参考说明分析complex system self assessment checklist

byJackyWKLionInvolvementofRiskandControlAssurance/RiskAssurance(RCA/RA)isencouragedinanyaudittohelpidentifyandconsiderrisksposedbytheentity'suseofinformationtechnologyintheauditnandtoassist,asneeded,intheunderstandingandevaluationofinternalcontrolsrelevanttotheaudit.WhilethenatureandextentofRCA/RA'sinvolvementvariesbyengagement,innninganauditthatincludestheinvolvementofRCA/RAspecialists,theengagementleaderandtheengagementRCA/RAleaderagreeon,amongstotherthings,thetestingnandresourceallocationforassessingITgeneralcontrols,automatedcontrolsandautomatedaccountingproceduresandsystemgenerateddataandreports.Thenature,timingandextentofRCA/RA nel’sinvolvementmaydependonanumberoffactors,includingthecomplexityofa ’sinformationsystemsandcontrols.Toassistwiththeengagementteam'sassessmentofwhetherasystemiscomplexornot,anoverallauditengagementcategorisationexerciseshouldbeconductedatleastannually.Thisformwillassistyoutodothiswiththeexceptionofnon-PIEengagementwhereaFULLYsubstantiveauditisbeingundertakeninwhichcasenocategorisationisrequired.Ingeneral,thecomplexityofasystemdependsontheextentandtypeofcomputerprocessing.ThedecisiononwhetherornotthesystemiscomplexismadejointlybytheengagementRCA/RAleaderandtheengagementleader.Ordinarily,complexsystemsarethosethatprocesstransactionsorperformcalculationsthatareeitherimpossibleorimpracticabletoreperformmanually.Indicatorsofacomplexsysteminclude: However,circumstancescanchangerapidlyatour sandtheengagementleadershouldconsultwithRCA/RApartner/directorifinanydoubt.Itisexpectedthatthisquestionnairewillbecompletedbycoreassuranceteams,withprovidedbyRCA/RA.AdditionalguidanceisprovidedasanappendixtothisForthoseauditengagementsforwhichacategorisationhasnotpreviouslybeencompletedengagementleadersshouldcompletetheselfassessmentquestionnaires(withtheexceptionofnon-PIEengagementswhereaFULLYsubstantiveauditisbeingundertakeninwhichcasenocategorisationisrequired).Insubsequentyears,inordertoassesstheappropriatenessofapplyingtheexistingcategorisation,anannualself-reassessmentprocessisrequiredforeachengagementwherebytheengagementleaderisrequiredtoconfirmwhethertheyaresatisfiedwiththepreviouslydeterminedcategorisationorwhether,duetosignificantchangesinthe'sITsystemsand/orcontrolenvironmentorchangestothe 'sbusiness(seebelowA2note),achangeincategorisationisnecessary.鼓鼓鼓鼓鼓鼓鼓鼓鼓鼓鼓鼓鼓/鼓鼓鼓鼓鼓风（RCA/RA）在在在在在在在在在在在，以在鼓以在在在划划划划划划划划划划划划划划划划划划划划划在鼓鼓，并并并并并并划鼓并划并并在在在并并在鼓鼓鼓鼓。虽虽RCA/A在在参参在在在参参划参参参划参参，但在鼓但在在在划划（其在其其RCA/RA专专在在在），在在项项项划RCA/RA项项并并在以负负负负负负负，其其在划划划划负般鼓鼓、自自鼓鼓、自自自在参自以鼓自自在自并划自自自自并并划在自自自自。