Chapter Nine
Conducting the IT Audit
(PowerPoint presentation transcript)

Audit Standards
– AICPA: Statements of Auditing Standards (SASs)
– ISACA: IS Audit Standards, Guidelines, and Procedures
– AICPA: Statement on Standards for Attestation Engagements (SSAE)
– IFAC: International Auditing Standards
– ISACA: CobiT
The IT Audit Lifecycle
– Planning
– Risk Assessment
– Prepare Audit Program
– Gather Evidence
– Form Conclusions
– Deliver Audit Opinion
– Follow Up
Planning
– Scope and control objectives
– Materiality
– Outsourcing
– Gain an understanding of the client and the client’s industry and business risks
Risk Assessment
– The shift is to a risk-based audit approach: “What can go wrong?”
– High-risk areas require more audit effort
– Materiality is important
The Audit Program
– Includes:
  – Scope
  – Audit objectives
  – Audit procedures
  – Administrative details such as planning and reporting
– Generic audit programs are customized for the client and the client’s technology
Gathering Evidence
– Evidence includes:
  – Observations
  – Documentary evidence
  – Flowcharts, narratives, written policies
  – CAATs procedures
– Sampling
  – Attribute sampling is used by IT auditors
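The slide above notes that IT auditors use attribute sampling when testing controls. As an added example (not code from the original slides), the following Python works out the two calculations behind that technique: the planned sample size given the auditor's confidence level, tolerable deviation rate and expected deviation rate, and the upper deviation limit computed after testing, which decides whether the control can be relied upon. It assumes the usual binomial model (each sampled item either complies or is a deviation, population large relative to the sample); the function names and the sample outcome (deviations found in hypothetical change tickets) are the editor's own constructions.

```python
# Attribute sampling for a test of controls: an added illustration, not code
# from the original slides. Assumes a binomial model: each sampled item either
# complies with the control or is a deviation, and the population is large
# relative to the sample. Confidence level, tolerable deviation rate and
# expected deviation rate are the auditor's planning inputs.
from math import comb, ceil


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p): at most k deviations among n items."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def sample_size(confidence: float, tolerable_rate: float,
                expected_rate: float, max_n: int = 5000) -> int:
    """Smallest n such that, if the true deviation rate were as high as
    tolerable_rate, the chance of seeing no more deviations than the planner
    expects (ceil(expected_rate * n)) is at most 1 - confidence."""
    alpha = 1.0 - confidence
    for n in range(1, max_n + 1):
        allowed = ceil(expected_rate * n)
        if binom_cdf(allowed, n, tolerable_rate) <= alpha:
            return n
    raise ValueError("no sample size within max_n satisfies the parameters")


def upper_deviation_limit(n: int, deviations: int, confidence: float) -> float:
    """Computed upper deviation rate: the largest population deviation rate
    still consistent with observing <= deviations in n items at this
    confidence. Found by bisection, since P(X <= k | p) falls as p grows."""
    alpha = 1.0 - confidence
    lo, hi = 0.0, 1.0
    while hi - lo > 1e-7:
        mid = (lo + hi) / 2
        if binom_cdf(deviations, n, mid) > alpha:
            lo = mid  # this rate is still plausible, so the bound lies higher
        else:
            hi = mid
    return hi


def evaluate_control(n: int, deviations: int, confidence: float,
                     tolerable_rate: float) -> dict:
    """The auditor's conclusion from the test: rely on the control only when
    the computed upper deviation limit does not exceed the tolerable rate."""
    udl = upper_deviation_limit(n, deviations, confidence)
    return {
        "upper_deviation_limit": udl,
        "tolerable_rate": tolerable_rate,
        "control_reliable": udl <= tolerable_rate,
    }


if __name__ == "__main__":
    # Planning: 95% confidence, 5% tolerable, 1% expected -> 93 items, which
    # agrees with the standard attribute-sampling tables auditors use.
    n = sample_size(0.95, 0.05, 0.01)
    print("planned sample size:", n)
    # Constructed outcome: 1 deviation found in 93 sampled change tickets
    # (hypothetical population of change-management records).
    print(evaluate_control(n, 1, 0.95, 0.05))
    # Constructed outcome: 3 deviations in the same sample -> do not rely.
    print(evaluate_control(n, 3, 0.95, 0.05))
```

The planning step fixes the sample size before fieldwork; the evaluation step turns the deviations actually found into an upper bound on the population deviation rate, so the conclusion "control operating effectively" is tied to a stated confidence level rather than to the raw count of exceptions.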
Forming Conclusions
– Identify reportable conditions
The Audit Opinion
– Per Guidelines 70, should include:
  – Name of the organization being audited
  – Title, signature, and date
  – Statement of audit objectives and whether these were met
  – Scope of the audit
  – Any scope limitations
  – Intended audience
  – Standards used to perform the audit
  – Detailed explanation of findings
  – Conclusion, including reservations or qualifications
  – Suggestions for corrective action or improvement
  – Significant subsequent events
4 Main Types of IT Audits
– Attestation
– Findings and Recommendations
– SAS 70
– SAS 94
Attestation
– Standard is SSAE 10
– Includes:
  – Data analytic reviews
  – Commission agreement reviews
  – WebTrust engagements
  – SysTrust engagements
  – Financial projections
  – Compliance reviews
Findings and Recommendations
– Consulting or advisory services
– Include:
  – Systems implementations
  – Enterprise resource planning implementations
  – Security reviews
  – Database application reviews
  – IT infrastructure and needed-improvements engagements
  – Project management
  – IT internal audit services
SAS 70 Audit
– Applicable to any service organization that wishes to assure its clients of the existence and effectiveness of internal controls relative to the service provided
– Two types of SAS 70 audits: Type I and Type II

Types of SAS 70 reports
– Type I: a “walkthrough” that describes a company’s internal controls but does not perform detailed testing of these controls
– Type II: detailed testing of controls around the service provided
SAS 94
– Requires the auditor to:
  – Consider how a client’s IT processes affect internal control, evidential matter, and the assessment of control risk;
  – Understand how transactions are initiated, entered, and processed through the IS; and
  – Understand how recurring and nonrecurring journal entries are initiated, entered, and processed through the IS

Components of a SAS 94 audit
– Physical and environmental review
– Systems administration review
– Application software review
– Network security review
– Business continuity review
– Data integrity review
Using CobiT to Perform an Audit
– If no audit program exists, use CobiT to develop the audit program, or
– Map the existing audit program to company objectives