Unit 7: Completing the IT Audit
Gabriel. Nacachi. Verde.

THE IT AUDIT LIFE CYCLE
1. Planning
2. Risk Assessment
3. Prepare Audit Program
4. Gather Evidence
5. Form Conclusions
6. Deliver Audit Opinion
7. Follow Up
Planning

Materiality: the benchmark by which the auditor gauges the importance of exceptions.

Criteria for materiality:
1. A control is material if its absence prevents control objectives from being met.
Materiality criteria by type of transaction (ISACA Guideline Reference: 050.010.010):
- Financial transactions: value of the assets controlled by the system.
- Nonfinancial transactions: cost of the system; criticality.

Outsourcing: understand the nature, scope and timing of such services by reviewing the existing service agreements.
Risk Assessment

Audit Program
Gathering Evidence

Types of evidence:
- Representations (client-provided flowcharts, written policies and procedures)
- Analysis (CAATs procedures run on client-provided data files)

Sampling: application of audit procedures to less than 100% of the population to enable the [IT] auditor to evaluate audit evidence. (Reference: ISACA Guideline 060.020.040)
Sampling approaches:
- Attribute sampling: used by most IT auditors; testing internal controls around ...
- Variable sampling: used in financial statement audits; substantive testing of the population.
Forming Conclusions

Reportable conditions: management should have reconciled and discharged these problems.

Deliver Audit Opinion

Follow Up
ATTESTATION

Procedures:
- SysTrust engagements: evaluate the reliability of the client's business information system (availability, security, integrity, and maintainability).
- Financial projections: performed in conjunction with seeking loans or issuing stock. IT auditors are less involved in this type of attest service; they are involved only to the extent the auditor needs to use special software to perform the projections.
- Compliance reviews: verifying compliance with business regulations (e.g. Occupational Safety and Health Administration, Food and Drug Administration, Environmental Protection Agency).
FINDINGS AND RECOMMENDATIONS

Difference between attestation and findings and recommendations:

Findings and recommendations (often referred to as consulting):
- The client states in general terms what he wants done, but specific line items are not agreed to by the auditor and client.
- A written report is not required in a consulting engagement.

Attestation:
- The client specifically agrees to the procedures to be applied.
- A written report is required for an attestation engagement.
Attest engagement vs. consulting engagement:
- Written report providing assurance: attest engagement, yes; consulting engagement, no.
- Representation letter: attest engagement, not required on every attest engagement but often used; consulting engagement, no.
- Written ...: attest engagement, required; consulting engagement, no.
SAS 70 AUDIT

Type I SAS 70 audit contents:
1.
2.
3.

Type II SAS 70 audit contents:
4.
b.
5.
6.
7.
SAS 94 AUDIT

SAS 94 requirements

SAS 94 audit steps (Sayana, 2002):
1.
2.
3.
4.
5.
6.
Areas reviewed: processing; output; access control and authorization; error handling; system log procedures.

Checks: range check; validity check; completeness check.

Processing controls:
- Run-to-run totals
- Operator recalculation
- Limit checks on fields calculated during processing
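The checks and processing controls listed above, shown as an added example (not code from the slides or from the authors): a constructed batch of timesheet records passes through completeness, validity and range checks at input, then a run-to-run total on hours and a limit check on the computed pay field during processing. The valid-department table, hours range and pay limit are assumed values.

```python
from decimal import Decimal

VALID_DEPTS = {"ENG", "FIN", "OPS"}          # assumed validity table
HOURS_RANGE = (Decimal("0"), Decimal("80"))  # assumed weekly hours range
PAY_LIMIT = Decimal("10000")                 # assumed limit on computed pay
REQUIRED = ("id", "dept", "hours", "rate")

# Constructed sample batch: record 3 lacks a department, record 4 has
# out-of-range hours, record 5 produces pay above the limit.
BATCH = [
    {"id": 1, "dept": "ENG", "hours": Decimal("40"), "rate": Decimal("50")},
    {"id": 2, "dept": "FIN", "hours": Decimal("38"), "rate": Decimal("45")},
    {"id": 3, "dept": "",    "hours": Decimal("40"), "rate": Decimal("60")},
    {"id": 4, "dept": "OPS", "hours": Decimal("95"), "rate": Decimal("40")},
    {"id": 5, "dept": "ENG", "hours": Decimal("80"), "rate": Decimal("200")},
]


def input_controls(batch):
    """Completeness, validity and range checks; returns (accepted, exceptions)."""
    accepted, exceptions = [], []
    for rec in batch:
        # Completeness: every required field present and non-empty.
        if any(rec.get(f) in (None, "") for f in REQUIRED):
            exceptions.append((rec["id"], "completeness"))
            continue
        # Validity: department must exist in the reference table.
        if rec["dept"] not in VALID_DEPTS:
            exceptions.append((rec["id"], "validity"))
            continue
        # Range: hours must fall inside the permitted interval.
        lo, hi = HOURS_RANGE
        if not lo <= rec["hours"] <= hi:
            exceptions.append((rec["id"], "range"))
            continue
        accepted.append(rec)
    return accepted, exceptions


def processing_controls(accepted):
    """Run-to-run total on hours plus a limit check on the computed pay field."""
    control_total = sum(r["hours"] for r in accepted)  # total fixed at input
    processed, exceptions = [], []
    for rec in accepted:
        pay = rec["hours"] * rec["rate"]
        if pay > PAY_LIMIT:  # limit check on a field calculated during processing
            exceptions.append((rec["id"], "limit"))
        processed.append({**rec, "pay": pay})
    run_total = sum(r["hours"] for r in processed)  # recomputed after the run
    if run_total != control_total:  # run-to-run total must carry through unchanged
        exceptions.append(("batch", "run-to-run total mismatch"))
    return processed, exceptions
```

Records rejected at input never reach processing, so the run-to-run total is taken over the accepted set only; a mismatch there points at records dropped or altered between runs rather than at bad input.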
USING COBIT TO PERFORM AN AUDIT

CobiT's framework (Reference: ISACA):
1. Perform a risk assessment to determine the appropriate high-level control objectives.
2. Describe the exposures that may result from failure to achieve each identified control objective.
3. Select the appropriate detailed control objectives.