THE AUDIT OF INTEGRATED COMPUTER SYSTEMS
Marian Pompiliu CRISTESCU
'Lucian Blaga' University of Sibiu
marian.cristescu@ulbsibiu.ro
Abstract: Basically, ERP implies a policy that reflects what it means to think and act for the purpose of economic processes, and is therefore considered a strategic management solution. The new business model with process focused operations, increases productivity and meets the economic performance standards. The economic operational stages must be integrated in order to trigger workflows, to control the flow of information and to create connections between the organization, suppliers and customers. All this requires organizational changes, technological updates and, eventually, a new identity for the organization itself. The present paper proposes a specific approach to the procedures needed to perform the audit of integrated information systems. Concrete methods of undertaking audit operations for the financial accounting modules of integrated information systems are presented in the present work.
Keywords: Integrated Computer Systems, Internal Audit, Risk Management, System Implementation, procedures.
JEL classification: O31, O32
1. Introduction
The ERP applications form the backbone or basis of an organization and are "responsible" for data and information operations and with the internal organizational knowledge. The core of this application package has to administer internal data. They are organized in data warehouses, from where they are extracted and analyzed through decision support systems using OLAP or OLTP type tools. Overall, "data warehouses provide architecture and useful tools for the entity's top management by means of systematic organization, the understanding and usage of data for strategic decisions" [6]; in particular, they support information processing procedures by providing a solid platform for strengthening historical data for analysis.
According to [6], "the integration can be achieved at any business level using any type of technology. The key to success lies in choosing the best performing technologies that comply with the following criteria: the support provided to users, technological longevity, adaptability, scalability and the fast feedback of a solution":
' the application of the system, the data, the accessibility to the data and the graphical user interface are harmonized and standardized for users;
' the rationality of data corresponding to the enterprise ' the data has the same status in different systems and modules and are coherently defined at organizational level;
' all management applications and computerized media are scalable, portable and cover multiple functions.
From a technological point of view, the applications can be quickly reconfigured according to the amended business processes and must show flexibility. The code and the structure of the data support changes and replicates.
2. Performing substantive procedures
During an audit, the audit team must choose and apply those procedures that comply with audit standards and at the same time meet the objectives of that audit. Substantive procedures represent tests conducted by auditors in order to obtain proof or evidence needed to detect major inaccuracies in the financial statements. There are two types of substantive procedures: analytical procedures and substantive tests.
To understand the quality and the fairness of the financial accounting systems' operation, carried out within an entity and to rule over the truthfulness and accuracy with which financial statements were prepared for the financial term, auditors have to make a series of investigations:
a) Describing the procedures in a system that collects and processes data in order to determine, for each significant field (purchase of goods and services, storage, production, sales), which are the procedures used by the company for collecting information, drafting registers, data processing, recording of synthetic and analytical accounting in chronological and systematic records. The legal provisions of the National Accounting Standards state as follows: "The supporting documents that help base the underlying accounting records make liable the individuals who have drafted, authorized, approved or made the registration in the accounting", this claim is also found in [11], [8], [9].
b) The compliance tests
The compliance tests are designed to determine whether the procedures described above are real, regardless if they are applied or not. At this stage, the main focus is not on discovering the errors in the functioning of financial accounting information system, but only to determine whether the system described above is, of course, the real one.
c) Preliminary assessment of the risk of errors
Once a description of the accounting data collection and processing is established in the financial system, a preliminary assessment of the reliability of the organization will be undertaken in order to highlight the strengths and weaknesses of the system procedures.
At this stage the system is analyzed in order to asses the design, to highlight the design errors, making sure that the stage that follows will verify the functionality of the system.
The strengths consist of controls, placed in the data processing flow, which guarantee a correct accounting procedure.
The weaknesses are represented by the deficiencies of the system that may give rise to risks of errors or fraud.
d) Test of continuity
The aim is to monitor if the procedures are implemented in a permanent manner without fault. These tests must be broad enough to provide certainties for the functioning of the system.
To detect the risks occurred in the functioning of the system, an analysis of the preventive and detection controls provided by the company, must be enforced.
