
Audit Risk and Materiality

• Inherent Risk – risk that arises from the nature of the
business itself.
• Control risk – risk that the client's internal control
system will fail to prevent, detect or correct
errors.
• Detection risk – risk that the auditor's procedures
will fail to detect errors.
• Audit Risk = Inherent Risk x Control Risk x
Detection Risk
• A risk-based audit approach is usually adopted to
develop and improve the continuous audit process. This
approach is used to assess risk and to assist an IS auditor
in deciding whether to perform compliance testing or
substantive testing. IS auditors also rely on internal
controls as well as knowledge of the business. Risk-based
auditing minimizes the audit risk during the execution of
an audit.
• Compliance testing – evidence gathering for the purpose
of testing an organization's compliance with control
procedures.
• Substantive testing – evidence gathering to evaluate the
integrity of data, transactions or any other information.
Audit risk
• Audit risk can be defined as the risk that information may contain a
material error that goes undetected during the course of the audit.
An error that would affect the auditor's judgement is called a material error.
• Materiality: Materiality can be understood in the context of how
significant a loss is to the organization if a particular control is absent,
ineffective or inefficient.
• Measure of the estimated effect that the presence or absence of an
item of information may have on the accuracy or validity of a
statement.
• An audit concept regarding the importance of information with regard
to its impact or effect on the subject matter being audited. Information
is said to be material if omitting it or misstating it could influence
decisions that users make on the basis of it. The assessment of what is
material is a matter of professional judgment. The IS auditor should
consider potential weaknesses or absence of controls and whether such a
weakness or absence could result in a significant deficiency in the
information system.
ITGC and ITAC
• An IT control is a procedure or policy that provides a reasonable assurance
that the information technology (IT) used by an organization operates as
intended, that data is reliable and that the organization is in compliance
with applicable laws and regulations. IT Controls can be categorized as
either general controls (ITGC) or application controls (ITAC).
• An IT general control should demonstrate that the organization has a
procedure or policy in place for technology that affects the management
of fundamental organizational processes such as risk management,
change management, disaster recovery and security. IT application
controls, which are actions that a software application does automatically,
should demonstrate that software applications used for specific business
processes (such as payroll) are properly maintained, are only used with
proper authorization, are monitored and are creating audit trails.
ITGC
• Logical access control
• SDLC
• Change management
• Backup and recovery
• Physical security
• Operations control
Logical access control
• User Review -users come and go, change positions and
responsibilities, and are assigned to new projects all the
time. To make sure that users are assigned the correct
authorizations, formalize the user access review process.
• Assign Appropriate User Privileges – follow the principle of
the “least-privileged user account.” This means that a user
should be given access to as few resources as possible: they
should be authorized to use the resources that they need to
do their job, but no more. Problems arise when special
privileges are temporarily given to employees and are not
revoked after the temporary period has expired.
Logical access control-cont.
• Segregation of Duties- Segregation of Duties (SoD) is a principle of
risk management that distributes critical functions among a
number of people so that no one person has complete control or
access. Critical tasks should be broken down into multiple smaller
tasks so that one person is not in control of the entire process.
• Manage Generic User Accounts - Sometimes it is useful for
training, testing and other purposes to have generic user accounts
set up on your network. However, a generic user account –
without an actual person assigned– is a security risk. Make sure to
delete generic user accounts that are no longer being used, and
do not assign Admin rights or rights to mission-critical systems to
generic user accounts.
Logical access control-cont.
• Disable Unnecessary User Accounts-
– Delete dormant accounts
– Remove users from groups that they shouldn’t be
part of
– Review group policies
– Delete unnecessary user login details
• Maintain Clear Documentation – an easy-to-follow
documentation trail is necessary.
Access Provisioning Process
• Request
• Reason
• Approve
• Grant (network)
• Grant (system)
• Access Deprovisioning process
– Complete exit
– Transfer
Controls
• The controls listed below must be implemented effectively for all access
requests. Ensure:
• Provisioning
– Does proper documentation exist?
– Was the access appropriately approved?
– Was the access appropriately granted?
• Termination
– Does proper documentation exist?
– Was the access appropriately removed?
• The termination control is checked for all employees who left, not on a
sample basis.
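As an added example (not from the slides), the provisioning and termination tests above expressed as an auditor's reconciliation script: provisioning is tested on the requests supplied, termination over the full population of leavers. The request fields, user names and system names are constructed sample data.

```python
# Added example (not from the slides): an auditor's test of the access
# provisioning and termination controls above, run over constructed data.
from dataclasses import dataclass
@dataclass
class AccessRequest:
    request_id: str
    user: str
    reason: str        # documented business reason ("" = missing)
    approver: str      # "" = never approved
    granted_by: str    # who performed the grant ("" = not recorded)
REQUESTS = [  # constructed sample population (not real data)
    AccessRequest("R1", "alice", "joins payroll team", "mgr1", "itops"),
    AccessRequest("R2", "bob", "", "mgr2", "itops"),            # no reason
    AccessRequest("R3", "carol", "temp project", "", "itops"),  # never approved
    AccessRequest("R4", "dave", "new hire", "dave", ""),        # self-approved
]
LEAVERS = {"erin": True, "frank": False}   # user -> exit form completed?
ACTIVE = {"payroll": {"alice"}, "erp": {"bob", "carol", "erin"}, "hr": {"dave"}}

def check_provisioning(requests):
    """Provisioning: documented, approved (not by self), grant recorded."""
    findings = {}                      # request_id -> list of exceptions
    for r in requests:
        issues = []
        if not r.reason.strip():
            issues.append("no documented reason")
        if not r.approver:
            issues.append("not approved")
        elif r.approver == r.user:
            issues.append("self-approved")
        if not r.granted_by:
            issues.append("grant not recorded")
        if issues:
            findings[r.request_id] = issues
    return findings

def check_termination(leavers, active):
    """Termination: every leaver is checked, not a sample."""
    findings = {}                      # user -> list of exceptions
    for user, exit_form in leavers.items():
        issues = []
        if not exit_form:
            issues.append("exit documentation missing")
        still_on = sorted(s for s, users in active.items() if user in users)
        if still_on:
            issues.append("account still active on: " + ", ".join(still_on))
        if issues:
            findings[user] = issues
    return findings
```

Each dictionary returned is the exception list the auditor would carry into the working papers; an empty dictionary means the control operated for every item tested.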
CHECKLIST
SDLC
• Throughout the steps in the SDLC, documentation is created that
provides valuable potential sources of evidence for IT auditors.
• During the initial planning phase, several documents are generated.
• They include:
– long-term plan,
– policies for selection of IT projects,
– long-term and short-term IT budget,
– as well as preliminary feasibility studies and project authorizations.
• Determine the extent of the responsibilities of management, internal
audit, users, quality assurance, and data processing during the system
design, development, and maintenance.
• Review SDLC work papers to determine if the appropriate levels of
authorization were obtained for each phase.
…SDLC continued
• In systems analysis phase, IT professionals
gather information requirements for the IT
project.
• Review and evaluate the procedures for
performing a needs analysis.
• Review a needs analysis for a recent project
and determine if it conforms to standards.
• Systems Design and Development
– Review and evaluate the procedures for systems design
and development.
– Review design specification schedules, look for written
evidence of approval, and determine whether the design
specifications comply with the standards.
– Determine if an audit trail and programmed controls are
incorporated in the design specifications of a recent
project.
– Review samples of source documents used for data entry
which are included in SDLC work papers of a recently
developed application. Determine if they are designed to
facilitate accurate gathering and entry of information.
• Testing Procedures
– Review and evaluate the procedures for system and program testing.
– Review documented testing procedures, test data, and resulting output
to determine if they appear to be comprehensive.
– Review the adequacy of testing performed on the manual phases of an
application.
• Implementation Procedures
– Review and evaluate procedures for program promotion and
implementation.
– Review documentation of the program promotion procedure.
Determine if the standards are followed and if documentation of
compliance with the standards is available. Trace selected program and
system software changes to the appropriate supporting records to
determine if the changes have been properly approved.
– Review documentation of the conversion/implementation of a newly
developed application.
• Post-implementation Review
– Review and evaluate the procedures for performing
post-implementation reviews.
– Review program modifications, testing procedures, and
the preparation of supporting documentation to
determine if the standards are being followed.
• Maintenance of Applications
– Review and evaluate the procedures for the
maintenance of existing applications.
– Review program modifications, testing procedures, and
the preparation of supporting documentation to
determine if the standards are being followed.
Change management
• At a minimum the change control process should include the following
phases:
– Logged Change Requests;
– Identification, prioritization and initiation of change;
– Proper authorization of change;
– Requirements analysis;
– Inter-dependency and compliance analysis;
– Impact Assessment;
– Change approach;
– Change testing;
– User acceptance testing and approval;
– Implementation and release planning;
– Documentation;
– Change monitoring;
• The seven Rs to establish for every change:
– Raised
– Reason
– Return
– Risks
– Resources
– Responsible
– Relationship
Change management process
• Request
• Develop
• Test
• Approve
• Mitigate
• Change types: normal, emergency, standard
Controls
• The controls listed below must be implemented effectively for all
changes. Ensure:
– Does proper documentation exist?
– Is comprehensive testing carried out?
– Is the change appropriately approved?
– Are migration activities performed by appropriate individuals?
https://www.smartsheet.com/operational-audit-process
Checklist
Audit point (question or prompt) | What to look for | Audit evidence (e.g. audit schedule) | Yes/No | Comment
e.g. Are internal audits conducted as planned? | | | |

Form a checklist for:
1) Fire hazard, water damage, air conditioning, power supply
2) Access controls
3) Backup procedures
4) Internet usage
5) Anti-virus
6) Password
Backup
• Perform Regular Backups
– The principle for regular data backups is to back up data daily.
– That backup could be to media (e.g., tape or external hard drive), or
– to a remote location via the cloud (i.e., the Internet).
– End-of-week and end-of-month backups should be made to a different medium.
• Test Backup Process Reliability
– The IT auditor should still validate what is being backed up.
– Because there is a risk of corruption during the backup process, an IT auditor
should ensure that a health check is periodically performed.
• Use Secure Storage
– Use a location that is at a safe distance from the entity's location. The
cloud automatically provides this element.
• Perform Test Restores
– Perform a test restore of the backup at least once a year.
IT Operations Control
• The roles of IT operations include the following:
– Capacity Planning
– Performance Monitoring
– Initial Program loading
– Media Management
– Job scheduling
– Help desk and problem management
– Maintenance of both hardware and software
– Network monitoring and administration
Application Control Review
Application controls
• Application controls pertain to specific computer applications. They
include controls that help to ensure the proper authorization,
completeness, accuracy, and validity of transactions, maintenance,
and other types of data input. Examples include system edit checks of
the format of entered data to help prevent possible invalid inputs,
system enforced transaction controls that prevent users from
performing transactions that are not part of their normal duties, and
the creation of detailed reports to ensure all transactions have been
posted completely and accurately.
• Application Controls include:
– Controls over the input of transactions.
– Controls over processing.
– Controls over output.
– Controls over standing data and master files.
• An application system is a set of interrelated
components designed for performing a
particular business process or a group of
business processes.
• All the activities of the business process can
be carried out through the computer, or the
output from a computer system can be used
intermittently as input for a manual system,
and then the output of the manual system can
again be used as input for a computer system
to get the final output.
Types of application system
• Single user Applications
– Stand alone environment
• Multi-user application
– File and Record level locking
– Works in networking environment
• Client server
– Works in a request-response way.
• Web-based application
– Thin clients:
• Browser-based solutions where the server is a web server
and the clients are browsers.
• A thin client machine communicates with a
central processing server, meaning there is little
hardware and software installed on the user's machine.
– Thick clients:
• A system designed to have software loaded on
the user's PC
• Processing is done locally on the user's system, and the
server is accessed primarily for storage purposes
Subsystem Factoring
• Boundary control
• Input control – These controls are used mainly to check
the integrity of data entered into a business application,
whether the data is entered directly by staff, remotely
by a business partner, or through a web-enabled
application interface. Data input is checked to ensure
that it remains within specified parameters.
• Processing control - These controls provide an
automated means to ensure processing is complete,
accurate and authorized.
• Output control-These controls address what is
done with the data and should compare
output results with the intended result by
checking the output against the input.
Boundary Subsystem and Controls
• Objectives of boundary subsystem
– The system has an authentic user
– The user gets authentic resources
– Users are allowed to employ resources only in
restricted ways
• Access Control
– Logon IDs and Passwords
– Interrogation System -
• Terminal Restriction
– Access to the application is restricted to the
designated terminal
• Temporal Restriction
– Access to the application is restricted on the basis
of time, e.g. cash payment in a bank during customer
hours
• Usage Control
– Access to menu on a “need to know” basis
– Based on profile e.g. Librarian, member
Audit trail control for boundary system
• Audit trails are basically the primary source
for building the profile of past behavior of any
system/subsystem.
– Operational: Maintains record of resource
consumption within the system
– Accounting: Maintains the record of each event
within the system. (Identification, Authentication,
resource requested, action privileges, terminal
identifier, Start and finish time, number of login
attempt, resource provided/denied etc.)
Input Subsystem
• Validation of input
• Field level input control
– Sequence check: invoice numbers
– Limit check: payment does not exceed a predetermined amount
– Range check: product code, marks
– Set mapping/validity check: gender, marital status
– Master reference: states, hard coded or from the database
– Completeness check: fields contain data rather than zeros or blanks (no null values)
– Duplicate check: new transactions are matched to those previously input to
ensure that they have not already been entered, e.g. the vendor invoice number
is compared with previously recorded invoices to ensure that the current one is
not a duplicate and, therefore, the vendor will not be paid twice.
– Logical relationship check: if a condition is true, then one or more additional
conditions or data input relationships may be required to be true for the
input to be considered valid.
• File level input control: the input validation program checks the
correctness of input from different files or files used by other
applications (generation number/version number, retention date).
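As an added example (not from the slides), the field-level checks listed above implemented as an input validation routine over constructed vendor invoice records; the payment limit, discount range, currency set, state master and field names are assumptions chosen for illustration.

```python
# Added example (not from the slides): the field-level input controls listed
# above applied to constructed invoice records; the limits, code sets and
# field names are assumptions chosen for illustration.
PAYMENT_LIMIT = 10_000.0                     # limit check
DISCOUNT_RANGE = (0, 50)                     # range check (percent)
VALID_CURRENCIES = {"USD", "EUR", "INR"}     # set mapping / validity check
STATE_MASTER = {"MH", "KA", "DL"}            # master reference (hard coded)
REQUIRED = ("invoice_no", "vendor", "amount", "currency", "state")

def check_record(rec, seen_invoices):
    """Field-level checks on one record; returns the list of failures."""
    errors = [f"{f}: missing" for f in REQUIRED if rec.get(f) in (None, "", 0)]  # completeness
    if rec.get("invoice_no") in seen_invoices:                # duplicate check
        errors.append("invoice_no: duplicate (vendor would be paid twice)")
    if (rec.get("amount") or 0) > PAYMENT_LIMIT:             # limit check
        errors.append(f"amount: exceeds limit {PAYMENT_LIMIT}")
    disc = rec.get("discount_pct", 0)
    if not DISCOUNT_RANGE[0] <= disc <= DISCOUNT_RANGE[1]:   # range check
        errors.append("discount_pct: out of range")
    if rec.get("currency") not in VALID_CURRENCIES:          # validity check
        errors.append("currency: not in valid set")
    if rec.get("state") not in STATE_MASTER:                 # master reference
        errors.append("state: not in master")
    if disc > 0 and not rec.get("approval_code"):            # logical relationship
        errors.append("discount_pct: discount without approval_code")
    return errors

def validate_batch(records, previous_invoices=()):
    """Validate a batch, adding the sequence check across consecutive records;
    returns {invoice_no: [failures]} for records that fail any check."""
    seen, last_no, results = set(previous_invoices), None, {}
    for rec in records:
        inv = rec.get("invoice_no")
        errs = check_record(rec, seen)
        if inv and last_no is not None and inv <= last_no:   # sequence check
            errs.append("invoice_no: out of sequence")
        if inv:
            seen.add(inv)
            last_no = inv
        if errs:
            results[inv] = errs
    return results

BATCH = [  # constructed sample input: one clean record and three with defects
    {"invoice_no": 101, "vendor": "Acme", "amount": 500.0, "currency": "USD", "state": "MH"},
    {"invoice_no": 101, "vendor": "Acme", "amount": 500.0, "currency": "USD", "state": "MH"},
    {"invoice_no": 100, "vendor": "Beta", "amount": 12000.0, "currency": "GBP",
     "state": "XX", "discount_pct": 60},
    {"invoice_no": 104, "vendor": "", "amount": 200.0, "currency": "EUR",
     "state": "DL", "discount_pct": 10},
]
```

Passing `previous_invoices` lets the duplicate check compare against invoices already recorded in earlier batches, which is the case the slide describes.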

Data Entry Screen Design


• Screen organization
• Screen caption
• Field design
• Tabbing
• Color
• Prompting help facility
Audit trail for Input control
• Audit trail for the input subsystem should
contain
– Identity of the person (organization) who was
source of data
– Identity of the person who entered data
– The date and time of data entered
– Physical device through which data was entered
– Account or record to be updated by the transaction
– Number of read errors made by an optical scanning
device
Processing Control
• Assures that data processing has been
performed as intended: have the transactions
updated the files?
• Lost and rejected entries – if an update spans more
than one file or table and the process is
interrupted, is there a provision for rollback?
• Automated functionality and calculations
• Compare input and output values
• Review reports and evidence
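As an added example (not from the slides), the rollback question above worked through on a two-table update with SQLite, together with a reconciliation of input to output of the kind the "compare input and output values" control calls for. The ledger schema, account names and amounts are constructed.

```python
# Added example (not from the slides): a processing control for an update
# that spans two tables, showing the "lost entry" risk without rollback and
# the reconciliation of input to output. Schema and amounts are constructed.
import sqlite3

def make_db():
    """In-memory ledger: account balances plus a posting journal."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript("""
        CREATE TABLE accounts (acct TEXT PRIMARY KEY, balance REAL NOT NULL);
        CREATE TABLE journal (acct TEXT REFERENCES accounts(acct), amount REAL);
        INSERT INTO accounts VALUES ('A', 100.0), ('B', 0.0);
    """)
    return conn

def post_transfer(conn, postings, atomic=True):
    """Apply (acct, amount) postings to both tables. atomic=True runs the batch
    as one transaction, so a failure rolls back rows already written."""
    def apply():
        for acct, amt in postings:
            conn.execute("UPDATE accounts SET balance = balance + ? WHERE acct = ?", (amt, acct))
            conn.execute("INSERT INTO journal VALUES (?, ?)", (acct, amt))  # FK fails for unknown acct
    try:
        if atomic:
            with conn:                   # commit on success, rollback on exception
                apply()
        else:
            conn.isolation_level = None  # autocommit: each statement stands alone
            apply()
        return True
    except sqlite3.IntegrityError:
        return False

def reconcile(conn, opening_total):
    """Processing/output control: a transfer moves money but creates none, so
    the balances must still sum to the opening total and the journal to zero."""
    bal = conn.execute("SELECT SUM(balance) FROM accounts").fetchone()[0]
    jnl = conn.execute("SELECT COALESCE(SUM(amount), 0) FROM journal").fetchone()[0]
    return abs(bal - opening_total) < 1e-9 and abs(jnl) < 1e-9

GOOD = [("A", -40.0), ("B", 40.0)]   # constructed: balanced transfer
BAD = [("A", -40.0), ("C", 40.0)]    # constructed: second leg hits a non-existent account
```

With `atomic=False` the first leg of the bad transfer is committed and the second is lost, and only the reconciliation reveals it; with the transaction in place the failed batch leaves the ledger untouched.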
Input and access controls
Input control
Control | Tests
Limit checks on financial values | Conduct sample tests
Format and required field checks | Observe attempts to input incorrect data
Sequence check | Determine who can override controls
Validations | Determine who can change edits and tolerance levels
Processing control
Control | Tests
Calculations conducted on one or more inputs and stored data elements produce further data elements | Calculate input values and output values for all scenarios by walkthrough and re-performance
Output Control
• Outputs can be in physical forms like printouts
or in digital forms.
• The basic task of output control is to filter the
output so that users see only what they are permitted to see
• Output on a “need to know” basis
• Controls over the printing of sensitive reports and their
distribution
• Files with digital signatures
• Audit trails
Operating System Controls
• Adherence to licensing requirements
(originality, media, number of licences)
• Version maintenance
• Application of patches
• Network security (remote logins)
• User account maintenance
• Logical access controls (list of directories and their
read/write/execute permissions)
• Maintenance of sensitive user accounts
