audit process 2
The Information Systems (IS) Audit Process
Chapter 1
Process Area Tasks
Five Tasks:
1. Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices.
2. Plan specific audits to ensure that IT and business systems are protected and controlled.
3. Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.
4. Communicate emerging issues, potential risks and audit results to key stakeholders.
5. Advise on the implementation of risk management and control practices within the organization while maintaining independence.
Process Area Knowledge Statements
Ten Knowledge Statements:
1. Knowledge of IS Auditing Standards, Guidelines and Procedures and Code of Professional Ethics
2. Knowledge of IS auditing practices and techniques
3. Knowledge of techniques to gather information and preserve evidence
4. Knowledge of the evidence life cycle
5. Knowledge of control objectives and controls related to IS
Process Area Knowledge Statements
Ten Knowledge Statements (Cont’d):
6. Knowledge of risk assessment in an audit context
7. Knowledge of audit planning and management techniques
8. Knowledge of reporting and communication techniques
9. Knowledge of control self-assessment (CSA)
10. Knowledge of continuous audit techniques
Organization of IS Audit Function
• Audit charter (or engagement letter)
• Stating management’s responsibility and objectives for, and delegation of authority to, the IS audit function
• Outlining the overall authority, scope and responsibilities of the audit function
• Approval of the audit charter
• Change in the audit charter
IS Audit Resource Management
• Limited number of IS auditors
• Maintenance of their technical competence
• Assignment of audit staff
Audit Planning
• Audit planning
• Short-term planning
• Long-term planning
• Things to consider
• New control issues
• Changing technologies
• Changing business processes
• Enhanced evaluation techniques
• Individual audit planning
• Understanding of overall environment
• Business practices and functions
• Information systems and technology
Audit Planning
• Audit Planning Steps
• Gain an understanding of the business’s mission, objectives, purpose and processes.
• Identify stated contents (policies, standards, guidelines, procedures, and organization structure)
• Evaluate risk assessment and privacy impact analysis
• Perform a risk analysis.
• Conduct an internal control review.
• Set the audit scope and audit objectives.
• Develop the audit approach or audit strategy.
• Assign personnel resources to audit and address engagement logistics.
Effect of Laws and Regulations
• Regulatory requirements
• Establishment
• Organization
• Responsibilities
• Correlation to financial, operational and IT audit functions
Effect of Laws and Regulations
• Steps to determine compliance with external requirements:
• Identify external requirements
• Document pertinent laws and regulations
• Assess whether management and the IS function have considered the relevant external requirements
• Review internal IS department documents that address adherence to applicable laws
• Determine adherence to established procedures
ISACA IS Auditing Standards and Guidelines
Framework for the ISACA IS Auditing Standards
• Standards
• Guidelines
• Procedures
ISACA IS Auditing Standards and Guidelines
• IS Auditing Standards
1. Audit charter
2. Independence
3. Ethics and Standards
4. Competence
5. Planning
6. Performance of audit work
7. Reporting
8. Follow-up activities
9. Irregularities and illegal acts
10. IT governance
11. Use of risk assessment in audit planning
ISACA IS Auditing Standards and Guidelines
9. Irregularities and Illegal Acts (Cont’d)
• Obtain written representations from management
• Have knowledge of any allegations of irregularities or illegal acts
• Communicate material irregularities/illegal acts
• Consider appropriate action in case of inability to continue performing the audit
• Document irregularity/illegal act related communications, planning, results, evaluations and conclusions
IT Risk Assessment Quadrants
[Figure: Example Risk Level Assignment. Axes: Sensitivity Rating and Vulnerability Assessment Rating, each marked at 0%, 50% and 100%.]
• Quadrant I (High Risk). Suggested Action(s): Mitigate
• Quadrant II (Medium Risk). Suggested Action(s): Accept, Mitigate, Transfer
• Quadrant III (Medium Risk). Suggested Action(s): Accept, Mitigate, Transfer
• Quadrant IV (Low Risk). Suggested Action(s): Accept
ISACA IS Auditing Standards and Guidelines
• ISACA Auditing Procedures
• Procedures developed by the ISACA Standards Board provide examples.
