Page 231 - CA Final Audit Titanium Full Book. (With Cover Pages)
CA Ravi Taori
(CNO DAA.120) Know how to identify the IT dependencies impacting the Audit
Why is it important to identify IT dependencies?
Clearly documenting IT dependencies helps us understand the entity's IT reliance, assess risks, and devise an
efficient audit strategy.
How do IT dependencies arise?
IT dependencies are created when IT is used to initiate, authorize, record, process, or report transactions or other
financial data for inclusion in financial statements.
There are five types of IT dependencies as described below:
(Shortcut: dependencies on CS-AIR)
Calculations: IT systems handle calculations, replacing manual processes. The system might apply a straight-line
depreciation formula or calculate an invoice amount based on price and quantity.
Security: The IT environment ensures security and segregation of duties to prevent and detect errors, fraud, or
undetected process mistakes.
Automated Controls: These controls in the IT environment enforce business rules. Examples include purchase
order workflow approvals, specific format checks, non-duplication of customer numbers, and transaction
amount limits.
Interfaces: These transfer data between IT systems. An example is moving data from a payroll subledger to the
general ledger.
Reports: These are outputs from IT systems used for manual controls, business performance reviews, or by
auditors for testing. Examples are vendor master and customer ageing reports.
Understanding and responding to risks arising from IT dependencies
IT dependencies: When auditors recognize IT dependencies crucial to the entity's financial processes, they must
understand management's response to the related risks.
ITGC Implementation: Management may use information technology general controls (ITGCs) to mitigate
risks related to IT dependencies.
The illustration below gives an overview of the control objectives and controls for each area of General IT
Controls:
Access Security: To meet financial reporting objectives, access to programs and data is authenticated and
authorized. This includes proper review and authorization of access requests, prompt removal of terminated
users' access, periodic review and monitoring of access rights and transactions of sensitive IDs, maintenance of
security policies and procedures, and restriction of access to the operating system and database.
Program Change: To ensure that modified systems continue to meet financial reporting objectives, change
management policies and procedures are maintained. This includes segregation of development, testing, and
production environments for application configuration changes, adequate tracking and recording of changes,
thorough testing and approval of changes before migration into production, approval of emergency changes,
and maintenance of segregation of duties between developers and implementers.
Data Centre & Network Operation: To meet financial reporting objectives, production systems are
appropriately backed up. This includes maintaining policies and procedures for data backup and recovery,
ensuring data is backed up and recoverable, performing restoration testing, monitoring compliance with service
level agreements, and restricting and monitoring access to batch job schedules.
IT Dependency & ITGCs: If IT dependencies are identified, auditors should include ITGCs in their tests. If
controls around the IT environment are not effectively implemented or operating, the IT dependencies and
ITGCs cannot be relied upon.
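The following is an added example, not part of the original book: a sketch of how two of the ITGC tests described above (prompt removal of terminated users' access, and approval plus developer/implementer segregation for program changes) can be run over system extracts. The CSV column names, the sample rows, and the one-day removal threshold are all assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample extracts; column names and values are assumptions.
HR_LEAVERS = """user_id,termination_date
u101,2024-03-01
u102,2024-03-10
u103,2024-03-15
"""
ACCOUNTS = """user_id,status,disabled_on
u101,disabled,2024-03-01
u102,disabled,2024-03-20
u103,active,
u104,active,
"""
CHANGES = """change_id,developer,implementer,approver
C1,dev_a,ops_x,mgr_1
C2,dev_b,dev_b,mgr_1
C3,dev_a,ops_x,
"""

def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def leaver_exceptions(hr_csv, accounts_csv, as_of, max_days=1):
    """Leavers whose access outlived termination by more than max_days (no removal date counts as active)."""
    accounts = {r["user_id"]: r for r in _rows(accounts_csv)}
    out = []
    for r in _rows(hr_csv):
        acct = accounts.get(r["user_id"])
        if acct is None:
            continue  # leaver never had an account in this system
        term = date.fromisoformat(r["termination_date"])
        removed = acct["disabled_on"] if acct["status"] == "disabled" else ""
        end = date.fromisoformat(removed) if removed else as_of
        lag = (end - term).days
        if lag > max_days:
            out.append((r["user_id"], "late removal" if removed else "still active", lag))
    return out

def change_exceptions(changes_csv):
    """Changes migrated by their own developer, or with no approver recorded."""
    out = []
    for r in _rows(changes_csv):
        if r["developer"] == r["implementer"]:
            out.append((r["change_id"], "developer migrated own change"))
        if not r["approver"].strip():
            out.append((r["change_id"], "no approval recorded"))
    return out
```

Each returned tuple is an exception to follow up with management; an empty list for the period supports, but does not by itself prove, that the control operated effectively.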
(CNO DAA.140) Assessing Cyber Risks
What is Cyber Risk:
Definition: A cyber-attack is an unauthorized attempt to access a computing system or network intending to
cause damage, steal, expose, alter, disable, or destroy data.
www.auditguru.in 12.6