Page 140 - CA Inter Bhaskar Vol 1
RISK ASSESSMENT AND INTERNAL CONTROL CA RAVI TAORI
(CNO--AAE.100) IMPACT OF IT RELATED RISKS I.E. ON SUBSTANTIVE AUDIT, CONTROLS AND REPORTING
(QNO-AAE.25) (MCQ-AAE.13)
AUDIT BHASKAR CH 03 - PART 05
IMPACT OF IT RISKS
If IT risks are high and they are not mitigated by controls, they will impact the following:

A) Controls
Automated / IT-based controls will not be reliable.
IT-dependent controls will not be reliable.
System data & reports generated need to be examined before reliance.

B) Substantive Audit Procedures
As systems are not reliable, less focus will be on Test of Controls and more focus on Substantive Audit procedures.
While checking TBD, system data & reports should first be checked for completeness and accuracy using corroborative evidence.
More effort & manpower will be required. It will increase the cost of audit and decrease efficiency and effectiveness.

C) Reporting
Deficiencies in the system should be communicated to Mgt / TCWG.
It should be reported in the audit report on IFCR.
Further, if records are unreliable then the auditor will not be able to understand and conclude. He may have to give a qualified opinion or a disclaimer in the audit report on financial statements.

The above risks, if not mitigated, could have an impact on audit in different ways. Let us understand how:
Impact on Controls
Cannot rely on automated controls, system calculation and accounting procedures built into applications.
Cannot rely on IT dependent manual controls.
Hence system data and reports should be tested substantively for completeness and accuracy.
More substantive audit work is needed.
Impact on Substantive Audit
Cannot rely on the data obtained from the system.
System data and reports should be tested substantively for completeness and accuracy.
Hence more audit evidence is needed.
We may not be able to rely on the data obtained from systems where such risks exist. This means all forms of data, information or reports that we obtain from systems for the purpose of audit have to be thoroughly tested and corroborated for completeness and accuracy.
Impact on Reporting
Communication to those charged with governance.
Modified auditor's report.
Due to the regulatory requirement for auditors to report on internal financial controls of a company, the audit report also may have to be modified in some instances.
In all the above scenarios, it is likely that the auditor will be required to obtain more audit evidence and
perform additional audit work. The auditor should also be able to demonstrate how the risks were
identified and what audit evidence was obtained and validated to address these IT risks.
Here, we should remember that as the complexity, automation and dependence of business operations on
IT systems increase, the severity and impact of IT risks increase accordingly. The auditor should
apply professional judgement in determining and assessing such risks and plan the audit response
appropriately.
To mitigate the above (and more) risks and maintain the confidentiality, integrity, availability and
security of data, companies implement IT controls. Let us learn about the various types of IT controls in
more detail.

