Question

Information Produced by the Entity

Example 3 – Audit procedures to address audit risks related to IPE from a transaction process

Complete the following table, indicating the audit procedure that would be performed to address the identified risk.

Risk 1: The IT application is not processing data correctly (incomplete or inaccurate). Information about ABC’s shipments is input manually into the IT application by the shipping clerk. The risk is that the shipping clerk mistypes the quantity shipped.

Audit procedure to address the risk:

Risk 2: The IT application is not collecting data correctly for output (incomplete or inaccurate). The auditor obtains from the accounts receivable clerk an aged customer list of unpaid amounts. The risks include that the data extracted includes paid invoices, does not include all unpaid invoices (e.g., excludes the unpaid invoices for one line of business) or includes all unpaid invoices but excludes unmatched credit notes.

Audit procedure to address the risk:

Risk 3: The IT application is not computing or categorizing data correctly for output (inaccurate). The auditor obtains from the accounts receivable clerk an aged customer list of unpaid amounts. The risk includes that the invoices may be aged differently than expected or the aging columns may not be totaled accurately (e.g., the aging column content may be different than expected because the user expects aging of the invoice date but the IT application ages according to the due date, or the user expects the total to be the sum of the numbers in the column but the IT application obtains the total number from a summary data table rather than creating the sum of the details displayed).

Audit procedure to address the risk:

Risk 4: The output from the IT application into the EUC tool is modified or lost in the transfer to the tool (incomplete or inaccurate). The auditor obtains from the accounts receivable clerk an aged customer list of unpaid amounts that was exported from the accounts payable application into Excel. The risk is that the data did not transfer correctly, including such issues as larger numbers being truncated when exported or lines of information being dropped in the transfer.

Audit procedure to address the risk:

Risk 5: The output from the IT application into the EUC tool or the output from the EUC tool is incomplete (data is missing) or inaccurate (data has been added, changed, computed or categorized incorrectly). The auditor obtains from the accounts receivable clerk an aged customer list of unpaid amounts that was exported from the accounts payable application into Excel. The risk is that fictitious unpaid invoices are inserted into the spreadsheet or formulas intended to calculate a provision for old, unpaid amounts are incorrect.

Audit procedure to address the risk:

Information Produced by the Entity (IPE)

Example 4 – Examples of IPE from an IT process

Complete the following table, indicating whether the item is an example of IPE from an IT process and explain why or why not.

Item	IPE?	Why or why not?
An Excel log of actions by programmers who have access to production programs that comprise IT applications
An email exchange evidencing approval for a program change
A report of IT system settings of a particular financial reporting system
A listing of all program changes made during a given period of the year, from which the auditor plans to select a sample for testing

Information Produced by the Entity

Example 5 – Audit risks associated with IPE from an IT process

Complete the following table, indicating which risk (by number and description) is associated with each processing error.

Processing error	Risk number	Risk description
The quarterly user access review is initiated by the business analyst, who generates a report from the IT application and exports it into Excel. The Excel spreadsheet then separates the listing into five different reports based on the user’s business unit (BU). In categorizing the user by BU, Excel excludes all new employees from the listing and, thus, those individuals are not subject to the review by the respective BU director.
You have requested a system-generated listing of PeopleSoft users with a create date from 1/1/2XX2 through 6/30/2XX2. The company runs a report, but mistakenly inputs the end date as 6/1/2XX2.
You have requested a system-generated listing of production directories and files for a UNIX server that supports an in-scope application. The client exports the results of the query to an Excel file. The client uses Excel 2003 and, because there is a limit of 65,000 rows, all remaining rows are dropped in the transfer process.

Answer 1

Risk 1: The IT application is not processing data correctly (incomplete or inaccurate). Information about ABC’s shipments is input manually into the IT application by the shipping clerk. The risk is that the shipping clerk mistypes the quantity shipped.

Audit procedure to address the risk: Verify if there is any record maintained immediately after the shipment is ready with the details of shipment to be dispatched. Cross verify that register with the Issue register maintained by the shipping clerk. Verify the sales orders to be serviced in a particular month to get an estimate of quantity to be shipped. Cross verify the quantity in sales orders and quantity in Issue registers. Note cases of difference in quantities but the sales order has been closed. If the sales order is short closed, there are no issues. If it is not short closed, then it gives the picture of errors made by shipping clerk in recording the details.

Risk 2: The IT application is not collecting data correctly for output (incomplete or inaccurate). The auditor obtains from the accounts receivable clerk an aged customer list of unpaid amounts. The risks include that the data extracted includes paid invoices, does not include all unpaid invoices (e.g., excludes the unpaid invoices for one line of business) or includes all unpaid invoices but excludes unmatched credit notes.