• The IS auditor should apply their own professional judgment to the specific circumstances.
(Index of Procedures)
Internal Control
• Internal Controls
Policies, procedures, practices and organizational structures implemented to reduce risks
Internal Control
• Components of Internal Control System
• Internal accounting controls
• Operational controls
• Administrative controls
Internal Control
• Internal Control Objectives
• Safeguarding of information technology assets
• Compliance with corporate policies or legal requirements
• Authorization/input
• Accuracy and completeness of processing of transactions
• Output
• Reliability of process
• Backup/recovery
• Efficiency and economy of operations
Internal Control
• Classification of Internal Controls
– Preventive controls
– Detective controls
– Corrective controls
Internal Control
IS Control Objectives
Control objectives in an information systems environment remain unchanged from those of a manual environment. However, control features may be different. The internal control objectives thus need to be addressed in a manner specific to IS-related processes.
Internal Control
IS Control Objectives (Cont’d)
• Safeguarding assets
• Assuring the integrity of general operating system environments
• Assuring the integrity of sensitive and critical application system environments through:
– Authorization of the input
– Accuracy and completeness of processing of transactions
– Reliability of overall information processing activities
– Accuracy, completeness and security of the output
– Database integrity
Internal Control
IS Control Objectives (Cont’d)
• Ensuring the efficiency and effectiveness of operations
• Complying with requirements, policies and procedures, and applicable laws
• Developing business continuity and disaster recovery plans
• Developing an incident response plan
Internal Control
IS Control Objectives (Cont’d)
• COBIT
• A framework with 34 high-level control objectives
– Planning and organization
– Acquisition and implementation
– Delivery and support
– Monitoring and evaluation
• Use of 36 major IT related standards and regulations
Internal Control
General Control Procedures
apply to all areas of an organization and include policies and practices established by management to provide reasonable assurance that specific objectives will be achieved.
Internal Control
General Control Procedures (Cont’d)
• Internal accounting controls directed at accounting operations
• Operational controls concerned with the day-to-day operations
• Administrative controls concerned with operational efficiency and adherence to management policies
• Organizational logical security policies and procedures
• Overall policies for the design and use of documents and records
• Procedures and features to ensure authorized access to assets
• Physical security policies for all data centers
Internal Control
IS Control Procedures
• Strategy and direction
• General organization and management
• Access to data and programs
• Systems development methodologies and change control
• Data processing operations
• Systems programming and technical support functions
• Data processing quality assurance procedures
• Physical access controls
• Business continuity/disaster recovery planning
• Networks and communications
• Database administration
Performing an IS Audit
Definition of Auditing
Systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards.
Performing an IS Audit
Definition of IS Auditing
Any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, related non-automated processes and the interfaces between them.
Performing an IS Audit
• Classification of audits:
• Financial audits
• Operational audits
• Integrated audits
• Administrative audits
• Information systems audits
• Specialized audits
• Forensic audits
Performing an IS Audit
• Audit Programs
• Based on the scope and the objective of the particular assignment
• IS auditor’s perspectives
• Security (confidentiality, integrity and availability)
• Quality (effectiveness, efficiency)
• Fiduciary (compliance, reliability)
• Service and Capacity
Performing an IS Audit
• General audit procedures
• Understanding of the audit area/subject
• Risk assessment and general audit plan
• Detailed audit planning
• Preliminary review of audit area/subject
• Evaluating audit area/subject
• Compliance testing
• Substantive testing
• Reporting (communicating results)
• Follow-up
Performing an IS Audit
• Procedures for testing & evaluating IS controls
• Use of generalized audit software to survey the contents of data files
• Use of specialized software to assess the contents of operating system parameter files
• Flow-charting techniques for documenting automated applications and business processes
• Use of audit reports available in operation systems
• Documentation review
• Observation
Performing an IS Audit
• Audit Methodology
• A set of documented audit procedures designed to achieve planned audit objectives
• Composed of
• Statement of scope
• Statement of audit objectives
• Statement of work programs
• Set up and approved by the audit management
• Communicated to all audit staff
Performing an IS Audit
Typical audit phases
1. Audit subject
Identify the area to be audited
2. Audit objective
Identify the purpose of the audit
3. Audit scope
Identify the specific systems, function or unit of the organization
Performing an IS Audit
Typical audit phases (Cont’d)
4. Pre-audit planning
Identify technical skills and resources needed
Identify the sources of information for test or review
Identify locations or facilities to be audited
Performing an IS Audit
Typical audit phases (Cont’d)
5. Audit procedures and steps for data gathering
Identify and select the audit approach
Identify a list of individuals to interview
Identify and obtain departmental policies, standards and guidelines
Develop audit tools and methodology
Performing an IS Audit
Typical audit phases (Cont’d)
6. Procedures for evaluating test/review result
7. Procedures for communication
8. Audit report preparation
• Identify follow-up review procedures
• Identify procedures to evaluate/test operational efficiency and effectiveness
• Identify procedures to test controls
• Review and evaluate the soundness of documents, policies and procedures.
