Preparing for an IT Audit
Presentation Transcript

Preparing for an IT Audit

September 11, 2007

2:00pm EDT, 11:00am PDT

George Spafford,

Principal Consultant

Pepperweed Consulting, LLC

“Optimizing The Business Value of IT”

  • Submitting questions to speaker
    • Submit question at any time by using the “Ask a question” section located on lower left-hand side of your console.
    • Questions about presentation content will be answered during 10 minute Q&A session at end of webcast.
  • Technical difficulties?
    • Click on “Help” button
    • Use “Ask a question” interface
  • Background on Audit
  • Why audits are part of the Deming cycle of plan-do-check-act
  • How to prepare for audits
  • What auditors look for
  • For a copy of today’s webcast PPT, please email:
The Shewhart Cycle
  • Popularized by Deming
    • We plan
    • We do
    • We check results
    • We take corrective action
  • How can we objectively check?
    • Audit
  • Auditors must be objective
  • The process is necessary for improvement
IA - Risk Management & Control
  • Reliability and integrity of financial and operational information
  • Effectiveness and efficiency of operations
  • Safeguarding of assets
  • Compliance with laws, regulations, and contracts.

Source: International Standards for the Professional Practice of Internal Auditing.

IA - Governance
  • Promoting appropriate ethics and values within the organization.
  • Ensuring effective organizational performance management and accountability.
  • Effectively communicating risk and control information to appropriate areas of the organization.
  • Effectively coordinating the activities of and communicating information among the board, external and internal auditors and management.

Source: International Standards for the Professional Practice of Internal Auditing.

External Audit
  • Is driven by the regulatory requirement to have an independent third party certify the financial information provided to stockholders is reasonably accurate.
  • Some feel that internal review of external audit reports creates another layer of protection for financial reporting.
  • Primarily reports to the audit committee on the accuracy of the financial reports, and attests to management’s assessment of internal controls over financial reporting.

Source: “Common Misconceptions”, Tone From the Top, Institute of Internal Auditors, March 2005.

Important: Establish Key Controls
  • Review risks
    • Management’s current risk assessment
    • Use of a control framework as a proxy (verify with audit if acceptable)
    • If nothing to go on, the auditor will impose his/her belief system
  • Review key controls
    • Auditor may want to understand the state of the overall control environment – be sure to plan in advance
    • The emphasis and testing will be on key controls
    • Want as few key controls as possible, each grounded in identified risks
  • You want to be clear
  • Doesn’t benefit IT or audit if guessing or misinterpretation happens
Cost of Control

You can spend a fortune and you will never truly hit a 100% level of assurance.

The objective is to lower risk to an acceptable level, not eliminate it because you can’t!

[Graphic: Level of Assurance plotted against Level of Investment]
Preparing (1)
  • Emphasis – talk to your audit group ahead of time
  • Auditing is not a science
  • Practices will vary between audit firms, within firms and between auditors
  • Work with Internal Audit closely to understand company requirements and External Audit Requirements
  • Put everything in writing and get approval – do not rely on verbal communications
    • Summarize your conversations in the form of meeting minutes and send them to the other party for confirmation.
  • Bear in mind that auditors leave firms and so do audit partners
    • Who you deal with can change year to year.
Preparing (2)
  • Determine a formal documentation plan
    • Policies and Procedures
    • Evidence of activity / compliance
  • Clearly identify what IT services/systems are in scope
    • Materiality
    • Guide to the Assessment of IT General Controls Scope Based on Risk
  • Take care in documenting control activity, test plans, etc. If they are ambiguous or inaccurate, deficiencies may well result
  • Documenting controls that don’t exist will guarantee findings
  • Be sure to document exceptions along with risks, the business case and management’s approval
    • It is better for management to disclose known exceptions than for auditors to find them.
    • How exceptions are documented and handled varies from auditor to auditor, so be sure to understand what to do, the ramifications, etc.
During the Audit (1)
  • Never lie to an auditor - the repercussions can be severe
  • Do not tamper with evidence - the repercussions can be severe
    • Be sure to outline the process for making any urgent remediation or changes during an audit with the auditor.
  • Be prompt in replying or providing samples
    • Delays may be interpreted as a lack of controls or that evidence is being created or altered
  • Auditors will follow the key controls and test plans verbatim if things go as planned
  • Do not be antagonistic
During the Audit (2)
  • Auditors make mistakes like everyone else.
    • Be sure to cooperate with any quality assurance process the auditors request; its purpose is to make sure that the findings are accurate
  • The management response is the proper place to voice disagreements about findings
    • Do not get into senseless arguments
The Audit Process (1)
  • Coordinate Auditors
    • Internal Audit should coordinate with External Audit (This coordination is typically done by the Chief Audit Executive.)
    • Faster audits
    • Lower costs
    • Fewer interruptions
  • Schedule the audit
    • IT’s availability
    • Internal Audit’s availability
    • External audit’s availability
  • Kick off meeting
    • Goals of the audit
    • Scope
    • Roles and Responsibilities
    • Schedule / Plan
The Audit Process (2)
  • Review
    • Risks
    • Key Controls
    • Documentation (Requirements will vary so inquire as to what is needed)
      • Policies and Procedures
      • What systems are in scope
      • Narratives (An audit device used when documentation doesn’t exist)
      • Flowcharts
      • Test Plans (These should have been developed between management and internal audit. Care must be taken that they are very clear and concise.)
  • Execute Tests
    • Observe
    • Inquire
    • Obtain samples according to the test plan
The Audit Process (3)
  • Organize Work Papers
    • Management/IA should determine what documentation to retain from audits.
    • Part of the document retention is driven by what External Audit can leverage
    • The more management testing that External Audit can leverage, the faster the external audit goes and the lower the costs.
  • Document Results
    • The auditor will record results of tests and relate scores to work papers.
  • Make recommendations
    • Control Improvement Opportunities
    • Remediation Recommendations
  • Exit Meeting
    • Review rough draft of results as a QA step
    • Review any open items
The Audit Process (4)
  • Generate Management Letter
    • Once the testing is finished, the auditor reviews the audit documentation and develops a formal letter for management summarizing findings and recommendations.
  • Solicit Management Response
    • Management can then review and respond to the findings.
  • Finalize the audit documentation
  • Share Results with Management, Audit Committee and External Audit
Audit Findings
  • Audits always generate findings
  • Management can
    • Agree with a given finding and remediate
    • Dispute the finding
    • Accept the risk and do nothing
  • Remediation depends on the auditor and situation.
    • They may, or may not, wish to see remediation of audit findings.
  • Some external auditors leave remediation up to management
    • Bear in mind that if this year’s audit turned up the control deficiencies, there is a strong likelihood that next year’s audit will turn up the same things unless there are changes to scope, key controls, etc.
  • If the same deficiencies show up over and over again, the auditor may choose to increase their severity
Continuous Improvement
  • Audits are vital
  • Provide objective opinions
  • Look at audit as another tool for process improvement
    • Set the proper tone from the top
    • If you think audits are a waste, then so will your team
  • The idea is to take their findings, and review what to do

* Adapted from ITIL Service Support Graphic

Learning More About Audit
  • Institute of Internal Auditors
  • Information Systems Audit and Control Association
  • IT Compliance Institute
  • Jim Kaplan’s Audit Net
  • Subscribe to Dan Swanson’s Email Lists

Thank you for the privilege of facilitating this webcast

George Spafford

Principal Consultant

Pepperweed Consulting

Optimizing the Value of IT

[email protected]

Daily News Archive and Subscription Instructions

If you have any further questions, e-mail [email protected]

For future ITSM Watch Webcasts, visit

Thank you again for attending