## Audit in an Automated Environment
### What is an Automated Environment?
An automated environment is a business setting where processes, operations, accounting, and decisions are carried out using Information Systems (IS) / IT systems.
---
### Key Features
- Faster business operations
- Accurate data processing and computation
- Handles large transaction volumes
- Integration across business operations
- Better security and controls
- Less prone to human error
- Real-time information availability
- Connectivity and networking capability
---
### Understanding and Documenting the IT Environment
Before auditing, the auditor must understand and document:
| Dimension | What to assess |
|---|---|
| Systems in use | Which application systems? Financial and non-financial? |
| Location | Local vs. global deployment |
| Architecture | Desktop, client-server, web application, cloud-based |
| Version | Functions and risks can differ across versions |
| Interfaces | How multiple systems talk to each other |
| In-house vs. packaged | Custom-built or third-party product? |
| Outsourced activities | IT maintenance, support, hosting |
| Key persons | CIO (Chief Information Officer), CISO (Chief Information Security Officer), Administrators |
> This understanding must be documented.
---
### Risks Arising from IT Systems
1. Inaccurate processing of data, or processing inaccurate data, or both
2. Unauthorized access to data
3. Direct (back-end) data changes bypassing application controls
4. Excessive / privileged access (super-users)
5. Lack of adequate segregation of duties
6. Unauthorized changes to systems or programs
7. Failure to make necessary changes to systems or programs
8. Loss of data
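
Risks 3 to 5 (and the program-change side of risk 6) can be tested from two extracts: a user access listing and a database audit log. The sketch below is an added example, not part of the original notes; the role names, the conflict pairs, the `app_service` account and the sample data are all constructed assumptions.

```python
# Rule set and account names are constructed for this example
SOD_CONFLICTS = [
    ("create_vendor", "approve_payment"),
    ("post_journal", "approve_journal"),
    ("develop_program", "migrate_to_production"),
]
PRIVILEGED_ROLES = {"sysadmin", "db_admin"}
APP_ACCOUNT = "app_service"  # only account expected to write via the application

def review_access(user_roles):
    """Return (SoD conflicts, privileged users) from {user: set_of_roles}."""
    conflicts = [(user, a, b)
                 for user, roles in sorted(user_roles.items())
                 for a, b in SOD_CONFLICTS
                 if a in roles and b in roles]
    privileged = sorted(u for u, r in user_roles.items() if r & PRIVILEGED_ROLES)
    return conflicts, privileged

def backend_changes(db_log):
    """Return data changes written by any account other than the application's."""
    return [(e["id"], e["db_user"], e["table"])
            for e in db_log
            if e["op"] in ("INSERT", "UPDATE", "DELETE")
            and e["db_user"] != APP_ACCOUNT]

# Constructed access listing and database audit-log extract
ACCESS = {
    "asha": {"create_vendor", "approve_payment"},
    "ben": {"post_journal"},
    "dba1": {"db_admin"},
    "dev1": {"develop_program", "migrate_to_production", "sysadmin"},
}
DB_LOG = [
    {"id": 1, "db_user": "app_service", "op": "INSERT", "table": "invoices"},
    {"id": 2, "db_user": "dba1", "op": "UPDATE", "table": "vendor_bank_details"},
    {"id": 3, "db_user": "dba1", "op": "SELECT", "table": "invoices"},
]
```

Each flagged item is a lead for follow-up (approval evidence, compensating review), not a conclusion in itself.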
---
### Impact of Unmitigated IT Risks on the Audit
| Impact area | Consequence |
|---|---|
| Substantive checking | Cannot rely on system-generated data → all information must be tested for completeness and accuracy → increased detailed checking |
| Controls | Cannot rely on automated controls, system calculations, or built-in accounting procedures → additional audit work required |
| Reporting | May lead to modification of the auditor's report (e.g., for IFC (Internal Financial Controls) reporting requirements for companies) |
---
### Types of Controls in an Automated Environment
#### A. General IT Controls (GITCs)
Policies and procedures that apply across many applications and support effective functioning of application controls. Four categories:
| Category | Objective | Examples |
|---|---|---|
| Data centre & network operations | Ensure production systems are processed to meet financial reporting objectives | Batch job scheduling, backup/restore, BCP (Business Continuity Plan), DRP (Disaster Recovery Plan) |
| Program change controls | Ensure modified systems continue to meet financial reporting objectives | Change management process, recording/tracking change requests, testing changes |
| Access security controls | Ensure access to programs and data is authenticated and authorized | Security policies, application security, data security, OS/network/physical security |
| System acquisition, development & maintenance | Ensure systems are developed and implemented to meet financial reporting objectives | Project initiation, analysis & design, construction, testing, quality assurance |
#### B. Application Controls
- Operate at the business process level — automated or manual
- Automated application controls are embedded into IT applications
- Examples: edit checks, input validation, sequence number checks, user limit checks, reasonableness checks, mandatory data fields
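
The automated controls listed above, applied to a batch of postings, as an added example that is not part of the original notes. The field names, user limits, reasonableness ceiling and sample batch are constructed assumptions.

```python
from datetime import date

# Control parameters below are constructed for this example
MANDATORY = ("doc_no", "vendor", "amount", "posted_by", "posting_date")
USER_LIMITS = {"clerk1": 50_000, "manager1": 500_000}  # per-document limit
REASONABLE_MAX = 1_000_000  # ceiling for a single document

def apply_controls(row, expected_doc_no, today):
    """Return the control failures for one entry (empty list = accepted)."""
    failures = []
    missing = [f for f in MANDATORY if row.get(f) in (None, "")]
    if missing:  # mandatory data fields
        failures.append("mandatory field: " + ", ".join(missing))
    amount = row.get("amount")
    valid = isinstance(amount, (int, float)) and not isinstance(amount, bool) and amount > 0
    if amount not in (None, "") and not valid:  # edit check / input validation
        failures.append("edit check: amount must be a positive number")
    doc_no = row.get("doc_no")
    if doc_no not in (None, "") and doc_no != expected_doc_no:  # sequence check
        failures.append(f"sequence check: expected {expected_doc_no}")
    if valid:
        limit = USER_LIMITS.get(row.get("posted_by"), 0)  # unknown user: limit 0
        if amount > limit:  # user limit check
            failures.append(f"user limit: exceeds {limit}")
        if amount > REASONABLE_MAX:  # reasonableness check
            failures.append("reasonableness: amount above ceiling")
    if isinstance(row.get("posting_date"), date) and row["posting_date"] > today:
        failures.append("reasonableness: posting date in the future")
    return failures

def process_batch(batch, last_doc_no, today):
    """Accept clean entries in sequence; list the rest as exceptions."""
    accepted, exceptions = [], []
    for row in batch:
        failures = apply_controls(row, last_doc_no + 1, today)
        if failures:
            exceptions.append((row.get("doc_no"), failures))
        else:
            accepted.append(row["doc_no"])
            last_doc_no = row["doc_no"]
    return accepted, exceptions

# Constructed batch: one clean entry, one out of sequence, one failing three controls
TODAY = date(2024, 3, 31)
BATCH = [
    {"doc_no": 1001, "vendor": "V01", "amount": 1200.0, "posted_by": "clerk1", "posting_date": date(2024, 3, 30)},
    {"doc_no": 1003, "vendor": "V02", "amount": 900.0, "posted_by": "clerk1", "posting_date": date(2024, 3, 30)},
    {"doc_no": 1002, "vendor": "", "amount": 75_000, "posted_by": "clerk1", "posting_date": date(2024, 4, 2)},
]
```

Running the same rules independently over a system extract and comparing the exception list with what the application actually rejected is one way to reperform these controls.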
#### C. IT-Dependent Controls
- Manual controls that use data/reports produced from IT systems
- Even though performed manually, their effectiveness depends on the reliability of source data
- Because they depend on IT, their effectiveness requires GITCs to be effective
#### Relationship between GITCs and Application Controls
> GITCs support the functioning of Application Controls.
> Both together ensure complete and accurate information processing.
> If GITCs are weak → Application Controls cannot be relied upon → IT-Dependent Controls also break down.
---
### Testing Methods in an Automated Environment
Four fundamental audit tests, listed from weakest to strongest evidence:
| Test | Efficiency | Evidence strength |
|---|---|---|
| Inquiry | Highest | Lowest — never sufficient alone |
| Observation | Moderate | Moderate — point-in-time only |
| Inspection | Moderate-high | High |
| Reperformance | Lowest (time-consuming) | Highest |

Best combination: Inquiry + Inspection — most effective and efficient.

Common methods in an automated environment:
- Walkthrough: trace one end-to-end transaction using inquiry + observation + inspection
- Observe how a user processes transactions under different scenarios
- Inspect configuration settings defined in the application

Choice of test and combination is a matter of professional judgement based on: risk assessment, control environment, desired evidence level, error history, business complexity, and assertions being addressed.