Auditing in an IT

Environment

1
This material is taken from the book Accounting Information Systems, 3 rd edition by James A. Hall for
purposes of applying SAP B1. Suggestions, comments or questions are highly appreciated.

I. INTRODUCTION
What is an Information Technology (IT) Audit?

An IT audit focuses on the computer-based aspects of an organization’s information system. This

includes assessing the proper implementation, operation, and control of computer resources. Since
most modern information systems employ information technology, the IT audit is typically a significant
component of all external (financial) and internal audits.

Auditing is a systematic process of objectively obtaining and evaluation evidence regarding assertions
about economic actions and events to ascertain the degree of correspondence between those
assertions and established criteria and communicating the results to interested users.

A SYSTEMATIC PROCESS. Conducting an audit is a systematic and logical process that applies to all
forms of information systems. While important in all audit settings, a systematic approach is
particularly important in the IT environment. The lack of physical procedures that can be visually
verified and evaluated injects a high degree of complexity into the IT audit. Therefore, a logical
framework for conducting an audit in the IT environment is critical to help the auditor identify all-
important processes and data files.

MANAGEMENT ASSERTIONS AND AUDIT OBJECTIVES. The organization’s financial statements reflect a
set of management assertions about the financial health of the entity. The task of the auditor is to
determine whether the financial statements are fairly presented. To accomplish this, the auditor
establishes audit objectives, designs procedures, and gathers evidence that corroborate or refute
management’s assertions. These assertions fall into five general categories:

 The existence or occurrence assertion affirms that all assets and equities contained in the
balance sheet exist and that all transactions in the income statement actually occurred.
 The completeness assertion declares that no material assets, equities, or transactions have
been omitted from the financial statements.
 The rights and obligations assertion maintains that assets appearing on the balance sheet are
owned by the entity and that the liabilities reported are obligations.
 The valuation or allocation assertion states that assets and equities are valued in accordance
with generally accepted accounting principles and that allocated amounts such as depreciation
expense are calculated on a systematic and rational basis.
 The presentation and disclosure assertion alleges that financial statement items are correctly
classified (e.g., long-term liabilities will not mature within one year) and that footnote
disclosures are adequate to avoid misleading the users of financial statements.

Generally, auditors develop their audit objectives and design audit procedures based on the
preceding assertions.

Audit objectives may be classified into two general categories. The preceding assertions related to
transactions and account balances that directly impact financial reporting. The second category
2
 pertains to the information system itself. This includes the audit objectives for assessing controls
over manual operations and computer technologies used in transaction processing.

II. Concepts in IT Auditing

The Structure of an IT Audit

The IT audit is generally divided into three phases: audit planning, tests of controls, and substantive
testing.

1. AUDIT PLANNING

The first step in the IT audit is audit planning. Before the auditor can determine the nature and
extent of the tests to perform, he or she must gain a thorough understanding of the client’s
business. A major part of this phase of the audit is the analysis of audit risk. The objective of the
auditor is to obtain sufficient information about the firm to plan the other phases of the audit. The
risk analysis incorporates an overview of the organization’s internal controls. During the review of
controls, the auditor attempts to understand the organization’s policies, practices, and structure.
In this phase of the audit, the auditor also identifies the financially significant applications and
attempts to understand the controls over the primary transactions that are processed by these
applications.

Audit Planning Phase Tests of Controls Phase Substantive Testing Phase

Start Review of Organization’s Perform Tests of Controls Perform Substantive
Policies, Practices, and Tests
Structure

Review General Controls Evaluate Test Results Evaluate Results and

and Application Controls Issue Auditor’s Report

Plan Test of Controls and Determine Degree of Audit Report

Substantive Testing Reliance on Controls
Procedures

The techniques for gathering evidence at this phase include questionnaires, interviewing
management, reviewing systems documentation, and observing activities. During this process, the IT
auditor must identify the principal exposures and the controls that attempt to reduce these
exposures. Having done so, the auditor proceeds to the next phase, where he or she tests the
controls for compliance with preestablished standards.

3
TESTS OF CONTROLS

The objective of the tests of controls phase is to determine whether adequate internal controls are
in place and functioning properly. To accomplish this, the auditor performs various tests of controls.
The evidence gathering techniques used in this phase may include both manual techniques and
specialized computer audit techniques.

At the conclusion of the tests-of-controls phase, the auditor must assess the quality of internal
controls. The degree of reliance the auditor can ascribe to internal controls affects the nature and
extent of substantive testing that needs to be performed. The relationship between tests of controls
and substantive tests is discussed late.

SUBSTANTIVE TESTING

The third phase of the audit process focuses on financial data. This involves a detailed investigation
of specific account balances and transactions through what are called substantive tests. For example,
a customer confirmation is a substantive test sometimes used to verify account balances. The
auditor selects a sample of accounts receivable balances and traces these back to their source – the
customers-to determine if the amount stated is in fact owed by a bona fide customer. By so doing,
the auditor can verify the accuracy of each account in the sample. Based on such sample findings,
the auditor is able to draw conclusions about the fair value of the entire accounts receivable asset.

Some substantive tests are physical, labor-intensive activities such as counting cash, counting
inventories in the warehouse, and verifying the existence of stock certificates in a safe. In an IT
environment, the information needed to perform substantive tests (such as account balances and
names and addresses of individual customers) is contained in data files that often must be extracted
using Computer Assisted Audit Tools and Techniques (CAATTs) software.

