
CFAP 6

CFAP-6
Cyber Risk & Controls, Data Analytics, and ICT
Jamshaid Akhtar ACA
1. Cyber security
1.1. Definition:
The protection of systems, networks and data in cyberspace. This definition can be extended
to include the protection of data from unauthorised modification, disclosure or destruction,
and the protection of the information system from the degradation or non-availability of
services, in other words, system failure.
The widespread use of IT/IS throughout the world presents organisations with the increasingly
complex challenge of keeping the systems and data they hold safe from a range of constantly
evolving risks. This has made cyber security a major issue for most organisations. Cyber
security is directed towards protecting IT systems from risks which predominantly feature
some degree of human involvement.
Although by no means definitive, the list below details some of the most significant cyber risks
an organisation's IT systems might encounter:
▪ Human threats: hackers may be able to get into the organisation's internal network,
either to steal data or to damage the system. Political terrorism is a major risk in the
era of cyberterrorism.
▪ Fraud: the theft of funds by dishonest use of a computer system.
▪ Deliberate sabotage: For example, commercial espionage, malicious damage or
industrial action.
▪ Viruses and other corruptions: can spread through the network to all of the
organisation's computers.
▪ Malware: this term is used for hostile or intrusive software such as worms, Trojan
horses, spyware and other malicious programs.
▪ Denial of Service (DoS) attack: a denial-of-service attack is characterised by an
attempt by attackers to prevent legitimate users of a service from using that service.
In recent years, there has been an alarming rise in the number of so called 'cyber attacks'
carried out by hackers and saboteurs, intent on causing maximum disruption to organisational
IT systems.
The growth of big data and its use in the business environment poses new risks for businesses
and for auditors. Some recent high-profile incidents of security breaches have highlighted the
reputational risk that organisations face when data is hacked. In addition, the failure to
protect personal data can result in fines for breaching data protection legislation.
There are four areas for businesses to consider in mitigating the risk:
i. Consider 'cyber' implications in all business activities, not simply as an IT issue
ii. Accept the fact that security will be compromised and act accordingly
iii. Focus on critical information assets and key data
iv. Get the basics right
On the final point, it is estimated that up to 80% of security breaches could be prevented by
having basic protection measures, such as malware protection, in place. There is also evidence of
complacency, where businesses believe that they have adequate security in place and
therefore that no more needs to be done.
1.2. Challenges and recommendations
▪ Communication is a key barrier to common understanding and discussion.

JAMSHAID AKHTAR ACA 1
▪ Organisational structures need to define responsibility and accountability for cyber
security.
▪ Board-level accountability for cyber risks needs to be determined.
▪ Non-executive directors and audit committees also need to play a part.
1.3. IT security controls
Security can be subdivided into several aspects.

▪ Prevention: practical measures such as the use of passwords and securing IT assets
by keeping doors leading to servers locked when not in use may help to prevent
unauthorised access. In practice it is impossible to prevent all threats cost-effectively.
▪ Detection: detection techniques are often combined with prevention techniques: a
log can be maintained of unauthorised attempts to gain access to a computer system.
▪ Deterrence: as an example, computer misuse by personnel can be made grounds for
dismissal.
▪ Recovery procedures: if the threat occurs, its consequences can be contained.
▪ Correction procedures: these ensure the vulnerability is dealt with (for example, by
instituting stricter controls).
▪ Threat avoidance: this might mean changing the design of the system.
1.4. Combating IT risks and IT security
There are a number of practical measures that organisations can take in combating IT risks.

▪ Business continuity planning: this means that there should be measures to ensure
that if major failures or disasters occur, the business will not be completely unable
to function.
▪ Systems access control: this includes protection of information, information
systems, networked services, detection of unauthorised activities and security when
using the systems.
▪ Systems development and maintenance: this includes security measures and steps
to protect data in operational and application systems and also ensuring that IT
projects and support are conducted securely.
▪ Physical and environmental security: measures should be taken to prevent
unauthorised access, damage and interference to business premises, assets,
information and information facilities and prevention of theft.
▪ Compliance: with any relevant legal requirements and also with organisational
policies and standards. There is no point in having them if they are not enforced.
▪ Personnel security: this covers issues such as recruitment of trustworthy employees,
and also reporting of security-related incidents. Training is particularly important,
with the aim that users are aware of information security threats and concerns and
are equipped to comply with the organisation's security policy.
▪ Security organisation: it should be clear who has responsibility for the various
aspects of information security. Additional considerations will apply if facilities and
assets are accessed by third parties or responsibility for information processing has
been outsourced.
▪ Computer and network management: this includes ensuring continuity of
operations and minimising the risk of systems failures, also protecting the integrity
of systems and safeguarding information, particularly when exchanged between
organisations. Particularly important is protection from viruses.
▪ Asset classification and control: information is an asset, just like a machine, building
or a vehicle, and security will be improved if information assets have an 'owner', and
are classified according to how much protection they need.
▪ Security policy: a written document setting out the organisation's approach to
information security should be available to all staff.

Example: Cyber security

One of your audit clients, Derby Ltd (Derby), has outsourced its payroll function. The service
organisation that processes the payroll provides Derby with monthly payroll information for its
employees. Using this information, Derby pays wages and salaries directly into its employees' bank
accounts and pays the relevant payroll taxes to the tax authorities.

The business risks arising from the outsourcing of Derby's payroll function, and the implications for
the financial statements, are as follows:

▪ Loss, theft or misuse of personal data
▪ Reputational damage
▪ Fines for late submissions to the tax authorities
▪ Fines for breach of data protection legislation
▪ Risk of material misstatements in the financial statements due to unrecognised provisions

Q. 3 ICAP-W-20 (For course of action)

2. Data analytics
Definition

"Data Analytics, when used to obtain audit evidence in a financial statement audit, is the science
and art of discovering and analysing patterns, deviations and inconsistencies, and extracting other
useful information in the data underlying or related to the subject matter of an audit through
analysis, modelling and visualisation for the purposes of planning and performing the audit."

Data analysis has been used in the business and other sectors for some time. It was originally
developed by technology firms for the purposes of data mining and modelling, especially in
banking and retail. More recently data analytics is being seen as a practical way for auditors to
approach IT issues and the complex uses of data, especially in large organisations.

Auditors have been using computer-assisted audit techniques (CAATs) since the days when their
audit clients started computerising their accounting systems. Such CAATs tended to be
entity-specific and were therefore not widely used as a general audit tool.

Data analytics is now also seen as a means of improving audit quality, from its use in the risk
assessment process through to the testing of controls and substantive procedures including
analytical procedures. The quality of audit information is also enhanced through the use of
graphics and other means to visualise the results of audit procedures. In addition, audit
procedures can be carried out on a continuous basis rather than being concentrated at the year
end.

ISAs are based on the systems-based approach to audit, which seeks to obtain audit evidence by
placing reliance on internal controls rather than on carrying out extensive substantive testing. The
emergence of the use of data analytics in audit engagements, especially by the larger firms,
enables 100% checking to take place, thereby eliminating sampling risk.

An example of how data analytics can be used is in the analysis of journals to show, for example:
▪ Year on year comparisons
▪ The number of manual input vs system-generated journals
▪ Identifying who is raising journals and when
▪ Activity identifying potential fraud risk

The use of data analytics has the potential to transform the way in which audits are carried out
for the better, but there are some negative impacts that need to be addressed:
▪ The cost of setting up the infrastructure can be prohibitive, especially for smaller firms
▪ The quality of the underlying data is crucial
▪ Staff need training in the new skills needed to manipulate data and to interpret the
results
▪ Ensuring the security of client and audit data

Commonly performed data analytics routines

Auditors can perform the following routines when carrying out risk analysis, transactions and
controls testing, and analytical procedures, or to support judgements and to provide insights. Many
routines can be carried out with little or no management involvement, which enhances the
independence of the evidence or information obtained.
i. Comparing the last time an item was bought with the last time it was sold, for
cost/NRV purposes.
ii. Inventory ageing and how many days inventory is in stock by item.
iii. Receivables and payables ageing and the reduction in overdue debt over time by
customer.
iv. Analyses of revenue trends split by product or region.
v. Analyses of gross margins and revenues, highlighting items with negative margins.
vi. Matches of orders to cash and purchases to payments.
vii. 'Can do, did do' testing of user codes, to test whether segregation of duties is
appropriate and whether any inappropriate combinations of users have been
involved in processing transactions.
viii. Detailed recalculations of depreciation on fixed assets by item, either using
approximations (such as assuming sales and purchases are mid-month) or using the
entire data set and exact dates.
ix. Analysis of capital expenditure vs repairs and maintenance.
x. Three-way matches between purchase/sales orders, goods received/despatched
documentation and invoices.
xi. Analyse all transactions in a population, stratify that population and identify outliers
for further examination.
xii. Reperform calculations relevant to the financial statements.
xiii. Match transactions as they pass through a processing cycle.
xiv. Assist in segregation of duties testing.
xv. Compare entity data to externally obtained data.
xvi. Manipulate data to assess the impact of different assumptions.

The use of data analytics means that procedures can be performed much more quickly and also, more
significantly, to a higher standard. The extent to which this activity contributes to improvements in
audit quality is largely dependent on the skills and judgement applied to analysing and drawing
conclusions from the results obtained.

Data analytics and audit quality

It is noted that potential improvements in audit quality provide a key driver to audit firms when using
data analytics. These improvements include:

i. Deepening the auditor's understanding of the entity
ii. Facilitating the focus of audit testing on the areas of highest risk through stratification of
large populations
iii. Aiding the exercise of professional scepticism
iv. Improving consistency and central oversight in group audits
v. Enabling the auditor to perform tests on large or complex datasets where a manual
approach would not be feasible
vi. Improving audit efficiency
vii. Identifying instances of fraud
viii. Enhancing communications with audit committees

ICAP-Study Text

The following are some of the projects under review by the IAASB where data analytics will have a
role.

Professional Skepticism
The use of data analytics in an audit of financial statements will not replace the need for the auditor
to exercise appropriate professional judgement and professional skepticism. It is very important for
the auditor to have a thorough understanding of the entity and its environment in order to facilitate
a high-quality audit in which professional skepticism is appropriately applied.

The ability of the auditor to analyze data underlying the financial information represented in the
financial statements may enable the auditor to have a deeper understanding of what has actually
occurred in the financial reporting system—which will be beneficial to the auditor in making inquiries
of entity personnel. When appropriately exercising professional skepticism, the auditor should take
care not to disregard the results of the data analytic merely because they do not appear as the auditor
would expect based on the auditor’s understanding of the entity’s business or the population. Instead,
the auditor should use professional judgment and professional skepticism to consider whether the
results of the data analytic represent inconsistent or contradictory evidence for which further
investigation is necessary.

ISA 315 (Revised)

Risk assessment, including the identification of the risks of material misstatement, is fundamental to
the performance of an audit in accordance with the ISAs. Data analytics enables auditors to improve
the risk assessment process. The ability to analyze large populations can enable the auditor to
determine and assess the areas of audit risk earlier in the audit process.

Group Audits

Many audits today are audits of group financial statements (group audits). Group audits generally
involve participation of component auditors who perform work on financial information related to
components that comprise the group. Audit risk in a group audit encompasses the possibility that a
misstatement at the component level, or across components, is not detected, which might result in
the group financial statements being materially misstated. Data analytics can help in the following
areas of a group audit:

▪ Scoping of the group audit
▪ For components that are not significant components, data analytics enables more effective
analytical and other audit procedures to be performed by the auditor in obtaining sufficient
appropriate audit evidence.
▪ In some group audit environments, more of the audit procedures can be centralised and
performed by the group auditor

Q. 1

You are working on the external audit of Talat Limited (TL) for the year ending 30th June 2019. Your
firm’s data analytics software has produced the following dashboard, relating to journal entries, using
data provided by TL.

The dashboard shows the total value (analysed by time of posting), average value and department for
each employee who has posted journals during the year. Normal working hours are from 9am to 6pm.

[Dashboard chart: Total Value (Rs. 000), analysed by time of posting, and Average Value (Rs. 000) of
journals posted by Mr. A (Finance), Mr. B (Finance), Mr. C (Finance), Mr. D (HR) and Mr. E (Board)]

Required:
Using the dashboard, identify and explain the matters which you consider require further
examination. (4 Marks)

Ans. 1

Matters for further investigation

▪ Mr. C/Mr. D have a high proportion of journals posted outside working hours
o Increased risk of fraud
o Unauthorised transactions
▪ Mr. D/Mr. E have journals of high average value
o May include material transactions
▪ Journals posted by HR / Board
o Likely to be non-routine transactions
o Increased risk of error
o May indicate management override
▪ High value of journals by Mr. C
o Consider if this is consistent with Mr. C’s role
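To show how the routine behind such a dashboard works, here is an added example (not from the study text or ICAP) that runs the review criteria from the answer above over a constructed set of journal postings; the employees, departments, amounts, timestamps and thresholds are all assumed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

WORK_START, WORK_END = 9, 18  # normal working hours: 9am to 6pm

# Constructed sample postings (hypothetical, not TL's data): employee,
# department, posting time, amount in Rs. 000.
JOURNALS = [
    ("Mr. A", "Finance", "2019-03-04 10:15", 120),
    ("Mr. A", "Finance", "2019-03-05 14:30", 80),
    ("Mr. A", "Finance", "2019-03-06 16:45", 100),
    ("Mr. B", "Finance", "2019-03-04 09:05", 60),
    ("Mr. B", "Finance", "2019-03-07 17:50", 90),
    ("Mr. C", "Finance", "2019-03-04 21:10", 400),
    ("Mr. C", "Finance", "2019-03-09 22:30", 350),
    ("Mr. C", "Finance", "2019-03-11 11:00", 150),
    ("Mr. D", "HR", "2019-03-08 20:05", 900),
    ("Mr. D", "HR", "2019-03-15 07:40", 1100),
    ("Mr. E", "Board", "2019-06-29 15:00", 2500),
]


def is_out_of_hours(posted_at):
    """True if the posting time falls outside 09:00-18:00."""
    hour = datetime.strptime(posted_at, "%Y-%m-%d %H:%M").hour
    return hour < WORK_START or hour >= WORK_END


def summarise(journals):
    """Per-employee department, total, average and share of out-of-hours postings."""
    rows_by_emp, dept = defaultdict(list), {}
    for emp, department, posted_at, amount in journals:
        rows_by_emp[emp].append((posted_at, amount))
        dept[emp] = department
    summary = {}
    for emp, rows in rows_by_emp.items():
        amounts = [amount for _, amount in rows]
        out_of_hours = sum(is_out_of_hours(t) for t, _ in rows)
        summary[emp] = {
            "department": dept[emp],
            "total": sum(amounts),
            "average": sum(amounts) / len(amounts),
            "out_of_hours_ratio": out_of_hours / len(rows),
        }
    return summary


def flag_for_investigation(journals, out_of_hours_limit=0.5,
                           high_average=500, routine_departments=("Finance",)):
    """Apply the review criteria from the answer; return reasons per employee.
    Thresholds are assumptions: in practice they come from materiality and
    knowledge of the entity."""
    summary = summarise(journals)
    flags = {}
    for emp, s in summary.items():
        reasons = []
        if s["out_of_hours_ratio"] > out_of_hours_limit:
            reasons.append("out_of_hours")
        if s["average"] >= high_average:
            reasons.append("high_average")
        if s["department"] not in routine_departments:
            reasons.append("non_finance_poster")
        # Total value out of line with peers in the same department (Mr. C's case)
        peers = [p["total"] for e, p in summary.items()
                 if e != emp and p["department"] == s["department"]]
        if len(peers) >= 2 and s["total"] > 2 * mean(peers):
            reasons.append("high_total_vs_peers")
        flags[emp] = reasons
    return flags
```

`flag_for_investigation(JOURNALS)` returns an empty list for Mr. A and Mr. B and one or more reasons for Mr. C, Mr. D and Mr. E, matching the four matters listed above.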

Q. 2

Your firm acts as auditor to Hydra Ltd, which manufactures and bottles non-alcoholic drinks in
Pakistan under licence from a Swiss company.
Hydra Ltd has two products only: 'Vital', a sparkling cold drink made from fruit juices, herbal extracts
and mineral water, and 'Glow', which is to be served hot, made from grape juices, herbs and spices.
Royalties are payable to the Swiss company, which is not related to Hydra Ltd, at the rate of 20p per
bottle of Vital or Glow sold. Royalties are included in cost of sales, and Hydra Ltd expects to make an
average mark-up on total cost of 150% for Vital and 120% for Glow.
To reflect environmental concerns the customer is charged a deposit of 10p, which is reimbursed on
return of the bottle. This scheme was introduced during the year. The theme of concern for the
environment is echoed in Hydra Ltd’s advertising, which emphasises the natural ingredients.
The final audit is scheduled to commence in two weeks' time. You have recently received a copy of
Hydra Ltd’s management accounts, which reflect the position for the current year.
                              20X6      20X5
                           Rs.'000   Rs.'000
Revenue                      3,280     1,876
Gross profit                 1,940     1,042
Profit from operations       1,345       807
Required:
a. Prepare a schedule that indicates the analytical procedures which would form part of your
year end substantive procedures. Where relevant, suggest possible reasons for the changes
between 20X6 and 20X5.
b. Explain what impact the new scheme involving deposits on bottles will have on the audit of
liabilities at the year end.
Ans. 2

(a)

Analytical procedures, with possible reasons for the changes between 20X5 and 20X6:

▪ Analyse revenue per product type by month.
  Possible reasons for change: a difference in the rate of increase would indicate a switch
  from one product to the other. Seasonal variations are expected as Glow is largely a
  winter product and Vital a summer product.

▪ Analyse gross profit per product type by month.
  Possible reasons for change: GP margin has increased from 55.5% to 59.1%. The higher
  margin indicates a move from Glow to Vital (possibly due to a mild winter in 20X5/X6).

▪ Analyse cost of goods sold per product type by month.
  Possible reasons for change: cost of goods sold only increased by 60.6%, while revenue
  increased by almost 75%. Again, a possible reason could be the switch from one product
  to the other. It does seem a disproportionately small increase, especially as royalties
  are included in cost of goods sold and remain constant per bottle sold, regardless of
  product. However, recycling of glass bottle returns could account for the slower rate
  of increase.

▪ Analyse distribution and administrative costs into:
  – Administrative costs (especially the deposit scheme)
  – Advertising costs
  – Transport costs
  – Labour costs
  Possible reasons for change: these have increased by 153%, contributing to the fall in
  net profit margin from 43% to 41%. The increase in these costs could have been caused by:
  o Implementation of the deposit scheme (unlikely to account for the whole increase as
    it was not operational for the whole year)
  o Increased advertising costs to promote the deposit scheme and the 'environment
    friendly' nature of the products (this could also have contributed to the increase
    in revenue)
  o Increased transport costs in proportion to the 75% increase in revenue
  o Increased labour costs, again in proportion to the rise in revenue

▪ Analysis of nature, valuation and consistency of treatment of closing inventories.
  Compare with inventories held at the end of previous years.
  Possible reasons for change: the disproportionately smaller increase in cost of goods
  sold could be caused by an error in the counting or valuation of closing inventories,
  causing them to be overstated and thus cost of goods sold reduced.
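The percentages in the schedule above are derived from the management accounts in the question. This added example (not part of the study text) works them through from the question's own figures, derives the cost of sales and distribution/administrative totals the accounts imply, and sizes the cost of sales shortfall that the product-mix, bottle-return and inventory explanations have to account for; results are rounded to one decimal place, so the 60.6% cost of goods sold movement appears here as 60.7%.

```python
# Management accounts from the question (Rs. '000); 20X6 is the current year.
ACCOUNTS = {
    "20X6": {"revenue": 3280, "gross_profit": 1940, "profit_from_operations": 1345},
    "20X5": {"revenue": 1876, "gross_profit": 1042, "profit_from_operations": 807},
}


def derived_figures(year):
    """Figures the management accounts imply but do not state directly."""
    a = ACCOUNTS[year]
    return {
        "cost_of_sales": a["revenue"] - a["gross_profit"],
        "dist_admin": a["gross_profit"] - a["profit_from_operations"],
        "gp_margin_pct": round(100 * a["gross_profit"] / a["revenue"], 1),
        "net_margin_pct": round(100 * a["profit_from_operations"] / a["revenue"], 1),
    }


def pct_change(current, prior):
    """Year-on-year movement as a percentage of the prior year, to one decimal."""
    return round(100 * (current - prior) / prior, 1)


def analytical_review(current="20X6", prior="20X5"):
    """Movements an auditor would put on the year-end analytical schedule."""
    c, p = ACCOUNTS[current], ACCOUNTS[prior]
    dc, dp = derived_figures(current), derived_figures(prior)
    return {
        "revenue_change_pct": pct_change(c["revenue"], p["revenue"]),
        "cost_of_sales_change_pct": pct_change(dc["cost_of_sales"], dp["cost_of_sales"]),
        "dist_admin_change_pct": pct_change(dc["dist_admin"], dp["dist_admin"]),
        "gp_margin_pct": (dp["gp_margin_pct"], dc["gp_margin_pct"]),
        "net_margin_pct": (dp["net_margin_pct"], dc["net_margin_pct"]),
    }


def cost_of_sales_shortfall(current="20X6", prior="20X5"):
    """Royalties are a fixed amount per bottle, so cost of sales would be expected
    to move roughly in line with revenue. Returns (expected, actual, shortfall);
    the shortfall is what the product-mix, bottle-return and inventory
    explanations in the schedule have to account for."""
    c, p = ACCOUNTS[current], ACCOUNTS[prior]
    prior_cos = derived_figures(prior)["cost_of_sales"]
    expected = round(prior_cos * c["revenue"] / p["revenue"], 1)
    actual = derived_figures(current)["cost_of_sales"]
    return expected, actual, round(expected - actual, 1)
```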

(b) Impact of deposit scheme on audit of liabilities

Liabilities at the 20X6 year end will have increased, as this is the first year in which the scheme has
been implemented. This should be evident in analytical procedures on sundry payables.
The amount may be material as the number of bottles sold and not returned per annum could be high.
It is necessary to ascertain and evaluate the client's procedure for recording:
i. The number of bottles (or cases) sold
ii. The number of bottles returned
iii. The number outstanding
As this is the first year of the scheme there will be no opening liability to provide added
assurance.
Consideration should be given to the length of time the client intends to keep the provision in place.
It may be that, each year, the previous year's provision can be written back.
Because of the uncertainty in calculating the liability required and the fact that the final
figure may rest on an estimate of the number of bottles likely to be returned, the auditor's main
concern will be that liabilities are not understated.
The auditor therefore needs to be satisfied that returns are recorded with reasonable accuracy.
Records of returns will be received from retailers (mainly supermarkets and off-licences) and the
auditor will need to be satisfied that the client can reasonably rely on these records. Since the retailers
will be requesting a refund of money paid by them with the returns, there is a risk that the number of
returns may be overstated.
In summary, the principal impact on the audit of liabilities will be:
i. An additional year end liability in 20X6
ii. Uncertainty in the calculation of the liability, and therefore
iii. The risk that this liability may be understated

JAMSHAID AKHTAR ACA 10
