
Risk assessment and response for assertions

Auditee:

Purpose
The purpose of this working paper is to provide guidance to the IT Auditor in performing the Audit Engagement and it covers performing an audit engagement, roles and responsibilities, gathering evidence, documenting work performed and formulating findings and conclusions.

Specific Standard requirements addressed in this working paper

ISSAI 5300 - Guidelines on IT Audit
ISACA 1204 - Materiality
ISACA 1203 - Performance and Supervision

Period-end:

Guidance
Guidance Note 1 - ISACA Standards and Guidelines 2203, Section 2.1.1

Audit Component: The IT Auditor should be able to identify auditable areas (audit components) during the risk assessment of the entity and its environment.

Guidance Note 2 - ISACA Standards and Guidelines 2203, Section 2.1.2

Criteria: The IT Auditor should document a reference/control objective against which audit evidence is compared. Examples can be obtained from standards, policies, procedures, regulations or requirements.

Guidance Note 4 - ISACA Standards and Guidelines 2203, Section 2.4.1, 2.4.2, 2.4.3 and 2.4.4

Based on your assessment of risk, the IT Auditor should obtain evidence that is sufficient and appropriate to form an opinion or support the conclusions and achieve the audit objectives. The IT Auditor can use a combination of auditing methods for Test of Controls and/or substantive testing. Should deviations from expectations be identified, professionals should ask management about the reasons for the difference. If management's explanation is adequate, according to professional judgement, professionals should modify their expectations and re-analyse the evidence and information.

Guidance Note 5 - ISACA Standards and Guidelines 2203, Section 2.4.4, 2.4.5, 2.4.6 and 2.4.7

Result of Tests/ Findings: The IT Auditor should consider the source and nature of evidence obtained to evaluate its reliability and the need for further verification. Appropriate analysis and interpretation should be performed by professionals to support the audit findings and form conclusions. Significant deviations from expectations should result in findings and be communicated to

Guidance Note 6 - ISACA Standards and Guidelines 2203, Section 2.5.1, 2.6.1-4

Conclusion/ Management Letter Point (MLP): The IT Auditor must prepare sufficient, appropriate and relevant documentation to cover the whole process. Based on the above, conclusions and recommendations should be recorded here.

Guidance Note 7 - ISACA Standards and Guidelines 2203, Section 2.5.3

Suggested further Audit Tests: Document the suggested further Audit tests, Approach or Areas that are relevant to the Financial Auditor.

This is the information to be given to the financial or other auditor as per terms of reference in the IT Discussion document.
Auditee: Reviewed by:
Period end: Level 1
Prepared by: Level 2
Rank: Level 3
Date:

Audit Component

Audit Objective Criteria Financial Assertions/ IT Control Objective


Financial Component affected
Guidance Note 1 Guidance Note 2
Audit Program

Name Rank

Audit Tests Result of Audit Test

Guidance Note 4 Guidance Note 5


Date

Conclusion/ Management Letter Point (MLP)


Suggested further Audit tests, Approach or Areas for Financial Audit Focus
Guidance Note 6 Guidance Note 7
Reference (Audit evidence or work performed)
