PowerPoint Presentation

Audit Planning ProcessAt the strategic and tactical levelAudit Plan"Audit planning" means developing a general strategy and a detailed approach for the expected nature, timing and extent of theaudit.

fundamental component | preliminary evaluation of internal controls via the appropriate information gathering and control evaluation techniques.

BENEFITS of an Audit Plan

Helps to achieve the audit objectives.

Ensures sufficient scope to cover all the risks involved.

Aids to avoid over-auditing and inefficient use of resources.

A structured, well-documented audit plan identifies and establishes the criteria against which a successful audit will be measured.

Planning ProcessIdentifying the tasks to be performed in the course of an audit.

Allocation of those tasks to specific auditors.

Deciding when a task should commence.

Quantification of the duration of each individual task based on the auditor allocated.The ELEMENTSAn audit plan should include:Tentative determination of the objectives and scope of the audit. Upon agreement, an engagement letter will be sent to the client. Involves review of control objectives throughreading of operating procedure manual,discussions with operating management, interviewing user staff, and site visits. Performance objectives must be established - involve determining the level of managements understanding of their own key performance areas (KPAs) Key performance indicators (KPIs) must be identified that will enable the performance to be measured appropriately. The risks and threats that could lead to non-achievement, underachievement, or even failure must then be assessed.Internal threats External threats

The selection of the audit team. Determining of objectives and scope. Coordinating the work including assigning team members. Coordinating the project with other work going on in the department at the same time. Reviewing all documentation for the audit process.

Initial communication with the auditees and others involved in the audit.

Preparation of the preliminary audit program. audit program - a detailed list of analytical steps to be carried out during the course of the audit. critical element is the determination of which evidence will be examined.The planning of the audit report.In order for management to be convinced that changes to control procedures are necessary, the auditor must produce a report that is objective but persuasive, clear, concise, constructive, and timely.

Approval for the audit approach. It is the responsibility of the in-charge auditor to review and approve the audit program prior to the commencement of actual work by the audit team. STRUCTURE of the PLANThe survey itself will typically include an opening conference between members of the audit team and auditee management to outline the audit assignment with management and coordinate audit activities with auditee operations. On-site tour. Further studies of selected documents.Preliminary SurveyTo gain an initial understanding and gather preliminary evidence.Limited testing of such controls may take place at this stage in order to determine the size of subsequent testing required. Based on this information the auditor would evaluate the system of internal controls in order to determine whether the control structures in place, if effective, would lead to the desired level of control.Internal Control Description and AnalysisPreparation of details.These are the tests that would be included in the final audit program as an addition to the preliminary audit program. Examination of records and documents. Interviews with auditee management and other personnel. Observation of operations. Examination of assets. Interrogation of computer files. Comparisons of audit results to auditees reports. Other procedures designed to test the effectiveness of the system of internal control.Expanded Tests Determine internal control structure effectiveness.A finding consists of four distinct parts.Criteria are those standards against which observed conditions will be measured. Conditions refer to what was actually observed during the course of audit testing.The effect refers to the impact on the business associated with any observed problems.The cause of the problem addresses failures of internal control or weaknesses within the internal control structures. Findings and RecommendationsDevelop the findings and determine what changes, if any, are necessary.Typically forms of Recommendation

Make no changes in the control system where controls are deemed to be both adequate for a given level of a risk and effective in controlling that risk and the current control system is seen to be cost effective.Improve control and reduce risk either by modifying current controls or by adding new ones.For those areas where risk is not at acceptable levels, but control is impractical or not cost effective to implement, the auditor may recommend the transfer of risk either by insurance or outsourcing.Should there remain an element of risk uncovered by the system of internal control but nevertheless at an unacceptable level, the auditor may be able to recommend changes that would improve the rate of return for accepting that level of risk.Findings and RecommendationsDevelop the findings and determine what changes, if any, are necessary.The overall objective of the audit was to assist management to improve control within the organization. As such, communication via the audit report is a critical element. It is the audit report that will persuade management to take effective action or conversely fail to persuade management.Report ProductionDocumenting and communicating the final results.This follow-up will itself result in the production of a report, albeit a short one, which will hopefully state that all outstanding issues have now been resolved.Following Up The final stage of the audit relates to the evaluation made by the auditors of themselves. No audit is complete until the full audit process has been executed. Audit EvaluationTypes of Audit Financial audits tend to involve the verification of figures produced by the computer systems. Operational audits focus on the effectiveness and efficiency of business operations and could include IT in itself as a business function. General control audits focus on the management controls around the information processing function and facility and may be either operational or compliance based. Application audits can take the form of reviews of live application systems within the user arena, audits of application systems under development, or audits of the applications systems development process itself. Audits involving operating systems are less concerned with audits of the operating system itself but rather the way in which the installation has chosen to implement operating system options. Physical access audits are performed in the same manner as physical access audits to any corporate asset for the primary objective and safeguarding of the corporate asset. Logical access audits, however, will typically involve interrogation of computer systems control files in order to match access rights granted against job requirements.