DTETI
2018
Introduction
• Definition
“Examine carefully for accuracy with the intent of verification”
“A methodical examination or review of a condition or situation”
• Why Audit?
• Who?
– System Management
– Organization
– Management
General standards
• The auditor must have adequate technical training and proficiency to perform the audit.
• The auditor must maintain independence in mental attitude in all matters related to the audit.
• The auditor must use due professional care during the performance of the audit and the preparation of the report.
Standards of field work
• Audit work must be adequately planned.
• The auditor must gain a sufficient understanding of the internal control structure.
• The auditor must obtain sufficient, competent evidence.
Standards of reporting
• The auditor must state in the auditor's report whether the financial statements are presented in accordance with generally accepted accounting principles.
• The report must identify those circumstances in which generally accepted accounting principles were not applied.
• The report must identify any items that do not have adequate informative disclosures.
Internal
• Responsibility of Performance
– Company’s own employees
– External to the department being audited
• Audit Purpose
– Employee compliance with policies and procedures
– Development and evaluation of internal controls
External
• Responsibility of Performance
– Those outside the organization
– Accountants working for an independent CPA firm
• Audit Purpose
– Performance of the attest function
– Evaluate the accuracy and fairness of the financial statements relative to
GAAP
Audit Type
Internal audit
• conducted by company personnel reporting to
– top management and/or
– the Audit Committee of the Board of Directors
• external to the corporate department or division being audited
• concerns employee adherence to
– company policies and procedures,
– evaluation of internal controls
• relatively broad in scope, including
– auditing for fraud,
– ensuring that employees are not copying software programs illegally
• provides assurance to a company's top management about
– the efficiency of its organization and
– the effectiveness of its organization
External audit
• independent
• evaluates the risks to
– the integrity of accounting data
• makes recommendations
– to managers
– to improve these controls
• conducted in the context of GAAP
• checks whether the financial statements
– are free of material errors
– do not contain fraudulent misstatements
• includes a variety of assurance services
IT Audit Function
Elements
Scope
1. Physical and Environmental
2. System Administration
3. Application Software
4. Application Development
5. Network Security
6. Business Continuity
7. Data Integrity
Objectives
• Improved data integrity
• Improved system efficiency
Policies, Standards, Guidelines, and Procedures
Organizations typically have four types of documents in place:
– Policy
– Standard
– Guideline
– Procedure
Policy
• Provides emphasis
• Sets direction
• Signed by management authority
Standard
• Specifies a uniform method of support for the policy
• Compliance is mandatory
Guideline
• Suggested actions to consider in the absence of an applicable standard
• Discretionary usage
• Can be used to create a new standard
Procedure
• Step-by-step instructions to perform the desired actions
• Provides support for the standard
• Compliance is mandatory
Diagram on the slide: a change control process to review and revise these documents, with a feedback arrow labelled "Ineffective result?"
IT Governance
• General Controls
– The concept is relatively new
– Ensuring that effective IT management and security principles, policies and
processes, with appropriate compliance measurement tools, are in place
– Requires an active audit committee
• Control Objectives for Information and Related Technology (COBIT) Guideline
– Identifies critical success factors, key goal and performance indicators, and an
IT governance maturity model.
– The IT governance framework begins with setting IT objectives and measures and
comparing performance against them, then continues with:
– Assessing business risks,
– Controlling for business risks, and
– Evaluating the effectiveness of controls
Controls Hierarchy
Diagram (labels recovered from the slide): IT Standards; Entity-Level Controls; Management and Organization; Systems Development Controls; Technical; Middleware; Physical Facility.
Diagram (labels recovered from the slide): Board Audit Committee; Support for Financial Auditors; IT Audit Team Members; Non-IT Audit Team Members; IT Auditors; Specialist.
• Ensure IT governance by assessing risks and monitoring controls over those risks
• Work as either internal or external auditors
• Work on many kinds of audit engagements
• Review and assess enterprise management controls
• Review and perform tests of enterprise internal controls
• Report to management
• Job Tasks
– Designs technology-based audit approaches; analyzes and evaluates
enterprise IT processes
– Works independently or in a team to review enterprise IT controls
– Examines the effectiveness of information security policies and procedures
– Develops and presents training workshops for audit staff
– Conducts and oversees investigations of inappropriate computer use
– Performs special projects and other duties as assigned
Financial vs IT Audit
• IT auditors may work on financial audit engagements
• IT auditors may work on every step of the financial audit engagement
• Standards, such as SAS No. 94, guide the work of IT auditors on financial audit engagements
• IT audit work on financial audit engagements is likely to increase as internal control evaluation becomes more important
Steps of the financial audit engagement (flow diagram on the slide):
1. Develop an understanding and perform preliminary audit work
2. Develop audit plan
3. Evaluate the internal control system
4. Determine degree of reliance on internal controls
5. Perform substantive testing
• Early involvement
• Informal audits
• Knowledge sharing
• Self-assessments
Computers' Role in Internal Controls
• Separation of duties
• Delegation of authority and responsibility
• Competent and trustworthy personnel
• System of authorizations
• Adequate documents and records
• Physical control over asset and records
• Adequate management supervision
• Independent check on performance
• Comparing recorded accountability with assets