

A final technique that is helpful in fact-gathering is to organize a group of key audit personnel and brainstorm about the potential problems in the auditee area. This process usually takes about an hour. The group members list their concerns and then consolidate and rank them in order of importance. The result is a risk list that is used by the audit staff.

STEP 3: ANALYZE APPLICATION AUDIT RISK

The auditor-in-charge documents, from previous planning, the risks associated with this application; analyzes the severity of those risks using auditor judgment; and translates the specific risk concerns into criteria for fieldwork audit objectives.

The auditor-in-charge should perform at least these three tasks.

Task 1: Document Audit Risks

Using the results of previous planning steps, the auditor-in-charge must document the risk criteria from the application system. This information is usually transferred from one workpaper to another; however, it may be easier to cross-reference available workpapers, particularly if they are lengthy.

Task 2: Perform an Analysis of the Audit Risk

The auditor-in-charge must use the risk score, risk dimensions, and audit issues gathered during the planning process to create a form that can be used by the audit team. This task converts that data into a summary analysis that familiarizes the audit staff with the concerns that they must address and is used as one of the primary bases for developing audit objectives.

Task 3: Define Specific Risk Concerns

This task is the key task in computer application risk analysis. The auditor extracts the key concerns from the audit risk analysis and the risk information, and then translates them into specific audit objectives (see Step 4).

This step depends heavily on audit judgment and experience. The auditor-in-charge should pose the following questions to determine the audit’s risk concerns.

  Are there aspects of risk that subject the organization to high financial or negative publicity exposure?
  Do new risks exist that have not been addressed in previous audits?
  Are there risk concerns for which the auditor does not believe there are adequate controls to reduce that risk to an acceptable level?
  Based on the auditor’s knowledge of the business, is the risk one that could have already turned into a significant loss?
  Is there reasonable supporting evidence to substantiate that the risk is significant to the organization?

STEP 4: DEVELOP AND RANK MEASURABLE AUDIT OBJECTIVES

The auditor-in-charge develops a set of specific objectives that are to be accomplished during the performance of the application audit. These objectives drive the audit; when the objectives have been completed, the audit is considered to be complete.

Two tasks are performed as part of this step.

Task 1: Define Audit Objectives

Only those audit procedures that support the audit objectives should be performed. The audit objectives are the basis and purpose for performing the audit; when they have been accomplished, the audit is complete. There are three basic types of audit objectives, as follows:

  Administrative objectives: including compliance with auditing standards and procedures and other administrative criteria.
  Application-specific audit objectives: for example, verifying the correctness of the account balances controlled by the application and tracing them to the general ledger.
  Risk-related objectives: including the objectives developed through risk analysis.

Each objective should be described in as measurable a format as possible so that the auditor knows when the audit is complete.

Task 2: Define the Priority for Each Audit Objective

Audits are often constrained by time, staff availability, and budgets. During the performance of the audit, it may be necessary to emphasize some objectives and de-emphasize others. This system of setting priorities provides the audit team with guidance as to which objectives should be accomplished first if there is a shortage of time.

STEP 5: DEVELOP ADMINISTRATIVE PLAN

This step ensures that the proper staff, resources, tools, and skills are available to perform the audit. During this step, the auditor must first determine the administrative staffing resources needed to perform each audit objective. This requires the auditor-in-charge to apply the staffing resources, tools, and audit approach previously defined for the audit to each specific audit objective. In some instances, the previous data may need to be expanded and, in other cases, that data may be applied to the specific audit objective.

The second project for the auditor is to identify and acquire audit staff. On the basis of the administrative analysis of the resource requirements for performing each audit objective, staff members should be identified and acquired to accomplish these objectives. This information is used during the performance of the audit to assign specific objectives to individuals.

STEP 6: WRITE AUDIT PROGRAM

The auditor-in-charge transcribes all of the planning information into an audit program. This audit program is used as a basis for performing the audit.

Once the audit program has been prepared, the fieldwork can commence. Other parts of this book commence at the point that the audit program has been issued.

