
AICITSS (Advanced IT) Course

Auditing in an ERP Environment


Chapter 1

© The Institute of Chartered Accountants of India


Accounting in ERPs
• All entries are Journal Entries
• No Primary or Secondary Books of Account – only data stored in Tables
• No posting from Primary to Secondary Books of Account
• So-called “Primary Books” such as Purchase Registers, Sales Registers, etc. are mere reports drawing data from tables which have already been populated.

Difficulties in Substantive audits in ERP
• Absence of Printouts
• Difficulty in Ledger Scrutiny
• Difficulty in audit of “manual” journal entries
• Increased use & complexity of Systems and Application software in Business
• IT Driven business
• Volume of transactions is high
• Systems distributed over different geographies
• Outsourced processes
• Need for efficiency and effectiveness of audit
Alternative to Substantive Audit?

Reliance on Controls -
• Relying on Automated Controls and Automated Accounting Procedures
• Reliance on System-Dependent Manual Controls
• Reliance on Underlying Data

A Controls-Based audit approach can be followed.

Types of Controls
• Manual Controls
• Automated Controls and Automated Accounting Procedures
• System-Dependent Manual Controls (Manual Controls relying on IT Reports)
What are General IT Controls?

GITCs may also be referred to as ITGCs or GCCs, which are defined as:

“Controls, other than application controls, which relate to the environment within which computer-based application systems are developed, maintained and operated, and which are therefore applicable to all applications”.

Impact of Inadequate General IT Controls
In case there are inadequate GITCs, the auditor will not be able to rely on -
• Automated Controls and Automated Accounting Procedures
• System-Dependent Manual Controls
• Underlying Data

Hence, there can be reliance only on Manual Controls and Substantive Audit Procedures, which can be very challenging.
Standards on Auditing
SA315 – Identifying and Assessing the Risk of Material Misstatement Through Understanding of the Entity and its Environment

The auditor shall (in addition to other procedures):
• Obtain understanding of Internal Controls
• Obtain understanding of Information Systems, including related business processes
• Obtain understanding of how the entity has responded to risks arising from IT
• Obtain an understanding of the entity’s controls over risk of inaccurate or incomplete recording of transactions in highly automated processing environment

Standards on Auditing
SA330 – The Auditor’s Responses to Assessed Risk

The auditor shall (in addition to other procedures) -
• Consider effectiveness of General IT Controls

Standards on Auditing
SA 701 Communicating Key Audit Matters in the Independent Auditor’s Report (Periods beginning on or after 01/04/2018)

• In determining Key Audit Matters (KAMs), the auditor is also expected to take into account the effect on the audit of significant events or transactions that occurred during that year, which include those relating to IT Systems and Controls.
• Insight on auditor’s assessment of the quality of internal controls in their significant risk assessment
• Explanations of changes to the audit approach or risk assessment
Reporting on IFCoFR
143(3) The auditor’s report shall also state -
(i) whether the company has adequate internal financial controls system in place and the operating effectiveness of such controls;

Reporting on IFCoFR - Exemptions
143(3)(i) shall not now apply to a private company:
• which is a one person company or a small company; or
• which has turnover less than rupees fifty crores as per latest audited financial statement or which has aggregate borrowings from banks or financial institutions and any body corporate at any point of time during the financial year less than rupees twenty five crore.
Accessing ERPs
• NEVER access Production (Live) Environments with INSERT/EDIT/DELETE RIGHTS
• Log on only with “READ ONLY” access
• If access is not provided to Production Environments, testing can be on Test Environments, provided it is assessed that the application code versions of the Production and Test Environments are the same (e.g. through cloning in presence of auditor).
• Super user, privileged or administrative access is not required for auditors.

Accessing ERPs
• Auditor should request temporary access for the duration of audit only.
• To obtain data from core technology components of an ERP environment, viz. operating systems, databases, networks, the auditor should take help from the respective system administrators.
• The auditor should not even inadvertently violate the company policies or compromise IT security.
IT Governance Framework
• The IT team is the owner of the application and the Business team is the owner of the data residing within the application.
• Ideally, the roles of both the teams should be segregated and should not overlap.
• Communication lines are strictly drawn to maintain the integrity of the data.
[Figure: organization chart with the boxes Board of Directors; Chief Information Officer (CIO) and Chief Finance Officer (CFO), joined by a link labelled “Communication”; Application Owner; Data Owner.]
Other Challenges in ERPs
• Issues on Data Extraction
• Each ERP installation is unique
• Each ERP child installation is unique
• First-year audits are difficult
• Absence of parallel runs
• Management Perception – ERP does it all
• Audit work-papers
SA 610 - Using the Work of an Auditor’s Expert
You will come across several aspects of ERP environments that require more in-depth understanding and knowledge of the technical subjects.

Even the best IT experts may not know all technologies.

If you DON’T KNOW, use Experts
Learning Objectives - Recap
• To understand the requirements of SA315 and SA330 relating to IT and auditing in an ERP environment.
• To understand the types of Books of Accounts in an ERP
• To understand Controls Based audit
• To understand the difficulties in performing only Substantive audits in ERP environment
• To understand the process of Access to systems relevant for audit
• To understand the Use of work of experts in an audit

Happy Learning…
