AUDITING IN AN IT ENVIRONMENT using SAP Business One
CHAPTER 1:
INTRODUCTION TO INFORMATION TECHNOLOGY AUDIT
Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions
about economic actions and events to ascertain the degree of correspondence between those
assertions and established criteria and communicating the results to interested users.
SYSTEMATIC PROCESS
Conducting an audit is a systematic and logical process that applies to all forms of information systems.
While important in all audit settings, a systematic approach is particularly important in the IT
environment. The lack of physical procedures that can be visually verified and evaluated injects a high
degree of complexity into the IT audit. Therefore, a logical framework for conducting an audit in the IT
environment is critical to help the auditor identify all important processes and data files.
1. Existence or Occurrence assertion - affirms that all assets and equities contained in the
balance sheet exist and that all transactions in the income statement actually occurred.
2. Completeness assertion - declares that no material assets, equities, or transactions have been
omitted from the financial statements.
3. Rights and Obligations assertion - maintains that assets appearing on the balance sheet are
owned by the entity and that the liabilities reported are obligations.
4. Valuation or Allocation assertion - states that assets and equities are valued in accordance with
generally accepted accounting principles and that allocated amounts such as depreciation
expense are calculated on a systematic and rational basis.
5. Presentation and Disclosure assertion - alleges that financial statement items are correctly
classified (e.g., long-term liabilities will not mature within one year) and that footnote
disclosures are adequate to avoid misleading the users of financial statements.
Generally, auditors develop their audit objectives and design audit procedures based on the preceding
assertions.
Audit objectives may be classified into two general categories. The preceding assertions relate to
transactions and account balances that directly impact financial reporting. The second category
pertains to the information system itself. This includes the audit objectives for assessing controls over
manual operations and computer technologies used in transaction processing.
OBTAINING EVIDENCE
Auditors seek evidential matter that corroborates management assertions. In the IT environment, this
process involves gathering evidence relating to the reliability of computer controls as well as the
contents of databases that have been processed by computer programs. Evidence is collected by
performing tests of controls, which establish whether internal controls are functioning properly, and
substantive tests, which determine whether accounting databases fairly reflect the organization's
transactions and account balances.
ASCERTAINING MATERIALITY
The auditor must determine whether weaknesses in internal controls and misstatements found in
transactions and account balances are material. In all audit environments, assessing materiality is an
auditor judgment. In an IT environment, however, this decision is complicated further by technology
and a sophisticated internal control structure.
COMMUNICATING RESULTS
Auditors must communicate the results of their tests to interested users. An independent auditor
renders a report to the audit committee of the board of directors or stockholders of a company. The
audit report contains, among other things, an audit opinion. This opinion is distributed along with the
financial report to interested parties both internal and external to the organization. IT auditors often
communicate their findings to internal and external auditors, who can then integrate these findings
with the non-IT aspects of the audit.
The IT audit is generally divided into three phases: audit planning, tests of controls, and substantive
testing.
1. AUDIT PLANNING
The first step in the IT audit is audit planning. Before the auditor can determine the nature and
extent of the tests to perform, he or she must gain a thorough understanding of the client's
business. A major part of this phase of the audit is the analysis of audit risk. The objective of the
auditor is to obtain sufficient information about the firm to plan the other phases of the audit.
The risk analysis incorporates an overview of the organization's internal controls. During the
review of controls, the auditor attempts to understand the organization's policies, practices, and
structure. In this phase of the audit, the auditor also identifies the financially significant
applications and attempts to understand the controls over the primary transactions that are
processed by these applications.
The techniques for gathering evidence at this phase include questionnaires, interviewing
management, reviewing systems documentation, and observing activities. During this process,
2. TESTS OF CONTROLS
The objective of the tests of controls phase is to determine whether adequate internal controls
are in place and functioning properly. To accomplish this, the auditor performs various tests of
controls. The evidence gathering techniques used in this phase may include both manual
techniques and specialized computer audit techniques.
At the conclusion of the tests-of-controls phase, the auditor must assess the quality of internal
controls. The degree of reliance the auditor can ascribe to internal controls affects the nature and
extent of substantive testing that needs to be performed. The relationship between tests of
controls and substantive tests is discussed later.
3. SUBSTANTIVE TESTING
The third phase of the audit process focuses on financial data. This involves a detailed
investigation of specific account balances and transactions through what are called substantive
tests. For example, a customer confirmation is a substantive test sometimes used to verify
account balances. The auditor selects a sample of accounts receivable balances and traces these
back to their source, the customers, to determine if the amount stated is in fact owed by a bona
fide customer. By so doing, the auditor can verify the accuracy of each account in the sample.
Based on such sample findings, the auditor is able to draw conclusions about the fair value of the
entire accounts receivable asset.
Some substantive tests are physical, labor-intensive activities such as counting cash, counting
inventories in the warehouse, and verifying the existence of stock certificates in a safe. In an IT
environment, the information needed to perform substantive tests (such as account balances and
names and addresses of individual customers) is contained in data files that often must be
extracted using Computer Assisted Audit Tools and Techniques (CAATTs) software.
CHAPTER 2:
TEST OF CONTROLS
The internal control system comprises policies, practices, and procedures employed by the
organization to achieve four broad objectives:
1. To safeguard assets of the firm.
2. To ensure accuracy and reliability of accounting records and information.
3. To promote efficiency in the firm's operations.
4. To measure compliance with management's prescribed policies and procedures.
The internal control system serves as a shield that protects the firm's assets from numerous
undesirable events that bombard the organization. These include attempts at unauthorized access to
the firm's assets (including information), fraud perpetrated by persons both in and outside the firm,
errors due to employee incompetence, faulty computer programs, and corrupted input data, and
mischievous acts such as unauthorized access by computer hackers and threats from computer viruses
that destroy programs and databases.
A weakness in internal control may expose the firm to one or more of the following types of risks:
1. Destruction of assets (both physical assets and information)
2. Theft of assets
3. Corruption of information or the information system
4. Disruption of the information system
MODIFYING ASSUMPTIONS
Inherent in these control objectives are four modifying assumptions that guide designers and auditors
of internal control systems.
1. Management Responsibility
This concept holds that the establishment and maintenance of a system of internal control is a
management responsibility.
2. Reasonable Assurance
The internal control system should provide reasonable assurance that the four broad objectives
of internal control are met. This means that no system of internal control is perfect and the cost
of achieving improved control should not outweigh its benefits.
4. Limitations
Every system of internal control has limitations on its effectiveness. These include (1) the
possibility of error: no system is perfect; (2) circumvention: personnel may circumvent the
system through collusion or other means; (3) management override: management is in a
position to override control procedures by personally distorting transactions or by directing a
subordinate to do so; and (4) changing conditions: conditions may change over time so that
existing controls may become ineffectual.
CONTROL ENVIRONMENT
The control environment is the foundation for the other four control components. The control
environment sets the tone for the organization and influences the control awareness of its
management and employees.
RISK ASSESSMENT
Organizations must perform a risk assessment to identify, analyze, and manage risks relevant to
financial reporting. Risks can arise out of changes in circumstances such as:
SAS 78 requires that auditors obtain sufficient knowledge of the organization's information system to
understand:
- The classes of transactions that are material to the financial statements and how those
transactions are initiated.
- The accounting records and accounts that are used in the processing of material transactions.
- The transaction processing steps involved from the initiation of an economic event to its
inclusion in the financial statements.
- The financial reporting process used to prepare financial statements, disclosures, and
accounting estimates.
MONITORING
Management must determine that internal controls are functioning as intended. Monitoring is the
process by which the quality of internal control design and operation can be assessed. This may be
accomplished by separate procedures or by ongoing activities.
An organization's internal auditors may monitor the entity's activities in separate procedures. They
gather evidence of control adequacy by testing controls, and then communicate control strengths and
weaknesses to management. As part of this process, internal auditors make specific recommendations
for improvement to controls.
Ongoing monitoring may be achieved by integrating special computer modules into the information
system that capture key data and/or permit tests of controls to be conducted as part of routine
operations.
Another technique for achieving ongoing monitoring is the judicious use of management reports.
Timely reports allow managers in functional areas such as sales, purchasing, production, and cash
disbursements to oversee and control their operations. By summarizing activities, highlighting trends,
and identifying exceptions from formal performance, well-designed management reports provide
evidence of internal control function or malfunction.
CONTROL ACTIVITIES
Control activities are the policies and procedures used to ensure that appropriate actions are taken to
deal with the organization's identified risks. Control activities can be grouped into two distinct
categories: computer controls and physical controls.
Physical Controls
This class of control activities relates primarily to traditional accounting systems that employ manual
procedures. However, an understanding of these control concepts also gives insights to the risks and
control concerns associated with the IT environment. There are six traditional categories of Physical
Control Activities.
1. Transaction Authorization
The purpose of transaction authorization is to ensure that all material transactions
processed by the information system are valid and in accordance with management's
objectives. Authorizations may be general or specific. General authority is granted to
operations personnel to perform day-to-day operations. An example of general
authorization is the procedure to authorize the purchase of inventories from a designated
vendor only when inventory levels fall to their predetermined reorder points. This is called a
programmed procedure (not necessarily in the computer sense of the word). The decision
rules are specified in advance, and no additional approvals are required.
On the other hand, specific authorizations deal with case-by-case decisions associated with
non-routine transactions. An example of this is the decision to extend a particular
customer's credit limit beyond the normal amount. Specific authority is usually a
management responsibility.
EXERCISE 1: Transaction Authorization
Perform transaction with a programmed procedure
The Item Availability Check is a programmed procedure to ensure that proper action is
taken on sales orders for items that may not be available at the moment.
You found out in the Company policies that no Purchase Order amounting to more than
P200,000 shall be allowed to be posted without the approval of the manager first. Test this
kind of control in the system.
a. Log in to the account of Karla Sy to have the proper authorizations for the transaction to
be made.
Go to Administration > Choose Company > Change User > User ID: Karla then Password: 1234
b. Create a Purchase Order that will qualify for the Approval Procedure
- Navigate to Purchasing A/P Module > Purchase Order.
- In the Vendor field, choose V1000 Laptop Queen Philippines, Inc.
- Dates default to the system date.
- In the Contents Tab, add Item S1000 in the Item Field with the Quantity of 10. Enter
Unit Price of P22,000.00 then click Add. Total amount of Purchase Order should be
Php246,400 which should trigger the approval procedure.
- Cancel the document.
2. Segregation of Duties
One of the most important control activities is the segregation of employee duties to
minimize incompatible functions. Segregation of duties can take many forms, depending
upon the specific duties to be controlled. However, the following three objectives provide
general guidelines applicable to most organizations.
Objective 1
The segregation of duties should be such that the authorization for a transaction is
separate from the processing of the transaction. For example, purchases should not
be initiated by the purchasing department until authorized by the inventory control
department. This separation of tasks is a control to prevent the purchase of
unnecessary inventory by individuals.
Objective 2
Responsibility for the custody of assets should be separate from the recordkeeping
responsibility. For example, the department that has physical custody of finished
goods inventory (the warehouse) should not keep the official inventory records.
Accounting for finished goods inventory is performed by inventory control, an
accounting function. When a single individual or department has responsibility for
both asset custody and recordkeeping, the potential for fraud exists. Assets can be
stolen or lost, and the accounting records falsified to hide the event.
Objective 3
The organization should be structured so that a successful fraud requires collusion
between two or more individuals with incompatible responsibilities. In other words,
no single individual should have sufficient access to assets and supporting records to
perpetrate a fraud.
a. Log in to the account of manager to view the authorizations made for Lukas Ibarra.
Go to Administration > Choose Company > Change User > User ID: manager then Password: 1234
c. Test the Segregation of Duties by checking if the Authorizations are functioning properly.
- Log in to Lukas's account.
Go to Administration > Choose Company > Change User > User ID: Lukas then Password: 1234
- Open Sales Order. Since he has authorization for Sales A/R, he should be able to open it.
Go to Sales A/R > Sales Order
- Open Purchase Order. Since he has no authorization for Purchasing A/P, he should not
be permitted to open it.
Go to Purchasing A/P > Purchase Order
(Note: If Purchase Order and other documents in the Purchasing A/P module are not
visible, click the Form Settings tool in the Toolbar. Then set the documents in the
Purchasing A/P as visible.)
- Test the other users further based on their authorizations, following the same procedures.
3. Supervision
Implementing adequate segregation of duties requires that a firm employ a sufficiently large
number of employees. Achieving adequate segregation of duties often presents difficulties for
small organizations. Obviously, it is impossible to separate five incompatible tasks among
three employees. Therefore, in small organizations or in functional areas that lack sufficient
personnel, management must compensate for the absence of segregation controls with close
4. Accounting Records
The traditional accounting records of an organization consist of source documents, journals,
and ledgers. These records capture the economic essence of transactions and provide an audit
trail of economic events. The audit trail enables the auditor to trace any transaction through
all phases of its processing from the initiation of the event to the financial statements.
b. View a list of all transactions posted in SAP Business One or generate transaction log.
- Open a document A/R Invoice for example. Go to Sales A/R > A/R Invoice
- In the toolbar, click the Transaction Journal tool.
- Choose All Transactions in the Original Journal field then set the posting date from
01.01.13 to 12.31.13. This is to show all the transaction journal records for the whole fiscal
year 2013 that can be used for analysis.
c. Plot SAP Business One to the Accounting Cycle (Still using Auditor's Account)
Special Journals
a. Sales Journal: Sales A/R
b. Purchases Journal: Purchasing A/P
c. Cash/Check Receipts: Banking Incoming
2. Ledger
General Ledger: Financials > Financial Reports > Accounting > General Ledger
- Uncheck the Business Partner checkbox, then check the Accounts checkbox to show only General Ledger accounts.
- Mark the accounts with X.
- Change the Posting Date range From 01.01.13 To 12.31.13.
- Then click OK to show the General Ledger.
Subsidiary Ledger: Financials > Financial Reports > Accounting > General Ledger
- Check the Business Partner checkbox, then uncheck the Accounts checkbox to show only Subsidiary Accounts.
- To view a particular SL, change the BP Code From C1100 and To C1100.
- Change the Posting Date range From 01.01.13 To 12.31.13.
- Then click OK to show the Subsidiary Ledger for this Business Partner.
3. Trial Balance: Financials > Financial Report > Financial > Trial Balance
(Note: Do the same process as with the General Ledger)
5. Financial Statements: Financials > Financial Report > Financial > Profit & Loss or Balance Sheet
(Note: Just change to the desired period then click OK)
7. Post-Closing Trial Balance: Financials > Financial Report > Financial > Trial Balance > Check Add Closing Balances
8. Reversing Entries: Financials > Journal Entry > Click Reversal Box
(Note: The process given is how to create Reversing Entries)
6. Independent Verification
Verification procedures are independent checks of the accounting system to identify errors
and misrepresentations. Verification differs from supervision because it takes place after the
act, by an individual who is not directly involved with the transaction or task being verified.
Examples of independent verifications include:
- Comparing physical assets with accounting records.
- Reconciling subsidiary accounts with control accounts.
Computer Controls
Computer controls constitute a body of material that is of primary concern to us. These controls, which
relate specifically to the IT environment and IT auditing, fall into two broad groups: general controls
and application controls.
General Controls
Pertain to entity-wide concerns such as controls over the data center, organization databases, systems
development, and program maintenance.
b. Click All Programs > Microsoft SQL Server 2005 > SQL Server Management Studio Express
c. Click Connect
Note: If connection is unsuccessful, call the attention of your technical support to put in the
correct Server Type and Server Name.
d. Click + before the Databases to expand and view all databases > Right Click on the database
that you want to back up > Click Tasks > Click Backup.
Input Controls
The data collection component of the information system is responsible for bringing data into the
system for processing. Input controls at this stage are designed to ensure that these transactions are
valid, accurate, and complete. Data input procedures can be either source document-triggered or
direct input.
Source document input requires human involvement and is prone to clerical errors. Some types of
errors that are entered on the source documents cannot be detected and corrected during the data
These control classes are not mutually exclusive divisions. Some control techniques that we shall
examine could fit logically into more than one class.
Validation Controls
Input validation controls are intended to detect errors in transaction data before the data are
processed. Validation procedures are most effective when they are performed as close to the source of
the transaction as possible. However, depending on the type of CIS in use, input validation may occur
at various points in the system.
Field Interrogation
Field interrogation involves programmed procedures that examine the characteristics of the data in the
b. Numeric-alphabetic Data Checks. Test if marketing documents in SAP Business One have this
control.
- Open a Sales Order.
Go to Sales A/R > Sales Order
- Insert the following Information in the Sales Order:
Customer: C1100
Name: Jacob Electronics
Item No.: A1000
Delivery date: Current System date
Quantity: ABC
- Click Add. SAP Business One should flag an error message due to invalid monetary value.
- Cancel the Sales Order. You can test other documents for this control.
c. Limit Checks. Test if creating a User Account in SAP Business One has this control.
- Log in to the account of manager to view the Users Setup window.
Go to Administration > Choose Company > Change User > User ID: manager then Password: 1234
- Go to Administration > Setup > General > Users. Users Setup window will appear. Make
sure you are in Add mode.
- In the User Code field, enter the word Administrator. SAP Business One will flag an error
message because the character limit is exceeded.
- Cancel the Users Setup.
d. Validity Checks. Test if Business Partner Master Data has this control. (Use Auditor's Account)
- Go to Business Partners > Business Partner Master Data. Make sure you are in Find mode (i.e.
Ctrl + F)
- In the BP Code field, type L1000 then press Enter. SAP Business One should flag an error
message due to no matching records.
- Cancel the Business Partner Master Data. You can try this control on other documents with
known values.
a. Reasonableness checks determine if a value in one field, which has already passed a limit check
and a range check, is reasonable when considered along with other data fields in the record.
b. Sign checks are tests to see if the sign of the field is correct for the type of record being processed.
For example, in a sales order processing system, the dollar amount field must be positive for sales
orders but negative for sales return transactions. This control can determine the correctness of the
sign by comparing it with the transaction code field.
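The validation controls exercised above (numeric-alphabetic, limit, validity, reasonableness and sign checks) can be expressed as one record validator. This is an added example, not part of the original guide or of SAP Business One; the field names, the 8-character user code limit, the SO/SR document codes and the sample records are assumptions constructed for illustration.

```python
from decimal import Decimal, InvalidOperation

# Assumptions for illustration only (not SAP Business One settings):
MAX_USER_CODE_LEN = 8                  # assumed limit; the guide does not state the value
VALID_BP_CODES = {"C1100", "V1000"}    # constructed stand-in for the master file
EXPECTED_SIGN = {"SO": 1, "SR": -1}    # hypothetical codes: sales order, sales return


def to_number(text):
    """Numeric-alphabetic check: Decimal for numeric input, None otherwise."""
    try:
        value = Decimal(str(text).replace(",", ""))
    except InvalidOperation:
        return None
    return value if value.is_finite() else None


def validate(record):
    """Return the names of the checks a record fails (empty list = accepted)."""
    failures = []
    numbers = {f: to_number(record.get(f, ""))
               for f in ("quantity", "unit_price", "amount")}
    failures += [f"numeric-alphabetic:{f}" for f, v in numbers.items() if v is None]

    # Limit check: the field must not exceed its defined length.
    if len(record.get("user_code", "")) > MAX_USER_CODE_LEN:
        failures.append("limit:user_code")

    # Validity check: the key must match a known master record.
    if record.get("bp_code") not in VALID_BP_CODES:
        failures.append("validity:bp_code")

    # Sign check: compare the sign of the amount with the transaction code.
    amount = numbers["amount"]
    sign = EXPECTED_SIGN.get(record.get("doc_type"))
    if sign is None:
        failures.append("validity:doc_type")
    elif amount is not None and amount * sign <= 0:
        failures.append("sign:amount")

    # Reasonableness check: the amount must agree with the other fields.
    if all(v is not None for v in numbers.values()):
        if abs(amount) != numbers["quantity"] * numbers["unit_price"]:
            failures.append("reasonableness:amount")
    return failures


# Constructed sample records: one clean record and one variant per control.
BASE = {"doc_type": "SO", "bp_code": "C1100", "user_code": "Karla",
        "quantity": "10", "unit_price": "22000", "amount": "220000"}
SAMPLES = {
    "clean": BASE,
    "alpha_quantity": {**BASE, "quantity": "ABC"},
    "long_user_code": {**BASE, "user_code": "Administrator"},
    "unknown_bp": {**BASE, "bp_code": "L1000"},
    "return_wrong_sign": {**BASE, "doc_type": "SR"},
    "unreasonable_total": {**BASE, "amount": "2200000"},
}


def run_samples():
    """Validate every constructed sample and return {name: failed checks}."""
    return {name: validate(rec) for name, rec in SAMPLES.items()}


if __name__ == "__main__":
    for name, failed in run_samples().items():
        print(f"{name:20} {failed or 'accepted'}")
```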
Processing Controls
After passing through the data input stage, transactions enter the processing stage of the system.
Processing controls are divided into three categories: run-to-run controls, operator intervention controls,
and audit trail controls.
1. Run-to-Run Controls
2. Operator Intervention Controls
3. Audit Trail Controls
The preservation of an audit trail is an important objective of process control. In an accounting system,
every transaction must be traceable through each stage of processing from its economic source to its
presentation in financial statements. In a CBIS environment, the audit trail can become fragmented and
difficult to follow. It thus becomes critical that each major operation applied to a transaction be thoroughly
documented. The following are examples of techniques used to preserve audit trails in a CBIS.
- Choose All Transactions in the Original Journal field then set the posting date from
01.01.13 to 12.31.13. This is to show all the transaction journal records for the whole fiscal
year 2013 that can be used for analysis.
Output Controls
Output controls ensure that system output is not lost, misdirected, or corrupted and that privacy is not
violated.
Black Box Approach
With an understanding of what the application is supposed to do, the auditor tests the application by
reconciling production input transactions processed by the application with output results. The output
results are analyzed to verify the application's compliance with its functional requirements.
- Completeness tests, which identify missing data within a single record and entire records
missing from a batch.
- Access tests, which ensure that the application prevents authorized users from unauthorized
access to data. Access controls include passwords, authority tables, user-defined procedures,
data encryption, and inference controls.
- Audit trail tests, which ensure that the application creates an adequate audit trail. This
includes evidence that the application records all transactions in a transaction log, posts data
values to the appropriate accounts, produces complete transaction listings, and generates
error files and reports for all exceptions.
- Rounding error tests, which verify the correctness of rounding procedures. Rounding errors
occur in accounting information when the level of precision used in the calculation is greater
than that used in the reporting.
To perform the test data technique, the auditor must obtain a copy of the current version of the
application. In addition, test transaction files and test master files must be created. Results from the
test run will be in the form of routine output reports, transaction listings, and error reports. In
addition, the auditor must review the updated master files to determine that account balances have
been correctly updated. The test results are then compared with the auditor's expected results to
determine if the application is functioning properly. This comparison may be performed manually or
through special computer software. Any deviations between the actual results obtained and those
expected by the auditor may indicate a logic or control problem.
evaluation (BSCE).
Tracing
Another type of the test data technique, called tracing, performs an electronic walkthrough of the
application's internal logic. The tracing procedure involves three steps:
1. The application under review must undergo a special compilation to activate the trace option.
2. Specific transactions or types of transactions are created as test data.
3. The test data transactions are traced through all processing stages of the program, and a
listing is produced of all programmed instructions that were executed during the test.
ITF audit modules are designed to discriminate between ITF transactions and routine production data.
This may be accomplished in a number of ways. One of the simplest and most commonly used is to
assign a unique range of key values exclusively to ITF transactions. For example, in a sales order
processing system, account numbers between 2000 and 2100 can be reserved for ITF transactions and
will not be assigned to actual customer accounts. By segregating ITF transactions from legitimate
transactions in this way, routine reports produced by the application are not corrupted by ITF test
data. Test results are produced separately on storage media or hard copy output and distributed
directly to the auditor. Just as with the test data techniques, the auditor analyzes ITF results against
expected results.
Parallel Simulation
Parallel simulation requires the auditor to write a program that simulates key features or processes of
the application under review. The simulated application is then used to reprocess transactions that
were previously processed by the production application. The results obtained from the simulation are
reconciled with the results of the original production run to establish a basis for making inferences
about the quality of application processes and controls.
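A parallel simulation of the purchase order approval control from Exercise 1, as an added example that is not part of the original guide: the auditor's own program recomputes each document total and the approval requirement, then reconciles them with what production posted. The production extract is constructed, and the 12% tax rate and the application of the P200,000 limit to the document total are assumptions consistent with the exercise figures (10 x 22,000 giving 246,400).

```python
from decimal import Decimal, ROUND_HALF_UP

APPROVAL_LIMIT = Decimal("200000")  # company policy quoted in Exercise 1
TAX_RATE = Decimal("0.12")          # assumption, consistent with 10 x 22,000 -> 246,400
CENT = Decimal("0.01")

# Constructed extract of purchase orders as posted by the production system.
# Each line is (quantity, unit price); approved_by is None when no approval exists.
PRODUCTION_RUN = [
    {"doc": 101, "lines": [(10, "22000.00")],
     "doc_total": "246400.00", "approved_by": "manager"},
    {"doc": 102, "lines": [(2, "22000.00")],
     "doc_total": "49280.00", "approved_by": None},
    {"doc": 103, "lines": [(12, "22000.00")],
     "doc_total": "295680.00", "approved_by": None},
    {"doc": 104, "lines": [(5, "22000.00"), (3, "1500.00")],
     "doc_total": "128420.00", "approved_by": None},
]


def simulate(po):
    """Auditor's independent re-implementation of totalling and the approval rule."""
    net = sum(Decimal(qty) * Decimal(price) for qty, price in po["lines"])
    total = (net * (1 + TAX_RATE)).quantize(CENT, rounding=ROUND_HALF_UP)
    return total, total > APPROVAL_LIMIT


def reconcile(run):
    """Compare production results with the simulation; return (doc, finding) pairs."""
    findings = []
    for po in run:
        total, needs_approval = simulate(po)
        if Decimal(po["doc_total"]) != total:
            findings.append(
                (po["doc"],
                 f"total mismatch: posted {po['doc_total']}, simulated {total}"))
        if needs_approval and not po["approved_by"]:
            findings.append((po["doc"], "posted above limit without approval"))
    return findings


if __name__ == "__main__":
    for doc, finding in reconcile(PRODUCTION_RUN):
        print(doc, finding)
```

Any finding is a deviation between the production run and the simulation and is followed up as a possible logic or control problem.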
CHAPTER 3
SUBSTANTIVE TESTS
Review Sales Documents and Balances for Unusual Trends and Exceptions
A useful audit procedure for identifying potential audit risks involves scanning data files for unusual
transactions and account balances. For example, scanning accounts receivable for excessively large
balances may indicate that the company's credit policy is being improperly applied.
Review Sales Invoices and Customer Master Data for Missing and Duplicate Items
Searching for missing and/or duplicate transactions and data entries is another important test that
helps the auditor corroborate or refute the completeness and accuracy assertions. Duplicate and
missing transactions in the revenue cycle may be evidence of over or understated sales and accounts
receivable.
EXERCISE 10: Testing the Accuracy and Completeness Assertion (USE AUDITOR'S ACCOUNT)
a. Review Sales Documents and Balances for Unusual Trends and Exceptions
Open a list of Sales Orders and examine it for any unusual trends and exceptions using a
query.
- Open Query Generator and create a query statement to produce an ad hoc report
showing the list of all sales order
Go to Tools Menu > Queries > Query Generator
- In the Table field, type ORDR then press Tab. The field names and descriptions will
appear. (Note: ORDR is the table name for Sales Orders in the MSSQL database on which
SAP Business One runs.)
- Double click the following field names: (Tip: You can list the field name alphabetically by
double clicking the name title)
DocNum, DocDate, CardCode, CardName, DocTotal
- Click in the Sort By field then double click DocTotal in the list of Field names.
- Then click Execute to produce the ad hoc report, List of Sales Order.
Now you can examine all the Sales Orders and scan for any unusual items. For example, a Sales Order
amounting to Php894,080 was executed on December 31, 2013, which is considered a holiday in the
Philippines. Also, the amount is unusually large compared with other sales orders. The auditor should
inquire about this with the management of the company and seek additional information.
You can do the same procedures for other Sales documents. You just need to know the appropriate
Table Name.
(Tip: To get a list of SAP documents and their equivalent table names, open a blank Query Generator. In
the table field, type the asterisk symbol (*) then press Tab. The list of table and field names will
appear.)
Upon examination of the list of customers and their balances, you noticed that the balance of
Lappy Trading is negative. This is unusual considering that customer balances are normally
debit or positive. The auditor can investigate this exception further. List your findings below
and your proposed adjusting entry:
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
- Sort the list of customers alphabetically by double clicking the BP Name header.
As you scan the list of business partners, some of the customer names look similar. You can further
investigate this issue by comparing the master data. Open two business partner master data records, one for
Jacob Electrics and one for Jacob Electronics. Do the same for the other two then list your findings
here:
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
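Both master data checks above, the negative balance and the look-alike names, can be run over an exported customer list. This is an added example, not part of the original guide: the customer codes, balances and the name "Northwind Supply" are constructed, and the 0.85 similarity cutoff is an assumption to be tuned per client.

```python
from difflib import SequenceMatcher
from itertools import combinations

# Constructed customer list. The names Jacob Electrics, Jacob Electronics,
# Lappy Trading and Solid Electrics appear in the guide; codes and
# balances are made up for the example.
CUSTOMERS = [
    {"CardCode": "C1001", "CardName": "Jacob Electrics", "Balance": 125440.00},
    {"CardCode": "C1002", "CardName": "Jacob Electronics", "Balance": 0.00},
    {"CardCode": "C1003", "CardName": "Lappy Trading", "Balance": -33600.00},
    {"CardCode": "C1004", "CardName": "Solid Electrics", "Balance": 190000.00},
    {"CardCode": "C1005", "CardName": "Northwind Supply", "Balance": 78400.00},
]


def normalize(name):
    """Lower-case and drop spaces/punctuation so 'ABC Corp.' equals 'abc corp'."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def similar_names(customers, cutoff=0.85):
    """Return (code_a, code_b, ratio) for each pair of near-duplicate names."""
    pairs = []
    for a, b in combinations(customers, 2):
        ratio = SequenceMatcher(
            None, normalize(a["CardName"]), normalize(b["CardName"])
        ).ratio()
        if ratio >= cutoff:
            pairs.append((a["CardCode"], b["CardCode"], round(ratio, 2)))
    return pairs


def negative_balances(customers):
    """Return the codes of customers whose receivable balance is a credit."""
    return [c["CardCode"] for c in customers if c["Balance"] < 0]


if __name__ == "__main__":
    print("Possible duplicate master data:", similar_names(CUSTOMERS))
    print("Negative customer balances:", negative_balances(CUSTOMERS))
```

Pairs that pass the cutoff still need the side-by-side master data comparison described above, since two distinct customers can legitimately share a similar name.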
Testing the Existence Assertion
The existence assertion pertains to management's assertion that the asset, liability and equity balances
exist. For the revenue cycle audit, the existence assertion declares that the customer balances recorded in
the system really exist.
SUBSTANTIVE TESTS OF EXPENDITURE CYCLE
Now you can examine all the A/P Invoices and scan for any unusual items. For further examination,
you can click the small graph icon to see an analysis of the A/P Invoices depicted on a graph.
You can do the same procedures for other Purchasing documents. You just need to know the
appropriate Table Name.
Testing the Completeness Assertion
Completeness assertion says that all transactions that should have been recorded have been recorded.
In the Expenditure Cycle audit, completeness declares that all expense transactions were completely
recorded.
- The auditor will see that there are two open GRPOs, meaning that no A/P Invoice has yet been
recorded in this account, thus understating the vendor balances.
Double check the findings by comparing the list of GRPOs with the list of A/P Invoices. Open a list
of GRPOs and a list of A/P Invoices.
- Go to Purchasing A/P > Goods Receipt PO. Switch to Find mode by pressing Ctrl + F.
- On the No. field, type the asterisk symbol (*) then press Enter.
- Upon pressing Enter, a list of GRPOs will appear.
- Do the same procedure for A/P Invoice to see the list of A/P Invoice then compare the list.
- Now, the auditor can compare the list of A/P Invoices available against the GRPO. Note your findings
below and your proposed adjusting entries:
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
(Tip: To see the original entry made by SAP for the Goods Receipt PO documents, open the unmatched
GRPOs then go to the Accounting tab. Beside the Journal Remark, click the link arrow to see the original
entry, which serves as a basis for the adjusting entry.)
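The comparison of the GRPO list against the A/P Invoice list can also be done on exported data. This is an added example, not part of the original guide: all document numbers, vendor codes and amounts are constructed, and matching on vendor code plus amount is an assumption made because the exported lists here carry no document link.

```python
from collections import Counter

# Constructed exports of the two lists (values are made up).
GRPOS = [
    {"DocNum": 201, "CardCode": "V2001", "DocTotal": 56000.00},
    {"DocNum": 202, "CardCode": "V2002", "DocTotal": 22400.00},
    {"DocNum": 203, "CardCode": "V2001", "DocTotal": 56000.00},
    {"DocNum": 204, "CardCode": "V2003", "DocTotal": 13440.00},
]
AP_INVOICES = [
    {"DocNum": 301, "CardCode": "V2001", "DocTotal": 56000.00},
    {"DocNum": 302, "CardCode": "V2002", "DocTotal": 22400.00},
]


def unmatched_grpos(grpos, invoices):
    """Return GRPOs with no A/P invoice for the same vendor and amount.

    Each invoice can clear only one receipt, so two identical receipts
    need two invoices (multiset matching, not a simple set lookup).
    """
    available = Counter(
        (i["CardCode"], round(i["DocTotal"], 2)) for i in invoices
    )
    open_items = []
    for g in sorted(grpos, key=lambda g: g["DocNum"]):
        key = (g["CardCode"], round(g["DocTotal"], 2))
        if available[key] > 0:
            available[key] -= 1  # consume the matching invoice
        else:
            open_items.append(g)
    return open_items


def understatement(grpos, invoices):
    """Total of received-but-not-invoiced goods, i.e. unrecorded payables."""
    return sum(g["DocTotal"] for g in unmatched_grpos(grpos, invoices))


if __name__ == "__main__":
    for g in unmatched_grpos(GRPOS, AP_INVOICES):
        print("Open GRPO", g["DocNum"], g["CardCode"], g["DocTotal"])
    print("Vendor balances understated by", understatement(GRPOS, AP_INVOICES))
```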
names followed by a double click on the condition Smaller or Equal then double click
again on any variable except the one used before. For example, use [%1]
- Click in the Sort By field then double click DocDate in the list of Field names.
- Then click execute.
- Query Selection Criteria window will appear where we can enter our condition. Insert
01.01.14 in the Greater or Equal field and 01.31.14 in the Smaller or Equal field to show
only the Outgoing Payments made in January 2014. Then click OK.
- Now, the auditor can trace the payments to existing liabilities as of December 31, 2013. List
your findings here and your proposed adjusting entries:
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
SAP Business One will generate the Vendor Liabilities Aging report showing the age of payables to the
vendors. This aging could be the basis for the auditor in sending his confirmation of the balances
to the company's vendors.
SUBSTANTIVE TEST OF OTHER FINANCIAL STATEMENT ACCOUNTS
Audit of Cash
Perform manual bank reconciliation to know the correct balance of cash that should be reported
by the Company. Reconcile the Balance per SAP records and Balance per Bank Statement.
The accountant showed the auditor the Bank Statement sent by the bank for the month of
December as shown below:
Beginning Balance, December 1, 2013 Php112,207.20
Date Remarks Deposit Withdrawal
Total adjustments
Adjusted Balance
The deposit in the bank statement amounting to Php190,000.00 was traced to a deposit slip
sent by Solid Electrics in January 2014. Upon inquiry with the client, the deposit pertains to a
partial payment made by Solid Electrics on its amount due to the client.
Now the auditor can perform his bank reconciliation by comparing the records per bank and
the records per SAP Business One. Write below your findings and proposed adjusting entries:
Audit of Inventories
Ensure that inventories are stated at lower of cost or net realizable value.
The company's manager told the auditor that on December 20, the compartment where the laptops
are stored caved in, resulting in some exterior damage to the units. The laptops are still
working properly; however, their physical appearance has been damaged and the company fears that it might
not be able to sell them at the intended prices, so it decided to hire someone to compute the net realizable
values of the laptops. This list of net realizable values was given to the auditor.
b. Compare the recorded costs of the inventories with their NRV and compute for the necessary
adjustment to recognize inventory loss (use Auditors Account).
- Open the Inventory Audit Report
Go to Inventory > Inventory Reports > Inventory Audit Report
- On the Selection Criteria insert the following information in the specified field.
Change to Posting Date
From 01.01.13, To 12.31.13 to include the transactions for the whole fiscal year 2013.
Item Code: From A1000 To S1000
Then click OK.
- The Inventory Audit Report will appear. If you click on the black arrow beside the yellow
arrow, the details of a particular item will expand. Now the auditor can know the actual cost
recorded per system and compare it with its net realizable value. Take note that the valuation
method used for the laptops is First In, First Out (FIFO).
Enter your Inventory Cost and NRV analysis here:
Audit of Prepayments
Check if prepayments are representative of the actual prepaid amount. If not, make the necessary
adjustments to recognize the expense.
Upon checking the Trial Balance of the company, the auditor noted two items that are considered
prepayments. The auditor examined the SAP Business One documents used to record the prepayments
and also the journal entry. He also examined any third party document related to that asset.
Upon seeing the contents of the Trial Balance, the auditor decided to audit the Office Supplies
account and Insurance Expense account. He wants to see the SAP Business One documents used to
record these accounts as well as any third party documents.
Open the SAP Business One document used to record Office Supplies.
- Go to Financials > Financial Reports > Accounting > General Ledger
- In the General Ledger Selection Criteria, uncheck the Business Partner Box and check the accounts
box. Make sure that no accounts are marked with x.
- Change the level of accounts to 5.
- Mark x the CA500 Office Supplies
- For the posting date From field, enter 01.01.13 and To field 12.31.13 to show the transactions for the
whole fiscal year 2013 for this account.
- Then press Ok.
According to the company's personnel, the estimated remaining Office Supplies is 20% of the original
purchased amount.
As for the insurance, upon examination of the Insurance Contract, it is for 2 years starting
on its purchase date which is also the posting date. Do the same procedure for Insurance
Expense. (Hint: The insurance premium is recorded using Expense Method)
Upon checking the Trial Balance, the auditor noted that depreciation expenses were yet to be entered
in the accounting records, so the auditor examined the SAP Business One documents used to record the
acquisition of the asset as well as any third party document to determine the start date of
depreciation, then computed the depreciation expense based on the company's policy on depreciating
fixed assets.
Depreciation Method:
10% Salvage Value
5 year Useful Life Office Equipment, Office Furniture
10 year Useful Life Delivery Truck
20 year Useful Life Leasehold Improvements
d. View SAP Business One document used to record Office Equipment
Open the SAP Business One document used to record Office Equipment.
- Go to Financials > Financial Reports > Accounting > General Ledger
- In the General Ledger Selection Criteria, uncheck the Business Partner Box and check the
accounts box. Make sure that no accounts are marked with x.
- Change the level of accounts to 5.
- Mark x the NC101 Office Equipment
- For the posting date From field, enter 01.01.13 and To field 12.31.13 to show the transactions
for the whole fiscal year 2013 for this account.
- Then press Ok.
- The General Ledger for Office Equipment will appear.
- To view the SAP Business One document used, click the link arrow on the Doc. No. Column
(i.e. PS 16)
- To view the journal entry, click the link arrow on the posting date column (i.e. 03.29.13)
Do the same for Office Furniture, Delivery Truck and Leasehold Improvements. Just make sure
that you use the correct date of acquisition.
e. Compute the depreciation expense for the fixed assets. Use the table below for your
computation.