
Cisa Module 1 Part B Execution

The document discusses various aspects of auditing information systems, including: 1. Audit project management involves planning audits, building audit plans, executing plans, and monitoring progress against plans. 2. Auditing includes defining scope, formulating objectives, identifying criteria, performing procedures, reviewing evidence, forming conclusions, and reporting. 3. Techniques like continuous auditing and data analytics can help auditors evaluate controls, identify risks, and monitor for abnormalities.

Uploaded by

REJAY89

DOMAIN 1: THE PROCESS OF AUDITING I.S SYSTEMS

PART B: EXECUTION
AUDIT PROJECT MANAGEMENT
• Audit management must ensure the availability of adequate audit resources and a schedule for performing the audits, as well as follow-up reviews on the status of corrective action taken by management (in the case of internal audit).
• The auditing process includes:
  - Scope definition
  - Formulation of audit objectives
  - Identification of audit criteria
  - Performing audit procedures
  - Reviewing and evaluating evidence
  - Forming audit conclusions and opinions
  - Reporting
• Project management techniques for audit projects include the following steps:
  - Plan the audit engagement: plan the audit considering the project-specific risk.
  - Build the audit plan: chart out the necessary audit tasks across a timeline, optimizing resource use.
  - Execute the plan: execute audit tasks against the plan.
  - Monitor project activity: report actual progress against planned audit steps to ensure challenges are managed and scope is completed within time and budget.
AUDIT OBJECTIVES
• Audit objectives are specific goals that must be accomplished by the audit, e.g. assuring compliance with legal and regulatory requirements; confidentiality, integrity, reliability and availability of information and IT resources.
• An auditor must understand how general audit objectives can be translated into specific I.S control objectives.
• An auditor must identify control objectives and the related controls that address the objective.
• An auditor should identify key general and application controls after understanding and documenting business processes and the applications/functions that support these processes and systems.
AUDIT PHASES
1. Planning phase
  - Determine audit subject
  - Determine audit objective
  - Set audit scope
  - Perform pre-audit planning
  - Determine audit procedure
2. Fieldwork and documentation phase
  - Acquire data
  - Test controls
  - Issue discovery and validation
  - Document results
3. Reporting phase
  - Gather report requirements
  - Draft report
  - Issue report
  - Follow up
AUDIT PROGRAMS
Definition: A step-by-step set of audit procedures and instructions that should be performed to complete an audit. It is based on the scope and objective of the particular assignment.
Main purposes of developing an audit program:
• Formal documentation of audit procedures and sequential steps
• Creation of procedures that are repeatable and easy to use by internal or external audit professionals
• Documentation of the type of testing that will be used (compliance/substantive)
• Meeting generally accepted audit standards that relate to the planning phase in the audit process
FRAUD, IRREGULARITIES AND ILLEGAL ACTS

• Management is primarily responsible for establishing, implementing and maintaining an internal control system that leads to the deterrence or timely detection of fraud.
• I.S auditors should observe and exercise due professional care and be alert to the possible opportunities that allow fraud to materialize.
• Whenever there are instances or indicators of fraud, an I.S auditor should communicate the need for a detailed investigation to appropriate authorities.
AUDIT WORK PAPERS

• All audit plans, programs, activities, tests, findings and incidents should be properly documented in work papers.
• Format and media of work papers vary depending on specific needs of the department.
• Work papers can be considered the bridge or interface between the audit objectives and the final report.
SAMPLING METHODOLOGY

• IS auditors should design and select an audit sample, perform audit procedures and evaluate sample results to obtain sufficient and appropriate evidence to form a conclusion.
• In so doing, the auditor should consider the purpose of the sample: whether it is for compliance testing (effectiveness of controls) or substantive testing (material weaknesses at the assertion level).
COMPLIANCE VS. SUBSTANTIVE TESTING

• Compliance: tests compliance with internal controls, e.g. user access rights, documentation procedures, review of logs.
• Substantive: verifies the integrity of actual testing, e.g. performance of a complex calculation on a sample of accounts.
SAMPLING

• Sampling is performed when time and cost considerations preclude a total verification of all transactions or every predefined population. It is used to infer characteristics about a population based on characteristics of a sample.
• General approaches to audit sampling:
  - Statistical: objective; uses mathematical laws; quantitative.
  - Non-statistical: judgemental; based on subjective judgement.
Sampling Risk

• Incorrect acceptance: a material weakness is assessed as unlikely when, in fact, the population is materially misstated; and
• Incorrect rejection: a material weakness is assessed as likely, when, in fact, the population is materially misstated.
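As an added illustration of the statistical approach (not part of the original slides), the Python sketch below sizes and evaluates an attribute sample for a compliance test while capping the risk of incorrect acceptance. The tolerable deviation rate, the 1,200-item population, the seed and all function names are assumptions chosen for the example.

```python
import math
import random

def sample_size_zero_expected(tolerable_rate, risk):
    """Smallest n for which a population deviating at the tolerable rate would
    show zero deviations with probability <= risk of incorrect acceptance."""
    return math.ceil(math.log(risk) / math.log(1.0 - tolerable_rate))

def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))

def upper_deviation_limit(n, deviations, risk):
    """One-sided exact upper bound on the population deviation rate,
    found by bisection on the binomial CDF (which decreases as p grows)."""
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(deviations, n, mid) > risk:
            lo = mid
        else:
            hi = mid
    return hi

def select_sample(population_ids, n, seed):
    """Seeded random selection so the work papers can reproduce the sample."""
    return sorted(random.Random(seed).sample(population_ids, n))

def evaluate(n, deviations, tolerable_rate, risk):
    """Return (control_supported, upper_limit) for the observed deviations."""
    limit = upper_deviation_limit(n, deviations, risk)
    return limit <= tolerable_rate, limit

if __name__ == "__main__":
    n = sample_size_zero_expected(tolerable_rate=0.05, risk=0.05)
    sample = select_sample(list(range(1, 1201)), n, seed=2024)  # assumed population
    print("sample size:", n, "first items:", sample[:5])
    for found in (0, 1):
        ok, limit = evaluate(n, found, 0.05, 0.05)
        print(f"{found} deviation(s): upper limit {limit:.2%}, supported={ok}")
```

A single deviation in this sample pushes the upper limit above the tolerable rate, so the auditor would extend testing or reduce reliance on the control rather than accept it.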
AUDIT EVIDENCE COLLECTION TECHNIQUES

• Audit evidence may include:
  - Auditor's observations, notes from interviews, results of independent confirmations by stakeholders, correspondences and internal documentation, results of audit procedures.
• Determinants for evaluating reliability of audit evidence:
  - Independence of the provider
  - Qualifications of the individual providing the evidence
  - Objectivity of the evidence
  - Timing of the evidence
AUDIT EVIDENCE COLLECTION TECHNIQUES

• Techniques for gathering evidence:
  - Reviewing IS organization structures
  - Reviewing IS policies and procedures
  - Reviewing IS standards
  - Reviewing IS documentation
  - Interviewing appropriate personnel
  - Observing processes and employee performance
  - Re-performance
  - Walk-throughs
DATA ANALYTICS

• By use of technology, an I.S auditor can select and analyze full data sets to continuously audit or monitor key organizational data for abnormalities or variances that can be used to identify and evaluate organizational risk and compliance with control and regulatory requirements.
• An I.S auditor can use data analytics for the following purposes:
  - Determination of the operational effectiveness of the current control environment
  - Determination of the effectiveness of antifraud procedures and controls
  - Identification of business process errors
  - Determination of business process improvements and inefficiencies in the control environment
  - Identification of fraud
  - Identification of poor quality data
  - Performance of risk assessment
  - Identification of exceptions or unusual business rules
DATA ANALYTICS

• The process for collecting and analyzing data includes the following elements:
  - Setting the scope
  - Identifying and obtaining data
  - Validating the data
  - Executing the tests
  - Documenting results
  - Reviewing results
  - Retaining results
• Data analytics can be effective for an I.S auditor in both the planning and fieldwork phases.
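The sketch below is an added example (not from the original slides) that walks the validate, execute and document steps over a full data set rather than a sample. The extract, its column names, the control total and the terminated-user access test are all constructed for illustration.

```python
import csv, hashlib, io
from datetime import date

# Constructed extract (not real data): account list joined with HR termination dates.
EXTRACT = """user_id,enabled,last_login,termination_date
u001,Y,2024-05-02,
u002,Y,2024-05-20,2024-04-30
u003,N,2024-01-11,2024-02-01
u004,Y,2024-03-15,2024-03-31
u004,Y,2024-03-15,2024-03-31
u005,Y,not-a-date,
"""
EXPECTED_ROWS = 6  # control total from the data owner (assumed value)

def parse_date(value):
    return date.fromisoformat(value) if value else None

def validate(text, expected_rows):
    """Validate the data: reconcile the row count, reject bad dates and duplicates."""
    rows = list(csv.DictReader(io.StringIO(text)))
    issues = [] if len(rows) == expected_rows else [f"row count {len(rows)} != {expected_rows}"]
    clean, seen = [], set()
    for r in rows:
        try:
            r["last_login"] = parse_date(r["last_login"])
            r["termination_date"] = parse_date(r["termination_date"])
        except ValueError:
            issues.append(f"{r['user_id']}: unparseable date")
            continue
        if r["user_id"] in seen:
            issues.append(f"{r['user_id']}: duplicate record")
            continue
        seen.add(r["user_id"])
        clean.append(r)
    return clean, issues

def execute_tests(rows):
    """Execute the tests over every validated record, not a sample."""
    exceptions = []
    for r in rows:
        term = r["termination_date"]
        if term and r["enabled"] == "Y":
            exceptions.append((r["user_id"], "account enabled after termination"))
        if term and r["last_login"] and r["last_login"] > term:
            exceptions.append((r["user_id"], "login after termination"))
    return exceptions

def run(text=EXTRACT, expected_rows=EXPECTED_ROWS):
    """Document results with a hash of the extract so retained evidence is verifiable."""
    clean, issues = validate(text, expected_rows)
    return {"extract_sha256": hashlib.sha256(text.encode()).hexdigest(),
            "records_tested": len(clean), "data_issues": issues,
            "exceptions": execute_tests(clean)}
```

Records rejected during validation are reported as data issues instead of being silently dropped, which keeps poor-quality data visible in the work papers.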
COMPUTER-ASSISTED AUDIT TECHNIQUES (CAATS)

• CAATS are used for gathering and analyzing data.
• They enable an auditor to gather information independently.
• They provide a means to gain access and analyze data for a predetermined audit objective and report the findings with emphasis on reliability of the records produced and maintained in the system.
• The reliability of the source of the information used provides assurance on the generated findings.
• CAATS include types of tools and techniques such as:
  - Generalized audit software (GAS): software that has the capability to directly read and access data from various database platforms, file systems and ASCII formats.
  - Utility software: a subset of software that provides evidence about system control effectiveness.
  - Test data: involves using a sample set of data to assess whether logic errors exist.
  - Expert systems: query-based systems built on the knowledge base of senior auditors or managers; they give direction and valuable information to all levels of auditors.
COMPUTER-ASSISTED AUDIT TECHNIQUES (CAATS)

• The tools and techniques can be used for performing audit procedures such as:
  - Test of transactions and balances
  - Analytical review procedures
  - Compliance tests of I.S general controls
  - Compliance tests of I.S application controls
  - Network and OS vulnerability assessments, e.g. Wireshark, Nmap, Nessus
  - Penetration testing, e.g. John the Ripper
  - Application security testing and source code security scans
COMPUTER-ASSISTED AUDIT TECHNIQUES (CAATS)
• An I.S auditor should have a thorough understanding of CAATS and know where and when to apply them.
• An I.S auditor should weigh the costs and benefits of using CAATS before going through the effort, time and expense of purchasing or developing them.
• Factors to consider include:
  - Ease of use, training requirements, complexity of coding, flexibility of uses, installation requirements, processing efficiencies, ensuring integrity of imported data, confidentiality of data being processed, reliability of the software, among others.
• CAATS provide the ability to improve audit efficiency through continuous online auditing techniques.
CONTINUOUS AUDITING AND MONITORING
Definition: An approach used to monitor system reliability on a continuous basis and gather selective audit evidence through the computer.

Continuous auditing: Tests and assessments are performed in a real-time or near-real-time environment. It is designed to enable an IS auditor to report results within a much shorter time frame than under a traditional audit approach.

Continuous monitoring: Used by an organization to observe the performance of one or many processes, systems or types of data, e.g. real-time antivirus or IDSs.
CONTINUOUS AUDITING AND MONITORING
• Continuous auditing should be independent of continuous control or monitoring activities.
• Continuous auditing efforts often incorporate new IT developments; increased processing capabilities of current hardware, software, standards and AI tools; and attempts to collect and analyze data at the moment of the transaction.
• Continuous auditing aims to provide a more secure platform to avoid fraud and a real-time process aimed at ensuring a high level of financial control.
REPORTING AND COMMUNICATION TECHNIQUES
• Effective and clear communication can significantly improve the quality of audits and maximize their results.
• Successful resolution of audit findings with auditees is essential so that auditees will adopt the recommendations in the report and initiate prompt corrective action.
• The concept of materiality should be understood when reporting on audit results.
COMMUNICATING AUDIT RESULTS
• Exit interviews are conducted at the end of the audit to discuss findings and recommendations with the auditee management.
• During the interview an auditor should:
  - Ensure that the facts presented are correct and material.
  - Ensure that the recommendations are realistic and cost-effective; if not, seek alternatives through negotiation with auditee management.
  - Recommend implementation dates for agreed-on recommendations.
AUDIT REPORT OBJECTIVES
• 6 objectives of audit reporting include:
  - Formally present audit results to the auditee.
  - Serve as a formal closure of the audit engagement.
  - Provide statements of assurance and, if needed, identification of areas requiring action and related recommendations.
  - Serve as a valued reference for any party researching the auditee or audit topic.
  - Serve as a basis for a follow-up audit if audit findings were presented.
  - Promote audit credibility. This depends on the report being well developed and well written.
FOLLOW-UP ACTIVITIES

• An auditor is not effective if audits are performed and reports issued, but no follow-up is conducted to determine whether management has taken appropriate corrective actions.
• External IS auditors may not necessarily have a follow-up program; they may achieve these tasks if agreed to by the auditee.
QUALITY ASSURANCE AND IMPROVEMENT OF THE AUDIT PROCESS
CONTROL SELF-ASSESSMENT (CSA)
• This is an assessment of controls made by the staff and management of the unit or units involved.
• It is a management technique that assures stakeholders, customers and other parties of the internal control system's reliability.
• It ensures that employees are aware of the risk to the business and they conduct periodic, proactive reviews of controls.
• It is used to review key business objectives and the internal controls designed to manage business risk in a formal, documented and collaborative process.
• An IS auditor acts in the role of facilitator to the business process owners to help them define and assess appropriate controls, and helps them understand the need for controls, based on risk to the business processes.
CONTROL SELF-ASSESSMENT (CSA)

Objectives of CSA
• The PRIMARY objective of a CSA program is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional areas.
• CSA programs also educate management about control design and monitoring, particularly concentrating on areas of high risk.
• CSA is not intended to replace audit's responsibilities but to enhance them.
CONTROL SELF-ASSESSMENT (CSA)

Benefits of CSA
• Early detection of risk
• More effective and improved internal controls
• Creation of cohesive teams through employee involvement
• Development of a sense of ownership of the controls in the employees and process owners; reduction of their resistance to control improvement initiatives
• Increased employee awareness of the organizational objectives, and knowledge of risk and internal controls
• Increased communication between operational and top management
• Highly motivated employees
• Improved audit rating process
CONTROL SELF-ASSESSMENT (CSA)

Disadvantages of CSA
• It could be mistaken as an audit function replacement.
• It may be regarded as an additional workload.
• Failure to act on improvement suggestions could damage employee morale.
• Lack of motivation may limit effectiveness in detection of weak controls.
INTEGRATED AUDITING
Definition: A process whereby appropriate audit disciplines are combined to assess key internal controls over an operation, process or entity, with a focus on risk.
• A key element of the integrated approach is a discussion among the whole audit team of emerging risk, with consideration of impact and likelihood.
• It demands a focus on business risk and a drive for creative control solutions.
• The process typically involves:
  - Identification of risk faced by the organization for the area being audited
  - Identification of relevant key controls
  - Review and understanding of the design of key controls
  - Testing that key controls are supported by the IT system
  - Testing that management controls operate effectively
  - A combined report or opinion on control risk, design and weakness
INTEGRATED AUDITING PROCESS

[Slide figures not reproduced: Identification; Illustration]

INTEGRATED AUDITING
Benefits of integrated audit:
• Using this approach permits a single audit of an entity with one comprehensive report.
• It assists in staff development and retention by providing greater variety and the ability to see how all of the elements mesh together.

NOTE: A CISA candidate should be familiar with the integrated audit process and steps.
