The purpose of producing the computer reports is to provide audit information. In many instances, the computer program will perform analyses; in others, additional audit steps will be needed to verify or refute findings in the report. The objective of this step is to analyze and use the information produced by the data tests.
The concerns raised during the audit tests should be documented as potential findings; a finding is the discovery of a difference between actual and expected or prescribed procedures, operations, or results. It should be understood that documenting a finding at this point does not necessarily mean that the finding will be included in the audit report. In this task, findings are described as they occur during the audit process. These can be operational or financial findings that represent a variance from the organization's policies, procedures, and guidelines or from general good business practices.
The analyses of auditee controls and data performed during the audit may uncover deviations from what is expected. In most cases, the IT auditor discovers deviations from company policies or procedures (including established transaction processing procedures) in the functioning of a control or in the result produced. When a finding (i.e., a factual circumstance) is located, it should be documented; however, the IT auditor should judge which findings are worth documenting. It obviously would not be prudent for the IT auditor to document a calculation that was off by a penny. The following guidelines can help the IT auditor determine whether or not to document a particular deviation:
At this point, the IT auditor is asked not to draw conclusions but merely to document the finding. The audit objectives are those stated in the workpapers; the narrative should be kept brief, and all supporting workpapers should be referenced. The IT auditor should avoid the two extremes possible in documenting findings. Documenting insignificant findings causes the audit function to lose credibility with the auditee. On the other hand, if the IT auditor fails to recognize the potential effect of a deviation and therefore fails to document a critical finding, the organization could be adversely affected.
The investigative work has now been completed, and the IT auditor must begin to turn the disparate audit results into an audit report. The initial effort is an in-depth analysis of the findings that will be helpful in presenting the findings to the auditee and management and in developing recommendations. Analyzing an audit finding involves answering the what, where, when, who, how, and why questions about that finding; these are the questions that both the auditee and management will ask. This task explains the background information needed concerning a finding and how to obtain it. Six categories of analysis should be performed for every finding, each involving the following process:
Analysis 1: The Finding Event
Factual Question:
What was done?
The IT auditor must be able to state exactly what has happened that is a problem.
Analytical Question:
Why that?
The IT auditor must determine why the event happened, and whether it was caused by inadequate training, employee oversight, or some other problem.
General Analysis:
When there is a problem as to why something was done, an analysis of the finding generally leads to the conclusion that the event was nonessential or redundant.
Analysis 2: Location of the Event
Factual Question:
Where was it done?
The IT auditor must determine which part of the process, which department, or which job is the source of the problem.
Analytical Question:
Why there?
The IT auditor must determine why the event was performed at that location and whether that was in fact the right place for the event.
General Analysis:
In most instances when there is a problem associated with location, the results of the analysis will reveal that the event was performed at an inconvenient location or segment of the application.