Audit in an Automated Environment – CA Inter Audit Notes

Audit in an Automated Environment – CA Inter Audit Notes is designed strictly as per the latest syllabus and exam pattern.

Audit in an Automated Environment – CA Inter Auditing Notes

Question 1.
The fundamental principle of an automated environment is the ability to carry out business wit:i less manual intervention. Explain. [MTP-March 19]
Or
Explain the meaning of automated environment. Also discuss the key features of an automated environment. [RTP-May 19]
Answer:
Automated Environment:

• Automated environment refers to a business environment where the processes, operations, accounting and decisions are being carried out by using computer systems – also known as Information Systems (IS) or Information Technology (IT) systems.
• Fundamental principle of an automated environment is the ability to carry out business with less manual intervention and more system driven.
• The complexity of a business environment depends on the level of automation i.e., if a business environment is more automated, it is likely to be more complex. For example, if a company uses an integrated enterprise resource planning system (ERP) viz., SAP, Oracle etc., then it is considered more complex to audit. On the other hand, if a company is using an off-the-shelf accounting software, then it is likely to be less automated and hence less complex environment.

Key features of Automated Environment:

• Faster Business Operations.
• Accuracy in data processing and computation.
• Ability to process large volume of data.
• Integration between business operations.
• Better security and controls.
• Less prone to human errors.
• Provides latest information.
• Connectivity and networking capability.

Question 2.
When a business operates in a more automated environment it is likely that we will see several business functions and activities happening within the systems. Explain stating the points that an auditor should consider to substantiate the above. [RTP-Nov. 18, Nov. 20]
Answer:
Relevance of IT in business functions and activities:
In an automated environment it is likely that a number of business functions and activities happened within the systems, for example:

• Computation and Calculations are automatically carried out.
• Accounting entries are posted automatically.
• Business policies and procedures, including internal controls, are applied automatically
• Reports used in business are produced from systems. Management and other stakeholders rely on these reports and information produced.
• User access and security are controlled by assigning system roles to users.
• Companies derive benefit from the use of IT systems as an enabler to support various business operations and activities, but at the same time such systems also introduce certain new risks, including IT specific risks, which need to be considered, assessed and addressed by management.

Question 3.
Briefly describe the reasons why IT should be considered relevant to an audit of financial statements.
Or
Discuss the situations in which IT will be relevant to an audit. [RTP-May 19]
Or
The auditor’s responsibility includes reporting on Internal Financial Controls over Financial Re¬porting which include and understanding IT environment of the company and relevant risks and control. Mention any three situations where IT will be relevant to an audit. [Nov. 19 (3 Marks)]
Answer:
Relevance of IT in auditing:
In an automated environment, carrying out audit using traditional substantive audit procedures may be difficult or even not feasible if the company prepares, records and conducts majority of business activities through IT systems only.

Auditor is required to obtain an understanding of IT environment of the company and document the same. While carrying out audit in an automated environment, auditors are required to understand, assess and respond to such risks that arise from the use of IT systems.

Situations requiring use of IT in Audit:
(a) Increased use of Systems and Application software in Business (for example, use of ERPs)
(b) Increased complexity of business transactions (multiple systems, network of systems)
(c) Technology based business (Telecom, e-Commerce).
(d) High volume of transactions (Insurance, Banking, etc.).
(e) Company Policy (Compliance).
(f) Regulatory requirements – IT Act, 2008.
(g) Requirement of Standards of Auditing – SA 315.
(h) Increases efficiency and effectiveness of audit.

Question 4.
With the increasing adoption of information technology, business today relies on software systems and applications more than ever. Many of these IT systems generate and process data that is used in the preparation of financial statements of a company. The auditors also often rely on the data and reports that are generated from these systems. Explain stating clearly the meaning of Automated environment with example. [RTP-Nov. 20]
Answer:
Concept of Automated Environment:

• With the increasing adoption of information technology, business today relies on software systems and applications more than ever. Many of these IT systems generate and process data that is used in the preparation of financial statements of a company.
• Auditors also often rely on the data and reports that are generated from these systems. In this context, it is critical to understand the IT specific risks that could potentially impact the integrity and reliability of financial transactions and data flowing through a company’s systems.
• An automated environment basically refers to a business environment where the processes, operations, accounting and even decisions are carried out by using computer systems – also known as Information Systems (IS) or Information Technology (IT) systems. Nowadays, it is very common to see computer systems being used in almost every type of business.

