Chapter 4: IT Audit Process Flashcards
(38 cards)
key part of a good process
having an overall audit schedule
should be readily available to let everyone know when each process will be audited over the upcoming cycle (usually a yearly schedule).
overall audit schedule
the message is that this is meant as a support to the process owners and the auditors are there to help
publishing the audit intentions
can allow the process owners to time the finish of any improvement projects that they are working on to be before the audit, so that they can gather valuable information on the implementation, or to request the auditors to focus on helping to gather information for other planned improvements
publishing the audit intentions
first step in planning the individual process audits
confirm with the process owners when the audit will take place
is more of a guideline as to how often processes will be audited, and roughly when
overall plan / overall audit schedule
allows the auditor and process owner to collaborate to determine the best time to review the process
confirmation
This is when the auditor can review previous audits to see if any follow-up is required on comments or concerns previously found, and when the process owner can identify any areas that the auditor can look at to assist the process owner to identify information.
confirmation
can make sure that the process owner will get value out of the audit process
good audit plan
two major steps in planning the IT Audit
- gather information and do some planning
- gain an understanding of the existing internal control structure
is used to assess risk and helps an IT auditor make the decision as to whether to perform compliance testing or substantive testing
risk-based audit approach
in this approach, IT auditors are relying on internal and operational controls as well as the knowledge of the company or the business
risk-based audit approach
can help relate the cost-benefit analysis of the control to the known risk
risk-based audit approach
five items in the “Gathering Information” step the IT auditor needs
a. Knowledge of business and industry
b. Prior year’s audit results
c. Recent financial information
d. Regulatory statutes
e. Inherent risk assessments
the risk that an error exists that could be material or significant when combined with other errors encountered during the audit, assuming there are no related compensating controls
Inherent risks
exist independent of the audit and can occur because of the nature of the business
Inherent risks
five items in the “Gain an Understanding of the Existing Internal Control Structure” step that the IT auditor needs
a. Control Environment
b. Control Procedures
c. Detection Risk Assessment
d. Control Risk Assessment
e. Equate Total Risk
one of the key pieces of information that you will need in the initial steps in planning an IT Audit
current Business Impact Analysis (BIA)
assists you in selecting the applications which support the most critical or sensitive business functions
current Business Impact Analysis (BIA)
should start with a meeting with the process owner to make sure that the audit plan is complete and ready
audit
avenues for the auditor to gather information during the audit
reviewing records, talking to employees, analyzing key process data or even observing the process in action
One of the most valuable things that an auditor can do for a process owner
point out areas of a process that may function better if changes are made
is a necessity to ensure that the flow of information is not delayed
closing meeting with the process owner
will want to know if there are any areas of weakness that need to be addressed, but will also be interested in knowing if any areas exist that might be improved
process owner