
Chapter Nine


Presentation Transcript


  1. Chapter Nine Conducting the IT Audit

  2. Audit Standards
  • AICPA — Statements of Auditing Standards (SASs)
  • ISACA — IS Audit Standards, Guidelines, and Procedures
  • AICPA — Statement on Standards for Attestation Engagements (SSAE)
  • IFAC — International Auditing Standards
  • ISACA — CobiT

  3. The IT Audit Lifecycle
  • Planning
  • Risk Assessment
  • Prepare Audit Program
  • Gather Evidence
  • Form Conclusions
  • Deliver Audit Opinion
  • Follow Up

  4. Client Acceptance & Continuance Decision
  • Assess client integrity
  • Preparation of Engagement Letter

  5. Planning
  • Scope and control objectives
  • Materiality
  • Outsourcing
  • Gain an understanding of the client and the client’s industry and business risks

  6. Audit Announcement

  7. Risk Assessment
  • Shift is to a risk-based audit approach
  • “What can go wrong?”
  • High-risk areas require more audit effort
  • Materiality is important

  8. Audit Risk Model
  A client is an importer with inexperienced clerical staff. Inherent risk is high for the accuracy of recorded purchases, as they involve foreign currency translation. Control risk is high, as the clerical staff are inexperienced and not accustomed to recording complex foreign currency transactions. The auditor will therefore set a low detection risk and spend more time checking that purchases are recorded at appropriate amounts.

  9. The Audit Program
  • Includes:
    • Scope
    • Audit objectives
    • Audit procedures
    • Administrative details such as planning and reporting
  • Generic audit programs are customized for the client and the client’s technology

  10. Gathering Evidence
  • Evidence includes:
    • Observations
    • Documentary evidence
    • Flowcharts, narratives, written policies
    • CAATs procedures
  • Sampling
    • Attribute sampling is used by IT auditors
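The audit risk model on slide 8 (AR = IR × CR × DR) and the attribute sampling mentioned on slide 10 are easier to see with numbers. The following worked example is added here and is not part of the slides or the textbook they are drawn from. It solves the model for detection risk using the importer scenario, then sizes and evaluates an attribute sample of a control (for instance, approval of change tickets) with a binomial model, which is how the standard attribute-sampling tables are derived. The mapping of "high/medium/low" to probabilities, the 5% acceptable audit risk, and the sampling parameters are constructed assumptions, not figures from the page.

```python
"""Worked example: audit risk model (slide 8) and attribute sampling (slide 10).

Added illustration, not from the slides. Numeric values for the qualitative
risk levels and all sampling parameters are constructed assumptions.
"""
from math import comb, ceil

# Constructed assumption: qualitative assessments mapped to probabilities.
# "high" is taken as 1.0, i.e. no reliance placed on the environment or controls.
RISK_LEVELS = {"high": 1.0, "medium": 0.6, "low": 0.3}


def planned_detection_risk(audit_risk, inherent, control):
    """AR = IR x CR x DR solved for DR: the risk that the auditor's own
    substantive procedures fail to detect a material misstatement.
    `inherent` and `control` may be a level name or a probability."""
    ir = RISK_LEVELS.get(inherent, inherent)
    cr = RISK_LEVELS.get(control, control)
    return audit_risk / (ir * cr)


def binomial_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def attribute_sample_size(tolerable, expected, risk):
    """Smallest sample size n such that, if the true deviation rate equalled
    the tolerable rate, the chance of seeing no more than the expected number
    of deviations is at most `risk` (the risk of over-relying on the control).
    Returns (n, k) where k is the number of deviations the plan allows."""
    n = 1
    while True:
        k = ceil(expected * n)  # deviations the auditor expects to find in n items
        if binomial_cdf(k, n, tolerable) <= risk:
            return n, k
        n += 1


def upper_deviation_limit(n, deviations, risk, precision=1e-6):
    """Achieved upper deviation rate: the largest population deviation rate p
    still consistent, at the given risk, with observing `deviations` or fewer
    in a sample of n. Found by bisection, since P(X <= d) falls as p rises."""
    lo, hi = 0.0, 1.0
    while hi - lo > precision:
        mid = (lo + hi) / 2
        if binomial_cdf(deviations, n, mid) > risk:
            lo = mid  # mid is still a plausible rate; the limit lies higher
        else:
            hi = mid
    return hi


def control_supports_reliance(n, deviations, tolerable, risk):
    """True when the achieved upper limit does not exceed the tolerable rate,
    i.e. the sample supports the planned (low) control risk assessment."""
    return upper_deviation_limit(n, deviations, risk) <= tolerable


if __name__ == "__main__":
    # Slide 8 scenario: importer, inexperienced clerks -> IR high, CR high.
    dr = planned_detection_risk(0.05, "high", "high")
    print(f"planned detection risk: {dr:.2%}")  # low DR: more substantive testing
    # Had tests of controls supported a low CR, DR could be relaxed:
    print(f"with low CR: {planned_detection_risk(0.05, 'high', 'low'):.2%}")

    # Slide 10: attribute sample at 5% tolerable rate, 1% expected, 5% risk.
    n, k = attribute_sample_size(tolerable=0.05, expected=0.01, risk=0.05)
    print(f"sample {n} items; plan allows {k} deviation(s)")
    # Constructed result: 0 deviations found in a 59-item sample (0% expected plan).
    print(f"upper deviation limit: {upper_deviation_limit(59, 0, 0.05):.2%}")
    print("rely on control:", control_supports_reliance(59, 0, 0.05, 0.05))
```

The sample sizes this produces (59 items allowing 0 deviations, 93 allowing 1) agree with the commonly published attribute-sampling tables for a 5% tolerable rate at 5% risk of over-reliance, and the evaluation step shows why a single deviation in a 59-item sample pushes the achieved upper limit above the tolerable rate: the auditor then cannot lower control risk and, per the model, must accept a lower detection risk instead.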

  11. Concluding the Audit
  • Review planned audit procedures
  • Determine that all matters have been considered
  • Revisit open review notes, ‘to-do’ items and any audit procedures not yet completed
  • Determine that all unnecessary documentation, drafts and review notes have been removed from the engagement files
  • Remove all documents from the working papers that aren’t necessary to support the auditor’s conclusion
  • Reconsider the assessment of internal controls
  • Revisit the planning documentation

  12. Forming Conclusions
  • Evaluating the audit evidence obtained
  • Evaluating the effects of unrecorded misstatements identified
  • Evaluating fair presentation of the financial report

  13. Management Letter

  14. The Audit Opinion
  • Per Guideline 70, should include:
    • Name of organization being audited
    • Title, signature, and date
    • Statement of audit objectives and whether these were met
    • Scope of the audit
    • Any scope limitations
    • Introductory paragraph
    • Intended audience

  15. The Audit Opinion (Cont’d.)
    • Standards used to perform the audit
    • Detailed explanation of findings
    • Conclusion, including reservations or qualifications
    • Suggestions for corrective action or improvement
    • Significant subsequent events
    • Management’s and auditor’s responsibility for the report
    • Auditor’s address

  16. Three Main Types of IT Audits
  • Attestation
  • Findings and Recommendations
  • SAS 70

  17. Attestation
  • Standard is SSAE 10
  • Includes:
    • Data analytic reviews
    • Commission agreement reviews
    • WebTrust engagements
    • SysTrust engagements
    • Financial projections
    • Compliance reviews

  18. Findings and Recommendations
  • Consulting, or advisory, services
  • Include:
    • Systems implementations
    • Enterprise resource planning implementation
    • Security reviews
    • Database application reviews
    • IT infrastructure and improvements-needed engagements
    • Project management
    • IT internal audit services

  19. SAS 70 Audit
  • Applicable to any service organization that wishes to assure its clients of the existence and effectiveness of internal controls relative to the service provided
  • Two types of SAS 70 audits:
    • Type I
    • Type II
  “SAS 70 - Service Organizations: This section provides guidance on the factors an independent auditor should consider when auditing the financial statements of an entity that uses a service organization to process certain transactions. This section also provides guidance for independent auditors who issue reports on the processing of transactions by a service organization for use by other auditors.” (www.aicpa.org)

  20. Types of SAS 70 Reports
  • Type I: A “walkthrough” that describes a company’s internal controls but does not perform detailed testing of these controls
  • Type II: Detailed testing of controls around the service provided

  21. Representation Letter

  22. Using CobiT to Perform an Audit
  • If no audit program exists, use CobiT to develop the audit program, or
  • Map the existing audit program to company objectives
  Image Sources: Auditing, A Practical Approach, Wiley
