Module 6: Business Application Software Audit. Chapter 1: Business Application Software Audit

Size: px

Start display at page:

Download "Module 6: Business Application Software Audit. Chapter 1: Business Application Software Audit"

Sophie Goodwin
6 years ago
Views:

1 Module 6: Business Application Software Audit Chapter 1: Business Application Software Audit 1

2 Basic Learning Objectives Task Statement Knowledge Statement 2

3 Learning Objectives Business application software Business application controls Business application audit 3

4 Business Process and Business Application- Chapter 1 4

5 INTRODUCTION 5

6 Part 1: Enterprise Business Models Part 2:Business Application Software as per Enterprises Business Models Part 3:Case Studies on separate PPT 6

7 Introduction Part 1: Enterprise Business Models Business Models and Controls Business Model, Business process and Business Applications Business model and Risk Assessment Case Study 7

8 Introduction A business model can be thus said to be a way an organization delivers its product / service to customers, strategies to do business, infrastructure, trading practices, and operational processes and policies. Business models are a necessary outcome of the vision, mission statements of an organization 8

9 Business Models and Controls Each business model shall have a basic control structure built into its processes. The controls structure is also dependent upon the business application software that is being used by the entity. 9

10 Business Models and Controls Control structures are relevant for each business model. The nature of control, the way they are implemented and executed depends upon the business model being put to use. 10

11 Business Model, Business Process and Business Applications Business Process Business processes and control structure Business Applications 11

12 Business Process Business Process is defined as way / method of arranging a set of activities / tasks to achieve a specific business objective or manufacture a product or deliver a service. 12

13 Business Processes and Control Structure Each business cycle used by an entity has a defined control structure that has a direct corelation to the business model used. Entity need to document business processes and identify key control points. 13

14 Business Applications Business Application, may be defined as applications used by entity to run its business. The consideration is whether the said application covers / incorporates the key business processes of the entity. Another important consideration is whether the control structure as available in the Business Application is appropriate to help entity achieve its goals. 14

15 Business Applications Business applications are where the necessary controls needed to run business are put in place. The business processes and related controls are put in place through business applications used by an entity. 15

16 Business Model and Risk Assessment Auditing standards Risk Assessment for a business application used by entity 16

17 Auditing Standards ISACA ITAF, 1201 Engagement Planning, identifies one of key aspects for an states that IS audit and assurance professionals, as; 17

18 Auditing Standards Obtain an understanding of the activity being audited. The extent of the knowledge required should be determined by the nature of the enterprise, its environment, areas of risk, and the objectives of the engagement Consider subject matter guidance or direction, as afforded through legislation, regulations, rules, directives and guidelines issued by government or industry. 18

Audit strategies, materiality levels and resource requirements can then be developed.

19 Auditing Standards Perform a risk assessment to provide reasonable assurance that all material items will be adequately covered during the engagement. Audit strategies, materiality levels and resource requirements can then be developed. Develop the engagement project plan using appropriate project management methodologies to ensure that activities remain on track and within budget. 19

20 Auditing Standards SA 200. Basic Principles Governing an Audit, Issued by ICAI, requires an auditor to plan an audit and get following information; The auditor should plan his work to enable him to conduct an effective audit in an efficient and timely manner. Plans should be based on knowledge of the client s business. Plans should be made to cover, among other things: 20

Steps To Audit Step1 Step 2 Step 3 Acquiring

placed on internal control; Determining and

21 Steps To Audit Step1 Step 2 Step 3 Acquiring knowledge of the client s accounting system, policies and internal control procedures Establishing the expected degree of reliance to be placed on internal control; Determining and programming the nature, timing, and extent of the audit procedures to be performed; 21

22 Internal Audit Standards the extent to which the IT environment is used to record, compile, process and analyse information; and The system of internal control in existence in the organisation with regard to: the flow of authorised, correct and complete data to the processing centre; the processing, analysis and reporting tasks undertaken in the installation. 22

timing, and extent of the audit procedures to be performed; ISACA ITAF 1202, states IS

23 Risk Assessment for a Business Application used by entity Risk assessment is a necessary initial procedure to be adopted by an IS Auditor, so that he/she can determine the nature, timing, and extent of the audit procedures to be performed; ISACA ITAF 1202, states IS auditor needs to consider subject matter risk, audit risk and related exposure to the enterprise. 23

These are important for an IS auditor to consider but merged with inherent risk Audit risk, is

24 Risk Assessment for a Business Application used by entity Subject matter risk, relates to business risk, country risk, contract risks. These are important for an IS auditor to consider but merged with inherent risk Audit risk, is define as auditor reaching incorrect conclusion after an audit. The components of audit risk being control risk, inherent risk and detection risk. 24

25 Risk Assessment for a Business Application used by entity AS per COBIT guidelines: Business process controls are activities designed to achieve the broad range of management objectives for the process as a whole. 25

Case Study Objective To understand the concept of risk assessment of a

Income Tax Act, 1961, auditor has to list cash expenses done by an

26 Case Study Objective To understand the concept of risk assessment of a business application and its impact of other audit procedures to be adopted by auditor. Issue under consideration For tax audits done under section 44AB of Income Tax Act, 1961, auditor has to list cash expenses done by an organisation in excess of Rs.20,000/-. These expenses disallowed as a business expense under 40A (3) of the Income Tax Act,

27 Case Study Business Consideration Any amount of expense in excess of Rs.20, 000/- in cash shall result in the expense being disallowed as a business expense. The same shall lead to increase in tax liability and related. 27

28 Case Study Two different business applications are being considered. 1. Accounting application: The organisation is using TALLY as its business application. 2. ERP Application: The organisation is using SAP as its business application. 28

29 Conclusion: The part addressed the following. Business Models Business Applications 29

Case for participants Issue to audit: Prepare a risk assessment table to see: Whether the business application used by organisation restricts negative cash balance.

