AUDIT PROJECT MANAGEMENT
MODULE 6
● Several steps are required to perform an audit.
Adequate planning is a necessary first step in
performing effective IS audits. To efficiently
use IS audit resources, audit organizations
must assess the overall risk for the general and
application areas and related services being
audited, and then develop an audit program
that consists of objectives and audit
procedures to satisfy the audit objectives.
● The audit process requires an IS auditor to
gather evidence, evaluate the strengths and
weaknesses of controls based on the evidence
gathered through audit tests, and prepare an
audit report that presents to management
those issues (i.e., areas of control weaknesses
with recommendations for remediation) in an
objective manner.
● Audit management must ensure the availability
of adequate audit resources and a schedule for
performing the audits and, in the case of
internal IS audit, for follow-up reviews on the
status of corrective actions taken by
management.
● The process of auditing includes defining the
audit scope, formulating audit objectives,
identifying audit criteria, performing audit
procedures, reviewing and evaluating evidence,
forming audit conclusions and opinions, and
reporting to management after discussion with
key process owners.
PROJECT
● Series of structured tasks, activities, and
deliverables that are carefully executed to
achieve a desired outcome.
● They are temporary efforts to create value
through unique products, services and
processes
- Audit engagement is a type of project. It has
several phases and it is not an indefinite task, it
has a beginning and end.
PROJECT MANAGEMENT
● Is the practice of using knowledge, skills,
tools, and techniques to complete a series of
tasks to deliver value and achieve a desired
outcome (Project Management Institute)
○ Project Management Institute – It is an
organization which provides certification
to project managers.
○ Project Management Professional (PMP)
Certification
ELEINA BEA BERNARDO • MARIA BERNISE DIMZON
AUDIT PROJECT MANAGEMENT
- Application of project management in our audit
1. Plan the audit engagement
● Plan the audit
● Consider project-specific risk
○ Project-specific risk - it may pertain to
certain risks that are unique to the audit
engagement.
● Apply learnings from Module 4
○ Preparation of audit plan
2. Build the audit plan
● Chart out the necessary audit tasks across a
timeline, optimizing resource use
● Make a realistic estimates of the time
requirements for each task with proper
consideration given to the availability of the
auditee
- Ang gagawing audit plan dito ay engagement
audit plan which is being prepared before we
start the audit activity.
- Don't be confused between engagement audit
plan and annual risk-based plan.
- Annual risk-based plan - ginagamit to
prioritize yung audit engagements natin.
In building the audit plan, we need to
consider/answer the following questions:
● Who will be involved?
● What is the purpose of the audit?
● What is the duration of the audit?
● What audit procedures will be used?
3. Execute the plan
● Conducting onsite activities
● Gathering audit evidences
● Selecting audit samples
- This is the audit proper. Dito natin ginagawa
yung mga substantive testing and compliance
testing.
4. Monitor project activity
● Report actual progress against planned audit
steps to ensure challenges are managed
proactively and the scope is completed within
time and budget
○ Some internal audit departments prepare
the lead time or Gantt chart to monitor the
progress of the audit team.
○ Ex. they will alot 3 days for planning - for
the preparation of the planning materials
1
 Module 6: Audit Project Management
and scope memorandum, and then
another 2 days for the review of the audit
managers. Tapos depende sa type ng
audit, may certain number of Mondays (?)
for the audit proper. Lets say 10 days to
prepare the audit report.
○ Some monitoring tools have templates or
Excel files. Mayroong start date and date
finished to determine if every audit
activity is finished within the prescribed
timeline.
○ It is to determine the efficiency and
sometimes it serves as a tool for
performance evaluation of the auditor.
○ If nakita na medyo nag exceed sa
budgeted time and no acceptable
justification, baka pwede iyong gamitin sa
rating ng auditor.
○ Chief audit executive yung magrarate sa
mga auditor. In the case of the chief audit
executive, audit committee or the board.
