Auditing and Assurance Chapter 6: Audit in an Automated Environment
CA Inter Auditing and Assurance Chapter 6, Audit in an Automated Environment, Important Solved Questions for May 2021 & November 2021 Exams.
Question 1
Describe how risks in IT systems, if not mitigated, could have an impact on audit.
Solution
When risks in IT systems are not mitigated the audit impact could be as follows:
(i) The auditor may not be able rely on the reports, data obtained, automated controls, calculations and accounting procedures in the IT system.
(ii) The auditor has to perform additional audit work by spending more time and efforts.
(iii) The auditor may have to issue a modified opinion, if necessary.
Question 2
Explain the objective and enlist the activities involved in the General IT Controls over “Program Change”.
Solution
Program Change
Objective: To ensure that modified systems continue to meet financial reporting objectives.
Activities:
- Change Management Process – definition, roles & responsibilities
- Change Requests – record, manage, track
- Making Changes – analyze, design, develop
- Test Changes – test plan, test cases, UAT
- Apply Changes in Production
- Emergency & Minor Changes
- Documentation – user/technical manuals
- User Training
Question 3
Briefly mention three reasons why IT should be considered relevant to an audit of financial statements.
Solution
The auditor should consider relevance of IT in an audit of financial statements for the following reasons:
(a) Since auditors rely on the reports and information generated by IT systems, there could be risk in the IT systems that could have an impact on audit.
(b) Standards on auditing SA 315 and SA 330 require auditors to understand, assess and respond to risks that arise from the use of IT systems.
(c) By relying on automated controls and using data analytics in an audit, it is possible to increase the effectiveness and efficiency of the audit process.
Question 4
What are the different testing methods used when auditing in an automated environment. Which is the most effective and efficient method of testing?
Solution
When auditing in an automated environment, the following testing methods are used:
(a) Inquiry
(b) Observation
(c) Inspection
(d) Reperformance
A combination of inquiry and inspection is generally the most effective and efficient testing method. However, determining the most effective and efficient testing method is a matter of professional judgement and depends on the several factors including risk assessment, control environment, desired level of evidence required, history of errors /misstatements, complexity of business, assertions being addressed.
Question 5
‘The directors and management have primary responsibility of implementing and maintaining an effective internal controls framework and auditors are expected to evaluate, validate and report on the design and operating effectiveness of internal financial controls’.
Explain the framework which helps the auditors in fulfilling this responsibility.
Solution
The Guidance note on Audit of Internal Financial Controls over Financial Reporting issued by the Institute of Chartered Accountants of India provides a framework that auditors should follow to fulfil their responsibility.
The below is a summary of this controls based audit approach :-
Question 6
With respect to audit in an automated environment, explain the following:
(i) CAATs
(ii) Data Analytics
(iii) Database
(iv) Information Systems
(v) Privileged access
Solution
(i) CAATs: Short form for Computer Assisted Audit Techniques, are a collection of computer based tools and techniques that are used in an audit for analysing data in electronic form to obtain audit evidence.
(ii) Data Analytics: A combination of processes, tools and techniques that are used to tap vast amounts of electronic data to obtain meaningful information
(iii) Database: A logical subsystem within a larger information system where electronic data is stored in a predefined form and retrieved for use.
(iv) Information Systems: Refers to a collection of electronic hardware, software, networks and processes that are used in a business to carry out operations and transactions.
(v) Privileged access: A type of super user access to information systems that enforces less or no limits on using that system.
Question 7
List any five points that an auditor should consider to obtain an understanding of the Company’s automated environment.
Solution
Understanding of the Company’s Automated Environment: Given below are some of the points that an auditor should consider to obtain an understanding of the company’s automated environment
- Information systems being used (one or more application systems and what they are)
- their purpose (financial and non-financial)
- Location of IT systems – local vs global
- Architecture (desktop based, client-server, web application, cloud based)
- Version (functions and risks could vary in different versions of same application)
- Interfaces within systems (in case multiple systems exist)
- In-house vs Packaged
- Outsourced activities (IT maintenance and support)
- Key persons (CIO, CISO, Administrators)
Question 8
The auditor should understand and consider the risks that may arise from the use of Information Technology (IT) Systems.
Solution
Having obtained an understanding of the IT systems and the automated environment of a company, the auditor should now understand the risks that arise from the use of IT systems.
Given below are some such risks that should be considered,
- Inaccurate processing of data, processing inaccurate data, or both
- Unauthorized access to data
- Direct data changes (backend changes)
- Excessive access / Privileged access (super users)
- Lack of adequate segregation of duties
- Unauthorized changes to systems or programs
- Failure to make necessary changes to systems or programs
- Loss of data