09.2 audit siklus pembelian dan pembayaran

Information technology auditing, 3rd editionJames A. Hall

Chapter 10Auditing the

expenditures cycle

Task associated with expenditures cycle Audit objectives - expenditures cycle Audit objectives, controls, and test of control

Expenditures cycle – substantive test

Production Dept

Warehouse/ Inventory

request for

inventoryPurchase

Dept

Check for the availability

Inventory Balance

Purchase

Requisition

Vendor

Purchase Order

Receiving Depart

Inventory and

Receiving Report

Warehouse/ Inventory

Inventory

Inventory

A/P Dept

Vendor’s Invoice

Receiving Report

Treasury

Cash Disbursement Voucher

DFD of Purchases System

• Begins in Inventory Control when inventory levels drop to reorder levels.

• PR is prepared and copies sent to Purchasing and A/P

• Purchasing prepares a PO for each vendor and sends copies to Inventory Control, A/P, and Receiving.

A Manual Purchases System

• Upon receipt, Receiving counts and inspects the goods.

– Blind copy of PO is used to force worker to count goods.

• Rec report is prepared and copies sent to raw materials storeroom, Purchasing, Inventory Control, and A/P.


blind copy of P

O

• A/P eventually receives copies of the PR, PO, Rec Report, and the supplier’s invoice.

• A/P reconciles these docs, posts to purchase journal, and records liability in the AP subsidiary ledger.


• A/P periodically summarizes the entries in the purchases journal as a journal voucher which is sent to the General Ledger (G/L) department.

Inv-Control or Purchases DR

Accts Payable-Control CR

• A/P also prepares a cash disbursements voucher and posts it in the voucher register.


• G/L department:

– posts from the accounts payable journal voucher to the general ledger

– reconciles the inventory amount with the account summary received from inventory control


Manual Purchases Flowchart

DFD of Cash Disbursements System

• Periodically, A/P searches the open vouchers payable file for items with payments due:

– A/P sends the vendor’s voucher and supporting documents to Cash Disbursements

– A/P updates the accounts payable subsidiary ledger

A Manual Cash Disbursement System

• Cash Disbursements Departement:

– prepares the check

– records the information in a check register (cash disbursements journal)

– returns paid vouchers to accounts payable, mails the check to the supplier

– sends a journal voucher to G/L:

Accounts Payable DR

Cash CR


• G/L department receives:

– the journal voucher from cash disbursements

– a summary of the accounts payable subsidiary ledger from A/P

• The journal voucher is used to update the general ledger.

• The accounts payable control account is reconciled with the subsidiary summary.


Cash Disbursements System

• CBAS technology can be viewed as a continuum with two extremes:

– automation - use technology to improve efficiency and effectiveness

– reengineering – use technology to restructure business processes and firm organization

Computer-Based Accounting System

Level 1: Computer generates PR

– Purchases manually generates PO

Level 2: Computer generates PO (no PR needed)

– PO not sent until manually reviewed

Level 3: Computer-generated PO is automatically sent without manual review

Level 4: Electronic Data Interchange (EDI)

– Computer-to-computer communication without PO

Levels of Automating and Reengineering Ordering

• Master Files– supplier (vendor) master file– accounts payable master file– merchandise inventory

master file• Transaction and Open Document

Files– purchase order file• open purchase order file

– supplier’s invoice file– open vouchers file– cash disbursements file

• Other Files– supplier reference and

history file– buyer file– accounts payable detail file

Expenditures Cycle Database

Automated Batch Purchases

Automated Batch Purchases

Reengineered Purchases/Cash Disbursements

• A Data Processing Dept. performs routine accounting tasks.

• Purchasing - a computer program identifies inventory requirements

• The following methods are used for authorizing and ordering inventories:

– the system prepares POs and sends them to Purchases for review, signing, and distributing, or

– the system distributes POs directly to the vendors and internal users, bypassing Purchases, or

– the system uses electronic data interchange (EDI) and electronically places the order without POs

Computer-Based Purchases

• Other tasks performed automatically by the computer:

– Updates the inventory subsidiary file from Rec Report.

