2. AGENDA
▪ What does IT audit mean to you?
▪ Traditional IT audit
▪ Top audit concerns of audit committees
▪ The way towards value-added IT audit
▪ Some predictions
▪ Questions
8. TYPES OF INFORMATION FOR AN IT AUDITOR
• Relevant information : relating to controls, tells the evaluator something meaningful about
the operation of the underlying controls or control component. Information that directly
confirms the operation of controls is most relevant.
• Reliable information : accurate, verifiable and from an objective source.
• Timely information : produced and used in a timeframe that makes it possible to prevent or
detect control deficiencies before they become material to an enterprise.
• Sufficient information : when evaluators have gathered enough of it to form a reasonable
conclusion. For information to be sufficient, however, it must first be suitable.
• Suitable information : relevant (i.e., fit for its intended purpose), reliable (i.e., accurate,
verifiable and from an objective source) and timely (i.e., produced and used in an
appropriate time frame) information.
9. TRADITIONAL IT AUDIT APPROACH
Identification of
Safeguards
Threat
Assessment
Asset
Identification
Vulnerability
Assessment
Risk
Determination
Reporting
Remediation
Planning
Proactive processes that
turn policies into awareness
programs, IT administration,
change management and
other activities.
Technologies needed to
provide the appropriate
protection and support
critical processes.
Management strategies for
IT and relevant policies,
standards, guidelines or
directives used to
communicate these
strategies to the
organization.
Reactive processes that
enable management to
measure how well policies
are implemented and
followed and when they
need to be changed.
10. TYPICAL IT AUDIT ENGAGEMENTS
A. General control examination or facility audit
B. Application audit
C. System development audit
D. Technical or special topic audit
11. IT CONTROLS
The plan of organization & the methods a business uses to
safeguard IT assets, provide accurate & reliable information,
promote & improve operational IT efficiency, and
encourage adherence to prescribed IT management policies.
IT control procedure classifications:
1. Preventive / Detective / Corrective / Deterrent IT controls
2. General & Application IT controls
3. Administrative & Accounting IT controls
4. Input – Processing – Output IT controls
12. GENERAL IT OPERATIONS
1. Change Management
2. System Development Life Cycle (SDLC)
3. Problem & Incident management
4. Back-up and data recovery
5. Project Management
6. Continuity Planning (CBCP and DRP)
14. INDEPENDENT IT CONTROLS ON PERFORMANCE
To ensure that transactions are processed accurately are another
important control element.
Types of independent IT controls
–reconciliation of 2 independently maintained sets of records
–comparison of actual quantities with recorded amounts
–double-entry accounting (debits = credits)
–batch totals
15. INDEPENDENT IT CONTROLS ON PERFORMANCE
Types of independent IT controls
–batch totals:
5 types:
1 Financial total: sum of a euro field.
2 Hash total: sum of a field that would usually not be added.
3 Record count: number of documents processed by the IT system.
4 Line count: number of lines of data entered in the IT system.
5 Cross-footing: compares grand total of all rows with grand total of all
columns to check that they are equal in the IT system.
16. INDEPENDENT IT CONTROLS ON PERFORMANCE
Auditors must understand the following basic IT controls:
1 How transactions are initiated
2 How data are captured in machine-readable form or converted from source
documents
3 How computer files are accessed & updated
4 How data are processed to prepare information
5 How information is reported
All of these items make it possible to have an IT audit trail.
An IT audit trail exists when individual company transactions can be traced
end-to-end through the IT system.
29. IT CONTROLS
• IT controls continue to increase in
importance to organisations
• Corporate reliance on IT increases
• Compliance requirements increase
• IT control deficiencies can have a significant
impact on any organisation
41. TYPES OF IT AUDIT ENGAGEMENTS
Review
• provide limited assurance about an assertion.
• consists primarily of review work (less emphasis on testing).
• can be more process oriented, focusing on the appropriateness of the
tasks and activities that the audit entity performs and the associated
controls. The level of evidence that is gathered is less than in an audit,
and testing is generally limited or none is performed.
• do not include audit opinions. Conclusions may often be stated
negatively. Example: ‘Nothing came to our attention to indicate that the assertion is not
true’.
42. TYPES OF IT AUDIT ENGAGEMENTS
Examination
• Systematic process by which a competent, independent person
objectively obtains & evaluates evidence regarding assertions about
an entity or event, processes, operations or internal controls, for the
purpose of forming an opinion & providing a report on the degree to
which the assertions conform to an identified set of standards.
