http://en.wikipedia.org/wiki/Information_technology_audit_process
Contents
1 Generally Accepted Auditing Standards (GAAS) 2 Information Technology Audit Process Overview 3 Phases of an IT Audit 3.1 Establish the Terms of the Engagement 3.2 Preliminary Review 3.3 Establish Materiality and Assess Risks 3.4 Plan the Audit 3.5 Consider Internal Control 3.6 Perform Audit Procedures 3.7 Issue the Audit Report 4 Planning the Audit 4.1 Materiality 4.2 Risk Assessment 4.2.1 Documentation of Risk Assessment 4.3 The Audit Plan 4.4 Planning Memo 5 Evaluation of Internal Controls 5.1 General Controls 5.2 Application Controls 5.3 Tests of Controls 6 Audit Procedures 6.1 Audit Sampling 6.1.1 Selecting the Sample 6.1.2 Evaluation and Documentation of Samples 6.2 Computer Assisted Auditing Techniques (CAATs) 6.3 Evidence 7 Completing the Audit 7.1 Reporting 7.1.1 Types of Reports 7.2 Audit Documentation 8 Resources
10/9/2011 3:49 PM
http://en.wikipedia.org/wiki/Information_technology_audit_process
In 1947, the American Institute of Certified Public Accountants (AICPA) adopted GAAS to establish standards for audits. The standards cover the following three categories: General Standards relates to professional and technical competence, independence, and professional due care. Field Work Standards relates to the planning of an audit, evaluation of internal control, and obtaining sufficient evidential matter upon which an opinion is based. Reporting Standards relates to the compliance of all auditing standards and adequacy of disclosure of opinion in the audit reports. If an opinion cannot be reached, the auditor is required to explicitly state their assertions.
Phases of an IT Audit
The audit process can be broken down into the following audit phases:
2 of 10
10/9/2011 3:49 PM
http://en.wikipedia.org/wiki/Information_technology_audit_process
Preliminary Review
This phase of the audit allows the auditor to gather organizational information as a basis for creating their audit plan. The preliminary review will identify an organizations strategy and responsibilities for managing and controlling computer applications. An auditor can provide an in depth overview of an organizations accounting system to establish which applications are financially significant at this phase. Obtaining general data about the company, identifying financial application areas, and preparing an audit plan can achieve this.
3 of 10
10/9/2011 3:49 PM
http://en.wikipedia.org/wiki/Information_technology_audit_process
While planning the audit, the auditor decides what level of audit risk (the risk of reaching an incorrect conclusion based on the audit findings) he or she is willing to accept. The more effective and extensive the audit work is, the less the risk that a weakness will go undetected and the auditor will issue an inappropriate report. Audit risk is dependent on the auditors assessed levels of inherent risk (the susceptibility of an audit area to error which could be material, assuming there are no related internal controls), control risk (the risk a material weakness will not be prevented or detected by internal controls), and detection risk (the risk substantive tests will not detect an error which could be material). These risks are determined when the auditor performs a risk assessment of the organization. Additionally, in order to evaluate whether an IT audit has been successful, the auditor must first identify the intended scope and objectives of the audit to test managements assertions on their information systems. To meet the audit objectives, and to ensure that audit resources will be used efficiently, the auditor will need to establish levels of materiality. The auditor should consider both qualitative and quantitative aspects in determining materiality. An assessment of risk should be made to provide reasonable assurance that all material items will be adequately covered during the audit work. This assessment should identify areas with relatively high risk of existence of material problems.
Materiality
In assessing materiality, the IT auditor should consider: The aggregate level of error acceptable to management, the IT auditor, and appropriate regulatory agencies. The potential for the cumulative effect of small errors or weaknesses to become material. While establishing materiality, the auditor may audit non-financial items such as physical access controls, logical access controls, and systems for personnel management, manufacturing control, design, quality control, and password generation. While planning the audit work to meet the audit objectives, the auditor should identify relevant control objectives and determine, based on materiality, which controls should be examined. Internal control objectives are placed by management and identifies what the management strives to achieve through their internal controls. Where financial transactions are not processed, the following identifies some measures the auditor should consider when assessing materiality: Criticality of the business processes supported by the system or operation. Cost of the system or operation (hardware, software, third-party services) Potential cost of errors. Number of accesses/transactions/inquiries processed per period. Penalties for failure to comply with legal and contractual requirements.
