Audit of Autonomous District Councils ( in an IT environment using FAAM )

DESCRIPTION

Audit of Autonomous District Councils (in an IT environment using FAAM). FAAM and audit in IT environment. Guidance given in FAAM is preliminary. Detailed instructions on audit in IT environment contained in CAG’s IT Audit manual. PowerPoint PPT presentation.

Page 1: Audit of Autonomous District Councils  ( in an IT environment using FAAM )

Audit of Autonomous District Councils (in an IT environment using FAAM)

Page 2: Audit of Autonomous District Councils  ( in an IT environment using FAAM )

FAAM and audit in IT environment

• Guidance given in FAAM is preliminary
• Detailed instructions on audit in IT environment contained in CAG’s IT Audit manual
• A number of instructions issued from time to time on the matter available

Page 3: Audit of Autonomous District Councils  ( in an IT environment using FAAM )

IT in Autonomous District Councils

• Investment in IT negligible
• Investment, if at all, is basically on purchase of PCs/laptops for very basic use
• No mission-critical systems. Basically support systems, if at all
• Absence of separate IT department/wing

Page 4: Audit of Autonomous District Councils  ( in an IT environment using FAAM )

Financial Audit in an IT environment

The Auditing Standards of the Comptroller and Auditor General of India require that

“Where accounting or other information systems are computerized, the auditor should determine whether internal controls are functioning properly to ensure the integrity, reliability and completeness of the data.”

Page 5: Audit of Autonomous District Councils  ( in an IT environment using FAAM )

Impact of IT on Financial Audit

• Financial Audit Objective in an IT Environment – Changed Risk Perception
• Understanding of system essential for planning
• Identifying internal controls in an IT environment a must for audit
• Changed data retrieval methods and substantive tests in audit
• Use of Advanced Auditing Techniques: CAATs, Simulation, Test Data

Page 6: Audit of Autonomous District Councils  ( in an IT environment using FAAM )

Identifying controls in an IT system I

• Controls reflect the policies, procedures, practices and organizational structures designed to provide reasonable assurance that the intended objectives of the entity will be achieved.
• They ensure effectiveness and efficiency of operations, reliability of financial reporting and compliance with the rules and regulations.
• However, computer systems are efficient only if they function in the manner they are designed to and the controls provided are effective.

Page 7: Audit of Autonomous District Councils  ( in an IT environment using FAAM )

Identifying controls in an IT system II

• Thus it is important for the Auditor to verify that not only adequate controls exist, but that they also function effectively.
• Such controls should also be commensurate with the risk assessed so as to reduce the impact of identified risks to acceptable levels.

Page 8: Audit of Autonomous District Councils  ( in an IT environment using FAAM )

General controls

• General controls are controls over
    • data centre operations,
    • system software acquisition and maintenance,
    • access security, and
    • application system development and maintenance
• General controls create the environment in which the application systems and application controls operate, e.g.
    • IT policies, standards, and guidelines pertaining to IT security and information protection, application software development and change controls,
    • segregation of duties, service continuity planning, IT project management, etc.

Page 9: Audit of Autonomous District Councils  ( in an IT environment using FAAM )

Application controls

• Application controls pertain to specific computer applications and include controls that help to ensure
    • proper authorization,
    • completeness,
    • accuracy and validity of transactions,
    • maintenance; and
    • other types of data input

Page 10: Audit of Autonomous District Councils  ( in an IT environment using FAAM )

Application controls

Examples include

• system edit checks to help prevent possible invalid inputs
• system-enforced transaction controls that prevent users from performing transactions that are not part of their normal duties
• the creation of detailed reports and transaction control totals that can be balanced by various units to the source data to ensure that all transactions have been posted completely and accurately.
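An added example, not part of the original presentation, of how transaction control totals can be balanced to the source data. The voucher numbers, amounts and function names are constructed for illustration; the sample shows a dropped voucher masked by a duplicate of equal value, which the record count and amount total miss but the hash total catches.

```python
from collections import Counter
from decimal import Decimal

# Constructed sample data: vouchers as entered by the originating unit ...
SOURCE = [
    {"voucher": 1001, "amount": "1200.50"},
    {"voucher": 1002, "amount": "500.00"},
    {"voucher": 1003, "amount": "500.00"},
    {"voucher": 1004, "amount": "75.25"},
]
# ... and as posted: 1003 was dropped and 1002 keyed twice (same amount).
POSTED = [
    {"voucher": 1001, "amount": "1200.50"},
    {"voucher": 1002, "amount": "500.00"},
    {"voucher": 1002, "amount": "500.00"},
    {"voucher": 1004, "amount": "75.25"},
]


def control_totals(records):
    """Record count, amount total and hash total (sum of voucher numbers)."""
    return {
        "count": len(records),
        "amount": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        "hash": sum(int(r["voucher"]) for r in records),
    }


def reconcile(source, posted):
    """Balance posted entries to the source batch; return (balanced, findings)."""
    src_tot, post_tot = control_totals(source), control_totals(posted)
    findings = []
    for key in ("count", "amount", "hash"):
        if src_tot[key] != post_tot[key]:
            findings.append(
                f"{key} total differs: source={src_tot[key]} posted={post_tot[key]}")
    # Totals only say that something is wrong; the detail pass says what.
    src = {r["voucher"]: Decimal(r["amount"]) for r in source}
    seen = Counter(r["voucher"] for r in posted)
    for voucher in sorted(src):
        if seen[voucher] == 0:
            findings.append(f"voucher {voucher} not posted")
        elif seen[voucher] > 1:
            findings.append(f"voucher {voucher} posted {seen[voucher]} times")
    for r in posted:
        voucher = r["voucher"]
        if voucher not in src:
            findings.append(f"voucher {voucher} posted without source document")
        elif Decimal(r["amount"]) != src[voucher]:
            findings.append(
                f"voucher {voucher} amount altered: {src[voucher]} -> {r['amount']}")
    return (not findings, findings)


if __name__ == "__main__":
    balanced, findings = reconcile(SOURCE, POSTED)
    print("balanced" if balanced else "\n".join(findings))
```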

Page 11: Audit of Autonomous District Councils  ( in an IT environment using FAAM )

Financial Audit in an IT environment

• The overall objective and scope of an audit remain the same in an IT environment.
• The processing, storage, retrieval and communication of financial information change, which may affect the accounting and internal control systems employed by the auditee organization.
• Thus the IT environment may affect:
    • the procedures followed by the auditor in obtaining a sufficient understanding of the accounting and internal control systems
    • the auditor’s evaluation of inherent risk and control risk through which the auditor arrives at the risk assessment
    • the auditor’s design and performance of tests of control and substantive procedures appropriate to meet the audit objective

Page 12: Audit of Autonomous District Councils  ( in an IT environment using FAAM )

Financial Audit in an IT environment

While determining the effect of the IT environment on the financial audit, the auditor should evaluate,

• the extent to which the IT environment is used to record, compile and analyze accounting information;
• the system of internal control in existence in the auditee organization with regard to
    • flow of authorized, correct and complete data to the processing center
    • processing, analysis and reporting tasks undertaken in the installation
• the impact of computer-based accounting system on the audit trail that could otherwise be expected to exist in an entirely manual system.

Page 13: Audit of Autonomous District Councils  ( in an IT environment using FAAM )

To check effectiveness of controls

Effectiveness of controls over the information technology processes that have a direct impact on the processing of financial information could be judged by the following procedures:

• determine the scope of audit analysis of the information technology processes by identifying how they support important business processes and the processing of financial information;
• obtain background information about the auditee organization’s IT environment, including information about and applications supporting the critical business processes, together with the underlying platforms and those to which they are networked;

Page 14: Audit of Autonomous District Councils  ( in an IT environment using FAAM )

To check effectiveness of controls

• Conduct a walk-through of those information technology processes deemed to have a direct and important effect on the processing of financial information to confirm the auditor’s understanding of the process design and related controls; and
• Based upon the understanding of the information technology processes, evaluate the effectiveness of the design of each of the major information technology processes and related internal controls.

Page 15: Audit of Autonomous District Councils  ( in an IT environment using FAAM )

To evaluate reliability of accounting and controls

The auditor should check whether the systems:

• ensure that authorised, correct and complete data is made available for processing;
• provide for timely detection and correction of errors;
• ensure that in case of interruption in the working of the IT environment due to power, mechanical or processing failures, the system restarts without distorting the completion of the entries and records;
• ensure the accuracy and completeness of output;
• provide adequate data security against fire and other calamities, wrong processing, frauds etc.;
• prevent unauthorized amendments to the programs; and
• provide for safe custody of source code of application software and data files.

Page 16: Audit of Autonomous District Councils  ( in an IT environment using FAAM )

Audit procedures

• The auditor should consider the IT environment in designing audit procedures to reduce audit risk to an acceptably low level. He should check whether:
    • adequate procedures exist to ensure that the data transmitted is correct and complete; and
    • cross-verification of records, reconciliation statements and control systems between primary and subsidiary records do exist and are operative and that accuracy of computer compiled records is not assumed.
• The methods of applying audit procedures to gather evidence may be influenced by the methods of computer processing.

Page 17: Audit of Autonomous District Councils  ( in an IT environment using FAAM )

Audit procedures

• The auditor can use manual audit procedures, or computer-assisted audit techniques, or a combination of both to obtain sufficient evidence.
• The IT Systems can help the auditor in using analytical procedures (for analyzing ratios and trends, identifying unusual items, etc.) and in using sampling techniques and generating random samples. IT Systems can facilitate the application of Monetary Unit Sampling, which is widely used in financial audit.
• The auditor can also extract the relevant records required by him using IDEA or other package.
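An added example, not part of the original presentation, of Monetary Unit Sampling by systematic selection: each rupee of book value is a sampling unit, so a voucher larger than the sampling interval is always drawn. It is written in Python rather than IDEA, and the voucher list, amounts and function name are constructed for illustration.

```python
import random

# Constructed sample population: (voucher id, book value in whole rupees).
VOUCHERS = [
    ("V-01", 12000), ("V-02", 300), ("V-03", 4500), ("V-04", 90000),
    ("V-05", 700), ("V-06", 2500), ("V-07", 15000), ("V-08", 25000),
]


def mus_select(items, sample_size, start=None):
    """Systematic monetary unit sampling.

    Returns (interval, hits), where hits maps each selected voucher to the
    number of sampled rupees that fell inside it. `start` is the random
    starting rupee in 1..interval; pass it explicitly to make a selection
    reproducible in the working papers.
    """
    if sample_size < 1:
        raise ValueError("sample size must be at least 1")
    if any(amount <= 0 for _, amount in items):
        # Zero and negative balances have no chance of selection under MUS
        # and must be tested separately.
        raise ValueError("MUS needs positive book values")
    total = sum(amount for _, amount in items)
    interval = total // sample_size
    if interval < 1:
        raise ValueError("sample size exceeds population value")
    if start is None:
        start = random.SystemRandom().randint(1, interval)
    if not 1 <= start <= interval:
        raise ValueError("start must lie within the first interval")

    hits = {}
    next_hit, cumulative = start, 0
    for voucher, amount in items:
        cumulative += amount          # this voucher covers rupees up to here
        while next_hit <= cumulative:  # every sampled rupee inside it
            hits[voucher] = hits.get(voucher, 0) + 1
            next_hit += interval
    return interval, hits


if __name__ == "__main__":
    interval, hits = mus_select(VOUCHERS, sample_size=5, start=7000)
    print("sampling interval:", interval)
    for voucher, count in hits.items():
        print(voucher, "selected, sampled rupees inside it:", count)
```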

Page 18: Audit of Autonomous District Councils  ( in an IT environment using FAAM )

Documentation

• The auditor should document the audit plan, the nature, timing and extent of audit procedures performed and the conclusions drawn from the evidence obtained.
• If audit evidence is in the electronic form, the auditor should satisfy himself that such evidence is adequately and safely stored and is retrievable in its entirety as and when required.
• The authenticity of the audit evidence should be ensured beyond all reasonable doubt.

Page 19: Audit of Autonomous District Councils  ( in an IT environment using FAAM )

IT, IT Audit and IAAD (1)

• Voucher Level Computerisation in A&E offices
• Computerisation of Pension and GPF functions
• Audit Management System (AMS)
• PM’s award for IT initiative

Page 20: Audit of Autonomous District Councils  ( in an IT environment using FAAM )

IT, IT Audit and IAAD (2)

Department’s involvement in IT projects/systems involving estimated expenditure above Rs. 10 crore at three stages of SDLC –

• After the work of the system design is completed but before the computer programmes are written up
• After the computer programmes are written up and tested and new system is introduced
• After the system is introduced at pilot stage but before it is replicated

Is the Department ready for this?

Page 21: Audit of Autonomous District Councils  ( in an IT environment using FAAM )

IT, IT Audit and IAAD (3)

• Standard Audit Tool adopted by IAAD –
    i. Microsoft Office including Microsoft Access
    ii. IDEA
    iii. Structured Query Language (SQL)
• CoBIT framework
• Criticality Assessment Tool

Page 22: Audit of Autonomous District Councils  ( in an IT environment using FAAM )

Thank You