
Mahipal Singh Rajpurohit

Advance ITT Exam 1 Day Revision notes


Module II Unit 1 - ADVANCED EXCEL
Chapter 1 – Working With XML
1. XML is a technology that is designed for managing and sharing structured data in a human-readable text file.
2. XML is a great way of Exchanging information between Computer applications
3. XML stands for EXtensible Markup Language
• XML is a markup language much like HTML
• XML was designed to carry data, not to display data
• XML tags are not predefined, we must define our own tags
• XML is designed to be self-descriptive
• XML is a W3C Recommendation
4. XML is a language that’s very similar to HTML, but much more flexible.
5. XML does not DO anything. XML was created to structure, store, and transport information.
The following example is a note to Sachin, from Mahendra, stored as XML:
<?xml version="1.0" encoding="ISO-8859-1"?>
<note>
<to>Sachin</to>
<from>Mahendra</from>
<heading>Reminder</heading>
<body>Meet me at IPL!</body>
</note>
The note above is self-descriptive. It has sender and receiver information, and it also has a heading and a message
body. However, an XML document does not DO anything. It is just information wrapped in tags. To send, receive or
display it, software would be needed.
5. XML Documents Form a Tree Structure

6. Syntax rules of XML


• Every bit of data has to start and end with an identical tag: <TagName>Data</TagName>
• Tag names are case sensitive
• The XML file must begin and end with a root tag, e.g. in the note example above the root tag is <note>.
• We can have an empty tag - put the slash at the end of the tag instead of the beginning: <TagName/>
• If we nest tags, we must close the inner tag before closing the outer tag. <Item><a>data</a></Item> will
work, but <Item><a>data</Item></a> will not.
7. A tag – either opening or closing – is used to mark the start or end of an element
8. Excel works primarily with two types of XML files:
• XML data files (.xml), which contain the custom tags and structured data.
• Schema files (.xsd), which contain schema tags that enforce rules, such as data type and validation.
9. XML schemas in Excel are called XML maps
10. XML Data File Format vs. XML Spreadsheet Format
The XML Data format allows us to save our data to standard XML data files. The XML Spreadsheet format is
proprietary, and requires Excel 2002 or later.

Forward the file to your Friends who are going to appear in Advance ITT Exam of ICAI
Chapter 2 – Advance in Macro

We all want shortcuts and to avoid the chore of doing monotonous work like data entry or some formatting
which we want done every time. Excel offers us excellent options to automate in the form of Macros, which are
basically small programs that automatically perform repetitious steps.
1. Programming of Macros is done in programming Language VBA (Visual Basic for Applications)
2. Macros can be written in two ways
• Writing a Macro using VBA Code
• Recording a macro using Excel Macro recorder
3. Macros cannot be stored in .xlsx files. Fortunately, Excel has the file extension .xlsm for
macro-enabled workbooks
4. Macros can be stored in either of two locations, as follows:
• The workbook we are using, or
• Our Personal Macro Workbook (which by default is hidden from view)
5. If our macro applies to all workbooks, then store it in the Personal Macro Workbook so it will always be available
in all of our Excel workbooks; otherwise we store it in our current workbook
6. Absolute reference mode: In absolute reference mode, Excel stores the absolute references for the cells that we’re
modifying.
7. Relative reference mode: In relative reference mode, Excel tracks how far we move from our starting position.

Chapter 3 – APPLIED FINANCIAL ANALYSIS AND FORECASTING FINANCIAL STATEMENTS
1. Elements of a Formula in Excel are
• Arithmetic Operators
• Conditional Operators
• Cell References
• Range References
• Named References
• Values or Strings (Strings are to be always enclosed in double quotes when used in a formula)
• Worksheet functions
• Parentheses
2. Arguments of a Function
• No arguments Ex: =TODAY() TODAY function gives you system date which changes daily. This function doesn’t
require an argument
• One argument Ex: =ABS(-4) ABS function gives you absolute value of a number i.e number without its sign. This
function accepts only one argument.
• A fixed number of arguments Ex: =MOD(100,3) MOD function returns the remainder after a number is divided by
a divisor. It mandatorily requires two arguments: number and divisor.
• Optional arguments Ex: =INDEX (Salesdata, 5) INDEX function returns value from a given data range based on
row and column you enter
3. Following function categories are available in excel.
• Financial
• Date & Time
• Math & Trig
• Statistical
• Lookup & Reference
• Database
• Text
• Logical
• Information & Compatibility
• User defined
• Engineering
• Cube

4. Show Formula Mode = Ctrl + ~ to toggle between Formula view and Normal view.


5. Various Ratios
Liquidity Ratios : These ratios show the ability of a company to pay its current financial obligations.
A company should not be selling its assets at a loss to meet its financial obligations. In the worst scenario the company will
be forced into liquidation.
Current Ratio (CR) : It is a measure of company’s ability to meet its short term requirements.
It indicates whether current liabilities are adequately covered by current assets.
It measures safety margin available for short term creditors.
CR = Current Assets / Current Liabilities
If Net Working Capital is to be positive, CR > 1
Higher ratio ensures firm does not face problems in meeting increased working capital
requirements.
Acid Test / Quick Ratio (QR): Used to examine whether firm has adequate cash or cash equivalents to meet
current obligations without resorting to liquidating non cash assets such as inventories
Measures position of liquidity at a point of time
QR = Quick Assets / Current Liabilities
Quick assets = Current assets – (inventories + prepaid expenses)
As a thumb rule ideal QR = 1; should not be less than 1
Leverage / Solvency Ratios : These ratios show dependency of a firm on outside long term finance. They
show long term financial solvency & measure the firm’s ability to pay interest & principal regularly when due
Debt – Equity Ratio : It measures relative proportion of debt & equity in financing assets of a firm.
DER = Long term debt / Shareholders funds.
Creditors would like this ratio to be low.
Lower ratio implies larger credit cushion.
Debt (loans) = Secure loans + Unsecure loans
Shareholders’ funds = (equity + preference capital + reserves & surplus – fictitious assets &
accumulated losses not written off)
Debt – Total Fund Ratio
DTF ratio= Long term debt / Total fund
Total funds (debt + shareholders’ funds)
Debt (long term)
Higher the debt - total funds ratio, greater the financial risk
Debt – Assets Ratio
Debt - Assets ratio = Debt / Net assets
Net assets (less fictitious assets & losses)
Interest Coverage Ratio : This ratio shows ability of company to pay back long term loans along with interest
or other charges from generation of profit from its operations
Interest coverage ratio = EBIT / Debt interest
EBIT should be 6 – 7 times of debt interest
Liability Coverage Ratio (LCR): Calculated to determine time a company would take to pay off all its
liabilities from internally generated funds.
Assumes that liabilities will not be liquidated from additional borrowings or from sale of assets.
LCR = internally generated funds / Total liabilities.
Internally gen funds = Equity + Preference + Reserves & Surplus

Inventory turnover ratio : Measures No of times inventory turned over in a year OR No of days of inventory held
by company to sales
Times Inventory turned over = Net sales / Average inventory OR COGS / Average stock
Inventory measured in days of sale = (365 x Average inventory) / Net Sales
Average collection period (ACP) : It represents duration a company must wait after making sales, before it
actually receives cash from its customers
Average collection period = Average receivables / Average sales per day OR (Average receivables × 365) / Sales

This ratio is used to assess credit policy of firm.


If the ratio is too high, it means the company is facing difficulties in collecting debts
If the ratio is too low, it means the company has a restrictive credit policy
Fixed assets turnover ratio (FATR) : It helps to measure effective utilization of fixed assets by company.
It is used to compare fixed assets utilization of two firms.
High ratio usually indicates better asset utilization.
Sometimes this ratio may be too high if assets are old or the ratio maybe too low if capital assets are procured
recently.
FATR = Net Sales (or COGS) / Fixed Assets
Return on Investment : This ratio indicates efficiency with which company used its capital (Equity as well as debt)
This ratio takes into consideration overall returns of the company assuming company has not taken any debt.
It gives overall returns including adjustments of earnings for financial leveraging.
It enables one to check whether return made on investment is better than other alternatives
available.
RoI = EBIT x 100 / Capital Employed
Capital Employed = (Equity + Preference + Reserve & Surplus + Debt) – (Fictitious assets + Non-operating assets)

6. Du Pont Analysis helps to break down the Return on Equity (RoE)


These are the three questions that the DuPont analysis can help you answer:
Is the company increasing margins?
Is the inventory turnover increasing?
Is leverage being used?
ROE = (Net Profit Margin) x (Asset Turnover) x (Equity Multiplier)
• Net Profit Margin = Net Income/Sales
• Asset Turnover = Sales/Total Assets
• Equity Multiplier = Total Assets/Shareholders Equity
7. Equity Research : Equity research is a study of equities or stocks for the purpose of investments. Equities or common
stock comprise a big chunk of any company’s capital, and shareholders need to know whether to stay invested in the company
or sell the shares and come out.
8. Valuation Methods
Asset and adjusted asset valuations;
Dividend models;
Market methods;
Free cash valuation.

Chapter 4 – MATHEMATICAL AND STATISTICAL TOOLS FOR FINANCIAL ANALYSIS
Ignore the chapter

Chapter 5 - Application of MS Excel

Depreciation Accounting : Depreciation stands for reduction in value of fixed assets. Value of fixed assets
is generally reduced over the period of time due to any of the following reasons.
(a) Wear & Tear
(b) Change in taste of people
(c) Change in technology
Function :
SLN - For calculation of depreciation as per Straight Line Method. - (Depreciable Base x Remaining Useful Life) / Sum of Years’ Digits
SYD - For calculation of depreciation as per Sum of Years’ Digit Method - (Cost – Previous Depreciation) x rate
DB - For calculation of depreciation as per Declining Balance Method.
DDB - For calculation of depreciation as per Double Declining Balance Method
VDB - For calculation of depreciation as per Variable Declining Balance Method
Marginal Costing Equations :
Following equations are used in Marginal Costing.
(a) Profit = Sales – Total Cost
(b) Total Cost = Fixed Cost + Variable Cost
(c) Contribution = Sales – Variable Cost
The whole idea of marginal costing revolves around a simple equation as under.
Fixed Cost + Profit = Sales – Variable Cost
Fixed Cost = Sales – Variable Cost – Profit
Fixed Cost = (Sales x PV Ratio) – Profit
Variable Cost = Sales – Fixed Cost – Profit
Variable Cost = Sales x Variable Cost Ratio
(Variable Cost Ratio = 1 – PV Ratio)
Contribution per unit = Selling Price per Unit - Variable Cost per Unit
Or
Contribution per unit = (Total Sales Value – Total Variable Cost) / No. of units sold
PV Ratio = (Contribution / Sales) x 100
PV Ratio = [(Sales – Variable Cost) / Sales] x 100
PV Ratio = 1 – Variable Cost Ratio
PV Ratio = (Change in Profit / Change in Sales) x 100
BEP: Break Even Point is the point of no profit or no loss
BEP (Value) = Fixed Cost / PV Ratio
BEP (Units) = Fixed Cost / Contribution per Unit
Margin of Safety: It is the value of sales above the BEP point.
Margin of Safety = Total Sales – BEP Sales
Using Excel for calculating Discounting Factor : Discounting Factor = 1 / (1+r) ^ n
Where r = rate of interest and n = the year number for which discounting factor is to be calculated.
EMI Calculations Using Excel :
Equated Monthly Installment can be very easily calculated using PMT function
Rate – It is the rate of interest, to be divided by 12 for getting monthly rate of interest.
Nper – It is total number of periods,
PV – It is present value of cash flows,
To calculate the principal portion in every instalment of EMI – PPMT Function
To calculate the interest component in each EMI – IPMT Function

Sampling Random Methods:


Simple Random Sampling: In this case each individual is chosen entirely by chance and each member of
the population has an equal chance, or probability, of being selected.
Type “Rand()” and press ENTER
Systematic Sampling
Stratified Sampling
Clustered Sampling:
Quota Sampling
Convenience Sampling
Snowball Sampling
Net Present Value : Net present value is the value of all future cash inflows less future cash outflows as on today.
This is a major point in capital budgeting decisions. Net present value can be calculated in excel using two ways.
By calculating discounting factors
By using NPV function
Internal Rate of Return : The discount rate often used in capital budgeting that makes the net present value of
all cash flows from a particular project equal to zero.
To calculate IRR use function IRR
Probability :
Probability is a measure of the likeliness that an event will occur
To calculate probability use PROB function

Finance Planning: Planning is considered to be the primary requirement for moving towards any goal. Financial
planning is the process of meeting the financial goals through the proper management of finances. Proper management
of finances includes deciding the source and application of funds along with its timing.
There are two basic rules in any type of financial planning.
(a) Earlier the better – Money received today is always better than money received tomorrow.
(b) Bigger the better – More money received is always better than less money received
Five Ds of Finance Planning:
Deciding the Objective
Data Collection
Data Analysis
Drawing Inference
Decision Making
Various excel functions and features can be used in the process of financial planning
1- PMT - Payment – Used for calculating monthly installment/investment amount.
2- PPMT - Principal Payment – Used for calculating principal amount in EMI
3- IPMT - Interest Payment – Used for calculating interest amount in EMI
4- FV - Future Value – Used for calculating future value of present investment
5- RATE - Rate – Used for calculating rate of interest
6- NPER - Number of Periods – Used for calculating number of periods (months/years) required for a particular
maturity amount at a given rate of interest.
7- IRR – Internal Rate of Return – Used for
8- PV – Present Value – Used for calculating present value of future cash flows.

Module II Unit 2 – MS Excel as Audit Tool


Chapter 1 - INTRODUCTION TO MS EXCEL AS AN AUDIT TOOL

Microsoft Excel is one of the most widely used software in the world. Primarily, it is used for all sorts of data
processing and calculations. Excel is indispensable and has become life blood of modern commerce.

The language used by Excel for automation purposes is Visual Basic for Applications (VBA).

Originally released in 1985, Microsoft Excel is today the most popular spreadsheet program in the world. No
business can imagine working without excel. It has become most essential in many departments like:
Accounting and Finance
Marketing
Purchase
Production
Human Resources
Administration

Another popular format for exporting data is PDF (Portable Document Format). It is not easy to
convert it into excel. We need to make use of converters. There are many converters available in the
market. There are also websites which offer PDF to excel conversion.

Key Steps in Obtaining Audit Data:


1. Raise a data Request
2. Do follow up
3. Receive the data
4. Validate the data
5. Follow up
Key Capabilities of MS Excel
1. Quick data processing
2. Accurate computation
3. Wide range of pre-set functions
4. Scope for automation

As auditor, we need to obtain data for auditing purpose. This data may come in various formats like XML, CSV,
PDF etc. We can bring that to excel and work upon it.


What can you say about the two statements?


1. There is no need to validate the data given by the auditee as excel data cannot be tampered with.
2. We can do programming in MS Excel
1st statement is wrong but the 2nd statement is right

Chapter 2 - USEFUL FUNCTIONS FOR AUDITING


There are various functions in MS Excel which can be profitably used by Chartered Accountants from an audit
perspective.
The function library is available in Formulas Tab

Difference between function and formula


A function is a pre-set calculation methodology developed by Microsoft. It may require some inputs (known as
arguments).
A formula may involve multiple functions or may even be free from any functions. A formula is the complete
structure of calculation laid down for the purpose of deriving the final output.
Function = Sum (A1:B1)
Formula = A1+B1

XNPV and XIRR Function


NPV and IRR functions assume that the cashflows are spaced equally. However, in real life, we may come
across many situations where the cashflows occur unevenly. In such cases, we may rather use the XNPV and
XIRR functions in excel.
XNPV function’s arguments are rate, values and dates
XIRR function’s arguments are values, dates and guess

Date & Time Functions :


1. Eomonth Function - It lets you calculate the end of the month date corresponding to a given date
Eg. with 01-04-2020 in A1, =EOMONTH(A1,1) will return the date as 31-05-2020; =EOMONTH(A1,2) will return
the date as 30-06-2020
2. Edate Function - Edate returns the date with the same day which is a specified number of months before
or after the start date.
Eg. with 01-04-2020 in A1, =EDATE(A1,1) will return the date as 01-05-2020; =EDATE(A1,2) will return the date
as 01-06-2020.
3. Networkdays Function - This function calculates the number of working days between two dates.
Network days can be used to verify employee benefits which are paid by the auditee on the basis of number
of actual days worked during a period. Net workdays excludes all weekends (Saturdays and Sundays) in
between two dates and returns the remaining number of days.
There are three arguments to Networkdays function; start date, end date and holidays
4. Workday Function - Workday returns the working day before or after specified number of workdays
with respect to a start date.
Math & Trig Functions:
1. MOD Function : Ordinarily, if we divide a number by some divisor and if the dividend is not completely
divisible by the divisor, the quotient is expressed in decimal form. However, sometimes we are interested in
obtaining the remainder separately. In such a case, we can make use of Mod function.
Mod is a very simple function having only two arguments, number and divisor. Both are mandatory
2. Quotient Function : Quotient function returns the integer portion of the division, ignoring the
remainder. Quotient is also a simple function having two arguments numerator and denominator. Both
are mandatory
Text Functions:
1. Concatenate Function - To concatenate means to link together or join. This function joins two or
more text strings together. It is a very simple function. Its arguments are texts. Instead of using concatenate
function we can also use the symbol ‘&’ (known as ampersand).
2. Exact Function - There are several situations where we would like to compare two values and check whether they
are alike. If they are numeric values, we can calculate the difference between the two. If the difference is zero
then the numbers are alike. However, when those two values are text strings, then we cannot perform any
mathematical operations on them. In such cases, we can make use of Exact function. Exact function is
case-sensitive, i.e. comparing Text with Text will return True, while comparing Text with TEXT will return False.
To overcome this we can use A1=B1 instead of Exact.
Lookup & Reference Functions
1. Vlookup Function - This is the most frequently used function from the Lookup & Reference category. Vlookup searches
for a value in the first column of a data/table array and, if it’s found, it returns a corresponding value from the same
row but another column. There are four arguments for Vlookup function (lookup value, table array, col index number
and range lookup). In excel, true is denoted by 1 and false is denoted by 0.
2. HLOOKUP Function - Think of Hlookup as a horizontal Vlookup. In fact, the ‘H’ in Hlookup stands for horizontal.
3. Index Function - Index function returns the value or reference at the intersection of a specified row and
column. It has two sets of arguments First set has three arguments, viz. array, row number and column
number. Second set has four arguments, viz. reference, row number, column number and area number.
4. Match - This function is somewhat similar to Vlookup. Like Vlookup, match searches for a lookup value
inside an array. However, instead of returning a corresponding value, it returns the position or ranking
of the lookup value in side the array Match has three arguments viz. lookup value, lookup array and match
type. Lookup value and lookup array are mandatory while match type is optional.
5. Index and Match Combo Function - Vlookup function doesn’t support right to left lookup. In these
situations, we may combine index function and match function to create a synthetic Vlookup
6. Indirect Function - This function returns the reference specified by a text. Sometimes, we may build
certain references using concatenate or some other functions. These references are stored as text
strings by excel. If we wish to use these references as ‘references’ in our formulas, we must use Indirect
function.
Logical Functions
1. IF Function - If function is the leading logical function. This is fundamental to most of the audit processes
as somewhere or the other, we are bound to come across condition based working. If function has three
arguments viz. logical test, value if true and value if false. If the logical test is satisfied then the value if
true is executed else the value if false is executed.
2. And & Or Function - These two functions are highly similar. Hence, we can consider them together.
Sometimes, there are multiple conditions, based on which calculations are to be made. Such calculations are
required to be made when all conditions are satisfied or any one condition is satisfied. In such cases we can
make use of these functions. Use And function when all the conditions are to be satisfied. On the other
hand, use Or function when any one condition is to be satisfied.
3. NOT Function - Not function is a negation function. It negates the logical evaluation and produces the
opposite result. In simple words, Not function will convert true into false and false into true.
4. IFERROR Function - This function may be viewed as a special case of If function. It has two arguments,
value and value if error. If the 1st value generates an error of any kind (eg. #N/A, #REF!, #VALUE!, #DIV/0!
etc.), then the value if error will be executed. If it doesn’t generate any error, then the 1st value itself will be
executed
Statistical Functions:
1. COUNTA Function - If we wish to count text ,values, errors, cells with spaces etc; we must use CountA
function
2. COUNTBLANK Function - It counts all the blank cells in a range of cells
3. LARGE & SMALL Function - LARGE returns the kth largest number from a list of numbers, and SMALL returns the
kth smallest. Sometimes we are required to fetch 3rd largest or 5th largest value. For that, this function is very useful.

Chapter 3 – Formula Auditing

We have a dedicated toolset available for the purpose of Formula Audit. It is available in Formulas Tab.

Studying interrelationships between cells:


When we try to audit formulas, sometimes we would like to dig the precedents or the dependents for few cells.
This helps us in understanding the interrelationship between the cells better. For this purpose, we can use
Trace Precedents and Trace Dependents features from the Formula Auditing Group.

Trace Precedents - A formula generally involves other cell references. Sometimes, we may like to mark them
clearly on the worksheet. For this, we can use Trace Precedents feature available in the Formula Auditing Group,
the precedent cells are marked using arrows. (Are inputs for the active cell)

Trace Dependents - These are the cells which may get affected when we modify the value of a cell. This is especially
essential when we think of deleting a cell. If a cell is deleted without bothering about tracing its dependents, the
dependent cells will lose their input cell and hence will carry a #REF! error. (They use the active cell as input)

We cannot effectively trace the precedents / dependents from other worksheets or workbooks
Go To Special for Formula Auditing:
• Sometimes, Trace Precedents and Dependents generate lot of arrows. This becomes extremely
confusing and we may wonder whether there is an alternate way of marking the precedents and
dependents. Fortunately, we do have an alternate way of doing this. It is achieved using Go To Special
feature from Home Tab
• Keep the cell pointer on the target cell and then open the Go To Special Window. Select the option of
Precedents. We also get to choose whether we want to highlight Direct only or All levels
• On clicking OK, all the Precedents are highlighted
• This is only a temporary selection and it will disappear once the active cell is moved. If you wish to retain
the highlighting permanently, you may assign a fill colour at this stage.
Error Checking:
Microsoft has developed a dedicated tool for tracking down the errors. This tool is called as ‘Error Checking’
On clicking Error Checking, MS Excel runs through the formulas in the worksheet and identifies the common
errors that may creep in while constructing formula based templates.
Error Checking only identifies certain common errors. Needless to say, it will not identify errors in the
logic behind formula construction
Evaluate Formula
We may like to observe the step-by-step execution of the formula and deduce the logic behind the formula.
Keeping this requirement in mind, Microsoft has developed the feature of Evaluate Formula
If we want a quick evaluation of only one of the parts of the formula, we can make use of the F9 key. To evaluate the
complete formula, don’t highlight any portion. Simply go inside the cell (by pressing F2) and then press F9.

Formula Auditing Tips : There are some commonly found errors which may inadvertently creep in. You should
carefully watch out for them. These errors may not be detected by the Error Checking feature.
1. Numeric Headings Included in AutoSum Totals
2. Ignoring Order of Operations - In general, one must remember the following order of calculation
which is followed by excel (or almost every other software, for that matter):
Brackets, Exponents, Division, Multiplication, Addition, Subtraction
It is easy to remember this sequence using the acronym BEDMAS.
3. Beware of Reset Error Indicators - Some common errors may occur while developing some formulas in
excel. Such errors are indicated by a green coloured triangle at the top left hand corner of the cell.
It is difficult to trace the errors by using the green triangle indicator. A better idea is to use the Error Checking
feature. This is, of course, assuming that errors are reset in the first place.
Someone may remove the error indicators put by excel in the form of the green triangle. Those can be restored by
visiting File > Options > Formulas > Reset Ignored Errors.

To look at the formulas in Excel we can use Show Formulas in the Formulas tab or press Ctrl + ~

Chapter 3 – Data Analysis using MS Excel

The core function of MS Excel as a software is data analysis. Excel helps us in deriving information out of raw
data.

1. Duplicates : Sometimes we come across a list of values which we feel may contain duplicate values. We would like to
mark such duplicate values and may also like to remove them.
Mark Duplicates : Make use of Conditional Formatting from Home Tab > Highlight Cell Rules > select
Duplicate Values > select the manner of formatting cells
Remove Duplicates : Go to Data tab > Data Tools group > click on Remove Duplicates

2. Sort: The data that we receive for audit purpose may not be arranged in the order that we desire. In such
cases, we would like to arrange the records in the data in the order that may be suitable to us.
Sort is located in the Data tab > Sort & Filter group
If we need a multi-level sort, click on the ‘Add Level’ button to add further levels (We can do Multiple
Level Sorting in Excel)
3. Filters: Sometimes we would like to short-list records out of a big dataset, on the basis of some or the other criteria.
This lets us focus on one portion of the dataset at a time. For this purpose, the most suitable tool will be
filters. Filters are available in Data Tab > Sort & Filter. On applying filters, row numbers turn to Blue
Types of Filters that can be applied – Text Filters, Colour Filter, Numeric Filter, Date Filter.
4. Pivot Tables: These are among the most powerful features of excel for data analysis. As you advance in excel proficiency,
sooner or later you are bound to use Pivot Tables for efficient data analysis. Even though it’s highly effective,
quite ironically, it is also one of the most user friendly features of excel.
• Preparing Your Data for Analyzing - We need to have a dataset in rectangular format (also known
as flat format) i.e. the data should be composed of fields placed in columns and records placed in rows.
Every column should have a heading. If there are no headings, excel cannot create a Pivot Table.
Pivot Table is available in the Insert Tab > Tables
We can either place it in a new worksheet or an existing worksheet.
• Adding Fields to Pivot Table –
1. Report Filter – Drop fields in report filters if you wish to filter the Pivot Table
2. Column Labels – Drop fields over here so that the values of the fields become column labels
3. Row Labels - Drop fields over here so that the values of the fields become Row labels
4. Values - Drop fields over here so that computations like sum, count, min, max etc. can be done on
the values of such fields.
• Changing Field Statistics - It is not necessary that we always have the sum of a field. We can also
obtain other statistics like count, min, max etc. For this, click on the field in the Values section and
select the last option, Value Field Settings
• Eliminating Blank Cells from the Data Section - Go to Options Tab > Pivot Table Group > Options >
Options > Layout & Format Tab > Format section > check box saying For empty cells Show. There enter
0.
• Report Filters - when we wish to filter one or more values present in the Pivot Table. But sometimes
we come across a situation where we are required to apply filter on the entire table based on a field which
is actually not a part of the Pivot Table. In such a case, we can make use of Report Filters.
• Pivot Tables and Recalculation - One unfortunate thing about Pivot Tables is that they don’t
automatically update themselves when the underlying data undergoes a change. This is because Excel copies the
underlying data in its memory, in order to save time in updating the Pivot Table. Therefore, for any change
in the data, we must remember to ‘Refresh’ the Pivot Table.
• Limitations of Pivot Tables-
o We cannot insert rows or columns in between a Pivot Table report.
o Pivot Tables don’t auto-update themselves. We need to refresh them.
o The data needs to be in rectangular i.e. flat format
o If the number of records is very large, Pivot Tables may respond slowly.

5. Gap Detection - We know that key documents like invoices should be serially numbered.
However, sometimes there may be some invoices which could be ‘missing’.
We could’ve simply extracted the difference between two consecutive invoice numbers. If the result is 1,
then no invoice is missing; if the result is more than 1, some invoices are missing. This would work where
we have purely numeric invoice numbers. There are also instances of repetition of invoice numbers,
which is suggested by a result of 0.
But over here, we have alphanumeric invoice numbers. Thus we cannot calculate the difference directly.
We need to separate the numeric part first by using Right / Left / Mid etc. and then apply the
aforesaid formula.
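The consecutive-difference test above, applied to alphanumeric invoice numbers, as an added Python example (not part of the original notes). The sample register, the assumed layout (a text prefix followed by a trailing serial) and the function names are assumptions; it goes beyond the text by handling several invoice series and entries that carry no serial at all.

```python
import re
from collections import defaultdict

# Constructed sample register (not from the notes): two series, skipped
# numbers, one repeated number and one entry with no serial.
SAMPLE_REGISTER = [
    "INV/23-24/0101", "INV/23-24/0102", "INV/23-24/0104", "INV/23-24/0104",
    "INV/23-24/0105", "INV/23-24/0109", "CN/23-24/0007", "CN/23-24/0008",
    "CANCELLED",
]


def split_invoice(invoice_no):
    """Split 'INV/23-24/0101' into ('INV/23-24/', 101); None if no serial.

    This is the Right()/Mid() step: isolate the trailing run of digits.
    """
    match = re.fullmatch(r"(.*?)(\d+)", invoice_no.strip())
    if match is None:
        return None
    return match.group(1), int(match.group(2))


def detect_gaps(register):
    """Apply the consecutive-difference test within each invoice series."""
    series = defaultdict(list)
    unparsed = []
    for invoice_no in register:
        parts = split_invoice(invoice_no)
        if parts is None:
            unparsed.append(invoice_no)      # needs manual follow-up
        else:
            series[parts[0]].append(parts[1])

    report = {"missing": {}, "repeated": {}, "unparsed": unparsed}
    for prefix, serials in series.items():
        serials.sort()
        missing, repeated = [], []
        for prev, cur in zip(serials, serials[1:]):
            diff = cur - prev
            if diff == 0:                    # result 0: number used twice
                if cur not in repeated:
                    repeated.append(cur)
            elif diff > 1:                   # result > 1: numbers skipped
                missing.extend(range(prev + 1, cur))
        if missing:
            report["missing"][prefix] = missing
        if repeated:
            report["repeated"][prefix] = repeated
    return report


if __name__ == "__main__":
    print(detect_gaps(SAMPLE_REGISTER))
```

Grouping by prefix before taking differences avoids false gaps when invoices and credit notes share one register.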
6. Benford’s Law: one of the most famous tools used in modern day Forensic Audits. Benford’s Law is
also known as the law of first digit. It was propounded by Frank Benford in 1938.
The probabilities are given by the formula: P(n) = log10(1 + 1/n)
where n is the leading digit or the first digit of a number.
Benford’s Law was used for the first time in Forensic Audits by Dr Mark Nigrini in 1993.
First Digit Probability
1 0.30103
2 0.17609
3 0.12494
4 0.09691
5 0.07918
6 0.06695
7 0.05799
8 0.05115
9 0.04576
Please note that if the numbers deviate from the pattern suggested by the Law, it is not conclusive
evidence of a fraud. It could still be a genuine list. Thus, it is merely an indicator of a possible fraud or
what is termed as a ‘Red Flag’!
The Conclusion drawn is Subjective
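An added Python example (not from the original notes) of a first-digit test built on the formula above. The chi-square statistic and its 5% critical value for 8 degrees of freedom (15.507) are this example's choice of deviation measure, since the notes do not prescribe one; both ledgers are constructed sample data.

```python
import math
from collections import Counter

# Assumption of this example: flag when chi-square exceeds the 5% critical
# value for 8 degrees of freedom (nine digits minus one).
CHI_SQUARE_CRITICAL_8DF_5PCT = 15.507

# Constructed ledger 1: amounts spread evenly on a log scale (100 to ~95,500),
# which is the kind of data that follows the law.
NATURAL_LEDGER = [round(100 * 10 ** (k / 50), 2) for k in range(150)]

# Constructed ledger 2: the same amounts plus 40 entries clustered just
# under a hypothetical 5,000 approval limit.
PADDED_LEDGER = NATURAL_LEDGER + [4900.0 + i for i in range(40)]


def benford_expected(digit):
    """P(n) = log10(1 + 1/n) for leading digit n in 1..9."""
    return math.log10(1 + 1 / digit)


def leading_digit(amount):
    """First significant digit, ignoring sign and scale; None for zero."""
    value = abs(amount)
    if value == 0:
        return None
    # Scientific notation starts with the first significant digit.
    return int(f"{value:.15e}"[0])


def first_digit_test(amounts):
    """Compare observed first-digit counts with the Benford expectation."""
    digits = [d for d in map(leading_digit, amounts) if d is not None]
    total = len(digits)
    if total == 0:
        raise ValueError("no non-zero amounts to test")
    observed = Counter(digits)
    rows, chi_square = [], 0.0
    for digit in range(1, 10):
        expected = total * benford_expected(digit)
        count = observed.get(digit, 0)
        chi_square += (count - expected) ** 2 / expected
        rows.append((digit, count, round(expected, 1)))
    return {
        "n": total,
        "rows": rows,                      # (digit, observed, expected)
        "chi_square": chi_square,
        # A red flag is an indicator for follow-up, not proof of fraud.
        "red_flag": chi_square > CHI_SQUARE_CRITICAL_8DF_5PCT,
    }


if __name__ == "__main__":
    for name, ledger in (("natural", NATURAL_LEDGER), ("padded", PADDED_LEDGER)):
        result = first_digit_test(ledger)
        print(name, round(result["chi_square"], 2), result["red_flag"])
        for digit, count, expected in result["rows"]:
            print(f"  {digit}: observed {count:3d}  expected {expected}")
```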
7. Stratification – This involves breaking the given data into a number of strata or categories. This is very
similar to Aging Analysis. Stratification is necessary to divide heterogeneous data into homogeneous
strata. One may use the IF function for categorization purposes. This involves using multiple IF functions.
The number of IFs required is one less than the number of categories. We need to nest these IFs one inside the
other. The formula using IF functions can be extremely long and tedious. It could be difficult to understand
or edit later. A simpler approach is to make a table of the different categories and use the VLOOKUP function.
The range lookup should be TRUE. This achieves the same output and does away with all the demerits of
IF functions. After stratification, we can take out samples from each stratum. The Left / Right function is not relevant
for Stratification.

Module II Unit 3 – Enterprise Resources Planning


Chapter 1 – ERP Over View

What is ERP Concept? - An enterprise is a group of people with a common goal, having certain
resources at its disposal to achieve this goal. Resources include money, manpower, materials, machines,
technologies etc. In the enterprise way, the entire organization is considered as one system
and all the departments are its sub-systems. Information regarding all aspects of the organization is stored
centrally and is available to all departments, so they can more easily share information and communicate
with each other. This transparency and information access ensures that the departments no longer work in
isolation pursuing their own independent goals.

Each sub-system knows what others are doing, why they are doing it and what should be done to move the
company towards the common goal. The ERP systems help to make this task easier by integrating the
information systems, enabling smooth and seamless flow of information across departmental barriers,
automating business processes and functions, and thus helping the organization to work and move forward as a
single entity.

Business Functions and Business Processes - Organizations have different functional areas
of operation – marketing and sales, production and materials management, accounting and finance, human resources
etc. Each functional area comprises a variety of business functions and business activities.

A business process is a collection of activities that takes one or more kinds of input and creates an output that is
of value to the customer. A business process cuts across more than one business function to get a task done.

Sharing data effectively and efficiently between and within functional areas leads to more efficient business
processes. Information systems can be designed so that accurate and timely data are shared between
functional areas. These systems are called Integrated Information Systems.

Business Modeling - The approach to ERP is to first develop a business model comprising the business
processes or activities that are the essence of the business. A business model is not a mathematical model, but
a representation of the business as one large system showing the interconnections and interdependencies of the
various sub-systems and business processes.
The business model is represented in graphical form using flowcharts and flow diagrams. The data model
of the system is created from the business model.

ERP and Related Technologies
1. Business Intelligence
2. Online Analytical Processing (OLAP)
3. Product Life Cycle Management (PLM)
4. Supply Chain Management (SCM)
5. Customer Relationship Management (CRM)

Business Intelligence - Business Intelligence (BI) is a tool that refers to skills, processes, technologies,
applications and practices used to facilitate better, accurate and quicker decision making. Business intelligence
systems are data-driven Decision Support Systems.

Data Warehousing - If operational data is kept in the database of the ERP system, it can create a lot of problems. As
time passes, the amount of data will increase and this will affect the performance of the ERP system. As the volume
of the data in the database increases, the performance of the database and the related application degrades. Thus,
archiving the operational data once its use is over is a better option.

Data Warehousing Functions - The definition of data elements in the data warehouse and in the data sources,
and the transformation rules that relate them, are referred to as 'metadata'. Metadata is “data about data” and is the
means by which the end-user finds and understands the data in the warehouse.

Online Analytical Processing (OLAP) - Online Analytical Processing, or OLAP, is an approach to quickly
answer multi-dimensional analytical queries. OLAP systems use the concept of an OLAP cube, also called a
multidimensional cube or a hypercube, consisting of numeric facts called measures which are categorized by
dimensions. The cube metadata is typically created from a set of tables (Facts and Dimensional) in a relational
database. Measures are derived from the records in the fact table and dimensions are derived from the dimension
tables.
Characteristics of OLAP – Fast, Analysis, Shared, Multi-Dimensional, Information.

Customer Relationship Management (CRM) - Customer Relationship Management is a corporate level
strategy, focusing on creating and maintaining relationships with customers.
There are several different approaches to CRM:
1. Operational CRM
2. Analytical CRM
3. Sales Intelligence CRM
4. Campaign Management
5. Collaborative CRM
6. Consumer Relationship CRM
7. Simple CRM
8. Social CRM

Chapter 2 – ERP Implementation

Issues on ERP Implementation


1. Fundamental Issues - Implementation of an ERP system can be long, costly, and labor-intensive and can
affect an organization's bottom line if done incorrectly. To ensure the success of any ERP implementation
project, a project team consisting of an ERP consultant, internal auditing, and IT staff familiar with the company's
business operations should be established and their role must be defined.
2. Organizational Change Process - ERP implementation requires organizations to reengineer their key
business processes. It involves reengineering of the existing processes, integration of the ERP with other business
information systems, selection of right employees, and training of employees on the new system.
3. Implementation Cost and Time- Even though the price of prewritten software is cheap compared with in-
house development, the total cost of implementation could be three to five times the purchase price of the
software. The implementation costs would increase as the degree of customization increases. After training the
selected employees, strategies such as bonus programs, company perks, salary increases, continual training and
education, and appeals to company loyalty work to retain them
4. Implementation Time: ERP systems come in modular fashion and do not have to be implemented
entirely at once. ERP packages are very general and need to be configured to a specific type of business and
may follow a phase-in approach with one module implemented at a time. Some of the most commonly installed
modules are Sales and Distribution (SD), Materials Management (MM), Production and Planning (PP),
and Finance and Controlling (FICO) modules.
5. Employee Morale - Employees working on an ERP implementation project put in long hours (as much as 20
hours per day) including seven-day weeks and even holidays. Even though the experience is valuable for their
career growth, the stress of implementation coupled with regular job duties could decrease their morale rapidly.
Leadership from upper management and support and caring acts of project leaders would certainly boost the
morale of the team members.

Introduction to Tally.ERP 9

The Tally.ERP 9 encompasses the following salient features

Simplicity, Speed, Power, Flexibility, Scalability, Concurrent multi-lingual capability, Real time processing,
Accounting without codes, Quick and Easy installation, Codeless User Interface, Multiple aliases across
languages, Extendible Units of Measure, Unlimited Grouping and Classification, Unlimited multi-user support,
Graphical analysis of data, Flexible and Extendible reporting, Data Reliability and Automatic recovery, Internal
backup/restore, Import/Export of data, Split Company Data, HTTP-XML based data interchange.

Chapter 3 & 4 – ERP Control and Audit (Tally) and Efiling

Follow the notes prepared while doing the class.

Module I Unit 1 – Auditing in an ERP Environment.

Chapter 1 – Auditing in ERP Environment.

Understand the requirements of SA 315 and SA 330 relating to IT and auditing in an ERP environment
SA 315 states that the objective of the auditor is to identify and assess the risks of material misstatement,
whether due to fraud or error, at the financial statement and assertion levels through:
• Understanding the entity and its control environment, including the entity’s internal control framework.
• Understanding the information systems environment relevant to financial reporting and communication.
• Understanding and assessing the risks associated with the relevant environment.
The auditor will have to understand the nature of the entity and the governance structure. The governance
structure will provide an indication over the Internal Control Framework.
Objectives of SA 330
SA 330 deals with the auditor’s responsibility to design and implement responses in the form of audit procedures
in response to work done as part of SA 315. The objective of the procedures is to reduce the risk of material
misstatement to an acceptable level. These audit responses will be a part of the overall audit strategy. The
strategy will set the scope, timing and direction of the audit. Depending on the level of automation achieved by a
Corporation, these audit procedures will revolve around a mixture of controls and substantive based approach. Such
audit procedures form a part of the overall financial statement audit procedures
Involvement of key team members and usage of CAATS is a part of SA 300 Planning of Audit of
Financial Statements.
Involvement of Experts in audit is covered under SA 610

ERP – Enterprise Resource Planning


POS – Point of Sale
GITC – General Information Technology Controls
CAATS – Computer Assisted Audit Techniques
ISO – International Organisation for Standardisation
PCI-DSS – Payment Card Industry – Data Security Standard
ISAE – International Standard for Assurance Engagements
SOC – Service Organisation Controls
IT Team is the owner of the application and Business team is the owner of the data within the application.
Under Clause (i) of Sub-section 3 of Section 143 of the Companies Act, 2013, the auditor has to
report whether the entity has an adequate internal financial controls system in place.
Typically, the auditors should request Display only access or Read only access to the client’s ERP
system.

Chapter 2 – General Information Technology Controls

What are General IT Controls :


“General IT controls are policies and procedures that relate to many applications and support the effective
functioning of application controls. They apply to mainframe, miniframe, and end-user environments.
General IT-controls that maintain the integrity of information and security of data commonly include controls over the
following:” (SA 315)
These are IT controls generally implemented to mitigate the IT specific risks and applied commonly across multiple
IT systems, applications and business processes. Hence, General IT controls are known as “pervasive” controls or
“indirect” controls.

There are basically four categories of General IT Controls which are as follows:
Data center and network operations
Program change
Access security
Application system acquisition, development, and maintenance (Business Applications)

How do GITCS Impact Audit :


Inaccurate processing of data, processing inaccurate data, or both
Unauthorized access to data
Direct data changes (backend changes)
Excessive access / Privileged access (super users)
Lack of adequate segregation of duties
Unauthorized changes to systems or programs
Failure to make necessary changes to systems or programs
Loss of data

ACL Audit Command Language (CAAT Tool)


AIX Unix Operating System for IBM servers
BCP Business Continuity Plan
CAATs Computer Assisted Audit Techniques
CR Change Request
CRM Customer Relationship Management (application software)
DB Data Base
DMZ De-Militarized Zone
DR Disaster Recovery
ELC Entity Level Controls
ERP Enterprise Resource Planning (application software)
GITC General Information Technology Controls
HOD Head of Department
HP-UX Unix Operating System for HP servers
HR Human Resource
IPE Information Produced by Entity (reports, etc)
IT Information Technology
LAN Local Area Network
Oracle EBS Enterprise Business Suite, ERP application software provided by Oracle Corporation
OS Operating System
RHEL Red Hat Enterprise Linux, a type of Linux Operating System
SA Standards on Auditing
SA/SOD Sensitive Access / Segregation of Duties
SAP Systems, Applications and Products in data processing, ERP application software
SDLC System Development Life Cycle, a software development methodology
SQL Structured Query Language, high-level software language for database systems
SuSE A type of Linux Operating System
UAT User Acceptance Testing
VPN Virtual Private Network
WAN Wide Area Network

Exercise-
1. What are data flows between multiple IT systems also known as – Interfaces
2. Which of the following activity from the Data center and network operations domain of GITCs is less likely to
have an impact on audit - Service Level Agreements
3. What is the risk due to default passwords - They are easy to guess, openly known, do not comply with
company’s password policy
4. Privileged users are more commonly known as, - Super users
a. Privileged users are also known as super users or administrators and have unrestricted access to
systems.
b. Business users, normal users and end users refer to the same type of users who have restricted
access to systems.
5. Segregation of duties is applicable to which layer of access security, - Application security, Database security
, Network security
6. With respect to samples selected for testing, the auditor is required to document Justification, for sample size
and how the auditor ensured Completeness of population
7. The software methodology used for carrying out program development and program changes is known as
Systems Development Life Cycle or SDLC
8. Deficiencies in GITCs will impact the reliability of automated controls, IT-dependent controls and IPEs
9. Direct data access is considered high risk because it bypasses the application controls and could compromise
data integrity
10. A Disaster Recovery Plan or DR Plan contains procedures for restoring the IT systems back to
normal state after a failure.
11. The auditor should review GITCs for all IT systems and applications used at a company - False
12. Developers and programmers should not be given access to production environment - True
13. It is more efficient to test GITCs at year-end - False
14. Batch jobs should be monitored for failures so that corrective action can be taken - True
15. Environmental controls are applicable to all layers of access security – False

Chapter 7 – Non-Standard Journal Entries

Overview:
In most ERPs these transactions are automated based on the business process. In addition to the sub-ledger entries
that arise out of business processes, the companies may also pass journal entries that impact the financial
statements.
We shall now try to understand the different types of journal entries:
1. Standard Entries - These transactions pertaining to sales, purchases, inventory, rent, audit fees, AMC
expenses, salaries etc. are subject to internal controls as defined by the company.
2. Non-Standard Entries - In addition to the automated entries, these entities also record nonrecurring,
unusual transactions or adjustment entries in the ERPs. These entries may not be subject to the same
level of rigour of the internal controls or may not have passed through any controls at all. E.g. estimation,
impairment, adjustment to amount already reported – combination, reclassification.
3. Top Up entries - These reside outside the books, e.g. in an Excel sheet, like inter-company setoff
entries etc., and may impact the Financial Statements.

SA 240 and The Guidance Note on Audit of Internal Financial Controls Over Financial Reporting , also talk about
unusual transactions and the audit procedures to deal with them.

Such NSJE are generally passed directly in the General Ledger. There is a risk of management override of controls
in passing such entries.
These NSJEs may exist only in electronic form directly in the General Ledger with no supporting physical
documents.

The points to note for understanding the business systems and processes are:
• Accounting software – ERP/customised/off the shelf packages
• IT team – in house/outsourced
• Type of entries – automated or manual etc.
• SA/SOD among IT and business teams etc.
• Timing of passing journal entries – end of day, weekend.

The points to note for understanding the fraud risk factors are:
Sales targets to be achieved – important to investors, stock holders etc.
Bonuses and incentives – employees
Debt requirements – banks etc.
The auditor should generally ask open ended questions to the management to understand if there were any
unusual activities during the year under audit.
Whether the employee who recorded entries went on vacation and if there was a substitute during that period
Whether the employee shared his user id and password with any person during the year.
Whether any entries were passed during the year without any supporting documents.

The process to ensure completeness of Data can be described as:


Extract the full list of entries.
Perform completeness testing
Based on understanding obtained from the company, identify the JE criteria to pick the
Non Standard Journal Entries.
Apply the criteria filter on the full list of JE entries
Test the filtered list of Non Standard Journal Entries.

Common methods to test for completeness of data:


Roll forward testing – Roll forward the entries passed during the year to the balances in the Trial Balance. The
auditor may use CAATS / ACL / IDEA Caseware / MS Access / Excel to perform Roll forward testing.
Procedures other than Roll Forward Testing - There are industries/sectors where the roll forward testing may not
be appropriate or feasible. For example, in banks/financial institutions/e-commerce/retail sectors where the volume
of transactions is huge, the auditor may have to think of a different method to test for completeness of data.

Software Testing of Scripts


The process of identifying NSJE and applying the JE criteria for testing is a long and time consuming process every
year. Once the auditor understands the processes and controls in place to pass Journal entries, the type of journal
entries, the information system (ERP) used to pass such entries etc., this process may be automated to build in
efficiencies within the audit. The auditor need not spend time on operational matters. This will also
assist the auditor in spending productive time performing the audit, analysing the data.
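The completeness process and roll forward test described above, scripted as an added Python example (not part of the original notes or of any audit tool). The trial balances, journal lines, field layout and selection criteria (manual source, weekend or after-hours posting, no supporting document) are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data. Debits are positive, credits negative.
OPENING_TB = {"Sales": -500000, "Debtors": 320000, "Provision": -40000}
CLOSING_TB = {"Sales": -745000, "Debtors": 545000, "Provision": -20000}
JOURNAL = [
    # (je_id, posted_at, account, amount, source, has_support)
    ("JE001", "2024-03-12 11:05", "Debtors", 150000, "AUTO", True),
    ("JE001", "2024-03-12 11:05", "Sales", -150000, "AUTO", True),
    ("JE002", "2024-03-30 22:40", "Debtors", 75000, "MANUAL", False),
    ("JE002", "2024-03-30 22:40", "Sales", -75000, "MANUAL", False),
    ("JE003", "2024-03-29 15:10", "Provision", 20000, "MANUAL", True),
    ("JE003", "2024-03-29 15:10", "Sales", -20000, "MANUAL", True),
]


def roll_forward(opening, journal, closing):
    """Opening balance + entries must equal the closing Trial Balance.

    Returns {account: closing - computed} for accounts that do not agree;
    an empty dict means the extracted population is complete.
    """
    computed = defaultdict(int, opening)
    for _je, _when, account, amount, _source, _support in journal:
        computed[account] += amount
    differences = {}
    for account in sorted(set(computed) | set(closing)):
        gap = closing.get(account, 0) - computed[account]
        if gap != 0:
            differences[account] = gap
    return differences


def flag_reasons(line):
    """JE criteria (assumed): why a line looks non-standard, if at all."""
    _je, posted_at, _account, _amount, source, has_support = line
    when = datetime.strptime(posted_at, "%Y-%m-%d %H:%M")
    reasons = []
    if source == "MANUAL":
        reasons.append("manual")
    if when.weekday() >= 5:                  # Saturday or Sunday
        reasons.append("weekend")
    if when.hour >= 20 or when.hour < 7:     # assumed office hours 07:00-20:00
        reasons.append("after hours")
    if not has_support:
        reasons.append("no support")
    return reasons


def select_nsje(journal):
    """Apply the criteria filter and collect reasons per journal entry."""
    selected = {}
    for line in journal:
        reasons = flag_reasons(line)
        if reasons:
            bucket = selected.setdefault(line[0], [])
            bucket.extend(r for r in reasons if r not in bucket)
    return selected


def nsje_procedure(opening, journal, closing):
    """Completeness first; filter only a population that rolls forward."""
    differences = roll_forward(opening, journal, closing)
    if differences:
        return {"complete": False, "differences": differences, "selected": {}}
    return {"complete": True, "differences": {},
            "selected": select_nsje(journal)}


if __name__ == "__main__":
    print(nsje_procedure(OPENING_TB, JOURNAL, CLOSING_TB))
    # An extract with one line missing fails the roll forward test.
    print(nsje_procedure(OPENING_TB, JOURNAL[:-1], CLOSING_TB))
```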

Exercise –

1. The unusual, non recurring transactions may generally be directly entered in – General Ledger (the
non-recurring transactions may not have a supporting document. To be passed in Sub ledgers, it may require
collusion among personnel. Hence, they are passed in General Ledger)
2. Estimates, impairments are generally a type of - Non Standard Journals.
3. While understanding the IT/ERP systems used to record entries, the points to note are: Accounting software
/ ERP used , Automated or Manual entries , SA/SOD among IT and Business teams , Timing of passing the
entries.
4. Some of the fraud risk factors to note which may lead to unusual transactions are: Sales Targets , Personal
gain such as Bonus, incentives , Debts requirements for banks
5. A key factor to be kept in mind while making enquiries of personnel : Ask open ended questions
6. Entries maintained outside the system and impact the financial statements : Top up entries
7. Which is the main risk due to Non Standard Journal entries: Risk of Material misstatement
8. It is possible that a Non standard journal entry may not have relevant Printed supportings
9. A common method to test for completeness of data is Roll Forward testing.
10. In industries/sectors, where volume of data is huge, Roll Forward testing may not be an appropriate way of
testing completeness of data.
11. Before testing Journal entries, it is necessary to test the controls surrounding the process of passing Journal
Entries. - True
12. One way of auditor enquiring about unusual activities at a client location is to ask Open ended questions
13. Sales Target to be achieved may be a key fraud risk factor from an investor/ stock holder perspective leading
to Non standard journal entries.
14. Debt Requirement to be achieved may be a key fraud risk factor from a bank/financial institution perspective
15. To bring in efficiencies in the process of extraction and analysis of JE data, the auditor may use Software
Scripts

NSJE - Non Standard Journal Entries


ERP – Enterprise Resource Planning
SA – Sensitive Access
SOD – Segregation of Duties
ACL – Automated Command Language
CAATS – Computer Assisted Audit Techniques

Chapter 6 – New Systems Data migration Review

Data Migration Strategy:


ERP migrations are similar to any other project and accordingly the auditor should understand the strategy and
approach that is being adopted in a particular migration project.
The key phases in any ERP migration project will consist of the following
• Planning
• System Design
• Data Conversion
• Testing
• Implementation (Go Live)
• Documentation
Masters, Balances, Line-items, Open items:
When planning a migration from an existing system to a new system, some of the important considerations
include determining an approach for migration of existing master data, historical transaction data, open items
and account balances.

When to Test?
Having obtained an understanding of the migration approach, the business environment and the IT environment, the
auditor should perform a risk assessment for each phase of the migration process and identify the risks that could
impact the audit. The auditor should design appropriate audit procedures that include evaluation of controls that are in
place to mitigate the risks. The auditor should test these controls for design and operating effectiveness.

The testing for data migrations can be performed pre-implementation, which means either immediately preceding
the Go live phase, when a substantial part of the migration has been completed, or post-implementation, meaning
after the Go live phase. The suggested approach is to perform both pre-implementation and post-implementation
reviews.

• a pre-implementation review provides an opportunity for the company to identify gaps, if any and
provides early assurance on the migration process and controls which can be useful in planning other audit
procedures better.
• a post-implementation review provides assurance on the effectiveness of migration process and controls

Exercise –
1. Which of the following is example of an ERP - SAP, Oracle R12 and In-house developed are examples of ERP.
2. Which of the following activity is part of the System Design phase of a migration - Allocation of budget happens
in Planning phase. Mock conversion is part of Data Conversion phase

3. At which phase of the migration would rollback procedures be triggered, if necessary - Rollback procedures
are defined in the Planning phase and triggered during the implementation or Go live phase, if necessary.
4. Which of the following require specific considerations during a migration,- Approach for migration of user
access and segregation of duties, open items and master data should be considered.
5. When would auditors review migration process and controls - Auditors can evaluate and test migration controls
as part of pre-implementation or post-implementation reviews, or while reviewing General IT Controls
during the audit process.

6. Documentation should be prepared and maintained for all phases of migration.


7. The auditor should evaluate the impact of deficiencies identified in the migration process.
8. A Pre-implementation review provides an opportunity for the company to identify gaps in the migration
process and address the same in a timely manner.
9. The auditor may consider using the work performed by internal auditors in accordance with guidance given in
SA 610
10. Interfaces with other systems and applications are determined during Planning phase of the migration process
11. When a pre-implementation review has been performed and the gaps have been rectified, the auditor is not
required to evaluate and test controls in the migration process. False
12. The auditor should consider using CAATs when evaluating deficiencies in migration controls. (True)
13. Migration approach and strategy will be the same for all companies. (False) - The migration approach will vary
from company to company depending on several factors including the scope and nature of migration.
14. Duplicate master data records should not be considered for migration from legacy to new system. True -
Duplicate master data is identified and discarded as part of data cleansing during migration.
15. After migrating to the new system, the data in legacy system can be discarded. False - Several factors should
be considered including legal and statutory requirements before legacy system is discarded

Chapter 5 – System Generated Report

As per the Guidance Note issued by the ICAI on Audit of Internal Financial Controls over
Financial Reporting, the data or Information Produced by the Entity (IPE) can be generally used for:
IPE is used by entity personnel to perform a relevant control.
IPE is used by the auditor to test a relevant control.
IPE is used by the auditor to perform substantive procedures.
The IPE can be in 2 forms:
Reports generated from the System
Listing/Output created manually with data from the system

Types of Reports
There could be approximately 3 types of reports that can be extracted from ERP systems. The purpose for which
these reports may be used are for analysing Financial or Operational data
• Standard Reports – These are reports that are available at the time of implementation of the ERP systems
by the entity. These reports are inbuilt into the systems
For example: Purchase Register, Sales Register, Fixed Asset Register, Cash Flow statement etc.
• Customised Reports – These reports are created by the entities with respect to their businesses, revenue
streams, divisions etc.
Here, the company has followed their own pattern or code for Chart of Accounts (CoA), Vendors, Customers
etc. For example: B/S, P&L account etc
• Database queries / Other tools etc. Queries are used to retrieve information or data from a database in a
readable format using a SELECT statement.

Validation of Reports – Accuracy of Logic, Completeness and Accuracy of Data
As per the Guidance Note, the three elements for determining the testing strategy for reports are to understand:
Source Data
Report Logic
Report Parameters
The company may have implemented a control on Quarterly Review of Aging Analysis by Finance Controller. In
such a scenario, the auditor will have to test 2 aspects of the control:
1. The Review by the Finance Controller
2. The integrity of the report.

Impact of conclusions of GITCs on Report testing


The auditor needs to understand, evaluate and test the General Information Technology Controls (GITC’s). The
results of the GITC tests will have a bearing on the procedures to be followed to test reports.
Scenario 1: Controls in all domains of GITC’s are effective and there are no relevant deficiencies. In such a
case, the auditor can follow the procedures to test the reports – both standard and customised.
Scenario 2: Controls are ineffective in all domains of GITC’s. The auditor will have to devise a more substantive
approach and other substantive procedures for testing the reports. The auditor cannot rely on just one sample to
test the completeness and accuracy assertions of the report.

Timing of Report Testing


Deciding when to test a report is a critical element of the audit. Some of the criteria to be used to decide timing of report
testing are:
• The data captured by a report is also essential in deciding the timing to test a report. A report may capture
real time data.
• Company policy – If a report is generated and used by a Company on an annual basis.
• There may be instances where the company has implemented a new ERP during the financial year. The
legacy/older ERP is no longer used. The auditor may have to test the reports in both the systems as per
the frequency of the report.
• Another important factor to be considered is the inclusion of Period end entries. The auditor will have to
understand the type of entries passed and whether they are included in the logic of the reports
Conclusion of Impact of Deficiencies in Report testing on audit
The auditor may be faced with a situation where there are deficiencies in the reports/IPE that have been tested.
The errors at a minimum may be of 2 types:
• Logic errors
• Arithmetical errors
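
The three elements above (source data, report logic, report parameters) and the two error types can be tested by reperforming the report from source, as in this added example, which is not part of the original notes. The aging buckets, as-at date, invoices and report figures are all constructed for illustration.

```python
from datetime import date

AS_AT = date(2024, 3, 31)                                # report parameter (constructed)
BUCKETS = [(30, "0-30"), (60, "31-60"), (90, "61-90")]   # assumed report logic

# Constructed source data: open invoices as (invoice no, due date, amount).
SOURCE = [
    ("INV-01", date(2024, 3, 20), 1000),
    ("INV-02", date(2024, 2, 10), 2500),
    ("INV-03", date(2023, 12, 15), 4000),
    ("INV-04", date(2024, 1, 5), 1500),
]
# Constructed report under test: invoice -> (bucket, amount), plus bucket totals.
REPORT_LINES = {
    "INV-01": ("0-30", 1000),
    "INV-02": ("31-60", 2500),
    "INV-03": ("61-90", 4000),
}
REPORT_TOTALS = {"0-30": 1000, "31-60": 2500, "61-90": 4500, "90+": 0}

def expected_bucket(due, as_at=AS_AT):
    """Reperform the aging logic independently of the report."""
    overdue_days = (as_at - due).days
    for limit, name in BUCKETS:
        if overdue_days <= limit:
            return name
    return "90+"

def retest_report(source=SOURCE, lines=REPORT_LINES, totals=REPORT_TOTALS):
    """Return (error type, reference, detail) tuples for every exception found."""
    findings = []
    for inv, due, amount in source:
        if inv not in lines:                      # completeness against source data
            findings.append(("completeness", inv, "not in report"))
            continue
        bucket, reported_amount = lines[inv]
        if reported_amount != amount:             # accuracy of the amount carried
            findings.append(("accuracy", inv, "amount differs from source"))
        if bucket != expected_bucket(due):        # logic error: wrong aging bucket
            detail = f"{bucket} should be {expected_bucket(due)}"
            findings.append(("logic", inv, detail))
    for name, total in totals.items():            # arithmetical error: bad footing
        line_sum = sum(amt for bkt, amt in lines.values() if bkt == name)
        if line_sum != total:
            detail = f"lines add to {line_sum}, total shows {total}"
            findings.append(("arithmetical", name, detail))
    return findings

if __name__ == "__main__":
    for finding in retest_report():
        print(finding)
```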

Exercise -

1. Which of the following methods is used to produce reports about data - Standard Reports, Customised Reports,
Database queries
2. SELECT statement is used to generate which type of reports - Database queries
3. The auditor may limit the test procedures to test reports when - Controls in Business process and GITC are
effective
4. What are the factors to be considered for timing of report testing - Quality and type of entries, Company Policy,
Implementation of new systems
5. Some of the reasons to test reports by auditors - Used by the auditors as part of the audit
6. Prior to testing of reports, the auditor needs to understand, evaluate and test the General Information
Technology Controls and Business Process Controls
7. On the assumption that the GITC’s are effective, the auditor needs to follow which sampling procedure to test
a report - One transaction per scenario.
8. The GITC’s are effective and a report has been tested in earlier years. In subsequent years, the auditor may
adopt an approach of testing Last change date of the report.
9. The 2 assertions generally evaluated at the time of testing reports are Completeness and Accuracy
10. System Reports which are used to analyse business operations and are extracted from systems not relevant
for financial reporting, need not be tested. - true
11. ERP – Enterprise Resource Planning
12. ROC – Registrar of Companies
13. IPE – Information Produced by the Entity
14. GITC – General Information Technology Controls

Chapter 4 – Segregation of duties and sensitive access

Sensitive Access (SA)


Sensitive access is when a user has the ability to perform critical business activities in an ERP. In other words,
business activities that carry a higher risk and could have wider impact on operations are referred to as sensitive
activities and the users who have this access are said to have sensitive access. Eg. of sensitive access in an ERP can
include ability to
• create and modify sales prices
• approve purchase orders
• master data
• payroll information
• foreign exchange rates
• period open/closure function
Segregation of Duties (SOD)
Segregation of duties refers to the separation or distribution of job roles among employees in such a way that
incompatible or conflicting job roles are assigned to different persons. Segregation of duties can be implemented as
preventive or detective control

User Access in ERP


One of the key features of an ERP is the ability to control user access to relevant business functions, activities and
operations within the ERP. Every person or individual who uses an ERP is called a “user” of the ERP and each
such user is assigned an identification called “user id” along with a corresponding secret code called
“password”. While the user id is known to all, the password is known only to the person or individual to whom the user
id is assigned.
There are several types of users within an ERP, they are
• Normal users: These users are typically regular employees who carry out day-to-day business operations
and transactions using the ERP
• System users: These users are internally used within the ERP to perform automated operations and
transactions.
• Privileged users: These are a type of super users who have very extensive or unlimited access to carry
out all or several activities in an ERP environment.
• Default users: These are users that come packaged along with the ERP software. These users are
sometimes required to setup the ERP system initially. They are also used for educational purposes, when
updating the ERP to newer versions, to facilitate remote monitoring by vendors
• Generic users: These are similar to normal users but named in such a way that represent a title, position,
designation or function, place or region within a company and do not represent an individual or person.
• Temporary users: As the name suggests, these are users who are given user id for a limited time period.
For example, guest users, auditors, consultants and support users.
• External users: These are users who do not belong to the company i.e., they are not employees but they
may still require access to the ERP. For example, vendors, customers, business partners

Procedures for Review


To audit segregation of duties and sensitive access in an ERP environment, the auditor first needs to understand the
business and IT environment in which company operates including the following
(a) understand the various business functions, organisation structure, employee job roles and responsibilities.
(b) the process that is followed for managing user access to ERP
(c) Understand the rules based on which user access has been implemented in the ERP

For example: some of the tools that are used in implementing and review of segregation of duties and sensitive
access include SAP GRC (formerly, Virsa), Oracle GRC, BIZRights, Proprietary tools

Conclusion on Impact of Deficiencies on audit


During a review of segregation of duties and sensitive access the auditor may find deficiencies in the user access
controls.
Examples of such deficiencies are given below:
(a) some users have access to prepare a purchase order and approve the same purchase order
(b) users have access to maintain vendor master data and process vendor payments
(c) users in sales department have access to maintain payroll information
(d) IT department users have access to process business transactions
Having found deficiencies, the auditor should evaluate the impact of these deficiencies on the audit.
some of the ways in which the auditor thinks through the deficiencies and assess impact on audit. Wherever
necessary, the auditor may have to obtain additional audit evidence to address the risk of material misstatement.
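
Deficiencies (a) to (d) above can be found by expanding each user's roles into activities and testing the result against the company's rules. The following is an added example, not part of the original notes; the role names, activity names, rule set and users are all constructed for illustration.

```python
# Constructed sample data: role -> activities it grants.
ROLES = {
    "PURCHASE_CLERK":   {"po_create"},
    "PURCHASE_MANAGER": {"po_approve"},
    "AP_MASTER_DATA":   {"vendor_master_maintain"},
    "AP_PAYMENTS":      {"vendor_payment_process"},
    "HR_PAYROLL":       {"payroll_maintain"},
    "SALES_ENTRY":      {"sales_invoice_create"},
}
# Business rules are defined by the company; these pairs are assumptions.
SOD_CONFLICTS = [
    ("po_create", "po_approve"),
    ("vendor_master_maintain", "vendor_payment_process"),
]
# Activity -> departments allowed to hold it (assumed rule set).
ALLOWED_DEPTS = {
    "po_create": {"Purchase"},
    "po_approve": {"Purchase"},
    "vendor_master_maintain": {"Finance"},
    "vendor_payment_process": {"Finance"},
    "payroll_maintain": {"HR"},
    "sales_invoice_create": {"Sales"},
}
USERS = [  # (user id, department, assigned roles), all constructed
    ("U001", "Purchase", ["PURCHASE_CLERK"]),
    ("U002", "Purchase", ["PURCHASE_CLERK", "PURCHASE_MANAGER"]),
    ("U003", "Finance",  ["AP_MASTER_DATA", "AP_PAYMENTS"]),
    ("U004", "Sales",    ["SALES_ENTRY", "HR_PAYROLL"]),
    ("U005", "IT",       ["AP_PAYMENTS"]),
]

def effective_access(role_names, roles=ROLES):
    """Union of activities across every role assigned to one user."""
    access = set()
    for name in role_names:
        access |= roles.get(name, set())
    return access

def review_access(users=USERS):
    """Return sorted (user id, finding type, detail) tuples."""
    findings = []
    for user_id, dept, role_names in users:
        access = effective_access(role_names)
        for first, second in SOD_CONFLICTS:      # conflicting duties held together
            if first in access and second in access:
                findings.append((user_id, "SOD", f"{first} + {second}"))
        for activity in sorted(access):          # access outside the user's function
            if dept not in ALLOWED_DEPTS.get(activity, {dept}):
                findings.append((user_id, "SA", f"{activity} held by {dept}"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in review_access():
        print(finding)
```

Conflicts are tested on the combined access of all roles, because a user can hold two individually acceptable roles that together break segregation of duties.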

Exercise –
1. Which of the following is NOT an example of an External user type - Employees
2. Business rules for implementing segregation of duties are defined by - Company
3. Examples of specialised tools to review segregation of duties and sensitive access in an ERP include, - BIZ
Rights
4. Auditors review of user access controls in an ERP environment is performed at a point-in-time. What other
controls can auditors rely upon to get evidence of operating effectiveness for full year. - General IT Controls
5. When an auditor finds a deficiency in the user access controls, what should the auditor do next -Evaluate the
deficiency and determine impact on audit
6. Sensitive access in an ERP refers to the ability of a user to perform Critical business activities.
7. Super users who have very extensive or unlimited access to carry out all or several activities in an ERP
environment are also known as Privileged users.
8. The auditor should first gain an understanding of the Business, and IT environments before auditing
segregation of duties and sensitive access in an ERP.
9. Segregation of duties can be implemented as either Preventive or Detective controls.
10. Roles make it easy to manage user access to an ER
11. False. Segregation of duties is implemented even in companies where there is no ERP.
12. False. Business rules for implementing segregation of duties should be defined by the company/management.
15. A user in purchase department has access to maintain vendor master data and process vendor invoices. This
indicates a deficiency in segregation of duties True
16. User access to an ERP is given based on user job roles and responsibilities True
17. Reliability of user access controls in an ERP depend on effectiveness of application controls False
ERP – Enterprise Resource Planning
SOD – Segregation of duties
SA – Sensitive Access
GITC – General Information Technology Controls
Role – is a logical grouping of users in an ERP that is aligned to a job function
Profile – is an internal technical grouping of authorisations, permissions and user access rights in an ERP and
is derived from a role
GRC – Governance, Risk and Compliance

Chapter 3 – Automated Application Controls


Reasons why ERP’s are implemented by companies are:
To move from manual processes to automated processes and achieve better operational efficiencies
To achieve ease of reporting due to high level of sophistication of the reports defined in ERP’s
To have a better internal control environment as ERP’s allow for processes and controls to be automated
To respond faster to competition and the outside business environment
While there are advantages and efficiencies that can be gained by automation, there is also a heightened risk of
processes and controls being compromised within the ERP. Hence, it is important for the company to implement
controls within the ERP. Such controls are called Automated Application Controls (AACs).
Another explanation is that AACs are controls that prevent applications from executing unauthorised transactions in a
manner that puts data at risk.
The objectives of AACs are to ensure
completeness of data
accuracy of data
the validity of the transactions
only authorised transactions are processed
appropriate segregation of duties.
Some of the risks that are addressed by such AAC’s are:
Risk of unauthorised personnel entering the data
Risk of personnel entering unauthorised data
Risk of inaccurate processing of data
Risk of unauthorised changes / modifications to data
Risk of data being obtained by unauthorised personnel

Types of Automated Application Controls


• Inherent controls – These controls come along with the implemented ERP. These can also be called Input
controls. These are some basic controls such as
o Debit = Credit. All transactions should match
o Validation checks
• Embedded Calculations - These are controls that also come along with the implemented ERP. These can
also be called Processing controls. These are combined with Configurable controls
Eg. depreciation is calculated automatically by the system. This process of calculation is embedded within the
ERP. However, the percentage of depreciation has to be defined for each class of asset. This is a configurable
control.
• Configurable controls – These controls are implemented by the Company at the time of installing the ERP.
These can also be called Processing controls
Eg – (1) 3 way match – The relevant fields within the Purchase Order (PO), Goods Received Note (GRN) and
Invoice should match (2) At the time of raising a Sales invoice, relevant Debtors and Debtors Control account
is debited and Sales account is credited.
• Access / Security controls – Users are provided access to the systems based on their roles and
responsibilities and job profiles. These can be called Sensitive Access and Segregation of Duties
• Automated Account Posting – Accounting entries are automatically posted in the ERP based on the
business operation performed.
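
The 3 way match named above as a configurable control can be sketched as follows. This is an added example, not part of the original notes or of any ERP's own code; the field names, the configuration keys, the quantity rule (invoice quantity may not exceed GRN quantity, GRN quantity may not exceed PO quantity) and the sample documents are assumptions.

```python
from decimal import Decimal

# Configuration the company would set at implementation (values are assumptions).
MATCH_CONFIG = {
    "exact_fields": ("po_number", "vendor_id", "item_code"),
    "price_tolerance_pct": Decimal("0"),   # 0 means invoice price must equal PO price
}

# Constructed sample documents for one purchase.
PO = {"po_number": "PO-1001", "vendor_id": "V-77", "item_code": "ITM-5",
      "quantity": 100, "unit_price": Decimal("10.00")}
GRN = {"po_number": "PO-1001", "vendor_id": "V-77", "item_code": "ITM-5",
       "quantity": 100}
INVOICE = {"po_number": "PO-1001", "vendor_id": "V-77", "item_code": "ITM-5",
           "quantity": 100, "unit_price": Decimal("10.00")}

def three_way_match(po, grn, invoice, config=MATCH_CONFIG):
    """Return a list of exceptions; an empty list means the invoice may be posted."""
    exceptions = []
    # Identifying fields must be identical on all three documents.
    for field in config["exact_fields"]:
        if len({po[field], grn[field], invoice[field]}) != 1:
            exceptions.append(f"{field} differs across PO/GRN/Invoice")
    # Quantity: do not receive more than ordered, do not bill more than received.
    if grn["quantity"] > po["quantity"]:
        exceptions.append("GRN quantity exceeds PO quantity")
    if invoice["quantity"] > grn["quantity"]:
        exceptions.append("Invoice quantity exceeds GRN quantity")
    # Price: invoice unit price against PO unit price, within the configured tolerance.
    allowed = po["unit_price"] * config["price_tolerance_pct"] / Decimal("100")
    if abs(invoice["unit_price"] - po["unit_price"]) > allowed:
        exceptions.append("Invoice unit price differs from PO unit price")
    return exceptions

if __name__ == "__main__":
    print(three_way_match(PO, GRN, INVOICE))
    print(three_way_match(PO, GRN, dict(INVOICE, quantity=120)))
```

The matching logic is fixed in code while the fields and tolerance sit in configuration, which is why changes to that configuration fall under the GITCs the auditor relies on.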

Process of identification of Automated Application Controls


SA 315 (Revised) – Identifying and assessing the risks of material misstatement through understanding the entity and
its environment
The understanding of a company’s IT environment that is obtained should be documented [Ref. SA 230 – Audit
Documentation] using any standard format or template.

The auditor via an enquiry process gets an understanding of the various business processes. The understanding of
the process flows and the controls within the processes can be documented in either of the 2 ways:
1. Process Flow Diagrams
2. Process Narratives
Timing of AACs testing and Sample Size
The auditor needs to plan for an appropriate time to test AACs. The factors to be considered to determine the timing
to test AACs are:
• The period covered under audit
• Risk associated with the control at the time of risk assessment
Based on the above factors the auditor will test the AACs. The assumptions before testing the AACs are:
GITCs are effective. This is because they assist in effective functioning of application controls including AACs
Design of the control has been evaluated and is effective.
Assess the Impact of Deficiencies
The auditor should evaluate the identified deficiencies in controls to develop a response to risk of material misstatement
as given in SA 240 “The Auditor’s Responsibilities Relating to Fraud in An Audit of Financial Statements”.

• A deficiency in a Control will not allow the management to perform their assigned functions. This deficiency
may not prevent or detect misstatements. Such deficiencies are called Design Deficiencies.
• A deficiency in operation exists when a properly designed control does not operate as designed, or when the
person performing the control does not possess the necessary authority or competence to perform the control
effectively.


Communication of Deficiencies
SA 265 - “Communicating Deficiencies in Internal Control to Those Charged with Governance and Management”
makes it necessary for the auditor to communicate control deficiencies to the Management. Prior to issuing such report
the auditor may also go through the Internal audit reports and evaluate the control deficiencies identified in the reports

The auditor must communicate in writing in sufficient advance to provide an opportunity to the company to remediate
the deficiencies before the auditor issues the report on Internal Financial controls. The auditor will have to also mention
if the deficiencies were present in the prior periods of audit.

Exercise-
1. Some of the objectives to be achieved by implementing AACs are - Completeness and Accuracy are the two
objectives of implementing AACs
2. Some of the risks that are addressed by such AAC’s are
(a) Risk of unauthorised personnel entering the data
(b) Risk of personnel entering unauthorised data
(c) Risk of inaccurate processing of data
3. Some of the examples of AACs are: Inherent, configurable, automated calculations etc. are AACs
4. Understanding the business process can be documented via Flow chart and Process Narratives are 2 ways of
documenting business processes
5. A control necessary to meet the control objective is missing. If a control is missing it is an example of Design
deficiency
6. Who is responsible for the design of internal control - Management is responsible for design of controls. Internal
auditors and Auditor are responsible for testing the controls.
7. Validation checks and Duplicate checks performed by an ERP are part of Inherent Controls
8. Interest Computation performed by an ERP is a component of Automated calculations, which form part of
AACs.
9. The Guidance Note on Internal Financial Controls over Financial Reporting refers to 9 Process flow diagrams
as a helpful form of documentation for auditors to depict the process to initiate, authorise, process, record and
report transactions.
10. Management is responsible for the design of the internal control.
11. The auditor will have to adopt a combination of Inquiry, Observation and Inspection while evaluating the
design of a control via Walkthrough process.
12. The 3 way match of fields of PO, GRN and Invoice is an example of a Configurable control.
13. True. GITCs have to be effective, to have a strategy to test AACs for operating effectiveness.
14. True. Operating effectiveness deficiency exists when the control does not operate as expected or the person
operating the control is not competent.
15. False. If there are different scenarios in a business process, then one transaction per scenario have to be
taken for a walkthrough

AAC – Automated Application Controls


SEC – Securities and Exchange Commission
SOX – Sarbanes Oxley Act 2002
ICFR – Internal Controls over Financial Reporting.
COSO – Committee of the Sponsoring Organisations of the Treadway Commission
CAPEX – Capital Expense
