1 / 19

Planning for IT Audit

Planning for IT Audit. Session 4. Planning. Planning helps in the direction and control of auditor’s work; highlighting critical areas ; allocation of scarce audit resources towards more important areas; setting time frame and targets for review work ;

amycsmith
Download Presentation

Planning for IT Audit

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Planning for IT Audit Session 4

  2. Planning Planning helps in • the direction and control of auditor’s work; • highlighting critical areas ; • allocation of scarce audit resources towards more important areas; • setting time frame and targets for review work ; • obtaining sufficient, reliable and relevant audit evidence and • subsequently aid the auditee in sound decision making

  3. Types of Planning • Strategic plan • Annual plan • Micro plan / audit programme

  4. Strategic Plan Plan for a period of 3-5 years and addresses issues like • aims and long term objectives of audit; • audit priorities and criteria for prioritisation; • how to re-orient audit techniques and methods to meet the changing requirements; • human and infrastructure requirements and • training needs

  5. Annual Plan • Translates the long term plan into a programme of work for the ensuing year • Planning here defines the aims and objectives of each of the major audits to be undertaken during the year, given the resources available within the SAI

  6. Micro Plan Operational plan for each individual audit and spells out the details of tasks to be undertaken for each audit along with the time schedule • Technical Planning • Logistical Planning • Risk Assessment

  7. Technical Plan Obtain an overview of • the nature of auditee business and the business environment regulatory environment in which the auditee functions • the size, type, nature and complexity of the IT systems major IT systems • nature of risks the systems are exposed to critical organizational units/functions • main types and volume of transactions processed by the systems • extent and scope of internal audit

  8. Logistical Plan Involves • allocation of responsibilities of the IT audit team; • planning the methodology of audit; • deciding the scope and extent of audit coverage • framing budget and obtaining approvals • drawing up the time schedule for various tasks; • exploring ways of obtaining audit evidence and • framing the reporting requirements

  9. Risk Assessment Risk assessment is the responsibility of the top management and includes a systematic consideration of • the business harm likely to result from a security failure, • the realistic likelihood of such a failure occurring and • the controls currently implemented

  10. Steps in Risk Analysis • Inventory of information systems in use in the organization • Determine which of the systems impact critical functions or assets, such as money, materials, customers, decision making, and how close to real time they operate. • Assess what risks affect these systems and the severity of impact on the business

  11. Types of Risks • Inherent risk • Control risk • Detection risk

  12. Inherent Risk • Inherent risk is the susceptibility of information resources or resources controlled by the information system to material theft, destruction, disclosure, unauthorized modification, or other impairment, assuming that there are no related internal controls

  13. Control Risk • Control risk is the risk that an error which could occur in an audit area, and which could be material, individually or in combination with other errors, will not be prevented or detected and corrected on a timely basis by the internal control system

  14. Detection Risk • Detection risk is the risk that the IT auditor’s substantive procedures will not detect an error which could be material, individually or in combination with other errors.

  15. Introduction to Controls • Internal controls include policies, procedures, practices and organizational structures put in place to reduce risks • The extent of internal controls present would determine the risk levels of the application under audit and also the quantum of auditing to be undertaken

  16. Audit Planning Memo The purposes of an audit planning memo is to: • define the scope of IT audit; • describe the justification for the audit approach; • describe how the audit should progress; and • provide a means for communicating the audit plan to other assigned audit staff

  17. Outline of Audit Planning Memo • Background of the audited entity • Objectives of the audit • Critical areas to be examined • Resource requirements

  18. Audit Scope Scope defines the boundaries of the audit. It addresses aspects like • period and • number of locations to be covered and • the extent of substantive testing depending on risk levels and control weaknesses

  19. Audit Objectives Audit objectives should take into consideration • the managements’ objectives for a system • whether the system meets the managements’ objectives and serves the business interests

More Related