Audit of Autonomous District Councils (in an IT environment using FAAM)

FAAM and audit in IT environment
- Guidance given in FAAM is preliminary
- Detailed instructions on audit in IT environment contained in CAG’s IT Audit manual
- A number of instructions issued from time to time on the matter available

IT in Autonomous District Councils
- Investment in IT negligible
- Investment, if at all, is basically on purchase of PCs/laptops for very basic use
- No Mission-critical systems. Basically Support systems, if at all
- Absence of separate IT department/wing

Financial Audit in an IT environment
- The Auditing Standards of the Comptroller and Auditor General of India require that
- “Where accounting or other information systems are computerized, the auditor should determine whether internal controls are functioning properly to ensure the integrity, reliability and completeness of the data.”

Impact of IT on Financial Audit
- Financial Audit Objective in an IT Environment – Changed Risk Perception
- Understanding of system essential for Planning
- Identifying Internal Controls in an IT Environment a must for audit
- Changed data retrieval methods and Substantive Tests in audit
- Use of Advanced Auditing Techniques
  - CAATs, Simulation, Test Data

Identifying controls in an IT system I
- Controls reflect the policies, procedures, practices and organizational structures designed to provide reasonable assurance that the intended objectives of the entity will be achieved.
- They ensure effectiveness and efficiency of operations, reliability of financial reporting and compliance with the rules and regulations.
- However, computer systems are efficient only if they function in the manner they are designed to and the controls provided are effective.

Identifying controls in an IT System II
- Thus it is important for the Auditor to verify that not only adequate controls exist, but that they also function effectively.
- Such controls should also be commensurate with the risk assessed so as to reduce the impact of identified risks to acceptable levels.

General controls
- General controls are controls over
  - data centre operations,
  - system software acquisition and maintenance,
  - access security, and
  - application system development and maintenance
- General Controls create the environment in which the application systems and application controls operate e.g.
  - IT policies, standards, and guidelines pertaining to IT security and information protection, application software development and change controls,
  - segregation of duties, service continuity planning, IT project management, etc.

Application Controls
- Application controls pertain to specific computer applications and include controls that help to ensure
  - proper authorization,
  - completeness,
  - accuracy and validity of transactions,
  - maintenance; and
  - other types of data input

Application controls
- Examples include
  - system edit checks to help prevent possible invalid inputs
  - system-enforced transaction controls that prevent users from performing transactions that are not part of their normal duties
  - the creation of detailed reports and transaction control totals that can be balanced by various units to the source data to ensure that all transactions have been posted completely and accurately.
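
An added example (not part of the original presentation) of the control-total check described above: a record count, an amount total and a hash total over voucher numbers are computed for the source batch and for the posted entries, and the records are then compared one by one. The voucher numbers, account codes and amounts are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Voucher:
    voucher_no: int
    account: str
    amount: Decimal


def control_totals(vouchers):
    """Record count, amount total and hash total (sum of voucher numbers)."""
    return {
        "count": len(vouchers),
        "amount": sum((v.amount for v in vouchers), Decimal("0")),
        "hash": sum(v.voucher_no for v in vouchers),
    }


def reconcile(source, posted):
    """Balance posted entries to the source batch.

    Returns (totals_diff, exceptions): totals_diff maps each control total
    that does not balance to (source value, posted value); exceptions lists
    the individual vouchers that explain the difference.
    """
    src_t, post_t = control_totals(source), control_totals(posted)
    totals_diff = {k: (src_t[k], post_t[k]) for k in src_t if src_t[k] != post_t[k]}

    src_by_no = {v.voucher_no: v for v in source}
    times_posted = Counter(v.voucher_no for v in posted)
    exceptions = set()
    for no in src_by_no:
        if times_posted[no] == 0:
            exceptions.add(("missing", no))       # in source, never posted
        elif times_posted[no] > 1:
            exceptions.add(("duplicate", no))     # posted more than once
    for p in posted:
        s = src_by_no.get(p.voucher_no)
        if s is None:
            exceptions.add(("unsupported", p.voucher_no))  # no source document
        elif (s.account, s.amount) != (p.account, p.amount):
            exceptions.add(("altered", p.voucher_no))      # differs from source
    return totals_diff, sorted(exceptions)


# Constructed sample data: voucher 102 is keyed with transposed digits,
# voucher 103 is posted twice and voucher 104 is never posted.
D = Decimal
SOURCE = [Voucher(101, "8443", D("1200.00")), Voucher(102, "2202", D("560.50")),
          Voucher(103, "2210", D("75.25")), Voucher(104, "8443", D("300.00")),
          Voucher(105, "2202", D("980.00"))]
POSTED = [Voucher(101, "8443", D("1200.00")), Voucher(102, "2202", D("650.50")),
          Voucher(103, "2210", D("75.25")), Voucher(103, "2210", D("75.25")),
          Voucher(105, "2202", D("980.00"))]

if __name__ == "__main__":
    diff, exceptions = reconcile(SOURCE, POSTED)
    print("Control totals out of balance:", diff)
    print("Exceptions:", exceptions)
```

In the sample the record count balances even though one voucher is missing, because the duplicate posting offsets it; the hash total and the record-level comparison expose both.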

Financial Audit in an IT environment
- The overall objective and scope of an audit remain the same in an IT environment.
- The processing, storage, retrieval and communication of financial information changes, which may affect the accounting and internal control systems employed by the auditee organization.
- Thus the IT environment may affect:
  - the procedures followed by the auditor in obtaining a sufficient understanding of the accounting and internal control systems
  - the auditor’s evaluation of inherent risk and control risk through which the auditor arrives at the risk assessment
  - the auditor’s design and performance of tests of control and substantive procedures appropriate to meet the audit objective

Financial Audit in an IT environment
- While determining the effect of the IT environment on the financial audit, the auditor should evaluate,
  - the extent to which the IT environment is used to record, compile and analyze accounting information;
  - the system of internal control in existence in the auditee organization with regard to
    - flow of authorized, correct and complete data to the processing center
    - processing, analysis and reporting tasks undertaken in the installation
  - the impact of computer-based accounting system on the audit trail that could otherwise be expected to exist in an entirely manual system.

To check effectiveness of controls
- Effectiveness of controls over the information technology processes that have a direct impact on the processing of financial information could be judged by the following procedures:
  - determine the scope of audit analysis of the information technology processes by identifying how they support important business processes and the processing of financial information;
  - obtain background information about the auditee organization’s IT environment, including information about and applications supporting the critical business processes, together with the underlying platforms and those to which they are networked;

To check effectiveness of controls
  - Conduct a walk-through of those information technology processes deemed to have a direct and important effect on the processing of financial information to confirm the auditor’s understanding of the process design and related controls; and
  - Based upon the understanding of the information technology processes, evaluate the effectiveness of the design of each of the major information technology processes and related internal controls.

To evaluate reliability of accounting and controls
- The auditor should check whether the systems:
  - ensure that authorised, correct and complete data is made available for processing;
  - provide for timely detection and correction of errors;
  - ensure that in case of interruption in the working of the IT environment due to power, mechanical or processing failures, the system restarts without distorting the completion of the entries and records;
  - ensure the accuracy and completeness of output;
  - provide adequate data security against fire and other calamities, wrong processing, frauds etc.;
  - prevent unauthorized amendments to the programs; and
  - provide for safe custody of source code of application software and data files.

Audit procedures
- The auditor should consider the IT environment in designing audit procedures to reduce audit risk to an acceptably low level. He should check whether:
  - adequate procedures exist to ensure that the data transmitted is correct and complete; and
  - cross-verification of records, reconciliation statements and control systems between primary and subsidiary records do exist and are operative and that accuracy of computer compiled records is not assumed.
- The methods of applying audit procedures to gather evidence may be influenced by the methods of computer processing.

Audit procedures
- The auditor can use manual audit procedures, or computer-assisted audit techniques, or a combination of both to obtain sufficient evidence.
- The IT Systems can help the auditor in using analytical procedures (for analyzing ratios and trends, identifying unusual items, etc.) and in using sampling techniques and generating random samples. IT Systems can facilitate the application of Monetary Unit Sampling, which is widely used in financial audit.
- The auditor can also extract the relevant records required by him using IDEA or other package.
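
An added example (not part of the original presentation) of Monetary Unit Sampling by systematic selection: every rupee of book value is a sampling unit, a random start is drawn within the sampling interval, and the voucher containing each selected rupee is pulled for testing. The voucher ids, amounts and function names are constructed for illustration.

```python
import random

# Constructed sample ledger: (voucher id, book value in whole rupees).
VOUCHERS = [
    ("V001", 500), ("V002", 12000), ("V003", 1500), ("V004", 300),
    ("V009", -200),  # credit entry: holds no positive monetary units
    ("V005", 45000), ("V006", 2500), ("V007", 800), ("V008", 7400),
]


def sampling_interval(items, sample_size):
    """Positive book value divided by the planned number of selections."""
    total = sum(value for _, value in items if value > 0)
    interval = total // sample_size  # rounding down can only add a selection
    if interval < 1:
        raise ValueError("sample size exceeds the monetary units available")
    return interval


def random_start(interval, seed):
    """Random start in [0, interval); a recorded seed allows re-performance."""
    return random.Random(seed).randrange(interval)


def mus_select(items, interval, start):
    """Return the ids of items containing the rupees start, start+interval, ...

    Each item is listed once even if several selected rupees fall inside it,
    so any item at least as large as the interval is always selected.
    """
    if not 0 <= start < interval:
        raise ValueError("start must lie within the first interval")
    selected, cumulative, next_hit = [], 0, start
    for item_id, value in items:
        if value <= 0:
            continue  # zero and negative balances need separate procedures
        cumulative += value
        hit = False
        while next_hit < cumulative:  # selected rupee falls inside this item
            hit = True
            next_hit += interval
        if hit:
            selected.append(item_id)
    return selected


if __name__ == "__main__":
    interval = sampling_interval(VOUCHERS, sample_size=7)
    start = random_start(interval, seed=2024)
    print("interval:", interval, "start:", start)
    print("selected:", mus_select(VOUCHERS, interval, start))
```

With seven planned selections the interval is Rs. 10,000, so the Rs. 45,000 voucher is selected whatever the random start, while small vouchers are selected only in proportion to their value.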

Documentation
- The auditor should document the audit plan, the nature, timing and extent of audit procedures performed and the conclusions drawn from the evidence obtained.
- If audit evidence is in the electronic form, the auditor should satisfy himself that such evidence is adequately and safely stored and is retrievable in its entirety as and when required.
- The authenticity of the audit evidence should be ensured beyond all reasonable doubt.

IT, IT Audit and IAAD (1)
- Voucher Level Computerisation in A&E offices
- Computerisation of Pension and GPF functions
- Audit Management System (AMS)
- PM’s award for IT initiative

IT, IT Audit and IAAD (2)
- Department’s involvement in IT projects/systems involving estimated expenditure above Rs. 10 crore at three stages of SDLC –
  - After the work of the system design is completed but before the computer programmes are written up
  - After the computer programmes are written up and tested and new system is introduced
  - After the system is introduced at pilot stage but before it is replicated
- Is the Department ready for this?

IT, IT Audit and IAAD (3)
- Standard Audit Tool adopted by IAAD –
  i. Microsoft Office including Microsoft Access
  ii. IDEA
  iii. Structured Query Language (SQL)
- CoBIT framework
- Criticality Assessment Tool

Thank You