
1 Conducting the IT Audit
Revised on 2014

2 Content
IT Audit Lifecycle
Audit Work papers
Methods for selecting sample to be audited
CISB424, Sulfeeza

4 Introduction
Each internal audit project should be carefully planned prior to its start. Audits should be initiated as:
- a scheduled element in internal audit's annual planning and risk-assessment process,
- through a management or audit committee special request, or
- in response to unplanned events, such as the discovery of a fraud, new regulations, or unexpected economic events.
With overall objectives to review and improve internal controls as well as to promote the effectiveness and efficiency of operations, an internal audit function has a wide variety of areas and activities to include in its reviews. (Moeller, 2009, pp 155, 237)

5 Introduction
Given the broad scope of enterprise operations and the management and audit committee demands for internal audit attest services, many internal audit functions find that there are just too many areas to include within their scope, given staff, budget, and timing constraints. Internal audit functions need to define the areas within their scope that they may consider for internal audits. This list of all of the potential areas to audit is often called the audit universe. The audit universe is the aggregate of all areas that are available to be audited within an enterprise. (Moeller, 2009, pp 237)

6 Defining audit universe
To define an audit universe, internal audit should review or understand the number of potential auditable entities in terms of both the business units or areas of operations within the organization, and the number of auditable units or activities within and across those business units. These auditable entities can be defined in a number of ways, such as by:
- Function or activity performed
- Organizational unit or division
- Project or program
(Moeller, 2009, pp 236)

7 Defining audit universe
In building their audit universe description, the CAE and the supporting internal audit team might start with a fairly detailed organizational chart to describe the auditable entity units. This review of organizational units can sometimes be a complex process if the enterprise has many subsidiaries, internationally based units, joint ventures, and the like, as well as a complex audit department structure. However, the emphasis should be placed on units where the enterprise CAE has prime internal audit responsibility. Internal audit can share such lists of potential auditable entities with members of management for observations or corrections. This information will help them to compile a tentative audit universe that represents all organizational units or activities in the enterprise where internal audit has prime internal audit responsibility. (Moeller, 2009, pp 239)

8 Assessing internal audit capabilities and objectives
A detailed list of enterprise units showing all of the areas that internal audit could review is of little value unless internal audit has the skills and resources to launch audits in those areas. Based on the preliminary list of auditable units and candidates, internal audit should analyze each of these potential internal audit candidates as follows:
- Establish high-level control objectives for each of the audit universe candidates.
- Assess high-level risks for audit universe candidates.
- Coordinate the internal audit activity with other audit and governance interests.
- Develop high-level control objectives for audits designated by the audit universe.
- Develop a preliminary control assessment questionnaire for each audit.
(Moeller, 2009, pp 242, 243)

9 Approval of the audit universe
The CAE and a key internal audit team may go through massive efforts to build and maintain the internal audit universe, and may have solicited help and advice from senior management on the contents and assumptions of this audit universe, but the audit committee is the entity responsible for reviewing and approving such a document. In the end, the audit committee is responsible if there are any questions regarding why internal audit did or did not look at some area, and the CAE should carefully brief the audit committee members and explain key assumptions. The audit universe schedule should be prepared and updated on an annual basis for audit committee review and approval. (Moeller, 2009, pp 245)

10 Example of Audit Universe
(Figure; Moeller, 2009, pp 246)

11 Example of IT Audit Annual Plan
(Figure; Moeller, 2009, pp 156)

12 IT Audit Lifecycle
1. Audit Planning & Preparation
2. Audit Execution
3. Audit Follow-up

15 IT Audit Lifecycle – Planning & Preparation
(Figure)

16 IT Audit Lifecycle – a) Planning & Preparation Stage
i. Planning
ii. Preliminary Survey
iii. Audit Request

17 IT Audit Lifecycle – a) Planning & Preparation Stage
i. Planning
- "Memo to files" document: a document prepared by the audit manager for the internal audit team, outlining the upcoming planned audit
- Determine the audit objectives and scope
  - Objective: a high-level statement that describes what internal audit is planning to accomplish in the audit
  - Scope: a statement that explains the coverage and boundaries of an audit exercise
- Audit schedule and time estimates: depend on the nature and complexity of the audit project and on the auditors' abilities and skills
- Auditor assignment
  - Selection of audit team members
  - Allocation of tasks to each team member
  - Deciding when tasks should commence
  - Estimation of the duration of each task based on the allocated auditors

18 Audit Planning Memo Sample
(Figure; Moeller, 2009, pp 156)

19 Preliminary Audit Plan
(Figure; Moeller, 2009, pp 323)

20 IT Audit Lifecycle – a) Planning & Preparation Stage
ii. Preliminary Survey
- To gather background materials related to the entities to be audited
- Usually conducted by the designated in-charge auditor
- Review of prior workpapers: the prior audit objectives and scope, audit workpapers and audit programs used in the prior audit should be reviewed to gain familiarity with the approaches used and the results of those audits
- Review of prior audit reports: to review the significant findings and the corrective actions suggested, and to include the review of these corrective actions in the upcoming audit
- Organization of entity: to obtain the organization chart of the auditee to understand its structure and responsibilities
- Other related audit materials: supporting data from related completed, planned or in-process audits

21 IT Audit Lifecycle – a) Planning & Preparation Stage
iii. Audit Request
- To inform the entity to be audited of the planned audit (however, for a fraud detection review, the auditee will not be informed beforehand)
- "Engagement letter" to the auditee: a formal letter or notification to the auditee on the upcoming audit. It usually consists of:
  - When the audit is scheduled
  - Who will be performing the audit (i.e. audit team members)
  - Why the audit has been planned (i.e. a regular scheduled audit, a management request, or an audit committee request)
(Moeller, 2009, pp 160)

22 Audit Engagement Letter Sample
(Figure; Moeller, 2009, pp 161)

23 IT Audit Lifecycle – Execution
(Figure)

24 IT Audit Lifecycle – b) Execution
i. Fieldwork
ii. Solution Development
iii. Report Issuance

25 IT Audit Lifecycle – b) Execution Stage
i. Fieldwork
- Allows auditors:
  - To be familiar with the auditees' business operations and processes
  - To evaluate the control structure and level of control risk in the various processes and systems
- Information to be collected/reviewed:
  - Organization chart: the key personnel, functions, roles, responsibilities
  - Manuals and directives: policies, manuals, laws, regulations, data
  - Reports: relevant management reports and minutes of meetings related to the audit areas
  - Results of any external inspections or management reviews
(Moeller, 2009, pp 163)

26 IT Audit Lifecycle – b) Execution Stage
i. Fieldwork
- Personal observation
  - A tour or walkthrough of the activities will familiarize the auditors with the entity, its operations and its personnel
  - Compliance with the policies, procedures, rules and regulations can also be observed and should be documented
- Discussions with key personnel
  - Help to determine any known problem areas, the current results of the unit's operations, and changes or reorganizations
- Documenting the fieldwork
- Identification and development of findings. Components of a finding:
  - Criteria: standards against which observed conditions will be measured
  - Conditions: the actual observations during audit testing
  - Effects: the impact to the business associated with the observed problem
  - Cause: reasons for internal control failures
(Moeller, 2009, pp 164)

27 IT Audit Lifecycle – b) Execution Stage
ii. Solution Development
- To propose recommendations based on the fieldwork:
  - No changes
  - Improve control
  - Transfer of risk
- Approaches to suggesting recommendations:
  - Recommendation Approach: auditors provide recommendations for the raised issues, then ask the auditees whether they agree with the proposed recommendations
  - Management-Response Approach: auditors highlight issues; auditees provide the responses and action plans
  - Solution Approach: collaborative work between auditors and auditees in coming up with solutions to resolve issues

28 IT Audit Lifecycle – b) Execution Stage
iii. Report Issuance
- Conduct an exit meeting with the auditees to discuss the findings, recommendations, and text of the draft. The auditees may comment on the draft, and the group works to reach an agreement on the audit findings.
- Preparation of the audit report: a document that describes the audit performed in terms of what was observed, and that communicates the results of the audit. Elements of an audit report:
  - Objectives, timing and scope of the audit: summary of the high-level audit objectives, where the audit was conducted and its scope
  - Descriptions of findings: description of what was found "wrong" during the audit (i.e. internal control weaknesses, violations of procedures, etc.)
  - Recommendations: the suggested corrective actions
  - Documentation of plans and clarifications of the auditee's views: the auditee may state mitigating circumstances or provide clarification of any findings raised
(Moeller, 2009, pp 352)

29 IT Audit Lifecycle – c) Follow Up
i. Recommendation Evaluation
ii. Self Assessment

30 IT Audit Lifecycle – c) Follow Up
i. Recommendation Evaluation
- Determine and assess whether audit recommendations have been implemented
- Follow-up report development and issuance
ii. Self Assessment
- Auditors perform a self-assessment of the audit assignment

32 Audit work papers
What are audit work papers?
Written records kept to gather documentation, reports, correspondence and other materials (the evidential matter) that are accumulated during an audit exercise (Moeller, 2009, pp 335)

33 Audit work papers
Functions:
- Basis for planning an audit: workpapers from a prior audit provide an auditor with background information for conducting a current review in the same overall area. They may contain descriptions of the entity, evaluations of internal control, time budgets, audit programs used, and other results of past audit work.
- Record of audit work performed: workpapers describe the current audit work performed and also provide a reference to an established audit program.
- Use during the audit: the workpapers play a direct role in carrying out the specific audit effort.
- Description of situations of special interest: as the audit work is carried out, situations may occur that have special significance in such areas as compliance with established policies and procedures, accuracy, efficiency, personnel performance, or potential cost savings.
(Moeller, 2009, pp )

34 Audit work papers
Functions:
- Support for specific audit conclusions: workpapers should provide sufficient evidential matter to support the specific audit findings that are included in a formal audit report.
- Reference source: workpapers can answer additional questions raised by management or by external auditors. Workpapers also provide basic background materials that may be applicable to future audits of the particular entity or activity.
- Staff appraisal: the performance of a staff member during an audit, including the auditor's ability to gather and organize data, evaluate it, and arrive at conclusions, is directly reflected in or demonstrated by the workpapers.
- Audit coordination: an internal auditor may exchange workpapers with external auditors, each relying on the other's work. In addition, government auditors, in their regulatory reviews of internal controls, may request to examine the internal auditor's workpapers.
(Moeller, 2009, pp )

35 Audit work papers
Objectives:
- Document the planning, performance, and review of audit work: include audit planning and scoping decisions, testing methodologies and results, and evidence of review and completion of audit program work steps.
- Provide the principal support for audit communications such as observations, conclusions, and the final report: contain sufficient competent, relevant, and useful information to provide a sound basis (act as evidence) for engagement observations and recommendations, to support the auditor's assessment.
- Facilitate third-party reviews and re-performance requirements: provide an audit trail that enables a technically competent individual who has no experience with the prior audit to re-perform procedures.
- Provide a basis for evaluating the internal audit activity's quality control program: a tangible representation of the project that can be assessed during the quality review.
Source: Practice Advisory: Recording Information, from the International Standards for the Professional Practice of Internal Auditing (Standards)

36 Audit work papers
In summary, the workpapers serve as the connecting link between the audit assignment, the auditor's fieldwork, and the final report. Therefore, the workpapers will:
- provide documentation of evidence
- support findings and recommendations

37 Audit Plan
A detailed outline of the auditor's plans and procedures used in conducting an audit. An audit plan will include the following items:
- the audit objectives and scope of work
- background information about the activities to be audited, including the risks associated with the area
- the resources necessary to perform the audit
- the names of individuals who need to know about the audit
- the results, if appropriate, of an on-site survey to become familiar with the activities and controls to be audited, to identify areas for audit emphasis, and to invite auditee comments and suggestions
- the audit program
- how, when, and to whom audit results will be communicated

38 Audit Program
Detailed step-by-step procedures to be followed during an audit. Consists of:
- Audit concerns
- Audit objectives
- Evidence to be examined
- Procedures to follow
(Figure: Audit Program)

39 Audit Findings Worksheet
Consists of:
- Condition
- Criteria
- Cause
- Effect
- Recommendation
(Figure: Audit Findings Worksheet)

40 Audit Report
A document that is issued to auditee management to record the findings of the audit and the recommended actions to rectify findings or improve controls. Consists of:
- Audit Scope
- Executive Summary
- Background and methodology
- Findings/Issues
- Prioritised action list, with suggested fixes and timeline
Sample audit report ( Verifications/IT05Full-IT05Detaille_eng.pdf)

41 Sampling Methods
Audit evidence: the assessment made by internal auditors about audit issues, or to fulfill audit objectives, through detailed reviews. However, auditors generally do not look at every item in an area of audit concern to develop evidence to support an audit. Rather, the internal auditor examines a limited set of files or reports and reviews selected sample items to develop audit conclusions over the entire set or population of data. (Moeller, 2009, pp 199)

42 Sampling Methods
The internal audit sampling challenge is to extract a sample of items that will be representative of the entire population. For example, if there are 100,000 transactions and the internal auditor looks at only 50 of them and finds 10 exceptions (20% of the sample), can the auditor conclude that 20% of the entire population of transactions (i.e. 20,000 transactions) are exceptions? Audit sampling techniques can help an auditor to determine an appropriate sample size and develop an opinion for this type of audit task. (Moeller, 2009, pp 200)

44 Sampling Methods
There are two types of audit sampling:
- Statistical: a mathematics-based method of selecting representative items that reflect the characteristics of the entire population
- Non-statistical: also called judgment sampling; it is not supported by mathematical theory and does not allow the auditor to express statistically precise opinions on the entire population
(Moeller, 2009, pp 200)

45 Statistical Sampling Methods
Advantages:
- Conclusions may be drawn regarding an entire population of data. If a statistical sampling method is used, information can be projected accurately over the entire population without performing a 100% check on the population.
- Sample results are objective and defensible. An audit test based on random selection is objective and even defensible in a court of law.
- Less sampling may be required through the use of audit sampling. Using mathematics-based statistical techniques, internal auditors often do not need to increase the size of a sample directly in proportion to the size of the population to be sampled.
(Moeller, 2009, pp )

46 Statistical Sampling Methods
Advantages:
- Statistical sampling may provide for greater accuracy than a 100% test. When voluminous amounts of data items are counted in their entirety, the risk of significant clerical or audit errors increases. However, a small sample typically receives very close scrutiny and analysis. The more limited sample is subject only to sampling errors resulting from the statistical projection.
- Audit coverage of multiple locations is often more convenient. Audits can be performed at multiple locations with small samples taken at individual sites to complete an overall sampling plan. In addition, an audit using comprehensive statistical sampling may be started by one auditor and continued by another. Each of their sample results can be combined to yield one set of audit results.
(Moeller, 2009, pp )

47 Judgmental Sampling Methods
This approach requires the internal auditor to use his or her best judgment to design and select a sample. It requires the auditor to select a representative sample of items in a population of data or transactions for audit review. Three (3) decisions need to be made when planning to adopt the judgmental sampling method:
- Develop the method of selection and decide what types of items are to be examined
- The size of the sample
- How to interpret and report the audit results from the judgmental sample
(Moeller, 2009, pp )
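The following worked example is added here to make the statistical versus judgmental distinction of slides 42, 44, 45 and 47 concrete; it is not code from the presentation or from Moeller. It takes the slide's scenario (10 exceptions in a random sample of 50 out of 100,000 transactions) and shows what a statistical sample actually licenses the auditor to say: not "20% of the population are exceptions", but a 95% interval for the population exception rate, computed here with the Wilson score interval. It also shows that the required sample size for a target precision depends on the sample, not on the size of the population, and contrasts a random (projectable) sample with a judgmental "largest items" sample whose exception rate cannot be projected. The population, the 15% hidden exception rate and the seeds are constructed values for the demonstration.

```python
import math
import random

# Constructed example population: 100,000 transactions, of which a hidden
# fraction are control exceptions. In a real audit this "truth" is unknown;
# it is built here only so the projection can be compared against it.
POPULATION_SIZE = 100_000
TRUE_EXCEPTION_RATE = 0.15  # assumed value for the constructed data


def build_population(size=POPULATION_SIZE, exception_rate=TRUE_EXCEPTION_RATE, seed=424):
    """Return a list of (transaction_id, amount, is_exception) tuples."""
    rng = random.Random(seed)
    population = []
    for txn_id in range(size):
        amount = round(rng.uniform(10.0, 50_000.0), 2)
        population.append((txn_id, amount, rng.random() < exception_rate))
    return population


def statistical_sample(population, n, seed=1):
    """Simple random sample without replacement: every item has the same
    chance of selection, which is what makes the result projectable."""
    rng = random.Random(seed)
    return [population[i] for i in rng.sample(range(len(population)), n)]


def judgmental_sample(population, n):
    """Non-statistical (judgment) sample: the auditor deliberately picks the
    n largest transactions. Useful for coverage of material items, but the
    exception rate found here cannot be projected to the population."""
    return sorted(population, key=lambda t: t[1], reverse=True)[:n]


def wilson_interval(exceptions, n, z=1.96):
    """95% Wilson score interval for the population exception rate, given
    `exceptions` exceptions observed in a random sample of size n.
    The population size does not appear: the precision of a random sample
    depends on n, not on how large the population is."""
    p = exceptions / n
    z2 = z * z
    denom = 1 + z2 / n
    centre = (p + z2 / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z2 / (4 * n * n)) / denom
    return centre - half, centre + half


def required_sample_size(expected_rate, margin, z=1.96):
    """Sample size needed for a +/- `margin` interval around an expected
    exception rate (normal approximation); independent of population size."""
    return math.ceil(z * z * expected_rate * (1 - expected_rate) / (margin * margin))


def project_exceptions(population_size, exceptions, n):
    """Project the sample result onto the population: returns the point
    estimate and the 95% interval, all as counts of transactions."""
    lo, hi = wilson_interval(exceptions, n)
    point = population_size * exceptions / n
    return round(point), round(population_size * lo), round(population_size * hi)


if __name__ == "__main__":
    # The slide's question: 10 exceptions in 50 of 100,000 transactions.
    print("Point estimate and 95% range (count):", project_exceptions(100_000, 10, 50))
    print("Sample size for +/-5% around a 20% rate:", required_sample_size(0.20, 0.05))

    population = build_population()
    sample = statistical_sample(population, 50)
    found = sum(1 for _, _, exc in sample if exc)
    lo, hi = wilson_interval(found, 50)
    print(f"Random sample: {found}/50 exceptions -> {lo:.1%} to {hi:.1%} of population")
    judged = judgmental_sample(population, 50)
    print("Judgmental (largest 50) exceptions:", sum(1 for _, _, exc in judged if exc), "(not projectable)")
```

For the slide's numbers the interval runs from roughly 11% to 33% (about 11,200 to 33,000 transactions), so the honest statement is "the exception rate is somewhere in that range with 95% confidence", not "20,000 transactions are exceptions"; a sample of 246 would be needed to narrow that to plus or minus five points, whether the population holds 100,000 or 10 million items. The judgmental sample of the largest transactions gives no such interval because its items were not chosen with equal probability.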

48 Judgmental Sampling Methods
Example of problems related to audit findings using a judgmental sample (Figure; Moeller, 2009, pp 204)
