Information technology audit process:
Contents :
1 Generally Accepted Auditing Standards (GAAS)2 IT Audit Process Overview3 Phases of an IT Audit3.1 Establish the Terms of the Engagement3.2 Preliminary Review3.3 Establish Materiality and Assess Risks3.4 Plan the Audit3.5 Consider Internal Control3.6 Perform Audit Procedures3.7 Issue the Audit Report4 Planning the Audit4.1 Materiality4.2 Risk Assessment4.2.1 Documentation of Risk Assessment4.3 The Audit Plan4.4 Planning Memo5 Evaluation of Internal Controls5.1 General Controls5.2 Application Controls5.3 Tests of Controls6 Audit Procedures6.1 Audit Sampling6.1.1 Selecting the Sample6.1.2 Evaluation and Documentation of Samples6.2 Computer Assisted Auditing Techniques (CAATs)6.3 Evidence7 Completing the Audit7.1 Reporting7.1.1 Types of Reports7.2 Audit Documentation7.3 Follow Up Activities7.4 Assessing the Audit8 Resources9 See alsoGenerally Accepted Auditing Standards (GAAS)
In 1947, the American Institute of Certified Public Accountants (
AICPA) adopted GAAS to establish standards for
audits. The standards cover the following three categories:
General Standards – relates to professional and technical competence, independence, and professional due care.
Field Work Standards – relates to the planning of an audit, evaluation of internal control, and obtaining sufficient evidential matter upon which an opinion is based.
Reporting Standards – relates to the compliance of all auditing standards and adequacy of disclosure of opinion in the audit reports. If an opinion cannot be reached, the auditor is required to explicitly state their assertions.
IT Audit Process Overview
The auditor must plan and conduct the audit to ensure their audit
risk (the risk of reaching an incorrect conclusion based on the audit findings) will be limited to an acceptable level. To eliminate the possibility of assessing audit risk too low the auditor should perform the following steps:
Obtain an Understanding of the Organization and its Environment: The understanding of the organization and its environment is used to assess the risk of material misstatement/weakness and to set the scope of the audit. The auditor’s understanding should include information on the nature of the entity, management, governance, objectives and strategies, and business processes.
Identify Risks that May Result in Material Misstatements: The auditor must evaluate an organization’s business risks (threats to the organization’s ability to achieve its objectives). An organization’s business risks can arise or change due to new personnel, new or restructured information systems, corporate restructuring, and rapid growth to name a few.
Evaluate the Organization’s Response to those Risks: Once the auditor has evaluated the organization’s response to the assessed risks, the auditor should then obtain evidence of management’s actions toward those risks. The organization’s response (or lack thereof) to any business risks will impact the auditor’s assessed level of audit risk.
Assess the Risk of Material Misstatement: Based on the knowledge obtained in evaluating the organization’s responses to business risks, the auditor then assesses the risk of material misstatements and determines specific audit procedures that are necessary based on that risk assessment.
Evaluate Results and Issue Audit Report: At this level, the auditor should determine if the assessments of risks were appropriate and whether sufficient evidence was obtained. The auditor will issue either an unqualified or qualified audit report based on their findings.
Phases of an IT Audit
The audit process can be broken down into the following audit phases:
Establish the Terms of the Engagement
This will allow the auditor to set the
scope and objectives of the relationship between the auditor and the organization. The engagement letter should address the responsibility (scope, independence, deliverables), authority (right of access to information), and accountability (auditees’ rights, agreed completion date) of the auditor.
Preliminary Review
This phase of the audit allows the auditor to gather organizational information as a basis for creating their audit plan. The preliminary review will identify an organization’s strategy and responsibilities for managing and controlling computer applications. An auditor can provide an in depth overview of an organization’s accounting system to establish which applications are financially significant at this phase. Obtaining general data about the company, identifying financial application areas, and preparing an audit plan can achieve this.
Establish Materiality and Assess Risks
In order to plan the audit, a preliminary judgment about materiality and assessment of the client’s business risks are made to set the scope of the audit.
Plan the Audit
Proper planning of the audit will ensure the audit is conducted in an effective and efficient manner. When developing the audit plan, the auditor should take into consideration the results of their understanding of the organization and the results of the risk assessment process.
Consider Internal Control
An internal control system should be designed and operated to provide reasonable assurance that an organization’s objectives are being achieved in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.
To develop their understanding of internal controls, the auditor should consider information from previous audits, the assessment of inherent risk, judgments about materiality, and the complexity of the organization’s operations and systems.