30 Case for participants Issue to audit: Prepare a risk assessment table to see: Whether the business application used by organisation restricts negative cash balance. Business relevance: Negative cash balance is indicator that the accounting is not timely, and not as per general business transaction. The same has an implication in Income Tax Act, Any negative cash balance may be treated as un-explained expenditure under section 69C of the act and added to income of assessee. 30

31 Part 2: Business Application Software as per Enterprises Business Model Introduction Business Application Software: Parameters of selection Types Key features and controls for business applications 31

32 Introduction Business applications are the tool to achieve management goals and objectives. The nature of business enterprise model is guide to the business application software selects. 32

33 Business Application Software: Parameters of selection Entity has to put on a piece of paper the business requirements and business goals. Listing of these shall be great help for an entity to conclude which type and nature of business application it shall use. 33

34 Business Application Software: Parameters of selection The business goal The nature of business The geographical spread The volume of transaction 34

35 Business Application Software: Parameters of selection The regulatory structure at place of operation: As the number and nature of compliances increase across the world, entity shall prefer that software which is capable to cater to the compliance requirements. 35

36 Types Business applications applications can be can classified be classified based on based processing on type processing or source type or based or source on function or based covered. on function The most critical covered. way The for management most critical is based way in for function management it performs. is based in function it performs. 36

37 Types Accounting Application Banking Application ERP Application Payroll Application 37

38 Types Other Business Applications: Office Management Software Compliance Applications Customer relationship management Software Management Support Software 38

39 Types Other Business Applications: Logistics Management Software Legal matter management Industry Specific Applications 39

40 Key Features and Controls for Business Applications Each business application is selected and implemented for a specific business purpose. An IS Auditor needs to see whether the business objective from implementing the business application is achieved or even achievable. 40

41 Conclusion: This part dealt with Types of business application Parameters for selection 41

42 Questions 42

43 1. Initial adoption of Business Model adopted by an organisation is dependent upon: A. Business Applications B. Business Objective C. Controls in business applications D. Business Laws Answer: B Business Objectives shall be the prime reason for adoption of business models. Other answers may be valid reasons but are never the first reason for adoption of a specific business model. A business model describes the rationale of how an organization creates, delivers, and captures value (economic, social, cultural, or other forms of value). The process of business model construction is part of business strategy. 43

44 2. The first activity to be assessed by IS Auditor is:. A. Business Application B. Business Controls C. Business Model D. Business Laws Answer: C Business Model, needs to be assessed first by IS Auditor. The, b and d, are assessment to be made later on. As an IS Auditor it becomes important to understand the business model adopted by an organisation for a better understanding of risk associated with business model adopted by an organisation. 44

45 3. Arrange the following in chronological order A. Establishing the expected degree of reliance to be placed on internal control B. Determining and programming the nature, timing, and extent of the audit procedures to be performed C. Coordinating the work to be performed D. Acquiring knowledge of the client s accounting system, policies and internal control procedures The correct serial order: A, B, C, D D, A, B, C D, C, B, A B, C, D, A Answer: B As per SA 00 SA 00 on OVERALL OBJECTIVES OF THE INDEPENDENT AUDITOR AND THE CONDUCT OF AN AUDIT IN ACCORDANCE WITH STANDARDS ON AUDITING, the steps to audit as mentioned at point b. 45

46 4. ISACA ITAF 1202, states IS auditor needs the following for an enterprise: A. Inherent Risk and Audit Risk. B. Detection Risk and Control Risk. C. Subject matter risk and Audit risk. D. None of above Answer: B ISACA ITAF 1202, states IS auditor needs to consider subject matter risk and audit risk. Subject matter risk, relates to business risk, country risk, contract risks. Audit risk, is define as auditor reaching incorrect conclusion after an audit. The components of audit risk being control risk, inherent risk and detection risk. 46

47 5. The best definition which fits COBIT 5 is that it is a: A. Business framework for the governance and management of enterprise IT. B. System Audit Tool C. Management tool for corporate governance D. IT management tool Answer: A COBIT 5 can be best described as Business framework for the governance and management of enterprise IT by a. Other answers are part of COBIT framework but not full Framework. 47

48 Thank you! Questions? 48

SA 402(REVISED) AUDIT CONSIDERATIONS RELATING TO AN ENTITY USING

Part I : Engagement and Quality Control Standards I.271 SA 402(REVISED) AUDIT CONSIDERATIONS RELATING TO AN ENTITY USING A SERVICE ORGANISATION (EFFECTIVE FOR ALL AUDITS RELATING TO ACCOUNTING PERIODS