Digital Transactions Vs Audit EY


Digital transaction versus Audit
Profesi Keuangan Expo 2022
IAMI
14 October 2022

Auditing Digital Enterprise

Page 2 13 October 2022 Presentation title


Changes in Today’s Enterprise

• Business and business processes are going digital
• Blurring of distinction between business process and technology
• Separation of IT and business process difficult
• Tech-savvy customers demanding digitization
• Business is real time
• Increased use of robotic process automation, AI, chatbots, machine learning, IoT
• Everything is digital

The Digital Enterprise:

• Increasing/high use of technology to deliver outputs
• Business processes driven/managed/operated by non-human entities
• Customers interact with the business through non-human points of contact
• Customer is not always ‘human’
• Digital metabolism
• Increased use of technology that is near autonomous or autonomous!

How Digital Transactions Affect Audit

Evolving aspects of the audits

• Auditors
    • Competency
    • Independence
• Audit process
    • Scoping (traditional scoping may not apply)
    • Evidence collection and retention
    • Usage of tools – IT Tools/Analytical Tools
• Auditee
    • Third-party/Service Organizations
    • Non-human auditees

[Diagram labels: Auditor, Scope of the Audit, Audit Process, Auditee]

How Digital Transactions Affect Audit

Digital transactions require the exchange of digital information to facilitate payments (example). This requires four specific procedures.

1. Identifying payment method
► Auditors will ask for a list of the types of payments your company accepts and the process maps for each payment vehicle. Examples of cashless payment methods include:
- Credit and debit cards,
- Mobile wallets
- Wire transfers, and
- Payments via intermediaries.
► Be prepared to provide documents detailing how the receipt of cashless payments works and how the funds end up in your company’s bank account.

2. Evaluating roles
► Auditors will request a list of employees involved in the receipt, recording, reporting and analysis of cashless transactions. They will also want to see how your company manages and monitors employee access to every technology platform connected to cashless payments.
► Evaluating who handles each aspect of the cashless payment cycle helps auditors confirm whether you have the appropriate level of security and segregation of duties to prevent fraud and misstatement.

3. Testing the reconciliation
► Auditors will review prior sales reconciliations to test their accuracy and ensure appropriate recognition of revenue. This may be especially challenging as companies implement the new accounting rules on revenue recognition for long-term contracts. Auditors also will test accounting entries related to such accounts as inventory, deferred revenue and accounts receivable.

4. Analyzing trends
► Cashless transactions create an electronic audit trail. So, there’s ample data for auditors to analyze. To uncover anomalies, auditors may, for example, analyze sales by payment vehicle, over different time periods and according to each employee’s sales activity.
► If your company has experienced payment fraud, it’s important to share that information with your audit team. Also tell them about steps you took to remediate the problem and recover losses.

How Digital Transactions Affect Audit

The effect of digital transactions on audit objectives

• Auditors have been auditing computerized information systems (IT systems) for many years and have adapted their approach to deal with risks relating to electronic data processing. But the use of the Internet, mobile applications, and other media to deliver services raises new issues for management and auditors.
• Electronic service delivery does not introduce new audit objectives, but it does introduce new risks (or changed levels of existing risks) and new forms of business records. New risks need to be managed and so require new controls.

How Digital Transactions Affect Audit

Digital transactions generate new opportunities as well as new risks. The risks include those relating to technology, software, transaction authentication, electronic and digital signatures, legal provisions relating to electronic documents, and personal information privacy.

IT Risks: Since digital transactions involve the use of the Internet, the most important risks associated with digital transactions are IT risks. The following IT risks can be distinguished: IT infrastructure, IT application, and IT business process risks.

Privacy Risks: A public sector entity’s management is responsible for ensuring the privacy of personal information obtained through digital transactions activities.

Legal Risks: Management is responsible for ensuring that digital transactions operations are conducted in compliance with applicable laws and regulations.

IT Risks

• The following IT risks can be distinguished:

IT Risks and Examples

IT infrastructure
• Inappropriate physical security
• Absence of adequate back-up procedures

IT application
• Bugs and errors in IT applications
• Uncoordinated or undocumented program changes

IT business process risk
• Lack of data flow transparency
• Inadequate integration of systems

IT Risks
Type of Control

Type of control (from automated to manual):
• IT General Controls
• Application controls
• IT-dependent manual controls
• Manual controls

Objective of control:
• Prevent misstatement
• Detect and correct misstatement
• Support the continued functioning of automated aspects of prevent, detect, and correct controls

IT Risks
IT General Control

1. Manage access
Provide access to the IT environment only to authorized, appropriate users and those users are restricted to performing authorized, appropriate actions

2. Manage change
Make changes to IT application programs and other relevant IT environment components that are appropriate and function as intended

3. Manage operations
Provide a reliable processing environment that is prepared for routine operating issues resulting from the loss of IT application programs and data and the incomplete processing of information

IT Risks
Cloud computing services

[Table: responsibility for each IT component (IT applications, Databases, Operating system, Network, Hardware – Servers, Hardware – Storage) under Internal and under the cloud computing services IaaS, PaaS and SaaS; legend: Client responsible, Service organization responsible]

Requires different kinds of Service Organization Control (SOC) reports:

• Internal Control over Financial Reporting
• Security, availability, processing, confidentiality, or privacy controls

IT Risks
Application Control

Automated controls: configurable vs. non-configurable

Configurable controls have additional IT risks related to inappropriate users with access to change the control configuration to affect transaction processing.

Configurable
Control functionality depends on key settings and fields within the application that can be modified using IT application screen by certain users.
• Different processing applied to different categories or transactions in the same application
• Configurations may be changed by users of IT department
• Changes may not be covered by IT manage change process

Non-configurable
Control functionality is programmed within the application logic and can only be modified through changes to the code.
• Generally, do not involve thresholds or other variable configurations
• Processing can only be modified by changing source code
• Changes covered by IT manage change process
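
An added example (not part of the original presentation) of one way to test the configurable-control risk described above: it reconciles a configuration change log against the users authorized to change settings and against approved change tickets, then reports windows in which a setting was changed and later restored. The log layout, user names, setting names and ticket ids are constructed assumptions.

```python
import csv
import io

# Constructed sample data (not from the deck): configuration changes to
# configurable controls, authorized maintainers, and approved change tickets.
CONFIG_CHANGE_LOG = """\
timestamp,user,setting,old_value,new_value,ticket
2022-03-01T09:12:00,cfg_admin1,invoice_approval_limit,5000,7500,CHG-0101
2022-03-14T22:47:00,ap_clerk7,invoice_approval_limit,7500,500000,
2022-03-15T08:03:00,ap_clerk7,invoice_approval_limit,500000,7500,
2022-04-02T10:30:00,cfg_admin2,three_way_match_tolerance,2,5,CHG-0199
"""
AUTHORIZED_CONFIG_USERS = {"cfg_admin1", "cfg_admin2"}
APPROVED_TICKETS = {"CHG-0101": "invoice_approval_limit"}

def review_config_changes(log_text, authorized_users, approved_tickets):
    """Return (row, reasons) for every change that fails a check."""
    exceptions = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = []
        # Manage access: only authorized users may change the configuration.
        if row["user"] not in authorized_users:
            reasons.append("user not authorized to change configuration")
        # Manage change: each change needs an approved ticket for that setting.
        ticket = row["ticket"].strip()
        if not ticket:
            reasons.append("no change ticket")
        elif approved_tickets.get(ticket) != row["setting"]:
            reasons.append("ticket not approved for this setting")
        if reasons:
            exceptions.append((row, reasons))
    return exceptions

def exposure_windows(exceptions):
    """Pair an excepted change with a later change that restores the old value."""
    windows = []
    for i, (a, _) in enumerate(exceptions):
        for b, _ in exceptions[i + 1:]:
            if (a["setting"], a["old_value"], a["new_value"]) == (
                    b["setting"], b["new_value"], b["old_value"]):
                windows.append((a["setting"], a["timestamp"], b["timestamp"]))
                break
    return windows

if __name__ == "__main__":
    found = review_config_changes(CONFIG_CHANGE_LOG, AUTHORIZED_CONFIG_USERS, APPROVED_TICKETS)
    for row, reasons in found:
        print(row["timestamp"], row["user"], row["setting"], "; ".join(reasons))
    print(exposure_windows(found))
```

Transactions processed inside a reported window are the ones to pull for detailed testing, since the control was not operating as configured during that period.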

Privacy Risks

• A public sector entity’s management is responsible for ensuring the privacy of personal information obtained through electronic service delivery activities. Although privacy and security of information are highly related, secure electronic delivery service systems do not automatically provide assurance that privacy is not being abused or violated.

• Consequently, it is important that management assesses the legal requirements in countries where their customers, suppliers or service providers are located to determine the degree of privacy that the law requires.

Legal Risks

• Management is responsible for ensuring that electronic service delivery operations are conducted in compliance with applicable laws and regulations.

• Some of the relevant legal issues include:
    • Protection of intellectual property, including patent, copyright, and trademark laws;
    • Enforceability of contracts with Internet Service Providers;
    • Ownership of software by a software vendor or the right of a software vendor to sell software licenses.

Effect of digital transactions on audit approach

01
In order to test the controls, the auditor should determine whether the entity has responded to the identified inherent risks in the IT system by establishing effective internal controls. From the auditor’s perspective, internal controls and internal control systems are effective when they prevent inherent risks in the IT system from causing material error, fault or failure during a specified period.

02
A material prerequisite for the assessment of the effectiveness of controls is the auditor’s assessment of the appropriateness of management’s evaluation of IT risks in the context of the implementation of the IT strategy.


Effect of digital transactions on audit approach

04
To test the effectiveness of the internal controls, the following steps are required in the audit areas defined in audit planning:
• Documentation of the IT system as the basis for the auditor’s understanding of the internal controls and the internal control system;
• Testing the design of the internal controls (test of design);
• Testing the operation of the IT controls (test of operation).

05
The purpose of tests of design is to assess whether the stipulated controls are appropriate and effective to the extent intended. The specific controls (i.e. input, output and processing controls) and their interaction are the subjects of this test. Typical audit procedures for tests of design include reviewing documents, making inquiries, observing activities and work processes.

Focus of Auditing Digital Enterprise

Audit of the digital enterprise will need to focus on:

• Business process risk management
• ‘Strength’ of controls
• Change management
• Configuration control
• Increasing need to use analytics
• Coalesced insights drawn from multiple sources
• Ability to analyze larger sets of data rather than sampling
• Audit ‘intelligence’

Implications for the audit professional:

• Outsider to trusted, valued insider. Collaborate more / Share knowledge
• Keeps abreast of changing technology and uses tools extensively
• Be closely attached to the business process without impinging on independence
• Engage before and during the course of business rather than only post facto
• Increasing need to be involved in post-audit actions
Q&A
