IT audit training for Planning for IT Audit

  • Slides: 19

IT audit training for Planning for IT Audit Session 4 March 2007 Introduction to IT Audit : S 4/ 1

Planning

Planning helps in:
  • the direction and control of auditor’s work;
  • highlighting critical areas;
  • allocation of scarce audit resources towards more important areas;
  • setting time frame and targets for review work;
  • obtaining sufficient, reliable and relevant audit evidence and
  • subsequently aid the auditee in sound decision making

Types of Planning

  • Strategic plan
  • Annual plan
  • Micro plan / audit programme

Strategic Plan

Covers a period of 3-5 years and addresses issues like:
  • aims and long term objectives of audit;
  • audit priorities and criteria for prioritisation;
  • how to re-orient audit techniques and methods to meet the changing requirements;
  • human and infrastructure requirements and
  • training needs

Annual Plan

  • Translates the long term plan into a programme of work for the ensuing year
  • Planning here defines the aims and objectives of each of the major audits to be undertaken during the year, given the resources available within the SAI

Micro Plan

Operational plan for each individual audit and spells out the details of tasks to be undertaken for each audit along with the time schedule:
  • Technical Planning
  • Logistical Planning
  • Risk Assessment

Technical Plan

Obtain an overview of:
  • the nature of auditee business and the business environment; regulatory environment in which the auditee functions
  • the size, type, nature and complexity of the IT systems; major IT systems
  • nature of risks the systems are exposed to; critical organizational units/functions
  • main types and volume of transactions processed by the systems
  • extent and scope of internal audit

Logistical Plan

Involves:
  • allocation of responsibilities of the IT audit team;
  • planning the methodology of audit;
  • deciding the scope and extent of audit coverage
  • framing budget and obtaining approvals
  • drawing up the time schedule for various tasks;
  • exploring ways of obtaining audit evidence and
  • framing the reporting requirements

Risk Assessment

Risk assessment is the responsibility of the top management and includes a systematic consideration of:
  • the business harm likely to result from a security failure,
  • the realistic likelihood of such a failure occurring and
  • the controls currently implemented

Steps in Risk Analysis

  • Inventory of information systems in use in the organization
  • Determine which of the systems impact critical functions or assets, such as money, materials, customers, decision making, and how close to real time they operate.
  • Assess what risks affect these systems and the severity of impact on the business

Types of Risks

  • Inherent risk
  • Control risk
  • Detection risk

Inherent Risk

  • Inherent risk is the susceptibility of information resources or resources controlled by the information system to material theft, destruction, disclosure, unauthorized modification, or other impairment, assuming that there are no related internal controls

Control Risk

  • Control risk is the risk that an error which could occur in an audit area, and which could be material, individually or in combination with other errors, will not be prevented or detected and corrected on a timely basis by the internal control system

Detection Risk

  • Detection risk is the risk that the IT auditor’s substantive procedures will not detect an error which could be material, individually or in combination with other errors.

Introduction to Controls

  • Internal controls include policies, procedures, practices and organizational structures put in place to reduce risks
  • The extent of internal controls present would determine the risk levels of the application under audit and also the quantum of auditing to be undertaken

Audit Planning Memo

The purpose of an audit planning memo is to:
  • define the scope of IT audit;
  • describe the justification for the audit approach;
  • describe how the audit should progress; and
  • provide a means for communicating the audit plan to other assigned audit staff

Outline of Audit Planning Memo

  • Background of the audited entity
  • Objectives of the audit
  • Critical areas to be examined
  • Resource requirements

Audit Scope

Scope defines the boundaries of the audit. It addresses aspects like:
  • period and
  • number of locations to be covered and
  • the extent of substantive testing depending on risk levels and control weaknesses

Audit Objectives

Audit objectives should take into consideration:
  • the management’s objectives for a system
  • whether the system meets the management’s objectives and serves the business interests