
1 IT Auditing & Assurance, 2e, Hall & Singleton Chapter 9 Auditing the Revenue Cycle REVIEW

2 IT Auditing & Assurance, 2e, Hall & Singleton REAL-TIME SALES ORDER ENTRY AND CASH RECEIPTS  See Figure 9-7  Sales procedures  Transactions are processed as they occur, separately  Credit check is performed online by the system  If approved, system checks availability of inventory  If available, system:  Transmits electronic stock release to warehouse dept  Transmits electronic packing slip to shipping dept  Updates inventory file records for depletion  Records sale in open sales order computer file

3 IT Auditing & Assurance, 2e, Hall & Singleton REAL-TIME SALES ORDER ENTRY AND CASH RECEIPTS  Warehouse procedures  Produces hard copy of stock release  Clerk picks goods, sends them with a copy of stock release to shipping dept.  Shipping procedures  Reconciles goods, stock release, packing slip from system.  Online, IS prepares Bill of Lading for shipment, and shipping notice for DP Dept.  Select carrier and prepare goods for shipment, along with packing slip and Bill of Lading  Stock release form is filed

4 IT Auditing & Assurance, 2e, Hall & Singleton INPUT CONTROLS
- Data Validation Controls
  - To detect transcription errors in data as it is processed
  - Batch: after shipment of goods
    - Error logs
    - Error correction computer processes
    - Transaction resubmission procedures
  - Real-Time: Errors handled as they occur
  - Missing data checks – presence of blank fields
  - Numeric-Alphabetic data checks – correct form of data
  - Limit checks – value does not exceed max for the field
  - Range checks – data is within upper and lower limits
  - Validity checks – compare actual values against known acceptable values
  - Check digit – identify keystroke errors by testing internal validity
- Testing Data Validation Controls
  - Verify controls exist and are functioning effectively
  - Validation of program logic can be difficult
  - If controls over system development and maintenance are NOT weak, testing data editing/programming logic is more efficient than substantive tests of details (test data, ITF)
  - Some assurance can be gained through the testing of error lists and error logs (detected errors only)
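The edit checks listed on this slide, written out as an added Python example that is not part of the original deck. The field names, the limit and range values, the transaction code table and the choice of a modulus-11 check digit are all assumptions made for illustration; the sample records are constructed.

```python
VALID_TRAN_CODES = {"SALE", "RETURN"}   # assumed table of acceptable values
MAX_QUANTITY = 500                      # assumed maximum for the quantity field
PRICE_RANGE = (0.01, 10000.00)          # assumed lower and upper limits
REQUIRED = ("customer_no", "item_code", "quantity", "unit_price", "tran_code")


def is_digits(s):
    return s.isascii() and s.isdigit()


def mod11_check_digit(base):
    """Weight digits 2, 3, 4, ... from the right; digit = (11 - sum % 11) % 11."""
    total = sum(int(d) * w for w, d in enumerate(reversed(base), start=2))
    check = (11 - total % 11) % 11
    return "X" if check == 10 else str(check)


def validate_order(rec):
    """Return the edit-check failures for one keyed record (all values are strings)."""
    # Missing data check: later checks need every field present.
    errors = [f"missing:{f}" for f in REQUIRED if not rec.get(f, "").strip()]
    if errors:
        return errors
    if not is_digits(rec["quantity"]):                  # numeric-alphabetic check
        errors.append("numeric:quantity")
    elif int(rec["quantity"]) > MAX_QUANTITY:           # limit check
        errors.append("limit:quantity")
    try:
        price = float(rec["unit_price"])
    except ValueError:
        errors.append("numeric:unit_price")
    else:
        if not PRICE_RANGE[0] <= price <= PRICE_RANGE[1]:   # range check
            errors.append("range:unit_price")
    if rec["tran_code"] not in VALID_TRAN_CODES:        # validity check
        errors.append("validity:tran_code")
    cust = rec["customer_no"]                           # check digit is the last character
    if not is_digits(cust[:-1]) or mod11_check_digit(cust[:-1]) != cust[-1]:
        errors.append("check_digit:customer_no")
    return errors


def run_edit_checks(records):
    """Split records into accepted ones and an error log of (index, failures)."""
    accepted, error_log = [], []
    for idx, rec in enumerate(records):
        failures = validate_order(rec)
        if failures:
            error_log.append((idx, failures))
        else:
            accepted.append(rec)
    return accepted, error_log


def order(cust, item, qty, price, code):
    return {"customer_no": cust, "item_code": item, "quantity": qty,
            "unit_price": price, "tran_code": code}


# Constructed sample input: one clean record and four with keying errors.
SAMPLE_ORDERS = [
    order("53724", "A100", "10", "19.99", "SALE"),
    order("35724", "A100", "10", "19.99", "SALE"),    # first two digits transposed
    order("53724", "A100", "9999", "0", "SAEL"),
    order("53724", "", "10", "19.99", "SALE"),
    order("53724", "A100", "1O", "19.99", "SALE"),    # letter O keyed for zero
]

if __name__ == "__main__":
    for entry in run_edit_checks(SAMPLE_ORDERS)[1]:
        print(entry)
```

The error log it returns is the artifact the slide's last bullet refers to: reviewing it gives assurance only about errors the checks detected.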

5 IT Auditing & Assurance, 2e, Hall & Singleton INPUT CONTROLS
- Batch controls
  - Manage high volumes of similar transactions
  - Purpose: Reconcile output produced by system with the original input
  - Controls continue through all computer (data) processes
  - Batch transmittal sheet:
    - Unique batch number
    - Batch date
    - Transaction code
    - Record count
    - Batch control total (amount)
    - Hash totals (e.g., account numbers)
- Testing data validation controls
  - Failures of batch controls indicate data errors
  - Involves reviewing transmittal records of batches processed and reconciling them to the batch control log (batch transmittal sheet)
  - Examine out-of-balance conditions and other errors to determine cause of error
  - Review and reconcile transaction listings, error logs, etc.
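An added Python example, not part of the original deck, showing how the totals on a batch transmittal sheet are recomputed and reconciled after processing. The record layout, batch number and amounts are constructed; the three cases show which totals go out of balance when an account number is mis-keyed versus when a record is lost.

```python
from decimal import Decimal

# Constructed batch transmittal sheet, prepared when the batch was assembled.
TRANSMITTAL = {
    "batch_no": "B-0412", "batch_date": "2024-03-29", "tran_code": "SALE",
    "record_count": 3, "control_total": Decimal("514.75"), "hash_total": 3006,
}

# Constructed records as they came out of processing.
KEYED = [
    {"doc_no": "SO-1", "tran_code": "SALE", "account_no": "1001", "amount": "150.00"},
    {"doc_no": "SO-2", "tran_code": "SALE", "account_no": "1002", "amount": "275.50"},
    {"doc_no": "SO-3", "tran_code": "SALE", "account_no": "1003", "amount": "89.25"},
]

TOTAL_FIELDS = ("record_count", "control_total", "hash_total")


def batch_totals(records):
    """Recompute the three batch totals from the records themselves."""
    return {
        "record_count": len(records),
        # Decimal avoids float rounding in the monetary control total.
        "control_total": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        # The hash total has no financial meaning; it only detects altered keys.
        "hash_total": sum(int(r["account_no"]) for r in records),
    }


def reconcile(transmittal, records):
    """Return one entry per out-of-balance condition; an empty list means in balance."""
    actual = batch_totals(records)
    exceptions = [
        {"batch_no": transmittal["batch_no"], "field": f,
         "expected": transmittal[f], "actual": actual[f]}
        for f in TOTAL_FIELDS if transmittal[f] != actual[f]
    ]
    # Every record in a batch must carry the batch's transaction code.
    for r in records:
        if r["tran_code"] != transmittal["tran_code"]:
            exceptions.append({"batch_no": transmittal["batch_no"], "field": "tran_code",
                               "expected": transmittal["tran_code"],
                               "actual": r["tran_code"], "doc_no": r["doc_no"]})
    return exceptions


def out_of_balance_fields(transmittal, records):
    return [e["field"] for e in reconcile(transmittal, records)]


# Case 1: account number 1002 keyed as 1020, amount unchanged.
MISKEYED = [dict(r, account_no="1020") if r["doc_no"] == "SO-2" else r for r in KEYED]
# Case 2: the last record was lost during processing.
DROPPED = KEYED[:2]

if __name__ == "__main__":
    for name, recs in (("clean", KEYED), ("miskeyed", MISKEYED), ("dropped", DROPPED)):
        print(name, out_of_balance_fields(TRANSMITTAL, recs))
```

Only the hash total catches the mis-keyed account number, because the record count and the amount total are unaffected by it.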

6 IT Auditing & Assurance, 2e, Hall & Singleton PROCESS CONTROLS  Computerized procedures for file updating  Restricting access to data  Techniques:  File update controls -- Run-to-run batch control data to monitor data processing steps  Transaction code controls – to process different transactions using different programming logic (e.g., transaction types)  Sequence check controls – sequential files, proper sorting of transaction files required  Testing file update controls – results in errors  Testing data that contains errors (incorrect transaction codes, out of sequence)  Can be performed in ITF or test data  CAATTs requires careful planning  Single audit procedure can be devised that performs all tests in one operation.

7 IT Auditing & Assurance, 2e, Hall & Singleton ACCESS CONTROLS  Prevent and detect unauthorized and illegal access to firm’s systems and/or assets  Warehouse security  Depositing cash daily  Use safe deposit box, night box, lock cash drawers and safes  Accounting records  Removal of an account from books  Unauthorized shipments of goods using blank sales orders  Removal of cash, covered by adjustments to cash account  Theft of products/inventory, covered by adjustments to inventory or cash accounts  Testing access controls – heart of accounting information integrity  Absence thereof allows manipulation of invoices (i.e., fraud)  Access controls are system-wide and application-specific  Access controls are dependent on effective controls in O/S, networks, and databases

8 IT Auditing & Assurance, 2e, Hall & Singleton PHYSICAL CONTROLS  Segregation of duties  Rule 1: Transaction authorization separate from transaction processing  Rule 2: Asset custody separate from record-keeping tasks  Rule 3: Organization structured such that fraud requires collusion between two or more people  Supervision  Necessary for employees who perform incompatible functions  Compensates for inherent exposure from incompatible functions  Can be supplement when duties are properly segregated  Prevention vs. detection of fraud and crime is objective: supervision can be effective preventive control

9 IT Auditing & Assurance, 2e, Hall & Singleton OUTPUT CONTROLS  PURPOSE: Information is not lost, misdirected, or corrupted; that the system output processes function properly  Controls are designed to identify potential problems  Reconciling GL to subsidiary ledgers  Maintenance of the audit trail – that is the primary way to trace the source of detected errors  Details of transactions processed at intermediate points  AR change report  Transaction logs: permanent record of valid transactions  Transaction listings – successfully posted transactions  Log of automatic transactions  Unique transaction identifiers  Error listings  Testing output controls  Reviewing summary reports for accuracy, completeness, timeliness, and relevance for decisions  Trace sample transactions through audit trails, including transaction listings, error logs, and logs of resubmitted records  ACL is very helpful in this process

10 IT Auditing & Assurance, 2e, Hall & Singleton SUBSTANTIVE TESTS OF REVENUE CYCLE ACCOUNTS  PURPOSE: Determine the nature, timing, and extent of substantive tests using auditor’s assessment of inherent risk, unmitigated control risk, materiality considerations, and efficiency of the audit.  Concern: Overstatement or understatement of revenues?  Focus on large and unusual transactions, especially near period-end  Recognizing revenues from sales that did not occur  Recognizing revenues BEFORE they are realized  Failing to recognize cutoff points  Underestimating allowance for doubtful accounts  Shipping unsolicited products to customers, subsequently returned  Billing customers for products held by seller  Tests of controls and substantive tests  Credit limit logic may be effective but cut-off of AR may be in error  Substantive testing of AR may give assurance about accuracy of total AR but does not offer assurance about collectibility

11 IT Auditing & Assurance, 2e, Hall & Singleton Controls for Automated Systems General and application controls for IS Transaction tags Transaction logs Increased supervision Online validation and authentication Rotation of duties Authorizations and automated rules Continuous auditing techniques

12 IT Auditing & Assurance, 2e, Hall & Singleton Chapter 10 Auditing the Expenditure Cycle REVIEW

13 IT Auditing & Assurance, 2e, Hall & Singleton Data processing steps performed automatically: 1.Inventory file scanned for items and reorder points 2.Purchase requisition record for all items needing replenishment 3.Consolidate requisitions by vendor 4.Retrieve vendor mailing information 5.P.O. prepared and sent to vendor (EDI) 6.Open P.O. record added for each transaction 7.List of P.O. sent to purchasing department CASH DISBURSEMENT: REENGINEERED—FULLY AUTOMATED

14 IT Auditing & Assurance, 2e, Hall & Singleton Goods arrive at receiving department Quantities received entered per item CASH DISBURSEMENT: REENGINEERED– FULLY AUTOMATED

15 IT Auditing & Assurance, 2e, Hall & Singleton Data processing steps performed automatically: 1.Quantities keyed matched to open P.O. record 2.Receiving report file record added 3.Update inventory subsidiary records 4.G.L. inventory updated 5.Record removed from open P.O. file and added to open A.P. file, due date established CASH DISBURSEMENT: REENGINEERED—FULLY AUTOMATED

16 IT Auditing & Assurance, 2e, Hall & Singleton Each day, due date fields of A.P. are scanned for items where payment is due CASH DISBURSEMENT: REENGINEERED—FULLY AUTOMATED

17 IT Auditing & Assurance, 2e, Hall & Singleton Data processing steps performed automatically: 1.Checks are printed, signed and distributed to mailroom (unless EDI/EFT) 2.Payments are recorded in check register file 3.Items paid are transferred from open A.P. to closed A.P. file 4.G.L.- A.P. and cash accounts are updated 5.Appropriate reports are transmitted to A.P. and cash disbursements departments for review CASH DISBURSEMENT: REENGINEERED—FULLY AUTOMATED

18 IT Auditing & Assurance, 2e, Hall & Singleton Input controls  Data validation controls  Testing validation controls  Batch controls  Testing batch controls  Purchases authorization controls  Testing purchases authorization controls  Employee authorization  Testing employee authorization procedures EXPENDITURE CYCLE AUDIT OBJECTIVES

19 IT Auditing & Assurance, 2e, Hall & Singleton Process controls  File update controls  Sequence check control  Liability validation control  Valid vendor file  Testing file update controls  Access controls  Warehouse security  Moving assets promptly when received  Paying employees by check vs. cash  Risks Employees with access to A.P. subsidiary file Employees with access to attendance records Employees with access to both cash and A.P. records Employees with access to both inventory and inventory records  Testing access controls EXPENDITURE CYCLE AUDIT OBJECTIVES

20 IT Auditing & Assurance, 2e, Hall & Singleton Process controls  Physical controls  Purchase system controls Segregation of inventory control from warehouse Segregation of G.L. and A.P. from cash disbursements Supervision of receiving department Inspection of assets Theft of assets Reconciliation of supporting documents: P.O., receiving report, supplier’s invoice  Payroll System controls Verification of timecards Supervision Paymaster Payroll imprest account  Testing of physical controls EXPENDITURE CYCLE AUDIT OBJECTIVES

21 IT Auditing & Assurance, 2e, Hall & Singleton Process controls  Output controls  A.P. change report  Transaction logs  Transaction listing  Logs of automatic transactions  Unique transaction identifiers  Error listing  Testing output controls EXPENDITURE CYCLE AUDIT OBJECTIVES

22 IT Auditing & Assurance, 2e, Hall & Singleton Chapter 12: Fraud Schemes & Fraud Detection

23 FRAUD  Asset misappropriation fraud 1. Stealing something of value – usually cash or inventory (i.e., asset theft) 2. Converting asset to usable form 3. Concealing the crime to avoid detection 4. Usually, perpetrator is an employee  Financial fraud 1. Does not involve direct theft of assets 2. Often objective is to obtain higher stock price (i.e., financial fraud) 3. Typically involves misstating financial data to gain additional compensation, promotion, or escape penalty for poor performance 4. Often escapes detection until irreparable harm has been done 5. Usually, perpetrator is executive management  Corruption fraud 1. Bribery, etc.

24 IT Auditing & Assurance, 2e, Hall & Singleton ACFE 2004 REPORT TO THE NATION

25 IT Auditing & Assurance, 2e, Hall & Singleton FRAUD SCHEMES  Fraudulent financial statements {5%}  Corruption {13%}  Bribery  Illegal gratuities  Conflicts of interest  Economic extortion  Asset misappropriation {85%}  Charges to expense accounts  Lapping  Kiting  Transaction fraud Percentages per ACFE 2002 Report to the Nation – see Table 12-1

26 IT Auditing & Assurance, 2e, Hall & Singleton COMPUTER FRAUD SCHEMES  Data Collection  Data Processing  Database Management  Information Generation

27 IT Auditing & Assurance, 2e, Hall & Singleton AUDITOR’S RESPONSIBILITY FOR DETECTING FRAUD—SAS NO. 99  Sarbanes-Oxley Act 2002  SAS No. 99 – “Consideration of Fraud in a Financial Statement Audit” 1. Description and characteristics of fraud 2. Professional skepticism 3. Engagement personnel discussion 4. Obtaining audit evidence and information 5. Identifying risks 6. Assessing the identified risks 7. Responding to the assessment 8. Evaluating audit evidence and information 9. Communicating possible fraud 10. Documenting consideration of fraud

28 IT Auditing & Assurance, 2e, Hall & Singleton FRAUDULENT FINANCIAL REPORTING  Risk factors: 1. Management’s characteristics and influence over the control environment 2. Industry conditions 3. Operating characteristics and financial stability

29 IT Auditing & Assurance, 2e, Hall & Singleton FRAUDULENT FINANCIAL REPORTING  Common schemes:  Improper revenue recognition  Improper treatment of sales  Improper asset valuation  Improper deferral of costs and expenses  Improper recording of liabilities  Inadequate disclosures

30 IT Auditing & Assurance, 2e, Hall & Singleton What Is Internal Control? Control Environment Control activities Risk Assessment Information / Communication Monitoring Sets the tone of an organization. Influences control consciousness Foundation for all other components Provides discipline and structure

31 IT Auditing & Assurance, 2e, Hall & Singleton Why Did It Take So Long to Find Out?

32 IT Auditing & Assurance, 2e, Hall & Singleton What Is Internal Control? Control Environment Control activities Risk Assessment Information / Communication Monitoring Identification and analysis Relevant risks to objective achievement Forms basis of risk management

33 IT Auditing & Assurance, 2e, Hall & Singleton What Is Internal Control? Control Environment Control activities Risk Assessment Information / Communication Monitoring Policies and procedures Help ensure achievement of management objectives

34 IT Auditing & Assurance, 2e, Hall & Singleton What Is Internal Control? Control Environment Control activities Risk Assessment Information / Communication Monitoring Information identification, capture, and exchange Forms and time frames Enables people to carry out responsibilities

35 IT Auditing & Assurance, 2e, Hall & Singleton Risk Factors Misappropriation of Assets Poor recordkeeping Lack of management oversight Inadequate job applicant screening Poor segregation of duties or independent checks

36 IT Auditing & Assurance, 2e, Hall & Singleton Risk Factors Misappropriation of Assets Poor physical safeguards Inappropriate transaction authorization and approval No mandatory vacations for control function employees Lack of timely and appropriate transaction documentation

37 IT Auditing & Assurance, 2e, Hall & Singleton Risk Factors Susceptibility of Assets to Misappropriation Large amounts of cash on hand or in process.

38 IT Auditing & Assurance, 2e, Hall & Singleton Risk Factors Susceptibility of Assets to Misappropriation Inventory that is small in size, high in value, or in high demand.

39 IT Auditing & Assurance, 2e, Hall & Singleton Risk Factors Susceptibility of Assets to Misappropriation Easily convertible assets

40 IT Auditing & Assurance, 2e, Hall & Singleton Risk Factors Susceptibility of Assets to Misappropriation Fixed assets that are small, marketable, or lack ownership identification.

41 IT Auditing & Assurance, 2e, Hall & Singleton Risk Factors Material Misstatements Due to Fraud Transactions improperly recorded or not recorded completely / timely. Unsupported/unauthorized balances or transactions. Last-minute adjustments significantly affecting financial results.

42 IT Auditing & Assurance, 2e, Hall & Singleton Risk Factors Conflicting or Missing Evidential Matter Missing documents or photocopies where originals should be. Missing significant inventory or physical assets.

43 IT Auditing & Assurance, 2e, Hall & Singleton Risk Factors Conflicting or Missing Evidential Matter Unusual discrepancies between records and confirmation replies. Significant unexplained items on reconciliations.

44 IT Auditing & Assurance, 2e, Hall & Singleton Risk Factors Conflicting or Missing Evidential Matter Inconsistent, vague, or implausible responses to inquiries or analytical procedures.

45 IT Auditing & Assurance, 2e, Hall & Singleton Perpetrator Characteristics College-educated white males committed 53% of the offenses. Median losses by men over 2.5 times those of women:  Men - $160,000  Women - $60,000


52 IT Auditing & Assurance, 2e, Hall & Singleton Methods Used Asset Misappropriation Accounted for over 92% of Wells Report cases Lowest median loss $93K Fraudulent Statements Smallest Wells Report Category at 8% of cases Highest median loss $1M Corruption and all Accounted for just over 30% of Wells Report cases Median Loss of $250K

53 IT Auditing & Assurance, 2e, Hall & Singleton MISAPPROPRIATION OF ASSETS  Common schemes:  Personal purchases  Ghost employees  Fictitious expenses  Altered payee  Pass-through vendors  Theft of cash (or inventory)  Lapping

54 IT Auditing & Assurance, 2e, Hall & Singleton ACFE 2004 REPORT TO THE NATION

55 IT Auditing & Assurance, 2e, Hall & Singleton AUDITOR’S RESPONSE TO RISK ASSESSMENT  Engagement staffing and extent of supervision  Professional skepticism  Nature, timing, extent of procedures performed

56 IT Auditing & Assurance, 2e, Hall & Singleton AUDITOR’S RESPONSE TO DETECTED MISSTATEMENTS DUE TO FRAUD  If no material effect:  Refer matter to appropriate level of management  Ensure implications to other aspects of the audit have been adequately addressed  If effect is material or undeterminable:  Consider implications for other aspects of the audit  Discuss the matter with senior management and audit committee  Attempt to determine if material effect  Suggest client consult with legal counsel

57 IT Auditing & Assurance, 2e, Hall & Singleton AUDITOR’S DOCUMENTATION  Document in the working papers criteria used for assessing fraud risk factors: 1.Those risk factors identified 2.Auditor’s response to them

58 IT Auditing & Assurance, 2e, Hall & Singleton FRAUD DETECTION TECHNIQUES USING ACL
- Payments to fictitious vendors
  - Sequential invoice numbers
  - Vendors with P.O. boxes
  - Vendors with employee address
  - Multiple companies with same address
  - Invoice amounts slightly below review threshold
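The five fictitious-vendor tests on this slide, as an added example written in Python rather than ACL script; it is not part of the original deck. The review threshold, the 5% band used for "slightly below", the minimum run length for sequential invoices, and all vendor, employee and invoice data are constructed assumptions.

```python
import re
from collections import defaultdict

REVIEW_THRESHOLD = 5000.00  # assumed approval limit
NEAR_BAND = 0.05            # assumed: "slightly below" = within 5% of the limit
MIN_RUN = 3                 # assumed: 3+ consecutive invoice numbers is unusual
PO_BOX = re.compile(r"\bP\.?\s*O\.?\s*BOX\b", re.IGNORECASE)


def norm_addr(addr):
    """Normalize case, punctuation and spacing so near-identical addresses match."""
    return re.sub(r"\s+", " ", re.sub(r"[^A-Z0-9\s]", "", addr.upper())).strip()


def longest_run(numbers):
    """Length of the longest run of consecutive integers."""
    best = run = 0
    prev = None
    for n in sorted(set(numbers)):
        run = run + 1 if prev is not None and n == prev + 1 else 1
        best, prev = max(best, run), n
    return best


def vendor_fraud_tests(vendors, employees, invoices):
    """Run all five tests and return the flagged ids per test."""
    emp_addrs = {norm_addr(e["address"]): e["emp_id"] for e in employees}
    by_addr, inv_nums = defaultdict(list), defaultdict(list)
    for v in vendors:
        by_addr[norm_addr(v["address"])].append(v["vendor_id"])
    for i in invoices:
        inv_nums[i["vendor_id"]].append(i["invoice_no"])
    floor = REVIEW_THRESHOLD * (1 - NEAR_BAND)
    return {
        "po_box": sorted(v["vendor_id"] for v in vendors if PO_BOX.search(v["address"])),
        "employee_address": sorted(
            (v["vendor_id"], emp_addrs[norm_addr(v["address"])])
            for v in vendors if norm_addr(v["address"]) in emp_addrs),
        "shared_address": sorted(ids for ids in by_addr.values() if len(ids) > 1),
        # A genuine vendor bills many customers, so one customer rarely
        # receives consecutive invoice numbers from it.
        "sequential_invoices": sorted(
            vid for vid, nums in inv_nums.items() if longest_run(nums) >= MIN_RUN),
        "near_threshold": sorted(
            i["invoice_no"] for i in invoices if floor <= i["amount"] < REVIEW_THRESHOLD),
    }


# Constructed sample data.
VENDORS = [
    {"vendor_id": "V001", "address": "100 Industrial Pkwy, Dayton OH"},
    {"vendor_id": "V002", "address": "P.O. Box 4471, Dayton OH"},
    {"vendor_id": "V003", "address": "22 Elm St., Apt 4, Dayton OH"},
    {"vendor_id": "V004", "address": "22 ELM ST APT 4 DAYTON OH"},
]
EMPLOYEES = [{"emp_id": "E17", "address": "22 Elm St, Apt 4, Dayton, OH"}]
INVOICES = [
    {"vendor_id": "V001", "invoice_no": 88213, "amount": 1200.00},
    {"vendor_id": "V001", "invoice_no": 90457, "amount": 5200.00},
    {"vendor_id": "V002", "invoice_no": 5530, "amount": 640.00},
    {"vendor_id": "V003", "invoice_no": 1001, "amount": 4980.00},
    {"vendor_id": "V003", "invoice_no": 1002, "amount": 4995.00},
    {"vendor_id": "V003", "invoice_no": 1003, "amount": 4990.00},
]

if __name__ == "__main__":
    for test, hits in vendor_fraud_tests(VENDORS, EMPLOYEES, INVOICES).items():
        print(test, hits)
```

Each hit is a lead for follow-up, not a finding: a P.O. box or a shared address is common among legitimate vendors, so the tests are most useful where several of them flag the same vendor.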

59 IT Auditing & Assurance, 2e, Hall & Singleton FRAUD DETECTION TECHNIQUES USING ACL  Payroll fraud  Test for excessive hours worked  Test for duplicate payments  Tests for non-existent employee

60 IT Auditing & Assurance, 2e, Hall & Singleton FRAUD DETECTION TECHNIQUES USING ACL  Lapping A.R.  Balance forward method  Open invoice method

61 IT Auditing & Assurance, 2e, Hall & Singleton Chapter 12: Fraud Schemes & Fraud Detection

62 Forensic and Investigative Accounting Chapter 15 Cybercrime Management: Legal Issues © 2005, CCH INCORPORATED 4025 W. Peterson Ave. Chicago, IL 60646-6085 http://tax.cchgroup.com A WoltersKluwer Company

63 IT Auditing & Assurance, 2e, Hall & Singleton Introduction to Cybercrime Most common complaints: Virus attacks—78% Insider abuse of net access—59% Laptop/mobile theft—49% Unauthorized access to information—39% System penetration—37% Denial of service—17% Theft of proprietary information—10%

64 IT Auditing & Assurance, 2e, Hall & Singleton Intangible Assets Information on the Internet and in computer databases represents intangible assets composed of bits and bytes. The destruction of electronic representations or the erasure of data without physically damaging a tangible computer asset may not be considered a crime.

65 IT Auditing & Assurance, 2e, Hall & Singleton Intangible Assets If data is accessed but not used for any purpose, then no crime is committed. Statutes may not provide for the recognition of criminal trespass, a property crime, based on a virtual presence (and no physical presence).

66 IT Auditing & Assurance, 2e, Hall & Singleton Federal Statutes Related to Cybercrimes  18 U.S.C. 1029: Fraud and Related Activity in Connection with Access Devices  18 U.S.C. 1030: Fraud and Related Activity in Connection with Computers  18 U.S.C. 2701: Unlawful Access to Stored Communications

67 IT Auditing & Assurance, 2e, Hall & Singleton State Legislation Many of the states have separately enacted money laundering, identity theft, online gambling, cyberstalking and other Internet statutes in their codes. Many statutes do not refer to “cybercrimes” as they were originally enacted when there was no Internet. Thus, legislative oversight in the acts tends to focus on “computer crimes,” “unlawful access,” or “property crimes.”

68 IT Auditing & Assurance, 2e, Hall & Singleton Fighting Cybercrime The following list describes the skill set needed to fight cybercrime:  Ability to build an Internet audit trail  Skills needed to collect “usable” courtroom electronic evidence  Ability to trace an unauthorized system user (continued on next slide)

69 IT Auditing & Assurance, 2e, Hall & Singleton Fighting Cybercrime  Knowledge base to use in recommending or reviewing security policies  Knowledge of the most recent computer fraud techniques  Basic understanding of the information that can be collected from various computer logs  Ability to place a valuation on incurred losses from attacks (continued on next slide)

70 IT Auditing & Assurance, 2e, Hall & Singleton Fighting Cybercrime  Technical familiarity with the Internet, web servers, firewalls, attack methodologies, security procedures, and penetration testing  Understanding of organizational and legal protocols in incident handling to prevent employee rights violations  An established relationship with law enforcement agencies

71 IT Auditing & Assurance, 2e, Hall & Singleton Why Women Live Longer Than Men


78 That’s All Folks!

