Special Aspects of Auditing in an Automated Environment – CA Final Audit Question Bank is designed strictly as per the latest syllabus and exam pattern.
Meaning and Components of Automated Environment
A real-time environment is a type of automated environment in which business operations and transactions are initiated, processed and recorded immediately as they happen, without delay. It depends on several critical IT components that enable anytime, anywhere transactions to take place. Name these components and give examples of a real-time environment. [MTP-Oct. 18, May 20; RTP-Nov. 18]
Components and Example of Real Time Environment:
- A Real Time Environment is a type of automated environment in which business operations and transactions are initiated, processed and recorded on a real-time basis, i.e. immediately on their occurrence.
- Examples of such environments are airline and railway reservations, core banking, e-commerce, ERP etc.
- A Real Time Environment facilitates anytime, anywhere transactions. For this purpose, it is essential that the systems, networks and applications are available at all times.
IT Components required in Real Time Environment:
- Applications like ERP, Core Banking Etc.
- Middleware like web servers
- Networks like WAN, Internet hosting.
- Hardware like Data centres, storage devices, power supply etc.
Auditing in an Automated Environment
SA 315 requires the auditor to obtain an understanding of the entity and its environment as a part of the risk assessment procedure to identify and assess the risk of material misstatement. List the areas of which the auditor is required to obtain an understanding in an automated environment.
Write a short note on: Understanding and documenting automated environment. [RTP-May 20]
Understanding of Automated Environment
As required by SA 315, the auditor is required to obtain an understanding of the entity and its environment as a part of the risk assessment procedure to identify and assess the risk of material misstatement. In an automated environment, the auditor is required to obtain an understanding of the following:
- Applications being used by the entity;
- IT infrastructure components for each of the application;
- Organisation structure and governance;
- Policies, procedures and processes followed;
- IT risks and controls.
In a controls-based audit, the audit approach can be classified into three broad phases comprising planning, execution, and completion. In this approach, the considerations of an automated environment will be relevant at every phase. Comment. [RTP-May 18, MTP-Aug. 18]
“The audit cycle consists of Planning, Execution and Completion. The automation in processing of business transactions has considerations to be weighed by the auditor at every phase of this cycle.” Enumerate the focal points of such considerations when auditing in an automated environment. [Nov. 18-New Syllabus (4 Marks)]
In a controls-based audit, the audit approach can be classified into three broad phases comprising planning, execution, and completion. You are required to briefly explain the relevant considerations for every phase in the above audit approach in the case of an automated environment. [Nov. 19 – New Syllabus (4 Marks)]
Considerations of automated environment in different stages of Audit:
| Stage of Audit | Area | Considerations |
|---|---|---|
| A. Planning | 1. Risk Assessment | Consider risks arising from the use of IT systems; identify significant accounts and disclosures; identify likely sources of misstatement. |
| A. Planning | 2. Understanding of the Business | Document the understanding of business processes using flowcharts/narratives; prepare Risk and Control Matrices; understand the design of controls by performing a walkthrough of the end-to-end process; process-wide considerations for Entity Level Controls and Segregation of Duties. |
| B. Execution | 3. Assessing Entity Level Controls | Understanding and review of IT Governance; Segregation of Duties; review of General IT Controls and Application Controls. |
| B. Execution | 4. Assessing Process Level Controls | Risks and controls associated with each process, sub-process and activity. |
“ICAI Examiner Comments”
It appeared that the examinees were not aware about the topic consequently they answered in general terms.
Enterprise Risk Management
The volatility, unpredictability and pace of change that exist in the automated environment today are far greater than in the past, and consequently the business is exposed to more risks, which it needs to manage continuously. State the various risks which an enterprise may have to face and manage. [May 19 (5 Marks)]
Risks which an enterprise may face and manage:
Businesses today operate in a dynamic environment. The volatility, unpredictability and pace of changes that exist in the business environment today is far greater than in the past. Some of the reasons for this dynamic environment include globalisation, use of technology, new regulatory requirements, etc. Because of this dynamic environment the associated risks to business have also increased and companies have a need to continuously manage risks.
Examples of risks include: –
- Market Risks;
- Regulatory & Compliance Risks;
- Technology & Security Risks;
- Financial Reporting Risks;
- Operational Risks;
- Credit Risk;
- Business Partner Risk;
- Product or Project Risk; and
- Environmental Risks.
Briefly describe the various stages of a Risk Assessment Process.
Stages in a Risk Assessment Process:
Risk Assessment Process is the most critical component of Enterprise Risk Management. The entity’s risk assessment process forms the basis for how management determines the risks to be managed.
Steps involved in Risk Assessment Process
Step 1 – Define Business Objectives and Goals.
Step 2 – Identify events that affect achievement of business objectives.
Step 3 – Assess likelihood and impact.
Step 4 – Respond and mitigate risks.
Step 5 – Assess Residual Risks.
Write short note on: Enterprise Risk Management.
Enterprise Risk Management (ERM):
ERM is a formal program that is implemented across an enterprise for enabling risk management. In many countries, companies are required to have a formal ERM Program as a statutory requirement.
In India, Sec. 134(3) of Companies Act, 2013 requires the Board of Directors to include in their report a statement indicating development and implementation of a risk management policy for the company including identification therein of elements of risk, if any, which in the opinion of the Board may threaten the existence of the company.
The most common framework that is suitable for implementing an effective ERM is the COSO Enterprise Risk Management – Integrated Framework developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in 2004 and subsequently updated in 2017 (as Enterprise Risk Management – Integrating with Strategy and Performance) to address changes in the business environment.
Besides COSO framework, another widely available framework is the ISO 31000 Risk Management standard published by the International Organization for Standardization.
Assessing IT related Risks and Controls
Write short note on: General IT Controls.
General IT Controls:
General IT-controls are policies and procedures that relate to many applications and support the effective functioning of application controls.
They apply to mainframe, miniframe, and end-user environments. General IT-controls that maintain the integrity of information and security of data commonly include controls over the following:
- Data centre and network operations.
- System software acquisition, change and maintenance.
- Program change.
- Access security.
- Application system acquisition, development, and maintenance.
Describe application controls and give three examples of automated application controls.
- Application controls are manual or automated procedures that typically operate at a business process level and apply to the processing of individual applications.
- Application controls can be preventive or detective in nature and are designed to ensure the integrity of the accounting records.
- Accordingly, application controls relate to procedures used to initiate, record, process and report transactions or other financial data. These controls help ensure that transactions occurred, are authorised, and are completely and accurately recorded and processed.
- Examples of Application controls include the following:
- Edit checks and validation of input data (e.g. date and numeric format checks);
- Sequence number checks (e.g. duplicate or missing document numbers);
- Limit checks (e.g. a transaction above an authorisation limit is rejected);
- Reasonableness checks (e.g. a value outside the expected range is flagged);
- Mandatory data fields (a record cannot be saved with a required field left blank).
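The following Python is an added illustration, not part of the ICAI question bank, of how the five automated application controls listed above could be implemented on an invoice record before the system accepts it for posting. The record layout, the vendor sequence table, the authorisation limit and the price bounds are assumptions chosen for the example; every check returns a list of exception messages, and an empty list means the record passes.

```python
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed master data (assumed for the example).
LAST_SEQUENCE = {"V001": 1041, "V002": 77}          # last accepted invoice number per vendor
INVOICE_LIMIT = Decimal("500000.00")                 # single-invoice authorisation limit
REASONABLE_UNIT_PRICE = {"SKU-10": (Decimal("90"), Decimal("110"))}  # expected price band
MANDATORY_FIELDS = ("vendor_id", "invoice_no", "invoice_date", "sku", "qty", "unit_price")


def mandatory_fields(rec):
    """Mandatory data fields: every required field must be present and non-blank."""
    return [f"{f} is mandatory" for f in MANDATORY_FIELDS if rec.get(f) in (None, "")]


def edit_checks(rec):
    """Edit checks: the input must be well formed before any business rule is applied."""
    errs = []
    try:
        date.fromisoformat(str(rec.get("invoice_date", "")))
    except ValueError:
        errs.append("invoice_date is not a valid ISO date")
    for f in ("qty", "unit_price"):
        try:
            if Decimal(str(rec.get(f, ""))) <= 0:
                errs.append(f"{f} must be positive")
        except InvalidOperation:
            errs.append(f"{f} is not numeric")
    return errs


def sequence_check(rec):
    """Sequence number check: invoice numbers per vendor must continue without gap or repeat."""
    vendor = rec.get("vendor_id")
    try:
        seq = int(rec.get("invoice_no", ""))
    except ValueError:
        return ["invoice_no is not numeric"]
    last = LAST_SEQUENCE.get(vendor)
    if last is None:
        return [f"unknown vendor {vendor}"]
    if seq <= last:
        return [f"invoice_no {seq} is a duplicate or out of sequence (last {last})"]
    if seq != last + 1:
        return [f"sequence gap: expected {last + 1}, got {seq}"]
    return []


def limit_check(rec):
    """Limit check: the invoice total may not exceed the configured authorisation limit."""
    try:
        total = Decimal(str(rec["qty"])) * Decimal(str(rec["unit_price"]))
    except (KeyError, InvalidOperation):
        return []  # malformed amounts are already reported by edit_checks
    return [f"invoice total {total} exceeds limit {INVOICE_LIMIT}"] if total > INVOICE_LIMIT else []


def reasonableness_check(rec):
    """Reasonableness check: the unit price must fall inside the expected band for the item."""
    bounds = REASONABLE_UNIT_PRICE.get(rec.get("sku"))
    if bounds is None:
        return []
    try:
        price = Decimal(str(rec["unit_price"]))
    except (KeyError, InvalidOperation):
        return []
    lo, hi = bounds
    return [] if lo <= price <= hi else [f"unit_price {price} outside reasonable range {lo}-{hi}"]


def validate_invoice(rec):
    """Run all controls; the record is rejected (not posted) if any exception is raised."""
    errs = mandatory_fields(rec)
    if errs:
        return errs  # the remaining checks cannot run without the fields
    for check in (edit_checks, sequence_check, limit_check, reasonableness_check):
        errs.extend(check(rec))
    return errs


# Constructed records: one that passes and one that trips four controls at once.
GOOD = {"vendor_id": "V001", "invoice_no": "1042", "invoice_date": "2024-03-15",
        "sku": "SKU-10", "qty": "10", "unit_price": "100.00"}
BAD = {"vendor_id": "V001", "invoice_no": "1041", "invoice_date": "2024-13-40",
       "sku": "SKU-10", "qty": "10000", "unit_price": "250.00"}

if __name__ == "__main__":
    print("GOOD ->", validate_invoice(GOOD))
    print("BAD  ->", validate_invoice(BAD))
```

The ordering matters: a record with a missing field is rejected before any value-based rule runs, so that a blank quantity does not silently pass the limit check as zero.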
Identify the controls which are automated, manual or IT dependent manual for the below mentioned cases?
- Price master configured in the sales master can only be edited by authorised personnel in the system.
- Invoice cannot be booked in SAP in case Purchase orders are not approved.
- Inventory ageing report is pulled out from the system based on which provisioning is calculated after analyzing the future demand by the inventory personnel and approved by the controller.
- All invoices are signed by warehouse personnel before the goods are dispatched to the customer.
- Credit limit is assigned to the customer and goods cannot be sold in excess of credit limit configured in the system.
- All changes to the credit limit is approved manually by sales manager.
- Ageing report is pulled out from SAP based on which provisioning is calculated by accounting personnel and approved by financial controller.
- PO, GRN (goods received note) and invoice are matched by the system before the invoice is posted in the financial records. [MTP-April 18]
Identification of Controls:
- Automated control as there is inbuilt control which allows editing in sales master by only authorised personnel.
- Automated control as there is an inbuilt control which doesn’t allow booking of the invoice in case the purchase order is not approved.
- IT dependent manual control as the inventory ageing report is pulled out from the system, after which the provision for inventory is manually calculated and approved.
- Manual control as sign off is required to be done for the invoice before the dispatch of the goods.
- Automated control as there is inbuilt control that doesn’t allow goods to be sold if credit limit assigned to the customer has been crossed.
- Manual control as sign off is required for every change to the credit limit.
- IT dependent manual control as ageing report is relied upon for calculation of provisioning for debtors.
- Automated control as PO, GRN and invoice is matched by the system before recording of the invoice to the vendor account.
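The last case above, a system-enforced three-way match of PO, GRN and invoice, is shown below as an added Python example; it is not code from the question bank or from any ERP product. The document layouts, the 2% price tolerance and the exception queue are assumptions for the example. The point it makes is where the automated control ends: an invoice that fails any match is not posted but parked for manual follow-up, and that follow-up is the IT-dependent manual control an auditor would test separately.

```python
from decimal import Decimal

# Assumed tolerance: the invoiced unit price may differ from the PO price by at most 2%.
PRICE_TOLERANCE = Decimal("0.02")

# Constructed purchase orders and goods receipt notes (assumed layout).
PURCHASE_ORDERS = {
    "PO-100": {"vendor": "V001", "sku": "SKU-10", "qty": 100,
               "unit_price": Decimal("50.00"), "approved": True},
    "PO-101": {"vendor": "V002", "sku": "SKU-20", "qty": 10,
               "unit_price": Decimal("900.00"), "approved": False},
}
GOODS_RECEIPTS = {
    "GRN-7": {"po": "PO-100", "sku": "SKU-10", "qty": 98},
    "GRN-8": {"po": "PO-101", "sku": "SKU-20", "qty": 10},
}

# Exception queue: invoices the system refused to post, awaiting manual review.
EXCEPTION_QUEUE = []


def three_way_match(invoice, pos=PURCHASE_ORDERS, grns=GOODS_RECEIPTS):
    """Return (matched, reasons). The invoice matches only if it agrees with an
    approved PO and a GRN on vendor, item, quantity and (within tolerance) price."""
    reasons = []
    po = pos.get(invoice["po"])
    if po is None:
        return False, [f"no purchase order {invoice['po']}"]
    if not po["approved"]:
        reasons.append("purchase order not approved")
    if po["vendor"] != invoice["vendor"]:
        reasons.append("vendor on invoice differs from PO")
    if po["sku"] != invoice["sku"]:
        reasons.append("item on invoice differs from PO")
    grn = grns.get(invoice["grn"])
    received = grn["qty"] if grn and grn["po"] == invoice["po"] else 0
    if received == 0:
        reasons.append("no goods receipt recorded against this PO")
    if invoice["qty"] > received:
        reasons.append(f"invoiced qty {invoice['qty']} exceeds received qty {received}")
    if invoice["qty"] > po["qty"]:
        reasons.append(f"invoiced qty {invoice['qty']} exceeds ordered qty {po['qty']}")
    variance = abs(invoice["unit_price"] - po["unit_price"]) / po["unit_price"]
    if variance > PRICE_TOLERANCE:
        reasons.append(f"price variance {float(variance):.1%} exceeds tolerance")
    return not reasons, reasons


def post_invoice(invoice, ledger):
    """Automated control: post to the vendor account only on a full match; otherwise
    park the invoice with its mismatch reasons so a person has to resolve it."""
    ok, reasons = three_way_match(invoice)
    if ok:
        ledger.append({"vendor": invoice["vendor"],
                       "amount": invoice["qty"] * invoice["unit_price"]})
    else:
        EXCEPTION_QUEUE.append({"invoice": invoice["invoice_no"], "reasons": reasons})
    return ok


# Constructed invoices: a clean match, an invoice against an unapproved PO at the
# wrong price, and an invoice for more than was received.
INV_OK = {"invoice_no": "A1", "po": "PO-100", "grn": "GRN-7", "vendor": "V001",
          "sku": "SKU-10", "qty": 98, "unit_price": Decimal("50.50")}
INV_UNAPPROVED = {"invoice_no": "A2", "po": "PO-101", "grn": "GRN-8", "vendor": "V002",
                  "sku": "SKU-20", "qty": 10, "unit_price": Decimal("1000.00")}
INV_OVER = {"invoice_no": "A3", "po": "PO-100", "grn": "GRN-7", "vendor": "V001",
            "sku": "SKU-10", "qty": 100, "unit_price": Decimal("50.00")}

if __name__ == "__main__":
    ledger = []
    for inv in (INV_OK, INV_UNAPPROVED, INV_OVER):
        print(inv["invoice_no"], "posted" if post_invoice(inv, ledger) else "parked")
    print("exceptions:", EXCEPTION_QUEUE)
```

When testing this control, the auditor's evidence is not only that matched invoices post, but that the exception queue exists, cannot be bypassed, and that every parked item is cleared by someone other than the person who raised the PO.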
Evaluating Controls at Entity Level and Process Level
Distinguish between: Direct Entity Level Controls and Indirect Entity Level Controls.
While evaluating the risks and controls at entity level, the Auditor should take cognizance of the prevalent direct and indirect entity level controls operating in the entity. Explain what they pertain to with few examples. [May 18 (4 Marks)]
Direct Entity Level Controls (ELCs) and Indirect Entity Level Controls:
Direct ELCs operate at a level of business process to prevent, detect or correct a misstatement in a timely manner. Examples of Direct ELCs are:
- Business performance reviews;
- Monitoring of effectiveness of control by Internal Audit function.
Indirect ELCs do not relate to any specific business process, transaction or account balance and therefore, cannot prevent, detect or correct misstatements.
Indirect ELCs contribute indirectly to the effective operation of direct ELCs. Examples of Indirect ELCs are:
- Company code of conduct;
- Human resource policies;
- Job roles & responsibilities.
“ICAI Examiner Comments”
It seems that examinees were unaware of the topic. Very few examinees could comprehend and explain Direct ELCs and indirect ELCs with examples. Some examinees misunderstood the question and explained wrongly the types of audit Risk viz., Inherent Risk, Control Risk, Detection Risk.
What is Data Analytics. When auditing in an automated environment, auditors can apply the concepts of data analytics for several aspects of an audit. State those aspects.
In an automated environment, the data stored and processed in systems can be used to get various insights into the way business operates. This data can be useful for preparation of management information system (MIS) reports and electronic dashboards that give a high-level snapshot of business performance. In view of above you are required to briefly discuss the meaning of data analytics and example of circumstances when auditing in an automated environment, auditors can apply the concepts of data analytics. [RTP-May 19]
Data analytics is an analytical process by which meaningful information is generated and prepared from raw system data using processes, tools, and techniques. In an automated environment, various insights can be extracted from operational, financial, and other forms of electronic data internal or external to the organization.
The data so extracted is useful for preparation of management information system (MIS) reports and electronic dashboards that give a high-level snapshot of business performance. The data analytics methods used in an audit are known as Computer Assisted Auditing Techniques or CAATs.
Application of Data Analytics
In an automated environment, auditors can apply the concept of data analytics for several aspects of an audit including the following:
- Preliminary Analytics;
- Risk Assessment;
- Control Testing;
- Non-Standard Journal Analysis;
- Evaluation of Deficiencies;
- Fraud Risk assessment.
“Generating and preparing meaningful information from raw system data using processes, tools, and techniques is known as Data Analytics and the data analytics methods used in an audit are known as Computer Assisted Auditing Techniques or CAATs.” You are required to give a suggested approach to get the benefit from the use of CAATs. [RTP-Nov 19, MTP – Oct. 20]
Suggested approach to get the benefit from the use of CAATs:
A suggested approach to benefit from the use of CAATs is to follow the steps given below:
Step 1: Understand Business Environment including IT;
Step 2: Define the Objectives and Criteria;
Step 3: Identify Source and Format of Data;
Step 4: Extract Data;
Step 5: Verify the Completeness and Accuracy of Extracted Data;
Step 6: Apply Criteria on Data Obtained;
Step 7: Validate and Confirm Results.
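An added Python example, not from the question bank, carrying steps 4 to 7 of this approach over a constructed general-ledger extract; the criteria applied in step 6 are the non-standard journal and fraud-risk indicators named in the list of data analytics applications earlier on this page. The CSV layout, the control totals reported by the "system", the list of finance users and the round-amount threshold are assumptions for the example.

```python
import csv
import io
from datetime import date
from decimal import Decimal

# Step 4 (extract): constructed general-ledger extract in an assumed CSV layout.
GL_EXTRACT = """doc_no,posting_date,user_id,account,debit,credit,description
1001,2024-03-01,fin_user1,4000,0.00,1500.00,sales
1001,2024-03-01,fin_user1,1200,1500.00,0.00,sales
1002,2024-03-02,it_admin,5000,100000.00,0.00,manual adjustment
1002,2024-03-02,it_admin,2100,0.00,100000.00,manual adjustment
1003,2024-03-04,fin_user2,6000,2350.75,0.00,expense
1003,2024-03-04,fin_user2,1000,0.00,2350.75,expense
1004,2024-03-05,fin_user1,6000,500.00,0.00,one-sided entry
"""
# Control totals the source system reported at the moment of extraction (assumed).
CONTROL_TOTALS = {"count": 7, "debit": Decimal("104350.75"), "credit": Decimal("103850.75")}

# Step 2 (criteria): assumptions for the example.
FINANCE_USERS = {"fin_user1", "fin_user2"}   # users entitled to post journals
ROUND_THRESHOLD = Decimal("10000")          # large round amounts are a fraud-risk indicator


def extract(text):
    """Step 4: parse the extract into typed rows."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["debit"] = Decimal(r["debit"])
        r["credit"] = Decimal(r["credit"])
        r["posting_date"] = date.fromisoformat(r["posting_date"])
    return rows


def verify_completeness(rows, control):
    """Step 5: record count and hash totals must agree with the system's control
    totals; otherwise the extract is incomplete and nothing may be concluded from it."""
    actual = {"count": len(rows),
              "debit": sum(r["debit"] for r in rows),
              "credit": sum(r["credit"] for r in rows)}
    return actual == control, actual


def apply_criteria(rows):
    """Step 6: flag non-standard journals, evaluated per document rather than per line."""
    by_doc = {}
    for r in rows:
        by_doc.setdefault(r["doc_no"], []).append(r)
    flagged = {}
    for doc, lines in by_doc.items():
        reasons = []
        if any(l["posting_date"].weekday() >= 5 for l in lines):
            reasons.append("posted on a weekend")
        if any(l["user_id"] not in FINANCE_USERS for l in lines):
            reasons.append("posted by a user outside finance")
        if any(a >= ROUND_THRESHOLD and a % 1000 == 0
               for l in lines for a in (l["debit"], l["credit"])):
            reasons.append("large round amount")
        if sum(l["debit"] for l in lines) != sum(l["credit"] for l in lines):
            reasons.append("debits do not equal credits")
        if reasons:
            flagged[doc] = reasons
    return flagged


def exception_report(rows, flagged):
    """Step 7: tie each flag back to its source lines so it can be vouched to documents."""
    report = []
    for doc, reasons in sorted(flagged.items()):
        lines = [r for r in rows if r["doc_no"] == doc]
        report.append({"doc_no": doc,
                       "date": lines[0]["posting_date"].isoformat(),
                       "users": sorted({l["user_id"] for l in lines}),
                       "debit": sum(l["debit"] for l in lines),
                       "reasons": reasons})
    return report


def run_caat(text, control):
    """Steps 4 to 7 in order; refuses to report on an extract that fails completeness."""
    rows = extract(text)
    complete, actual = verify_completeness(rows, control)
    if not complete:
        raise ValueError(f"extract incomplete: {actual} vs control {control}")
    return exception_report(rows, apply_criteria(rows))


if __name__ == "__main__":
    for item in run_caat(GL_EXTRACT, CONTROL_TOTALS):
        print(item)
```

Step 5 is the one most often skipped in practice: a hash total of the amount columns, compared with what the system reported at extraction, is what distinguishes "no exceptions found" from "no exceptions found in the part of the ledger I happened to receive".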
Standards, Guidelines and Procedures – to be adhered to while auditing in an automated environment
When auditing in an automated environment the auditor should be aware of, adhere to and be guided by the various standards, guidelines and procedures that may be relevant to both the audit and the automated environment. Briefly describe any four such standards.
Standards relevant to Audit and Automated Environment:
(i) Standards on Auditing (SA): AASB of ICAI issues various standards which are required to be followed while auditing the financial statements of an entity.
(ii) Sec. 143(3)(i) of Companies Act, 2013: Section 143(3)(i) of the Companies Act, 2013 requires statutory auditors to provide an independent opinion on the design and operating effectiveness of Internal Financial Controls with reference to the financial statements of the company as at the Balance Sheet date. For this purpose, ICAI issued a Guidance Note on Audit of Internal Financial Controls Over Financial Reporting which provides the guidelines and procedures for reporting on IFC.
(iii) Section 404 of SOX Act, 2002: Section 404 of Sarbanes Oxley Act of 2002 requires public listed companies to implement, assess and ensure effectiveness of internal controls over financial reporting. Auditors of such companies are required to express an independent opinion on the design and operating effectiveness of internal controls over financial reporting (ICFR).
(iv) COBIT: Control Objectives for Information and Related Technologies is a best-practice IT governance and management framework published by ISACA (Information Systems Audit and Control Association). It provides the tools, resources and guidelines relevant to IT governance, risk, compliance and information security.
(v) CSF: The Cybersecurity Framework published by the National Institute of Standards and Technology (NIST) is one of the most widely used frameworks for improving critical infrastructure cybersecurity; it provides a set of standards and best practices for companies to manage cybersecurity risks.