IT Governance, Risk, and Compliance


February 18, 2010  7:33 PM

IT Audit Reporting: Communicating Results – Part III

Robert Davis

Through an IT auditor’s efforts, audit findings are generated as facts that directly support and evidence conclusions as well as recommendations. Audit findings are also the product of all previously performed audit work related to the audit area under examination. An IT auditor should review each finding form for accurate and factual criteria, condition, cause, possible effect(s) and recommendation(s). Furthermore, inconsistencies and departures from applicable accounting principles discovered during the IT audit should be reviewed with a qualified financial auditor.


February 15, 2010  7:18 PM

IT Audit Reporting: Communicating Results – Part II

Robert Davis

The process utilized to ascertain ‘the degree of correspondence’ between assertions, or direct subject matter, and established criteria for IT audits is similar to that employed for manual audits, yet slightly more complex. The process is similar because with these audit types, ‘the degree of correspondence’ requires objective and/or subjective judgment by the auditor as to what constitutes material noncompliance in the control system or error in information. The process is more complex for IT audits because the control system is commonly more sophisticated, and because it is generally more difficult to ascertain whether computer programs and data files provided to the auditor are those actually used, or bogus copies not actually invoked by the entity’s technology under examination. Consequently, to ensure appropriate IT risk scoring, IT audit area findings analysis is performed before audit report preparation.



February 11, 2010  7:05 PM

IT Audit Reporting: Communicating Results – Part I

Robert Davis

IT audit area reporting conveys an opinion concerning control adequacy based on planning, studying, testing and evaluating material or significant auditable units. Whether an IT auditor is engaged in direct or attest reporting — after obtaining sufficient, reliable, relevant and useful evidence during the previous audit phases — formal audit results communication is an important step in the audit process. Direct reporting assignments exist when management does not document an assertion concerning control procedures effectiveness and the IT auditor provides an opinion. Conversely, attest reporting assignments exist when management documents a control procedures effectiveness assertion and the IT auditor provides an opinion about the stated assertion.


February 8, 2010  7:39 PM

IT Audit Fieldwork: Generally Accepted Processes – Part VIII

Robert Davis

When providing audit assurance, auditors commonly have an opportunity to define current risks to resources and subsequently recommend remedial activities to reduce assessed risks to resources. Professionally, three generally accepted audit fieldwork standards guide auditors in the performance of audit assurance services. These standards impact studying, evaluating and testing controls during audit assurance engagements. However, IT auditors assume additional responsibilities and must overcome complex obstacles to ensure audit assurance processes are in compliance with generally accepted audit fieldwork standards.



February 4, 2010  6:50 PM

IT Audit Fieldwork: Generally Accepted Processes – Part VII

Robert Davis

Compliance and substantive testing to collect sufficient evidential matter to render an opinion on the audit area follows the study and evaluation of controls. Regarding substantive tests, IT can be used in this aspect of the audit to perform analytical procedures and direct tests of details. In performing tests of details, IT can be utilized for substantive testing in conjunction with compliance tests or independently in direct tests of details by examining files resulting from IT processing.



February 2, 2010  5:56 PM

IT Audit Fieldwork: Generally Accepted Processes – Part VI

Robert Davis

IT processing of data has effects on controls and audit trails. IT can induce numerous changes in processing cycles. As a result of these changes, the IT auditor must evaluate the effects on the basic characteristics of control. The IT auditor must also consider how IT can change the typical manual audit trail. Additional controls that have been specified in response to the effects of IT on the processing of data may encompass general and/or application controls. In studying and evaluating the control system, the auditor must minimally assess the potential operational effectiveness and relationships when determining the extent to which they will be able to rely on the deployed control system under examination for meeting objectives.



January 28, 2010  4:56 PM

IT Audit Fieldwork: Generally Accepted Processes – Part V

Robert Davis

Concepts and procedures involved in the auditor’s study and evaluation of controls for manual systems are also applicable when processing is performed by IT. Commonly, a primary objective of the control study and evaluation is to determine the extent to which designed controls meet defined criteria, while a secondary objective is to determine the extent to which the auditor can rely on the examined configuration for restricting subsequent audit procedures and to plan those subsequent audit procedures deemed necessary.

Basic control system procedures are applicable to all IT that processes data. However, the IT auditor must be able to distinguish controls at a detail level in order to properly evaluate the appropriateness of application. Study of the defined control system is followed by evaluation of the corresponding control system to determine the extent to which the IT auditor can rely on deployed controls in utilizing, or designing, subsequent audit procedures.



January 25, 2010  4:35 PM

IT Audit Fieldwork: Generally Accepted Processes – Part IV

Robert Davis

Collection of sufficient evidential matter required for compliance with the third generally accepted standard of audit fieldwork affects the IT auditor as to the type of evidence to be collected and as to the means of acquisition. For example, types of evidence may change because of source document eliminations and/or substitution of electronic data interchange (EDI) formats for processing transactions. The means of acquiring evidence, for example, may change because the auditor may have to substitute a computer and programs for the visual scanning performed with a manual system.



January 21, 2010  10:04 PM

IT Audit Fieldwork: Generally Accepted Processes – Part III

Robert Davis

The second generally accepted standard of audit fieldwork requires the study and evaluation of controls. Potential for change in audit program procedures during the study and evaluation of controls due to the acquisition and/or integration of IT is immense. Specifically, general and application controls must be examined because of their effect on electronically encoded data. For instance, activities previously decentralized and performed by several clerical personnel may be centralized into one IT program, eliminating the control previously available through segregation of functions. Consequently, an individual having access to this program and related data files may be able to make undetected changes to the program and data files as part of an illegal act scheme.



January 19, 2010  7:22 PM

IT Audit Fieldwork: Generally Accepted Processes – Part II

Robert Davis

Planning and supervision aspects of the first generally accepted standard of audit fieldwork become more complex to attain when IT is involved. In planning an overall strategy for the expected assurance conduct and ambit, the auditor is faced with evaluations and tests that are not normally encountered in manual systems. On the other hand, supervision of assistants becomes more difficult because in addition to directing audit work and controlling audit quality, the engagement supervisor may be required to monitor numerous complicated IT processes.