III. INTERNAL CONTROL

The internal control system comprises policies, practices, and procedures employed by the
organization to achieve four broad objectives:
1. To safeguard assets of the firm.
2. To ensure accuracy and reliability of accounting records and information.
3. To promote efficiency in the firm’s operations.
4. To measure compliance with management’s prescribed policies and procedures.

Inherent in these control objectives are four modifying assumptions that guide designers and
auditors of internal control systems.

1. Management Responsibility
This concept holds that the establishment and maintenance of a system of internal control is a
management responsibility.

2. Reasonable Assurance

4
 The internal control system should provide reasonable assurance that the four broad objectives
of internal control are met. This means that no system of internal control is perfect and the cost
of achieving improved control should not outweigh its benefits.

3. Methods of Data Processing. The internal control system should achieve the four broad
objectives regardless of the data processing method used. However, the techniques used to
achieve these objectives will vary with different types of technology.

4. Limitations. Every system of internal control has limitations on its effectiveness. These include (1)
the possibility of error – no system is perfect, (2) circumvention – personnel may circumvent the
system through collusion or other means, (3) management override – management is in a
position to override control procedures by personally distorting transactions or by directing a
subordinate to do so, and (4) changing conditions – conditions may change over time so that
existing controls may become ineffectual.

The internal control system serves as a shield that protects the firm’s assets from numerous
undesirable events that bombard the organization. These include attempts at unauthorized access to
the firm’s assets (including information), fraud perpetrated by persons both in and outside the firm,
errors due to employee incompetence, faulty computer programs, and corrupted input data, and
mischievous acts such as unauthorized access by computer hackers and threats from computer
viruses that destroy programs and database.

A weakness in internal control may expose the firm to one or more of the following types of risks:
1. Destruction of assets (both physical assets and information)
2. Theft of assts
3. Corruption of information or the information system
4. Disruption of the information system

Five Components of Internal Control System

1. The Control Environment
2. Risk Assessment
3. Information and Communication
4. Monitoring
5. Control Activities

The control environment is the foundation for the other four control components. The control
environment sets the tone for the organization and influences the control awareness of its management
and employees.

Organizations must perform a risk assessment to identify, analyze, and manage risks relevant to financial
reporting. Risks can arise out of changes in circumstances such as:
 Changes in the operating environment that impose new competitive pressures on the firm.
 New personnel who possess a different or inadequate understanding of internal control.
 New or reengineered information systems that affect transaction processing.
 Significant or rapid growth that strains existing internal controls.

5
  The implementation of new technology into the production process or information system that
impacts transaction processing.

The accounting information system consists of the records and methods used to initiate, identify,
analyze, classify, and record the organization’s transactions and to account for the related assets and
liabilities. The quality of information generated by the AIS impacts management’s ability to take actions
and make decisions in connection with the organization’s operations and to prepare reliable financial
statements. An effective accounting system will:
 Identify and record all valid financial transactions.
 Provide timely information about transactions in sufficient detail to permit proper classification
and financial reporting.
 Accurately measure the financial value of transactions so their effects can be recorded in
financial statements.
 Accurately record transaction in the time period in which they occurred.

SAS 78 requires that auditors obtain sufficient knowledge of the organization’s information system to
understand:
 The classes of transactions that are material to the financial statements and how those
transactions are initiated.
 The accounting records and accounts that are used in the processing of material transactions.
 The transaction processing steps involved from the initiation of an economic event to its
inclusion in the financial statements.
 The financial reporting process used to prepare financial statements, disclosures, and accounting
estimates.

Management must determine that internal controls are functioning as intended. Monitoring is the
process by which the quality of internal control design and operation can be assessed. This may be
accomplished by separate procedures or by ongoing activities.

An organization’s internal auditors may monitor the entity’s activities in separate procedures. They
gather evidence of control adequacy by testing controls, then communicate control strengths and
weaknesses to management. As part of this process, internal auditors make specific recommendations
for improvement to controls.

Ongoing monitoring may be achieved by integrating special computer modules into the information
system that capture key data and/or permit tests of controls to be conducted as part of routine
operations.

Another technique for achieving ongoing monitoring is the judicious use of management reports. Timely
reports allow managers in functional areas such as sales, purchasing, production, and cash
disbursements to oversee and control their operations. By summarizing activities, highlighting trends,
and identifying exceptions from formal performance, well-designed management reports provide
evidence of internal control function or malfunction.

CONTROL ACTIVITIES

6
Control activities are the policies and procedures used to ensure that appropriate actions are taken to
deal with the organization’s identified risks. Control activities can be grouped into two distinct
categories: computer controls and physical controls.

1. Computer Controls. Computer controls constitute a body of material that is of primary concern
to us. These controls, which relate specifically to the IT environment and IT auditing, fall into two
broad groups: general controls and application controls.

General controls pertain to entity-wide concerns such as controls over the data center,
organization databases, systems development, and program maintenance.

Exercises:

1. Have an experience on how to view an actual database in a database management

system. This can be exemplified using the SQL Server Management Studio Express.