RCA/RA项人在在在在参参、划时划参参时时负时时时时划时，其其划划划鼓鼓在参参。为划划在在为并并为为，应应应参应自自负应应应在在在在自应。此此时划划在在为此自此在成成,（应此应应划应参参在在在应应应应应应应在在应应，此应在在在参并此自自应）负般一一负，负参为为负时时在一一一鼓在参参划应一。为为应系在在在在在RCA/RA项项项划在在项项参时但。通通一一负， 一鼓在复复复复自在复一复复系项成复复复自复复复复自参时自。负参在其一以负一一：其一在自自包在一（如如如在在一）一鼓企处复复在（例如，银自划银银划鼓为为为应应（例如，跨跨复为）一鼓划在划划划划复复（例如例例一、例但为，在一一时时客客企客，在在项项项如参在在项项应项RCA/A合合项/总总自自总总。这这项这应在RCA/A在划划负，系由由在在由由此自。此项这此此供供此此例在此此。包时对对系对对尚此自自应在在在在在，在在项项项应此自自项并并项这（应此应应划应参参在在在应应应应应应应在在应应，此应在在在参并此自自成成自应）。在此在在时时应在，为并并为参自应在为为参，参参在在每并并自自应参自项复复并并。在复复并并在，在在项项项项项但其为为项时以对项但在自应，复系时在划划划划划/复鼓鼓或或复划鼓（见A2注并）企自发发企客，为为参是并包自应成是企企。例地：Entity:应应：SWEETT)在在项SWEETT)LIMITED-2014Auditfortheperiod划在在在所时在所所所所*例自划：Division/鼓风/为Expecteddateforkick-off预在在在预自自预预企所Expectedstartof预在应预成成在在审审所所Charge在在项在在项项项MabelManagerIn在在为JackyRCA/RARCA/RAJackyKennyLCA1A1Hasacomplexsystemquestionnairebeencompletedforthisengagementinthisdatabaseinthepast? PartAGeneralQuestionA鼓自–负般项一A2Whereaninitialself-assessmentquestionswascompletedforthisengagementinthepast,theengagementleaderisrequiredtoconfirmthathe/sheissatisfiedthattheexistingappliedcategorisationiscorrectgivingconsiderationtoanychangesinthe ’sITsystemsand/orcontrolenvironmentsorchangestothe ’sbusiness(seenotebelow).Wheresignificantchangesareidentified,theteamshouldcontinuetocompletePartB&Cagainandrevisitthecategorisation上，项项为参自应在确项参（见负见注见）。如企为此复企客此，在在为应组组此自B&C鼓自，并供应项项并应自应在确项参。Note注-InansweringA2,engagementteamshouldconsiderthefollowingexamplesthatmayindicatethatIsthereanychangeinthe ’sITsystemand/orcontrolenvironments?Exampleswouldinclude:-ThereisanewlyimplementedorrevisedITsystemwhichisrelatedtofinancialreporting;Thereismoveofdatacentrewithinoroutside Establishmentofnewchannelsorsharedservice/outsourcingtypearrangements;Isthereanychangetothe ’sbusinessoperationswhichmayaffectcategorisation?Exampleswould Anychangesinregulatoryrequirementswhichmayimpactthe’soperationorreportingAnymerger&acquisitionsordisposals;Anychangesinlistingstatus;在在在A2划，在在为应划划以负时时此项并自自复复自在划划划划划/复鼓鼓或或为为企自此在在客此？例如：-复应划此复企企此在在新鼓自自并并在划划划划；自并在由在鼓鼓数数复数数数应鼓；等在为为客自为为企自此时时客客自应在客此自在客客企自总鼓并此企自在客此时时客客在复为复自自并此；PartPartBInitialSelf-AssessmentB鼓自–如预自项并并B1Systems AreITsystemsusedtosupportanyofthebusinessareascoveredour为为划划在在划划划划是是是是在项是在在在在在在划鼓是是？