Audit procedure to address the risk: Obtain Balance Confirmations from the customers and cross verify the same with the outstanding balances in the client’s records. Note any differences, and request for a detailed ledger from the client. Reconcile the company’s details with the customers’ details. In that way, any errors in recording the receivables can be found out.

Risk 3: The IT application is not computing or categorizing data correctly for output (inaccurate). The auditor obtains from the accounts receivable clerk an aged customer list of unpaid amounts. The risk includes that the invoices may be aged differently than expected or the aging columns may not be totaled accurately (e.g., the aging column content may be different than expected because the user expects aging of the invoice date but the IT application ages according to the due date, or the user expects the total to be the sum of the numbers in the column but the IT application obtains the total number from a summary data table rather than creating the sum of the details displayed).

Audit procedure to address the risk: Audit procedure of ‘Recalculation’ can be used in this scenario. The auditor can obtain the details of accounts receivables and perform ageing analysis of the same.

Risk 4: The output from the IT application into the EUC tool is modified or lost in the transfer to the tool (incomplete or inaccurate). The auditor obtains from the accounts receivable clerk an aged customer list of unpaid amounts that was exported from the accounts payable application into Excel. The risk is that the data did not transfer correctly, including such issues as larger numbers being truncated when exported or lines of information being dropped in the transfer.

Audit procedure to address the risk: After export from the application to excel, cross verify the total number of line items, quantities and total amounts. Through this, the auditor can find if any data is exported incorrectly.

Risk 5: The output from the IT application into the EUC tool or the output from the EUC tool is incomplete (data is missing) or inaccurate (data has been added, changed, computed or categorized incorrectly). The auditor obtains from the accounts receivable clerk an aged customer list of unpaid amounts that was exported from the accounts payable application into Excel. The risk is that fictitious unpaid invoices are inserted into the spreadsheet or formulas intended to calculate a provision for old, unpaid amounts are incorrect.

Audit procedure to address the risk: The auditor can obtain balance confirmations from the parties and cross check the balances to find out if there are any fictitious payments. Provision calculations can be re-performed to identify any errors.

Information Produced by the Entity (IPE)

Example 4 – Examples of IPE from an IT process

Complete the following table, indicating whether the item is an example of IPE from an IT process and explain why or why not.

Item	IPE?	Why or why not?
An Excel log of actions by programmers who have access to production programs that comprise IT applications	Yes	This log of actions helps the auditor in identifying any changes made in the programs. It serves as an evidence to the fact that changes have or have not been made to the programs. It helps, identify the changes, and further, obtaining the details of reviews and approvals for those changes.
An email exchange evidencing approval for a program change	Yes	An email between the authorized personnel as per the Authority matrix serves as an evidence for approvals through mails.
A report of IT system settings of a particular financial reporting system	Yes	It serves as an evidence for all the system settings. For example, if there are an approval processes embedded in the system, this report serves as an evidence of implementation of Authority matrix in the system.
A listing of all program changes made during a given period of the year, from which the auditor plans to select a sample for testing	Yes	This log of actions helps the auditor in identifying any changes made in the programs. It serves as an evidence to the fact that changes have or have not been made to the programs. It helps, identify the changes, and further, obtaining the details of reviews and approvals for those changes.

Information Produced by the Entity

Example 5 – Audit risks associated with IPE from an IT process

Complete the following table, indicating which risk (by number and description) is associated with each processing error.

Processing error	Risk number	Risk description
The quarterly user access review is initiated by the business analyst, who generates a report from the IT application and exports it into Excel. The Excel spreadsheet then separates the listing into five different reports based on the user’s business unit (BU). In categorizing the user by BU, Excel excludes all new employees from the listing and, thus, those individuals are not subject to the review by the respective BU director.	Risk 5	The output from the IT application into the EUC tool or the output from the EUC tool is incomplete (data is missing) or inaccurate (data has been added, changed, computed or categorized incorrectly).
You have requested a system-generated listing of PeopleSoft users with a create date from 1/1/2XX2 through 6/30/2XX2. The company runs a report, but mistakenly inputs the end date as 6/1/2XX2.	Risk 1	The IT application is not processing data correctly (incomplete or inaccurate).
You have requested a system-generated listing of production directories and files for a UNIX server that supports an in-scope application. The client exports the results of the query to an Excel file. The client uses Excel 2003 and, because there is a limit of 65,000 rows, all remaining rows are dropped in the transfer process.	Risk 4	The output from the IT application into the EUC tool is modified or lost in the transfer to the tool (incomplete or inaccurate