Chapter Nine: Conducting the IT Audit
Audit Standards
– AICPA: Statements on Auditing Standards (SASs)
– ISACA: IS Audit Standards, Guidelines, and Procedures
– AICPA: Statements on Standards for Attestation Engagements (SSAEs)
– IFAC: International Standards on Auditing (ISAs)
– ISACA: CobiT
The IT Audit Lifecycle
– Planning
– Risk assessment
– Prepare the audit program
– Gather evidence
– Form conclusions
– Deliver the audit opinion
– Follow up
Planning
– Scope and control objectives
– Materiality
– Outsourcing (which IT functions are provided by third parties, and who audits them)
– Gain an understanding of the client, the client's industry, and its business risks
Risk Assessment
– The profession has shifted to a risk-based audit approach
– Ask "what can go wrong" for each process and system in scope
– High-risk areas require more audit effort; low-risk areas receive less
– Materiality matters: a deviation is only a finding if its potential impact is material
The Audit Program
Includes:
– Scope
– Audit objectives
– Audit procedures
– Administrative details such as planning and reporting
Generic audit programs are customized for the client and the client's technology.
Gathering Evidence
Evidence includes:
– Observations
– Documentary evidence
– Flowcharts, narratives, written policies
– CAATs (computer-assisted audit techniques) procedures
Sampling:
– Attribute sampling is the technique used by IT auditors for tests of controls: it estimates the rate at which a control failed to operate (for example, the fraction of change tickets with no documented approval) from a sample, and the sample size is set by the expected deviation rate, the tolerable deviation rate, and the required confidence level
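Attribute sampling, as an added example that is not part of the original slides: the code below computes the sample size for a test of controls from the expected deviation rate, the tolerable deviation rate and the confidence level, then evaluates a constructed sample of change tickets checked for a documented approval. The binomial calculation reproduces the standard AICPA attribute-sampling table values (for example 59 items at 95% confidence with 5% tolerable and 0% expected deviation). The ticket list, the `approved` field and the `CHG-` identifiers are constructed for this example and do not come from the slides.

```python
# Added example of attribute sampling for an IT test of controls.
# Not code from the original slides; the ticket data below is constructed.
from math import comb, ceil


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p): probability of seeing at most k
    deviations in a sample of n when the population deviation rate is p."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_deviation_limit(n: int, k: int, confidence: float = 0.95) -> float:
    """Smallest population deviation rate p at which observing <= k deviations
    in a sample of n has probability no greater than (1 - confidence).
    P(X <= k) falls monotonically as p rises, so bisection finds it."""
    if k >= n:
        return 1.0
    lo, hi = 0.0, 1.0
    for _ in range(60):  # 2**-60 resolution, far below float noise
        mid = (lo + hi) / 2
        if binom_cdf(k, n, mid) > 1 - confidence:
            lo = mid  # too many deviations still plausible at this rate
        else:
            hi = mid
    return hi


def sample_size(expected_rate: float, tolerable_rate: float,
                confidence: float = 0.95, max_n: int = 5000) -> int:
    """Smallest sample size such that, if the sample contains exactly the
    expected number of deviations, the upper deviation limit still does not
    exceed the tolerable rate. Matches the AICPA attribute-sampling tables."""
    if not 0 <= expected_rate < tolerable_rate <= 1:
        raise ValueError("need 0 <= expected_rate < tolerable_rate <= 1")
    for n in range(1, max_n + 1):
        # deviations the auditor expects to find; round() guards against
        # float artefacts such as 0.05 * 100 == 5.000000000000001
        k = ceil(round(expected_rate * n, 9))
        if upper_deviation_limit(n, k, confidence) <= tolerable_rate:
            return n
    raise ValueError("no sample size up to max_n satisfies the parameters")


def evaluate_sample(n: int, deviations: int, tolerable_rate: float,
                    confidence: float = 0.95) -> dict:
    """Decide whether the sample supports reliance on the control."""
    limit = upper_deviation_limit(n, deviations, confidence)
    return {
        "sample_size": n,
        "deviations": deviations,
        "upper_limit": limit,
        "supported": limit <= tolerable_rate,
    }


# Constructed population: 59 change tickets, one of which (CHG-0037) has no
# documented approval. The identifiers and the approval flag are assumptions.
TICKETS = [{"id": f"CHG-{i:04d}", "approved": i != 37} for i in range(1, 60)]


def count_deviations(tickets: list) -> int:
    """A deviation is a ticket that passed through change management unapproved."""
    return sum(1 for t in tickets if not t["approved"])


if __name__ == "__main__":
    n = sample_size(expected_rate=0.0, tolerable_rate=0.05, confidence=0.95)
    print("plan: sample", n, "tickets (expect 0 deviations, tolerate 5%)")
    result = evaluate_sample(len(TICKETS), count_deviations(TICKETS), 0.05)
    print("observed", result["deviations"], "deviation(s);",
          "upper limit %.1f%%" % (100 * result["upper_limit"]),
          "-> control", "supported" if result["supported"] else "NOT supported")
```

The failure mode this shows is the one that surprises first-time auditors: a plan built on zero expected deviations has no slack, so a single unapproved ticket in the 59 pushes the upper deviation limit to roughly 8%, above the 5% tolerable rate, and the control cannot be relied on without extending the sample or treating the weakness as a finding.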
Forming Conclusions
– Identify reportable conditions: control weaknesses significant enough to be brought to the attention of management or the audit committee
The Audit Opinion
Per Guideline 70, the report should include:
– Name of the organization being audited
– Title, signature, and date
– Statement of the audit objectives and whether they were met
– Scope of the audit
– Any scope limitations
– Intended audience
The Audit Opinion (Cont'd.)
– Standards used to perform the audit
– Detailed explanation of findings
– Conclusion, including any reservations or qualifications
– Suggestions for corrective action or improvement
– Significant subsequent events
4 Main Types of IT Audits
– Attestation
– Findings and recommendations
– SAS 70
– SAS 94
Attestation
The governing standard is SSAE 10.
Includes:
– Data analytic reviews
– Commission agreement reviews
– WebTrust engagements
– SysTrust engagements
– Financial projections
– Compliance reviews
Findings and Recommendations
Consulting or advisory services, including:
– Systems implementations
– Enterprise resource planning (ERP) implementations
– Security reviews
– Database application reviews
– IT infrastructure reviews and needed-improvement engagements
– Project management
– IT internal audit services
SAS 70 Audit
– Applicable to any service organization that wishes to assure its clients of the existence and effectiveness of internal controls relative to the service it provides
– Two types of SAS 70 audits: Type I and Type II
– SAS 70 has since been superseded by SSAE 16 and then SSAE 18 (the SOC 1 report), but the Type I / Type II distinction carries over unchanged
Types of SAS 70 Reports
– Type I: a "walkthrough" that reports on the description and design of the service organization's controls as of a point in time, without testing whether the controls operated effectively
– Type II: detailed testing of the operating effectiveness of the controls around the service provided over a stated period, so it is the report a client can rely on when assessing control risk
SAS 94
Requires the auditor to:
– Consider how a client's IT processes affect internal control, evidential matter, and the assessment of control risk;
– Understand how transactions are initiated, entered, and processed through the information system; and
– Understand how recurring and nonrecurring journal entries are initiated, entered, and processed through the information system
Components of a SAS 94 Audit
– Physical and environmental review
– Systems administration review
– Application software review
– Network security review
– Business continuity review
– Data integrity review
Using CobiT to Perform an Audit
– If no audit program exists, use the CobiT control objectives to develop one, or
– Map an existing audit program to the company's control objectives so that gaps in coverage become visible