Example
Carrying out of banking transactions using ATMs (Automated Teller Machines), or purchasing of tickets using “apps” on mobile phones, etc. Computer systems enable these transactions at any time and any day.

Question 5.
Understanding the entity and its automated environment involves understanding how IT depart¬ment is organised, IT activities, the IT dependencies, relevant risks and controls.
Explain stating the points that an auditor should consider to obtain an understanding of the com¬pany’s automated environment. [RTP-May 18, MTP-Oct. 19]
Or
List any five points that an auditor should consider to obtain an understanding of the company’s automated environment. [May 18 (5 Marks)]
Or
Give some of the points that an auditor should consider to obtain an understanding of the compa¬ny’s automated environment. [RTP-Nov. 19]
Answer:
Understanding of Automated Environment:
As required by SA 315, auditor is required to obtain an understanding of the entity and its environment as a part of Risk Assessment procedure to identify and assess Risk of Material Misstatements.

While obtain an understanding of the company’s automated environment, auditor should consider the following points:

• Information systems being used (one or more application systems and what they are).
• Their purpose (financial and non-financial).
• Location of IT systems – local v. global.
• Architecture (desktop based, client-server, web application, cloud based).
• Version (functions and risks could vary in different versions of same application).
• Interfaces within systems (in case multiple systems exist).
• In-house v. Packaged.
• Outsourced activities (IT maintenance and support).
• Key persons (CIO, CISO, Administrators).
• As required by SA 230, auditor is required to document the understanding of a company automated environment.

Question 6.
“IT poses specific risk to internal control system of an entity”. Comment.
Or
Having obtained an understanding of the IT systems and the automated environment of a company, the auditor should consider the risks that arise from the use of IT systems. Explain. [MTP-Aug. 18, RTP – Nov. 19]
Answer:
Risk to internal control imposed by IT:
As per SA 315, “Identifying and Assessing Risk of Material Misstatements through Understanding
the Entity and its Environment” IT poses specific risks to an entity’s internal control, including, for
example:
(a) Reliance on systems or programs that are inaccurately processing data, processing inaccurate data or both.
(b) Unauthorised access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or non-existent transactions, or inaccurate recording of transactions. Particular risk may arise when multiple users access a common database.
(c) The possibility of IT personnel gaining access beyond those necessary to perform their assigned duties thereby breaking down segregation of duties.
(d) Unauthorised changes to data in Master files.
(e) Unauthorised changes to systems or programs.
(f) Failure to make necessary changes to systems or programs.
(g) In appropriate manual intervention
(h) Potential loss of data or inability to access data as required.

Question 7.
Describe how risks in IT systems, if not mitigated, could have an impact on audit.
Or
Discuss the impact of IT related risks on Substantive Audit, Controls and Reporting. [RTP-May 18]
Or
Analyse how risks in the IT system if not mitigated could have an impact on the audit. [Nov. 20 (3 Marks)]
Answer:
Impact of IT Related Risks:
When risks in IT systems are not mitigated the audit may be impacted as:

• Auditor may not be able rely on the reports, data obtained, automated controls, calculations and accounting procedures in the IT system.
• Auditor has to perform additional audit work by spending more time and efforts.
• Auditor may have to issue a modified opinion, if necessary.

Impact of IT on substantive tests, controls and reporting:
(a) On Substantive Audit:

• Non-reliance on the data obtained from systems.
• Substantive testing of system data and reports for completeness and accuracy.
• Need of more audit evidences.

(b) On Controls:

• Non-reliance on automated controls, system calculations and accounting procedures.
• Non-reliance on IT dependent Manual Controls.
• Substantive testing of system data and reports for completeness and accuracy.
• Need of more substantive test audit.

(c) On Reporting:

• Communication to TCWG.
• Modified Audit reports.

