Chapter 4 - Audit in An Automated Environment by CA - Pankaj Garg


Chapter 4 “Audit in an Automated Environment (New Syllabus)”

4.1 – Meaning and Components of Automated Environment

Meaning
- An Automated Environment may be defined as a system within an overall business environment which comprises people, processes and technology.

Components
1. Business Applications like Tally, Tally ERP, SAP R/3, Business Suite.
2. Databases like Oracle 12g, MS-SQL Server.
3. Operating Systems like Windows, UNIX.
4. Storage Devices like disks, tapes, NAS (Network Attached Storage).
5. Network devices like switches, routers.
6. Networks like LAN, WAN, VPN etc.
7. Physical and Environmental Components like CCTVs, temperature controls, firefighting equipment etc.

Real Time Environment
- A Real Time Environment is a type of automated environment in which business operations and transactions are initiated, processed and recorded on a real-time basis, i.e. immediately on their occurrence.
- Examples of such environments are Airline and Railway Reservations, Core Banking, E-Commerce, ERP etc.
- A Real Time Environment facilitates anytime, anywhere transactions. For this purpose, it is essential to have the systems, networks and applications available at all times.

IT Components required in a Real Time Environment
1. Applications like ERP, Core Banking etc.
2. Middleware like web servers.
3. Networks like WAN, Internet hosting.
4. Hardware like data centres, storage devices, power supply etc.

4.2 – Auditing in an Automated Environment

1. Understanding of the Automated Environment
As required by SA 315, the auditor is required to obtain an understanding of the entity and its environment as a part of the Risk Assessment procedure to identify and assess RMM. In an automated environment, the auditor is required to obtain an understanding of the following:
1. Applications being used by the entity;
2. IT infrastructure components for each of the applications;
3. Organisation structure and governance;
4. Policies, procedures and processes followed;
5. IT risks and controls.

2. Considerations of the automated environment at different stages of the Audit
Risk Assessment Process
- Consider risks arising from the use of IT systems.
- Identify significant accounts and disclosures.
- Identify likely sources of misstatement.
Planning – Understanding of the Business
- Document the understanding of business processes using Flowcharts / Narratives.
- Prepare Risk and Control Matrices.
- Understand the design of controls by performing a walkthrough of the end-to-end process.
- Process-wide considerations for Entity Level Controls and Segregation of Duties.
Execution – Assessing Entity Level Controls
Consider aspects related to:
- understanding and review of IT Governance;
- Segregation of Duties;
- Review of General IT Controls and Application Controls.
Execution – Assessing Process Level Controls
- Consider aspects relating to the Risks and Controls within each process, sub-process and activity.
Reporting
- Testing of Reports & Information produced by the entity at the completion stage.
- Consider the evaluation of control deficiencies using Data Analytics.


4.3 – Enterprise Risk Management (ERM)

Enterprise Risk Management
- ERM is a formal program that is implemented across an enterprise for enabling risk management.
- In many countries, companies are required to have a formal ERM Program as a statutory requirement.
- In India, Sec. 134(3) of the Companies Act, 2013 requires the Board of Directors to include in their report a statement indicating the development and implementation of a risk management policy for the company, including identification therein of elements of risk, if any, which in the opinion of the Board may threaten the existence of the company.

Steps involved in the Risk Assessment Process
Step 1 - Define Business Objectives and Goals.
Step 2 - Identify events that affect achievement of business objectives.
Step 3 - Assess likelihood and impact.
Step 4 - Respond and mitigate risks.
Step 5 - Assess Residual Risks.

Considerations in the Risk Assessment Process
1. Qualitative and Quantitative Factors;
2. Definition of Key Performance and Risk Indicators;
3. Risk Appetite;
4. Risk Scores, Scales and Maps;
5. Use of Data & Metrics;
6. Benchmarking.

Commonly used framework for ERM
- The most common framework that is suitable for implementing an effective ERM is the COSO Enterprise Risk Management – Integrated Framework developed by the Committee of Sponsoring Organisations (COSO) in 2004 and subsequently updated in 2016 to address the changes in the business environment.
- Besides the COSO framework, another widely available framework is the ISO 31000 Risk Management standard published by the International Organization for Standardization.

4.4 – Assessing IT Related Risks and Controls

Entity Level Risks
Considerations in assessing IT Risks: Entity Level Risks (Pervasive Risks) are related to the Governance, Organization and Management of IT and require examination of the following aspects:
(a) Whether management has established an IT Security Policy;
(b) Whether the policy is being communicated to all employees;
(c) Whether relevant training has been provided to employees; and
(d) Whether management monitors adherence to the established policies.
Controls required to mitigate IT Risks – General IT Controls: Policies & procedures that relate to many applications & support the effective functioning of application controls. General IT Controls that maintain the integrity of information & the security of data commonly include controls over the following:
1. Data center and network operations.
2. System software acquisition, change & maintenance.
3. Program change.
4. Access security.
5. Application system acquisition, development, and maintenance.

Process Level Risks
Considerations in assessing IT Risks: Process Level Risks are related to Risks in the IT Processes and Procedures being followed and require examination of the following aspects:
(a) Whether unauthorized changes to IT systems and applications are being prevented and detected in a timely manner; and
(b) Whether user access to systems is commensurate with the roles and responsibilities of the user.
Controls required to mitigate IT Risks – Application Controls:
- Manual or automated procedures that typically operate at a business process level & apply to the processing of individual applications.
- They can be preventive or detective in nature.
- They relate to procedures used to initiate, record, process and report transactions or other financial data.
- Examples of Application Controls are:
1. Edit checks and Validation of input data;
2. Sequence Number checks;
3. Limit Checks;
4. Reasonableness Checks;
5. Mandatory Data Fields.

Transaction Level Risks
Considerations in assessing IT Risks: Transaction Level Risks are related to IT Risks at each layer of the automated environment and require examination of the following aspects:
(a) Whether direct data changes to databases are prevented; and
(b) Whether strong passwords are used in the operating system.
Controls required to mitigate IT Risks – IT Dependent Controls:
- Manual controls that make use of some form of data or information or report produced from IT systems and applications.
- Though the control is performed manually, the design and effectiveness of such controls depend on the reliability of the source data.
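The five application controls listed above, run as one routine over a constructed batch of sales invoices. This is an added example, not code from the notes; the field names, the credit limit and the "normal" range are assumptions chosen for illustration.

```python
# Added example: the five application controls listed in 4.4 run over a
# constructed batch of sales invoices (data, limit and range are invented).
from datetime import date

MANDATORY = ("invoice_no", "customer", "amount", "date")
CREDIT_LIMIT = 50_000            # assumed authorised per-invoice ceiling
REASONABLE_RANGE = (1, 20_000)   # assumed normal invoice range

def check_batch(batch, expected_first=1001):
    """Return (invoice_no, control, detail) exceptions for a batch processed in
    order; expected_first is the first sequence number the batch should use."""
    exceptions, seen, expected = [], set(), expected_first
    for rec in batch:
        inv = rec.get("invoice_no")
        # 5. Mandatory data fields: every required field must be present
        for f in MANDATORY:
            if rec.get(f) in (None, ""):
                exceptions.append((inv, "mandatory_field", f))
        # 1. Edit checks / validation of input data: types and formats
        amt = rec.get("amount")
        if not isinstance(amt, (int, float)):
            exceptions.append((inv, "edit_check", "amount not numeric"))
            amt = None
        elif amt <= 0:
            exceptions.append((inv, "edit_check", "amount not positive"))
        if rec.get("date") is not None and not isinstance(rec["date"], date):
            exceptions.append((inv, "edit_check", "date not a date"))
        # 2. Sequence number check: detects gaps and duplicates
        if isinstance(inv, int):
            if inv in seen:
                exceptions.append((inv, "sequence", "duplicate"))
            elif inv != expected:
                exceptions.append((inv, "sequence", f"expected {expected}"))
            seen.add(inv)
            expected = max(expected, inv) + 1
        # 3. Limit check (preventive): amounts above the authorised ceiling
        if amt is not None and amt > CREDIT_LIMIT:
            exceptions.append((inv, "limit", f"> {CREDIT_LIMIT}"))
        # 4. Reasonableness check (detective): valid but unusual values
        if amt is not None and not REASONABLE_RANGE[0] <= amt <= REASONABLE_RANGE[1]:
            exceptions.append((inv, "reasonableness", "outside normal range"))
    return exceptions

SAMPLE_BATCH = [  # constructed input: one clean invoice and three with defects
    {"invoice_no": 1001, "customer": "C-01", "amount": 1500.0, "date": date(2024, 4, 1)},
    {"invoice_no": 1002, "customer": "", "amount": 800.0, "date": date(2024, 4, 1)},
    {"invoice_no": 1004, "customer": "C-03", "amount": 75000.0, "date": date(2024, 4, 2)},
    {"invoice_no": 1004, "customer": "C-04", "amount": "12,000", "date": date(2024, 4, 2)},
]
```

Running `check_batch(SAMPLE_BATCH)` yields six exceptions, one per control failure, which is the exception report an auditor would test against when evaluating whether the control operates.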


4.5 – Evaluating Controls at Entity Level and Process Level

Entity Level Controls (ELCs)

Characteristics
- Entity Level Controls, also known as pervasive controls, operate across an entity at all levels of management, i.e. from top management to lower management.
- Entity Level Controls are considered to be a part of a company's internal control framework and relate to the components of Internal Control other than control activities. It means that Entity Level Controls are related to:
(a) Control Environment;
(b) Entity's Risk Assessment Process;
(c) Information Systems and Communication;
(d) Monitoring.
- Entity Level Controls are subjective by nature and therefore require the application of more professional judgment in their evaluation and testing.

Types
Direct ELCs
- Direct ELCs operate at the level of a business process to prevent, detect or correct a misstatement in a timely manner. Examples of Direct ELCs are:
- Business performance reviews;
- Monitoring of the effectiveness of controls by the Internal Audit function.
Indirect ELCs
- Indirect ELCs do not relate to any specific business process, transaction or account balance and therefore cannot prevent, detect or correct misstatements.
- Indirect ELCs contribute indirectly to the effective operation of direct ELCs. Examples of Indirect ELCs are:
- Company code of conduct;
- Human resource policies;
- Job roles & responsibilities.

Testing of ELCs
- As a part of the audit engagement, auditors are required to understand, evaluate and validate the entity level controls. The result of testing entity level controls could have an impact on the NTE of other audit procedures, including testing of controls.
- When the ELCs at a company are effective, the auditor may consider reducing the number of samples in the TOCs, and vice versa.
- In small organisations, the ELCs may not be formally documented and hence the auditor should design audit procedures accordingly to obtain evidence of the existence and effectiveness of entity level controls.

Process Level Controls
- Process Level Controls primarily focus on control activities and the monitoring of those activities at the process level.
- Examples of Process Level Controls are: approvals, authorizations, verifications and reconciliations, etc.

Testing of Process Level Controls
- SA 315 requires the auditor to understand the business process that makes up an account balance or financial statement line item.
- Understanding the business process helps the auditor in the identification of risks and controls within each process, sub-process and activity.
- The auditor should document this understanding of the company's business process and flow of transactions in the audit file in accordance with SA 230.


4.6 – Data Analytics

Concept of Data Analytics
- Data analytics is an analytical process by which meaningful information is generated and prepared from raw system data using processes, tools, and techniques.
- In an automated environment, various insights can be extracted from operational, financial, and other forms of electronic data internal or external to the organization.
- The data so extracted is useful for the preparation of management information system (MIS) reports and electronic dashboards that give a high-level snapshot of business performance.
- The data analytics methods used in an audit are known as Computer Assisted Auditing Techniques or CAATs.

Application of Data Analytics
In an automated environment, auditors can apply the concept of data analytics to several aspects of an audit, including the following:
1. Preliminary Analytics;
2. Risk Assessment;
3. Control Testing;
4. Non-Standard Journal Analysis;
5. Evaluation of Deficiencies;
6. Fraud Risk Assessment.

Steps involved in using Data Analytics
Step-1 Understand the Business Environment including IT.
Step-2 Define the Objectives and Criteria against which the subject matter will be evaluated.
Step-3 Identify the Source and Format of Data.
Step-4 Extract Data.
Step-5 Verify the Completeness, Accuracy and Validity of the extracted Data.
Step-6 Apply Criteria to the data extracted.
Step-7 Validate and Confirm results.
Step-8 Document the results and Report the conclusions.

4.7 – Standards, Guidelines and Procedures

Standards on Auditing: The AASB of ICAI issues various standards which are required to be followed while auditing the financial statements of an entity.

Sec. 143(3)(i) of Companies Act, 2013: Section 143(3)(i) of the Companies Act, 2013 requires statutory auditors to provide an Independent Opinion on the Design and Operating Effectiveness of Internal Financial Controls Over Financial Reporting (IFC-FR) of the company as at the Balance Sheet date.

Section 404 of SOX Act, 2002: Section 404 of the SOX Act 2002 requires public listed companies to implement, assess and ensure the effectiveness of internal controls over financial reporting. Auditors of such companies are required to express an independent opinion on the design and operating effectiveness of internal controls over financial reporting (ICFR).

ISO 27001:2013: ISO 27001:2013 is the Information Security Management System (ISMS) standard issued by the International Organization for Standardization (ISO). This standard provides the framework, guidelines and procedures for implementing information security and related controls in a company.

ITIL and ISO 20000: ITIL (Information Technology Infrastructure Library) and ISO 20000 provide a set of best practice processes and procedures for IT service management in a company. Some of the areas that could be relevant to an audit include change management, incident management, problem management, IT operations, IT asset management etc.

PCI-DSS:
- The Payment Card Industry – Data Security Standard is the most widely adopted information security standard for the payment cards industry.
- Any entity that is involved in the storage, retrieval, transmission or handling of credit card/debit card information is required to implement the security controls in accordance with this standard.

SSAE 18: Statements on Standards for Attest Engagements (SSAE) 18 is issued by the AICPA and, effective from 01.05.2017 (supersedes SSAE 16), requires organizations to issue their System and Organization Controls (SOC) Report under the SSAE-18 standard in SOC 1, SOC 2 and SOC 3 reports.
- SOC 1 is for reporting on controls at a service organization relevant to user entities' internal control over financial reporting (ICFR).
- SOC 2 and SOC 3 are for reporting on controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy, i.e., controls other than ICFR.

CoBIT: CoBIT is a best practice IT Governance and Management framework published by the Information Systems Audit and Control Association. It provides the required tools, resources and guidelines that are relevant to IT governance, risk, compliance and information security.

Cyber Security Framework: The CSF published by the National Institute of Standards & Technology is one of the most popular frameworks for improving critical infrastructure cyber security, and provides a set of standards and best practices for companies to manage cyber security risks.
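Steps 3 to 7 of the data-analytics procedure in 4.6, applied to non-standard journal analysis (item 4 of the applications list). This is an added example and not code from the notes: the general-ledger extract, its control totals, the list of authorised posting users and the "large round amount" threshold are all constructed for illustration.

```python
# Added example: steps 3-7 of the 4.6 procedure run over a constructed GL extract
# (all data, users and thresholds are invented for illustration).
import csv, io
from datetime import datetime
GL_EXTRACT = """je_id,posted_at,user,account,debit,credit
JE-1,2024-03-28 10:15,priya,4000,0,1200.50
JE-1,2024-03-28 10:15,priya,1200,1200.50,0
JE-2,2024-03-30 23:40,admin,5100,100000,0
JE-2,2024-03-30 23:40,admin,2100,0,100000
"""
CONTROL = {"lines": 4, "debit": 101200.5, "credit": 101200.5}  # constructed system control totals
FINANCE_USERS = {"priya", "arun"}   # assumed authorised posting users
ROUND_AMOUNT = 10_000               # assumed "large round amount" criterion

def extract(text):
    """Steps 3-4: parse the CSV extract (known source and format) into typed rows."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["posted_at"] = datetime.strptime(r["posted_at"], "%Y-%m-%d %H:%M")
        r["debit"], r["credit"] = float(r["debit"]), float(r["credit"])
        rows.append(r)
    return rows

def verify(rows, control):
    """Step 5: completeness (line count) and accuracy (totals agree to control totals and balance)."""
    debit = round(sum(r["debit"] for r in rows), 2)
    credit = round(sum(r["credit"] for r in rows), 2)
    return (len(rows) == control["lines"] and debit == control["debit"]
            and credit == control["credit"] and debit == credit)

def apply_criteria(rows):
    """Step 6: flag weekend/after-hours postings, non-finance users and large round amounts."""
    flags = {}
    for r in rows:
        t, amt, reasons = r["posted_at"], max(r["debit"], r["credit"]), []
        if t.weekday() >= 5 or not 8 <= t.hour < 20:
            reasons.append("outside business hours")
        if r["user"] not in FINANCE_USERS:
            reasons.append("non-finance user")
        if amt >= ROUND_AMOUNT and amt % ROUND_AMOUNT == 0:
            reasons.append("large round amount")
        if reasons:
            flags.setdefault(r["je_id"], set()).update(reasons)
    return flags

def run(text=GL_EXTRACT, control=CONTROL):
    """Step 7: report criteria results only when the extract verified clean."""
    rows = extract(text)
    if not verify(rows, control):
        return {"verified": False, "flags": {}}
    return {"verified": True, "flags": apply_criteria(rows)}
```

Because `run()` refuses to apply criteria when the extract fails verification, an incomplete or unbalanced extract produces no findings to rely on, which is the point of Step 5 preceding Step 6.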