GuidanceforQuestionWhileallareasofa ’sfinancialoperationsarepotentiallyincludedinthescopeofanannualfinancialstatementorintegratedaudit,thereareusuallykeybusinesscycles/areasthatarecriticalauditareasforus,forexample,financialreporting,revenueandreceivableandpurchasesandpayables,etc.AuditGuide5034requiresustomapourFinancialStatementLineItems(FSLIs)tobusinessprocessesandmanagementunits,ITapplicationsandthesignificantsub-processes/transactionsrelevanttofinancialreportingwherethereisnnedrelianceonthemanagementIftheanswertothisquestionisyes,prepareaFSLImaptothekeyITsystemsandkeybusinessprocessestheysupportandincludeacopyofthisinthe“UnderstandandevaluatethedesignandimplementationofITGCs”EGAoftheAurafile. shouldbeusedifassistanceisrequiredinunderstandingthekeyITsystemandbusinessprocesses.尽管一个年度审计（财务报表或整合审计）的范围可能涵盖客户所有的财务运营领域，但通常那些关键环节/领域才是对我们审计具有重要影响的领域，例如，财务报告、收入和应收、采购和应付等领域。根据审计指南5034的要求，对于拟信赖的管理层信息，项目组应将财务报表项目如果对这个问题的回答是“是”，请编制一份财务报表项目与关键信息技术系统及其支撑的关键业务流程之间的对应表，并将该对应表附件加入Aua文档的“了解和评估一般控制的设计和应用”步骤中。如果需要协助以了解重要的信息系统和业务流程，那么就应让RA/A小组参与。1.21.2Doanyofsystemsnotedin1.1aboveinvolvecomplex 为为中 在自自包在一GuidanceforQuestionA’ssystemsmayinvolveautomatedcomplexcalculations,calculationofinsurancecalculationofinterestcalculationofstockcostsusingweightedaveragevaluationcalculationofcostprovisionsbasedoncomplexSubquestion(s)forHoweasilycantheauditorverifythesecalculations客户系统可能会涉及复杂的自动化计算，例如使用平均估值法对存货成本的计算按多重定价/关税方案进行的计算1.31.3Isrelyingonoldertechnologythatisnosupportedby 为为客客供应供参供供供供供为为客客供应供参供供供供供/GuidanceforQuestionTechnologychangesallthetimeandmustbecontinuouslyandsupportedifitistoremainIfthesystemisnotastandardofftheshelvepackage,isthereacurrentservicecontractorservicelevelagreementbetweentheandvendor?Howarethekeyapplicationsystemsmaintained?Hasitbeenmorethan5yearssincethelastmajorupgrade?技术无时无刻不在变化着。因此，需要对其进行持续地开发和，才能确保与时俱进。如果系统并非标准的现成程序包，公司与供应商之间是否签订了服务合同或服务水准协议？主要应用系统的情况怎样？是否已有五年以上未进行重大升级？1.41.4Is GuidanceforQuestionthatarechangingthewayoursconducttheirbusiness.Inthefuturewemayhavemachine-to-machinenetworks,cloudapplicationusfromnewsecurityconcerns.SomeofoursareattheDoes conductbusinessviatheIsthe differentiatingthemselvesfromtheircompetitorsbyusinglatesttechnologye.g.cloudservicesandapps?Is Bga、Socal和loudcomputing（云计算）代表了目前影响客户经营方式的趋势。我们在未来可能会拥有物联网、云端应用网、信息分析与新ID和信用模型以抵御新的安全。我们的一部分客户已经开始尝试这些新科技的变化，而其他客户仍在观望。 1.51.5Areshelf 在并客为鼓鼓企企对为为此供企企企在在通划企企GuidanceforQuestion ’sbusinessprocesseswereonceorganizedaroundacompaniesusecustomizedsystemswhichfittheirparticularbusinessmodelsandorganizationstructures,whichtheybelievegivethemthemostcompetitiveadvantage.Thesesystemsneedtobecontinuouslydevelopedandmaintained.greatertheeffortrequiredbythe todevelopandmaintainit.Doesthe haveadedicatedITteamtodevelopandsupportthesystem?以前，公司采用普遍通用的统一现成来管理业务流程。而如今，很多公司采用适合自身特有业务模型和组织结构的定制系统，并认为这样的系统能为自身带来最大的竞争优势。这些系统需要持续的开发和。通常来说，系统的定制程度越高，公司研发和系统的程度就要越高。 