Once the auditor develops their understanding of an organization’s internal controls, they will be able to assess the level of their control risk (the risk a material weakness will not be prevented or detected by internal controls).
Perform Audit Procedures
Audit procedures are developed based on the auditor’s understanding of the organization and its environment. A substantive audit approach is used when auditing an organization’s information system.
Issue the Audit Report
Once audit procedures have been performed and results have been evaluated, the auditor will issue either an unqualified or qualified audit report based on their findings.
Planning the Audit
IS Standard 050 (Planning) states, “The IT auditor should plan the
information systems audit coverage to address the audit objectives and comply with applicable laws and professional auditing standards.”
One of the first tasks an auditor must do when planning the audit is to develop a working budget. The IT audit manager must know the capabilities of the audit staff assigned to the project. In addition to budgeted time needed to perform the audit, the IT audit manager should also budget time needed to train the audit staff (if needed) and allow time for any error correction purposes.
While planning the audit, the auditor decides what level of
audit risk (the risk of reaching an incorrect conclusion based on the audit findings) he or she is willing to accept. The more effective and extensive the audit work is, the less the risk that a weakness will go undetected and the auditor will issue an inappropriate report. Audit risk is dependent on the auditors assessed levels of inherent risk (the susceptibility of an audit area to error which could be material, assuming there are no related internal controls), control risk (the risk a material weakness will not be prevented or detected by internal controls), and detection risk (the risk substantive tests will not detect an error which could be material). These risks are determined when the auditor performs a risk assessment of the organization.
Additionally, in order to evaluate whether an IT audit has been successful, the auditor must first identify the intended scope and objectives of the audit to test management’s assertions on their information systems. To meet the audit objectives, and to ensure that audit resources will be used efficiently, the auditor will need to establish levels of materiality. The auditor should consider both qualitative and quantitative aspects in determining materiality. An assessment of risk should be made to provide reasonable assurance that all material items will be adequately covered during the audit work. This assessment should identify areas with relatively high risk of existence of material problems.
Materiality
In assessing materiality, the IT auditor should consider:
The aggregate level of error acceptable to management, the IT auditor, and appropriate regulatory agencies.
The potential for the cumulative effect of small errors or weaknesses to become material.
While establishing materiality, the auditor may audit non-financial items such as physical access controls,
logical access controls, and systems for personnel management, manufacturing control, design, quality control, and password generation.
While planning the audit work to meet the audit objectives, the auditor should identify relevant control objectives and determine, based on materiality, which controls should be examined. Internal control objectives are placed by management and identifies what the management strives to achieve through their internal controls.
Where financial transactions are not processed, the following identifies some measures the auditor should consider when assessing materiality:
Criticality of the business processes supported by the system or operation.
Cost of the system or operation (hardware, software, third-party services)
Potential cost of errors.
Number of accesses/transactions/inquiries processed per period.
Penalties for failure to comply with legal and contractual requirements.
Risk Assessment
A risk is any event or action, generated internally or externally, which prevents an organization from achieving its goals and/or objectives. Risks affect control objectives in the areas of data integrity and accuracy, timeliness of the information for decision making, ability to access the system, and confidentiality/privacy of information, to name a few. Risk assessment allows the auditor to determine the scope of the audit and assess the level of audit risk and error risk (the risk of errors occurring in the area being audited). Additionally, risk assessment will aid in planning decisions such as:
The nature, extent, and timing of audit procedures.
The areas or business functions to be audited.
The amount of time and resources to be allocated to an audit.
Documentation of Risk Assessment
Once the assessed level of risk has been determined, the auditor should document the following in their work papers:
A description of the risk assessment technique used.
The identification of significant risks.
The risks the audit is going to address.
The audit evidence used to support the IS auditor’s assessment of risk.
The Audit Plan
The audit plan details the audit objectives and steps the auditor must take to ensure all of the important issues in the audit are covered. The audit plan includes:
The auditor’s understanding of the client.
Potential audit risks.
A basic framework for how the audit resources (budgeted audit hours) are to be allocated throughout the audit.
Audit procedures to be performed.
The objective of the audit plan is to assist the auditor in conducting an effective and efficient audit.
Planning Memo
A planning memo outlines for the auditee the tone and course of action the IT audit manager plans to take. The memo outlines for the auditee the areas within the audit the auditor is planning to spend most of their time, and it gives the auditee the opportunity to voice any concerns.
