase order.

b. An invoice will not be paid unless the system can match the receipt and vendor invoice to an approved purchase order. The auditor tested that control by attempting to approve an invoice for payment in the system. The system did not allow the auditor to do that. Rather, it produced an error message indicating that invoices could not be paid without an active purchase order and receiver.

c. The system disallows the processing of invoices with identical vendor and identical invoice numbers. In addition, the system will not allow two invoices to be processed against the same purchase order unless the sum of the invoices is less than the amount approved on the purchase order. The auditor tested that control by attempting to process duplicate invoices. However, the system produced an error message indicating that the invoice had already been processed.

d. The system compares the invoice amounts to the purchase order. If there are differences in quantity/extended price, and such differences fall outside a preapproved tolerance, the system does not allow the invoice to be processed. The auditor tested that control by attempting to process an invoice that had quantity/price differences outside the tolerance level of 10 pieces, or $1,000. The system produced an error message indicating that the invoice could not be processed because of such differences.

e. The system processes payments only for vendors established in the vendor master file. The auditor tested that control by attempting to process an invoice for a vendor that was not established in the vendor master file. However, the system did not allow the payment to be processed.

f. The auditor tested user access to the vendor file and whether such users can make modifications to such file by attempting to access and make changes to the vendor tables. However, the system did not allow the auditor to perform that function and produced an error message stating that the user was not authorized to perform that function.

g. The auditor verified the completeness and accuracy of the Unmatched Items Report by verifying that one unmatched item was on the report and one matched item was not on the report.

Note: It is inadvisable for the auditor to have uncontrolled access to the company's systems in his or her attempts described above to record the receipt of goods without a purchase order, approve an invoice for payment, process duplicate invoices, etc. These procedures ordinarily are performed in the presence of appropriate company personnel so that they can be notified immediately of any breach to their systems.
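
The walkthrough items a through e and g above can be pictured as a test-of-one suite run against the matching logic. The sketch below is an added illustration, not part of the standard and not the third-party package's code: the Ledger class, ControlError, blocked and walkthrough names and the sample data are hypothetical, the tolerance is read as "reject when either limit is exceeded", and the cumulative-invoice rule in item c is left out.

```python
QTY_TOLERANCE, AMOUNT_TOLERANCE = 10, 1000  # pieces, dollars (walkthrough item d)
class ControlError(Exception):
    """A programmed prevent control blocked the transaction."""

class Ledger:  # hypothetical stand-in for the inventory and accounts payable modules
    def __init__(self, vendors, orders):
        self.vendors, self.orders = vendors, orders  # master file; po_id -> (qty, amount)
        self.receipts, self.invoices = {}, {}

    def record_receipt(self, po_id, qty):
        if po_id not in self.orders:  # item a
            raise ControlError("no active purchase order")
        self.receipts[po_id] = qty

    def post_invoice(self, vendor, number, po_id, qty, amount):
        if vendor not in self.vendors:  # item e
            raise ControlError("vendor not in vendor master file")
        if (vendor, number) in self.invoices:  # item c
            raise ControlError("invoice already processed")
        if po_id not in self.orders or po_id not in self.receipts:  # item b
            raise ControlError("no active purchase order and receiver")
        po_qty, po_amount = self.orders[po_id]
        if abs(qty - po_qty) > QTY_TOLERANCE or abs(amount - po_amount) > AMOUNT_TOLERANCE:
            raise ControlError("difference outside tolerance")  # item d
        self.invoices[(vendor, number)] = po_id

    def unmatched_items(self):  # item g: orders lacking a receipt or a posted invoice
        invoiced = set(self.invoices.values())
        return sorted(p for p in self.orders if p not in self.receipts or p not in invoiced)

def blocked(action, *args):
    """True when the control rejects the attempted transaction."""
    try:
        action(*args)
    except ControlError:
        return True
    return False

def walkthrough():
    led = Ledger({"V1"}, {"PO1": (100, 5000), "PO2": (50, 2000)})  # constructed sample data
    r = {"a": blocked(led.record_receipt, "PO9", 10),
         "b": blocked(led.post_invoice, "V1", "INV1", "PO1", 100, 5000)}  # no receiver yet
    led.record_receipt("PO1", 100)
    r["d"] = blocked(led.post_invoice, "V1", "INV1", "PO1", 120, 5000)  # 20 pieces over
    r["e"] = blocked(led.post_invoice, "V2", "INV1", "PO1", 100, 5000)  # unknown vendor
    led.post_invoice("V1", "INV1", "PO1", 100, 5000)  # valid three-way match posts
    r["c"] = blocked(led.post_invoice, "V1", "INV1", "PO1", 100, 5000)  # duplicate
    r["g"] = led.unmatched_items()
    return r
```

Each entry of the returned dictionary records whether the attempted exception was rejected, and entry "g" lists the orders that would appear on the exception report.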

To test the detect control of review and follow up on the Unmatched Items Report, the auditor performed the following procedures in the month of July for the period January to July:

a. Made inquiries of company personnel. To gain an understanding of the procedures in place to ensure that all unmatched items are followed-up properly and that corrections are made on a timely basis, the auditor made inquiries of the employee who follows up on the weekly-unmatched items reports. On a weekly basis, the control required the employee to review the Unmatched Items Report to determine why items appear on it. The employee's review includes proper followup on items, including determining whether:

   - All open purchase orders are either closed or voided within an acceptable amount of time.
   - The requesting party is notified periodically of the status of the purchase order and the reason for its current status.
   - The reason the purchase order remains open is due to incomplete shipment of goods and, if so, whether the vendor has been notified.
   - There are quantity problems that should be discussed with purchasing.

b. Observed the performance of the control. The auditor observed the employee performing the control for the Unmatched Items Reports generated during the first week in July.

c. Reperformed the control. The auditor selected five weekly Unmatched Items Reports, selected several items from each, and reperformed the procedures that the employee performed. The auditor also scanned other Unmatched Items Reports to determine that the control was performed throughout the period of intended reliance.

To determine that the company had not made significant changes in their controls from interim to year-end, the auditor discussed with company personnel the procedures in place for making such changes. Since the procedures had not changed from interim to year-end, the auditor observed that the controls were still in place by scanning the weekly Unmatched Items Reports to determine that the control was performed on a timely basis during the interim to year-end period.

Based on the auditor's procedures, the auditor concluded that the employee was clearing exceptions in a timely manner and that the control was operating effectively as of year-end.