Reporting Findings and Conclusions

Potential audit findings should be discussed with the appropriate personnel throughout the course of the audit. Preliminary conclusions and audit findings, normally a subset of the potential findings, should be presented to the auditee during an exit conference and discussed at that time. The draft audit report should be the natural extension of the exit conference materials combined with the discussions that took place during the exit meeting. Once the auditee’s responses have been received, the final audit report may be prepared and distributed.

Regardless of whether the IT auditor uses the four-step approach just mentioned or another, the following guidelines should be satisfied.

  All potential audit findings should be documented in the normal course of the audit, discussed with appropriate personnel, and their comments documented as well.
  All potential findings with sufficient merit should be included for discussion at the exit conference as preliminary audit recommendations.
  The exit meeting should document and include auditee comments and questions concerning the preliminary audit recommendations.
  The draft audit report should contain an overall opinion of the audited function, state whether controls have strengthened or weakened since the function was last audited, and summarize the preliminary recommendations and related exposures.
  Written responses to all audit reports should be prepared by line management and provided to audit management on a timely basis.
  The final audit report, including management’s responses, should be distributed as soon as possible once those responses have been received.
  Serious control deficiencies or other issues identified during the audit that remain unresolved should be escalated as needed until a satisfactory resolution is reached.
  IT auditors should schedule a follow-up review, even if only done over the phone, whenever the auditee agrees to take action in response to a recommendation.
  All significant audit findings should be periodically summarized and reviewed with senior management and the audit committee.

Audit Follow-up

The IT auditor should schedule follow-up procedures whenever an auditee agrees to take action in response to a specific audit recommendation. The auditor should always be concerned about whether that action is really taken, as there will be a certain percentage of auditees that will agree to take action just to get the audit over with, never intending to make any change. One very real risk is that an auditor’s failure to follow up may lead the auditee community to conclude that the audit recommendations are not worth taking seriously, and actually create the problem situation just described. Follow-up procedures may include the following:

  Requesting a written report on the status of the planned changes
  Deciding whether on-site procedures are warranted
  Planning and performing audit procedures to confirm that the planned change was made and to evaluate whether it has met its original objective (if not, then an additional recommendation may become appropriate)
  Deciding whether unresolved issues warrant an immediate notification to the audit committee, or special mention during the next scheduled meeting

The IT auditor should remain aware that although the desirability of formal procedures is clear, the auditor should obtain effective responses without overemphasizing haste. Overall audit management should try to ensure that monitoring techniques are effective yet do not arouse antagonism that may impair the department’s relationship with operating management. The company may choose to appoint a senior officer formally responsible for audit follow-up to protect the auditor/auditee relationship.

EXTERNAL AUDITORS

The responsibilities of external auditors should be defined clearly for the audit committee, board of directors, and senior management. The external auditors are aware of this need, and will normally submit engagement letters to the board that require a written acceptance before commencing their work. Such letters normally include the scope of the audit, its length, and expected results. In many cases, essential features of the audit are summarized in the letter with schedules attached that describe specific procedures for each area to be audited. The letter may include biographical information on the personnel involved, as well as provisions for disclosure and review of audit workpapers by third parties. In addition, the letter may specify any normal audit procedures to be omitted and whether the auditor is expected to render an opinion on the organization’s financial statements.

The external auditor must review IT internal control procedures as part of his evaluation of the overall system of internal control when auditing the organization’s financial statements. AICPA standards require auditors to consider the effects of IT activity in each significant financial application.

Generally, the external auditors must review the general controls and application controls that could have a material impact on the financial statements as presented. General controls include IT planning and structure, physical and logical access security, and other controls over the IT environment. Application controls are linked to individual systems, and should ensure that there are adequate controls over input, processing, output, and data storage.

As the external auditors evaluate internal controls, they must determine the extent to which IT is used in each significant accounting application, and thus also determine the need to review IT controls. The AICPA has indicated in the past that the external auditor is permitted to select the specific procedures they believe are the most effective for evaluating IT controls. Most of the audit forms begin with a questionnaire that gathers most or all of the required background information. Usually, these questionnaires cover:

  Hardware, software, and organization
  User department controls over data processed by automated applications
  IT program and procedural documentation
  Automatic controls over processing
  Backup procedures
  Security
  Contingency planning

As part of their review, external auditors can also decide to perform a variety of substantive audit procedures.