IT Audit course: IS Audit Plan
STRUCTURE OF THE PLAN
The structure of the planning will, in general, follow the structure of the audit process. It will therefore include the preliminary survey of operations, the description and analysis of internal controls, the expanded tests of control systems, the development of findings and recommendations, report production, follow-up, and audit evaluation.
Preliminary Survey
The objectives of the preliminary survey are to gain an initial understanding of the auditee’s operations and to gather preliminary evidence for further audit planning. Where the area has been audited in the past, the preliminary survey may take the form of confirming the auditor’s existing understanding. The survey itself will typically include an opening conference between members of the audit team and auditee management to outline the audit assignment and to coordinate audit activities with auditee operations. An on-site tour of the premises is normal, to familiarize the auditor with the nature of the operations and the personnel involved; it permits the auditor to make an initial assessment of the overall standard of internal control. Care must be taken at this stage not to start audit testing prematurely. Further study of selected documents will provide a basis for written descriptions of the auditee’s operations. Documents such as job descriptions, organization charts, policy manuals, and critical operating documents would be examined at this stage to determine whether they exist, how well they are maintained, whether they are appropriately secured, and whether they are ever used. Written descriptions of the auditee’s operations prepared by the auditor clarify the auditor’s understanding, and confirmation of them can be sought directly from auditee management.
Internal Control Description and Analysis
From the preliminary survey the auditor should have a good understanding of the business and control objectives of the area under review. This stage allows the preparation of detailed descriptions of the auditee’s internal controls related to the areas under review. Limited testing of those controls may take place at this stage in order to determine the extent of subsequent testing required. Based on this information the auditor evaluates the system of internal controls to determine whether the control structures in place, if operating effectively, would lead to the desired level of control. At this point a risk reassessment can be carried out to determine whether the objectives and scope of the audit need to change, and how much, if any, expanded audit testing is required before conclusions can be drawn.
Expanded Tests
In order to determine whether the internal control structure is effective, a certain amount of expanded audit testing will be required. These are the tests that would be included in the final audit program in addition to the preliminary audit program. Such testing would include the examination of records and documents, interviews with auditee management and other personnel, observation of operations, examination of assets, interrogation of computer files, comparison of audit results to the auditee’s own reports, and other procedures designed to test the effectiveness of the system of internal control. The auditor would make use of all the previously discussed tools and techniques at their disposal.
Findings and Recommendations
Based on the work carried out, the auditors will develop their findings and determine what changes, if any, are necessary to improve internal controls. A finding consists of four distinct parts: criteria, condition, effect, and cause. Criteria are the standards against which observed conditions are measured. The condition is what was actually observed during the course of audit testing. The effect is the impact on the business associated with the observed problem. The cause addresses the failure or weakness within the internal control structure that allowed the condition to arise.
Based on these findings the auditor may choose to make recommendations. These typically take four forms:
- Make no changes in the control system, where controls are deemed to be both adequate for the given level of risk and effective in controlling that risk, and the current control system is seen to be cost-effective.
- Improve control and reduce risk either by modifying current controls or by adding new ones.
- For those areas where risk is not at an acceptable level but control is impractical or not cost-effective to implement, the auditor may recommend transferring the risk, either through insurance or by outsourcing.
- Should there remain an element of risk not covered by the system of internal control and nevertheless at an unacceptable level, the auditor may be able to recommend changes that would improve the rate of return for accepting that level of risk.
Report Production
The reporting phase of the audit includes documenting and communicating the final results. This is not, as is often believed, the “final product.” The overall objective of the audit was to assist management to improve control within the organization; as such, communication via the audit report is a critical element. It is the audit report that will persuade management to take effective action, or conversely fail to persuade management. The reputation of the audit function is largely based on the audit report, because this represents a formal presentation of the auditor’s professional competence. In most audit reports it is found beneficial to include the auditee’s comments on any recommendations raised. This supports the objectivity of the final report by permitting the auditee to disagree formally with the auditor’s observations. Failure to include auditee comments may result in the auditee finding other ways of expressing their disagreement with the audit report, the audit process, and the auditors themselves. The audit report itself must be produced in a timely manner, and no unwarranted delays should be permitted to occur within the process. A 24- to 48-hour production schedule should be aimed at.
Following Up
It is critical that any recommendations made within the audit report be followed up in order to determine whether management has accepted the risk of taking no further action, taken the appropriate remedial steps to resolve any control weakness, or taken no action and left the weakness as an unacceptable risk. This follow-up will itself result in the production of a report, albeit a short one, which will hopefully state that all outstanding issues have now been resolved.
Audit Evaluation
The final stage of the audit is the evaluation made by the auditors of their own performance. No audit is complete until the full audit process has been executed. It is an essential control within the audit function itself that self-assessment be carried out at the end of each audit project. Coming as it does at the end of the process, this step is often omitted, to the detriment of future audit performance.
TYPES OF AUDIT
Again, to a large extent the development of the audit plan will depend upon the nature of the audit being conducted. Financial audits tend to involve the verification of figures produced by the computer systems. This will commonly involve the auditor using CAATs to extract information directly from data files for comparison to reported figures. Operational audits focus on the effectiveness and efficiency of business operations and could include IT itself as a business function. These audits will normally involve identifying performance evaluation criteria and KPAs and matching the performance achieved against that intended. General control audits focus on the management controls around the information processing function and facility and may be either operational or compliance based. Application audits can take the form of reviews of live application systems within the user arena, audits of application systems under development, or audits of the application systems development process itself. Audits involving operating systems are less concerned with auditing the operating system itself than with the way in which the installation has chosen to implement operating system options; this typically involves examining the parameters selected, and the selection process, for appropriateness. Physical access audits are performed in the same manner as physical access audits of any other corporate asset, with the primary objective of safeguarding the corporate asset. Logical access audits, however, will typically involve interrogation of computer system control files in order to match the access rights granted against job requirements.
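The logical access audit described above, and the "interrogation of computer files" listed among the expanded tests, is the kind of work a CAAT is written for. The following is an added example, not part of the course material: it takes a constructed extract of user access rights (as might be pulled from a system's user or ACL control file), compares each account's rights against the rights authorised for its job role (the audit criteria), and reports the conditions an auditor would write up as findings: orphan accounts, rights in excess of the job requirement, and segregation-of-duties conflicts. The extract, role matrix, and conflict rules are all invented for illustration.

```python
"""Added example: a CAAT-style logical access review (not from the course text).

Matches access rights actually granted (the condition) against the rights
authorised for each job role (the criteria) and reports the exceptions.
"""
import csv
import io

# Constructed sample extract: one row per account, rights separated by ';'.
ACCESS_EXTRACT = """user,role,status,rights
alice,AP_CLERK,active,AP_ENTRY;AP_VIEW
bob,AP_CLERK,active,AP_ENTRY;AP_APPROVE;AP_VIEW
carol,TREASURY,active,PAYMENT_RELEASE;AP_VIEW
dave,AP_CLERK,terminated,AP_ENTRY
erin,AP_SUPERVISOR,active,AP_APPROVE;AP_VIEW;PAYMENT_RELEASE
"""

# Constructed job-role matrix: the rights each role is authorised to hold.
ROLE_MATRIX = {
    "AP_CLERK": {"AP_ENTRY", "AP_VIEW"},
    "AP_SUPERVISOR": {"AP_APPROVE", "AP_VIEW"},
    "TREASURY": {"PAYMENT_RELEASE", "AP_VIEW"},
}

# Constructed segregation-of-duties rules: right pairs one person must not hold together.
SOD_CONFLICTS = [
    ({"AP_ENTRY", "AP_APPROVE"}, "can enter and approve the same invoice"),
    ({"AP_APPROVE", "PAYMENT_RELEASE"}, "can approve and release the same payment"),
]


def parse_extract(text):
    """Parse the CSV extract into dicts whose 'rights' value is a set."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["rights"] = {r for r in row["rights"].split(";") if r}
        rows.append(row)
    return rows


def review_access(rows, role_matrix, sod_conflicts):
    """Return a list of exceptions as (user, exception_type, detail) tuples."""
    findings = []
    for row in rows:
        user, role, rights = row["user"], row["role"], row["rights"]
        # Condition 1: an account that is no longer active but still holds rights.
        if row["status"] != "active" and rights:
            findings.append((user, "orphan_account", sorted(rights)))
            continue
        # Condition 2: a role with no entry in the matrix cannot be measured
        # against any criterion, so it is reported rather than silently passed.
        authorised = role_matrix.get(role)
        if authorised is None:
            findings.append((user, "unknown_role", role))
            continue
        # Condition 3: rights granted beyond those the job requires.
        excess = rights - authorised
        if excess:
            findings.append((user, "excess_rights", sorted(excess)))
        # Condition 4: SoD conflicts, checked even when each right is individually
        # authorised, since the conflict is in the combination.
        for pair, description in sod_conflicts:
            if pair <= rights:
                findings.append((user, "sod_conflict", description))
    return findings


def run_review():
    """Run the review over the constructed extract and return the exceptions."""
    return review_access(parse_extract(ACCESS_EXTRACT), ROLE_MATRIX, SOD_CONFLICTS)


if __name__ == "__main__":
    for user, kind, detail in run_review():
        print(f"{user:8} {kind:15} {detail}")
```

In practice the extract would come from the system itself (a user listing, an ACL dump, a directory export) and the role matrix from HR or the business owner; the value of the CAAT is that every account is tested against the criteria, not a sample, and the output lists conditions ready to be written up with their cause and effect.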