Performing an IS Audit
• Workpapers (WPs)
What are documented in WPs?
– Audit plans
– Audit programs
– Audit activities
– Audit tests
– Audit findings and incidents
Performing an IS Audit
Typical audit phases Summary
Identify
• the area to be audited
• the purpose of the audit
• the specific systems, function or unit of the organization to be included in the review.
• technical skills and resources needed
• the sources of information for tests or review such as functional flow-charts, policies, standards, procedures and prior audit work papers.
• locations or facilities to be audited.
• select the audit approach to verify and test the controls
• list of individuals to interview
• obtain departmental policies, standards and guidelines for review
Develop
– audit tools and methodology to test and verify control
– procedures for evaluating the test or review results
– procedures for communication with management
Identify
– follow-up review procedures
– procedures to evaluate/test operational efficiency and effectiveness
– procedures to test controls
Review and evaluate the soundness of documents, policies and procedures
Performing an IS Audit
• Workpapers (Cont’d)
• Do not have to be on “paper”
• Must be
• Dated
• Initialized
• Page-numbered
• Relevant
• Complete
• Clear
• Self-contained and properly labeled
• Filed and kept in custody
Performing an IS Audit
• Fraud Detection
• Management’s responsibility
• Benefits of a well-designed internal control system
• Deterring frauds at the first instance
• Detecting frauds in a timely manner
• Fraud detection and disclosure
• Auditor’s role in fraud prevention and detection
Performing an IS Audit
• Audit Risk
• Audit risk is the risk that the information/financial report may contain material error that may go undetected during the audit.
• A risk-based audit approach is used to assess risk and assist with an IS auditor’s decision to perform either compliance or substantive testing.
Performing an IS Audit
– Audit Risks
• Inherent risk
• Control risk
• Detection risk
• Overall audit risk
Performing an IS Audit
• Risk-based Approach Overview
• Gather Information and Plan
• Obtain Understanding of Internal Control
• Perform Compliance Tests
• Perform Substantive Tests
• Conclude the Audit
Performing an IS Audit
• Materiality
An auditing concept regarding the importance of an item of information with regard to its impact or effect on the functioning of the entity being audited
Performing an IS Audit
• Risk Assessment Techniques
• Enables management to effectively allocate limited audit resources
• Ensures that relevant information has been obtained
• Establishes a basis for effectively managing the audit department
• Provides a summary of how the individual audit subject is related to the overall organization and to business plans
Performing an IS Audit
• Audit Objectives - Specific goals of the audit
• Compliance with legal & regulatory requirements
• Confidentiality
• Integrity
• Reliability
• Availability
Performing an IS Audit
• Compliance vs. Substantive Testing
• Compliance test
determines whether controls are in compliance with management policies and procedures
• Substantive test
tests the integrity of actual processing
• Correlation between the level of internal controls and substantive testing required
• Relationship between compliance and substantive tests
Performing an IS Audit
• Evidence
It is a requirement that the auditor’s conclusions must be based on sufficient, competent evidence.
