
COMPLETING THE IT AUDIT
Gabriel. Nacachi. Verde.

I. IT Audit Life Cycle
II. Four Main Types of IT Audits
III. Using COBIT to Perform an Audit

THE IT AUDIT LIFE CYCLE

IT Audit Life Cycle (cycle diagram): Planning, Risk Assessment, Prepare Audit Program, Gather Evidence, Form Conclusions, Deliver Audit Opinion, Follow Up

Planning

Scope and Control Objectives
Scope - nature and extent of audit testing
Control Objectives - support for the scope of the audit
Preliminary assessment of control
Understanding of the organization

Reference: ISACA Guideline 010.010.020

Planning

Identify the extent to which the client relies on outsourcing
Develop the audit program
Develop the audit plan
Documentation of audit workpapers with audit plan and audit program

Reference: ISACA Guideline 010.010.020

Planning

Materiality
Benchmark by which the auditor gauges the importance of exceptions
Criteria for Materiality
1. A control is material if its absence prevents control objectives from being met

Planning

Criteria for Materiality (by type of information system)
Financial Transactions: Value of the assets controlled by the system
Nonfinancial Transactions: Cost of the system; Criticality

Reference: ISACA Guideline 050.010.010

Planning

Outsourcing
Understand the nature, scope and timing of such services by reviewing the existing service agreements.
Third Party has had SAS 70 audit performed
Copy of Audit Opinion
Unqualified Opinion
Add the opinion to the audit working papers

Reference: ISACA Guideline 010.010.020

Risk Assessment

1. Determine what the critical support processes are for a given audit process: what can go wrong?
2. Identify the controls that should be in place to safeguard the integrity of the process under audit: what can possibly go wrong within those support processes?

Risk Assessment

Understanding of the client, the industry and environment in which the client operates, and the nature of the client's business processes
Materiality

Audit Program

No standard audit program
Generic audit program:
The audit scope;
The audit objectives;
The audit procedures; and
Administrative details such as planning and reporting

Gathering Evidence

Purpose of field work: gather sufficient, reliable, relevant and useful evidence to achieve the audit objectives effectively
Heart of the audit: basis for audit opinion
Several Types of Evidence
Observed processes and existence of physical items (computer operations or data backup procedures)

Reference: ISACA Guideline 060.020.030

Gathering Evidence

Several Types of Evidence
Documentary evidence (program change logs, system access logs)
Representations (client-provided flowcharts, written policies and procedures)
Analysis (CAATs procedures run on client-provided data files)

Reference: ISACA Guideline 060.020.030

Gathering Evidence

If sufficient evidence cannot be obtained:
request it from the client; or
consider materiality and the effect on the scope of the audit
Not all evidence is created equal: discern the quality or reliability of the evidence collected

Gathering Evidence

Sampling
Application of audit procedures to less than 100% of the population to enable the [IT] Auditor to evaluate audit evidence

Reference: ISACA Guideline 060.020.040

Gathering Evidence

Sampling
Attribute Sampling - most IT auditors testing internal controls around
Variable Sampling - financial statement audits, substantive testing of population

Forming Conclusions

Audit objectives are met
Sufficiency of audit procedures performed in arriving at an overall audit opinion

Forming Conclusions

Reportable conditions (situations that come to the attention of the auditor that represent a substantial control weakness)
Compiled in Management Letter
Discussed with the audit committee and client management in the exit interview

Reportable conditions
Management should have reconciled and discharged these problems
If not, the auditor may need to qualify the opinion.

Deliver Audit Opinion

General Items Included in the Audit Report
The name of the organization audited;
A title, signature, and date;
A statement of the objectives of the audit and whether the audit met these objectives;
The scope of the audit, including the functional audit area, the audit period covered and the information systems, applications or processing environments audited;
Acknowledgement of scope limitation where the auditor could not perform audit work adequately to achieve a particular audit objective;
The intended audience for the report;
The standards and criteria under which the auditor performed the audit work;
A detailed explanation of all significant findings;
A conclusion on the areas the audit evaluated, including any significant reservations or qualifications;
Suggestions for corrective action or improvement;
Significant subsequent events occurring after the fieldwork for the audit was completed.

Follow Up

Final stage of the audit
Follow up with the client on any reportable conditions or deficiencies the audit uncovered during the course of the audit
Deficiencies that take significantly longer time to reconcile: in the exit interview, auditor and client will agree on the extent and timing of follow-up procedures
Auditor may schedule additional audit procedures to satisfy all parties that management has corrected a material control weakness

FOUR MAIN TYPES OF IT AUDIT

Attestation
Findings and Recommendations
SAS 70
SAS 94

ATTESTATION

The auditor provides assurance on something for which the client is responsible.
For example, the auditor performs an examination, review, or agreed-upon procedure and provides a written report called Report to Management regarding the assertion provided by the client, in the form of a representation letter, that the internal control structure of the company is effective using the standards of COSO.

ATTESTATION

Attestation guidance is provided by the Auditing Standards Board (ASB)'s Statement on Standards for Attestation Engagements (SSAE) No. 10.
According to SSAE No. 10, the criteria or standards against which the auditor performs the attestation must be suitable and available to users of the attestation report. Example: COSO
If not specifically listed, a criterion will be deemed to be suitable if it is objective, measurable, complete, and

ATTESTATION Procedures:

Data analytics review
Uses software (ACL) to check FS numbers
Involves ratio analysis, recalculations, verifying, and summarizing
Commission agreement reviews
Agreed-upon procedure
To verify that a client's commission agreement is being properly accounted for
WebTrust engagements
To evaluate a company's Web site according to AICPA/CICA standards and evaluate transaction integrity

ATTESTATION Procedures:

SysTrust engagements
Evaluate the reliability of the client's business information system (availability, security, integrity, and maintainability)
Financial projections
This is performed in conjunction with seeking loans or issuing stock
IT auditors are less involved in this type of attest service
Involved only to the extent the auditor needs to use special software to perform the projections

ATTESTATION Procedures:

Compliance reviews
Verifying compliance with business regulations (ex. Occupational Safety and Health Administration, Food and Drug Administration, Environmental Protection Agency)
Only involves IT auditors to the extent they are needed to access the technology used by the client company, such as a PIN encryption security review.

FINDINGS AND RECOMMENDATIONS

Includes most reviews that would be considered consulting or advisory services.
Examples: systems implementations including enterprise resource planning (ERP) implementations; security reviews; database application reviews; IT infrastructure and improvements needed engagement; project management; and IT internal audit services.

FINDINGS AND RECOMMENDATIONS

Does not produce an opinion but rather a summary of the work performed in connection with the engagement.
IT auditors are often used on these types of engagements due to the complexity of the project undertaken.
For example, an ERP implementation will require knowledge of specific hardware and software requirements.
To the extent IT auditors can provide the needed technical expertise, they are the logical choice to staff such engagements.

Difference between Attestation vs Findings and Recommendations

Findings and Recommendations
Often referred to as Consulting
Client states in general terms what he wants done, but specific line items are not agreed to by the auditor and client.
Written report is not required in a consulting engagement.

Attestation
Client specifically agrees to the procedures to be applied.
Written report is required for an attestation engagement.

Difference between Attestation vs Findings and Recommendations

                                     Attest Engagement                                          Consulting Engagement
Written report providing assurance   Yes                                                        No
Representation letter                Not required on every attest engagement, but often used    No
Written                              Required                                                   No

SAS 70 Audit

Applicable to service providers to ensure adequate internal controls on services provided.
Primary users:
Management
Customers
Independent auditors of the users of the service provider

SAS 70 Audit

Only covers controls around the service provided and not the entire internal control structure
Applicable to:
Application service providers
Banks
Claims processing centers
Internet service providers
Data processing bureaus

Type I SAS 70 Audit

Describes internal control but does not perform detailed testing of controls
Auditor validates understanding of the controls
Unqualified opinion: Effective, but not tested beyond a walkthrough

Type I SAS 70 Audit Contents

1. A description of the service organization's process for which the internal controls are being evaluated;
2. A description of the scope, nature, and timing of the audit procedures performed;
3. A statement of purpose of the engagement and opinion as to whether:
a. The service organization has presented fairly, in all material respects, the internal control policies and procedures relevant to their internal control structure, and the process or service for which the audit is being conducted;
b. The internal control policies and procedures were operational on a specific date;
c. Those internal control policies were adequately designed to meet specific control objectives;
4. A disclaimer of opinion as to operating effectiveness;
5. Statement of the risk of projecting to future periods the current findings on internal controls;
6. A statement restricting the use of the report to the

Type II SAS 70 Audit

Controls are reviewed and tested over a minimum of six months, with an industry standard of 12 months
Unqualified opinion: Effective and tested beyond a walkthrough
Reduces external auditors' substantive testing when auditing customers of the service organization

Type II SAS 70 Audit Contents

1. A description of the service organization's process for which the internal controls are being evaluated;
2. A description of the scope, nature, and timing of the audit procedures performed, including a description of all tests of controls and operating effectiveness performed;
3. A statement of the time period covered by the independent auditor's report (must be a minimum of 6 months);
4. A statement of purpose of the engagement and opinion as to whether:
a. The service organization has presented fairly, in all material respects, the internal control policies and procedures relevant to their internal control structure, and the process or service for which the audit is being conducted;
b. Those internal control policies were operating with sufficient effectiveness to provide reasonable assurance that the company's control objectives were achieved during the period specified.
5. Statement of the risk of projecting to future periods the current findings on internal controls;
6. A statement restricting the use of the report to the appropriate parties (ordinarily the company, its clients and the auditors of its clients);
7. A statement that no work was performed at individual user organizations.

SAS 94 Audit

The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit
Addresses the auditor's responsibility to fully understand the client's technology as part of gaining an understanding about the client's internal controls in the conduct of a financial statement audit.
Assesses the need for an IT auditor's expertise

SAS 94 Requirements

1. Consider how IT affects internal control, evidential matter, and control risk assessment
2. Understand how transactions are initiated, entered, and processed through the client's information system
3. Understand how recurring and nonrecurring journal entries are initiated, entered, and processed through the company's information system

SAS 94 Audit Steps (Sayana, 2002)

1. Physical and environmental review
2. Systems administration review
3. Application software review
4. Network security review
5. Business continuity review
6. Data integrity review

SAS 94 Audit Steps (Sayana, 2002)

1. Physical and environmental review
Concerned with the physical security of the data center itself
Is the room properly ventilated and cooled?
Is the system supported by an uninterruptible power supply?

SAS 94 Audit Steps (Sayana, 2002)

2. Systems administration review
Review of operating systems, database management systems, and compliance with system administration procedures.
Evaluates passwords and root password access

SAS 94 Audit Steps (Sayana, 2002)

3. Application software review
Focuses on the validation of:
Data inputs
Processing
Output
Access control and authorization
Error handling
System log procedures

SAS 94 Audit Steps (Sayana, 2002)

3. Application software review
Data Validation Checks
Limit check
Range check
Validity check
Completeness check
Processing Controls
Run-to-run Totals
Operator recalculation
Limit checks on fields calculated during processing

SAS 94 Audit Steps (Sayana, 2002)

3. Application software review
Output controls
Proper distribution and disposal of sensitive reports
Error handling
Systematic process to identify and deal with errors
Examine error log
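The application software review above lists the four data validation checks, run-to-run totals and the error log an auditor examines. As an added example (not from the deck), this script applies those controls to a constructed batch of payroll records; the batch, the department list and the thresholds are assumptions chosen so that each check rejects exactly one record.

```python
# Added example (not from the deck). BATCH, VALID_DEPTS and the thresholds are constructed assumptions.
MAX_HOURS = 80                      # limit check: no single record may exceed this many hours
RATE_RANGE = (10.0, 200.0)          # range check: acceptable hourly rate, inclusive
VALID_DEPTS = {"OPS", "FIN", "HR"}  # validity check: department codes the system recognises
REQUIRED = ("id", "emp", "hours", "rate", "dept")  # completeness check: fields that must be present

# Constructed sample batch: one clean record and one record per failing check.
BATCH = [
    {"id": "T001", "emp": "E100", "hours": 40, "rate": 25.0, "dept": "OPS"},
    {"id": "T002", "emp": "E101", "hours": 95, "rate": 25.0, "dept": "OPS"},   # hours over limit
    {"id": "T003", "emp": "E102", "hours": 38, "rate": 3.0,  "dept": "FIN"},   # rate out of range
    {"id": "T004", "emp": "E103", "hours": 40, "rate": 30.0, "dept": "XYZ"},   # unknown department
    {"id": "T005", "emp": "",     "hours": 40, "rate": 30.0, "dept": "FIN"},   # employee missing
]

def validate(rec):
    """Run the four data validation checks; return a list of (check, message) exceptions."""
    errs = [("completeness", f"{rec.get('id', '?')}: missing {f}")
            for f in REQUIRED if rec.get(f) in (None, "")]
    if errs:
        return errs  # an incomplete record is rejected before the other checks run
    if rec["hours"] > MAX_HOURS:
        errs.append(("limit", f"{rec['id']}: hours {rec['hours']} exceed {MAX_HOURS}"))
    lo, hi = RATE_RANGE
    if not lo <= rec["rate"] <= hi:
        errs.append(("range", f"{rec['id']}: rate {rec['rate']} outside {lo}-{hi}"))
    if rec["dept"] not in VALID_DEPTS:
        errs.append(("validity", f"{rec['id']}: unknown dept {rec['dept']}"))
    return errs

def process_batch(batch, control_total):
    """Validate every record, keep an error log, and apply a run-to-run total check: the gross
    pay recomputed from accepted records must equal the control total carried from the prior run."""
    accepted, error_log = [], []
    for rec in batch:
        errs = validate(rec)
        if errs:
            error_log.extend(errs)   # what the auditor examines under error handling
        else:
            accepted.append(rec)
    recomputed = round(sum(r["hours"] * r["rate"] for r in accepted), 2)
    return {
        "accepted": [r["id"] for r in accepted],
        "error_log": error_log,
        "recomputed_total": recomputed,
        "run_to_run_ok": recomputed == control_total,
    }

if __name__ == "__main__":
    print(process_batch(BATCH, control_total=1000.0))
```

With the sample batch only T001 is accepted, the error log holds one entry per check, and the run-to-run check passes only when the carried-forward control total is 1000.0.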

SAS 94 Audit Steps (Sayana, 2002)

4. Network security review
Focuses on verification and validation of control procedures in the information system network, including:
Firewalls
Router access controls
Intrusion detection systems
Incident response plans
Port scanning
Penetration testing
Virus/worm protection
The auditor will evaluate the existence of and test the material controls

SAS 94 Audit Steps (Sayana, 2002)

5. Business continuity review
Focuses on the IT auditor testing whether the information system can continue to function even if an event disrupts normal business operations
Backup procedures, disaster recovery plans, fault tolerant systems
Tests to be done unannounced, periodically
IT auditor should investigate the existence of business interruption insurance

SAS 94 Audit Steps (Sayana, 2002)

6. Data integrity review
IT auditor verifies and validates the client's data using computer assisted audit tools and techniques (CAATTS) such as ACL to perform recalculations and other analytics as needed

USING COBIT TO PERFORM AN AUDIT

CobiT is intended to bridge several technical and internal control models designed to be used by several parties.
CobiT framework - Six Interrelated Components:
Executive summary;
Framework;
Control objectives;
Management guidelines;
Implementation toolset; and
Audit guidelines - not freely available

Using COBIT to Develop an Audit Program
CobiT's Framework (Reference: ISACA)

Perform risk assessment to determine appropriate high level control objectives
Describe the exposures that may result from failure to achieve each identified control objective
Select appropriate detailed control objectives
Using COBIT's Audit guidelines, enumerate the audit procedures to be performed.
