Part 3 - Planning the IT Audit
Transcript of Part 3 - Planning the IT Audit
8/17/2019 Part 3 - Planning the IT Audit
Definition of IT audit – An IT audit can be defined as any audit that encompasses review and
evaluation of automated information processing systems, related non-automated processes and the
interfaces among them. Planning the IT audit involves two major steps. The first step is to gather
information and do some planning; the second step is to gain an understanding of the existing
internal control structure. More and more organizations are moving to a risk-based audit approach,
which is used to assess risk and helps an IT auditor make the decision as to whether to perform
compliance testing or substantive testing. In a risk-based approach, IT auditors rely on
internal and operational controls as well as their knowledge of the company or the business. This
type of risk assessment decision can help relate the cost-benefit analysis of the control to the known
risk. In the “Gathering Information” step the IT auditor needs to identify five items:
• Knowledge of business and industry
• Prior year’s audit results
• Recent financial information
• Regulatory statutes
• Inherent risk assessments
A side note on “inherent risk”: it is defined as the risk that an error exists that could be material or
significant when combined with other errors encountered during the audit, assuming there are no
related compensating controls. As an example, complex database updates are more likely to be
miswritten than simple ones, and thumb drives are more likely to be stolen (misappropriated) than
blade servers in a server cabinet. Inherent risks exist independent of the audit and can occur
because of the nature of the business.
In the “Gain an Understanding of the Existing Internal Control Structure” step, the IT auditor needs to
identify five other areas/items:
• Control environment
• Control procedures
• Detection risk assessment
• Control risk assessment
• Equate total risk
Once the IT auditor has “Gathered Information” and “Understands the Control”, they are ready
to begin the planning, or selection of areas, to be audited. Remember, one of the key pieces of
information that you will need in the initial steps is a current Business Impact Analysis (BIA), to assist
you in selecting the applications which support the most critical or sensitive business functions.
Objectives of an IT audit
Most often, IT audit objectives concentrate on substantiating that the internal controls exist and are
functioning as expected to minimize business risk. These audit objectives include assuring
compliance with legal and regulatory requirements, as well as the confidentiality, integrity, and
availability (CIA; no, not the federal agency, but information security) of information systems and
data.
IT audit strategies
There are two areas to talk about here: the first is whether to do compliance or substantive testing,
and the second is “How do I go about getting the evidence to allow me to audit the application and
make my report to management?” So what is the difference between compliance and substantive
testing? Compliance testing is gathering evidence to test whether an organization is following its
control procedures. On the other hand, substantive testing is gathering evidence to evaluate the
integrity of individual data and other information. Compliance testing of controls can be
described with the following example. An organization has a control procedure which states that all
application changes must go through change control. As an IT auditor you might take the current
running configuration of a router as well as a copy of the -1 generation of the configuration file for the
same router, run a file compare to see what the differences were, and then take those differences
and look for supporting change control documentation. Don't be surprised to find that network
admins, when they are simply re-sequencing rules, forget to put the change through change control.
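The router compliance test just described, as an added example that is not part of the original article: two constructed snapshots of one router's configuration (the previous generation and the current running config) are diffed, and every changed line is checked against a constructed change-control log. The hostname, ACL contents, ticket id and the helper functions are all assumptions; ACL rules that merely changed sequence number are reported separately, since that is the change the article says tends to skip change control.

```python
import difflib
import re

# Constructed snapshots: the previous generation and the current running config.
PREVIOUS_CONFIG = """\
hostname edge-rtr-01
ip access-list extended INBOUND
 10 permit tcp any host 10.0.0.5 eq 443
 20 permit tcp any host 10.0.0.5 eq 22
ntp server 10.0.0.10
"""
CURRENT_CONFIG = """\
hostname edge-rtr-01
ip access-list extended INBOUND
 10 permit tcp any host 10.0.0.5 eq 22
 20 permit tcp any host 10.0.0.5 eq 443
ntp server 10.0.0.11
snmp-server community public RO
"""
# Constructed change-control log: ticket id -> config lines that ticket approved.
CHANGE_TICKETS = {"CHG-1042": ["ntp server 10.0.0.11"]}

def config_changes(old, new):
    """Return (added, removed) lines between two snapshots, whitespace stripped."""
    diff = difflib.unified_diff(old.splitlines(), new.splitlines(), lineterm="", n=0)
    added, removed = [], []
    for line in diff:
        if not line.startswith(("--- ", "+++ ", "@@")):  # skip headers/hunk markers
            (added if line[0] == "+" else removed).append(line[1:].strip())
    return added, removed

def rule_body(line):
    """Drop a leading ACL sequence number so a re-ordered rule compares equal."""
    return re.sub(r"^\d+\s+", "", line)

def audit_changes(old, new, tickets):
    """Pair each added line with its approving ticket, or flag it as unsupported."""
    added, removed = config_changes(old, new)
    approved = {line: tid for tid, lines in tickets.items() for line in lines}
    old_bodies = {rule_body(l) for l in removed}
    findings = []
    for line in added:
        if line in approved:
            findings.append((line, approved[line]))
        elif line != rule_body(line) and rule_body(line) in old_bodies:
            findings.append((line, "UNSUPPORTED: rule re-sequenced, no change record"))
        else:
            findings.append((line, "UNSUPPORTED: no change record"))
    return findings
```

Each finding pairs a changed line with either the ticket that supports it or the reason it is unsupported, which is the evidence list the auditor then takes back to the change-control records.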
For substantive testing, let's say that an organization has a policy/procedure concerning backup tapes
at the offsite storage location which includes 3 generations (grandfather, father, son). An IT auditor
ensure the completeness and accuracy of the records and the validity of the entries made to them.
Application controls are controls over IPO (input, processing, output) functions, and include methods
for ensuring that:
• Only complete, accurate and valid data are entered and updated in an application system
• Processing accomplishes the designed and correct task
• The processing results meet expectations
• Data is maintained
As an IT auditor, your tasks when performing an application control audit should include:
• Identifying the significant application components and the flow of transactions through the application (system), and gaining a detailed understanding of the application by reviewing all available documentation and interviewing the appropriate personnel, such as the system owner, data owner, data custodian and system administrator.
• Identifying the application control strengths and evaluating the impact, if any, of weaknesses you find in the application controls
• Developing a testing strategy
• Testing the controls to ensure their functionality and effectiveness
• Evaluating your test results and any other audit evidence to determine if the control objectives were achieved
• Evaluating the application against management’s objectives for the system to ensure efficiency and effectiveness.
IT audit control reviews
After gathering all the evidence the IT auditor will review it to determine if the operations audited are
well controlled and effective. Now this is where your subjective judgment and experience come into
play. For example, you might find a weakness in one area which is compensated for by a very
strong control in another adjacent area. It is your responsibility as an IT auditor to report both of
these findings in your audit report.
The audit deliverable
So what's included in the audit documentation, and what does the IT auditor need to do once their
audit is finished? Here's the laundry list of what should be included in your audit documentation:
• Planning and preparation of the audit scope and objectives
• Description and/or walkthroughs on the scoped audit area
• Audit program
• Audit steps performed and audit evidence gathered
• Whether services of other auditors and experts were used and their contributions
• Audit findings, conclusions and recommendations
• Audit documentation relation with document identification and dates (your cross-reference of evidence to audit step)
• A copy of the report issued as a result of the audit work
• Evidence of audit supervisory review
• Detailed findings and recommendations
Finally, there are a few other considerations which you need to be cognizant of when preparing and
presenting your final report. Your report will want to be timely so as to encourage prompt corrective action.
And as a final, final parting comment, if during the course of an IT audit you come across a
materially significant finding, it should be communicated to management immediately, not at the end
of the audit.