Contents. Process flow diagrams and other documentation

Similar documents
Smart Lite User Guidance Pack

Audit Considerations Relating to an Entity Using a Service Organization

C22: SAS 70 Practices and Developments Todd Bishop, PricewaterhouseCoopers

Auditing IT General Controls

Making trust evident Reporting on controls at Service Organizations

Chapter 08. Consideration of Internal Control in an Information Technology Environment. McGraw-Hill/Irwin

International Standard on Auditing (Ireland) 505 External Confirmations

Tools & Techniques I: New Internal Auditor

SAS70 Type II Reports Use and Interpretation for SOX

INTERNATIONAL STANDARD ON AUDITING 505 EXTERNAL CONFIRMATIONS CONTENTS

TAN Jenny Partner PwC Singapore

EXTERNAL CONFIRMATIONS SRI LANKA AUDITING STANDARD 505 EXTERNAL CONFIRMATIONS

International Standard on Auditing (UK) 505

Learning Objectives. External confirmations procedures as per SA330 and SA 500 requirements

Auditing in an Automated Environment: Appendix B: Application Controls

LIST OF SUBSTANTIVE CHANGES AND ADDITIONS. PPC's Guide to Audits of Local Governments. Thirty first Edition (February 2016)

Testers vs Writers: Pen tests Quality in Assurance Projects. 10 November Defcamp7

ADVANCED AUDIT AND ASSURANCE

Probe MMX Compilation

Period from October 1, 2013 to September 30, 2014

COMPUTER FLOOD STANDARDS

ISACA Cincinnati Chapter March Meeting

3/13/2015. COSO Revised: Implications for Compliance and Ethics Programs. Session Agenda. The COSO Framework

Information for entity management. April 2018

WECC Internal Controls Evaluation Process WECC Compliance Oversight Effective date: October 15, 2017

SOC Reporting / SSAE 18 Update July, 2017

PROPRIETARY MATERIALS

Mastering SOC-1 Attestation Reports Under SSAE 16: Auditing Service Organizations Controls in the Cloud

A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS

SAS 70 SOC 1 SOC 2 SOC 3. Type 1 Type 2

Chapter 8: General Controls and Application Controls

Evaluating SOC Reports and NEW Reporting Requirements

RISK ASSESSMENTS AND INTERNAL CONTROL CIS CHARACTERISTICS AND CONSIDERATIONS CONTENTS

COBIT 5 With COSO 2013

ISA 800/805. Proposed changes to ISA 800/ 805 were limited in nature

CITADEL INFORMATION GROUP, INC.

COM Operating Personnel Communications Protocols. October 31, 2013

Introduction to Automated Controls. Jay Swaminathan Senior Manager, SOAProjects. San Francisco Chapter

CASA External Peer Review Program Guidelines. Table of Contents

Hong Kong Institute of Certified Public Accountants Practising Certificate ("PC") Business Assurance

ISA 540 (Revised): Update. May 2018 ASB meeting Dan Montgomery May 17, 2018

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

BEST PRACTICES. PPC s Checkpoint Tools & SMART Practice Aids with ProSystem fx. Table of Contents

Deutsche Bank Credit. Credit User guide.

Transitioning from SAS 70 to SSAE 16

Auditing in an Automated Environment: Appendix E: System Design, Development, and Maintenance

COMPUTER/INFORMATION FLOOD STANDARDS

California ISO Audit Results for 2011 SSAE 16 & Looking Forward for 2012 December 15, 2011

The Accreditation and Verification Regulation - Verification report

IT Attestation in the Cloud Era

Audit System New Zealand Process Map

350 Index 2005 GOAL/QPC

Advanced Corporate Reporting. Corporate Reporting. Financial Accounting. Management in Organisations

Maher Duessel Not for Profit Training July Agenda

CitiManager. Registering for CitiManager, Enrolling in Paper-Free Statements, and Viewing Your Electronic Statement

Safeguarding unclassified controlled technical information (UCTI)

INFORMATION TECHNOLOGY AUDITING GAO AND THE FISCAM AUDIT FRAMEWORK. Ronald E. Franke, CISA, CIA, CFE, CICA. April 30, 2010

Exposure Draft The Auditor s Responsibility to Consider Fraud in an Audit of Financial Statements

IT Audit Process. Prof. Mike Romeu. January 30, IT Audit Process. Prof. Mike Romeu

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

EXAM PREPARATION GUIDE

AND ASSURANCE AN INTEGRATED APPROACH SIXTEENTH EDITION GLOBAL EDITION

ITCC112. Course Summary. Description. Objectives

The Wdesk Platform by Workiva

IT Audit Process Prof. Liang Yao Week Two IT Audit Function

Full file at

How to get started with CaseWare Cloud

Consideration of Internal Control in an Information Technology Environment

ISACA CISA Review Course CHAPTER 1 THE IS AUDIT PROCESS

Endorsement Version. Guidelines on IT Audit I N T O S A I ISSAI ISSAI 5300: Guidelines on IT Audit

Spree Privacy Policy

ERO Compliance Enforcement Authority Staff Training

Incident Response Services

EA Document for Recognition of Verifiers under the EU ETS Directive

Adopting SSAE 18 for SOC 1 reports

Table of Contents 2. Welcome to Checkpoint Engage 5. Creating an Engagement in Advance Flow or Onvio 6. Create Checkpoint Engage Engagement 8

Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators

REPORT OF THE INDEPENDENT ACCOUNTANT

Rich Powell Director, CIP Compliance JEA

AUDITING (PART-18) (UNIT-III) INTERNAL CONTROL (PART 4)

Within our recommendations for editorial changes, additions are noted in bold underline and deletions in strike-through.

