# Audit in an Automated Environment

## What is an Automated Environment?

A business environment where processes, accounting and decisions are performed using computer systems. Also called an Information Systems (IS) or Information Technology (IT) environment.

## Understanding & Documenting the Environment

Key points to consider when planning the audit:

Location of IT systems — local vs global
In-house vs Packaged software
Outsourced activities (service organisations)
Information Systems in use
Purpose — financial vs non-financial
Architecture — desktop / web / cloud
Version — risks differ across versions
Interfaces between systems
Key persons involved

## Key Features of an Automated Environment

Provides latest information
Ability to process large volume of transactions
Accuracy in data processing
Connectivity & networking
Integration across business operations
Faster business operations
Better security & controls
Less prone to human errors

## Risks Arising from Use of IT Systems

Risk	Description
Unauthorised access	Outsiders accessing data
Excessive/privileged access	Users with more rights than needed
Direct data changes	Bypassing application controls
Inaccurate processing	Wrong data or wrong logic
Unauthorised system/program changes	Untested code in production
Failure to make necessary changes	Stale logic, outdated rules
Loss of data	Backup/recovery failure
Lack of segregation of duties	Single person controls full transaction cycle

## Impact of IT Risks (If Not Mitigated)

On controls: Non-reliance on automated controls
On substantive checking: Non-reliance on system-generated data
On reporting: Modification of auditor's report

## Types of Controls — General IT Controls (GITC)

GITCs support effective functioning of application controls. They mitigate IT-specific risks and apply across multiple IT systems → also called pervasive or indirect controls.

### Data Centre & Network Operations

Objective: Ensure production systems are processed to meet financial reporting objectives.

Includes:

Overall management of computer operations
Preparing, scheduling & executing batch jobs
Monitoring
Storage & retention of backups
Business Continuity Plan (BCP)
Disaster Recovery Plan (DRP)

## Testing Methods in Automated Environment

Four standard audit tests, ranked:

Method	Efficiency	Evidence Strength
Inquiry	Most efficient	Least audit evidence
Observation	High	Moderate
Inspection	Moderate	High
Re-performance	Least efficient (time consuming)	Most effective

> Best practice: Inquiry should always be combined with other methods. Inquiry + Inspection gives the most effective AND efficient evidence.

### Common Testing Techniques in IT

Walkthrough — understand how an automated transaction is processed end-to-end
Observe a user processing transactions live
Inspect configuration defined in an application

Worked example

### Example 1

Example — GITC failure:

Client's IT team makes direct changes to the production database (bypassing the application) to correct invoice amounts.

Risk: Unauthorised data change + lack of change control.

Audit Impact: Cannot rely on automated controls; substantive procedures must be expanded; if pervasive, may modify the audit opinion.

### Example 2

Example — Test method selection:

Auditor needs to verify that the system correctly applies a 10% volume discount when order quantity > 1000 units.

Approach:

1. Inquiry with the IT manager about the rule (efficient, low evidence)

2. Inspect the configuration screen showing the rule (high evidence)

3. Re-perform by entering test orders and checking discount applied (most effective)

Combining inquiry + inspection is usually the optimal mix.

### Example 3

Example — Loss of data risk:

Client does not test backups regularly. Year-end revenue file gets corrupted.

Consequence: Without tested backup procedures, data cannot be restored → entire audit trail for revenue is lost → likely modification of audit opinion.

⚠️ Common exam mistakes

Treating GITCs and application controls as the same — GITCs are pervasive/indirect; application controls are transaction-specific
Relying only on Inquiry — gives least evidence and must be combined with other methods
Forgetting that BCP and DRP fall under Data Centre & Network Operations within GITC
Believing automation eliminates audit risk — it changes the nature of risk (unauthorised access, system errors) rather than eliminating it

Reference:

Now that you've read this — what's next?

Move from understanding → mastery in 3 clicks. Each option below picks up from this lesson's topic.

🔥 Drill 5 Qs on this → ✍️ Adaptive practice →

Automated Environment - Features, Risks and Controls

Worked example

⚠️ Common exam mistakes