Regulation 16 — Audit Regulations 2020
Original Rule Text
16. Auditing in an Information Technology (IT) environment
(1) Audits, whether financial, compliance or performance audits, are conducted increasingly in an IT environment today. Governments and other public sector entities have continuously adopted IT, in order to enhance efficiency and effectiveness in their functioning and delivery of various public services. IT has made it possible to capture, store, process, retrieve and deliver information electronically, and the delivery mode of public services is, in many cases, rapidly transitioning from physical to electronic.
(2) Audits in IT environment cover either or both of the following:
(i) Audit of IT systems or IT Audits
(ii) Financial, compliance or performance audits (or combined audits) using various IT tools for supporting the achievement of the audit objectives – also referred to as “IT assisted audits”.
(3) The broad principles of audit and requirement of access to data, information and documents as contained in these Regulations shall apply to auditing in an IT environment.
What This Means
Audits increasingly operate in an IT environment as governments digitize their operations and service delivery. Auditing in an IT environment has two aspects: (1) audit of the IT systems themselves (IT Audits) to ensure they are secure, reliable, and meet organizational goals, and (2) using IT tools to assist in financial, compliance, or performance audits. The general principles of audit apply fully in IT environments. Where an entity uses end-to-end automated systems with adequate controls, a significant proportion of audit can be conducted off-site (remotely), except for verifying outputs and outcomes.
This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.
Key Points
- IT environment audits cover both 'audit of IT systems' and 'IT-assisted audits'
- IT audits assess whether systems meet organizational goals and safeguard data integrity
- All general audit principles apply equally in IT environments
- Off-site (remote) audit is permitted for end-to-end automated systems with adequate controls
- Even in off-site audits, verification of outputs and outcomes requires on-site work
- The auditor must assess whether IT data can be relied upon as a single source of truth
Practical Example
The AG (Audit) Karnataka is auditing the state's e-procurement platform (which handles all government purchases above Rs 5 lakh). The audit has two tracks: (1) an IT audit examining whether the platform has adequate security controls, proper user authentication, non-repudiable audit trails, and data integrity safeguards; and (2) an IT-assisted compliance audit using data analytics to identify split procurements just below the threshold, unusual patterns in bid timings, and contracts awarded without competitive bidding. Since the e-procurement system is end-to-end automated, much of the data analysis is done off-site, but auditors visit selected procuring entities to physically verify deliveries.
Frequently Asked Questions
What does 'single source of truth' mean in an IT audit context?
Can audit be conducted entirely off-site for fully automated systems?
What if the entity's IT system does not have an audit trail?