Audit in an Automated Environment Flashcards
Identify which of the controls in the cases below are automated, manual or IT dependent manual.
- Price master configured in the sales master can only be edited by authorized personnel in the system.
- Invoice cannot be booked in SAP in case Purchase orders are not approved.
- Inventory ageing report is pulled out from the system based on which provisioning is calculated after analyzing the future demand by the inventory personnel and approved by the controller.
- All invoices are signed by warehouse personnel before the goods are dispatched to the customer.
- Credit limit is assigned to the customer and goods cannot be sold in excess of credit limit configured in the system.
- All changes to the credit limit are approved manually by sales manager.
- Ageing report is pulled out from SAP based on which provisioning is calculated by accounting personnel and approved by financial controller.
- PO, GRN (Goods received note) and invoice are matched by the system before it is posted in the financial records.
- Automated control as there is inbuilt control for editing of the price master by the authorized personnel.
- Automated control as system doesn’t allow approval of invoice in case Purchase Order is not booked.
- IT dependent manual control as Inventory ageing report is pulled out from the system after which provision for inventory is manually approved.
- Manual control as sign off is required to be done for the invoice before the dispatch of the goods.
- Automated control as system doesn’t allow goods to be sold if credit limit assigned to the customer has been crossed.
- Manual control as sign off is required for every change to the credit limit.
- IT dependent manual control as ageing report is relied upon for calculation of provisioning for debtors.
- Automated control as PO, GRN and invoice are matched by the system before recording of the invoice to the vendor account.
The volatility, unpredictability and pace of change in the automated environment today are far greater than in the past, which exposes businesses to more risk and requires them to manage such risks continuously. State the various risks which an enterprise may have to face and manage.
Risks which an enterprise may face and manage:
Businesses today operate in a dynamic environment. The volatility, unpredictability and pace of
changes that exist in the business environment today are far greater than in the past. Some of the reasons
for this dynamic environment include globalization, use of technology, new regulatory requirements,
etc. Because of this dynamic environment the associated risks to business have also increased and
companies have a need to continuously manage risks.
Examples of risks include:
1. Market Risks;
2. Regulatory & Compliance Risks;
3. Technology & Security Risks;
4. Financial Reporting Risks;
5. Operational Risks;
6. Credit Risk;
7. Business Partner Risk;
8. Product or Project Risk; and
9. Environmental Risks.
In a controls-based audit, the audit approach can be classified into three broad phases comprising planning, execution, and completion.
You are required to briefly explain the relevant considerations for every phase in the above audit approach in the case of an automated environment.
In a controls-based audit, the audit approach can be classified into three broad phases comprising planning, execution, and completion.
In this approach, the considerations of automated environment will be relevant at every phase as given below:
I. Risk Assessment Process
• Identify significant accounts and disclosures.
• Qualitative and Quantitative considerations.
• Relevant Financial Statement Assertions (FSA).
• Identify likely sources of misstatement.
• Consider risk arising from use of IT systems.
II. Understand and Evaluate
• Document understanding of business processes using Flowcharts / Narratives.
• Prepare Risk and Control Matrices (RCM).
• Understand design of controls by performing walkthrough of end-to-end process.
• Process wide considerations for Entity Level Controls, Segregation of Duties.
• IT General Controls, Application Controls.
III. Test for Operating Effectiveness
• Assess Nature, Timing and Extent (NTE) of controls testing.
• Assess reliability of source data; completeness of population.
• Testing of key reports and spreadsheets.
• Sample testing.
• Consider competence and independence of staff / team performing controls testing.
IV. Reporting
• Evaluate Control Deficiencies.
• Significant deficiencies, Material weaknesses.
• Remediation of control weaknesses.
• Internal Controls Memo (ICM) or Management Letter.
• Auditor’s report.
The auditors are required to understand, evaluate and validate the entity level controls as a part of
audit engagement, the result of which has an impact on the nature, timing and extent of other audit
procedures. In evaluating the effect of such control, existence, effectiveness and assessment of
the whistle-blower policy in the company is very important. Specify the procedure you would
perform for an understanding and evaluation of such whistle-blower policy.
Procedure for understanding and evaluation of whistle-blower policy - Auditors are required
to understand, evaluate and validate the entity level controls as a part of an audit engagement.
The results of testing entity level controls could have an impact on the nature, timing and extent of
other audit procedures including testing of controls. For example, when the entity level controls at
a company are effective, the auditor may consider reducing the number of samples in the test of
controls and where the auditor finds the entity level controls ineffective, the auditor may consider
increasing the rigour of testing by increasing sample sizes. In small and less complex companies,
the entity level controls may not be formally defined or documented. In such situations, the auditor
should design audit procedures accordingly to obtain evidence of the existence and effectiveness
of entity level controls.
The following example shows how the auditor performs an understanding and evaluation of the
whistle-blower policy in a company:
(i) Does the company have a whistle-blower policy?
(ii) Is this policy documented and approved?
(iii) Has the whistle-blower policy been communicated to all the employees?
(iv) Are employees aware of this policy and understand its purpose and their obligations?
(v) Has the company taken measures viz., training, to make the employees understand the
contents and purpose of the policy?
(vi) Does the company monitor effectiveness of the policy from time-to-time?
(vii) How does the company deal with deviations and non-compliance?