Automated Controls and Audit Trail

CA Amrita Chattopadhyaypro badge , Last updated: 07 April 2023  
  Share


Finance & Accounting field has seen a shift change in the last two decades. From basic manual-driven cars to cruise controls, and thereafter autonomous cruise control systems … the journey is towards driver-less cars! Today, in a middle to large organizations, huge transactions are processed in a couple of minutes. These transactions may not be related to one region or one time period. As a resultant, most of the organizations have moved from manual books of records to computer-based records with built-in controls to easily track human intervention at any stage, apart from facilitating the commonly known "four-eyes*" principle.

The fast-changing scenario has resulted in the introduction of "Automated controls."Automated controls are adopted by organizations to help them to combat various risks, to adopt a proactive approach much before they are materializing or reduce the point of impact. Automated controls ensure higher security and safety to the management and the third parties involved. In addition, companies are under added pressure as regulators, rating agencies and stock exchanges drive improved standards of risk management at an enterprise level, with special emphasis on good corporate governance.

Automated Controls and Audit Trail

Definition

Automated controls can be defined as a mechanism or device inside an application, interface or appliances that enforces a set-rule or validation of one or more conditions inside a process.

Few simple examples of automated controls could be to

  • Ensure that the entries could not be passed until they are validated by higher authority to ensure that "Four eyes" principal is adhered. This gives the assurance that the entries are checked by two different individuals. OR
  • A drop-down list of vendors for payment to be made to ensure that transactions are carried through authorized set of vendors.
  • Three ways matching where the ERP system automatically reconciles the purchase invoice to the underlying purchase order and good receipt to ensure that previous steps are adequately followed.

The prime objective of automated controls is:

  • Mitigating / Eliminating Frauds through enforced segregation of duties and ensuring adherence to a set of delegation of financial powers
  • Business Process Improvement through elimination of manual controls such as maker-checker for straight-through processes, thereby enhancing efficiency and reducing costs
  • Reduced Audit Costs using "one transaction" test per year for automated controls, thereby substantially reducing the costs and time related to audits based on relatively larger samples
  • Adherence to Regulatory Compliance requirements Information Security, and the likes, entailing testing of key controls through sampling techniques, which again can be reduced substantially through use of automated controls.

Introduction to Amendments to Rule 11(g) of Companies(Audit and Auditors) Rules, 2014

Section 143(3) of the Companies Act, 2013 provides various matters on which auditors are required to report in their auditor's report. Clause (j) of Section 143(3) states that auditor's report shall also state such other matters as may be prescribed.

Rule 11 of the Companies (Audit and Auditors) Rules, 2014 specifies such other matters that are to be reported by the auditor.

The Ministry of Corporate Affairs (MCA) vide its notification No. GSR 206(E) dated March 24, 2021 has issued the 'Companies (Audit and Auditors) Amendment Rules, 2021' (hereinafter referred as "the Audit Rules") read with sub-section 3 of Section 143 of the Companies Act, 2013 (hereinafter referred as "the Act") introducing new Rule 11(e), new Rule 11(f) and new Rule 11(g) and deleting Rule 11(d).

Rule 11(g) is reproduced below:

"Whether the company, in respect of financial years commencing on or after the 1st April, 2022, has used such accounting software for maintaining its books of account which has a feature of recording audit trail (edit log) facility and the same has been operated throughout the year for all transactions recorded in the software and the audit trail feature has not been tampered with and the audit trail has been preserved by the company as per the statutory requirements for record retention."

Above requirement entails the auditor to have additional audit procedures and reliance on the internal controls (specifically the IT controls and the reliance on the automated controls). Certain illustrative additional controls which the auditor must introduce a part of the regular audit program would be:

  • Controls to ensure that the audit trail feature has not been disabled or deactivated.
  • Controls to ensure that User IDs are assigned to each individual and that User IDs are not shared.
  • Controls to ensure that changes to the configurations of the audit trail are authorized and logs of such changes are maintained.
  • Controls to ensure that access to the audit trail (and backups) is disabled or restricted and access logs, whenever the audit trails have been accessed, are maintained.
  • Controls to ensure that periodic backups of the audit trails are taken and archived as per the statutory period specified under Section 128 of the Act.
 

Audit procedure would be reduced considerably and the audit reliance would be effective if the organization has adopted automated controls. Any changes in the audit trail configuration during the audit period would immediately report where the automated controls have been adopted.

If the back up of the audit trail and the changes to the configuration are automated, it gives assurance to the auditors and the auditor can rely on the exception report rather then checking the manual log for the back up and the changes made. The audit cost and the man-hour spent in the audit would also reduce considerably with the introduction of the automated controls and enable the auditor to focus on more qualitative aspects of the audit.

It becomes imperative for the auditor to guide the organizations not only in the financial aspects but also on the control aspects and encourage them to shift from manual to automated control environment.

 

Source:

  1. Implementation guide on Reporting under Rule 11 (g) of Companies (Audit and Auditors) Rules, 2014
  2. 'https://www.diligent.com/insights/grc/automating-internal-controls'
Join CCI Pro

Published by

CA Amrita Chattopadhyay
(Audit & Assurance)
Category Audit   Report

1 Likes   7685 Views

Comments


Related Articles


Loading