Information technology audit process

Information technology audit process:

Contents 1 Generally Accepted Auditing Standards (GAAS) 2 Information Technology Audit Process Overview 3 Phases of an IT Audit 3.1 Establish the Terms of the Engagement 3.2 Preliminary Review 3.3 Establish Materiality and Assess Risks 3.4 Plan the Audit 3.5 Consider Internal Control 3.6 Perform Audit Procedures 3.7 Issue the Audit Report 4 Planning the Audit 4.1 Materiality 4.2 Risk Assessment 4.2.1 Documentation of Risk Assessment 4.3 The Audit Plan 4.4 Planning Memo 5 Evaluation of Internal Controls 5.1 General Controls 5.2 Application Controls 5.3 Tests of Controls 6 Audit Procedures 6.1 Audit Sampling 6.1.1 Selecting the Sample 6.1.2 Evaluation and Documentation of Samples 6.2 Computer Assisted Auditing Techniques (CAATs) 6.3 Evidence 7 Completing the Audit 7.1 Reporting 7.1.1 Types of Reports 7.2 Audit Documentation 8 Resources

Generally Accepted Auditing Standards (GAAS)

In 1947, the American Institute of Certified Public Accountants (AICPA) adopted GAAS to establish standards for audits. The standards cover the following three categories:

• General Standards – relates to professional and technical competence, independence, and professional due care.
• Field Work Standards – relates to the planning of an audit, evaluation of internal control, and obtaining sufficient evidential matter upon which an opinion is based.
• Reporting Standards – relates to the compliance of all auditing standards and adequacy of disclosure of opinion in the audit reports. If an opinion cannot be reached, the auditor is required to explicitly state their assertions.

Information Technology Audit Process Overview

The auditor must plan and conduct the audit to ensure their audit risk (the risk of reaching an incorrect conclusion based on the audit findings) will be limited to an acceptable level. To eliminate the possibility of assessing audit risk too low the auditor should perform the following steps:

1. Obtain an Understanding of the Organization and its Environment: The understanding of the organization and its environment is used to assess the risk of material misstatement/weakness and to set the scope of the audit. The auditor’s understanding should include information on the nature of the entity, management, governance, objectives and strategies, and business processes.
2. Identify Risks that May Result in Material Misstatements: The auditor must evaluate an organization’s business risks (threats to the organization’s ability to achieve its objectives). An organization’s business risks can arise or change due to new personnel, new or restructured information systems, corporate restructuring, and rapid growth to name a few.
3. Evaluate the Organization’s Response to those Risks: Once the auditor has evaluated the organization’s response to the assessed risks, the auditor should then obtain evidence of management’s actions toward those risks. The organization’s response (or lack thereof) to any business risks will impact the auditor’s assessed level of audit risk.
4. Assess the Risk of Material Misstatement: Based on the knowledge obtained in evaluating the organization’s responses to business risks, the auditor then assesses the risk of material misstatements and determines specific audit procedures that are necessary based on that risk assessment.
5. Evaluate Results and Issue Audit Report: At this level, the auditor should determine if the assessments of risks were appropriate and whether sufficient evidence was obtained. The auditor will issue either an unqualified or qualified audit report based on their findings.

Phases of an IT Audit

The audit process can be broken down into the following audit phases:

Establish the Terms of the Engagement

This will allow the auditor to set the scope and objectives of the relationship between the auditor and the organization. The engagement letter should address the responsibility (scope, independence, deliverables), authority (right of access to information), and accountability (auditees’ rights, agreed completion date) of the auditor.

Preliminary Review

This phase of the audit allows the auditor to gather organizational information as a basis for creating their audit plan. The preliminary review will identify an organization’s strategy and responsibilities for managing and controlling computer applications. An auditor can provide an in depth overview of an organization’s accounting system to establish which applications are financially significant at this phase. Obtaining general data about the company, identifying financial application areas, and preparing an audit plan can achieve this.

