IT Governance, Risk, and Compliance » PM

IT Audit Reporting: Communicating Results – Part VII

Robert Davis — Thu, 04 Mar 2010 18:48:39 +0000

Upon acknowledgement of final audit report delivery to identified recipients, the IT auditor should await responses from key audit area personnel, as stipulated in the entity’s audit charter or engagement letter. Once all client responses have been received or the stated response deadline has been reached, the IT auditor should distribute the final audit report to appropriate personnel, thus concluding the IT audit reporting phase.

“View Part I of the IT Audit Reporting: Communicating Results series here“

IT Audit Reporting: Communicating Results – Part VI

Robert Davis — Mon, 01 Mar 2010 18:41:35 +0000

The final audit report should clearly identify ‘gaps’ in controls and the source of the vulnerabilities. Of the potential vulnerabilities documented in the audit report, it is importance to identify any significant, or material, risks. It must also include recommendations to address the issues identified. Lastly, the executive summary of the final audit report must elaborate on the ‘state of controls’ within the audit area. In particular, weaknesses need to be clearly communicated to enable management by exception.

“View Part I of the IT Audit Reporting: Communicating Results series here“

IT Audit Reporting: Communicating Results – Part IV

Robert Davis — Mon, 22 Feb 2010 18:13:14 +0000

Generally, following audit area findings assessment completion and ensuring appropriate working papers retention, an IT auditor documents the draft audit report based on auditing standards and guidelines. Subsequently, the draft audit report is typically submitted for approval by the next higher audit management level. Specific organization, intended recipients, and any circulation restrictions should be identified in this draft audit report.

“View Part I of the IT Audit Reporting: Communicating Results series here“

IT Audit Reporting: Communicating Results – Part III

Robert Davis — Thu, 18 Feb 2010 19:33:59 +0000

Through an IT auditor’s efforts, audit findings are facts generated which directly support and evidence conclusions as well as recommendations. Audit findings are also the product of all previously performed audit work related to the audit area under examination. Each finding form should be reviewed by an IT auditor for accurate as well as factual: criteria, condition, cause, possible effect(s) and recommendation(s). Furthermore, inconsistencies and departures from applicable accounting principles, discovered during the IT audit, should be reviewed with a qualified financial auditor.

“View Part I of the IT Audit Reporting: Communicating Results series here“

IT Audit Reporting: Communicating Results – Part II

Robert Davis — Mon, 15 Feb 2010 19:18:07 +0000

The process utilized to ascertain ‘the degree of correspondence’ between assertions, or direct subject matter, and established criteria for IT audits is similar to that employed for manual audits; yet, slightly more complex. The process is similar because with these audit types, ‘the degree of correspondence’ requires objective and/or subjective judgment by the auditor as to what constitutes material noncompliance in the control system or error in information. The process is more complex for IT audits because the control system is commonly more sophisticated, and because it is generally more difficult to ascertain whether computer programs and data files provided to the auditor are those actually used; or bogus copies not actually invoked by the entity’s technology under examination. Consequently, to ensure an appropriate IT risk scoring, preceding audit report preparation, IT audit area findings analysis is performed.

“View Part I of the IT Audit Reporting: Communicating Results series here“

IT Audit Reporting: Communicating Results – Part I

Robert Davis — Thu, 11 Feb 2010 19:05:03 +0000

IT audit area reporting conveys an opinion concerning control adequacy based on planning, studying, testing and evaluating material or significant auditable units. Whether an IT auditor is engaged in direct or attest reporting — after obtaining sufficient, reliable, relevant and useful evidence during the previous audit phases — formal audit results communication is an important step in the audit process. Direct reporting assignments exist when management does not document an assertion concerning control procedures effectiveness and the IT auditor provides an opinion. Conversely, attest reporting assignments exist when management documents a control procedures effectiveness assertion and the IT auditor provides an opinion about the stated assertion.

IT Audit Fieldwork: Generally Accepted Processes – Part VIII

Robert Davis — Mon, 08 Feb 2010 19:39:00 +0000

When providing audit assurance, auditors commonly have an opportunity to define current risks to resources and subsequently recommend remedial activities to reduce assessed risks to resources. Professionally, three generally accepted audit fieldwork standards guide auditors in the performance of audit assurance services. These standards impact studying, evaluating and testing controls during audit assurance engagements. However, IT auditors assume additional responsibilities and must overcome complex obstacles to ensure audit assurance processes are in compliance with generally accepted audit fieldwork standards.

“View Part I of the IT Audit Fieldwork: Generally Accepted Processes series here“

IT Audit Fieldwork: Generally Accepted Processes – Part VII

Robert Davis — Thu, 04 Feb 2010 18:50:50 +0000

Compliance and substantive testing to collect sufficient evidential matter to render an opinion on the audit area follows the study and evaluation of controls. Regarding substantive tests, IT can be used in this aspect of the audit to perform analytical procedures and direct tests of details. In performing tests of details, IT can be utilized for substantive testing in conjunction with compliance tests or independently in direct tests of details by examining files resulting from IT processing.

“View Part I of the IT Audit Fieldwork: Generally Accepted Processes series here“

IT Audit Fieldwork: Generally Accepted Processes – Part VI

Robert Davis — Tue, 02 Feb 2010 17:56:35 +0000

IT processing of datum has effects on controls and audit trails. IT can induce numerous changes in processing cycles. As a result of these changes, the IT auditor must evaluate the effects on the basic characteristics of control. The IT auditor must also consider how IT can change the typical manual audit trail. Additional controls that have been specified in response to the effects of IT on the processing of datum may encompass general and/or application controls. In studying and evaluating the control system, the auditor must minimally assess the potential operational effectiveness and relationships when determining the extent that they will be able to rely on the deployed control system under examination for meeting objectives.

“View Part I of the IT Audit Fieldwork: Generally Accepted Processes series here“

IT Audit Fieldwork: Generally Accepted Processes – Part V

Robert Davis — Thu, 28 Jan 2010 16:56:57 +0000

Concepts and procedures involved in the auditor’s study and evaluation of controls for manual systems are also applicable when processing is performed by IT. Commonly, a primary objective of the control study and evaluation is to determine the extent designed controls meet defined criteria; while a secondary objective of the control study and evaluation is to determine the extent that the auditor can rely on the examined configuration for restricting subsequent audit procedures and to plan those subsequent audit procedures deemed necessary.

Basic control system procedures are applicable to all IT that process datum. However, the IT auditor must be able to distinguish controls at a detail level in order to properly evaluate the appropriateness of application. Study of the defined control system is followed by evaluation of the corresponding control system to determine the extent that the IT auditor can rely on deployed controls in utilizing, or designing, subsequent audit procedures.

“View Part I of the IT Audit Fieldwork: Generally Accepted Processes series here“