
"What is it with IT audit?"

An IT audit is similar to our financial audit, but it focuses on IT procedures and operations. IT audits
consist of three phases: audit planning, test of control, and substantive testing.

THIS IS WHERE WE MUST UNDERSTAND/ANALYZE THE COMPANY'S INTERNAL CONTROL IF IT IS
EFFECTIVE, EFFICIENT, TIME-SAVING, AND ECONOMICAL. The focus is on the computer-based
components of an organization's information system.

NOTES:

Internal control legislation timeline – US enacted laws

The video explains the different objectives of the US enacted laws on internal control.

The Sarbanes-Oxley Act of 2002 is one of the laws US accountants need to remember, because it
supports efforts to increase public confidence in capital markets and requires the management of public
companies to implement an adequate system of internal controls.

The parts of the SOX Act related to the Philippines are Section 302 “certification” and Section 404 “assessment”;
these codify management's responsibilities for internal control.

Section 302: corporate management is required to certify the internal control on a
quarterly or annual basis.

Section 404: after certifying the internal control, you need to assess whether the internal control is effective
through the provision of an annual report.

GAAS

GAAS is for auditing and GAAP is for accounting

Auditing standards – minimum standards of measure of performance that the auditor shall follow in
conducting the audit.

GAAS is divided into 3 categories: the general standards, standards of field work, and reporting standards.

General standards apply to the auditor, standards of field work apply to the work, and the
reporting standards are the standards for reporting.

Statement of auditing standards

What is an IT audit

An IT audit has 3 steps: audit planning phase, test of control phase, and substantive testing phase, similar to
our financial audit.

It is similar to the financial audit, but the emphasis of an IT audit is on IT practices and
operations.

THIS IS WHERE WE HAVE TO UNDERSTAND/ANALYZE THE COMPANY'S INTERNAL CONTROL: whether
it is effective, efficient, time-saving, and economical. The focus is the computer-based aspects of an
organization’s information system.

Role of an IT auditor, types of auditor, code of professional ethics

General control is general: it is more about governing the design, security, and use of computer programs.
Application control is specific: it is more about the transactional side of the IT environment.

An IT auditor can be a counselor, part of management, or an investigator.

Counselor – as an IT auditor you can provide advice, recommendations, and suggestions to improve
practices in the IT environment

Part of management – senior roles, boss

Investigator – outside the company

Types of auditor: internal if they are part of the company, and external if they are outside the
company.

Code of professional ethics – you need to follow it so they can trust you.

General audit universe, IT audit universe

Audit universe – anything that falls into the “environment” can be subject to audit

Assessing client acceptance & retention decision – this is for the external auditor, for whom there should be a client
acceptance. The internal audit doesn’t have client acceptance: since internal auditors work for the
company, they don’t have a certain checklist to follow.

IT AUDIT –

External audit – involves IT general and control as part of risk assessment (if the company is automated)

Risk assessment: business risk, financial reporting risk, engagement risk, audit risk

The audits are risk-based.

Business risk (BSR) and financial reporting risk (FRR) – if we’re the external auditor, this one depends on our clients. If you will be accepting a client,
what are the possible risks of the client? These are the things we can’t control, but we can
minimize the impact.

VERY CRITICAL ESPECIALLY AT THE VERY BEGINNING SINCE IT GIVES US THE DIRECTION WE HAVE TO
PURSUE WHEN WE ARE CONDUCTING OUR AUDIT.

"What is it with IT audit?"

IT audits are critical for protecting an organization's information systems, maintaining compliance,
controlling risks, and streamlining IT operations. It enables enterprises to preserve the confidentiality,
integrity, and availability of their data and systems in an ever-changing technological context.

IT audits, similar to financial audits, are divided into three phases: audit planning, control testing, and
substantive testing.

The IT audit focuses on an organization's IT practices and operations, namely the computer-based parts
of its information system.

Understanding and analyzing the effectiveness, efficiency, time-saving, and economy of internal controls
are essential components of an IT audit, ensuring a comprehensive evaluation of an organization's
information systems.

Key Takeaways:

1. Internal Control Legislation Timeline – US Enacted Laws:

The video discusses the objectives of US-enacted laws related to internal control.

The Sarbanes-Oxley Act of 2002 (SOX) is discussed, highlighting its importance in enhancing public trust
in capital markets and requiring public company management to maintain effective internal controls.

Sections 302 and 404 of SOX are particularly relevant to the Philippines since they focus on management
certification and internal control evaluation.

2. Generally Accepted Auditing Standards (GAAS) | General, Fieldwork, and Reporting Standards

GAAS is for auditing, while GAAP is for accounting.

GAAS is organized into three categories: general standards, fieldwork standards, and reporting
standards.

General standards apply to the auditor; fieldwork standards apply to the work performed; and reporting
standards guide the reporting process.

The statement of auditing standards emphasizes the relevance of auditing standards as minimal
performance indicators for auditors.

3. Role of an IT Auditor and Types of Auditors:

IT auditors can work as counselors, part of management, or investigators.


Counselors advise on how to enhance IT operations, while managers have top positions and
investigators work outside the organization.

Auditors can be internal (within the company) or external (outside the company).

IT auditors need to adhere to a code of professional ethics to maintain trust.

4. General and IT Audit Universe

The audit universe includes anything in the environment that can be subject to auditing.

External auditors must assess client acceptability, but internal auditors do not have client acceptance
because they work for the organization.

External IT audits include general and control components as part of risk evaluation, particularly in
automated businesses.

5. Risk assessment

Audits are risk-based, taking into account business, financial reporting, engagement, and audit risks.

Business risk and financial reporting risk—if we’re the external auditor, this one depends on our clients.
If you will be accepting a client, what are the possible risks of the client? These are the things we can’t
control, but we can minimize their impact.

Assessing risks is very important, especially at the beginning, because it gives us the direction we need
to follow while conducting our audit.
