Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: 14 Standard on Internal Audit - SIA 14 Internal Audit in an Information Technology Environment

  1. #1

    Default 14 Standard on Internal Audit - SIA 14 Internal Audit in an Information Technology Environment

    Standard on Internal Audit (SIA) 14
    Internal Audit in an Information Technology Environment

    The following is the text of the Standard on Internal Audit (SIA) 14, Internal Audit in An Information Technology Environment, issued by the Institute of Chartered Accountants of India. The Standard should be read in the conjunction with the “Preface to the Standards on Internal Audit”, issued by the Institute.
    In terms of the decision taken by the Council of the Institute at its 260th meeting held in June 2006, the following Standard on Internal Audit shall be recommendatory in nature in the initial period. The Standard shall become mandatory from such date as may be notified by the Council in this regard.

  2. #2

    Default Introduction of internal audit


    1. The purpose of this Standard on Internal Audit (SIA) is to establish standards on procedures to be followed when an internal audit is conducted in an information technology (IT) environment. An information technology environment exists when one or more computer(s) of any type or size is (are) involved in the processing of financial information, including quantitative data, and other types of information processing whether those computers are
    operated by the entity or by a third party. An IT system is a system that uses technology to capture, classify, summarize and report data in a meaningful manner to interested users, including an enterprise resource planning (ERP) system.

    2. The overall objective and scope of an internal audit does not change in an IT environment. However, the use of a computer changes the processing, storage, retrieval and communication of financial information and the interplay of processes, systems and control procedures. This may affect the internal control systems employed by the entity. Accordingly, an IT environment may affect:

    1. the procedures followed by the internal auditor in obtaining a sufficient understanding of the processes, systems and internal control system; and

    2. the auditor's review of the entity's risk management and continuity systems.

  3. #3

    Default IT Environment – Matters to Consider in internal audit

    IT Environment – Matters to Consider

    3. The internal auditor should consider the effect of an IT environment on the internal audit engagement, inter alia:

    1. the extent to which the IT environment is used to record, compile, process and analyse information; and

    2. the system of internal control in existence in the entity with
    regard to:

    * the flow of authorised, correct and complete data to the processing centre;

    * the processing, analysis and reporting tasks undertaken in the installation; and

    * the impact of computer based accounting system on the audit trail that could otherwise be expected to exist in an entirely manual system.

  4. #4

    Default Skills and Competence in internal audit

    Skills and Competence

    4. The internal auditor should have sufficient knowledge of the information technology systems to plan, direct, supervise, control and review the work performed. The sufficiency of knowledge would depend on the nature and extent of the IT environment. The internal auditor should consider whether any specialised IT skills are needed in the conduct of the audit, for example,
    the operating knowledge of a specialised ERP system. Specialised skills may be needed, for example, to:

    1. obtain sufficient understanding of the effect of the IT environment on systems, processes, internal control and risk management systems;

    2. design and perform appropriate tests of control and substantive procedures; and

    3. determine the effect of the IT environment on assessment of overall audit risk.

    5. If specialized skills are needed, the internal auditor should seek the assistance of a technical expert possessing such skills, who may either be the internal auditor's staff or an outside professional. If the use of such a professional is planned, the internal auditor should, in accordance with SIA 16*, “Using the work of an Expert”, obtain sufficient appropriate evidence that the work performed by the expert is adequate for the purposes of the internal audit.

    6. The internal auditor should obtain an understanding of the systems, processes, control environment, risk response activities and internal control systems sufficient to plan the internal audit and to determine the nature, timing and extent of the audit procedures, in accordance with SIA 1, “Planning an Internal Audit”. Such an understanding would help the internal
    auditor to develop an effective audit approach.

    7. In planning the portions of the internal audit which may be affected by the IT environment, the internal auditor should obtain an understanding of the significance and complexity of the IT activities and the availability of the data for use in the internal audit. This understanding would include such matters as:

    1. the information technology infrastructure [hardware, operating system(s), etc., and application software(s)] used by the entity including changes, if
    any, therein since last audit.

