Professional Documents
Culture Documents
Audit Magic Charts
Audit Magic Charts
• Standardized process
• Informed decisions
• More reliable audit report
• Savings in time, cost & human effort
• End to End Understanding
• Technology AdvancementAdvancement
• Better Analytics
• Improved Risk Assessment
• Enhanced Effectiveness & Efficiency
• Better Audit Quality
• Lower Costs
Understanding-
• Changes in way entity’s systems developed & whether it results in new risks &
controls.
• New activities/changes in existing process due to new technology (eg, new revenue
streams).
• Impact of new technology on how organization obtain & use information to
support internal control functions.
271
Understanding IT Environment (IT Envt.)
(1) STAGES
Used
Application Database OS Network Server & Storage
for
Oracle Windows 2016 Packaged HP Server & Internal
BILLSYS Billing
12c Server software HDD
272
Risks arising from use of IT
SCALING
IT Dependencies
Helps to-
273
(3) ITGCs
(Shortform-FR-Financial Reporting)
1) Malware
274
• Types-
o Mobile Malware
▪ To target mobile devices
▪ Malicious downloads, phishing, unsecured Wi-Fi
o Ransomware
▪ Adversary encrypts victim’s data & provides decryption key for
payment.
▪ Malicious links by phishing emails
o Fileless Malware
▪ Uses native, legitimate tools built into system for cyber attack
▪ Does not require attacker to install any code on system.Hence
difficult to detect
o Trojan
▪ Appears legitimate software disguised as native OS program/free
downloads.
▪ Installed by social engineering techniques like phishing/bait
websites
2) Phishing
• Uses email, SMS, phone, social media, social engineering techniques to entice
victim-
o To share sensitive information like password/account no.
o To download malicious file that will install viruses on system
• Types-
o Spear Phishing
▪ Targets specific individuals/organizations by malicious emails.
▪ To steal sensitive information like login details/infect device with
malware.
o Smishing
▪ Sending text message pretending to be from reputable org.
▪ To induce people to reveal personal info-Password/credit card no.
o Vishing
▪ Voice phishing attack
▪ Fraudulent use of calls/voice msg. pretending to be from reputable
org.
▪ To induce people to reveal personal info-Password/credit card no.
o Whaling
▪ Targets senior/C-level executive employees
▪ To steal money/info/gaining access to person’s computer to execute
further cyberattacks.
3) Spoofing
275
o Domain spoofing
▪ Attacker impersonates known business with fake website/email to
fool people.
▪ Domain appears legitimate at first, but closer look will reveal
differences
o Email spoofing
▪ Targets business by emails with forged sender addresses.
▪ Recipient trusts sender & opens email-malicious link
6) Insider Threats
7) DNS Tunneling-
276
o Insiders committing malicious activities. Thus, unintended discourse of info
& fraud
o Common criminals using email phishing & hacks for fraud & theft
• Varies from organization to organization & attack to attack. Some indicative areas-
o Ransomware
o Business interruptions causing operational challenge for organization
o Regulatory costs
o Data loss, reputational loss & litigation
o Fines & penalties
o Breach of privacy
• Benefits-
o Understand accepted risks & documented compensating controls.
o Understand cyber risks, threats to org. & other financial institutions.
o Assess existing IT program & capabilities against regulatory requirements
o Align cybersecurity & IT transformation initiatives with strategic objectives
& risks.
1) IDENTIFY RISK-
• Entity-
o Conduct periodic risk assessment & develop management (mgt) strategy to
identify cybersecurity risks
o Maintain & periodically reviews information assets-i.e., Asset Management
(eg, patents)
• From governance perspective, mgt. reviews how cybersecurity risk affect ICFR
(internal controls over financial reporting)
• To determine overall responsibility for cybersecurity in business envt.,entity-
o Establish roles & responsibilities over cybersecurity
o Discuss risk assessment with TCWG
2) PROTECT RISK-
3) DETECT RISK-
277
o cybersecurity risks, its impact on business, significance & consider
disclosures.
