6. Audit in Automated Environment Flashcards
What is an Automated Environment?
An automated environment basically refers to a business environment where the
i) processes
ii) operations
iii) accounting and
iv) decisions
[MT: PADO]
are carried out by using computer systems - also known as Information Systems (IS) or Information Technology (IT) systems.
Nowadays, it is very common to see computer systems being used in almost every type of business.
Key features of an Automated Environment.
Key features of an automated environment are as under:
i) Ability to process large volumes of transactions [IRCTC]
ii) Accuracy in data processing and computation [Bank Interest]
iii) Enables faster business operation
iv) Integration amongst business operations [ERP systems]
v) Better security and controls [Password/Biometrics]
vi) Less prone to human errors
vii) Provides latest information [Seat availability, Stock availability]
viii) Connectivity and networking capability [LAN / MAN / WAN]
Understanding and documenting the Automated environment.
Given below are some of the points that an auditor should consider to obtain an understanding of the company’s automated environment:
i) Information systems being used (one or more application systems and what they are)
ii) In-house vs Packaged
iii) Version (functions and risks could vary in different versions of the same application).
iv) Their purpose (financial and non-financial)
v) Location of IT systems - local vs global
vi) Architecture (desktop based, client-server, web application, cloud based)
vii) Interfaces within systems (in case multiple systems exist).
viii) Outsourced activities (IT maintenance and support).
ix) Key persons (CIO, CISO, Administrators).
The understanding of a company’s IT environment that is obtained should be documented.
Risk arising from use of IT systems.
Given below are some such risks that should be considered:
i) Unauthorized access to data.
ii) Excessive access / Privileged access (super users).
iii) Lack of adequate segregation of duties.
iv) Unauthorized changes to systems or programs.
v) Failure to make necessary changes to systems or programs.
vi) Direct data changes (backend changes).
vii) Inaccurate processing of data, processing inaccurate data, or both.
viii) Loss of data.
Impact of IT related risks.
The IT related risks have to be mitigated. If not mitigated, such risks could have an impact on the audit in different ways, as discussed under:
Impact on substantive checking:
i) Cannot rely on the data obtained from systems.
ii) System data and reports should be tested substantively for completeness and accuracy.
iii) More audit evidence is needed.
Impact on Controls:
i) Cannot rely on automated controls, system calculations and accounting procedures built into applications.
ii) Cannot rely on IT dependent manual controls.
iii) System data and reports should be tested substantively for completeness and accuracy.
iv) More substantive audit work is needed.
Impact on Reporting:
i) Communication to those charged with governance.
ii) Modified auditor’s report.
Types of controls in an automated environment.
Controls in an automated environment can be categorized as under:-
A) General IT controls:
General IT controls are policies and procedures that relate to many applications and support the effective functioning of application controls.
General IT controls that maintain the integrity of information and security of data commonly include controls over the following:
i) Data centre and network operations
ii) Program change
iii) Access security
iv) Application system acquisition, development, and maintenance (Business Applications).
General IT controls are known as “pervasive” controls or “indirect” controls.
B) Application Controls:
Application controls include both automated and manual controls that operate at a business process level.
Automated Application controls are embedded into IT applications.
Examples of automated application controls include edit checks and validation of input data, sequence number checks, user limit checks, reasonableness checks, mandatory data fields.
C) IT dependent Controls:
IT dependent controls are basically manual controls that make use of some form of data or information or report produced from IT systems and applications.
In this case, even though the control is performed manually, the design and effectiveness of such controls depends on the reliability of source data.
Due to the inherent dependency on IT, the effectiveness and reliability of automated application controls and IT dependent controls require the General IT controls to be effective.
General IT controls vs. Application Controls
a) These two categories of control over IT systems are interrelated.
b) The relationship between the application controls and the General IT Controls is such that General IT Controls are needed to support the functioning of application controls, and both are needed to ensure complete and accurate information processing through IT systems.
Testing methods in an automated environment.
There are basically four types of audit tests that should be used. These are
a) Inquiry
b) Observation
c) Inspection and
d) Re-performance.
