GS 497 CH 3 The IT Audit Process
Conclusions and Recommendations
Conclusions are auditor opinions, based on documented evidence, that determine whether an audit subject area meets the audit objective. All conclusions must be based on factual data obtained and documented by the auditor as a result of audit activity. The degree to which the conclusions are supported by the evidence is a function of the amount of evidence secured by the auditor. Conclusions are documented in the audit working papers and should support the audit procedures performed.
A complete, well-organized, cross-referenced, and legible set of working papers is essential to support the findings, conclusions, and recommendations as stated in the Audit Report. Typically, a copy of the final Audit Report is filed in the working papers.
Other Types of IT Audits : Business Continuity Planning/Disaster Recovery Planning
According to the SysAdmin, Audit, Network, Security (SANS) Institute, a business continuity (or resiliency) plan (BCP) incorporates activities and procedures to recover all business operations (not just IT) from interruptions or adverse events.
A disaster recovery plan (DRP) incorporates a set of procedures to recover and protect the organization's IT infrastructure in the event of an emergency or disaster. DRP audits help ensure that the IT infrastructure and all related equipment used to develop, test, operate, monitor, manage, and/or support IT services (e.g., hardware, software, networks, data centers, etc.) are adequately maintained and protected to ensure their continued availability consistent with organizational objectives. A DRP audit considers factors such as alternate site designation, training of personnel, and insurance issues, among others. Both plans should be formally documented and kept updated within the organization. A BCP audit evaluates how an organization's continuity processes are being managed. This type of audit defines the risks or threats to the success of the plan, and assesses the controls in place to determine whether those risks or threats are acceptable and in line with the organization's objectives. This audit also quantifies the impact of weaknesses in the plan and offers recommendations for business continuity plan improvements.
Other Types of IT Audits : Information Processing Facilities
An audit of the information processing facility ensures timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions.
The benefit of a standard framework for IT controls, such as COBIT, is that it allows management to benchmark its environment and compare it to other organizations. IT auditors can also use COBIT to substantiate their internal control assessments and opinions. Because the framework is comprehensive, it provides assurances that IT security and controls exist.
Methods applied in gathering these data include reviewing computer information systems and human interface practices, procedures, documents, narratives, flowcharts, and record layouts. Other audit procedures implemented to gather data include observing, interviewing, inspecting existing documentation, and flowcharting, among others. Physical inspection techniques are used both to gather data and to validate existing documents or representations made during the interviews. For example, a single visit to the computer/data center can provide both data gathering and validation opportunities for determining equipment configurations, library procedures, operating procedures, physical security controls, existing environmental controls, and other data control procedures. Appendix 2 shows an example of the types of questions and information that should be documented when gathering an understanding of an IT environment.
In today's environment, it is difficult to keep pace with organization and regulatory changes to provide timely information on internal controls. Change increases the audit universe, the number of business partners (i.e., vendors), and the number of projects where an objective and independent perspective is needed.
COBIT 5's framework is valuable for organizations of all sizes and types, including commercial, not-for-profit, or public sector. The comprehensive framework provides a set of control objectives that not only helps IT management and governance professionals manage their IT operations, but also helps IT auditors in their quest to examine those objectives.
During the audit planning phase, the IT audit manager should meet with the chief information officer (CIO) and senior members of IT management to gain their input and concurrence with the risk assessment of the IT processes in the audit universe. If there is an IT steering committee, the audit universe should be reviewed with it as well. This will help ensure alignment between IT, business, and audit on the key risk areas.
An audit universe includes
• the basic functional audit area,
• organization objectives,
• key business processes that support those organization objectives,
• specific audit objectives,
• risks of not achieving those objectives, and
• controls that mitigate the risks.
At a minimum, an IT audit plan, after gathering a comprehensive understanding of the audit universe and the risks associated with each universe item, should:
1. List the audit objectives and describe the context
2. Develop the audit schedule
3. Create the audit budget and define scope
4. List audit team members, describe audit tasks, determine deadlines
Phases of an Audit (Audit Phases / AP)
1. Risk Assessment
2. Audit Plan
3. Preliminary Review
4. Design Audit Procedures
5. Test Controls
6. Substantive Testing
7. Document Results
8. Communication (External)
NIST recommends that for a risk assessment, organizations follow these steps:
1. Have a process in place to identify or characterize assets (e.g., financial applications, etc.).
2. Define vulnerabilities on those assets and the threat-sources that can trigger them.
3. Determine the likelihood or probability levels (e.g., very high, high, medium, etc.) that vulnerabilities may be exercised. For example, probabilities of very high = 1.00, high = 0.75, medium = 0.50, low = 0.25, and very low = 0.10 may be assigned for each vulnerability based on the organization's estimate of its likelihood level.
4. Assign a magnitude of impact to determine how sensitive the asset may be against successfully exercised threats. Magnitudes of impact and impact level values are typically assigned by management for every successful threat that may exercise a vulnerability.
5. Associate assets with corresponding IT and/or business risks.
6. Compute the risk rating by multiplying the probability assigned in Step 3 above (e.g., 1.00, 0.75, etc.) by the impact level value assigned in Step 4. The auditor must be able to explain how the rating was achieved and whether it makes sense. The numbers are relative to each other; there is no one correct scale. The rating is the product of the likelihood and the impact.
7. Recommend the controls that are needed to mitigate the risks according to their priority or ranking. Activity (how to mitigate the risk).
Working papers are the formal collection of pertinent writings, documents, flowcharts, correspondence, results of observations, plans and results of tests, the audit plan, minutes of meetings, computerized records, data files or application results, and evaluations that document the auditor activity for the entire audit period.
LEARNING OBJECTIVES
1. Describe what an audit universe is, and illustrate with an example.
2. Define Control Objectives for Information and Related Technology and explain why they are useful for organizations and auditors.
3. Explain what a risk assessment is and its significance to the audit function. Illustrate an example of a risk assessment following the National Institute of Standards and Technology methodology.
4. Describe an audit plan and its components. Illustrate examples of IT audit documentation supporting a financial statement audit.
5. Define the audit process and describe the phases of an IT audit engagement.
6. Discuss other types of audits conducted in IT.
Other Types of IT Audits : Systems Development
An IT audit related to systems development would make certain that applications and systems under development meet the objectives of the organization, satisfy user requirements, and provide efficient, accurate, and cost-effective applications and systems. This type of audit ensures that applications and systems are written, tested, and installed in accordance with generally accepted standards for systems development.
IT risks surrounding financial applications can be identified through:
◾ Audits, reviews, inspections
◾ Reading flowcharts of operations
◾ Using risk analysis questionnaires (not interactive, not as helpful)
◾ Analyzing financial statement trends (year-over-year comparisons)
◾ Completing insurance policy checklists
Absolute security from threats and risks in today's technology environments is unrealistic. Risk assessments, according to the National Institute of Standards and Technology (NIST) Special Publication 800-30, are used to assist organizations in determining the extent of potential threats and the risks associated with IT systems and applications.
4 of 8 : Audit Process : Design Audit Procedures
In this phase, the IT auditor must prepare an audit program for the areas being audited, select control objectives applicable to each area, and identify procedures or activities to assess such objectives. An audit program differs from an internal control questionnaire (ICQ) in that an ICQ involves questions to evaluate the design of the internal control system. In particular, ICQs check whether controls are implemented to detect, prevent, or correct a material misstatement. Controls not in place would represent a deviation or deficiency in the internal control structure.
• Prepare Audit Program for evaluating the audit areas (e.g., financial applications, etc.) identified during fact gathering
• Select Audit Techniques applicable to the area
• Prepare test instructions and procedures
Note: if the design is ineffective, the control fails.
An audit program, on the other hand, contains specific procedures to test the responses received from the questions asked, thus substantiating that the controls identified are in place and work as expected by management. An audit program is a formal plan for reviewing and testing each significant audit subject area disclosed during fact gathering. The auditor should select subject areas for testing that have a significant impact on the control of the application and those that are within the scope defined by the audit objectives.
2 of 4 : IT audit plan : Audit Schedule
Internal auditing departments create annual audit schedules to gain agreement from the board on audit areas, communicate audit areas with the functional departments, and create a project / resource plan for the year. The audit schedule should be linked to current business objectives and risks based on their relative cost in terms of potential loss of goodwill, loss of revenue, or noncompliance with laws and regulations.
• To gain BoD agreement on audit areas
• To communicate audit areas to departments
• To create a project/resource plan for the year
• To determine the total audit hours available and assign universe items to fill the available time
Annual schedule creation is the process of determining the total audit hours available, then assigning universe items (audit areas) to fill the available time. As mentioned previously, to maximize the risk assessment process, "high risk" universe items should be given top audit priority. Planning and scheduling are ongoing tasks as risks, priorities, available resources, and timelines change. When these changes take place, it is important to communicate them to the audit committee, board, and all other impacted functional departments.
It is important to track corrective action to verify that findings have been remediated. This requires a formal process to track corrective actions, target dates, and status for reporting to IT management, the audit committee, and the board.
At the close of the audit, a draft Audit Report is issued for review by all impacted parties. The review process will go much faster if findings have already been agreed with management during the testing and conclusion phase. After the Audit Report has been finalized, it is a good practice to schedule an exit meeting involving both the IT and financial sides. Typically, invitations to the exit meeting are sent to the CIO and the Chief Financial Officer (CFO) (or Controller if the CFO is not available) to discuss the audit, as well as to review the audit objectives and ask for feedback on the performance of the audit team. This meeting will provide valuable insight into the performance of the audit staff and lessons learned for improving future engagements.
It is up to the organization to determine how to deal with the risks they have identified: take a chance and live with them or take action to protect their assets.
At the same time, they must consider the costs associated with implementing controls, their impact on users, the manpower required to implement and manage them, and the scope of the action. Exhibit 3.3 (page 65) shows an example of an IT risk assessment performed to identify and prioritize risks within financial applications. (sample attached)
Anatomy of an accounting firm - Part 1
Big 4 Firms (Top 100 companies use these)
• KPMG
• Ernst & Young
• Deloitte
• PricewaterhouseCoopers
Upper Mid Market
• BDO
• RSM
• Grant Thornton (GT)
• Crowe
Generally part of an international alliance.
Lower Mid Market (regional)
• Weaver
• Whitley Penn
• Calvetti Ferguson (Prime Global)
Boutique / Sole Proprietor
• Virtual
• One office
• Highly specialized
4 of 4 : IT audit plan : Audit Team, Tasks, and Deadlines
The audit plan must include a section listing the members of the audit team, their titles and positions, and the general tasks they will have. For instance, a typical audit involves staff members, seniors, managers or senior managers, and a partner, principal, or director (PPD) who will be overseeing the entire audit. At the staff level (usually those auditors with less than 3 years of experience), most of the field work is performed, including gathering documentation, meeting with personnel, and creating audit work papers, among others. Senior-level auditors not only supervise the work of staff auditors, but guide them in performing the work (e.g., accompany staff auditors to meet with users, assist the staff in selecting what specific information should be gathered, how to document such information in the working papers, etc.). Lastly, the PPD performs a high-level review of the work (as provided by managers), focusing on high-risk areas, controls in place that are not adequately designed or operating effectively, findings identified and their impact on the overall audit, etc. PPDs tend to rely on the detailed reviews performed by managers or senior managers, and also ensure the overall objectives of the audit have been achieved.
Deadlines are a critical component of an audit plan. They should be reviewed and agreed with the client organization from the start of the audit so that they comply with requirements established by third parties (e.g., banks, financial institutions, etc.) and regulators (e.g., government, private organizations, etc.). Deadlines should be well thought out, taking into account the information and resources that must be available to perform the audit work within the established requirements. An audit planning memo ("planning memo") is part of the auditor working papers and documents the sections just described. The planning memo is typically prepared by the audit engagement senior, and reviewed by the manager before submitting it to the PPD for approval. Appendix 1 shows the format of a typical IT planning memo, including the procedures which may be performed by an IT auditor in connection with an audit engagement. The planning memo may be tailored for the specific facts and circumstances of the audit engagement.
• Should be reviewed and agreed with the client from the start of the audit. Must comply with requirements established by third parties, e.g., banks, financial institutions, government, private organizations, etc.
• Covenants (promises) made to the lender
• Stakeholders / Shareholders
5 of 8 : Audit Process : Test Controls
The IT auditor executes several procedures in order to test controls, processes, and apparent exposures. These audit procedures may include examining documentary evidence, as well as performing corroborating interviews, inspections, and personal observations. Documentary evidence may consist of a variety of forms of documentation on the application system under review.
Test controls and processes through:
• Inspections, interviews, corroboration, observations, inquiries
• Evaluate controls, strengths, weaknesses
• Document test results and identify potential exposures (i.e., ineffective controls)
Example: Logical Security Settings Test
Examples include notes from meetings on the subject system, programmer notes, systems documentation, screenshots, user manuals, change control documentation from any system or operation changes since inception, and a copy of the contract if third parties are involved. Corroborating interviews are also part of the testing process, and may include procedures such as:
◾ Asking different personnel the same question and comparing their answers
◾ Asking the same question in different ways at different times
◾ Comparing answers to supporting documentation, work papers, programs, tests, or other verifiable results
◾ Comparing answers to observations and actual system results
Weak -> Strong: Inquiry/Interview -> Corroboration -> Inspection/Observation
Risk rating makes a big difference in organizing failed findings.
Tying the audit universe to organizational objectives links the entire audit process to business objectives and risks, making it easier to communicate the impact of control deficiencies.
Exhibit 3.1 shows an example of an audit universe related to the IT area of an organization. The audit universe is also an essential building block to a properly risk-based internal audit process. Some terms are known by other names:
• IT Audit Objective : Control Objective
• IT Mitigating Control : Control Activity
• Access Control Management : Logical Access
• Management of Data Center, Network, and Support : Operations
3 of 4 : IT audit plan : Audit Budget and Scoping The scope should further state the general control areas, control objectives, and control activities that would undergo review. (continued)
Exhibit 3.5a, b shows examples of scoping for applications and control objectives, respectively, in an IT audit.
IT Mitigating Control
How the IT risk will be managed
• Can be detective
• Can be manual
Exhibit 3.10 Summary of the audit process.
I. Risk Assessment
II. Audit Plan
III. Audit Procedures
IV. Results and Communication
7 of 8 : Audit Process : Communication The value of an audit depends, in large part, on how efficiently and effectively its results are communicated. At the conclusion of audit tests, it is best to discuss the identified findings with IT management to gain their agreement and begin any necessary corrective action. Findings, risks as a result of those findings, and audit recommendations are usually documented on the Management Letter (in a separate section of the Audit Report). Refer to Exhibit 3.9 for an example of the format of a Management Letter from an IT audit.
On receipt of the Management Letter, IT management and affected staff should review the document immediately. Those items not already completed should be handled and followed-up. Within a relatively short time, the fact that all discrepancies have been corrected should be transmitted to the audit staff in a formal manner. These actions are noted in the audit files, and such cooperation reflects favorably in future audits.
The next step in the planning process is to perform a risk assessment for each universe item from Exhibit 3.1. The risk assessment will analyze exposures and help prioritize "high risk" audit projects. Design the audit approach around where the risks lie. Risk areas are prioritized based on objective and subjective evaluation.
Risk Assessment
Risk assessments are considered the foundation of the audit function as they assist in developing the process for planning individual audits. Specifically, risk assessments:
◾ improve the quality, quantity, and accessibility of planning data, such as risk areas, past audits and results, and budget information;
◾ examine potential audit projects in the audit universe and choose those that have the greatest risk exposure to be performed first; and
◾ provide a framework for allocating audit resources to achieve maximum benefits.
The auditing function is cyclical in that it uses historical and current information for risk assessment, evaluates controls, communicates results, and incorporates those results back into the risk assessment.
RCM or RACM
Risk Control Matrix / Risk and Control Matrix. A one-to-many relationship: it lists the control objectives and the control activities by which those objectives will be met, i.e., the things that will actually be looked at.
Anatomy of an accounting firm - Part 2
Partner / Principal
• Owners; generally a partner has a CPA (voted in, not promoted in; requires investment/equity from Senior Managers)
• Trying to build the business and relationships
• Sign off on projects
Directors
• Back office management (CEO / IT / HR)
• Cannot be partners / principals
• Not on the partner track
Middle Management
• Senior Managers: highest level management rank; business development; client relationships
• Managers: operation of the team; daily relationships with clients; training
Staffing
• Senior Associate / Senior Staff: "In Charge"; majority of the audit; training; keep the audit on schedule
• Staff/Associate: majority of the audit; learning / studying for license certification
• Interns: learning
Transitions from Staffing and from Middle Management to the next levels can be difficult. You are usually doing the role without the title, and clients may mistake you for a manager. Transitions are difficult in part for technical reasons and in part because of whether they see you as a partner.
6 of 8 : Audit Process : Substantive Testing
Where controls are determined not to be effective, substantive testing may be required to determine whether there is a material issue with the resulting financial information. In an IT audit, substantive testing is used to determine the accuracy and completeness of information being generated by a process or application. This is in contrast to compliance testing, where the auditor's goal is to confirm whether the organization is adhering to applicable policies, procedures, rules, and regulations. An example of a compliance test procedure would be verifying that a change or upgrade in a financial application was adequately tested, approved, and documented prior to its implementation.
Substantive audit tests are designed and conducted to verify the functional accuracy, efficiency, and control of the audit subject. During the audit of a financial application, for example, the IT auditor would build and process test data to verify the processing steps of such an application. Auditing-through-the-computer is a term that involves steps in addition to those mentioned previously. Programs are executed on the computer to test and authenticate application programs that are run in normal processing. Usually, the financial audit team will select one of the many Generalized Audit Software packages such as SAS, SPSS, Computer-Assisted Audit Techniques (CAATs), or CA-Easytrieve and determine what changes are necessary to run the software at the installation.
General Information about IT Environment As previously discussed, IT is defined as the hardware, software, communication, and other facilities used to input, store, process, transmit, and output data in whatever form. The IT environment refers to the policies, procedures, and practices implemented by organizations to program, test, deliver, monitor, control, and support their IT infrastructure (e.g., hardware, software, networks, etc.). The IT environment also includes the applications and programs used by organizations to support critical business operations (i.e., financial operations) and achieve business strategies.
The IT auditor begins the examination process by becoming acquainted, generally, with the company, its line of business, and the IT environment, including its financial application systems. Typically, an IT auditor would tour the client company's facilities and observe general business operations that bear upon customer service as well as on strictly financial functions. Given this familiarity, the next level of general data gathering would include the preparation of organizational charts, particularly those for the accounting and IT functions. If organizational charts are unavailable, the IT auditor should develop them. Once drawn, the charts should be reviewed and verified with appropriate personnel (i.e., key executives in the accounting and IT areas) to secure an agreement that they represent the actual organization structure. During these interviews, the IT auditor would also secure copies of the company's chart of accounts and an accounting standards manual, if available.
Identifying Financial Applications
With the help of management, the IT auditor must decide what application systems will have to be examined at a more detailed level (i.e., scoping).
The identification of financial applications can be accomplished by the auditor gaining familiarity with the organization's accounting procedures and processes. The importance of determining the significant financial applications has to be derived through preliminary analysis. The sophistication of the application, its complexity, the business process it supports, and the extent of its use are factors that come into play in deciding whether to select such an application and how one might evaluate it.
1 of 4 : IT audit plan : Objectives and Context
The objective and context of the work are key elements in any audit environment and should not be overlooked. They are simply the basis by which all audits should be approached. The context is where the auditor's true analytical skills come into play. Here, the environment is for the most part always different from shop to shop. The auditor must assess the context which he or she has entered and make a decision as to how the environment should be addressed (e.g., big company, small company, large staff, small staff, etc.).
• Support the financial audit
• Compliance with internal policies, regulatory, legal
• Operational assurance
The objective is what is trying to be accomplished. The context is the environment in which the work will be performed. Thus, everything ultimately depends on both the objective and the context of the work to be performed. That is, the decisions made about the scope, nature, and timing of the audit work depend on what the auditor is trying to do (e.g., gain assurance of an Accounts Receivable balance, ensure that a newly implemented financial application will work correctly, assess whether a client Website is secure, etc.) and the environment he/she is working in (e.g., a large versus a small company, a domestic organization with a centralized system versus a multinational with multiple divisions, a New York-based organization versus one based in North Dakota, etc.).
Context - the environment where the work is performed: a centralized common system or decentralized. Where does everything "live" that we want to audit?
Audit Plan
The audit function should formulate both long-range and annual plans. Planning is a basic function necessary to describe what must be accomplished, include budgets of time and costs, and state priorities according to organizational goals and policies. The intent of the audit plan is to provide an overall approach within which audit engagements can be conducted. It provides the guidance for auditing the organization's integral processes.
1. List Audit Objective and Describe Context
2. Develop Audit Schedule
3. Create Audit Budget and Define Scope
4. List Audit Team Members, Describe Tasks, Determine Deadlines
The objective of audit planning is to optimize the use of audit resources. To effectively allocate audit resources, internal audit departments must obtain a comprehensive understanding of the audit universe and the risks associated with each universe item. Failure to select appropriate items can result in missed opportunities to enhance controls and operational efficiencies. Internal audit departments that develop and maintain audit universe files provide themselves with a solid framework for audit planning.
Audit Process
Statement on Auditing Standards (SAS No. 1) has the effect of mandating a uniform, process-oriented approach to audit engagements. That is, audits follow a series of logical, orderly steps, each designed to accomplish specific end results. This is also the case for an IT audit. The difference in an IT audit is the specialized approach to the audit work and the skills needed to understand technology and the IT control environment.
The phases of auditing activities typically overlap and involve some reassessment and retracing of procedures performed earlier. Common phases of an audit engagement are shown in Exhibit 3.6.
3 of 8 : Audit Process : Preliminary Review
In this phase, the auditor should obtain and review summary-level information and evaluate it in relation to the audit objectives.
• Nature of the business (industry trends)
• Financial history
• Applications / systems involved
• Current policies, procedures
• Past audit reports
How:
• Interviews
• Inspection of documentation
The purpose of the preliminary review phase of an IT audit engagement is to gather an understanding of the IT environment, including the controls in place that are essential to meet the overall audit objectives. The IT auditor conducts this preliminary review at a general level, without examining details of individual applications and the processes involved. Instead, the IT auditor interviews key personnel to determine policies and practices, and prepares supplemental audit information as required. Ensure policies and procedures exist and are in place (this process is commonly referred to as "walkthroughs").
Testing Design
• TOD : Test of Design
• TOE : Test of Effectiveness
Appendix 2: for each application that has modification/customization.
Review of service organization (outsourced functions).
3 of 4 : IT audit plan : Audit Budget and Scoping
Ideally, the audit budget should be created after the audit schedule is determined. However, most organizations have budget and resource constraints. An alternative approach may be necessary when building the audit schedule. After determining the audit priorities, audit management will determine the number of available hours to decide how many audits they can complete in a year.
Budget
• Determines the number of available hours to decide how many audits can be completed in a year
Scope
• Defines areas, systems, applications, time period, controls to test, etc.
The scope of an audit defines the area(s) (e.g., relevant financial applications, databases, operating systems, networks, etc.) to be reviewed. The names of the financial applications and databases should also be described along with their hosting information (e.g., server location, etc.). The scope should clearly identify the critical business process supported by the selected financial application. This association typically justifies the relevance of the application and, hence, its inclusion as part of the audit.
For inspection of documentation, the IT auditor can obtain the logical settings (i.e., password settings) currently configured at the organization's network, operating system, and financial application levels. Of particular importance is to obtain and assess the network's configured logical settings, as this is the first level of authentication before users can gain access to the financial applications.
• Minimum password age : 1 (so that folks don't reset their password over and over to get back to a point where they can reuse their original password).
The settings obtained are then compared against the organization's password policy to determine whether or not they comply with it. In the absence of a password policy, the configured logical settings are compared against industry standards or best practices. Documentation supporting the above settings is usually first obtained by interviewing information security personnel. Another common audit procedure to test and validate information is to observe the actual procedures taking place. In the example above, the IT auditor would observe the settings configured in the financial application and request that organization personnel print a screenshot for documentation in the audit working papers. Exhibit 3.7a shows an example of common documentation obtained to support the password settings configured.
An audit finding form (e.g., General Computer Controls Findings Form, etc.) can be used to review the control issues identified with the responsible IT manager in order to agree on corrective action.
This information can then be used to prepare the formal Management Letter that will accompany the Audit Report and the corrective action follow-ups. Taking corrective action could result in enhanced productivity; the deterrence of fraud; or the prevention of monetary loss, personal injury, or environmental damage. Exhibit 3.8 shows an example of a worksheet that may be used to summarize the individual findings identified during an IT audit.
When settings do not comply with the policy, industry standards, or best practices, audit exceptions (findings) are written up and listed in a separate working paper. For ineffective controls:
• Determine the severity (impact) and whether they should be re-examined.
○ What does failure of the control mean?
○ Are there compensating controls?
• Identify and test "mitigating" or "compensating" controls to determine whether the audit objective(s) have still been achieved.
Three types:
• Exceptions
• Deficiencies
○ Significant deficiency
○ Material weakness
• Ineffective
This working paper will eventually assist when writing up the findings/ deficiency section of the Management Letter.
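As an added example (not part of the course notes), the comparison described above can be scripted: the logical settings obtained from each level (network, operating system, application) are checked against the password policy, and every setting that fails, or that could not be obtained at all, becomes an exception on the working paper. The policy thresholds, the setting names and the two sample configurations are constructed for illustration and are not taken from any real policy or system.

```python
"""Added example (not from the course notes): compare the logical access
settings obtained from a system against the organization's password policy
and write up each non-compliant setting as an audit exception for the
separate exceptions working paper.

The policy thresholds, the setting names and the sample configurations
below are constructed for illustration and are not from any real policy."""

from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class PolicyRule:
    setting: str                          # name of the logical setting
    requirement: str                      # human-readable policy requirement
    is_compliant: Callable[[int], bool]   # predicate over the configured value


# Constructed password policy (assumed thresholds, not a real standard).
PASSWORD_POLICY: List[PolicyRule] = [
    PolicyRule("minimum_length", ">= 12 characters", lambda v: v >= 12),
    PolicyRule("maximum_age_days", "1-90 days (0 = never expires)", lambda v: 1 <= v <= 90),
    # A minimum age of at least 1 day stops a user from cycling through the
    # whole history list in one sitting to get back to the old password.
    PolicyRule("minimum_age_days", ">= 1 day", lambda v: v >= 1),
    PolicyRule("history_count", ">= 12 passwords remembered", lambda v: v >= 12),
    PolicyRule("lockout_threshold", "1-5 invalid attempts (0 = no lockout)", lambda v: 1 <= v <= 5),
    PolicyRule("complexity_enabled", "enabled (1)", lambda v: v == 1),
]


@dataclass(frozen=True)
class AuditException:
    environment: str            # network, OS or application level evaluated
    setting: str
    configured: Optional[int]   # None when the setting could not be obtained
    requirement: str


def evaluate_settings(environment: str, configured: Dict[str, int],
                      policy: List[PolicyRule] = PASSWORD_POLICY) -> List[AuditException]:
    """Return one AuditException per policy rule that the configured
    settings fail, including settings that were not obtained at all."""
    exceptions: List[AuditException] = []
    for rule in policy:
        if rule.setting not in configured:
            exceptions.append(AuditException(environment, rule.setting, None,
                                             rule.requirement + " (setting not obtained)"))
        elif not rule.is_compliant(configured[rule.setting]):
            exceptions.append(AuditException(environment, rule.setting,
                                             configured[rule.setting], rule.requirement))
    return exceptions


def working_paper(exceptions: List[AuditException]) -> str:
    """Format the exceptions as a plain-text working paper listing."""
    lines = ["Ref  Environment      Setting              Configured  Policy requirement"]
    for i, e in enumerate(exceptions, start=1):
        value = "n/a" if e.configured is None else str(e.configured)
        lines.append(f"{i:<4} {e.environment:<16} {e.setting:<20} {value:<11} {e.requirement}")
    return "\n".join(lines)


# Constructed sample: the network-level (domain) account policy as read from
# a screenshot, and the financial application's own settings, where the
# application exposes no complexity option at all.
NETWORK_SETTINGS = {"minimum_length": 8, "maximum_age_days": 0, "minimum_age_days": 0,
                    "history_count": 24, "lockout_threshold": 0, "complexity_enabled": 1}
APPLICATION_SETTINGS = {"minimum_length": 12, "maximum_age_days": 90, "minimum_age_days": 1,
                        "history_count": 12, "lockout_threshold": 5}

if __name__ == "__main__":
    findings = (evaluate_settings("Network (AD)", NETWORK_SETTINGS)
                + evaluate_settings("Financial app", APPLICATION_SETTINGS))
    print(working_paper(findings))
```

Each exception carries the environment it was found in, the configured value and the requirement it fails, which is exactly what the finding form and Management Letter later need; a setting the auditee could not produce is written up too rather than silently passed.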
An IT audit plan partitions the audit into discrete segments that describe application systems as a series of manageable audit engagements and steps. At the detailed planning or engagement level, these segments will have objectives that are custom-tailored to implement organizational goals and objectives within the circumstances of the audit.
Thus, IT auditing does not call for "canned" approaches. There is no single series of detailed steps that can be outlined once and then repeated in every audit.
IT Audits Conducted to Support Financial Statement Audits For applications used to support significant business processes, the auditor must determine their sophistication and extent of use. This preliminary study goes just deep enough for the auditor to evaluate the complexity and sophistication of the applications and determine the procedures to be followed in evaluating their internal controls.
Understanding financial applications and determining whether IT controls are in place to effectively secure them and the information generated represent a significant process as it relates to the overall financial statement audit. Results of an IT audit over financial applications have direct bearing on the substantive testing performed by financial auditors.
Other Types of IT Audits : Enterprise Architecture IT management must develop organizational procedures to ensure a controlled and efficient architecture for information processing. These procedures should also specify the computers and peripheral equipment required to support all functions in an economic and timely manner.
With enterprise systems being very critical to medium-size and large businesses today, the need to monitor and validate operational integrity of an enterprise resource planning system is an important process. IT audit plays an important role in maintaining, validating, and monitoring the enterprise architecture.
COBIT (Control Objectives for Information and related Technology) COBIT 5, which can be downloaded from www.isaca.org, helps organizations create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use. COBIT is an authoritative, international set of generally accepted IT practices or control objectives that help employees, managers, executives, and auditors in understanding IT systems, discharging fiduciary responsibilities, and deciding on adequate levels of security and controls. COBIT supports the need to research, develop, publicize, and promote up-to-date, internationally accepted IT control objectives.
Audit Universe One of the best practices for an audit function is to have an audit universe. The audit universe is an inventory of all the potential audit areas within an organization. Basic functional audit areas within an organization include sales, marketing, customer service, operations, research and development, finance, human resources, information technology, and legal.
CAATs (computer-assisted audit techniques), for example, use auditor-supplied specifications to generate a program that performs audit functions, such as evaluating application controls, selecting and analyzing computerized data for substantive audit tests, etc. In essence, CAATs automate and simplify the audit process, which is why audit teams (external and internal) are increasingly using them. In fact, many organizations already have generalized audit software installed for their internal auditors, allowing them to gather information and conduct the planned audit tests. The appropriate selection and effective use of these audit tools are essential not only to perform adequate audit testing but also to document the results.
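The following is an added example of a CAAT written in plain Python; it is not from the course notes and not from any commercial generalized audit software. It takes an extract of an application change log and tests the whole population for changes that lack proper management authorization, the kind of finding described later in these notes (a change implemented without management authorization). The column layout and the records are constructed for illustration.

```python
"""Added example (not from the course notes and not from any commercial
generalized audit software): a small computer-assisted audit technique in
plain Python. It reads an extract of an application change log and flags
changes that lack proper management authorization. The column layout and
the records are constructed for illustration."""

import csv
import io
from collections import Counter
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed extract of a change-management log (not real data).
SAMPLE_CHANGE_LOG = """\
change_id,application,implemented_by,implemented_on,approved_by,approved_on
CHG-1001,GL,alice,2024-03-04,bob,2024-03-01
CHG-1002,GL,alice,2024-03-06,,
CHG-1003,AP,carol,2024-03-10,carol,2024-03-09
CHG-1004,AR,dave,2024-03-12,erin,2024-03-14
CHG-1005,AP,dave,2024-03-15,bob,2024-03-15
"""

ChangeException = Tuple[str, str, str]   # (change_id, application, description)


def parse_change_log(text: str) -> List[Dict[str, str]]:
    """Load the CSV extract into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def _as_date(value: str) -> Optional[date]:
    value = value.strip()
    return date.fromisoformat(value) if value else None


def authorization_exceptions(rows: List[Dict[str, str]]) -> List[ChangeException]:
    """Run three authorization tests over every change in the population:
    1. a management approval is documented at all,
    2. the approver is not the person who implemented the change, and
    3. the approval is dated no later than the implementation."""
    exceptions: List[ChangeException] = []
    for row in rows:
        cid, app = row["change_id"], row["application"]
        implementer = row["implemented_by"].strip()
        approver = row["approved_by"].strip()
        implemented_on = _as_date(row["implemented_on"])
        approved_on = _as_date(row["approved_on"])
        if not approver or approved_on is None:
            exceptions.append((cid, app, "no documented management approval"))
            continue
        if approver == implementer:
            exceptions.append((cid, app, "implementer approved own change (segregation of duties)"))
        if implemented_on is not None and approved_on > implemented_on:
            exceptions.append((cid, app, "approval dated after implementation"))
    return exceptions


def summarize(rows: List[Dict[str, str]], exceptions: List[ChangeException]) -> Dict[str, object]:
    """Population size, exception count and exceptions per application:
    the numbers that go into the findings worksheet."""
    return {
        "population": len(rows),
        "exceptions": len(exceptions),
        "by_application": dict(Counter(app for _, app, _ in exceptions)),
    }


if __name__ == "__main__":
    rows = parse_change_log(SAMPLE_CHANGE_LOG)
    found = authorization_exceptions(rows)
    for cid, app, why in found:
        print(f"{cid} [{app}]: {why}")
    print(summarize(rows, found))
```

Because the tests run over the full extract rather than a hand-picked sample, the population and exception counts in the summary can be cited directly in the working papers, and the same script can be re-run against next year's extract during follow-up.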
An audit universe documents the key business processes and risks of an organization. Documenting processes and, particularly, risks has proved to be a best practice for organizations. The IIA's Performance Standard 2010 (Planning) encourages the establishment of risk-based plans to determine the priorities of the internal audit activity.
Identifying, measuring, and quantifying problems in the IT area are difficult. The IT field is technologically complex and has a language of its own. Participants in the formulation of an IT audit plan, and particularly the IT auditors themselves, must have sufficient experience and training in technical matters to be able to grasp key concepts and abstractions about application systems. For example, abstractions about IT might include significant aspects that are susceptible to naming, counting, or conceptualizing. Understanding the systems at this level can lead to the identification of major problem areas. Audit concentration, then, may be directed to the major problem areas most likely to yield significant results.
COBIT provides a comprehensive list of IT processes as a starting point (it can be customized for the audit).
COBIT 5 is based on five principles (see Exhibit 3.2). COBIT 5 considers the IT needs of internal and external stakeholders (Principle 1), while fully covering the organization's governance and management of information and related technology (Principle 2). COBIT 5 provides an integrated framework that aligns and integrates easily with other frameworks (e.g., the Committee of Sponsoring Organizations of the Treadway Commission's Enterprise Risk Management framework (COSO-ERM), etc.), standards, and best practices in use (Principle 3). COBIT 5 enables IT to be governed and managed in a holistic manner for the entire organization (Principle 4) through:
a. Establishing principles, policies, and practical guidance for daily management.
b. Implementing processes to achieve overall IT-related goals and objectives.
c. Putting in place organizational structures with key decision-making capabilities.
d. Promoting good culture, ethics, and behavior in the organization.
e. Recognizing that information is pervasive throughout any organization, and often the key product of the organization itself.
f. Taking into account the infrastructure, technology, and applications that provide the organization with IT processing and services.
g. Recognizing that people, skills, and competencies are required for successful completion of all activities and correct decision making.
Finally, COBIT 5 separates governance from management (Principle 5). Both are described below.
a. Governance—optimizes the use of organizational resources to effectively address risks. Governance ensures that the Board of Directors ("board"): i. evaluates stakeholder needs to identify objectives, ii. guides management by prioritizing objectives, and iii. monitors overall management's performance.
b. Management—plans, builds, runs, and monitors the activities and processes used by the organization to pursue the objectives established by the board.
Maintaining the audit universe is an ongoing process: as an organization changes, new risks arise or existing risks change, and new regulations are introduced. Organizations can either remove lower-priority audits from the schedule or hire external auditors to supplement internal staff. IT audits, for example, have specific IT processes to include in the audit universe.
Recommendations are formal statements that describe a course of action that should be implemented by the company's management to restore or provide accuracy, efficiency, or adequate control of audit subjects. A recommendation should be provided by the auditor for each audit finding for the report to be useful to management.
Auditors involved in reviewing financial applications should focus their concerns on the application's control aspects. This requires their involvement from the time a transaction is initiated until it is posted to the organization's general ledger. Specifically, auditors must ensure that provisions are made for:
◾ An adequate audit trail, so that transactions can be traced forward and backward through the financial application
◾ The documentation and existence of controls over the accounting for all data (e.g., transactions, etc.) entered into the application, and controls to ensure the integrity of those transactions throughout the computerized segment of the application
◾ Handling exceptions to, and rejections from, the financial application
◾ Unit and integrated testing, with controls in place to determine whether the applications perform as stated
◾ Controls over changes to the application, to determine whether the proper authorization has been given and documented
◾ Authorization procedures for application system overrides, and documentation of those processes
◾ Determining whether organization and government policies and procedures are adhered to in system implementation
◾ Training user personnel in the operation of the financial application
◾ Developing detailed evaluation criteria, so that it is possible to determine whether the implemented application has met predetermined specifications
◾ Adequate controls between interconnected application systems
◾ Adequate security procedures to protect the users' data
◾ Backup and recovery procedures for the operation of the application, and assurance of business continuity
◾ Ensuring technology provided by different vendors (i.e., operational platforms) is compatible and controlled
◾ Adequately designed and controlled databases, to ensure that common definitions of data are used throughout the organization, redundancy is eliminated or controlled, and data existing in multiple databases is updated concurrently
7 of 8 : Audit Process : Document Results The terms finding, exception, deficiency, deviation, problem, and issue are basically synonymous in the audit world, and mean the auditor identified a situation where controls, procedures, or efficiencies can be improved. Findings identify and describe inaccurate, inefficient, or inadequately controlled audit subjects. An example of an IT audit finding would be a change implemented into a financial application that did not include proper management authorization. Another example would be the IT auditor discovering that the organization's procedures manual does not require management's permission before implementing changes into applications. Audit findings should be individually documented and should at least include the following:
◾ Name of the IT environment (operating system hosting the relevant financial application(s)) evaluated
◾ IT area affected (IS operations, information security, change control management)
◾ Working paper test reference where the finding was identified
◾ General control objective(s) and activity(ies) that failed
◾ Brief description of the finding
◾ Where the finding is formally communicated to management (this should reference the Management Letter within the Audit Report)
◾ The classification of the finding per audit standard AU 325, Communications About Control Deficiencies in an Audit of Financial Statements, as either a deficiency, a significant deficiency, or a material weakness*
◾ Evaluation of the finding, specifically whether it was identified at the design level (i.e., there is no general control in place) or at the operational level (i.e., the general control was in place, but did not test effectively)
◾ Whether or not the finding represents a pervasive or entity-level risk
◾ Whether the finding can be mitigated by other compensating general controls, and if so, a reference to where these controls have been tested successfully
◘ Conclusions should reconcile with the work documented in the working papers
◘ Recommendations to management
◘ John's rule : the exit meeting should be a formality. The process owner should be the first to know about issues; no surprises (issues are socialized ahead of time). Bonus: come to the exit meeting with solutions. The Management Letter comes at the end.
IT auditors must gain a deep understanding of the IT environment, particularly how the organization responds to risks arising from IT, and whether the IT controls in place have been adequately designed and operate effectively to address those risks. From a financial standpoint, knowledge of the IT environment is crucial for IT auditors in order to understand how financial transactions are initiated, authorized, recorded, processed, and reported in the financial statements. For application systems in which the organization uses computers to process significant financial data, the IT auditor would gather a number of specific items of evidential matter, such as:
◾ Policies and procedures that the organization implements, and the IT infrastructure and application software that it uses to support business operations and achieve business strategies
◾ Narratives or overview flowcharts of the financial applications, including server names, make and model, supporting operating systems, databases, and physical locations, among others
◾ Whether the financial applications are developed in-house, purchased with little or no customization, purchased with significant customization, or proprietary applications provided by a service organization
◾ Whether service organizations host financial applications and, if so, which applications and which relevant services they perform
◾ Controls in place supporting the area of information systems operations, such as those supporting job scheduling, backups, data restoration, and offsite storage
◾ Controls in place supporting the area of information security, such as those supporting authentication techniques (e.g., passwords), new-access and termination procedures, the use of firewalls and how they are configured, physical security, etc.
◾ Controls in place supporting the area of change control management, such as those supporting the implementation of changes into applications, operating systems, and databases; testing whether the access granted to programmers is appropriate; etc.
Other Types of IT Audits : Computerized Systems and Applications A computerized systems and applications type of audit verifies that the organization's systems and applications (operational and non-financial in nature) are:
◾ appropriate to the users' needs,
◾ efficient, and
◾ adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at current and projected levels of system activity.
An effective risk assessment planning process allows auditing to be more flexible and efficient in meeting the needs of a changing organization, by:
◾ identifying new risk areas
◾ identifying changes in existing risk areas
◾ accessing current regulatory and legal information
◾ taking advantage of information gathered during the audit process to improve the risk assessment
It leverages information gathered during the prior-year audit (prior audit findings): "we reserve the right to get smarter." Audit areas can be evaluated using a weighted scoring mechanism. However, audit management must evaluate the results using their knowledge of the organization's objectives and environment to make sure the priorities reflect reality.
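As an added example (not from the course notes), the weighted scoring mechanism mentioned above, combined with the budget-hours logic from the audit plan section, can be made concrete as follows. The risk factors, their weights, the 1-5 ratings for each audit-universe area and the hour estimates are all constructed for illustration; the ranking is only an input to audit management's judgment, not a replacement for it.

```python
"""Added example (not from the course notes): a weighted risk-scoring
mechanism for ranking audit-universe areas and fitting the top-ranked
audits into the available budget hours. The risk factors, weights,
ratings and hour estimates below are constructed for illustration."""

from typing import Dict, List, Tuple

# Assumed factors and weights; the weights must sum to 1.0.
WEIGHTS: Dict[str, float] = {
    "financial_impact": 0.35,     # significance to the financial statements
    "regulatory": 0.25,           # legal / regulatory exposure
    "change_rate": 0.15,          # how much the area changed this year
    "prior_findings": 0.15,       # severity of prior-year audit findings
    "years_since_audit": 0.10,    # time since last coverage, capped at 5
}

# Constructed audit universe: area -> (ratings 1-5 per factor, estimated hours).
AUDIT_UNIVERSE: Dict[str, Tuple[Dict[str, int], int]] = {
    "General ledger application": ({"financial_impact": 5, "regulatory": 5, "change_rate": 3,
                                    "prior_findings": 4, "years_since_audit": 1}, 250),
    "Payroll application": ({"financial_impact": 4, "regulatory": 4, "change_rate": 2,
                             "prior_findings": 1, "years_since_audit": 3}, 150),
    "Marketing CRM": ({"financial_impact": 2, "regulatory": 2, "change_rate": 4,
                       "prior_findings": 1, "years_since_audit": 5}, 100),
    "Network perimeter": ({"financial_impact": 3, "regulatory": 3, "change_rate": 5,
                           "prior_findings": 5, "years_since_audit": 2}, 200),
}


def risk_score(ratings: Dict[str, int], weights: Dict[str, float] = WEIGHTS) -> float:
    """Weighted sum of 1-5 ratings; raises if a factor is missing or out of range."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1.0")
    score = 0.0
    for factor, weight in weights.items():
        rating = ratings[factor]          # KeyError if a factor was not rated
        if not 1 <= rating <= 5:
            raise ValueError(f"{factor} rating {rating} outside 1-5")
        score += weight * rating
    return round(score, 4)


def rank_areas(universe=AUDIT_UNIVERSE) -> List[Tuple[str, float, int]]:
    """Areas ordered from highest to lowest risk score."""
    ranked = [(name, risk_score(ratings), hours) for name, (ratings, hours) in universe.items()]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


def schedule(available_hours: int, universe=AUDIT_UNIVERSE) -> Dict[str, object]:
    """Take audits in rank order while they fit in the budget; the rest are
    deferred (or become candidates for outsourcing to external auditors)."""
    planned: List[str] = []
    deferred: List[str] = []
    remaining = available_hours
    for name, _score, hours in rank_areas(universe):
        if hours <= remaining:
            planned.append(name)
            remaining -= hours
        else:
            deferred.append(name)
    return {"planned": planned, "deferred": deferred, "unused_hours": remaining}


if __name__ == "__main__":
    for name, score, hours in rank_areas():
        print(f"{score:5.2f}  {hours:4d}h  {name}")
    print(schedule(600))
```

The prior-year findings factor is how the "get smarter" point enters the model: an area that produced serious findings last year is pushed up the list even if nothing else about it changed, while the years-since-audit factor stops low-risk areas from dropping off the schedule forever.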