Risk Assessment
A risk is any event or action, generated internally or externally, which prevents an organization from achieving its goals and/or objectives. Risks affect control objectives in the areas of data integrity and accuracy, timeliness of the information for decision making, ability to access the system, and confidentiality/privacy of information, to name a few. Risk assessment allows the auditor to determine the scope of the audit and assess the level of audit risk and error risk (the risk of errors occurring in the area being audited). Additionally, risk assessment
4 of 10
10/9/2011 3:49 PM
http://en.wikipedia.org/wiki/Information_technology_audit_process
will aid in planning decisions such as: The nature, extent, and timing of audit procedures. The areas or business functions to be audited. The amount of time and resources to be allocated to an audit. Documentation of Risk Assessment Once the assessed level of risk has been determined, the auditor should document the following in their work papers: A description of the risk assessment technique used. The identification of significant risks. The risks the audit is going to address. The audit evidence used to support the IS auditors assessment of risk.
Planning Memo
A planning memo outlines for the auditee the tone and course of action the IT audit manager plans to take. The memo outlines for the auditee the areas within the audit the auditor is planning to spend most of their time, and it gives the auditee the opportunity to voice any concerns.
5 of 10
10/9/2011 3:49 PM
http://en.wikipedia.org/wiki/Information_technology_audit_process
intended to stop an error from occurring), detective controls (controls intended to detect if an error has occurred), and mitigating controls (control activities that can mitigate the risks associated with a key control not operating effectively). 4. Information and Communication Ensures the organization obtains pertinent information, and then communicates it throughout the organization. 5. Monitoring Reviewing the output generated by control activities and conducting special evaluations. In addition to understanding the organizations control components, the auditor must also evaluate the organizations General and Application controls. there are three audit risk componenets which are control risk, detection risk and inherent risk.
General Controls
General controls relate to the overall information-processing environment and has a large effect on the organizations computer operations. Types of general controls include: Organizational Controls includes segregation of duties controls. Data Center and Network Operations Controls ensures the proper entry of data into an application system and proper oversight of error correction. Hardware & Software Acquisition and Maintenance Controls includes controls to compare data for accuracy when it is input twice by two separate components. Access Security Controls ensures the physical protection of computer equipment, software, and data, and is concerned with the loss of assets and information through theft or unauthorized use. Application System Acquisition, Development, and Maintenance Controls ensures the reliability of information processing. Managerial controls- To ensure that there is no unauthorised access to IT assets.
Application Controls
Application controls apply to the processing of individual accounting applications and help ensure the completeness and accuracy of transaction processing, authorization, and validity. Types of application controls include: Data Capture Controls ensures that all transactions are recorded in the application system, transactions are recorded only once, and rejected transactions are identified, controlled, corrected, and reentered into the system. Data Validation Controls ensures that all transactions are properly valued. Processing Controls ensures the proper processing of transactions. Output Controls ensures that computer output is not distributed or displayed to unauthorized users. Error Controls ensures that errors are corrected and resubmitted to the application system at the correct point in processing. Application controls may be compromised by the following application risks: Weak security Unauthorized access to data and unauthorized remote access Inaccurate information and erroneous or falsified data input Misuse by authorized end users Incomplete processing and/or duplicate transactions
6 of 10
10/9/2011 3:49 PM
http://en.wikipedia.org/wiki/Information_technology_audit_process
Tests of Controls
Tests of controls are audit procedures performed to evaluate the effectiveness of either the design or the operation of an internal control. Tests of controls directed toward the design of the control focuses on evaluating whether the control is suitably designed to prevent material weaknesses. Tests of controls directed toward the operation of the control focuses on assessing how the control was applied, the consistency with which it was applied, and who applied it. In addition to inquiring with appropriate personnel and observation of the application of the control, an IT auditors main focus when testing the controls is to do a re-performance of the application of the control themselves.
Audit Procedures
Audit Sampling
Audit sampling is the application of an audit procedure to less than 100% of the population to enable the IT auditor to evaluate audit evidence within a class of transactions for the purpose of forming a conclusion concerning the population. When designing the size and structure of an audit sample, the IT auditor should consider the audit objectives determined when planning the audit, the nature of the population, and the sampling and selection methods. Selecting the Sample The auditor should select the sample items in such a way that they are representative of the population. The most commonly used sampling selection methods are: Statistical Sampling Methods Random Sampling ensures that all combinations of sampling units in the population have an equal chance of selection. Systematic Sampling involves selecting sampling units using a fixed interval between selections with the first interval having a random start. Non-Statistical Sampling Methods Haphazard Sampling the auditor selects the sample without following a structured technique. Judgmental Sampling the auditor places a bias on the sample. For example, selecting only sampling units over a certain value. The selection of the sample size is affected by the level of sampling risk that the IT auditor is willing to accept. Sampling risk is the risk the auditors conclusion may be different from the conclusion that would be reached if the entire population were subjected to the same audit procedure. The two types of sampling risk are: 1. The Risk of Incorrect Acceptance the risk that a material misstatement is assessed as unlikely, when in fact the population is materially misstated. 2. The Risk of Incorrect Rejection the risk that a material misstatement is assessed as likely, when in fact the population is not materially misstated.