Establish Materiality and Assess Risks

In order to plan the audit, a preliminary judgment about materiality and assessment of the client’s business risks are made to set the scope of the audit.

Plan the Audit

Proper planning of the audit will ensure the audit is conducted in an effective and efficient manner. When developing the audit plan, the auditor sinto consideration the results of their understanding of the organization and the results of the risk assessment process.

Consider Internal Control

To develop their understanding of internal controls, the auditor should consider information from previous audits, the assessment of inherent risk, judgments about materiality, and the complexity of the organization’s operations and systems.

Once the auditor develops their understanding of an organization’s internal controls, they will be able to assess the level of their control risk (the risk a material weakness will not be prevented or detected by internal controls).

Perform Audit Procedures

Audit procedures are developed based on the auditor’s understanding of the organization and its environment. A substantive audit approach is used when auditing an organization’s information system.

Issue the Audit Report

Once audit procedures have been performed and results have been evaluated, the auditor will issue either an unqualified or qualified audit report based on their findings.

Planning the Audit

IS Standard 050 (Planning) states, “The IT auditor should plan the information systems audit coverage to address the audit objectives and comply with applicable laws and professional auditing standards.”

One of the first tasks an auditor must do when planning the audit is to develop a working budget. The IT audit manager must know the capabilities of the audit staff assigned to the project. In addition to budgeted time needed to perform the audit, the IT audit manager should also budget time needed to train the audit staff (if needed) and allow time for any error correction purposes.

While planning the audit, the auditor decides what level of audit risk (the risk of reaching an incorrect conclusion based on the audit findings) he or she is willing to accept. The more effective and extensive the audit work is, the less the risk that a weakness will go undetected and the auditor will issue an inappropriate report. Audit risk is dependent on the auditors assessed levels of inherent risk (the susceptibility of an audit area to error which could be material, assuming there are no related internal controls), control risk (the risk a material weakness will not be prevented or detected by internal controls), and detection risk (the risk substantive tests will not detect an error which could be material). These risks are determined when the auditor performs a risk assessment of the organization.

Additionally, in order to evaluate whether an IT audit has been successful, the auditor must first identify the intended scope and objectives of the audit to test management’s assertions on their information systems. To meet the audit objectives, and to ensure that audit resources will be used efficiently, the auditor will need to establish levels of materiality. The auditor should consider both qualitative and quantitative aspects in determining materiality. An assessment of risk should be made to provide reasonable assurance that all material items will be adequately covered during the audit work. This assessment should identify areas with relatively high risk of existence of material problems.

Materiality

In assessing materiality, the IT auditor should consider:

• The aggregate level of error acceptable to management, the IT auditor, and appropriate regulatory agencies.
• The potential for the cumulative effect of small errors or weaknesses to become material.

While establishing materiality, the auditor may audit non-financial items such as physical access controls, logical access controls, and systems for personnel management, manufacturing control, design, quality control, and password generation.

While planning the audit work to meet the audit objectives, the auditor should identify relevant control objectives and determine, based on materiality, which controls should be examined. Internal control objectives are placed by management and identifies what the management strives to achieve through their internal controls.

Where financial transactions are not processed, the following identifies some measures the auditor should consider when assessing materiality:

• Criticality of the business processes supported by the system or operation.
• Cost of the system or operation (hardware, software, third-party services)
• Potential cost of errors.
• Number of accesses/transactions/inquiries processed per period.
• Penalties for failure to comply with legal and contractual requirements.

Risk Assessment

A risk is any event or action, generated internally or externally, which prevents an organization from achieving its goals and/or objectives. Risks affect control objectives in the areas of data integrity and accuracy, timeliness of the information for decision making, ability to access the system, and confidentiality/privacy of information, to name a few. Risk assessment allows the auditor to determine the scope of the audit and assess the level of audit risk and error risk (the risk of errors occurring in the area being audited). Additionally, risk assessment will aid in planning decisions such as:

• The nature, extent, and timing of audit procedures.
• The areas or business functions to be audited.
• The amount of time and resources to be allocated to an audit.

