Presentation is loading. Please wait.

Presentation is loading. Please wait.

Week Ten – IT Audit Reporting

Published bySuharto Halim Modified over 5 years ago

Similar presentations

Presentation on theme: "Week Ten – IT Audit Reporting"— Presentation transcript:

1 Week Ten – IT Audit Reporting
IT Audit Process Prof. Liang Yao Week Ten – IT Audit Reporting IT Audit Process Prof. Liang Yao

2 IT Audit Reporting Standards IIA Standards ITAF Standards
Audit Reports Audit Committee Reporting Common Audit Report Mistakes IT Audit Process Prof. Liang Yao

3 IT Audit Reporting IIA Standards Communicate the engagement results
Including: objectives; scope; conclusions; recommendations; action plans Overall Opinion: rating; conclusions; other descriptions of the results Accurate, objective, clear, concise, constructive, complete and timely IT Audit Process Prof. Liang Yao

4 IT Audit Reporting 1401 ITAF Reporting Standards
Who is the audience (considering any restrictions on content and circulation) Scope, objectives, period under review, the nature, timing, and extent of the work performed Findings, conclusions and recommendations What not been covered? (scope qualifications or limitations) Signature, date and distribution IT Audit Process Prof. Liang Yao

5 IT Audit Reporting Key Audit Reports Contents: Executive Summary
Overall Rating and rationale Tiering approach (Satisfactory; Needs Improvement; Unsatisfactory or less than satisfactory) Audit Scope Audit findings with risk rating Management action plan and target dates Report distribution IT Audit Process Prof. Liang Yao

6 Audit Committee Reporting
Chief Auditor must report to AC periodically about audit plan, purpose, authority, responsibility and performance. (quarterly, semi-annually, annually) Including: significant risk exposures, and control deficiencies (fraud, governance, IT, etc.) along with other matters… Senior management should NOT have any influence of over the audit committee meeting and its decisions reached over audit plan, scope, finding remediation status, etc. IT Audit Process Prof. Liang Yao

7 Common Audit Report Issues
Unclear opinions Lack of supporting to the overall report rating – didn’t “Tell the Story” Non-reportable issues: why didn’t make to the report? How were they being handled? Tone of the report align to the testing results documented in the workpaper Adequacy of AC reporting Finding status follow up (see next slides) IT Audit Process Prof. Liang Yao

8 Issue Development ITAF : IS audit and assurance professionals shall ensure that findings in the audit report are supported by sufficient and appropriate evidence. Key elements to consider while developing audit findings Condition or Facts What did you noted? Criteria or Standards What is suppose to happen? Root Cause Analysis (vs. Symptoms) Why did it happen? Symptoms: results or situation that exist Root Cause: the reason why they exist Effect or Impact – “So What” Recommendations IT Audit Process Prof. Liang Yao

9 Issue Development An Sample of answering “So What” question from an audit finding: Issue: “Departed employees still have active account and therefore have access to the claims processing systems.” Why? Because the user ID was not deleted from the system Why? Because system owner was not informed Why Because IT manager didn’t communicate to the system owner upon employees’ departure Why? Because IT manager was not aware it was his/her duty to inform system owner when employee left Why? There is not documented procedures to define the communication flow between HR, IT and system owner – Root cause IT Audit Process Prof. Liang Yao

10 Issue Tracking IIA Guidance
2500 – Monitoring Progress: “The chief audit executive must established a system to monitor the disposition of results communicated to management.” 2500.A1 – The chief audit executive must established a follow up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action. IT Audit Process Prof. Liang Yao

11 Issue Tracking Procedures and Approach
What to follow up? Defined in the audit methodology manual Risk rating criteria Degree of effort and cost Impact if action plan fails Complexity of the plan Time line External, internal and regulatory issues Long term vs. short team action plans Adequacy, effectives and timelines Approval or reject action plans Review risk acceptance process IT Audit Process Prof. Liang Yao

12 Risk Acceptance Process
Who has the authority to accept IT risks and ignore findings raised by IT auditors? What IT Auditors expect regarding the risk acceptance process? Identifying mitigating controls Explain the residual risk level Cost/benefit analysis Independent challenge (e.g. 2nd line) Ops risk review and approval, etc. IT Audit Process Prof. Liang Yao

13 Issue Tracking Procedures and Approach
Ensure the findings are “Factually Accurate” Identify issue owners and executive sponsor ship Provide risk rating Define timeframe for management to responding to findings Evaluate the action plan first (control design) Verify the operation effectiveness of the control Sustainability Track and escalate “pass due” findings (especially for those rated as “high” risk) IT Audit Process Prof. Liang Yao

