Uploaded by adomingobernabeu

IT Audit Function: Building an Effective Internal Team

Module 1
CHAPTER 1: Building an Effective Internal IT Audit Function

Independence and Objectivity: While complete independence may be a myth, maintaining
objectivity is crucial for effective auditing. Auditors should strive to operate without undue influence
and report to the audit committee or board of directors when possible.

Consulting and Early Involvement: Early involvement in projects can prevent issues and reduce costs
associated with post-implementation corrections. Auditors can add significant value by providing
input on controls and risk management strategies from the outset.

Relationship Building: Building strong partnerships with other departments enhances credibility and
cooperation, making audits more productive and less adversarial. Auditors should be seen as trusted
advisors who help improve processes and controls.

Role of the IT Audit Team: The IT audit team should comprise a mix of application auditors, data
extraction and analysis specialists, and IT auditors to effectively cover a broad range of IT-related
audits.

Continuous Learning: Regular training, certifications, and staying updated with industry trends are
essential for maintaining audit expertise. Developing technical and soft skills is necessary to conduct
thorough audits and effectively communicate findings.

CHAPTER 2: The Audit Process

Understanding Internal Controls: A thorough understanding of preventive, detective, and corrective
controls is essential for effective auditing. Auditors must assess the design and effectiveness of these
controls to ensure they mitigate identified risks.

Audit Universe and Risk-Based Approach: Creating and prioritizing an audit universe helps focus
audit efforts on the most critical areas. A risk-based approach ensures that resources are allocated
effectively to address the highest risks.

Structured Audit Stages: Following a structured approach to planning, fieldwork, issue discovery,
solution development, reporting, and issue tracking ensures thorough and effective audits. Each
stage plays a critical role in providing valuable insights and recommendations.

Adherence to Standards: Adhering to auditing standards ensures consistency, reliability, and
alignment with professional guidelines. These standards provide a framework for conducting audits
and maintaining independence, objectivity, and professional skepticism.

Continuous Monitoring and Follow-Up: Ensuring that identified issues are resolved in a timely
manner and tracking corrective actions is crucial for maintaining a strong control environment.
Ongoing monitoring helps improve the organization’s overall risk management and control
environment.

The Stages of an Audit

The audit process consists of several stages, each of which is critical for ensuring a
thorough and effective audit:
1. Planning
Objective: Define the audit’s scope, objectives, and approach.
Steps: Gather relevant information, develop an audit plan, and determine what will be reviewed. Effective
planning sets the audit team up for success.
2. Fieldwork and Documentation
Objective: Collect data, perform interviews, and document findings.
Steps: Gather evidence through various techniques, such as observing processes, reviewing documents, and
testing controls. Proper documentation is essential for supporting audit conclusions and recommendations.
3. Issue Discovery and Validation
Objective: Identify and validate issues based on the collected evidence.
Steps: Analyze findings, validate their significance, and confirm their accuracy through additional testing or
consultation with relevant stakeholders.
4. Solution Development
Objective: Develop practical solutions to address identified issues.
Steps: Recommend corrective actions to improve controls and address root causes. Solutions should be
feasible and aligned with organizational objectives.
5. Report Drafting and Issuance
Objective: Communicate audit findings and recommendations.
Steps: Write a comprehensive audit report that is clear, concise, and well-organized, providing a thorough
overview of the audit process, findings, and suggested improvements.
6. Issue Tracking
Objective: Ensure identified issues are resolved on time.
Steps: Track the progress of corrective actions, follow up with stakeholders, and ensure recommendations are
implemented effectively. Ongoing monitoring helps maintain a strong control environment.

Standards

Adhering to auditing standards ensures that the audit process is consistent, reliable, and aligned
with professional guidelines. These standards provide a framework for conducting audits and include
principles related to independence, objectivity, and professional skepticism.

CHAPTER 3: Auditing Entity-Level Controls

Background

Entity-level controls are pervasive across an organization and set the foundation for an effective internal
control environment. These controls include governance structures, risk management practices, and compliance
measures that impact the entire organization. Effective entity-level controls are critical for ensuring that the organization
operates in a controlled and efficient manner, mitigating risks and achieving strategic objectives.

- Governance Structures: Establish the framework within which the organization operates, including the roles
and responsibilities of management and the board of directors.
- Risk Management Practices: Involve identifying, assessing, and managing risks to ensure they are mitigated to
an acceptable level.
- Compliance Measures: Ensure the organization adheres to laws, regulations, and internal policies.

Test Steps for Auditing Entity-Level Controls

Auditing entity-level controls involves assessing various areas that are
critical for maintaining a strong control environment. The following test steps provide a structured approach for
auditors:
1. Review IT Organization Structure
Objective: Ensure clear assignment of authority and responsibility, and adequate segregation of
duties.
Steps: Evaluate organization charts, reporting structures, and the division of responsibilities within the
IT organization.
2. Review IT Strategic Planning
Objective: Ensure alignment with business strategies and effective monitoring of progress.
Steps: Assess the strategic planning process, long-range technical planning, and performance
indicators.
3. Evaluate Project Approval Processes
Objective: Ensure projects are aligned with organizational objectives and subject to appropriate
controls.
Steps: Review processes for approving and prioritizing projects, and assess ongoing project monitoring
and evaluation.
4. Assess Policies and Procedures
Objective: Ensure adequacy and enforcement of policies and procedures.
Steps: Review the comprehensiveness and communication of policies, and evaluate compliance with
internal controls.
5. Evaluate Employee Management
Objective: Ensure employees are competent and well-informed about their roles and responsibilities.
Steps: Assess hiring, training, and performance evaluation practices.
6. Review Asset Management
Objective: Ensure proper controls over organizational assets.
Steps: Evaluate asset management practices, including tracking, safeguarding, and maintaining assets.
7. Assess System Configuration Change Management
Objective: Ensure controls over system changes to prevent unauthorized modifications.
Steps: Review change management processes, including approval, testing, and documentation
procedures.

Knowledge Base

A strong knowledge base is essential for effective auditing of entity-level controls. This includes
understanding industry standards and frameworks, such as COBIT and COSO, and leveraging resources from professional
organizations like ISACA and the Institute of Internal Auditors (IIA). External auditors can also provide valuable insights
and guidelines.

Master Checklist

A master checklist summarizes the steps for auditing entity-level controls, ensuring a comprehensive
evaluation. This checklist includes specific test steps for each area of focus, allowing auditors to systematically assess the
design and effectiveness of controls.