Professional Documents
Culture Documents
Jump to: navigation, search This article has multiple issues. Please help improve it or discuss these issues on the talk page. This article does not cite any references or sources. Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged and removed. (December 2009) This article has no lead section. Please help by adding an introductory section to this article. For more information, see the layout guide, and Wikipedia's lead section guidelines. (September 2009) It has been suggested that this article or section be merged into Information technology audit. (Discuss) Proposed since January 2010. Main article: Information technology audit Information technology audit process:
Contents
1 Generally Accepted Auditing Standards (GAAS) 2 Phases of an IT Audit o 2.1 Establish the Terms of the Engagement o 2.2 Preliminary Review o 2.3 Establish Materiality and Assess Risks o 2.4 Plan the Audit o 2.5 Consider Internal Control o 2.6 Perform Audit Procedures o 2.7 Issue the Audit Report 3 Planning the Audit o 3.1 Materiality o 3.2 Risk Assessment 3.2.1 Documentation of Risk Assessment o 3.3 The Audit Plan o 3.4 Planning Memo 4 Evaluation of Internal Controls o 4.1 General Controls o 4.2 Application Controls o 4.3 Tests of Controls 5 Audit Procedures o 5.1 Audit Sampling 5.1.1 Selecting the Sample 5.1.2 Evaluation and Documentation of Samples o 5.2 Computer Assisted Auditing Techniques (CAATs) o 5.3 Evidence 6 Completing the Audit
6.1 Reporting 6.1.1 Types of Auditors' Opinions o 6.2 Audit Documentation 7 Resources
o
General Standards relates to professional and technical competence, independence, and professional due care. Field Work Standards relates to the planning of an audit, evaluation of internal control, and obtaining sufficient evidential matter upon which an opinion is based. Reporting Standards relates to the compliance of all auditing standards and adequacy of disclosure of opinion in the audit reports. If an opinion cannot be reached, the auditor is required to explicitly state their assertions.
The auditor must plan and conduct the audit to ensure their audit risk (the risk of reaching an incorrect conclusion based on the audit findings) will be limited to an acceptable level. To eliminate the possibility of assessing audit risk too low the auditor should perform the following steps: Obtain an Understanding of the Organization and its Environment: The understanding of the organization and its environment is used to assess the risk of material misstatement/weakness and to set the scope of the audit. The auditors understanding should include information on the nature of the entity, management, governance, objectives and strategies, and business processes. Identify Risks that May Result in Material Misstatements: The auditor must evaluate an organizations business risks (threats to the organizations ability to achieve its objectives). An organizations business risks can arise or change due to new personnel, new or restructured information systems, corporate restructuring, and rapid growth to name a few. Evaluate the Organizations Response to those Risks: Once the auditor has evaluated the organizations response to the assessed risks, the auditor should then obtain evidence of managements actions toward those risks. The organizations response (or lack thereof) to any business risks will impact the auditors assessed level of audit risk. Assess the Risk of Material Misstatement: Based on the knowledge obtained in evaluating the organizations responses to business risks, the auditor then assesses the risk of material misstatements and determines specific audit procedures that are necessary based on that risk assessment.
independence, deliverables), authority (right of access to information), and accountability (auditees rights, agreed completion date) of the auditor.
IS Standard 050 (Planning) states, The IT auditor should plan the information systems audit coverage to address the audit objectives and comply with applicable laws and professional auditing standards. One of the first tasks an auditor must do when planning the audit is to develop a working budget. The IT audit manager must know the capabilities of the audit staff assigned to the project. In addition to budgeted time needed to perform the audit, the IT audit manager should also budget time needed to train the audit staff (if needed) and allow time for any error correction purposes. While planning the audit, the auditor decides what level of audit risk (the risk of reaching an incorrect conclusion based on the audit findings) he or she is willing to accept. The more effective and extensive the audit work is, the less the risk that a weakness will go undetected and the auditor will issue an inappropriate report. Audit risk is dependent on the auditors assessed levels of inherent risk (the susceptibility of an audit area to error which could be material, assuming there are no related internal controls), control risk (the risk a material weakness will not be prevented or detected by internal controls), and detection risk (the risk substantive tests will not detect an error which could be material). These risks are determined when the auditor performs a risk assessment of the organization. Additionally, in order to evaluate whether an IT audit has been successful, the auditor must first identify the intended scope and objectives of the audit to test managements assertions on their information systems. To meet the audit objectives, and to ensure that audit resources will be used efficiently, the auditor will need to establish levels of materiality. The auditor should consider both qualitative and quantitative aspects in determining materiality. An assessment of risk should be made to provide reasonable assurance that all material items will be adequately covered during the audit work. This assessment should identify areas with relatively high risk of existence of material problems.
[edit] Materiality
In assessing materiality, the IT auditor should consider:
The aggregate level of error acceptable to management, the IT auditor, and appropriate regulatory agencies. The potential for the cumulative effect of small errors or weaknesses to become material.
