IT Governance, Risk, and Compliance » Program

IT Audit Fieldwork: Generally Accepted Processes – Part VI

Robert Davis — Tue, 02 Feb 2010 17:56:35 +0000

IT processing of datum has effects on controls and audit trails. IT can induce numerous changes in processing cycles. As a result of these changes, the IT auditor must evaluate the effects on the basic characteristics of control. The IT auditor must also consider how IT can change the typical manual audit trail. Additional controls that have been specified in response to the effects of IT on the processing of datum may encompass general and/or application controls. In studying and evaluating the control system, the auditor must minimally assess the potential operational effectiveness and relationships when determining the extent that they will be able to rely on the deployed control system under examination for meeting objectives.

“View Part I of the IT Audit Fieldwork: Generally Accepted Processes series here“

IT Audit Fieldwork: Generally Accepted Processes – Part V

Robert Davis — Thu, 28 Jan 2010 16:56:57 +0000

Concepts and procedures involved in the auditor’s study and evaluation of controls for manual systems are also applicable when processing is performed by IT. Commonly, a primary objective of the control study and evaluation is to determine the extent designed controls meet defined criteria; while a secondary objective of the control study and evaluation is to determine the extent that the auditor can rely on the examined configuration for restricting subsequent audit procedures and to plan those subsequent audit procedures deemed necessary.

Basic control system procedures are applicable to all IT that process datum. However, the IT auditor must be able to distinguish controls at a detail level in order to properly evaluate the appropriateness of application. Study of the defined control system is followed by evaluation of the corresponding control system to determine the extent that the IT auditor can rely on deployed controls in utilizing, or designing, subsequent audit procedures.

“View Part I of the IT Audit Fieldwork: Generally Accepted Processes series here“

IT Audit Fieldwork: Generally Accepted Processes – Part IV

Robert Davis — Mon, 25 Jan 2010 16:35:42 +0000

Collection of sufficient evidential matter required for compliance with the third generally accepted standard of audit fieldwork affects the IT auditor as to the type of evidence to be collected and as to the means of acquisition. For example, types of evidence may change because of source document eliminations and/or substitution of electronic data interchange (EDI) formats for processing transactions. Whereas, for example, the means of acquiring evidence may change because the auditor may have to substitute a computer and programs for the visual scanning performed with a manual system.

“View Part I of the IT Audit Fieldwork: Generally Accepted Processes series here“

IT Audit Fieldwork: Generally Accepted Processes – Part III

Robert Davis — Thu, 21 Jan 2010 22:04:36 +0000

The second generally accepted standard of audit fieldwork requires the study and evaluation of controls. Potential for change in audit program procedures during the study and evaluation of controls due to the acquisition and/or integration of IT is immense. Specifically, general and application controls must be examined because of their effect on electronically encoded data. For instance, activities previously decentralized and performed by several clerical personnel may be centralized into one IT program, eliminating the control previously available through segregation of functions. Consequently, an individual having access to this program and related data files may be able to make undetected changes to the program and data files as part of an illegal act scheme.

“View Part I of the IT Audit Fieldwork: Generally Accepted Processes series here“

IT Audit Fieldwork: Generally Accepted Processes – Part II

Robert Davis — Tue, 19 Jan 2010 19:22:20 +0000

Planning and supervision aspects of the first generally accepted standard of audit fieldwork become more complex to attain when IT is involved. In planning an overall strategy for the expected assurance conduct and ambit, the auditor is faced with evaluations and tests that are not normally encountered in manual systems. On the other hand, supervision of assistants becomes more difficult because in addition to directing audit work and controlling audit quality, the engagement supervisor may be required to monitor numerous complicated IT processes.

“View Part I of the IT Audit Fieldwork: Generally Accepted Processes series here“

IT Audit Fieldwork: Generally Accepted Processes – Part I

Robert Davis — Thu, 14 Jan 2010 20:01:38 +0000

IT auditing is similar to, and yet different from, auditing manual systems. The process is similar in that compliance and substantive tests are still performed within the context of generally accepted auditing standards, whereas the difference emanate from additional standards pertaining to IT auditing and the procedures unique to IT auditing which are the result of these standards. Three audit fieldwork standards guide auditors in the performance of audits. Considering the collection of evidential matter necessary to render an opinion, these standards serve as the basis for auditing concepts pertaining to the study and evaluation of controls as well as related compliance and substantive testing.

IT Audit Verification Planning: Resolving Technique Selection – Part VII

Robert Davis — Mon, 11 Jan 2010 18:21:10 +0000

Many techniques are available to the IT auditor. A significant responsibility is selecting a technique appropriate to the audit task at hand. To aid the IT auditor in understanding which technique may be appropriate, alternative schemes for categorization should be considered. Potential benefits include finding a close approximation of the employed taxonomy to the: audit objectives, objects to which the IT auditor applies procedures, and types of techniques that have been developed to assist the IT auditor.

“View Part I of the IT Audit Verification Planning: Resolving Technique Selection series here“

IT Audit Verification Planning: Resolving Technique Selection – Part VI

Robert Davis — Thu, 07 Jan 2010 19:30:31 +0000

Characteristics of a deployed audit trail can determine the test procedures performed. With an acceptable audit trail, the IT auditor may decide to trace selected data or information through the entire configuration or to determine infrastructure availability. Without a trail, the IT auditor may decide to execute extensive substantive tests on the electronically encoded configuration items.

“View Part I of the IT Audit Verification Planning: Resolving Technique Selection series here“

IT Audit Verification Planning: Resolving Technique Selection – Part V

Robert Davis — Mon, 04 Jan 2010 18:49:57 +0000

Performance of audit procedures on individual programs and files, or the entire configuration as an integrated unit, is determined by the audit objectives and the audit trial. To test the functionality of input controls, for example, the IT auditor can perform compliance tests on a specific program; while separately, or jointly, test the integrity of processing through performance of substantive procedures on a specific data file. Alternatively, the selected configuration may be compliance tested as an integrated unit by processing test data through it and examining errors rejected by programs and the contents of files for evidence of controls.

“View Part I of the IT Audit Verification Planning: Resolving Technique Selection series here“

IT Audit Verification Planning: Resolving Technique Selection – Part IV

Robert Davis — Wed, 30 Dec 2009 19:03:45 +0000

Auditing IT configurations involves performing compliance and substantive tests on a selected information asset as an integrated unit. Integration can refer to various activities including: combining the separate testing of programs and files into an overall evaluation; combining the testing of programs and files into a single test; utilizing a mixture of techniques to accomplish the compliance and substantive testing objectives and combining the results into an overall evaluation of the entire IT configuration or a specific configuration subset; and treating the IT configuration — with its programs and files — as a single unit that receives input, processes data, and produces output in a regulated environment.

“View Part I of the IT Audit Verification Planning: Resolving Technique Selection series here“