CAA Audit Documentati BPKP, Jakarta, 2014

10. IT Audit Working Papers


1. Working papers: records kept by the auditor of the audit procedures followed, the tests performed, the information (audit evidence) obtained, and the conclusions reached in connection with the audit.

2. Purposes of working papers:
   a. for planning
   b. record of evidence accumulated and the results of tests
   c. determine the type of opinion
   d. for review/supervision

   Ownership of working papers: audit working papers (KKA) are the property of the auditor (ed.: in the context of an audit by a public accounting firm, KAP), with due regard to the confidentiality of the working papers.

   Confidentiality of working papers: the auditor shall not disclose any confidential information, except with the consent of the client (or as required by law). CISA Review: the auditee may not see the auditor's working papers. IIA: the internal auditor (external auditor) may make use of the external auditor's (internal auditor's) working papers for the sake of efficiency, taking legal and confidentiality aspects into account.

3. Ownership of Engagement Documentation. Unless otherwise specified by law or regulation, engagement documentation is the property of the firm. The firm may, at its discretion, make portions of, or extracts from, engagement documentation available to clients, provided such disclosure does not undermine the validity of the work performed, or, in the case of assurance engagements, the independence of the firm or its personnel.

4. Practice Advisories 2330:
   a. WPs are the property of the organization (ed.: the organization in which internal audit sits).
   b. The CAE must control access to WPs.
   c. The CAE decides whether to grant external parties access to WPs, after consulting SM and/or the Legal department, except for criminal proceedings.
   d. In accordance with the SOP, the Board and management may access WPs.
   e. The CAE must develop retention requirements for engagement records, regardless of the medium in which each record is stored. These retention requirements must be consistent with the organization's guidelines and any pertinent regulatory or other requirements.

5. These files are intended to contain data of a historical or continuing nature pertinent to the current audit.
   - Audit program
   - General information
   - Working trial balance
   - Adjusting and reclassification entries
   - Supporting schedules
   Source: ARENS...

6. Rather than providing stringent rules, professional standards provide context and guidance for sound judgment relating to WPs. The IPPF specifies WP requirements in a variety of sections:
   - 2240 Engagement Work Program: Internal auditors must develop and document work programs that achieve the engagement objectives.
   - 2300 Performing the Engagement: Internal auditors must identify, analyze, evaluate, and document sufficient information to achieve the engagement's objectives.
   - 2310 Identifying Information: Internal auditors must identify sufficient, reliable, relevant, and useful information to achieve the engagement's objectives. See the interpretation on the next slide.

7. The IPPF specifies WP requirements in a variety of sections:
   - 2310 Identifying Information (Interpretation: Sufficient information is factual, adequate, and convincing so that a prudent, informed person would reach the same conclusions as the auditor. Reliable information is the best attainable information through the use of appropriate engagement techniques. Relevant information supports engagement observations and recommendations and is consistent with the objectives for the engagement. Useful information helps the organization meet its goals.)
   - 2320 Analysis and Evaluation: Internal auditors must base conclusions and engagement results on appropriate analyses and evaluations.
   - 2330 Documenting Information: Internal auditors must document relevant information to support the conclusions and engagement results.

8. - Completeness and Accuracy: WPs should be complete, accurate, and support observations, testing, conclusions, and recommendations. They should also show the nature and scope of the work performed.
   - Clarity and Understanding: WPs should be understandable without supplementary oral explanations. With the information the WPs reveal, a reviewer should be able to readily determine their purpose, the nature and scope of the work done, and the preparer's conclusions.
   - Pertinence: Information contained in WPs should be limited to matters that are important and necessary to support the objectives and scope established for the assignment.
   Source: Integrating Working Papers with Audit Management: How to shift from common practices to best practices, Codec DSS, Ireland, 2013

9. - Logical Arrangement: Working papers should follow a logical order.
   - Minimize Variance: WPs should be prepared within a consistent approach and execution framework across the audit and organization.
   - Legibility and Neatness: WPs should be legible and as neat as practical. Sloppy WPs may lose their worth as evidence.
   - Optimize Workflow: Find ways to create workflows for document preparation that integrate project management mechanisms such as client request list tracking, sign-offs, supervisor reviews, findings follow-up, time tracking, and project status reporting directly into a single process.
   Source: Integrating Working Papers with Audit Management: How to shift from common practices to best practices, Codec DSS, Ireland, 2013

10. The content of WPs cannot be changed, unless required or justified. Whether audit documentation is in paper, electronic or other media, the integrity, accessibility or retrievability of the underlying data may be compromised if the documentation could be altered, added to or deleted without the auditor's knowledge. The auditor applies appropriate controls for audit documentation to:
   (a) Enable the determination of when and by whom audit documentation was created, changed or reviewed;
   (b) Protect the integrity of the information at all stages of the audit, especially when the information is shared within the audit team or transmitted to other parties via the Internet;
   (c) Prevent unauthorized changes to the documentation; and
   (d) Allow access to the documentation by the audit team and other authorized parties as necessary to properly discharge their responsibilities.
   Source: ISA 230 (Revised) Audit Documentation, 2006

11. Controls that the auditor may apply to maintain the confidentiality, safe custody, integrity, accessibility and retrievability of audit documentation include, for example:
   - The use of a password amongst audit team members to restrict access to electronic audit documentation to authorized users.
   - Appropriate back-up routines for electronic audit documentation at appropriate stages during the audit.
   - Procedures for properly distributing audit documentation to the team members at the start of fieldwork, processing it during fieldwork, and collating it at the end of fieldwork.
   - Procedures for restricting access to, and enabling proper distribution and confidential storage of, hardcopy audit documentation.
   + Encrypting and compressing data; activity log.
   Source: ISA 230 (Revised) Audit Documentation, 2006

12. Working papers for CAATs (TABK, computer-assisted audit techniques) must be consistent with the working papers for the audit as a whole. It is preferable for the technical working papers relating to the use of CAATs to be kept separate from the other audit working papers.

