
Mgmt implements controls; audit provides assurance they are effective and strong enough.

Authority of the board of directors is delegated to audit through the audit charter.


Audit committee determines what will be audited, but senior management has the ultimate say on what will be audited and can change priorities.
If mgmt disagrees with audit findings, audit explains the risk of the missing controls.
Risk: any event that may negatively affect the accomplishment of business objectives. Definition: The
potential or likelihood that a given threat will exploit vulnerabilities of an asset or group of assets to cause
loss or damage to the assets. The impact or relative severity of the risk is proportional to the business
value of the loss/damage and to the estimated frequency of the threat.
Elements of Risk: threats, vulnerabilities, impact, likelihood
Controls can reduce the risk down to acceptable levels.
Risk assessment:
• Helps auditor identify risks, vulnerabilities and threats.
• Helps auditor evaluate controls.
• Helps auditor determine audit objectives (what the audit is meant to achieve).
• Supports risk-based audit decisions.
Internal Controls:
• Preventive (strongest) – prevents a threat from exploiting a vulnerability
• Detective – detects that a control has failed
• Corrective – corrects the situation and mitigates the risk
• Compensating controls – if another control fails or is not possible, the risk can be mitigated through compensating controls.
Internal control objectives – why do you want to have this control? Are the controls acting as they should?
• Internal Accounting Controls – safeguarding assets and reliability of financial records
• Operational Controls - protecting day to day operations
• Administrative Controls – adherence to mgmt policies

One of the basic purposes of any IS audit is to identify control objectives and the related controls
that address the objective.
Types of Audits:
• Financial – correctness of financial statements
• Operational – evaluates the internal control structure of a given process or area; application controls and logical security systems would be examples
• Integrated – combines financial and operational and looks at the overall objectives of the organization. Process whereby audit disciplines are combined to assess key internal controls over an operation, process or entity.
• Administrative – looks at issues related to the efficiency of operational productivity
• IS – looks at systems to make sure assets are safeguarded properly
• Forensic – fraud investigations
An audit methodology is a set of documented audit procedures designed to achieve planned audit
objectives. Its components are a statement of scope, statement of audit objectives and a statement of
work programs.
Audit Risk
is defined as the risk that the information/financial report may contain a material error that goes undetected during the course of the audit.
Materiality
refers to an error that should be considered significant to any party concerned with the item in question.
Materiality considerations combined with an understanding of audit risk are essential concepts for
planning areas to be audited.
Compliance Testing:
A compliance test determines if controls are being applied in a manner that complies with management policies and procedures. Usually a review of the presence or absence of something to confirm it is compliant with policy: are appropriate authorizations in place, is the log recording what it should, are passwords compliant with policy, etc.
Substantive Testing:
substantiates the integrity of actual processing – provides evidence of the validity and integrity of the balances in financial statements and the transactions that support those balances. Can include a count of physical items, etc.
If the results of compliance testing reveal the presence of adequate internal controls, the confidence coefficient can be lowered and the auditor can minimize the amount of substantive testing required.

Sampling
Two general approaches to sampling:
• Statistical – objective method of determining sample size and selection criteria. Uses the mathematical laws of probability to calculate sample size, select sample items and evaluate sample results.
• Nonstatistical – subjective, also known as judgment sampling. Uses auditor judgment to determine the method of sampling.
Two primary methods of sampling used by auditors:
• Attribute sampling – used for compliance testing. Deals with the presence or absence of an attribute and provides conclusions expressed in rates of incidence. How many of the passwords in this file comply with policy? Do proper authorizations exist? E.g., 70% of your passwords are compliant with policy.
• Variable sampling – used for substantive testing. Deals with population characteristics like monetary values and weights. Integrity of the data – is the data correct?
Attribute sampling – looking for a % of occurrence - used to estimate the rate (percent) of occurrence of a
specific quality (attribute) in a given population.
• Stop-or-go sampling – prevents excessive sampling of an attribute by allowing the test to stop at any time
• Discovery sampling – used when the expected occurrence rate is low.
Variable Sampling:
Uses different types of quantitative (mathematical) sampling models.
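The compliance test and attribute sampling described above, as an added Python example that is not part of these notes: the password policy values, the account records and the simplified stop-or-go / discovery stopping rules are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Hypothetical password policy (an assumption for this example, not from the notes).
MIN_LENGTH, MAX_AGE_DAYS = 12, 90
RELY = "controls adequate: confidence coefficient can be lowered, less substantive testing"
NO_RELY = "exceptions exceed tolerable rate: cannot rely on control, extend substantive testing"

@dataclass(frozen=True)
class Account:
    user: str
    pw_length: int
    pw_age_days: int

def complies(acct: Account) -> bool:
    """The attribute under test is simply present or absent; amounts are not involved."""
    return acct.pw_length >= MIN_LENGTH and acct.pw_age_days <= MAX_AGE_DAYS

# Constructed records (not real data); four of the ten fail the policy.
POPULATION = [
    Account("alice", 16, 30), Account("bob", 8, 20),     # bob: too short
    Account("carol", 14, 120), Account("dave", 12, 90),  # carol: too old; dave on the boundary, compliant
    Account("erin", 20, 10), Account("frank", 11, 5),    # frank: too short
    Account("grace", 13, 45), Account("heidi", 15, 60),
    Account("ivan", 18, 91), Account("judy", 12, 1),     # ivan: too old
]

def compliance_rate(records):
    """Attribute sampling result: rate of incidence, plus the exceptions to report."""
    exceptions = [r for r in records if not complies(r)]
    return (len(records) - len(exceptions)) / len(records), exceptions

def stop_or_go(records, step, items_needed, tolerable_exceptions):
    """Simplified stop-or-go rule (an illustration, not a textbook sampling table): examine
    the already randomly ordered records a block at a time; stop as soon as exceptions exceed
    the tolerable number, or once enough items have been seen to rely on the control."""
    examined = exceptions = 0
    for start in range(0, len(records), step):
        block = records[start:start + step]
        examined += len(block)
        exceptions += sum(1 for r in block if not complies(r))
        if exceptions > tolerable_exceptions:
            return examined, exceptions, NO_RELY
        if examined >= items_needed:
            return examined, exceptions, RELY
    return examined, exceptions, "population exhausted before a conclusion was reached"

def discovery_sample(records):
    """Discovery sampling: expected occurrence rate is low, so one exception ends the test."""
    return stop_or_go(records, 1, len(records), 0)
```

Each function returns a tuple (items examined, exceptions found, conclusion), so the stopping point is visible alongside the verdict.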

Computer-assisted audit techniques (CAAT)

Used to gather information and collect evidence during an audit. Can be used in continuous audit situations.
• Generalized audit software: can read and directly access data from databases and perform a range of tests on the data collected. Facilitates sampling.
• Utility software – provides evidence about system control effectiveness
• Test data
• Debugging and scanning software
• Application tracing and mapping
• Expert systems
Continuous audits – usually done in parallel with normal operations, captures internal control problems
as they occur. Used in critical, complex systems that can’t be shut down.
CSA (control self-assessment) – the auditor acts as facilitator; provides early detection of risk; line managers are involved, which helps educate and motivate people. Helps focus on areas of high risk.
