wk 10a- it auditing.ppt

Upload: faisalcsedu

Post on 03-Apr-2018


  • 7/28/2019 Wk 10a- IT Auditing.ppt

    Conducting the IT Audit

    Audit Standards

    • AICPA Statements of Auditing Standards (SASs)
    • ISACA IS Audit Standards, Guidelines, and Procedures
    • AICPA Statement on Standards for Attestation Engagements (SSAE)
    • IFAC International Auditing Standards
    • ISACA CobiT

    The IT Audit Lifecycle

    • Planning
    • Risk Assessment
    • Prepare Audit Program
    • Gather Evidence
    • Form Conclusions
    • Deliver Audit Opinion
    • Follow Up

    Planning

    • Scope and control objectives
    • Materiality
    • Outsourcing
    • Gain an understanding of the client and client's industry, business risks

    Risk Assessment

    • Shift is to risk-based audit approach
    • What can go wrong
    • High risk areas require more audit effort
    • Materiality important

    The Audit Program

    • Includes:
        • Scope
        • Audit objectives
        • Audit procedures
        • Administrative details such as planning and reporting
    • Generic audit programs are customized for the client and client's technology

    Gathering Evidence

    • Evidence includes:
        • Observations
        • Documentary evidence
        • Flowcharts, narratives, written policies
        • CAATs procedures
    • Sampling
        • Attribute sampling used by IT auditors

    Forming Conclusions

    Identify reportable conditions

    The Audit Opinion

    • Per Guidelines 70, should include:
        • Name of organization being audited
        • Title, signature, and date
        • Statement of audit objectives and whether these were met
        • Scope of the audit
        • Any scope limitations
        • Intended audience

    The Audit Opinion (Contd.)

    • Standards used to perform the audit
    • Detailed explanation of findings
    • Conclusion, including reservations or qualifications
    • Suggestions for corrective action or improvement
    • Significant subsequent events

    4 Main Types of IT Audits

    • Attestation
    • Findings and Recommendations
    • SAS 70
    • SAS 94

    Attestation

    • Standard is SSAE 10
    • Includes:
        • Data analytic reviews
        • Commission agreement reviews
        • Webtrust engagements
        • Systrust engagements
        • Financial projections
        • Compliance reviews

    http://www.aicpa.org/Research/Standards/AuditAttest/Pages/SSAE.aspx

    Findings and Recommendations

    • Consulting, or advisory services
    • Include:
        • Systems implementations
        • Enterprise resource planning implementation
        • Security reviews
        • Database application reviews
        • IT infrastructure and improvements needed engagement
        • Project management
        • IT Internal audit services

    SAS 70 Audit

    • Applicable to any service organization that wishes to assure its clients of the existence and effectiveness of internal controls relative to the service provided
    • Two types of SAS 70 audits
        • Type I
        • Type II

    Types of SAS 70 reports

    • Type I: A walkthrough that describes a company's internal controls but does not perform detailed testing of these controls
    • Type II: Detailed testing of controls around the service provided

    SAS 94

    • Requires the auditor to:
        • Consider how a client's IT processes affect internal control, evidential matter, and the assessment of control risk;
        • Understand how transactions are initiated, entered, and processed through the IS; and
        • Understand how recurring and nonrecurring journal entries are initiated, entered, and processed through the IS

    Components of a SAS 94 audit

    • Physical and environmental review
    • Systems administration review
    • Application software review
    • Network security review
    • Business continuity review
    • Data integrity review

    Using CobiT to Perform an Audit

    • If no audit program exists, use CobiT to develop the audit program, or
    • Map existing audit program to company objectives