
icte1073

Handout #3 – Audit and Review: Their Role in Information Technology

Financial auditing – encompasses all activities and responsibilities concerned with the rendering of an opinion on the
fairness of financial statements.

Two groups of standards that affect the preparation of financial statements and the procedures for their audit by CPA firms:

1. Generally Accepted Accounting Principles (GAAP) – establishes consistent guidelines for financial reporting by
corporate managers. These principles have been formulated and revised periodically. An auditor rendering an
opinion that the financial statements are presented fairly stipulates that those financial statements conform to GAAP.

2. Generally Accepted Auditing Standards (GAAS) – standards for audits which cover three categories:
a. General standards – relate to professional and technical competence, independence, and due professional
care
b. Fieldwork standards – encompass planning, evaluation of internal control, sufficiency of evidential matter, or
documentary evidence upon which findings are based.
c. Reporting standards – stipulate compliance with all accepted auditing standards, consistency with the preceding
account period, adequacy of disclosure, and, in the event that an opinion cannot be reached, the requirement
to state the assertion explicitly.

Note: These standards provide broad guidelines, but not specific guidelines.

Audit Universe – an inventory of all the potential audit areas within an organization. Building an audit universe documents
the key business processes and risks of an organization. An audit universe includes the organization’s objectives, the
processes that support those objectives, risks of not achieving those objectives, controls that mitigate the risk, and audit
objectives for each audit area. Tying the audit universe to organization objectives links the entire audit process to business
objectives and risks, making it easier to communicate the impact of control deficiencies.

Once the audit universe has been developed, the next step in the planning process is to perform a risk assessment for each
universe item.

Risk assessment – is the foundation of the audit function. It determines which audits/projects are to be performed. It also
assists the audit function in developing the audit schedule and the process for planning individual audit projects. Risk
assessment is a technique used to examine potential projects in the audit universe and choose projects that have the
greatest risk exposure. Risk assessment is important in that it provides a framework for allocating audit resources to achieve
maximum benefits. Given that there are an unlimited number of potential audit projects, but a limited amount of audit
resources, it is important to focus on the right projects.

Audit Plan – at a minimum, an IT audit plan should:

• Define scope
• State objectives
• Structure an orderly approach
• Provide for measurement of achievement
• Assure reasonable comprehensiveness
• Provide flexibility in approach

Once estimated audit hours and other factors have been considered, the audit management should be able to arrange the
audit schedule.

Audit Schedule creation – is the process of determining the total audit hours available, then assigning universe items to
fill the available time. “High risk” items should be given top priority.

Audit Budget – contains the universe items and their corresponding costs and resources needed. It is ideally created after
the audit schedule is determined.

Audit Preparation – composed of all the work that is involved in initiating an audit. The functions include audit selection,
definition of audit scope, initial contacts and communication with auditees, and audit team selection.

Audit Scope – defines the area to be reviewed. It should clearly state the process areas, controls, geographic or functional
area, time period, and other specifics to delineate the area to be reviewed.

Audit Scope Objectives – formal statements that describe the purposes of the audit.

Objective and Context

/pler,ctt,micb,rca,cpa
http://bit.ly/icte1073-h3
The objective and context of the work one is to perform is a key element in any audit environment and should not be
overlooked. It is the basis by which all audits should be approached.

Objective – what we are trying to accomplish

Context – the environment in which we perform our work

Typical phases of an audit engagement include:

• Preliminary review – in this step, the auditor should obtain and review summary-level information and evaluate it
in relation to the audit objectives.
• Preliminary evaluation of internal controls – in this step, the auditor determines which controls are essential to
the overall audit objectives.
• Design audit procedures – in this step, the auditor must prepare an audit program for the area being audited,
select the verification techniques applicable to each area, and prepare the instructions for their performance.
• Test controls – testing the critical controls, processes, and apparent exposures. The auditor performs the
necessary testing by using documentary evidence, corroborating interviews, and personal observation.
• Final evaluation of internal controls
• Substantive testing – where controls are determined not to be effective, substantive testing may be required to
determine whether there is a material issue with the resulting financial information. In an IT audit, substantive testing
is used to determine the accuracy of information being generated by a process or application.
• Documenting results – the final step involves evaluating results of the work and preparing a report on the findings.
The audit results should include the audit finding, conclusions, and recommendations.

Audit findings – include the process area audited, the objective of the process, the control objective, the
results of the test of that control, and a recommendation in the case of a control deficiency. Audit findings should
be formally documented.

Analysis – the most important factor in converting raw data into a finished product ready for inclusion in an audit
report. Thorough analysis includes a clear understanding of:

• The standards
• The cause of the deviation
• The control weakness that led to the deviation
• The materiality and exposure involved
• When possible, recommendations for corrective action

Conclusions – are auditor opinions, based on documented evidence, that determine whether an audit subject area
meets the audit objective.

Recommendations – formal statements that describe a course of action that should be implemented to restore or
provide accuracy, efficiency, or adequate control of audit subjects. A recommendation must be provided for each
audit finding for the report to be useful to the management.

Working papers – the formal collection of pertinent writings, documents, flowcharts, correspondence, results of
observations, plans for tests, results of tests, the audit plan, minutes of meetings, computerized records, data files
or application results, and evaluations that document the auditor activity for the entire audit period.

Audit report – the formal communication issued by the audit department describing the results of the audit. The
report should include at a minimum the audit scope and objectives, a description of the audit subject, a narrative of
the audit work activity performed, conclusions, findings, and recommendations. To be effective, audit reports must
be timely, credible, readable, and have a constructive tone.
