Section 28
Analyze Audit Results

The purpose of producing the computer reports is to provide audit information. In many instances, the computer program will perform analyses; in others, additional audit steps will be needed to verify or refute findings in the report. The objective of this step is to analyze and use the information produced by the data tests.

DOCUMENT FINDINGS

The concerns raised during the audit tests should be documented as potential findings; a finding is the discovery of a difference between actual and expected or prescribed procedures, operations, or results. It should be understood that documenting a finding at this point does not necessarily mean that the finding will be included in the audit report. In this task, findings are described as they occur during the audit process. These can be operational or financial findings that represent a variance from the organization’s policies, procedures, and guidelines or from general good business practices.

The analyses of auditee controls and data performed during the audit may uncover deviations from what is expected. In most cases, the IT auditor discovers deviations from company policies or procedures (including established transaction processing procedures) in the functioning of a control or in the result produced. When a finding (i.e., a factual circumstance) is located, it should be documented; however, the IT auditor should judge which findings are worth documenting. It obviously would not be prudent for the IT auditor to document a calculation that was off by a penny. The following guidelines can help the IT auditor determine whether or not to document a particular deviation:

  The amount in question is significant for the organization.
  During an extended period of time, the loss resulting from the deviation could be significant.
  The problem caused by the deviation could affect the credibility of the department and organization.
  The deviation exemplifies the generally sloppy manner in which the business is conducted.

At this point, the IT auditor is asked not to draw conclusions but to merely document the finding. The audit objectives are those stated in the workpapers—the narrative should be kept brief, and all supporting workpapers should be referenced. The IT auditor should avoid the two extremes possible in documenting findings. Documenting insignificant findings causes the audit function to lose credibility with the auditee. On the other hand, if the IT auditor fails to recognize the potential effect of a deviation and therefore fails to document a critical finding, the organization could be adversely affected.

ANALYZE FINDINGS

The investigative work has now been completed, and the IT auditor must begin to turn the disparate audit results into an audit report. The initial effort is an in-depth analysis of the findings that will be helpful in presenting the findings to the auditee and management and in developing recommendations. Analyzing an audit finding involves answering the what, where, when, who, how, and why questions about that finding—the questions that both the auditee and management will ask. This task explains the background information needed concerning a finding and how to obtain it. Six categories of analysis should be performed about every finding, each involving the following process:

1.  Ask a factual question.
2.  Counter that factual question with an analytical question.
3.  Analyze the answer to the second question to determine the basic cause of the problem.

Analysis 1: The Finding Event

Factual Question:

What was done?

The IT auditor must be able to state exactly what has happened that is a problem.

Analytical Question:

Why that?

The IT auditor must determine why the event happened, and whether it was caused by inadequate training, employee oversight, or some other problem.

General Analysis:

When there is a problem as to why something was done, an analysis of the finding generally leads to the conclusion that the event was nonessential or redundant.

Analysis 2: Location of the Event

Factual Question:

Where was it done?

The IT auditor must determine which part of the process, which department, or which job is the source of the problem.

Analytical Question:

Why there?

The IT auditor must determine why the event was performed at that location and whether that was in fact the right place for the event.

General Analysis:

In most instances when there is a problem associated with location, the results of the analysis will reveal that the event was performed at an inconvenient location or segment of the application.
