Copyright  2003 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia by Gay & Simnett Slides prepared by Roger Simnett 1 CHAPTER 17 ADVANCED TOPICS IN ASSURANCE SERVICES

Copyright  2003 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia by Gay & Simnett Slides prepared by Roger Simnett 2 AUDITING IN AN E- COMMERCE ENVIRONMENT E-commerce defined: The use of electronic transmission mediums (telecommunications) to engage in the exchange, including buying and selling, of products and services requiring transportation, either physically or digitally, from location to location. E-commerce is changing how organisations currently undertake business.

Copyright  2003 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia by Gay & Simnett Slides prepared by Roger Simnett 3 EARLY E-COMMERCE SYSTEMS: ELECTRONIC DATA INTERCHANGE (EDI) When parts are shipped, supplier transmits an invoice to manufacturer Reduces data entry, mailing costs and time to complete transactions Forerunner to e-commerce was EDI. Example: Manufacturer requires suppliers to accept orders through electronically transmitted purchase orders:

Copyright  2003 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia by Gay & Simnett Slides prepared by Roger Simnett 4 CURRENT CATEGORIES OF E- COMMERCE SYSTEMS Business-to-business (B2B) e-commerce: Companies buying from and selling to each other online. EDI was the early form for undertaking B2B e-commerce. Business-to-consumer (B2C) e-commerce: Any business or organisation that sells its products or services to consumers over the Internet, e.g. Amazon.com.

Copyright  2003 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia by Gay & Simnett Slides prepared by Roger Simnett 5 BUSINESS RISK ASSESSMENTS AND CONTROL CONSIDERATIONS Number of differences for business risk assessment and controls for B2B compared with B2C e-commerce B2B: audit client is transacting with small group of other businesses (identity known, authorisation procedures in place) B2C audit client is transacting with world at large (identity unknown)

Copyright  2003 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia by Gay & Simnett Slides prepared by Roger Simnett 6 RISK CONSIDERATIONS E-commerce risks include:  Risks arising from the nature of relationships with e-commerce trading partners  Risks related to the recording and processing of e-commerce transactions  Pervasive e-commerce security risks, including privacy issues  Fraud risks  Risks of systems failures or ‘crashes’

Copyright  2003 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia by Gay & Simnett Slides prepared by Roger Simnett 7 E-COMMERCE CONTROLS Include: Security infrastructure controls (firewalls, encryption and other security controls) Systems controls (controls over systems development, systems monitoring) Programmed controls (e.g. to ensure customer is authentic – payment authorised with approved credit card, order is reasonable, method of payment or credit- worthiness have been established)

Copyright  2003 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia by Gay & Simnett Slides prepared by Roger Simnett 8 TESTS OF CONTROLS B2B – authorisation system between transacting parties important. Tested as part of general control review. Programmed controls tested by test data techniques. B2C – authorisation of transactions established on many occasions by quoting valid credit card. Funds usually received before goods shipped. System reviewed as part of general controls. Programmed controls tested by use of test data.

Copyright  2003 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia by Gay & Simnett Slides prepared by Roger Simnett 9 SUBSTANTIVE TESTS IN AN E- COMMERCE ENVIRONMENT Should be evidence to support figures contained in financial report. Auditor can substantively verify these figures. May be assertions, such as rights and obligations (at what time do transactions take place?), to which auditor has to pay closer attention. Caution should be exercised with regard to analytical procedures, as some traditional relationships between account balances might no longer hold (e.g. a supplier might not hold inventory).

Copyright  2003 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia by Gay & Simnett Slides prepared by Roger Simnett 10 CONTINUOUS ASSURANCE Rapid advances in information technology enable information to be made available to users on a more timely basis. For example, in the future entities might have financial reports on Internet and show current status of accounts (as impacted by transactions as they flow into system). Assurance will be required on such reporting advances. Assurance more likely on system generating figures (tests of controls) than on figures themselves (substantive testing).

