03: Intro to IT Audit

Cards (46)

  • IT audit - is the examination and evaluation of an organization's information technology infrastructure, policies and operations.
  • Information technology audits determine whether IT controls protect corporate assets, ensure data integrity and are aligned with the business's overall goals.
  • IT auditors examine not only physical security controls, but also overall business and financial controls that involve information technology systems.
  • IT audit - any audit that encompasses review and evaluation of automated information processing systems, related non-automated processes, and the interfaces among them.
  • The primary objectives of an IT audit include:
    • Evaluate the systems and processes in place that secure company data.
    • Determine risks to a company's information assets and help identify methods to minimize those risks.
    • Substantiate that the internal controls exist and are functioning as expected to minimize business risk.
    • Ensure information management processes are in compliance with IT-specific laws, policies, and standards.
    • Determine inefficiencies in IT systems and associated management.
  • Financial Audit is focused on gathering data to ensure that the company’s financial statements are free from material misstatements.
  • IT Audit is just a part of the overarching process of the Financial Audit.
  • IT auditing is also not compliance testing.
  • IT auditors are examining whether the entity’s relevant systems or business processes for achieving and monitoring compliance are effective.
  • IT auditors also assess the design effectiveness of the rules—whether they are suitably designed or sufficient in scope to properly mitigate the target risk or meet the intended objective.
  • A compliance failure can be, and often is, the symptom of a bigger problem related to some risk factor and/or control, such as a defective system or business process, that can or does adversely affect the entity.
  • To the IT auditor, compliance failures are much more about risk (ultimately) than the rules themselves.
  • It is also passé to automatically or casually consider the IT aspects of an audit to be out of scope because they are not explicitly related to some stated requirement, or to consider an IT audit to be a waste of time. The fact is IT can and does adversely affect business processes or financial data in ways of which management may not be adequately aware.
  • IT Audit Process
    1. Planning the Audit Schedule
    2. Planning the Process Audit
    3. Conducting the Audit
    4. Reporting on the Audit
    5. Follow-up on Issues or Improvements Found
  • Planning the Audit Schedule
    A key part of a good process is having an overall Audit Schedule that is readily available to let everyone know when each process will be audited over the upcoming cycle (usually a yearly schedule).
  • Planning the Audit Schedule
    If you were not to have a plan and went with surprise audits, the message that is given from senior management is “We don’t trust our employees.”
  • Planning the Process Audit
    The first step in planning the individual process audits is to confirm with the process owners when the audit will take place.
  • Planning the Process Audit
    A good audit plan can make sure that the process owner will get value out of the audit process.
  • Planning the Process Audit
    Planning the IT audit involves two major steps. The first step is to gather information and do some planning, and the second step is to gain an understanding of the existing internal control structure.
  • Planning the Process Audit
    In a risk-based approach, IT auditors are relying on internal and operational controls as well as the knowledge of the company or the business.
  • Planning the Process Audit
    In the “Gathering Information” step, the IT auditor needs to identify five items:
    1. Knowledge of business and industry
    2. Prior year’s audit results
    3. Recent financial information
    4. Regulatory statutes
    5. Inherent risk assessments
  • Planning the Process Audit
    “Inherent risk” is defined as the risk that an error exists that could be material or significant when combined with other errors encountered during the audit, assuming there are no related compensating controls.
  • Planning the Process Audit
    In the “Gain an Understanding of the Existing Internal Control Structure” step, the IT auditor needs to identify five other areas/items:
    1. Control Environment
    2. Control Procedures
    3. Detection Risk Assessment
    4. Control Risk Assessment
    5. Equate Total Risk
  • Conducting the Audit
    An audit should start with a meeting with the process owner to make sure that the audit plan is complete and ready.
  • Conducting the Audit
    The focus of this activity is to gather evidence that the process is functioning as planned in the QMS (quality management system), and is effective in producing the required results.
  • Reporting on the Audit
    A closing meeting with the process owner is a necessity to ensure that the flow of information is not delayed.
  • Reporting on the Audit
    By identifying not only the non-conforming areas of the process, but also the positive areas and potential improvement areas, the process owner will get a better value from the Internal Audit, which will allow for process improvements.
  • Follow-up on Issues or Improvements Found
    If problems have been found and corrective actions were taken, making sure that the problem is actually fixed is a key part of fixing it.
  • Overview of the Four (4) Phases of an IT Audit
    The IT audit is generally divided into three phases: audit planning, tests of controls, and substantive testing; the audit report that follows them is the fourth.
    1. Audit Planning
    2. Test of Controls
    3. Substantive Testing
    4. Audit Report
  • Audit Planning
    The first step in the IT audit is audit planning. Before the auditor can determine the nature and extent of the tests to perform, he or she must gain an understanding of the business.
  • Audit Planning
    A major part of this phase of the audit is the analysis of audit risk. The objective of the auditor is to obtain sufficient information about the firm to plan the other phases of the audit.
  • Audit Planning
    The risk analysis incorporates an overview of the organization’s internal controls. During the review of controls, the auditor attempts to understand the organization’s policies, practices, and structure.
  • Audit Planning
    The techniques for gathering evidence at this phase include questionnaires, interviewing management, reviewing systems documentation, and observing activities.
  • Audit Planning
    During this process, the IT auditor must identify the principal exposures and the controls that attempt to reduce these exposures.
  • Tests of Controls
    The objective of the tests of controls phase is to determine whether adequate internal controls are in place and functioning properly.
  • Tests of Controls
    The auditor performs various tests of controls. The evidence gathering techniques used in this phase may include both manual techniques and specialized computer audit techniques.
  • Tests of Controls
    In the tests of controls phase, the auditor must assess the quality of internal controls.
  • Tests of Controls
    The degree of reliance the auditor can ascribe to internal controls affects the nature and extent of substantive testing that needs to be performed.
  • Substantive Testing
    This involves a detailed investigation of specific account balances and transactions through what are called substantive tests.
  • Substantive Testing
    Some substantive tests are physical, labor-intensive activities such as counting cash, counting inventories in the warehouse, and verifying the existence of stock certificates in a safe.