It has always been recommended that audit objectives be written so that they are clearly measurable. The precision involved in a computer application requires that computer audit tests and procedures also be precise and conducive to measurement. It is important to eliminate inconsistencies among the criteria on which the success of the audit will be judged and the risks evaluated. Reconciling these factors and developing measurable audit objectives from them may involve rewriting some of the success criteria or changing the risks to be investigated. Developing measurable audit objectives is the basis of the detailed audit plan.
Audit objectives should be written for each identified risk. A nonmeasurable objective might read "evaluate the adequacy of internal controls in the payroll application." Rewritten in measurable terms, the same objective might be stated "identify any vulnerability in the payroll system that has the probability of resulting in a loss of more than $1000."
A detailed audit plan should not be developed until there is agreement that the measurable objectives will satisfy the success criteria, or that success criteria are changed to be compatible with the defined measurable audit objectives. If, in the opinion of the audit team, differences still remain between the measurable audit objectives and the previously determined success criteria, they should be reconciled with audit management. The IT Auditor must be sure that audit management wants specific objectives; generalized audit objectives (e.g., probe x) should be avoided, and an effort should be made to put difficult objectives into measurable terms.
A detailed audit plan delineating the execution of the audit should be developed for use during fieldwork. The plan is an extension of the individual audit plan developed during the planning process. A properly prepared plan can make the audit more effective by allocating audit resources to the areas that have the highest probability of problems. The planning process often consumes as much as one-third of the total audit effort. In addition, for a small audit, this task could replace the prefieldwork planning.
At this point, the basic components of the IT audit plan have been developed and the activities to be accomplished have been defined. Determining how to accomplish these goals must now be completed. This involves deciding:
In an IT audit, the sequencing of events may assume more importance than in a non-IT audit. Computer programs may have to be written, tested, and operated before a task or objective that uses the information produced by that program can be started. Putting the tasks on a Gantt chart can be a valuable step: it identifies any critical period in the audit when the work cannot be accomplished, it helps identify slack periods as well as critical paths through the audit process, and because the individual time commitments and scheduling are clearly documented, it aids in assigning staff.
The key to good planning is the development of realistic estimates. Organizations new to IT auditing frequently have difficulty in this area; as they become more proficient, their estimates improve. Some of the more sophisticated audit software packages include scheduling systems, and many IT departments have already acquired sophisticated scheduling systems. Because the audit process is similar in nature to the system development process and objectives can be equated with tasks in the development process, these scheduling packages often can, and should, be used for audit purposes. The main advantages of such packages include:
Under certain conditions, these objectives could be difficult to achieve. The shipped but not billed amount, for example, may be too small to detect, or it may be impossible to determine the cause of the shortage. Inventory shortages may be the result of theft or of shipping the wrong product, rather than of shipping a product but not billing for it; the IT auditor must therefore examine all evidence carefully.