    2. the significance and complexity of computerised processing in each significant application. An application may be considered to be complex when, for example:

    1. the volume and materiality of transactions is such that users would find it difficult to identify and correct errors in processing.

    2. the computer automatically generates material transactions or entries directly to another application.

    3. the computer performs complicated computations of financial information and/or automatically generates material transactions or
    entries that cannot be (or are not) validated independently.

    4. transactions are exchanged electronically with other organisations [as in electronic data interchange (EDI) systems] without manual
    review for propriety or reasonableness.

    3. determination of the organisational structure of the client's IT activities and the extent of concentration or distribution of computer processing throughout the entity, particularly, as they may affect segregation of duties.

    4. determination of the availability of data. Source documents, computer files, and other evidential matter that may be required by the internal auditor may exist for only a short period or only in machine readable form. Information Technology systems may generate reports that might be useful in performing substantive tests (particularly analytical procedures). The potential for use of computer assisted audit techniques may permit increased efficiency in the performance of internal audit procedures, or may enable the auditor to economically apply certain procedures to the entire population of transactions.

    8. When the information technology systems are significant, the
    internal auditor should also obtain an understanding of the IT environment and whether it influences the assessment of inherent and control risks. The nature of the risks and the internal control characteristics in IT environments include the following:

    1. Lack of transaction trails: Some IT systems are designed so that a complete transaction trail that is useful for audit purposes might exist for only a short period of time or only in computer readable form. Where a complex application system performs a large number of processing steps, there may not be a complete trail. Accordingly, errors embedded in an application's program logic may be difficult to detect on a timely basis by manual (user) procedures.

    2. Uniform processing of transactions: Computer processing uniformly processes like transactions with the same processing instructions. Thus, the clerical errors ordinarily associated with manual processing are virtually eliminated. Conversely, programming errors (or other systemic errors in hardware or software) will ordinarily result in all transactions being processed incorrectly.

    3. Lack of segregation of functions: Many control procedures that would ordinarily be performed by separate individuals in manual systems may become concentrated in a IT environment. Thus, an individual who has access to computer programs, processing or data may be in a position to perform incompatible functions.

    4. Potential for errors and irregularities: The potential for human error in the development, maintenance and execution of computer information systems may be greater than in manual systems, partially because of the level of detail inherent in these activities. Also, the potential for individuals to gain unauthorised access to data or to alter data without visible evidence may be greater in IT than in manual systems. In addition, decreased human involvement in handling transactions processed by computer information systems can reduce the potential for observing errors and irregularities. Errors or irregularities occurring during the design or modification of application programs or systems software can remain undetected for long periods of time.

    5. Initiation or execution of transactions: Information Technology systems may include the capability to initiate or cause the execution of certain types of transactions, automatically. The authorisation of these transactions or procedures may not be documented in the same way as that in a manual system, and management's authorisation of these transactions maybe implicit in its acceptance of the design of the information technology systems and subsequent modification.

    6. f. Dependence of other controls over computer processing: Computer processing may produce reports and other output that are used in performing manual control procedures. The effectiveness of these manual control procedures can be dependent on the effectiveness of controls over the completeness and accuracy of computer processing. In turn, the effectiveness and consistent operation of transaction processing controls in computer applications is often dependent on the effectiveness of general computer information systems controls.

    7. Potential for increased management supervision: IT systems can offer management a variety of analytical tools that may be used to review and supervise the operations of the entity. The availability of these analytical tools, if used, may serve to enhance the entire internal control structure.
    h. Potential for the use of computer assisted audit techniques: The case of processing and analysing large quantities of data using computers may require the auditor to apply general or specialised computer audit techniques and tools in the execution of audit tests. Both the risks and the controls introduced as a result of these characteristics of information technology systems have a potential impact on the internal auditor's assessment of risk, and the nature, timing and extent of audit procedures.

    9. While evaluating the reliability of the internal control systems, the internal auditor should consider whether these systems, inter alia:

    1. ensure that authorised, correct and complete data is made available for processing;

    2. provide for timely detection and correction of errors;

    3. ensure that in case of interruption in the working of the IT environment due to power, mechanical or processing failures, the system restarts without distorting the completion of the entries and records;

    4. ensure the accuracy and completeness of output;

    5. provide adequate data security against fire and other calamities, wrong processing, frauds etc;

    6. prevent unauthorised amendments to the programs; and

    7. provide for safe custody of source code of application software and data files.

