Section 2
Reviewing Application Systems

An automated application review will include some combination of auditors, the application, methods, tools, technical personnel, end users, etc. Audit management is responsible for ensuring that these are in place and effective. This chapter identifies eight areas that should be addressed during the audit process:

  Audit structure
  Internal auditors
  Audit manual
  Audit management
  Audit procedures
  Application development and testing
  Documenting and reporting audit work
  External auditors

THE AUDIT STRUCTURE

The audit director should ensure that there are policies or procedures that are likely to select the auditors best suited to perform a particular review. The audit director retains ultimate responsibility for all work done by the department, and should therefore periodically review and/or approve the following:

  Qualifications and independence of each audit staff member
  Scope and frequency of the audits performed
  Techniques to be used
  The overall condition of the company’s controls and operations
  The actual resolution of issues from the final reports developed by the department
  Management actions to resolve material weaknesses cited in audit reports

The IT and financial audit personnel must have sufficient IT expertise to perform the audits, whether IT audit coverage is provided by an internal audit staff, external auditors, or a combination of both. The IT expertise should be commensurate with the degree and sophistication of the IT function. The audit director should use internal and external third parties when it is not possible or practical to acquire or develop the internal IT expertise required for a particular assignment.

THE INTERNAL AUDITORS

The internal IT audit function should provide independent appraisals of applications, systems, etc., as needed. IT auditors evaluate the effectiveness of controls to ascertain whether processing is done in compliance with the applicable internally or externally created standards.

IT auditors should produce reports with analyses, appraisals, recommendations, and other pertinent comments concerning the activities reviewed. These comments should help the auditors meet their responsibilities more effectively. The IT auditor is properly concerned with all phases of business activity and must look beyond simple technical or financial issues to obtain a full understanding of the operations under review. The IT auditor’s full range of activities should include one or more of the following in each review:

  Reviewing, appraising, and reporting on the adequacy and effectiveness of established controls
  Supporting the implementation of cost-effective controls
  Ascertaining compliance with established policies, procedures, and laws
  Determining the extent to which IT assets are safeguarded
  Ascertaining the reliability and timely processing of statistical data
  Recommending alternatives to correct control deficiencies

Competence

The overall skills required for IT audit tasks depend on the size and complexity of the IT operation. In some instances, the internal IT audit is performed by an individual or group that is only responsible for IT auditing. In other cases, the responsibility for the audit may be placed with a generalist auditor who plans and performs the audits personally or directs staff borrowed from other departments. Whatever the situation, an auditor must possess IT expertise commensurate with the sophistication of the system under audit. The following basic skills are required of any internal auditors with IT audit responsibilities:

  A sound knowledge of company practices and requirements
  A firm understanding of the fundamental principles of internal control
  The ability to schedule and execute specific IT audit functions
  The ability to investigate thoroughly and document the work
  The ability to accurately summarize and report negative findings, and prepare effective and constructive recommendations
  A general understanding of SDLC methodology concepts
  A general knowledge of automated environments
  Awareness of automated application review concepts and techniques

Audit management should be committed to providing a program of continuing education to maintain or improve competence levels, because the automated environment changes with the introduction of new technologies. Available sources of technical audit training include:

  Conferences and seminars sponsored by ISACA, IIA, other professional associations, and private organizations
  Courses sponsored by hardware and software vendors, colleges, universities, and local technical schools
  Self-study and programmed learning courses

The IT auditor’s competence will ultimately be evidenced by the quality of the work performed, the ability to communicate the results of that work, and the ability to have deficiencies corrected.

Independence

The audit department’s real or perceived independence is likely to have a significant impact on its ability to meet departmental objectives. One quick, although not always accurate, indication of its independence is to determine where the audit director reports within the organization. Internal audit departments should report to the board of directors or to the audit committee. The board should ensure that the audit department does not participate in functions that compromise its independence. These areas include such activities as preparing records, developing procedures, or engaging in other duties they would normally review.

Audit department or individual auditor independence can be evaluated by reviewing the appropriate organization charts, evaluating the findings and recommendations actually being presented, and performing other procedures as needed. To be effective, the IT auditor should be given authority to obtain all records necessary to conduct the audit and to require management to respond formally to audit findings. Internal IT and financial auditors have been considered responsible for ensuring that financial and operating management takes corrective action on each recommendation presented. This has more recently been seen as inappropriate because it does not permit the affected management to have the final say in the areas for which they are responsible. The auditor’s power comes from the ability to escalate an issue all the way to the Board of Directors if the affected managers do not appear to respond appropriately to a particular issue or group of issues.

THE AUDIT MANUAL

The audit director should oversee the development of a manual that will increase the likelihood that audits performed will be successful and consistent. This manual should be built on an Internal Audit Charter that defines the role of the audit department in the organization, describes the philosophies of the Audit Committee, and establishes the authority the department needs to meet its objectives.

The manual and the charter should include sections that similarly define and empower the IT auditing function within the department. These sections should establish appropriate guidelines for auditing data centers, automated applications, and other related controls.

The Board of Directors must approve the Audit Charter for it to be meaningful. The Board is less likely to be involved in the audit manual, although it may choose to review and approve it as well. The Board may ask the external auditors to determine whether the standards and procedures it contains meet the requirements to perform an effective audit. Once the manual has been approved, it should provide the audit department with uniform standards and serve as a valuable training aid. In addition, it gives the Board a basis for evaluating the audit department.

The audit manual should contain the following policies, standards, and procedures:

  Administrative personnel policies to the extent not already provided by Human Resources
  Organization structure
  Areas or functions to be audited
  Audit frequency and scheduling guidelines
  Standards for audit workpapers and reports (e.g., content, format, filing, and distribution) and report follow-up