– Calculates batch totals for general ledger update

Computer-Based Purchases

– Closes the correspond records in the open PO file to closed PO file

– Validates the voucher records against valid vendor files

• Tasks performed automatically by the computer:

– the system scans for vouchers currently due

– prints checks for these vouchers

– records these checks in the check register

– batch totals are prepared for the general ledger update procedure

Computer-Based Cash Disbursements

• Shortens the time-lag in record-keeping; hence, records are more current

• Eliminates much of the routine manual procedures, such as transcribing information onto paper documents

• Eliminates much of the storage and shuffling of paper documents

• Reduces data entry correction procedures

Advantages of Real-Time Input and Processing over Batch Processing

Summary of Internal Controls

General Internal Controls

• Organization controls

– segregation of duties

• Documentation

• Asset Accountability Controls

• Management Practices

• Data Center Operations Controls

• Authorization Controls

• Access Controls

• Purchases of inventory should be authorized by the Inventory Control department, not by purchasing agents

• Accounts Payable authorizes the payments of bills, not the cash disbursements clerk, who writes the checks

How do these controls change in a CBAS?

Manual Authorization Controls

• Authorizations are automated.– programmed decision rules must be debugged (find

and reduce bug/ defect)• Automating inventory in EDI and JIT – faulty inventory model can lead to over-purchasing or

under-purchasing• Cash disbursements may automate check printing and

signing.– programming logic must be flawless – automated signing only below a dollar threshold

Computer-Based Authorization Controls

• Warehouse (stores)

• Inventory control

• Accounts payable

• General ledger

• Requisitioning

• Purchases

• Purchases returns and allowances

• Cash disbursements

Traditional Segregation of Duties

• Custody of the asset, inventory, by the Warehouse must be separate from recordkeeping for the assets by the Inventory Control.

• Custody of the asset, cash, by Cash Disbursements must be kept separate from recordkeeping for the asset by A/P.


Manual Segregation of Duties

• Extensive consolidation by the computer of tasks traditionally segregated– computer programs authorize and process purchase

orders (reduce order time-lag)– computer programs authorize and issue checks to

vendors

Computer-Based Segregation of Functions

• Within the expenditure cycle, supervision is of highest importance in the Receiving department, where the inventory arrives and is logged in by a receiving clerk. Need to minimize:

– failures to properly inspect the assets

– theft of the assets


Manual Supervision

• Automation often leads to a collapsing of the traditional segregation of duties.

– requires greater supervision

• Supervision takes on new aspects as technology advances.

– electronic monitoring

• Supervision because more difficult as the workplace becomes more sophisticated.

– employees may have advanced IT training

Computer-Based Supervision

• Must maintain adequate records for:

– accounts payable

– vouchers payable

– checks

– general ledger

– subsidiary ledgers


Manual Accounting Records

• Accounting records rest on the reliability and security of stored digitalized data.

– Accountants should be skeptical about the accuracy of hard-copy printouts.

– Backups - the system needs to ensure that backups of all files are continuously kept.

• Most automated systems still have a lot of paper documents.

– This is good for audit trail purposes but is often inefficient.

– As the system becomes increasing paperless, maintaining an audit trail becomes more difficult.

Computer-Based Accounting Records

• Access to:

– inventories (direct access to make fraud)

– cash (direct access)

– accounting records (indirect access)


Manual Access Controls

• Magnetic records are vulnerable to both authorized and unauthorized exposure and should be protected

– must have limited file accessibility

– programs must be safeguarded and monitored

Computer-Based Access Controls

• A/Payable Dept. verifies much of the work done within the expenditure cycle.

– PR, PO, receiving reports, and suppliers’ invoices must be checked and verified by A/P.

• G/Ledger Dept. verifies:

– the total obligations recorded equal the total inventories received

– the total reductions in accounts payable equal the total disbursements of cash


Manual Independent Verification

• Automating the accounting function reduces the need for verification by reducing the chances of fraud and error in the expenditure cycle.

• However, the need for verification shifts to the computer program and the programmers where fraud and error may still be present.

Computer-Based Independent Verification

Threats in the process of ordering goods include:

– THREAT 1: Stockouts and/or excess inventory

– THREAT 2: Ordering unnecessary items

– THREAT 3: Purchasing goods at inflated prices

– THREAT 4: Purchasing goods of inferior quality

– THREAT 5: Purchasing from unauthorized suppliers

– THREAT 6: Kickbacks

– EDI-Related threats

– Threats related to purchases of services

Threats in Ordering Goods

The primary objectives of this process are to:

– Verify the receipt of ordered inventory.

– Safeguard the inventory against loss or theft.

Threats in the process of receiving and storing goods include:

– THREAT 7: Receiving unordered goods

– THREAT 8: Errors in counting received goods

– THREAT 9: Theft of inventory

Threats in Receiving and Storing Goods

The primary objectives of this process are to:– Pay only for goods and services that were ordered and

received.– Safeguard cash.

