Module 6: Audit Project Management
MODULE 6
● Usually, there is still a protocol of formality before starting the audit. We have what is called a letter of authority, usually signed by your chief audit executive. It states that you are authorized to perform the audit of a certain unit.
● If it is a process audit, many departments are involved. In that case, you prepare the different types of letter of authority for all of them. So we need to consider those factors (which departments and units are included) when performing the audit.
● This step is very important because the IS auditor will need to understand the IT environment and its components to identify the resources that will be required to conduct a comprehensive evaluation. A clear scope will help the IS auditor define a set of testing points that is relevant to the audit and further determine the technical skills and resources necessary to evaluate different technologies and their components.

AUDIT OBJECTIVES
● (Step #2)
● It is almost parallel with the internal control objectives.
● Specific goals that must be accomplished by the audit
● Often focus on confirming that internal controls exist to minimize business risk and they function as expected
● Include assuring compliance with legal and regulatory requirements as well as the confidentiality, integrity, reliability and availability of information and IT resources
○ Aren't these much like the objectives in the control objectives that we discussed in our previous module?
● Audit management may give an IS auditor a general control objective to review and evaluate when performing an audit.
● A key element in planning an IS audit is to translate basic and wide-ranging audit objectives into specific IS audit objectives. For example, in a financial/operational audit, a control objective could be to ensure that transactions are properly posted to the general ledger accounts.
● However, in an IS audit, the objective could be extended to ensure that editing features are in place to detect errors in the coding of transactions that may impact the account-posting activities.
● An IS auditor must understand how general audit objectives can be translated into specific IS control objectives.
● Determination of audit objective is a critical step in planning the audit
○ You need to know what you have to do, because the audit objective is your starting point.
○ Your next steps come from it: the procedures and other testing that you can perform.
● One of the primary purposes of an IS audit is to identify control objectives and the related controls that address the objective. For example, an IS auditor’s initial review of an information system should identify key controls. It should then be determined whether to test these controls for compliance.
● An IS auditor should identify both key general and application controls after developing an understanding and documenting the business processes and the applications/functions that support these processes and general support systems. Based on that understanding, an IS auditor should identify the key control points.
● Alternatively, an IS auditor may assist in assessing the integrity of financial reporting or data, referred to as substantive testing, through CAATs.

Examples of audit objectives (more granular):
● “To validate the integrity of information and data stored in the database”
● “To assess the effectiveness of the access control software”
● “To verify the integrity of the transactions by determining that controls are in place to detect and correct message loss due to equipment failure”
● “To check if minimum requirements by laws and regulations on business continuity plans and disaster recovery program are being complied with.”
● “To determine the readiness and resiliency of network communications in the event of business disruption”
- Our keywords (the words in bold) are more on the assurance side. We do not use terms like implement, develop, generate, and formulate in audit objectives, because those are more management’s responsibility.

4. Perform pre-audit planning
● Conduct risk assessment
… the conclusion that you will reach. If it was said to be not acceptable, then when another auditor looks at your working paper, they will also be able to say that it is not acceptable.
○ That is why, in planning, we check the previous working papers to have an understanding of the business units, on the assumption that the working papers from the previous exam were well documented.

FRAUD, IRREGULARITIES AND ILLEGAL ACTS
● Management is primarily responsible for establishing, implementing and maintaining an internal control system that leads to the deterrence and/or timely detection of fraud
○ It is management’s responsibility to prevent and detect fraud, NOT the auditor’s. It is not the auditor’s job to look for fraud unless you are doing a fraud audit.
● Internal controls may fail where such controls are circumvented by exploiting vulnerabilities or through management-perpetrated weakness in controls or collusion among people
○ We already discussed this in our modules regarding internal controls.
○ Internal controls have limitations, so they can give only reasonable assurance, because of the collusion that the people involved in the internal control can commit.
○ This also includes falsification of documents. As auditors, it is not really our expertise to tell that documents are not legitimate, especially when they are faked well. Still, we should have some idea, or professional skepticism, that the documents might be fake, because you may see from the original document that it looks somewhat different or that the signature is forged. There are indications when a signature is being forged.
○ When you sign, it is spontaneous; you write in one continuous motion. If you see some hesitation in the signature, as if it was only traced, or if there is a pen lift, the ballpen blots when you write again.
○ Usually, when you sign, it should be continuous.
● The presence of internal controls does not altogether eliminate fraud. IS auditors should observe and exercise due professional care in all aspects of their work and be alert to the possible opportunities that allow fraud to materialize.
● IS auditors should consider the risk of irregularities and illegal acts during the engagement
○ While it is not our responsibility to detect fraud during our audits, we should have an understanding of fraud indicators, or so-called red flags, during the audit. It may be a game changer when you find illegal acts or fraud.
○ Your normal audit can suddenly become a fraud audit, depending on the impact or extent of the fraud that you find during your audit.
● IS auditors should be aware of the possibility and means of perpetrating fraud, especially by exploiting the vulnerabilities and overriding controls in the IT-enabled environment
● IS auditors should have knowledge of fraud and fraud indicators and be alert to the possibility of fraud and errors while performing an audit
● An IS auditor may come across instances or indicators of fraud. After careful evaluation, an IS auditor may communicate the need for a detailed investigation to appropriate authorities
● In the case of the IS auditor identifying a major fraud or if the risk associated with the detection is high, audit management should also consider communicating in a timely manner to the audit committee
○ Communication to the appropriate authority should go first to audit management (the officers). As an auditor, you do not go straight to the audit committee.
● Regarding fraud prevention, an IS auditor should be aware of potential legal requirements concerning the implementation of specific fraud detection procedures and reporting fraud to appropriate authorities.