is audit report - chapter 8

PLANNING AND EXECUTION OF ASSIGNMENTS AUDIT MANAGEMENT

Upload: mary-grace-caguioa-agas

Post on 13-Sep-2015


Audit vs. IT audit

AUDIT MISSION

To review, appraise, and report on:

- Soundness, adequacy, and application of controls
- Compliance with established policies, plans, and procedures
- Accounting for and safeguarding corporate assets
- Application of proper authority levels
- Reliability of accounting and other data
- Quality of performance of assigned duties
- Extent of coordinated effort between departments
- Safeguarding of corporate interests in general

IT AUDIT MISSION

To review, appraise, and report on:

- Soundness, adequacy, and application of IT operational standards
- Soundness, adequacy, and application of systems-development standards
- The extent of compliance with corporate standards
- Security of the corporate IT investment
- Adequacy of contingency arrangements
- Completeness and accuracy of computer-processed information
- Whether optimum use is being made of all computing resources
- Soundness of application systems developed

ORGANIZATION OF THE FUNCTION

3 different views on computer audit as a discrete discipline:

The first view, and one often held by computer auditors themselves, is that any review of computer controls should be carried out by a specialist computer auditor. The contrary view is that computer auditors and general auditors must integrate fully. Between these views is a third view.

INTEGRATED IT AUDITOR VERSUS INTEGRATED IT AUDIT

Integrated Auditor

The basic concept is to develop an expanded auditor skill set, basically to train financial/operational auditors to be partial IT auditors.

Integrated Audit

Seek to apply the knowledge base that currently exists within their organization by assembling an audit team including IT audit-trained as well as financial/operationally trained auditors working together.

BUSINESS INFORMATION SYSTEMS

Auditing computer systems of any kind is a systematic process commenced by obtaining a business understanding of the system under review.

The next stage would be the definition of the specific control objectives, and from there the auditor may proceed to identify and evaluate critical controls/processes/apparent exposures and design the audit procedures to test the critical facets. Evaluation of the results, reporting, and follow-up complete the process.

Planning

Planning the IT audit function involves defining the areas of audit involvement. These could be the review of:

- Business systems
- Systems under development
- IT facilities management
- Security and recovery controls
- Efficiency and effectiveness of IT

STAFFING

Depending on the size and complexity, staffing could consist of a mix of:

- Computer audit manager
- Application auditors
- Trainee auditors
- Audit application development staff
- Technical support

Typical skills or knowledge that may be required in an IT audit department:

- IT security and control principles
- Audit principles
- Good interpersonal and communications skills
- Good sense of judgment
- Business-specific skills
- Systems-analysis skills
- Data-analysis skills
- Some programming skill
- Computer operations experience
- Networks
- Systems software
- PCs and minicomputers
- Interfacing with the Internet
- Cloud computing

IT AUDIT AS A SUPPORT FUNCTION

IT audit may also be viewed as a support function to the rest of the internal audit function.

They may also assist in the development of control procedures for internal computer usage.

3 types of organizational structure involving IT audit:

- Centralized
- Decentralized
- Hybrid approach

AUDITEES AS PART OF THE AUDIT TEAM

In today's world, the team audit approach needs to be taken to the next level, including management and staff of the area undergoing evaluation.

APPLICATION AUDIT TOOLS

The tools available for computer auditors include not only CAATs but also the standard tools such as interviews, system questionnaires, control questionnaires, and documentation.

Control evaluation tools such as CAATs, test data generators, and flowcharting packages may be combined with specialized audit software, generalized audit software, utility programs, and non-audit-specific software such as reporting programs and general query languages.

Risk analysers, audit planning software, and automated working papers may also prove useful tools in this environment.

ADVANCED SYSTEMS

The audit of advanced systems such as paperless systems (e.g., electronic data interchange [EDI]) or decision support systems (e.g., Executive Information Systems) involves a risk-multiplier factor.

The risk is limited only by the corporate dependency on the system.

The use of cloud computing and enterprise resource management (ERM) systems to drive the fundamental business of the organization means the risks within these areas must be clearly understood by the IT auditor and that the IT audit program must be tailored to meet these advanced risks.

SPECIALIST AUDITOR

Many organizations make use of specialists within their IT audit function to carry out tasks classed as being beyond the scope of the conventional IT auditor.

These include such audit areas as performance auditing of computerized systems, auditing logical computer security, auditing telecommunications, auditing that technical specialists area, and auditing IT strategic planning.

IT AUDIT QUALITY ASSURANCE

As with any other audit area, quality assurance remains the responsibility of the audit manager.

This normally involves review of audit work by other IT auditors as well as audit management.