Chapter Nine: Conducting the IT Audit
- Slides: 18
Audit Standards
- AICPA: Statements on Auditing Standards (SASs)
- ISACA: IS Audit Standards, Guidelines, and Procedures
- AICPA: Statement on Standards for Attestation Engagements (SSAE)
- IFAC: International Auditing Standards
- ISACA: COBIT

The IT Audit Lifecycle
- Planning
- Risk Assessment
- Prepare Audit Program
- Gather Evidence
- Form Conclusions
- Deliver Audit Opinion
- Follow Up

Planning
- Scope and control objectives
- Materiality
- Outsourcing
- Gain an understanding of the client and the client's industry and business risks

Risk Assessment
- The shift is to a risk-based audit approach
- "What can go wrong?"
- High-risk areas require more audit effort
- Materiality is important

The Audit Program
- Includes:
  - Scope
  - Audit objectives
  - Audit procedures
  - Administrative details such as planning and reporting
- Generic audit programs are customized for the client and the client's technology

Gathering Evidence
- Evidence includes:
  - Observations
  - Documentary evidence
  - Flowcharts, narratives, written policies
  - CAATs (computer-assisted audit techniques) procedures
- Sampling
  - Attribute sampling is used by IT auditors
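The attribute sampling the slide mentions is a test of controls: the auditor fixes a tolerable deviation rate, an expected deviation rate and an acceptable risk of over-reliance, draws a sample of that size, and then checks whether the achieved upper deviation limit stays within the tolerable rate. The following is an added example (not from the slides or any audit body's tables) using the binomial model; the control scenario, parameter names and values are constructed for illustration.

```python
from math import ceil, comb


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p): chance of seeing at most k
    deviations in a sample of n when the true deviation rate is p."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def sample_size(tolerable: float, expected: float, risk: float, n_max: int = 5000) -> int:
    """Smallest sample size n such that, if the population deviation rate were
    as bad as the tolerable rate, observing no more than the expected number
    of deviations would have probability <= risk (the risk of over-reliance).
    With 0 % expected, 5 % tolerable and 5 % risk this gives 59."""
    for n in range(1, n_max + 1):
        k = ceil(n * expected)  # deviations the auditor expects to find
        if binom_cdf(k, n, tolerable) <= risk:
            return n
    raise ValueError("no sample size within n_max satisfies the parameters")


def upper_deviation_limit(n: int, deviations: int, risk: float) -> float:
    """Achieved upper deviation rate: the highest population rate still
    consistent with the observed sample at the given risk (bisection on p,
    valid because binom_cdf decreases as p grows)."""
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(deviations, n, mid) > risk:
            lo = mid  # this rate is still plausible, so the limit lies higher
        else:
            hi = mid
    return hi


def evaluate_sample(n: int, deviations: int, tolerable: float, risk: float) -> tuple[float, bool]:
    """Return (achieved upper deviation limit, whether the control can be relied on)."""
    udl = upper_deviation_limit(n, deviations, risk)
    return udl, udl <= tolerable


if __name__ == "__main__":
    # Constructed scenario: test of a change-approval control with a 5 %
    # tolerable deviation rate, 0 % expected deviations, 5 % risk of over-reliance.
    n = sample_size(0.05, 0.0, 0.05)
    print(f"sample size: {n}")
    for found in (0, 1):
        udl, ok = evaluate_sample(n, found, 0.05, 0.05)
        print(f"{found} deviation(s): upper limit {udl:.1%}, rely on control: {ok}")
```

A single deviation in the 59-item sample pushes the upper limit past the tolerable rate, which is why a deviation found where none was expected usually means extending the sample or reducing reliance on the control.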
Forming Conclusions
- Identify reportable conditions

The Audit Opinion
- Per Guideline 70, should include:
  - Name of the organization being audited
  - Title, signature, and date
  - Statement of audit objectives and whether these were met
  - Scope of the audit
  - Any scope limitations
  - Intended audience

The Audit Opinion (cont'd)
- Standards used to perform the audit
- Detailed explanation of findings
- Conclusion, including reservations or qualifications
- Suggestions for corrective action or improvement
- Significant subsequent events

4 Main Types of IT Audits
- Attestation
- Findings and Recommendations
- SAS 70
- SAS 94

Attestation
- Standard is SSAE 10
- Includes:
  - Data analytic reviews
  - Commission agreement reviews
  - WebTrust engagements
  - SysTrust engagements
  - Financial projections
  - Compliance reviews

Findings and Recommendations
- Consulting, or advisory, services
- Include:
  - Systems implementations
  - Enterprise resource planning implementation
  - Security reviews
  - Database application reviews
  - IT infrastructure and improvements-needed engagement
  - Project management
  - IT internal audit services

SAS 70 Audit
- Applicable to any service organization that wishes to assure its clients of the existence and effectiveness of internal controls relative to the service provided
- Two types of SAS 70 audits:
  - Type I
  - Type II

Types of SAS 70 Reports
- Type I: A "walkthrough" that describes a company's internal controls but does not perform detailed testing of these controls
- Type II: Detailed testing of controls around the service provided

SAS 94
- Requires the auditor to:
  - Consider how a client's IT processes affect internal control, evidential matter, and the assessment of control risk;
  - Understand how transactions are initiated, entered, and processed through the IS; and
  - Understand how recurring and nonrecurring journal entries are initiated, entered, and processed through the IS

Components of a SAS 94 Audit
- Physical and environmental review
- Systems administration review
- Application software review
- Network security review
- Business continuity review
- Data integrity review

Using COBIT to Perform an Audit
- If no audit program exists, use COBIT to develop the audit program, or
- Map the existing audit program to company objectives