While establishing materiality, the auditor may audit non-financial items such as physical access controls, logical access controls, and systems for personnel management, manufacturing control, design, quality control, and password generation. While planning the audit work to meet the audit objectives, the auditor should identify relevant control objectives and determine, based on materiality, which controls should be examined. Internal control objectives are placed by management and identifies what the management strives to achieve through their internal controls. Where financial transactions are not processed, the following identifies some measures the auditor should consider when assessing materiality:
Criticality of the business processes supported by the system or operation. Cost of the system or operation (hardware, software, third-party services) Potential cost of errors. Number of accesses/transactions/inquiries processed per period. Penalties for failure to comply with legal and contractual requirements.
The nature, extent, and timing of audit procedures. The areas or business functions to be audited. The amount of time and resources to be allocated to an audit.
[edit] Documentation of Risk Assessment Once the assessed level of risk has been determined, the auditor should document the following in their work papers:
A description of the risk assessment technique used. The identification of significant risks. The risks the audit is going to address. The audit evidence used to support the IS auditors assessment of risk.
The auditors understanding of the client. Potential audit risks. A basic framework for how the audit resources (budgeted audit hours) are to be allocated throughout the audit. Audit procedures to be performed.
The objective of the audit plan is to assist the auditor in conducting an effective and efficient audit.
Organizational Controls includes segregation of duties controls. Data Center and Network Operations Controls ensures the proper entry of data into an application system and proper oversight of error correction. Hardware & Software Acquisition and Maintenance Controls includes controls to compare data for accuracy when it is input twice by two separate components. Access Security Controls ensures the physical protection of computer equipment, software, and data, and is concerned with the loss of assets and information through theft or unauthorized use. Application System Acquisition, Development, and Maintenance Controls ensures the reliability of information processing. Managerial controls- To ensure that there is no unauthorised access to IT assets.
Data Capture Controls ensures that all transactions are recorded in the application system, transactions are recorded only once, and rejected transactions are identified, controlled, corrected, and reentered into the system. Data Validation Controls ensures that all transactions are properly valued. Processing Controls ensures the proper processing of transactions. Output Controls ensures that computer output is not distributed or displayed to unauthorized users. Error Controls ensures that errors are corrected and resubmitted to the application system at the correct point in processing.
Weak security Unauthorized access to data and unauthorized remote access Inaccurate information and erroneous or falsified data input Misuse by authorized end users Incomplete processing and/or duplicate transactions Untimely processing Communication system failure Inadequate training and support
Statistical Sampling Methods o Random Sampling ensures that all combinations of sampling units in the population have an equal chance of selection. o Systematic Sampling involves selecting sampling units using a fixed interval between selections with the first interval having a random start. Non-Statistical Sampling Methods o Haphazard Sampling the auditor selects the sample without following a structured technique. o Judgmental Sampling the auditor places a bias on the sample. For example, selecting only sampling units over a certain value.
The selection of the sample size is affected by the level of sampling risk that the IT auditor is willing to accept. Sampling risk is the risk the auditors conclusion may be different from the conclusion that would be not be reached
reached if the entire population were subjected to the same audit procedure. The two types of sampling risk are:
1. The Risk of Incorrect Acceptance the risk that a material misstatement is assessed as unlikely, when in fact the population is materially misstated. 2. The Risk of Incorrect Rejection the risk that a material misstatement is assessed as likely, when in fact the population is not materially misstated. Once the sample items have been selected to be tested, the auditor can begin audit tests using Computer Assisted Auditing Techniques (CAATs), which will be discussed shortly. [edit] Evaluation and Documentation of Samples The performance and evaluation of a sample must address the following issues:
The effect of not being able to apply a planned procedure to a sample item. A projection of the sample results to the population being tested, then comparing those results with the planned amounts. Appropriate consideration to the assessed level of sampling risk must be performed. SAS 39 requires the auditor to adequately consider qualitative aspects of misstatements, such as the nature and cause of the misstatement and the possible relationship of the misstatements to other phases of the audit.
The auditor must document in their work papers the sampling objectives and the sampling process used. The work papers should include the source of the population, the sampling method used, sampling parameters, items selected, details of audit tests performed, and conclusions reached.
Generalized Audit Software (GAS) Custom Audit Software (CAS) Test Data Parallel Simulation Integrated test facility
[edit] Evidence
Through the use of CAATs, the auditor will be able to obtain evidence to support their final conclusions developed on the audit. Audit evidence should be sufficient, reliable, relevant, and useful in order for the auditor to form an opinion and to support their findings and conclusions. If the auditor cannot form an opinion based on the audit evidence obtained, the auditor should then obtain additional audit evidence. Procedures used to gather audit evidence varies depending on the information system being audited. The auditor should select the most appropriate procedure for the audit objective. The following procedures should be considered:
The audit evidence gathered by the auditor should be documented and organized to support the auditors findings and conclusions. Finally, when an auditor believes that sufficient audit evidence cannot be obtained, the auditor should disclose this fact as a scope limitation within the audit report.
