Conducting the IT Audit

Audit Standards
AICPA Statements of Auditing Standards (SASs) ISACAIS Audit Standards, Guidelines, and Procedures AICPA Statement on Standards for Attestation Engagements (SSAE) IFAC International Auditing Standards ISACA CobiT

The IT Audit Lifecycle

Planning Risk Assessment Prepare Audit Program Gather Evidence Form Conclusions Deliver Audit Opinion Follow Up

Planning
Scope and control objectives Materiality Outsourcing Gain an understanding of the client and clients industry, business risks

Risk Assessment
Shift is to risk-based audit approach What can go wrong High risk areas require more audit effort Materiality important

The Audit Program

Includes:
Scope Audit objectives Audit procedures Administrative details such as planning and reporting

Generic audit programs are customized for the client and clients technology

Gathering Evidence

Evidence includes:
Observations Documentary evidence Flowcharts, narratives, written policies CAATs procedures

Sampling
Attribute sampling used by IT auditors

Forming Conclusions

Identify reportable conditions

The Audit Opinion

Per Guidelines 70, should include:

Name of organization being audited Title, signature, and date Statement of audit objectives and whether these were met Scope of the audit Any scope limitations Intended audience

The Audit Opinion (Contd.)

Standards used to perform the audit Detailed explanation of findings Conclusion, including reservations or qualifications Suggestions for corrective action or improvement Significant subsequent events

4 Main Types of IT Audits

Attestation Findings and Recommendations SAS 70 SAS 94

Attestation
Standard is SSAE 10 Includes:

Data analytic reviews Commission agreement reviews Webtrust engagements Systrust engagements Financial projections Compliance reviews

Findings and Recommendations

Consulting, or advisory services Include:

Systems implementations Enterprise resource planning implementation Security reviews Database application reviews IT infrastructure and improvements needed engagement Project management IT Internal audit services

SAS 70 Audit
Applicable to any service organization that wishes to assure its clients of the existence and effectiveness of internal controls relative to the service provided Two types of SAS 70 audits

Type I Type II

Types of SAS 70 reports

Type I: A walkthrough, that describes a companys internal controls but does not perform detailed testing of these controls Type II: Detailed testing of controls around the service provided

SAS 94

Requires the auditor to:

Consider how a clients IT processes affect internal control, evidential matter, and the assessment of control risk; Understand how transactions are initiated, entered and processed through the IS, and Understand how recurring and nonrecurring journal entries are initiated, entered, and processed through the IS

Components of a SAS 94 audit

Physical and environmental review Systems administration review Application software review Network security review Business continuity review Data integrity review

Using CobiT to Perform an Audit

If no audit program exists, use CobiT to develop the audit program, or Map existing audit program to company objectives