
Chapter 3: The Audit Process in an Information Technology Environment


Presentation Transcript


  1. Chapter 3: The Audit Process in an Information Technology Environment
     MBAD 7090
     IS Security, Audit, and Control (Dr. Zhao)

  2. Objectives
     • Understand the overall IT audit process
     • The overall definition of the audit process
     • Audit standards
     • Audit planning
     • Audit tasks

  3. Overview
     • The IT audit process complements the work of the financial/operational audit by providing reasonable assurance that information and information technology are processing as expected.

  4. Financial Audits
     • Financial auditors
       • Evaluate the fairness of financial statements
       • Cover all equipment and procedures used in processing significant data
     • Certification: CPA
     • Standards: Generally Accepted Accounting Principles (GAAP)
       • Financial statements are fairly presented in conformity with generally accepted accounting principles (GAAP).
       • The measure for ‘fairly presented’: there is less than a 5% chance (5% audit risk) that the financial statements are ‘materially misstated’.

  5. IT Audits
     • IT auditors
       • Evaluate IT systems, practices, and operations
       • Assure the validity, reliability, and security of information
       • Assure the efficiency and effectiveness of the IT environment in economic terms
     • Certification: CISA, CISM, etc.
     • Standards: Generally Accepted Auditing Standards (GAAS)

  6. GAAS
     • General standards
       • An auditor should have adequate technical training and proficiency
       • An auditor should maintain an independent attitude
       • Due professional care
     • Field work standards
       • The auditor must adequately plan the work and must properly supervise any assistants
       • "The auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures."
       • The auditor must obtain sufficient appropriate audit evidence

  7. GAAS (continued)
     • Reporting standards
       • In accordance with generally accepted accounting principles
       • Identify those circumstances in which such principles have not been consistently observed in the current period in relation to the preceding period.
       • Reasonably adequate
       • Contain an expression of opinion regarding the financial statements

  8. The Overall Audit Process
     • Step 1: Audit plan
     • Step 2: Audit schedule
     • Step 3: Audit tasks
     • Step 4: Evaluating the audit’s performance and the audit results
     • A uniform, process-oriented approach
     • A series of logical, orderly steps

  9. The Audit Plan
     • Purpose: identify what must be accomplished
     • Deliverable: an audit plan
     • Steps:
       • Preliminary assessment
       • Risk assessment
       • Identify application areas
       • Prepare an audit plan

  10. Preliminary Assessment
     • To gather information for an audit plan
       • General data gathering
       • Identifying financial application areas
     • General data
       • Nature of business
       • Financial history
       • Organization structure
       • Systems involved
       • Current procedures (e.g., the extent of automation)

  11. General Data Gathering
     • System-related information
       • An overall picture of major application systems
       • Interrelationships, key inputs, and outputs
     • Data control procedures
       • Assurance of an uninterruptible power supply
       • Procedures for backup, recovery, and restart of operations
     • Methods
       • Interviews: inputs from managers and key stakeholders
       • Documentation: policies, organization chart, prior audit reports
       • Physical inspections

  12. Risk Assessment
     • Standardized approach to evaluate:
       • Business risks
       • Application/system risks
       • Current control environment
     • Prioritized by risk: which subsystems need more detailed examination

  13. Preparing an Audit Plan
     • Description of the client organization
     • Define objectives
     • Define audit scope
     • Structure work schedules
     • Assure reasonable comprehensiveness
     • Provide flexibility in approach
     • Example 1
     • Example 2

  14. Audit Schedule
     • Timing
       • By request
       • Synergizing and coordinating audits
     • Resources
       • Availability of internal and external expertise
       • Cost

  15. Audit Tasks
     • Define scope and objectives
     • Obtain a basic understanding of the area being audited
     • Develop a detailed understanding of the area being audited
     • Evaluate control strengths and weaknesses
     • Test the critical controls, processes and exposures
     • Evaluate the results
     • Final evaluation and report
     • Documentation

  16. Obtain an Understanding
     • Interviews & documentation
       • Understand the relationship of each application to the client’s business
     • Flowchart
       • An effective tool to understand related processes
       • Frequency of processing
       • Document source and destination
       • Actions that process/change the data
       • Controls over document transfer between units
       • An example

  17. Evaluating Control Strength and Weakness
     • Existence of
       • Documented policies and procedures
       • Accuracy and completeness
       • Evidence of compliance
     • Process effectiveness
       • Avoid redundancy and bottlenecks
       • Management support
     • Examples of controls over documents
       • Record counts
       • Control totals

  18. Evidence
     • Observation: observe the activity being performed
     • Evidence of the activity
       • Source documents (input forms, etc.)
       • Output documents (reports)
       • Logs (errors, exceptions)
     • Duplicating the activity: repeating the task

  19. Testing
     • Compliance testing
       • Are they doing what they said they would do?
       • Determines adherence to existing controls (policies, procedures, etc.)
     • Substantive testing
       • Determines whether the business objective is being achieved
       • Are the current controls enabling the intended business goal to be met?
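Record counts and control totals (slide 17) are the kind of document control that a compliance test (slide 19) re-performs: the auditor recomputes the batch header's figures from the detail records and reports every disagreement as a finding. The example below is added here and is not from the lecture; the batch layout, the sample records, and the hash total over account numbers (a companion control assumed beyond the two the slide names) are all constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Record:
    account: str      # account number; feeds the hash total
    amount: Decimal   # transaction amount; feeds the control total

@dataclass(frozen=True)
class BatchHeader:
    record_count: int        # number of detail records the submitting unit claims
    control_total: Decimal   # sum of amounts as declared by the submitting unit
    hash_total: int          # sum of numeric account numbers (assumed companion control)

def verify_batch(header: BatchHeader, records: list[Record]) -> list[str]:
    """Re-perform the batch controls; return the discrepancies (empty list = batch passes)."""
    findings = []
    count = len(records)
    control_total = sum((r.amount for r in records), Decimal("0"))
    hash_total = sum(int(r.account) for r in records)
    if count != header.record_count:
        findings.append(f"record count: header {header.record_count}, recomputed {count}")
    if control_total != header.control_total:
        findings.append(f"control total: header {header.control_total}, recomputed {control_total}")
    if hash_total != header.hash_total:
        findings.append(f"hash total: header {header.hash_total}, recomputed {hash_total}")
    return findings

# Constructed sample batch: header figures were computed from the three records as submitted.
SUBMITTED = [Record("1001", Decimal("250.00")),
             Record("1002", Decimal("75.50")),
             Record("1003", Decimal("120.00"))]
HEADER = BatchHeader(record_count=3, control_total=Decimal("445.50"), hash_total=3006)

# Constructed "as processed" variants the auditor compares against the same header.
DROPPED = SUBMITTED[:2]   # one record lost in transfer: count and both totals disagree
SWAPPED = [SUBMITTED[0], Record("1004", Decimal("75.50")), SUBMITTED[2]]  # amount kept, account changed

def demo() -> dict:
    """Run the three batches; only the hash total exposes the account substitution."""
    return {name: verify_batch(HEADER, batch)
            for name, batch in (("submitted", SUBMITTED), ("dropped", DROPPED), ("swapped", SWAPPED))}

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "PASS" if not findings else "; ".join(findings))
```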

  20. Evaluating the Results
     • Legal requirements
     • Audit standards
     • Best practices
     • Company policies and procedures

  21. Final Evaluation and Report
     • Closing meeting with management to discuss weaknesses identified during the audit and formulate value-adding recommendations
     • Management responses
     • Fix discrepancies
     • Report audience(s)
     • Review process

  22. Evaluate the Audit’s Performance
     • Client feedback
     • Audit results
       • Accurate issues
       • Realistic action plans
     • Audit management
       • Resource allocation
       • On time?
     • Did the audit add value?

  23. Everyday Auditing
     • We develop expectations (standards, best practices)
     • We experience or observe an activity (testing)
     • We compare our experiences to our expectations (analyze our test results)
     • We modify our behavior based on the difference between what we experienced and our expectations (action plan)
     • Exercise: please apply everyday auditing to the following action: see a movie

  24. Assignment 2
     • Please visit the website of an audit professional organization. Provide a summary of information that is useful for a current/future auditor.
     • Suggested websites:
       • AICPA (http://www.aicpa.org/)
       • IIA (http://www.theiia.org/)
       • ISACA (http://www.isaca.org/)
     • Deliverables
       • Limit: one page
       • Email submission to kzhao2@uncc.edu
       • Due date: September 15, 5:00pm.
     • Research Project 1 due:
       • Topic & team membership: send me an email with cc to the entire team
