Page 69 - CA Inter Audit PARAM
CA Ravi Taori
QNO IT Risks Old Course -- (M16E/M19R)
ICS.13 Bhaskar CNO- SA315-P2.340
What are the specific risks related to internal control in an IT environment?
OR
Which are the specific risks to the internal control of a company having an IT environment?
Answer: Risks because of IT Systems
IT systems also pose specific risks to an entity’s internal control. They are:
(First Comes IT Personnel)
➢ IT personnel gaining access privileges beyond those necessary
The possibility of IT personnel gaining access privileges beyond those necessary to perform
their assigned duties thereby breaking down segregation of duties. (Approved Purchase &
Payment)
(Then comes Data)
➢ Unauthorised Access to Data leading to destruction, unauthorised transaction, non-existent
transaction / Potential loss of Data
Unauthorised access to data that may result in destruction of data or improper changes to
data, including the recording of unauthorised or non-existent transactions, or inaccurate
recording of transactions. Particular risks may arise where multiple users access a common
database.
Potential loss of data or inability to access data as required. (Ransomware)
(Then happened processing)
➢ Manual Intervention / Inaccurate Processing / Processing Inaccurate Data
Inappropriate manual intervention.
Reliance on systems or programs that are inaccurately processing data, processing
inaccurate data, or both. (TDS Calculator / NPA Calculator)
(If required Changes)
➢ Failure to make Changes / Unauthorised changes to systems / Unauthorised changes to
Master Files
Failure to make necessary changes to systems or programs. (Boss shifted to Office 365, Rest
of the office on Office 2007)
Unauthorised changes to systems or programs.
Unauthorised changes to data in master files.
QNO Relevance of Controls for Audit Old Course -- (M21R/M21E/M22M/N22R)
ICS.14 Bhaskar CNO- SA315-P2.065 New Course -- (J25M)
KR & Associates, an auditor of FDP Ltd., observed that the company has implemented various internal
controls addressing financial reporting, operational efficiency, and compliances during their preliminary
evaluation. CA Karan suggests that all controls should be assessed to mitigate the risk of material
misstatement in the financial statements, while CA Rajat is of the view that only those controls deemed
relevant to the audit should be assessed based on professional judgment.
Comment, whether the auditor should assess all the internal controls or limit the assessment to only those
considered relevant by the auditor during the audit. Also, discuss the factors influencing the auditor's
judgment on the relevance of controls.
OR
Factors relevant to the auditor’s judgment about whether a control, individually or in combination with
others, is relevant to the audit may include such matters as materiality, the significance of the related risk
etc. Explain in detail.
Answer: There is a direct relationship between an entity’s objectives and the controls it implements to provide
reasonable assurance about their achievement. FDP Ltd. has implemented internal controls addressing
financial reporting, operational efficiency, and compliance. However, not all of these objectives and
controls are relevant to the auditor’s risk assessment.
Factors relevant to the auditor’s judgment about whether a control, individually or in combination with
others, is relevant to the audit may include such matters as the following
www.auditguru.in 3.24

