Part V
Assessing Implemented Systems

The IT Audit Professional is likely to find the most significant challenges when assessing automated application systems that are fully implemented when the audit is done. The sections included in Part V are designed to support effectively performing these reviews.

Section 21, “Initial Review Procedures,” focuses on the IT auditor’s understanding of the application’s design and its control procedures.

Section 22, “Audit Evidence,” focuses on the types of data and information the IT auditor will need to fully substantiate their conclusions and recommendations.

Section 23, “Identify Application Risks,” details several alternative approaches the IT auditor can employ to determine where the most important potential review work lies.

Section 24, “Develop a Detailed Plan,” presents both the components and a detailed process for developing plans that will ensure that the work performed meets the intended objectives.

Section 25, “Evaluate Internal Controls,” is designed for the IT auditor to determine whether the controls in a particular application are adequate to reduce the potential risks to an acceptable level.

Section 26, “Test Data Integrity,” takes the IT auditor through a range of techniques he or she might employ to determine whether the data within an application has integrity. This is one of the most crucial areas for the auditor, because the conclusion reached depends on it.

Section 27, “Certify Computer Security,” describes an optional step in an IT audit. It should be performed when security is important to the successful operation of the automated application system.

Section 28, “Analyze Audit Results,” takes the IT auditor through a step-by-step process to analyze and use the information produced by the data tests.

Section 29, “Review and Report Findings,” describes how the IT auditor develops the audit report, distributes it, and follows up on the recommendations. Good ideas are of little value unless they are accepted and implemented, and the value of the audit is frequently rated on acceptance of the audit report by both auditee and senior management.

Section 30, “Review Quality Control,” defines a process for performing a self-assessment of the audit and the audit process followed while the audit was performed.

Section 31, “Workflow Diagramming,” is intended to be a primer for IT auditors to be able to either review existing diagrams or develop their own.

Section 21
Initial Review Procedures

IT auditors should begin application reviews after the audit preplanning is concluded, but before the final audit plan is completed. The initial application review procedures focus on auditors gaining or confirming an understanding of the application’s design and its control procedures.

INITIAL REVIEW PROCEDURES

The initial review procedures include reviewing permanent and carryforward workpapers, holding a planning meeting with selected users, reviewing existing documentation, and developing additional documentation, most often workflow diagrams.

REVIEW EXISTING AUDIT FILES

The IT auditor should review prior audit workpapers to identify one or more of the following items:

  Prior audit reports covering the same or related business areas
  Relevant permanent folder items
  Carryforward workpapers covering the specific application or applications under review
  Detailed workpapers from a prior review of the same or a similar area

Prior Audit Reports. The IT auditor should locate any prior audit reports that could be related to the current area under review. From those past audit reports, the IT auditor should identify any significant issues along with management responses and, at least, the original disposition of any final audit recommendations. He or she should also determine whether the status of those recommendations agreed to by management was ever reported to the Internal Audit Department. If a status report is not available for that prior audit, the IT auditor should request one and place it in the current audit workpapers.

Permanent Files. IT auditors should review permanent audit files for the current area under review. They may find items in the permanent file that can further their understanding of the current area being audited. They may also find that permanent file items need to be updated, or that a permanent file is incomplete and should be updated during the current review.

Carryforward Files. The carryforward files for an audit location may or may not include documentation related to the current review. If they do, that information should be duplicated. The copies are placed in the prior files and marked to indicate that the originals were carried forward, updated, and included in the current workpapers.

Prior Detailed Workpapers. IT auditors should have copies made of any detailed workpaper that might be directly relevant or useful for reference purposes. This retains the integrity of the prior workpapers, while making the information available for the current procedures. If no other use exists, this information may represent a baseline for evaluating test procedures later in the review.

THE PLANNING MEETING

IT auditors should initiate a planning meeting to explain the audit objectives, inform the internal customers of all appropriate information, and solicit their assistance in conducting the audit. The planning meeting also provides the auditee with the opportunity to express concerns or ask questions about the audit. The IT auditor may also choose to make at least initial inquiries about the status of prior audit recommendations.

IT auditors should attempt to ensure that the planning meeting memorandum is complete and accurate. All IT auditors in the meeting should read the memorandum and offer comments as needed. If any disagreement arises during the meeting or if the audit team cannot agree on a common conclusion or action, the auditor in charge should either make a decision or request further clarification from the auditee. The IT auditor should update the memorandum for all final changes or additions made.

Critical Success Factors. IT auditors should emphasize the following objectives for successful planning meetings.

  Invite all appropriate personnel to the planning meeting.
  Prepare as completely as is reasonable for the meeting.
  Give the auditees every reason to support the review.
  Follow through on any commitments made or issues arising during the planning meeting.
