
Chapter Nine

Chapter Nine. Conducting the IT Audit. Audit Standards: AICPA — Statements of Auditing Standards (SASs); ISACA — IS Audit Standards, Guidelines, and Procedures; AICPA — Statement on Standards for Attestation Engagements (SSAE); IFAC — International Auditing Standards; ISACA — CobiT.


Presentation Transcript


  1. Chapter Nine Conducting the IT Audit

  2. Audit Standards
     • AICPA — Statements of Auditing Standards (SASs)
     • ISACA — IS Audit Standards, Guidelines, and Procedures
     • AICPA — Statement on Standards for Attestation Engagements (SSAE)
     • IFAC — International Auditing Standards
     • ISACA — CobiT

  3. The IT Audit Lifecycle
     • Planning
     • Risk Assessment
     • Prepare Audit Program
     • Gather Evidence
     • Form Conclusions
     • Deliver Audit Opinion
     • Follow Up

  4. Planning
     • Scope and control objectives
     • Materiality
     • Outsourcing
     • Gain an understanding of the client and client’s industry, business risks

  5. Risk Assessment
     • Shift is to a risk-based audit approach
     • “What can go wrong”
     • High-risk areas require more audit effort
     • Materiality is important

  6. The Audit Program
     • Includes:
       • Scope
       • Audit objectives
       • Audit procedures
       • Administrative details such as planning and reporting
     • Generic audit programs are customized for the client and client’s technology

  7. Gathering Evidence
     • Evidence includes:
       • Observations
       • Documentary evidence
         • Flowcharts, narratives, written policies
       • CAATs procedures
     • Sampling
       • Attribute sampling used by IT auditors

  8. Forming Conclusions
     • Identify reportable conditions

  9. The Audit Opinion
     • Per Guidelines 70, should include:
       • Name of organization being audited
       • Title, signature, and date
       • Statement of audit objectives and whether these were met
       • Scope of the audit
       • Any scope limitations
       • Intended audience

  10. The Audit Opinion (Cont’d.)
     • Standards used to perform the audit
     • Detailed explanation of findings
     • Conclusion, including reservations or qualifications
     • Suggestions for corrective action or improvement
     • Significant subsequent events

  11. 4 Main Types of IT Audits
     • Attestation
     • Findings and Recommendations
     • SAS 70
     • SAS 94

  12. Attestation
     • Standard is SSAE 10
     • Includes:
       • Data analytic reviews
       • Commission agreement reviews
       • Webtrust engagements
       • Systrust engagements
       • Financial projections
       • Compliance reviews

  13. Findings and Recommendations
     • Consulting, or advisory services
     • Include:
       • Systems implementations
       • Enterprise resource planning implementation
       • Security reviews
       • Database application reviews
       • IT infrastructure and improvements needed engagement
       • Project management
       • IT Internal audit services

  14. SAS 70 Audit
     • Applicable to any service organization that wishes to assure its clients of the existence and effectiveness of internal controls relative to the service provided
     • Two types of SAS 70 audits
       • Type I
       • Type II

  15. Types of SAS 70 reports
     • Type I: A “walkthrough” that describes a company’s internal controls but does not perform detailed testing of these controls
     • Type II: Detailed testing of controls around the service provided

  16. SAS 94
     • Requires the auditor to:
       • Consider how a client’s IT processes affect internal control, evidential matter, and the assessment of control risk;
       • Understand how transactions are initiated, entered, and processed through the IS; and
       • Understand how recurring and nonrecurring journal entries are initiated, entered, and processed through the IS

  17. Components of a SAS 94 audit
     • Physical and environmental review
     • Systems administration review
     • Application software review
     • Network security review
     • Business continuity review
     • Data integrity review

  18. Using CobiT to Perform an Audit
     • If no audit program exists, use CobiT to develop the audit program, or
     • Map existing audit program to company objectives