Evaluation of Internal Controls
COSO defines internal control as, “a process, influenced by an entity’s board of directors, management, and other personnel, that is designed to provide reasonable assurance in the effectiveness and efficiency of operations, reliability of financial reporting, and the compliance of applicable laws and regulations”. The auditor evaluates the organization’s control structure by understanding the organization’s five interrelated control components. They include:
Control Environment Provides the foundation for the other components. Encompasses such factors as management’s philosophy and operating style.
Risk Assessment Consists of risk identification and analysis.
Control Activities Consists of the policies and procedures that ensure employees carry out management’s directions. Types of control activities an organization must implement are preventative controls (controls intended to stop an error from occurring), detective controls (controls intended to detect if an error has occurred), and mitigating controls (control activities that can mitigate the risks associated with a key control not operating effectively).
Information and Communication Ensures the organization obtains pertinent information, and then communicates it throughout the organization.
Monitoring Reviewing the output generated by control activities and conducting special evaluations.
In addition to understanding the organization’s control components, the auditor must also evaluate the organization’s General and Application controls.
General Controls
General controls relate to the overall information-processing environment and has a large effect on the organization’s computer operations. Types of general controls include:
Organizational Controls - includes
segregation of duties controls.
Data Center and Network Operations Controls – ensures the proper entry of data into an application system and proper oversight of error correction.
Hardware & Software Acquisition and Maintenance Controls – includes controls to compare data for accuracy when it is input twice by two separate components.
Access Security Controls – ensures the physical protection of computer equipment, software, and data, and is concerned with the loss of assets and information through theft or unauthorized use.
Application System Acquisition, Development, and Maintenance Controls - ensures the reliability of information processing.
Managerial controls- To ensure that there is no unauthorised access to IT assets.
Application Controls
Application controls apply to the processing of individual accounting applications and help ensure the completeness and accuracy of transaction processing, authorization, and validity. Types of application controls include:
Data Capture Controls – ensures that all transactions are recorded in the application system, transactions are recorded only once, and rejected transactions are identified, controlled, corrected, and reentered into the system.
Data Validation Controls – ensures that all transactions are properly valued.
Processing Controls – ensures the proper processing of transactions.
Output Controls – ensures that computer output is not distributed or displayed to unauthorized users.
Error Controls – ensures that errors are corrected and resubmitted to the application system at the correct point in processing.
Application controls may be compromised by the following application risks:
Weak security
Unauthorized access to data and unauthorized remote access
Inaccurate information and erroneous or falsified data input
Misuse by authorized end users
Incomplete processing and/or duplicate transactions
Untimely processing
Communication system failure
Inadequate training and support
Tests of Controls
Tests of controls are audit procedures performed to evaluate the effectiveness of either the design or the operation of an internal control. Tests of controls directed toward the design of the control focuses on evaluating whether the control is suitably designed to prevent material weaknesses. Tests of controls directed toward the operation of the control focuses on assessing how the control was applied, the consistency with which it was applied, and who applied it. In addition to inquiring with appropriate personnel and observation of the application of the control, an IT auditor’s main focus when testing the controls is to do a re-performance of the application of the control themselves.
Audit Procedures
Audit procedures are specific tasks (audit tests) performed by the auditor to gather evidence to determine if specific audit objectives are being met. IS Auditing Standard 060 (Performance of Audit Work) states, “During the course of the audit, the IT auditor should obtain sufficient, reliable, and relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence.”
An auditor must design, select, evaluate, and document sample evidence in order to meet the requirements of “sufficient, reliable, and relevant evidence” and “supported by appropriate analysis”.
Audit Sampling
Audit sampling is the application of an audit procedure to less than 100% of the population to enable the IT auditor to evaluate audit evidence within a class of transactions for the purpose of forming a conclusion concerning the population. When designing the size and structure of an audit sample, the IT auditor should consider the audit objectives determined when planning the audit, the nature of the population, and the sampling and selection methods.
Selecting the Sample
The auditor should select the sample items in such a way that they are representative of the population. The most commonly used sampling selection methods are:
Statistical Sampling MethodsRandom Sampling – ensures that all combinations of sampling units in the population have an equal chance of selection.
Systematic Sampling – involves selecting sampling units using a fixed interval between selections with the first interval having a random start.
Non-Statistical Sampling Methods
Haphazard Sampling – the auditor selects the sample without following a structured technique.
Judgmental Sampling – the auditor places a bias on the sample. For example, selecting only sampling units over a certain value.