Question 8.
Write short note on: General IT Controls.
Answer:
General IT Controls:
General IT-controls are policies and procedures that relate to many applications and support the effective functioning of application controls.

They apply to mainframe, mini frame, and end-user environments. General IT-controls that maintain the integrity of information and security of data commonly include controls over the following:

• Data centre and network operations.
• Program change.
• Access security.
• Application system acquisition, development, and maintenance.

Question 9.
Describe application controls and give three examples of automated application controls.
Answer:
Application Controls:

• Application controls are manual or automated procedures that typically operate at a business process level and apply to the processing of individual applications.
• Application controls can be preventive or detective in nature and are designed to ensure the integrity of the accounting records.
• Accordingly, application controls relate to procedures used to initiate, record, process and report transactions or other financial data. These controls help ensure that transactions occurred, are authorised, and are completely and accurately recorded and processed.
• Examples of Application controls include the following:
  • Edit checks and Validation of input data,
  • Sequence Number checks.
  • Limit Checks.
  • Reasonable Checks.
  • Mandatory Data Fields.

Question 10.
Identify the controls which are automated, manual or IT dependent manual for the below mentioned cases?
(i) Price master configured in the sales master can only be edited by authorised personnel in the system.
(ii) Invoice cannot be booked in SAP in case Purchase orders are not approved.
(iii) Inventory ageing report is pulled out from the system based on which provisioning is calculated after analyzing the future demand by the inventory personnel and approved by the controller.
(iv) All invoices are signed by warehouse personnel before the goods are dispatched to the customer.
(v) Credit limit is assigned to the customer and goods cannot be sold in excess of credit limit configured in the system.
(vi) All changes to the credit limit is approved manually by sales manager.
(vii) Ageing report is pulled out from SAP based on which provisioning is calculated by accounting personnel and approved by financial controller.
(viii) PO, GRN (Good received note) and invoice are matched by the system before it is posted in the financial records.
Answer:
Identification of Controls:
(i) Automated control as there is inbuilt control which allows editing in sales master by only authorised personnel.
(ii) Automated control as there is inbuilt control which doesn’t allow approval of invoice in case of non approval of purchase order.
(iii) IT dependent manual control as inventory ageing report is pulled out from the system after which provision for inventory is manually approved.
(iv) Manual control as sign off is required to be done for the invoice before the dispatch of the goods.
(v) Automated control as there is inbuilt control that doesn’t allow goods to be sold if credit limit assigned to the customer has been crossed.
(vi) Manual control as sign off is required for every change to the credit limit.
(vii) IT dependent manual control as ageing report is relied upon for calculation of provisioning for debtors.
(viii) Automated control as PO, GRN and invoice is matched by the system before recording of the invoice to the vendor account.

Question 11.
What are the different testing methods used when auditing in an automated environment? Which is the most effective and efficient method of testing?
Or
Generally, applying inquiry in combination with inspection gives the most effective and efficient audit evidence. However, which audit test to use, when and in what combination is a matter of professional judgment. Discuss stating the different ways testing is performed in an automated environment. [MTP-Oct. 18]
Answer:
Testing Methods used while auditing in an Automated Environment:
There are basically four types of audit tests that should be used:
(a) Inquiry
(b) Observation
(c) Inspection
(d) Reperformance
Consideration while selecting testing method:

• Which audit test to use, when and in what combination is a matter of professional judgment and will vary depending on several factors including risk assessment, control environment, desired level of evidence required, history of errors/ misstatements, complexity of business, assertions being addressed, etc.
• Inquiry is the most efficient audit test but it gives least audit evidence. Therefore, inquiry should be used in combination with other audit testing methods. Inquiry alone is not sufficient.
• Reperformance is most effective as an audit test and gives the best audit evidence. However, it will be very time consuming and least efficient most of the time.
• Applying inquiry in combination with inspection gives the most effective and efficient audit evidence.
• The auditor should document the nature of test (or combination of tests) applied along with the judgments in the audit file as required by SA 230.

