The IT audit department plans should include IT components, and within these components should be plans for auditing automated application systems. This section focuses on application system audit planning, which follows the same pattern as the overall planning and should run concurrently with it.
The IT auditor following the described four-step process should comply with all applicable professional standards for planning. This plan begins with guidance from the overall audit planning process and adheres to the following outline.
Specific Audit Planning
There are several very different, but equally effective, models for detailed planning. The model presented includes two phases, which may run consecutively. The first phase is designed to establish a framework for the review, gather additional background information, attempt to support or extend the original risk analysis, develop the specific measurable objectives, and summarize the phase, often in an Audit Planning Memo (APM).
The first detailed planning phase should almost always be performed and completed before spending any time in the field. The second phase can be performed in the office or the field, although the IT auditor will often find that being in the field facilitates completing the second phase. Second-phase procedures should confirm the APM or lead to its revision, and should also result in a final detailed audit program, whether it is developed or simply finalized in this phase.
At one time, this second phase was known to the public accounting firms as interim procedures. The IT auditors updated all carryforward files, reviewed permanent workpapers, performed walkthroughs to validate procedural narratives, and performed tests of transactions to evaluate both narrative accuracy and quantitative compliance with established procedures.
Phase 1 specific audit planning includes the following steps:
Updating IT Planning Deliverables
The IT audit planning process has been described as a single thread activity: develop, document, and monitor progress. However, the plans should be periodically updated to reflect significant changes in assumptions or underlying information.
Significant changes requiring plan maintenance:
Plans should be updated as needed whenever one of these events occurs. Internal audit and IT audit management, along with each AIC, use the plans to manage the audit effort. All these persons will be less effective if plans are not properly maintained.
The annual IT audit plan is usually prepared by the most senior IT auditor on staff. This plan is a subset of the internal audit's annual planning process. IT audit planning is properly separated due to its unique issues and objectives, although all audit planning must be coordinated to help ensure that all top-level objectives are met. (Throughout this section, we will generically refer to the senior IT auditor as the IT audit manager for convenience.)
The IT audit manager should already know or gather the following information before preparing the annual IT audit plan.
The IT audit manager, armed with the above information, should prepare the plan by following the four-step methodology described earlier in the text.
The IT audit manager will find that the vast majority of IT reviews will fall into one of two categories: automated application reviews or general controls reviews. This author feels that almost every conceivable review falls into one of these categories, except for special topics like fraud investigations. In most normal situations, the IT auditor will be focused on a processing environment, making the work a general controls review, or on how the activity within or across environments meets general business objectives, making the work an automated application review.