
AUDITING IN AN IT ENVIRONMENT
(Using SAP B1)

FASTTRACK IT ACADEMY | GF King’s Court Bldg II., Chino Roces cor. Delarosa Sts., Makati City 1200, Philippines | Telephone Number: 63.2.759.4348 | www.fitacademy.ph


QG Template_IT Audit _Part I printed on 10/18/2019 4:33 PM



TABLE OF CONTENTS

Chapter 1
Introduction to Information Technology Audit
What is an Information Technology (IT) Audit?
IT Audit Objectives
IT Audit vs. Financial Statement Audit and Compliance Audit
IT Audit Process
Overview of the Four (4) Phases of an IT Audit
Chapter 2
Test of Controls
What is an Internal Control?
Objectives of Internal Control
Modifying Assumptions
Five Components of Internal Control (CRIME)
EXERCISE 1: Transaction Authorization
EXERCISE 2: Transaction Authorization
EXERCISE 3: Segregation of duties
EXERCISE 4: Accounting Records
EXERCISE 5: General Controls
EXERCISE 6: Source Document Controls
EXERCISE 7: Data Coding Controls
EXERCISE 8: Field Integration
EXERCISE 9: Audit Trail Controls
Chapter 3
Substantive Tests
What is Substantive Procedure?
Substantive Tests of Revenue Cycle


EXERCISE 10: Testing the Accuracy and Completeness Assertions (Use Auditor’s Account)
EXERCISE 11: Testing the Valuation and Allocation Assertion
Substantive Tests of Expenditure Cycle
EXERCISE 12: Testing the Accuracy Assertion (Use Auditor’s Account)
EXERCISE 13: Testing the Completeness Assertion
EXERCISE 14: Testing the Existence Assertion
EXERCISE 15: Testing the Valuation and Allocation Assertion
Substantive Test of Other Financial Statement Accounts
Audit of Cash
Audit of Inventories
Audit of Prepayments
Audit of Fixed Assets
Chapter 4
IT Audit Report


Chapter 1
Introduction to Information Technology Audit
What is an Information Technology (IT) Audit?
• IT audit is the examination and evaluation of an organization's information
technology infrastructure, policies and operations. Information technology audits determine
whether IT controls protect corporate assets, ensure data integrity and are aligned with the
business's overall goals. IT auditors examine not only physical security controls, but also
overall business and financial controls that involve information technology systems.

• It can also be defined as any audit that encompasses review and evaluation of automated
information processing systems, related non-automated processes and the interfaces among
them.

IT Audit Objectives
Because operations at modern companies are increasingly computerized, IT audits are used
to ensure information-related controls and processes are working properly. The primary objectives of an
IT audit include:

• Evaluate the systems and processes in place that secure company data.

• Determine risks to a company's information assets, and help identify methods to minimize those
risks.

• Substantiate that the internal controls exist and are functioning as expected to minimize business
risk.

• Ensure information management processes are in compliance with IT-specific laws,
policies and standards.

• Determine inefficiencies in IT systems and associated management.

IT Audit vs. Financial Statement Audit and Compliance Audit


IT Audit is not about ordinary accounting controls or traditional financial auditing. The use of
computers in accounting systems introduced a new source of risk associated with accounting
processes and information (i.e., data). And, it introduced the need for those who understand this
new “thing” to identify and mitigate the risk. Financial Audit is focused on gathering data to
ensure that the company’s financial statements are free from material misstatements. On the other
hand, IT audit is the examination and evaluation of an organization's information
technology infrastructure, policies and operations. Information technology audits determine
whether IT controls protect corporate assets, ensure data integrity and are aligned
with the business's overall goals. IT Audit is just a part of the overarching process of the Financial
Audit.


IT auditing is also not compliance testing. Some believe IT auditors are about making sure people
conform to some set of rules—implicit or explicit—and that what we do is report on exceptions to the
rules. Actually, that is management’s job. It is not the compliance with rules that is of interest to IT
auditors. IT auditors are examining whether the entity’s relevant systems or business processes for
achieving and monitoring compliance are effective. IT auditors also assess the design effectiveness of
the rules—whether they are suitably designed or sufficient in scope to properly mitigate the target risk
or meet the intended objective.

Compliance failures are important to IT auditors, but for reasons beyond the keeping of rules. A
compliance failure can be, and often is, the symptom of a bigger problem related to some risk factor
and/or control, such as a defective system or business process, that can or does adversely affect the
entity. Thus, to the IT auditor, compliance failures are much more about risk (ultimately) than the rules
themselves.

It is also passé to automatically or casually consider the IT aspects of an audit to be out of scope
because they are not explicitly related to some stated requirement, or to consider an audit to be a waste of
time. The fact is IT can and does adversely affect business processes or financial data in ways of which
management may not be adequately aware.

IT Audit Process

1. Planning the Audit Schedule

A key part of a good process is having an overall Audit Schedule that is readily available to let
everyone know when each process will be audited over the upcoming cycle (usually a yearly
schedule). If you were not to have a plan and went with surprise audits, the message that is
given from senior management is “We don’t trust our employees.” By publishing the audit
intentions, the message is that this is meant as a support to the process owners and the auditors
are there to help. This can allow the process owners to time the finish of any improvement
projects that they are working on to be before the audit, so that they can gather valuable
information on the implementation, or to request the auditors to focus on helping to gather
information for other planned improvements.

2. Planning the Process Audit

The first step in planning the individual process audits is to confirm with the process owners
when the audit will take place. The overall plan above is more of a guideline as to how often
processes will be audited, and roughly when, but the confirmation allows the auditor and
process owner to collaborate to determine the best time to review the process. This is when the
auditor can review previous audits to see if any follow-up is required on comments or concerns
previously found, and when the process owner can identify any areas that the auditor can
look at to assist the process owner to identify information. A good audit plan can make sure
that the process owner will get value out of the audit process.


Planning the IT audit involves two major steps. The first step is to gather information and do some
planning; the second step is to gain an understanding of the existing internal control structure.
More and more organizations are moving to a risk-based audit approach which is used to assess
risk and helps an IT auditor make the decision as to whether to perform compliance testing or
substantive testing. In a risk-based approach, IT auditors are relying on internal and operational
controls as well as the knowledge of the company or the business. This type of risk
assessment decision can help relate the cost-benefit analysis of the control to the known risk. In
the “Gathering Information” step the IT auditor needs to identify five items:

a. Knowledge of business and industry
b. Prior year’s audit results
c. Recent financial information
d. Regulatory statutes
e. Inherent risk assessments

A side note on “inherent risk”: it is defined as the risk that an error exists that could be
material or significant when combined with other errors encountered during the audit,
assuming there are no related compensating controls. As an example, complex database
updates are more likely to be miswritten than simple ones, and thumb drives are more likely to
be stolen (misappropriated) than blade servers in a server cabinet. Inherent risks exist
independent of the audit and can occur because of the nature of the business.

In the “Gain an Understanding of the Existing Internal Control Structure” step, the IT auditor
needs to identify five other areas/items:

a. Control Environment
b. Control Procedures
c. Detection Risk Assessment
d. Control Risk Assessment
e. Equate Total Risk

Once the IT auditor has “Gathered Information” and “Understands the Control,” they are
ready to begin the planning, or selection of areas, to be audited. Remember that one of the key
pieces of information you will need in the initial steps is a current Business Impact Analysis
(BIA), to assist you in selecting the applications that support the most critical or sensitive
business functions.

3. Conducting the Audit

An audit should start with a meeting with the process owner to make sure that the audit plan is
complete and ready. Then there are many avenues for the auditor to gather information during
the audit: reviewing records, talking to employees, analyzing key process data or even
observing the process in action. The focus of this activity is to gather evidence that the process
is functioning as planned in the QMS, and is effective in producing the required results. One of the most
valuable things that an auditor can do for a process owner is not only to identify areas that do not
have evidence that they are functioning properly, but also to point out areas of a process that may
function better if changes are made.

4. Reporting on the Audit

A closing meeting with the process owner is a necessity to ensure that the flow of information is
not delayed. The process owner will want to know if there are any areas of weakness that need
to be addressed, but will also be interested in knowing if any areas exist that might be
improved. This should be followed with a written record as soon as possible to provide the
information in a more permanent format to enable follow-up of the information. By identifying
not only the non-conforming areas of the process, but also the positive areas and potential
improvement areas, the process owner will get a better value from the Internal Audit, which
will allow for process improvements.

5. Follow-up on Issues or Improvements Found

As with many areas of the standard, follow-up is a critical step. If problems have been found and
corrective actions taken, making sure that the problem is actually fixed is a key part of fixing it.
If improvement projects have been completed from opportunities identified in the audit, then
seeing how much the process has improved is a great motivator for future improvements.

Overview of the Four (4) Phases of an IT Audit


The IT audit is generally divided into three phases: audit planning, tests of controls, and substantive
testing.

1. Audit Planning

The first step in the IT audit is audit planning. Before the auditor can determine the nature and
extent of the tests to perform, he or she must gain an understanding of the business. A major part of this phase of the
audit is the analysis of audit risk. The objective of the auditor is to obtain sufficient information
about the firm to plan the other phases of the audit. The risk analysis incorporates an overview
of the organization’s internal controls. During the review of controls, the auditor attempts to
understand the organization’s policies, practices, and structure. In this phase of the audit, the
auditor also identifies the financially significant applications and attempts to understand the controls over the primary
transactions that are processed by these applications.

The techniques for gathering evidence at this phase include questionnaires, interviewing
management, reviewing systems documentation, and observing activities. During this process,
the IT auditor must identify the principal exposures and the controls that attempt to reduce
these exposures. Having done so, the auditor proceeds to the next phase, where he or she tests the
controls for compliance with pre-established standards.

2. Tests of Controls


The objective of the tests of controls phase is to determine whether adequate internal controls are in
place and functioning properly. To accomplish this, the auditor performs various tests of
controls. The evidence gathering techniques used in this phase may include both manual
techniques and specialized computer audit techniques.

At the conclusion of the tests of controls phase, the auditor must assess the quality of
internal controls. The degree of reliance the auditor can ascribe to internal controls affects the
nature and extent of substantive testing that needs to be performed.

3. Substantive Testing

The third phase of the audit process focuses on financial data. This involves a detailed
investigation of specific account balances and transactions through what are called
substantive tests. For example, a customer confirmation is a substantive test sometimes used
to verify account balances. The auditor selects a sample of accounts receivable balances and
traces these back to their source – the customers – to determine if the amount stated is in fact
owed by a bona fide customer. By doing so, the auditor can verify the accuracy of each
account in the sample. Based on such sample findings, the auditor is able to draw
conclusions about the fair value of the entire accounts receivable asset.

Some substantive tests are physical, labor-intensive activities such as counting cash, counting
inventories in the warehouse, and verifying the existence of stock certificates in a safe. In an IT
environment, the information needed to perform substantive tests (such as account balances
and names and addresses of individual customers) is contained in data files that often
must be extracted using Computer Assisted Audit Tools and Techniques (CAATTs) software.

4. Audit Report

So what’s included in the audit documentation, and what does the IT auditor need to do once
their audit is finished? Here’s the laundry list of what should be included in your audit
documentation:

• Planning and preparation of the audit scope and objectives
• Description and/or walkthroughs on the scoped audit area
• Audit program
• Audit steps performed and audit evidence gathered
• Whether services of other auditors and experts were used and their contributions
• Audit findings, conclusions and recommendations
• Audit documentation relation with document identification and dates (your
cross-reference of evidence to audit step)
• A copy of the report issued as a result of the audit work
• Evidence of audit supervisory review

When you communicate the audit results to the organization it will typically be done at an exit
interview where you will have the opportunity to discuss with management any findings and
recommendations. You need to be absolutely certain of:


• The facts presented in the report are correct
• The recommendations are realistic and cost-effective, or alternatives have been
negotiated with the organization’s management
• The recommended implementation dates will be agreed to for the recommendations
you have in your report.

Your presentation at this exit interview will include a high-level executive summary (as Sgt.
Friday used to say, just the facts please, just the facts). And for whatever reason, a picture is
worth a thousand words, so do some PowerPoint slides or graphics in your report.

Your audit report should be structured so that it includes:

• An introduction (executive summary)
• The findings are in a separate section and grouped by intended recipient
• Your overall conclusion and opinion on the adequacy of controls examined and any
identified potential risks
• Any reservations or qualifications with respect to the audit
• Detailed findings and recommendations

Finally, there are a few other considerations which you need to be cognizant of when preparing
and presenting your final report. Who is the audience? If the report is going to the audit
committee, they may not need to see the minutiae that go into the local business unit report.
You will need to identify the organizational, professional and governmental criteria applied
such as GAO-Yellow Book, CobiT or NIST SP 800-53. Your report will want to be timely so as to
encourage prompt corrective action.

And as a final, final parting comment, if during the course of an IT audit, you come across a
materially significant finding, it should be communicated to management immediately, not at
the end of the audit.


Chapter 2
Test of Controls
What is an Internal Control?
Internal Control is defined as a process for assuring the achievement of an organization’s objectives in operational
effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and
policies.

Internal Controls are also the mechanisms, rules, and procedures implemented by a company to ensure
the integrity of financial and accounting information, promote accountability and prevent fraud.

Objectives of Internal Control


The internal control system comprises policies, practices, and procedures employed by the
organization to achieve four broad objectives:

1. To safeguard assets of the firm.
2. To ensure accuracy and reliability of accounting records and information.
3. To promote efficiency in the firm’s operations.
4. To measure compliance with management’s prescribed policies and procedures.

The internal control system serves as a shield that protects the firm’s assets from numerous
undesirable events that bombard the organization. These include attempts at unauthorized access to
the firm’s assets (including information), fraud perpetrated by persons both in and outside the firm,
errors due to employee incompetence, faulty computer programs, and corrupted input data, and
mischievous acts such as unauthorized access by computer hackers and threats from computer viruses
that destroy programs and databases.

A weakness in internal control may expose the firm to one or more of the following types of risks:

1. Destruction of assets (both physical assets and information)
2. Theft of assets
3. Corruption of information or the information system
4. Disruption of the information system

Modifying Assumptions
Inherent in these control objectives are four modifying assumptions that guide designers and
auditors of internal control systems.

1. Management Responsibility

This concept holds that the establishment and maintenance of a system of internal control is a
management responsibility.

2. Reasonable Assurance


The internal control system should provide reasonable assurance that the four broad objectives of
internal control are met. This means that no system of internal control is perfect and the
cost of achieving improved control should not outweigh its benefits.

3. Methods of Data Processing

The internal control system should achieve the four broad objectives regardless of the data
processing method used. However, the techniques used to achieve these objectives will vary
with different types of technology.

4. Limitations

Every system of internal control has limitations on its effectiveness. These include (1) the
possibility of error – no system is perfect, (2) circumvention – personnel may circumvent
the system through collusion or other means, (3) management override – management is in a
position to override control procedures by personally distorting transactions or by directing a
subordinate to do so, and (4) changing conditions – conditions may change over time so that
existing controls may become ineffectual.

Five Components of Internal Control (CRIME)

1. Control Environment

The control environment is the foundation for the other four control components. The control
environment sets the tone for the organization and influences the control awareness of its
management and employees.

2. Risk Assessment

Organizations must perform a risk assessment to identify, analyze, and manage risks relevant to
financial reporting. Risks can arise out of changes in circumstances such as:

• Changes in the operating environment that impose new competitive pressures on the firm.
• New personnel who possess a different or inadequate understanding of internal control.
• New or reengineered information systems that affect transaction processing.
• Significant or rapid growth that strains existing internal controls.
• The implementation of new technology into the production process or information
system that impacts transaction processing.

3. Information and Communication

The accounting information system consists of the records and methods used to initiate, identify,
analyze, classify, and record the organization’s transactions and to account for the related
assets and liabilities. The quality of information generated by the AIS impacts management’s ability
to take actions and make decisions in connection with the organization’s operations and to
prepare reliable financial statements. An effective accounting system will:

• Identify and record all valid financial transactions.
• Provide timely information about transactions in sufficient detail to permit
proper classification and financial reporting.
• Accurately measure the financial value of transactions so their effects can be recorded
in financial statements.
• Accurately record transactions in the time period in which they occurred.

SAS 78 requires that auditors obtain sufficient knowledge of the organization’s information
system to understand:

• The classes of transactions that are material to the financial statements and how
those transactions are initiated.
• The accounting records and accounts that are used in the processing of
material transactions.
• The transaction processing steps involved from the initiation of an economic event to
its inclusion in the financial statements.
• The financial reporting process used to prepare financial statements, disclosures,
and accounting estimates.

4. Monitoring

Management must determine that internal controls are functioning as intended. Monitoring is
the process by which the quality of internal control design and operation can be assessed. This
may be accomplished by separate procedures or by ongoing activities.

An organization’s internal auditors may monitor the entity’s activities in separate procedures.
They gather evidence of control adequacy by testing controls, and then communicate control
strengths and weaknesses to management. As part of this process, internal auditors make
specific recommendations for improvement to controls.

Ongoing monitoring may be achieved by integrating special computer modules into the
information system that capture key data and/or permit tests of controls to be conducted as
part of routine operations.

Another technique for achieving ongoing monitoring is the judicious use of management
reports. Timely reports allow managers in functional areas such as sales, purchasing,
production, and cash disbursements to oversee and control their operations. By summarizing
activities, highlighting trends, and identifying exceptions from formal performance,
well-designed management reports provide evidence of internal control function or malfunction.

5. Control Activities

Control activities are the policies and procedures used to ensure that appropriate actions are
taken to deal with the organization’s identified risks. Control activities can be grouped into two
distinct categories: computer controls and physical controls. The focus of this module is on the
former.

Physical Controls - This class of control activities relates primarily to traditional accounting
systems that employ manual procedures. However, an understanding of these control concepts
also gives insights to the risks and control concerns associated with the IT environment. There
are six traditional categories of Physical Control Activities.

Transaction Authorization - The purpose of transaction authorization is to ensure that all
material transactions processed by the information system are valid and in accordance with
management’s objectives. Authorizations may be general or specific. General authority is
granted to operations personnel to perform day-to-day operations. An example of general
authorization is the procedure to authorize the purchase of inventories from a designated
vendor only when inventory levels fall to their predetermined reorder points. This is
called a programmed procedure (not necessarily in the computer sense of the word). The
decision rules are specified in advance, and no additional approvals are required.

On the other hand, specific authorizations deal with case-by-case decisions associated with
non-routine transactions. An example of this is the decision to extend a particular customer’s
credit limit beyond the normal amount. Specific authority is usually a management
responsibility.


EXERCISE 1: Transaction Authorization

Perform transaction with a programmed procedure


a. Open SAP Business One
- On the desktop, double-click SAP Business One.
- Click ‘Change Company’, then in the Choose Company window, click RU Laptops, Co.
- Enter the User ID: Lukas Password: 1234
Note: Use the user account of Lukas Ibarra to have the proper authorizations for the
transaction to be made.

b. Create a Sales Order
- Navigate to Sales – A/R Module > Sales Order.
- In the Customer field, choose C1100 Jacob Electronics.
- Click the Logistics Tab, then check the Procurement Document box.
- Type the current date in the delivery date. The posting date stays at its default, which is the system date.
- Click the Contents Tab. Add Item S1000 in the Item Field with the Quantity of 20.
- Press Enter. Item Availability Check window will appear as shown below. Choose Continue and click OK.
- Click Cancel to cancel the document.

The Item Availability Check is a programmed procedure that ensures proper action is taken
on sales orders for items that may not be available at the moment.


EXERCISE 2: Transaction Authorization

Perform transaction with specific authorizations

You found out in the Company policies that no Purchase Order amounting to more than
P200,000 shall be allowed to be posted without the approval of the manager first. Test this
kind of control in the system.

a. Log in to the account of Karla Sy to have the proper authorizations for the transaction to
be made
Go to Administration > Choose Company > Change User > User ID: Karla then Password: 1234

b. Create a Purchase Order that will qualify for the Approval Procedure
- Navigate to Purchasing – A/P Module > Purchase Order
- In the Vendor field, choose V1000 Laptop Queen Philippines, Inc.
- Dates are left at their defaults, which are the system date.
- In the Contents Tab, add Item S1000 in the Item Field with the Quantity of 10. Enter Unit Price of P22,000.00 then click Add. Total amount of Purchase Order should be PhP246,400 which should trigger the approval procedure.
- Cancel the document.

Based on the internal policy of the company, approval of the manager is needed for purchases
greater than 200,000.00.
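The same control can be re-performed over an exported purchase order list instead of one document at a time. The sketch below is an added example, not part of the original module or of SAP Business One; the export layout, document numbers and dates are constructed, and the 12% tax rate is an assumption that reconciles 10 x P22,000 with the stated total of PhP246,400.

```python
from collections import defaultdict
from decimal import Decimal

APPROVAL_THRESHOLD = Decimal("200000")  # policy quoted in the exercise: more than P200,000
ASSUMED_TAX_RATE = Decimal("0.12")      # assumption: reconciles 10 x 22,000 with PhP246,400

# Constructed purchase order export; document numbers and dates are made up.
PURCHASE_ORDERS = [
    {"doc_no": 101, "vendor": "V1000", "date": "2013-03-04", "total": "246400.00",
     "created_by": "Karla", "approved_by": "manager"},
    {"doc_no": 102, "vendor": "V1000", "date": "2013-03-20", "total": "200000.00",
     "created_by": "Karla", "approved_by": None},
    {"doc_no": 103, "vendor": "V1000", "date": "2013-04-02", "total": "310000.00",
     "created_by": "Karla", "approved_by": None},
    {"doc_no": 104, "vendor": "V1000", "date": "2013-04-15", "total": "250000.00",
     "created_by": "Karla", "approved_by": "Karla"},
    {"doc_no": 105, "vendor": "V1000", "date": "2013-05-10", "total": "120000.00",
     "created_by": "Karla", "approved_by": None},
    {"doc_no": 106, "vendor": "V1000", "date": "2013-05-10", "total": "110000.00",
     "created_by": "Karla", "approved_by": None},
]


def document_total(quantity, unit_price, tax_rate=ASSUMED_TAX_RATE):
    """Quantity x unit price plus tax, rounded to centavos."""
    net = Decimal(quantity) * Decimal(unit_price)
    return (net * (1 + tax_rate)).quantize(Decimal("0.01"))


def needs_approval(total):
    """Strictly greater than the threshold: exactly 200,000 does not trigger approval."""
    return Decimal(total) > APPROVAL_THRESHOLD


def approval_exceptions(orders):
    """Orders above the threshold with no approver, or approved by their own creator."""
    findings = []
    for po in orders:
        if not needs_approval(po["total"]):
            continue
        if po["approved_by"] is None:
            findings.append((po["doc_no"], "posted without approval"))
        elif po["approved_by"] == po["created_by"]:
            findings.append((po["doc_no"], "approved by its own creator"))
    return findings


def possible_split_orders(orders):
    """Same vendor, date and creator: each order under the threshold, combined over it."""
    groups = defaultdict(list)
    for po in orders:
        if not needs_approval(po["total"]):
            groups[(po["vendor"], po["date"], po["created_by"])].append(po)
    flagged = []
    for group in groups.values():
        combined = sum(Decimal(po["total"]) for po in group)
        if len(group) > 1 and combined > APPROVAL_THRESHOLD:
            flagged.append((sorted(po["doc_no"] for po in group), combined))
    return flagged


if __name__ == "__main__":
    print("Exercise PO total:", document_total(10, "22000"))
    print("Approval exceptions:", approval_exceptions(PURCHASE_ORDERS))
    print("Possible split orders:", possible_split_orders(PURCHASE_ORDERS))
```

Each finding is an exception to follow up with the approver and the source documents, not a conclusion by itself.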


EXERCISE 3: Segregation of duties

Business Process Segregation.

Upon reading the Organization Chart, you found out that Lukas Ibarra is designated as a Sales
Officer, so he should be able to work on the documents that are related to Sales. For
other documents, such as those relating to Purchasing, he should not have authorization to
open them. Test the segregation of duties as defined in the Authorization Table.

a. Log in to the account of manager to view the authorizations made for Lukas Ibarra.
Go to Administration > Choose Company > Change User > User ID: manager then Password:
1234

b. View the authorizations of Lukas Ibarra
Go to Administration > System Initialization > Authorizations > General Authorizations
Choose Lukas. You can see that he has Full Authorization in Sales – A/R but No Authorization
in Purchasing A/P

c. Test the Segregation of Duties by checking if the Authorizations are functioning properly.
- Log in to Lukas’ account
  Go to Administration > Choose Company > Change User > User ID: Lukas then Password: 1234
- Open Sales Order. Since he has authorization for Sales – A/R, he should be able to open it
  Go to Sales – A/R > Sales Order
- Open Purchase Order. Since he has no authorization for Purchasing – A/P, he should not be permitted to open it
  Go to Purchasing – A/P > Purchase Order
  (Note: If Purchase Order and other documents in the Purchasing – A/P module are not visible, click the Form Settings tool in the Toolbar. Then set the documents in the Purchasing A/P as visible.)
- Test the other users further based on their authorizations, following the same procedures

Tests of segregation of incompatible duties are performed in SAP through a series of tests like this.
Data ownership authorization is pre-assigned by the system administrators, who have
super user accounts.
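When there are more than a few users, the authorization table can be compared against the roles in the organization chart in one pass. The sketch below is an added example, not part of the original module; the export layout is constructed, Karla's role as a purchasing user, the Temp01 account, the Banking module entry and the incompatible pair are assumptions made for illustration.

```python
FULL, READ_ONLY, NO_AUTH = "Full Authorization", "Read Only", "No Authorization"
SALES, PURCHASING, BANKING = "Sales – A/R", "Purchasing – A/P", "Banking"

# Expected access per user, derived from the organization chart.
# Lukas is from the exercise; Karla's role here is an assumption.
EXPECTED = {
    "Lukas": {SALES: FULL, PURCHASING: NO_AUTH, BANKING: NO_AUTH},
    "Karla": {SALES: NO_AUTH, PURCHASING: FULL, BANKING: NO_AUTH},
}

# Constructed export of the General Authorizations window.
ACTUAL = {
    "Lukas": {SALES: FULL, PURCHASING: NO_AUTH, BANKING: NO_AUTH},
    "Karla": {SALES: READ_ONLY, PURCHASING: FULL, BANKING: FULL},
    "Temp01": {SALES: FULL},  # account with no approved role
}

# Module pairs one user should not fully control together (assumed policy):
# ordering goods and paying for them.
INCOMPATIBLE = [(PURCHASING, BANKING)]


def policy_deviations(actual, expected):
    """Return (user, module, expected, actual) for every mismatch.

    A module absent from the export is reported, not assumed to be
    'No Authorization', so an incomplete export cannot pass silently.
    """
    findings = []
    for user in sorted(set(actual) | set(expected)):
        if user not in expected:
            findings.append((user, "*", "no approved role", "account exists"))
            continue
        if user not in actual:
            findings.append((user, "*", "account expected", "missing from export"))
            continue
        for module, want in sorted(expected[user].items()):
            got = actual[user].get(module, "missing from export")
            if got != want:
                findings.append((user, module, want, got))
    return findings


def incompatible_access(actual, pairs=INCOMPATIBLE):
    """Users holding Full Authorization on both modules of an incompatible pair."""
    hits = []
    for user, rights in sorted(actual.items()):
        for first, second in pairs:
            if rights.get(first) == FULL and rights.get(second) == FULL:
                hits.append((user, first, second))
    return hits


if __name__ == "__main__":
    for finding in policy_deviations(ACTUAL, EXPECTED):
        print("deviation:", finding)
    for hit in incompatible_access(ACTUAL):
        print("incompatible duties:", hit)
```

The configured table is only half of the test: the log-in checks in step c still confirm that the system enforces what the table says.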


EXERCISE 4: Accounting Records

Identify which documents in SAP Business One can give a simple audit trail.

Log in to Auditor’s account: User Name: Auditor Password: 1234

a. View document trail on marketing documents
- Open a closed A/R Invoice
  Go to Sales – A/R > A/R Invoice > Switch to Find Mode by pressing Ctrl + F > Type 28 on the No. field then press Enter
- On the Remarks Field, you can see the base documents related to the A/R Invoice
- Another way is to view the relationship map. Right click on any blank part of the A/R Invoice then choose relationship map
- You can double click on any document in the relationship map to view the actual document


b. View a list of all transactions posted in SAP Business One or generate transaction log
- Open a document – A/R Invoice for example. Go to Sales – A/R > A/R Invoice
- In the toolbar, click the Transaction Journal tool
- Choose All Transactions in the Original Journal field then set the posting date from 01.01.13 to 12.31.13. This is to show all the transaction journal records for the whole fiscal year 2013 that could be used for analysis


c. Plot SAP Business One to the Accounting Cycle (Still using Auditor’s Account)

Accounting Cycle step: where to find it in SAP Business One

1. Journal
   General Journal: Generate Transaction Journal Report (See Previous Step but change the Original Journal criteria to Journal Entry to view only the manual journal entries made.)
   Special Journals:
   a. Sales Journal: Sales – A/R
   b. Purchases Journal: Purchasing – A/P
   c. Cash/Check Receipts: Banking – Incoming
   d. Cash/Check Disbursements: Banking – Outgoing

2. Ledger
   General Ledger: Financials > Financial Reports > Accounting > General Ledger
   - Uncheck the Business Partner Checkbox then check the Accounts Checkbox to show only General Ledger Accounts
   - Mark ‘X’ the accounts
   - Change the Posting Date range ‘From 01.01.13’ ‘To 12.31.13’
   - Then Click ‘OK’ to show the General Ledger
   Subsidiary Ledger: Financials > Financial Reports > Accounting > General Ledger
   - Check the Business Partner Checkbox then uncheck the Accounts Checkbox to show only Subsidiary Accounts
   - To view a particular SL, change the BP Code ‘From C1100’ and ‘To C1100’
   - Change the Posting Date range ‘From 01.01.13’ ‘To 12.31.13’
   - Then Click ‘OK’ to show the Subsidiary Ledger for this Business Partner
   Trial Balance: Financials > Financial Report > Financial > Trial Balance
   (Note: Do the same process with General Ledger)

3. Adjusting Entries: Financial > Journal Entry > Click Adjustment Box
   (Note: The process given is how to create Adjusting Entries)

4. Financial Statements: Financials > Financial Report > Financial > Profit & Loss or Balance Sheet
   (Note: Just change to desired period then click OK)

5. Closing Entries: Administration > Utilities > Period End Closing

6. Post-Closing Trial Balance: Financials > Financial Report > Financial > Trial Balance > Check Add Closing Balances

7. Reversing Entries: Financials > Journal Entry > Click Reversal Box
   (Note: The process given is how to create Reversing Entries)


EXERCISE 5: General Controls

Experience how to view an actual database in a database management system. SQL Server
Management Studio Express is used here as the example.

1. Open SQL Server Management Studio Express

From your desktop, click the Start button, choose All Programs then navigate to SQL Server
Management Studio Express

Ask your IT personnel for assistance if you cannot find it. It should look like the one below.
On the left side under the Databases folder, you can see a list. For database management
purposes, a new database can be added and an existing database can be deleted. For
internal control purposes, this function should only be given to the database administrator.

2. Perform database backup and store it in another storage device

a. Click Start Button (lower leftmost corner of the screen)

b. Click All Programs > Microsoft SQL Server 2005 > SQL Server Management Studio
Express


c. Click Connect
Note: If connection is unsuccessful, call the attention of your technical support to put in
the correct Server Type and Server Name. Login is sa and fasttracksql.com

d. Click + before the Databases to expand and view all databases > Right Click on the
database that you want to back up > Click Tasks > Click Backup.


e. Click OK when Backup Database window appears. Take note of the default location
of the backup.
Example: (c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Backup\)

f. Retrieve the backup database

Go to Start > Computer > Local Disk (C:) > Program Files > Microsoft SQL Server >
MSSQL.1 > MSSQL > Backup

g. Copy the backup file with an extension file of “.bak” and save it to another storage
device

3. Perform Database Restore

a. Follow steps a, b and c in Number 2
b. Right-click + before the Databases > Click Restore Database and a new Restore
Database window will appear
c. Type in the field ‘To database:’ your new database name (in the example below it is
Sample)
d. Click ‘From device:’ and the button. A new window Specify Backup will appear. Click
Add Button and locate your backup file. Click Ok. Click Ok
e. Click box under Restore. Click OK to execute restoration
f. To check, expand Databases and view the restored database


g. Refresh databases in SAP B1 to view the restored database by double-clicking
the SAP B1 shortcut from your desktop. Click the Change Company button. In the
Choose Company screen, click Refresh


EXERCISE 6: Source Document Controls

- View the list of a particular document to identify if there is any document missing by double checking the numbering of source documents
- Double check if the source documents were used in sequence

1. Open SAP Business One
- On the desktop, double-click SAP Business One
- Click ‘Change Company’, then in the Choose Company window, click RU Laptops, Co.
- Enter the User ID: auditor, Password: 1234

2. See the list of a particular document, i.e. Sales Order
- Go to Sales – A/R > Sales Order
- Switch to Find mode by pressing Ctrl + F
- In the No. field, enter an asterisk symbol (*) then press Enter
- A list of Sales Orders will appear where you can examine the sequence of its numbering
- You can do this test on other documents as well. To test if the sequence of numbering is correct, you can sort the list by date then double check if the numbering is still chronological. Any irregularity will be considered as an exception
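For a long document list, the same sequence test can be run over an exported copy of the list. The sketch below is an added example, not part of the original module; the document numbers and posting dates are constructed, and the two-column export layout is an assumption. It goes slightly beyond the on-screen test by also reporting duplicate numbers.

```python
from collections import Counter
from datetime import date

# Constructed export of (document number, posting date) pairs from a Sales Order list.
SALES_ORDERS = [
    (1, date(2013, 1, 7)),
    (2, date(2013, 1, 9)),
    (3, date(2013, 1, 9)),
    (5, date(2013, 1, 15)),   # number 4 is missing
    (6, date(2013, 1, 12)),   # dated before number 5
    (7, date(2013, 1, 20)),
    (7, date(2013, 1, 21)),   # number 7 appears twice
    (10, date(2013, 2, 1)),   # numbers 8 and 9 are missing
]


def missing_ranges(docs, first=None):
    """Inclusive (start, end) ranges of unused numbers.

    Pass `first` when the numbering series is known to start at a given
    number, so that a gap before the first listed document is reported too.
    """
    numbers = sorted({number for number, _ in docs})
    if not numbers:
        return []
    gaps = []
    if first is not None and numbers[0] > first:
        gaps.append((first, numbers[0] - 1))
    for lower, upper in zip(numbers, numbers[1:]):
        if upper - lower > 1:
            gaps.append((lower + 1, upper - 1))
    return gaps


def duplicate_numbers(docs):
    """Document numbers that occur more than once."""
    counts = Counter(number for number, _ in docs)
    return sorted(number for number, count in counts.items() if count > 1)


def out_of_sequence(docs):
    """Sort by date, as the exercise suggests, and flag numbers that go backwards.

    Returns (number, posting date, higher number already seen on an earlier date).
    """
    flagged = []
    highest = None
    for number, posted in sorted(docs, key=lambda doc: (doc[1], doc[0])):
        if highest is not None and number < highest:
            flagged.append((number, posted, highest))
        else:
            highest = number
    return flagged


if __name__ == "__main__":
    print("Missing numbers:", missing_ranges(SALES_ORDERS))
    print("Duplicate numbers:", duplicate_numbers(SALES_ORDERS))
    for number, posted, earlier in out_of_sequence(SALES_ORDERS):
        print(f"No. {number} dated {posted} follows No. {earlier} in date order")
```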


EXERCISE 7: Data Coding Controls

1. View the list of Business Partners and examine if the codes used were according to the adopted BP
Codes of the Company
- Go to Business Partners > Business Partner Master Data
- Change the BP Type to Customers
- Type an asterisk symbol (*) in the code field then press Enter. The list of Business Partners will appear
- What is the coding control for Customers BP? Any irregularity will be considered as an exception
- Do the same process for Vendors BP


EXERCISE 8: Field Integration

a. Missing Data Checks. Test if marketing documents in SAP Business One have this control. (Note:
Use Lukas user account)
- Open a Sales Order
  Go to Sales – A/R > Sales Order
- Insert the following Information in the Sales Order:
  Customer: C1100
  Name: Jacob Electronics
  Item No.: D1000
  Unit Price: PhP 32,000
- Click Add. SAP Business One should flag an error message due to missing delivery date
- Cancel the Sales Order. You can test other documents for this control

b. Numeric-alphabetic Data Checks. Test if marketing documents in SAP Business One have this
control
- Open a Sales Order
  Go to Sales – A/R > Sales Order
- Insert the following Information in the Sales Order:
  Customer: C1100
  Name: Jacob Electronics
  Item No.: A1000
  Delivery date: Current System date
  Quantity: ABC
- Click Add. SAP Business One should flag an error message due to invalid monetary value
- Cancel the Sales Order. You can test other documents for this control


c. Limit Checks. Test if creating a User Account in SAP Business One has this control
- Log in to the account of manager to see the User Setup window.
  Go to Administration > Choose Company > Change User > User ID: manager then Password: 1234
- Go to Administration > Setup > General > Users. Users – Setup window will appear. Make sure you are in Add mode
- Insert in the User Code field the word ‘Administrator’. SAP Business One will flag an error message because the character limit is exceeded
- Cancel the Users – Setup


d. Validity Checks. Test if Business Partner Master Data has this control. (Use Auditor’s Account)
- Go to Business Partners > Business Partner Master Data. Make sure you are in Find mode (i.e. Ctrl + F)
- In the BP Code field, type ‘L1000’ then press Enter. SAP Business One should flag an error message due to no matching records
- Cancel the Business Partner Master Data. You can try this control on other documents with known values
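The four checks in this exercise (missing data, numeric-alphabetic, limit and validity) are the kind of edit checks an application runs before it accepts input. The sketch below is an added example showing how such checks behave on the exercise's test inputs; it is not SAP Business One code. The 8-character user code limit, the quantity of 1 in case (a), the sample delivery date and the error wording are assumptions.

```python
from decimal import Decimal, InvalidOperation

KNOWN_BP_CODES = {"C1100", "V1000"}          # business partners named in the exercises
KNOWN_ITEMS = {"S1000", "D1000", "A1000"}    # items named in the exercises
REQUIRED_FIELDS = ("customer", "item_no", "quantity", "delivery_date")
MAX_USER_CODE_LEN = 8                        # assumed limit; the module does not state it


def is_blank(value):
    return value is None or str(value).strip() == ""


def check_sales_order(order):
    """Run missing data, numeric-alphabetic and validity checks on one order."""
    errors = []
    for field in REQUIRED_FIELDS:                       # missing data check
        if is_blank(order.get(field)):
            errors.append(f"missing data: {field}")
    quantity = order.get("quantity")
    if not is_blank(quantity):                          # numeric-alphabetic check
        try:
            value = Decimal(str(quantity).strip())
        except InvalidOperation:
            errors.append("not numeric: quantity")
        else:
            # Decimal also parses 'NaN' and 'Infinity'; reject those and non-positive values.
            if not value.is_finite() or value <= 0:
                errors.append("out of range: quantity")
    for field, known in (("customer", KNOWN_BP_CODES), ("item_no", KNOWN_ITEMS)):
        code = order.get(field)                         # validity check
        if not is_blank(code) and code not in known:
            errors.append(f"no matching record: {field}={code}")
    return errors


def check_user_code(code):
    """Limit check on the length of a new user code."""
    if is_blank(code):
        return ["missing data: user code"]
    if len(code) > MAX_USER_CODE_LEN:
        return [f"exceeds {MAX_USER_CODE_LEN} characters: user code"]
    return []


def check_bp_code(code):
    """Validity check of a business partner code against master data."""
    return [] if code in KNOWN_BP_CODES else [f"no matching record: {code}"]


# The exercise's test inputs (quantity in case a and the date in case b are constructed).
CASE_A = {"customer": "C1100", "item_no": "D1000", "unit_price": "32000",
          "quantity": "1", "delivery_date": ""}
CASE_B = {"customer": "C1100", "item_no": "A1000", "quantity": "ABC",
          "delivery_date": "2013-06-01"}

if __name__ == "__main__":
    print("a.", check_sales_order(CASE_A))
    print("b.", check_sales_order(CASE_B))
    print("c.", check_user_code("Administrator"))
    print("d.", check_bp_code("L1000"))
```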


EXERCISE 9: Audit Trail Controls

View some techniques used to preserve audit trails in SAP Business One.

a. Transaction Logs
Every transaction successfully processed by the system should be recorded on a transaction
log, which serves as a journal

View a list of all transactions posted in SAP Business One or generate transaction log
- Open a document – A/R Invoice for example. Go to Sales – A/R > A/R Invoice
- In the toolbar, click the Transaction Journal tool
- Choose All Transactions in the Original Journal field then set the posting date from 01.01.13 to 12.31.13. This is to show all the transaction journal records for the whole fiscal year 2013 that could be used for analysis.

b. Listing of Automatic Transactions
Some transactions are triggered internally by the system. To maintain control over
automatic transactions processed by the system, the responsible end user should
receive a detailed listing of all internally generated transactions.

c. Unique Transaction Identifiers
Each transaction processed by the system must be uniquely identified with a transaction
number. This is the only practical means of tracing a particular transaction through a
database of thousands or even millions of records.

View examples of unique identifiers in SAP Business One.


a. View automatic journal entry created
- Open a closed A/R Invoice
  Go to Sales – A/R > A/R Invoice > Switch to Find Mode by pressing Ctrl + F > Type 28 on the No. field then press Enter
- Click the Accounting Tab then click the Journal Remark link arrow. This will open up the automatic journal entry created by SAP Business One for this transaction

b. Take note of the unique identifiers in the A/R Invoice Transaction
- Take note of the Origin field. The original transaction is navigated when the arrow is clicked. These are just some of the originating transactions:
  IN - AR Invoice
  RC - Incoming Payments
  PU - AP Invoice
  PD - Goods Receipt PO
  PS - Outgoing Payments

If the entry is entered manually, origin is JE
