Scribd Logo
Upload

Welcome to Scribd!

  • 2007 - Introduction To IT Audit 04

    Uploaded by

    pmdrnora
    9 views19 pages
    The document discusses planning for IT audits. It describes that planning helps direct and control audit work, highlights critical areas, allocates resources, and obtains sufficient evidence. There are three types of planning: strategic plans covering 3-5 years, annual plans translating long-term goals into yearly work, and micro plans detailing tasks for individual audits. Micro plans include technical planning to understand the IT environment and logistical planning covering responsibilities, methodology, and timelines. Risk assessment identifies inherent, control, and detection risks. The document outlines the audit planning memo and covers scoping the audit, objectives, critical areas, and resource needs.

    Original Description:

    Original Title

    2007_Introduction-to-IT-Audit-04

    Copyright

    © © All Rights Reserved

    Available Formats

    PPT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    The document discusses planning for IT audits. It describes that planning helps direct and control audit work, highlights critical areas, allocates resources, and obtains sufficient evidence. There are three types of planning: strategic plans covering 3-5 years, annual plans translating long-term goals into yearly work, and micro plans detailing tasks for individual audits. Micro plans include technical planning to understand the IT environment and logistical planning covering responsibilities, methodology, and timelines. Risk assessment identifies inherent, control, and detection risks. The document outlines the audit planning memo and covers scoping the audit, objectives, critical areas, and resource needs.

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    9 views19 pages

    2007 - Introduction To IT Audit 04

    Uploaded by

    pmdrnora
    The document discusses planning for IT audits. It describes that planning helps direct and control audit work, highlights critical areas, allocates resources, and obtains sufficient evidence. There are three types of planning: strategic plans covering 3-5 years, annual plans translating long-term goals into yearly work, and micro plans detailing tasks for individual audits. Micro plans include technical planning to understand the IT environment and logistical planning covering responsibilities, methodology, and timelines. Risk assessment identifies inherent, control, and detection risks. The document outlines the audit planning memo and covers scoping the audit, objectives, critical areas, and resource needs.

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 19

    IT audit

    training
    for

    Planning for IT Audit

    Session 4

    March 2007 Introduction to IT Audit : S4/ 1


    IT audit
    training
    for
    Planning

    Planning helps in
     the direction and control of auditor’s work;
     highlighting critical areas ;
     allocation of scarce audit resources towards more
    important areas;
     setting time frame and targets for review work ;
     obtaining sufficient, reliable and relevant audit
    evidence and
     subsequently aid the auditee in sound decision
    making
    March 2007 Introduction to IT Audit : S4/ 2
    IT audit
    training
    for
    Types of Planning

     Strategic plan
     Annual plan
     Micro plan / audit programme

    March 2007 Introduction to IT Audit : S4/ 3


    IT audit
    training
    for
    Strategic Plan

    Plan for a period of 3-5 years and addresses


    issues like
     aims and long term objectives of audit;
     audit priorities and criteria for
    prioritisation;
     how to re-orient audit techniques and
    methods to meet the changing
    requirements;
     human and infrastructure requirements and
     training needs

    March 2007 Introduction to IT Audit : S4/ 4


    IT audit
    training
    for
    Annual Plan

     Translates the long term plan into a


    programme of work for the ensuing year
     Planning here defines the aims and
    objectives of each of the major audits to be
    undertaken during the year, given the
    resources available within the SAI

    March 2007 Introduction to IT Audit : S4/ 5


    IT audit
    training
    for
    Micro Plan

    Operational plan for each individual audit and


    spells out the details of tasks to be
    undertaken for each audit along with the
    time schedule
     Technical Planning
     Logistical Planning
     Risk Assessment

    March 2007 Introduction to IT Audit : S4/ 6


    IT audit
    training
    for
    Technical Plan

    Obtain an overview of
     the nature of auditee business and the business
    environment regulatory environment in which the
    auditee functions
     the size, type, nature and complexity of the IT
    systems major IT systems
     nature of risks the systems are exposed to critical
    organizational units/functions
     main types and volume of transactions processed
    by the systems
     extent and scope of internal audit

    March 2007 Introduction to IT Audit : S4/ 7


    IT audit
    training
    for
    Logistical Plan

    Involves
     allocation of responsibilities of the IT audit team;
     planning the methodology of audit;
     deciding the scope and extent of audit coverage
     framing budget and obtaining approvals
     drawing up the time schedule for various tasks;
     exploring ways of obtaining audit evidence and
     framing the reporting requirements

    March 2007 Introduction to IT Audit : S4/ 8


    IT audit
    training
    for
    Risk Assessment

    Risk assessment is the responsibility of the


    top management and includes a systematic
    consideration of
     the business harm likely to result from a
    security failure,
     the realistic likelihood of such a failure
    occurring and
     the controls currently implemented

    March 2007 Introduction to IT Audit : S4/ 9


    IT audit
    training
    for
    Steps in Risk Analysis

     Inventory of information systems in use in


    the organization
     Determine which of the systems impact
    critical functions or assets, such as money,
    materials, customers, decision making, and
    how close to real time they operate.
     Assess what risks affect these systems and
    the severity of impact on the business

    March 2007 Introduction to IT Audit : S4/ 10


    IT audit
    training
    for
    Types of Risks

     Inherent risk
     Control risk
     Detection risk

    March 2007 Introduction to IT Audit : S4/ 11


    IT audit
    training
    for
    Inherent Risk

     Inherent risk is the susceptibility of


    information resources or resources
    controlled by the information system to
    material theft, destruction, disclosure,
    unauthorized modification, or other
    impairment, assuming that there are no
    related internal controls

    March 2007 Introduction to IT Audit : S4/ 12


    IT audit
    training
    for
    Control Risk

     Control risk is the risk that an error which


    could occur in an audit area, and which
    could be material, individually or in
    combination with other errors, will not be
    prevented or detected and corrected on a
    timely basis by the internal control system

    March 2007 Introduction to IT Audit : S4/ 13


    IT audit
    training
    for
    Detection Risk

     Detection risk is the risk that the IT


    auditor’s substantive procedures will not
    detect an error which could be material,
    individually or in combination with other
    errors.

    March 2007 Introduction to IT Audit : S4/ 14


    IT audit
    training
    for
    Introduction to Controls

     Internal controls include policies,


    procedures, practices and organizational
    structures put in place to reduce risks
     The extent of internal controls present
    would determine the risk levels of the
    application under audit and also the
    quantum of auditing to be undertaken

    March 2007 Introduction to IT Audit : S4/ 15


    IT audit
    training
    for
    Audit Planning Memo

    The purposes of an audit planning memo is to:


     define the scope of IT audit;
     describe the justification for the audit
    approach;
     describe how the audit should progress;
    and
     provide a means for communicating the
    audit plan to other assigned audit staff

    March 2007 Introduction to IT Audit : S4/ 16


    IT audit
    training
    for
    Outline of Audit Planning Memo

     Background of the audited entity


     Objectives of the audit
     Critical areas to be examined
     Resource requirements

    March 2007 Introduction to IT Audit : S4/ 17


    IT audit
    training
    for
    Audit Scope

    Scope defines the boundaries of the audit. It


    addresses aspects like
     period and
     number of locations to be covered and
     the extent of substantive testing depending
    on risk levels and control weaknesses

    March 2007 Introduction to IT Audit : S4/ 18


    IT audit
    training
    for
    Audit Objectives

    Audit objectives should take into


    consideration
     the managements’ objectives for a system
     whether the system meets the
    managements’ objectives and serves the
    business interests

    March 2007 Introduction to IT Audit : S4/ 19

    You might also like