Part 3 - Planning the IT Audit


    8/17/2019 Part 3 - Planning the IT Audit

    Definition of IT audit – An IT audit can be defined as any audit that encompasses review and evaluation of automated information processing systems, related non-automated processes and the interfaces among them. Planning the IT audit involves two major steps. The first step is to gather information and do some planning; the second step is to gain an understanding of the existing internal control structure. More and more organizations are moving to a risk-based audit approach, which is used to assess risk and helps an IT auditor make the decision as to whether to perform compliance testing or substantive testing. In a risk-based approach, IT auditors rely on internal and operational controls as well as their knowledge of the company or the business. This type of risk assessment decision can help relate the cost-benefit analysis of the control to the known risk. In the "Gathering Information" step the IT auditor needs to identify five items:

    • Knowledge of business and industry

    • Prior year’s audit results

    • Recent financial information

    • Regulatory statutes

    • Inherent risk assessments

    A side note on "inherent risks": an inherent risk is defined as the risk that an error exists that could be material or significant when combined with other errors encountered during the audit, assuming there are no related compensating controls. As an example, complex database updates are more likely to be miswritten than simple ones, and thumb drives are more likely to be stolen (misappropriated) than blade servers in a server cabinet. Inherent risks exist independent of the audit and can occur because of the nature of the business.

    In the "Gain an Understanding of the Existing Internal Control Structure" step, the IT auditor needs to identify five other areas/items:

    • Control environment

    • Control procedures


    • Detection risk assessment

    • Control risk assessment

    • Equate total risk

    Once the IT auditor has "Gathered Information" and "Understands the Control", they are ready to begin the planning, or selection of areas, to be audited. Remember that one of the key pieces of information you will need in the initial steps is a current Business Impact Analysis (BIA), to assist you in selecting the applications which support the most critical or sensitive business functions.

    Objectives of an IT audit

    Most often, IT audit objectives concentrate on substantiating that the internal controls exist and are functioning as expected to minimize business risk. These audit objectives include assuring compliance with legal and regulatory requirements, as well as the confidentiality, integrity, and availability (CIA – no, not the federal agency, but information security) of information systems and data.

    IT audit strategies

    There are two areas to talk about here: the first is whether to do compliance or substantive testing, and the second is "How do I go about getting the evidence to allow me to audit the application and make my report to management?" So what is the difference between compliance and substantive testing? Compliance testing is gathering evidence to test whether an organization is following its control procedures. On the other hand, substantive testing is gathering evidence to evaluate the integrity of individual data and other information. Compliance testing of controls can be illustrated with the following example. An organization has a control procedure which states that all application changes must go through change control. As an IT auditor you might take the current running configuration of a router as well as a copy of the -1 generation of the configuration file for the same router, run a file compare to see what the differences were, and then take those differences and look for supporting change control documentation. Don't be surprised to find that network admins, when they are simply re-sequencing rules, forget to put the change through change control.
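    The router-configuration comparison just described, as an added example that is not part of the original article: it diffs two generations of a router config and reconciles each changed line against a change-control log, so that any change no ticket covers surfaces as an audit exception. The config contents, the ticket id `CHG-1042` and the ticket format are all constructed here and are assumptions.

```python
import difflib

# Constructed sample configs: the -1 generation and the current running config.
PREVIOUS_CONFIG = """\
hostname edge-rtr-01
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq 443
 deny ip any any log
ntp server 192.0.2.5
""".splitlines()

CURRENT_CONFIG = """\
hostname edge-rtr-01
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 203.0.113.11 eq 22
 deny ip any any log
ntp server 192.0.2.6
""".splitlines()

# Constructed change-control log (ticket id and format are assumptions):
# each ticket lists the (op, config line) changes it authorised.
CHANGE_TICKETS = {
    "CHG-1042": {("+", "permit tcp any host 203.0.113.11 eq 22")},
}


def config_changes(previous, current):
    """Return ('+' or '-', stripped line) for every added or removed config line."""
    diff = difflib.unified_diff(previous, current, lineterm="", n=0)
    changes = []
    for line in diff:
        if line.startswith(("---", "+++", "@@")):
            continue  # file headers and hunk markers carry no config content
        if line[:1] in ("+", "-"):
            changes.append((line[0], line[1:].strip()))
    return changes


def undocumented_changes(previous, current, tickets):
    """Changes no ticket covers; these are the audit exceptions to follow up."""
    authorised = set().union(*tickets.values())
    return [c for c in config_changes(previous, current) if c not in authorised]


if __name__ == "__main__":
    for op, line in undocumented_changes(PREVIOUS_CONFIG, CURRENT_CONFIG, CHANGE_TICKETS):
        print(f"no change-control record for: {op} {line}")
```

    In the sample, the new SSH permit line is covered by the ticket while the NTP server change is not, which is exactly the kind of finding the paragraph above warns about.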

    For substantive testing, let's say that an organization has a policy/procedure concerning backup tapes at the offsite storage location which includes 3 generations (grandfather, father, son). An IT auditor


    ensure the completeness and accuracy of the records and the validity of the entries made to them.

    Application controls are controls over IPO (input, processing, output) functions, and include methods for ensuring that:

    • Only complete, accurate and valid data are entered and updated in an application system

    • Processing accomplishes the designed and correct task

    • The processing results meet expectations

    • Data is maintained

    As an IT auditor, your tasks when performing an application control audit should include:

    • Identifying the significant application components and the flow of transactions through the application (system), and gaining a detailed understanding of the application by reviewing all available documentation and interviewing the appropriate personnel, such as the system owner, data owner, data custodian and system administrator.

    • Identifying the application control strengths and evaluating the impact, if any, of weaknesses you find in the application controls

    • Developing a testing strategy

    • Testing the controls to ensure their functionality and effectiveness

    • Evaluating your test results and any other audit evidence to determine if the control objectives were achieved

    • Evaluating the application against management’s objectives for the system to ensure efficiency and effectiveness.

    IT audit control reviews

    After gathering all the evidence the IT auditor will review it to determine if the operations audited are well controlled and effective. Now this is where your subjective judgment and experience come into play. For example, you might find a weakness in one area which is compensated for by a very strong control in another adjacent area. It is your responsibility as an IT auditor to report both of these findings in your audit report.

    The audit deliverable


    So what's included in the audit documentation, and what does the IT auditor need to do once their audit is finished? Here's the laundry list of what should be included in your audit documentation:

    • Planning and preparation of the audit scope and objectives

    • Description and/or walkthroughs on the scoped audit area

    • Audit program

    • Audit steps performed and audit evidence gathered

    • Whether services of other auditors and experts were used and their contributions

    • Audit findings, conclusions and recommendations

    • Audit documentation relation with document identification and dates (your cross-reference of evidence to audit step)

    • A copy of the report issued as a result of the audit work

    • Evidence of audit supervisory review


    • Detailed findings and recommendations

    Finally, there are a few other considerations which you need to be cognizant of when preparing and presenting your final report. Your report will want to be timely so as to encourage prompt corrective action.

    And as a final, final parting comment: if during the course of an IT audit you come across a materially significant finding, it should be communicated to management immediately, not at the end of the audit.