DISA Module 6 by CA.Shweta Ajmera - Indore

IS AUDIT PROCESS
CA.Shweta Ajmera,
M.Com,CA,DISA(ICAI)
Information systems auditing is a process of collecting and evaluating evidence to determine whether:
 a computer system safeguards assets,
 maintains data integrity,
 allows organizational goals to be achieved effectively,
 and uses resources efficiently.



[Diagram: Information Systems Auditing, placed within the Organisation, covering Safeguarding of Assets, Data Integrity and System Efficiency]


Safeguarding of Assets: The asset should not be destroyed, stolen or used for unauthorized purposes. Data is the most important asset of any organization.
Data Integrity: The completeness, soundness, purity, authenticity and genuineness of the data.


System Efficiency: An efficient information system uses minimum resources to achieve its required objectives. Resources like machine time, peripherals, system software and labour are scarce, and different application systems usually compete for their use.



Availability: Will the organisation's computer systems be available for the business at all times when required?
Confidentiality: Will the information in the systems be disclosed only to authorized users?
Integrity: Will the information provided by the system always be accurate, reliable and timely?



IS Audit strategy
Audit Objective
Audit environment
Audit Mission:
The mission statement defines the primary purpose of the Audit function and provides an overview of the focus, priorities, values and principles that will measure the audit decisions.

 Audit charter should clearly state management’s responsibility
 Audit charter is usually a part of internal audit, hence may include other audit functions
 Should state objectives of audit
 Role of IS audit is established by audit charter




An IS auditor requires a clear mandate from the company to perform the IS audit. This mandate is called the AUDIT CHARTER or ENGAGEMENT LETTER.
The audit charter should be approved by the highest level of management and, once established, should not be altered except in exceptional circumstances.
The audit charter should clearly address three aspects, the responsibility, authority and accountability of the IS auditor, as under:
◦ Responsibility – This may include
 Scope
 Objectives
 Specific auditee requirements
 Deliverables
◦ Authority – This may include
 Right of access to information, personnel, locations and systems relevant to the performance of the audit
◦ Accountability – This may include
 Designated recipients of the report
 Auditee's rights
 Agreed completion dates
 Agreed fees, if applicable
Purpose
 Engagement letters are often used for individual assignments or for setting the scope and objectives of a relationship between the external IS auditor and an organisation.
Content
 The engagement letter should clearly address the three aspects – responsibility, authority and accountability

To perform audit planning, the IS auditor should perform the following steps:
◦ Gain an understanding of the business’s mission, objectives, purposes and processes
◦ Tour key organizational facilities
◦ Study applicable laws and regulations
◦ Conduct an internal control review
◦ Read background material including industry publications, annual reports etc.
◦ Review long term strategic plans
◦ Interview key managers to understand business issues
◦ Review prior audit reports
◦ Set audit scope and audit objectives
◦ Develop the audit strategy
◦ Assign personnel resources to the audit


Risk assessment is used to determine the extent of compliance and/or substantive testing an auditor should undertake to fulfill the objectives of the audit. Factors to consider include:
◦ Knowledge of the business
◦ Degree of operational/internal controls available
A risk assessment model may use a scoring system based on
◦ Technical complexity
◦ Level of controls in place
◦ Level of financial loss
These factors may or may not be weighted to arrive at a measure of overall risk. Another way of risk assessment is judgmental, based upon management directives, historical perspectives, business goals and environmental factors.
A typical overview of the risk based audit approach is presented below.
[Flowchart: risk based audit approach]
Gather information and plan
◦ Knowledge of business and industry
◦ Prior years’ audit results
◦ Recent financial information
◦ Regulatory statutes
◦ Inherent risk assessment
Obtain understanding of internal controls
◦ Control environment
◦ Control procedures
◦ Detection risk assessment
◦ Control risk assessment
◦ Equate total risks
Perform Compliance Test
◦ Test policies and procedures
◦ Test segregation of duties
Perform Substantive Tests
◦ Analytical procedures
◦ Detailed test of account balances
◦ Other substantive audit
Conclude the Audit
◦ Create recommendations
◦ Write audit reports


Audit programs are based on the objective and scope of the assignment and become a guide for documenting
◦ Various audit steps to be performed
◦ Extent and type of evidential matter to be reviewed
Though not necessarily to be followed in sequence, the IS auditor will be best advised to take a sequential approach in understanding the entity, evaluating the control structure and testing the controls.



Audit risk is the risk that financial statements may contain material errors or that material errors may remain undetected. Sometimes audit risk may also refer to the risk that an auditor is prepared to accept.
Types of risks in an audit:
◦ Inherent risk – based on the nature of the business and is independent of the audit
◦ Control risk – a risk that a material error may not be prevented or detected


◦ Detection risk – a risk that an IS auditor may use inadequate test procedures and conclude that material errors do not exist when in fact they do.
◦ Overall risk – a combination of the risk factors above. The objective is to keep overall risk within acceptable levels.
The materiality concept is applicable in the case of financial audits. In the context of IS audit, materiality may mean that a significant internal control weakness exists which leaves the organization susceptible to threats leading to financial loss, business interruptions, loss of customer trust etc.

Materiality always requires sound judgment from an auditor. For an IS auditor the task is still more difficult.

Information Systems Auditors ultimately are concerned with evaluating the reliability or operating effectiveness of controls.



After identifying the key controls, the auditor has to determine whether to test these controls through compliance or substantive testing.
Compliance testing determines whether the controls are functioning as intended.
Substantive testing refers to verifying the integrity of processing. It provides evidence as to the validity and propriety of balances in financial statements and the transactions supporting such statements.
There is a direct correlation between the level of internal control and the amount of substantive testing to be applied.



Audit evidence is information used to determine whether audit criteria or objectives are met. It may include
◦ Observations
◦ Notes taken during interviews
◦ Correspondence
◦ Internal documentation
◦ Results of tests conducted by the auditor
Reliability may depend on
◦ Independence of the provider of the evidence

◦ Qualification/competence level of the person providing the information
◦ Objectivity of the evidence
Techniques of gathering evidence may include
◦ Reviewing the IS organization structure – the key word here is adequate separation of duties
◦ Reviewing IS documentation standards – the key point here is that documentation may be in automated form rather than on paper. Documentation may include
 System development initiating document
 Functional design specifications
 Program change histories
 User manuals
 Database specifications
 Test plans and reports
 Quality assurance reports
◦ Interviewing appropriate personnel – an interview form or checklist may be used. Also remember that interviews are not accusatory.

◦ Observing processes and performance – the key here is to document as much detail as is possible. Also remember that your observations should not obstruct the ongoing business.
Finally, a judgment call has to be made to determine which material is relevant for meeting the audit objective and to what extent reliance should be placed thereupon.


End product of the audit
The Audit Report format should be considered at the planning stage itself. There is no fixed format, but it may include:
◦ Introduction including audit objectives, scope, period etc.
◦ Overall conclusion and opinion on the adequacy of controls in the areas covered as per the scope of the audit
◦ Any reservations or qualifications
◦ Detailed findings/recommendations depending upon materiality and the intended recipient of the report

◦ Management responses, including the plan, if any, for implementation of the recommendations (this may be included if required by the terms of reference).
It is good practice to also give an executive summary, preferably in a visual presentation mode.






There cannot be a standard format. However, the contents and format of the IS audit report should contain the minimum requirements as per the reporting standards. Some of the features of the audit report:
◦ Report, content and form
◦ Purpose and content
◦ Intended recipients
◦ Style and content
◦ Statement of objectives
◦ Scope of audit
◦ Restrictions on distribution
◦ Significant findings
◦ Conclusion
◦ Recommendations
◦ Reservations or qualifications
◦ Presentation
◦ Timeliness
◦ Subsequent events
◦ Follow up



IS audit documentation includes the audit plan, a description or diagram of the network environment, audit programs, minutes of meetings, audit evidence, findings, conclusions and recommendations, any report issued as a result of the audit work, and management responses.
Audit documentation should support the findings and conclusions/opinions. It should also include questionnaires and understandable flow charts.


Sometimes, the terms of reference may require an auditor to submit a follow up action report. If so, the IS auditor must set up a follow up program to determine if the agreed corrective actions have been taken.
Follow up reporting may involve
◦ Inquiry as to the current status
◦ Certain audit steps to determine the extent and correctness of the implementation measures



Sampling is used when the entire population cannot be examined for reasons of cost, time or sheer volume. A sample is a subset of the population.
Sampling approaches are:
◦ Statistical – sample size and selection process are based on objective criteria. Each item in the population has an equal opportunity of being selected.
◦ Non-statistical – sample size and the selection process are based on judgment. This type of sampling is also called judgmental sampling.


Both are subject to the risk that conclusions may be wrong (sampling risk).
Methods of sampling are:
◦ Attribute sampling
◦ Variable sampling
Attribute sampling
◦ Is applied in compliance testing
◦ Deals with the presence or absence of characteristics (attributes)
◦ Conclusions are expressed in terms of rates of occurrence

Variable sampling
◦ Is applied in substantive testing
◦ Deals with rupee value, weight etc. (variable characteristics)
◦ Conclusions are expressed in terms of a range of values or deviation from an expected value

Important sampling terms include
◦ Confidence coefficient – a measure of confidence in the testing process, expressed as a percentage. Remember
 The stronger the internal control, the lower the confidence coefficient can be
 The greater the confidence coefficient, the larger the sample size
◦ Level of risk – is equal to 100 minus the confidence coefficient
◦ Expected error rate – applicable in attribute sampling only. Remember
 The higher the expected error rate, the larger the sample size
◦ Tolerable error rate – the acceptable upper limit of error. Used to set the precision amount in respect of compliance testing

Key steps in using sampling in audit include
◦ Determine the objectives of the test.
◦ Define the population to be sampled.
◦ Determine the sampling method, such as attribute versus variable sampling.
◦ Determine the precision and reliability desired.
◦ Calculate the sample size.
◦ Select the sample.
◦ Evaluate the sample from an audit perspective.
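As an added worked example that is not part of the original slides, the sampling terms and key steps above carried through in Python: the confidence coefficient, level of risk, expected error rate and tolerable error rate set the attribute sample size, a statistical sample is drawn from a constructed population of change records, and the sample is evaluated against the tolerable rate. The binomial rule used to compute the size and the achieved upper limit is an assumption of this example, as are the population and the parameter values.

```python
import math
import random
from typing import List, Tuple


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p), summed term by term."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def level_of_risk(confidence_coefficient: float) -> float:
    """Slide rule: level of risk = 100 minus confidence coefficient (as fractions here)."""
    return 1.0 - confidence_coefficient


def attribute_sample_size(confidence: float, tolerable_rate: float,
                          expected_rate: float, max_n: int = 5000) -> Tuple[int, int]:
    """Smallest n such that, if the true deviation rate were the tolerable rate,
    observing at most k = ceil(n * expected_rate) deviations would be no more
    likely than the level of risk. Returns (n, k). This binomial rule is an
    assumption of this example; the slides give the terms, not the formula."""
    risk = level_of_risk(confidence)
    for n in range(1, max_n + 1):
        k = math.ceil(round(n * expected_rate, 9))  # round() guards float fuzz
        if binom_cdf(k, n, tolerable_rate) <= risk:
            return n, k
    raise ValueError("no sample size found within max_n; relax the parameters")


def upper_deviation_limit(n: int, observed: int, confidence: float) -> float:
    """Achieved upper limit on the population deviation rate after the test:
    the rate at which seeing <= observed deviations becomes as unlikely as the
    level of risk. Found by bisection, since the binomial CDF falls as p rises."""
    risk = level_of_risk(confidence)
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(observed, n, mid) > risk:
            lo = mid  # this rate is still plausible; the limit lies above it
        else:
            hi = mid
    return hi


def evaluate_sample(n: int, observed: int, confidence: float,
                    tolerable_rate: float) -> dict:
    """Step 'evaluate the sample': the control can be relied upon only if the
    achieved upper limit does not exceed the tolerable error rate."""
    limit = upper_deviation_limit(n, observed, confidence)
    return {"sample_deviation_rate": observed / n,
            "upper_limit": limit,
            "rely_on_control": limit <= tolerable_rate}


def constructed_population(size: int = 2000, true_rate: float = 0.01,
                           seed: int = 7) -> List[bool]:
    """Constructed population of change records; True marks an unapproved change."""
    rng = random.Random(seed)
    return [rng.random() < true_rate for _ in range(size)]


def run_sampling_steps(confidence: float = 0.95, tolerable_rate: float = 0.05,
                       expected_rate: float = 0.01, seed: int = 11) -> dict:
    """Calculate the size, select a statistical sample (every record has an
    equal chance of selection) and evaluate it."""
    population = constructed_population()
    n, k = attribute_sample_size(confidence, tolerable_rate, expected_rate)
    sample = random.Random(seed).sample(population, n)
    observed = sum(sample)
    result = evaluate_sample(n, observed, confidence, tolerable_rate)
    result.update({"sample_size": n, "allowed_deviations": k, "observed": observed})
    return result


if __name__ == "__main__":
    for conf in (0.90, 0.95):
        for exp in (0.0, 0.01, 0.02):
            print(conf, exp, attribute_sample_size(conf, 0.05, exp))
    print(run_sampling_steps())
```

Running the size function for 90% and 95% confidence and for rising expected error rates reproduces the two "Remember" rules on the slides: a greater confidence coefficient and a higher expected error rate both enlarge the sample.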


An IS auditor should clearly understand the basic concept of risk, techniques of risk assessment and the relationship between risk and controls.
ISO defines risk as
“The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. The impact or relative severity of the risk is proportional to the business value of the loss/damage and to the estimated frequency of the threat”

Threats include:
◦ Power loss
◦ Communication failure
◦ Disgruntled employee
◦ Malicious code
◦ Natural disasters
◦ Abuse of access privileges by employees


Based on the above, the elements of risk are
◦ Threats to and vulnerabilities of assets
◦ Impact of threats and vulnerabilities
◦ Probability of occurrence of threats
IS audit is focused towards a particular class of risk, defined as the potential for loss of confidentiality, availability or integrity of information.


The process of identifying vulnerabilities and threats to an organization's resources and deciding on countermeasures to reduce the risk to an acceptable level, based on the value of the information resource to the organization.
Step 1
◦ Identify and classify the information resources or assets which need protection. Examples of assets associated with IT include:
 Information and data
 Hardware
 Software
 Services
 Documents
 Personnel

Step 2
◦ Assess vulnerabilities, which are characteristics of information resources that can be exploited by a threat to cause harm. Examples of vulnerabilities are:
 Lack of user knowledge
 Lack of security functionality
 Poor choice of passwords
 Untested technology
 Transmission over unprotected communications

Step 3
◦ Assess threats, which are events with the potential to cause harm such as destruction, disclosure, modification, denial of service etc. Common classes of threats are:
o Errors
o Malicious damage or attack
o Fraud
o Theft
o Equipment/software failures
Step 4
◦ Assess the impact if threats were to materialize. Impact is usually in terms of financial loss, both short and long term. Examples of losses are:
 Loss of money
 Breach of legislation
 Loss of reputation or goodwill
 Endangering of staff or customers
 Breach of confidence
 Loss of business opportunity
 Reduction in operational efficiency or performance
 Interruption of business activity





Step 5
◦ Assess the probability of occurrence and form an overall view of the risk. Risk = Value of loss x Probability of occurrence


Step 6
◦ Evaluate existing controls and identify the risks which are inadequately controlled
Step 7
◦ Prioritize all the identified risks requiring protection, design effective and efficient countermeasures and select appropriate countermeasures keeping in view:
o The cost of control compared to the benefit of minimizing risk
o Management appetite for risk
 Preferred risk reduction method
- Terminate the risk
- Minimize probability of occurrence
- Minimize impact
- Transfer (insurance)
• Some organizations may start the process with identification of threats rather than assets. This is just a matter of choice without any significance.


Risk remaining after the controls have been applied is called residual risk. Management could decide to work further on countermeasures to mitigate the risks, or accept them as an unavoidable component of doing business, thus laying down an acceptable level of risk.
The acceptable level of risk so defined should be used to determine the areas which might be subjected to an excessive level of controls and where cost savings can be achieved by removing the excessive element of controls.

Risk assessment techniques:
o Scoring system – useful in prioritizing audits based on evaluation of risk factors, considering various variables such as technical complexity, level of control procedures and level of financial loss
o Judgemental – the decision is made based on business knowledge, executive management directives, historical perspectives, business goals and environmental factors.
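An added example, not from the deck, that carries Steps 5 to 7 and the residual-risk and scoring-system passages through in Python: inherent risk as Value of loss x Probability of occurrence (the slide's formula), residual risk after existing controls, a comparison with the acceptable level, and a weighted score on technical complexity, level of controls and financial loss to prioritise audits. The risk register, the weights and 0..5 scales, the proportional residual-risk reduction and the over-control test are all constructed assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class RiskItem:
    """One row of a constructed risk register (assets and threats as on the slides)."""
    asset: str
    threat: str
    value_of_loss: float          # Step 4: impact if the threat materialises (rupees)
    probability: float            # Step 5: probability of occurrence in a year
    control_effectiveness: float  # Step 6: share of exposure removed by existing controls, 0..1
    technical_complexity: int     # scoring-system factor, 1 (simple) to 5 (complex)
    control_cost: float           # annual cost of the existing controls (rupees)

    def inherent_risk(self) -> float:
        """Slide formula: Risk = Value of loss x Probability of occurrence."""
        return self.value_of_loss * self.probability

    def residual_risk(self) -> float:
        """Risk remaining after controls. The proportional reduction is an
        assumption of this example; the deck defines residual risk but gives no formula."""
        return self.inherent_risk() * (1.0 - self.control_effectiveness)


def classify(item: RiskItem, acceptable_level: float) -> str:
    """Step 6 and the residual-risk slide: flag risks left above the acceptable
    level, and (assumed test) areas where controls cost more than the inherent
    risk they address, the candidates for removing excessive controls."""
    if item.residual_risk() > acceptable_level:
        return "inadequately controlled"
    if item.control_cost > item.inherent_risk():
        return "possibly over-controlled"
    return "adequately controlled"


def audit_priority_score(item: RiskItem, weights: Dict[str, float]) -> float:
    """Scoring-system technique: weighted sum over technical complexity, level of
    controls (weaker controls score higher) and financial loss, each on a 0..5 scale.
    The scales and the weights are constructed for this example."""
    loss_score = min(5.0, 5.0 * item.value_of_loss / 1_000_000)  # 10 lakh or more scores 5
    control_score = 5.0 * (1.0 - item.control_effectiveness)
    return (weights["technical_complexity"] * item.technical_complexity
            + weights["level_of_controls"] * control_score
            + weights["financial_loss"] * loss_score)


def prioritise(items: List[RiskItem], weights: Dict[str, float],
               acceptable_level: float) -> List[dict]:
    """Step 7: rank the register for audit attention, highest score first."""
    rows = [{"asset": it.asset, "threat": it.threat,
             "inherent": it.inherent_risk(), "residual": it.residual_risk(),
             "status": classify(it, acceptable_level),
             "score": round(audit_priority_score(it, weights), 2)} for it in items]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed register: threats are from the slide's list, all figures are invented.
REGISTER = [
    RiskItem("Core banking database", "Abuse of access privileges by employees",
             2_000_000, 0.10, 0.60, 4, 150_000),
    RiskItem("Data centre supply", "Power loss", 500_000, 0.30, 0.90, 2, 40_000),
    RiskItem("Payroll files", "Malicious code", 300_000, 0.20, 0.50, 3, 20_000),
    RiskItem("Archived reports", "Theft", 50_000, 0.05, 0.95, 1, 30_000),
]
WEIGHTS = {"technical_complexity": 0.3, "level_of_controls": 0.4, "financial_loss": 0.3}
ACCEPTABLE_LEVEL = 25_000  # management's accepted residual risk per item (constructed)

if __name__ == "__main__":
    for row in prioritise(REGISTER, WEIGHTS, ACCEPTABLE_LEVEL):
        print(row)
```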


Control is defined as:
“the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesirable events will be prevented or detected and corrected”
The strength of a control is measured by its inherent or design strength and the likelihood of its effectiveness. The elements to be considered while evaluating control strengths include whether controls are:



An IT control objective is defined as a statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.
IT control objectives aim to ensure confidentiality, integrity and availability of information resources. COBIT and the IT Governance Institute provide an excellent framework for setting IT control objectives.
Examples of IT control objectives include:
◦ Information is secured from improper access.
◦ Each transaction is authorized and recorded only once.
◦ All exceptions are duly recorded, investigated and followed through.
◦ Files are adequately backed up to allow for proper recovery.
◦ Changes to software are tested and approved.

Controls are generally classified under three categories, as under:
◦ Preventive
◦ Detective
◦ Corrective
Preventive controls
Function:
◦ Prevent an error, omission or malicious act from occurring
◦ Predict potential problems before they occur and make adjustments
◦ Detect problems before they arise
Examples:
◦ Employ qualified personnel
◦ Segregate duties
◦ Control physical access
◦ Use well designed documents
◦ Have authorization procedures
◦ Complete programmed edit checks
◦ Use logical access controls
Detective controls
Function:
◦ Detect that an error, omission or malicious act has occurred and report the occurrence
Examples:
◦ Hash totals
◦ Check points
◦ Echo controls
◦ Error messages
◦ Duplicate (re-verification) of calculations
◦ Variance reporting
◦ Internal audit
Corrective controls
Function:
◦ Minimize the impact of a threat
◦ Remedy problems discovered by detective tests
◦ Correct errors arising from a problem
◦ Modify systems to minimize future occurrences of the problem
Examples:
◦ Contingency planning
◦ Backup procedures
◦ Re-run procedures
AAS 29 – Auditing in CIS Environment, issued by ICAI, states that:
“The overall objective and scope of the Audit does not change in a CIS environment. However, the use of a computer changes the processing, storage, retrieval and communication of Financial Information and may affect the accounting and internal control systems employed by the entity”


CAATs are important tools for the IS auditor in gathering information from these environments. When systems have different hardware and software environments, different data structures, record formats or processing functions, it is almost impossible for auditors to collect evidence without a software tool to collect and analyze the records. CAATs also enable IS auditors performing audits to gather information independently.



A CIS environment may affect:
◦ The procedures followed by the auditor in obtaining a sufficient understanding of the accounting and internal control system.
◦ The auditor's evaluation of inherent risk, through which the auditor assesses the audit risk.
◦ The auditor’s design and performance of tests of control and substantive procedures appropriate to meet the audit objective.
AAS 29 specifically requires the auditor to consider the effect of the CIS environment on the audit:
1. Extent to which the CIS environment is used in control
2. System of internal control
3. Audit trail

The auditor should have sufficient knowledge of CIS to plan, direct, supervise, control and review the work performed.
 Specialised skills may be needed to
1. Obtain sufficient understanding of the effect of the CIS environment on the accounting and internal control system.
2. Determine the effect of the CIS environment on the assessment of overall audit risk
3. Design and perform appropriate tests of control and substantive procedures

The IT environment contains business risks. These risks could result from a lack of various controls, including:
1. Lack of an IS security policy framework, procedures and controls.
2. Approach for control over IT and related resources.
3. Risks of outsourcing of IT processes
4. Physical and environmental security of IT equipment and related assets.
5. Poor controls over communication and network technology and infrastructure.
6. Poor controls over system parameter settings and critical system files.
7. Risks from viruses, hackers and malicious code.
8. Poor controls over SDLC.
9. Poor business continuity planning.

Auditing Around the Computer – Black Box Approach
The concept of ignoring what is happening inside the computer and conducting the audit using the inputs and outputs, as in manual audits.

Auditing Through the Computer – White Box Approach
Considering the audit trail and auditing the process followed by the computer system.


Software intended to facilitate or expedite the auditing process.
Examples of CAATs include
◦ Generalized audit software
◦ Test data generators
◦ Expert systems
◦ Standard utilities
◦ Software library packages
◦ Integrated test facilities
◦ Snapshot
◦ Specialized audit software


GAS refers to standard software that has the capability to directly read and access data from various database platforms, flat-file systems and ASCII formats. Examples: ACL and IDEA.
Functions supported by GAS:
◦ File access – reading from different formats
◦ File reorganization – indexing, sorting, merging
◦ Data selection
◦ Statistical functions – sampling
◦ Arithmetical functions



It is written for special audit purposes or targeting specialized IT environments. For example: testing for NPAs, testing for UNIX controls, testing for overnight deals in forex application software etc.
This software may be developed by the auditor or by the client; the auditor should take care to obtain assurance on the integrity and security of software developed by the client.

Utility software or utilities, though not developed or sold specifically for audit, are often extremely useful and handy for conducting audits.


Remember
◦ Seek read only access to production data while using CAATs
Advantages of using CAATs are
◦ Reduced level of audit risk
◦ Greater independence from the auditee
◦ Broader and more consistent audit coverage
◦ Faster availability of information

◦ Improved exception identification
◦ Greater flexibility of run times
◦ Greater opportunity to quantify internal control weaknesses
◦ Enhanced sampling
◦ Cost saving over time
Important factors while considering usage of CAATs may include
◦ Ease of use
◦ Installation requirements

◦ Availability of source data
Important documentation to be retained for own-developed CAATs may include
◦ Online reports detailing high-risk issues for review
◦ Flowchart
◦ Record and file layouts
◦ Field definitions
◦ Operating instructions
◦ Sample reports
◦ AAS 29 / SA 401 – by ICAI on Auditing in Computer Information Systems Environment
◦ IS Audit standards issued by ISACA
◦ COBIT – Control Objectives for Information and related Technology
◦ BS7799
◦ SAS 70
◦ SysTrust
◦ ITIL
◦ ISO 9000
◦ SEI – CMM
◦ IT ACT 2000
◦ UNCITRAL Model Law on electronic commerce
◦ SOX
◦ BASEL II
By:
CA.Shweta Ajmera
M.Com,CA,DISA(ICAI)
cashwetaajmera@gmail.com
You can join me at:
At Linkedin & twitter: Shweta Ajmera
At FB: shweta.ajmera.3