Question 12.
Discuss the different ways testing is performed in an automated environment. [MTP-March 18]
Or
Explain some of the commonly used methods for testing in an automated environment. [RTP-May 20]
Answer:
Commonly used methods for testing in an automated environment:

1. Obtain an understanding of how an automated transaction is processed by doing a walk through of one end-to-end transaction using a combination of inquiry, observation and inspection.
2. Observe how a user processes transaction under different scenarios.
3. Inspect the configuration defined in an application.
4. Inspect the system logs to determine any changes made since last audit testing.
5. Inspect technical manual/user manual of systems and applications.
6. Carry out a test check and observe the error message displayed by the application.

Question 13.
Briefly describe the reporting requirements of Internal Financial Control.
Answer:
Meaning of IFC:
The term Internal Financial Controls means the policies and procedures adopted by the company for ensuring:

• Orderly and efficient conduct of its business, including adherence to Company’s policies,
• Safeguarding of its assets,
• Prevention and detection of frauds and errors,
• Accuracy and completeness of the accounting records, and
• Timely preparation of reliable financial information.

Reporting Requirements:
(a) Section 134: In the case of a listed company, the Directors’ Responsibility states that directors, have laid down IFC to be followed by the company and that such controls are adequate and operating effectively.
(b) Section 143 : The auditor’s report should also state whether the company has adequate IFC system in place and the operating effectiveness of such controls.
(c) Section 177: Audit committee may call for comments of auditors about internal control systems before their submission to the Board and may also discuss any related issues with the internal and statutory auditors and the management of the company.
(d) Schedule IV: The independent directors should satisfy themselves on the integrity of financial information and ensure that financial controls and systems of risk management are robust and defensible.
(e) Rule 8(5)(viii) of the Companies (Accounts) Rules, 2014 : The director’s report should contain details in respect of adequacy of internal financial controls with reference to the financial reporting.

Question 14.
What is Data Analytics? When auditing in an automated environment, auditors can apply the con¬cepts of data analytics for several aspects of an audit. State those aspects.
Or
In today’s digital age when companies rely on more and more on IT systems and networks to oper¬ate business, the amount of data and information that exists in these systems is enormous. Explain stating uses of Data analytics. [RTP-Nov. 18, MTP-April 19]
Or
Data analytics can be used in testing of electronic records and data residing in IT systems using spreadsheets and specialised audit tools viz., IDEA and ACL to perform check completeness of data and population that is used in either test of controls or substantive audit tests. Explain in detail stating all the relevant points. [RTP-May 20, MTP-Oct. 20]
Or
While it is true that companies can benefit immensely from the use of data analysis in terms of in¬creased profitability, better customer service, etc., Analyse various functions that can be performed even by the auditor also using Data Analytics tools and techniques in the audit process to obtain good results. [Nov. 20 (4 Marks)]
Answer:
Concept of Data Analytics:

• Data analytics is an analytical process by which meaning information is generated and prepared from raw system data using processes, tools, and techniques.
• In an automated environment, various insights can be extracted from operational, financial, and other forms of electronic data internal or external to the organization.
• The data so extracted is useful for preparation of management information system (MIS) reports and electronic dashboards that give a high-level snapshot of business performance.
• The data analytics methods used in an audit are known as Computer Assisted Auditing Techniques or CAATs.
• Data analytics can be used in testing of electronic records and data residing in IT systems using spreadsheets and specialised audit tools viz., IDEA and ACL.

Application of Data Analytics:
In an automated environment, auditors can apply the concept of data analytics for several aspects of an audit including the following:

• Check completeness of data and population that is used in either test of controls or substantive audit tests.
• Selection of audit samples – random sampling, systematic sampling.
• Re-computation of balances – reconstruction of trial balance from transaction data.
• Reperformance of mathematical calculations – depreciation, bank interest calculation.
• Analysis of journal entries as required by SA 240.
• Fraud investigation.
• Evaluating impact of control deficiencies.

Question 15.
The auditor needs to assess each finding or exception to determine impact on the audit and evaluate if the exception results in a deficiency in internal control. Explain the statement.
Answer:
Assessment of findings:

• The auditor needs to assess each finding or exception to determine impact on the audit and evaluate if the exception results in a deficiency in internal control.
• As per SA 265, a deficiency in internal control exits if a control is designed, implemented or operated in such a way that it is unable to prevent, or detect and correct, misstatements in the financial statements on a timely basis; or the control is missing.
• Evaluation and assessment of audit findings and control deficiencies involves applying professional judgment that include considerations for quantitative and qualitative measures. Each finding should be looked at individually and in the aggregate by combining with other findings/deficiencies.