In your PC, navigate to SQL Server Management Studio Express. Ask assistance from your IT
personnel, if you cannot find it. It should look like the one below. On the left side under the
databases folder, you can see a list. For database management purposes, a new database
can be added and an existing database can be deleted. For internal control purposes, this
function should only be given to the database administrator.

2. Perform database backup and store it another storage device.

7
a. Click Start (lower leftmost corner of the screen)
b. Click All Programs > Microsoft SQL Server 2005 > SQL Server Management Studio Express

c. Click Connect.
Note: If connection is unsuccessful, call the attention of your technical support to put in the
correct Server Type and Server Name.
d. Click + before the Databases to expand and view all databases > click Tasks > click Backup.

e. Click OK when Backup Database window appears. Take note of the default location of the
backup. See example below (c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Backup\).

8
f. Retrieve the backup database. Go to Start > Computer > Local Disk (C:) > Program Files >
Microsoft SQL Server > MSSQL.1 > MSSQL > Backup.
g. Copy the backup file with an extension file of .bak and save it to another storage device.

3. Perform database restore.

a. Follow steps a, b and c in number 2.
b. Right-click + before the Databases > click Restore Database and a new window Restore
Database will appear.
c. Type in the field To database your new database name (in the example below, it is Sample).
d. Click From Device and the button. A new window Specify Backup will appear. Click Add button
and locate your backup file. Click OK. Click OK.

e. Click box under Restore. Click OK to execute restoration.

9
 Exercise:
Give example of specific application or systems.

Open SAP B1. There are thirteen different modules each representing a specific application.
Each module should only be assigned to specific employee or personnel. If not authorized,
modules are not visible to the user thus no alteration, addition or cancellation can be done. To
view the authority table, navigate to Administration > System Initialization > Authorizations >
f. To check,Authorizations.
General expand Databases
Eachand view thelisted
employee restored database.
on the left side should be assigned with authority
as READ ONLY, FULL AUTHORIZATION or NO AUTHORIZATION to each module or even
submodule.

g. Refresh databases in SAP B1 to view the restored database by double-clicking the SAP B1
shortcut from your desktop. Click the Change Company button. In the Choose Company screen,
click Refresh.

Application controls ensure the integrity of specific systems such as sales order processing,
accounts payable, and payroll applications.

10
 2. Physical Controls. This class of control activities relates primarily to traditional accounting
systems that employ manual procedures. However, an understanding of these control concepts
also gives insight to the risks and control concerns associated with the IT environment.

Six Traditional Categories of Physical Control Activities:

11
 1. Transaction Authorization
2. Segregation of Duties
3. Supervision
4. Accounting Records
5. Access Control
6. Independent Verification

1. TRANSACTION AUTHORIZATION

The purpose of transaction authorization is to ensure that all material transactions processed by the
information system are valid and in accordance with management’s objectives. Authorizations may be
general or specific. General authority is granted to operations personnel to perform day-to-day
operations. An example of general authorization is the procedure to authorize the purchase of
inventories from a designated vendor only when inventory levels fall to their predetermined reorder
points. This is called a programmed procedure (not necessarily in the computer sense of the word). The
decision rules are specified in advance, and no additional approvals are required.

Exercise:
Perform transaction with a programmed procedure. Create a Sales Order by navigating to Sales-AR and
click Sales Order.
1. In the Customer field, choose C20000 Norm Thomson.
2. In the Logistics tab (between Contents and Accounting tabs) check box for Purchase Orders.
3. Go back to Contents tab and add item A00001 in the item field with quantity 1000.
4. Type the current date in the delivery date. Posting date is at its default which is the system date.
5. Press Enter. Item Availability Check window will appear as shown below. Choose Continue and click
OK.

6. PO Confirmation will appear as shown below. Without going to the module Purchasing-AP, this step
would create a purchase order. Click the first box under the column # so that the first three lines are
highlighted. Click >> in the middle so that the data from the left side will transfer to the right side. Click
Add.

12
On the other hand, specific authorizations deal with case-by-case decisions associated with nonroutine
transactions. An example of this is the decision to extend a particular customer’s credit limit beyond the
normal amount. Specific authority is usually a management responsibility.

Exercise:
No sales order amounting to more than P200,000 by sales employee Brad Thomson shall be allowed to
be posted without the approval of the manager first. Set this kind of control in the system.

Requirements:
1. Setup approval procedure.
2. Know how to login as Brad Thomson.
3. Transaction of Brad of SO with more than P200,000 in total per document should be approved by the
manager.

Solution:
1. Approval Procedure
a. Setup approval procedure. Navigate to Administration > Approval Procedures > Approval Stages
Follow details below.

b. Click Add.

c. From Approval Stages, go to Approval Templates. Follow details below.

C1. Under Originator tab.

13
C2. Under Documents tab

C3. Under Stages tab. Click the field in line 1 under Stage Name, a selection list button will
appear. Click the selection list button and from the list, choose SO200000.

C4. Under the Terms tab. Choose When the Following Applies. Check Total Document (which
means that this procedure is applicable based on the total amount of document). Under the
Ratio column, change undefined type to Greater than. In the Value column, add or encode
P200,000.

14
 e. Click ADD.

2. Login as Brad Thomson (sales employee)

Click Administration > Choose Company > Click OEC Computers UK > Click Change User
Type Brad in the User Code field and type the Password. Press Enter.
*Note: if you can’t login as Brad because your password is not accepted, set the password of Brad first
while logged in as manager.

