Advances in IT Standards and Standardization Research - IT Auditing Using a System Perspective
Latest Publications


Total documents: 10 (five years: 0)

H-index: 0 (five years: 0)

Published By IGI Global

9781799841982, 9781799841999

Ascertaining the degree of correspondence between audit area assertions or direct subject matter and audit criteria is a professional mandate. Under normal circumstances, audit area planning, study, and testing permit IT audit team members to submit working papers for review by the in-charge IT auditor. Preceding IT audit report preparation, the in-charge IT auditor must review documented inconsistencies and departures from applicable IT principles discovered during the engagement. Moreover, the in-charge IT auditor must apply an in-depth understanding of what constitutes appropriate audit evidence. Chapter 7 conveys evidential working papers expectations that assist in ensuring appropriate audit engagement fieldwork. Chapter 7 also discusses the assessment of audit findings and the evaluation of audit working papers.


When addressing IT audit planner responsibilities, the in-charge IT auditor must inscribe and communicate an engagement's objectives, ambit, and examinable units based on an obtained audit area understanding. Through synthesizing relevant audit standards and guidelines as well as professional experience, Chapter 2 presents crucial outputs for completing the IT audit planning process. Chapter 2 discusses issues related to planned compliance and substantive testing and then provides primary documentation requirements of an operational IT audit plan. Chapter 2 also presents IT audit planner tasks when conferencing with the engagement auditee(s) and associated communication distribution.


One of the more pivotal aspects of an IT audit engagement is IT audit follow-up. Depending on the ambit and terms of the engagement as well as under a relevant information systems audit standard, external IT auditors may rely on an internal IT audit function to follow up on agreed-on corrective actions. Follow-up responsibilities for ongoing internal audit activities should receive inscription in the audit charter of the internal IT audit function and for external IT audit assignments in the engagement letter. Chapter 10 details follow-up as a continuing IT audit engagement, a separate follow-up engagement, and agreed-upon follow-up procedures covering corrective actions. Chapter 10 also provides IT audit follow-up tasks for determining satisfactory and unsatisfactory corrective action deployments.


IT audit testing addresses auditable unit risks of the IT audit area. Selecting appropriate techniques, methods, and tools for conducting audit testing can be challenging. Sufficient evidential matter collection requires alignment with audit fieldwork standards that affect the type and means of acquisition by IT audit team members. When test audit evidence is unobtainable, the assigned IT auditor should attempt to acquire appropriate and sufficient evidence by activating alternative procedures directly related to the engagement test plan. Upon completion of an IT audit test, the assigned IT auditor determines whether errors in an auditable unit population exceed the tolerable error rate. Chapter 6 presents how to conduct, measure, and document IT audit area tests.


No matter whether the engagement team members use one, a combination, or all control study techniques, upon completion, the assigned IT auditors should have a sufficient understanding to perform competent audit area controls evaluation. That is, controls study completion empowers an IT audit team with the ability to determine if adequate controls deployment exists for key IT audit area processes, activities, and tasks. Chapter 4 conveys the evaluation of audit evidence, audit working papers development, determining if control objectives are met, reassessing IT audit risk, and assessing planned IT audit testing.


To fulfill audit planner responsibilities, the information technology (IT) auditor must determine examinable units using a selection method for engagements. Through synthesis of relevant audit standards and guidelines as well as professional experience, Chapter 1 presents crucial inputs to the IT audit planning process to organize a comprehensive assessment of an IT audit area. Chapter 1 discusses how to obtain an understanding of assurance objectives, enterprise objectives, and business practices for an IT audit project. Moreover, Chapter 1 discusses IT audit materiality, IT audit risk assessment tasks, and presents foundational control appraisal tasks from a system perspective.


After assessing sufficient, reliable, relevant, and useful evidence from planning through fieldwork, formal IT audit results communication is the next IT audit activity. IT audit area reporting conveys an opinion concerning control adequacy after planning, studying, and testing material or significant auditable units. Completing the working papers review and assessment prepares the in-charge IT auditor for drafting a report stating an opinion reflecting conclusions drawn from engagement area evidence. Reviewing the audit report draft with audit area personnel is a courtesy that can ensure final audit report validity. Chapter 8 details draft audit reporting preparation, review, and distribution. Chapter 8 also details the IT audit closing conference as well as the final audit review and distribution.


At inception, the study of control processes demands an IT auditor identify and relate applicable auditing standards to control activities. An IT audit controls study produces sufficient audit area documentation, demonstrating a comprehensive investigation concerning IT and related manual processes associated with the defined auditable units. Most business processes have control measures assisting in accomplishing the audit area's control objectives. Chapter 3 covers the IT audit study of control activity through presenting tasks addressing internal and external control systems, general and application controls, as well as laws and regulations. Additionally, Chapter 3 discusses the documentation of audit evidence.


Whether an IT auditor is engaged in internal or external IT audit reporting, after formal audit results communication, IT audit follow-up is an engagement requirement. The IT auditor assigned responsibility for tracking and assessing audit area responses must have skills to confirm appropriate corrective actions deployment. The IT audit reporting process prepares an IT auditor for providing appropriate follow-up concerning resolved and unresolved audit issues. If the deployment of a corrective action does not occur, the assigned IT auditor should seek support from higher levels of audit area management for achieving recommendation implementation within a reasonable timeframe. Chapter 9 presents management's proposed actions, IT audit follow-up materiality, and IT audit follow-up criticality. Chapter 9 also addresses the management response assessment of corrective actions.


Audit testing objectives, frequently, are determined in the preceding audit processes: planning as well as study and evaluation of controls. IT audit test materiality influences the audit testing nature, timing, and extent. In designing tests, the in-charge auditor must choose between statistical and non-statistical testing methodologies. Compliance and substantive testing may take the form of inquiry, observation, inspection, or re-performance. Sampling method selection reflects whether audit area statistical inferences are going to occur concerning the target population. Sampling risk, acceptable error rate, and the expected extent of errors in the population are sample size consideration factors. Chapter 5 conveys how to determine IT audit test objectives, test materiality, test methods, test designs, and designing audit tests.

