Change in Chapter 4 (Included as part of Chapter 9 where it logically belongs) Approach to Audit of Controls

Many a times IS Auditors are called upon to review the presence and effectiveness of key controls both at the application level as well as general controls. Such control reviews would broadly involve the following processes: a. b. c. d. e.
a.

Understanding of the existing IT infrastructure and key business processes Obtain an understanding of the existing controls Evaluate the level of risk Perform audit procedures/Test of controls Documentation

Understanding of the existing IT infrastructure and key business processes: This is generally the first step since no two infrastructures are same- hence the IS Auditors first needs to gain grasp of the existing infrastructure. This is possible through review of existing documents like security policies, BCP/DR documents, Organisational structure charts etc. Also interaction with IT Department and users would facilitate this process.
i.

b. Obtain an understanding of the existing controls: Controls are broadly classified into Entity wide controls: These controls are generally referred to as general controls which apply to the complete organisation as a whole and are not application specific. That is they are not dependent on specific software. Examples of such controls include change management, configuration management etc. Network/operating system/IT infrastructure level controls - While these would also fall under the broad category of general controls, they are a little more specific.

ii.

iii. Application level controls: These controls focus on controls in specific business application softwares and processes. An IS Auditor should gain clear understanding of these controls as he would be required to test their effectiveness or otherwise. c. Evaluate the level of Risk: As part of IS Audit planning, the auditor is required to evaluate the level of risk of controls failures associated with various aspects of the business processes. Based on his assessment of risk, he would need to plan the nature and timing of his audit procedures d. Test of Controls: Primary function involves testing the design, operation and effectiveness of the various controls and forming an opinion thereof. Generally the entity wide general controls are first tested and finally the application specific controls are tested. i. Test of Entity wide general controls: In order to test general controls, the auditor uses procedures like observation, enquiry, inspection etc. The comfort that the IS Auditor gets as regards the effectiveness of general controls helps him plan the application controls better. If general controls are ineffective, he would document the same and verify if compensating controls mitigate this risk to some extent. He has to recommend to the management that they improve general controls.

ii. Test of Controls at Network/Operating System and IT Infrastructure level: These reviews focus on controls at the network, operating system and IT infrastructure levels. They are carried out to ascertain if general controls at these levels are functioning properly. Risks are measured in the event of a control being ineffective iii. Test of Application level controls: Application level controls review generally involve verifying the presence or absence of controls at the software level. The IS Auditor needs to understand the business process as existing, its mapping to the software and how controls are inbuilt as part of input, processing and output generation. Usually application level controls have a direct business impact especially if processes financial transactions. Methods of collecting data for test of controls i. Review of documentation relating to controls and processes ii. Questionnaires specific to a control function iii. Interview of key personnel iv. Observation of a control at work- especially true for application level controls (ex: maker-checker process, logs being generated etc.) v. Review of minutes of IT Steering committee, audit committee and security committee- in evidence of management supervision vi. Obtaining and analyzing system based data ex: parameter values, access control matrix etc. vii. Review of key data outputs for processing accuracy viii. Test cases/re-performance to obtain comfort on operations of a few controls e. Documentation of control testing phase As per ISACAs Audit standards, the documentation of audit work should be of such quality that it should enable another professional to re-perform the audit and arrive at the same conclusion. Thus emphasis is laid on good documentation. Generally the following should form part of the audit work documentation: i. His understanding of the IT infrastructure and controls ii. The list of controls that would be covered as part of his audit process iii. Methods, procedures and audit techniques used including basis of sampling, sample size etc. iv. Evidences gathered in substantiation of operation or otherwise of the primary controls v. Evidences gathered as regards compensating controls vi. His conclusions as to whether significant material control weaknesses exist

Change in Chapter 8
AAS 29 - AUDITING IN A COMPUTER INFORMATION SYSTEMS ENVIRONMENT (Effective 01.04.2008 Replaced with SA 315 and SA 330) AAS 29 was issued by the ICAI establishes procedures to be followed when audit related to accounting is carried out in a computer information system (CIS) environment- i.e accounting data and processes are system based. Effective 01.04.2008, AAS 29 stands withdrawn pursuant to introduction of SA 315 and SA 330). SA 315- Identifying and assessing risk of material misstatement through understanding the entity and its environment. This standard focuses on auditors responsibility to identify and assess risks of material misstatement in financial statements through understanding the entity and its environment including its internal control. The said standard requires the auditor to evaluate the risks of a computerised environment so that his audit objectives can be suitably framed. The information system, including the related business processes, relevant to financial reporting, and communication The auditor shall obtain an understanding of the information system, including the related business processes, relevant to financial reporting, including the following areas: (a) The classes of transactions in the entitys operations that are significant to the financial statements; (b) The procedures, within both information technology (IT) and manual systems, by which those transactions are initiated, recorded, processed, corrected as necessary, transferred to the general ledger and reported in the financial statements; (c) The related accounting records, supporting information and specific accounts in the financial statements that are used to initiate, record, process and report transactions; this includes the correction of incorrect information and how information is transferred to the general ledger. The records may be in either manual or electronic form; (d) How the information system captures events and conditions, other than transactions, that are significant to the financial statements; (e) The financial reporting process used to prepare the entitys financial statements, including significant accounting estimates and disclosures; (f) Controls surrounding journal entries, including non-standard journal entries used to record non-recurring, unusual transactions or adjustments. (Ref. Para A77-A81) A77. The information system relevant to financial reporting objectives, which includes the accounting system, consists of the procedures and records designed and established to:

