
WORK GROUP 4
THE IT AUDIT PROCESS

Submitted by:
ABAD, MA. JUSTINE ESTEPHANY C.
ACUNA, KATHLEEN B.
BANDRANG, ABDUL NASSER P.
CASTEN, ROBERT JUSTINNE M.
CHIONG, AMOS ELIJAH A.
DE LEON, IRENE DANIECA M.
GACAYAN, IZZA MAE L.

Submitted to:
LAZO, REYMARK

MT-CP 2. Group Exercise
IT Audit Memorandum
DATE: November 10, 2020
SUBJECT: Revised IT Audit Planning
FROM: Abdul Nasser P. Bandrang III (IT Audit Senior), Ma. Justine Estephany C. Abad, Robert
Justinne M. Casten, and Amos Elijah A. Chiong (IT Audit Staff)
TO: Izza Mae L. Gacayan (IT Partner), Kathleen B. Acuna, and Irene Danieca M. De Leon (IT
Managers)

Objective:
The purpose of this memorandum is to provide a perspective on why the audit should focus
on Financial Application #2 (FA2), although the IT Manager and Partner believe that the audit
should be performed on Financial Application #1 (FA1) based on previous relevant experience.
After conducting a risk assessment, it appears that Financial Application #2 is more likely to be
the problem than Financial Application #1. This is based on the risk rating of FA2, which ranges
from 18.75 to 75, computed as the assigned probability multiplied by the impact level value, and
which indicates a very high action priority.
To justify the aforementioned claim, we have assessed Financial Application #2 and identified the following information.

Application: Financial Application #2 (FA2)

Risk 1
Vulnerability: Information security does not periodically review user access privileges.
Threat source: Unauthorized users such as hackers, terminated employees, insiders, and terrorists.
Probability: Very High (1.00)
Impact: High (75)
Risk rating: 75
Risk: Users possess privileges that are not consistent with their job functions, allowing unauthorized or incorrect modifications to FA2's data, which could cause management decisions based upon misleading information. Terminated users can gain access to FA2 and modify its financial information.
Recommended controls: User access privileges within FA2 are periodically reviewed by application owners to verify that access privileges remain appropriate and consistent with job requirements. The security administrator is notified of employees who have been terminated. Access privileges of such employees are immediately changed to reflect their new status.
Action priority: Very High

Risk 2
Vulnerability: Outdated software. The vendor has identified flaws in the security design of the system; however, new patches have not been applied to the system. Insufficient regular software testing and updates. The information system has a weak security protocol in terms of job scheduling.
Threat source: Software that can give misleading information. Batch processes are outdated and can be subject to loss of confidentiality.
Probability: Very High (1.00)
Impact: High (75)
Risk rating: 75
Risk: Previous problems will remain unresolved due to irregular software testing, and the system is unable to process some of the transactions due to outdated software.
Recommended controls: Develop and maintain system security plans to document current controls and address planned controls for the IT systems in support of the organization's mission. Conduct security awareness and technical training to ensure that end users and system users are aware of the rules of behavior and their responsibilities in protecting the organization's mission. Conduct regular periodic reviews of security controls to ensure that the controls are effective and updated.
Action priority: Very High

Risk 3
Vulnerability: Unprotected public network connection.
Threat source: Sensitive information can be easily accessed by anyone and can lead to information bribery. Unauthorized users can detect it, which can lead to fraudulent acts.
Probability: Very High (1.00)
Impact: Very High (75)
Risk rating: 75
Risk: The sensitive information can easily be given to others, allowing unauthorized persons to review information from FA2. Terminated users can gain access to FA2 and modify its financial information.
Recommended controls: Obtaining unauthorized access to sensitive system files based on known system vulnerabilities. The security administrator is notified of employees who have been terminated. Access privileges of such employees are immediately changed to reflect their new status.
Action priority: Very High
IT Planning Memo

Memo
Date: November 10, 2020
To: The Financial Statement Audit File
From: IT Audit Manager, Melbourne, FL office
Subject: Internal Memorandum

Purpose
The purpose of this memo is to outline the procedures associated with the involvement of the
Information Technology Auditors (“IT Auditors”) in connection with the financial statement audit
of Company XYZ for the year ending December 31, 2021. The approach for the IT audit outlined
herein serves as a supplement to the financial audit planning memorandum and should be reviewed
in conjunction with such working paper.

