Section 5
Strategic IT Audit Planning

The IT audit department plans should include IT components, and within these components should be plans for auditing automated application systems. This section focuses on application system audit planning, which follows the same pattern as the overall planning and should run concurrently with it.

The IT auditor following the described four-step process should comply with all applicable professional standards for planning. This plan begins with guidance from the overall audit planning process and adheres to the following outline.

  Step 1: Identify all potential reviews. The IT auditor should obtain or, if unavailable, create an inventory of the company’s automated application systems.
  Step 2: Prioritize the potential reviews. The IT auditor assesses the absolute and relative risk between applications based on the period since the last review, results of that review, levels of inherent risk, and other appropriate factors. The IT auditor concludes this step by preparing a prioritized list of automated application reviews.
  Step 3: Prepare initial review estimate. The IT auditor should estimate the time and resources required for at least the top third of the potential reviews.
  Step 4: Integrate plans. The IT auditor initially integrates the automated application review plan with general controls and other IT audit focus areas, and that integrated plan is then merged with the overall departmental plan.
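A small risk-ranking helper for steps 2 and 3 above, added here as an illustration rather than anything from the original text: it scores each application in the inventory on the three factors the text names (period since the last review, results of that review, inherent risk), produces the prioritized list, and selects the top third for a time estimate. The weights, the three-year age cap, the hours formula and the inventory itself are assumptions constructed for the example.

```python
from dataclasses import dataclass
from math import ceil
from typing import Optional


@dataclass
class Application:
    """One entry in the inventory of automated application systems (step 1)."""
    name: str
    inherent_risk: int                  # 1 (low) to 5 (high)
    months_since_review: Optional[int]  # None = never reviewed
    prior_findings: int                 # significant findings in the last review


# Constructed inventory for the example; not from any real organisation.
INVENTORY = [
    Application("Payroll", 5, 30, 2),
    Application("General ledger", 5, 6, 0),
    Application("CRM", 3, 48, 1),
    Application("Intranet", 1, 60, 0),
    Application("Expense claims", 3, 12, 3),
    Application("Inventory", 4, None, 0),
]

AGE_CAP_MONTHS = 36  # assumed: beyond three years, staleness stops growing


def risk_score(app, w_inherent=3.0, w_age=1.0, w_findings=2.0):
    """Step 2: combine the three factors into one number (weights are assumed)."""
    months = AGE_CAP_MONTHS if app.months_since_review is None else app.months_since_review
    age_years = min(months, AGE_CAP_MONTHS) / 12
    return w_inherent * app.inherent_risk + w_age * age_years + w_findings * app.prior_findings


def prioritize(apps):
    """Step 2 output: highest risk first, ties broken by name for a stable list."""
    return sorted(apps, key=lambda a: (-risk_score(a), a.name))


def top_third(ranked):
    """Step 3 scope: at least the top third (rounded up) gets a time estimate."""
    return ranked[: ceil(len(ranked) / 3)]


def estimate_hours(app, base_hours=40):
    """Step 3: assumed estimate, scaled by inherent risk and prior findings."""
    return base_hours * (1 + 0.25 * app.inherent_risk) + 8 * app.prior_findings


def build_plan(apps):
    """(name, score, estimated hours) for the applications that need an estimate."""
    ranked = prioritize(apps)
    return [(a.name, round(risk_score(a), 1), estimate_hours(a)) for a in top_third(ranked)]


if __name__ == "__main__":
    for name, score, hours in build_plan(INVENTORY):
        print(f"{name:15s} score={score:5.1f} est={hours:.0f}h")
```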

Specific Audit Planning

There are several very different, but equally effective, models for detailed planning. The model presented includes two phases, which may run consecutively. The first phase is designed to establish a framework for the review, gather additional background information, support or extend the original risk analysis, develop specific measurable objectives, and summarize the phase, often in an Audit Planning Memo (APM).

The first detailed planning phase should almost always be performed and completed before spending any time in the field. The second phase can be performed in the office or the field, although the IT auditor will often find that being in the field facilitates completing the second phase. Second-phase procedures should confirm the APM or lead to its revision, and should also result in a final detailed audit program, whether it is developed or simply finalized in this phase.

At one time, this second phase was known to the public accounting firms as “interim procedures.” The IT auditors updated all carryforward files, reviewed permanent workpapers, performed walkthroughs to validate procedural narratives, and performed tests of transactions to evaluate both narrative accuracy and quantitative compliance with established procedures.

Phase 1 specific audit planning includes the following steps:

  Step 1.1: Assigning an Auditor in Charge (AIC).
  Step 1.2: Reviewing background information. Includes reviewing permanent files, carryforward documents, prior audit reports, etc.
  Step 1.3: Extending the risk analysis. Based on step 2, the original risk analysis should be reviewed and extended to reflect any new or additional information the IT auditor identified.
  Step 1.4: Defining measurable IT audit objectives. These objectives should be closely related to all the prior steps and be clearly stated to help ensure that the audit is successfully executed.
  Step 1.5: Write the APM. The IT auditor should be able to complete this task, having begun it earlier, based on the results of steps 1.1 through 1.4. Once written, the IT audit manager should review and approve it on a timely basis. Work can proceed without this approval, but the work is at risk if the IT audit manager decides on a scope adjustment that is inconsistent with the work already done or in progress.
  Step 2: Writing the detailed audit program. Refines the nature of all activities needed to meet the previously established objectives.

Updating IT Planning Deliverables

The IT audit planning process has been described as a single-thread activity—develop, document, and monitor progress. However, the plans should be periodically updated to reflect significant changes in assumptions or underlying information.

Significant changes requiring plan maintenance:

  Business or operating environment changes: adding a new product line, significant unexpected changes in business volume, or problems in some part of the business.
  Work reallocations between internal audit and external audit: a change in the allocation of work between the independent auditors and the internal auditors.
  IT audit staffing changes.
  Detailed IT audit changes, both in terms of audits performed and their scope, that arise over time.

Plans should be updated as needed whenever one of these events occurs. Internal audit and IT audit management, along with each AIC, use the plans to manage the audit effort. All these persons will be less effective if plans are not properly maintained.

THE ANNUAL IT AUDIT PLANNING PROCESS

The annual IT audit plan is usually prepared by the most senior IT auditor on staff. This plan is a subset of the internal audit’s annual planning process. IT audit planning is properly separated due to its unique issues and objectives, although all auditing planning must be coordinated to help ensure that all top-level objectives are met. (Throughout this section, we will generically refer to the senior IT auditor as the IT audit manager for convenience.)

The IT audit manager should already know or gather the following information before preparing the annual IT audit plan.

  The talent, skill, and capacity of the current IT audit staff
  The potential for acquiring additional resources if these are problems that could prevent eventual completion of the plan
  The IT annual plan
  Expected external audit scope, historical support provided by IT audit, and the level and nature of coordination expected for the coming year
  Expected changes in the business or operating environment
  Any planned changes in the IT audit or internal audit function

The IT audit manager, armed with the above information, should prepare the plan by following the four-step methodology described earlier in the text.

STEP 1: IDENTIFY ALL POTENTIAL REVIEWS

The IT audit manager will find that the vast majority of IT reviews will fall into one of two categories: automated application reviews or general controls reviews. This author feels that almost every conceivable review falls into one of these categories, except for special topics like fraud investigations. In most normal situations, the IT auditor will be focused on a processing environment, making the work a general controls review, or on how the activity within or across environments meets general business objectives, making the work an automated application review.