Initiate, record, process, and report entity transactions (as well as events and conditions) and to maintain accountability for the related assets, liabilities, and equity; Resolve incorrect processing of transactions, for example, automated suspense files and procedures followed to clear suspense items out on a timely basis; Process and account for system overrides or bypasses to controls; Transfer information from transaction processing systems to the general ledger; Capture information relevant to financial reporting for events and conditions other than transactions, such as the depreciation and amortisation of assets and changes in the recoverability of accounts receivables; and Ensure information required to be disclosed by the applicable financial reporting framework is accumulated, recorded, processed, summarised and appropriately reported in the financial statements.

Journal entries A78. An entitys information system typically includes the use of standard journal entries that are required on a recurring basis to record transactions. Examples might be journal entries to record sales, purchases, and cash disbursements in the general ledger, or to record accounting estimates that are periodically made by management, such as changes in the estimate of uncollectible accounts receivable. An entitys financial reporting process also includes the use of non-standard journal entries to record non-recurring, unusual transactions or adjustments. Examples of such entries include consolidating adjustments and entries for a business combination or disposal or non-recurring estimates such as the impairment of an asset. In manual general ledger systems, non-standard journal entries may be identified through inspection of ledgers, journals, and supporting documentation. When automated procedures are used to maintain the general ledger and prepare financial statements, such entries may exist only in electronic form and may therefore be more easily identified through the use of computer-assisted audit techniques.

A79.

Related business processes A80. An entitys business processes are the activities designed to:

Develop, purchase, produce, sell and distribute an entitys products and services; Ensure compliance with laws and regulations; and Record information, including accounting and financial reporting information.

Business processes result in the transactions that are recorded, processed and reported by the information system. Obtaining an understanding of the entitys business processes, which include how transactions are originated, assists the auditor obtain an understanding of the entitys information system relevant to financial reporting in a manner that is appropriate to the entitys circumstances. Considerations specific to smaller entities A81. Information systems and related business processes relevant to financial reporting in small entities are likely to be less sophisticated than in larger entities, but their role is just as significant. Small entities with active management involvement may not need

extensive descriptions of accounting procedures, sophisticated accounting records, or written policies. Understanding the entitys systems and processes may therefore be easier in an audit of smaller entities, and may be more dependent on inquiry than on review of documentation. The need to obtain an understanding, however, remains important. The standard emphasis the need for review of internal controls and risks associated with the same as it could materially impact the financial statements. The standard also talks about use of computer assisted audit techniques. SA 330- Auditors Response to Assessed Risk This Standard on Auditing (SA) deals with the auditors responsibility to design and implement responses to the risks of material misstatement identified and assessed by the auditor in accordance with SA 315 The said standard talks about issues like test of controls, nature and extent of such tests, timing thereof, evaluating the operating effectiveness of controls, substantive procedures, evaluating sufficiency and appropriateness of audit evidence, documentation etc. Things relevant to IS Audit are:

The standard talks about evaluating IT General Controls Suggests use of CAATs for more extensive testing of electronic transactions and account files (A-16) Because of the inherent consistency of IT processing, it may not be necessary to increase the extent of testing of an automated control. An automated control can be expected to function consistently unless the program (including the tables, files, or other permanent data used by the program) is changed. Once the auditor determines that an automated control is functioning as intended (which could be done at the time the control is initially implemented or at some other date), the auditor may consider performing tests to determine that the control continues to function effectively. Such tests might include determining that:
o o

Changes to the program are not made without being subject to the appropriate program change controls; The authorised version of the program is used for processing transactions; and

o Other relevant general controls are effective. Such tests also might include determining that changes to the programs have not been made, as may be the case when the entity uses packaged software applications without modifying or maintaining them (A29)

Because of the inherent consistency of IT processing, audit evidence about the implementation of an automated application control, when considered in combination with audit evidence about the operating effectiveness of the entitys general controls (in particular, change controls), may also provide substantial audit evidence about its operating effectiveness. (A31) In certain circumstances, audit evidence obtained from previous audits may provide audit evidence where the auditor performs audit procedures to establish its continuing relevance. For example, in performing a previous audit, the auditor may have determined that an automated control was functioning as intended. The auditor may obtain audit evidence to determine whether changes to the automated control have

been made that affect its continued effective functioning through, for example, inquiries of management and the inspection of logs to indicate what controls have been changed. Consideration of audit evidence about these changes may support either increasing or decreasing the expected audit evidence to be obtained in the current period about the operating effectiveness of the controls (A35)