

Part II
Developing the IT Audit Plan

The IT audit planning process involves developing a strategic annual audit plan and tactical plans for the individual audits. Both types of planning are discussed here. The overall objectives of IT application audit planning include:

  Determining which audit tasks must be performed
  Determining the priority for performing audit tasks
  Acquiring the necessary staff to perform the audit
  Budgeting the needed resources to perform the audit
  Demonstrating to the independent auditors the scope of internal auditing
  Effectively managing the audit function

OVERVIEW OF COMPUTER APPLICATIONS AUDIT PLANNING STANDARDS AND PROCESSES

The auditing standards issued by all professional audit organizations include audit planning information. The standards that relate to planning define what the planning process should include but do not specify the procedures for meeting planning standards. Because the standards related to planning from all professional audit groups are similar, this section uses the Standards for the Professional Practice of Internal Auditing, as issued by the Institute of Internal Auditors. This approach is supported by the Information Systems Audit and Control Association Standard for Information Systems Auditing number 050.010, which requires the Information Systems auditor to comply with applicable professional auditing standards.

Section 520 of the Institute’s professional standards states that the director of internal auditing should establish plans to carry out the responsibilities of the internal auditing department. Although this standard does not divide planning into annual planning and individual planning, it does indicate that the plans should be consistent with the department’s charter. Most businesses run on an annual cycle; it is therefore consistent with the standard and with the audit charter for a plan to coincide with the organization’s annual plan and for each individual audit to be planned.

Section 520 of the Institute’s standards states that the planning process involves establishing:

  Goals
  Audit work schedules
  Staffing plans and financial budgets
  Activity reports

The goals of the internal auditing department should be capable of being accomplished within specified operating plans and budgets and, to the extent possible, should be measurable. They should be accompanied by measurement criteria and targeted dates of accomplishment.

Audit work schedules should include which activities are to be audited, when they will be audited, and the estimated time required, taking into account the scope of the audit work planned and the nature and extent of audit work performed by others. Matters to be considered in establishing an audit work schedule should include the date and results of the last audit; financial exposure; potential loss and risk; requests by management; major changes in operations, programs, systems, and controls; opportunities to achieve operating benefits; and changes to and capabilities of the audit staff. The work schedules should be sufficiently flexible to cover unanticipated demands on the internal auditing department.

Staffing plans and financial budgets, including the number of auditors and the knowledge, skills, and disciplines required to perform their work, should be determined from audit work schedules, administrative activities, education and training requirements, and audit research and development efforts.

Activity reports should be submitted periodically to management and to the board. These reports should compare performance with the department’s goals and audit work schedules and compare expenditures with financial budgets. They should explain the reasons for major variances and indicate any action taken or needed.

Part II covers all aspects of the planning process except activity reporting. Activity reports are, however, an important part of the planning process and auditors must ensure that these reports are prepared and measured against the plan. Audit management makes adjustments to annual and individual audit plans on the basis of these activity reports.

Annual Audit Planning

The annual audit plan that audit management prepares should include an IT audit plan for computer applications. This part of the planning process can be performed as an independent planning process and then integrated into the audit group’s annual audit plan.

A five-task process is proposed here to meet the internal auditing standards for planning the annual audits of computer applications. This plan begins with guidance from the overall audit planning process and adheres to the following outline:

  Task 1: Identify potential audit areas—Identifies the computer applications subject to audit by creating an inventory of the organization’s automated applications.
  Task 2: Develop a work priority scheme—Pinpoints the applications to be audited and the risks or exposures faced by these applications.
  Task 3: Determine the audit’s scope—Determines the scope of computer applications audits, including the amount of resources required to perform the audit.
  Task 4: Select and schedule audits—Selects and schedules the applications to be audited in the following year on the basis of the population of potential computer applications, the degree of risk within those applications, the amount of resources required for the audit, and the amount of resources available.
  Task 5: Merge audit plans—Integrates the annual audit plan for computer applications into the audit group’s annual audit plan, in some instances introducing changes into one or both plans.

Individual Audit Planning

Planning for individual audits occurs when audit management determines that it is time to begin a specific audit. The individual audit planning is constrained by the components of the annual audit plan. The purpose of the individual audit plan is to prepare for the detailed fieldwork. As such, individual audit planning is a two-part process. The first part, which is covered in this section, deals with the planning that occurs before fieldwork begins. This planning is usually done by audit management or the auditor in charge of the audit. The second part of this process occurs immediately prior to the fieldwork. This planning usually takes place at the auditee location and includes the performance of a preliminary survey and a review of auditee documentation.