Documentation of Risk Assessment

Once the assessed level of risk has been determined, the auditor should document the following in their work papers:

• A description of the risk assessment technique used.
• The identification of significant risks.
• The risks the audit is going to address.
• The audit evidence used to support the IS auditor’s assessment of risk.

The Audit Plan

The audit plan details the audit objectives and steps the auditor must take to ensure all of the important issues in the audit are covered. The audit plan includes:

• The auditor’s understanding of the client.
• Potential audit risks.
• A basic framework for how the audit resources (budgeted audit hours) are to be allocated throughout the audit.
• Audit procedures to be performed.

The objective of the audit plan is to assist the auditor in conducting an effective and efficient audit.

Planning Memo

A planning memo outlines for the auditee the tone and course of action the IT audit manager plans to take. The memo outlines for the auditee the areas within the audit the auditor is planning to spend most of their time, and it gives the auditee the opportunity to voice any concerns.

Evaluation of Internal Controls

COSO defines internal control as, “a process, influenced by an entity’s board of directors, management, and other personnel, that is designed to provide reasonable assurance in the effectiveness and efficiency of operations, reliability of financial reporting, and the compliance of applicable laws and regulations”. The auditor evaluates the organization’s control structure by understanding the organization’s five interrelated control components. They include:

1. Control Environment Provides the foundation for the other components. Encompasses such factors as management’s philosophy and operating style.
2. Risk Assessment Consists of risk identification and analysis.
3. Control Activities Consists of the policies and procedures that ensure employees carry out management’s directions. Types of control activities an organization must implement are preventative controls (controls intended to stop an error from occurring), detective controls (controls intended to detect if an error has occurred), and mitigating controls (control activities that can mitigate the risks associated with a key control not operating effectively).
4. Information and Communication Ensures the organization obtains pertinent information, and then communicates it throughout the organization.
5. Monitoring Reviewing the output generated by control activities and conducting special evaluations.

In addition to understanding the organization’s control components, the auditor must also evaluate the organization’s General and Application controls. there are three audit risk componenets which are control risk, detection risk and inherent risk.

General Controls

General controls relate to the overall information-processing environment and has a large effect on the organization’s computer operations. Types of general controls include:

• Organizational Controls – includes segregation of duties controls.
• Data Center and Network Operations Controls – ensures the proper entry of data into an application system and proper oversight of error correction.
• Hardware & Software Acquisition and Maintenance Controls – includes controls to compare data for accuracy when it is input twice by two separate components.
• Access Security Controls – ensures the physical protection of computer equipment, software, and data, and is concerned with the loss of assets and information through theft or unauthorized use.
• Application System Acquisition, Development, and Maintenance Controls – ensures the reliability of information processing.
• Managerial controls- To ensure that there is no unauthorised access to IT assets.

Application Controls

Application controls apply to the processing of individual accounting applications and help ensure the completeness and accuracy of transaction processing, authorization, and validity. Types of application controls include:

• Data Capture Controls – ensures that all transactions are recorded in the application system, transactions are recorded only once, and rejected transactions are identified, controlled, corrected, and reentered into the system.
• Data Validation Controls – ensures that all transactions are properly valued.
• Processing Controls – ensures the proper processing of transactions.
• Output Controls – ensures that computer output is not distributed or displayed to unauthorized users.
• Error Controls – ensures that errors are corrected and resubmitted to the application system at the correct point in processing.

Application controls may be compromised by the following application risks:

• Weak security
• Unauthorized access to data and unauthorized remote access
• Inaccurate information and erroneous or falsified data input
• Misuse by authorized end users
• Incomplete processing and/or duplicate transactions
• Untimely processing
• Communication system failure
• Inadequate training and support

Tests of Controls

Tests of controls are audit procedures performed to evaluate the effectiveness of either the design or the operation of an internal control. Tests of controls directed toward the design of the control focuses on evaluating whether the control is suitably designed to prevent material weaknesses. Tests of controls directed toward the operation of the control focuses on assessing how the control was applied, the consistency with which it was applied, and who applied it. In addition to inquiring with appropriate personnel and observation of the application of the control, an IT auditor’s main focus when testing the controls is to do a re-performance of the application of the control themselves.

