IT audit training for Audit Execution Session 5


Introduction to IT Audit (IT audit training, March 2007)
Session 5: Audit Execution

Audit Execution

  • Entry conference
  • Evidence collection and evaluation
  • Exit conference

Entry Conference

Meeting with senior management:

  • Finalise scope of work
  • Understand the management concerns
  • Schedule the dates
  • Discuss audit methodology

Entry Conference (contd.)

Apprise senior management of:

  • Broad objectives of audit
  • Proposed audit plan
  • Possible areas of concern

Evidence Collection and Evaluation

Types of audit evidence:

  • Observed process and existence of physical items
  • Documentary audit evidence (including electronic records)
  • Analysis (including IT-enabled analysis using CAATs)

Physical Evidence

  • Obtained by observing
  • Get auditee to confirm/accept physical evidence
  • Visual verification of presence of water and smoke detectors
  • Physical environment of system to be verified

Interview

To obtain qualitative and quantitative evidence:

  • Interview system analysts, programmers, clerical/data entry staff, users and operations staff
  • Understand functions and controls of systems

Planning for Interview

  • Ensure that the information required is not readily available elsewhere
  • Identify those personnel within an organization who can provide the best information of an interview topic
  • Identify clearly the objectives of the interview
  • Prepare a report as soon as possible after the interview

Questionnaires

  • Used to flag areas of system weakness during evidence collection
  • Avoid:
      • ambiguous questions
      • leading questions
      • presumptuous questions
      • hypothetical questions
      • embarrassing questions

Flowcharts

Control flowcharts show that controls exist in a system and where these controls exist in the system. They have three major audit purposes:

  • Comprehension
  • Evaluation
  • Communication

Analytical Procedures

  • Use of comparisons and relationships to determine whether data/account balances appear reasonable
  • CAATs can be useful in analytical audit procedures

Tools of Evidence Collection

  • Generalised audit software
  • Industry specific audit software
  • Specialised audit software
  • Concurrent auditing tools

Generalised Audit Software

  • Off-the-shelf software that provides the means to gain access to and manipulate data maintained on computer storage media
  • Developed specifically to accommodate a wide variety of different hardware and software platforms
  • Provides a number of functions such as file access, file re-organisation, selection and extraction of data, various data analysis functions and reporting functions

Industry Specific Audit Software

  • Designed to provide high level commands that invoke common audit functions needed within a particular industry
  • They provide industry specific logic

Specialised Audit Software

  • Software written to fulfil a specific set of audit tasks
  • Most well developed systems have embedded audit modules, comprising routines to throw up alerts

Concurrent Auditing Tools

  • Collecting audit evidence at the same time as an application system undertakes processing of its data
  • Could be in the form of special audit modules embedded in application systems to collect, process and print audit evidence
      • evaluate application systems with test data
      • used to select transactions for audit review
      • used to trace or map the changing states of application systems

Concurrent Auditing Tools (contd.)

Some of the concurrent auditing techniques are:

  • Integrated Test Facility (ITF)
  • Systems control audit review file and embedded audit modules (SCARF/EAM)
  • Snapshots
  • Audit hooks
  • Continuous and intermittent simulation (CIS)

Audit Tests

There are two types of audit tests:

  • Substantive tests
  • Compliance tests

Substantive Testing

  • Provides auditors with evidence about the validity and propriety of the transactions and balances

Substantive Testing (contd.)

Examples of substantive testing:

  • Conducting system availability analysis
  • Performing system storage media analysis
  • Conducting system outage analysis
  • Comparing computer inventory as per book vis-à-vis actual count
  • Reconciling account balances

Compliance Testing

  • Concerned with testing the transactions for compliance with rules and regulations of the entity and provides auditors with evidence about presence/absence of internal controls
  • Can be used to test the existence and effectiveness of a defined process

Compliance Testing (contd.)

Examples of compliance testing:

  • Determining whether passwords are changed periodically
  • Determining whether system logs are reviewed
  • Determining whether program changes are authorised
  • Determining whether controls are functioning as prescribed
  • Determining whether a disaster recovery plan was tested

Sampling

  • Testing of selected items within a population to obtain and evaluate evidence about some characteristic of that population, in order to form a conclusion concerning the population
  • Two primary methods of sampling used by IT auditors:
      • Attribute sampling
      • Variable sampling

Sampling (contd.)

Advantages of using sampling:

  • Provides a framework for obtaining sufficient audit evidence
  • Minimizes the risk of over-auditing
  • Facilitates more expeditious review of working papers
  • Increases the acceptability of audit conclusions by the auditee
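
Added example (not part of the original slides): the compliance test "passwords are changed periodically" carried out with attribute sampling, reporting the sample deviation rate and an exact one-sided upper limit on the population deviation rate. The 90-day policy, 5% tolerable rate, 95% confidence level, audit date and account records are all constructed assumptions.

```python
import random
from datetime import date, timedelta
from math import comb

MAX_AGE_DAYS = 90          # assumed password policy (not from the slides)
TOLERABLE_RATE = 0.05      # assumed tolerable deviation rate
CONFIDENCE = 0.95          # assumed confidence level
TODAY = date(2007, 3, 1)   # constructed audit date

def make_accounts(n, stale_every):
    """Constructed population of (user, last password change).
    Every `stale_every`-th account is 200 days old; 0 means none are stale."""
    return [(f"user{i:03d}",
             TODAY - timedelta(days=200 if stale_every and i % stale_every == 0 else 30))
            for i in range(n)]

def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k + 1))

def upper_deviation_limit(deviations, sample_size, confidence=CONFIDENCE):
    """Exact one-sided upper bound on the population deviation rate.
    Binomial model: treats the population as large relative to the sample."""
    if deviations >= sample_size:
        return 1.0
    lo, hi = 0.0, 1.0
    for _ in range(60):  # bisection: the CDF falls as the true rate rises
        mid = (lo + hi) / 2
        if binom_cdf(deviations, sample_size, mid) > 1 - confidence:
            lo = mid
        else:
            hi = mid
    return hi

def compliance_test(accounts, sample_size, seed=1):
    """Draw a random sample and test one attribute: password age within policy."""
    sample = random.Random(seed).sample(accounts, sample_size)
    stale = sorted(u for u, changed in sample
                   if (TODAY - changed).days > MAX_AGE_DAYS)
    limit = upper_deviation_limit(len(stale), sample_size)
    return {"deviations": stale,
            "sample_rate": len(stale) / sample_size,
            "upper_limit": limit,
            "control_effective": limit <= TOLERABLE_RATE}

if __name__ == "__main__":
    print(compliance_test(make_accounts(400, 10), 59))
```

With these assumed parameters, a sample of 59 with zero deviations is the smallest that supports the control at a 5% tolerable rate; a single stale password in the sample pushes the upper limit above it.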

Evaluation of Evidence

While arriving at audit conclusions, the auditor needs to benchmark the conditions to ensure that evidence is:

  • factual and discovered by the auditor;
  • based on standards or guidelines against which the conditions are evaluated;
  • Effect, impact and significance of variance

Audit Findings

  • An audit finding is complete to the extent that the audit objectives are satisfied and the report clearly relates those objectives to the finding’s elements.
  • A deficiency finding should have five elements or attributes as detailed below.
      • Criteria (what should be)
      • Condition (what is)
      • Cause (why condition occurred)
      • Effect (what is the consequence)
      • Recommendation (what is to be done)

Significance of Audit Findings

Significance of audit findings can be assessed from two aspects:

  • the nature of the finding itself and
  • the quality of the recommendations

Significance of Audit Findings (contd.)

Two advantages of focused audit findings and recommendations:

  • quantitative aspects
      • revenues increased, cost decreased, number of defects reduced etc.
  • qualitative aspects
      • citizens/client satisfaction increased, employee morale improved and compliance with laws and regulations is achieved

Exit Conference

  • Communication and discussion of audit observations formally with management
  • Ensures better understanding and increases buy-in of audit recommendations
  • Gives the auditee organisation an opportunity to express their viewpoints on the issues raised
  • Helps in finalizing recommendations which are practical and feasible

Reporting and Follow up

Structure of an Audit Report:

  • Introduction
  • Audit Objectives, Scope and Methodology
  • Audit Findings
  • Audit Conclusions
  • Recommendations