AICITSS (Advanced IT) Course
Auditing in an ERP Environment
Chapter 3: Automated Application Controls
© The Institute of Chartered Accountants of India
Overview
Section 143 of Companies Act 2013 – Whether Company has adequate
internal financial controls system in place
Securities and Exchange Commission (SEC) of the United States of America 2003 –
Certification of the Internal Controls over Financial Reporting (ICFR) by
management and auditor
Regulatory requirements in other countries also require auditors to
certify the adequacy of internal controls over financial
statements.
Auditors are required to express an opinion on the effectiveness of a
Company’s internal controls over financial reporting and such opinion is in
addition to and distinct from the opinion expressed by the auditor on the
financial statements.
Overview
SA 315 – Identifying the risk of material misstatement through
understanding the control and its environment.
Internal Control framework to minimize the risk.
Internal Control framework is implemented irrespective of whether a
Company has ERP or not.
Focus of this session is to understand the internal controls in an ERP
environment.
Overview
The Guidance Note on Internal Financial Controls over Financial Reporting
defines Application Controls “as those controls that achieve the business
objectives of timely, accurate and reliable information”.
The Committee of the Sponsoring Organisations of the Treadway
Commission (COSO) defines control activities “as the policies, procedures
and activities that help ensure management objectives are carried out”.
Overview
Why are ERP’s implemented
o Manual to automated processes
o Respond faster to competition
o Ease of reporting
o Better control environment due to automation
Learning Objectives
What are Automated Application Controls
Types of Automated Application Controls
Various Business Cycles, Obtain Process
Understanding and Identification of Controls
Procedures for review of Design Effectiveness and
Operating Effectiveness of Application Controls
When to test Automated Application Controls
Sample Sizes
Impact of deficiencies in Automated Application
Controls
What are automated controls
Controls that are implemented over the processing of transactions and data
within the application and are specific to each application. These are AACs.
Objectives of AAC’s to ensure
o Completeness of data
o Accuracy of data
o Authorised transactions are processed
o Validity of transactions
o Appropriate segregation of duties
What are automated controls
Some Risks addressed by AAC’s include
o Unauthorised personnel entering the data
o Personnel entering unauthorised data
o Unauthorised changes / modifications to data
o Inaccurate processing of data
o Data being obtained by unauthorised personnel
Types of Automated Controls
Automated Controls
o Inherent
o Automated Account Posting
o Embedded Calculations
o Access/Security Controls
o Configurable Controls
Types of Automated Controls
Inherent Controls
Types of Automated Controls
Embedded Calculations
Types of Automated Controls
Configurable Controls
Types of Automated Controls
Automated Account Posting
ACCOUNT CODE   PARTICULARS                      DEBIT   CREDIT
300000         Stock Account                    XXXXX
191100         To Goods Receipt account                 XXXXX
301100         To Freight Clearing account              XXXXX

ACCOUNT CODE   PARTICULARS                      DEBIT   CREDIT
301100         Goods Receipt account            XXXXX
V11001         To Vendor account                        XXXXX
Types of Automated Controls
Access Security Controls
Data Entry Operator
Purchase Executive
Sales Manager/Finance Manager
CFO and Other Senior Mngt.
Process of identification of AAC’s
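IT system: SAP
Significant Accounts and Disclosures: Sales, Debtors, Purchases, Creditors, Closing Stock etc.
Major Business Processes / Cycles: Sales/Debtors - Revenue and Receivables; Purchases/Creditors – Purchase Payables Process; Stock – Inventory Process
Relevant for financial reporting (Y/N): Y
Automated Controls configured within the system/Application (Y/N): Y

IT system: Pay Master
Significant Accounts and Disclosures: Salaries, Loans and Advances to Employees, Leave balances
Major Business Processes / Cycles: HR and Payroll process
Relevant for financial reporting (Y/N): Y
Automated Controls configured within the system/Application (Y/N): Y

IT system: Interface between Paymaster and SAP
Significant Accounts and Disclosures: Salaries, Loans and Advances to Employees, Leave balances
Major Business Processes / Cycles: HR and Payroll process and Period End Closing process
Relevant for financial reporting (Y/N): Y
Automated Controls configured within the system/Application (Y/N): Y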
Process of identification of AAC’s
The understanding of the process flows and the controls within the
processes can be documented in either of the 2 ways
Process Flow Diagrams
Process Narratives
Process of identification of AAC’s
Points to consider
Who is involved in the process (e.g., departments, roles, and people)?
Are there segregations of duties that are relevant to the process?
What is the general objective of the processes and what are the related sub
processes?
When does the process occur?
Does the process involve, or impact, multiple locations?
Process of identification of AAC’s
Points to consider
What are the tasks within the process and in what sequence do they occur?
What are the points in the process at which a misstatement, including a
misstatement due to fraud could arise?
What control activities address the risks?
What IPE is involved?
How are application systems involved within the process?
Process of identification of AAC’s
Process Flow Diagrams - Example
Start
1. Depreciation is calculated in compliance with Schedule-II; the calculation is automated in ERP.
2. After finalization of additions and deletions in every quarter, the depreciation is run month-wise in ERP. (FA01- A)
3. The authorization in ERP to run depreciation is given to Manager – Accounts.
Stop
Process of identification of AAC’s
Process Narrative – Example: Depreciation Run Procedure
The Finance Team is in charge of the depreciation run in the ERP. This is run
centrally for all locations.
Depreciation is calculated as per Schedule-II and the depreciation
calculation is automated in the ERP.
The finalization of additions and deletions is done every quarter.
The depreciation is run month-wise in the ERP via path: Transactions -
Assets – Depreciation Run.
Depreciation in the ERP can be run only on a monthly basis. The
authorization in the ERP to run depreciation is given to Manager–Accounts.
Process of identification of AAC’s
Process: Fixed Assets
Sub Process: Depreciation
Control No.: FA-01
Risk Description: Depreciation calculation may be incorrect
Description of Control: Manager-Accounts runs the depreciation after all the additions and deletions are updated by accounts team. Depreciation is automatically computed by ERP based on the useful life entered in Asset Master.
FSA: A
Frequency: Monthly
Manual/Automated: Automated
Preventive/Detective: Preventive
System, IPE: ERP
Review of Design and Operating Effectiveness
Evaluation of Design Walkthrough
Inquiry should be made of relevant or appropriate personnel performing the
control. Probing and open ended questions to be asked of the personnel
Observation of the relevant procedures performed by the personnel
Inspection of relevant supporting documents etc. for the control to be
performed.
Reperformance if necessary
NOTE: While testing the design of the AAC, the auditor should understand
whether the logic of the control has been clearly defined in the system. The
auditor will have to check the configuration in the system and understand
whether it satisfies the control objective.
Review of Design and Operating Effectiveness
Evaluation of Design Walkthrough
Start
1. Raise CAPEX
2. Approve CAPEX
3. Place Order for purchase of Fixed Assets
4. Receive Fixed Asset along with installation certificate
5. Create Fixed Asset entry in ERP
6. Make Payment
7. Initiate Depreciation run
8. Retire or sell Fixed Asset
Review of Design Effectiveness
Control:
The system automatically calculates the depreciation as per the rates defined in the system.

Walkthrough Procedure:
1. From the Asset Register select one asset that was created during the year.
2. Note the Depreciation percentage as given for the asset from the Asset register.
3. For that asset reperform the calculation of depreciation.
4. Reconcile the depreciation amount with the amount automatically calculated by the system.

Results:
Obtained the Fixed Assets Register and picked up one asset no. 000000005 – Chairs.
Noted that the purchase date of the asset was 31st July 2013.
Noted from the configuration that the
Cost = 12866.11
Less: Salvage = 643.31
Cost = 12222.80
Useful life = 60 months
Depreciation = 12222.80/60 = 203.71.
Please refer to screenshot DEPN 2
Depreciation for 1 day = 203.71/31 = 6.57.
Please refer to screenshot DEPN 2
Thus total depreciation for 2013-14 = 203.71*8 = 1629.68
Depn for 31st July = 6.58
Total Depreciation 2013 = 1636.26
Please refer screenshot DEPN2

Exceptions Y/N: No exceptions
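Steps 3 and 4 of the walkthrough (reperform, then reconcile) can be scripted so the same check runs over every asset in the register rather than one. The sketch below is an added example, not part of the course material: the proration convention (acquisition month charged per day held, later months in full), the 0.05 rounding tolerance, the function names and the second register row are assumptions; the first row uses the figures quoted for asset 000000005.

```python
import calendar
from datetime import date
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")


def first_year_depreciation(cost, salvage, life_months, acquired, fy_end):
    """Straight-line charge from the acquisition date to fy_end (inclusive).

    Assumed convention, following the walkthrough: the acquisition month is
    charged per day held, every later month in full, each rounded to 0.01.
    """
    monthly = ((cost - salvage) / life_months).quantize(CENT, ROUND_HALF_UP)
    days_in_month = calendar.monthrange(acquired.year, acquired.month)[1]
    days_held = days_in_month - acquired.day + 1
    part_month = (monthly * days_held / days_in_month).quantize(CENT, ROUND_HALF_UP)
    full_months = (fy_end.year - acquired.year) * 12 + fy_end.month - acquired.month
    return part_month + monthly * full_months


def reconcile(register, fy_end, tolerance=Decimal("0.05")):
    """Return (asset_no, reperformed, system) where the system figure differs
    from the reperformed one by more than the assumed rounding tolerance."""
    exceptions = []
    for a in register:
        expected = first_year_depreciation(
            a["cost"], a["salvage"], a["life_months"], a["acquired"], fy_end)
        if abs(expected - a["system_depn"]) > tolerance:
            exceptions.append((a["asset_no"], expected, a["system_depn"]))
    return exceptions


# Row 1: figures from the walkthrough above. Row 2: constructed to show an
# exception (system value understated).
REGISTER = [
    {"asset_no": "000000005", "cost": Decimal("12866.11"), "salvage": Decimal("643.31"),
     "life_months": 60, "acquired": date(2013, 7, 31), "system_depn": Decimal("1636.26")},
    {"asset_no": "CONSTRUCTED-01", "cost": Decimal("60000.00"), "salvage": Decimal("0"),
     "life_months": 120, "acquired": date(2013, 4, 1), "system_depn": Decimal("5000.00")},
]

if __name__ == "__main__":
    for row in reconcile(REGISTER, date(2014, 3, 31)):
        print(row)
```

Assets acquired outside the financial year or already fully depreciated are out of scope for this sketch and would need their own handling.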
Review of Design Effectiveness
Note: For example, if the Revenue process is different for
Export and Domestic sales
Cash and Credit sales
separate transactions are to be taken for a walkthrough of
each scenario. This applies to all in-scope business
processes.
Review of Operating Effectiveness
Note: Before testing the operating effectiveness of AAC, one key
element to consider is the effectiveness of GITC’s. AACs are configured
within the system after which the system will perform the control once it
is triggered. The auditor needs to determine whether the AACs are
operating as designed and whether the person operating the control has
the required ability and competence to do it.
Review of Operating Effectiveness
Note: The steps mentioned in the Walkthrough procedure may be used
for testing the AACs. During the walkthrough procedure, the
configurations are checked. To add/modify/delete any of the
configurations, the company will have to follow the Change Management
Procedure. Only persons authorized as per Company policy can make
changes to the configurations. These 2 areas fall under the Change
Management and Sensitive Access and Segregation of Duties domains of
GITC.
Timing of AAC’s testing and Sample Sizes
The factors to be considered to determine the timing to test AAC’s are
o The period covered under audit
o Risk associated with the control at the time of risk assessment.
The assumptions before testing the AAC’s are
o GITCs are effective. This is because they assist in effective functioning of application controls including AACs
o Design of the control has been evaluated and is effective.
Note: As per the requirements of Internal Financial Controls, the
controls need to be operating as on the Balance Sheet date.
Types of deficiencies
Design Deficiency
A deficiency in a Control will not allow the management to perform their assigned functions. This deficiency may not prevent or detect misstatements. Such deficiencies are called Design Deficiencies.
Deficiency in Operating Effectiveness
A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively.
The Company has implemented an automatic approval of all Purchase Orders. The Company has a
PO approval matrix and this hierarchy has been configured in the system. However, the auditor
may have found out that the company has bypassed this control and placed orders based on
blanket approval of Purchase orders or no approval. Thus the auditor should:
o Obtain the complete list of all Purchase orders from the system
o Using CAATs, identify all POs approved as per the Approval Matrix document
o From the list extracted by the CAATs tool, identify all the POs that have a blank in the
“Approved by” field or are approved by persons other than those in the Approval matrix
o Seek an explanation from the client for the reasons why the approval
matrix was bypassed
o Perform other substantive procedures to obtain comfort on the
Purchase amount appearing in the financial statement
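The first three steps of this procedure, written as a small CAAT, are shown below as an added example that is not part of the course material. The approval matrix, user IDs, column names and PO rows are all constructed; the per-approver value limit goes one step beyond the text, which only asks for blank or non-matrix approvers, on the assumption that the configured hierarchy carries amount thresholds.

```python
import csv
import io
from decimal import Decimal

# Constructed approval matrix (assumption): approver user ID -> highest PO
# value that approver may sign off; None means no upper limit.
APPROVAL_MATRIX = {
    "PEXEC01": Decimal("100000"),
    "FINMGR01": Decimal("1000000"),
    "CFO01": None,
}

# Constructed PO extract standing in for the full system download.
PO_EXTRACT = """po_no,amount,approved_by
4500000001,75000.00,PEXEC01
4500000002,250000.00,PEXEC01
4500000003,40000.00,
4500000004,900000.00,FINMGR01
4500000005,15000.00,DEO07
4500000006,5000000.00,CFO01
"""


def load_pos(po_csv):
    """Parse the extract; amounts become Decimal, approver IDs are normalised."""
    rows = []
    for r in csv.DictReader(io.StringIO(po_csv)):
        rows.append((r["po_no"], Decimal(r["amount"]), r["approved_by"].strip().upper()))
    return rows


def control_totals(pos):
    """Record count and value, to agree the extract back to the system report."""
    return len(pos), sum(amount for _, amount, _ in pos)


def approval_exceptions(pos, matrix):
    """Return (po_no, reason) for every PO that bypassed the approval matrix."""
    found = []
    for po_no, amount, approver in pos:
        if not approver:
            found.append((po_no, "BLANK_APPROVER"))
        elif approver not in matrix:
            found.append((po_no, "APPROVER_NOT_IN_MATRIX"))
        elif matrix[approver] is not None and amount > matrix[approver]:
            found.append((po_no, "ABOVE_APPROVER_LIMIT"))
    return found


if __name__ == "__main__":
    pos = load_pos(PO_EXTRACT)
    print(control_totals(pos))
    for po_no, reason in approval_exceptions(pos, APPROVAL_MATRIX):
        print(po_no, reason)
```

The control totals give the completeness check for the first step; the exception list is what goes to the client for explanation.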
Communication of deficiencies
SA 265 - “Communicating Deficiencies in Internal Control to Those Charged
with Governance and Management” makes it necessary for the auditor to
communicate control deficiencies to the Management.
Must give in writing
Whether present in prior periods of audit
NOTE: Refer Guidance on Internal Financial Controls over Financial Reporting
The auditor has identified a design deficiency in a control. Prior to the
Balance sheet date, the company has rectified the design of the control. The
auditor may test the implemented change for design and operating
effectiveness.
Assess the impact of deficiencies
To develop a response to risk of material misstatement as given in SA 240 “The
Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements”.
o Reasons for deficiency
o Determine Compensating controls/mitigating factors if any
o Additional testing may be required
o Communication with TCWG/Report
Summary
What are Automated Application Controls
Types of Automated Application Controls
Various Business Cycles, Obtain Process
Understanding and Identification of Controls
Procedures for review of Design Effectiveness and
Operating Effectiveness of Application Controls
When to test Automated Application Controls
Sample Sizes
Impact of deficiencies in Automated Application
Controls