3. Performing analytical procedures and documentation
The auditors design and perform substantive procedures to account for the assessment regarding significant audit risk at the level of assertion. The substantive procedures applied by the auditors at assertion level may be derived from tests of details, from substantive analytical procedures or from a combination of both of the above.
In accordance with the International Standards on Auditing [10], the analytical procedures are used for the following purposes:
a) As risk assessment procedures to gain an understanding of the entity and its environment;
b) As substantive procedures, when their usage can be more effective or efficient than compared to the tests of details, in reducing audit risk at the level of assertion at an acceptable low level;
c) As an overall review of computer systems and of the financial statements at the end of the year.
The first stage of an analytical procedure is to determine the acceptable difference between the forecast made by the auditor and the numbers stated in the financial statements. Furthermore, the auditor will take into account the relationship between the total value of the category of operations and the basis of materiality, calculating the acceptable difference as according to the following formula [11]:
The acceptable difference = The level of materiality x V (1)
(The value of the transaction category /The square root of the basis of materiality)
Example:
An auditor determines the materiality level at 450,000 Euros for entity X. The total expenditure of 50 million Euros forms the basis of materiality. The auditor wants to perform an analytical review of the transaction category for staff salary, of 40 million Euros.
The method of calculation:
The sum of 40 million Euros (the value of the transaction category) divided by 50 million Euros (the basic materiality) equal to 0.8, from which the auditor extracts the square root (0.8944). Then, he multiplies this result with the materiality level (450.000 Euros) obtaining the acceptable difference of 402.292 Euros.
The second stage of an analytical procedure is to make an estimate. The auditor should perform this procedure before knowing the value noted in the financial statements. Therefore, the forecast that the auditor makes, must result from independent data than those foreseen by the accounting records. In this case, it results that the information obtained from outside sources of the entity are more valuable than those obtained from the inside.
Example:
If the audior inspects a school with 150 employed teachers who earn 2000 Euros per year, then the total value of expenses encountered for paying wages is expected to be of 300.000 (150 x 2.000).
If an audited entity collects local taxes from the population, the auditor will be able to estimate what would be the total income. Thus, if the entity collects 100 Euros per apartment in the area and 150 Euros per house, and there are 20,000 apartments and 5,000 houses, then the expected income will be:
Table 1. Data adherent to the process of estimation
Number Value Total income
Apartments 20.000 100 Euros 2.000.000 Euros
Houses 5.000 150 Euros 750.000 Euros
2.750.000 Euros
The third stage of the analytical procedures is to compare the forecast with the value of the account. This is a simple procedure that the auditor must register within the work papers, then he must assess whether the actual numbers correspond within the acceptable ranges, meaning that the difference between forecast and account numbers is lower than the accepted difference. In case the value ranges within these limits, the auditor is certain that the verified transactions are in accordance with the existing regulations. It is accepted only a small difference between the actual and the estimated number (maximum tolerance of 1 percent) where those differences cannot be adequately explained.
If the numbers surpass the limits, the auditor should request punctual explanations. He will use open questions as: 'what factors have influenced those incomes?' and he will not ask 'why the resulted income is bigger or smaller, this year'.
Example:
If the recorded incomes in the financial accounting information system related to concessions and corporate rents are about 4.000.000 Euros and the forecast situations had been about 2.750.000 Euros, then the audit team will request explanations for the variation of the 1.250.000 Euros sum. The informatic system should be equipped with a warning system in case of increased variation (45%). If the credit accountant will explain to the audit team that this increase is due to the new spaces used during the year, then the team will have to determine how many such spaces were built and which was the surface given for rent, as well as the commencement date of collecting the rents.
Considerations regarding the evaluation of the analytical procedures and tests of control regarding the information system:
Evaluation of the analytical procedures
If the analytical procedures allow the formulation of a forecast in the limits of an acceptable difference, then the auditor can rely on the planned insurance. In the case where the analytical procedures do not indicate a forecast within the limits of the acceptable difference, then the planned insurance cannot be taken into consideration and the audit must adopt alternative procedures aimed to obtain the planned insurance.