13. Working papers must contain adequate documentation describing the application of CAATs, such as:
   Planning
   - The objectives of the CAATs.
   - The CAATs used.
   - The controls exercised.
   - The staff involved, the timing of the application, and the cost.

14. Working papers must contain adequate documentation describing the application of CAATs, such as:
   Execution
   - CAAT preparation and testing procedures and controls.
   - Details of the tests performed with CAATs.
   - Details of input, processing, and output.
   - Relevant technical information about the entity's accounting system, such as file layout, file description or record definition.
   - Information about the operating system used.
   - Information about the type, size, and storage media used.
   - Information about the file duplication system.

15. Audit evidence
   - The output (from the client) that is available.
   - A description of the audit work performed on the output.
   - Audit conclusions.
   Other
   - Recommendations to the entity's management.
   In addition, the auditor may document suggestions for the use of CAATs (TABK) in the following year.

16. The permanent audit file normally includes:
   - The organisation structure of the entity.
   - The IS policies of the organisation.
   - The historical background of the information system in the organisation.
   - Extracts or copies of important legal documents relevant to audit.
   - A record of the study and evaluation of the internal controls related to the information system.
   - Copies of audit reports and observations of earlier years.
   - Copies of management letters issued by the auditor, if any.
   Source: Board of Studies, the Institute of Chartered Accountants of India, Information Systems Control and Audit, Year ?.

17. The current file normally includes:
   - Correspondence relating to the acceptance of appointment and the scope of the work.
   - Evidence of the audit planning process and the audit programme.
   - A record of the nature, timing, and extent of auditing procedures performed, and the results of such procedures.
   - Copies of letters and notes concerning audit matters communicated to or discussed with the client, including material weaknesses in relevant internal controls.
   - Letters of representation and confirmation received from the client.
   - Conclusions reached by the auditor concerning significant aspects of the audit, including their follow-up.
   - Copies of the data and system being reported on and the related audit reports.
   Source: Board of Studies, the Institute of Chartered Accountants of India, Information Systems Control and Audit, Year ?.

18. PLANNING AND PERFORMANCE
   2.1 Documentation Contents
   2.1.1 IS audit documentation is the record of the audit work performed and the audit evidence supporting the IS auditor's findings, conclusions and recommendations. Audit documentation should be complete, clear, structured, indexed, and easy to use and understand by the reviewer. Potential uses of documentation include, but are not limited to:
   - Demonstrating the extent to which the IS auditor has complied with the IS Auditing Standard.
   - Demonstrating audit performance to meet requirements as per the audit charter.
   - Assistance with planning, performance and review of audits.
   - Facilitation of third-party reviews.
   - Evaluation of the IS auditing function's QA programme.
   - Support in circumstances such as a claim, fraud case, dispute or lawsuit.

19. PLANNING AND PERFORMANCE
   2.1.2 Documentation should include, at a minimum, a record of:
   - Review of previous audit documentation.
   - The planning and preparation of the audit scope and objectives. IS auditors must have an understanding of the industry, business domain, business process, product, vendor support and overall environment under review.
   - Minutes of management review meetings, audit committee meetings and other audit-related meetings.
   - The audit programme and procedures that will satisfy the audit objectives.
   - The audit steps performed and audit evidence gathered to evaluate the strengths and weaknesses of controls.
   - The audit findings, conclusions and recommendations.
   - Any report issued as a result of the audit work.
   - Supervisory review.

20. PLANNING AND PERFORMANCE
   2.1.3 The extent of the IS auditor's documentation depends on the needs for a particular audit and should include such things as:
   - The IS auditor's understanding of the areas to be audited and their environment.
   - The IS auditor's understanding of the information processing systems and the internal control environment, including the:
     - Control environment
     - Control procedures
     - Detection risk assessment
     - Control risk assessment
     - Equate total risk
   - The author and source of the audit documentation and the date of its completion.
   - Methods used to assess adequacy of control, existence of control weakness or lack of controls, and identify compensating controls.

21. PLANNING AND PERFORMANCE
   2.1.3 The extent of the IS auditor's documentation depends on the needs for a particular audit and should include such things as:
   - Audit evidence, the source of the audit documentation and the date of completion, including:
     - Compliance tests, which are based on test policies, procedures and segregation of duties
     - Substantive tests, which are based on analytic procedures, detailed tests of account balances and other substantive audit procedures
   - Acknowledgement from the appropriate person of receipt of the audit report and findings.
   - The auditee's response to recommendations.
   - Version control, especially where documentation is in electronic media.

22. PLANNING AND PERFORMANCE
   2.1.4 Documentation should include appropriate information required by law, government regulations or applicable professional standards.
   2.1.5 Documentation should be submitted to the audit committee for its review and approval.

23. DOCUMENTATION
   3.1 Custody, Retention and Retrieval
   3.1.1 Policies and procedures should be in effect to verify and ensure appropriate custody and retention of the documentation that supports audit findings and conclusions for a period sufficient to satisfy legal, professional and organisational requirements.
   3.1.2 Documentation should be organised, stored and secured in a manner appropriate for the media on which it is retained and should continue to be readily retrievable for a time sufficient to satisfy the policies and procedures defined above.