GENERAL AUDIT PROCEDURES
1. Obtaining and recording and understanding
of the audit area/subject
2. Creating a risk assessment and general audit
plan and schedule
3. Performing detailed audit planning that
includes the necessary audit steps and a
breakdown of the work planned across an
anticipated timeline
4. Creating a risk assessment and general audit
plan and schedule
5. Doing a preliminary review of the audit
area/subject
6. Evaluating the audit area/subject
7. Verifying and evaluating the appropriateness
of controls designed to meet control
objectives
8. Conducting compliance testing
9. Conducting substantive testing
10. Reporting
11. Follow up - to ensure that directives are being
addressed or any corrective actions are being
taken by the management.
Green - Plan stages (Module 7)
ELEINA BEA BERNARDO • MARIA BERNISE DIMZON
AUDIT PHASES - PLANNING
1. Determine the audit subject
● Identify area to be audited (business
function, system, location)
● Sino yung i-aaudit natin? Anong department
and location?
2. Determine audit objective
● Identify purpose of audit
● Why are we auditing this unit or business
process? Usually, it is a motherhood statement
which usually involves review of the
effectiveness of internal controls and risk
management and governance of X process or
X department. This does not preclude you from
making more granular objectives.
3. Set audit scope
● Identify specific systems, function or unit of
the organization to be included in the review
● In audit scope, we also identify the duration of
the audit.
● Ano ba yung cut off date? Yung sineset na
date na hanggang dito na lang dapat yung
inaaudit natin.
● Usually, the coverage period is the last audit,
kung kailan huling inaudit yung unit or business
process up to the cutoff date
○ This means na tignan mo yung mga
transaction from the last audit up to the
cutoff date.
○ Yung mga transaction after the cutoff
date, pwede mo pa rin siyang tignan.
○ Lets say may findings ka, tapos sinabi nila
na na-correct na nila yon at gumawa na
sila ng necessary adjustments to correct
your findings. Of course, the subsequent
transaction is already beyond your cutoff.
But still, you still need to check it para
ma-ascertain mo na tama talaga yung
sinasabi ng management na naayos na
nila yung problem.
● We also need to identify kung ano yung mga
units na ichecheck mo, lalo na kung process
review. When we say process review,
ni-rereview natin yung process and may involve
different units or department. You need to
consider kasi kung mag-iistart ka ng audit,
hindi basta-basta na porket auditor ka is
pupunta ka na lang sa business unit.
2
 Module 6: Audit Project Management
● Usually, there's still a protocol of formality
before starting the audit. Mayroon tayong
tinatawag na letter of authority, usually
pirmado ito ng chief audit executive niyo.
Sinasabi rito na authorized ka to perform the
audit of a certain unit.
● If it is a process audit, maraming department
ang involved doon. Kapag ganon, gagawan mo
yon lahat ng different types of letter of
authority. So dapat we need to consider yung
mga ganoong factors—kung ano yung mga
kasamang department and units when
performing the audit.
● This step is very important because the IS
auditor will need to understand the IT
environment and its components to identify the
resources that will be required to conduct a
comprehensive evaluation. A clear scope will
help the IS auditor define a set of testing
points that is relevant to the audit and further
determine the technical skills and resources
necessary to evaluate different technologies
and their components
AUDIT OBJECTIVES
● (Step #2)
● It is almost parallel with the internal control or
control objectives.
● Specific goals that must be accomplished by
the audit
● Often focus on confirming that internal
controls exist to minimize business risk and
they function as expected
● Include assuring compliance with legal and
regulatory requirements as well as the
confidentiality, integrity, reliability and
availability of information and IT resources
○ Diba parang ito rin yung mga objectives
sa mga control objectives na diniscuss
natin in our previous module
● Audit management may give an IS auditor a
general control objective to review and
evaluate when performing an audit.