– Independence of the provider of the evidence
– Qualification of the individual providing the information or evidence
– Objectivity of the evidence
– Timing of evidence
Performing an IS Audit
– Techniques for gathering evidence:
Review IS organization structures
Review IS policies and procedures
Review IS standards
Review IS documentation
Interview appropriate personnel
Observe processes and employee performance
Performing an IS Audit
• Interviewing and Observing Personnel
– Actual functions
– Actual processes/procedures
– Security awareness
– Reporting relationships
Performing an IS Audit
• Sampling
• General approaches to audit sampling:
• Statistical sampling
• Non-statistical sampling
• Methods of sampling used by auditors:
• Attribute sampling
• Variable sampling
Performing an IS Audit
• Sampling (Cont’d)
– Attribute sampling
Stop-or-go sampling
Discovery sampling
– Variable sampling
Stratified mean per unit
Unstratified mean per unit
Difference estimation
Performing an IS Audit
• Statistical sampling terms:
– Confidence coefficient
– Level of risk
– Precision
– Expected error rate
– Sample mean
– Sample standard deviation
– Tolerable error rate
– Population standard deviation
Performing an IS Audit
STATISTICAL SAMPLING FORMULAS
ATTRIBUTE SAMPLE
$$S = \frac{C^2 \cdot P \cdot Q}{PRE^2}$$
VARIABLE SAMPLE
$$S = \frac{C^2 \cdot S^2}{PRE^2}$$
Performing an IS Audit
– Key steps in choosing a sample
Determine the objectives of the test
Define the population to be sampled
Determine the sampling method, such as attribute versus variable sampling.
Calculate the sample size
Select the sample
Evaluate the sample from an audit perspective
Performing an IS Audit
• Computer-Assisted Audit Techniques
• CAATs enable IS auditors to gather information independently
• CAATs include:
• Generalized audit software (GAS)
• Utility software
• Test data
• Application software for continuous online audits
• Audit expert systems
Performing an IS Audit
• Computer-Assisted Audit Techniques (Cont’d)
• Need for CAATs
Evidence collection
• Functional capabilities
Functions supported
Areas of concern
Performing an IS Audit
• Computer-Assisted Audit Techniques (Cont’d)
• Examples of CAATs used to collect evidence
• CAATs as a continuous online approach
Performing an IS Audit
• Computer-Assisted Audit Techniques (Cont’d)
• Advantages of CAATs
• Cost/benefits of CAATs
Performing an IS Audit
• Computer-Assisted Audit Techniques (Cont’d)
• Development of CAATs
• Documentation retention
• Access to production data
• Data manipulation
Performing an IS Audit
• Evaluation of Strengths and Weaknesses
– Assess evidence
– Evaluate overall control structure
– Evaluate control procedures
– Assess control strengths and weaknesses
Performing an IS Audit
– Judging Materiality of Findings
Materiality is a key issue
Assessment requires judgment of the potential effect of the finding if corrective action is not taken
Performing an IS Audit
• Communicating Audit Results
• Exit interview
• Correct facts
• Realistic recommendations
• Implementation dates for agreed recommendations
• Presentation techniques
• Executive summary
• Visual presentation
Performing an IS Audit
–Audit report structure and contents
An introduction to the report
The IS auditor’s overall conclusion and opinion
The IS auditor’s reservations with respect to the audit
Detailed audit findings and recommendations
A variety of findings
Limitations to audit
Statement on the IS audit guidelines followed
Performing an IS Audit
• Management Actions to Implement Recommendations
– Auditing is an ongoing process
– Timing of follow-up
Performing an IS Audit
• Audit Documentation
– Contents of audit documentation
– Custody of audit documentation
– Support of findings and conclusions
Performing an IS Audit
– Constraints on the Conduct of the Audit
Availability of audit staff
Auditee constraints
– Project Management Techniques
Develop a detailed plan
Report project activity against the plan
Adjust the plan
Take corrective action
Control Self Assessment
Control Self-Assessment (CSA)
• A management technique
• A methodology
• In practice, a series of tools
Control Self Assessment
– Implementation of CSA
