IT Audit Fieldwork: Generally Accepted Processes - Part VIII

When providing audit assurance, auditors commonly have an opportunity to define current risks to resources and subsequently recommend remedial activities to reduce assessed risks to resources. Professionally, three generally accepted audit fieldwork standards guide auditors in the performance of audit assurance services. These standards impact studying, evaluating and testing controls during audit assurance engagements. However, IT auditors assume additional responsibilities and must overcome complex obstacles to ensure audit assurance processes are in compliance with generally accepted audit fieldwork standards.

“View Part I of the IT Audit Fieldwork: Generally Accepted Processes series here“

IT Audit Fieldwork: Generally Accepted Processes - Part VII

Compliance and substantive testing to collect sufficient evidential matter to render an opinion on the audit area follows the study and evaluation of controls. Regarding substantive tests, IT can be used in this aspect of the audit to perform analytical procedures and direct tests of details. In performing tests of details, IT can be utilized for substantive testing in conjunction with compliance tests or independently in direct tests of details by examining files resulting from IT processing.

“View Part I of the IT Audit Fieldwork: Generally Accepted Processes series here“

IT Audit Fieldwork: Generally Accepted Processes - Part VI

IT processing of datum has effects on controls and audit trails. IT can induce numerous changes in processing cycles. As a result of these changes, the IT auditor must evaluate the effects on the basic characteristics of control. The IT auditor must also consider how IT can change the typical manual audit trail. Additional controls that have been specified in response to the effects of IT on the processing of datum may encompass general and/or application controls. In studying and evaluating the control system, the auditor must minimally assess the potential operational effectiveness and relationships when determining the extent that they will be able to rely on the deployed control system under examination for meeting objectives.

“View Part I of the IT Audit Fieldwork: Generally Accepted Processes series here“

IT Audit Fieldwork: Generally Accepted Processes - Part V

Concepts and procedures involved in the auditor’s study and evaluation of controls for manual systems are also applicable when processing is performed by IT. Commonly, a primary objective of the control study and evaluation is to determine the extent designed controls meet defined criteria; while a secondary objective of the control study and evaluation is to determine the extent that the auditor can rely on the examined configuration for restricting subsequent audit procedures and to plan those subsequent audit procedures deemed necessary.

Basic control system procedures are applicable to all IT that process datum. However, the IT auditor must be able to distinguish controls at a detail level in order to properly evaluate the appropriateness of application. Study of the defined control system is followed by evaluation of the corresponding control system to determine the extent that the IT auditor can rely on deployed controls in utilizing, or designing, subsequent audit procedures.

“View Part I of the IT Audit Fieldwork: Generally Accepted Processes series here“

IT Audit Fieldwork: Generally Accepted Processes - Part IV

Collection of sufficient evidential matter required for compliance with the third generally accepted standard of audit fieldwork affects the IT auditor as to the type of evidence to be collected and as to the means of acquisition. For example, types of evidence may change because of source document eliminations and/or substitution of electronic data interchange (EDI) formats for processing transactions. Whereas, for example, the means of acquiring evidence may change because the auditor may have to substitute a computer and programs for the visual scanning performed with a manual system.

“View Part I of the IT Audit Fieldwork: Generally Accepted Processes series here“

IT Audit Fieldwork: Generally Accepted Processes - Part III

The second generally accepted standard of audit fieldwork requires the study and evaluation of controls. Potential for change in audit program procedures during the study and evaluation of controls due to the acquisition and/or integration of IT is immense. Specifically, general and application controls must be examined because of their effect on electronically encoded data. For instance, activities previously decentralized and performed by several clerical personnel may be centralized into one IT program, eliminating the control previously available through segregation of functions. Consequently, an individual having access to this program and related data files may be able to make undetected changes to the program and data files as part of an illegal act scheme.

“View Part I of the IT Audit Fieldwork: Generally Accepted Processes series here“

IT Audit Fieldwork: Generally Accepted Processes - Part II

Planning and supervision aspects of the first generally accepted standard of audit fieldwork become more complex to attain when IT is involved. In planning an overall strategy for the expected assurance conduct and ambit, the auditor is faced with evaluations and tests that are not normally encountered in manual systems. On the other hand, supervision of assistants becomes more difficult because in addition to directing audit work and controlling audit quality, the engagement supervisor may be required to monitor numerous complicated IT processes.

“View Part I of the IT Audit Fieldwork: Generally Accepted Processes series here“

IT Audit Fieldwork: Generally Accepted Processes - Part I

IT auditing is similar to, and yet different from, auditing manual systems. The process is similar in that compliance and substantive tests are still performed within the context of generally accepted auditing standards, whereas the difference emanate from additional standards pertaining to IT auditing and the procedures unique to IT auditing which are the result of these standards. Three audit fieldwork standards guide auditors in the performance of audits. Considering the collection of evidential matter necessary to render an opinion, these standards serve as the basis for auditing concepts pertaining to the study and evaluation of controls as well as related compliance and substantive testing.

IT Audit Verification Planning: Resolving Technique Selection - Part VII

Many techniques are available to the IT auditor. A significant responsibility is selecting a technique appropriate to the audit task at hand. To aid the IT auditor in understanding which technique may be appropriate, alternative schemes for categorization should be considered. Potential benefits include finding a close approximation of the employed taxonomy to the: audit objectives, objects to which the IT auditor applies procedures, and types of techniques that have been developed to assist the IT auditor.

“View Part I of the IT Audit Verification Planning: Resolving Technique Selection series here“

IT Audit Verification Planning: Resolving Technique Selection - Part VI

Characteristics of a deployed audit trail can determine the test procedures performed. With an acceptable audit trial, the IT auditor may decide to trace selected data or information through the entire configuration or to determine infrastructure availability. Without a trial, the IT auditor may decide to execute extensive substantive tests on the electronically encoded configuration items.

“View Part I of the IT Audit Verification Planning: Resolving Technique Selection series here“