“Automated Environment” means a business environment in which computer systems, also known as Information Systems (IS) or Information Technology (IT) systems, are used to carry out processes, operations, accounting, and even decisions is referred to as an automated environment.
Key features of an Automated Environment
The capacity to conduct business with less manual intervention and more system-driven operations is the fundamental principle of an automated environment. The degree of automation in a business environment determines the level of complexity.
- Enables faster business operations
- Accuracy in data processing and computation
- Ability to process large volumes of transactions
- Integration between business operations
- Better security and control
- Less prone to human error
- Provides latest informations
- Connectivity and networking capability
RELEVANCE OF ‘IT’ IN AN AUDIT
It is likely that several business functions and activities will take place within the systems of a business that operates in an environment that is more automated. Consider the following aspects instead of:
- Calculations and computations, such as calculating bank interest and valuing inventory, are carried out automatically.
- Sub-ledger to GL postings, for instance, are posted automatically in accounting.
- The application of business policies and procedures, including internal controls, is automated (for instance, the automatic delegation of authority for journal approvals and customer credit limit checks).
- Systems are used to create business reports. These reports and the information they contain are relied upon by management and other stakeholders (such as the debtors’ aging report).
- System roles are used to control user access and security (such as the effective enforcement of duties segregation).
Companies derive benefit from the use of IT systems as an enabler to support various business operations and activities. The relevance of these IT systems to an audit of financial statements must be understood by auditors.
While it is true that the business benefits from the use of IT systems and automation by making operations more accurate, reliable, effective, and efficient, such systems also introduce new risks, including IT-specific risks, which management must take into account, evaluate, and address.
Even auditors are required to comprehend, evaluate, and respond to such risks that arise from the use of IT systems to the extent that it is relevant to an audit of financial statements.
Given below are some situations in which IT will be relevant to an audit,
♦ Increased use of Systems and Application software in Business (for example, use of ERPs)
♦ The complexity of transactions (multiple systems, network of systems) has increased.
♦ Hi-tech nature of business (Telecom, e-Commerce).
♦ There are a lot of transactions (in insurance, banking, and ticketing for trains).
♦ Company Policy (Compliance).
♦ Regulatory requirements – Companies Act 2013 IFC, IT Act 2008.
♦ Required by Indian and International Standards – ISO, PCI-DSS, SA 315, SOC, ISAE.
♦ Increases efficiency and effectiveness of audit
RISKS & CONTROLS IN AN AUTOMATED ENVIRONMENT
The following are some considerations that an auditor should make in order to comprehend the automated environment of the business:
- Information systems being used (one or more application systems and what they are).
- Their purpose (financial and non-financial).
- Location of IT systems – local vs global.
- Architecture (desktop based, client-server, web application, cloud based).
- Version (functions and risks could vary in different versions of same application).
- Interfaces within systems (in case multiple systems exist).
- In-house vs Packaged.
- Outsourced activities (IT maintenance and support).
- Key persons (CIO, CISO, Administrators).
Given below are some such risks that should be considered:
- Inaccurate processing of data, processing inaccurate data, or both.
- Unauthorized access to data.
- Direct data changes (backend changes).
- Excessive access / Privileged access (super users).
- Lack of adequate segregation of duties.
- Unauthorized changes to systems or programs.
- Failure to make necessary changes to systems or programs.
- Loss of data.
Types of Controls in an Automated Environment
♦ General IT Controls
♦ Application Controls
♦ IT-Dependent Controls
General IT Controls
“General IT controls are policies and procedures that support the efficient operation of application controls and relate to numerous applications. They are applicable to end-user environments, miniframes, and mainframes. Controls over the following are common in general IT controls that ensure data security and information integrity:
♦ Data center and network operations
♦ Program change
♦ Access security
♦ Acquiring, developing, and maintaining application systems (Business Applications)
Application controls include both automated or manual controls that operate at a business process level. IT applications, such as, incorporate automated application controls. ERPs aid in maintaining the accuracy, completeness, and integrity of data stored in these systems.
IT dependent Controls
Controls that rely on IT systems and applications are essentially manual but make use of some kind of data, information, or report. In this instance, despite the fact that the control is carried out by hand, the dependability of the source data is crucial to the design and efficiency of such controls. The General IT Controls are necessary for Automated application controls and IT-dependent controls to function effectively due to their inherent dependence on IT.
INTERNAL FINANCIAL CONTROLS AS PER REGULATORY REQUIREMENTS
The term Internal Financial Controls (IFC) basically refers to the policies and procedures put in place by companies for ensuring:
♦ reliability of financial reporting
♦ effectiveness and efficiency of operations
♦ compliance with applicable laws and regulations
♦ safeguarding of assets
♦ prevention and detection of frauds
The Companies Act of 2013 has increased the importance of a company’s internal controls’ effective implementation and reporting.
DATA ANALYTICS FOR AUDIT
The amount of data and information in these systems is enormous in the digital age, when businesses rely on IT systems and networks to run their operations. A famous businessman recently said, “Data is the new Oil”.
Data analytics is the process of combining processes, tools, and techniques to extract meaningful information from vast amounts of electronic data. While it is true that companies can benefit immensely from the use of data analytics in terms of increased profitability, better customer service, gaining competitive advantage, more efficient operations, etc., even auditors can make use of similar tools and techniques in the audit process and obtain good results. Computer Assisted Auditing Techniques, or CAATs for short, are the tools and methods auditors use to apply the principles of data analytics. Data analytics can be used in testing of electronic records and data residing in IT systems using spreadsheets and sspecialised audit tools viz., IDEA and ACL to perform the following:
- Check completeness of data and population that is used in either test of controls or substantive audit tests.
- Random or systematic sampling are the two methods used to select audit samples.
- Re-computation of balances is the process of reconstructing the trial balance from transaction data.
- Repetition of mathematical calculations, such as the calculation of bank interest and depreciation.
- Analysis of journal entries as required by SA 240.
- Fraud investigation.
- Evaluating impact of control deficiencies.