Threats in the process of approving and paying vendor invoices include:– THREAT 10: Failing to catch errors in vendor invoices– THREAT 11: Paying for goods not received– THREAT 12: Failing to take available purchase discounts– THREAT 13: Paying the same invoice twice– THREAT 14: Recording and posting errors to accounts

payable– THREAT 15: Misappropriating cash, checks, or EFTs

Threats in Approving and Paying Vendor Invoices

• Achieving audit obj require designing audit procedure to gather evidence that either corroborates or refutes mgt assertions.

• It involves a combination of ToC and substantive tests of details. The specific controls addressed here are based on the application controls framework, which classifies controls into: input controls, process controls, and output controls.

• Within this framework, we examine application controls, tests of controls, and the audit objectives to which they relate.

EXPENDITURES CYCLE AUDIT OBJECTIVES, CONTROLS, AND TEST OF CONTROLS

Input controls are designed to ensure that transactions are valid, accurate, and complete.

• Data Validation Controls

Input validation controls are intended to detect transcription errors in transaction data before they are processed.

Missing data checks: to examine the contents of a field for the presence of blank spaces.

Numeric-alphabetic data checks. Limit checks. Range checks assign upper and lower limits to acceptable data

values. Validity checks compare actual values in a field against known

acceptable values. Check digit controls.

INPUT CONTROLS

Testing Validation Controls

Audit procedures provide evidence about the accuracy assertion:

The auditor may decide to rely on the quality of other controls to provide the assurance needed to reduce substantive testing. Ex: after reviewing systems development and maintenance controls, auditor may determine that controls over original program design and testing and subsequent changes to programs are effective.

ITF or the test data approach enable the auditor to perform explicit tests of the validation logic. This evidence help auditor determine the nature, timing, and extent of subsequent substantive tests.

The auditor can achieve some degree of assurance by reviewing error listings and error logs. These documents provide evidence of the effectiveness of the data entry process, the types and volume of errors encountered, and the manner in which the errors are corrected and reentered into the system.

INPUT CONTROLS

Batch Controls

The objective of batch control is to reconcile output produced by the system with the input originally entered into the system.

The information contained in the transmittal sheet is entered as a separate control record that used to verify the integrity of the batch. Periodic reconciliation between the data in the transmittal record and actual processing results provides assurance of the following:

All invoices that were entered into the system were processed.

No invoices were processed and paid more than once.

All invoices entered into the system are accounted for as either successfully processed or rejected because of errors.

INPUT CONTROLS

Testing Batch Controls

Tests of batch controls provide the auditor with evidence relating to the assertions of completeness and accuracy.

Testing batch controls involves reviewing transmittal records of batches processed throughout the period and reconciling them to the batch control log.

The auditor needs to investigate out-of-balance conditions to determine their cause.

INPUT CONTROLS

Purchases Authorization Controls Purchases authorization actually occurs in the revenue cycle when goods

are sold to customers.

At that time, the system compares the quantity-on-hand with the reorder point to determine if the inventory needs to be reordered.

Testing Purchases Authorization Controls The following tests of controls provide evidence pertaining to the

accuracy and valuation assertions.

Since PReq are internally generated, they should be free from clerical errors and do not need validating. However, computer logic errors in this procedure can cause negative operational and financial consequences.

Testing these controls using CAATTs involves creating test inventory records and sales trans that reduce the inventory items below their reorder point. The resulting PReq and inventory records can then be examined for evidence of properly functioning controls.

INPUT CONTROLS

Employee Authorization

The personnel department:

prepares and submits personnel action forms to the payroll department. These documents are used to effect changes in hourly pay rates, payroll deductions, and job classification.

identify employees who are authorized to receive a paycheck. This information plays an important role in preventing errors and payroll fraud.

A common form of fraud: overcharging or fictitiounus.

When employee authorization procedures are computerized, the payroll program matches each attendance record with a corresponding record in the current personnel action file.

→ Any attendance records that do not match should be rejected and investigated by management.

INPUT CONTROLS

Testing Employee Authorization Procedures

The following tests of controls provide evidence pertaining to the existence, accuracy, valuation, and rights and obligation assertions.

Using either the test data or integrated test facility (ITF) approaches:

→ the auditor can assess the correctness of programmed procedures that validate employee authenticity.

The auditor can obtain assurance that the file has integrity when the following controls exist:

access to the authorized employee file is password controlled;

additions to and deletions from the file are restricted to authorized individuals in the personnel department;

and the employee records stored on the file are encrypted.

INPUT CONTROLS

Process controls include computerized procedures for updating files and restricting access to data.

File Update Controls

Run-to-run controls use batch control data to monitor the batch as it moves from one programmed procedure (run) to another.

Sequence Check Control.

Liability Validation Control. An important control in purchases/accounts payable systems is the validation of the liability prior to making payment. The process involves reconciling supporting documents including the purchase order, receiving report, and supplier’s invoice.

