
Republic of the Philippines

President Ramon Magsaysay State University


College of Accountancy and Business Administration
(Formerly Ramon Magsaysay Technological University)
Iba, Zambales, Philippines
Tel/Fax No.: (047) 811-1683

College/Department College of Accountancy and Business Administration

Course Code Pre5

Course Title Auditing in CIS

Place of the Course in the Program Major Subject

Semester & Academic Year Second Semester AY 2020-2021

AUDITING IN CIS

CHAPTER 6
AUDIT PLANNING PROCESS AND AUDIT MANAGEMENT

A structured, well-documented audit plan identifies and establishes the criteria against
which a successful audit will be measured. The planning process involves:

■ Identifying the tasks to be performed in the course of an audit
■ Allocation of those tasks to specific auditors
■ Deciding when a task should commence
■ Quantification of the duration of each individual task based upon the auditor allocated

The primary stage of planning any audit, computer or non-computer, is obtaining a clear
understanding of the business objectives of the area under review. Once the control
objectives of the area under review are clearly and fully understood, the auditor may
then proceed to identify those controls relied upon by the user to ensure that the control
objectives are achieved. Once the auditor has identified the source of evidence as to
the achievement of the control objectives, the appropriate audit technique and audit
tools may be selected. If these steps are omitted and the auditor proceeds directly to
the interrogation of computer systems and the running of Computer Assisted Audit
Techniques (CAATs), an audit will result that cannot be seen to be achieving its goals
and objectives because the goals and objectives were unknown when the audit took
place.

The Elements

An audit should include:

■ Tentative determination of the objectives and scope of the audit. This includes
determining the objectives of the audit in consultation with the auditees as well as what
is to be included within the scope of the audit and what will not be included. Once the
objectives and scope have been finalized and agreed, an engagement letter clarifying
the agreed scope and objectives should be sent to the client so that, at a later stage, no
misunderstanding will arise as to what had been agreed would and would not be
audited.

■ At this stage, the auditor will seek to determine the overall business objectives of the
area to be reviewed as well as the control objectives. The background information
regarding the area to be audited must be gathered. This involves a reading of operating
procedure manuals and discussions with operating management in order to obtain the
whole picture. The major products and services that are the key activities involved in
meeting the business objectives must be identified. Once again, this will involve
determining the level of management’s understanding of their own key performance
areas (KPAs).

■ For each KPA, performance objectives must be established. This involves seeking
core activity targets that are both achievable and, at the same time, stretching. Key
performance indicators (KPIs) must be identified that will enable the performance to be
measured appropriately. The risks and threats that could lead to non-achievement,
underachievement, or even failure must then be assessed. Both external and internal
threats must be considered.

Internal threats are those over which management has complete control, such as
choice of vendor.
External threats are those that management cannot directly control, but for which
they must nevertheless develop a coping strategy, such as interest rate fluctuations or
actions by competitors.

■ The overall intention of a specific audit may be classified as reviewing the design of
the internal control system for adequacy, tests of compliance with the designed control
system, and evaluation of the effectiveness of the implementation of the control system.

■ The selection of the audit team. In many cases the audit will be conducted by a team
of auditors that will include a mixture of disciplines. Each team typically has several
functions to perform, usually by different members of the team. These will include
determining objectives and scope, coordinating the work including assigning team
members, coordinating the project with other work going on in the department at the
same time, and reviewing all documentation for the audit process.

■ Initial communication with the auditees and others involved in the audit. Courtesy as
well as good business practice indicates that the auditor should notify the auditee and
selected others prior to the commencement of the audit. This permits the auditees to
make necessary preparation and arrange access to records, employees, and facilities.
At this point it is appropriate for the audit team leader to draft an engagement letter
outlining the information pertaining to the forthcoming audit. This letter confirms
discussions with the auditees and agreements reached on scope and objectives.

■ Preparation of the preliminary audit program. One of the most critical areas in the
planning process is establishing the audit program. This program is a detailed list of
analytical steps to be carried out during the course of the audit. Preparation of this
program enables the assignment of individual auditors to individual tasks within the
overall audit. This is essential in time management because individual auditors do not
work at the same rates. Auditor productivity will be heavily dependent on the individual
auditor’s experience and knowledge of the areas under review.

■ The planning of the audit report. The best audit in the world is a waste of time and
money if necessary improvements do not take place. In order for management to be
convinced that changes to control procedures are necessary, the auditor must produce
a report that is objective but persuasive, clear, concise, constructive, and timely. The
audit report communicates the result of the audit to the auditees and others in the
organization. The planning for the audit report begins at the preparation stage of the
audit process.

■ Approval for the audit approach. It is the responsibility of the in-charge auditor to
review and approve the audit program prior to the commencement of actual work by the
audit team. This review includes determining that the audit objectives and scope are as
required and that the specific audit procedures included in the audit program will lead to
those audit objectives being accomplished.

STRUCTURE OF THE PLAN

The structure of the plan will, in general, follow the structure of the audit process. It
will therefore include the preliminary survey of operations, the internal control
description and analysis, the expanded tests of control systems, the development of
findings and recommendations, the report production, following up, and audit
evaluation.

Preliminary Survey

The objectives of the preliminary survey are to gain an initial understanding of the
auditee’s operations and to gather preliminary evidence for further audit planning.
Where the area has been audited in the past, the preliminary survey may take the form
of confirmation of the auditor’s understanding. The survey itself will typically include an
opening conference between members of the audit team and auditee management to
outline the audit assignment with management and coordinate audit activities with
auditee operations. An on-site tour of the premises is normal to familiarize the auditor
with the nature of the operations and personnel involved. This tour permits the auditor
an initial assessment of the overall standard of internal control. Documents such as job
descriptions, organization charts, policy manuals, and critical operating documents
would be examined at this stage in order to determine if they exist, how well they are
maintained, if they are appropriately secured, and if they are ever used. Written
descriptions of the auditee’s operations prepared by the auditor can clarify the auditor’s
understanding and confirmation can be sought directly from auditee management.

Internal Control Description and Analysis

From the preliminary survey the auditor should have a good understanding of the
business and control objectives of the area under review. This stage allows the
preparation of detailed descriptions of the auditee’s internal controls related to the areas
under review. Limited testing of such controls may take place at this stage in order to
determine the size of subsequent testing required. Based on this information the auditor
would evaluate the system of internal controls in order to determine whether the control
structures in place, if effective, would lead to the desired level of control. At this point a
risk reassessment can be carried out in order to determine the need for any changes in
the objectives and scope of the audit and how much, if any, expanded audit testing is
required before conclusions can be drawn.

Expanded Tests

These are the tests that would be included in the final audit program as an addition to
the preliminary audit program. Such testing would include the examination of records
and documents, interviews with auditee management and other personnel, observation
of operations, examination of assets, interrogation of computer files, comparisons of
audit results to auditee’s reports, and other procedures designed to test the
effectiveness of the system of internal control.

Findings and Recommendations

Based on the work carried out, the auditors will develop the findings and determine what
changes, if any, are necessary to improve internal controls. A finding consists of four
distinct parts.

Criteria are those standards against which observed conditions will be measured.
Conditions refer to what was actually observed during the course of audit testing.
The effect refers to the impact on the business associated with any observed problems.
The cause of the problem addresses failures of internal control or weaknesses within
the internal control structures.

Based on these findings the auditor may choose to make recommendations. These
typically take four forms:
1. Make no changes in the control system. Where controls are deemed to be both
adequate for a given level of risk and effective in controlling that risk, and the current
control system is seen to be cost effective.
2. Improve control and reduce risk either by modifying current controls or by adding new
ones.
3. For those areas where risk is not at acceptable levels, but control is impractical or not
cost-effective to implement, the auditor may recommend the transfer of risk either by
insurance or outsourcing.
4. Should there remain an element of risk uncovered by the system of internal control
but nevertheless at an unacceptable level, the auditor may be able to recommend
changes that would improve the rate of return for accepting that level of risk.

Report Production

The overall objective of the audit was to assist management to improve control within
the organization. It is the audit report that will persuade management to take effective
action or conversely fail to persuade management. The reputation of the audit function
is largely based on the audit report because this represents a formal presentation of the
auditor’s professional competence. In most audit reports it is found beneficial to include
the comments of the auditee to any recommendations raised. The audit report itself
must be produced in a timely manner and no unwarranted delays should be permitted to
occur within the process. A 24- to 48-hour production schedule should be aimed at.

Following Up

It is critical that any recommendations made within the audit report be followed up in
order to determine whether management has accepted the risk of taking no further
action, taken the appropriate remedial steps to resolve any control weakness, or taken
no action and left the weakness as an unacceptable risk. This follow-up will itself result
in the production of a report, albeit a short one, which will hopefully state that all
outstanding issues have now been resolved.

Audit Evaluation

The final stage of the audit relates to the evaluation made by the auditors of
themselves. No audit is complete until the full audit process has been executed. It is an
essential control within the audit function itself that self-assessment be carried out at the
end of each audit project. Coming as it does at the end of the process, the step is often
omitted to the detriment of future audit performance.

TYPES OF AUDIT
Financial audits tend to involve the verification of figures produced by the computer
systems.

Operational audits focus on the effectiveness and efficiency of business operations and
could include IT in itself as a business function. These audits will normally involve
identifying performance evaluation criteria and KPAs and matching the performance
achieved against that intended.

General control audits focus on the management controls around the information
processing function and facility and may be either operational or compliance based.

Application audits can take the form of reviews of live application systems within the
user arena, audits of application systems under development, or audits of the
applications systems development process itself.

Audits involving operating systems are concerned less with the operating system itself
than with the way in which the installation has chosen to implement operating system
options.

Physical access audits are performed in the same manner as physical access audits of
any corporate asset, with the primary objective of safeguarding the corporate asset.

Logical access audits, however, will typically involve interrogation of computer systems
control files in order to match access rights granted against job requirements.
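The logical access review described above, together with the four-part finding structure (criteria, condition, effect, cause) from the Findings and Recommendations section, as an added Python example that is not part of the course notes. It plays the role of a small CAAT: it reads an extract of a system's access-control file, matches each user's granted rights against the rights their job role requires, checks one segregation-of-duties rule, and records every discrepancy as a finding. The access-control extract, the job-requirement matrix, the user ids, the role names and the right names are all constructed for illustration.

```python
"""Logical access review as a CAAT: match granted rights against job requirements.

Added example, not from the course notes. All data below is constructed.
"""
from dataclasses import dataclass

# Constructed access-control file extract: user id -> job role and granted rights.
ACCESS_FILE = {
    "acruz":   {"role": "AP clerk",      "rights": {"AP_ENTER", "AP_VIEW"}},
    "bdelrio": {"role": "AP supervisor", "rights": {"AP_ENTER", "AP_VIEW", "AP_APPROVE", "SYS_ADMIN"}},
    "cmendez": {"role": "AR clerk",      "rights": {"AR_ENTER", "AP_APPROVE"}},
    "dsantos": {"role": "Terminated",    "rights": {"AP_VIEW"}},
}

# Job requirements (the audit criteria): the rights each role needs to do its work.
JOB_REQUIREMENTS = {
    "AP clerk":      {"AP_ENTER", "AP_VIEW"},
    "AP supervisor": {"AP_VIEW", "AP_APPROVE"},
    "AR clerk":      {"AR_ENTER", "AR_VIEW"},
}

# Segregation-of-duties rule: no single user should both enter and approve payables.
INCOMPATIBLE_PAIRS = [("AP_ENTER", "AP_APPROVE")]


@dataclass(frozen=True)
class Finding:
    """One audit finding in the four-part layout used in the notes."""
    user: str
    criteria: str
    condition: str
    effect: str
    cause: str


def review_access(access_file=ACCESS_FILE, requirements=JOB_REQUIREMENTS,
                  incompatible=INCOMPATIBLE_PAIRS):
    """Return one Finding per discrepancy between granted rights and job requirements."""
    findings = []
    for user in sorted(access_file):
        role = access_file[user]["role"]
        rights = set(access_file[user]["rights"])
        required = requirements.get(role)
        if required is None:
            # No current job profile: a leaver or an undefined role still holds access.
            findings.append(Finding(
                user, "Only users with a current job role hold system access",
                f"{user} (role '{role}') holds {sorted(rights)} but has no job profile",
                "Access that cannot be tied to a business need remains usable",
                "User de-provisioning or role maintenance not performed"))
            continue
        excess = rights - required
        if excess:
            findings.append(Finding(
                user, f"A {role} is limited to {sorted(required)}",
                f"{user} additionally holds {sorted(excess)}",
                "Privileges exceed job requirements; least privilege is not enforced",
                "Access requests are approved without reference to the role profile"))
        for a, b in incompatible:
            if a in rights and b in rights:
                findings.append(Finding(
                    user, f"No user holds both {a} and {b}",
                    f"{user} holds both {a} and {b}",
                    "One person can initiate and approve the same transaction",
                    "No segregation-of-duties check at the time of access grant"))
    return findings


def users_with_findings(findings):
    """Distinct user ids that appear in at least one finding."""
    return sorted({f.user for f in findings})


def format_report(findings):
    """Render findings in the criteria/condition/effect/cause layout of an audit report."""
    lines = []
    for n, f in enumerate(findings, 1):
        lines.append(f"Finding {n} ({f.user})")
        lines.append(f"  Criteria:  {f.criteria}")
        lines.append(f"  Condition: {f.condition}")
        lines.append(f"  Effect:    {f.effect}")
        lines.append(f"  Cause:     {f.cause}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(review_access()))
```

On the constructed data the review yields four findings: two for the supervisor (excess rights and a segregation-of-duties conflict), one for the AR clerk holding an approval right outside the role, and one for the terminated user who still has access. The job-requirement matrix is the criteria; the control-file extract is the condition; the effect and cause fields are what the auditor brings to the finding, and on a real engagement the cause would be confirmed with the auditee rather than inferred.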

AUDIT MANAGEMENT

AUDIT MISSION

To review, appraise, and report on:
■ Soundness, adequacy, and application of controls
■ Compliance with established policies, plans, and procedures
■ Accounting for and safeguarding corporate assets
■ Application of proper authority levels
■ Reliability of accounting and other data
■ Quality of performance of assigned duties
■ Extent of coordinated effort between departments
■ Safeguarding of corporate interests in general

IS AUDIT MISSION

To review, appraise, and report on:
■ Soundness, adequacy, and application of IS operational standards
■ Soundness, adequacy, and application of systems development standards
■ The extent of compliance with corporate standards
■ Security of the corporate IS investment
■ Adequacy of contingency arrangements
■ Completeness and accuracy of computer-processed information
■ Whether optimum use is being made of all computing resources
■ Soundness of application systems developed

STAFFING

Depending on the size and complexity, staffing could consist of a mix of:
■ Computer audit manager
■ Application auditors
■ Trainee auditors
■ Audit application development staff
■ Technical support

Assuming a typical IS Audit coverage in a large organization, the following skills or
knowledge may be required in an IS Audit department:

■ IS security and control principles.
■ Audit principles. Auditors need to understand how to plan and undertake audits, and
how to document their work.
■ Good interpersonal and communications skills, both oral and written, because very
complex technical information often has to be communicated in a jargon-free way
■ Good sense of judgment, because they need to analyze complex technical and
business issues, and to conclude on the security and control implications.
■ Business-specific skills; for example, a bank will benefit in application reviews if some
staff have banking training.
■ Systems analysis skills, to assist in understanding computer systems, and reviewing
the development process.
■ Data analysis skills, to assist the auditor in understanding the design and
development process, as data analysis techniques are in widespread use.
■ Some programming skill, to assist in preparing computer assisted audit techniques
(CAATs) and reviewing systems under development.
■ Computer operations experience, to help the auditor to review computer installations.
■ Networks, for the review of data communications.
■ Systems software, to assist in the review of the systems software infrastructure of the
organization.
■ PCs and minicomputers. This has now become a very significant area in many
organizations.

INTEGRATED IS AUDITOR VS INTEGRATED IS AUDIT

Integrated Auditor

The basic concept is to develop an expanded auditor skill set, basically to train
financial/operational auditors to be “partial” IS Auditors. Armed with a basic
understanding of computers—and general and application controls—all auditors would
be able to include IS control considerations in each and every audit, as well as use
basic CAATs (without being totally dependent on the IS Audit staff). Basic training on
information technology and IS Audit remains the first step in developing IS Auditors
(including integrated auditors) at all skill levels.

The complete integrated auditor fully understands and will use CAATs in all audits.
Undertrained integrated auditors rely on others to do CAATs for them.

Thus, in reality, all auditors have become integrated IS Auditors—some just have
greater knowledge and skills than others. Effective integration is therefore dependent
on:
■ Expanding the IT knowledge base of each and every auditor
■ Realistic audit assignments based on knowledge and skill level
■ Extensive IS Audit tools and support
■ Effective technical supervision

Integrated Audit

The alternate solution chosen by some organizations is to focus their resources more
directly by providing an integrated audit product rather than developing an integrated
auditor. Rather than attempt to expand the knowledge base of an individual, they seek
to apply the knowledge base that currently exists within their organization by
assembling an audit team including IS Audit-trained as well as financial/operationally
trained auditors working together. Realistic audit team assignments based on
knowledge and skill level are a prerequisite, as are IS Audit management involvement
and participation.

APPLICATION AUDIT TOOLS

The tools available for computer auditors include not only CAATs but also the standard
tools such as interviews, system questionnaires, control questionnaires, and
documentation. Control evaluation tools such as CAATs, test data generators, and
flowcharting packages may be combined with specialized audit software, generalized
audit software, utility programs, and non-audit-specific software such as reporting
programs and general query languages. Risk analyzers, audit planning software, and
automated working papers may also prove useful tools in this environment.

SPECIALIST AUDITOR

Many organizations make use of specialists within their IS Audit function to carry out
tasks classed as being beyond the scope of the conventional IS Auditor. These include
such audit areas as performance auditing of computerized systems, auditing logical
computer security, auditing telecommunications, auditing that technical specialist’s area,
and auditing IS strategic planning.

IS AUDIT QUALITY ASSURANCE

As with any other audit area, quality assurance remains the responsibility of the audit
manager. In practice, this will normally involve review of audit work by other IS Auditors
as well as audit management. It is critical, to maintain the confidence of the auditee and
the IS department in the IS Audit function, that IS Audit work be seen to be technically
competent in all of the areas addressed. Once more, where such assurance cannot be
given in-house, outside sources may be used as external quality assurance (QA)
reviewers. Such external resources can come from a variety of sources including
specialist consultancy firms and independent external auditors.
