

The audit manual must be revised periodically to remain consistent with changes in the company, its business, and its technology. The Board should at least review, if not approve, any change that threatens to compromise the audit department's ability to satisfy its chartered responsibilities.

MANAGING THE INDIVIDUAL IT AUDIT

The IT auditor must either know, or else learn, how to manage all of the work involved in performing a specific IT review, from high-level planning through the planning and performance of the procedures required for that review. The strategic and tactical audit planning process will be covered in detail later in the book, but a summary of the key issues follows.

Scope and Frequency of Audit Coverage

The Audit Department must perform audits with a scope and frequency sufficient to meet the objectives and responsibilities set forth in the Audit Charter and strategic plans. The scope of any specific IT audit will include one or more of the following.

  Control reviews, covering general controls, application controls, microcomputer controls, or other technical areas applicable to the company
  Compliance reviews, covering qualitative or quantitative evaluation of performance against internal and/or external policies, standards, or laws
  Operational reviews, covering effectiveness and efficiency issues that are not directly related to control issues. The IT auditor should note that control and operational issues are often difficult to separate; the auditor should keep the difference in mind and avoid presenting a purely operational issue with the weight that a control issue deserves when it is put forward for consideration and possible action.

The IT auditor should establish audit frequencies after conducting a risk assessment of the company’s possible IT audit areas. Risk assessment considerations include:

  The nature of the specific operation and related assets and liabilities
  The existence of appropriate policies, standards, and procedures
  The effectiveness of supervision
  The potential impact of errors or irregularities
  The results of past reviews

All relevant IT audit areas should be reviewed periodically, even if only once every three years. There is always some chance that the risk assessment is flawed, that the assumptions or information supporting the last risk assessment are no longer valid, or that some other condition caused a review to be deferred when there was in fact a problem to be addressed. The Board, or its audit committee, should approve the annual audit schedule. The audit director should also inform them of significant deviations from that schedule. If these changes will cause part of the approved schedule not to be completed, the audit director should revise the schedule and obtain the audit committee's approval.

Planning the Audit. The audit department, and the IT audit function within it, benefits from effective planning just like every other part of the company. Effective planning should produce consistent high-quality results, which the IT auditor should view as an absolute necessity. The planning function should include:

  Setting specific objectives
  Gathering background information and evaluating that information
  Formulating the detail audit program
  Preparing a time and expense budget for the audit
  Arranging for the appropriate staff resources
  Providing a mechanism for any needed revisions

Performing the Audit. The IT auditor responsible for a specific IT audit may carry out the work in one of three ways, or through a combination of the three in more complex situations. First, the IT auditor may perform all procedures personally if the total effort is limited or if no one else has the technical expertise to help complete the work effectively. Second, the IT auditor may supervise less-experienced IT or financial auditors as they perform the detail audit program steps. Third, the IT auditor may coordinate the efforts of fellow IT auditors or outside consultants who have the experience to perform the audit program steps.

In any case, the IT auditor’s responsibility is likely to include most, if not all, of the following.

  Deciding when audit findings warrant additional procedures
  Reviewing the workpapers and deciding when the detail procedures are sufficient to support an opinion
  Meeting with the auditee to discuss audit findings and the items to be included in the audit report
  Preparing and finalizing the audit report, which should include having the IT audit director or audit director review the work, conclusions, and draft report, and distributing the report after it has been signed
  Planning for a follow-up of progress against planned actions in six months or other appropriate interval

IT AUDIT PROCEDURES

IT audit procedures should only vary based on the technical environment and the specific audit scope. The audit procedures should never vary based on the skills of the internal IT audit staff. If the risk assessment identifies an IT audit that no one on the staff has the skill or experience to perform, audit department management is obligated to develop or contract those skills and complete the audit. The audit program steps may include manual procedures, computer-assisted procedures, or fully automated procedures. In most cases, a combination of these techniques is used.

Manual Procedures

The IT auditor uses manual procedures when they are more effective than the alternatives, or when they cannot be partially or fully automated. Note that a procedure that cannot be automated today may be fully automated tomorrow, given new technology. Examples of these procedures include:

  Selecting one or more physical documents, such as vendor invoices, and comparing the information on them, field by field, with the data stored in the system, following the documents through to their posting in the ledger (when possible)
  Visiting one or more vendor addresses to establish at least the existence, if not the legitimacy, of the source of the physical documents from the first example
  Reviewing internal documents for evidence of approval by authorized persons

There are hundreds of other examples that every auditor is probably familiar with, thus no other examples of manual procedures will be discussed.

Computer-Assisted Procedures

The IT auditor uses computer-assisted procedures, also known as Computer Assisted Audit Techniques (CAATs), because they permit the auditor to switch from procedures based on limited, random, or statistical samples of records in a file to procedures that include every record in a file.

The IT auditor may choose to use an audit software package that is designed to support CAATs, or to develop his or her own programs using desktop database or spreadsheet software. In either case, the IT auditor would either request read-only access to the appropriate file or files, or ask to have them extracted in ASCII or EBCDIC format. Whichever route is taken, the auditor should establish that the extract is complete before relying on any record-level test of it, which is why the first of the following procedures reconciles the file to independent records. The examples are set in the context of an IT auditor who has received a file of cash disbursement information for testing.

  Total disbursements are computed for the file and compared to ledger and bank records.
  Every record is checked for disbursement amounts equal to or less than zero.
  Every record is checked to see that all required fields contain values.
  For fields that should meet conditions such as numeric values between 10000 and 99999, a check is done for any records with values outside that range.
  The check number field is tested for missing or duplicated values.
  Key items are selected for individual confirmation.

In most cases, CAATs are used to evaluate the data directly, while testing processing indirectly through the data evaluation procedures. It is possible to simulate application processing with a CAAT, but this is still an indirect way of evaluating the actual processing done by an automated application.
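A worked version of the disbursement-file tests listed above, as an added example that is not part of the original text: a small CAAT written in Python using only the standard library, in place of a commercial audit software package. The file contents, field names, the vendor-number range 10000 to 99999, the ledger control total, and the confirmation threshold are all constructed for illustration, and the selection rule for key items (amount at or above a threshold) is an assumption; a real engagement would use whatever rule the audit program specifies. The functions apply to any extract the auditor can get into CSV form.

```python
import csv
import io
from collections import Counter
from decimal import Decimal, InvalidOperation

# Constructed sample extract (not real data): a cash disbursements file as an
# auditor might receive it in ASCII/CSV form. It deliberately contains a zero
# and a negative amount, a blank vendor number, a duplicated check number
# (which also leaves 10005 missing), an out-of-range vendor number, and one
# very large item.
DISBURSEMENTS_CSV = """check_no,vendor_id,vendor_name,amount,date
10001,40213,Acme Supply,1250.00,2023-03-01
10002,40217,Beta Services,0.00,2023-03-01
10003,40550,Gamma Freight,-75.50,2023-03-02
10004,,Delta Tools,310.25,2023-03-02
10004,40700,Epsilon Parts,310.25,2023-03-02
10006,9999,Zeta Consulting,98000.00,2023-03-03
10007,40888,Eta Printing,42.10,2023-03-03
"""

REQUIRED_FIELDS = ("check_no", "vendor_id", "vendor_name", "amount", "date")


def load_records(text):
    """Parse the extract into a list of dicts, converting amounts to Decimal.
    Decimal rather than float is used so that totals reconcile to the cent."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            row["amount"] = Decimal(row["amount"])
        except (InvalidOperation, TypeError):
            row["amount"] = None  # blank or non-numeric; caught by missing_required()
        records.append(row)
    return records


def reconcile_total(records, ledger_total):
    """Completeness test: returns (record_count, file_total, file_total - ledger_total).
    A non-zero difference means the extract is incomplete or the ledger/bank
    figure is wrong, and must be explained before the record-level tests
    below are relied upon."""
    file_total = sum((r["amount"] for r in records if r["amount"] is not None),
                     Decimal("0.00"))
    return len(records), file_total, file_total - Decimal(ledger_total)


def nonpositive_amounts(records):
    """Check numbers of records whose amount is zero or negative."""
    return [r["check_no"] for r in records
            if r["amount"] is not None and r["amount"] <= 0]


def missing_required(records, required=REQUIRED_FIELDS):
    """Check numbers of records with any required field empty."""
    return [r["check_no"] for r in records
            if any(r.get(f) in (None, "") for f in required)]


def out_of_range(records, field, low, high):
    """Check numbers of records whose integer field lies outside low..high
    (e.g. vendor numbers that should be between 10000 and 99999)."""
    hits = []
    for r in records:
        try:
            value = int(r[field])
        except (ValueError, TypeError):
            continue  # blank or non-numeric: reported by missing_required() instead
        if not low <= value <= high:
            hits.append(r["check_no"])
    return hits


def check_number_gaps_and_duplicates(records):
    """Sequence test on the check number field: returns (missing, duplicated)
    as sorted lists of integers."""
    numbers = [int(r["check_no"]) for r in records if r["check_no"]]
    counts = Counter(numbers)
    duplicated = sorted(n for n, c in counts.items() if c > 1)
    missing = sorted(set(range(min(numbers), max(numbers) + 1)) - set(numbers))
    return missing, duplicated


def key_items(records, threshold):
    """Items selected for individual confirmation with the payee or bank. The
    selection rule (amount at or above a threshold) is an assumption here."""
    return [r["check_no"] for r in records
            if r["amount"] is not None and r["amount"] >= Decimal(threshold)]


if __name__ == "__main__":
    recs = load_records(DISBURSEMENTS_CSV)
    print("count, total, difference:", reconcile_total(recs, "99912.60"))
    print("non-positive amounts:", nonpositive_amounts(recs))
    print("missing required fields:", missing_required(recs))
    print("vendor_id out of range:", out_of_range(recs, "vendor_id", 10000, 99999))
    print("check numbers missing/duplicated:", check_number_gaps_and_duplicates(recs))
    print("key items to confirm:", key_items(recs, "1000.00"))
```

Each function returns check numbers rather than printing, so the exceptions can be written straight into the workpapers or fed to the next test. The reconciliation runs first for the reason the text gives: every later test covers every record in the file, which is only meaningful if the file is the whole population.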

