
3/20/2021 Information Technology Environment and IT Audit

Information Technology Environment and IT Audit

Site: New Era University Printed by: Ann Nathalie G. Torres


Course: ACTG15-18 - Auditing in a CIS Environment Date: Saturday, 20 March 2021, 12:18 PM
Book: Information Technology Environment and IT Audit

https://college.neu.edu.ph/mod/book/tool/print/index.php?id=138154 1/13

Description

Lesson 1: Title


Table of contents

1. Introduction/Overview

2. Learning Outcomes

3. IT Environment and IT Audit

4. The Structure of an IT Audit


1. Introduction/Overview

Organizations today are more information dependent and conscious of the pervasive nature of technology across the business enterprise. The
increased connectivity and availability of systems and open environments have proven to be the lifelines of most business entities. Information
technology (IT) is now used more extensively in all areas of commerce around the world.

The role of IT audit continues to be a critical mechanism for ensuring the integrity of information systems and the reporting of organization
finances to prevent future financial fiascos such as Enron (2001) and WorldCom (2002). Unfortunately, these fiascos continue to occur. Global
economies are more interdependent than ever and geopolitical risks impact everyone. Electronic infrastructure and commerce are integrated in
business processes around the globe. The need to control and audit IT has never been greater.

Today’s IT auditor is faced with many concerns about the exposure of information systems to a multitude of risks. From these concerns arise
the objectives for the audit process and function.


2. Learning Outcomes

1. Discuss how technology is constantly evolving and shaping today’s business (IT) environments.
2. Explain what IT auditing is and summarize its two broad groupings.
3. Define the audit process and describe the phases of an IT audit engagement.


3. IT Environment and IT Audit

IT Environment

The need for improved control over IT, especially in commerce, has been advanced over the years in earlier and continuing studies by many
national and international organizations. Essentially, technology has impacted various significant areas of the business environment, including
the use and processing of information, the control process, and the auditing profession.

- Technology has improved the ability to capture, store, analyze, and process tremendous amounts of data and information, expanding the
  empowerment of the business decision maker. It has also become a primary enabler to production and service processes. There is a residual
  effect in that the increased use of technology has resulted in increased budgets, increased successes and failures, and better awareness of
  the need for control.
- Technology has significantly impacted the control process around systems. Although control objectives have generally remained constant,
  except for some that are technology specific, technology has altered the way in which systems should be controlled. Safeguarding assets, as
  a control objective, remains the same whether it is done manually or is automated. However, the manner by which the control objective is met
  is certainly impacted.
- Technology has impacted the auditing profession in terms of how audits are performed (information capture and analysis, control concerns)
  and the knowledge required to draw conclusions regarding operational or system effectiveness, efficiency, and reporting integrity. Initially, the
  impact was focused on dealing with a changed processing environment. As the need for auditors with specialized technology skills grew, so
  did the IT auditing profession.

What is IT Auditing?

Before defining what IT auditing is, let us explain the difference between IS and IT.

- An IS, represented by three components (i.e., people, process, and IT), is the combination of strategic, managerial, and operational activities
  involved in managing information.
- The IT component of an IS involves the hardware, software, communication, and other facilities necessary to manage (i.e., input, store,
  process, transmit, and output) such information.

The term audit, according to ISACA, refers to the formal inspection and verification to check whether a standard or set of guidelines is being
followed, records are accurate, or efficiency and effectiveness targets are being met. In combining both definitions above, IT auditing can be
defined as the formal, independent, and objective examination of an organization’s IT infrastructure to determine whether the activities (e.g.,
procedures, controls, etc.) involved in gathering, processing, storing, distributing, and using information comply with guidelines, safeguard
assets, maintain data integrity, and operate effectively and efficiently to achieve the organization’s objectives. IT auditing provides reasonable
assurance (never absolute) that the information generated by applications within the organization is accurate, complete, and supports effective
decision making consistent with the nature and scope of the engagement previously agreed.

IT auditing is needed to evaluate the adequacy of application systems to meet processing needs, evaluate the adequacy of internal controls,
and ensure that assets controlled by those systems are adequately safeguarded. As for the IT auditors of today, their advanced knowledge and
skills will progress in two ways. One direction is continued growth and skill in this profession, leading the way in computer audit research and
development and progressing up the external and internal audit career paths. The other direction involves capitalizing on a thorough knowledge
of organizational systems and moving into more responsible career areas in general management. Today, even in these economic times, the
demand for qualified IT auditors exceeds the supply. IT governance has created vast opportunities for the IT auditor.

There are two broad groupings of IT audits, both of which are essential to ensure the continued proper operation of IS. These are as follows:

- General Computer Controls Audit. It examines IT general controls (“general controls” or “ITGCs”), including policies and procedures, that
  relate to many applications and support the effective functioning of application controls. General controls cover the IT infrastructure and
  support services, including all systems and applications. General controls commonly include controls over (1) IS operations; (2) information
  security (ISec); and (3) change control management (CCM) (i.e., system software acquisition, change and maintenance, program change,
  and application system acquisition, development, and maintenance). Examples of general controls within IS operations address activities
  such as data backups and offsite storage, job monitoring and tracking of exceptions to completion, and access to the job scheduler, among
  others. Examples of general controls within ISec address activities such as access requests and user account administration, access
  terminations, and physical security. Examples of general controls within CCM may include change request approvals; application and
  database upgrades; and network infrastructure monitoring, security, and change management.
- Application Controls Audit. It examines processing controls specific to the application. Application controls may also be referred to as
  “automated controls.” They are concerned with the accuracy, completeness, validity, and authorization of the data captured, entered,
  processed, stored, transmitted, and reported. Examples of application controls include checking the mathematical accuracy of records,
  validating data input, and performing numerical sequence checks, among others. Application controls are likely to be effective when general
  controls are effective.

Need for IT Audit

Initially, IT auditing (formerly called electronic data processing [EDP], computer information systems [CIS], and IS auditing) evolved as an
extension of traditional auditing. At that time, the need for an IT audit came from several directions:

- Auditors realized that computers had impacted their ability to perform the attestation function.
- Corporate and information processing management recognized that computers were key resources for competing in the business
  environment, similar to other valuable business resources within the organization, and that the need for control and auditability was
  therefore critical.
- Professional associations and organizations, and government entities recognized the need for IT control and auditability.

The early components of IT auditing were drawn from several areas. First, traditional auditing contributes knowledge of internal control practices
and the overall control philosophy. Another contributor was IS management, which provides methodologies necessary to achieve successful
design and implementation of systems. The field of behavioral science provided questions and analysis as to when and why IS are likely to
fail because of people problems. Finally, the field of computer science contributes knowledge about control concepts, discipline, theory, and the
formal models that underlie hardware and software design as a basis for maintaining data validity, reliability, and integrity.

IT auditing became an integral part of the audit function because it supports the auditor’s judgment on the quality of the information processed
by computer systems. Auditors with IT audit skills were viewed as the technological resource for the audit staff. The audit staff often looked to
them for technical assistance. The IT auditor’s role evolved to provide assurance that adequate and appropriate controls are in place. Of course,
the responsibility for ensuring that adequate internal controls are in place rests with management. The audit’s primary role, except in areas of
management advisory services, is to provide a statement of assurance as to whether adequate and reliable internal controls are in place and
are operating in an efficient and effective manner. Management’s role is to ensure and the auditors’ role is to assure.

There are several types of needs within IT auditing, including organizational IT audits (management control over IT), technical IT audits
(infrastructure, data centers, data communication), and application IT audits (business/financial/operational). There are also
development/implementation IT audits (specification/requirements, design, development, and post-implementation phases), and compliance IT
audits involving national or international standards.

When auditing IT, the breadth and depth of knowledge required are extensive. For instance, auditing IT involves:

- Application of risk-oriented audit approaches
- Use of computer-assisted audit tools and techniques
- Application of standards (national or international) such as the ISO to improve and implement quality systems in software development and
  meet IT security standards
- Understanding of business roles and expectations in the auditing of systems under development as well as the purchase of software
  packaging and project management
- Assessment of information security, confidentiality, privacy, and availability issues which can put the organization at risk
- Examination and verification of the organization’s compliance with any IT-related legal issues that may jeopardize or place the organization at
  risk
- Evaluation of complex systems development life cycles (SDLC) or new development techniques (i.e., prototyping, end-user computing, rapid
  systems, or application development)
- Reporting to management and performing a follow-up review to ensure that the actions taken are working

The auditing of IT and communications protocols typically involves the Internet, intranet, extranet, electronic data interchange, client servers,
local and wide area networks, data communications, telecommunications, wireless technology, integrated voice/data/video systems, and the
software and hardware that support these processes and functions. Some of the top reasons to initiate an IT audit include the increased
dependence on information by organizations, the rapidly changing technology with new risks associated with such technology, and the support
needed for financial statement audits.

SOX also requires the assessment of internal controls and makes it mandatory for SEC registrants. As part of the process for assessing the
effectiveness of internal controls over financial reporting, management needs to consider controls related to the IS (including technologies) that
support relevant business and financial processes. These controls are referred to as ITGCs (or IT general controls). ITGCs are IT processes,
activities, and/or procedures that are performed within the IT environment and relate to how the applications and systems are developed,
maintained, managed, secured, accessed, and operated.


4. The Structure of an IT Audit

Audit Planning

The first step in the IT audit is audit planning. Before the auditor can determine the nature and extent of the tests to perform, he or she must gain
a thorough understanding of the client’s business. A major part of this phase of the audit is the analysis of audit risk. The auditor’s objective is to
obtain sufficient information about the firm to plan the other phases of the audit. The risk analysis incorporates an overview of the organization’s
internal controls. During the review of controls, the auditor attempts to understand the organization’s policies, practices, and structure. In this
phase of the audit, the auditor also identifies the financially significant applications and attempts to understand the controls over the primary
transactions that are processed by these applications.

The techniques for gathering evidence at this phase include conducting questionnaires, interviewing management, reviewing systems
documentation, and observing activities. During this process, the IT auditor must identify the principal exposures and the controls that attempt to
reduce these exposures. Having done so, the auditor proceeds to the next phase, where he or she tests the controls for compliance with
pre-established standards.

Test of Controls

The objective of the tests of controls phase is to determine whether adequate internal controls are in place and functioning properly. To
accomplish this, the auditor performs various tests of controls. The evidence-gathering techniques used in this phase may include both manual
techniques and specialized computer audit techniques.

At the conclusion of the tests-of-controls phase, the auditor must assess the quality of the internal controls by assigning a level for control risk.
The degree of reliance that the auditor can ascribe to internal controls will affect the nature and extent of substantive testing that needs to be
performed.

Substantive Testing

The third phase of the audit process focuses on financial data. This phase involves a detailed investigation of specific account balances and
transactions through what are called substantive tests. For example, a customer confirmation is a substantive test sometimes used to verify
account balances. The auditor selects a sample of accounts receivable balances and traces these back to their source—the customers—to
determine if the amount stated is in fact owed by a bona fide customer. By so doing, the auditor can verify the accuracy of each account in the
sample. Based on such sample findings, the auditor is able to draw conclusions about the fair value of the entire accounts receivable asset.

Some substantive tests are physical, labor-intensive activities, such as counting cash, counting inventories in the warehouse, and verifying the
existence of stock certificates in a safe. In an IT environment, the data needed to perform substantive tests (such as account balances and
names and addresses of individual customers) are contained in data files that often must be extracted using Computer-Assisted Audit Tools and
Techniques (CAATTs) software.

Audit Process

Statement on Auditing Standards (SAS No. 1) has the effect of mandating a uniform, process-oriented approach to audit engagements. The
approach depicted is a true process technique. That is, audits follow a series of logical, orderly steps, each designed to accomplish specific end
results. This is also the case for an IT audit. The difference in an IT audit is the specialized approach to the audit work and the skills needed to
understand technology and the IT control environment. The phases of auditing activities typically overlap and involve some reassessment and
retracing of procedures performed earlier.

Preliminary Review

In this phase, the auditor should obtain and review summary-level information and evaluate it in relation to the audit objectives. The purpose of
the preliminary review phase of an IT audit engagement is to gather an understanding of the IT environment, including the controls in place that
are essential to meet the overall audit objectives. The IT auditor conducts this preliminary review at a general level, without examining details of
individual applications and the processes involved. Instead, the IT auditor interviews key personnel to determine policies and practices, and
prepares supplemental audit information as required. Preliminary review information serves as a basis for supporting the information included in
the IT audit plan.

General Information about IT Environment

IT is defined as the hardware, software, communication, and other facilities used to input, store, process, transmit, and output data in whatever
form. The IT environment refers to the policies, procedures, and practices implemented by organizations to program, test, deliver, monitor,
control, and support their IT infrastructure (e.g., hardware, software, networks, etc.). The IT environment also includes the applications and
programs used by organizations to support critical business operations (i.e., financial operations) and achieve business strategies.

The IT auditor begins the examination process by becoming acquainted, generally, with the company, its line of business, and the IT
environment, including its financial application systems. Typically, an IT auditor would tour the client company’s facilities and observe general
business operations that bear upon customer service as well as on strictly financial functions.

Given this familiarity, the next level of general data gathering would include the preparation of organizational charts, particularly those for the
accounting and IT functions. If organizational charts are unavailable, the IT auditor should develop them. Once drawn, the charts should be
reviewed and verified with appropriate personnel (i.e., key executives in the accounting and IT areas) to secure an agreement that they
represent the actual organization structure. During these interviews, the IT auditor would also secure copies of the company’s chart of accounts
and an accounting standards manual, if available.

IT auditors must gain a deep understanding of the IT environment, particularly how the organization responds to risks arising from IT, and
whether the IT controls in place have been adequately designed and operate effectively to address those risks. From a financial standpoint,
knowledge about the IT environment is crucial for IT auditors in order to understand how financial transactions are initiated, authorized,
recorded, processed, and reported in the financial statements.

For application systems that the organization uses to process significant financial data, the IT auditor would gather a number of
specific items of evidential matter, such as:

- Policies and procedures that the organization implements and the IT infrastructure and application software that it uses to support business
  operations and achieve business strategies.
- Narratives or overview flowcharts of the financial applications, including server names, make and model, supporting operating systems,
  databases, and physical locations, among others.
- Whether the financial applications are in-house developed, purchased with little or no customization, purchased with significant customization,
  or proprietary provided by a service organization.
- Whether service organizations host financial applications and, if so, which applications these are and which relevant services they perform.
- Controls in place supporting the area of information systems operations, such as those supporting job scheduling, data and restoration,
  backups, and offsite storage.
- Controls in place supporting the area of information security, such as those supporting authentication techniques (i.e., passwords), new
  access or termination procedures, use of firewalls and how they are configured, physical security, etc.
- Controls in place supporting the area of change control management, such as those supporting the implementation of changes into
  applications, operating systems, and databases; testing whether access of programmers is adequate; etc.

Methods applied in gathering these data include reviewing computer information systems and human interface practices, procedures,
documents, narratives, flowcharts, and record layouts. Other audit procedures implemented to gather data include: observing, interviewing,
inspecting existing documentation, and flowcharting, among others. Physical inspection techniques are used both to gather data and to validate
existing documents or representations made during the interviews. For example, a single visit to the computer/data center can provide both data
gathering and validation opportunities for determining equipment configurations, library procedures, operating procedures, physical security
controls, existing environmental controls, and other data control procedures.

Design Audit Procedures

In this phase, the IT auditor must prepare an audit program for the areas being audited, select control objectives applicable to each area, and
identify procedures or activities to assess such objectives. An audit program differs from an internal control questionnaire (ICQ) in that an ICQ
involves questions to evaluate the design of the internal control system. Particularly, ICQs check whether controls are implemented to detect,
prevent, or correct a material misstatement. Controls not in place would represent a deviation or deficiency in the internal control structure. An
audit program, on the other hand, contains specific procedures to test the responses received from the questions asked, thus substantiating that
the controls identified are in place and work as expected by management.

An audit program is a formal plan for reviewing and testing each significant audit subject area disclosed during fact gathering. The auditor
should select subject areas for testing that have a significant impact on the control of the application and those that are within the scope defined
by the audit objectives. IT audit areas are very specific to the type of audit. For IT, COBIT is an excellent starting point as it lists risks, objectives,
and key controls per IT audit area. This information then has to be customized to the particular organization objectives, processes, and
technology.

Identifying Financial Applications

With the help of management, the IT auditor must decide what application systems will have to be examined at a more detailed level (i.e.,
scoping). As a basis for preparation of the audit plan, the IT auditor must also determine, in general, how much time will be required, what types
of people and skills will be needed to conduct the examination; and, roughly, what the schedule will be.

The identification of financial applications can be accomplished with the auditor gaining familiarity with the organization’s accounting procedures
and processes. The importance of determining the significant financial applications has to be derived through preliminary analysis. The
assessment of the sophistication of the application, its complexity, the business processes it supports, and its extent of use are factors that come
into play in deciding whether to select such an application and how one might evaluate it. As stated before, the preliminary review phase is a critical
step in the audit process that examines an organization’s financial systems and provides the auditor with a basis for selecting audit areas for
more detailed analysis and evaluation whether they are manual or computerized.

Auditors involved in reviewing financial applications should focus their concerns on the application’s control aspects. This requires their
involvement from the time a transaction is initiated until it is posted into the organization’s general ledger. Specifically, auditors must ensure that
provisions are made for:

- An adequate audit trail so that transactions can be traced forward and backward through the financial application
- The documentation and existence of controls over the accounting for all data (e.g., transactions, etc.) entered into the application and controls
  to ensure the integrity of those transactions throughout the computerized segment of the application
- Handling exceptions to, and rejections from, the financial application
- Unit and integrated testing, with controls in place to determine whether the applications perform as stated
- Controls over changes to the application to determine whether the proper authorization has been given and documented
- Authorization procedures for application system overrides and documentation of those processes
- Determining whether organization and government policies and procedures are adhered to in system implementation
- Training user personnel in the operation of the financial application
- Developing detailed evaluation criteria so that it is possible to determine whether the implemented application has met predetermined
  specifications
- Adequate controls between interconnected application systems
- Adequate security procedures to protect the user’s data
- Backup and recovery procedures for the operation of the application and assurance of business continuity
- Ensuring technology provided by different vendors (i.e., operational platforms) is compatible and controlled
- Adequately designed and controlled databases to ensure that common definitions of data are used throughout the organization, redundancy
  is eliminated or controlled, and data existing in multiple databases is updated concurrently

Test of Controls

The IT auditor executes several procedures in order to test controls, processes, and apparent exposures. These audit procedures may include
examining documentary evidence, as well as performing corroborating interviews, inspections, and personal observations.

Documentary evidence may consist of a variety of forms of documentation on the application system under review. Examples include notes from
meetings on the subject system, programmer notes, systems documentation, screenshots, user manuals, change control documentation from
any system or operation changes since inception, and a copy of the contract if third parties are involved. Examining such documentary evidence
may require the IT auditor to ask questions of the user, developer, and managers to help him or her establish the appropriate test criteria to be
used. It also helps in identifying the critical application and processes to be tested.

Corroborating interviews are also part of the testing process, and may include procedures such as:

- Asking different personnel the same question and comparing their answers
- Asking the same question in different ways at different times
- Comparing answers to supporting documentation, work papers, programs, tests, or other verifiable results
- Comparing answers to observations and actual system results

Substantive Testing

Where controls are determined not to be effective, substantive testing may be required to determine whether there is a material issue with the
resulting financial information. In an IT audit, substantive testing is used to determine the accuracy and completeness of information being
generated by a process or application. This contrasts with compliance testing, where the auditor’s goal is to confirm whether the organization is
adhering to applicable policies, procedures, rules, and regulations. An example of a compliance test procedure would be verifying that a change or
upgrade in a financial application was adequately tested, approved, and documented prior to its implementation.

Substantive audit tests are designed and conducted to verify the functional accuracy, efficiency, and control of the audit subject. During the audit
of a financial application, for example, the IT auditor would build and process test data to verify the processing steps of such an application.

Auditing-through-the-computer is a term that involves steps in addition to those mentioned previously. Programs are executed on the computer
to test and authenticate application programs that are run in normal processing. Usually, the financial audit team will select one of the many
Generalized Audit Software packages such as SAS, SPSS, Computer-Assisted Audit Techniques (CAATs), or CA-Easytrieve(T) and determine
what changes are necessary to run the software at the installation. Financial auditors use this specific software to do sampling, data extraction,
exception reporting, summarize and foot totals, and other tasks. They also use packages such as Microsoft Access, Excel, IDEA, or ACL
because of their in-depth analyses and reporting capabilities.

CAATs, for example, use auditor-supplied specifications to generate a program that performs audit functions, such as evaluating application
controls, selecting and analyzing computerized data for substantive audit tests, etc. In essence, CAATs automate and simplify the audit process,
and this is why audit teams (external and internal) are increasingly using them. In fact, many organizations have Generalized Audit Software
already installed for their internal auditors to allow them to gather information and conduct the planned audit tests. The appropriate selection and
effective use of these audit tools are essential not only to perform adequate audit testing but also to document results.
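
The CAAT tasks named above (data extraction, exception reporting, footing totals) and the application control checks described earlier (input validation, mathematical accuracy, numerical sequence checks) can be shown in a few lines of script. This is an added example, not part of the original lesson or of any audit package; the invoice extract, its column names, and the reported control total are constructed for illustration.

```python
import csv
import io
from collections import Counter
from decimal import Decimal, InvalidOperation

# Constructed invoice extract; column names and values are assumptions.
EXTRACT = """invoice_no,customer,qty,unit_price,amount
1001,ACME,2,50.00,100.00
1002,BOLT,1,75.50,75.50
1004,CRUX,3,10.00,35.00
1005,DYNE,,20.00,20.00
1005,DYNE,1,20.00,20.00
1006,ECHO,4,12.25,49.00
"""
# Batch control total reported by the application (constructed).
REPORTED_TOTAL = Decimal("279.50")
NUMERIC_FIELDS = ("qty", "unit_price", "amount")


def load(text):
    """Data extraction: read the extract into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def to_decimal(value):
    """Return a finite Decimal, or None when the field is blank or not numeric."""
    try:
        number = Decimal(value)
    except (InvalidOperation, TypeError):
        return None
    return number if number.is_finite() else None


def input_validation(rows):
    """Validate data input: list (invoice_no, field) for non-numeric fields."""
    return [(r["invoice_no"], f) for r in rows for f in NUMERIC_FIELDS
            if to_decimal(r[f]) is None]


def math_accuracy(rows):
    """Recompute qty * unit_price and list invoices whose amount disagrees."""
    bad = []
    for r in rows:
        qty, price, amount = (to_decimal(r[f]) for f in NUMERIC_FIELDS)
        if qty is None or price is None or amount is None:
            continue  # already reported by input_validation
        if qty * price != amount:
            bad.append(r["invoice_no"])
    return bad


def sequence_check(rows):
    """Numerical sequence check: return (missing numbers, duplicated numbers)."""
    counts = Counter(int(r["invoice_no"]) for r in rows)
    missing = [n for n in range(min(counts), max(counts) + 1) if n not in counts]
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    return missing, duplicates


def foot(rows):
    """Foot (sum) the amount column, skipping values that failed validation."""
    return sum((to_decimal(r["amount"]) or Decimal(0) for r in rows), Decimal(0))


def exception_report(text, reported_total):
    """Run every test and collect the exceptions for the working papers."""
    rows = load(text)
    missing, duplicates = sequence_check(rows)
    footed = foot(rows)
    return {
        "invalid_input": input_validation(rows),
        "math_errors": math_accuracy(rows),
        "missing_numbers": missing,
        "duplicate_numbers": duplicates,
        "footed_total": footed,
        "difference": footed - reported_total,
    }


if __name__ == "__main__":
    for test, result in exception_report(EXTRACT, REPORTED_TOTAL).items():
        print(f"{test}: {result}")
```

In this constructed data the footing difference equals the amount of the duplicated invoice, which is the kind of link between two exceptions that the auditor would follow up.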

Document Results

The next phase of an audit involves documenting results of the work performed, as well as reporting on the findings. Audit results should include
a description of audit findings, conclusions, and recommendations.

Audit Findings

The terms finding, exception, deficiency, deviation, problem, and issue are basically synonymous in the audit world, and mean the auditor
identified a situation where controls, procedures, or efficiencies can be improved. Findings identify and describe inaccurate, inefficient, or
inadequately controlled audit subjects. An example of an IT audit finding would be a change implemented into a financial application that did not
include proper management authorization. Another example would include the IT auditor discovering that the organization’s procedures manual
does not require management’s permission before implementing changes into applications.

Audit findings should be individually documented and should at least include the following:

- Name of the IT environment (operating system hosting the relevant financial application(s)) evaluated
- IT area affected (IS operations, information security, change control management)
- Working paper test reference where the finding was identified
- General control objective(s) and activity(ies) that failed
- Brief description of the finding
- Where the finding is formally communicated to management (this should reference the Management Letter within the Auditor Report)
- Evaluation of the finding, specifically whether it was identified at the design level (i.e., there is no general control in place) or at the operational level (i.e., the general control was in place, but did not test effectively)
- Whether or not the finding represents a pervasive or entity-level risk
- Whether the finding can be mitigated by other compensating general controls, and if so, a reference to where these controls have been tested successfully

An audit finding form (e.g., a General Computer Controls Findings Form) can be used to review the control issues identified with the
responsible IT manager in order to agree on corrective action. This information can then be used to prepare the formal Management Letter that
will accompany the Audit Report and the corrective action follow-ups. Taking corrective action could result in enhanced productivity; the
deterrence of fraud; or the prevention of monetary loss, personal injury, or environmental damage.

Conclusions and Recommendations

Conclusions are auditor opinions, based on documented evidence, that determine whether an audit subject area meets the audit objective. All
conclusions must be based on factual data obtained and documented by the auditor as a result of audit activity. The degree to which the
conclusions are supported by the evidence is a function of the amount of evidence secured by the auditor. Conclusions are documented in the
audit working papers and should support the audit procedures performed. Working papers are the formal collection of pertinent writings,
documents, flowcharts, correspondence, results of observations, plans and results of tests, the audit plan, minutes of meetings, computerized
records, data files or application results, and evaluations that document the auditor activity for the entire audit period. A complete,
well-organized, cross-referenced, and legible set of working papers is essential to support the findings, conclusions, and recommendations as stated
in the Audit Report. Typically, a copy of the final Audit Report is filed in the working papers.

Recommendations are formal statements that describe a course of action that should be implemented by the company’s management to restore
or provide accuracy, efficiency, or adequate control of audit subjects. A recommendation should be provided by the auditor for each audit finding
for the report to be useful to management.

Communication

The value of an audit depends, in large part, on how efficiently and effectively its results are communicated. At the conclusion of audit tests, it is
best to discuss the identified findings with IT management to gain their agreement and begin any necessary corrective action. Findings, risks as
a result of those findings, and audit recommendations are usually documented in the Management Letter (in a separate section of the Audit
Report).
