Preparing for an it audit l.jpg
Sponsored Links
This presentation is the property of its rightful owner.
1 / 27

Preparing for an IT Audit PowerPoint PPT Presentation

  • Uploaded on
  • Presentation posted in: General

Preparing for an IT Audit. September 11, 2007 2:00pm EDT, 11:00am PDT George Spafford, Principal Consultant Pepperweed Consulting, LLC “Optimizing The Business Value of IT” Housekeeping. Submitting questions to speaker

Download Presentation

Preparing for an IT Audit

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Preparing for an IT Audit

September 11, 2007

2:00pm EDT, 11:00am PDT

George Spafford,

Principal Consultant

Pepperweed Consulting, LLC

“Optimizing The Business Value of IT”


  • Submitting questions to speaker

    • Submit question at any time by using the “Ask a question” section located on lower left-hand side of your console.

    • Questions about presentation content will be answered during 10 minute Q&A session at end of webcast.

  • Technical difficulties?

    • Click on “Help” button

    • Use “Ask a question” interface

Main Presentation


  • Background on Audit

  • Why audits are part of the Deming cycle of plan-do-check-act

  • How to prepare for audits

  • What auditors look for

  • For a copy of today’s webcast PPT, please email:

    • George at: [email protected]

    • Kendra at: [email protected]

The Shewhart Cycle

  • Popularized by Deming

    • We plan

    • We do

    • We check results

    • We take corrective action

  • How can we objectively check?

    • Audit

  • Auditors must be objective

  • The process is necessary for improvement

IA - Risk Management & Control

  • Reliability and integrity of financial and operational information

  • Effectiveness and efficiency of operations

  • Safeguarding of assets

  • Compliance with laws, regulations, and contracts.

Source: International Standards for the Professional Practice of Internal Auditing,

IA - Governance

  • Promoting appropriate ethics and values within the organization.

  • Ensuring effective organizational performance management and accountability.

  • Effectively communicating risk and control information to appropriate areas of the organization.

  • Effectively coordinating the activities of and communicating information among the board, external and internal auditors and management.

Source: International Standards for the Professional Practice of Internal Auditing,

External Audit

  • Is driven by the regulatory requirement to have an independent third party certify the financial information provided to stockholders is reasonably accurate.

  • Some feel that internal review of external audit reports creates another layer of protection for financial reporting.

  • Primarily reports to the audit committee on the accuracy of the financial reports, attests to management’s assessment of internal controls over financial reporting.

Source: “Common Misconceptions”, Tone From the Top, Institute of Internal Auditors, March 2005.

Work with Audit, not around Audit

Important: Establish Key Controls

  • Review risks

    • Management’s current risk assessment

    • Use of a control framework as a proxy (verify with audit if acceptable)

    • If nothing to go on, the auditor will impose his/her belief system

  • Review key controls

    • Auditor may want to understand the state of the overall control environment – be sure to plan in advance

    • The emphasis and testing will be on key controls

    • Want as few key controls as possible grounded in risks

  • You want to be clear

  • Doesn’t benefit IT or audit if guessing or misinterpretation happens


You can spend a fortune and you will never truly hit a 100% level of assurance.

The objective is to lower risk to an acceptable level, not eliminate it because you can’t!

Level of Assurance

Level of Investment

Cost of Control

Preparing (1)

  • Emphasis – talk to your audit group ahead of time

  • Auditing is not a science

  • Practices will vary between audit firms, within firms and between auditors

  • Work with Internal Audit closely to understand company requirements and External Audit Requirements

  • Put everything in writing and get approval – do not rely on verbal communications

    • Summarize your conversations in the form of meeting minutes and send them to the other party for confirmation.

  • Bear in mind that auditors leave firms and so do audit partners

    • Who you deal with can change year to year.

Preparing (2)

  • Determine a formal documentation plan

    • Policies and Procedures

    • Evidence of activity / compliance

  • Clearly identify what IT services/systems are in scope

    • Materiality

    • Guide to the Assessment of IT General Controls Scope Based on Risk

  • Take care in documenting control activity, test plans, etc. If they are ambiguous or inaccurate, deficiencies may well result

  • Documenting controls that don’t exist will guarantee findings

  • Be sure to document exceptions along with risks, the business case and management’s approval

    • It is better for management to disclose known exceptions than for auditors to find them.