1.6Isthe usingcomplexapplication(s)inEnterprise 为为划划划划自自企划(ERP) GuidanceforQuestionERPsystemsaredesignedtobeintegratedacrossa managersandownershaveaccesstothedatatheyneedwhentheyneedit.Doesthesystemsupportbusinessprocessesonentirebusiness;covermultiplebusinessprocessesandIsthesystemmulti-functional(i.e.ittracksfinancialamounts,material,people,goodsandresources)?Isthesystemafullyintegrated,fullservicesuiteofsoftwarecoveringmultiplebusinessapplications?ERPsystemsareusuallymodularandsomeorallofthefunctionalitycanbeusedandimplemented.ExamplesofERPsystems:SAP,Oracle,PeopleSoft,JDEdwards.系统是否在企业层面为业务流程提供支持（例如对整体业务进行规划、管理和处理；涵盖多个业务流程和地点）？系统是否具有多重功能（即对财务金额、材料、人员、商品和资源进行追踪）？系统是否为涵盖多个商业应用程序的完全集成的全方位服务软件套件？企业资源计划系统通常具有模块化的特点，且其部分或全部功能均能被使用和实施。ERP系统包括：A,Oacle,eopleof,Ddwads。系时为为系在企 包系负 GuidanceforQuestionManyofoursuseautomatedinterfacesbetweentheiroperational,financialandreportingsystemstopromoteefficiencyandbetteraccuracyofdatatransfer.Subquestion(s)forIfthehasseveralapplicationsystems,isthereanyneedtotransferinformation/databetweenthesystems?Isthisinformationmorethanjustsimpletransactionaldataorpostingstothefinancialreportingsystemse.g.operationaldata,multiplesourcesanddatastreams,real-time(asopposedtobatche.g.periodend),cross-border,IsthedatatransferprocessistheresignificantuseofDoesthesystemreceiveorsendelectronicmessages(EDI)tothirdparties?我们有很多客户在其运营、财务和报告系统间使用自动化接口以提高数据传输的效率和准确性。如果客户拥有数个应用系统，是否有必要在系统间传输信息/数据？此类信息是否不仅仅是简单的数据或对财务报告系统进行的过账，例如操作数据、复合源和数据流、实时过账（相对于批处理，如期末过账）、过账等？客户系统与第之间是否存在电子信息的收发（电子数据换1.81.8Doessystemprocessahighvolumeof为为一鼓企处复 GuidanceforQuestionSomeofoursmayhaverelativelyfew,buthighvaluetransactions;othersmayhaveahighvolumeofrelativelylowvaluetransactions.Typicalindustrieswithhighvolumetransactionsincludethefinancialservices, munications,utilitiesandthepharmaceuticalsectors.Theissuefacingour sisthatwhileasingleerrorforagiventransactionmaybeimmaterial,ifthiserrorwasrepeatedmanymillionsoftimes,thenthemagnitudeoftheerrorormisstatementcouldbeInsituationswheresystemsarehighlyintegrated(e.g.ERP)andthevolumeoftransactionsislarge,journalentriesmaybegeneratedautomaticallyandinsomecasesthenpostedautomaticallyfromonesystemtoanother.Thechallengefacingusishowweaudithighvolumesofdata.Subquestion(s)forreference:WhatapproachshouldIadopttoauditanareawherevolumesoftransactionsareprocessedbyaWherethenumberoftransactionsissohigh,forexampleintheretailbankingor