Audit Planning Process

• Strategic/tactical audit planning
• Engagement letter
• Risk assessment
• Preliminary evaluation of internal controls
• Audit plan, program and scope
• Classification, scope of audit

Strategic/tactical Audit Planning

• Short term
  – Takes into account audit issues that will be covered during the year
• Long term
  – Relates to audit plans that will take into account risk-related issues regarding changes in the organization's IT strategic direction that will affect the organization's IT environment

Steps to perform audit planning

• Gain an understanding of the business's mission, objectives, purpose and processes, which include information and processing requirements, such as availability, integrity, security and business technology
  – Touring key organization facilities
  – Reading background material including industry publications, annual reports and independent financial analysis reports
  – Reviewing long term strategic plans
  – Interviewing key managers to understand business issues
  – Reviewing prior reports
• Identify stated contents, such as policies, standards and required guidelines, procedures, and organization structure
• Evaluate risk assessment and any privacy impact analysis carried out by management
• Perform a risk analysis
• Conduct an internal control review
• Set the audit scope and audit objectives
• Develop the audit approach or audit strategy
• Assign personnel resources to the audit and address engagement logistics

Risk Assessment

• Risk assessment method
• Areas to be audited
• Use of risk assessment in audit planning (S11, G13, P1)

Risk Assessment Method

• Qualitative and Quantitative Methods
• Semiquantitative Analysis Methods
• Quantitative Analysis Methods

Areas to be audited

• Enables management
• Ensures that relevant information
• Establishes a basis for effectively managing the audit department
• Provides a summary of how the individual audit subject is related to the overall organization as well as to the business plans

Audit Program

• Obtaining and recording an understanding of the audit area/subject
• Risk assessment and general audit plan and schedule
• Detailed audit planning
• Preliminary review of the audit area/subject
• Evaluating the audit area/subject
• Compliance testing (often referred to as test of controls)
• Substantive testing
• Reporting (communicating results)
• Follow up

Classification, scope of audits

• Financial Audits
• Operational Audits
• Integrated Audits
• Administrative Audits
• Information Systems Audits
• Specialized Audits
• Forensic Audits