Previous Table of Contents Next


Section 30
Review Quality Control

The last audit step in any audit is to perform a self-assessment of the audit and the audit process. This is part of the quality assurance activity in auditing. Quality assurance means looking at the process to determine whether it worked. If the audit process failed to work or worked ineffectively, action should be taken to initiate changes to that process. A failure to perform this step may mean that flaws in the audit process will remain through future audits, causing it to remain ineffective or become extremely time-consuming.

Quality assurance activities are divided into two parts. First, IT auditors look at the products of the audit, which is called quality control. Quality control is partially performed by the audit staff and partially by audit management. In addition, IT auditors determine the effectiveness of the process, which is called quality assurance. Quality assurance uses the results of the quality control review to assess deficiencies in the audit process. Quality assurance also provides an opportunity for the audit team to comment on the effectiveness and efficiency of the audit process.

CONDUCT A QUALITY CONTROL REVIEW

This task involves reviewing the audit to ensure that all the steps and tasks specified for auditing computer applications have been performed properly. Quality control is similar to quality assurance (which involves the third-party review of the audit) except that with quality control, the audit team that conducted the audit performs the review. For most audits of automated applications, this task is performed throughout the audit process by the IT auditor in charge, typically at the completion of each step. Although each IT auditor assigned to an audit should be accountable for the quality of individual work, the IT auditor in charge has supervisory responsibility for overall audit quality.

Although quality assurance reviews are recommended for internal audit departments, only a small percentage of such departments actually use them. Most internal audits rely on quality control—a line management responsibility—to ensure the quality of the audit. Although quality control is usually the responsibility of line audit management, the quality control process must be integrated into the audit process if audit resources are to be used effectively.

CONDUCT A QUALITY ASSURANCE REVIEW

The audit team must evaluate the audit process that was used in conducting the audit. A member of audit management usually performs this quality assurance activity, although audit management can delegate the task to the audit team. This task identifies deficiencies and inefficiencies in the computer application audit process. Two activities are involved in this task. The first activity is to identify problems that have occurred during the audit. These problems should have been documented during the course of the audit. This activity recognizes that the problem occurred and records it for action purposes. The most common sources of problem identification are:

  Audit management workpaper review comments list
  Problems noted by the audit team in the workpapers (these may be a special audit section, or they might be identified as notes for future audits)
  IT auditor to-do lists (these indicate tasks that have not been performed correctly or work that needs to be performed again)
  Tasks that have not been completed because of difficulty in completing them (examples are questions on the checklist that the IT Auditor did not understand or task instructions that were not understandable)
  Problems noted on workpapers indicating difficulty in performing these steps

These problems should be recorded in a workpaper. This workpaper should include a number to identify the specific problem, the name of the audit problem, a brief description of the problem that should reference the location of the problem (i.e., a workpaper reference), and an estimation of the significance of the problem, with a potential solution to the problem if one can be determined at this time.


Previous Table of Contents Next