Date:- 18 June, 2021 Session :- 1 Virtual Coaching Classes


VIRTUAL COACHING CLASSES
ORGANISED BY BOS, ICAI

INTERMEDIATE LEVEL
PAPER 6: AUDITING AND ASSURANCE

TOPIC :- AUDIT IN AN AUTOMATED ENVIRONMENT
(CHAPTER – 6 FROM STUDY MATERIAL)

Faculty : VIPUL SABOO (B.COM, FCA)

© The Institute of Chartered Accountants of India

Date:- 18 June, 2021
SESSION :- 1

THE STUDY SEQUENCE

16 June 2021 © THE INSTITUTE OF CHARTERED ACCOUNTANTS OF INDIA

A) THE CHAPTER – Understanding the Topic with a Bird’s Eye View & Weightage in the Exam.

B) CONCEPTUAL UNDERSTANDING – Study Material & Presentation.

C) PRACTICE QUESTIONS – MCQs, Correct / Incorrect, Case Studies & Descriptive Questions

D) SUMMARY OF THE CHAPTER – A Brief Chapter / Topic Chart for Quick Recap.

E) HOW TO WRITE AUDIT (Exam Style) – Using Professional & Technical Jargon (Terms, Words, etc.)

F) SHORT MOCK TEST – Checking what all we have been able to cover today.

G) DOUBTS SESSION – Relevant Common & Specific Doubts

THE CHAPTER OF THE DAY – CH :- 6

* Weightage – 15-20% (along with CH - 4)

PART – I :- GENERAL
A) Automated Environment & Key Features.
B) Relevance of IT in Audit.

PART – II :- RISKS, CONTROLS & TESTING
C) Risks & Controls in an Automated Environment
a) Understanding & Documentation
b) Impact of IT Related Risks
c) Types of Controls
D) Testing Methods

PART – III :- MISCELLANEOUS IMPORTANT TOPICS
E) Internal Financial Controls (IFC)
F) Data Analytics
G) Audit Findings

PART – I :- GENERAL
A) Automated Environment & Its Features

MEANING

An automated environment basically refers to :-

• a business environment

• where the processes, operations, accounting and even decisions

• are carried out by using computer systems – also known as Information Systems (IS) or Information Technology (IT) systems.

PART – I :- GENERAL
B) Relevance of IT in Audit

1. With the increasing adoption of information technology, businesses today rely on software systems and applications more than ever. Many of these IT systems generate and process data that is used in the preparation of financial statements of a company. The auditors also often rely on the data and reports that are generated from these systems. In this context, it is critical to understand the IT specific risks that could potentially impact the integrity and reliability of financial transactions and data flowing through a company’s systems.

2. The complexity of a business environment depends on the level of automation i.e., if a business environment is more automated, it is likely to be more complex. If a company uses an integrated enterprise resource planning system (ERP) viz., SAP, Oracle etc., then it is considered more complex to audit. On the other hand, if a company is using an off-the-shelf accounting software, then it is likely to be a less automated and hence less complex environment.

3. Companies derive benefit from the use of IT systems as an enabler to support various business operations and activities. Auditors need to understand the relevance of these IT systems to an audit of financial statements.

4. While it is true that the use of IT systems and automation benefits the business by making operations more accurate, reliable, effective and efficient, such systems also introduce certain new risks, including IT specific risks, which need to be considered, assessed and addressed by management.

5. With the introduction of the Companies Act 2013, there is greater emphasis given to internal financial controls (IFC) from a regulatory point of view. Directors and those charged with governance (including Board of directors, Audit committee) are responsible for the implementation of internal controls framework within the company. The auditors’ responsibilities now include reporting on Internal Financial Controls over Financial Reporting, which include an understanding of the IT environment of the company and relevant risks & controls.

PART – I :- GENERAL
B) Relevance of IT in Audit

Given below are some situations in which IT will be relevant to an audit :-

1) Increased use of Systems and Application software in Business (for example, use of ERPs)

2) Complexity of transactions has increased (multiple systems, network of systems)

3) Hi-tech nature of business (Telecom, e-Commerce).

4) Volume of transactions is high (Insurance, Banking, Railways ticketing).

5) Company Policy (Compliance).

6) Regulatory requirements - Companies Act 2013 IFC, IT Act 2008.

7) Required by Indian and International Standards - ISO, PCI-DSS, SA 315, SOC, ISAE.

8) Increases efficiency and effectiveness of audit.

PART – I :- GENERAL
PRACTICE QUESTIONS (CORRECT / INCORRECT)

1. The complexity of a business environment depends on the level of automation i.e., if a business environment is more automated, it is likely to be less complex.
= Incorrect: The fundamental principle of an automated environment is the ability to carry out business with less manual intervention and more system driven. The complexity of a business environment depends on the level of automation i.e., if a business environment is more automated, it is likely to be more complex. If a company uses an integrated enterprise resource planning system (ERP) viz., SAP, Oracle etc., then it is considered more complex to audit. On the other hand, if a company is using an off-the-shelf accounting software, then it is likely to be a less automated and hence less complex environment.

2. In an audit of financial statements, the primary focus is around those risks that are relevant to financial reporting.
= Incorrect: There could be other non-audit assurance engagements that auditors may be involved in, wherein the area of focus could include those IT risks relevant to the company’s compliance and business operations in addition to financial reporting risks. Examples of such non-audit assurance engagements are internal audits, IT audits, pre-implementation reviews, data migration audits, third party assurance. Hence, IT is relevant to an audit under different situations viz., audit, non-audit and meeting regulatory compliance requirements.

PART – I :- GENERAL
PRACTICE QUESTIONS (CORRECT / INCORRECT)

3. With the introduction of the Companies Act 2013, there is greater emphasis given to internal financial controls (IFC) from a regulatory point of view.
= Correct: Directors and those charged with governance (including Board of directors, Audit committee) are responsible for the implementation of internal controls framework within the company. The auditors’ responsibilities now include reporting on Internal Financial Controls over Financial Reporting, which include an understanding of the IT environment of the company and relevant risks & controls.

4. Many companies use less complex IT systems including desktop based accounting or spreadsheets. In such situations, the relevance of IT to an audit could be less.
= Correct: However, the auditor is still required to at least obtain an understanding of the IT environment of the company and document the same.

PART – I :- GENERAL
PRACTICE QUESTIONS (DESCRIPTIVE)

1. When a business operates in a more automated environment it is likely that we, as auditors, will see several business functions and activities happening within the systems. Explain which aspects you will consider relevant as an auditor.

Ans. :- When a business operates in a more automated environment it is likely that we, as auditors, will see several business functions and activities happening within the systems. As an auditor, there is a need to consider the following aspects :-

• Computation and calculations are automatically carried out (for example, bank interest computation and inventory valuation).

• Accounting entries are posted automatically (for example, sub-ledger to GL postings are automatic).

• Business policies and procedures, including internal controls, are applied automatically (for example, delegation of authority for journal approvals, customer credit limit checks are performed automatically).

• Reports used in business are produced from systems. Management and other stakeholders rely on these reports and information produced (for example, debtors ageing report).

• User access and security are controlled by assigning system roles to users (for example, segregation of duties can be enforced effectively).

PART – I :- GENERAL
PRACTICE QUESTIONS (DESCRIPTIVE)

2. With the increasing adoption of information technology, business today relies on software systems and applications more than ever. Many of these IT systems generate and process data that is used in the preparation of financial statements of a company. The auditors also often rely on the data and reports that are generated from these systems. Explain, stating clearly the meaning of Automated environment with example.

Ans. :- With the increasing adoption of information technology, business today relies on software systems and applications more than ever. Many of these IT systems generate and process data that is used in the preparation of financial statements of a company. The auditors also often rely on the data and reports that are generated from these systems. In this context, it is critical to understand the IT specific risks that could potentially impact the integrity and reliability of financial transactions and data flowing through a company’s systems :-

a) Automated Environment :- An automated environment basically refers to a business environment where the processes, operations, accounting and even decisions are carried out by using computer systems – also known as Information Systems (IS) or Information Technology (IT) systems. Nowadays, it is very common to see computer systems being used in almost every type of business.

b) Example :- Banking transactions that are carried out using ATMs (Automated Teller Machines), or how tickets can be purchased using “apps” on mobile phones, etc. In these examples, one can see how these computer systems enable one to transact business at any time and any day.

c) Features of Automated Environment :- Slide No. - 4

PART – II :- RISKS, CONTROLS & TESTING
C) Risks & Controls in an Automated Environment
a) Understanding & Documentation

1. UNDERSTANDING :- An auditor is required to understand the entity and its business, including IT, as per SA 315. Understanding the entity and its automated environment involves understanding how the IT department is organised, IT activities, the IT dependencies, relevant risks and controls.

2. CONSIDERATIONS BY THE AUDITOR FOR UNDERSTANDING THE AUTOMATED ENVIRONMENT :-
a) Information systems being used (one or more application systems and what they are).
b) Their purpose (financial and non-financial).
c) Location of IT systems - local vs global.
d) Architecture (desktop based, client-server, web application, cloud based).
e) Version (functions and risks could vary in different versions of same application).
f) Interfaces within systems (in case multiple systems exist).
g) In-house vs Packaged.
h) Outsourced activities (IT maintenance and support).
i) Key persons (CIO, CISO, Administrators).

PART – II :- RISKS, CONTROLS & TESTING
C) Risks & Controls in an Automated Environment
a) Understanding & Documentation

3. DOCUMENTATION :- The understanding of a company’s IT environment that is obtained should be documented [SA 230 – Audit Documentation] using any standard format or template. Having a summarized document helps the auditor in determining the areas considered in scope of audit.

4. RISKS ASSOCIATED :- Having obtained an understanding of the IT systems and the automated environment of a company, the auditor should now understand the risks that arise from the use of IT systems. For Example :-
• Inaccurate processing of data, processing inaccurate data, or both.
• Unauthorized access to data.
• Direct data changes (backend changes).
• Excessive access / Privileged access (super users).
• Lack of adequate segregation of duties.
• Unauthorized changes to systems or programs.
• Failure to make necessary changes to systems or programs.
• Loss of data.

PART – II :- RISKS, CONTROLS & TESTING
C) Risks & Controls in an Automated Environment
b) Impact of IT Related Risks

Such risks, if not mitigated, may impact the Audit as follows :-

PART – II :- RISKS, CONTROLS & TESTING
C) Risks & Controls in an Automated Environment
c) Types of IT Controls

To mitigate such risks and maintain the confidentiality, integrity, availability and security of data (CIAS), companies implement IT controls :-

GENERAL IT

• General IT controls are policies and procedures that relate to many applications and support the effective functioning of application controls.

• They apply to mainframe, miniframe, and end-user environments.

• General IT controls maintain the integrity of information and security of data.

• These are IT controls generally implemented to mitigate the IT specific risks and applied commonly across multiple IT systems, applications and business processes. Hence, General IT controls are known as “pervasive” controls or “indirect” controls.

APPLICATION

• Application controls include both automated or manual controls that operate at a business process level.

• Automated application controls are embedded into IT applications viz., ERPs and help in ensuring the completeness, accuracy and integrity of data in those systems.

• Examples of automated application controls include edit checks and validation of input data, sequence number checks, user limit checks, reasonableness checks, mandatory data fields.

General IT Controls are needed to support the functioning of application controls, and both are needed to ensure complete and accurate information processing through IT systems.

IT DEPENDENT

• IT dependent controls are basically manual controls that make use of some form of data or information or report produced from IT systems and applications.

• Even though the control is performed manually, the design and effectiveness of such controls depend on the reliability of source data.

• Due to the inherent dependency on IT, the effectiveness and reliability of automated application controls and IT dependent controls require the General IT Controls to be effective.

PART – II :- RISKS, CONTROLS & TESTING
C) Risks & Controls in an Automated Environment
c) Types of IT Controls – GENERAL IT CONTROLS

1. Data Center and Network Operations

a) Objective :- To ensure that production systems are processed to meet financial reporting objectives.

b) Activities :-
• Overall Management of Computer Operations Activities
• Batch jobs – preparing, scheduling and executing
• Backups – monitoring, storage & retention
• Performance Monitoring – operating system, database and networks
• Recovery from Failures – BCP, DRP
• Help Desk Functions – recording, monitoring & tracking
• Service Level Agreements – monitoring & compliance
• Documentation – operations manuals, service reports

PART – II :- RISKS, CONTROLS & TESTING
C) Risks & Controls in an Automated Environment
c) Types of IT Controls – GENERAL IT CONTROLS

2. Program Change

a) Objective :- To ensure that modified systems continue to meet financial reporting objectives.

b) Activities :-
• Change Management Process – definition, roles & responsibilities
• Change Requests – record, manage, track
• Making Changes – analyze, design, develop
• Test Changes – test plan, test cases, UAT
• Apply Changes in Production
• Emergency & Minor Changes
• Documentation – user/technical manuals
• User Training

PART – II :- RISKS, CONTROLS & TESTING
C) Risks & Controls in an Automated Environment
c) Types of IT Controls – GENERAL IT CONTROLS

3. Access Security

a) Objective :- To ensure that access to programs and data is authenticated and authorized to meet financial reporting objectives.

b) Activities :-
• Security Organization & Management
• Security Policies & Procedures
• Application Security
• Data Security
• Operating System Security
• Network Security – internal network, perimeter network
• Physical Security – access controls, environment controls
• System Administration & Privileged Accounts – Sysadmins, DBAs, Superusers

PART – II :- RISKS, CONTROLS & TESTING
C) Risks & Controls in an Automated Environment
c) Types of IT Controls – GENERAL IT CONTROLS

4. Application system acquisition, development, and maintenance

a) Objective :- To ensure that systems are developed, configured and implemented to meet financial reporting objectives.

b) Activities :-
• Overall Mgmt. of Development Activities
• Project Initiation
• Analysis & Design
• Construction
• Testing & Quality Assurance
• Data Conversion
• Go-Live Decision
• Documentation & Training

PART – II :- RISKS, CONTROLS & TESTING
D) Testing Methods – Audit Tests Performed

AUDIT TESTS (Common Methods)

INQUIRY
Inquiry is the process of gathering information directly from an individual who is familiar with the subject matter or control being tested. Inquiry may be written (i.e. email) or oral (i.e. interview).

OBSERVATION
Observation is the process or procedure of observing processes take place or witnessing physical items in place and operating as described. These might also be considered walkthroughs.

INSPECTION
Inspection is the examination of documentation that serves as evidence that a control is in place. Inspection involves gathering populations and creating samples for testing, but can also overlap with observations (e.g. inspecting fire suppression inspection records while observing that the fire suppression system is in place).

REPERFORMANCE
Re-performance is independently recreating a process to verify that it is operating effectively. Re-performance may also include recreating a process in tandem with an observation to observe an otherwise automated process.

PART – II :- RISKS, CONTROLS & TESTING
D) Testing Methods - Some Considerations

1. Inquiry is the most efficient audit test but it also gives the least audit evidence. Hence, inquiry should always be used in combination with any one of the other audit testing methods. Inquiry alone is not sufficient.

2. Reperformance is most effective as an audit test and gives the best audit evidence. However, testing by reperformance could be very time consuming and least efficient most of the time.

3. Generally, applying inquiry in combination with inspection gives the most effective and efficient audit evidence.

4. However, which audit test to use, when and in what combination is a matter of professional judgement and will vary depending on several factors including –
• risk assessment,
• control environment,
• desired level of evidence required,
• history of errors/misstatements,
• complexity of business,
• assertions being addressed, etc.

5. The auditor should document the nature of test (or combination of tests) applied along with the judgements in the audit file as required by SA 230.

PART – II :- RISKS, CONTROLS & TESTING
PRACTICE QUESTIONS (CORRECT / INCORRECT)

1. Inquiry alone is sufficient to test the operating effectiveness of controls.
= Incorrect: Inquiry along with other audit procedures (for example observation, inspection, external confirmation etc.) would only enable the auditor to test the operating effectiveness of controls. Inquiry alone is not sufficient to test the operating effectiveness of controls.

2. When auditing in an automated environment, inquiry is often the most efficient and effective audit testing method.
= Incorrect: There are basically four types of audit tests that should be used in an automated environment. They are inquiry, observation, inspection and re-performance. Inquiry is the most efficient audit test but it also gives the least audit evidence. Hence, inquiry should always be used in combination with any one of the other audit testing methods. Inquiry alone is not sufficient. Applying inquiry in combination with inspection gives the most effective and efficient audit evidence.

3. The different categories of control over IT systems are interrelated.
= Correct: The relationship between the application controls and the General IT Controls is such that General IT Controls are needed to support the functioning of application controls, and both are needed to ensure complete and accurate information processing through IT systems. Due to the inherent dependency on IT, the effectiveness and reliability of automated application controls and IT dependent controls require the General IT Controls to be effective.

PART – II :- RISKS, CONTROLS & TESTING
PRACTICE QUESTIONS (CORRECT / INCORRECT)

4. To rely on the system and application based information including data, reports, automated controls, configurations, calculations and IT dependent controls, it is essential to first determine the existence and effectiveness of General IT Controls.
= Correct: Where the general IT controls are not existing or existing but ineffective, the auditor should assess the impact of IT risks and complexity of the automated environment in which the business operations take place and plan alternative audit procedures in order to rely on the system based information.

5. IT dependent controls are known as “pervasive” controls or “indirect” controls.
= Incorrect: General IT controls are generally implemented to mitigate the IT specific risks and applied commonly across multiple IT systems, applications and business processes. Hence, General IT controls are known as “pervasive” controls or “indirect” controls.

PART – II :- RISKS, CONTROLS & TESTING
PRACTICE QUESTIONS (DESCRIPTIVE)

Q.1 :- Discuss the common methods applied by the auditor when testing in an automated environment. (4 Marks)

Ans. :- There are basically four types of audit tests that should be used. They are inquiry, observation, inspection and reperformance. Inquiry is the most efficient audit test but it also gives the least audit evidence. Hence, inquiry should always be used in combination with any one of the other audit testing methods. Inquiry alone is not sufficient. When testing in an automated environment, some of the more common methods are as follows :-
1) Obtain an understanding of how an automated transaction is processed by doing a walkthrough of one end-to-end transaction using a combination of inquiry, observation and inspection.
2) Observe how a user processes transactions under different scenarios.
3) Inspect the configuration defined in an application.
4) Inspect the system logs to determine any changes made since last audit testing.
5) Inspect technical manual / user manual of systems and applications.
6) Carry out a test check (negative testing) and observe the error message displayed by the application.
7) Conduct reperformance using raw source data and independently applying formulae, business rules or validations on the source data using CAATs.
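
Added example, not part of the ICAI study material: method 7 above (reperformance on raw source data using CAATs) sketched in Python. The journal extract, column names, approver limits and rule set are constructed assumptions; the rules mirror the automated application controls named earlier (sequence number checks, mandatory data fields, user limit checks) plus segregation of duties.

```python
import csv
import io
from decimal import Decimal

# Constructed sample extract (not real data): journal entries exported from an ERP.
RAW_EXTRACT = """\
doc_no,amount,account,prepared_by,approved_by,status
1001,2500.00,4000,asha,ravi,POSTED
1002,98000.00,4000,asha,ravi,POSTED
1003,1200.00,,meena,ravi,POSTED
1005,400.00,5100,ravi,ravi,POSTED
1005,400.00,5100,ravi,meena,POSTED
1006,75000.00,4000,asha,meena,REJECTED
"""

# Assumed approval limits per user, standing in for the configured user limits.
APPROVAL_LIMIT = {
    "ravi": Decimal("50000"),
    "asha": Decimal("100000"),
    "meena": Decimal("10000"),
}
MANDATORY_FIELDS = ("doc_no", "amount", "account", "prepared_by", "approved_by")


def load_entries(text):
    """Parse the raw extract into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def sequence_exceptions(entries):
    """Sequence number check: missing and duplicated document numbers."""
    seen, duplicates = set(), set()
    for e in entries:
        if not e["doc_no"].strip():
            continue
        n = int(e["doc_no"])
        if n in seen:
            duplicates.add(n)
        seen.add(n)
    missing = sorted(set(range(min(seen), max(seen) + 1)) - seen)
    return {"missing": missing, "duplicates": sorted(duplicates)}


def entry_exceptions(entry):
    """Independently apply the business rules to one entry."""
    reasons = []
    blanks = [f for f in MANDATORY_FIELDS if not entry[f].strip()]
    if blanks:
        reasons.append("mandatory field blank: " + ",".join(blanks))
    approver = entry["approved_by"].strip()
    if approver and approver == entry["prepared_by"].strip():
        reasons.append("segregation of duties: preparer approved own entry")
    limit = APPROVAL_LIMIT.get(approver)
    amount = entry["amount"].strip()
    if amount and limit is not None and Decimal(amount) > limit:
        reasons.append("user limit exceeded")
    return reasons


def reperform(entries):
    """Entries the system POSTED although the reperformed rules reject them."""
    findings = []
    for e in entries:
        reasons = entry_exceptions(e)
        # A rule breach on a REJECTED entry means the control operated.
        if reasons and e["status"] == "POSTED":
            findings.append((e["doc_no"], reasons))
    return findings


if __name__ == "__main__":
    rows = load_entries(RAW_EXTRACT)
    print(sequence_exceptions(rows))
    for doc_no, reasons in reperform(rows):
        print(doc_no, reasons)
```

Entry 1006 breaches the approver's limit but was rejected by the system, so it is evidence that the control operated and is not reported as a finding.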

PART – II :- RISKS, CONTROLS & TESTING
PRACTICE QUESTIONS (DESCRIPTIVE)

Q.2 :- List any four points that an auditor should consider to obtain an understanding of the Company's automated environment. (4 Marks)

Ans. :- Understanding of the Company’s Automated Environment :- Given below are some of the points that an auditor should consider to obtain an understanding of the company’s automated environment :-

i. Information systems being used (one or more application systems and what they are)
ii. Their purpose (financial and non-financial)
iii. Location of IT systems - local vs global
iv. Architecture (desktop based, client-server, web application, cloud based)
v. Version (functions and risks could vary in different versions of same application)
vi. Interfaces within systems (in case multiple systems exist)
vii. In-house vs Packaged
viii. Outsourced activities (IT maintenance and support)
ix. Key persons (CIO, CISO, Administrators)

PART – II :- RISKS, CONTROLS & TESTING
PRACTICE QUESTIONS (DESCRIPTIVE)

Q.3 :- The auditor should understand and consider the risks that may arise from the use of Information Technology (IT) Systems. (4 Marks)

Ans. :- Having obtained an understanding of the IT systems and the automated environment of a company, the auditor should now understand the risks that arise from the use of IT systems.

Given below are some such risks that should be considered :-
a) Inaccurate processing of data, processing inaccurate data, or both
b) Unauthorized access to data
c) Direct data changes (backend changes)
d) Excessive access / Privileged access (super users)
e) Lack of adequate segregation of duties
f) Unauthorized changes to systems or programs
g) Failure to make necessary changes to systems or programs
h) Loss of data

PART – II :- RISKS, CONTROLS & TESTING
PRACTICE QUESTIONS (DESCRIPTIVE)

Q.4 :- Analyse how risks in the IT system, if not mitigated, could have an impact on the audit. (3 Marks)

Ans. :- When risks in IT systems are not mitigated, the audit impact could be as follows :-

(i) First, we may not be able to rely on the reports and data obtained from systems where such risks exist. This means all forms of data, information or reports that we obtain from the system for the purpose of audit have to be thoroughly tested and corroborated for completeness and accuracy.

(ii) Second, we will not be able to rely on automated controls, calculations and accounting procedures that are built into the application. Additional audit work may be required in this case.

(iii) Third, due to the regulatory requirement of auditors to report on internal financial controls of a company, the audit report also may have to be modified in some instances.