  5. #5

    Default Risk Assessment in internal audit

    Risk Assessment in internal audit

    10. The internal auditor should make an assessment of inherent and control risks for material assertions related to significant processes and systems. These assertions apply to significant processes and systems for example - sales, procurement, inventory management, production, marketing, human resources and logistics.

    11. The internal auditor should review whether the information technology system in the entity considers the confidentiality, effectiveness, integrity, availability, compliance and validity of data and information processed. The internal auditor should also review the effectiveness and safeguarding of IT
    resources, including people, applications, facilities and data.

    12. The inherent risks and control risks in an IT environment may have both a pervasive effect and an account specific effect on the likelihood of material misstatements, as follows:

    1. The risks may result from deficiencies in pervasive IT activities such as program development and maintenance, system software support, operations, physical IT security and control over access to special privilege utility programs. These deficiencies would tend to have a pervasive impact on all application systems that are processed on the lT system.

    2. The risks may increase the potential for errors or fraudulent activities in specific applications, in specific databases or master files, or in specific processing activities. For example, errors are not uncommon in systems that perform complex logic or calculations, or that must deal with many different exception conditions. Systems that control cash disbursements or other liquid assets are susceptible to fraudulent actions by users or by IT personnel.

  6. #6

    Default Audit Procedures in internal audit

    Audit Procedures in internal audit

    13. The internal auditor should consider the IT environment in designing audit procedures to review the systems, processes, controls and risk management framework of the entity.

  7. #7

    Default Review of Information Technology Environment in internal audit

    Review of Information Technology Environment in internal audit

    14. The internal auditor should review the robustness of the IT environment and consider any weakness or deficiency in the design and operation of any IT control within the entity, by reviewing:

    1. System Audit reports of the entity, conducted by independent Information System auditors;

    2. Reports of system breaches, unsuccessful login attempts, passwords compromised and other exception reports;

    3. Reports of network failures, virus attacks and threats to perimeter security, if any;

    4. General controls like segregation of duties, physical access records, logical access controls,

    5. Application controls like input, output, processing and run-to-run controls; and

    6. Excerpts from the IT policy of the entity relating to business continuity planning, crisis management and disaster recovery procedures.

    An illustrative checklist of IT controls to be reviewed by the internal auditor is given in the Appendix to this Standard.

    15. If the internal auditor is not able to rely on the effectiveness of the IT environment as a result of the review, he may perform such substantive testing or test of IT controls, as deemed fit in the circumstances. The internal auditor should apply his professional judgment and skill in reviewing the IT environment and assessing the interfaces of such IT infrastructure with other business processes.

  8. #8

    Default Outsourced Information Processing in internal audit

    Outsourced Information Processing

    16. The internal auditor should assess and review the reliance which the management of the entity places on the outsourced agency, in case where such information processing has been outsourced to the outside party. The risks associated with such outsourced services should be considered by the internal auditor in light of the review of IT controls prevalent in such outside entity. The internal auditor should also review the extent to which the entity's controls provide reasonable assurance regarding the complete ness, validity, reliability and availability of the data and information processed by such outsourced agency.

  9. #9

    Default Documentation in internal audit

    Documentation in internal audit

    17. The internal auditor should document the internal audit plan, nature, timing and extent of audit procedures performed and the conclusions drawn from the evidence obtained. In an internal audit in IT environment, some or all of the audit evidence may be in the electronic form. The internal auditor should satisfy himself that such evidence is adequately and safely stored and is retrievable in its entirety as and when required.

  10. #10

    Default Effective Date in internal audit

    Effective Date in internal audit

    18. This Standard on Internal Audit is applicable to all internal audits commencing on or after _________. Earlier application of the SIA is encouraged.

Tags for this Thread


Posting Permissions

  • Register / Login to post new threads
  • Register / Login to post replies
  • Register / Login to post attachments
  • You may not edit your posts