Consideration while assessing the findings:

• Weaknesses identified in IT controls.
• Impact of these weaknesses on overall audit.
• Reporting of deficiencies to management through Management Letter.
• Communicate in writing any significant deficiencies to TCWG as per requirement of SA 260.

Question 16.
With respect to audit in an automated environment, explain the following:
(a) CAATs
(b) Data Analytics
(c) Database
(d) Information Systems
(e) Privileged access [Nov. 18 (5 Marks), MTP-May 20]
Answer:
Meaning of Terms used in Automated Environment:

• CAATs: Computer Assisted Audit techniques- Collection of computer-based tools and techniques that are used in an audit for analysing data in electronic form to obtain audit evidence.
• Data Analytics: Data analytics is an analytical process by which meaning information is generated and prepared from raw system data using processes, tools, and techniques.
• Database: A logical sub-system within a larger information system where electronic data is stored in a predefined form and retrieved for use.
• Information Systems: Collection of electronic hardware, software, networks and processes that are used in a business to carry out operations and transactions.
• Privileged access: A type of super user access to information systems that enforces less or no limits on using that system.

Objective Type Questions {True/False, Correct/incorrect)

Question 1.
All automated environments are complex.
Answer:
Statement is incorrect.
Complexity of an automated environment depends on various factors like:

• nature of business,
• level of automation,
• volume of transactions,
• useofERPetc.

There could be environments where dependence on IT and automation is relatively less or minimal and hence, considered less complex or even non-complex.

Question 2.
In an audit of financial statements, the auditor should plan response to all IT risks.
Answer:
Statement is incorrect.
The auditor should plan response to those IT risks that are relevant to financial reporting and not “all” IT risks.

Question 3.
General IT controls support the functioning of Application controls.
Answer:
Statement is correct.
General IT controls support the functioning of automated application controls and IT dependent controls.

Question 4.
Inquiry is often the most efficient audit testing method, but least effective.
Answer:
Statement is correct.
Inquiry is the most efficient audit test but it gives least audit evidence. Therefore, inquiry should be used in combination with other audit testing methods. Inquiry alone is not sufficient.

Question 5.
General IT controls are designed to ensure the integrity of the accounting records.
Answer:
Statement is incorrect.

• General IT-controls are policies and procedures that relate to many applications and support the effective functioning of application controls.
• Controls designed to ensure the integrity of the accounting records are known as Application IT Controls.

Question 6.
Specialised audit tools like IDEA, ACL are required to perform data analytics.
Answer:
Statement is incorrect.

• Specialised audit tools are very useful, but not always required or necessary to carry out data analytics.
• More commonly available spreadsheet applications like MS-Excel can also be effectively used for carrying out data analytics.

Question 7.
The fundamental principle of an automated environment is the ability to carry out business with less manual intervention and more system driven. [MTP-March 18, Oct. 18, March 19}
Answer:
Statement is correct.

• The fundamental principle of an automated environment is the ability to carry out business with less manual intervention and more system driven.
• The complexity of a business environment depends on the level of automation i.e., if a business environment is more automated, it is likely to be more complex.

Question 8.
Application controls include manual controls only that operate at a business process level. [MTP-March 18]
Answer:
Statement is incorrect.

• Application controls are manual or automated procedures that typically operate at a business process level and apply to the processing of individual applications.
• Application controls relate to procedures used to initiate, record, process and report transactions or other financial data. These controls help ensure that transactions occurred, are authorised, and are completely and accurately recorded and processed.

Question 9.
When auditing in an automated environment, inquiry is often the most efficient and effective audit testing method. [Nov. 18 (2 Marks}]
Answer:
Statement is incorrect.
Inquiry is the most efficient audit test but it gives least audit evidence. Therefore, inquiry should be used in combination with other audit testing methods. Inquiry alone is not sufficient.