● A key element in planning an IS audit is to
translate basic and wide-ranging audit
objectives into specific IS audit objectives. For
example, in a financial/operational audit, a
control objective could be to ensure that
transactions are properly posted to the general
ledger accounts.
● However, in an IS audit, the objective could be
extended to ensure that editing features are in
place to detect errors in the coding of
transactions that may impact the
account-posting activities.
ELEINA BEA BERNARDO • MARIA BERNISE DIMZON
● An IS auditor must understand how general
audit objectives can be translated into specific
IS control objectives.
● Determination of audit objective is a critical
step in planning the audit
○ Dapat alam mo yung dapat mong gawin
kasi ito yung starting point mo which is
yung audit objective.
○ Dito manggagaling yung mga next na
gagawin mo - yung mga procedure and
other testing na pwede mong gawin.
● One of the primary purposes of an IS audit is
to identify control objectives and the related
controls that address the objective. For
example, an IS auditor’s initial review of an
information system should identify key controls.
It should then be determined whether to test
these controls for compliance.
● An IS auditor should identify both key general
and application controls after developing an
understanding and documenting the business
processes and the applications/functions that
support these processes and general support
systems. Based on that understanding, an IS
auditor should identify the key control points.
● Alternatively, an IS auditor may assist in
assessing the integrity of financial reporting
data, referred to as substantive testing,
through CAATs.
Examples of audit objectives (more granular):
● “To validate the integrity of information and
data stored in the database”
● “To assess the effectiveness of the access
control software”
● “To verify the integrity of the transactions by
determining that controls are in place to
detect and correct message loss due to
equipment failure”
● “To check if minimum requirements by laws
and regulations on business continuity plans
and disaster recovery program are being
complied with.”
● “To determine the readiness and resiliency of
network communications in the event of
business disruption”
- Yung mga keywords natin (yung nakabold na
words), more on assurance side sila, hindi natin
ginagamit sa audit objectives yung mga term
like implement, develop, generate, and
formulate kasi it is more on management’s
responsibility.
4. Perform pre-audit planning
● Conduct risk-assessment
3
 Module 6: Audit Project Management
○ conducting a risk assessment is a good
practice because the results can help the
IS audit team to justify the engagement
and further refine the scope and
preplanning focus.
○ Control risk, inherent risk, detection risk
● Interview the auditee to inquire about
activities or areas of concern that should be
included in the scope of the engagement
○ Does not necessarily mean na kung sinabi
talaga nila ay titignan natin. We might
consider the inputs of the management in
our audit.
● Identify regulatory compliance requirements
● Identify the resources that will be needed to
perform the audit work.
○ Technical skills and resources needed;
○ Budget and effort needed to complete
engagement;
○ Locations or facilities to be audited;
○ Roles and responsibilities of the audit
team;
○ Time frame for the various stages of the
audit;
○ Sources of information for test or review;
○ Points of contact for administrative and
logistic arrangement;
○ Communication plan that describes to
whom to communicate, when, how and
what purposes
■ More on staffing and logistics.
■ Audit activity should have a collective
expertise, hindi ibig-sabihin na isang
individual possess all the expertise.
■ Collective - as a team, all the
expertise ay mayroon kayo.
■ Depende the engagement. Pipiliin ng
audit manager or head or any
responsible audit officer tasked for
staffing to determine the qualified
individuals for the audit assignment.
■ Kasama rin ang logistics lalo na kung
yung assignment mo ay out of town.
Paano ba yung mode of
transportation? Bus/airplane/barko?
Alamin din yung rates ng
accommodation - yung mga hotels
kasi baka mamaya yung mga rates
ng hotel na pupuntahan niyo ay hindi
pasok sa rates na allowed ng
company.
■ Another one is the peace and order of
the place kasi baka mamaya ay
delikado yung lugar. It might be
infested by NPA or other
ELEINA BEA BERNARDO • MARIA BERNISE DIMZON
terrorists/may security issue. With
that, we can either defer the audit or
conduct it via other means such as
online or virtually.
