ENDEAVOR E-MAGAZINE ENDEAVOR | Page 24

WORLD ACADEMY OF INFORMATICS AND MANAGEMENT SCIENCES
ISSN : 2278-1315
Other RPA examples include automating a workflow (e.g.,
How has management evaluated the sufficiency of existing
open, read, and create emails), automating rule-based
policies and procedures related to the safeguarding of
calculations (e.g., calculation of the depreciation charge on
assets when implementing the emerging technology?
property, plant, and equipment), and recording the journal
entry to the general ledger each month.
Has management identified intermediaries or third parties
Certain business functions may be better suited for
integral to the emerging technology functionality? If so,
automation than others. An RPA strategy could be applied
are current third-party risk management practices
to business functions with the following characteristics:
sufficient to adequately address the emerging technology?
 A need for a high degree of precision, accuracy,
and consistency
In Director FAQ: Board Oversight of Emerging
 Repetitive, manual transaction processing
Technologies, the National Association of Corporate
 Information being housed in multiple systems
Directors (NACD) recommends the following practices to
 Dependency on manually intensive yet simple tasks
support board oversight of emerging technologies:
such as data entry, data manipulation, and report
 Consider recruiting technology experts to fill open
generation.
board seats.
 Invest in technology-focused director education.
 Consider establishing a board-level technology
committee or setting up a technology advisory board.
 Integrate the topic of technology disruption into
discussions about strategy and risk.
©2013, Committee of Sponsoring Organizations of the
Treadway Commission COSO). Used by permission
MANAGEMENT’S RISK IDENTIFICATION AND
ASSESSMENT PROCESS
Risk assessment involves a dynamic and ongoing process
for identifying and assessing risks in order to achieve
financial reporting objectives. Audit committees might
consider whether management has assessed the risks
associated with changes to company processes as a result of
emerging technology projects and whether controls are in
place to identify new risks as they arise. Audit committees
may think about whether they have adequate access to
technology expertise (which could be external).
Audit committees also may consider what procedures are in
place to help ensure that risk assessment of how technology
impacts financial reporting is an ongoing exercise and does
not become stale as technology evolves.
OVERSIGHT IN ACTION
What risks associated with the use of the emerging
technology have management considered?

How has management identified and addressed
fraud risks associated with emerging technology
environments?
 Has
management
considered
additional
transparency-related risks (e.g., risks related to the
identification of related parties and illegal acts). If
so, what are the plans to address these risks?
 Were any new compliance or regulatory risks
introduced by using the emerging technology?
Has management considered the adequacy of the current
risk assessment process relative to the risks introduced
by the emerging technology?
www.waims.co.in
UNDERSTAND
THE
CONTROL
ACTIVITIES:
IDENTIFIED RISKS
Control activities are the specific actions established to ensure
that the risk of failing to meet an objective is mitigated to an
appropriate level. Audit committees may seek to understand
from management that control activities address:
 How systems that rely on emerging technologies are
ready to respond to financial reporting needs prior to
deployment;
 If the technology is functioning as intended and the
output is reliable;
 How emerging technologies will be tested and
integrated with other systems;
 How information technology (IT) considerations
regarding unauthorized access, user provisioning,
and segregation of duties are controlled; and
 How important assets (including customer data and
intellectual property assets) are safeguarded.
If the emerging technology involves intermediaries or third
parties, audit committees may want to understand how
management has satisfied themselves that such organizations
also operate in a well-controlled manner and do not pose a
threat to timely and accurate financial reporting.
OVERSIGHT IN ACTION:
How has management assessed the current control
environment to determine whether new controls are
needed in response to the additional risks introduced by
the emerging technology?
Are controls in place to address the risk that the
technology is not operating as intended (i.e., to assess the
reliability of the outputs from the technology)?
For an AI project, how is the introduction of bias in the
data and algorithm used by the model prevented?
What controls are in place to help ensure that those
charged with oversight would be informed if a cyber-
security breach occurred?
ENDEAVOR 2019 | WAIMS ACADMIC PRESS
24 | P a g e