THE AUDIT PROCESS IN AN INFORMATION TECHNOLOGY ENVIRONMENT

IT AUDITING: WHAT IS IT?
• The evaluation of IS and IT by auditors has generated the term IS auditing.
• IT auditing is the evaluation of IS, practices, and operations to assure the integrity of an entity’s information.
• The computer auditor’s evaluation of systems, practices, and operations may include one or both of the following:
  – Assessment of internal controls within the IT environment to assure the validity, reliability, and security of information
  – Assessment of the efficiency and effectiveness of the IT environment in economic terms

Planning the Audit
• Define scope
• State objectives
• Structure an orderly approach
• Provide for measurement of achievement
• Assure reasonable comprehensiveness
• Provide flexibility in approach

Organizing the Audit
• Preliminary review
• Application analysis
• Preliminary evaluation of internal controls
• Compliance testing
• Final evaluation of internal controls
• Substantive testing

Preliminary Review
• General data gathering
• Identifying financial application areas
• Preparing an audit plan

Field Work and Implementing Audit Methodology
• Define objectives
• Build a basic understanding of the area being audited
• Build a detailed understanding of the area being audited
• Evaluate controls, strengths, and weaknesses
• Design the audit procedures
• Test the critical controls, processes, and apparent exposures
• Evaluate the results

Audit Tools and Techniques
• Understanding how computers process data
• Identifying documents and their flow through the system
• Defining critical data
• Developing audit data flow diagrams
• Evaluating the quality of system documentation
• Assessing controls over documents
• Determining the effectiveness of processing under computer programs
• Evaluating the usefulness of reports

Audit Report
• A written report will provide excellent documentation for both the positive and negative points made and will serve as a reference for future audits and improvements.
• The value of the audit must be assessed to assure that the findings and recommendations have been achieved to some quantifiable degree and provide value to the organization.