Facilitated workshops
Hybrid approach
Control Self Assessment
• Benefits of CSA
• Disadvantages of CSA
• Objectives of CSA
• Enhancement of audit responsibilities (not a replacement)
• Education for line management in control responsibility and monitoring
• Empowerment of workers to assess the control environment
Control Self Assessment
• IS Auditor’s Role in CSAs
• Technology Drivers for CSA Program
• Traditional vs. CSA Approach
Emerging Changes in IS Audit Process
New Topics:
• Automated Work Papers
• Integrated Auditing
• Continuous Auditing
Emerging Changes in IS Audit Process
• Automated Work Papers
• Risk analysis
• Audit programs
• Results
• Test evidence
• Conclusions
• Reports and other complementary information
Emerging Changes in IS Audit Process
• Automated Work Papers (Cont’d)
• Controls over automated work papers:
• Access to work papers
• Audit trails
• Approvals of audit phases
• Security and integrity controls
• Backup and restoration
• Encryption for confidentiality
Emerging Changes in IS Audit Process
• Integrated Auditing
Process whereby appropriate audit disciplines are combined to assess key internal controls over an operation, process or entity
• Focuses on risk to the organization (for an internal auditor)
• Focuses on the risk of providing an incorrect or misleading audit opinion (for an external auditor)
Emerging Changes in IS Audit Process
• Integrated Auditing - Typical process:
• Identification of relevant key controls
• Review and understanding of the design of key controls
• Testing that key controls are supported by the IT system
• Testing that management controls operate effectively
• A combined report or opinion on control risks, design and weaknesses
Emerging Changes in IS Audit Process
• Continuous Auditing - Definition
“A methodology that enables independent auditors to provide written assurance on a subject matter using a series of auditors’ reports issued simultaneously with, or a short period of time after, the occurrence of events underlying the subject matter”
Emerging Changes in IS Audit Process
• Continuous Auditing
• Distinctive character
• short time lapse between the facts to be audited and the collection of evidence and audit reporting
• Drivers
• better monitoring of financial issues
• allowing real-time transactions to benefit from real-time monitoring
• preventing financial fiascoes and audit scandals
• using software to determine proper financial controls
Emerging Changes in IS Audit Process
– Continuous Auditing vs. Continuous Monitoring
Continuous monitoring
Management-driven
Based on automated procedures to meet fiduciary responsibilities
Continuous auditing
Audit-driven
Done using automated audit procedures
Emerging Changes in IS Audit Process
• Continuous Auditing
Enabler for the Application of Continuous Auditing
– New information technology developments
– Increased processing capabilities
– Standards
– Artificial intelligence tools
Emerging Changes in IS Audit Process
• Continuous Auditing
IT techniques in a continuous auditing environment
– Transaction logging
– Query tools
– Statistics and data analysis (CAAT)
– Database management systems (DBMS)
– Data warehouses, data marts, data mining.
– Artificial intelligence (AI)
– Embedded audit modules (EAM)
– Neural network technology
– Standards such as Extensible Business Reporting Language
Emerging Changes in IS Audit Process
• Continuous Auditing - Prerequisites
• A high degree of automation
• An automated and reliable information-producing process
• Alarm triggers to report control failures
• Implementation of automated audit tools
• Quickly informing IS auditors of anomalies/errors
• Timely issuance of automated audit reports
• Technically proficient IS auditors
• Availability of reliable sources of evidence
• Adherence to materiality guidelines
• Change of IS auditors’ mind-set
• Evaluation of cost factors
Emerging Changes in IS Audit Process
• Continuous Auditing
• Advantages
• Instant capture of internal control problems
• Reduction of intrinsic audit inefficiencies
• Disadvantages
• Difficulty in implementation
• High cost
• Elimination of auditors’ personal judgment and evaluation