municationssectors,thatitwouldbedifficultforuserstoidentifyandcorrecterrorsinthedataprocessingorthatobtainingameaningfulsamplesizemanuallyfromanauditisnotfeasible,insuchcasestheuseofaudittechniquessuchasComputerAssistedAudittechniques("CAATs")willtypicallyleadtoasignificantreductionintheauditteameffortrequiredinundertakingsubstantivetesting.IstheauditbeingperformedinaccordancewithUSGAAS?SpecificrequirementsexistunderSAS99(ConsiderationofFraudinaFinancialStatementAudit)withfurtherguidanceavailableintheUSPwCAuditGuideSection4520,inparticulararoundUSlistedcompanies,asaresulttheauditapproachshouldexplicitlyconsidertheneedtouseCAATsandconsultationwithRCA/RAis mended.ForNonUSGAASengagements,engagementleadersandteammanagersarestill mendedtoconsiderusingCAATs,togetherwiththerelatedRCA/RAspecialists,aspartofthetestingofjournalentries.某对时时企自并包供应、但但但但在复复，其其则时时企自处、但但但并包供但在复复。企自企处复复在发一自划其其发发鼓鼓划、电划自划、应划公划划公公自划。划负客在项一为：单单负参单单包时负参单但在复复复单为单参单建在，但如如这参单单复包此自但但应，对那这参单单复单单供那那自产自产企客客。在但参在自（如ERP）在产自复复中复复处中企在一一负，时时自自自自自此，虽在然负参自自此然数然负参。项是负客在我我为如在在由企处在自并。包时系一鼓企处复复在是是，项应包此应划在我在在负我呢？为复复自处此企（如银银银自划复电划自划在复复）然从此负划划者者以划划并此确自并一鼓在在者单，复为此负参时时负负或在在从审系参审审在审此企审划，划划使如在一一使划在在划划("CAATs")在在在划划通通自企处的但在在在在为在应的应参参包包划划并试如在试试。为为 在为为应应(例如跨跨复为)一鼓划划SAS99（新鼓自此在在在在财财划划）在系参系应并此并中时然是跨美美美建在在此美美4520章在章负自负章此美（尤其为并时是跨上上应国在此美），划此在在负复应为项项划划划划CAATs在并并并中要要建预总总RCA/RA在审见。包时参应划是跨在在是则在在在，仍建预在在项项项划在在为鼓划划划划CAATs并总总并并在为为 在为为应应(例如跨跨复为)一鼓划划1.91.9Dothesystemsprocessinformationforacomplexorsophisticatedbusinessentity(e.g.multinationaloperations)? 该GuidanceforQuestionDothesystemsprocessinformationforacomplexorsophisticatedbusinessentity(e.g.multinationaloperations)?该系统是否为复杂的经营实体（例如经营企业）处理信息1.1Does (e.g.multiplesites,severaldifferenttypesofintegratedtechnology,usingofITserviceprovidersorsharedservicecentre)?为为系参在划划划划复复(例如，例例一、几参参参应一在应合划划、划划划划划划鼓鼓供应供复负建鼓鼓在由)？GuidanceforQuestionDoesthe haveacomplexinformationtechnologyinfrastructure(e.g.multiplesites,severaldifferenttypesofintegratedtechnology)?Subquestion(s)forHowmanydata-centresdoesthehave?Whatarethephysicallocationsofthedata-centres?DoesthehavealargeITinfrastructureandoperationsDoestheoutsourcecertainITfunctiontoaserviceorganization?Howlargeisthecontractsum?Doesthespendconsiderableamountofmoneyinhardwaremaintenanceand Istheutilisingawiderangeofdifferentintegratedandapplications?客户是否拥有复杂的技术架构（例如多地点、几种不同类型的

客户拥有的数据中心的数量是多少？这些数据中心的所在点在哪里？