The selection of the sample size is affected by the level of sampling risk that the IT auditor is willing to accept. Sampling risk is the risk the auditor’s conclusion may be different from the conclusion that would be reached if the entire population were subjected to the same audit procedure. The two types of sampling risk are:
The Risk of Incorrect Acceptance – the risk that a material misstatement is assessed as unlikely, when in fact the population is materially misstated.
The Risk of Incorrect Rejection – the risk that a material misstatement is assessed as likely, when in fact the population is not materially misstated.
Once the sample items have been selected to be tested, the auditor can begin audit tests using Computer Assisted Auditing Techniques (CAATs), which will be discussed shortly.
Evaluation and Documentation of Samples
The performance and evaluation of a sample must address the following issues:
The effect of not being able to apply a planned procedure to a sample item.
A projection of the sample results to the population being tested, then comparing those results with the planned amounts.
Appropriate consideration to the assessed level of sampling risk must be performed.
SAS 39 requires the auditor to adequately consider qualitative aspects of misstatements, such as the nature and cause of the misstatement and the possible relationship of the misstatements to other phases of the audit.
The auditor must document in their work papers the sampling objectives and the sampling process used. The work papers should include the source of the population, the sampling method used, sampling parameters, items selected, details of audit tests performed, and conclusions reached.
Computer Assisted Auditing Techniques (CAATs)
Further information:
Data analysis (information technology)CAATs are used to test application controls as well as perform substantive tests on sample items. Types of CAATs include:
Generalized Audit Software (GAS) – allows the auditor to perform tests on computer files and databases.
Custom Audit Software (CAS) – generally written by auditors for specific audit tasks. CAS is necessary when the organization’s computer system is not compatible with the auditor’s GAS or when the auditor wants to conduct some testing that may not be possible with the GAS.
Test Data – the auditor uses test data for testing the application controls in the client’s computer programs. The auditor includes simulated valid and invalid test data, used to test the accuracy of the computer system’s operations. This technique can be used to check data validation controls and error detection routines, processing logic controls, and arithmetic calculations, to name a few.
Parallel Simulation – the auditor must construct a computer simulation that mimics the client’s production programs.
Integrated Test Facility – the auditor enters test data along with actual data in a normal application run.
Evidence
Through the use of CAATs, the auditor will be able to obtain evidence to support their final conclusions developed on the audit. Audit evidence should be sufficient, reliable, relevant, and useful in order for the auditor to form an opinion and to support their findings and conclusions. If the auditor cannot form an opinion based on the audit evidence obtained, the auditor should then obtain additional audit evidence. Procedures used to gather audit evidence varies depending on the information system being audited. The auditor should select the most appropriate procedure for the audit objective. The following procedures should be considered:
Inquiry and/or Observation
Inspection
Reperformance
Monitoring
The audit evidence gathered by the auditor should be documented and organized to support the auditor’s findings and conclusions. Finally, when an auditor believes that sufficient audit evidence cannot be obtained, the auditor should disclose this fact as a scope limitation within the audit report.
Completing the Audit
Before choosing the appropriate audit report, the auditor must consider the following issues:
Review for Subsequent Events – two types of subsequent events require an evaluation by the auditor. They include:
Type I events – events that provide additional evidence about the conditions that existed at the date of the balance sheet.
Type II events – events that provide evidence about conditions that did not exist at the date of the balance sheet, but arose after that date.
Audit procedures used to review for subsequent events include asking management whether any unusual adjustments to their information systems have been made during the subsequent events period (after the completion of the audit, but before the audit report is issued), or obtaining a representation letter from management.
Final Evidential Evaluation Processes – audit steps performed by the auditor in this phase to determine the most appropriate audit report includes obtaining a representation letter, reviewing work papers, final assessment of audit results and obtaining an independent review of the engagement.
Communications with the Audit Committee and Management – communications should include significant audit adjustments, the auditor’s judgments about the quality of the entity’s accounting principles, disagreements with management, major issues discussed with management before the auditor was retained, difficulties encountered during the audit, and fraud involving senior management. Also, the auditor should discuss the draft of the audit report with management to give management the chance to correct any weaknesses or deficiencies before they are reported and released to the public. The auditor may decide to do this in the form of a Management Comment Letter.
Subsequent Discovery of Facts Existing at the Date of the Auditor’s Report – Auditing standards 561 provides guidance for auditors when facts have come to the auditor’s attention about the organization’s processes that might have affected the report had they known about them.