EnviroIssues Privacy Policy Effective Date:

Audit Guidelines Super Audio CD Player Patent License Agreement

The Accreditation and Verification Regulation - Sampling

_isms_27001_fnd_en_sample_set01_v2, Group A

Submission to the International Integrated Reporting Council regarding the Consultation Draft of the International Integrated Reporting Framework

Department of Defense Cybersecurity Requirements: What Businesses Need to Know?

FINANCIAL/ADMINISTRATIVE PROCEDURES MANUAL GUIDANCE

Assessment and Compliance with Sarbanes-Oxley (SOX) Requirements DataGuardZ Whitepaper

Issue for Consideration: Appropriateness of the Drafting of Paragraph A17

Losing Control: Controls, Risks, Governance, and Stewardship of Enterprise Data

PEM Contents Checklist

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

REVIEW OF THE RPS MAP OF EVIDENCE

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Internal Audit Follow-Up Report. Multiple Use Agreements TxDOT Office of Internal Audit

IT Audit Process Prof. Liang Yao Week Six IT Audit Planning

*ANSWERS * **********************************

Definition of Internal Control

Data Breach Preparation and Response. April 21, 2017

Transcription:

Process flow diagrams and other documentation Contents 1. Audit lessons 2. Process flows 3. Flowcharts 4. Information produced by entity (IPE) 5. Documentation

Topic 1: Audit lessons

Audit lessons Teams did not sufficiently understand the likely sources of potential misstatements related to significant accounts or disclosures as part of selecting controls to test. Teams walkthrough procedures were not adequate to verify the auditor s understanding of the risks in the company s processes and to identify and select for testing controls sufficient to address the risk of misstatement for the relevant assertions as they were limited to: Performing inquiry and observation to confirm that there have been no significant changes to the processes Obtaining an understanding through controls testing and substantive procedures Reviewing walkthroughs performed by the company s internal auditor who did not provide direct assistance under the firm s supervision Relying on the auditor s knowledge and experience obtained from prior year s audits.

Topic 2: Process flows

Process flows A process flow generally consists of: Following a single transaction from origination through the entity s processes, including information systems, until it is reflected in the entity s financial records. Using the same documents and information technology that entity personnel use. Probing inquiries of the entity s personnel about their understanding of what is required by the entity s prescribed procedures and controls at the points at which important processing procedures occur. Asking personnel to describe their understanding of the previous and succeeding accounting or control activities and to demonstrate what they do to corroborate information at various points in the walkthrough. Combination of inquiry, observation, and inspection 5

Key Points for Understanding the Process Cover from the initiation of the transaction to recording in the financial statement and understand all processing in between. Document and trace the flow of information, not controls. Document key points of information, whether in the client s narrative or on a flowchart. Walk through the IT system, not around it. Understand relevant data elements in the process. Involve experienced team members for complex areas. Don t get locked into prior year s documentation. Walk through processes, not controls!

Obtaining an Understanding Have you identified and documented: All relevant assertions associated with each significant account and disclosure? The flow of transactions related to each relevant assertion? The points within the process where a misstatement could arise that individually or in aggregate with other misstatements could be material? The controls that management has implemented to address potential misstatements? It is important that engagement teams are able to answer these questions and that these answers are reflected in their documentation.

Walkthrough Documentation Location where the walkthrough occurred. Date(s) the walkthrough occurred. Audit firm interviewer. Client interviewee. Consider IT controls as you document your walkthroughs. Transaction(s) traced, including identifying characteristics of the transaction(s). Document(s) reviewed, including identifying characteristics of the document(s). Other Considerations Probing follow-up question(s) that were asked by the audit firm interviewer(s) of the interviewee(s), and any notable responses. 8

Key Attributes of Documentation Related to IT Process Level Understanding Provides understanding of how specific data elements of interest are captured and flow through information system to financial statements. Addresses manual and IT processes in a way that avoids process gaps in documentation. Describes relevant activities within IT systems, not just inputs and outputs. Describes and differentiates IT system components to allow for identification of specific risks.

Topic 3: Flowcharting

What is Flowcharting? Flowcharting is used to visually represent client processes and accounting systems so we can more easily identify and document the WCGWs and assess the design of the controls over those WCGWs.