• Attestation process that provides the highest level of assurance about
an assertion that an IT auditor can provide.
• Gathering & evaluating sufficient, competent evidence and performing
appropriate tests and other procedures to form the opinion about an
assertion for presentation in an IT audit report.
43. TYPES OF IT AUDIT ENGAGEMENTS
Agreed-upon Procedures Engagement
Third party & IT auditor agree on specific procedures that will be performed
to obtain evidence on which the third party is willing to rely as a basis for a
conclusion. Agreed-upon level of evidence may be significantly limited or
extensive. The IT auditor may need to obtain a substantial amount of
evidence (in some cases, more than that is required for an IT audit).
The IT audit report should include a statement that sufficiency of
procedures is solely the responsibility of the responsible parties & a
disclaimer of responsibility for the sufficiency of those procedures. The
report relates only to the elements specified & does not extend beyond
them.
44.
45. CAATS
Computer programs & data
that the IT auditor uses
as part of audit procedures
to process data of significance
contained in a computer system
46. CAATS USAGE
· Calculation checks: e.g. program gives total amount of individual entries in
purchases day book in a particular period. Auditor then agree this total amount to the
amount posted in purchases ledger control.
· Detecting system violation rule: e.g. program checks that no customer has
balance above specified credit limit.
· Detecting unreasonable items: programs checks that no customer has discount of
50% or sales ledger balance is more than the amount of sales made to that customer.
· New calculation & analysis: e.g. statistical analysis of inventory movements to
identify slow moving items.
· Selecting items for audit testing: e.g. obtaining a stratified sample of sales ledger
balances to be used as a basis for a circularization of debtors.
· Completeness checks: e.g. checking continuity of sales invoices to ensure they
are all accounted for.
47. CAATS ADVANTAGES
· Test programmed controls: in an IT accounting system, there are large volume of
transactions which the auditor will have to audit. The auditor will have to check if the
programmed controls are functioning correctly. The only effective way of testing
programmed controls is through CAAT.
· Test on large volume of data: CAAT enable auditors to test large amount of data
quickly & accurately and increase the confidence they have in their opinion.
· Test on source location of data: CAAT enables auditors to test the accounting
systems & its records at its source location rather than testing printouts of what they
believe to be a copy of those records.
· Cost effective: once set up CAAT are a cost effective way of obtaining audit evidence
year after year provided that the client does not change the accounting system.
· Comparison: allows results from using CAAT to be compared to traditional testing.
Where the two results agree this increase the overall audit confidence.
57. PA2.2 Work Product Management
PA2.1 Performance Management
Level 2 - Managed
PA1.1 Process PerformanceLevel 1 - Performed
Level 0 - Incomplete
PA3.2 Deployment
PA3.1 Definition
Level 3 - Established
PA4.2 Control
PA4.1 Measurement
Level 4 - Predictable
PA5.1 Innovation
PA5.2 Optimisation
Level 5 - Optimising
1
L
/
F
2
L
/
F
F
F
3
L
/
F
F
4
L
/
F
F
F
F
L
/
F
5
F
F
F
F
L/F = Largely or Fully F= Fully
60. PREDICTIONS INTRODUCTION
• Users want to be provided with more information about business
organisations, rather than less.
• Demands for information is driven by business clients, customers,
oversight authorities and legislatures:
audit plan can change in the middle of the current quarter and sometimes
even change on a day-to-day basis
• Trend: better, faster and more comprehensive reporting.
• Strong interest in independent assessment & reporting of
organisational compliance with laws & regulations.
61.
62.
63. PREDICTION: INTEGRATED REPORTING
Objective of integrated reporting = provide a more detailed picture of
the organisation’s efforts to:
• Produce and sustain value
• Identify and manage risk
• Employ and develop human capital
• Meet legal requirements
• Address corporate and social responsibility
Audit reports include more in-depth non-financial reporting.
Shift from solely lag indicators (as found in traditional reporting) to lead
or forward indicators with increased focus on management &
performance capabilities.
64. PREDICTION: USE OF TECHNOLOGY IN REPORTING
Demand is likely to increase for using technology to present audit
results in a manner that quickly enables recipients to focus on the key
points of the audit.
Auditing standards provide a foundation for the auditing profession to
develop and issue professional audit reports.
Considerations of increased use of technology in the reporting
process must be benchmarked against applicable auditing standards.