The IT audit planning process involves developing a strategic annual audit plan and tactical plans for the individual audits. Both types of planning are discussed here. The overall objectives of IT application audit planning include:
The auditing standards issued by all professional audit organizations include audit planning information. The standards that relate to planning define what the planning process should include but do not specify the procedures for meeting planning standards. Because the standards related to planning from all professional audit groups are similar, this section uses the Standards for the Professional Practice of Internal Auditing, as issued by the Institute of Internal Auditors. This approach is supported by the Information Systems Audit and Control Association Standard for Information Systems Auditing number 050.010, which requires the Information Systems auditor to comply with applicable professional auditing standards.
Section 520 of the Institute's professional standards states that the director of internal auditing should establish plans to carry out the responsibilities of the internal auditing department. Although this standard does not divide planning into annual planning and individual planning, it does indicate that the plans should be consistent with the department's charter. Most businesses run on an annual cycle; therefore, the standard is consistent with the audit charter that a plan coincide with the organization's annual plan and that each individual audit be planned.
The specific content of Section 520 of the Institute's standards states: The planning process involves establishing:
The goals of the internal auditing department should be capable of being accomplished within specified operating plans and budgets and, to the extent possible, should be measurable. They should be accompanied by measurement criteria and targeted dates of accomplishment.
Audit work schedules should include which activities are to be audited, when they will be audited, and the estimated time required, taking into account the scope of the audit work planned and the nature and extent of audit work performed by others. Matters to be considered in establishing an audit work schedule should include the date and results of the last audit; financial exposure; potential loss and risk; requests by management; major changes in operations, programs, systems, and controls; opportunities to achieve operating benefits; and changes to and capabilities of the audit staff. The work schedules should be sufficiently flexible to cover unanticipated demands on the internal auditing department.
Staffing plans and financial budgets, including the number of auditors and the knowledge, skills, and disciplines required to perform their work, should be determined from audit work schedules, administrative activities, education and training requirements, and audit research and development efforts.
Activity reports should be submitted periodically to management and to the board. These reports should compare performance with the department's goals and audit work schedules and compare expenditures with financial budgets. They should explain the reasons for major variances and indicate any action taken or needed.
Part II covers all aspects of the planning process except activity reporting. Activity reports are, however, an important part of the planning process and auditors must ensure that these reports are prepared and measured against the plan. Audit management makes adjustments to annual and individual audit plans on the basis of these activity reports.
Annual Audit Planning
The annual audit plan that audit management performs should include an IT audit plan for computer applications. This part of the planning process can be performed as an independent planning process and then integrated into the audit group's annual audit plan.
A five-task process is proposed here to meet the internal auditing standards for planning the annual audits of computer applications. This plan begins with guidance from the overall audit planning process and adheres to the following outline:
Individual Audit Planning
Planning for individual audits occurs when audit management determines that it is time to begin a specific audit. The individual audit planning is constrained by the components of the annual audit plan. The purpose of the individual audit plan is to prepare for the detailed fieldwork. As such, individual audit planning is a two-part process. The first part, which is covered in this section, deals with the planning that occurs before fieldwork begins. This planning is usually done by audit management or the auditor in charge of the audit. The second part of this process occurs immediately prior to the fieldwork. This planning usually takes place at the auditee location and includes the performance of a preliminary survey and a review of auditee documentation.