7 of 10
10/9/2011 3:49 PM
http://en.wikipedia.org/wiki/Information_technology_audit_process
Once the sample items have been selected to be tested, the auditor can begin audit tests using Computer Assisted Auditing Techniques (CAATs), which will be discussed shortly. Evaluation and Documentation of Samples The performance and evaluation of a sample must address the following issues: The effect of not being able to apply a planned procedure to a sample item. A projection of the sample results to the population being tested, then comparing those results with the planned amounts. Appropriate consideration to the assessed level of sampling risk must be performed. SAS 39 requires the auditor to adequately consider qualitative aspects of misstatements, such as the nature and cause of the misstatement and the possible relationship of the misstatements to other phases of the audit. The auditor must document in their work papers the sampling objectives and the sampling process used. The work papers should include the source of the population, the sampling method used, sampling parameters, items selected, details of audit tests performed, and conclusions reached.
Evidence
Through the use of CAATs, the auditor will be able to obtain evidence to support their final conclusions developed on the audit. Audit evidence should be sufficient, reliable, relevant, and useful in order for the auditor to form an opinion and to support their findings and conclusions. If the auditor cannot form an opinion based on the audit evidence obtained, the auditor should then obtain additional audit evidence. Procedures used to gather audit evidence varies depending on the information system being audited. The auditor should select the most appropriate procedure for the audit objective. The following procedures should be considered: Inquiry and/or Observation Inspection Reperformance Monitoring The audit evidence gathered by the auditor should be documented and organized to support the auditors
8 of 10
10/9/2011 3:49 PM
http://en.wikipedia.org/wiki/Information_technology_audit_process
findings and conclusions. Finally, when an auditor believes that sufficient audit evidence cannot be obtained, the auditor should disclose this fact as a scope limitation within the audit report.
Reporting
IS Auditing Standard 070 (Reporting) states, The IT auditor should provide a report in an appropriate form, upon the completion of the audit. The report should state the scope, objectives, period of coverage, and the nature, timing, and extent of the audit work performed. The report should state the findings, conclusions, and recommendations and any reservations, qualifications or limitations of scope that IT auditor has with respect to the audit. Types of Reports
9 of 10
10/9/2011 3:49 PM
http://en.wikipedia.org/wiki/Information_technology_audit_process
Unqualified Audit Report Unqualified Audit Report with Explanation Qualified Report Qualified Report with Disclaimer Qualified Report with an Adverse Opinion
Audit Documentation
Working papers (audit documentation) is the formal collection of auditors notes, documents, flowcharts, correspondence, results of observations, plans and results of tests, the audit plan, minutes of meetings, computerized records, data files or application results
Resources
1. Auditing & Assurance Services, William F. Messier, Jr., 3rd Edition, page 45 2. Information Technology Control and Audit, Frederick Gallegos, Sandra Senft, et al., 2nd Edition, page 577 3. Auditing & Assurance Services, William F. Messier, Jr., 3rd Edition, page 55 4. Auditing & Assurance Services, William F. Messier, Jr., 3rd Edition, page 60 and Information Technology Control and Audit, Frederick Gallegos, Sandra Senft, et al., 2nd Edition, page 72 5. IS Auditing Standard S5 Planning 04 Risk Assessment 6. IS Auditing Guideline G6 Materiality Concepts for Auditing Information, Paragraph 2.1.2 7. IS Auditing Guideline G6 Materiality Concepts for Auditing Information, Paragraph 2.1.5 8. IS Auditing Guideline G13 Use of Risk Assessment in Audit Planning, Paragraph 2.1.3 9. IS Auditing Guideline G13 Use of Risk Assessment in Audit Planning, Paragraph 2.3.4 & 2.3.5 10. IS Auditing Guideline G13 Use of Risk Assessment in Audit Planning, Paragraph 2.5.3 11. Guest speaker Mike Simpson, May 16, 2005 12. Auditing & Assurance Services, William F. Messier, Jr., 3rd Edition, page 263 13. AU 350.01 14. IS Auditing Guideline G10 Audit Sampling, Paragraph 2.3.1 15. SAS No. 39 16. Auditing & Assurance Services, William F. Messier, Jr., 3rd Edition, page 304 17. IS Auditing Guideline G10 Audit Sampling, Paragraph 2.4.1 18. Auditing & Assurance Services, William F. Messier, Jr., 3rd Edition, page 276 19. IS Auditing Guideline G2 Audit Evidence Requirement, Paragraph 3.2.1 Retrieved from "http://en.wikipedia.org/w/index.php?title=Information_technology_audit_process& oldid=427955504" Categories: Information technology audit
This page was last modified on 7 May 2011 at 18:53. Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. See Terms of use for details. Wikipedia is a registered trademark of the Wikimedia Foundation, Inc., a non-profit organization.
10 of 10
10/9/2011 3:49 PM