Flowcharting Potential Advantages and Challenges Advantages: Challenges:

Flowcharting Tips Identify the output of the system (e.g. General ledger account, report used by management as the basis of a high level management review control). Begin the documentation with the output of the system, making this a more efficient approach. Check that all appropriate information has been linked to the source documentation. Use active voice in your flowchart processes (i.e. The employee enters information into the system versus Information is entered into the system ). Draw the flowchart such that information flows top to bottom and from left to right.

Flowcharting Considerations When creating a process flow diagram, consider: Who are the individuals, departments, etc. involved in the process? How often is the process performed? What are the key activities in the process? In what order do the key activities occur? Where do the WCGWs reside in the process? Which relevant controls address the WCGWs? What are the various reports and data elements used in or generated from the process? Which systems are critical to the process? Begin with the end in mind!

Flowcharting in Excel

Topic 4: Information produced by entity

Guidance Note has defined IPE The auditing standards do not provide a definition of information produced by the entity (IPE) or describe what constitutes IPE. IPE is typically in the form of a "report" which may be either systemgenerated, manually-prepared, or a combination of both (e.g., a download of system accumulated data that is then manipulated in an Excel spreadsheet). Examples of different forms of reports include: Standard "out of the box" or default reports or templates Custom-developed reports that are not standard to the application and that are defined and generated by user-operated tools Output from end-user applications such as automated spreadsheets Entity-prepared analyses, schedules and spreadsheets that are manually prepared by entity personnel either from information generated from the entity s system or from other internal or external sources

Understanding IPEs IPE typically consists of three elements: (1) source data, (2) report logic, and (3) parameters. Source Data: The information from which the IPE is created. This may include data maintained in the IT system (e.g., within an application system or database) or external to the system (e.g., data maintained in an Excel spreadsheet or manually maintained), which may or may not be subject to general IT controls. For example, for a report of all sales greater than Rs. 1,000,000, the source data is the database of all sales transactions. Report Logic: The computer code, algorithms, or formulas for transforming, extracting or loading the relevant source data and creating the report. Report logic may include standardised report programs, user-operated tools (e.g., query tools and report writers) or Excel spreadsheets, which may or may not be subject to the general IT controls. Report Parameters: Report parameters allow the user to look at only the information that is of interest to them. Common uses of report parameters including defining the report structure, specifying or filtering data used in a report or connecting related reports (data or output) together.

Auditor considerations of IPE The following considerations related to accuracy and completeness of IPE may assist the auditor in obtaining an appropriate understanding to plan the testing approach to IPE: Not all data is captured. The data is input incorrectly. The report logic is incorrect. The report logic or source data could be changed inappropriately or without authorisation. The user-entered parameters entered are incorrect. Evaluating IPEs: The auditor is required to "evaluate whether the IPE is sufficiently precise and detailed for purposes of the audit. If the IPE is not sufficiently precise or detailed for the purpose, it is likely that the auditor cannot use it as audit evidence; however, the auditor may work with the entity to determine if the original IPE can be modified by the entity to meet his or her needs or identify other audit evidence to achieve the intended purpose.

Test Controls over the C&A of IPE Used in MRC 1 2 Has team obtained an understanding of how 3 Have all relevant data elements used in the operation been identified? each data element is initiated, processed, and reported as IPE (focus on completeness and accuracy)? Has team identified all relevant WCGWs related to IPE? 4 5 6 Has management Are controls over appropriately completeness and identified relevant accuracy of IPE controls around the designed completeness and appropriately? accuracy of each data Operating effectively? element? If there are deficiencies in controls over completeness and accuracy of IPE, are effective compensating controls tested?

Testing Controls over IPE Key Points Test the design and operating effectiveness of the controls over completeness and accuracy of IPE used in MRCs. Determine the flow of each relevant data element, identify the related WCGWs and test the related controls. Failure to have effective controls over completeness and accuracy of the IPE generally renders the MRC ineffective. Ineffective GITCs generally render the MRC ineffective.

Topic 5: Documentation

CFO Financial Forum Opinion Poll Which of the following best describes your organization s documentation of business processes and controls? 10% 11% Primarily use flow charts: 11% Primarily use narratives: 27% 52% 27% Use combination of narratives and flow charts: 52% Document only controls, not processes: 10% Ensure that management has documented in writing its control policies and procedures for all relevant business processes. 23

Documentation Effective documentation of the organization s system of internal control is necessary to: Provide evidence of its effectiveness Enable proper monitoring Effective documentation is also useful: For assigning responsibility and accountability to employees Training new and experienced employees who implement and monitor the controls Promoting consistency across the organization Retaining organizational knowledge Higher level of documentation necessary when management asserts effectiveness of internal controls to regulators, shareholders and other third-parties Expanded documentation on design and operating effectiveness of controls Expanded documentation in areas involving significant judgment 24

Documentation: CFO Financial Forum Opinion Poll What additional effort is required to improve your documentation of ICOFR? 21% 4% No incremental effort: 4% Some incremental effort: 56% Significant incremental effort: 19% Not sure: 21% 19% 56% Documentation of existing and enhanced processes and controls is expected to be one of the main areas of additional effort when transitioning to IFCs 25

Thank you 26

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback