Reporting Findings and Conclusions
Potential audit findings should be discussed with the appropriate personnel throughout the course of the audit. Preliminary conclusions and audit findings, normally a subset of the potential findings, should be presented to the auditee during an exit conference and discussed at that time. The draft audit report should be the natural extension of the exit conference materials combined with the discussions that took place during the exit meeting. Once the auditee's responses have been received, the final audit report may be prepared and distributed.
Regardless of whether the IT auditor uses the four-step approach just mentioned or another, the following guidelines should be satisfied.
Audit Follow-up
The IT auditor should schedule follow-up procedures whenever an auditee agrees to take action in response to a specific audit recommendation. The auditor should always be concerned about whether that action is really taken, as a certain percentage of auditees will agree to take action just to get the audit over with, never intending to make any change. One very real risk is that an auditor's failure to follow up may lead the auditee community to conclude that the audit recommendations are not worth taking seriously, and actually create the problem situation just described. Follow-up procedures may include the following:
The IT auditor should remain aware that although the desirability of formal procedures is clear, the auditor should obtain effective responses without overemphasizing haste. Overall audit management should try to ensure that monitoring techniques are effective yet do not arouse antagonism that may impair the department's relationship with operating management. The company may choose to appoint a senior officer formally responsible for audit follow-up to protect the auditor/auditee relationship.
The responsibilities of external auditors should be defined clearly for the audit committee, board of directors, and senior management. The external auditors are aware of this need, and will normally submit engagement letters to the board that require a written acceptance before commencing their work. Such letters normally include the scope of the audit, its length, and expected results. In many cases, essential features of the audit are summarized in the letter with schedules attached that describe specific procedures for each area to be audited. The letter may include biographical information on the personnel involved, as well as provisions for disclosure and review of audit workpapers by third parties. In addition, the letter may specify any normal audit procedures to be omitted and whether the auditor is expected to render an opinion on the organization's financial statements.
The external auditor must review IT internal control procedures as part of his evaluation of the overall system of internal control when auditing the organization's financial statements. AICPA standards require auditors to consider the effects of IT activity in each significant financial application.
Generally, the external auditors must review the general controls and application controls that could have a material impact on the financial statements as presented. General controls include IT planning and structure, physical and logical access security, and other controls over the IT environment. Application controls are linked to individual systems, and should ensure that there are adequate controls over input, processing, output, and data storage.
As the external auditors evaluate internal controls, they must determine the extent to which IT is used in each significant accounting application, and thus also determine the need to review IT controls. The AICPA has indicated in the past that the external auditor is permitted to select the specific procedures they believe are the most effective for evaluating IT controls. Most of the audit forms begin with a questionnaire that gathers most or all of the required background information. Usually, these questionnaires cover:
As part of their review, external auditors can also decide to perform a variety of substantive audit procedures.