3. Transaction of Brad of SO with more than P200,000 in total per document should be approved by the
manager.
a. Navigate to Sales-AR > Sales Order
Add details below. Deliberately change the unit price to P200,000. Click Add. Approval window should
appear as shown below on the lower right corner of the sales order. In the Remarks field, a message can
actually be added. Click ok. Click Add button on the Sales Order.

15
b. Logout by clicking Administration > Choose Company > Change User
Enter in the User Code and Password - manager

c. When logging back to the system as user ‘manager’, look for this window. Disregard other windows.

Highlight by making a single click pointing to Request for Document Approval by Brad Thomson.
Document number seeking for that approval will appear below. Click on the navigational arrow pointing
Sales Order Based on Draft No. __ (number 84 based on the transaction above, YOURS may not be of the
same number). This window should appear:

16
The bottom part is for executing DECISION – PENDING, APPROVED or NOT APPROVED. Once chosen, click
UPDATE.

2. SEGREGATION OF DUTIES

One of the most important control activities is the segregation of employee duties to minimize
incompatible functions. Segregation of duties can take many forms, depending upon the specific duties
to be controlled. However, the following three objectives provide general guidelines applicable to most
organizations.

Objective 1. The segregation of duties should be such that the authorization for a transaction is
separate from the processing of the transaction. For example, purchases should not be initiated
by the purchasing department until authorized by the inventory control department. This
separation of tasks is a control to prevent the purchase of unnecessary inventory by individuals.

Objective 2. Responsibility for the custody of assets should be separate from the recordkeeping
responsibility. For example, the department that has physical custody of finished goods
inventory (the warehouse) should not keep the official inventory records. Accounting for finished
goods inventory is performed by inventory control, an accounting function. When a single
individual or department has responsibility for both asset custody and recordkeeping, the
potential for fraud exists. Assets can be stolen or lost, and the accounting records falsified to
hide the event.

Objective 3. The organization should be structured so that a successful fraud requires collusion
between two or more individuals with incompatible responsibilities. In other words, no single
individual should have sufficient access to assets and supporting records to perpetrate a fraud.
Implementing adequate segregation of duties requires that a firm employ sufficiently large
number of employees. Achieving adequate segregation of duties often presents difficulties for
small organizations. Obviously, it is impossible to separate five incompatible tasks among three
employees. Therefore, in small organizations or in functional areas that lack sufficient personnel,
management must compensate for the absence of segregation controls with close supervision.
For this reason, supervision is often called a compensating control.

Exercise:
Assign employees with their specific authorization. We will call this Authority table. For internal control
purposes, determine who should have access for viewing and maintenance for this control.

17
Go back to page 7 for the steps. The objective here is to be able to define an authority table emphasizing
segregation of duties. Example, PO clerk should not be the person who shall prepare the Goods Receipt
PO for this is done by the warehouse clerk and so on...

Exercise:
For purposes of control, even two employees with the same position must be segregated. Let us put into
example two sales clerks Bill Levine and Sophie Klogg. Bill shall be given the authority to view sales
document AR Invoice created by Sophie. Sophie, on the other hand, shall not be given the same
authority as Bill.

Solution:
1. Enable Data Ownership Filtration by going to Administration > System Initialization > Authorizations >
Data Ownership Exceptions.

18
2. Create Employee Master Data for Manager, Bill and Sophie.
Go to Human Resources > Employee Master Data > must be in Add mode. Follow details below. Click
Add.

19
3. Set the authorization for both Bill and Sophie.

a. Go to Administration > System Initialization > Authorizations > Data Ownership Authorization > click
Bill Levine under Employees so that the options for Full, Read Only and None become available.

b. For Bill, choose Read Only for the AR Invoice under Peer column. Click Update. Click OK.

20
4. Set password for Bill and Sophie.
a. Go to Administration > Setup > Users > Find mode > type * in the User Code field > Double-click on Bill
Levine.

b. In the Users – Setup window of Bill Levine, click the Password button. Type 1234 in the Password and
Confirm fields. Click Update in the Password window. Click Update in the Users – Setup window.

21
c. Do the same process for Sophie Klogg.

5. Log in as Bill. Post an AR Invoice.

a. Go to Administration > Choose Company > Click Change User > type bill in the User Code and 1234 in
the Password field > Press Enter.

b. Just enter 1234 if asked for the Old Password, New Password and Confirm fields.

c. Post AR Invoice. Go to Sales –AR > choose Norm Thomson as the customer > choose A00001. Click
Add.

22
d. Change user from Bill to Sophie. Go to Administration > Choose Company > Click Change User > type
Sophie in the User Code field and 1234 in the Password field > press Enter > when the window Change
Password appears, type 1234 in the fields Old Password, New Password and Confirm > press Enter.

e. Post AR Invoice. Go to Sales –AR > choose Parameter Technology as the customer > choose A00001.
Click Add.

6. TEST the segregation of authorization. The AR Invoice created by Bill Levine should not be viewed by
Sophie Klogg.

*In the AR Invoice, click the Find button in the toolbar.

*Choose Primary in the No. field and type * in the next field.
*Press Enter.
*The list of AR Invoices will appear. The list should not show all AR Invoices.