Review for Subsequent Events two types of subsequent events require an evaluation by the auditor. They include:
1. Type I events events that provide additional evidence about the conditions that existed at the date of the balance sheet. 2. Type II events events that provide evidence about conditions that did not exist at the date of the balance sheet, but arose after that date. Audit procedures used to review for subsequent events include asking management whether any unusual adjustments to their information systems have been made during the subsequent events period (after the completion of the audit, but before the audit report is issued), or obtaining a representation letter from management.
Final Evidential Evaluation Processes audit steps performed by the auditor in this phase to determine the most appropriate audit report includes obtaining a representation letter, reviewing work papers, final assessment of audit results and obtaining an independent review of the engagement.
Communications with the Audit Committee and Management communications should include significant audit adjustments, the auditors judgments about the quality of the entitys accounting principles, disagreements with management, major issues discussed with management before the auditor was retained, difficulties encountered during the audit, and fraud involving senior management. Also, the auditor should discuss the draft of the audit report with management to give management the chance to correct any weaknesses or deficiencies before they are reported and released to the public. The auditor may decide to do this in the form of a Management Comment Letter. Subsequent Discovery of Facts Existing at the Date of the Auditors Report Auditing standards 561 provides guidance for auditors when facts have come to the auditors attention about the organizations processes that might have affected the report had they known about them.
The auditors conclusion and findings, which are based on documented evidence, must be objective, measurable, complete, and relevant. The findings are disclosed to management in formal statements, typically an audit report. Any recommendations must be provided for each audit finding for the report to be useful to management.
[edit] Reporting
IS Auditing Standard 070 (Reporting) states, The IT auditor should provide a report in an appropriate form, upon the completion of the audit. The report should state the scope, objectives, period of coverage, and the nature, timing, and extent of the audit work performed. The report should state the findings, conclusions, and recommendations and any reservations, qualifications or limitations of scope that IT auditor has with respect to the audit. [edit] Types of Auditors' Opinions There are four type of opinions the auditor may express in his report, depending upon circumstances:
Unqualified Opinion (sometimes conversationally referred to as a "clean" opinion) Qualified Opinion (a clean opinion "except for" the item mentioned in the body of the opinion letter) Disclaimer of Opinion Adverse Opinion
[edit] Resources
1. Auditing & Assurance Services, William F. Messier, Jr., 3rd Edition, page 45
2. Information Technology Control and Audit, Frederick Gallegos, Sandra Senft, et al., 2nd Edition, page 577 3. Auditing & Assurance Services, William F. Messier, Jr., 3rd Edition, page 55 4. Auditing & Assurance Services, William F. Messier, Jr., 3rd Edition, page 60 and Information Technology Control and Audit, Frederick Gallegos, Sandra Senft, et al., 2nd Edition, page 72 5. IS Auditing Standard S5 Planning 04 Risk Assessment 6. IS Auditing Guideline G6 Materiality Concepts for Auditing Information, Paragraph 2.1.2 7. IS Auditing Guideline G6 Materiality Concepts for Auditing Information, Paragraph 2.1.5 8. IS Auditing Guideline G13 Use of Risk Assessment in Audit Planning, Paragraph 2.1.3 9. IS Auditing Guideline G13 Use of Risk Assessment in Audit Planning, Paragraph 2.3.4 & 2.3.5 10. IS Auditing Guideline G13 Use of Risk Assessment in Audit Planning, Paragraph 2.5.3 11. Guest speaker Mike Simpson, May 16, 2005 12. Auditing & Assurance Services, William F. Messier, Jr., 3rd Edition, page 263 13. AU 350.01 14. IS Auditing Guideline G10 Audit Sampling, Paragraph 2.3.1 15. SAS No. 39 16. Auditing & Assurance Services, William F. Messier, Jr., 3rd Edition, page 304 17. IS Auditing Guideline G10 Audit Sampling, Paragraph 2.4.1 18. Auditing & Assurance Services, William F. Messier, Jr., 3rd Edition, page 276 19. IS Auditing Guideline G2 Audit Evidence Requirement, Paragraph 3.2.1 Retrieved from "http://en.wikipedia.org/w/index.php?title=Information_technology_audit_process&oldid=53 1050086" Categories:
Hidden categories:
Articles lacking sources from December 2009 All articles lacking sources Wikipedia introduction cleanup from September 2009 All pages needing cleanup Pages missing lead section Articles covered by WikiProject Wikify from September 2009 All articles covered by WikiProject Wikify Articles to be merged from January 2010 All articles to be merged
Navigation menu
Personal tools
Namespaces
Article Talk
Variants Views
Actions Search
Navigation
Main page Contents Featured content Current events Random article Donate to Wikipedia
Interaction
Toolbox
What links here Related changes Upload file Special pages Permanent link Page information Cite this page
Print/export
Create a book Download as PDF Printable version This page was last modified on 3 January 2013 at 07:22. Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. See Terms of Use for details. Wikipedia is a registered trademark of the Wikimedia Foundation, Inc., a non-profit organization. Contact us Privacy policy About Wikipedia Disclaimers Mobile view