Audcis Chapter I III

Uploaded by

Erika Napiñas

CHAPTER I. INFORMATION TECHNOLOGY ENVIRONMENT AND IT AUDIT

IT ENVIRONMENT
- Technology
  o Has improved the ability to capture, store, analyze, and process data
  o Became a primary enabler of production & service processes
  o Impacted the control process
    § Control objective – safeguarding assets

ENTERPRISE RESOURCE PLANNING
- A software that provides standard business functionality in an integrated IT environment system (e.g., procurement, inventory, accounting, and human resources).
- Allows multiple functions to access a common database
- Offered by a single vendor
- Ex: SAP, FIS Global, Oracle, Fiserv, Intuit, Inc., Cerner Corporation, Microsoft, Ericsson, Infor, and McKesson
- BENEFITS:
  o Reduces storage costs; and
  o Increases consistency & accuracy from data from a single source
  o Shares real-time information from modules (finance, HR, etc.) residing in one common database, thus FS, analyses, & reports are generated more frequently
  o Has standard methods in place for automating processes (ex. information in HR systems can be used in payroll)
- RISKS:
  o As it is offered by a single vendor, the risks associated with having a single supplier apply
    § Ex. Dependence on a single supplier for maintenance and support, or for software requirements

CLOUD COMPUTING
- "The use of the internet to store and access data and programs." (PC Magazine)
- "Model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." (National Institute of Standards and Technology)
- BENEFITS:
  o Highly flexible virtual environment
  o Availability is significantly promoted
- RISKS:
  o Exposes an organization's sensitive/critical information to potential unauthorized access & exposure
  o Cloud-stored info is vulnerable and susceptible to misuse if it falls into the wrong hands

MOBILE DEVICE MANAGEMENT
- MDM is responsible for managing and administering mobile devices (e.g., smartphones, laptops, tablets, mobile printers, etc.) provided to employees as part of their work responsibilities.
- Specifically, it ensures the ff for mobile devices:
  o Integrate well within the organization and are implemented to comply with organization policies and procedures
  o Protect corporate information (e.g., emails, corporate documents, etc.) and configuration settings for all mobile devices within the organization
- RISKS:
  o Potential risk to the organization's security when it allows direct access to the org's info
  o Can serve as a distraction to employees

OTHER TECHNOLOGY SYSTEMS IMPACTING THE IT ENVIRONMENT
- Internet of Things
  o A system that allows remote assets from "things" (e.g., devices, sensors, objects, etc.) to interact and communicate among themselves and with other network systems.
- Big Data
  o Large volumes of high velocity, complex and variable data that require advanced techniques and technologies to enable the capture, storage, distribution, management, and analysis of the information
  o CHALLENGES:
    § Analysis
    § Capture
    § Data curation
    § Search
    § Sharing
    § Storage
    § Transfer
    § Visualization
    § Querying
    § Updating

IT ENVIRONMENT AS PART OF THE ORGANIZATION STRATEGY
- IT auditors are expected to be well aware of the organization's IT infrastructure, policies, and operations before embarking on their reviews and examinations.
- IT auditors must be capable of determining whether the IT controls put in place by the organization ensure data protection and adequately align with the overall organization goals.

FINANCIAL AUDITING
- Encompasses all activities and responsibilities concerned with the rendering of an opinion on the fairness of financial statements.
- Was spurred by legislation in 1933 & 1934, which created the SEC
- Scope of an audit
  o Covers all equipment and procedures used in processing significant data.
- Financial Accounting Standards Board (FASB)
  o The present governing authority
  o Its responsibility is the implementation of GAAP
- GAAS
  o The second group of standards
  o Was adopted in 1949 by the AICPA for audit
  o Provides broad guidelines, but not specific guidance
  o Covers three strategies:
    § General Standards – relate to professional & technical competence, independence, & due professional care
    § Standards of Fieldwork – encompass planning, evaluation of internal control, sufficiency of evidential matter, or documentary evidence upon which findings are based.
    § Standards of Reporting – stipulate compliance with all accepted auditing standards, consistency with the preceding accounting period, adequacy of disclosure, and, in the event that an opinion cannot be reached, the requirement to state the assertion explicitly.
- International Financial Reporting Standards (IFRS)
  o Created by the International Accounting Standards Board (IASB)
  o Set of accounting standards developed by the IASB that is becoming the global standard for the preparation of public company financial statements

AUDIT FUNCTIONS
- Internal Audit
  o An independent, objective assurance and consulting activity designed to add value and improve an organization's operations
  o IA brings organizations a systematic and disciplined approach to assess and enhance their:
    § Risk management
    § Control & governance processes
    § Accomplishment of goals & objectives
  o Led by the Chief Audit Executive (CAE), who directly reports to the Audit Committee of the BoD and directly reports to the CEO.
  o Primary purpose:
    § To assure that management-authorized controls are being applied effectively
- External Audit
  o Evaluates the reliability and the validity of systems controls in all forms.
  o Is responsible for testing the reliability of client IT systems and should have a special combination of skills and experience.
  o Must be thoroughly familiar with the audit attest function
    § The attest function encompasses all activities and responsibilities associated with the rendering of an audit opinion on the fairness of the financial statements.
  o Must have substantial IT audit experience
  o Primary objective:
    § To minimize the amount of substantial auditing or testing of transactions required to render an opinion on the financial statements.

INFORMATION TECHNOLOGY VS INFORMATION SYSTEMS

IT Auditing
- It is the formal, independent, and objective examination of an organization's IT infrastructure to determine whether the activities (procedures, controls, etc.) involved in gathering, processing, storing, distributing, and using information comply with guidelines, safeguard assets, maintain data integrity, and operate effectively and efficiently to achieve the organization's objectives.
- Provides reasonable assurance (never absolute) that the information from the organization's applications is accurate, complete, & supports effective decision-making within the scope & nature of the engagement

IS
- Represented by three components:
  o People
  o Process
  o IT
- Involves the hardware, software, communication, and other facilities necessary to manage such information

IT AUDITS/AUDITING
- Became an integral part of the audit function because it supports the auditor's judgment on the quality of the information processed by computer systems.
- REASONS FOR ITS IMPLEMENTATION:
  o Increasing dependence on information and the system
  o Increasing vulnerabilities and a wide spectrum of threats
  o Scale and cost of current and future investments in information and IS
  o Potential for technologies to dramatically change organizations and business practices to create new opportunities and reduce costs
- Broad groupings:
  o General Computer Controls Audit
    § Examines IT general controls, including policies and procedures, that relate to many applications and support the effective functioning of application controls.
    § Includes controls over:
      • IS operations
      • Information Security
      • Change control management (ex. system software acquisition, change & maintenance, program change, etc.)
  o Applications Control Audit
    § Examines processing controls specific to the application. Application controls may also be referred to as "automated controls."
    § They are concerned with the accuracy, completeness, validity, and authorization of the data captured, entered, processed, stored, transmitted, and reported
    § Is likely to be effective when general controls are effective
    § Examples:
      • Checking the mathematical accuracy of records
      • Validating data input
      • Performing numerical sequence checks

INFORMATION ASSURANCE
- Defined as information integrity (the level of confidence and trust that can be placed on the information) and service availability.
- Goal:
  o To protect users, business units, and enterprises from the negative effects of corruption of information or denial of services

IT GOVERNANCE
- The process by which an enterprise's IT is directed and controlled.
- BENEFITS:
  o It helps ensure that IT supports business goals
  o Maximizes business investment in IT, and whatever facilities are used to store, process, & transmit data in whatever form
  o Helps ensure the achievement of critical success factors
  o Develops secure & reliable information and applied technology

GOOD INFORMATION SECURITY POLICY
- Encompasses the ff:
  o Specifying required security features
  o Defining "reasonable expectations" of privacy regarding such issues as monitoring people's activities
  o Defining access rights and privileges and protecting assets from losses, disclosures, or damages by specifying acceptable use guidelines for users
  o Providing guidelines for external communications (networks)
  o Defining responsibilities of all users
  o Establishing trust through an effective password policy
  o Specifying recovery procedures
  o Requiring violations to be recorded
  o Acknowledging that owners, custodians, and clients of information need to report irregularities and protect its use and dissemination
  o Providing users with support information

CHAPTER II. LEGISLATION RELATED TO INFORMATION TECHNOLOGY

IT CRIMES AND CYBERATTACKS
- Three main categories of crimes involving computers:
  1) The computer is the target of the crime
     a. Theft of information
     b. Unauthorized access or modification of records
        i. Becoming a super-user through a backdoor in a system
           • Super-user is equivalent to being the system's manager & allows access to almost all areas and functions within the system
  2) The computer is used as an instrument of the crime
     a. Fraudulent use of ATM cards, credit cards, telecommunications, & financial fraud from computer transactions
  3) The computer is not necessary to the crime but is incidental & is used to commit the crime faster
     a. Child pornography
- Cyberattacks
  o An attempt by hackers to damage or destroy a computer network or system.
  o The deliberate and malicious exploitation of computer networks, systems, and data by individuals or organizations to obtain valuable information from the users through fraudulent means
  o Can be labeled as:
    § Cyber Campaigns
    § Cyberwarfare
    § Cyberterrorism

INTERNET CRIME – DESCRIPTION
- Business Email Compromise (BEC): Sophisticated scam targeting businesses working with foreign suppliers and/or businesses who regularly perform wire transfer payments.
- Ransomware: Ransomware is a form of malware targeting both human and technical weaknesses in an effort to deny the availability of critical data and/or systems.
- Tech Support Fraud: Tech support fraud occurs when the subject claims to be associated with a computer software or security company, or even a cable or Internet company, offering technical support to the victim.
- Auto Fraud: A typical automobile fraud scam involves selling a consumer an automobile (listed on a legitimate Website) with a price significantly below its fair market value. The seller (fraudster) tries to rush the sale by stating that he/she must sell immediately due to relocation, family issues, need of cash, or other personal reasons. The seller does not allow for inspecting the automobile nor meet with the consumer face to face. The seller then asks the consumer to wire payment to a third-party agent, and to fax the payment receipt back to him or her as proof of payment. The seller keeps the money and never delivers the automobile.
- Government Impersonation E-mail Scam: This type of Internet crime involves posing as government, law enforcement officials, or simply someone pretending to have a certain level of authority in order to persuade unaware victims to provide their personal information.
- Intimidation/Extortion Scam: This type of crime utilizes demands for money, property, assets, etc. through undue exercise of authority (i.e., threats of physical harm, criminal prosecution, or public exposure) in order to extort and intimidate.
- Real Estate Fraud: Similar to Auto Fraud. The seller (fraudster) tries to rush the sale of a house (with a price significantly below its market rental rates) by stating that he/she must sell immediately due to relocation, new employment, family issues, need of cash, or other personal reasons. Such a significant price reduction is used to attract potential victims. The seller will then ask the consumer to provide personal identifying information and to wire payment to a third party. Upon receiving payment, the seller is never found.
- Confidence Fraud/Romance Scam: This type of crime refers to schemes designed to look for companionship, friendship, or romance via online resources.

RECENT CYBERATTACKS ON US COMPANIES
- Verizon – suffered a data security breach with over 6 million U.S. customers' personal details exposed on the Internet
- Yahoo! – hackers stole information associated with at least 500 million Yahoo! user accounts, including names, e-mail addresses, telephone numbers, encrypted or unencrypted security questions and answers, dates of birth, and encrypted passwords.
- Target – a cyberattack during the 2013 Christmas holiday season compromised Target's computer systems and stole data from up to 40 million customers' credit and debit cards.
- Sony Pictures – the cyberattack stole significant amounts of private and confidential data and released them to the public.
  o Hackers were believed to be linked to the North Korean government, which was extremely angry at the major Hollywood movie studio for producing a movie that portrayed North Korea in a negative way

FEDERAL FINANCIAL INTEGRITY LEGISLATION (SARBANES-OXLEY ACT OF 2002)
- Prohibits all registered public accounting firms from providing audit clients, contemporaneously with the audit, certain non-audit services including internal audit outsourcing, financial-information-system design and implementation services, and expert services, among others.
- Independence compliance issues:
  o Requires auditor rotation for independence acceptance
  o CEO, CFO, Chief Accounting Officer, or any equivalent position cannot be employed by the company's audit firm during the 1-year period preceding the audit
- Requirements for Board of Directors:
  1) Register public accounting firms
  2) Establish or adopt auditing quality control, ethics, independence, and other standards relating to the preparation of audit reports for issuers
     i. Issuers – a legal entity that registers and sells securities to finance its operations
  3) Conduct inspections of accounting firms;
  4) Conduct investigations and disciplinary proceedings, and impose appropriate sanctions
  5) Perform such other duties or functions as necessary or appropriate
  6) Enforce compliance with the act, the rules of the board, professional standards, and the securities laws relating to the preparation and issuance of audit reports and the obligations and liabilities of accountants with respect thereto
  7) Set the budget and manage the operations of the board and the staff of the board.

COMPUTER FRAUD AND ABUSE ACT OF 1984
- The Act requires that certain conditions be present for the crime to be a violation of the CFAA. Only if these conditions are present will the crime fall under violation of the CFAA.
- The three types of attacks that are covered under the Act and the conditions that have to be met include:
  o Fraudulent trespass – This is when a trespass is made with the intent to defraud that results in both furthering the fraud and the attacker obtaining something of value.
  o Intentional destructive trespass – This is a trespass along with actions that intentionally cause damage to a computer, computer system, network, information, data, or program, or result in denial of service and cause at least $1,000 in total loss in the course of a year.
  o Reckless destructive trespass – This is when there is the presence of trespass along with reckless actions (although not deliberately harmful) that cause damage to a computer, computer system, network, information, data, or program, or result in denial of service and cause at least $1,000 in total loss in the course of a year.

COMPUTER SECURITY ACT OF 1987
- General purpose: a declaration from the government that improving the security of sensitive information in federal computer systems is in the public interest
- It assigned responsibility for developing government-wide computer system security standards, guidelines, and security training programs to the National Bureau of Standards
- SIGNIFICANCE: it is fundamental to the development of federal standards for safeguarding unclassified information and establishing a balance between national security and other non-classified issues in implementing security policies within the federal government.

HOMELAND SECURITY ACT OF 2002
- Purpose: to prevent terrorist attacks within the United States and to reduce the vulnerability of the United States to terrorism and any form of attack

PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS OF 2004
- Technical and operational requirements applicable to entities that store, process, or transmit cardholder data, with the intention of protecting such data in order to reduce credit card fraud.
- Was founded in 2006 by major credit card companies, such as American Express, Discover, JCB International, MasterCard, and Visa, Inc., who share equally in governance, execution, and compliance of the Council's work.

FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002
- Was enacted as part of the E-Government Act of 2002 to "provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets and to provide for development and maintenance of minimum controls required to protect Federal information and information systems"
- It requires federal agencies to develop information security programs with the purpose of protecting both the information and the systems implemented to support the operations and assets of the agencies, including those provided or managed by another agency, contractor, or other source

ELECTRONIC SIGNATURE LAWS – UNIFORM ELECTRONIC TRANSACTIONS ACT OF 1999 & ELECTRONIC SIGNATURES IN GLOBAL AND NATIONAL COMMERCE ACT OF 2000
- Two main pieces of legislation with respect to electronic signature laws:
  o Uniform Electronic Transactions Act (UETA)
    § It exists to harmonize state laws concerning retention of paper records (especially checks) and the validity of electronic signatures.
    § Makes electronic signatures valid and in compliance with law requirements when parties ready to enter into a transaction have agreed to proceed electronically.
  o Electronic Signatures in Global and National Commerce Act (ESIGN)
    § A federal law that recognizes electronic signatures and records, granted all applicable contract parties opt to use electronic documents and sign them electronically.
    § Documents with electronic signatures and records are equally as good as their standard paper equivalents, and therefore subject to the same legal examination of authenticity that applies to traditional paper documents and wet ink signatures.
- To be valid under US law, the e-signature must have the ff:
  o There must be a clear intent to sign by all involved parties.
  o Parties to the transaction must consent to do business electronically.
  o The application system used to capture the electronic signature must be configured and ready to retain (for validation purposes) all processing steps performed in generating the electronic signature
    § as well as the necessary electronic signature records for accurate and timely reproduction or restoration, if needed.

PRIVACY LEGISLATION
- Privacy
  o Involves the "freedom from unauthorized intrusion or disclosure of information about an individual."
  o Focuses on protecting personal information about customers, employees, suppliers, or business partners.

PRIVACY ACT OF 1974
- Purpose: to provide certain safeguards to an individual against an invasion of personal privacy.
- This act places certain requirements on federal agencies, such as permitting individuals to:
  o Determine what personal records are collected and maintained by federal agencies
  o Prevent personal records that were obtained for a particular purpose from being used or made available for another purpose without consent
  o Gain access to their personal information in federal agency records and to correct or amend them

ELECTRONIC COMMUNICATIONS PRIVACY ACT OF 1986
- Is one of the leading early pieces of legislation against violation of private information as applicable to online systems
- It specifically prohibits interception and disclosure of wire, oral, or electronic communications, as well as the manufacture or possession of intercepting devices.

COMMUNICATIONS DECENCY ACT OF 1996
- It bans the making of "indecent" or "patently offensive" material available to minors through computer networks.
- The Act imposes a fine of up to $250,000 and imprisonment for up to 2 years.
- The CDA also states that an employer shall not be held liable for the actions of an employee unless the employee's conduct is within the scope of his or her employment.

CHILDREN'S ONLINE PRIVACY PROTECTION ACT OF 1998
- Applies to the online collection of personal information from children under 13.
- The new rules spell out what a Website operator must include in a privacy policy, when and how to seek verifiable consent from a parent, and what responsibilities an operator has to protect children's privacy and safety online.

HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT (HIPAA) OF 1996
- Protects confidentiality and security of healthcare information (e.g., patients' medical records, health information provided to doctors, hospitals).
- Restricts insurers from rejecting workers based on preexisting health conditions; requires security and privacy to protect personal information.

THE HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT OF 2009
- Promotes the adoption and meaningful use of health IT in the United States.
- Provides the U.S. Department of Health and Human Services with the authority to establish programs to improve healthcare quality, safety, and efficiency through the "meaningful use" and promotion of health IT.
- Meaningful use refers to minimum government standards for using electronic health records and exchanging patient data between healthcare providers, healthcare providers and insurers, and healthcare providers and patients.

GRAMM-LEACH-BLILEY ACT OF 1999
- Requires financial institutions to assess, manage, and control risk; oversee service providers; and adjust security programs based on risk.

USA PATRIOT ACT OF 2001
- Deters and punishes terrorist acts in the United States and around the world.
- Enhances law enforcement investigatory tools, among others.

INTERNATIONAL PRIVACY LEGISLATION
- Personal Information Protection and Electronic Documents Act of 2000 (PIPED Act, or PIPEDA) – Canada
  o One of the main purposes of PIPEDA is to support and promote electronic commerce by "protecting personal information that is collected, used or disclosed in certain circumstances." The following 10 principles, established by PIPEDA, govern the collection, use, and disclosure of personal information:
    1) Accountability
    2) Identifying Purposes
    3) Consent
    4) Limiting Collection
    5) Limiting Use, Disclosure, and Retention
    6) Accuracy
    7) Safeguards
    8) Openness
    9) Individual Access
    10) Challenging Compliance
- Law on the Protection of Personal Data Held by Private Parties of 2010 – Mexico
  o The law requires Mexican business organizations (as well as any company that operates or advertises in Mexico or uses Spanish-language call centers and other support services located in Mexico) to have either consent or legal obligation for/when collecting, processing, using, and disclosing personally identifiable information (PII). Organizations dealing with PII must inform individuals about such use and, most importantly, provide notification to all affected persons in the event of a security breach. The law also includes eight general principles that Mexican business organizations must follow when handling personal data:
    § Legality
    § Consent
    § Notice
    § Quality
    § Purpose Limitation
    § Fidelity
    § Proportionality
    § Accountability
- European Union Data Protection Directive of 1995
  o The Directive establishes rigorous limits on the collection and use of personal data, and demands that each member state institute an independent national body responsible for the protection of such data. The Directive impacts European businesses (as well as non-European companies to which data is exported), and includes the seven governing principles described below:
    1. Notice should be given to all affected data subjects when their data is being collected.
    2. Data should only be used for the purpose stated.
    3. Data should not be disclosed without the subject's consent.
    4. Collected data should be kept secure from any potential abuses.
    5. Disclosure of who is collecting the data should be provided to all affected data subjects.
    6. Data subjects should be allowed to access their data and make corrections to any inaccurate data.
    7. Data subjects should have an available method to hold data collectors accountable for following the six principles above.
- Safe Harbor Act of 1998
  o Under the Act, transferring personal data to non-European Union nations (e.g., U.S. companies) not complying with the European "adequacy" standard for privacy protection (established by the European Union Data Protection Directive) is prohibited.
  o The Act (specifically related to U.S. companies doing business in Europe) was intended to bridge the different privacy approaches of the United States and Europe, thus enabling U.S. companies to safely engage in trans-Atlantic transactions without facing interruptions or even prosecution by European authorities.
  o Some key requirements or provisions of the Act include:
    § Companies participating in the safe harbor will be deemed adequate, and data flows to those companies will continue.
    § Member state requirements for prior approval of data transfers either will be waived or approval will be automatically granted.
    § Claims brought by European citizens against U.S. companies will be heard in the United States, subject to limited exceptions.

CONTROL OBJECTIVES FOR INFORMATION AND RELATED TECHNOLOGY (COBIT)
- An authoritative, international set of generally accepted IT practices or control objectives that help employees, managers, executives, and auditors in: understanding IT systems, discharging fiduciary responsibilities, and deciding adequate levels of security and controls.
- It supports the need to research, develop, publicize, and promote up-to-date internationally accepted IT control objectives.
- BENEFITS:
  o It allows management to benchmark its environment and compare it to other organizations.
  o IT auditors can also use COBIT to substantiate their internal control assessments and opinions.
  o It enables IT to be governed and managed in a holistic manner through:
    § Establishing principles, policies, and practical guidance for daily management.
    § Implementing processes to achieve overall IT-related goals and objectives.
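The three application-control examples listed under Applications Control Audit in Chapter I (mathematical accuracy of records, data input validation, numerical sequence checks) re-performed in code, the way an IT auditor would test them against a batch before relying on the control to reduce substantive testing. This is an added example, not code from the notes; the invoice layout, field rules, batch control figure and sample records are constructed assumptions.

```python
"""Application control tests over a constructed batch of sales invoices.

Added illustration for the Applications Control Audit examples in Chapter I
(checking the mathematical accuracy of records, validating data input and
performing numerical sequence checks); this is not code from the original
notes. The record layout, the field rules and the sample batch are assumptions.
"""
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Invoice:
    number: int           # should form a gap-free, ascending sequence
    customer: str         # assumed format: "C" followed by five digits
    issued: str           # ISO date as keyed; must be a real calendar date
    quantity: int         # must be positive
    unit_price: float     # must be positive
    stated_total: float   # total as keyed by the user; recomputed below


# Constructed sample batch. Seeded defects: a duplicate number (1003), a gap
# (1005 missing), a transposed total on 1002 (205.00 keyed for 250.00), a
# malformed customer id and an impossible date on 1004, and a negative
# quantity on 1006.
BATCH = [
    Invoice(1001, "C00017", "2023-03-01", 3, 19.99, 59.97),
    Invoice(1002, "C00042", "2023-03-01", 1, 250.00, 205.00),
    Invoice(1003, "C00042", "2023-03-02", 2, 12.50, 25.00),
    Invoice(1003, "C00042", "2023-03-02", 2, 12.50, 25.00),
    Invoice(1004, "CX0099", "2023-02-30", 4, 10.00, 40.00),
    Invoice(1006, "C00108", "2023-03-03", -1, 99.00, -99.00),
]
# Constructed control figure from the (assumed) batch header document.
BATCH_CONTROL_TOTAL = 474.97

CUSTOMER_ID = re.compile(r"^C\d{5}$")


def sequence_check(invoices):
    """Numerical sequence check: duplicates, gaps and out-of-order numbers."""
    findings, seen, highest = [], set(), None
    for inv in invoices:
        n = inv.number
        if n in seen:
            findings.append(("duplicate", n))
        elif highest is not None and n < highest:
            findings.append(("out_of_order", n))
        elif highest is not None and n > highest + 1:
            findings.extend(("gap", g) for g in range(highest + 1, n))
        seen.add(n)
        highest = n if highest is None else max(highest, n)
    return findings


def input_validation(inv):
    """Data input validation: format and range edits on each keyed field."""
    problems = []
    if not CUSTOMER_ID.match(inv.customer):
        problems.append("customer_format")
    try:
        date.fromisoformat(inv.issued)
    except ValueError:
        problems.append("invalid_date")
    if inv.quantity <= 0:
        problems.append("quantity_range")
    if inv.unit_price <= 0:
        problems.append("price_range")
    return problems


def math_accuracy(inv):
    """Mathematical accuracy: recompute the total from its components and
    return the correct value when it disagrees with what was keyed, else None."""
    expected = round(inv.quantity * inv.unit_price, 2)
    return None if abs(expected - inv.stated_total) < 0.005 else expected


def batch_total_check(invoices, control_total):
    """Batch control total: recomputed sum of stated totals vs the header figure."""
    recomputed = round(sum(inv.stated_total for inv in invoices), 2)
    return recomputed, abs(recomputed - control_total) < 0.005


def run_controls(invoices, control_total):
    """Re-perform all three application controls and collect the exceptions."""
    report = {"sequence": sequence_check(invoices), "input": [], "math": []}
    for inv in invoices:
        problems = input_validation(inv)
        if problems:
            report["input"].append((inv.number, problems))
        expected = math_accuracy(inv)
        if expected is not None:
            report["math"].append((inv.number, inv.stated_total, expected))
    report["batch_total"] = batch_total_check(invoices, control_total)
    return report


if __name__ == "__main__":
    for control, exceptions in run_controls(BATCH, BATCH_CONTROL_TOTAL).items():
        print(f"{control}: {exceptions}")
```

Each exception list is the evidence the auditor documents; an empty report across a representative batch is what supports relying on the automated control.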

CHAPTER III. THE IT AUDIT PROCESS

AUDIT UNIVERSE OBJECTIVES AND CONTEXT


- An inventory of all the potential audit areas within - Everything ultimately depends on both the
an organization & documents the key business objective and the context of the work to be
processes and risks of the organization performed.
- An essential building block to a properly risk-based - By defining appropriate objectives and context of
internal audit process the work, management can ensure that the audit
- Basic functional audit areas: will verify the correct functioning and control of all
o Sales key audit areas.
o Marketing  Objective - what is trying to be accomplished
o Research & development  Context - the environment in which the work
o Customer service will be performed
o Operations
o Human resource IT AUDITS CONDUCTED TO SUPPORT FINANCIAL
o Finance STATEMENT AUDITS
o Information technology - Once the auditor has gained a general familiarity
o Legal with the client’s accounting and financial
procedures, the auditor must decide what applications will have to be examined at a more detailed level.
- The results or findings from an IT audit typically determine the amount of substantive tests that will be performed by financial auditors:
o Effective results (internal controls are operating properly) - the work of the financial auditor would be less on that particular part of the audit.
o Internal controls are lacking or not working effectively - the amount of substantive testing performed by the financial auditor will be much higher.

AUDIT SCHEDULE
- A set of one or more audits planned for a specific time frame and directed towards a specific purpose. (ISO 9000:2015 – Fundamentals and Vocabulary)
- Created annually by Internal Auditing departments
- Takes note of the following:
o Business objectives
o Risks
o Cost (in terms of potential loss of goodwill and revenue, and non-compliance with laws and regulations)
o Timeline of the audit
- Is "risk-based"
- High-risk items = high priority
o Performed together with the Annual Risk Assessment Process
o An ongoing task along with planning
- The audit schedule is a "live document"
o Planning and scheduling are ongoing tasks as risks, priorities, available resources, and timelines change.
o When there are changes, it is always important to relay these changes to the key persons involved.

AUDIT BUDGET AND SCOPING
• Audit Budget
- Created after the audit schedule is determined
- Determines the number of hours to allocate to audit areas and processes
o After determining the audit priorities, audit management will determine the number of available hours to decide how many audits they can complete in a year.
• Scoping
- Defined as the amount of time, documents, and processes which are involved in an audit
- Elaborates the audit areas to be reviewed
- It should clearly identify the critical business process supported by the selected application
- It should state the general control areas that would undergo review

AUDIT TEAM, TASKS, & DEADLINES
• The Audit Plan must include:
o List of members of the audit team
§ Staff
§ Senior
§ Managers or Senior Managers
§ PPD
o Positions and titles of the members
o Tasks of the members
• Deadlines should be reviewed and agreed with the client organization from the start of the audit so that they comply with requirements established by third parties and regulators.
• An audit planning memo is a pre-audit memorandum that contains the information stated above.

AUDIT PROCESS
[figure: audit process flow]

RISK ASSESSMENT
- Considered the foundation of the audit function, as it assists in developing the process for planning individual audits.
- Specifically, it:
o Improves the quality, quantity, and accessibility of planning data, such as risk areas, past audits and results, and budget information;
o Examines potential audit projects in the audit universe and chooses those that have the greatest risk exposure to be performed first;
o Provides a framework for allocating audit resources to achieve maximum benefits; and
o Provides explicit criteria for systematically evaluating and selecting these audits.
- An effective risk assessment planning process allows auditing to be more flexible and efficient to meet the needs of a changing organization, such
as:
o Identifying new risk areas
o Identifying changes in existing risk areas
o Accessing current regulatory and legal information
o Taking advantage of information gathered during the audit process to improve risk assessment

IT RISK ASSESSMENT
- Financial applications are common audits/projects to be ranked
- IT risks surrounding financial applications can be identified through:
o Audits, reviews, inspections
o Reading flowcharts of operations
o Using risk analysis questionnaires
o Analyzing financial statement trends
o Completing insurance policy checklists

AUDIT PLAN
- Objective: to optimize the use of audit resources
- The intent of the audit plan is to provide an overall approach within which audit engagements can be conducted.
- It provides the guidance for auditing the organization's integral processes.
- Planning is a basic function necessary to describe what must be accomplished, include budgets of time and costs, and state priorities according to organizational goals and policies.

PRELIMINARY REVIEW
- The auditor should obtain and review summary-level information and evaluate it in relation to the audit objectives.
- Purpose: to gain an understanding of the IT environment, including the controls in place that are essential to meet the overall audit objectives
- Conducted at a general level, without examining details of individual applications and the processes involved.
o The auditor interviews key personnel to determine policies and practices
- The basis for supporting the information included in the IT audit plan

DESIGN AUDIT PROCEDURES
- The IT auditor must prepare an audit program for the areas being audited, select control objectives applicable to each area, and identify procedures or activities to assess such objectives.
o Audit Program
- A formal plan for reviewing and testing each significant audit subject area disclosed during fact gathering
- The auditor should select subject areas for testing that have a significant impact on the control of the application and those that are within the scope defined by the audit objectives.

ICQ (Internal Control Questionnaire) vs. Audit Program:
- ICQ: in the form of QUESTIONS; used to CHECK controls
- Audit Program: in the form of SPECIFIC PROCEDURES; used to SUBSTANTIATE controls

TEST CONTROLS
- The IT auditor executes audit procedures to test controls, processes, and apparent exposures, including:
• Examining documentary evidence
• Performing corroborating interviews
• Performing inspections
• Personal observations

SUBSTANTIVE TESTING
- Used to determine the accuracy and completeness of information being generated by a process or application.
- Substantive audit tests are designed and conducted to verify the functional accuracy, efficiency, and control of the audit subject.

DOCUMENT RESULTS
- Documenting the results of the work performed, as well as reporting on the findings.
- Audit results should include a description of audit findings, conclusions, and recommendations.

Audit Findings
- Findings identify and describe inaccurate, inefficient, or inadequately controlled audit subjects.
- Audit findings should be individually documented and should at least include the following:
o Name of the IT environment (operating system hosting the relevant financial application(s)) evaluated
o IT area affected (IS operations, information security, change control management)
o Working paper test reference where the finding was identified
o General control objective(s) and activity/ies that failed
o Brief description of the finding
o Where the finding is formally communicated to management (this should reference the Management Letter within the Auditor Report)
o The individual classification of the finding per audit standard AU 325, Communications About Control Deficiencies in an Audit of Financial Statements, as either a deficiency, significant deficiency, or a material weakness*
o Evaluation of the finding, specifically whether it was identified at the design level (i.e., there is no general control in place) or at the operational level (i.e., the general control was in place, but did not test effectively)
o Whether or not the finding represents a pervasive or entity-level risk
o Whether the finding can be mitigated by other compensating general controls, and if so, a reference to where these controls have been tested successfully

COMMUNICATION
- The value of an audit depends, in large part, on how efficiently and effectively its results are communicated.
- It is best to discuss the identified findings with IT management to gain their agreement and begin any necessary corrective action.