The planning that occurs prior to visiting the auditee site is a six-task process. A description of the tasks follows:
Updating Annual and Individual Audit Plans
The creation of these plans occurs at a single point in time; however, the plans should be continually updated on the basis of changing information. Audit management updates the annual plan, and the individual audit plan is updated by the auditor-in-charge.
The events that can cause an audit plan to be changed include:
Whenever one of these events causes changes to occur, the plan should be updated. The plan is a document that is used by audit management and the auditor-in-charge to determine the completion of the audit effort. If the plan is not updated as activities change, audit management has lost the tool to perform its function.
IT audit planning should address strategic and tactical considerations. This planning should ultimately satisfy the following objectives:
The standards issued by professional audit organizations include audit planning. These standards normally define the basic planning process without specifying the process to follow. This section uses the Standards for the Professional Practice of IT Auditing, as issued by the Information Systems Audit and Control Association. The ISACA standards are extended by Standard 050.010, which requires the IT auditor to comply with all applicable professional auditing standards.
General Planning
Institute of Internal Auditors (IIA) standards indicate that the Internal Audit Director is ultimately responsible for all planning within the department. Although the IIA standard does not divide planning into strategic and tactical components, it does indicate that the plans should be consistent with the internal audit department charter. Most strategic plans are at least one year in scope, to match the most common business cycle. Tactical planning is most often done within the timeline of a single business cycle.
The most senior IT auditor on staff should be responsible for IT audit strategic and tactical planning. The IT audit planning activities should coincide with and complement internal audit planning to support effective overall department functioning.
The IT audit strategic and tactical plans should be realistic, supported by the personnel, budgets, and other necessary resources, and measurable from an actual versus plan perspective.
Tactical IT audit plans should indicate what will be audited, when the audit is set to take place, and how much time is required. The IT auditor or internal auditor responsible for developing the tactical plans should consider most, if not all, of the following:
IT auditors should develop tactical plans that include specific objectives, staffing plans, financial budgets, administrative activities, training requirements, and other appropriate activities.
The IT audit director and lead IT auditor should regularly prepare combined status and activity reports, and provide them to senior management and, if appropriate, to the audit committee and the board of directors. The reports should include a comparison of actual to planned performance and of actual to planned expenditures. The report should also include the reasons for major variances, whether plan adjustments are needed, and what decisions, if any, senior management and the board need to make.
Part II covers strategic and tactical planning, except for activity reporting. These reports are important to the planning process, and auditors should ensure that they are prepared. Senior management, the audit committee, and the board of directors should only approve changes to strategic or tactical plans based on these reports or other equally authoritative information.