Copyright  2003 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia by Gay & Simnett Slides prepared by Roger Simnett 11 CONDITIONS NECESSARY FOR A CONTINUOUS AUDIT

Copyright  2003 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia by Gay & Simnett Slides prepared by Roger Simnett 12 EXAMPLES OF CONTINUOUS ASSURANCE Specific financial information required by debt covenants An entity’s compliance with stated policies and practices with regard to e-commerce transactions Completeness and accuracy of frequently updated key information provided publicly on a website Financial reports available on demand Effective operation of controls over specified systems or publicly accessible databases Continuous assurance can be on either financial or non-financial information. Examples include:

Copyright  2003 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia by Gay & Simnett Slides prepared by Roger Simnett 13 CONTINUOUS ASSURANCE AND XBRL Uses accepted standards and practice to encourage standardisation and exchange of financial information (including financial reports) across different technologies. Takes transactions and maps onto a standard structure for financial reports, and provides tags that permit the tracing of transactions. eXtensible Business Reporting Language (XBRL) is a new technology bringing continuous assurance closer to reality.

Copyright  2003 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia by Gay & Simnett Slides prepared by Roger Simnett 14 FORENSIC AUDITING One of the fastest growing areas in public accounting over past 10 years. Forensic auditing is called upon when there are large systems and corporate failures, or when fraud is suspected.

Copyright  2003 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia by Gay & Simnett Slides prepared by Roger Simnett 15 FORENSIC AUDITORS UNDERTAKE: Investigative engagements:  Fraud investigations – determining existence, nature and extent of fraud and funds tracing  Business economic loss analysis – contract disputes, product liability claims, etc. Litigation support:  Review of evidence to form assessment of case and identify areas of loss  Obtain relevant evidence to support or refute legal claim

Copyright  2003 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia by Gay & Simnett Slides prepared by Roger Simnett 16 TYPICAL APPROACH TO FORENSIC AUDITING ASSIGNMENT Plan meeting with client Perform an engagement acceptance check Perform a preliminary investigation Develop an action plan Obtain the relevant evidence Evaluate the evidence Prepare the report

Copyright  2003 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia by Gay & Simnett Slides prepared by Roger Simnett 17 ENVIRONMENTAL AND SUSTAINABILITY ASSURANCE Environmental reporting is becoming increasingly prevalent, with the advent of triple bottom line and sustainability reporting. Assurance on such reports is becoming more common. KPMG 2002 survey No. of companies issuing such reports45%35% No. of such reports independently assured27%19%

Copyright  2003 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia by Gay & Simnett Slides prepared by Roger Simnett 18 INTERNATIONAL DEVELOPMENTS Many groups encouraging or creating standards or criteria for environmental and sustainability reporting Fédération des Experts Comptables Européens (FEE) The Global Reporting Initiative (GRI) Environment Australia The International Organisation for Standardisation (ISO) 14,000 series

Copyright  2003 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia by Gay & Simnett Slides prepared by Roger Simnett 19 OVERARCHING PRINCIPLES

Copyright  2003 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia by Gay & Simnett Slides prepared by Roger Simnett 20 ASSURANCE CURRENTLY PROVIDED Level 1: Data verification — the checking of randomly selected data. Level 2: Verification of completeness of reporting — assessing the level of reporting against the organisation’s policy, aspects and impacts, and objectives and targets. Level 3: Report verification incorporating site level compliance auditing. Level 4: Report verification incorporating re-sampling and analysis. Environment Australia notes that there are primarily four levels of assurance services currently provided by assurance providers. These are:

Copyright  2003 McGraw-Hill Australia Pty Ltd PPTs t/a Auditing and Assurance Services in Australia by Gay & Simnett Slides prepared by Roger Simnett 21 ASSURANCE REPORTS ON ENVIRONMENT AND SUSTAINABILITY MATTERS An assurance report should contain: Identification of the subject matter Acknowledgment that the reported subject matter is the responsibility of management and that the verification statement is the responsibility of the assurance provider Purpose of carrying out the verification Nature and source of criteria used in evaluating the subject matter, developing findings and reaching conclusions Procedures carried out and any standards followed Identification of the party or parties responsible for the verification, including relevant qualifications or competencies A statement or opinion as to the conclusions reached and an indication of the level of assurance provided Date and place of issuing the assurance report