IS Audit and Internal Control


Implementation and continuous review of the effectiveness of Internal Controls has always been a challenge for enterprises. Internal Controls can be compared to the chassis of a vehicle – without the chassis, the engine is rendered useless. Internal Controls are most needed in a corporate environment to prevent fraud and to manage the risk of loss to assets and profits. In recent years, enterprises have become more enterprising and competitive and, with the help of technology, they have succeeded in expanding their services, products and presence. Enterprises now have locations all over the world, so the need for correct Internal Controls is greater than ever.

A CA provided the following services until technology transformed business. As a professional, he used to provide services such as Audit, Tax, Company Matters, Legal Compliance, Accounting etc. Specifically as an Audit Professional, he used to conduct audit engagements such as Statutory Audits, Tax Audits (both Direct and Indirect Taxes), Special Audits (as prescribed under various Acts), Bank Audits, Internal Audits etc. There is a paradigm shift in the expectations from Chartered Accountants in the new scenario.

A CA as an audit professional can provide more services that relate to technology such as IS Audits, Implementation of ERP and GRC (Governance, Risk Management and Compliance), Design of Access and Process Controls, Forensic Audits etc.

A CA is expected to know and review the implementation of new regulations and standards such as the Sarbanes-Oxley Act of 2002 (Sections 302 and 404), the Companies Act 2013 (Sections 134 and 143), Clause 49 of SEBI’s Listing Agreement, the Privacy Acts of various countries, and standards such as the ISO 27000 family, ISO 22301, BSI (British Standards Institution) standards and PAS (Publicly Available Specification) standards, not forgetting frameworks such as COBIT 5 (Control Objectives for Information and Related Technology) and the COSO (Committee of Sponsoring Organizations) Framework for Internal Controls.

One such greenfield service is the engagement to conduct IS Audits (Information Systems Audits). An IS Audit is closely related to Internal Audit: the Internal Controls present in the enterprise are entirely relevant while conducting an IS Audit.

The following keywords recur throughout this study, and it is important to understand them.

  1. Control: An Internal Control present in a business environment. It can be an IT Control or a non-IT Control.
  2. Risk: The degree of threat to the business that arises from a specific event happening or not happening.
  3. Process: A set of tasks makes a workflow; a set of workflows makes a process. A process is controlled by a “Process owner” or “Function head”. E.g. HR Process, Procurement Process.

Internal Control simply means “Policies framed by the management in order to have stronger and adequate control of affairs within the enterprise, and which can be checked by the Internal or Statutory Auditor in order to ensure that the goals and objectives of the enterprise are duly met”. They are practices and processes enforced on the employees of an enterprise to prevent fraud and to maintain integrity of the data.

Internal Controls are the sum of General Controls and IS Controls. IS Controls are in turn the sum of IT Application Controls and IT General Controls. General Controls are Internal Controls that are not enforced through the IT system, unlike IS Controls. IS Controls are controls present on the enterprise’s IT Infrastructure, which includes hardware and software.

IT Application Controls: They vary depending on the applications that the enterprise has installed for its revenue generation. Application software is the software that processes business transactions; it could be a retail banking system, an inventory system or possibly an integrated ERP. Controls which relate to business applications, lead to judicious use of the application and are enforced on the end user through the application itself are called IT Application Controls. IT Application Controls can be broadly classified into five categories:

  1. Input Controls: Controls that are enforced during the input of data by a user. E.g. Data Checks and validations.
  2. Processing Controls: Controls that are enforced during the processing of data that have been input. E.g. duplicate checks, File Identifications and Validations etc.
  3. Output Controls: Controls that are enforced during display of output of the processed data. E.g. Update Authorizations etc.
  4. Integrity Controls: These controls are used to preserve the genuineness and accuracy of data. E.g. Data Encryption, Input Validations etc. These controls can be enforced during input and processing and storage of data.
  5. Management Trails: These controls are for the management to find out the audit trail of a transaction. E.g. Time stamps and snapshots of application.
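To make the five categories concrete, here is an added example (not code from the original post) of a minimal payment-posting routine that enforces one control of each kind: field and master-data validation (input), a duplicate-id check (processing), an approval limit on who may post large amounts (output/authorisation), a digest over each stored record (integrity) and a timestamped audit trail (management trail). The vendor master, user roles, approval limit and sample transactions are all constructed for illustration.

```python
"""Added example: a toy accounts-payable posting routine that enforces the five
IT Application Control categories. All reference data and transactions below are
constructed for illustration and are not drawn from any real system."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed reference data: approved vendor master and user authorisations.
VENDOR_MASTER = {"V001", "V002"}
USER_ROLES = {"alice": "ap_clerk", "bob": "ap_supervisor"}
APPROVAL_LIMIT = 10_000.00  # assumed: amounts above this need a supervisor


class ControlViolation(Exception):
    """Raised when a transaction fails an application control."""


def validate_input(txn):
    """Input control: field presence, type, range and master-data checks before processing."""
    for field in ("id", "vendor", "amount", "user"):
        if field not in txn:
            raise ControlViolation(f"missing field {field}")
    if not isinstance(txn["amount"], (int, float)) or txn["amount"] <= 0:
        raise ControlViolation("amount must be a positive number")
    if txn["vendor"] not in VENDOR_MASTER:
        raise ControlViolation(f"vendor {txn['vendor']} not in vendor master")
    if txn["user"] not in USER_ROLES:
        raise ControlViolation(f"unknown user {txn['user']}")


def record_digest(txn):
    """Integrity control: a digest over the canonical record so later tampering is detectable."""
    canonical = json.dumps({k: txn[k] for k in ("id", "vendor", "amount")}, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


class PaymentLedger:
    def __init__(self):
        self.posted = {}       # transaction id -> stored record with its digest
        self.audit_trail = []  # management trail: who did what, when, with what outcome

    def _log(self, txn_id, user, outcome, reason=""):
        self.audit_trail.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "txn": txn_id, "user": user, "outcome": outcome, "reason": reason,
        })

    def post(self, txn):
        """Apply the controls in order; every outcome, accepted or rejected, is logged."""
        try:
            validate_input(txn)
            # Processing control: reject duplicate transaction identifiers.
            if txn["id"] in self.posted:
                raise ControlViolation(f"duplicate transaction id {txn['id']}")
            # Output/authorisation control: large payments need a supervisor.
            if txn["amount"] > APPROVAL_LIMIT and USER_ROLES[txn["user"]] != "ap_supervisor":
                raise ControlViolation("amount exceeds clerk approval limit")
        except ControlViolation as exc:
            self._log(txn.get("id"), txn.get("user"), "REJECTED", str(exc))
            return False
        stored = dict(txn, digest=record_digest(txn))
        self.posted[txn["id"]] = stored
        self._log(txn["id"], txn["user"], "POSTED")
        return True

    def verify_integrity(self, txn_id):
        """Recompute the digest of a stored record; False means it was altered after posting."""
        rec = self.posted[txn_id]
        return record_digest(rec) == rec["digest"]


# Constructed sample transactions, each exercising one control.
SAMPLE_TXNS = [
    {"id": "T1", "vendor": "V001", "amount": 500.0, "user": "alice"},
    {"id": "T1", "vendor": "V001", "amount": 500.0, "user": "alice"},    # duplicate id
    {"id": "T2", "vendor": "V999", "amount": 50.0, "user": "alice"},     # vendor not in master
    {"id": "T3", "vendor": "V002", "amount": 25000.0, "user": "alice"},  # above clerk limit
    {"id": "T4", "vendor": "V002", "amount": 25000.0, "user": "bob"},    # supervisor, accepted
]


def run_sample():
    """Post the sample transactions and return the ledger and per-transaction outcomes."""
    ledger = PaymentLedger()
    results = [ledger.post(t) for t in SAMPLE_TXNS]
    return ledger, results


if __name__ == "__main__":
    ledger, results = run_sample()
    for entry in ledger.audit_trail:
        print(entry)
```

The audit trail records rejections as well as successful postings, which is what lets an auditor later reconstruct why a transaction never reached the ledger; the digest check shows how an integrity control detects a record edited after the fact.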

IT General Controls: They may also be referred to as General Computer Controls. These are controls other than IT Application Controls which relate to the environment within which computer-based application systems are developed, maintained and operated, and are therefore applicable to all applications. They are policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems.

IT General Controls can be broadly classified into the following areas:

  1. Physical Access Controls: These controls are enforced to protect the physical locations of the IT Infrastructure. E.g. Security Personnel, Physical Locks, Biometric Locks, CCTV etc.
  2. Data Center Controls: These controls are enforced specifically at the data centers of an enterprise. A data center is treated as an extremely sensitive area and thus a higher risk would be present. E.g. Biometric Locks, Presence of Server Racks, Presence of Air Conditioners, Fire Extinguishers, Weather Controls, Log Register of people etc.
  3. IS Security: These controls are enforced at every level of IT Infrastructure. The objectives of these controls are protection of Information Assets. The CIA triad is enforced i.e. Confidentiality, Integrity and Availability of Data and information security is maintained. E.g. Firewall, Antivirus, Anti Spyware, Timely updating of software and antivirus updates and patches etc.
  4. System Development Life Cycle and Change Management Controls: These controls are enforced to ensure that the correct process of software development/procurement and release management is followed. E.g. Documented Process for procuring software, Documented Process of incorporating changes to the acquired software etc.
  5. Logical Controls: These are controls which provide access restrictions to the employees who use the IT Infrastructure. The motive of these controls is to protect the identities of the employees and to prevent misuse. E.g. User Account Passwords, Access Removal upon termination, screen locks etc.
  6. Backup and Recovery: These controls are present to ensure proper backup and recovery processes of the data of the organization. E.g. Daily Backup of data and environment (OS), Restoration Practice trial etc.
  7. End user computing: These controls are enforced directly on the employees. These controls are enforced with an objective of prevention of IT Infrastructure Abuse by the employees. E.g. Logging of user activity and Review, Disabling of USB Ports etc.

An IS Audit is performed to provide assurance that all of the above-mentioned controls are adequate and appropriate to the nature of the enterprise and are operating effectively in its functions. An IS Audit is typically divided into two sections, i.e. Review of IT Application Controls (ITAC) and Review of IT General Controls (ITGC). An IS Audit would follow this process:

  • An IS Auditor would begin the audit engagement by having a conversation with the IT Administrator/CIO of the enterprise. The IS Auditor would review all the documented policies and processes being enforced within the organization. Documented policies would include an IS Security Policy, Bring Your Own Device (BYOD) Policy, Password Policy, BCP etc. From this the IS Auditor gains an understanding of the overall level of the Internal Controls.
  • An IS Auditor would then gain an understanding of the applications that have been implemented in the IT Infrastructure. It would be a base for him to decide the plan of action of the Audit.
  • The next step would be to collect a list of all the types of logs that can be generated by the applications.
  • After collecting the above information, the auditor identifies the risks applicable to the enterprise. The approach is to create a matrix for each application and area (for ITAC and ITGC respectively) and to identify the controls enforced in the enterprise against each risk. All identification and review of controls would be performed by sampling, observation or any other suitable method.
  • Testing of Design Effectiveness and testing of operating effectiveness would be performed by the IS Auditor on every identified control. Testing of Design Effectiveness refers to the working design of the control as documented. It is a blue print of the control. Testing of Operating Effectiveness refers to actual performance of the Control in the IT Environment.
  • It is important for the IS Auditor to collect sufficient evidence while identifying the controls. Evidence can be in the form of screenshots, email threads, scanned documents, photographs, minutes of meetings etc.
  • A Risk Rating exercise is then performed to the identified controls to see whether the identified control is sufficient to mitigate the identified risk.
  • Based on the Risk Ratings and the evidence collected, suitable recommendations would be made and accordingly an IS Audit report would be drafted and shared with the enterprise.
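The risk matrix and risk-rating steps above can be expressed as a small worked example. The following is an added illustration, not the author's own method or tooling: each identified risk is placed in the ITAC/ITGC matrix with a likelihood and impact, the controls mapped to it are recorded together with the outcome of design and operating effectiveness testing and the evidence collected, and a residual score is derived to decide whether the control set mitigates the risk to within a tolerance. The three-point scales, the assumption that each effective control reduces likelihood by one step, the tolerance threshold and the sample risks and controls are all constructed assumptions.

```python
"""Added example: a risk-control matrix and risk-rating exercise for an IS Audit.
The scales, the one-step likelihood reduction per effective control, the tolerance
and the sample risks/controls are constructed assumptions for illustration."""
from dataclasses import dataclass, field

LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}
RISK_TOLERANCE = 3  # assumed: a residual score above this is reported with a recommendation


@dataclass
class Control:
    ref: str
    description: str
    documented: bool           # design evidence exists (policy, SOP, configuration screenshot)
    design_effective: bool     # the documented design actually addresses the risk
    operating_effective: bool  # sample testing found it operating as designed
    evidence: list = field(default_factory=list)

    def is_effective(self):
        """A control only counts when its design is documented, sound and operating."""
        return self.documented and self.design_effective and self.operating_effective


@dataclass
class Risk:
    ref: str
    area: str         # "ITAC:<application>" or "ITGC:<area>" cell of the matrix
    description: str
    likelihood: str
    impact: str
    controls: list

    def inherent_score(self):
        """Risk before considering any control."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self):
        """Each effective control is assumed to reduce likelihood by one step (floor 1)."""
        effective = sum(1 for c in self.controls if c.is_effective())
        reduced_likelihood = max(1, LIKELIHOOD[self.likelihood] - effective)
        return reduced_likelihood * IMPACT[self.impact]


def rate_matrix(risks):
    """One finding per risk: scores, whether residual risk is within tolerance,
    and which mapped controls failed, so the auditor can phrase a recommendation."""
    findings = []
    for r in risks:
        failed = [c.ref for c in r.controls if not c.is_effective()]
        residual = r.residual_score()
        findings.append({
            "risk": r.ref, "area": r.area,
            "inherent": r.inherent_score(), "residual": residual,
            "within_tolerance": residual <= RISK_TOLERANCE,
            "failed_controls": failed,
        })
    return findings


# Constructed sample matrix covering one ITAC cell and two ITGC areas.
SAMPLE_RISKS = [
    Risk("R1", "ITGC:Logical access", "Terminated employees retain system access",
         "high", "high", [
             Control("C1", "HR-to-IT leaver notification and same-day de-provisioning",
                     True, True, False, ["leaver_list_Q1.xlsx", "AD_user_export.csv"]),
             Control("C2", "Quarterly user access review signed off by function heads",
                     True, True, True, ["UAR_Q1_signoff.pdf"]),
         ]),
    Risk("R2", "ITAC:Payables", "Duplicate vendor invoices are paid twice",
         "medium", "high", [
             Control("C3", "ERP blocks a repeated invoice number for the same vendor",
                     True, True, True, ["config_screenshot.png", "test_posting_log.txt"]),
         ]),
    Risk("R3", "ITGC:Backup and recovery", "Backups cannot be restored when needed",
         "medium", "high", [
             Control("C4", "Daily backup job with monitored completion",
                     True, True, True, ["backup_job_log.txt"]),
             Control("C5", "Annual restoration trial", True, False, False, []),
         ]),
]


if __name__ == "__main__":
    for finding in rate_matrix(SAMPLE_RISKS):
        print(finding)
```

Note that R3 lands within tolerance even though its restoration trial has no sound design: the residual score answers "is the risk mitigated enough?", while the failed-controls list still surfaces the control that needs a recommendation, which is why both belong on the matrix.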

Thus the ultimate test of IT Internal Controls can be performed in an IS Audit. Based on the findings and observations, an IS Auditor would be able to provide sufficient assurance whether the incorporated controls are adequate or not to the nature and size of the IT Infrastructure of the enterprise.

Information Systems Audit is now an emerging field for Chartered Accountants and other auditing professionals. This post describes in brief the relation between Internal Controls and IS Audit. Below is a basic presentation for understanding the concept of IS Audit for those who are new to the field.

Compliance of Internal Controls over Indian Financial Reporting


In the year 2009, we saw investor confidence in the Indian scenario fall from Rs. 300 to Rs. 10 per share. The money invested was systematically wiped off and withdrawn over a number of years by the management of Satyam, which falsified its accounts. Satyam had betrayed the trust and belief of its investors. This dealt a big blow to the accountability and transparency of Accounts and Internal Controls in India.

Incidentally, this problem had already been highlighted worldwide when the Enron, WorldCom and other such scams surfaced to the public.

It is evident that there is a growing need to protect the interest of the public in companies. The money invested by the shareholders needs to be well protected from misuse and must be used for the sole purpose of the objectives laid down by the company. Apart from investors, various other parties rely on the efficient performance of companies, including regulators, bankers, vendors, customers, suppliers etc.

The Government, as a regulator, has an implied responsibility to protect the interest of the public. It has come up with stringent regulations for all those types of business entities that run on public money. To quote a few examples, we have the Companies Act 2013, the SEBI Act, Clause 49, the Multi-State Co-operative Societies Act etc. Time and again, the Government continues to update the regulations and enforces compliance through its regulators, which include SEBI, MCA, RBI etc.

In the USA, which is known for its benchmark regulations, the Sarbanes-Oxley Act of 2002 was enacted as a reaction to the Enron and WorldCom scandals and other notable scams. The following major sections are enforced on companies of US origin –

  1. Section 302 – Disclosure of Controls
    Section 302 of the Act mandates a set of internal procedures designed to ensure accurate financial disclosure. The signing officers must certify that they are “responsible for establishing and maintaining internal controls” and “have designed such internal controls to ensure that material information relating to the company and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared.”

  2. Section 404 – Assessment of Internal Controls
    The most contentious aspect of SOX is Section 404, which requires management and the external auditor to report on the adequacy of the company’s internal control on financial reporting (ICFR). This includes documenting and testing important financial manual and automated controls deployed in the company.

Under the Indian scenario, we have the Companies Act, revised in the year 2013. The Act was revised as a response to the Satyam scam and to prevent further financial losses. Under the new Companies Act 2013, the following sections pertain to ICFR –

  1. Section 134 – Directors Statement of Internal Controls being adequate and operating effectively
    Clause (e) of Sub-section 5 of Section 134 to the Act requires the directors’ responsibility statement to state that the directors, in the case of a listed company, had laid down internal financial controls to be followed by the company and that such internal financial controls are adequate and were operating effectively.

Clause (e) of Sub-section 5 of Section 134 explains the meaning of the term, “internal financial controls” as “the policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence to company’s policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information.”

  2. Section 143 – Auditor’s assessment of the operating effectiveness of Internal Controls –
    The Companies Act, 2013 specifies the auditor’s reporting on internal financial controls only in the context of audit of financial statements. Consistent with the practice prevailing internationally, the term ‘internal financial controls’ stated in Clause (i) of Sub-section 3 of Section 143 would relate to ‘internal financial controls over financial reporting’.
    Considering the above, the auditor needs to obtain reasonable assurance to state whether an adequate internal controls system was maintained and whether such internal financial controls system operated effectively in the company in all material respects with respect to financial reporting only.
    A company’s internal financial control over financial reporting includes those policies and Procedures that –
  • Pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company.
  • provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorisations of management and directors of the company; and
  • Provide reasonable assurance regarding prevention or timely detection of unauthorised acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements.”

Thus the Companies Act has created a new challenge for management: to design and implement internal controls over the business processes of the company. It has set an even harder task for the auditor: to test the design and operating effectiveness of the implemented controls and to check whether the deployed controls are sufficient and adequate against the risks present in the company’s business environment.

Management thus has the following responsibilities –

  1. Identify and Evaluate the risk present in the business environment
  2. Design a control
  3. Implement the control
  4. Monitor the control
  5. Design compensating controls in case a preventive control cannot be implemented.

Management would refer to internal control frameworks such as the COSO (Committee of Sponsoring Organizations) Internal Control Framework, COBIT 5 (Control Objectives for Information and Related Technology), ISO standards etc. for guidance on implementing the controls.

It is crucial to note that the controls need to be deployed uniformly at all business units of the company. Each control has to be documented and reviewed periodically by the management. The Internal control component can be broken into the following –

  1. Control Environment – It refers to the company’s entire business environment.
  2. Risk Assessment – It refers to the identification and assessment of the risks present in the environment. This is performed to decide the design of the control.
  3. Control Activities – A control objective is a statement of the extent to which the control is to be achieved. A control objective is set after assessing the level of risk present in the control environment. Control activities are the activities, in the form of policies, procedures and organisation structure, that are developed and implemented in the company to meet that objective. A set of control activities is mapped to one control objective.
  4. Information System and Communication – It refers to the IT Controls that have to be implemented in the system. IT Controls can be broadly classified into IT Application controls and IT General Controls.

    IT Application Controls vary depending on the applications that the enterprise has installed for its revenue generation. Application software is the software that processes business transactions; it could be a retail banking system, an inventory system or possibly an integrated ERP. Controls which relate to business applications, lead to judicious use of the application and are enforced on the end user through the application itself are called IT Application Controls.

    IT General Controls are those controls other than IT Application Controls which relate to the environment within which computer-based application systems are developed, maintained and operated, and are therefore applicable to all applications. They are policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems.

  5. Monitoring Activities – These refer to the controls that are deployed by the management which would monitor the regular activities that are performed using the controls. Usually this is performed by conducting periodic reviews initiated by the Compliance team and audited by the internal audit team.

Management would be able to comply with Section 134, if they are successful in designing, implementing and monitoring the internal controls against the identified risks.

The Auditor would have the following responsibilities –

Financial reporting is like singing the success of an organisation. Just as we have seen a transition from complex classical music to modern music, there has been a steady change from Historical Reporting to Responsible Reporting. The need for effective presentation of results makes a difference to the decision making of diverse groups of end users spread across geographies. This makes financial reporting a very challenging and complex exercise.

Because of Section 143, Responsible Reporting now requires the auditor to provide an opinion on the financial statements and, additionally, an opinion on the operating effectiveness of the internal controls in place in the company. Operating Effectiveness refers to the effectiveness of the actual performance of the control in the business environment.

Thus the auditor has now become accountable for both the financial statements and the internal controls. Penalties would be levied on the auditor by the regulators if he has not fulfilled his responsibility of gaining assurance on the effectiveness of the controls.

The Institute of Chartered Accountants of India has come out with a Guidance note for auditors which provides guidance towards their responsibility for Internal Financial controls over financial reporting. This guidance note suggests the following methodology that can be followed by the auditor.

[Figure: methodology from the ICAI Guidance Note on audit of internal financial controls over financial reporting; image not reproduced]

In addition to the above-mentioned approach, the auditor will have to ensure that he performs the following tasks –

  1. Test the design effectiveness of every control deployed in every business process, business application and general application.
  2. He would have to obtain sufficient and appropriate evidence to substantiate his report in accordance with SA 500. Evidence would include raw system logs, screenshots, tickets, raw files, policy documents, organisation charts etc.
  3. He would have to test the controls and document the results as part of his work-papers in accordance with SA 230 (Audit Documentation).
  4. His documentation should include testing lead sheets which provide the following details –
    • Test Date
    • Risk, Control Objective and Control Activities and Control Number
    • Details of the entity which is being audited.
    • Details of evidence provided and the person who provided the evidence
    • Completeness check details
    • Evaluation of design effectiveness. Design simply refers to a documented blueprint of a control. The documentation includes the control objective and the risks being addressed, the control activities, control owner etc.
    • Evaluation of Operating effectiveness.
    • Population details and Sampling Methodology.
    • Testing Summary of the chosen samples and references to the supporting work-papers created as evidence.
    • If the auditor relies on the work of the internal auditor or another auditor in accordance with SA 610/SA 600, he would have to provide his opinion on the quality of the testing performed by that auditor.
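As an added illustration of the lead-sheet fields listed above (this is not the ICAI methodology or any firm's template), the following builds a lead sheet for one control from a population of control instances: it records the completeness check on the population received, evaluates design effectiveness from the documented blueprint, draws a sample by a stated method (systematic selection at a fixed interval), tests each sampled item against its evidence and records the summary, exceptions and conclusion. The sample-size table, the control, the quarter of weekly backup reports used as the population, the test date and the evidence provider are all constructed assumptions.

```python
"""Added example: assembling a testing lead sheet for one control, with a completeness
check on the population, a systematic sample and a zero-exception evaluation of
operating effectiveness. Sample sizes, control details, population, date and names
are constructed assumptions for illustration."""
from datetime import date

# Assumed sample sizes by control frequency (a firm's own methodology would set these).
SAMPLE_SIZE_BY_FREQUENCY = {"annual": 1, "quarterly": 2, "monthly": 3, "weekly": 5, "daily": 25}


def systematic_sample(population, size):
    """Pick every k-th item of the ordered population (k = len // size), starting at the first.
    Returns the sample and the interval used, which the lead sheet must disclose."""
    if size >= len(population):
        return list(population), 1
    interval = len(population) // size
    return [population[i * interval] for i in range(size)], interval


def build_lead_sheet(control, population, test_date, evidence_provider):
    """Assemble the lead-sheet fields for one control; the conclusion is withheld
    when the population is incomplete, because a sample from an incomplete
    population says nothing about the items that were never produced."""
    expected = control["expected_population"]
    complete = len(population) == expected
    size = SAMPLE_SIZE_BY_FREQUENCY[control["frequency"]]
    sample, interval = systematic_sample(population, size)
    tested = [{"ref": item["ref"], "evidence": item["evidence"],
               "result": "PASS" if item["ok"] else "EXCEPTION"} for item in sample]
    exceptions = [t["ref"] for t in tested if t["result"] == "EXCEPTION"]
    design_effective = control["design_documented"] and control["design_addresses_risk"]
    if not complete:
        conclusion = "INCOMPLETE POPULATION"
    elif not design_effective:
        conclusion = "DESIGN INEFFECTIVE"
    elif exceptions:
        conclusion = "OPERATING EXCEPTIONS"
    else:
        conclusion = "OPERATING EFFECTIVELY"
    return {
        "test_date": test_date.isoformat(),
        "control_number": control["number"],
        "risk": control["risk"],
        "control_objective": control["objective"],
        "control_activity": control["activity"],
        "entity": control["entity"],
        "evidence_provided_by": evidence_provider,
        "completeness_check": {"expected": expected, "received": len(population), "complete": complete},
        "design_effective": design_effective,
        "sampling": {"method": "systematic", "interval": interval,
                     "sample_size": len(sample), "population_size": len(population)},
        "testing_summary": tested,
        "exceptions": exceptions,
        "conclusion": conclusion,
    }


# Constructed control: weekly review of the backup report, one 13-week quarter in scope.
SAMPLE_CONTROL = {
    "number": "ITGC-BR-01", "entity": "Example Ltd (constructed)", "frequency": "weekly",
    "risk": "Backups fail silently and data cannot be restored",
    "objective": "Backups complete successfully and failures are followed up within one business day",
    "activity": "IT operations reviews the weekly backup report and signs it off",
    "expected_population": 13, "design_documented": True, "design_addresses_risk": True,
}

# Constructed population: 13 weekly reports, with week 7 lacking the sign-off.
SAMPLE_POPULATION = [
    {"ref": f"W{week:02d}", "evidence": f"backup_report_W{week:02d}.pdf", "ok": week != 7}
    for week in range(1, 14)
]


def run_sample():
    """Build the lead sheet for the constructed control and population."""
    return build_lead_sheet(SAMPLE_CONTROL, SAMPLE_POPULATION,
                            date(2024, 4, 15), "IT Operations Manager (constructed)")


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

Because the sampling interval is fixed and disclosed on the sheet, a reviewing partner or another auditor relying on the work under SA 610/SA 600 can re-perform the selection and reach the same items; a sample chosen without a recorded method cannot be re-performed.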

Thus the ultimate test of Internal Controls is performed here. Based on the inquiries, findings and observations, an Auditor would be able to provide sufficient assurance on whether the incorporated controls are adequate and to ensure that there is no harmful effect on the figures presented in the financial statements.

A good Chartered Accountant loves good challenges, and they also mean good money; the big bonus has come in the form of the Companies Act 2013. Only its number sounds unlucky, but it is nothing but a bundle of new opportunities. One such opportunity for the Chartered Accountant is the service he can render to ensure that the company stays compliant with the regulatory requirements on Internal Controls over Financial Reporting, and thus he will be able to restore, cultivate and protect the confidence of the investors and other stakeholders of the company.