■ Yung mga ganitong decision at naka
depende sa audit policies and
procedures.
■ Just like other business units, yung
audit department ay mayroon ding
sariling audit and procedures
especially for administrative matters.
SAMPLE DUTIES AND RESPONSIBILITIES
This may vary from one organization to another.
● Lead auditor - siya yung in-charge. More on
leadership. When you say quality control, siya
yung nagrereview ng mga ginagawa ng
auditor.
● Auditor - assisting auditors. Lahat ng mga
dirty works and testing ay siya ang gumagawa.
● Trainee - new hires, fresh grad or from other
departments na nalipat sa audit team. Halos
puro observe lang ang ginagawa para matuto.
● Tech expert - usually outsourced or yung may
mga special skills talaga. Depende sa auditor
kung mas better/more beneficial mag
outsource or mag hire.
5. Determine procedures
● Identify and obtain departmental policies,
standards and guidelines for review
○ Usually dapat readily available ito ng
business units na dapat i-audit talaga.
Kasi from here, it can serve as our metrics
in determining their compliance. Kung ano
yung policies and procedures nila, ayon
dapat yung expect natin na ginagawa nila.
● Identify any regulatory compliance
requirements
○ True especially for heavily regulated
industries ng government. Aside from
internal policies and procedure, mayroon
silang mga laws and regulations na dapat
din na i-comply.
4
 Module 6: Audit Project Management
● Identify a list of individuals to interview
○ One way of obtaining information is
magtanong sa mga individuals, expected
natin na alam nila yung mga ginagawa
nila. Kung magwawalkthrough
tayo/understanding of the business, we
can use this technique to interview the
auditee
● Identify methods (including tools) to perform
the evaluation
● Develop audit tools and methodology to test
and verify controls
● Develop test scripts
○ Test script - software testing. Set of
instructions that will be performed on the
system under test, to test whether the
system functions as expected.
● Identify criteria for evaluating the test
● Define a methodology to evaluate that the
test and its results are accurate
○ Yung mga maliliit na organization or bago
pa lang, usually dito pa lang sila gagawa
ng audit procedure upon understanding
the business, or first time i-aaudit yung
business unit or process
○ Matured audit departments has already
established audit procedures, especially
for routinary or same business model.
○ Ex: branches ng mga bank. Same lang na
procedures ang gagawin mo kahit anong
branch pa yan ay same lang naman yung
products, yung mga tao, and yung mga
ginagawa nila. Same procedures lang
yung gagawin mo kay Branch A and
Branch B.
○ This audit procedures are usually reviewed
annually or as earlier as warranted to
check if it is still applicable or could
capture or identify the existing or potential
business risk.
FACTORS THAT AFFECT AN AUDIT
● Organization strategic goals and objectives
○ The organization’s overall goal and
objectives should flow down from
individual departments and their support
of these goals and objectives. These goals
and objectives will translate into business
processes, technology to support business
processes, controls for both business
processes and technologies, and audit of
those controls.
● Market conditions
○ Changes in the product or service market
may have an impact on auditing.
ELEINA BEA BERNARDO • MARIA BERNISE DIMZON
○ For instance, in a product or service
markets where security is becoming more
important, market competitors could
decide to voluntarily undergo audits in
order to show that their products and
services are safer and better than the
competitors.
○ Other market players may need to follow
the suit for a competitive parity.
○ Changes in the supply or demand of
supply chain goods and services can also
affect the auditing.
● Changes in technology
○ Enhancements in technology that supports
business processes may affect business or
technical controls which in turn affect the
audit procedures for those controls
● Changes in regulatory requirements
○ Changes in technologies, markets, or
security related events can resort into new
or change regulation. Maintaining
compliance may require changes in the
audit program.