• Review entity’s process to monitor & detect security breaches.
• Mgt. implemented anti virus/firewall logs are monitored to detect repetitive tasks
• Check if updates needed to safeguard system.
4) RESPOND TO RISK
• Entity take appropriate action to recover from attack & make sure business is
running.
• Recovery plan implemented to overcome impact
• Necessary improvements-patch upgrades, better controls, anti virus is
implemented.
278
o What systems are used to facilitate request,authorization & release of 0
wire t/f?
o Are authentication protocols defined to verify wire t/f requests?
3) Risk assessment
279
• Auditor gets first hand evidence directly from IT system as direct access given
• Widens selection of auditors from global network of experts
• Time to gather evidence spread over weeks, instead of small period that takes
personnel from daily activities
Data Analytics
• Generating & preparing meaningful info from raw system data using
processes,tools & techniques is called Data Analytics
• Audit Analytics/Audit data analytics involves-
o Analyzing large data for insights,trends,draw conclusions,informed decision
making
• Audit analytics helps-
o To discover & analyze patterns
o Identifying anomalies
o Extract other useful information in data
• Data analytics methods used in audit are called CAATs(Computer Assisted Auditing
Techniques)
• Popular tools used as part of CAATs/Examples of data analytics techniques-
o ACL (Audit Command Language)-
▪ Data extraction & analysis software for fraud detection,prevention
& risk mgt.
▪ Samples large data for pattern in transactions indicating
fraud/control weakness
▪ Eg, Analyse data to perform trial balance reconciliation during audit
o Alteryx-
▪ Consolidates financial/operational data to assess controls
▪ Audit trail is performed.No prior knowledge of coding/scripting
needed
▪ Used to automate analytics & perform machine learning-
• to search fraud patterns/speed up processes like a/cing
close,tax filing
▪ Automates periodical procedures like
reconciliations,consolidations.etc.
o Power BI-
280
▪ Business Intelligence (BI) platform providing nontechnical business
users-
• tools for aggregating, analyzing, visualizing & sharing data
▪ Uses-
• To find outliers in population
• For reporting purpose(Audit report) in interactive dashboard
to higher mgt.
o CaseWare-
▪ Provide tools conducting audit & assurance
quickly,accurately,consistently
▪ Better informed decisions
▪ Streamlines processes & eliminates routine tasks
1) INTERNET OF THINGS(IOT)
3) BLOCKCHAIN
281
• Block of information is created, replicated & distributed to all participants
• All blocks sequenced so that modification of a block disqualifies information
• Audit implications-
o Auditor consider governance,security since insecure APIs,data
confidentiality issue
o Auditor consider issue of weak blockchain application development
protocol
o Auditor consider data privacy law issues
o Auditor consider if data put on BC will result in liability for noncompliance
of law
• Risks-
o Need protocol,mgt.process,contingency plan as data can’t be accessed
without key.
o Security-Cyberattack, data hacks
o Auditor ensure that org. has data mgt. process & complies with regulations
282
o Change management risks-
▪ Not following change mgt.implementation
lifecycle,improper/incomplete testing
o RPA Strategy risk-
▪ Wrong expectation,improper KPIs,unrealistic business goals
• Auditors should-
o Gain holistic understanding of changes in industry,IT Envt. to evaluate
mgt.process for initiating,processing,recording transactions & design audit
procedures
o Consider risk from new technology & how it differs from those of traditional
system
o Consider if digital upskilling/specialists needed to determine impact of new
technology, assist in risk assessment, understanding controls. Eg,IT
Specialists.
283
(1) EXAMPLES-
2) Augmented Reality(AR)-
• Users view real world envt. with augmented elements,generated by digital devices
• Eg, Pokemon Go
3) Virtual Reality(VR)-
4)Metaverse-
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
INTERNAL AUDIT
Meaning of Internal Audit (IA)
IA provides independent assurance on effectiveness of internal control & risk mgt process to
enhance governance & achieve organizational objectives.