The auditor’s conclusion and findings, which are based on documented evidence, must be objective, measurable, complete, and relevant. The findings are disclosed to management in formal statements, typically an audit report. Any recommendations must be provided for each audit finding for the report to be useful to management.
Reporting
IS Auditing Standard 070 (Reporting) states, “The IT auditor should provide a report in an appropriate form, upon the completion of the audit. The report should state the scope, objectives, period of coverage, and the nature, timing, and extent of the audit work performed. The report should state the findings, conclusions, and recommendations and any reservations, qualifications or limitations of scope that IT auditor has with respect to the audit.”
Types of Reports
Unqualified Audit Report
This type of report is used when the auditor has gathered sufficient evidence, the audit was performed in accordance with GAAS, and no scope limitations were encountered.
Unqualified Audit Report with Explanation
This type of audit report is required when the auditor’s wording needs to be modified possibly due to an emphasis of a matter or an organization’s lack of consistency when processing information.
Qualified Report
The auditor’s opinion will be qualified due to a scope limitation or an organization’s departure from GAAP, even though the overall financial statements having been fairly presented.
Qualified Report with Disclaimer
The auditor disclaims an opinion because there is insufficient competent evidence to form an opinion or because there is a lack of independence.
Qualified Report with an Adverse Opinion
The auditor issues this report because the organization’s financial statements are not presented fairly and were not developed in conformance with GAAP.
Audit Documentation
Working papers (audit documentation) is the formal collection of auditors notes, documents, flowcharts, correspondence, results of observations, plans and results of tests, the audit plan, minutes of meetings, computerized records, data files or application results, and evaluations that document the auditor activity for the entire audit period. The audit report is also included in the work papers. Work papers are essential to support the auditor’s findings and recommendations as stated in the audit report.
Follow Up Activities
Once the auditor has reported their findings and recommendations to management, the IT auditor should request and evaluate relevant information to conclude whether appropriate action was taken by management in a timely manner. The nature, timing, and extent of the follow-up activities should take into account the importance of the reported findings and the impact on the organization if corrective action has not been taken. Depending on the scope of the audit, the IT auditor may rely on an internal auditor to perform the follow-up activities.
Assessing the Audit
The audit and working papers should be evaluated based on the following criteria by a partner or senior manager:
Completeness – An audit must cover every element of the audit subject.
Pertinence – The audit should be free of extraneous or unnecessary elements.
Accuracy – All elements of the audit must be precise and error-free.
Appropriate Conclusions, Findings and Recommendations – The audit must present appropriate conclusions and findings that lead to recommendations reflecting workable and timely solutions to audit objectives.
Follow-up to Findings and Recommendations – The value of the audit must be assessed to assure that the findings and recommendations, reflecting workable and timely solution have been achieved to some quantifiable degree and have provided value to the organization.
Resources
Auditing & Assurance Services, William F. Messier, Jr., 3rd Edition, page 45
Information Technology Control and Audit, Frederick Gallegos, Sandra Senft, et al, 2nd Edition, page 577
Auditing & Assurance Services, William F. Messier, Jr., 3rd Edition, page 55
Auditing & Assurance Services, William F. Messier, Jr., 3rd Edition, page 60 and Information Technology Control and Audit, Frederick Gallegos, Sandra Senft, et al, 2nd Edition, page 72
IS Auditing Standard S5 Planning - 04 Risk Assessment
IS Auditing Guideline G6 Materiality Concepts for Auditing Information, Paragraph 2.1.2
IS Auditing Guideline G6 Materiality Concepts for Auditing Information, Paragraph 2.1.5
IS Auditing Guideline G13 Use of Risk Assessment in Audit Planning, Paragraph 2.1.3
IS Auditing Guideline G13 Use of Risk Assessment in Audit Planning, Paragraph 2.3.4 & 2.3.5
IS Auditing Guideline G13 Use of Risk Assessment in Audit Planning, Paragraph 2.5.3
Guest speaker Mike Simpson, May 16, 2005
Auditing & Assurance Services, William F. Messier, Jr., 3rd Edition, page 263
AU 350.01
IS Auditing Guideline G10 Audit Sampling, Paragraph 2.3.1
SAS No. 39
Auditing & Assurance Services, William F. Messier, Jr., 3rd Edition, page 304
IS Auditing Guideline G10 Audit Sampling, Paragraph 2.4.1
Auditing & Assurance Services, William F. Messier, Jr., 3rd Edition, page 276
IS Auditing Guideline G2 Audit Evidence Requirement, Paragraph 3.2.1
Posts