Valid Vendor File. The valid vendor file is similar to the authorized employee file.

PROCESS CONTROLS

Process controls include computerized procedures for updating files and restricting access to data.

Testing File Update Controls.

Failure of file update controls can result in transactions (1) not being processed (liabilities are not recognized and recorded), (2) being processed incorrectly (i.e., payments are approved for unauthorized recipients), or (3) being posted to the wrong supplier’s account.

Tests of file update controls provide evidence relating to assertions of existence, completeness, rights and obligations, and accuracy.

Tests of sequence checks can be performed using either ITF or the test data approach.

Testing the liability validation logic requires understanding the decision rule for matching supporting documents. By creating test purchase orders, receiving reports, and supplier invoices, the auditor can verify whether decision rules are being correctly applied.

PROCESS CONTROLS

Access Controls

Access controls prevent and detect unauthorized and illegal access to the firm’s assets. An individual with unrestricted access to data can manipulate the assets of the firm and cause fs to be materially misstated.

The following are examples of risks specific to the expenditure cycle:

1. Once recognized by the system as a legitimate liability, the AP account will be paid even though no purchase transaction transpired.

2. Access to employee attendance cards may enable an unauthorized individual to trigger an unauthorized paycheck.

3. An individual with access to both cash and accounts payable records could remove cash from the firm and record the act as a legitimate disbursement.

4. An individual with access to physical inventory and inventory records can steal products and adjust the records to cover the theft.

PROCESS CONTROLS

Testing Access Controls

In the absence of adequate controls, supplier invoices can be deleted, added, or falsified. Individual payroll account balances can be erased or the entire accounts payable file can be destroyed.

Evidence gathered about the effectiveness of access controls tests the management assertions of existence, completeness, accuracy, valuation and allocation, rights and obligations, and presentation and disclosure.

Since payments to false vendors carries such potential for material loss, the auditor is concerned about the integrity of the valid vendor file. By gaining access to the file, a computer criminal can place his or her name on it and masquerade as an authorized vendor.

The auditor should therefore assess the adequacy of access controls protecting the file. These include password controls, restricting access to authorized managers, and using data encryption to prevent the file contents from being read or changed.

PROCESS CONTROLS

Physical Controls

Purchases System Controls

Segregation of inventory control from the warehouse.

Segregation of the GL and AP from cash disbursements.

Supervision of receiving department, reduces the chances of failure to properly inspect the assets and the theft of assets.

Inspection of assets. Receiving clerks must inspect items for proper quantities and condition (damage, spoilage, and so on), with a blind PO. Incoming goods are accompanied by a packing slip. A supervisor should take custody of the packing slip while receiving clerks count and inspect the goods.

Reconciliation of supporting documents: PO, Receiving report, and supplier’s invoice.

PROCESS CONTROLS

Payroll System Controls

Verification of timecards, verify their accuracy and sign them.

Supervision / CCTV.

Paymaster. The use of an independent paymaster to distribute checks (rather than the normal supervisor) helps verify the existence of the employees.

Payroll imprest account. Employee paychecks are drawn on a special payroll imprest account at the bank, which is used only for payroll clearing.

PROCESS CONTROLS

Testing Physical Controls

The auditor’s review of organizational structure should disclose the more egregious examples of incompatible tasks, such as one individual opening and approving timecards, authorizing employee payments, and receiving and distributing the paychecks.

In automated environments, the auditor’s concern should focus on the integrity of the computer programs that perform these tasks. Is the logic of the computer program correct? Has anyone tampered with the application since it was last tested? Have changes been made to the program that could have caused an undisclosed error? Are there adequate formal procedures (i.e., supervision) to compensate for the lack of segregation of duties?

Answers to these questions come from the auditor’s review of systems development and maintenance controls and by reviewing organizational structure.

PROCESS CONTROLS

Output controls are designed to ensure that information is not lost, misdirected, or corrupted and that system processes function as intended.

Invoice (AP) file listing past-due liabilities can identify discounts lost and help mgt assess the operational performance of the AP process.

Reconciling the GL can detect certain types of transaction errors. Example, total of all reductions to AP should = total cash disbursements to vendors.

Other important element of output control is the maintenance of an audit trail.

The following are examples of audit trail output controls.

Accounts Payable Change Report Transaction Logs Transaction Listing Log of Automatic Transactions Unique Transaction Identifiers Error Listing

OUTPUT CONTROLS

Testing Output Controls

Evidence gathered through tests of output controls relates to the completeness and accuracy assertions.

Testing output controls involves reviewing summary reports for accuracy, completeness, timeliness, and relevance to the decision that they are intended to support.