23
4. ACCOUNTING RECORDS

c.

Exercises:
1. Identify which document in SAP B1 that can give simple audit trail viewable on a user level.

Create an SO then copy to Delivery then copy to AR Invoice. In the remarks field, it should contain ‘Based
on SO # __ and Delivery __’ like the one shown below.

24
2. Have a list of all transactions posted in the system or generate a transaction log.

Open a document – AR Invoice for example. In the taskbar, click the icon Transaction Journal. In the
Original Journal field, choose All Transactions. You set posting dates. The objective here is to be able to
produce a report containing sequence of transactions posted in the system. So, this is a mix of all
documents.

It should be able to generate a report like this:

3. Provide a report containing all errors encountered in the system or generate an error file.

25
Go to this:
C:\Program Files\SAP\SAP Business One\Log
You will find in text file, all errors encountered.

4. Plot SAP B1 to the Accounting Cycle

Accounting Cycle SAP Business One

1. Journal General Journal Financials > Journal Entry

Special Journals
a. Sales Journal Sales - AR
b. Purchases Journal Purchasing - AP
c. Cash/Check Receipts Banking - Incoming
d. Cash/Check Disbursements Banking - Outgoing

2. Ledger General Ledger Financials > Financial Reports > Accounting >
General Ledger

Subsidiary Ledger Financials > Financial Reports > Accounting >

GL Accounts and Business Partners

Business Partner >

Business Partner Master Data

Stock Cards Inventory > Inventory Reports

> Inventory Posting
26
 Inventory > Item Master Data

3. Trial Balance Financials > Financial Report > Financial

> Trial Balance

4. Adjusting Entries Financial > Journal Entry

Click Adjustment box

5. Financial Statements Financial > Financial Report > Financial

> Income Statement or Balance Sheet

6. Closing Entries Administration > Utilities > Period End Closing

7. Post-Closing Trial Balance Financials > Financial Report > Financial

Trial Balance > Check Add Closing Balances

27
8. Reversing Entries Financials > Journal Entry
Click Reversal box

9. Opening Balance Administration > System Initialization

> Opening Balance

28
5. ACCESS CONTROLS

The purpose of access controls is to ensure that only authorized personnel have access to the firm’s
assets. Unauthorized access exposes assets to misappropriation, damage, and theft. Therefore, access
controls play an important part in safeguarding assets. Access to assets can be direct or indirect. Physical
security devices, such as locks, safes, fences, and electronic and infrared alarm systems, control against
direct access. Indirect access to assets is achieved by gaining access to the records and documents that
control their use, ownership, and disposition.

EXERCISES:
1. Create a user and set password. Go to Admin > Setup > General > Users

29
 If the user has unrestricted authority, click Superuser box. Complete the required fields. User
code is the one required when logging in the system. Click the ellipses box for the password then enter
password. Do not forget to click Ok and Add or Update.
The default is 4 characters for the password. Go to Password Administration if the 4-character
requirement is to be changed to 6 or 8.

2. View all users who are authorized to login using #1. Take note, this is a very sensitive and should be a
reason for a strong internal control.

Just click the first/last/previous/forward icons in the taskbar to view each user with a direct
access to change password.

In the IT environment, accounting records are often concentrated within the data processing center on
mass storage devices. Data consolidation exposes the organization to two forms of threat:
(1) computer fraud
An individual with proper skills and unrestricted access to accounting records is in a prime
position to perpetrate a fraud.
(2) losses from disasters

Verification procedures are independent checks of the accounting system to identify errors and
misrepresentations. Verification differs from supervision because it takes place after the act, by an
individual who is not directly involved with the transaction or task being verified. Examples of
independent verifications include:
 Comparing physical assets with accounting records.
 Reconciling subsidiary accounts with control accounts

Exercises:
1. Make an inventory audit.

Go to Inventory > Inventory Transactions > Initial Qtys, Stock Tracking and Stock Posting
Click Stock Tracking tab, do not choose any item or supplier, just choose warehouse 1 to audit all items in
warehouse 1.

The Stock in Whouse can actually be hidden by clicking the box on the lower left corner and check box
for counted. Enter the actual counted under Counted in Whse and click Update.

30
Go to Inventory > Inventory Transactions > Initial Qtys, Stock Tracking and Stock Posting
Click Stock Posting. A column per record in the warehouse and a column for the counted are shown with
the difference in another. For the entry of the difference, click the selection list in the fields of Inv Offset
Dec / Inc and choose appropriate account title like Miscellaneous Income/Expense, Loss in ....

2. Reconcile subsidiary to control.

Example: Norm Thomson paid to the company the amount of 1,000 without referencing to a specific
document. Prior to this payment, assume that the AR-Norm Thomson is 5,000 based on the following:
AR Inv # Total
1 500
2 1,800
3 1,200
4 1,500
5,000

If paid without referencing to a specific document, control account is 4,000. But, since this is not based
on a specific document, the documents would still total 5,000. Thus, there is a float of 1,000 and this
difference should be reconciled.