Audit Procedures

Audit Sampling

Audit sampling is the application of an audit procedure to less than 100% of the population to enable the IT auditor to evaluate audit evidence within a class of transactions for the purpose of forming a conclusion concerning the population. When designing the size and structure of an audit sample, the IT auditor should consider the audit objectives determined when planning the audit, the nature of the population, and the sampling and selection methods.

Selecting the Sample

The auditor should select the sample items in such a way that they are representative of the population. The most commonly used sampling selection methods are:

• Statistical Sampling Methods
  • Random Sampling – ensures that all combinations of sampling units in the population have an equal chance of selection.
  • Systematic Sampling – involves selecting sampling units using a fixed interval between selections with the first interval having a random start.
• Non-Statistical Sampling Methods
  • Haphazard Sampling – the auditor selects the sample without following a structured technique.
  • Judgmental Sampling – the auditor places a bias on the sample. For example, selecting only sampling units over a certain value.

The selection of the sample size is affected by the level of sampling risk that the IT auditor is willing to accept. Sampling risk is the risk the auditor’s conclusion may be different from the conclusion that would be reached if the entire population were subjected to the same audit procedure. The two types of sampling risk are:

1. The Risk of Incorrect Acceptance – the risk that a material misstatement is assessed as unlikely, when in fact the population is materially misstated.
2. The Risk of Incorrect Rejection – the risk that a material misstatement is assessed as likely, when in fact the population is not materially misstated.

Once the sample items have been selected to be tested, the auditor can begin audit tests using Computer Assisted Auditing Techniques (CAATs), which will be discussed shortly.

Evaluation and Documentation of Samples

The performance and evaluation of a sample must address the following issues:

• The effect of not being able to apply a planned procedure to a sample item.
• A projection of the sample results to the population being tested, then comparing those results with the planned amounts.
• Appropriate consideration to the assessed level of sampling risk must be performed.
• SAS 39 requires the auditor to adequately consider qualitative aspects of misstatements, such as the nature and cause of the misstatement and the possible relationship of the misstatements to other phases of the audit.

The auditor must document in their work papers the sampling objectives and the sampling process used. The work papers should include the source of the population, the sampling method used, sampling parameters, items selected, details of audit tests performed, and conclusions reached.

Computer Assisted Auditing Techniques (CAATs)

CAATs are used to test application controls as well as perform substantive tests on sample items. Types of CAATs include:

• Generalized Audit Software (GAS)
• Custom Audit Software (CAS)
• Test Data
• Parallel Simulation
• Integrated test facility

Evidence

Through the use of CAATs, the auditor will be able to obtain evidence to support their final conclusions developed on the audit. Audit evidence should be sufficient, reliable, relevant, and useful in order for the auditor to form an opinion and to support their findings and conclusions. If the auditor cannot form an opinion based on the audit evidence obtained, the auditor should then obtain additional audit evidence. Procedures used to gather audit evidence varies depending on the information system being audited. The auditor should select the most appropriate procedure for the audit objective. The following procedures should be considered:

• Inquiry and/or Observation
• Inspection
• Reperformance
• Monitoring

The audit evidence gathered by the auditor should be documented and organized to support the auditor’s findings and conclusions. Finally, when an auditor believes that sufficient audit evidence cannot be obtained, the auditor should disclose this fact as a scope limitation within the audit report.

Completing the Audit

Before choosing the appropriate audit report, the auditor must consider the following issues:

• Review for Subsequent Events – two types of subsequent events require an evaluation by the auditor. They include:

1. Type I events – events that provide additional evidence about the conditions that existed at the date of the balance sheet.
2. Type II events – events that provide evidence about conditions that did not exist at the date of the balance sheet, but arose after that date.