In addition, the auditor should trace sample transactions through audit trail reports, including transaction listings, error logs, and logs of resubmitted records.

Alternatively, the auditor can test output controls directly using ITF. A well-designed ITF system will permit the auditor to produce a batch of sample transactions, including some error records, and trace them through all phases of processing, error detection, and output reporting.

OUTPUT CONTROLS

Expenditure Cycle Risks and Audit Concerns

External auditors are concerned primarily with the potential for understatement of liabilities and related expenses. Substantive tests of expenditure cycle accounts are therefore directed toward gathering evidence of understatement and omission of material items rather than their overstatement.

In resolving these concerns, the auditor will seek evidence by performing a combination of tests of internal controls and substantive tests. Tests of controls include testing both general controls and application controls.

In addition to tests of controls, the auditor must perform substantive tests to achieve audit objectives.

SUBSTANTIVE TESTS OF EXPENDITURE CYCLE

Understanding Data

The substantive tests described in this section involve extracting data from accounting files for analysis.

The auditor must verify that he or she is working with the correct version of the file to be analyzed. To do so, the auditor must understand the file backup procedures and, if possible, work with the original files.

Data description of each file follows.

Inventory File

The Inventory file contains quantity, price, supplier, and warehouse location data for each item of inventory. When inventory items are sold or used in production, the Quantity-on-Hand field is reduced accordingly by a computer application. With each inventory reduction, the system tests for a “reorder” condition, which occurs when the quantity-on-hand falls below reorder point. The system prepares a PO, which is sent to the vendor, and adds a record to Purchase Order file.


Understanding Data

Purchase Order File

This file contains records of purchases placed with suppliers.

Purchase Order Line Item File

The Line Item file contains a record of every item ordered.

Receiving Report File

When the ordered items arrive from the supplier, they are counted and inspected, and receiving documents are prepared.

Disbursement Voucher File and Check Register File

If the items, quantities, and prices match, then a record is added to the Disbursement Voucher File. Each payment day, the Cash Disbursement application selects the items due to be paid and adds a record to the Check Register File for each payment.



Testing the Accuracy and Completeness Assertions

The audit procedures described in this section provide evidence relating to management assertions of accuracy and completeness. Review Disbursement Vouchers for Unusual Trends and Exceptions


Auditor use ACL’s Stratify and Classify features to identify various characteristic and anomalies associated w/ AP.

Excessive purchases from a single supplier reflect an unusual business dependency

Large number of small volume suppliers is evidence of a highly inefficient purchasing.

Testing the Accuracy and Completeness Assertions

Reviewing for Accurate Invoice Prices

Comparing prices on supplier invoices to original PO prices provides evidence for testing the mgt assertion of accuracy.

Significant discrepancies between expected prices and the prices actually charged may be due to:

(1) clerical errors,

(2) failure to review supporting documents before authorizing payment, or

(3) AP personnel exceeding their authority in dealing with price discrepancies.

Testing pricing accuracy involves matching records from the two files using ACL’s Join feature and creating a third output file.


Testing the Completeness, Existence, and Rights and Obligations Assertions

The search for unrecorded liabilities provides evidence that tests the completeness, existence, and rights and obligations assertions.

Searching for Unrecorded Liabilities

The search for unrecorded liabilities involves the Disbursement Voucher and Receiving Report files. Again, using the Join feature, the two files can be compared for the existence of mismatched records.

Searching for Unauthorized Disbursement Vouchers (prepared by?)

Unsupported disbursement vouchers may signify an attempt at fraud or a poor control environment in which multiple payments are made for the same purchase.


Testing the Completeness, Existence, and Rights and Obligations Assertions

Review for Multiple Checks to Vendors

The auditor can test for duplicate records in a large file by employing ACL’s Duplicate feature. This technique is demonstrated below using the Disbursement Voucher file.

Various fields or combination of fields may be used to test for


duplicate records. The auditor needs to understand the relationship between the files to draw meaningful conclusions from the test results.

Assume:1 voucher for 1 invoice

1 invoice for 1 PO

Auditing Payroll and Related Accounts

Testing accrued payroll and related accounts for completeness and accuracy consist primarily of analytical procedures and reviews of cash disbursements made in the following period.

The auditor should test the mathematical accuracy of payroll summaries and trace totals to the payroll records and to the general ledger accounts.

The average salary per employee in the current period can be compared to the previous year’s averages. ACL’s Stratify feature can help the auditor detect unusual trends and abnormal balances in the payroll file.


Informasi Lebih Lanjut,Hubungi:

Education

09.2 audit siklus pembelian dan pembayaran