[MT: ROI]
i) Inquiry is the most efficient audit test but it also gives the least audit evidence. Hence, inquiry should always be used in combination with any one of the other audit testing methods. Inquiry alone is not sufficient.
ii) Reperformance is most effective as an audit test and gives the best audit evidence. However, testing by reperformance could be very time consuming and least efficient most of the time.
iii) Generally, applying inquiry in combination with inspection gives the most effective and efficient audit evidence.
iv) However, which audit test to use, when and in what combination is a matter of professional judgement and will vary depending on several factors.
v) The auditor should document the nature of test (or combination of tests) applied along with the judgements in the audit file.
Internal Financial Controls as per regulatory requirements.
The term Internal Financial Controls (IFC) basically refers to the policies and procedures put in place by companies for ensuring:
i) Reliability of financial reporting
ii) Effectiveness and efficiency of operations
iii) Compliance with applicable laws and regulations
iv) Safeguarding of assets
v) Prevention and detection of frauds
[MT: CARE + Fraud]
The directors and management have the primary responsibility for implementing and maintaining an effective internal controls framework, and auditors are expected to evaluate, validate and report on the design and operating effectiveness of internal financial controls.
Data Analytics for audit.
In today’s digital age when companies rely more and more on IT systems and networks to operate business, the amount of data and information that exists in these systems is enormous.
The combination of processes, tools and techniques that are used to tap vast amounts of electronic data to obtain meaningful information is called data analytics.
While it is true that companies can benefit immensely from the use of data analytics in terms of increased profitability, better customer service, gaining competitive advantage, more efficient operations, etc., even auditors can make use of similar tools and techniques in the audit process and obtain good results.
The tools and techniques that auditors use in applying the principles of data analytics are known as Computer Assisted Auditing Techniques, or CAATs in short.
Where can we use data analytics in audit.
Data analytics can be used to perform the following:
i) Check completeness of data and population that is used in either test of controls or substantive audit tests.
ii) Selection of audit samples - random sampling, systematic sampling.
iii) Re-computation of balances - reconstruction of trial balance from transaction data.
iv) Reperformance of mathematical calculations - depreciation, bank interest calculation.
v) Analysis of journal entries.
vi) Fraud investigation.
vii) Evaluating impact of control deficiencies.
Assess and Report audit findings in the IT environment.
At the conclusion of each audit, it is possible that there will be certain findings or exceptions in the IT environment and IT controls of the company that need to be assessed and reported to relevant stakeholders, including management and those charged with governance, viz., Board of directors, Audit committee.
The auditor needs to assess each finding or exception to determine impact on the audit and evaluate if the exception results in a deficiency in internal control.
A deficiency in internal control exists if a control is designed, implemented or operated in such a way that it is unable to prevent, or detect and correct, misstatements in the financial statements on a timely basis; or the control is missing.
Evaluation and assessment of audit findings and control deficiencies involves applying professional judgement.
Each finding should be looked at individually and in the aggregate by combining with other findings/deficiencies.
When are manual controls more suitable than automated controls.
Manual elements in internal control may be more suitable where judgment and discretion are required such as for the following circumstances:
i) Large, unusual or non-recurring transactions.
ii) Circumstances where errors are difficult to define, anticipate or predict.
iii) In changing circumstances that require a control response outside the scope of an existing automated control.
iv) In monitoring the effectiveness of automated controls.
When are manual controls less suitable than automated controls.
Manual elements in internal control may be less reliable than automated elements because they can be more easily bypassed, ignored, or overridden and they are also more prone to simple errors and mistakes.
Manual control elements may be less suitable for the following circumstances:
i) High volume or recurring transactions.
ii) Situations where errors that can be anticipated or predicted can be prevented, or detected and corrected, by control parameters that are automated.
iii) Control activities where the specific ways to perform the control can be adequately designed and automated.
Why digital audit is being used?
Entities are embracing digitization as part of their operations to keep pace with changing times.
Companies are restructuring their business models driven by technology.
Automation is key to digitization.
In such a business environment, auditors are making use of digital technology right from planning to the expression of the final opinion.
Auditors are making use of artificial intelligence, data analytics and other latest technologies to help understand business processes in a better way.
Digital audit is helping auditors to better identify risks by making use of technology.