Application Activity-Seminar 2

19 May


Chapter 3, 3-82: Explain how the concept of continuous monitoring might be applied in a computerized application that processes sales orders and records sales.

These are examples of how the concept of continuous monitoring might be applied in a computerized application that processes sales orders and records sales.

Automating the revenue cycle

Authorizations and data access can be performed through computer screens.

There is a decrease in the amount of paper.

The manual journals and ledgers are changed to disk or tape transaction and master files.

Input is still typically from a hard copy document and goes through one or more computerized processes.

Processes store data in electronic files (the tape or disk) or prepare data in the form of a hard-copy report.

Revenue cycle programs can include:

formatted screens for collecting data

edit checks on the data entered

instructions for processing and storing the data

security procedures (passwords or user IDs)

steps for generating and displaying output

To understand files, you must consider the record design and layout.

The documents and the files used as input sources must contain the data necessary to generate the output reports.

Independent Verification – consolidating accounting tasks under one computer program can remove traditional independent verification controls. To counter this problem:

perform batch control balancing after each run

produce management reports and summaries for end users to review

PC control issues

Segregation of Duties – tends to be inadequate and should be compensated for with increased supervision, detailed management reports, and frequent independent verification

Access Control – access controls over the data stored on the computer tend to be weak; methods such as encryption and disk locking devices should be used

Explain the types of products that each company provides and how the products might help other companies implement effective monitoring over computer operation. To what extent are the software products (1) another control to be implemented versus (2) an approach to control monitoring?

Data Analysis – Ad-hoc analysis of data populations to detect transactions that fall outside of business norms, internal control standards or regulatory requirements.

Internal audit, financial control and compliance professionals are faced with the challenge of reliably achieving objectives while addressing uncertainty and acting with integrity. Whether the objective is to provide business assurance, improve controls, or ensure compliance, it will be difficult to draw any credible conclusions to help the business without analyzing the underlying data in detail.

However, data analysis specifically for audit, financial control and compliance is easier said than done. The key goal behind the analysis is to identify data discrepancies that need more investigation – this requires more sophisticated capabilities than just summarization and aggregation. Add to this the importance of easily sharing, presenting and distributing analysis results to stakeholders and the search for an effective analysis solution becomes even more challenging.

Enterprise Continuous Monitoring – Recurring analysis of transactional data designed as an early detection system to help prevent and mitigate business impacts through identification of operational deficiencies or control gaps.

With a centralized working environment, teams can set up a consistent and repeatable analytics practice that analyzes transactional data and minimizes dependency upon any one individual, thus having less risk of existing work becoming unusable because a team member has left. This approach helps to retain knowledge and maximize resources needed to on-board new users, especially when faced with rotational staff demands.

Users can also formulate thoughts, ideas, and questions related to data analysis more easily – all of which help achieve collaborative team effort rather than a solitary task. Team efficiency is greatly improved as both technical and non-technical users can efficiently access, use, and share test results.

GRC – Management and measurement of risks and controls against business objectives in accordance with regulations, standards, policies and business decisions.

There is a solution. Audit, risk and compliance management doesn’t have to be complex or spreadsheet-intensive. With you in mind, we designed ACL™ GRC— a flexible and easy way to manage the process of assessing risk, planning and organizing projects, analyzing data, communicating issues, and visually sharing your findings. Since ACL GRC is delivered in the cloud, it’s accessible from anywhere, secure, and doesn’t require any ongoing IT support.

Improve productivity by achieving an average increase of 25% in audit efficiency with automated workflows

Deliver higher ROI by providing organizational value-add services while spending less time documenting and reviewing

Enable faster decision making by providing visibility into information with smart dashboards and reporting tools and sharing it across other departments and stakeholders

Collaborate and work from anywhere since your client audit data is accessible in the cloud and available to your team members 24×7

Achieve low Total Cost of Ownership by eliminating the heavy up-front technology costs that other on premise or complex systems impose. ACL GRC is cost effective over traditional manual processes and requires no IT set up time or maintenance headaches – your system is automatically upgraded.

It’s imperative for a company to have a backup system for all its financial transactions. However, it is costly, and many of the systems used to back up a corporation’s financials are cloud systems. We were all forewarned by Edward Norton that these cloud services are very penetrable by hackers or the US Government. Therefore, they are not reliable or safe.

The open nature of the Internet makes it vital for businesses to pay attention to the security of their networks. As companies move more of their business functions to the public network, they need to take precautions to ensure that the data cannot be compromised and that the data is not accessible to anyone who is not authorized to see it.

Modern networks are very large, very interconnected, and run both ubiquitous protocols (such as IP) and proprietary protocols. Therefore, they are often open to access, and a potential attacker can with relative ease attach to, or remotely access, such networks. Widespread IP internetworking increases the probability that more attacks will be carried out over large, heavily interconnected networks, such as the Internet.

Computer systems and applications that are attached to these networks are becoming increasingly complex. In terms of security, it becomes more difficult to analyze, secure, and properly test the security of the computer systems and applications; it is even more so when virtualization is involved. When these systems and their applications are attached to large networks, the risk to computing dramatically increases.

Chapter 4 4-67 Deloitte, Beazer Homes

a. Using appropriate sources, research this case and identify fraud risk red flags that the auditor should have been aware of in these audits.

The investors alleged that there were many “red flags” that should have alerted Deloitte to potential GAAP violations due to the weak internal controls. The auditor was accused of “severe recklessness.” The shareholders alleged, for example, that Deloitte should have noticed that Beazer was likely overdue in recording impairments on its land assets as the real estate market began to decline, among the other alleged accounting violations. And “Deloitte either knowingly ignored or recklessly disregarded Beazer’s wide-ranging material control deficiencies and material weaknesses during the class period,” according to the shareholders’ complaint.

b. If the fraud risk red flags were indeed present during Deloitte’s audit, what were the auditors’ responsibilities in conducting the audit?

During the audit, the auditors’ responsibilities were to implement the framework for professional decision making. It was the auditor’s obligation to make quality decisions associated with the evaluation of Deloitte’s financial statements. The auditor was unethical, and he did not comply with the professional responsibilities of the Sarbanes-Oxley Act, the PCAOB, and the SEC. Eventually the PCAOB censured Deloitte & Touche and penalized it $1 million for not implementing the auditing standards and for failing to apply due professional care.

c. Comment on Deloitte’s willingness to settle the case while at the same time denying liability.

Deloitte settled the case to avoid the expense and the uncertainty of continued litigation. It would have been very costly on Deloitte’s part to continue the litigation. The payout could have been much more substantial. Also, adding the court fees and attorney fees makes it a very expensive process. The case could have dragged on, and meanwhile the plaintiff could have found more evidence to further implicate Deloitte. For Deloitte, which denies any liability in connection with the Action and the claims asserted by Plaintiffs in the Complaint, the principal reason for the settlement is to eliminate the expense, risks, and uncertain outcome of the litigation. Continued litigation could also negatively affect its reputation, and the liability doctrines permit a recovery of the full amount of the settlement from an external audit firm even though that firm is found to be only partially responsible for the loss.


Johnstone, K., Gramling, A., & Rittenberg, L. E. (2015). Auditing: A Risk-Based Approach to Conducting a Quality Audit. Boston, MA: Cengage.