Objectives & scope of IA Function as per SA 610-Using the work of Internal Auditor
• listed company
• unlisted public company-
o PUSC 50cr or more in last FY,or
o turnover 200cr or more in last FY,or
o o/s loan from bank/public FI >100cr at any point of time in last FY,or
o o/s deposit 25cr or more at any point of time in last FY
• pvt. company-
o Turnover 200cr or more in last FY,or
o o/s loan from bank/public FI >100cr at any point of time in last FY
Internal Auditor-
• Individual/firm/body corporate
• CA/CMA(whether in practice or not)/Decided by Board
• May/may not employee of co.
• Part of mgt & not merely assistant
375
Std on IA(SIA)210-Managing IA Function,IA Function does activities to achieve objectives-
Developed in way that all business processes of financial & operational activities are
reviewed by internal audit function within defined time & ensuring appropriate consideration
made & balance ensured to following-
376
o Examine if reporting by exception i.e.report highlight significant & distinctive
features
• Review of Organisation Structure-
o Review manner in which activities of enterprise grouped for managerial
control
o Examine reasonableness of span of control(no. of subordinates) of each
executive
o If dual responsibility can’t be avoided,primary one should be specified
o Review SoD considered in org. structure
o Evaluate process of managerial development in enterprise
• Review of Utilisation of Resources-
o Check if proper operating std & norms established
o Review method to establish operating std & norms
o If wide divergence b/w actual & std performance.consider reason
• Review of Accomplishment of Goals & Objectives-
o Review objectives of enterprise to see if clearly stated & attainable
o Examine if objectives in precise quantifiable terms
o Sufficient flexibility in plan for improvement in implementation
• Special expertise to evaluate mgt control system,specially financial & a/cing controls
• A/cing & financial expertise
• Knowledge of commerce,law,tax,cost a/cing,economics,quantitative method,EDP
system
• Provide assurance to mgt that confidentiality of info maintained
• Understanding mgt principle,technique;ability to deal with people
• Understanding a/cing software,ERP system;knowldege of IT controls
377
• Audit managers prepare Detailed work plan & approved by Chief Internal
Auditor(CIA)
• Obtain info directly from source(to extent possible)& check correctness & integrity
• Planning+Advance intimation for interim information
• Collate data & perform analytical procedures(AP) for key trends.AP as per SIA 6
• SIA 5-Sampling (to select samples)
• Audit testing as per work plan.SIA 320-IA Evidence
• List of audit issues & control gap.SIA 350-Review & Supervision of audit
assignment.
• SIA 330-IA Documentation (for IA work papers)
SIA 370 deals with Internal auditor’s responsibility to issue only 1st type of report.
Elements in IA Report-
378
Form & content of Report-Decided by internal auditor based on judgement,in consultation
with auditee.No IA report in final form unless written draft previously shared with auditee.
• Audit scope
• Audit period
• Executive summary
• Summary of critical findings
• Detailed audit finding with elaboration on business impact & root cause of issues
Documentation-
Follow up-
• Scope & objective of IA depends on size & structure of entity & mgt
requirement.Internal auditor-areas like review of a/cing system & IC,exam. of
financial & operating info.There is overlap b/w work of IAr &EAr
• Work of IAr has imp bearing on work of EAr.Function of IAr is intergral part of IC
system
• Sec 138 of Co. act-AC/BoD,in consultation with IAr-scope,functioning,method,period
of IA
• EAr-Examine scope & effectiveness of work of IAr.
• Independence of IAr & status in org. determine effectiveness of audit
• EAr evaluate IA function to determine NTE of compliance & substantive procedures.
379
EAr appointed by
Appointment IAr appointed by AC/BoD
members
Users of report Top mgt & referred by EAr Stakeholders
IAr examine adequacy of EAr examine accuracy &
Examination
operational controls of org validity of FS
Period Continuously throughout yr Once in yr
IA report-IC weakness &
Opinion on truthfulness
Reporting effectiveness of operational
& fairness of FS
activities
Visible trail of evidence to trace info in report back to original input source.It is chronological
record of changes(creating new,updating,deleting data) to data
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434