10. IT audit working papers
7. Working papers:
“Records kept by the auditor of:
the audit procedures followed,
the tests performed,
the information (audit evidence) obtained, and
the conclusions reached
in connection with the audit.”
8. Purpose of working papers:
a. for planning,
b. record of evidence accumulated and the results of tests,
c. determine the type of opinion,
d. for review/supervision
Ownership of working papers:
Audit working papers (KKA) are the property of the auditor (ed.: in the context of an audit
by a public accounting firm, KAP), with due regard to the confidentiality of the working papers.
Confidentiality of working papers:
Auditor shall not disclose any confidential information, except with the
consent of the client (or as required by law).
CISA Review: The auditee may not see the auditor's working papers.
IIA: The internal auditor (external auditor) may make use of the working papers of the
external auditor (internal auditor) for efficiency purposes, taking
legal and confidentiality aspects into account.
9. Ownership of Engagement Documentation
Unless otherwise specified by law or regulation, engagement
documentation is the property of the firm.
The firm may, at its discretion, make portions of, or extracts from,
engagement documentation available to clients, provided such
disclosure does not undermine the validity of the work performed,
or, in the case of assurance engagements, the independence of the
firm or its personnel.
10. Practice Advisories 2330:
a. WPs are the property of the organization (ed.: the organization in which IA sits).
b. CAE must control access to WPs.
c. The CAE decides whether to grant external parties access to WPs, after consulting
with SM and/or the Legal department, except for criminal proceedings.
d. Based on SOPs, the Board and Mgt may access WPs.
e. CAE must develop retention requirements for engagement records,
regardless of the medium in which each record is stored. These retention
requirements must be consistent with the organization’s guidelines and
any pertinent regulatory or other requirements.
11. These files are intended to contain data of a historical
or continuing nature pertinent to the current audit.
Audit program
General information
Working trial balance
Adjusting and reclassification entries
Supporting schedules
Source: ARENS...
14. Rather than providing stringent rules, prof standards provide
context and guidance for sound judgment relating to WP.
IPPF specify WP requirements in a variety of sections:
2240 Engagement Work Program
“Internal auditors must develop and document work programs that
achieve the engagement objectives.”
2300 Performing the Engagement
“Internal auditors must identify, analyze, evaluate, and document
sufficient information to achieve the engagement’s objectives.”
2310 Identifying Information
“IAr must identify sufficient, reliable, relevant, and useful
information to achieve the engagement’s objectives.”
See interpretation next:
15. IPPF specify WP requirements in a variety of sections:
2310 Identifying Information
(Interpretation: Sufficient inf: factual, adequate, and convincing so that a
prudent, informed person would reach the same conclusions as the
auditor. Reliable inf: the best attainable inf through the use of appropriate
engagement techniques. Relevant inf: supports engagement observations
and recommendations and is consistent with the obj for the engagement.
Useful information helps the org meet its goals.)
2320 Analysis and Evaluation
“Internal auditors must base conclusions and engagement results
on appropriate analyses and evaluations.”
2330 Documenting Information
“Internal auditors must document relevant information to support
the conclusions and engagement results.”
16. Completeness and Accuracy
“WPs should be complete, accurate, and support observations,
testing, conclusions, and recommendations. They should also show
the nature and scope of the work performed.”
Clarity and Understanding
“WPs should be understandable w/o supplementary oral explanations.
With the inf the WP reveal, a reviewer should be able to readily
determine their purpose, the nature and scope of the work done and
the preparer's conclusions.”
Pertinence
“Inf contained in WPs should be limited to matters that are important
and necessary to support the objectives and scope established for the
assignment.”
Source: Integrating Working Papers with Audit Management: How to shift from ‘common practices’ to
‘best practices’, Codec DSS, Ireland, 2013
17. Logical Arrangement
“Working papers should follow a logical order.”
Minimize Variance
“WPs should be prepared within a consistent approach and execution
framework across the audit and organization.”
Legibility and Neatness
“WPs should be legible and as neat as practical. Sloppy WPs may lose
their worth as evidence.”
Optimize Workflow
“Find ways to create workflows for doc preparation that directly
integrate project mgt mechanisms such as client request list tracking,
sign-offs, supervisor reviews, findings follow-up, time tracking, and
project status reporting directly into a single process.”
Source: Integrating Working Papers with Audit Management: How to shift from ‘common practices’ to
‘best practices’, Codec DSS, Ireland, 2013
18. The content of WP cannot be changed, unless required/ justified.
Whether audit doc is in paper, electronic or other media, the integrity,
accessibility or retrievability of the underlying data may be
compromised if the doc could be altered, added to or deleted w/o the
auditor’s knowledge.
The auditor applies appropriate controls for audit doc to:
(a) Enable the determination of when and by whom audit documentation
was created, changed or reviewed;
(b) Protect the integrity of the inf at all stages of the audit, especially when
the inf is shared within the audit team or transmitted to other parties via
the Internet;
(c) Prevent unauthorized changes to the documentation; and
(d) Allow access to the doc by the audit team and other authorized parties
as necessary to properly discharge their responsibilities.
Source: ISA 230 (Revised) Audit Documentation, 2006
19. Controls that the auditor may apply to maintain the confidentiality,
safe custody, integrity, accessibility and retrievability of audit
documentation include, for example:
The use of a password amongst audit team members to restrict
access to electronic audit doc to authorized users.
Appropriate back-up routines for electronic audit doc at
appropriate stages during the audit.
Procedures for properly distributing audit doc to the team
members at the start of fieldwork, processing it during fieldwork,
and collating it at the end of fieldwork.
Procedures for restricting access to, and enabling proper
distribution and confidential storage of, hardcopy audit doc.
+ Encrypting and compressing data, Activity log.
Source: ISA 230 (Revised) Audit Documentation, 2006
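As an added illustration (not part of the original slides or of ISA 230), the controls for recording when and by whom documentation was created, changed or reviewed, and for detecting changes made without the auditor's knowledge, can be sketched as a keyed, hash-chained activity log. The function names, the key and the sample working-paper text are assumptions constructed for this example.

```python
import hashlib, hmac, json

GENESIS = "0" * 64                 # constructed start value for the chain
KEY = b"constructed-demo-key"      # assumption: a secret held by the audit team

def _mac(key, entry):
    body = json.dumps(entry, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def append_event(log, key, user, action, when, content):
    """Record who did what, when, and the SHA-256 of the working paper."""
    entry = {"user": user, "action": action, "when": when,
             "sha256": hashlib.sha256(content).hexdigest(),
             "prev": log[-1]["mac"] if log else GENESIS}
    entry["mac"] = _mac(key, entry)   # MAC covers all fields set so far
    log.append(entry)

def verify(log, key, current_content):
    """Return (ok, reason): checks the chain, then the current file digest."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if entry["prev"] != prev or not hmac.compare_digest(_mac(key, body), entry["mac"]):
            return False, f"log entry {i} altered or out of sequence"
        prev = entry["mac"]
    if not log or log[-1]["sha256"] != hashlib.sha256(current_content).hexdigest():
        return False, "working paper changed without a log entry"
    return True, "ok"

def demo():
    # Constructed sample working-paper contents and events.
    v1 = b"WP A-1: access control test, 25 samples, no exceptions"
    v2 = v1 + b"; evidence for sample 7 attached"
    log = []
    append_event(log, KEY, "auditor1", "created", "2024-03-01T09:00Z", v1)
    append_event(log, KEY, "auditor1", "changed", "2024-03-02T14:30Z", v2)
    append_event(log, KEY, "supervisor", "reviewed", "2024-03-03T10:00Z", v2)
    results = {"intact": verify(log, KEY, v2),
               "silent_edit": verify(log, KEY, v2 + b" (edited)")}
    log[1]["user"] = "someone_else"          # rewrite the record of who changed it
    results["log_tamper"] = verify(log, KEY, v2)
    return results

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The log only protects integrity if the MAC key is held somewhere the people editing the working papers cannot read it.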
21. Working papers for CAATs (TABK) must be consistent with the working papers for
the audit as a whole.
It is preferable for the technical working papers relating to the use of
CAATs to be kept separate from the other audit working papers.
22. Working papers must contain adequate documentation
describing the application of CAATs, such as:
Planning
Objectives of the CAATs
The CAATs used.
The controls exercised.
Staff involved, timing of application, and cost.
23. Working papers must contain adequate documentation
describing the application of CAATs, such as:
Execution
CAAT preparation and testing procedures and controls.
Details of the tests performed with CAATs.
Details of input, processing, and output.
Relevant technical information about the entity's accounting system,
such as file layout or file description or record definition.
Information about the operating system used.
Information about the type, size and storage media used.
Information about the file duplication system.
24. Audit evidence
The output (from the client) that is available.
A description of the audit work performed on the output.
Audit conclusions.
Other
Recommendations to the entity's management.
In addition, the auditor may document suggestions for the use of
CAATs in the following year.
26. The permanent audit file normally includes:
The organisation structure of the entity.
The IS policies of the organisation.
The historical background of the information system in the
organisation.
Extracts of copies of important legal documents relevant to audit.
A record of the study and evaluation of the internal controls related
to the information system.
Copies of audit reports and observations of earlier years.
Copies of management letters issued by the auditor, if any.
Source: Board of Studies, the Institute of Chartered Accountants of India, Information Systems
Control and Audit, Year ?.
27. The current file normally includes:
Correspondence relating to the acceptance of appointment and the
scope of the work.
Evidence of the audit planning process and the audit programme.
A record of the nature, timing, and extent of auditing procedures
performed, and the results of such procedures.
Copy of letter and note concerning audit matter communicated to
or discussed w/ client, include material weaknesses in relevant IC.
Letters of representation and confirmation received from the client.
Conclusions reached by the auditor concerning significant aspects
of the audit, including their follow-up.
Copies on the data and system being reported on and the related
audit reports.
Source: Board of Studies, the Institute of Chartered Accountants of India, Information Systems
Control and Audit, Year ?.
30. PLANNING AND PERFORMANCE
2.1 Documentation Contents
2.1.1 IS audit doc is the record of the audit work performed and the
audit evidence supporting the IS auditor’s findings, conclusions and
recommendations. Audit doc should be complete, clear, structured,
indexed, and easy to use and understand by the reviewer.
Potential uses of doc include, but are not limited to:
Demo the extent to which IS auditor has complied w/ IS Auditing Standard
Demo audit performance to meet requirements as per the audit charter.
Assistance with planning, performance and review of audits.
Facilitation of third-party reviews.
Evaluation of the IS auditing function’s QA programme.
Support in circumstances: claim, fraud case, dispute and lawsuit.
Assistance with professional development of staff.
31. PLANNING AND PERFORMANCE
2.1.2 Documentation should include, at a minimum, a record of:
Review of previous audit documentation
The planning and preparation of the audit scope and obj. IS auditors must
have an understanding of the industry, business domain, business
process, product, vendor support and overall environment under review.
Minutes of management review meetings, audit committee meetings and
other audit-related meetings.
The audit programme and procedures that will satisfy the audit objs.
The audit steps performed and audit evidence gathered to evaluate the
strengths and weakness of controls.
The audit findings, conclusions and recommendations.
Any report issued as a result of the audit work.
Supervisory review.
32. PLANNING AND PERFORMANCE
2.1.3 The extent of the IS auditor’s documentation depends on the
needs for a particular audit and should include such things as:
The IS auditor’s understanding of areas to be audited and its environment
The IS auditor’s understanding of the information processing systems
and the internal control environment including the:
- Control environment
- Control procedures
- Detection risk assessment
- Control risk assessment
- Equate total risk
The author and source of the audit doc and the date of its completion
Methods used to assess adequacy of control, existence of control
weakness or lack of controls, and identify compensating controls.
33. PLANNING AND PERFORMANCE
2.1.3 The extent of the IS auditor’s documentation depends on the
needs for a particular audit and should include such things as:
Audit evidence, the source of the audit documentation and the date of
completion, including:
- Compliance tests, which are based on test policies, procedures and
segregation duties
- Substantive tests, which are based on analytic procedures, detailed
test accounts balances and other substantive audit procedures
Acknowledgement from appropriate person of receipt of audit report and
findings
Auditee’s response to recommendations
Version control, especially where documentation is in electronic media.
34. PLANNING AND PERFORMANCE
2.1.4 Documentation should include appropriate information required
by law, government regulations or applicable professional standards.
2.1.5 Documentation should be submitted to the audit committee for
its review and approval.
35. DOCUMENTATION
3.1 Custody, Retention and Retrieval
3.1.1 Policies and procedures should be in effect to verify and ensure
appropriate custody and retention of the documentation that supports
audit findings and conclusions for a period sufficient to satisfy legal,
professional and organisational requirements.
3.1.2 Documentation should be organised, stored and secured in a
manner appropriate for the media on which it is retained and should
continue to be readily retrievable for a time sufficient to satisfy the
policies and procedures defined above.