Planning Discussions
As detailed in the working paper (w/p) 1000.1, a discussion with the financial audit Partner,
Principal, or Director was held to determine the level of IT audit involvement. During this planning
meeting, risk assessments of areas to be addressed were also discussed along with the nature,
extent, and timing of planned tests of controls described further in this planning memo.
IT Audit Team
The IT audit team will consist of the following:
Role                 Name
IT Partner           Gacayan, Izza Mae L.
IT Managers          Acuna, Kathleen B.
                     De Leon, Irene Danieca M.
IT Audit Senior      Bandrang, Abdul Nasser P.
IT Audit Staff       Abad, Ma. Justine Estephany C.
                     Casten, Robert Justinne M.
                     Chiong, Amos Elijah A.

Timing
Timing of the IT audit work is scheduled as follows:
1. Planning starting January 01, 2021, ending June 30, 2021
2. Interim starting November 1, 2021, ending December 31, 2020
3. Year-end procedures starting January 01, 2022, ending March 31, 2020
4. Sign-off date, April 30, 2022

Hours
Hours and costs are based on the estimated time required to complete the IT audit procedures and
the level of experience required. Detailed IT audit procedures have been planned with the financial
audit team, including discussions regarding the necessary documentation and assistance to be
provided by the Company to facilitate the effective and efficient performance of the procedures.
It is estimated that the IT audit procedures will take 100 hours to complete.
The hours incurred are to be charged to: Company XYZ-0000.
During the course of the IT audit, circumstances encountered that could significantly affect the
performance of such audit procedures, including any additional hours resulting from such
circumstances, will be promptly communicated to the financial audit team and Company personnel,
as appropriate.

Understand the IT Environment


Meetings with Company personnel will take place in order to gather or update the existing
understanding of the IT environment, including significant changes from the prior year. This
understanding will be considered as part of the planning process and documented in working paper 1540.
Relevant Applications and Technology Elements
As agreed with the financial audit team, applications are classified as relevant to the audit when
they:
• are used to support a critical business process (e.g., revenues, expenditures, payroll, etc.)
• have information generated by the organization (IGO) that is significant for a financial
audit test procedure or in the context of any internal controls, such as information used to
test a relevant control activity or information used by the Company to perform the control
activity
• include application or automated control activities that have been identified as addressing
significant financial audit risks
Relevant applications and their related technology elements have been identified on the following
table or documented at w/p 1540.
Relevant Application                               Database    Operating System    Network
All Accounting Application (AAA)                   Oracle      UNIX platform       Windows
Financial Document Generator Application (FDGA)    Oracle      Windows             Windows
Human Resources and Payroll Application (HRPA)     third-party organization called HRP-For-All

IT Risks and Controls


IT risks have been identified on the relevant applications based on the understanding obtained from
(1) the IT environment, (2) existing application controls, and (3) IGO. Certain control activities
will be assessed to determine whether they are adequately designed and operate effectively to
address those risks. Refer to working paper w/p 1000.2 where such controls have been identified
and listed.

Relevant Application Controls


In addition to the general control IT areas (information systems operations, information security,
and change control management), the IT audit team will test certain relevant application controls.
Meetings between the IT audit team and appropriate members of the financial audit team will occur
to:
1. understand how application or automated controls work
2. evaluate if they have been adequately designed and implemented
3. assess whether they operate effectively
The relevant application controls to be tested are noted below.

Working Paper Reference # 1000.2 - Information Systems Operations

Relevant Application: ISO 1.00 - IT operations support adequate scheduling, execution,
monitoring, and continuity of systems, programs, and processes to ensure the complete, accurate,
and valid processing and recording of financial transactions.
Relevant Application Controls:
    ISO 1.01 - Batch and/or online processing is defined, timely executed, and monitored for
    successful completion.
    ISO 1.02 - Exceptions identified on batch and/or online processing are timely reviewed and
    corrected to ensure accurate, complete, and authorized processing of financial information.

Relevant Application: ISO 2.00 - The storage of financial information is appropriately managed,
accurate, and complete.
Relevant Application Controls:
    ISO 2.02 - Automated backup tools have been implemented to manage retention data plans and
    schedules.
    ISO 2.04 - Tests for the readability of backups are performed on a periodic basis. Results
    support timely and successful restoration of backed up data.

Relevant Application: ISO 3.00 - Physical access is appropriately managed to safeguard relevant
components of the IT infrastructure and the integrity of financial information.
Relevant Application Control:
    ISO 3.02 - Physical access is authorized, monitored, and restricted to individuals who require
    such access to perform their job duties. Entry of unauthorized personnel is supervised and
    logged. The log is maintained and regularly reviewed by IT management.