Solution:
1. Receive payment first in the amount of 1,000. Go to Banking > Choose Norm Thomson in the code
field > Click the money bag in the taskbar so that Payment Means will appear like below

31
> Enter 1,000 in the Total field at the lower right portion of the window and click OK > Click Add in the
Incoming window > the following message will appear

Click Yes > Click Add

So, you have received 1,000 without referring to a specific document. Total AR of Norm is reduced by
1,000 but the documents remained as is.
2. Reconcile 1,000 to a specific document.
Go to Business Partners > Internal Reconciliation > Reconciliation > Choose Norm Thomson in the
Business Partner field > Click Reconcile

The following window will appear. The amount received was 1,000 and since this was the last transaction
for Norm Thomson, you will find this amount at the bottom part of the table – just drag the scroll bar on
the right side to view the bottom part. Check the box under selected and the line is highlighted by
yellow. Choose a document or documents with origin IN (representing Invoice) by clicking the box under
the Selected column. Based on the example below, doc IN 133 and 139 are chosen with amounts 954
and 572.40, respectively and if totalled this would exceed 1,000 so that doc IN 139 is changed to only $

32
46 (partial only) under column Amount to Reconcile. This way 1,000 receipt is reconciled to doc IN 133
for $954 and doc IN 139 for $46. Click Reconcile.

V. APPLICATION CONTROLS

Application controls are programmed procedures designed to deal with potential exposures that
threaten specific applications, such as payroll, purchases, and cash disbursements systems. Application
controls fall into three broad categories: input controls, processing controls, and output controls.

Input Controls

The data collection component of the information system is responsible for bringing data into the system
for processing. Input controls at this stage are designed to ensure that these transactions are valid,
accurate, and complete. Data input procedures can be either source document-triggered and direct
input.

Source document input requires human involvement and is prone to clerical errors. Some types of errors
that are entered on the source documents cannot be detected and corrected during the data input
stage. Dealing with these problems may require tracing the transaction back to its source (such as
contacting the customer) to correct the mistake. Direct input, on the other hand, employs real-time
editing techniques to identify and correct errors immediately, thus significantly reducing the number of
errors that enter the system.

Classes of Input Control

 Source document controls
 Data coding controls
 Batch controls
 Validation controls
 Input error correction

These control classes are not mutually exclusive divisions. Some control techniques that we shall
examine could fit logically into more than one class.
33
Source Document Controls
Source document fraud can be used to remove assets from the organization. To control this type of
exposure, the organization must implement control procedures over source documents to account for
each document, as describe below:
a. Use of prenumbered source documents
b. Use of source documents in sequence
c. Periodically audit source documents

Exercises:
1. Is there a control for document numbering in the system? Can the default series Primary be changed?
2. Is there a way not to use the series in sequence?
3. Can these source documents be audited? How?

Go to Administration > System Initialization > Document Numbering

34
Data Coding Controls
Coding controls are checks on the integrity of data codes used in processing. A customer’s account
number, an inventory item number, and a chart of accounts number are all examples of data codes.

Exercises:
1. There are two types of business partners in SAP B1 OEC Company. How are customers identified or
distinguished from vendors or suppliers?

Go to Business Partners > Business Partner Master Data > Type * in the code field > Click Find or press
Enter
To answer question 1, customers has a prefix C and vendors has V.

2. How are account titles identified as assets, liabilities, revenue, expenses?

Go to Financials > Chart of Accounts

Classification Codes start at

Assets 1
Liabilities 2
35
Equity 3
Turnover/Revenue 4
Expenses 5
Others 6 and 7

*Codes should not be duplicated since this is how the system or database identifies. These are primary
keys.

Validation Controls
Input validation controls are intended to detect errors in transaction data before the data are processed.
Validation procedures are most effective when they are performed as close to the source of the
transaction as possible. However, depending on the type of CIS in use, input validation may occur at
various points in the system.

There are three levels of input validation controls:

1. Field interrogation
2. Record interrogation
3. File interrogation

Field Interrogation
Field interrogation involves programmed procedures that examine the characteristics of the data in the
field. The following are some common types of field interrogation:
a. Missing data checks are used to examine the contents of a field for the presence of blank spaces.
When the validation program detects a blank where it expects to see a data value, this will be
interpreted as an error.

Exercise:
Give example.

Open a Sales Order. Add customer Norm Thomson and item A00001. Click Add. The system should
flag the red message below because one delivery date is missing.

36
b. Numeric-alphabetic data checks determine whether the correct form of data is in a field.

Give example.
Open a Sales Order. Add customer Parameter and add item A00001. In the quantity field for the
item, enter a ‘abc’ instead of a number and press enter. It should give an error message such as
the one shown below.

c. Limit checks determine if the value in the field exceeds an authorized limit.

Exercises:
1. Create customer SM Prime Holdings. Payment terms is 2/10, n/30. Credit limit is 100,000.
37
2. Create a transaction that tests whether the system will not accept beyond the credit limit.

To create customer, go to Business Partners > Business Partner Master Data > Click the Find button

....continued on the next page

Choose Customer

Click Add button

Copy the encircled fields and the click ok.

38
To test the created CREDIT LIMIT, open AR-INV to create sales transaction.

Go to Sales-AR > AR-Inv

Choose SM Prime Holdings as the customer. Add A00001 with 200 items. Change the unit price to $600
(the purpose of which is to have a document total of more than $100,000). Click Add or press Enter. It
should give a message like the one below – Customer has exceeded credit limit...

