In the fourth installment of our Standards on Internal Audit segment, today we will be discussing about two more standards. These are SIA 14- Internal Audit in an Information Technology Environment and SIA 15- Knowledge of Entity and its Environment. These are discussed in detail as below-
- Standards on Internal Audit (SIA) 14: Internal Audit in an Information Technology Environment
The fourteenth Standard on Internal Audit or SIA 14 states the provisions for performing the Internal Auditing Process in an environment of information technology. The contents of the standards are-
- Matters for consideration: The followings areas or matters are to be considered by the internal auditor-
- Extent of the IT environment used
- Computer-based accounting system’s impact on the audit trail
- Flow of the complete and correct data that have been properly authorized to the processing department and center
- The tasks undertaken related to processing, analyzing and reporting during the installation
- Planning: The planning structure in the Internal Auditing Process involves the following-
- Significance of the computerized or automated processing system
- Complexity of the processing system
- Infrastructure of the Information Technology
- Determining the data that is available
- Determining the organizational structure of the company
- Nature of Risks: It is important to consider the nature of the risks while conducting Internal Audit Process. The following must be taken into consideration-
- Whether the transaction processing are of uniform nature
- Dependence of the controls on the computerized processing system
- Potential irregularities, errors or mistakes that may occur
- Potentiality of using the CAAT
- Potentiality for significant increase in management supervision
- Lack of segregation of functions
- Lack of trails of transactions
- Initiating and executing the transactions
- Reliability of ICS: The reliability of the computerized system and internal control of the organization must also be checked and ensured by the auditor thoroughly while providing Internal Audit Services.
- Adequacy of the data and information security
- Availability of data that has authorization, is correct and complete for the processing
- The accuracy and completeness of the outputs
- Any unauthorized amendments levied on the program
- Any interruptions in the IT environment’s working
- Safe and secure custody of the application software and data file’s source code
- Detecting the errors and correcting them on time
- Review of IT Environment: The auditor’s responsibility while conducting the Internal Auditing Process in an organization also includes reviewing the IT environment. For this he may verify the following-
- General controls
- Controls on application
- Audit Reports on Systems
- Planning for business continuity
- Management in case of crisis
- Reports related to system breaching
- Procedures of disaster recovery
- Network failure reports
- Reports on any threats on the security perimeter
- Reports about any virus attacks on the system
- Standards on Internal Audit (SIA) 15: Knowledge of the Entity and its Environment
The fifteenth Standard on Internal Audit states the regulations about the knowledge of the entity and its environment that an auditor must possess before performing the internal auditing process. The contents of the standard are as follows-
- Introduction: It includes-
- Constituents in the knowledge and understanding of the entity’s business
- Identification of information that is reliable, useful and appropriate in all manners
- Importance of the acquired knowledge in different phases of the engagement period in internal auditing process
- Techniques that the auditor has used to acquire that knowledge
- Acquiring Knowledge of the Entity: The following facts have to be acquired by the auditor while understanding the environment of the company-
- Relevant industry type
- Regulatory provisions and other external factors
- Nature of the organization
- Nature the business operations carried out in the organization
- Activities related to financing, investment and financial reporting
- Accounting policies of the company
- Business risks involved in the operation
- Strategies of the company
- Objectives and goals of the entity
- Source of Information: The source of the information used by the auditor is as important as the information itself. In the internal auditing process the following are included-
- Organizational structure
- Business plans followed by the company
- Any experience of previous engagement
- Documents of incorporation
- Visits to the premises of the entity
- Documentation produced internally by the company
- Any publications made related to the industry
- Thorough discussion sessions with the statutory auditors, customers, suppliers, third party agencies and key management persons
- Using the Knowledge: The knowledge of the entity must be used adequately in the internal auditing process by the auditor.
- Assessment of the risks
- Identification of the key areas of focus
- Evaluation of Internal Audit Evidence
- Planning the internal audit
- Performing the internal audit efficiently and effectively
- Adequate documentation of the obtained information
- Providing quality services to the clients