Concepts and procedures involved in the auditor’s study and evaluation of controls for manual systems are also applicable when processing is performed by IT. Commonly, a primary objective of the control study and evaluation is to determine the extent designed controls meet defined criteria; while a secondary objective of the control study and evaluation is to determine the extent that the auditor can rely on the examined configuration for restricting subsequent audit procedures and to plan those subsequent audit procedures deemed necessary.
Basic control system procedures are applicable to all IT that process datum. However, the IT auditor must be able to distinguish controls at a detail level in order to properly evaluate the appropriateness of application. Study of the defined control system is followed by evaluation of the corresponding control system to determine the extent that the IT auditor can rely on deployed controls in utilizing, or designing, subsequent audit procedures.
“View Part I of the IT Audit Fieldwork: Generally Accepted Processes series here“