Working Paper Reference # 1000.2 - Information Security

Relevant Application: ISEC 1.00 - Security configuration of applications, databases, networks,
and operating systems is adequately managed to protect against unauthorized changes to programs
and data that may result in incomplete, inaccurate, or invalid processing or recording of
financial information.
Relevant Application Controls:
    ISEC 1.02 - Formal policies and procedures define the organization's information security
    objectives and the responsibilities of employees with respect to the protection and
    disclosure of informational resources. Management monitors compliance with security policies
    and procedures, and agreement to these is evidenced by the signature of employees.
    ISEC 1.06 - Consistent with information security policies and procedures, local and remote
    users are required to authenticate to applications, databases, networks, and operating
    systems via passwords to enhance computer security.

Relevant Application: ISEC 2.00 - Adequate security is implemented to protect against
unauthorized access and modifications of systems and information, which may result in the
processing or recording of incomplete, inaccurate, or invalid financial information.
Relevant Application Controls:
    ISEC 2.02 - System owners authorize user accounts and the nature and extent of their access
    privileges.
    ISEC 2.04 - Users who have changed roles or tasks within the organization, or who have been
    transferred or terminated, are immediately reported to the security department for user
    account access revision in order to reflect the new and/or revised status.
    ISEC 2.05 - Transmission of sensitive information is encrypted consistent with security
    policies and procedures to protect its confidentiality.

Working Paper Reference # 1000.2 - Change Control Management

Relevant Application: CCM 1.00 - Changes implemented in applications, databases, networks, and
operating systems (altogether referred to as "system changes") are assessed for risk, authorized,
and thoroughly documented to ensure desired results are adequate.
Relevant Application Controls:
    CCM 1.03 - Documentation related to the change implementation is adequate and complete.
    CCM 1.05 - Documentation related to the change implementation has been released and
    communicated to system users.

Relevant Application: CCM 2.00 - Changes implemented in applications, databases, networks, and
operating systems (altogether referred to as "system changes") are appropriately tested. Tests
are performed by a group other than the group responsible for the system (e.g., operating system
changes are implemented by someone other than the systems programmer, etc.).
Relevant Application Controls:
    CCM 2.01 - System changes are tested before implementation into the production environment
    consistent with test plans and cases.
    CCM 2.02 - Test plans and cases involving complete and representative test data (instead of
    production data) are approved by application owners and development management.

Relevant Application: CCM 3.00 - Changes implemented in applications, databases, networks, and
operating systems (altogether referred to as "system changes") are appropriately managed to
reduce disruption, unauthorized alterations and errors, which impact the accuracy, completeness
and valid processing and recording of financial information.
Relevant Application Control:
    CCM 3.01 - Problems and errors encountered during the testing of system changes are
    identified, corrected, retested, followed up for correction and documented.

Relevant Application: CCM 4.00 - Changes implemented in applications, databases, networks and
operating systems (altogether referred to as "system changes") are formally approved to support
accurate, complete and valid processing and recording of financial information.
Relevant Application Control:
    CCM 4.04 - An overall review is performed by management after system changes have been
    implemented in the live production environment to determine whether the objectives for
    implementing system changes were met.

Information Generated by the Organization


IGO has been identified and classified as significant for an audit test procedure or in the context
of any internal controls. This means that certain information will be used as part of various audit
tests of controls and/or organization personnel will use such to perform controls. Given the
relevance of this information, the IT audit will include procedures to assess its accuracy and
completeness.

Deficiency Evaluation
If deviations or findings result from the IT test procedures performed, they will be assessed to
determine their nature and cause, and whether they represent a control deficiency. Evaluation of
control deficiencies will be performed in conjunction with the financial audit team. Refer to
working paper w/p 2302, where such evaluation will be documented.
Work of Others
There will be no work of others (e.g., Internal Audit personnel, etc.) used in the IT audit.

Evaluation of Service Organization Controls


(This section is applicable if there are external service organizations that perform services or
general controls relevant for the audit.)
A service auditor’s report will be obtained for the relevant general controls related to the [relevant
application(s)] application(s) performed by [name of service organization]. A review of the report
will be performed by the IT audit team to understand the relevant services provided by the service
organization. Specifically, the IT audit team will evaluate the service organization controls by:
• assessing the IT controls and related exceptions in the report
• documenting the IT complementary or locally based user controls specified in the report
(These controls are implemented in the Company and, thus, are not part of the service
organization; however, they complement service organization controls. The IT auditor
typically documents these controls by tying them to the IT audit work performed as part of
the IT audit of general controls IT areas.)

(The table below can be included to summarize information about the relevant service
organizations.)
Service Organization: HRP-For-All
Brief Description of Relevant Service(s) Provided: used to manage the company's human resources
and process payroll.
Service Organization Location: Austin, Texas
Service Auditor: Deloitte
Report Period: July 1, 2020 – June 30, 2021
Report Type/Conclusion: Controls at HRP-For-All were found to be effective

Other Areas of IT Audit Assistance


There are no other areas identified within Company XYZ that IT auditors can assist with.
