faisalcsedu
7/28/2019 Wk 10a- IT Auditing.ppt
Conducting the IT Audit
Audit Standards
- AICPA Statements of Auditing Standards (SASs)
- ISACA IS Audit Standards, Guidelines, and Procedures
- AICPA Statement on Standards for Attestation Engagements (SSAE)
- IFAC International Auditing Standards
- ISACA CobiT
The IT Audit Lifecycle
- Planning
- Risk Assessment
- Prepare Audit Program
- Gather Evidence
- Form Conclusions
- Deliver Audit Opinion
- Follow Up
Planning
- Scope and control objectives
- Materiality
- Outsourcing
- Gain an understanding of the client and client's industry, business risks
Risk Assessment
- Shift is to risk-based audit approach
- What can go wrong
- High risk areas require more audit effort
- Materiality important
The Audit Program
- Includes:
  - Scope
  - Audit objectives
  - Audit procedures
  - Administrative details such as planning and reporting
- Generic audit programs are customized for the client and client's technology
Gathering Evidence
- Evidence includes:
  - Observations
  - Documentary evidence
  - Flowcharts, narratives, written policies
  - CAATs procedures
- Sampling
  - Attribute sampling used by IT auditors
Forming Conclusions
- Identify reportable conditions
The Audit Opinion
- Per Guidelines 70, should include:
  - Name of organization being audited
  - Title, signature, and date
  - Statement of audit objectives and whether these were met
  - Scope of the audit
  - Any scope limitations
  - Intended audience
The Audit Opinion (Contd.)
- Standards used to perform the audit
- Detailed explanation of findings
- Conclusion, including reservations or qualifications
- Suggestions for corrective action or improvement
- Significant subsequent events
4 Main Types of IT Audits
- Attestation
- Findings and Recommendations
- SAS 70
- SAS 94
Attestation
- Standard is SSAE 10
- Includes:
  - Data analytic reviews
  - Commission agreement reviews
  - Webtrust engagements
  - Systrust engagements
  - Financial projections
  - Compliance reviews

http://www.aicpa.org/Research/Standards/AuditAttest/Pages/SSAE.aspx
Findings and Recommendations
- Consulting, or advisory services
- Include:
  - Systems implementations
  - Enterprise resource planning implementation
  - Security reviews
  - Database application reviews
  - IT infrastructure and improvements needed engagement
  - Project management
  - IT Internal audit services
SAS 70 Audit
- Applicable to any service organization that wishes to assure its clients of the existence and effectiveness of internal controls relative to the service provided
- Two types of SAS 70 audits
  - Type I
  - Type II
Types of SAS 70 reports
- Type I: A walkthrough that describes a company's internal controls but does not perform detailed testing of these controls
- Type II: Detailed testing of controls around the service provided
SAS 94
- Requires the auditor to:
  - Consider how a client's IT processes affect internal control, evidential matter, and the assessment of control risk;
  - Understand how transactions are initiated, entered and processed through the IS, and
  - Understand how recurring and nonrecurring journal entries are initiated, entered, and processed through the IS
Components of a SAS 94 audit
- Physical and environmental review
- Systems administration review
- Application software review
- Network security review
- Business continuity review
- Data integrity review
Using CobiT to Perform an Audit
- If no audit program exists, use CobiT to develop the audit program, or
- Map existing audit program to company objectives