The Concepts of an Audit - erpanet.org · The Concepts of an Audit Audit and Certification in...
April 14, 2004 / 1 Erasmus Universiteit Rotterdam. Postdoctorale opleidingen.
The Concepts of an Audit
Audit and Certification in Digital Preservation
April 14 – 16, 2004, Antwerpen
J. Pasmooij RE RA RO
Manager ICT Knowledge Center, Royal NIVRA, Amsterdam
Program Manager postgraduate IT-auditing curriculum Erasmus University, Rotterdam
Agenda
• The objectives of an audit
• The elements of an audit
• Examples of audits
The objective of an audit
For the responsible party, the objective of an audit is to prove compliance with legal and/or contractual terms, or suitable criteria.
The objective of an audit
The objective of an audit is for an (intended) user to learn more about the quality of the subject matter or compliance with legal and/or contractual terms or suitable criteria.
The objective of an audit
The objective of an audit is for a professional auditor to evaluate or measure a subject matter that is the responsibility of another party against identified suitable criteria, and to express a conclusion (opinion) with a level of assurance about the subject matter for the intended user.
The elements of an audit
• Kind of audit / assurance engagements
• A three party relationship
• The subject matter
• The scope of the audit
• Suitable criteria
• The audit process
• The report
Kind of audit engagements
• Attest (audit relates to a report or written assertion by the responsible party)
• Direct reporting (audit relates directly to the subject matter)
• A broad range of subject matters
• To provide high or moderate levels of assurance
• To report internally and/or externally
• Within the private or public sector
The auditor
• The auditor has to observe:
  – Integrity
  – Objectivity
  – Independence
  – Professional competence and due care
  – Confidentiality
  – Professional behavior
  – Application of technical standards
• The auditor should be a member of a respected institute or organization with:
  – quality control policies and procedures
  – disciplinary rules
  – a code of ethics
  – auditing standards
The subject matter
May be:
• A report / a management assertion (data / information)
• A system (infrastructure / software)
• A process (organization / people / procedures)
• A strategy / policy
• Behavior
The scope of the audit
• Design (point in time)
• Design and operating (covering a period of time)
• Focussing on specific criteria (for example):
  – Compliance with ……
  – Integrity
  – Exclusivity / Confidentiality
  – Continuity / Availability
  – Auditability / Controllability
  – Effectiveness
  – Efficiency
Suitable criteria
• Criteria are the standards / requirements used to evaluate or measure the subject matter
• Suitable criteria are context-sensitive
• The criteria are suitable when they are:
  – Relevant
  – Reliable
  – Neutral objective
  – Understandable
  – Complete
  – Generally accepted
  – Unequivocal
The audit process
• Pre-audit
  – Preliminary investigation
  – Assignment process
• Performing the audit
  – Initial investigation
  – Determining the Soll-position (the required situation)
  – Determining the Ist-position (collecting evidence)
  – Evaluating Soll versus Ist
  – Evaluating and forming an opinion
• Completion
  – Reporting
  – Evaluating the audit
The report
• The auditor’s report should contain a clear expression of the auditor’s opinion about a subject matter based on the identified suitable criteria and the evidence obtained in the course of the audit engagement.
• The form of conclusion to be expressed by the auditor is determined by the nature of the subject matter and the agreed objective of the engagement and is designed to meet the needs of the intended user of the report of the auditor.
The report
The auditor’s report should include:
• Title
• An addressee
• A description of the engagement and identification of the subject matter
• A statement to identify the responsible party and describe the auditor’s responsibilities
• When the report is for restricted purposes, identification of the parties concerned
• Identification of the auditing standards
• Identification of the criteria
• The auditor’s conclusion (opinion), including any reservations or denial of a conclusion
• The report date
• The name of the auditor
Examples of audits
• Financial audit
• IT-audits
• Operational audits
• Compliance
• Sarbanes Oxley
• Audits based on ISO-standards (security, digital signatures).