THE IT AUDIT
Submitted by:
ABAD, MA. JUSTINE ESTEPHANY C.
ACUNA, KATHLEEN B.
BANDRANG, ABDUL NASSER P.
CASTEN, ROBERT JUSTINNE M.
CHIONG, AMOS ELIJAH A.
DE LEON, IRENE DANIECA M.
GACAYAN, IZZA MAE L.
Objective:
The purpose of this memorandum is to explain why the audit should focus on Financial
Application #2 (FA2), although the IT Manager and Partner believe that the audit should be
performed on Financial Application #1 (FA1) based on previous relevant experience. The risk
assessment we conducted indicates that Financial Application #2 is more likely to be the
problem than Financial Application #1. This is based on the risk rating of FA2, which is
18.75 to 75, computed as the probability assigned multiplied by the impact level value, and
which indicates a very high action priority.
To justify this claim, we assessed Financial Application #2 and identified the following information.
Financial Application #2

Information security do not periodically review the user access privilege | Unauthorized users such as the hackers, terminated employees, insiders, and terrorists | Very High 1.00 | High 75 | Users possess privileges that are not consistent with their job functions, allowing unauthorized or incorrect modifications to FA2’s data, which could cause management decisions based upon misleading information. Terminated users can gain access to FA2 and modify its financial information. | 75 | Users access privilege within FA2 are periodically reviewed by application owners to verify access privileges remain appropriate and consistent with job requirements. The security administrator notified employees who have been terminated. Access privileges of such employees are immediately changed to reflect their new status. | Very High

The vendor has identified flaws in the security design of the system; however, new patches have not been applied to the system. Insufficient regular software testing and updates. Information system has a weak security protocol in terms of Job scheduling. | Outdated software that can a misleading information. Batch process are outdated can subject to loss of Confidentiality. | Very High 1.00 | High 75 | Problems from previous will remain unresolved due to irregular software testing and unable to process some of the transaction due to outdated software. | 75 | Develop and maintain system security plans to document current controls and address planned controls for IT systems in support of the organization’s mission. Conduct security awareness and technical training to ensure that end users and system users are aware of the rules of behavior and their responsibilities in protecting the organization’s mission. Conduct regular periodic review of security controls to ensure that the controls are effective and updated. | Very High

Unprotected to the public network connection | Sensitive information can be easily access by anyone and can cause information bribery. Unauthorized users can detect that can cause fraudulent act. | Very High 1.00 | Very High 75 | The sensitive information can easily give to others, allowing unauthorized person to review the information from FA2. Terminated users can gain access to FA2 and modify its financial information. | 75 | Obtaining unauthorized access to sensitive system files based on known system vulnerabilities. The security administrator notified employees who have been terminated. Access privileges of such employees are immediately changed to reflect their new status. | Very High
IT Planning Memo
Memo
Date: November 10, 2020
To: The Financial Statement Audit File
From: IT Audit Manager, Melbourne, FL office
Subject: Internal Memorandum
Purpose
The purpose of this memo is to outline the procedures associated with the involvement of the
Information Technology Auditors (“IT Auditors”) in connection with the financial statement audit
of Company XYZ for the year ending December 31, 2021. The approach for the IT audit outlined
herein serves as a supplement to the financial audit planning memorandum and should be reviewed
in conjunction with such working paper.
Planning Discussions
As detailed in the working paper (w/p) 1000.1, a discussion with the financial audit Partner,
Principal, or Director was held to determine the level of IT audit involvement. During this planning
meeting, risk assessments of areas to be addressed were also discussed along with the nature,
extent, and timing of planned tests of controls described further in this planning memo.
IT Audit Team
The IT audit team will consist of the following:
Role               Name
IT Partner         Gacayan, Izza Mae L.
IT Managers        Acuna, Kathleen B.
                   De Leon, Irene Danieca M.
IT Audit Senior    Bandrang, Abdul Nasser P.
IT Audit Staffs    Abad, Ma. Justine Estephany C.
                   Casten, Robert Justinne M.
                   Chiong, Amos Elijah A.
Timing
Timing of the IT audit work is scheduled as follows:
1. Planning starting January 01, 2021, ending June 30, 2021
2. Interim starting November 1, 2021, ending December 31, 2020
3. Year-end procedures starting January 01, 2022, ending March 31, 2020
4. Sign-off date, April 30, 2022
Hours
Hours and costs are based on the estimated time required to complete the IT audit procedures and
the level of experience required. Detailed IT audit procedures have been planned with the financial
audit team, including discussions regarding the necessary documentation and assistance to be
provided by the Company to facilitate the effective and efficient performance of the procedures.
It is estimated that the IT audit procedures will take 100 hours to complete.
The hours incurred are to be charged to: Company XYZ-0000.
During the course of the IT audit, circumstances encountered that could significantly affect the
performance of such audit procedures will be promptly notified to the financial audit team and
Company personnel, as appropriate, including any additional hours resulting from such
circumstances.
ISO 1.00 - IT operations support adequate scheduling, execution, monitoring, and continuity of
systems, programs, and processes to ensure the complete, accurate, and valid processing and
recording of financial transactions.
    ISO 1.01 - Batch and/or online processing is defined, timely executed, and monitored for
    successful completion.
    ISO 1.02 - Exceptions identified on batch and/or online processing are timely reviewed and
    corrected to ensure accurate, complete, and authorized processing of financial information.
ISO 2.00 - The storage of financial information is appropriately managed, accurate, and complete.
    ISO 2.02 - Automated backup tools have been implemented to manage retention data plans and
    schedules.
    ISO 2.04 - Tests for the readability of backups are performed on a periodic basis. Results
    support timely and successful restoration of backed up data.
Deficiency Evaluation
If deviations or findings result from the IT test procedures performed, they will be assessed to
determine their nature and cause, and whether they represent a control deficiency. Evaluation of
control deficiencies will be performed in conjunction with the financial audit team. Refer to
working paper w/p 2302, where such evaluation will be documented.
Work of Others
There will be no work of others (e.g., Internal Audit personnel, etc.) used in the IT audit.
(The table below can be included to summarize information about the relevant service
organizations.)
Service Organization | Brief Description of Relevant Service(s) Provided | Service Organization Location | Service Auditor | Report Period | Report Type/Conclusion
HRP-For-All | used to manage the company’s human resources and process payroll. | Austin, Texas. | Deloitte | July 1, 2020 – June 30, 2021 | Controls at HRP-For-All were found to be effective