AUDIT PROGRAM
● Term used to describe the audit strategy and
audit plans that include scope, objectives,
resources, and procedures used to evaluate a
set of controls and deliver an audit opinion
○ The term program in the audit program is
intended to evoke a similar big picture,
point of view as term program manager
does.
○ The program manager is responsible for
the performance of several related
projects in an organization. Similarly in an
audit program, an audit program is the
plan for conducting several audits in an
organization.
● An IS auditor often evaluates IT functions and
systems from different perspectives, such as
security (confidentiality, integrity and
availability), quality (effectiveness, efficiency),
fiduciary (compliance, reliability), service and
capacity. The audit work program is the audit
strategy and plan—it identifies scope, audit
objectives and audit procedures to obtain
sufficient, relevant and reliable evidence to
draw and support audit conclusions and
opinions.
GENERAL AUDIT PROCEDURES IN THE
PERFORMANCE OF AN AUDIT
5
 Module 6: Audit Project Management
● Obtaining and recording an understanding of
the audit area/subject
● Creating a risk assessment and general audit
plan and schedule
● Performing detailed audit planning that
includes the necessary audit steps and a
breakdown of the work planned across an
anticipated timeline
● Doing a preliminary review of the audit
area/subject
● Evaluating the audit area/subject
● Verifying and evaluating the appropriateness
of controls designed to meet control objectives
● Conducting compliance testing (tests of the
implementation of controls and their consistent
application)
● Conducting substantive testing (confirming the
accuracy of information)
● Reporting (communicating results)
● Following up in cases where there is an internal
audit function
SKILLS NEEDED IN CREATING AN AUDIT
PROGRAM
● Good understanding of the nature of the
enterprise and its industry to identify and
categorize the types of risk and threat
● Good understanding of the IT space and its
components and sufficient knowledge of the
technologies that affect them
● Understanding of the relationship between
business risk and IT risk
● A basic knowledge of risk assessment
practices
● Understanding of the different testing
procedures for evaluating IS controls and
identifying the best method of evaluation
AUDIT WORK PAPER
● Ito yung deliverables natin for finals and
working paper for substantive and compliance
testing
● Documentation of the audit
● Record the information and the analyses
made during the audit process
● The format and media of work papers can
vary, depending on specific needs of the
department
○ Pwede pa ring hard copy or electronic,
depende sa policies and guidelines kung
paano siya i-maintain.
○ The retention of working papers - may
sinusunod din siya kung gaano katagal
ELEINA BEA BERNARDO • MARIA BERNISE DIMZON
ni-reretain yung working paper ng mga
auditors.
● IS auditors should particularly consider how to
maintain the integrity and protection of audit
test evidence in order to preserve its value as
substantiation in support of audit results.
● Work papers can be considered the bridge or
interface between the audit objectives and the
final report. Work papers should provide a
seamless transition—with traceability and
support for the work performed—from
objectives to report and from report to
objectives. In this context, the audit report can
be viewed as a particular work paper.
WHAT SHOULD BE DOCUMENTED
● Plans for the audit including the audit
program
● The examination and the evaluation of the
adequacy and effectiveness of the systems of
internal controls
○ Deliverables for finals
○ Kasama rin dito yung mga files na
hinihingi natin from our auditee such as
mga internal audit report nila, copy of a
certain transaction such as contracts and
documents that will support our audit
opinion.
● The audit procedures followed, the
information obtained, and the conclusions
reached
● The supervisory reviews
○ Yung nandoon sa table na responsibility of
the audit team. Ito yung usually na
ginagawa ng mga team leader -
ni-rereview yung mga audit reports na
ginagawa ng mga auditors nila
● The audit reports
○ Yung iba ay sinasama yung mga original
nila, yung wala pang revisions, kasi kapag
nagpasa ka ng audit reports usually
mayroong revisions yon habang
ni-rereview ng mga audit managers or
audit executives.
○ Usually yung finifile nila is yung pinaka
original draft para makita yung original
bago nabago and of course the final
version of the report.
