The audit manual must be periodically revised to remain consistent with changes in the company, its business, its technology, and so on. The Board should at least review, if not approve, any item that threatens to compromise the audit department's ability to satisfy its chartered responsibilities.
The IT auditor must either know, or else learn, how to manage all of the work involved in performing a specific IT review, beginning with high-level planning and continuing through planning and performing the procedures required for the specific review. The strategic and tactical audit planning process will be covered in detail later in the book, but a summary of the key issues follows below.
Scope and Frequency of Audit Coverage
The Audit Department must perform audits with a scope and frequency sufficient to meet the objectives and responsibilities set forth in the Audit Charter and strategic plans. The scope of any specific IT audit will include one or more of the following.
The IT auditor should establish audit frequencies after conducting a risk assessment of the company's possible IT audit areas. Risk assessment considerations include:
All relevant IT audit areas should be reviewed on a periodic basis, even if only once every three years. There is always some chance that the risk assessment is flawed, that the assumptions or information supporting the last risk assessment are no longer valid, or that some other condition caused a review to be deferred when there was in fact a problem to be addressed. The Board, or its audit committee, should approve the annual audit schedule. The audit director should also inform them of significant deviations from that schedule. If these changes will cause part of the approved schedule not to be completed, the audit director should revise the schedule and obtain the audit committee's approval.
Planning the Audit. The audit department, and the IT audit function within it, benefits from effective planning just like every other part of the company. Effective planning should produce consistent high-quality results, which the IT auditor should view as an absolute necessity. The planning function should include:
Performing the Audit. The IT auditor responsible for performing a specific IT audit may satisfy this objective in one of three ways, or through a combination of the three in more complex situations. First, the IT auditor may perform all procedures personally if the total effort is limited or if no one else has the technical expertise to help complete the work effectively. Second, the IT auditor may supervise less-experienced IT or financial auditors as they perform the detailed audit program steps. Third, the IT auditor may coordinate the efforts of fellow IT auditors or outside consultants who have the experience to perform the audit program steps.
In any case, the IT auditor's responsibility is likely to include most, if not all, of the following.
IT audit procedures should only vary based on the technical environment and the specific audit scope. The audit procedures should never vary based on the skills of the internal IT audit staff. If the risk assessment identifies an IT audit that no one on the staff has the skill or experience to perform, audit department management is obligated to develop or contract those skills and complete the audit. The audit program steps may include manual procedures, computer-assisted procedures, or fully automated procedures. In most cases, a combination of these techniques is used.
Manual Procedures
The IT auditor utilizes manual procedures when they are more effective than the alternatives, or when they cannot be partially or fully automated. Please note that a procedure that cannot be automated today may be fully automated tomorrow, based on a new technology. Examples of these procedures include:
There are hundreds of other examples that every auditor is probably familiar with, so no further examples of manual procedures will be discussed.
Computer-Assisted Procedures
The IT auditor uses computer-assisted procedures, also known as Computer Assisted Audit Techniques (CAATs), because they permit the auditor to switch from procedures based on limited, random, or statistical samples of records in a file to procedures that include every record in a file.
The IT auditor may choose to use an audit software package designed to support CAATs, or to develop his or her own programs using desktop database or spreadsheet software. In either case, the IT auditor would either request read-only access to the appropriate file or files, or ask to have them downloaded in ASCII or EBCDIC format. The following examples are set in the context of an IT auditor who has received a file of cash disbursement information for testing.
In most cases, CAATs are used to evaluate the data directly, while testing processing indirectly through the data evaluation procedures. It is possible to simulate application processing with a CAAT, but this is still an indirect way of evaluating the actual processing done by an automated application.
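The following is an added illustration of the full-population testing that the text describes, not code from the book: a small CAAT written in plain Python that runs three common cash-disbursement tests (duplicate payments, check-number sequence gaps, and amounts just under an approval limit) over every record of a constructed extract. The disbursement data, the 10,000 approval limit and the 5% near-limit band are assumptions made for the example.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample cash-disbursement extract (not from the book).
# A real CAAT would read the full file the auditor received, in ASCII or EBCDIC.
DISBURSEMENTS_CSV = """check_no,vendor_id,invoice_no,amount,pay_date
1001,V100,INV-7781,1250.00,2024-03-04
1002,V215,INV-0042,9950.00,2024-03-04
1003,V100,INV-7781,1250.00,2024-03-05
1005,V330,INV-1190,480.50,2024-03-06
1006,V215,INV-0043,9980.00,2024-03-07
1007,V412,INV-5521,15000.00,2024-03-08
"""

APPROVAL_LIMIT = 10000.00   # assumed policy: a second approver is required above this amount
NEAR_LIMIT_BAND = 0.05      # assumed: flag amounts within 5% below the limit

def load_disbursements(text):
    """Parse the extract; every record is kept, there is no sampling."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["check_no"] = int(r["check_no"])
        r["amount"] = float(r["amount"])
    return rows

def duplicate_payments(rows):
    """Same vendor, invoice and amount paid more than once."""
    keys = Counter((r["vendor_id"], r["invoice_no"], r["amount"]) for r in rows)
    return sorted(k for k, n in keys.items() if n > 1)

def check_sequence_gaps(rows):
    """Check numbers missing from the issued range: possible unrecorded or voided checks."""
    nums = sorted(r["check_no"] for r in rows)
    present = set(nums)
    return [n for n in range(nums[0], nums[-1] + 1) if n not in present]

def near_limit_payments(rows, limit=APPROVAL_LIMIT, band=NEAR_LIMIT_BAND):
    """Amounts just below the approval limit may indicate splitting to avoid a second approver."""
    return [r["check_no"] for r in rows if limit * (1 - band) <= r["amount"] < limit]

def run_caat(text=DISBURSEMENTS_CSV):
    """Run all three tests over the whole file and return the exceptions for follow-up."""
    rows = load_disbursements(text)
    return {
        "duplicates": duplicate_payments(rows),
        "sequence_gaps": check_sequence_gaps(rows),
        "near_limit": near_limit_payments(rows),
    }
```

Each list returned by `run_caat()` is an exception report for the auditor to investigate against the supporting documents, which is the indirect test of processing that the text refers to.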