14 Issue Tracking Procedures and Approach (cont.)
Communicate with management Receiving periodical status updates Adopt phased approach for large complex IT action plans. E.g. network infrastructure rebuilt Interim solutions – to reduce the exposure Report to audit committee of findings status periodically (# of new findings, # of closed findings, # of pass due findings (H, L, M) IT Audit Process Prof. Liang Yao

15 Issue Tracking Procedures and Approach (cont.)
Closure and Verify Prioritization (H-> M-> L) Follow audit methodology Testing procedures Sample approach and rationale Conclusion Red flags Issues are not tracked Large # of pass due findings No remediation testing evidenced but issues were closed IT Audit Process Prof. Liang Yao

Download ppt "Week Ten – IT Audit Reporting"

Similar presentations

Internal Audit Documentation and Working Papers

Internal Audit Documentation and Working Papers
The key steps in an annual cycle Produce the annual work programme Create an annual Internal Audit plan for approval by the Audit Committee, typically.

The key steps in an annual cycle Produce the annual work programme Create an annual Internal Audit plan for approval by the Audit Committee, typically.
18- 1 © 2006 The McGraw-Hill Companies, Inc., All Rights Reserved. Chapter 18 Integrated Audits of Internal Control (For Public Companies Under Sarbanes-Oxley.

18- 1 © 2006 The McGraw-Hill Companies, Inc., All Rights Reserved. Chapter 18 Integrated Audits of Internal Control (For Public Companies Under Sarbanes-Oxley.
Purpose of the Standards

Purpose of the Standards
Chapter 11: Follow-up Reviews and Audit Evaluation ACCT620 Internal Auditing Otto Chang Professor of Accounting.

Chapter 11: Follow-up Reviews and Audit Evaluation ACCT620 Internal Auditing Otto Chang Professor of Accounting.
ISA 220 – Quality Control for Audits of Historical Financial Information

ISA 220 – Quality Control for Audits of Historical Financial Information
Auditing Standards IFTA\IRP Audit Guidance Government Auditing Standards (GAO) Generally Accepted Auditing Standards (GAAS) International Standards on.

Auditing Standards IFTA\IRP Audit Guidance Government Auditing Standards (GAO) Generally Accepted Auditing Standards (GAAS) International Standards on.
What is Business Analysis Planning & Monitoring?

What is Business Analysis Planning & Monitoring?
Reports on Audited Financial Statements

Reports on Audited Financial Statements
Audit objectives, Planning The Audit

Audit objectives, Planning The Audit
Harmonization project The long and winding road to level 3…

Harmonization project The long and winding road to level 3…
CDS Operational Risk Management - October 28, 2005 Existing Methodologies for Operational Risk Mitigation - CDS’s ERM Program ACSDA Seminar - October 26.

CDS Operational Risk Management - October 28, 2005 Existing Methodologies for Operational Risk Mitigation - CDS’s ERM Program ACSDA Seminar - October 26.
Appendix E – Checklist for Review of Performance Audits Presented by: Ashton Coleman Department of Defense Office of the Inspector General August 16, 2012.

Appendix E – Checklist for Review of Performance Audits Presented by: Ashton Coleman Department of Defense Office of the Inspector General August 16, 2012.
Private & Confidential1 (SIA) 13 Enterprise Risk Management The Standard should be read in the conjunction with the Preface to the Standards on Internal.

Private & Confidential1 (SIA) 13 Enterprise Risk Management The Standard should be read in the conjunction with the "Preface to the Standards on Internal.
The views expressed in this presentation do not necessarily reflect those of the Federal Reserve Bank of New York or the Federal Reserve System Association.

The views expressed in this presentation do not necessarily reflect those of the Federal Reserve Bank of New York or the Federal Reserve System Association.
Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.

Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
RAWG.  Risk assessment guideline for strategic and annual planning ◦ Identifying auditing universe ◦ Identification of risks ◦ Categorization of possible.

RAWG.  Risk assessment guideline for strategic and annual planning ◦ Identifying auditing universe ◦ Identification of risks ◦ Categorization of possible.
Copyright © 2007 Pearson Education Canada 1 Chapter 24: Assurance Services: Internal Auditing and Government Auditing.

Copyright © 2007 Pearson Education Canada 1 Chapter 24: Assurance Services: Internal Auditing and Government Auditing.
 Definition of a quality Audit  Types of audit  Qualifications of quality auditors  The audit process.

 Definition of a quality Audit  Types of audit  Qualifications of quality auditors  The audit process.
McGraw-Hill/Irwin Copyright © 2013 by The McGraw-Hill Companies, Inc. All rights reserved.

McGraw-Hill/Irwin Copyright © 2013 by The McGraw-Hill Companies, Inc. All rights reserved.

Similar presentations

Ads by Google