
Developing and Implementing a Risk-based IT Audit Strategy
AUDITING IN CIS
ENVIRONMENT – TOPIC 1
Learning Objectives:
1. Discuss how technology is constantly evolving and shaping today’s business (IT) environments.

2. Discuss the auditing profession and define financial auditing.

3. Differentiate between the two types of audit functions that exist today (internal and external).

4. Describe current IT auditing trends, and identify the needs to have an IT audit.

5. Discuss the process of auditing information systems and the organization of the IS audit function.

6. Discuss the Audit Planning and Risk Assessment procedures.


Information Technology Environment and IT Audit
The need for improved control over IT, especially in commerce, has been advanced over the years in
earlier and continuing studies by many national and international organizations. Essentially,
technology has impacted various significant areas of the business environment, including the use and
processing of information, the control process, and the auditing profession.

• Technology has improved the ability to capture, store, analyse, and process tremendous amounts of data and
information, expanding the empowerment of the business decision maker.
• It has also become a primary enabler to production and service processes. There is a residual effect in that the
increased use of technology has resulted in increased budgets, increased successes and failures, and better
awareness of the need for control.
• Technology has significantly impacted the control process around systems.
Information Technology Environment and IT Audit (cont’d.)
• Although control objectives have generally remained constant, except for some that are technology specific,
technology has altered the way in which systems should be controlled. Safeguarding assets, as a control
objective, remains the same whether it is done manually or is automated. However, the manner by which the
control objective is met is certainly impacted.
• Technology has impacted the auditing profession in terms of how audits are performed (information capture
and analysis, control concerns) and the knowledge required to draw conclusions regarding operational or
system effectiveness, efficiency, and reporting integrity. Initially, the impact was focused on dealing with a
changed processing environment.
• As the need for auditors with specialized technology skills grew, so did the IT auditing profession.
Technology is constantly evolving and finding
ways to shape today’s IT environment in the
organization.
Enterprise Resource Planning (ERP)
ERP is software that provides standard business functionality in an integrated IT environment system
(e.g., procurement, inventory, accounting, and human resources [HR]).

ERPs allow multiple functions to access a common database—reducing storage costs and increasing
consistency and accuracy of data from a single source. Additionally, ERPs:

• Have standard methods in place for automating processes (i.e., information in the HR system can be used by
payroll, help desk, and so on).

• Share real-time information from modules (finance, HR, etc.) residing in one common database; hence,
financial statements, analyses, and reports are generated faster and more frequently.
ERP defined
ERP is an acronym that stands for “Enterprise Resource Planning”, the consolidated process of
gathering and organizing business data through an integrated software suite. ERP software contains
applications that automate business functions like production, sales quoting, accounting, and more.

In layman’s terms, ERP facilitates your company operations across every department. ERP
solutions improve how you handle business resources, whether it’s raw materials for
manufacturing or staffing hours for human resources.
Some of the primary ERP suppliers today include SAP, FIS Global,
Oracle, Fiserv, Intuit, Inc., Cerner Corporation, Microsoft,
Ericsson, Infor, and McKesson.
ERP (cont’d.)
Despite the many advantages of ERPs, they are not much different from purchased or packaged
systems, and may therefore require extensive modifications to new or existing business processes. ERP
modifications (i.e., new software releases) require considerable programming to retrofit all of the
organization-specific code.
Cloud Computing
Cloud computing refers to the use of the Internet (versus one’s own computer’s hard drive) to store and
access data and programs.

“Model for enabling ubiquitous, convenient, on-demand network access to a shared pool of
configurable computing resources (e.g., networks, servers, storage, applications, and services) that
can be rapidly provisioned and released with minimal management effort or service provider
interaction.”
How does it relate to Cloud Storage?
Cloud storage is a cloud computing model that stores data on the Internet through a cloud
computing provider who manages and operates data storage as a service. It’s delivered on
demand with just-in-time capacity and costs, and eliminates buying and managing your own data
storage infrastructure. This gives you agility, global scale and durability, with “anytime,
anywhere” data access.

Cloud storage is purchased from a third party cloud vendor who owns and operates data storage
capacity and delivers it over the Internet in a pay-as-you-go model. These cloud storage vendors
manage capacity, security and durability to make data accessible to your applications all around
the world.
Mobile Device Management (MDM)
MDM, also known as Enterprise Mobility Management, is a relatively new term, but already shaping
the IT environment in organizations. MDM is responsible for managing and administering mobile
devices (e.g., smartphones, laptops, tablets, mobile printers, etc.) provided to employees as part of their
work responsibilities. Specifically, these mobile devices:

• Integrate well within the organization and are implemented to comply with organization policies and
procedures
• Protect corporate information (e.g., emails, corporate documents, etc.) and configuration settings for all
mobile devices within the organization
IT Environment as Part of the Organization Strategy
In today’s environment, organizations must integrate their IT with business strategies to attain their
overall objectives, get the most value out of their information, and capitalize on the technologies
available to them.

IT is now regarded as an integral part of that strategy to attain profitability and service.

At the same time, issues such as IT governance, international information infrastructure, security, and
privacy and control of public and organization information have driven the need for self-review and
self-assurance.
How does management view audit?
For the IT manager, the words “audit” and “auditor” send
chills up and down the spine.
How management views audit (cont’d)
Yes, the auditor or the audit has been considered an evil that has to be dealt with by all managers. In
the IT field, auditors in the past had to be trained or provided orientation in system concepts and
operations to evaluate IT practices and applications.

IT managers cringe at the auditor’s ability to effectively and efficiently evaluate the complexities and
grasp the issues.

