Auditing and Assurance Chapter 6: Audit in an Automated Environment
CA Inter Auditing and Assurance Chapter 6, Audit in an Automated Environment, Important Solved Questions for May 2021 & November 2021 Exams.
Describe how risks in IT systems, if not mitigated, could have an impact on audit.
When risks in IT systems are not mitigated the audit impact could be as follows:
(i) The auditor may not be able to rely on the reports, data obtained, automated controls, calculations and accounting procedures in the IT system.
(ii) The auditor has to perform additional audit work by spending more time and effort.
(iii) The auditor may have to issue a modified opinion, if necessary.
Explain the objective and enlist the activities involved in the General IT Controls over “Program Change”.
Objective: To ensure that modified systems continue to meet financial reporting objectives.
- Change Management Process – definition, roles & responsibilities
- Change Requests – record, manage, track
- Making Changes – analyze, design, develop
- Test Changes – test plan, test cases, UAT
- Apply Changes in Production
- Emergency & Minor Changes
- Documentation – user/technical manuals
- User Training
Briefly mention three reasons why IT should be considered relevant to an audit of financial statements.
The auditor should consider relevance of IT in an audit of financial statements for the following reasons:
(a) Since auditors rely on the reports and information generated by IT systems, there could be risk in the IT systems that could have an impact on audit.
(b) Standards on auditing SA 315 and SA 330 require auditors to understand, assess and respond to risks that arise from the use of IT systems.
(c) By relying on automated controls and using data analytics in an audit, it is possible to increase the effectiveness and efficiency of the audit process.
What are the different testing methods used when auditing in an automated environment? Which is the most effective and efficient method of testing?
When auditing in an automated environment, the following testing methods are used:
A combination of inquiry and inspection is generally the most effective and efficient testing method. However, determining the most effective and efficient testing method is a matter of professional judgement and depends on several factors, including risk assessment, control environment, desired level of evidence required, history of errors/misstatements, complexity of business, and assertions being addressed.
‘The directors and management have primary responsibility of implementing and maintaining an effective internal controls framework and auditors are expected to evaluate, validate and report on the design and operating effectiveness of internal financial controls’.
Explain the framework which helps the auditors in fulfilling this responsibility.
The Guidance note on Audit of Internal Financial Controls over Financial Reporting issued by the Institute of Chartered Accountants of India provides a framework that auditors should follow to fulfil their responsibility.
The below is a summary of this controls based audit approach :-
With respect to audit in an automated environment, explain the following:
(i) CAATs
(ii) Data Analytics
(iii) Database
(iv) Information Systems
(v) Privileged access
(i) CAATs: Short for Computer Assisted Audit Techniques, a collection of computer-based tools and techniques that are used in an audit for analysing data in electronic form to obtain audit evidence.
(ii) Data Analytics: A combination of processes, tools and techniques that are used to tap vast amounts of electronic data to obtain meaningful information.
(iii) Database: A logical subsystem within a larger information system where electronic data is stored in a predefined form and retrieved for use.
(iv) Information Systems: Refers to a collection of electronic hardware, software, networks and processes that are used in a business to carry out operations and transactions.
(v) Privileged access: A type of super user access to information systems that enforces fewer or no limits on using that system.
List any five points that an auditor should consider to obtain an understanding of the Company’s automated environment.
Understanding of the Company’s Automated Environment: Given below are some of the points that an auditor should consider to obtain an understanding of the company’s automated environment:
- Information systems being used (one or more application systems and what they are)
- Their purpose (financial and non-financial)
- Location of IT systems – local vs global
- Architecture (desktop based, client-server, web application, cloud based)
- Version (functions and risks could vary in different versions of same application)
- Interfaces within systems (in case multiple systems exist)
- In-house vs Packaged
- Outsourced activities (IT maintenance and support)
- Key persons (CIO, CISO, Administrators)
The auditor should understand and consider the risks that may arise from the use of Information Technology (IT) Systems.
Having obtained an understanding of the IT systems and the automated environment of a company, the auditor should now understand the risks that arise from the use of IT systems.
Given below are some such risks that should be considered:
- Inaccurate processing of data, processing inaccurate data, or both
- Unauthorized access to data
- Direct data changes (backend changes)
- Excessive access / Privileged access (super users)
- Lack of adequate segregation of duties
- Unauthorized changes to systems or programs
- Failure to make necessary changes to systems or programs
- Loss of data