The audit function should formulate both long-range and annual plans. Planning is a
basic function necessary to develop the Annual Audit Schedule and perform
individual audits. Such plans describe what must be accomplished, include budgets
of time and costs, and state priorities according to organizational goals and policies.
The objective of audit planning is to optimize the use of audit
resources. To effectively allocate audit resources, internal audit departments must
obtain a comprehensive understanding of the audit universe and the risks associated
with each universe item. Failure to select appropriate items can result in missed
opportunities to enhance controls and operational efficiencies. Internal audit
departments that develop and maintain audit universe files provide themselves with
a solid framework for audit planning. At a minimum, an IT audit plan should:
Define scope
State objectives
Structure an orderly approach
Provide for measurement of achievement
Assure reasonable comprehensiveness
Provide flexibility in approach
At this level, the computer audit plan is stated in general terms. The intent
is to provide an overall approach within which audit engagements can be conducted.
Plans for specific audit engagements are then carried out to sufficient levels of
detail to prepare budgets and actual work assignments. There is, however, another
rationale for conceptualizing the computer audit plan at a general level; both the
systems in development and the state-of-the-art in computer technology are
undergoing constant, dynamic change. Detailed plans at the functional level cannot
hope to anticipate the pattern of such change. Thus, they would quickly become
obsolete and ineffective.
A computer audit plan partitions the audit of IT into discrete segments. These
segments describe a computer systems audit as a series of manageable audit
engagements and steps. At the detailed planning or engagement level, these
segments will have objectives that are custom-tailored to implement organizational
goals and objectives within the circumstances of the audit.
Thus, computer auditing does not call for “canned” approaches. There is no single
series of detailed steps that can be outlined once and then repeated in every audit.
The computer audit plan, therefore, is an attempt to provide an orderly approach
within which flexibility can be exercised.
Once estimated audit hours and other factors have been considered, audit
management should be able to arrange the audit schedule.
Preparing IT Audit Workpapers
Workpapers are the written records kept by an IT auditor to document review
materials, notes, and other sample material—the evidential matter—gathered or
accumulated during an audit. The term workpaper is a rather archaic auditor
expression that describes a physical or computer file that includes the various
schedules, analyses, memoranda prepared, and, in many cases,
copies of documents secured as part of an audit. The common characteristic of all
workpapers, however, is that they describe the results of the internal audit work
performed and should be formally retained for subsequent reference and
substantiation of reported audit conclusions and recommendations. Workpapers
are the bridge between actual internal audit procedures and the audit reports issued.
Not an end in themselves but a means to an end, workpapers are created to fit
particular audit tasks and are subject to a great deal of flexibility. They must support
and document the purposes and activities of an IT auditor, regardless of their specific
form. Thus, workpaper principles and concepts are more important than any specific
formats.
Internal audit workpapers also can have considerable legal significance. In certain
investigations, they have been handed over, through court orders, to government,
legal, or regulatory authorities. When scrutinized by outsiders in this context,
inappropriate workpaper notes or schedules can easily be taken in the wrong
context. They form the documented record of both who performed the audit and who
reviewed that work. IT audit workpapers are the only record of that audit work
performed, and they may provide future evidence of what did or did not happen
in the area of audit interest at some point in time.
This section provides general guidance for preparing, organizing, reviewing, and
retaining workpapers. Once organized in bulky legal-size paper folders, audit
workpapers today are usually stored as computer-based folders or a
combination of paper and computer format documents. As a side note, we
use the term workpaper, although many have used working paper or work paper. All
mean the same thing.
Internal audit workpapers are different in that they may also be used to support or
defend the conclusions reached from the audit. They may be reviewed by others for
various reasons. Members of an internal audit organization may work on common
projects and need to share workpapers to support their individual components of a
larger audit project or to take over an audit performed previously by another
member of the audit staff. It is essential that an internal audit department have a
set of standards to ensure consistent workpaper preparation.
Various techniques may be used by the information systems auditor to gather audit
evidence, including the following five methods:
1. Reviewing organization structure, documentation, standards, and practices.
2. Interviewing appropriate personnel and observing processing and operations.
3. Using audit documentation techniques such as flowcharts,
questionnaires, system narratives, decision trees, decision tables, and control
grids.
4. Applying analytical review procedures and sampling techniques.
5. Using software tools to analyze logs and audit trails built into the system.
Conduct follow up
After issuing a report, the auditor is required to conduct an exit interview with
management to obtain a commitment for the recommendations made in the audit.
Management is responsible for acknowledging the recommendations and
designating whatever corrective action will be taken, including the estimated dates
for the action.
Sometimes events of concern are discovered, or occur, after an audit has been
completed. You would be concerned about the discovery of subsequent events that
pose a material challenge to your final report. Accounting standards recognize these
events and classify them as follows:
Type 1 events refer to those that occurred before the balance sheet date.
Type 2 events are those that occurred after the balance sheet date.
Depending on the type of audit, you may have additional reporting requirements or
activities. These may require additional disclosures or adjustments to your report
based on the nature of the event that was recently discovered or occurred.