RISKS & CONTROLS IN AN AUTOMATED ENVIRONMENT

RISKS & CONTROLS IN AN AUTOMATED ENVIRONMENT 

 Understanding and Documenting Automated Environment

In the previous section, we have learnt that, in an audit of financial statements, an auditor is required to understand the entity and its business, including IT as per SA 315. Understanding the entity and its automated environment involves understanding how IT department is organised, IT activities, the IT dependencies, relevant risks and controls.

Given below are some of the points that an auditor should consider to obtain an understanding of the company’s automated environment:

•  Information systems being used (one or more application systems and what they are).
•  Their purpose (financial and non-financial). 
•  Location of IT systems - local vs global. 
•  Architecture (desktop based, client-server, web application, cloud based). 
•  Version (functions and risks could vary in different versions of same application).
•   Interfaces within systems (in case multiple systems exist). 
•  In-house vs Packaged. 
•  Outsourced activities (IT maintenance and support). 
•  Key persons (CIO, CISO, Administrators).

The understanding of a company’s IT environment that is obtained should be documented [Ref. SA 230 – Audit Documentation] using any standard format or template.