Digital Audit Notes

Uploaded by

Kartikay Bajaj
Chapter 12 Digital Auditing And Assurance Page No. - 12.

Digital Audit

Auditing Digitally
What is a Digital Audit? Using advancements in technology for conducting an effective and efficient audit.
❑ Placing assurance on the effectiveness of the IT systems implemented in an org.
❑ The org. reviews its technology-related controls to identify gaps and risks for continuous improvement and to ensure regulatory compliance.

Key Features of Digital Audit
1. Improves the quality of opinion, leading to a more reliable audit report.
2. Leads to savings in time, cost & human effort. Operates autonomously 24x7, driving real-time transactions.
3. Allows processes to be standardized & allows controls to be implemented to mitigate risk.
4. Helps create the future for a digital strategy & paves the way for adopting new technologies such as AI.
5. Helps the auditee to make informed decisions.

Advantages of Digital Audit
1. Better Audit Quality: Evaluate massive volumes of data quickly.
2. Better Analytics: Aid mgt. and auditors in seeing trends and patterns that may be challenging to spot manually.
3. Lower Costs: By automating processes that were previously done manually.
4. Enhanced Effectiveness & Efficiency: Use of tools and automation techniques standardizes the processes, and routine tasks can be automated.
5. Improved Risk Assessment: Creating a no. of automations to assist with the audit process and streamlined testing improves the risk assessment procedure.

Consideration and Challenges of Digital Audit
Considerations that an org. should keep in mind while using digital techniques & automation:
1. Know what business benefits the org. wants to achieve with automation.
2. Think people first and don't underestimate that change is difficult.
3. Target the right processes – this is a key for successful automation.
4. Automation is not a stand-alone solution and should be part of a broader digitalization strategy.
5. Automation introduces new challenges for the organization. Don't forget about governance and data security in the risk framework.
Note: Stages involved in Digital audit: Understand – Identify – Assess.

Key Features or Advantages of Auditing Digitally (MT HEART) Q4
1. Decreasing human dependency: Minimizing manual intervention results in reducing the risk of manual errors.
2. Improved Efficiency: What used to take weeks to learn and programme using deep experts is now easily available to auditors after some simple training and digital upskilling.
3. Automation and Ease: Automating tasks has improved the quality of audit and reduced manual error.
4. Better risk assessment: Focus on the bigger picture rather than being involved with repetitive tasks.
5. Increases Transparency: New ERPs & tools have an audit trail feature available to trace transactions end to end.
6. Improved Quality of Audits: Through automation and data analytics techniques we can easily move from sample auditing to the full population of transactions being reviewed or re-performed.

Considerations in Auditing Digitally Q4
A few questions it is important to ask and answer – at all stages of the tech journey:
What problems are you trying to solve?
❑ Continuously evaluate the emerging technologies and latest tools to see what can benefit the audit.
Which technology can help you?
❑ No. of tools available.
❑ Consider how comfortably these solutions will integrate into your current processes.
How will you upskill your people to make best use of the technology available?
❑ Training & development to ensure teams understand how and why they are using the technology.
❑ Reluctance to change is obvious; continuous training helps them to get better.
Range of automated solutions
❑ There is a range of automation solutions, which helps to standardize the repeatable tasks and optimize the efforts.

Understand IT Envt. (SA 315)
Auditor's understanding of the automated envt. should include:
1. Organization structure & governance.
2. Policies, procedures & processes followed.
3. Applications that are being used by the company.
4. Details of IT infrastructure components for each application.
5. Extent of IT integration, use of service organizations.
6. IT risks and controls.

Key considerations/Areas for an Auditor to Understand the IT Environment Q5
1. Understand the flow of transactions
Focus on identifying and understanding the nature and no. of the specific IT applications that are relevant to the flows of transactions and processing of information in the IS.
2. Identification of Significant Systems
Identify IT applications and supporting IT infrastructure concurrently with the auditor's understanding of how information flows into the entity's information system.
3. Identification of Manual and Automated Controls
An entity's system of internal control contains manual elements and automated elements which are relevant to the auditor's identification and assessment of the ROMM.
4. Identification of the technologies used
Need to understand the emerging technologies implemented and consider whether there are risks arising from their use. Examples of emerging technologies are: AI, drone, blockchain.
5. Assessing the complexity of the IT environment
Not all applications of the IT environment have the same level of complexity.

Identifying the risk arising from the use of IT
Risks arising from use of IT:
1. Unauthorized access to data that may result in destruction of data or improper changes to data.
2. Unauthorized changes to data in master files.
3. Unauthorized changes to IT applications or other aspects of the IT environment.
4. Inappropriate manual intervention.
5. Data loss or data corruption.

Types of IT dependencies Q6
Automated Controls – Automated controls are designed into the IT environment to enforce business rules. For example, existence checks (e.g., a duplicate customer number cannot exist).
Calculations – Calculations are accounting procedures that are performed by an IT system instead of a person. For ex, the system will calculate the value of the amount invoiced by multiplying price & qty.
Reports – System generated reports are information generated by IT systems. E.g., vendor master report, customer ageing report.
Telegram – CA _Rakesh_AuditClasses CA Rakesh Sarediya # Keep Going


Types of IT dependencies (contd.)
Security – Security, including segregation of duties (SOD), is enabled to restrict access to info. and to determine the separation of roles and responsibilities.
Interfaces – Interfaces are programmed logic that transfer data from one IT system to another. For example, an interface may be programmed to transfer data from a payroll sub-ledger to the general ledger.

Assessing Cyber Risks (including remote audit) Q7
What is Cyber Risk?
A cyber-attack is an attempt to gain unauthorized access to a computing system or network with the intent to cause damage, steal, expose, alter, disable, or destroy data.

Most common types of cyber-attacks are:

Malware: Malware or malicious software is any program or code that is created with intent to do harm to a computer, network or server.
Type – Description
Ransomware – In a ransomware attack, an adversary encrypts a victim's data and offers to provide a decryption key in exchange for a payment.
Fileless Malware – Uses native, legitimate tools built into a system to execute a cyber-attack.
Trojan – A Trojan is malware that appears to be legitimate software, disguised as native operating system programs or harmless files like free downloads.
Mobile Malware – Type of malware designed to target mobile devices. MM is delivered through malicious downloads, phishing, smishing, and the use of unsecured Wi-Fi.

Denial-of-Service (DoS) Attacks:
• A DoS attack is a malicious, targeted attack that floods a network with false requests in order to disrupt business operations.
• In a DoS attack, users are unable to perform routine and necessary tasks, such as accessing email, websites, online accounts or other resources.

DNS Tunneling: DNS Tunneling is a type of cyberattack that leverages domain name system (DNS) queries & responses to bypass traditional security measures and transmit data and code within the network.

Phishing: Phishing is a type of cyberattack that uses email, SMS, phone, social media, and social engineering techniques to entice a victim to share sensitive info. – such as passwords or account numbers – or to download a malicious file that will install viruses on their computer or phone.
Type – Description
Spear Phishing – An attack that targets specific individuals or organizations, typically through malicious emails. Goal: steal sensitive information or infect the targets' device.
Whaling – A whaling attack is a type of social engineering attack specifically targeting senior or C-level executive employees with the purpose of stealing money or info.
Smishing – Sending text messages purporting to be from reputable companies in order to induce individuals to reveal personal info.
Vishing – A voice phishing attack is the fraudulent use of phone calls and voice messages pretending to be from a reputable organization to convince individuals to reveal private info.

Spoofing: Spoofing is a technique through which a cybercriminal disguises themselves as a known or trusted source. In so doing, the adversary is able to engage with the target and access their systems or devices with the ultimate goal of stealing information, extorting money or installing malware or other harmful software on the device.
Type – Description
Domain Spoofing – Domain spoofing is a form of phishing where an attacker impersonates a known business or person with a fake website or email domain to fool people into trusting them.
Email Spoofing – Email spoofing is a type of cyberattack that targets businesses by using emails with forged sender addresses.

Identity-Based Attacks: When a valid user's credentials have been compromised and an adversary pretends to be that user. For e.g., people often use the same user ID and password across multiple accounts. Therefore, possessing the credentials for one account may grant access to other, unrelated accounts.

Insider Threats: Current or former employees that pose a danger to an organization because they have direct access to the company network, sensitive data, and intellectual property (IP) that would help carry out such an attack.

IoT-Based Attacks: An IoT attack is any cyberattack that targets an Internet of Things (IoT) device or network. Once compromised, the hacker can assume control of the device, steal data, or join a group of infected devices.

3 Stages of Cyber Risks
Stage 1 - Assessing the cyber risk:
No organization is completely immune to a cyber risk. Every organization should consider at least the common threats –
• Ransomware disabling their organization
• Common criminals using email phishing and hacks for fraud and theft.
• Insiders committing malicious activities or accidental activities
Stage 2 - Impact of cyber risk:
A cyber-attack can impact one, two or more types of risks. The impact of the attack would vary from organization to organization and, most importantly, from attack to attack.
Some of the indicative areas can be –
• Regulatory costs
• Ransomware - where entire systems are encrypted
• Data loss, reputational loss and litigation
• Fines and penalties
• Breach of Privacy: if personal data of a consumer is hacked it could have a significant impact on the organization.
Stage 3 - Managing the cyber risk:
A strategic approach to cyber risk management can help an organization to:
• Gain a holistic understanding of the cyber risks and threats facing their organization and other financial institutions
• Assess the existing IT and cybersecurity program and capabilities against the relevant regulatory requirements
• Align cybersecurity and IT transformation initiatives with strategic objectives and critical risks
• Understand accepted risks & documented compensating controls


Cyber Security Framework Q8
A cybersecurity framework includes how management is identifying the risk, protecting and safeguarding its assets from the risk.
Identify the risk:
1. Conduct a periodic risk assessment & develop a management strategy.
2. Asset Mgt. (e.g., intellectual property, patents).
Protect the risk:
1. Monitor whether there has been unauthorized access to electronic assets.
2. Formal training should be conducted.
3. Implement effective controls for data security.
Detect the risk:
The entity should have controls and procedures that enable it to identify cybersecurity risks and incidents and to assess & analyse their impact.
Respond to the risk:
1. The entity should have response planning in place to capture the details of the nature of the incident, communicated to TCWG.
2. Management should assess litigation costs, regulatory investigation costs and remediation costs.
3. Assess future action plans.
Recover from risk:
1. Once the impact is evaluated, the recovery plan needs to be implemented.
2. Necessary improvements – like patch upgrades, better controls.

Control considerations for Cyber Risks
(I) Controls around vendor setup and modifications:
(a) Who is responsible for making changes to vendor master data?
(b) Are other communication channels, such as email, used to request changes to vendor master data? (If yes, consider if multi-factor authentication is enabled for email).
(c) What systems and technologies are used to initiate, authorize and process requests related to changes to vendor master data?
(d) Are authentication protocols defined to verify modifications to vendor master data?
(II) Controls around electronic transfer of funds:
(a) Are personnel responsible for wire transfers educated on the relevant threats and info. related to common associated phishing scams?
(b) Are authentication protocols defined to verify wire transfer requests?
(c) What systems and technologies are used to facilitate the request/initiation, authorization and release of wire transfers?
(III) Controls around patch management:
(a) Does the entity have a patch management program?
(b) Does the entity run periodic vulnerability scans to identify missing/unapplied patches?
(c) How is the entity notified of patches by external vendors (e.g., Microsoft for Windows patches)?

Remote Audit
A remote audit/virtual audit is when the auditor uses online or electronic means to conduct the audit. It could be partially or completely virtual.
Considerations for remote audit
Feasibility and Planning
• Planning should involve agreeing on audit timelines, the meeting platform (Zoom calls) to be used for audit sessions, and data exchange.
• Ensuring feasibility is determining what technology may be used.
• Execution phases involve video/tele conferencing with auditees.
• Documentation for audit evidence should be transferred through a document sharing platform.
Confidentiality, Security and Data Protection
• Access to the document sharing platform should be sufficiently restricted and secured by encrypting the data to ensure data security and confidentiality.
• Info., once reviewed & documented by the auditor, is removed from the platform & stored according to applicable archiving standards.
• Take into consideration legislation and regulations.
• Auditors should not take screenshots of auditees as audit evidence; these should be previously authorized.
• Use a VPN (Virtual private network). A VPN is a service which creates a safe and encrypted online connection.
Risk assessment
• Assessment of whether a remote audit would be sufficient to achieve the audit objectives.

Advantages and Disadvantages of remote audit Q9
Advantages:
• Cost and time effective: no travel time and travel costs involved.
• Comfort and flexibility to the audit team as they would be working from the home environment.
• The auditor can get first-hand evidence directly from the IT system.
• Widens the selection of auditors from a global network of experts.
Disadvantages:
• Due to network issues, interviews and meetings can be interrupted.
• Limited or no ability to visualize the facility culture of the organization and the body language of the auditees. Time zone issues could also affect the efficiency.
• Remote access to sensitive IT systems may not be allowed.
• Cultural challenges for the auditor. Audit procedures like physical verification of assets and stock taking cannot be performed.

Emerging Technologies in Audit
Data Analytic Techniques Q10
• Generating and preparing meaningful information from raw system data using processes, tools, and techniques is known as Data Analytics.
• It involves analysing large sets of data to find trends, draw conclusions and support informed decision making.
• Enables greater efficiencies and more accurate findings.
The data analytics methods used in an audit are known as Computer Assisted Auditing Techniques or CAATs.
Some of the popular tools used across the industry as part of CAATs are listed below:
1. ACL – Audit Command Language (ACL) Analytics is data extraction and analysis software used for fraud detection and prevention, and risk management. It samples large data sets to find irregularities or patterns in transactions that could indicate control weaknesses or fraud.
2. Alteryx –
• Alteryx is used to consolidate financial or operational data to assess controls.
• A fully transparent audit trail of every action performed in Alteryx is kept in the form of a workflow, which makes it easier for the user to learn as no prior knowledge of coding or scripting is required.
• Can be leveraged to automate analytics and perform Machine Learning to search for patterns indicative of fraud or irregularities.
• It can also be used to automate set procedures that are performed periodically like reconciliations, consolidations, marketing workflows, system integrations, continuous audits etc.
3. Power BI –
• Power BI is a business intelligence (BI) platform that provides nontechnical business users with tools for aggregating, analyzing, visualizing and sharing data.
• From an audit perspective, such visualization tools can be used to find the outliers in the population.
• It can also be used for reporting purposes (audit reports) in an interactive dashboard to higher management.
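Worked example, added here and not part of the original notes: a small CAAT-style script that re-performs, over the full population rather than a sample, the IT dependencies listed under Q6 (existence check on customer numbers, price × qty calculation, SOD on vendor master changes from control consideration (I), and the payroll sub-ledger to GL interface). All records, names and function names are constructed for illustration.

```python
"""CAAT-style full-population tests over constructed sample data.

Added example, not from the original notes. Each function re-performs one
IT dependency the notes describe and returns the exceptions it finds, the
way an auditor would report them rather than rely on the system's own output.
All records and names below are constructed for illustration.
"""
from collections import Counter, defaultdict
from decimal import Decimal

# Constructed customer master. Customer number 1002 appears twice, which the
# automated existence check in the application should have prevented.
CUSTOMERS = [
    {"cust_no": "1001", "name": "Alpha Traders"},
    {"cust_no": "1002", "name": "Beta Mills"},
    {"cust_no": "1002", "name": "Beta Mills Ltd"},
    {"cust_no": "1003", "name": "Gamma Foods"},
]

# Constructed sales invoices. INV-3 carries a wrong system-calculated amount.
INVOICES = [
    {"inv": "INV-1", "price": "10.00", "qty": 3, "amount": "30.00"},
    {"inv": "INV-2", "price": "25.50", "qty": 2, "amount": "51.00"},
    {"inv": "INV-3", "price": "7.25", "qty": 4, "amount": "28.00"},
]

# Constructed vendor master change log. SOD requires requester != approver,
# and every change to sensitive fields must carry an approval.
VENDOR_CHANGES = [
    {"id": "VC-1", "field": "bank_acct", "requested_by": "asha", "approved_by": "ravi"},
    {"id": "VC-2", "field": "bank_acct", "requested_by": "ravi", "approved_by": "ravi"},
    {"id": "VC-3", "field": "address", "requested_by": "meena", "approved_by": None},
]

# Constructed interface data: (period, GL account, amount) as posted in the
# payroll sub-ledger and as the interface posted them to the general ledger.
PAYROLL_SUBLEDGER = [("2024-03", "5100", "120000.00"), ("2024-03", "5100", "4500.00")]
GL_POSTINGS = [("2024-03", "5100", "124000.00")]


def duplicate_customer_numbers(customers):
    """Existence check: customer numbers that occur more than once."""
    counts = Counter(c["cust_no"] for c in customers)
    return sorted(n for n, k in counts.items() if k > 1)


def invoice_recalculation_exceptions(invoices):
    """Calculation re-performance: (invoice, expected, recorded) mismatches."""
    exceptions = []
    for inv in invoices:
        expected = Decimal(inv["price"]) * inv["qty"]
        if expected != Decimal(inv["amount"]):
            exceptions.append((inv["inv"], str(expected), inv["amount"]))
    return exceptions


def sod_exceptions(changes):
    """Security/SOD: self-approved or unapproved vendor master changes."""
    exceptions = []
    for ch in changes:
        if ch["approved_by"] is None:
            exceptions.append((ch["id"], "no approval recorded"))
        elif ch["approved_by"] == ch["requested_by"]:
            exceptions.append((ch["id"], "requester approved own change"))
    return exceptions


def interface_reconciliation(subledger, gl):
    """Interface check: sub-ledger vs GL totals per (period, account)."""
    totals = defaultdict(lambda: [Decimal("0"), Decimal("0")])
    for period, acct, amt in subledger:
        totals[(period, acct)][0] += Decimal(amt)
    for period, acct, amt in gl:
        totals[(period, acct)][1] += Decimal(amt)
    return [(p, a, str(s), str(g), str(s - g))
            for (p, a), (s, g) in sorted(totals.items()) if s != g]


def run_caat():
    """Run all four full-population tests and return the exception report."""
    return {
        "duplicate_customers": duplicate_customer_numbers(CUSTOMERS),
        "calculation": invoice_recalculation_exceptions(INVOICES),
        "sod": sod_exceptions(VENDOR_CHANGES),
        "interface": interface_reconciliation(PAYROLL_SUBLEDGER, GL_POSTINGS),
    }


if __name__ == "__main__":
    for test, findings in run_caat().items():
        print(test, findings or "no exceptions")
```

Every exception the script returns is a case the relevant automated control, calculation, SOD rule or interface should have prevented, so each one points the auditor at a specific control to investigate.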



4. CaseWare –
• CaseWare is data analysis software & provides tools that help in conducting audit and assurance engagements quickly, accurately and consistently.
• It shares analytical insights which help in taking better informed decisions.
• It helps in streamlining processes & eliminating routine tasks.

Automated Tools in Audit Q11
(1) Internet of Things
• IoT is the concept of connecting any device (cell phones, coffee makers, washing machines, and so on) to the internet.
• Key components of IoT are data collection, analytics, connectivity, and people and process.
• IoT not only changes the business model, but also affects the strategic objectives of the organization.
• The risk profile of the entity changes with exposure to new laws and regulations.
Audit Implications
• A shift to connected devices and systems may result in auditors not being able to rely only on manual controls. Instead, auditors may need to scope new systems into their audit.
• Audit firms may need to train and upskill auditors to evaluate the design and operating effectiveness of automated controls.
Common risks of IoT
Device hijacking, data siphoning, data breaches and device theft.

(2) AI (Artificial intelligence)
• AI refers to a system or a machine that can think and learn.
• AI systems utilize data analysis and algorithms to make decisions based on predictive methods.
Ex: Self-driving cars, marketing chatbots, virtual travel booking agent, Alexa to turn off the lights.
Audit Implications
• Audits must focus on the logical flow of processes.
• Ascertain whether unintended bias has been added to the algorithms.
• Assess the effectiveness of algorithms and whether their output is appropriately reviewed and approved.
• Consider whether the AI is making decisions.
Common risks for AI
Security + Inappropriate configuration + Data Privacy

(3) Blockchain
• Blockchain is based on a decentralized and distributed ledger that is secured through encryption.
• Each transaction is validated by the blockchain participants, creating a block of information that is replicated and distributed to all participants.
• All blocks are sequenced so that any modification or deletion of a block disqualifies the information.
Ex: Bitcoin, cryptocurrency transfer application - Blockchain money transfer, blockchain smart contracts.
Audit Implications
• Auditors should consider the appropriate governance and security of transactions.
• Although blockchain's core security premise rests on cryptography, there are risk factors associated with it.
• Concerns related to data confidentiality and privacy cannot be ignored.
• Determine whether the data put on the blockchain will expose the enterprise to liability for noncompliance with applicable L&R.
Common risks for blockchain technology
• Strengths of blockchain can also be its weaknesses.
• Inability to reverse transactions and to access data without the required keys makes the system secure, but also means that organisations need specific protocols and management processes to ensure that they are not locked out & have clear contingency plans.
• Operating through network nodes could also expose the organisation to cyber-attacks and data hacks.
• Auditors should ensure that the organisation has the necessary data management processes and complies with regulations.

(3.1) NFT (Non-Fungible Token)
• NFT means something is unique and cannot be replaced.
• Unlike physical money and cryptocurrencies, which are fungible (meaning they can be traded or exchanged for one another), NFTs are non-fungible tokens.
• NFTs contain the digital signatures which make them unique.
• NFTs are digital assets, e.g., photos, videos, artwork, etc.
• NFTs are tokens used to represent ownership of unique items.
• NFTs allow their creators to tokenize things like art, collectibles, or even real estate.
• Secured by the blockchain and can only have one official owner at a time. No one can change the record of ownership or copy/paste a new NFT into existence.
Key Features of NFT
• Digital Asset
• Unique - It cannot be forged or otherwise manipulated.
• Exchange - NFT exchanges take place with cryptocurrencies such as Bitcoin on specialist sites.
Challenges of NFT
• Challenges like ownership & copyright concerns, security risks, the market not being that wide, online frauds etc.
• NFT audit considerations include comprehensive code review for verifying the safety of a token, a valid contract, data privacy and potential cyber threats.

(4) Robotic Process Automation
• RPA is the automation of repetitive processes performed by users.
• It is a software technology that emulates humans' actions interacting with digital systems and software.
• RPA software bots can interact with any application or system the same way people do, except that RPA bots can operate around the clock, nonstop, much faster.
Audit Implications
• It is important for auditors to understand RPA processes, which include data extraction, aggregation, sanitization and cleansing. Unless auditors understand these processes, they will not be in a position to initiate an audit.
• To perform substantive testing, auditors must have an understanding of the tools used to develop and maintain RPA.
Common Risks of RPA
Operational and execution risks – Robots are deployed without a proper operating model. Assigning proper responsibilities and training can help reduce operational risk.
Change management risks – Not following the change management implementation lifecycle, and improper and incomplete testing, leads to inaccurate results.
RPA Strategy Risk – Setting wrong expectations, improper KPIs, and unrealistic business goals creates an environment of uncertainty.


Control Considerations or Objectives of Auditing Digitally Q12
As they address the challenge of assessing technology risk, auditors can and should focus on the following control considerations:
1. Gain a holistic understanding of changes in the industry and the info. technology environment to evaluate management's process for initiating, processing, and recording transactions and then design appropriate auditing procedures.
2. Consider risks resulting from the implementation of new technologies and how those risks may differ from those that arise from more traditional, legacy systems.
3. Consider whether digital upskilling or specialists are necessary to determine the impact of new technologies and to assist in the risk assessment and understanding of the design, implementation, and operating effectiveness of controls.

Some examples of technology risks where auditors should test the appropriate controls for relying on the digital systems –
• Inappropriate manual intervention
• Unauthorized changes to systems or programs
• Unauthorized or erroneous changes to data in master files
• Potential loss of data or inability to access data as required
• Cybersecurity risks

Key Steps for Auditors in a Changing Technology Environment
1. Maintain sufficient professional scepticism when reviewing management's risk assessment for new systems.
2. Understand the direct and indirect effects of new technology.
3. Understand how technologies impact the flow of transactions, assess the completeness of the in-scope ICFR systems, and design a sufficient and appropriate audit response.
4. Assess the appropriateness of management's processes to select, develop, operate, and maintain controls.

Next Generation Audit Q13
Examples of Next Generation Audit
Drone Technology:
• Using drone technology in remote locations for stock counts.
• Drones have great payload capacity for carrying sensors and cameras, thus they can photograph and physically examine the count of large quantities of fixed assets and inventory.
Augmented reality:
• The technology allows users to view the real-world environment with augmented (added) elements, generated by digital devices.
• One famous example was Pokémon Go.
Virtual reality:
VR goes a step further and replaces the real world entirely with a simulated environment, created through digitally generated images, sounds, and even touch and smell. Using special equipment, such as a custom headset, the user can explore simulated experiences such as flying or skydiving.
Metaverse:
The metaverse is the emerging 3-D digital space that uses virtual reality, augmented reality, and other advanced internet technology to allow people to have lifelike personal and business experiences online. It represents a convergence of digital technology to combine and extend the reach and use of Cryptocurrency, Artificial Intelligence (AI), Augmented Reality (AR) and Virtual Reality (VR).
Some considerations for the future –
• Beyond cryptocurrencies, coins, and exchanges, players in the Metaverse will need to consider how to build digital monetary systems and apply economic principles to things like digital land.
• Governance models will find it ever more difficult to balance openness and user contribution.
• Identity in the digital world has historically been different based on the platform utilized (e.g., KYC).
• Synchronicity is the ability for aspects of the Metaverse to be multiplayer, simultaneous, and real-time.

Case scenarios to illustrate the potential application of the metaverse in the financial domain
❑ Virtual Banking and Transactions: Users can create virtual bank accounts, access personalized financial dashboards, and perform transactions using virtual currencies.
❑ Digital Asset Management: A virtual asset trading platform within the metaverse, allowing users to buy, sell, and trade NFTs and other digital assets.
❑ Virtual Financial Education and Training: Create a virtual classroom environment where participants can attend interactive financial education sessions.
❑ Virtual Meetings and Conferences: Participants from around the world can access the conference through their virtual avatars.
❑ Data Visualization and Analytics: A virtual analytics platform allows users to visualize complex financial data in interactive and immersive 3D environments.
Common Risks associated
• Public safety, cybersecurity, data privacy, data protection, lack of standards and technical challenges.
• It also raises questions about taxation, jurisdiction, and customer protection.
• Regulators and auditors have to think of the controls around privacy, data security, and governance to make it more regulated.