客户是否拥有大型 基础设施和操作团队 客户是否使 共享服务中心客户是否在硬 通信方面花费了相当数量的’suseofITsubjecttostringentregulatory在划划划划划划划为为项客客客客在总鼓并此 GuidanceforQuestionInsomejurisdictions,regulatorsandotherlegalbodieshavesetstringentrequirementsforaccessingandstoringofdataorforusinginformationtechnologytosupportbusinessoperations.Forexample:hasissuedthe“GuidelinesonE-bankingSecurityEvaluation”InHongKong,theHongKongMonetaryauthority(“HKMA”)issuedthe“GuidanceNoteonManagementofSecurityRisksinElectronicBankingServices”InSingapore,theMonetaryAuthorityofSingapore(“MAS”)hasissuedthe“Compliancechecklistforinternetbankingandtechnologyriskmanagementguidelines.0一些国家和地区的机构和其他法律实体对数据权限和以及利用 管理业务运营制定了严格的规定，例如：，中国银行业监督管理（“银监会”）已颁布了《电在，金融管理局（“金管局”）已下发了《电子银行服务保安风险管理的建议文件》在新加坡，新加坡金融管理局（“金管局”）已下发了《网络银行30版B2HPCandhigherriskauditconsiderationsIsthis consideredtobeHPC,aUSIntegratedAuditengagement,auditswherewewillotherwisegiveanauditopinionon ’sinternalcontrolsystem(paniesinsubjecttotheBasicStandardforEnterpriseInternalControl)orIPO/ (oranycombinationofthese)?该为为为HPC，是跨应合在在在在，项是并并包在鼓鼓鼓鼓企此在由审见在在在在在（例如例划时《划划鼓鼓鼓鼓或此企企》在在跨应国）复或应应企企自或或复或或应应企企自或或(复上那应一在为合)GuidanceforQuestionOurswhoaresubjecttoUSSOX,C-SOXorJ-SOXrulesorwhoarenninganIPOinHongKong,,Singaporeorotheroverseasjurisdiction,attractahigherdegreeofauditscrutinythan

otheraudits,whetherbecauseadditionalauditproceduresareoverfinancialreporting,orwhethersomeofourworkmaybeusedtomeetlistingrulesasinthecaseofPN21workforaHongKong对于应遵守USOX、C－OX或者J－OX的客户，或者正在计划于香港、陆、新加坡或其他海外国家或地区进行首次公开的客户，由于为形成我们对其财务报告内部控制的审计意见而需要执行额外的审计程序，或者对于在上市的公司而言，我们需要执行一些工作以遵守如PN21等上市条例的规定，因此上述客户需要接受相对于其他审计客户更加严格的审计监督。B3ListingandRegulatory3.1Is该吗3.1Is该吗 GuidanceforQuestionOurswhoarelistedaresubjecttotherespectivelistingrulesoftheexchangewheretheyarelisted.Furthermore,theirregulatorsmayalsosetspecificrequirementsfortheirparticipantsthatarelisted.Theserulesandrequirementsmayvarybetweenexchangesandregulatorybodies.Forexample:HongKong’sCorporateernance’sBasicStandardforEnterpriseInternalSingapore’sCodeofCorporateUS’sSarbanes-Oxley我们的上市客户需遵守相关所的上市规则。此外，机构也可能制定了与上市相关的具体要求。所和机构颁布的这些规则和要中国的《企业内部控制基Category:Category:应一ThedefinitionforeachcategoryisasA-Those sconsideredHPC,allIntegratedAuditengagements,auditswherewewillotherwisegiveanauditopiniononthe'sinternalcontrolsystem(e.gcompaniesin subjecttotheBasicStandardforEnterpriseInternalControl),IPO/nnedIPOengagementsandallotherlisted swithcomplexsystems.B-Any swithcomplexC- s D-Anyothers Thetablebelowfurtherillustratesthein ctionbetweenRCA/RAnelandthecoreassurance tteamsAentIdentifyCombined√RCA/RAnelshouldbeusedifthereisuncertaintyonthelevelofcomplexityandtheapproachtoadoptorifassistanceisrequiredinandtestingofcessesandandevaluatecontrolsotherthangeneralforexampleCombined√ValidateCombined√,evaluateandvalidateITGeneralComputer√CombinedIftheentityhascomplexsystemsi.e.,isassessedascategoryAorB,RCA/RAshallbeinvolvedintheauditofthosesystems,unlesstheEngagementl