How To Derive An IT Audit Universe
Question
Answer
The Global Technology Audit Guide (GTAG), Developing the IT Audit Plan, has a recommended
approach to compiling an IT audit universe. The sections below (using the GTAG numbering) explain
the steps involved.
Another common IT model is to outsource the IT function to an external provider. For example, the
property development company may use a combination of centralised corporate IT HQ as well as
satellite IT resources to support the overseas property development projects.
© Chartered Institute of Internal Auditors
It is also important to understand the IT support processes. Examples of the IT support processes
include the IT helpdesk support, backup management, user administration process, etc. In the
context of the property development company, examples of the key support processes include IT
helpdesk support, backup management as well as IT disaster recovery processes.
The Sarbanes-Oxley Act states that public companies must show that controls over financial
reporting are designed and operating effectively. If the property development company is listed in the
United States, the company is required to demonstrate to the regulators that it has effective IT
controls on the financial system.
What this series of steps highlights is that it is best to take a strategic, top-down approach to build
an IT audit universe.
One simple reason for this is that it provides an indication of what is important rather than trying to
build the detail from the bottom up from a wide range of IT activities, processes, procedures,
products and services. It will also give an indication of what the most important risks around IT are and
where assurance is most needed.
We therefore suggest that you structure your research and information gathering using a set of
headings, similar to the GTAG steps, that might work for your organisation.
Here is an example with a brief and simple set of supporting tables to illustrate how you can begin
to build the universe:
• IT governance areas
• IT infrastructure review areas
• IT infrastructure assets
• Business application review areas
• Business applications
IT governance
IT resourcing Corporate HQ
IT infrastructure
IT infrastructure assets
Business application
SAP Corporate HQ
It is important to appreciate that the IT audit universe will probably form part of the overall internal
audit universe so using the same structure and approach is likely to help and ensure consistency.
Whilst the International Standards do not require internal audit activities to maintain an audit
universe, the head of internal audit can choose whether or not this is a useful thing to do. However,
the Standards do require the head of internal audit to establish a risk-based internal audit plan
(Standard 2010 Planning).
One of the advantages of having an audit universe is that it enables the audit activity to be clear
about the extent of coverage of key risks and other risk areas each year. It can also provide a
degree of rigour around areas not being audited.
Further reading
Audit universe