● The follow up of corrective actions
○ Masasabi nila na maganda yung working
papers mo kung kaya niyang i-defend or
i-support yung conclusions or audit
findings mo.
○ Ibig-sabihin, kahit sinong auditor ang
tumingin doon sa working paper mo, same
6
 Module 6: Audit Project Management
ang conclusion na ma-rereach niyo. Kung
sinabing hindi acceptable, kapag tinignan
ng ibang auditor yung working paper mo,
masasabi rin nila na hindi acceptable.
○ Kaya sa planning, we check the previous
working papers to have an understanding
of the business units, in the assumption na
maganda yung pagkaka-document ng
mga working papers on the previous
exam.
FRAUD IRREGULARITIES AND ILLEGAL ACTS
● Management is primarily responsible for
establishing, implementing and maintaining
an internal control system that leads to the
deterrence and/or timely detection of fraud
○ It is the management’s responsibility to
prevent and detect fraud, NOT auditor.
Hindi trabaho ni auditor ang maghanap
ng fraud unless you are doing a fraud
audit.
● Internal controls may fail where such controls
are circumvented by exploiting vulnerabilities
or through management perpetrated
weakness in controls or collusion among
people
○ Nadiscuss na natin ito doon sa modules
natin regarding internal controls.
○ May limitations ang internal controls kaya
reasonable assurance lang din ang kaya
niyang ibigay because of the collusion na
pwedeng gawin ng mga people involved in
the internal control.
○ Kasama rin dito yung mga falsification of
documents. As auditors, hindi naman
talaga natin expertise para makita talaga
na hindi legit yung mga documents lalo na
kung maganda talaga yung pagkaka fake
niya. Pero kahit papaano ay dapat
mayroon din tayong idea/professional
skepticism na baka fake yung documents
kasi pwede namang makita sa original
document na baka parang iba yung itsura
niya or forged yung signature. May mga
indication kasi kapag finoforge yung
signature
○ Kapag pipirma ka, spontaneous yon,
dire-diretso ka lang. Kapag nakita mo na
medyo may hesitation doon sa pirma,
parang trinace lang or kapag may pen
leaf, nagbblot yung ballpen kapag sinulat
mo ulit.
○ Usually pagpumipirma ka, dapat
dere-derecho.
ELEINA BEA BERNARDO • MARIA BERNISE DIMZON
● The presence of internal controls does not
altogether eliminate fraud. IS auditors should
observe and exercise due professional care in
all aspects of their work and be alert to the
possible opportunities that allow fraud to
materialize.
● IS auditors should consider the risk of
irregularities and illegal acts during the
engagement
○ While it is not our responsibility to detect
fraud during our audits, we should have an
understanding of fraud indicators or so
called red flags during the audit. It maybe
a game changer kapag nakakita ka ng
illegal acts or frauds.
○ Pwede kasi yung normal audit mo is
maging fraud audit na siya bigla depende
kung ano yung impact or extent ng fraud
na makikita mo during your audit.
● IS should be aware of the possibility and
means of perpetrating fraud, especially by
exploiting the vulnerabilities and overriding
controls in the IT-enabled environment
● IS should have knowledge of fraud and fraud
indicators and be alert to the possibility of
fraud and errors while performing an audit
● IS auditor may come across instances or
indicators of fraud. After careful evaluation,
an IS auditor may communicate the need for
a detailed investigation to appropriate
authorities
● In the case of the IS auditor identifying a
major fraud or if the risk associated with the
detection is high, audit management should
also consider communicating in a timely
manner to the audit committee
○ Yung communication sa appropriate
authority is dun dapat muna tayo sa audit
management muna (sa mga officer). Kung
ikaw auditor ay hindi ka naman agad
dumidiretso kay audit committee.
● Regarding fraud prevention, an IS auditor
should be aware of potential legal requirements
concerning the implementation of specific
fraud detection procedures and reporting fraud
to appropriate authorities.
7