Nowadays, IT auditors are expected to be well aware of the organization’s IT infrastructure, policies,
and operations before embarking on their reviews and examinations. More importantly, IT auditors
must be capable of determining whether the IT controls put in place by the organization ensure data
protection, adequately align with the overall organization goals, and support the reasonableness of
financial reporting.
Internal versus External Audit Functions
There are two types of audit functions that exist today. They have very important roles in assuring the
validity and integrity of financial accounting and reporting systems. They are the internal and external
audit functions.
Internal Audit Function
“An independent, objective assurance and consulting activity designed to add value and improve an
organization’s operations.” IA brings organizations a systematic and disciplined approach to assess and
enhance their risk management, control, and governance processes, as well as to accomplish their goals
and objectives.
External Audit Function
The external audit function evaluates the reliability and the validity of systems controls in all forms.
The principal objective in such evaluation is to minimize the amount of substantial auditing or testing
of transactions required to render an opinion on the financial statements.

External auditors are provided by public accounting firms, and external audit functions also exist in government.

From a public accounting firm standpoint, firms such as Deloitte, Ernst & Young,
PricewaterhouseCoopers, and KPMG (altogether referred to as the “Big Four”) provide these types of
external audit services worldwide. The external auditor is responsible for testing the reliability of client
IT systems and should have a special combination of skills and experience.
External Audit Function (cont’d)
Such an auditor must be thoroughly familiar with the audit attest function. The attest function
encompasses all activities and responsibilities associated with the rendering of an audit opinion on the
fairness of the financial statements. Besides the accounting and auditing skills involved in performing
the attest function, these external auditors must also have substantial IT audit experience.
The Process of Auditing Information Systems
Management of the IS audit function
• Auditing should be managed and led in a manner that ensures all the tasks are performed and
accomplished by the audit team
• Auditors should maintain independence as well as their competence in the auditing process
• The audit function should have value-added contributions for the senior management
• The audit function should also achieve business objectives
Organization of the IS Audit Function
Audit services can be either external or internal.
• Internal: An internal audit function should be established by charter and have the approval of senior management
  • This can be an internal audit
  • The audit can function as an independent group
  • The audit function, integrated within a financial and operational audit, provides IT-related control assurance to the financial
or management auditors

• External: IS audit services are provided by an external firm
  • The scope and objectives of these services should be listed in a formal contract between the organization and the external
auditing team

In either internal or external auditing there should be independence of the auditing team, and they should
report to a high level of management.
IS Audit Resource Management
As technology changes it is important that management ensures the auditors keep their skill sets up to
date
• This requires training that is directed to new auditing techniques and updated technology
• Standards require that the auditing team be technically competent
• Management should consider the auditor’s skills and knowledge when planning an audit
Audit Planning
Annual planning:
• Short-term planning should take into account issues that will be covered during the year
• Long-term planning will take into account the issues regarding changes to the organization’s IT strategic direction
• Both long- and short-term issues should be reviewed annually
Audit Planning (cont’d.)
Other planning considerations:
• Periodic risk assessments
• Changes in technology
• Changing privacy issues
• Regulatory requirements
• System implementations or upgrade deadlines
• Future technologies
• IS resource limitations
Audit Planning (cont’d.)
Information gathering:
• An understanding of the overall environment
• Business practices and functions relating to the audit
• Types of information systems and technologies supporting the business
• Listing of all regulatory requirements under which the business operates
Audit Planning (cont’d.)
Auditing standards require the auditor to address the audit objectives and to comply with professional
auditing standards.

The IS auditor should have another plan that considers the objectives of the organization that are
relevant to what is being audited in the technology infrastructure.
• This plan should include an understanding of the organization’s IT architecture and technological direction
Audit Planning (cont’d.)
Guidelines that the IS auditor should follow:
• Reviewing background information such as industry publications and/or annual reports
• Reviewing prior audit reports
• Understanding the business and IT long-term plans
• Talking with managers to learn about the business issues
• Researching the specific regulations that apply
• Determining whether any IT functions are outsourced
• Walking through the organization’s facilities
Impact of computer-based systems on the audit approach
The fact that systems are computer-based does not alter the key stages of the audit process.
Planning
The effect of information technology on the audit procedures, including the availability of data
and the expected use of computer-assisted audit techniques, is one of the characteristics of
the audit that needs to be considered in developing the overall audit strategy.
Risk assessment
The auditor shall obtain an understanding of the internal control relevant to the audit (PSA 315).
Risk and Internal Control Assessment
The application notes to PSA 315 identify the information system as one of the five
components of internal control. It requires the auditor to obtain an understanding of the
information system, including the procedures within both IT and manual systems.

In other words, if the auditor relies on internal control in assessing risk at an assertion
level, he/she needs to understand and test the controls, whether they are manual or
automated. Auditors often use internal control evaluation (ICE) questions to identify
strengths and weaknesses in internal control. These questions remain the same – but in
answering them, the auditor considers both manual and automated controls.
Testing
The auditor shall design and perform further audit procedures whose nature, timing and
extent are based on and are responsive to the assessed risks of material misstatement at the
assertion level. (PSA 330)
Per PSA 330:
The statement holds true irrespective of the accounting system, and the auditor will design
compliance and substantive tests that reflect the strengths and weaknesses of the system. When
testing a computer information system, the auditor is likely to use a mix of manual and
computer-assisted audit tests.
The key objectives of an audit do not change in a computer environment. The auditor still
needs to obtain an understanding of the system in order to assess control risk and plan audit
work to minimise detection risk. The level of audit testing will depend on the assessment of
key controls. If these are programmed controls, the auditor will need to ‘audit through the
computer’ and use CAATs to ensure controls are operating effectively.

In small computer-based systems, ‘auditing around the computer’ may suffice if sufficient
audit evidence can be obtained by testing input and output.