Previous Table of Contents Next


Section 6
Specific Audit Planning

Specific audit planning is divided into two parts: part one occurs before the fieldwork and part two occurs during the fieldwork. This section deals with audit planning that occurs before commencing the fieldwork.

The prefieldwork individual audit planning is usually performed by the auditor-in-charge. In addition, the planning involves sources of information other than what can be readily acquired from the auditee (e.g., the results of previous audits, consultation with corporate management and key staff groups, and industrial and risk analysis). This differentiates prefieldwork audit planning from the planning that occurs through preliminary investigation of the auditee area, although some audit groups combine both types of individual audit planning.

STEP 1: ASSIGN AN AUDITOR-IN-CHARGE

The IT audit manager should assign auditor-in-charge for this specific audit. The auditor-in-charge then begins to plan for the specific audit.

The IT auditor manager must first become familiar with the individual audit application and audit the risk involved. The annual audit usually provides the auditor with the necessary information.

The manager should assign an auditor-in-charge on the basis of the audit risk, audit scope, and application area. The considerations in assigning an auditor-in-charge include:

  Degree of experience needed to address the audit risk
  Familiarity with the application area
  Specific skills the auditor-in-charge must possess
  Availability of personnel for auditor-in-charge assignments

STEP 2: PERFORM APPLICATION FACT-GATHERING

The auditor-in-charge gathers sufficient background data on the audit to help the plan address the major risk and exposure areas. This fact-gathering task includes visiting and obtaining information from all areas except the auditee areas. In addition, if the information processing area is not visited during the audit, it should be visited as part of this step.

The auditor-in-charge must examine as much background material and interview as many knowledgeable staff members as time permits and potential audit risks warrant. Interviewing large groups for short periods of time usually causes concerns to surface and reveals facts that are helpful in identifying problems. Any and all parties involved in the auditee’s business should be interviewed.

The audit department should develop procedures for performing this fact-gathering process. The most logical individuals to interview include:

  The prior year’s auditor-in-charge
  The prior year’s key audit staff
  The following key company officials:
—Comptroller
—Chief information officer
—Administrative vice president
—Operations vice president
—Corporate security officer
—Corporate legal officer
—Corporate officer in charge of the auditee area
—CPAs and the CPA firm audit partner or manager

These interviews need not be extensive in length, but should include the following types of questions.

  What areas of concern do you have about the auditee area?
  Are there any questions that you personally would like answered as a result of conducting an audit in this area?
  Have there been any significant changes in the area under audit that should be examined or might be potential problems?
  Have you heard any discussions, pro or con, from other departments regarding the operations of the auditee area?
  Have you received correspondence or telephone calls from individuals or organizations interacting with the auditee area regarding problems or unsatisfactory service?
  Do you have any documentation or complaint letters that you could give me as a basis to use in conducting the audit?
  What do you personally believe is the greatest risk that the auditee area faces?
  If you were auditor-in-charge of this audit, what is the first thing you would want to investigate?

The following sources are helpful in gathering background information.

  Audit suggestions for improving the audit made by the prior year’s audit team or suggestions made by auditors concerned with related areas of the business.
  Correspondence arriving in customer service groups or problem groups about the auditee area.
  Newspaper, magazine, and industry reports about the business area in which the auditee is involved.


Previous Table of Contents Next