
Wednesday, July 29, 2009

The Essential Guide to Security Audits

Security audits are typically conducted for the purposes of business-information security, risk management and regulatory compliance. If performed correctly, a security audit can reveal weaknesses in technologies, practices, employees and other key areas. The process can also help companies save money by finding more efficient ways to protect IT hardware and software, as well as by enabling businesses to get a better handle on the application and use of security technologies and processes. As bothersome as security audits are, business owners, executives and IT managers who truly understand them realize that periodic examinations can actually help ensure that security strategies are in sync with overall business activities and goals.

Audit Practices and Activities

There is no standard security-audit process, but auditors typically accomplish their job through personal interviews, vulnerability scans, examination of OS and security-application settings, and network analyses, as well as by studying historical data such as event logs. Auditors also focus on the business's security policies to determine what they cover, how they are used and whether they are effective at meeting ongoing and future threats.

CAATs (Computer-Assisted Audit Techniques) are often employed to help auditors gain insight into a business's IT infrastructure in order to spot potential security weaknesses. CAATs use system-generated audit reports, as well as monitoring technology, to detect and report changes to a system's files and settings. CAATs can be used with desktop computers, servers, mainframe computers, network routers and switches, and an array of other systems and devices.

While CAATs can provide definitive data on business systems, auditors must also keep an eye on activities and practices that are not easily quantifiable. Some of the key questions that an auditor must ask include:

Who is in charge of security, and who does this person report to?
Have ACLs (Access Control Lists) been placed on network devices to control who has access to shared data?
How are passwords created and managed?
Are there audit logs to record who accesses data?
Who reviews the audit logs, and how often are they examined?
Are the security settings for OSes and applications in accordance with accepted industry security practices?
Have unnecessary applications and services been purged from systems? How often does this task take place?
Are all OSes and applications updated to current levels?
How is backup media stored? Who has access to it? Is it up-to-date?
How is email security addressed?
How is Web security addressed?
How is wireless security addressed?
Are remote workers covered by security policies?
Is a disaster-recovery plan in place? Has the plan ever been rehearsed?
Have custom applications been tested for security flaws?
How are configuration and code changes documented? How often are these records reviewed?
Many other questions pertaining to the exact nature of the business's operations also must be addressed.

Auditors

An auditor's skills and affiliations depend on the nature of the audit and the audited company's business focus. An internal audit will usually draw auditors from within the business's own IT and accounting departments. Alternatively, a company may hire a security consultant to handle the job. A financial institution or other business working in a regulated industry will often find itself dealing with federal and state regulators. Auditors may also be sent to a business by private standards-setting bodies and other industry organizations.

Aftermath and Follow-Up

Shortly after the audit concludes, the auditors will usually brief a company's owners, executives and managers on what they've discovered and if any immediate remedial action is necessary. A few days or weeks later, the auditors usually issue a formal report. Stakeholders can use both the meeting and the report as opportunities to gain insight into their security practices and make improvements.

While a security audit is usually a specific event, IT security is an ongoing process. As a business designs, deploys and maintains its security policies, technologies and practices, it should strive to maintain a constant state of preparedness that will allow it to pass a security audit at any given moment.

source

Security audits are important nowadays because many accounting systems are now computerized and organizations have to protect the interests of their companies.

Audit Process in Security Audit

Audit planning & preparation

The auditor should be adequately educated about the company and its critical business activities before conducting a data center review. The objective of the data center is to align data center activities with the goals of the business while maintaining the security and integrity of critical information and processes. To adequately determine whether or not the client’s goal is being achieved, the auditor should perform the following before conducting the review:

Meet with IT management to determine possible areas of concern
Review the current IT organization chart
Review job descriptions of data center employees
Research all operating systems, software applications and data center equipment operating within the data center
Review the company’s IT policies and procedures
Evaluate the company’s IT budget and systems planning documentation
Review the data center’s disaster recovery plan

Establishing audit objectives

The next step in conducting a review of a corporate data center takes place when the auditor outlines the data center audit objectives. Auditors consider multiple factors that relate to data center procedures and activities that potentially identify audit risks in the operating environment and assess the controls in place that mitigate those risks. After thorough testing and analysis, the auditor is able to adequately determine if the data center maintains proper controls and is operating efficiently and effectively.

Following is a list of objectives the auditor should review:

Personnel procedures and responsibilities including systems and cross-functional training
Change management processes are in place and followed by IT and management personnel
Appropriate back up procedures are in place to minimize downtime and prevent loss of important data
The data center has adequate physical security controls to prevent unauthorized access to the data center
Adequate environmental controls are in place to ensure equipment is protected from fire and flooding

Performing the review

The next step is collecting evidence to satisfy data center audit objectives. This involves traveling to the data center location and observing processes and procedures performed within the data center. The following review procedures should be conducted to satisfy the pre-determined audit objectives:

Data center personnel – All data center personnel should be authorized to access the data center (key cards, login IDs, secure passwords, etc.). Data center employees are adequately educated about data center equipment and properly perform their jobs. Vendor service personnel are supervised when doing work on data center equipment. The auditor should observe and interview data center employees to satisfy their objectives.

Equipment – The auditor should verify that all data center equipment is working properly and effectively. Equipment utilization reports, equipment inspection for damage and functionality, system downtime records and equipment performance measurements all help the auditor determine the state of data center equipment. Additionally, the auditor should interview employees to determine if preventative maintenance policies are in place and performed.

Policies and Procedures – All data center policies and procedures should be documented and located at the data center. Important documented procedures include: data center personnel job responsibilities, back up policies, security policies, employee termination policies, system operating procedures and an overview of operating systems.

Physical security / environmental controls – The auditor should assess the security of the client’s data center. Physical security includes bodyguards, locked cages, man traps, single entrances, bolted down equipment, and computer monitoring systems. Additionally, environmental controls should be in place to ensure the security of data center equipment. These include: Air conditioning units, raised floors, humidifiers and uninterruptible power supply.

Backup procedures – The auditor should verify that the client has backup procedures in place in the case of system failure. Clients may maintain a backup data center at a separate location that allows them to instantaneously continue operations in the instance of system failure.

source

The auditor should prepare thoroughly before performing a security audit. Being prepared is the best tool an auditor can carry when performing an audit.

What is a Security Audit?

You may see the phrase "penetration test" used interchangeably with the phrase "computer security audit". They are not the same thing. A penetration test (also known as a pen-test) is a very narrowly focused attempt to look for security holes in a critical resource, such as a firewall or Web server. Penetration testers may only be looking at one service on a network resource. They usually operate from outside the firewall with minimal inside information in order to more realistically simulate the means by which a hacker would attack the site.

On the other hand, a computer security audit is a systematic, measurable technical assessment of how the organization's security policy is employed at a specific site. Computer security auditors work with the full knowledge of the organization, at times with considerable inside information, in order to understand the resources to be audited.

Security audits do not take place in a vacuum; they are part of the on-going process of defining and maintaining effective security policies. This is not just a conference room activity. It involves everyone who uses any computer resources throughout the organization. Given the dynamic nature of computer configurations and information storage, some managers may wonder if there is truly any way to check the security ledgers, so to speak. Security audits provide such a tool, a fair and measurable way to examine how secure a site really is.

Computer security auditors perform their work through personal interviews, vulnerability scans, examination of operating system settings, analyses of network shares, and historical data. They are concerned primarily with how security policies - the foundation of any effective organizational security strategy - are actually used. There are a number of key questions that security audits should attempt to answer:

Are passwords difficult to crack?
Are there access control lists (ACLs) in place on network devices to control who has access to shared data?
Are there audit logs to record who accesses data?
Are the audit logs reviewed?
Are the security settings for operating systems in accordance with accepted industry security practices?
Have all unnecessary applications and computer services been eliminated for each system?
Are these operating systems and commercial applications patched to current levels?
How is backup media stored? Who has access to it? Is it up-to-date?
Is there a disaster recovery plan? Have the participants and stakeholders ever rehearsed the disaster recovery plan?
Are there adequate cryptographic tools in place to govern data encryption, and have these tools been properly configured?
Have custom-built applications been written with security in mind?
How have these custom applications been tested for security flaws?
How are configuration and code changes documented at every level? How are these records reviewed and who conducts the review?
These are just a few of the kinds of questions that can and should be assessed in a security audit. In answering these questions honestly and rigorously, an organization can realistically assess how secure its vital information is.

Security Policy Defined

As stated, a security audit is essentially an assessment of how effectively the organization's security policy is being implemented. Of course, this assumes that the organization has a security policy in place which, unfortunately, is not always the case. Even today, it is possible to find a number of organizations where a written security policy does not exist. Security policies are a means of standardizing security practices by having them codified (in writing) and agreed to by employees who read them and sign off on them. When security practices are unwritten or informal, they may not be generally understood and practiced by all employees in the organization. Furthermore, until all employees have read and signed off on the security policy, compliance with the policy cannot be enforced. Written security policies are not about questioning the integrity and competency of employees; rather, they ensure that everyone at every level understands how to protect company data and agrees to fulfill their obligations in order to do so.

Natural tensions frequently exist between workplace culture and security policy. Even with the best of intentions, employees often choose convenience over security. For example, users may know that they should choose difficult-to-guess passwords, but they may also want those passwords to be close at hand. So every fledgling auditor knows to check for sticky notes on the monitor and to pick up the keyboard and look under it for passwords. IT staff may know that every local administrator account should have a password; yet, in the haste to build a system, they may just bypass that step, intending to set the password later, and therefore place an insecure system on the network.

The security audit should seek to measure security policy compliance and recommend solutions to deficiencies in compliance. The policy should also be subject to scrutiny. Is it a living document, accurately reflecting how the organization protects IT assets on a daily basis? Does the policy reflect industry standards for the type of IT resources in use throughout the organization?

source

Performing a security audit means that one should be good at computers.

Thursday, July 23, 2009

Computer-assisted Audit Techniques

The auditor may use three broad categories of computer-assisted techniques to test controls:

Auditing around the computer
Auditing with the computer
Auditing through the computer

Auditing Around the Computer

With this technique, auditors test the reliability of computer-generated information by first calculating expected results from the transactions entered into the system. Then, the auditors compare these calculations to the processing or output results. If they prove to be accurate and valid, it is assumed that the system of controls is effective and that the system is operating properly.

The auditing around the computer approach is adequate when automated systems applications are relatively simple and straightforward. SAS No. 94 does not eliminate the use of this technique. This approach may be suitable for firms using a variety of accounting software that process applications periodically and, when the audit trail generated is extensive, allow outputs to be traced back to inputs.

The major weakness of the auditing around the computer approach is that it does not determine whether the program logic is correct. In addition, this approach does not reveal how the automated controls respond to a wide variety of transactions containing errors. Therefore, in complex IT environments, this approach may overlook potentially significant errors and may be ineffective in restricting detection risk to an acceptable level.

Auditing With the Computer

The auditing with the computer approach embraces a variety of techniques and often is referred to as computer-assisted audit techniques (CAATs). CAATs involve using computers, often a microcomputer, to aid auditors. Although the utilization of CAATs has radically improved the capabilities and effectiveness of auditors, they are primarily used to perform substantive tests. One widely used CAAT, known as general audit software (GAS), is frequently employed to perform substantive tests and may be used for limited testing of controls. For example, GAS can be used to test the functioning of complex algorithms in computer programs, but it requires extensive experience in using the software. In contrast, the auditing through the computer techniques are designed specifically to test automated controls, and some techniques do not require extensive IT experience.

Auditing Through the Computer

These techniques focus on testing automated processing steps, programming logic, edit routines and programmed controls. The approach assumes that, if the processing programs are soundly developed and incorporate adequate edit routines and programmed checks, then errors and irregularities are not likely to slip by undetected. If these programs are functioning as designed, the outputs can reasonably be accepted as reliable.

The auditing through the computer approach is particularly appropriate for testing controls in the complex IT systems emphasized in SAS No. 94. This approach embraces a family of techniques (see table 1), including test data, parallel simulation, integrated test facility and embedded audit module. In a survey conducted by the authors, only 26 of 91 responding Fortune 500 firms, or 28.6 percent, indicated that auditing through the computer techniques were used in an audit of the purchase function, usually a highly automated and complex IT application. This survey, conducted before SAS No. 94, confirms that a majority of auditors continue to set control risk at the maximum level and rely solely on substantive testing to obtain evidence about the accuracy and completeness of the relevant information. When SAS No. 94 becomes widely adopted, the number of all firms, regardless of size, using auditing through the computer techniques should increase.
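The contrast between auditing around and auditing through the computer, as an added Python illustration that is not part of the original article: a hypothetical purchase program with a deliberately planted edit-routine defect passes an around-the-computer check on clean live data, while a test-data deck seeded with error transactions exposes the missing control. All names, rules, limits and transactions are constructed for the example.

```python
from decimal import Decimal

# Constructed business rules for a hypothetical purchase application.
APPROVED_VENDORS = {"V100", "V200"}
APPROVAL_LIMIT = Decimal("5000.00")  # above this, a purchase needs approval


def system_under_audit(transactions):
    """Stand-in for the client's purchase program (hypothetical).

    Its edit routine checks the vendor and the approval limit, but a
    planted defect means it never checks that the amount is positive.
    """
    accepted, rejected, total = [], [], Decimal("0")
    for txn in transactions:
        amount = Decimal(txn["amount"])
        if txn["vendor"] not in APPROVED_VENDORS:
            rejected.append(txn["id"])
        elif amount > APPROVAL_LIMIT and not txn.get("approved", False):
            rejected.append(txn["id"])
        else:  # planted defect: zero and negative amounts fall through
            accepted.append(txn["id"])
            total += amount
    return {"accepted": accepted, "rejected": rejected, "total": total}


def audit_around(source_documents):
    """Around the computer: recompute the expected total from the inputs
    and compare it with the program's output, treating the program as a
    black box. Returns True when output and expectation agree."""
    expected = sum((Decimal(d["amount"]) for d in source_documents), Decimal("0"))
    output = system_under_audit(source_documents)
    return output["total"] == expected and not output["rejected"]


def audit_through(test_deck):
    """Through the computer (test data technique): run transactions with a
    known expected disposition, including deliberate errors, and list every
    case where the programmed control did not behave as expected."""
    accepted = set(system_under_audit(test_deck)["accepted"])
    exceptions = []
    for txn in test_deck:
        actual = "accept" if txn["id"] in accepted else "reject"
        if actual != txn["expect"]:
            exceptions.append((txn["id"], txn["expect"], actual))
    return exceptions


# Constructed live transactions for the period: all valid, so the defect
# in the edit routine is never exercised.
LIVE_PERIOD = [
    {"id": "L1", "vendor": "V100", "amount": "1200.00"},
    {"id": "L2", "vendor": "V200", "amount": "4999.99"},
    {"id": "L3", "vendor": "V100", "amount": "6100.00", "approved": True},
]

# Constructed test deck: valid, boundary and error transactions, each with
# the disposition the documented controls should produce.
TEST_DECK = [
    {"id": "T1", "vendor": "V100", "amount": "100.00", "expect": "accept"},
    {"id": "T2", "vendor": "V999", "amount": "100.00", "expect": "reject"},
    {"id": "T3", "vendor": "V100", "amount": "7500.00", "expect": "reject"},
    {"id": "T4", "vendor": "V100", "amount": "7500.00", "approved": True,
     "expect": "accept"},
    {"id": "T5", "vendor": "V200", "amount": "-250.00", "expect": "reject"},
    {"id": "T6", "vendor": "V200", "amount": "0.00", "expect": "reject"},
    {"id": "T7", "vendor": "V200", "amount": "5000.00", "expect": "accept"},
]

if __name__ == "__main__":
    print("around-the-computer result agrees:", audit_around(LIVE_PERIOD))
    for txn_id, expected, actual in audit_through(TEST_DECK):
        print(f"control exception {txn_id}: expected {expected}, got {actual}")
```
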

source

In today's fast-changing world, we need to use the computer to help us in our daily work.

THE BENEFITS OF COMPUTER AUDIT

In today's fast changing world, computer audit is very important. Hereunder are the benefits of computer audit:

Business efficiency – companies are required by company law to safeguard assets by instituting effective internal controls. Computer audit would not only meet this requirement but would give you the facts you need to make important decisions.

Security – computer audit would reinforce your company’s attitude to risk. Thousands of pounds are invested in computers (PCs, workstations, laptops, scanners, etc.), so it pays to be prudent by mitigating loss, whether by theft, fire or otherwise.

The fact that your company has a computer audit policy and that it is taken seriously acts as a deterrent. This is further reinforced when security measures, such as “electronic tagging”, bar coding, permanent fixing or similar measures are employed.

Having documented records of your computer assets aids your claim for loss under your company’s insurance policy. The existence of reliable records aids the process.

Standardisation – a computer audit promotes a standardised purchasing policy. What could be more practical than applying a purchasing policy that not only saves money but also reinforces values, such as brand, efficiency and time?

Don’t assume that all computer equipment comes with quality parts and that they are subject to the same quality control standards. Likewise, not all retailers give the same guarantee! This is where a computer audit could provide valuable information.

Asset tracking – at the point where computer equipment arrives in the company, it should be tagged to aid tracking, accounting and, ultimately, control against loss. If these assets are not tracked or traceable, they could easily disappear from the company. A computer audit would capture all computing equipment, whether it is included on the asset register or not.

Asset replacement policy – computer audit assists your replacement policy by identifying ageing assets that present potential operational risk to your business. Your accounting policy may provide for non-capitalisation or write-off over two to four years; however, computers will be used until they are incapable of being sustained.

Such a policy does not help your company in maximising efficiency and productivity. This plays into your competitor’s hands, surrendering to them your competitive advantage. If your business relies on the latest technology, it’s imperative that obsolete computers are systematically identified and replaced.

Accounting – computer audit will ensure the completeness of your fixed asset register and the accounting transactions that are processed in your ledgers.

Cost control – computer audit aids the budgeting and timely replacement of computer equipment. It reduces substantially the guesswork in constructing the relevant capital expenditure budget.

Competitive advantage – whether it is being the quickest to market, having the latest technology or having efficient processes that sets you apart from your competitors, it is essential that you make computer audit an essential company tool. Factors that contribute to maintaining competitive advantage cannot be ignored, and a Finance Director or IT Manager would be grossly negligent in failing to have answers on this important matter.

source

Sunday, July 19, 2009

BALANCE SHEET OF LIFE

Our Birth is our Opening Balance

Our Death is our Closing Balance

Our Prejudiced Views are our Liabilities

Our Creative Ideas are our Assets

Heart is our Current Asset

Soul is our Fixed Asset

Brain is our Fixed Deposit

Thinking is our Current Account

Achievements are our Capital

Character & Morals, our Stock-in-Trade

Friends are our General Reserves

Values & Behavior are our Goodwill

Patience is our Interest Earned

Love is our Dividend

Children are our Bonus Issues

Education is Brands / Patents

Knowledge is our Investment

Experience is our Premium Account

The Aim is to Tally the Balance Sheet Accurately.

The Goal is to get the Best Presented Accounts Award.


Some very Good and Very bad things...

The most destructive habit......................Worry

The greatest Joy...............................Giving

The greatest loss................Loss of self-respect

The most satisfying work...............Helping others

The ugliest personality trait.............Selfishness

The most endangered species.........Dedicated leaders

Our greatest natural resource...............Our youth

The greatest "shot in the arm"..........Encouragement

The greatest problem to overcome.................Fear

The most effective sleeping pill........Peace of mind

The most crippling failure disease............Excuses

The most powerful force in life..................Love

The most dangerous pariah..................A gossiper

The world's most incredible computer........The brain

The worst thing to be without................... Hope

The deadliest weapon.......................The tongue

The two most power-filled words..............."I Can"

The greatest asset..............................Faith

The most worthless emotion..................Self-pity

The most beautiful attire......................SMILE!

The most prized possession................Integrity

The most powerful channel of communication.....Prayer

The most contagious spirit.................Enthusiasm

The most important thing in life..................GOD


Chinese Proverb:
"When someone shares something of value with you and you benefit from it,
you have a moral obligation to share it with others"

Wednesday, July 15, 2009

Audit Program for Collections and Remittances

Collections and remittances are important in an organization. They must be properly safeguarded against losses, theft and malversation. The audit program for collections and remittances is shown below:

Audit Objectives:

1. To determine that collections and remittances are recorded properly.

2. To establish the existence and amount of unremitted collections in the hands of collecting officers.

3. To establish the accuracy of the General Ledger account.

Audit Procedures
Analytical Review:

1. Compare reported collections of prior years with current year’s collection. Note material variances.
2. Compare targeted collections for this period with actual collections for the same period. Mark notable variances.

Test of details of balances and transactions:

3. Check entries in the Report of Collections against duplicate ORs. Verify footings and trace to subsidiary accounts. Check remittances reported against actual deposits made.

4. Get a representative sample of duplicate ORs. Confirm with the payees by sending out confirmation letters with focus on amounts paid and nature of imported cargo.

5. Examine ORs for:
-amounts and dates
-mode of payment, whether cash or check
-account distribution and fund classification
-numerical sequence
-erasures and alterations
-authenticity

6. Check numerical sequence of ORs issued against monthly report of accountable forms

7. Examine reported deposits for:
-validity
-authenticity
-fund classification
-erasures and alterations

8. Check reported deposits by confirming with the depository bank thru the Resident Auditor assigned thereat.
9. Trace entries in the General Ledger account to the entries in the appropriate journal. Verify footings and balance.
10. Check entries in the journals against those in the records/reports.
11. Conduct cash examination on the cash and accounts of the collecting officers.

Audit Program for Expenses

The audit program for the examination of expenses is as follows:

Audit Objectives:

To determine whether the agency’s funds are utilized only for the purpose for which the funds were made available.

To determine whether the agency’s funds are utilized in accordance with pertinent laws, rules and regulations.

To ascertain whether the expenditures are duly accomplished and approved by the head of the agency or duly authorized representatives.

To ascertain whether the expenditures are properly supported by documents and other evidence to establish the validity, propriety and correctness of the claim.

To determine the correctness of the expense classification.

Audit Procedures

1. Collate and inventory all Disbursement Vouchers
-check timeliness of submission
2. Check completeness of submitted vouchers based on checks issued for the month
3. Check DVs for adequacy of supporting documents.
4. Take note of lacking documents in WPs. Determine that documents are stamped “PAID” to preclude their subsequent use.
5. Take note of any deficiency in the disbursement, if any. Verify that amounts are correctly computed.
6. Trace vouchers to entries in the cash disbursement records, noting propriety of account distribution
7. Check correctness of entries in JEV
8. Check propriety of disbursement
9. Check propriety of signatories
10. Check funds availability
11. Account for numerical sequence of checks issued
12. Prove footings of disbursement records/books
13. Trace postings from appropriate books of accounts to GL

Audit Program for Accounts Payable

Accounts Payable should also be properly taken care of to ensure that they actually exist. The audit program for payables is shown below:

Audit Objectives:

To determine that all existing liabilities are properly recorded and shown in the balance sheet
To determine that all the recorded liabilities are existing liabilities of the agency as of balance sheet date
To determine that payees are valid claimants
To ascertain that transactions are duly approved and complete with supporting documents

Test of details of transactions and balances:

1. Vouch recorded accounts payable transactions to supporting documentation.
2. Vouch credits to supporting vouchers, vendor invoices, receiving reports, and purchase orders and other supporting information.
3. Vouch debits to cash disbursements or purchase returns memoranda.

4. Perform purchases cut-off test.
Select sample of recorded purchase transactions from several days before and after year-end and examine supporting vouchers, invoices, etc. to determine that purchases were recorded in the proper period.

Observe the number of the last receiving report issued on the last business day of the audit period and trace sample of lower- and higher-numbered receiving reports to related purchase documents and determine that transactions were recorded in the proper period.

Perform cash disbursements cut-off.
Observe the number of last check issued and trace to the accounting records to verify accuracy of cut-off, or trace dates of paid checks returned with year-end cut-off bank statements to dates recorded.

Confirm accounts payable. On a sample basis, send confirmation requests to vendors with large balances. Investigate and reconcile differences.

Determine that payables are properly identified and classified.

Audit Program for PROPERTY, PLANT AND EQUIPMENT

PROPERTY, PLANT AND EQUIPMENT (PPE) are very important assets of an organization and hereunder is an audit program in the examination of such assets:

Audit Objectives:

To establish the existence and ownership by the client of property, plant and equipment.
To ascertain that the basis at which property accounts are stated is acceptable and consistent with that of the preceding year
To determine that additions during the audit period are recorded and valued properly
To make certain that all dispositions of property whether transferred without cost or disposed have been properly authorized and recorded in the books
To ascertain that all properties in the hands of end-users are properly identified and handled or managed and corresponding Memorandum Receipts (MRs) are on file and acknowledged by them
To ascertain that totals per inventory report tally with balances appearing in the Balance Sheet
To ascertain whether all PPE are stated at cost less accumulated depreciation, and to determine whether depreciation of these assets had been properly and accurately computed.

Test of details of transactions and balances:

1. Vouch PPE additions to supporting documentation.
2. Vouch PPE disposals to supporting documentation.
3. Review entries to repairs and maintenance expenses.
4. Inspect PPE and additions thereto. Be alert to evidence of additions and disposals not included on agency’s schedules and to conditions that bear on the proper valuation and classification of the PPE.
5. Examine title documents and pertinent papers.
6. Evaluate fair presentation of depreciation expense by evaluating the appropriateness of useful lives and estimated salvage values set by the Commission on Audit.
7. Determine that PPE and related expenses, gains, and losses are properly identified and classified in the financial statements.
8. Determine the appropriateness of disclosures related to the cost, book value, depreciation methods and useful lives.

Audit Program for Inventories

Here is an audit program for inventories which is very useful for auditors:

Audit Objectives:

To ascertain the physical existence of the items appearing in the balance sheet and to be satisfied of the reasonable accuracy of quantities
To ascertain whether all recorded procurements and utilization occurred during the current year.
To test whether the inventories are properly valued using the moving average method of costing.

Analytical Procedure:

Compare inventory balances to anticipated need as well as to last year’s inventory balances.

Test of details of transactions:

1. Vouch entries in inventory accounts to supporting documentation (e.g. invoices, requisition and issue slips, etc.)
2. Trace data from purchases, supply card, subsidiary ledgers to inventory accounts.
3. See if the asset method of accounting is applied.
4. Test cut-off of purchases and issuances.

Test of details of balances:

5. Observe agency’s physical count and verify inventory quantities:
- Review the client’s inventory instructions, if any. Determine whether the procedures outlined will result in reasonably accurate inventory.
- Observe the inventory-taking and make sufficient test counts to determine whether inventory instructions are carried out, counts are accurate and properly recorded, and quality and condition of goods are considered
- Obtain proper cut-off
- Note existence of obsolete, slow-moving or damaged goods
- Test check extension and footings of Inventory List
- Check against Memorandum Receipts
- Assist in the inventory-taking personally or by representative
- Conduct inquiry/personal observation to satisfy oneself as to effectiveness of methods of inventory-taking and as to reliability of client’s representations
- Prepare reports as to results of inventory-taking observed
- Obtain copy of final inventory lists, trace test of inventory quantities
- Compare final inventory list with the inventory balances appearing in the Supplies Ledger cards maintained by the Accounting Division as well as the inventory balances indicated in the stock cards of the Supply Office. Note down differences.

6. Verify inventory valuation: test check basis of prices from purchase orders/delivery receipts. See whether ending balances were arrived at using the moving average method of valuation. Reconcile inventory report balances with balances appearing in the balance sheet.

Audit Program for Receivables

Audit Objective: To establish the validity and collectibility of the receivables and the fairness of the description and classification of these receivables in the Balance Sheet

Analytical Review:

Compare last year’s Accounts Receivable with the current period receivables, segregating them as to kind or nature of the receivable. Take note of significant increases/decreases. Know the causes of such significant differences.

Test of Details of Balances and Transactions:

1. Obtain/prepare a schedule of receivables with the following:
- name
- address
- balance of account
- age of account balance
2. Pay particular attention to Receivables in the nature of advances to employees for traveling expenses.
3. Foot the schedule and trace totals to GL
4. Compare balances in SL and test accuracy of aging
5. Verify collections made after balance sheet date
6. Ascertain that AR represent valid claims against existing debtors
7. Determine validity of AR
8. Determine collectibility of AR.
9. Confirm receivables
- Write positive or negative confirmation letter
- Jot down details and items that need to be clarified
10. For receivables in the nature of traveling advances, prepare demand letters for their liquidation in accordance with pertinent regulations.
11. Make an evaluation of results of work done
12. Prepare working paper and report

Receivables are also an important element of financial statements, so they must be examined carefully by an auditor.

Audit Program for Cash Receipts Transactions and Cash Balances

Hereunder is a useful audit program for auditing Cash Receipts Transactions and Cash Balances:

Audit Objective: To determine whether cash balances at month-end/year-end are valid and actually exist.

Analytical Procedures:

1. Compare cash accounts with those of prior years and investigate additions or deletions of accounts;
2. Compare cash receipts from miscellaneous sources with those of prior year and account for major changes.

Other Procedures:

3. Count and list cash on hand at year-end and trace to cash receipts record and bank statement.
4. Vouch significant cash receipts from sources other than customers and trace to deposit slips and bank statements on a test basis.
5. Confirm bank balances directly with bank and BTr. Compare replies and investigate differences, if any.
6. Reconcile bank accounts as of year-end.
7. Obtain cutoff bank statement(s) directly from banks and trace reconciling items from bank reconciliation to cut-off statement.
8. Inquire as to status of inactive bank accounts.
9. Review GL account balances and trace postings from the underlying receipts and supporting documents to the reports and journals.
10. Prepare/obtain schedule of collections and deposits per bank account as of month-end/year-end.
11. Compare schedule with SL accounts. Examine the schedule footings and compare totals with the GL.
12. Review/verify bank reconciliation statements.
13. Note differences between bank and book balances and verify whether reconciling items are properly recorded in the books of accounts.
14. Prepare draft AO and discuss with management officials concerned before issuance.

Sunday, July 12, 2009

Generally Accepted Auditing Standards

Generally Accepted Auditing Standards, or GAAS, are ten auditing standards, developed by the AICPA, consisting of general standards, standards of field work, and standards of reporting, along with interpretations. They were developed by the AICPA in 1947 and have undergone minor changes since then.

General Standards

1. The auditor must have adequate technical training and proficiency to perform the audit.
2. The auditor must maintain independence in mental attitude in all matters related to the audit.
3. The auditor must use due professional care during the performance of the audit and the preparation of the report.

Standards of Field Work

1. The auditor must adequately plan the work and must properly supervise any assistants.
2. The auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures.
3. The auditor must obtain sufficient appropriate audit evidence by performing audit procedures to afford a reasonable basis for an opinion regarding the financial statements under audit.

The new standards are in effect for audits of financial statements for periods beginning on or after December 15, 2006.

Standards of Reporting

1. The auditor must state in the auditor's report whether the financial statements are in accordance with generally accepted accounting principles (GAAP).
2. The auditor must identify in the auditor's report those circumstances in which such principles have not been consistently observed in the current period in relation to the preceding period.
3. When the auditor determines that informative disclosures are not reasonably adequate, the auditor must so state in the auditor's report.
4. The auditor must either express an opinion regarding the financial statements, taken as a whole, or state that such an opinion cannot be expressed in the auditor's report. When the auditor cannot express an overall opinion, the auditor should state the reasons therefor in the auditor's report. In all cases where the auditor's name is associated with the financial statements, the auditor should clearly indicate the character of the auditor's work, if any, and the degree of responsibility the auditor is taking, in the auditor's report.

Generally Accepted Auditing Standards should be properly observed by an auditor.

Wednesday, July 8, 2009

Roles of an Auditor

Auditors as representatives of the Commission. - The Auditors shall exercise such powers and functions as may be authorized by the Commission in the examination, audit and settlement of the accounts, funds, financial transactions, and resources of the agencies under their respective audit jurisdiction.

Role of the Auditor. - The Auditor shall maintain complete independence and exercise professional care and be guided by applicable laws, regulations and the generally accepted principles of auditing and accounting in the performance of the audit work as well as in the preparation of audit and financial reports.

Responsibility to Accumulate Sufficient Evidence. - The Auditor shall obtain, accumulate, and safeguard sufficient evidence to provide an appropriate factual basis for his opinions, conclusions, judgments and recommendations. Evidence needed to support his findings may be (1) physical evidence obtained by observation, photograph, ocular inspection, or similar means, (2) testimonial evidence obtained by interviewing and taking sworn statements from witnesses, (3) documentary evidence consisting of letters, contracts, reports, extracts from books of accounts, invoices, receipts and computer print-outs and (4) analytical evidence such as analysis sheets/working papers prepared.

The technicalities of law and the rules governing the admissibility and sufficiency of evidence obtaining in the courts of law shall not strictly apply.

Report, Certificate of Settlement and Balances, Notice of Disallowances and Charges, Order or Decision of the Auditor. - The result of the audit work of the Auditor may be in the form of a report, Certificate of Settlement and Balances, notice of disallowances and charges, audit observation, order or decision which shall clearly and distinctly state his findings of fact, conclusions, recommendations and dispositions. The factual findings shall be adequately established by evidence and the conclusions, recommendations or dispositions shall be supported by applicable laws, regulations, jurisprudence and the generally accepted accounting and auditing principles on which the report, Certificate of Settlement and Balances, notice of disallowances and charges and order or decision are based.

The roles of an auditor are quite difficult, but they must be strictly observed for the outstanding performance by the auditor of his duties and responsibilities.

Wednesday, June 24, 2009

Pre-audit compared with post-audit

Hereunder is the definition of pre-audit as against post-audit of government transactions:

Pre-audit is an examination of vouchers, contracts, etc., in order to substantiate a transaction or a series of transactions before they are paid for and recorded.

Post-audit is an audit of accounting records, conducted at some interval of time after a transaction or a series of transactions has already occurred.

An expounded definition of pre-audit vs post-audit, particularly by COA, is given by MARCELO L. TECSON as shown below:

COA audit of government expenditures—whether on post audit or pre-audit basis—involves determination of compliance to governmental laws and regulations, like required APPROPRIATION or budget, LEGALITY of transaction, proper APPROVAL, and SUPPORTING documents (code-named “ALAS”).

PARTIAL COA PRE-AUDIT

Partial COA pre-audit involves doing the same kind of work under the present 100% COA post audit, including looking at exactly the same disbursement vouchers and supporting documents being used in post audit, except that pre-audit is done earlier--or BEFORE payment and consummation of government transactions--on selected key government transactions, therefore:

(1) It does not entail increase in volume of COA audit work; it just advances the audit work to dates before payment of transactions and, in the process, compels COA to do its work promptly and without delay--because the audited government agencies/corporations are waiting for COA's pre-audit verdict on the disbursement vouchers before effecting payments.

In effect, the PRICE of preventing multi-billion-peso corruption under COA pre-audit is timely and expeditious work on the part of COA auditors. They have to act within prescribed time limits on disbursement vouchers submitted for pre-audit by audited agencies/entities. This greater demand from COA is tolerable because, to begin with, its crucial fraud-prevention pre-audit work will cover only a few high-amount and high-risk transactions.

(2) It can detect and prevent corruption because it is done BEFORE payments are made, or when acts of corruption are not yet consummated and it is not yet too late to stop them, thus it is useful in the PREVENTION of corruption.

(3) Consequently, it has the great ADVANTAGE of avoiding or minimizing the disgraceful and debilitating LOSSES of BILLIONS upon BILLIONS of PESOS in government funds from rampant corruption.

100% COA POST AUDIT

COA post audit involves doing the same kind of work under pre-audit and looking at exactly the same disbursement vouchers and supporting documents already available even prior to payment, except that it is intentionally done later, or AFTER execution and payment of government transactions, consequently:

(1) It does not contribute to reduction in volume of COA audit work, just postponement of it to later dates after government transactions or disbursements are already consummated.

(2) It cannot detect and prevent corruption because it is done AFTER payment of transactions, or when acts of corruption are already consummated and it is too late to stop them, hence it is USELESS in the PREVENTION of corruption and cannot do away with the need for selective COA pre-audit as potent fraud-prevention measure.

(3) Consequently, under 100% COA post audit, there is a great DISADVANTAGE or cost penalty to the government—LOSSES of BILLIONS upon BILLIONS of PESOS in public funds from unhampered and hence unabated CORRUPTION.

Economic sting

Commission on Audit under COA Circular No. 2009-002 dated May 18, 2009 defines pre-audit and post-audit as follows:

Pre-audit is the examination of documents supporting a transaction or series of transactions before these are paid for and recorded. Pre-audit operates to determine that the proposed expenditure is for a purpose in compliance with the appropriation law, other specific statutory authority and regulations. It assures that sufficient funds are available to enable payment of the claim. It also initially determines that the proposed expenditure is not illegal, irregular, extravagant, excessive, unconscionable or unnecessary. Moreover, pre-audit determines that the transaction is approved by proper authority and duly supported by authentic underlying evidences.

Post-audit covers the same areas and is supplemented by tracing the transaction under audit to the books of accounts. It also includes a final determination that the transaction is not illegal, irregular, extravagant, excessive, unconscionable or unnecessary. In general and wherever practical, the scope of post-audit work covers all areas identified in the risk assessment and embraces financial, compliance and value for money audits. Transactions subjected to pre-audit shall be post-audited without reperforming the audit procedures previously undertaken in pre-audit, unless there is compelling reason to reperform the same.

COA Circular No. 2009-002

There is really a need nowadays to reinstitute selective pre-audit on government transactions to prevent the occurrence of irregularities/anomalies in the government.

Monday, June 22, 2009

Selective Pre-audit on Government Transactions

Starting July 1, 2009, the Commission on Audit, through COA Circular No. 2009-002 dated May 18, 2009, is reinstituting selective pre-audit on government transactions. This is because of recent developments which gave rise to incidents of irregular, illegal, wasteful and anomalous disbursements of huge amounts of public funds and disposal of public property. Indeed, corruption is everywhere nowadays; you can see or hear it in the news every day, pointing to the need to consider restoring pre-audit as a deterrent against resurgence of the observed maladies. For the full text of COA Circular No. 2009-002, please click below:

COA Circular No. 2009-002