39
d. Validity checks compare actual values in a field against known acceptable values. This control is
used to verify such things as transaction codes, state abbreviations, or employee job skill codes.
If the value in the field does not match one of the acceptable values, the record is determined to
be in error.

Exercise:
Test the system whether it accepts currency that is not defined in the setup.

To view all currencies:

Go to Administration > Setup > Financials > Currencies

To test:
Go to Financials > Journal Entry
Add any debit and credit. Change the default currency by editing it to yen. Press enter. The system
should prompt the message in red like the one below:

40
Record Interrogation

Record interrogation procedures validate the entire record by examining the interrelationship of its field
values. Some typical tests are discussed below.

a. Reasonableness checks determine if a value in one field, which has already passed a limit check
and a range check, is reasonable when considered along with other data fields in the record.
See pages 27 and 28 (errors in red).

b. Sign checks are tests to see if the sign of the field is correct for the type of record being
processed. For example, in a sales order processing system, the dollar amount field must be
positive for sales orders but negative for sales return transactions. This control can determine
the correctness of the sign by comparing it with the transaction code field.

Exercise:
Go to Financials > Financial Reports > Accounting > General Ledger > OK

Observe the postings in the debit and credit.

41
 c. Sequence checks are used to determine if a record is out of order.
See pages number 24 – 25.

Processing Controls
After passing through the data input stage, transactions enter the processing stage of the system.
Processing controls are divided into three categories: run-to-run controls, operator intervention controls,
and audit trail controls.
1. Run-to-Run Controls
2. Operator Intervention Controls
3. Audit Trail Controls

The preservation of an audit trail is an important objective of process control. In an accounting system,
every transaction must be traceable through each stage of processing from its economic source to its
presentation in financial statements. In a CBIS environment, the audit trail can become fragmented and
difficult to follow. It thus becomes critical that each major operation applied to a transaction be
thoroughly documented. The following examples of techniques used to preserve audit trails in a CBIS.

a. Transaction Logs. Every transaction successfully processed by the system should be recorded on
a transaction log, which serves as a journal. (see page 16-17)

b. Listing of Automatic Transactions.

42
Exercise 1

1. With reference to page 17, accounting cycle 1 journal entry and 2 ledger, illustrate how each
transaction can automatically create an entry (except for PO and SO) and how is this linked to GL.

Go to Sales-AR > Choose Parameter as customer > add item A00001 > Click Add

After clicking Add, retrieve your last data by clicking last data record

Click the Accounting tab (the one encircled below) and click the Journal Remark pointing to AR Inv.

43
What is the entry? Where is this linked?

Therefore, the accounting tab (if it has an entry), is linked to Journal Entry. The Journal Entry (located by
navigating to Financials > Journal Entry) actually records by:
a. manual entry
b. automatic entry through different modules similar to the above example

2. Navigate to the General Ledger, locate the above entry in the postings of the affected accounts.

a. Unique Transaction Identifiers.

Exercise:
Give example(s) of unique identifiers in the system.

Go back to the previous illustration.

Take note of the Origin field. The original transaction is navigated when the arrow is clicked. These are
just some of the originating transactions:
IN - AR Invoice
RC - Incoming Payments
44
 DT - AR Downpayment Invoice
SO - Issue for Production
PU - AP Invoice
PD - Goods Receipt PO
PS - Outgoing Payments
If the entry is entered manually, origin is JE.

Output Controls
Output controls ensure that system output is not lost, misdirected, or corrupted and that privacy is not
violated.

TESTING COMPUTER APPLICATION CONTROLS

Control testing techniques provide information about the accuracy and completeness of an application’s
processes. These tests follow two general approaches: (1) the black box (around the computer) approach
and (2) the white box (through the computer) approach.

Black Box Approach

With an understanding of what the application is supposed to do, the auditor tests the application by
reconciling production input transactions processed by the application with output results. The output
results are analyzed to verify the application’s compliance with its functional requirements.

White Box Approach

The white box approach relies on an in-depth understanding of the internal logic of the application being
tested. The white box approach includes several techniques for testing application logic directly. Some of
the more common types of tests of controls include the following:
 Authenticity tests, which verify that an individual, a programmed procedure, or a message (such
as EDI transmission) attempting to access a system is authentic. Authenticity controls include
user Ids, passwords, valid vendor codes, and authority tables.

 Accuracy tests, which ensure that the system processes only data values that conform to
specified tolerances. Examples include range tests, field tests, and limit tests.

 Completeness tests, which identify missing data within a single record and entire records
missing from a batch.

 Access tests, which ensure that the application prevents authorized users from unauthorized
access to data. Access controls include passwords, authority tables, user-defined procedures,
data encryption, and inference controls.

45
 Audit trail tests, which ensure that the application creates an adequate audit trail. This includes
evidence that the application records all transactions in a transaction log, posts data values to
the appropriate accounts, produces complete transaction listings, and generates error files and
reports for all exceptions.
 Rounding error tests, which verify the correctness of rounding procedures. Rounding errors
occur in accounting information when the level of precision used in the calculation is greater
than that used in the reporting.

46
V. Five CAATT Approaches to Test Application Controls
1. Test Data Method
2. Base Case System Evaluation
3. Tracing
4. Integrated Test Facility
5. Parallel Simulation

Test Data Method

The test data method is used to establish application integrity by processing specially prepared sets of
input data through production applications that are under review. The results of each test are compared
to predetermined expectations to obtain an objective evaluation of application logic and control
effectiveness.
To perform the test data technique, the auditor must obtain a copy of the current version of the
application. In addition, test transaction files and test master files must be created. Results from the test
run will be in the form of routine output reports, transaction listings, and error reports. In addition, the
auditor must review the updated master files to determine that account balances have been correctly
updated. The test results are then compared with the auditor’s expected results to determine if the
application is functioning properly. This comparison may be performed manually or through special
computer software. Any deviations between the actual results obtained and those expected by the
auditor may indicate a logic or control problem.

Creating Test Data

When creating test data, auditors must prepare a complete set of both valid and invalid transactions. If
test data are complete, auditors might fail to examine critical branches of application logic and error-
checking routines. Test transactions should test every possible error, logical process, and irregularity.

Base Case System Evaluation

When the set of test data in use is comprehensive, the technique is called the base case system
evaluation (BSCE).

Tracing
Another type of the test data technique is called tracing performs an electronic walkthrough of the
application’s internal logic. The tracing procedure involves three steps:
1. The application under review must undergo a special compilation to activate the trace option.
2. Specific transactions or types of transactions are created as test data.
3. The test data transactions are traced through all processing stages of the program, and a listing is
produced of all programmed instructions that were executed during the test.

The Integrated Test Facility

The integrated test facility (ITF) approach is an automated technique that enables the auditor to test an
application’s logic and controls during its normal operation. The ITF is one or more audit modules
designed into the application during the systems development process. In addition, ITF databases
contain “dummy” or test master file records integrated with legitimate records. During normal

47
operations, test transactions are merged into the input stream of regular (production) transactions and
are processed against the files of the dummy company.
ITF audit modules are designed to discriminate between ITF transactions and routine production data.
This may be accomplished in a number of ways. One of the simplest and most commonly used is to
assign a unique range of key values exclusively to ITF transactions. For example, in a sales order
processing system, account numbers between 2000 and 2100 can be reserved for ITF transactions and
will not be assigned to actual customer accounts. By segregating ITF transactions from legitimate
transactions in this way, routine reports produced by the application are not corrupted by ITF test data.
Test results are produced separately on storage media or hard copy output and distributed directly to the
auditor. Just as with the test data techniques, the auditor analyzes ITF results against expected results.

Parallel Simulation
Parallel simulation requires the auditor to write a program that simulates key features or processes of
the application under review. The simulated application is then used to reprocess transactions that were
previously processed by the production application. The results obtained from the simulation are
reconciled with the results of the original production run to establish a basis for making inferences about
the quality of application processes and controls.

48
REVENUE CYCLE AUDIT OBJECTIVES, CONTROLS, AND TESTS OF CONTROLS
The auditor needs to determine that effective procedures exist to establish appropriate customer credit
limits; communicate this information adequately to the credit policy decision-makers; review credit
policy periodically and revise it as necessary; and monitor adherence to current credit policy.

Substantive Tests of Revenue Cycle Accounts

The Customer master file contains addresses and credit information about customers. The Credit Limit
value is used to validate sales transactions. If the sum of the customer’s outstanding account balance
and the amount of current sales transaction exceeds the pre-established credit limit, then the
transaction is rejected.

A usual audit procedure for identifying potential audit risks involves scanning data files for unusual
transactions and account balances. For example, scanning accounts receivable for excessively large
balances may indicate that the organization’s credit policy is being improperly applied. Credit balances in
accounts receivable may suggest unusual sales return activity or errors in the application of cash receipts
to customer accounts.

Exercise:
From the database, extract all AR Invoice documents BUT, only those which exceed 100,000 per
document.

Go to Tools > Queries > Query Generator

The screen below will appear. In the first field (in yellow), press tab.

49
The screen below will appear. Type OINV. OINV represents AR Invoice. Click Choose.

Double click DocDate. Double click Cardname. Double click DocTotal.

Bring your mouse to Where and click the field.
Bring your mouse to DocTotal and double click it.
Click conditions. Click the Where field and bring the cursor after the last character.
Double click GREATER THAN in conditions.
Bring the cursor after the sign > in the Where field.
Type 100000.
Click Execute.

50
After clicking Execute, a report is generated showing AR Invoices with more than 100,000 per document.

The auditor can identify such anomalies. The report can provide analysis of unusual trends and
exceptions. For example:
 The minimum invoice amount was _______ and the maximum was _______.
 ________ items constitute ________ of negative sales.
 ________ percent of the sales are between _______ and ________.
 Only _____ items were sales over _________.

Searching for missing and/or duplicate transactions is another important test helps the auditor
corroborate or refute the completeness and accuracy assertions. Duplicate or missing transactions in the
revenue cycle may be evidence of over- or understated sales and accounts receivable. Duplicate sales
invoice records may indicate a computer program error that materially overstates sales and accounts
receivable. A missing sales invoice may point to an unrecorded sale that was shipped but not billed, thus
understating these accounts. On the other hand, it may indicate nothing more than an invoice that was
issued and voided because of a clerical error.

51
One of them most widely performed tests of existence is the confirmation of accounts receivable. This
test involves direct written contract between the auditors and the client’s customers to confirm account
balances and transactions.

52
53