Sub-theme II: How do auditors examine and test the audited body's financial data information system?
1. What aspects of the computer systems of audited bodies do auditors check?
(1) Background
The audit work conducted by the Bundesrechnungshof concerns two types of payment procedures:
1. The centralised budgetary, cash management and accounting IT system (known by its German abbreviation as HKR system) of the Federal Ministry of Finance and
2. the preliminary financial management procedures which comprise functions that are not covered by the centralised budgetary, cash management and accounting IT system.
Federal budget managers use these procedures notably to
- compute and determine payments,
- establish vouchers justifying payment,
- establish payment orders or to
- transfer payments.
The IT procedures are designed to help budget managers compute fees and complete on-line forms. These procedures are used to furnish data to the federal cash offices, which are entered into the centralised budgetary, cash management and accounting IT system and eventually lead to payments or receipts.
(2) Cash security arrangements
Compared to traditional non-IT procedures, IT procedures require changes in the allocation of responsibilities for certifying the accuracy of amounts receivable or payable and for ordering payments, as precisely defined in the cash security provisions laid down in the Federal Budget Code.
Data are no longer forwarded on paper forms but on data media such as magnetic tapes, cassette tapes and diskettes, or are passed on via remote data transmission. Since these data can be altered without leaving any trace, data security measures need to be taken. In addition, the data transmitted to the federal cash offices on-line or via data media need to be in a format (overall payment order, data records) that the cash offices are able to process, and need to be stored to ensure visibility for the purposes of external auditing.
(3) Cash security criteria
The procedures used need to meet the basic requirements of procedural and cash security. These include above all:
- security:
  - delimitation and allocation of responsibilities,
  - review of each financial management action by a second official,
  - certification and ordering of payments,
  - unchangeability of payments determined or ordered.
- processability:
  - compliance with requirements of form,
  - use of standardised prints,
  - format of data files.
- auditability:
  - availability and storage of records for audit purposes,
  - unambiguous matching of auditable records to the payments made,
  - visibility and documentation of individual areas of responsibility.
(4) Information on which the Bundesrechnungshof can base its audit work
Until two years ago, IT assisted financial management procedures had to be submitted for approval to the Federal Ministry of Finance in conjunction with the Bundesrechnungshof. This obligation has been replaced by a mere notification procedure to encourage decentralised financial management and responsibilities.
However, to keep the Bundesrechnungshof informed of the various IT assisted procedures used, budget managers need to inform the Federal Ministry of Finance and the Bundesrechnungshof of any
- IT procedures proposed for operation at the federal departments and agencies level but also at federal state and local government level and of
- the inception of operation of any such new procedures.
The notification of when actual operation starts is a declaration stating i.a. that the minimum requirements applicable to IT assisted financial management procedures will be complied with.
In addition, specified organisational frameworks need to be observed, such as
- technical and procedural programme structure,
- compliance with the review function under which each payment action needs to be verified by a second official,
- carrying out sample checks.
(5) Audit criteria
When auditing IT assisted payment procedures, the Bundesrechnungshof verifies whether and to what extent the general criteria listed under (4) have been fulfilled, focusing audit work especially on:
Data generation
Data entry
Data processing
Data review by the body responsible
Decentralised data processing
Data transmission to a data processing centre
Originality of documents
Storage of soft copy and hard copy
Data privacy
Access authorisations
Data security software
Logging of changes
Separation of programme development and production
2. What legal basis, standards or guidelines do auditors follow in testing the computer systems?
The administrative guidance on section 79 para 4 and section 34 of the Federal Budget Code lays down the basic requirements to be met by the security framework for data processing as part of IT assisted financial management procedures.
It includes regulations, for example, on
- procedural organisation with a view to
  - the review of any payment procedure by a second official and
  - sample checking, as well as
- requirements for data entry, data processing, data privacy and
- the development of procedures.
Audit Unit VII 2 does not comment on the following issues of sub-theme II:
2. What software package or tools do auditors use in testing the computer systems of audited bodies;
3. What approach and methods do auditors adopt in testing the computer systems;
4. If auditors have discovered problems of accuracy, security and applicability in the audited computer systems, how do auditors prepare working papers and collect evidence.