Chapter 3: The Audit Process in an Information Technology Environment
MBAD 7090, Fall 2008
IS Security, Audit, and Control (Dr. Zhao)

Outline
- Objectives
- Overview
- Financial Audits
- IT Audits
- GAAS
- GAAS (continued)
- The Overall Audit Process
- The Audit Plan
- Preliminary Assessment
- General Data Gathering
- Risk Assessment
- Preparing an Audit Plan
- Audit Schedule
- Audit Tasks
- Obtain an Understanding
- Evaluating Control Strength and Weakness
- Evidence
- Testing
- Evaluating the Results
- Final Evaluation and Report
- Evaluate Audit's Performance
- Everyday Auditing
- Assignment 2

Slide 2: Objectives
- Understand the overall IT audit process
  - The overall definition of the audit process
  - Audit standards
  - Audit planning
  - Audit tasks

Slide 3: Overview
The IT audit process complements the work of the financial/operational audit by providing reasonable assurance that information and information technology are processing as expected.

Slide 4: Financial Audits
- Financial auditors
  - Evaluate the fairness of financial statements
  - Cover all equipment and procedures used in processing significant data
- Certification: CPA
- Standards: Generally Accepted Accounting Principles (GAAP)
  - Financial statements are fairly presented in conformity with generally accepted accounting principles (GAAP).
  - The measure for "fairly presented": there is less than a 5% chance (5% audit risk) that the financial statements are "materially misstated".

Slide 5: IT Audits
- IT auditors
  - Evaluate IT systems, practices, and operations
  - Assure the validity, reliability, and security of information
  - Assure the efficiency and effectiveness of the IT environment in economic terms
- Certification: CISA, CISM, etc.
- Standards: Generally Accepted Auditing Standards (GAAS)

Slide 6: GAAS
- General standards
  - An auditor should have adequate technical training and proficiency
  - An auditor should maintain an independent attitude
  - Due professional care
- Field work standards
  - The auditor must adequately plan the work and must properly supervise any assistants
  - "The auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures."
  - The auditor must obtain sufficient appropriate audit evidence

Slide 7: GAAS (continued)
- Reporting standards
  - In accordance with generally accepted accounting principles
  - Identify those circumstances in which such principles have not been consistently observed in the current period in relation to the preceding period
  - Reasonably adequate
  - Contain an expression of opinion regarding the financial statements

Slide 8: The Overall Audit Process
- Step 1: Audit plan
- Step 2: Audit schedule
- Step 3: Audit tasks
- Step 4: Evaluating the audit's performance and the audit results
- A uniform, process-oriented approach
- A series of logical, orderly steps

Slide 9: The Audit Plan
- Purpose: identify what must be accomplished
- Deliverable: an audit plan
- Steps:
  - Preliminary assessment
  - Risk assessment
  - Identify application areas
  - Preparing an audit plan

Slide 10: Preliminary Assessment
- To gather information for an audit plan
  - General data gathering
  - Identifying financial application areas
- General data
  - Nature of business
  - Financial history
  - Organization structure
  - Systems involved
  - Current procedures (e.g., the extent of automation)

Slide 11: General Data Gathering
- System-related information
  - An overall picture of major application systems
  - Interrelationships, key inputs, and outputs
  - Data control procedures
  - Assurance of an uninterruptible power supply
  - Procedures for backup, recovery, and restart of operations
- Methods
  - Interviews: inputs from managers and key stakeholders
  - Documentation: policies, organization chart, prior audit reports
  - Physical inspections

Slide 12: Risk Assessment
- Standardized approach to evaluate:
  - Business risks
  - Application/system risks
  - Current control environment
- Prioritized by risk: which subsystems need more detailed examination

Slide 13: Preparing an Audit Plan
- Description of client organization
- Define objectives
- Define audit scope
- Structure work schedules
- Assure reasonable comprehensiveness
- Provide flexibility in approach
- Example 1; Example 2

Slide 14: Audit Schedule
- Timing
  - By request
  - Synergizing and coordinating audits
- Resources
  - Availability of internal and external expertise
  - Cost

Slide 15: Audit Tasks
- Define scope and objectives
- Obtain a basic understanding of the area being audited
- Develop a detailed understanding of the area being audited
- Evaluate control strengths and weaknesses
- Test the critical controls, processes, and exposures
- Evaluate the results
- Final evaluation and report
- Documentation

Slide 16: Obtain an Understanding
- Interviews and documentation: understand the relationship of each application to the client's business
- Flowchart: an effective tool to understand related processes
  - Frequency of processing
  - Document source and destination
  - Actions that process/change the data
  - Controls over document transfer between units
- An example

Slide 17: Evaluating Control Strength and Weakness
- Existence of
  - Documented policies and procedures
  - Accuracy and completeness
  - Evidence of compliance
- Process effectiveness
  - Avoid redundancy and bottlenecks
  - Management support
- Examples of controls over documents
  - Record counts
  - Control totals

Slide 18: Evidence
- Observation: observe the activity being performed
- Evidence of the activity
  - Source documents (input forms, etc.)
  - Output documents (reports)
  - Logs (errors, exceptions)
- Duplicating the activity: repeating the
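The record counts and control totals listed under "Examples of controls over documents" are checks an auditor can re-perform mechanically. The following Python script is an added example, not part of the lecture: it reconciles a constructed batch file (header, detail records, trailer with the sender's declared count and total) against the detail records actually received, so a record dropped or an amount altered in transfer between units shows up as a control exception. The record layout is assumed for the illustration.

```python
from decimal import Decimal

# Constructed sample batch (assumed layout): H = header, D = detail
# (document id, amount), T = trailer carrying the sender's declared
# record count and control total of the detail amounts.
SAMPLE_BATCH = """\
H,BATCH-0042,2008-10-15
D,INV-1001,125.50
D,INV-1002,80.00
D,INV-1003,300.25
T,3,505.75
"""


def parse_batch(text):
    """Split a batch into (header fields, detail list, (count, total))."""
    header, trailer, details = None, None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(",")
        if fields[0] == "H":
            header = fields
        elif fields[0] == "D":
            # Decimal avoids float rounding drift in money totals
            details.append((fields[1], Decimal(fields[2])))
        elif fields[0] == "T":
            trailer = (int(fields[1]), Decimal(fields[2]))
        else:
            raise ValueError(f"unknown record type: {fields[0]!r}")
    if header is None or trailer is None:
        raise ValueError("batch is missing header or trailer")
    return header, details, trailer


def check_batch_controls(text):
    """Return control exceptions; an empty list means the batch reconciles."""
    _, details, (declared_count, declared_total) = parse_batch(text)
    actual_count = len(details)
    actual_total = sum((amt for _, amt in details), Decimal("0"))
    exceptions = []
    if actual_count != declared_count:
        exceptions.append(f"record count: declared {declared_count}, received {actual_count}")
    if actual_total != declared_total:
        exceptions.append(f"control total: declared {declared_total}, received {actual_total}")
    return exceptions


if __name__ == "__main__":
    # Simulate a document lost between units by dropping one detail record
    tampered = SAMPLE_BATCH.replace("D,INV-1002,80.00\n", "")
    print(check_batch_controls(SAMPLE_BATCH))  # []
    print(check_batch_controls(tampered))      # two exceptions
```

A record count alone would not catch an altered amount, and a control total alone can be fooled by offsetting changes, which is why the two controls are normally used together.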