
Audit Plan

The audit function should formulate both long-range and annual plans. Planning is a
basic function necessary to develop the Annual Audit Schedule and perform
individual audits. Such plans describe what must be accomplished, include budgets
of time and costs, and state priorities according to organizational goals and policies.
The objective of audit planning is to optimize the use of audit
resources. To effectively allocate audit resources, internal audit departments must
obtain a comprehensive understanding of the audit universe and the risks associated
with each universe item. Failure to select appropriate items can result in missed
opportunities to enhance controls and operational efficiencies. Internal audit
departments that develop and maintain audit universe files provide themselves with
a solid framework for audit planning. At a minimum, an IT audit plan should
• Define scope
• State objectives
• Structure an orderly approach
• Provide for measurement of achievement
• Assure reasonable comprehensiveness
• Provide flexibility in approach

At this level, the computer audit plan is stated in general terms. The intent
is to provide an overall approach within which audit engagements can be conducted.
Plans for specific audit engagements are then carried out to sufficient levels of
detail to prepare budgets and actual work assignments. There is, however, another
rationale for conceptualizing the computer audit plan at a general level; both the
systems in development and the state-of-the-art in computer technology are
undergoing constant, dynamic change. Detailed plans at the functional level cannot
hope to anticipate the pattern of such change. Thus, they would quickly become
obsolete and ineffective.

A computer audit plan partitions the audit of IT into discrete segments. These
segments describe a computer systems audit as a series of manageable audit
engagements and steps. At the detailed planning or engagement level, these
segments will have objectives that are custom- tailored to implement organizational
goals and objectives within the circumstances of the audit.

Thus, computer auditing does not call for “canned” approaches. There is no single
series of detailed steps that can be outlined once and then repeated in every audit.
The computer audit plan, therefore, is an attempt to provide an orderly approach
within which flexibility can be exercised.

A professional IT audit environment supports a professional staff by maximizing the
effect of special skills and abilities and minimizing redundant activity. Key
prerequisites for a professional environment are a firm management
commitment to discipline and orderly planning and a structured methodology
for auditing.

Once estimated audit hours and other factors have been considered, audit
management should be able to arrange the audit schedule.

Preparing IT Audit Workpapers
Workpapers are the written records kept by an IT auditor to document review
materials, notes, and other sample material—the evidential matter—gathered or
accumulated during an audit. The term workpaper is a rather archaic auditor
expression that describes a physical or computer file that includes the various
schedules, analyses, memoranda prepared, and, in many cases,
copies of documents secured as part of an audit. The common characteristic of all
workpapers, however, is that they describe the results of the internal audit work
performed and should be formally retained for subsequent reference and
substantiation of reported audit conclusions and recommendations. Workpapers
are the bridge between actual internal audit procedures and the audit reports issued.
Not an end in themselves but a means to an end, workpapers are created to fit
particular audit tasks and are subject to a great deal of flexibility. They must support
and document the purposes and activities of an IT auditor, regardless of their specific
form. Thus, workpaper principles and concepts are more important than any specific
format.

Internal audit workpapers also can have considerable legal significance. In certain
investigations, they have been handed over, through court orders, to government,
legal, or regulatory authorities. When scrutinized by outsiders in this context,
inappropriate workpaper notes or schedules can easily be taken in the wrong
context. They form the documented record of both who performed the audit and who
reviewed that work. IT audit workpapers are the only record of that audit work
performed, and they may provide future evidence of what did or did not happen
in the area of audit interest at some point in time.

This section provides general guidance for preparing, organizing, reviewing, and
retaining workpapers. Once organized in bulky legal-size paper folders, audit
workpapers today are usually stored as computer-based folders or as a
combination of paper and computer-format documents. As a side note, we
use the term workpaper, although many have used working paper or work paper. All
mean the same thing.

The objective of audit workpapers is to document that an adequate audit was
conducted following professional standards. The IT auditor can perhaps better
understand the overall role of workpapers in the audit process by
considering the major functions these documents serve:
• Basis for planning an audit. Workpapers from a prior audit provide
an IT auditor with background information for conducting a current review
in the same overall area. They may contain descriptions of the entity,
evaluations of internal control, time budgets, audit programs used, and other
results of past audit work.
• Record of audit work performed. Workpapers
describe the current audit work performed and reference it to an
established audit program, discussed previously. Even if the audit is of a
special nature, such as an IT network fraud investigation where there may not
be a formal audit program, a record should be established of the actual audit.
This workpaper record should include a description of activities reviewed,
copies of or Web links to representative files, the extent of the audit coverage,
and the results obtained.
• Use during the audit. In many instances, the workpapers prepared play a
direct role in carrying out the specific audit effort. For
example, the workpapers can contain control logs for such areas
as the responses received as part of an accounts receivable customer
balance independent confirmation audit. Similarly, a flowchart might be
prepared and then used to provide guidance for a further review of the actual
activities in some process. Each of these would have been included
in the workpapers in a previous audit step.
• Support for specific audit conclusions. The final product of most internal
audits is a formal audit report containing findings and
recommendations. The findings may be actual evidence, such as a copy of a
purchase order lacking a required signature, or derived evidence, such
as the output report from a computer-assisted procedure against a data file or
notes from an interview. The workpapers should provide sufficient evidential
matter to support the specific audit findings that would be included in
an audit report.
• Reference source. Workpapers can answer additional questions raised by
management, the operational or financial internal audit group, or external
auditors. Such questions may be in connection with a particular audit report
finding or its recommendation, or they may relate to other inquiries. For
example, management may ask IT audit whether a reported systems weakness
also exists at another location that is not
part of the current audit. The workpapers from that review may
provide the answer. Workpapers also provide basic background materials that
may be applicable to future audits of the particular entity or activity.
• Staff appraisal. The performance of an IT audit staff member during a
review, including that auditor's ability to gather and organize data, evaluate it,
and arrive at conclusions, is reflected in the workpapers.
• Audit coordination. Internal auditors on occasion exchange workpapers with
external auditors, each relying on the other's work. In addition, government
auditors, in their regulatory reviews of internal controls, may request to
examine the internal auditor's workpapers.

In some respects, audit workpapers are no different from the formal
files of correspondence, e-mails, and notes that are part of any well-managed
organization. A manager would keep files of incoming and outgoing correspondence,
notes based on telephone conversations, and the like. However, these files are
based on just good practices and may vary from one manager to another in an
organization. The manager may never be called on to retrieve these personal files to
support some organization decision or other action.

Internal audit workpapers are different in that they may also be used to support or
defend the conclusions reached from the audit. They may be reviewed by others for
various reasons. Members of an internal audit organization may work on common
projects and need to share workpapers to support their individual components of a
larger audit project or to take over an audit performed previously by another
member of the audit staff. It is essential that an internal audit department have a
set of standards to ensure consistent workpaper preparation.

EVIDENCE COLLECTION AND EVALUATION


An area of concern for an information systems auditor is collection of evidence
during audit. Very often internal controls used in the information systems are built
into the system. For example, a bank teller will not get payment authorization against
a presented check if the available balance is not sufficient. This internal control is
built into the application software. Consequently, auditors have to interact with
the system to collect necessary evidence of the existence and efficiency of internal
controls. The auditor has to evaluate whether a control is acting reliably, and assess
impact of its functioning through the system. It may be noted that the evidence in
the case of information systems auditors is expressed in terms of the working of
the system and processes and not necessarily in terms of financial impact. Though
the information systems auditor may use the same set of tools and techniques that
are employed by the financial auditor for the purpose of extracting data, the scope of
application of these tools will be quite different.

It must be appreciated that the financial system is intensely connected with
the information systems in almost all organizations. Thus there can always be certain
controls that perform a dual role in terms of satisfying the control requirements of
both financial systems and information systems. In other words, the
financial systems audit can supplement the information systems audit, and vice
versa.

Techniques of Audit Evidence Collection

Various techniques may be used by the information systems auditor to gather audit
evidence, including the following five methods:
1. Reviewing organization structure, documentation, standards, and practices.
2. Interviewing appropriate personnel and observing processing and operations.
3. Using audit documentation techniques such as flowcharts,
questionnaires, system narratives, decision trees, decision tables, and control
grids.
4. Applying analytical review procedures and sampling techniques.
5. Using software tools to analyze logs and audit trails built into the system.

Categories of Audit Evidence

An information systems auditor may select the appropriate methodology for
collection of evidence from the 10 categories listed below:
1. Physical examination: Physical inspection for presence of
tangible information systems assets. The information systems auditor may
physically count and inspect for the presence of kinds of computer equipment,
such as terminals, printers, and so forth.
2. Confirmation: A response from an independent third party, mostly written
and provided at the request of the auditor, verifying a fact or the accuracy
of information.
3. Documentation: Examination of documents and records to
substantiate information, especially those involving the designing and
functioning of software and network. For example, a review of service
agreements will substantiate the service entitlement claims made by the
auditee.
4. Observation: This involves observing the conduct of specific activities. For
example the auditor may verify whether a particular operation is performed
under dual control. Observations usually require corroborative evidence to be
substantiated.
5. Inquiry: Here evidence is created by obtaining written and
oral information from the auditee in response to specific queries. Additional
corroborating evidence is required since the responding person is not an
independent entity.
6. Processing accuracy: Processing accuracy involves rechecking a sample of
activities performed by the auditee for confirming processing accuracy. For
example, an information systems auditor can test processing accuracy of
computations with use of appropriate software, observing logs, or by
reviewing data in certain fields in the object data file.
7. Screenshots: The auditor may take screenshots of errors that are observed
during the audit. Various operating systems provide different methodologies to
obtain the screenshot.
8. Log files: Access logs, transaction logs, fault logs, and other audit trails
provide corroborative evidence of errors. Their value as evidence depends on the
auditor confirming that the logs themselves are complete and protected from
alteration.
9. Testing software results: Where software has been used for testing, for
example, network security testing, the output reports generated by such
software provide evidence of errors in the system.
10. Analytical procedures: These involve the use of comparisons and
relationships to determine the reasonableness of the processes and activities
being audited. For example, an information systems auditor may examine the
number of times during two audit periods that accounts were locked out
because of inaccurate passwords and form an opinion on whether there has
been an increased attempt of access violation.
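The processing-accuracy category above (item 6) asks the auditor to recheck a sample of the system's own computations. The following is an added example, not part of the original text: it reads a constructed extract of an invoice data file (the field names qty, unit_price, tax_rate and stored_total are assumed), recomputes each line total in exact decimal arithmetic, and reports every line where the stored value disagrees with the recomputation.

```python
"""Recompute a sample of system-generated totals and compare them with the
values the application stored (processing-accuracy evidence).

Added illustration: the extract below is constructed, not taken from any
real system, and its column names are assumed for the example.
"""
import csv
import io
import random
from decimal import Decimal, ROUND_HALF_UP

# Constructed extract of the "object data file": one invoice line per row,
# with the line total the application stored.
SAMPLE_EXTRACT = """\
invoice,qty,unit_price,tax_rate,stored_total
1001,3,19.99,0.20,71.96
1002,1,0.005,0.20,0.01
1003,10,2.675,0.00,26.75
1004,7,14.10,0.05,103.63
1005,2,49.995,0.20,119.98
"""

CENT = Decimal("0.01")


def expected_total(qty, unit_price, tax_rate):
    """Recompute qty * unit_price * (1 + tax_rate), rounded half-up to cents.

    Decimal is used so that the auditor's own recomputation is not subject
    to binary floating-point rounding; a system that rounds a float such as
    103.635 can store 103.63 where the documented rule requires 103.64.
    """
    gross = Decimal(qty) * Decimal(unit_price) * (Decimal(1) + Decimal(tax_rate))
    return gross.quantize(CENT, rounding=ROUND_HALF_UP)


def recompute_sample(csv_text, sample_size=None, seed=0):
    """Return the exceptions found in a (random) sample of the extract.

    Each exception records the invoice, the stored total and the recomputed
    total, sorted by invoice so the result is stable for the workpapers.
    With sample_size=None every row is rechecked.
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    if sample_size is not None and sample_size < len(rows):
        # A seeded generator makes the sample reproducible by a reviewer.
        rows = random.Random(seed).sample(rows, sample_size)
    exceptions = []
    for row in rows:
        expected = expected_total(row["qty"], row["unit_price"], row["tax_rate"])
        stored = Decimal(row["stored_total"])
        if stored != expected:
            exceptions.append({"invoice": row["invoice"],
                               "stored": stored,
                               "expected": expected})
    return sorted(exceptions, key=lambda e: e["invoice"])


if __name__ == "__main__":
    for exc in recompute_sample(SAMPLE_EXTRACT):
        print(f"invoice {exc['invoice']}: stored {exc['stored']}, "
              f"recomputed {exc['expected']}")
```

The exception list, together with the extract and the seed used for sampling, is the workpaper evidence for this test; the auditor still has to establish from documentation which rounding rule the application is supposed to apply before treating a difference as an error.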

AUDIT PROCEDURES AND APPROACHES


Information systems auditors play a major role to identify risks and to evaluate the
adequacy of controls in critical information systems in an organization. Various steps
involved in an information systems audit process are described next:
1. Obtain the background information: Information about the organization,
including its operations, work, document flow, and computing system, is
obtained by the auditor at the outset of the audit. This
background information allows the auditor to form an opinion about the
maturity of the system users.
2. Understanding the controls: The auditor makes an evaluation of controls,
their strengths and weaknesses, and the overall reliability of the system.
Administrative controls to maintain data integrity and safeguarding of assets
may even be built into the system. An auditor looks into the design of controls
and functional areas to which they relate. Internal controls normally include
the following components:
a. Control environment: The control environment consists of the
management's philosophy, responsibility, and authority assignments,
structure and functioning of the audit committee, and methodology of
performance measurement and monitoring. Design of control, definition
of level of materiality, and sincerity in enforcement of control tools are
all dependent on the control environment.
b. Risk assessment: It is a process of identification and analysis of risks
and exposure of the auditee and ways in which risk can be managed.
This assessment will assist the auditor in identifying risk areas with
high overall adverse exposure and prioritizing the same in the audit
plan.
c. Control activities: This includes access, authorization, duties,
segregation of jobs, documentation, maintenance, safeguards of
assets, checks on performance, and so forth. However, it must be
noted that mere existence of controls does not validate whether the
internal control system is efficient. Adequacy and effectiveness of the
controls also need to be assessed.
d. Information and communication: This includes existence of defined
roles and responsibilities for information generation and exchange
control.
e. Monitoring: Continuous monitoring and analysis of operation of
internal controls is an integral part of an effective system of internal
control. The feedback arising from monitoring activity helps to
strengthen the internal control environment.
3. Developing the audit plan: Development of an audit plan and audit program
to schedule an audit is a critical component of the audit process. Much more
than a procedural exercise, as it is often alleged to be, the audit plan defines
the boundaries of effectiveness of an audit. An inefficient audit plan is likely to
cause an inefficient audit exercise, regardless of the quality of audit staff and
process.
4. Compliance test of controls: This process involves testing the general
controls. Relevant checklists under the ISecGrade framework have been
provided in Chapter 12. Compliance reviews and tests provide a reasonable
assurance that the system controls are functioning as intended and are in line
with the auditee's plans, programs, policies, procedures, standards,
guidelines, government laws and regulations, and other regulatory agency
requirements.
5. Use of analytical review procedures: Various ratios, trends, and
relationships among data items may be reviewed using mathematical
procedures to identify areas that would require further audit work. The focus of
the analytical tests is on various parameters of information system functioning,
such as network load, connection speed, transactions per second, and the like.
The analytical procedure will identify whether any parameter is reporting values out
of the normal range given the activities performed on the information system.
6. Substantive tests of details of transactions: The extent of substantive
reviews and tests to be performed are designed based on the degree of
satisfaction and reliance derived from the results of the compliance tests. This
would include review of the authentication devices, application software,
database management system, network, utility software, legal compliances,
and so forth.
7. Summary of evidences: The information systems auditor then summarizes
the audit evidence collected during the audit.
8. Evaluation and opinion: Upon evaluation of the test results the auditor will
form an audit opinion. This will be discussed with the auditee to confirm its
acceptance or disagreement. Subsequent to considering the response of the
auditee, the auditor will issue the audit report.
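Two passages above describe analytical procedures in terms that can be carried out directly against system-generated evidence: the evidence category that compares account lockouts across two audit periods, and step 5, which looks for operating parameters reporting values outside their normal range. The block below is an added example and not code from the original text; the authentication log lines and the transactions-per-second readings are constructed, the log format is an assumed syslog-like layout, and the period names and thresholds are illustrative.

```python
"""Analytical review over system-generated evidence.

Added illustration, not from the original text. The log lines, the log
format and the transactions-per-second series are all constructed.
"""
import re
import statistics
from collections import Counter
from datetime import date

# Constructed authentication log (assumed format:
# "<YYYY-MM-DD> <HH:MM:SS> <host> <event> user=<name> src=<ip>").
AUTH_LOG = """\
2023-03-02 08:11:09 app01 LOGIN_FAIL user=jsmith src=10.1.4.22
2023-03-02 08:11:31 app01 ACCOUNT_LOCKED user=jsmith src=10.1.4.22
2023-05-17 14:02:55 app02 ACCOUNT_LOCKED user=mlee src=10.1.9.8
2023-09-03 23:45:10 app01 ACCOUNT_LOCKED user=svc_backup src=10.1.4.2
2023-09-04 00:02:41 app01 ACCOUNT_LOCKED user=svc_backup src=10.1.4.2
2023-09-04 00:05:12 app01 ACCOUNT_LOCKED user=admin src=10.1.4.2
2023-09-04 00:07:58 app01 LOGIN_FAIL user=admin src=10.1.4.2
garbage line that does not match the format
2023-10-11 09:30:00 app02 ACCOUNT_LOCKED user=rgarcia src=10.1.9.15
2023-11-20 16:12:44 app01 ACCOUNT_LOCKED user=admin src=10.1.4.2
"""

# The two audit periods being compared (inclusive date ranges).
AUDIT_PERIODS = {
    "H1-2023": (date(2023, 1, 1), date(2023, 6, 30)),
    "H2-2023": (date(2023, 7, 1), date(2023, 12, 31)),
}

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ (\S+) (\S+) user=(\S+) src=(\S+)")


def lockouts_by_period(log_text, periods):
    """Count ACCOUNT_LOCKED events falling in each named audit period."""
    counts = Counter({name: 0 for name in periods})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "ACCOUNT_LOCKED":
            continue  # unparseable or unrelated lines are skipped, not counted
        when = date.fromisoformat(m.group(1))
        for name, (start, end) in periods.items():
            if start <= when <= end:
                counts[name] += 1
    return dict(counts)


def period_change(counts, prior, current):
    """Ratio of current-period lockouts to prior-period lockouts.

    A prior period with zero lockouts cannot be used as a denominator, so
    any increase from zero is reported as infinite and no change as 1.0.
    """
    if counts[prior] == 0:
        return float("inf") if counts[current] > 0 else 1.0
    return counts[current] / counts[prior]


def review_lockouts(log_text, periods, prior, current, threshold=1.5):
    """Summarize the comparison the auditor would record in the workpapers."""
    counts = lockouts_by_period(log_text, periods)
    ratio = period_change(counts, prior, current)
    return {"counts": counts, "ratio": ratio, "flagged": ratio >= threshold}


# Constructed daily transactions-per-second readings: the prior period is
# used as the baseline for what "normal range" means.
TPS_BASELINE = [118, 121, 119, 124, 120, 122, 117, 123]
TPS_CURRENT = [119, 125, 121, 260, 118, 122, 124, 11]


def out_of_range(baseline, current, k=3.0):
    """Indices of current readings more than k standard deviations from the
    baseline mean; each one needs an explanation (a spike, an outage, a
    faulty collector) before the period can be signed off."""
    mean = statistics.mean(baseline)
    sd = statistics.pstdev(baseline)
    return [i for i, v in enumerate(current) if abs(v - mean) > k * sd]


if __name__ == "__main__":
    print(review_lockouts(AUTH_LOG, AUDIT_PERIODS, "H1-2023", "H2-2023"))
    print("out-of-range TPS readings at indices:",
          out_of_range(TPS_BASELINE, TPS_CURRENT))
```

The threshold and the k multiplier are judgment calls that belong in the audit program, not in the code; the value of the procedure is that it points the auditor at the lockouts of the second period (two of them against privileged accounts from a single source address in the constructed sample) and at the two readings that fall outside the baseline, which is where the substantive testing in step 6 should start.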

Conduct follow up
After issuing a report, the auditor is required to conduct an exit interview with
management to obtain a commitment for the recommendations made in the audit.
Management is responsible for acknowledging the recommendations and
designating whatever corrective action will be taken, including the estimated dates
for the action.

In subsequent audits, you will check whether management honored their
commitments to fix or remediate deficiencies found in a prior audit. Occasionally, the
deficiencies are left uncorrected because changes in the organizational design or
practice have eliminated the conditions of the prior control's weakness. Particular
findings may apply to events that are no longer relevant. Otherwise, you expect
management to act in a timely manner to correct the deficiency as originally
reported.
Warning: The auditor should never take ownership of any problems found. Doing so
would violate your independence. All issues raised in your findings
should be regarded as owned by the auditee. It is the job of their
management to fix them.

Sometimes events of concern are discovered, or occur, after an audit has been
completed. You would be concerned about the discovery of subsequent events that
pose a material challenge to your final report. Accounting standards recognize these
events and classify them as follows:
• Type 1 events provide evidence of conditions that already existed at the balance
sheet date and may require the reported figures to be adjusted.
• Type 2 events arise from conditions that came into being after the balance sheet
date; they do not change the reported figures but may require disclosure.

Depending on the type of audit, you may have additional reporting requirements or
activities. These may require additional disclosures or adjustments to your report
based on the nature of the event that was recently discovered or occurred.