Audit procedures used to review for subsequent events include asking management whether any unusual adjustments to their information systems have been made during the subsequent events period (after the completion of the audit, but before the audit report is issued), or obtaining a representation letter from management.

• Final Evidential Evaluation Processes – audit steps performed by the auditor in this phase to determine the most appropriate audit report includes obtaining a representation letter, reviewing work papers, final assessment of audit results and obtaining an independent review of the engagement.
• Communications with the Audit Committee and Management – communications should include significant audit adjustments, the auditor’s judgments about the quality of the entity’s accounting principles, disagreements with management, major issues discussed with management before the auditor was retained, difficulties encountered during the audit, and fraud involving senior management. Also, the auditor should discuss the draft of the audit report with management to give management the chance to correct any weaknesses or deficiencies before they are reported and released to the public. The auditor may decide to do this in the form of a Management Comment Letter.
• Subsequent Discovery of Facts Existing at the Date of the Auditor’s Report – Auditing standards 561 provides guidance for auditors when facts have come to the auditor’s attention about the organization’s processes that might have affected the report had they known about them.

The auditor’s conclusion and findings, which are based on documented evidence, must be objective, measurable, complete, and relevant. The findings are disclosed to management in formal statements, typically an audit report. Any recommendations must be provided for each audit finding for the report to be useful to management.

Reporting

IS Auditing Standard 070 (Reporting) states, “The IT auditor should provide a report in an appropriate form, upon the completion of the audit. The report should state the scope, objectives, period of coverage, and the nature, timing, and extent of the audit work performed. The report should state the findings, conclusions, and recommendations and any reservations, qualifications or limitations of scope that IT auditor has with respect to the audit.”

Types of Reports

• Unqualified Audit Report
• Unqualified Audit Report with Explanation
• Qualified Report
• Qualified Report with Disclaimer
• Qualified Report with an Adverse Opinion

Audit Documentation

Working papers (audit documentation) is the formal collection of auditors notes, documents, flowcharts, correspondence, results of observations, plans and results of tests, the audit plan, minutes of meetings, computerized records, data files or application results

Resources

1. Auditing & Assurance Services, William F. Messier, Jr., 3rd Edition, page 45
2. Information Technology Control and Audit, Frederick Gallegos, Sandra Senft, et al., 2nd Edition, page 577
3. Auditing & Assurance Services, William F. Messier, Jr., 3rd Edition, page 55
4. Auditing & Assurance Services, William F. Messier, Jr., 3rd Edition, page 60 and Information Technology Control and Audit, Frederick Gallegos, Sandra Senft, et al., 2nd Edition, page 72
5. IS Auditing Standard S5 Planning – 04 Risk Assessment
6. IS Auditing Guideline G6 Materiality Concepts for Auditing Information, Paragraph 2.1.2
7. IS Auditing Guideline G6 Materiality Concepts for Auditing Information, Paragraph 2.1.5
8. IS Auditing Guideline G13 Use of Risk Assessment in Audit Planning, Paragraph 2.1.3
9. IS Auditing Guideline G13 Use of Risk Assessment in Audit Planning, Paragraph 2.3.4 & 2.3.5
10. IS Auditing Guideline G13 Use of Risk Assessment in Audit Planning, Paragraph 2.5.3
11. Guest speaker Mike Simpson, May 16, 2005
12. Auditing & Assurance Services, William F. Messier, Jr., 3rd Edition, page 263
13. AU 350.01
14. IS Auditing Guideline G10 Audit Sampling, Paragraph 2.3.1
15. SAS No. 39
16. Auditing & Assurance Services, William F. Messier, Jr., 3rd Edition, page 304
17. IS Auditing Guideline G10 Audit Sampling, Paragraph 2.4.1
18. Auditing & Assurance Services, William F. Messier, Jr., 3rd Edition, page 276
19. IS Auditing Guideline G2 Audit Evidence Requirement, Paragraph 3.2.1