

The planning that occurs prior to visiting the auditee site is a six-task process. A description of the tasks follows:

  Task 1: Assigning an auditor-in-charge—Selects the individual who is to run the fieldwork, which may be the same individual who performs the remaining five planning tasks.
  Task 2: Performing application fact-gathering—Involves gathering background information about the application to be audited before visiting the auditee work areas.
  Task 3: Analyzing application audit risk—Uses the risk analysis performed in the annual audit planning as a base and then extends the analysis of risk to materials gathered through fact-gathering and risk investigation.
  Task 4: Developing and ranking measurable audit objectives—Develops specific measurable audit objectives and ranks those objectives in order of importance.
  Task 5: Developing an administrative plan to accomplish objectives— Determines the amount of resources, skill levels, and special needs required to perform each of the measurable audit objectives developed in task 4.
  Task 6: Writing audit assignment—Develops the audit assignment that is the basis for performing the fieldwork. Part III of this book describes how to conduct the fieldwork, which is based on the audit assignment developed in this individual audit planning step.

Updating Annual and Individual Audit Plans

The creation of these plans occurs at a single point in time; however, the plans should be continually updated on the basis of changing information. Audit management updates the annual plan, and the auditor-in-charge updates the individual audit plan.

The events that can cause an audit plan to be changed include:

  Change in the business or operating environment (e.g., the addition of a new line of business, significant changes in the volume of business, or perceived problems in a specific line of business)
  Change in allocation of work between the independent auditors and the internal auditors
  Change in the size or skill of the internal audit staff
  Change in scope of audits based on individual audit planning or findings during the audit fieldwork
  Audit judgment or experience indicating that the business risks and exposures have changed and thus the type or scope of audits should change.

Whenever one of these events causes changes to occur, the plan should be updated. The plan is the document that audit management and the auditor-in-charge use to track the completion of the audit effort. If the plan is not updated as activities change, audit management has lost the tool it needs to perform its function.

Section 4
IT Audit Planning

IT audit planning should address strategic and tactical considerations. This planning should ultimately satisfy the following objectives:

  Identifying the general controls reviews, application reviews, and other specialized reviews that could be performed to better understand the potential risks
  Evaluating and prioritizing the reviews from the prior objective
  Arranging the human and other resources needed to perform the selected reviews
  Monitoring progress against the approved plan
  Responding to unplanned projects and deviations from the plan

OVERVIEW OF STANDARDS FOR IT AUDIT PLANNING

The standards issued by professional audit organizations address audit planning. These standards normally define the basic planning requirements without prescribing the process to follow. This section uses the Standards for the Professional Practice of IT Auditing, as issued by the Information Systems Audit and Control Association (ISACA). The ISACA standards are extended by Standard 050.010, which requires the IT auditor to comply with all applicable professional auditing standards.

General Planning

Institute of Internal Auditors (IIA) standards indicate that the Internal Audit Director is ultimately responsible for all planning within the department. Although the IIA standard does not divide planning into strategic and tactical components, it does indicate that the plans should be consistent with the internal audit department charter. Most strategic plans are at least one year in scope, to match the most common business cycle. Tactical planning is most often done within the timeline of a single business cycle.

The most senior IT auditor on staff should be responsible for IT audit strategic and tactical planning. The IT audit planning activities should coincide with and complement internal audit planning to support effective overall department functioning.

The IT audit strategic and tactical plans should be realistic, supported by the personnel, budgets, and other necessary resources, and measurable from an actual versus plan perspective.

Tactical IT audit plans should indicate what will be audited, when the audit is set to take place, and how much time is required. The IT auditor or internal auditor responsible for developing the tactical plans should consider most, if not all, of the following:

  When the most recent IT audit was performed
  Results of the most recent IT audit
  Results of the most recent risk assessment
  Magnitude of specific financial exposures
  Changes in the operations
  Requests from management

IT auditors should develop tactical plans that include specific objectives, staffing plans, financial budgets, administrative activities, training requirements, and any other appropriate activities.

The IT audit director and lead IT auditor should regularly prepare combined status and activity reports and provide them to senior management and, if appropriate, to the audit committee and the board of directors. The reports should compare actual to planned performance and actual to planned expenditures. Each report should also state the reasons for major variances, whether plan adjustments are needed, and what decisions, if any, senior management and the board need to make.

Part II covers strategic and tactical planning, except for activity reporting. These reports are important to the planning process, and auditors should ensure that they are prepared. Senior management, the audit committee, and the board of directors should only approve changes to strategic or tactical plans based on these reports or other equally authoritative information.

