Governmental statutes may require an entity’s management to design, implement, and maintain a system of internal controls; however, verifying internal controls is usually an auditor attestation responsibility. To adequately perform this professional responsibility, an IT auditor should have knowledge of the types, traits, techniques, and modus operandi normally associated with irregular and illegal acts. For instance, an IT auditor must understand that, compared to other crimes or improprieties, a key distinguishing feature of fraud is false representation or concealment of a material fact.
Agreed-upon procedures for irregularities and/or illegal acts may be included in the “terms of reference” of a standard IT assurance engagement. Alternatively, agreed-upon procedures can be documented within a separate engagement letter. IT financial statement fraud and computer forensics are examples of potential agreed-upon procedures that may be undertaken as separate engagements. Nonetheless, if agreed-upon procedures are performed as a separate engagement, the IT auditor should not express any assurance concerning the subject matter examined during the course of performing assignment procedures.
Post Note: Irregularities and Illegal Acts Agreed-Upon Procedures Assessments contains redacted excerpts from Assuring IT Legal Compliance (Assurance Services)