    • How exceptions are documented and handled vary from auditor to auditor so be sure to understand what to do, ramifications, etc.

  • During the Audit (1)

    • Never lie to an auditor - the repercussions can be severe

    • Do not tamper with evidence - the repercussions can be severe

      • Be sure to outline the process for making any urgent remediation or changes during an audit with the auditor.

    • Be prompt in replying or providing samples

      • Delays may be interpreted as a lack of controls or that evidence is being created or altered

    • Auditors will follow the key controls and test plans verbatim if things go as planned

    • Do not be antagonistic

    During the Audit (2)

    • Auditors make mistakes like everyone else.

      • Be sure to help them with any requested quality assurance processes that they have to make sure that the findings are accurate

    • The management response is the proper place to voice disagreements about findings

      • Do not get into senseless arguments

    The Audit Process (1)

    • Coordinate Auditors

      • Internal Audit should coordinate with External Audit (This coordination is typically done by the Chief Audit Executive.)

      • Faster audits

      • Lower costs

      • Fewer interruptions

    • Schedule the audit

      • IT’s availability

      • Internal Audit’s availability

      • External audit’s availability

    • Kick off meeting

      • Goals of the audit

      • Scope

      • Roles and Responsibilities

      • Schedule / Plan

    The Audit Process (2)

    • Review

      • Risks

      • Key Controls

      • Documentation (Requirements will vary so inquire as to what is needed)

        • Policies and Procedures

        • What systems are in scope

        • Narratives (An audit device used when documentation doesn’t exist)

        • Flowcharts

        • Test Plans (These should have been developed between management and internal audit. Care must be taken that they are very clear and concise.)

    • Execute Tests

      • Observe

      • Inquire

      • Obtain samples according to the test plan

    Sample Size Example

    The Audit Process (3)

    • Organize Work Papers

      • Management/IA should determine what documentation to retain from audits.

      • Part of the document retention is driven by what External Audit can leverage

      • The more management testing that External Audit can leverage, the faster the external audit goes and the lower the costs.

    • Document Results

      • The auditor will record results of tests and relate scores to work papers.

    • Make recommendations

      • Control Improvement Opportunities

      • Remediation Recommendations

    • Exit Meeting

      • Review rough draft of results as a QA step

      • Review any open items

    Example Test Plan and Test Results

    The Audit Process (4)

    • Generate Management Letter

      • Once the testing is finished, the auditor reviews the audit documentation and develops a formal letter for management summarizing findings and recommendations.

    • Solicit Management Response

      • Management can then review and respond to the findings.

    • Finalize the audit documentation

    • Share Results with Management, Audit Committee and External Audit

    Audit Findings

    • Audits always generate findings

    • Management can

      • Agree with a given finding and remediate

      • Dispute the finding

      • Accept the risk and do nothing

    • Remediation depends on the auditor and situation.

      • They may, or may not, wish to see remediation of audit findings.

    • Some external auditors leave remediation up to management

      • Bear in mind, that if this year’s audit turned up the control deficiencies, then there is a strong likelihood that next year’s audit will turn up the same things unless there are changes to scope, key controls, etc.

    • If the same deficiencies show up over and over again, the auditor may choose to increase their severity

    Continuous Improvement

    • Audits are vital

    • Provide objective opinions

    • Look at audit as another tool for process improvement

      • Set the proper tone from the top

      • If you think audits are a waste, then so will your team

    • The idea is to take their findings, and review what to do

    * Adapted from ITIL Service Support Graphic

    Learning More About Audit

    • Institute of Internal Auditors

    • Information Systems Audit and Control Association

    • IT Compliance Institute

    • Jim Kaplan’s Audit Net

    • Subscribe to Dan Swanson’s Email Lists

    Thank you for the privilege of facilitating this webcast

    George Spafford

    Principal Consultant

    Pepperweed Consulting

    Optimizing the Value of IT

    [email protected]

    Daily News Archive and Subscription Instructions


    If you have any further questions, e-mail [email protected]

    For future ITSM Watch Webcasts, visit

    Thank you again for attending

  • Login