Conducting the IT Audit

1 Conducting the IT Audit
Revised 2014

2 Content
- ISACA IT Audit Standards, Guidelines and Procedures
- IT Audit Lifecycle
- Audit Work Papers
- Using the COBIT framework to perform an audit
CISB424, Sulfeeza

3 ISACA IT Audit Standards, Guidelines and Procedures
IT Assurance Framework (ITAF): a comprehensive, good-practice-setting reference model that:
- establishes standards that address IS audit and assurance professionals' roles and responsibilities; knowledge and skills; and diligence, conduct and reporting requirements
- defines terms and concepts specific to IS assurance
- provides guidance, tools and techniques on the planning, design, conduct and reporting of IS audit and assurance assignments
(Source: ISACA)

4 ISACA IT Audit Standards, Guidelines and Procedures
ITAF provides three levels of guidance.
A) Standards define mandatory requirements for IT auditing and reporting. ITAF IS audit and assurance standards fall into three categories:
- General standards (1000 series): the guiding principles under which the IS assurance profession operates. They apply to the conduct of all assignments and deal with the IS audit and assurance professional's ethics, independence, objectivity and due care, as well as knowledge, competency and skill.
- Performance standards (1200 series): deal with the conduct of the assignment, such as planning and supervision, scoping, risk and materiality, resource mobilisation, supervision and assignment management, audit and assurance evidence, and the exercise of professional judgement and due care.
- Reporting standards (1400 series): address the types of reports, the means of communication and the information communicated.
(Source: ISACA; Cascarino, 2012)

5 ISACA IT Audit Standards, Guidelines and Procedures
B) Guidelines provide guidance on applying the IT audit standards. ITAF IS audit and assurance guidelines are also divided into three categories:
- General guidelines (2000 series)
- Performance guidelines (2200 series)
- Reporting guidelines (2400 series)
C) Tools and techniques (3000 series) provide specific information on methodologies, tools and templates, and direction on their application and use, so that the guidance can be operationalised.
(Source: ISACA; Cascarino, 2012)

6 IT Audit Lifecycle
1. Audit Planning & Preparation
2. Audit Execution
3. Audit Follow-up

7 IT Audit Lifecycle – Planning & Preparation
Audit request
1. Identification of audit objectives, scope, tasks and duration
2. Preliminary study of the auditee's operations and environment
Auditor assignment
1. Selection of audit team members
2. Allocation of tasks to each team member
3. Deciding when tasks should commence
4. Estimation of the duration of each task based on the allocated auditors
Engagement letter to auditee

8 IT Audit Lifecycle – Execution
Fieldwork
1. Review of risks and the internal controls implemented
2. Testing of controls. Sampling approaches:
   - Non-statistical/judgmental sampling
   - Statistical sampling
3. Risk assessment
4. Identification and development of findings. Components of a finding:
   - Criteria: the standards against which observed conditions are measured
   - Condition: the actual observations made during audit testing
   - Effect: the impact on the business associated with the observed problem
   - Cause: the reasons for the internal control failure
Solution development
1. Propose recommendations:
   a. No change
   b. Improve the control
   c. Transfer the risk
   Recommendation approaches:
   - Recommendation approach: auditors provide recommendations for the issues raised and ask the auditees whether they agree with them
   - Management-response approach: auditors highlight the issues; auditees provide the responses and action plans
   - Solution approach: auditors and auditees collaborate to develop solutions that resolve the issues
Report issuance
1. Conduct an exit meeting to discuss the findings, recommendations and the text of the draft; the auditees may comment on the draft and the group works to reach agreement on the audit findings
2. Draft report
3. Final report
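The "Testing of controls" step above names statistical sampling without showing how an auditor gets from a sample to a conclusion. The following is an added worked example, not code from the slides or from ISACA: attribute sampling for a test of controls using the binomial distribution. It computes the sample size for a tolerable deviation rate and confidence level, draws a reproducible random sample, counts deviations, and derives the achieved upper deviation limit that decides whether the control can be relied on. The scenario is hypothetical (the control is "every production change ticket has a documented approval"), and the ticket population and the set of unapproved tickets are constructed data.

```python
"""Attribute sampling for a test of controls.

Added example, not from the slides. Hypothetical scenario: the control under
test is "every production change ticket has a documented approval". The
population and the set of unapproved tickets below are constructed data.
"""
import math
import random
from dataclasses import dataclass
from typing import Callable, Sequence


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p), computed exactly with math.comb."""
    return sum(math.comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def sample_size(tolerable_rate: float, confidence: float, expected_deviations: int = 0) -> int:
    """Smallest n such that, if the true deviation rate equalled the tolerable
    rate, seeing at most `expected_deviations` deviations would happen with
    probability <= 1 - confidence. With a 5% tolerable rate, 95% confidence
    and zero expected deviations this gives 59, matching the usual
    attribute-sampling tables."""
    alpha = 1 - confidence
    n = expected_deviations + 1
    while binom_cdf(expected_deviations, n, tolerable_rate) > alpha:
        n += 1
    return n


def upper_deviation_limit(deviations: int, n: int, confidence: float) -> float:
    """One-sided upper confidence bound on the population deviation rate:
    the smallest p for which observing <= `deviations` in n items has
    probability <= 1 - confidence. Found by bisection; the CDF is monotone
    decreasing in p, so the search is well defined."""
    alpha = 1 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(deviations, n, mid) > alpha:
            lo = mid  # p still too small to be ruled out at this confidence
        else:
            hi = mid
    return hi


@dataclass(frozen=True)
class ControlTestResult:
    sample_size: int
    deviations: int
    upper_deviation_limit: float
    tolerable_rate: float

    @property
    def control_effective(self) -> bool:
        # The auditor may rely on the control only if the achieved upper
        # deviation limit does not exceed the tolerable deviation rate.
        return self.upper_deviation_limit <= self.tolerable_rate


def evaluate_control(population: Sequence[str], is_deviation: Callable[[str], bool],
                     tolerable_rate: float = 0.05, confidence: float = 0.95,
                     seed: int = 2014) -> ControlTestResult:
    """Select a random sample of the required size, count deviations and
    evaluate the result. A fixed seed makes the selection reproducible, so
    it can be recorded in the work papers and re-performed by a reviewer."""
    n = min(sample_size(tolerable_rate, confidence), len(population))
    sample = random.Random(seed).sample(list(population), n)
    k = sum(1 for item in sample if is_deviation(item))
    return ControlTestResult(n, k, upper_deviation_limit(k, n, confidence), tolerable_rate)


# Constructed data: 400 change tickets; in the flawed scenario every tenth
# ticket lacks an approval record (a 10% true deviation rate).
TICKETS = [f"CHG-{i:04d}" for i in range(1, 401)]
UNAPPROVED = {t for i, t in enumerate(TICKETS, start=1) if i % 10 == 0}

if __name__ == "__main__":
    clean = evaluate_control(TICKETS, lambda t: False)
    flawed = evaluate_control(TICKETS, lambda t: t in UNAPPROVED)
    for name, r in (("clean", clean), ("flawed", flawed)):
        print(f"{name}: n={r.sample_size} deviations={r.deviations} "
              f"UDL={r.upper_deviation_limit:.3f} effective={r.control_effective}")
```

The point a practitioner should take from the numbers: with 59 items and zero deviations the upper limit lands just under 5%, so the control passes; a single deviation in the same sample pushes the upper limit to roughly 8%, above the tolerable rate, so the finding is "control not operating effectively" even though the observed rate is under 2%. The sample size, seed, selected items and computed limit are exactly what belongs in the work papers so that a reviewer can re-perform the test.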

9 IT Audit Lifecycle – Follow Up
Recommendations evaluation
1. Determine and assess whether the audit recommendations have been implemented
2. Develop and issue the follow-up report
Self-assessment
1. Perform a self-assessment of the audit assignment

10 Audit work papers
Objectives:
- Document the planning, performance and review of audit work: include audit planning and scoping decisions, testing methodologies and results, and evidence of review and completion of audit program work steps.
- Provide the principal support for audit communications such as observations, conclusions and the final report: contain sufficient competent, relevant and useful information to provide a sound basis (evidence) for engagement observations and recommendations and to support the auditor's assessment.
- Facilitate third-party reviews and re-performance requirements: provide an audit trail that enables a technically competent individual with no experience of the prior audit to re-perform the procedures.
- Provide a basis for evaluating the internal audit activity's quality control program: a tangible representation of the project that can be assessed during the quality review.
(Source: Practice Advisory: Recording Information, from the International Standards for the Professional Practice of Internal Auditing (Standards))

11 Audit work papers
The work papers are the connecting link between the audit assignment, the auditor's fieldwork and the final report. They therefore:
- provide documentation of evidence
- support findings and recommendations

12 Work papers and audit cycle
1. Audit Planning & Preparation: audit plan, audit program
2. Audit Execution: audit working papers, draft audit report, final audit report
3. Audit Follow-up: follow-up checklist, follow-up report

13 Audit Plan
A detailed outline of the auditor's plans and the procedures used in conducting an audit. An audit plan includes:
- the audit objectives and scope of work
- background information about the activities to be audited, including the risks associated with the area
- the resources necessary to perform the audit
- the names of individuals who need to know about the audit
- the results, if appropriate, of an on-site survey conducted to become familiar with the activities and controls to be audited, identify areas for audit emphasis, and invite auditee comments and suggestions
- the audit program
- how, when and to whom audit results will be communicated

14 Audit Program
The detailed step-by-step procedures to be followed during an audit. Consists of:
- audit concerns
- audit objectives
- evidence to be examined
- procedures to follow

15 Audit Checklists
Consists of:
- things to be done
- persons who have done them
- reason(s) for not doing them (if any)
- date of execution

16 Audit Findings Worksheet
Consists of:
- Condition
- Criteria
- Cause
- Effect
- Recommendation

17 Audit Report
A document issued to auditee management to record the findings of the audit and the actions recommended to rectify findings or improve controls. Consists of:
- Audit scope
- Executive summary
- Background and methodology
- Findings/issues
- Prioritised action list, with suggested fixes and timeline
Sample audit report: Verifications/IT05Full-IT05Detaille_eng.pdf

18 COBIT®
- Was introduced to meld existing IT standards and best practices into a comprehensive structure for achieving internationally accepted governance standards
- Encompasses the full range of IT activities and processes, focusing on the achievement of control objectives
- Is designed to be used by different roles in an organization:
  - Top management: to ensure that value is obtained from the IT investment and that risk and control are balanced
  - Middle management: to ensure that the management and control of IT resources is appropriate
  - IT management: to ensure that the business strategy is supported by IT resources in a controlled and appropriately managed manner
  - IT auditor: to evaluate the adequacy of controls, design appropriate tests to determine the controls' effectiveness, and provide management with appropriate advice on IT-related internal controls
(Source: Cascarino, 2012)

19 COBIT® Framework
The four domains, 34 processes in total (this is the COBIT 4.1 structure):
a) Plan and Organise (10 processes): processes undertaken by management to ensure that the IT function is properly planned and controlled, providing assurance that IT objectives will be achieved
b) Acquire and Implement (7 processes): processes involved in identifying solutions through to the installation and accreditation of solutions and changes
c) Deliver and Support (13 processes): processes required to deliver the appropriate service levels, manage information and operations, and ensure appropriate performance
d) Monitor and Evaluate (4 processes): processes required to monitor overall IT performance and ensure effective IT governance