Evaluation of the control tests
If the auditors find that certain controls have not given the proper result, they will analyze the possibility of conducting other controls (alternatives). In case there are no alternative controls or they prove to be ineffective, the auditor should revise the audit plan.
For example, if a monthly variation analyze is not undertaken for individual wages, this does not necessarily mean that the payroll for that month is incorrect.
4. The audit report
The audit report should contain a clear opinion based on the evaluation of the conclusions drawn in accordance with the evidence obtained during the audit.
According to the Audit Standard no. 700 , "The audit report" [12], "must contain, in writing, a clear opinion on the financial statements considered as a whole".
Before drafting the audit report, it is recommended to verify the decision tree that might look like this:
Figure 1. The decisions tree
To select the most appropriate audit procedures to be used for checking the financial accounting information system, it is considered that the auditors should use the decision tree [7], [2].
According to [1], [3], [5], [6] it all starts with the risk assessment for the information system as a whole and for each separate module. If majour error risks were identified, the auditors must verify the internal controls of the entity, carried out for preventing and reducting risks.
5. Conclusions
Following the analysis and the comparison of the European Standards [8], [9] used in the auditing of the financial and accounting information systems, a number of common elements that need to be introduced and used in Romanian standards were identified.
As such, the financial and accounting information systems' audit should be:
a) easy to understand ' a clear, simple language must be used, to the extent permitted by the objectives of the audit.
b) unambiguous/clear – the auditor will ensure that all the findings are expressed accurately and leave no room for interpretation, the easiest way to be fully understood is to use standard formulas that are generally accepted;
c) complete – an audit must contain all the information necessary to firstly fulfill the objectives of the audit and then the requirements of the audited entity;
d) accurate – an accurate description implies, with accuracy the scope of the audit and the used methods. Any inaccuracy occurred within the audit report may create doubts on the validity of the report as a whole, and can distract the attention from the purpose of the report;
e) objective – an audit report has a considerably greater credibility if the evidence is presented in an impartial manner;
f) persuasive/ convincing ' the user must be convinced by the reality of the findings, of the reasonableness of conclusions and by the benefit of applying the formulated recommendations;
g) concise – the audit should be concise and to contain conclusions and recommendations to support the evidence presented.
An audit report must specify the type and extention of the paper, of the IFAC International Auditing Standards and the Guidelines for Internal or International Audit [10], [12] on with theme works were carried out.
References
[1] M. Boulescu, D. Fusaru, Z. Gherasim, 'Auditul Sistemelor Informatice Financiar- Contabile', Editura Tribuna Economic'', 2005, Bucure''ti.
[2] J. J. Champlain, 'Auditing Information Systems', Second Edition, John Wiley & Sons, Inc., 2003, USA.
[3] A. Eden, V. Stanciu, 'Auditul Sistemelor informatice', Editura Dual Tech, 2004, Bucure''ti.
[4] D. Fotache and A. Munteanu, ' Auditarea sistemelor integrate de aplica''ii' in Analele ''tiin''ifice ale universit''ii 'Alexandru Ioan Cuza' din Ia''i, Tomul LII/LIII, ''tiin''e Economice 2005/2006, pp. 283-287.
[5] A. Munteanu, 'Auditul sistemelor informa''ionale contabile', Editura Polirom, 2001, Ia''i.
[6] ''. Popa, C. Ionescu, 'Audit ''n medii informatizate', Editura Expert, 2005, Bucure''ti.
[7] O. Ray Whittington, K. Pany, W. B. Meigs, R. F. Meigs, 'Principles of Auditing', Tenth Edition, IRWIN Boston.
[8] Curtea european'' de conturi, 'Standardele europene de audit ale Organiza''iei Europene a Institu''iilor Supreme de audit', 2002.
[9] Curtea european'' de conturi, 'Liniile directoare europene de implementare a standardelor de audit INTOSAI', Curtea de Conturi a Rom''niei, 2002.
[10] Standardele Interna''ionale de Audit nr. 520, paragraph 7.
[11] Curtea de Conturi a Rom''niei, 'Manualul de Audit Financiar ''i Regularitate', Bucure''ti, 2003.
[12] Standardele Interna''ionale de Audit, ISA 700, 'Raportul de audit'.