Module: | Statutory Audit, NFRA & ICAI Standards
Q59: Consider the following statements regarding the auditor's responsibilities under the revised Standard on Auditing (SA) 315 concerning the IT environment:
1. The auditor is required to obtain an understanding of the entity's IT environment, including the specific IT applications and IT infrastructure relevant to the financial reporting process.
2. If an entity uses complex, automated IT systems for financial reporting, the auditor is permitted to completely bypass testing IT General Controls (ITGCs) as long as they perform extensive manual substantive testing.
3. The revised SA 315 mandates that the auditor evaluate the design of the entity's risk assessment process, regardless of whether the entity is a massive conglomerate or a smaller enterprise.
Which of the above statements is/are incorrect?
2. If an entity uses complex, automated IT systems for financial reporting, the auditor is permitted to completely bypass testing IT General Controls (ITGCs) as long as they perform extensive manual substantive testing.
3. The revised SA 315 mandates that the auditor evaluate the design of the entity's risk assessment process, regardless of whether the entity is a massive conglomerate or a smaller enterprise.
Which of the above statements is/are incorrect?
✅ Correct Answer: B
🎯 Quick Answer:
B. Only 2 is incorrect.Structural Breakdown: Statement 1 is correct; mapping the IT landscape is a non-negotiable step in the risk assessment phase.
Statement 2 is incorrect; modern auditing standards explicitly state that in highly automated environments, it is impossible to obtain sufficient appropriate audit evidence relying solely on substantive testing.
The auditor MUST test the IT General Controls (access rights, change management) because if the system code is flawed or compromised, all the output data being substantively tested is inherently corrupted.
Statement 3 is correct; evaluating the risk assessment process is mandatory for all entities.
Historical/Related Context: The revision to SA 315 was a direct response to the global shift toward ERPs (Enterprise Resource Planning systems like SAP or Oracle). Auditors were historically treating IT as a "black box," which led to massive audit failures when underlying algorithms were manipulated to hide losses.
Causal Reasoning: You cannot manually verify millions of micro-transactions in a digital bank or e-commerce platform.
The auditor must verify the integrity of the machine making the calculations, making ITGC testing unavoidable.