
## Audit Approach in an Automated Environment

The audit approach in an IT environment follows four phases:

---

### Phase 1: Risk Assessment

  • Identify significant accounts and disclosures
  • Apply qualitative and quantitative risk considerations
  • Identify relevant financial statement assertions (FSA)
  • Identify likely sources of misstatement
  • Consider risks arising from use of IT systems

---

### Phase 2: Understand and Evaluate Controls

  • Document understanding of business processes using flowcharts / narratives
  • Prepare Risk and Control Matrices (RCM)
  • Understand design of controls by performing walkthroughs of end-to-end processes
  • Consider entity-level controls and segregation of duties
  • Evaluate General IT Controls (GITC) and Application Controls

---

### Phase 3: Test Operating Effectiveness

  • Assess Nature, Timing, and Extent (NTE) of control testing
  • Assess reliability of source data and completeness of population
  • Testing of key reports and spreadsheets
  • Sample testing of control evidence
  • Consider competence and independence of staff performing controls

---

### Phase 4: Reporting

  • Evaluate control deficiencies identified
  • Classify as significant deficiencies or material weaknesses
  • Advise on remediation of control weaknesses
  • Issue Internal Controls Memo (ICM) or Management Letter
  • Communicate significant deficiencies in writing to those charged with governance
  • Issue Auditor's Report

---

### Key Tools by Phase

| Phase | Key Deliverable/Tool |
|---|---|
| Risk Assessment | Risk register, FSA mapping |
| Understand and Evaluate | Flowcharts, narratives, RCM, walkthroughs |
| Test Operating Effectiveness | Sample testing, data analytics (CAATs) |
| Reporting | Management letter, ICM, Auditor's report |

Worked example

### Example 1

Walkthrough Example: To understand the purchase-to-pay (P2P) process, the auditor selects one purchase transaction and traces it from the original purchase requisition → purchase order → goods receipt note → vendor invoice → payment. This 'walkthrough' confirms that controls are designed correctly and operating at least once end-to-end.

### Example 2

RCM Example: In a Risk and Control Matrix for 'Revenue Recognition', the auditor maps risks (e.g., 'Revenue recorded before goods dispatched') to specific controls (e.g., 'System blocks invoice creation until GRN is confirmed in ERP') and then plans tests (inspect GRN-to-invoice linkage report for sample of transactions).
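The test planned in the RCM example, combined with the Phase 3 checks on completeness of population and sample selection, can be run as a simple CAAT. This is an added illustration, not part of the original lesson; the extract layout, field names and all data values are constructed assumptions.

```python
import random
from datetime import date

# Constructed sample extracts (assumed layout, not real ERP data).
GRNS = {  # grn_no -> GRN confirmation date
    "GRN-001": date(2024, 3, 1),
    "GRN-002": date(2024, 3, 5),
    "GRN-004": date(2024, 3, 9),
}
INVOICES = [  # (invoice_no, linked grn_no or None, invoice date)
    (1001, "GRN-001", date(2024, 3, 2)),
    (1002, "GRN-002", date(2024, 3, 4)),   # invoiced before GRN confirmed
    (1003, None,      date(2024, 3, 6)),   # no GRN linkage at all
    (1005, "GRN-004", date(2024, 3, 9)),
    (1006, "GRN-009", date(2024, 3, 10)),  # linked GRN absent from extract
]

def missing_numbers(invoices):
    """Completeness of population: gaps in the invoice number sequence."""
    nums = sorted(no for no, _, _ in invoices)
    present = set(nums)
    return [n for n in range(nums[0], nums[-1] + 1) if n not in present]

def control_exceptions(invoices, grns):
    """Invoices the 'no invoice before confirmed GRN' control should have blocked."""
    found = []
    for no, grn, inv_date in invoices:
        if grn is None:
            found.append((no, "no GRN linked"))
        elif grn not in grns:
            found.append((no, "linked GRN not in extract"))
        elif inv_date < grns[grn]:
            found.append((no, "invoice dated before GRN confirmation"))
    return found

def select_sample(invoices, size, seed):
    """Seeded random sample so the selection can be re-performed from the working papers."""
    rng = random.Random(seed)
    population = [no for no, _, _ in invoices]
    return sorted(rng.sample(population, min(size, len(population))))

if __name__ == "__main__":
    print("Sequence gaps:", missing_numbers(INVOICES))
    for no, reason in control_exceptions(INVOICES, GRNS):
        print(f"Exception: invoice {no}: {reason}")
    print("Sample for evidence inspection:", select_sample(INVOICES, 3, seed=2024))
```

A gap in the sequence is a prompt to ask why the extract is incomplete before relying on it; the exceptions list covers the whole population, while the sample supports inspection of the underlying documents.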

⚠️ Common exam mistakes

  • Skipping Phase 2 (understanding) and jumping directly to testing – walkthroughs and RCMs are pre-requisites, not optional extras.
  • Confusing 'design evaluation' with 'operating effectiveness testing' – evaluating design (Phase 2) checks if the control is capable of preventing/detecting the risk; testing operating effectiveness (Phase 3) checks if it actually worked during the period.
  • Not mentioning NTE (Nature, Timing, Extent) in Phase 3 – this is a standard audit planning consideration that examiners expect.
  • Addressing only auditor's report in reporting phase – ICM/Management Letter to management and written communication of significant deficiencies to those charged with governance are equally important.