
Digital Audit - Ankush Chirimar


Digital Auditing & Assurance

Digital Audit

Placing assurance on effectiveness of IT systems implemented in org

Consideration & Challenges of Digital Audit
• Automation should be part of broader digitalization strategy
• Don't forget about governance & data security in risk framework
• Target right processes for successful automation
• Ensure process works & is standardised before automating
• Think people first & do not underestimate that change is difficult
• Know what business benefits org wants to achieve

Advantages of Digital Audit
• Improved Risk Assessment
• Better Analytics
• Enhanced Effectiveness & Efficiency
• Better Audit Quality
• Lower Costs

Key Features of Digital Audit
• It helps to create future for digital strategy
• It encourages auditee to accept latest technological advancements & provides confidence to stay updated
• It allows to standardize processes & controls to mitigate risk
• It leads to savings in time, cost & human effort leading towards more productive tasks
• It helps org gain more comprehensive overview of end-to-end processes
• It helps auditee to make informed decisions
• It improves quality of opinion leading to more reliable audit report

Areas of Focus of auditors to obtain understanding of mgt’s implementation of new technologies include
• New activities or changes to existing processes due to new technology
• Changes in way entity’s systems are developed & maintained
• Impact new technology has on functioning of IC

Auditing Digitally

Using advancements in technology for conducting effective & efficient audit

Considerations in Auditing Digitally
• What problems are you trying to solve?
• Which technology can help you?
• How will you upskill your people to make best use of technology available?
• Range of automated solutions

Key Features/Advantages of Auditing Digitally
• Better risk assessment
• Improved Efficiency
• Increases Transparency
• Improved Quality of Audits
• Decreasing human dependency
• Automation & Ease

Understand IT/Automated Environment include
• Org structure & governance
• Policies, procedures & processes followed
• Details of IT infrastructure components for each application
• IT risks & controls
• Applications being used by co.
• Extent of IT integration, use of service orgs

Key Areas for Auditor to Understand IT Environment
• Identification of technologies used
• Identification of Significant Systems
• Assessing complexity of IT environment
• Understand flow of transaction
• Identification of Manual & Automated Control

#Hum_CA_Banenge Ankush Chirimar (AIR 5, 6, 32) Page | 1



Risks arising from use of IT
• Unauthorized access to data
• Unauthorized changes to IT applications
• Failure to make necessary update to IT
• Data loss/corruption is major risk which arises from use of IT
• Inappropriate manual intervention
• Possibility of IT personnel gaining access privileges beyond necessary
• There is risk of system downtime due to hardware failures, cyberattacks or power outage
• Since co. uses > 1 IT systems, system integration & system compatibility risks
• With increase in usage of IT, risk of regulatory compliances increases
• Performance issues arise with way requests are processed in IT systems

5 types of IT dependencies
• Interfaces - They are programmed logic that transfer data from 1 IT system to another
• Security - It is enabled by IT environment to restrict access to info through SODs
• Automated Controls – They are designed into IT environment to enforce business rules. E.g. format checks, existence checks & reasonableness checks
• Calculations - They are a/cing procedures performed by IT system instead of person
• Reports - System generated reports are info generated by IT systems

IT general controls address risks of IT dependencies

Cyber Risk

It is an attempt to gain unauthorized access to network to damage, steal, alter or destroy data

Most common types of cyber-attacks are
• Malware - Malicious software is program created to do harm to computer. It is most common cyber-attack, its subsets are –
o Mobile Malware – It targets mobile devices
o Fileless Malware - It uses native tools built in system for cyber-attack. It does not require attacker to install code on target’s system
o Trojan - It appears to be legitimate software disguised as native operating system/harmless files like free downloads
o Ransomware - Adversary encrypts victim’s data & provides decryption key for payment
• Phishing - It uses email, SMS, phone, social media to tempt victim to share sensitive info
o Spear Phishing - It targets specific individuals or orgs through malicious emails
o Whaling - It is social engineering attack, targets senior/C-level executive employee
o Vishing - Voice phishing is fraudulent use of phone calls & voice messages pretending to be from reputable org
o Smishing – Fraudulent practice of sending texts pretending to be from reputable co.
• Spoofing – In this, cybercriminal disguises themselves as known or trusted source
o Domain Spoofing – Attacker impersonates known person with fake website/email
o Email Spoofing - It targets businesses by using emails with forged sender addresses
• Identity-Based Attacks - When valid user’s credentials are compromised & adversary pretends to be that user
• Denial-of-Service Attacks - It is malicious, targeted attack that floods network with false requests to disrupt business operations
• Insider Threats - When current/former employees pose danger to org due to having direct access to co.
• DNS Tunneling - It leverages domain name system (DNS) queries & responses to bypass traditional security measures
• IoT-Based Attacks - It targets Internet of Things (IoT) device or network

3 Stages of Cyber Risk

1. Assessing cyber risk
• Ransomware disabling their org
• Common criminals using email phishing & hacks for fraud & theft
• Insiders committing malicious activities resulting in unintended disclosure of info

2. Impact of cyber risk
• Data loss, reputational loss & litigation
• Breach of Privacy, if personal data of consumer is hacked
• Incident response cost for investigations & remediations
• Ransomware - more common where entire systems are encrypted
• Regulatory costs
• Fines & penalties
• Business interruptions causing operational challenge for org
• Intellectual property theft to take competitive advantage

3. Managing cyber risk to
• Gain holistic understanding of cyber risks
• Understand accepted risks & documented compensating controls
• Assess existing IT & cybersecurity against regulatory requirements
• Align cybersecurity & IT initiatives with objectives & risks

Cyber Security Framework includes
• Identify risk - Entity shall conduct periodic risk assessment & develop mgt strategy to identify cybersecurity risks
• Detect risk - Entity shall have controls to identify cybersecurity risks & to assess & analyse their impact
• Respond to risk - Entity shall have response planning to capture details of incident & communicate it with TCWG
• Protect risk - Entity shall implement effective controls for data security
• Recover from risk - Entity shall undertake appropriate actions to recover from attack & make sure business is up & running

Control considerations for Cyber Risks

1. Control around vendor setup & modification
• Are there authentication protocols to verify modifications to vendor master data?
• Who is responsible for making changes to vendor master data?
• What systems are used to process requests for changes to vendor master data?
• Are other communication channels used to request changes to vendor master data?

2. Controls around electronic transfer of funds
• Are there authentication protocols to verify wire transfer requests?
• What systems are used to process wire transfers?
• Are personnel responsible for wire transfers educated on threats & phishing scams?

3. Controls around patch mgt
• Does entity have patch mgt program?
• Does entity run vulnerability scans to identify missing patches?
• How is entity notified of patches by external vendors?

Remote Audit/Virtual Audit

It is when auditor uses online means for audit

Considerations for remote audit
• Feasibility & Planning - Agreeing audit timelines, meeting platform used for audit
• Confidentiality, Security & Data Protection - Access to doc sharing platform shall be restricted & secured by encrypting data
• Risk assessment - Assessment if remote audit will be sufficient to achieve audit objectives

Advantages
• Wide selection of auditor from global expert
• First-hand evidence directly from IT system
• Time to gather evidence can spread for week
• Comfort & flexibility to audit team
• Cost & time effective

Disadvantages
• Remote access to sensitive IT systems may not be allowed
• Opportunity to present doctored docs & to omit relevant info is increased
• Limited or no ability to visualize facility culture of org & body language of auditees
• Meeting is interrupted due to network issues
• Cultural challenges for auditor

Emerging technologies in Audit - Data Analytics

It is generating & preparing meaningful info from raw data using processes, tools & techniques. Data analytics methods used in audit are called Computer Assisted Auditing Techniques or CAATs.

Popular tools used as part of CAATs are
• Audit Command Language – It samples large data to find irregularities indicating control weaknesses or fraud
• Power BI – It is business intelligence platform that provides non-technical users with tools for analysing & sharing data & finding outliers
• Alteryx - Fully transparent audit trail of every action is performed in Alteryx in form of workflow
• CaseWare – It is data analysis software & provides tools to conduct audit quickly, accurately & consistently

E.g. of tests performed using CAATs
• Existence of records
• Data completeness
• Data consistency
• Verify calculations
• Identify exceptions
• Identify errors
• Duplicate payments
• A/cs exceeding authorized limit
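
An added example, not part of the original notes, of how several of the CAAT tests named in this section (existence of records, data completeness, verify calculations, duplicate payments, a/cs exceeding authorized limit) can be run over a payment register. The vendor master, limits, voucher numbers and field layout are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample data (not from the notes): vendor id -> authorised limit
VENDORS = {"V001": Decimal("50000"), "V002": Decimal("20000")}
# Constructed payment register: (voucher_no, vendor_id, invoice_no, qty, rate, amount)
PAYMENTS = [
    (1001, "V001", "INV-10", 10, Decimal("1500.00"), Decimal("15000.00")),
    (1002, "V002", "INV-77", 4, Decimal("2500.00"), Decimal("10000.00")),
    (1003, "V001", "INV-10", 10, Decimal("1500.00"), Decimal("15000.00")),  # repeat of 1001
    (1005, "V009", "INV-03", 1, Decimal("900.00"), Decimal("900.00")),      # vendor not in master
    (1006, "V002", "INV-81", 3, Decimal("4000.00"), Decimal("12500.00")),   # 3 x 4000 != 12500
]

def run_caat_tests(payments, vendors):
    """Run the tests over the register and return the exceptions found per test."""
    findings = defaultdict(list)
    seen = {}                        # (vendor, invoice, amount) -> first voucher with that key
    totals = defaultdict(Decimal)    # total paid per vendor
    vouchers = sorted(p[0] for p in payments)
    present = set(vouchers)
    # Data completeness: voucher numbers are assumed to be issued sequentially
    findings["missing_vouchers"] = [
        n for n in range(vouchers[0], vouchers[-1] + 1) if n not in present
    ]
    for voucher, vendor, invoice, qty, rate, amount in payments:
        # Existence of records: payee must exist in the vendor master
        if vendor not in vendors:
            findings["unknown_vendor"].append(voucher)
        # Verify calculations: recompute the amount instead of trusting the stored value
        if qty * rate != amount:
            findings["calc_mismatch"].append(voucher)
        # Duplicate payments: same vendor, invoice and amount paid more than once
        key = (vendor, invoice, amount)
        if key in seen:
            findings["duplicate_payment"].append((seen[key], voucher))
        else:
            seen[key] = voucher
        totals[vendor] += amount
    # A/cs exceeding authorised limit: cumulative payments against the master limit
    findings["over_limit"] = sorted(
        v for v, total in totals.items() if v in vendors and total > vendors[v]
    )
    return dict(findings)

if __name__ == "__main__":
    for test, exceptions in run_caat_tests(PAYMENTS, VENDORS).items():
        print(test, exceptions)
```
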

Automated Tools in Audit

Internet of Things

It is concept of connecting any device to internet

Audit Implications - Auditors may need to scope new systems into audit. Audit Firms may need to train & upskill auditors to evaluate design & operating effectiveness of automated controls

Common risks - Device hijacking, data siphoning, denial of service attacks, data breaches & device theft

AI (Artificial intelligence)

It is system or machine that can think & learn

Auditor Implications - Review of AI shall ascertain whether unintended bias is added to algorithms. Auditors shall assess effectiveness of algorithms & whether its output is reviewed & approved

Common risks - Security, Inappropriate configuration & Data privacy

Robotic Process Automation

It is automation of repetitive processes performed by users

Audit Implications - Auditors shall understand RPA processes including data extraction & cleansing to initiate audit. Auditors shall also understand tools used to develop & maintain RPA

Common Risks of RPA - Operational & execution risks, Change mgt risks & RPA Strategy Risk

Blockchain

It is based on decentralized & distributed ledger that is secured through encryption

Audit Implications - Auditors shall consider appropriate governance & security around transactions. Weak blockchain application development is something auditors cannot overlook. Auditor must determine whether data put on blockchain will expose enterprise to liability for non-compliance with L&R

Common risks - Auditors shall ensure that org has necessary data mgt processes & complies with regulations. He shall check that compliance managers are following regulatory developments constantly & adapting accordingly

NFT (Non-Fungible Token)

It means something is unique & cannot be replaced. They are digital assets, e.g., photos, videos etc. They represent ownership of unique items. They are secured by blockchain & can only have 1 official owner at time

Key Features of NFT -
• Digital Asset
• Unique
• Exchange - NFT exchanges take place with cryptocurrencies on special sites

Challenges of NFT –
Ownership & copyright concerns, security risks, market is not that wide, online frauds etc.

Control Considerations or Objectives of Auditing Digitally


• Auditors shall gain holistic understanding of changes in industry & IT environment
• Auditors shall consider risks resulting from implementation of new technologies
• Auditors shall consider whether digital upskilling or specialists are necessary to determine impact
of new technologies

E.g. of technology risks where auditors shall test controls for relying on digital systems
• Unauthorized access to data leading to destruction/improper changes to data
• Unauthorized changes to data in master files
• Unauthorized changes to systems/programs
• Failure to make necessary changes to systems/programs
• Potential loss of data or inability to access data
• Inappropriate manual intervention
• Possibility of IT personnel gaining access privileges beyond necessary
• Reliance on systems/programs processing inaccurate data or inaccurately processing data

Next Generation Audit


It is human-led, tech-powered & data-driven. It is based on combining emerging technologies to
redefine how audits are performed

E.g. of Emerging Technologies Available for Next Generation Audit

• Drone Technology - Drones have great payload capacity for carrying sensors & cameras, thus they can photograph & physically examine count of fixed assets & inventory
• Augmented reality – It allows users to view real-world environment with augmented (added) elements, generated by digital devices. E.g. Pokémon Go
• Virtual reality - It replaces real world entirely with simulated environment, through digital images, sounds & even touch & smell
• Metaverse - It is emerging 3D digital space that uses VR, AR & other advanced internet technology to allow people to have lifelike personal & business experiences online

Potential application of metaverse in financial domain are
• Virtual Banking & Transaction
• Digital Asset Mgt
• Virtual Financial Education & Training
• Virtual Meetings & Conference
• Data Visualization & Analytics

Common Risks associated with Next Generation Audit


Public safety, cybersecurity, data privacy, data protection, lack of standards & technical challenges.
Since they track movements, massive data is generated for whereabouts of users. Regulators &
auditors have to think of controls around privacy, data security, governance to make it more regulated
