A final technique that is helpful in fact-gathering is to organize a group of key audit personnel and brainstorm about the potential problems in the auditee area. This process usually takes about an hour. The group members list their concerns and then consolidate and rank them in order of importance. The result is a risk list that is used by the audit staff.
The auditor-in-charge documents, from previous planning, the risks associated with this application; analyzes the severity of those risks using auditor judgment; and translates the specific risk concerns into criteria for fieldwork audit objectives.
The auditor-in-charge should perform at least these three tasks.
Using the results of previous planning steps, the auditor-in-charge must document the risk criteria from the application system. This information is usually transferred from one workpaper to another; however, it may be easier to cross-reference available workpapers, particularly if they are lengthy.
The auditor-in-charge must use the risk score, risk dimensions, and audit issues gathered during the planning process to create a form that can be used by the audit team. This task converts that data into a summary analysis that familiarizes the audit staff with the concerns that they must address and is used as one of the primary bases for developing audit objectives.
This task is the key task in computer application risk analysis. The auditor extracts the key concerns from the audit risk analysis and the risk information, and then translates them into specific audit objectives (see Step 4).
This step depends heavily on audit judgment and experience. The auditor-in-charge should pose the following questions to determine the audit's risk concerns.
The auditor-in-charge develops a set of specific objectives that are to be accomplished during the performance of the application audit. These objectives drive the audit; when the objectives have been completed, the audit is considered to be complete.
Two tasks are performed as part of this step.
Only those audit procedures that support the audit objectives should be performed. The audit objectives are the basis and purpose for performing the audit; when they have been accomplished, the audit is complete. There are three basic types of audit objectives, as follows:
Each objective should be described in as measurable a format as possible so that the auditor knows when the audit is complete.
Audits are often constrained by time, staff availability, and budgets. During the performance of the audit, it may be necessary to emphasize some objectives and de-emphasize others. This system of setting priorities provides the audit team with guidance as to which objectives should be accomplished first if there is a shortage of time.
This step ensures that the proper staff, resources, tools, and skills are available to perform the audit. During this step, the auditor must first determine the administrative staffing resources needed to perform each audit objective. This requires the auditor-in-charge to apply the staffing resources, tools, and audit approach previously defined for the audit to each specific audit objective. In some instances, the previous data may need to be expanded and, in other cases, that data may be applied to the specific audit objective.
The second project for the auditor is to identify and acquire audit staff. On the basis of the administrative analysis of the resource requirements for performing each audit objective, staff members should be identified and acquired to accomplish these objectives. This information is used during the performance of the audit to assign specific objectives to individuals.
The auditor-in-charge transcribes all of the planning information into an audit program. This audit program is used as a basis for performing the audit.
Once the audit program has been prepared, the fieldwork can commence. Other parts of this book commence at the point that the audit program has been issued.