UNCC MBAD 7090 - The Audit Process in an Information Technology Environment


Outline: Slide 1; Objectives; Overview; Financial Audits; IT Audits; GAAS; GAAS (continued); The Overall Audit Process; The Audit Plan; Preliminary Assessment; General Data Gathering; Risk Assessment; Preparing an Audit Plan; Audit Schedule; Audit Tasks; Obtain an Understanding; Evaluating Control Strength and Weakness; Evidence; Testing; Evaluating the Results; Final Evaluation and Report; Evaluate Audit’s Performance; Everyday Auditing; Assignment 2

Slide 1: Chapter 3: The Audit Process in an Information Technology Environment
MBAD 7090
Fall, 2008
IS Security, Audit, and Control (Dr. Zhao)

Slide 2: Objectives
- Understand the overall IT audit process
  - The overall definition of the audit process
  - Audit standards
  - Audit planning
  - Audit tasks

Slide 3: Overview
- The IT audit process complements the work of the financial/operation audit by providing reasonable assurance that information and information technology are processing as expected.

Slide 4: Financial Audits
- Financial auditors
  - Evaluate the fairness of financial statements
  - Cover all equipment and procedures used in processing significant data
- Certification: CPA
- Standards: Generally Accepted Accounting Principles (GAAP)
  - Fairly presented in conformity with generally accepted accounting principles (GAAP).
  - The measure for ‘fairly presented’: there is less than 5% chance (5% audit risk) that the financial statements are ‘materially misstated’.

Slide 5: IT Audits
- IT auditors
  - Evaluate IT systems, practices, and operations
  - Assure the validity, reliability, and security of information
  - Assure the efficiency and effectiveness of the IT environment in economic terms
- Certification: CISA, CISM, etc.
- Standards: Generally Accepted Auditing Standards (GAAS)

Slide 6: GAAS
- General standards
  - An auditor should have adequate technical training and proficiency
  - An auditor should maintain an independent attitude
  - Due professional care
- Field work standards
  - The auditor must adequately plan the work and must properly supervise any assistants
  - "The auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures."
  - The auditor must obtain sufficient appropriate audit evidence

Slide 7: GAAS (continued)
- Reporting Standards
  - In accordance with generally accepted accounting principles
  - Identify those circumstances in which such principles have not been consistently observed in the current period in relation to the preceding period.
  - Reasonably adequate
  - Contain an expression of opinion regarding the financial statements

Slide 8: The Overall Audit Process
- Step 1: Audit plan
- Step 2: Audit schedule
- Step 3: Audit tasks
- Step 4: Evaluating audit’s performance and the audit results
- A uniform, process-oriented approach
- A series of logical, orderly steps

Slide 9: The Audit Plan
- Purpose:
  - Identify what must be accomplished
- Deliverable
  - An audit plan
- Steps:
  - Preliminary assessment
  - Risk assessment
  - Identify application areas
  - Preparing an audit plan

Slide 10: Preliminary Assessment
- To gather information for an audit plan
  - General data gathering
  - Identifying financial application areas
- General data
  - Nature of business
  - Financial history
  - Organization structure
  - Systems involved
  - Current procedures (e.g., the extent of automation)

Slide 11: General Data Gathering
- System related information
  - An overall picture of major application systems
  - Interrelationships, key inputs, and outputs
  - Data control procedures
  - Assurance of an uninterruptible power supply
  - Procedures for backup, recovery, and restart of operations
- Methods
  - Interviews: inputs from managers and key stakeholders
  - Documentations
    - Policies, organization chart, prior audit reports
  - Physical inspections

Slide 12: Risk Assessment
- Standardized approach to evaluate:
  - Business risks
  - Application/systems risks
  - Current control environment
- Prioritized by risks
  - Which subsystems need more detailed examination

Slide 13: Preparing an Audit Plan
- Description of client organization
- Define objectives
- Define audit scope
- Structure work schedules
- Assure reasonable comprehensiveness
- Provide flexibility in approach
- Example 1
- Example 2

Slide 14: Audit Schedule
- Timing
  - By request
  - Synergizing and coordinating audits
- Resources
  - Availability of internal and external expertise
  - Cost

Slide 15: Audit Tasks
- Define scope and objectives
- Obtain a basic understanding of the area being audited
- Develop a detailed understanding of the area being audited
- Evaluate control strengths and weaknesses
- Test the critical controls, processes and exposures
- Evaluate the results
- Final evaluation and report
- Documentation

Slide 16: Obtain an Understanding
- Interviews & Documentation
  - Understand the relationship of each application to the client’s business
- Flowchart
  - An effective tool to understand related processes
  - Frequency of processing
  - Document source and destination
  - Actions that process/change the data
  - Controls over the documents transfer between units
  - An example

Slide 17: Evaluating Control Strength and Weakness
- Existence of
  - Documented policies and procedures
  - Accuracy and completeness
  - Evidence of compliance
- Process Effectiveness
  - Avoid redundancy and bottlenecks
- Management support
- Examples of controls over documents
  - Record counts
  - Control totals

Slide 18: Evidence
- Observation
  - Observe the activity being performed
- Evidence of the activity
  - Source documents (input forms, etc.)
  - Output documents (reports)
  - Logs (errors, exceptions)
- Duplicating the activity
  - repeating the

